Symlink / Softlink Protection For Security In Apache – SOLVED

You may need to read the whole article before choosing an option.

Step 1: You may need to turn on “SymLinksIfOwnerMatch” in the WHM Apache Global Configuration.

Step 2: Apply the patch from Rack911. It turns the option on by default in the Apache source, which is then recompiled. To apply the patch, proceed as follows:

wget http://layer1.rack911.com/before_apache_make -O /scripts/before_apache_make
chmod 700 /scripts/before_apache_make

# Rebuild Apache afterwards.

/scripts/easyapache

Step 3: Apply the Symlink Race Condition patch from Bluehost. It is now available in EasyApache. To apply the patch, select Symlink Race Condition Protection from the Exhaustive Options list during the EasyApache build process.

Please read the whole article at http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/SymlinkPatch

Now check whether the server already has symlinks:

# find /home*/*/public_html -type l
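
The find command above lists every symlink, including harmless ones. As an added example (not part of the original article), the shell function below narrows that list to links whose owner differs from the owner of the target, which is the condition SymLinksIfOwnerMatch checks, or whose target resolves outside the account home. It assumes GNU find, stat and readlink, and that the account home is the parent directory of each document root; the function name audit_symlinks is hypothetical.

```shell
#!/bin/sh
# Added example: audit symlinks under cPanel-style document roots.
# Assumes GNU find/stat/readlink (CentOS/CloudLinux) and that the
# account home is the parent directory of each docroot passed in.
# Output, one line per finding: REASON<TAB>LINK<TAB>RESOLVED_TARGET
#   dangling : target does not exist
#   owner    : link owner != target owner (what SymLinksIfOwnerMatch refuses)
#   outside  : target resolves outside the account home
# Usage after sourcing this file:
#   audit_symlinks /home*/*/public_html
audit_symlinks() {
    for docroot in "$@"; do
        [ -d "$docroot" ] || continue
        home=$(cd "$docroot/.." && pwd -P)
        # Paths containing newlines are not handled by this line-based loop.
        find "$docroot" -type l | while IFS= read -r link; do
            target=$(readlink -f -- "$link") || target=
            if [ -z "$target" ] || [ ! -e "$target" ]; then
                printf 'dangling\t%s\t%s\n' "$link" "$(readlink -- "$link")"
                continue
            fi
            reason=
            link_uid=$(stat -c %u -- "$link")        # owner of the link itself
            target_uid=$(stat -L -c %u -- "$link")   # owner of what it points to
            [ "$link_uid" = "$target_uid" ] || reason=owner
            case "$target" in
                "$home"|"$home"/*) ;;
                *) reason=${reason:+$reason,}outside ;;
            esac
            if [ -n "$reason" ]; then
                printf '%s\t%s\t%s\n' "$reason" "$link" "$target"
            fi
        done
    done
}
```

Links reported as owner or outside are the ones to review first; a link that stays inside the account and matches its target's owner is not printed.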

All of the above solutions can also be exploited easily. Our security team tested them and found this out. But there is another good option in CloudLinux.

This issue can easily be fixed in CloudLinux using SecureLinks. It is one of the best solutions. It uses kernel-level protection. You can enable it in sysctl.conf by adding the following line:

fs.enforce_symlinksifowner = 1

You can set any of the following values:

fs.enforce_symlinksifowner == 0 -> do not check symlink ownership
fs.enforce_symlinksifowner == 1 -> deny if gid == symlinkown_gid
fs.enforce_symlinksifowner == 2 -> deny if gid > symlinkown_gid   [since kernel 2.6.32-379.19.1.lve1.2.8]

If you need to exclude a specific user from the symlink check, you can do it as follows:

fs.symlinkown_gid = XX, where XX is the UID

To apply the sysctl changes, run:

sysctl -p

Please read more about it at http://docs.cloudlinux.com/index.html?securelinks.html

How to Configure Multiple shared IPs in WHM

Ever wondered how to set up multiple shared IPs in WHM? Here is how.

You can’t add multiple shared IPs in WHM GUI, but it’s possible to do so via SSH (login as root).

First, you need to create a /var/cpanel/mainips/ directory, if it doesn’t exist:

# mkdir /var/cpanel/mainips/

Then, create a /var/cpanel/mainips/root file containing all the IPs, as follows:

10.0.0.10
10.0.0.12

Basically, each line is an additional shared IP in WHM. That’s it!

You can verify this from WHM >> Home >> IP Functions >> Show/Edit Reserved IPs.

Replacing mod_rpaf with mod_remoteip in Apache 2.4: Nginx Real_IP Problem Solution

Apache 2.4 now provides a real remote IP module. It is enabled by default. You can check it as follows:

# httpd -l | grep mod_remoteip.c
mod_remoteip.c

If you get the above result, the remoteip module is already compiled and enabled in Apache. Otherwise, you can download it from

https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/metadata/mod_remoteip.c

And compile it as follows:

# apxs -cia mod_remoteip.c

You may now need to add the following lines to httpd.conf so that REMOTE_ADDR is set to the real visitor IP:

# The LoadModule line is only needed if you compiled this module separately
#LoadModule remoteip_module /usr/lib/apache/mod_remoteip.so
RemoteIPHeader X-Real-IP
# Your server IP address
RemoteIPInternalProxy X.X.X.X/24

Also, please note that this module is not available for lower versions of Apache such as Apache 2.2.x; for those you have to use the mod_rpaf module itself.

cPremote version 7.0 is available – Supports cPanel 11.38.1+

Release Note:
It is a cPanel 11.38.1 compatibility release with the following updates:

a) Compatible with cPanel 11.38.1+
b) Updated rsync to version 3.0.9 as default

cPanel 11.38.1+ uses a new system for WHM plugin registration, so we had to integrate it into cPremote and released the new version. It is available for update.

Cpnginx version 7.0 is available – Supports cPanel 11.38.1+

Release Note:
It is a cPanel 11.38.1 compatibility release with the following updates:

a) Compatible with cPanel 11.38.1+
b) Updated Nginx to version 1.4.1 as default

cPanel 11.38.1+ uses a new system for WHM plugin registration, so we had to integrate it into cPnginx and released the new version. It is available for update.