Symbolic link hack and its prevention in cPanel based servers.

Symbolic link:

Just like the shortcuts used in Windows-based operating systems, a symbolic link (symlink or soft link) is a shortcut-like file in Linux operating systems. In Linux a normal user cannot access the server's main/root directory, so symlinks get used as a tool to hack into it: the user creates a symlink (shortcut) to the root folder from his own directory and gains access to the server through it.

eg:

[Screenshot: the /scripts symlink on a Linux server]

In the above example, no directory called /scripts physically exists. But you can still access /scripts on the command line, because it is a symlink (shortcut) to the actual folder /usr/local/cwpsrv/htdocs/resources/scripts/.

Symlink definition:

In computing, a symlink is a special type of file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution.

Prevention:

This is a quite common hacking method in cPanel-based Linux environments, so we will look at the best way to prevent it on cPanel-based servers.

The best and most effective method is to disable symlinks for all web users (cPanel users) and make sure only system users are using this functionality.

Basic Steps:

We need to disable symlinks for cPanel users; for that we need to make sure that the web server (Apache/nginx) doesn't allow symlink access to normal users.

To do that, we need to compile an additional symlink-protection PHP module with Apache.


  • Login to server WHM (admin) panel

  • Go to Easy Apache, WHM >> Software >> Easy Apache

  • Go to Customize profile option

  • Click Next and go to the PHP Short List option

  • Click Exhaustive Options List

  • Select the “Symlink Race Condition Protection” checkbox, as shown in the screenshot below.

[Screenshot: the Symlink Race Condition Protection option in the Exhaustive Options List]

Once done, save and build the profile and let the build compile PHP with these settings. This module will prevent symlink-based attacks for all your cPanel users.

Alternate option:

The above steps are one way of preventing this symlink attack. If you are running a non-cPanel server, or a bare server without any control panel, you can use the following steps instead.

  • Log in to your server via SSH as the root user.
  • Go to the web server's main global configuration path. For Apache it is “/usr/local/apache/conf/includes/pre_virtualhost_global.conf”.
  • Add the following rule to this file:

Rule:

<Directory "/home">
    Options +All -ExecCGI -FollowSymLinks +Includes +IncludesNOEXEC -Indexes -MultiViews +SymLinksIfOwnerMatch
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>

This rule rejects every symlink request where the link's owner does not match the target's owner, so a link created by one cPanel/web user to files owned by somebody else is not followed. Because FollowSymLinks is left out of the AllowOverride Options= list, any existing .htaccess that still sets it will break that site with an error, so use the ‘find’ command to locate those files and fix the rule beforehand.

Command:

find /home -iname ".htaccess" -exec grep -l "FollowSymLinks" {} \;

Open all of the resulting files and change +FollowSymLinks to +SymLinksIfOwnerMatch. Once that is done, restart the Apache/web service to make the changes effective. If any user then tries to symlink to the root directory, they will get an ‘internal server error’.
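The find-and-edit step above, scripted as an added example that is not part of the original post: it lists the offending .htaccess files, supports a dry run, and keeps a backup of each file it rewrites. It assumes POSIX sh with find, grep and sed, and the ROOT argument (for example /home) is supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original post: audit .htaccess files under a
# web root and rewrite FollowSymLinks to SymLinksIfOwnerMatch, the same
# find/grep step described above but with a dry-run mode and backups.
# Assumes POSIX sh with find, grep and sed available.

# list_followsymlinks ROOT
#   Print each .htaccess under ROOT that still contains "FollowSymLinks".
#   Same search as the find command in the post: case-insensitive file
#   name, case-sensitive directive text.
list_followsymlinks() {
    find "$1" -iname ".htaccess" -type f -exec grep -l "FollowSymLinks" {} \;
}

# fix_followsymlinks ROOT [yes]
#   Report each matching file; with a second argument of "yes" also rewrite
#   it in place, keeping a .htaccess.bak copy so the edit can be reverted.
#   Only the option name changes, so RewriteRule lines etc. stay as they are
#   ("-FollowSymLinks" becomes "-SymLinksIfOwnerMatch", which is harmless).
fix_followsymlinks() {
    root=$1
    apply=${2:-no}
    list_followsymlinks "$root" | while IFS= read -r f; do
        if [ "$apply" = yes ]; then
            sed -i.bak 's/FollowSymLinks/SymLinksIfOwnerMatch/g' "$f"
            echo "fixed: $f"
        else
            echo "would fix: $f"
        fi
    done
}

# count_followsymlinks ROOT
#   Number of files still needing attention; 0 means the tree is clean and
#   Apache can be restarted without any site hitting the error.
count_followsymlinks() {
    list_followsymlinks "$1" | wc -l | tr -d ' '
}
```

Run `fix_followsymlinks /home` first to review the list, then `fix_followsymlinks /home yes` to apply, and confirm `count_followsymlinks /home` prints 0 before restarting Apache.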