
I have a small shared server where a couple of websites are hosted, so I'm not sure if this kind of protection will be enough to prevent attackers from executing a symlink attack.

I've added symlink to the disabled PHP functions, and of course others like exec, to prevent execution of the ln command.

AppArmor is also there in order to prevent some kinds of damage.

Even if I allow all PHP functions, including the dangerous ones, AppArmor will block the ln command:

apparmor="DENIED" operation="exec" profile="/usr/sbin/apache2" name="/bin/ln"

Is this sufficient protection against a symlink attack?

user134969
  • I hope you're not asking this because you're setting up [Freedom Hosting 3...](http://securityaffairs.co/wordpress/55990/deep-web/freedom-hosting-ii-hack.html) – DKNUCKLES Mar 03 '17 at 15:24
  • Not even close, and I'm not sure what made you think that I'm setting up that kind of server... – user134969 Mar 03 '17 at 15:46
  • It was meant to be tongue in cheek, as Freedom Hosting 2 was compromised by a symlink vuln not more than 2 weeks ago. – DKNUCKLES Mar 03 '17 at 16:07
  • That's strange, probably the sftp chroot was not set up, otherwise you cannot make a symbolic link outside your directory... – user134969 Mar 03 '17 at 16:11
  • The hacker's write-up is available on the page linked from the first comment if you're interested. – DKNUCKLES Mar 03 '17 at 16:14
  • Yes, I've checked that: "3. login via sftp and create a symlink to /" was the key of the attack, that's why I said that it seems sftp was misconfigured. – user134969 Mar 03 '17 at 16:29

1 Answer


Symbolic links are used for creating shortcuts in Linux. If an attacker gains access to any single site on your server, he can easily create a symbolic link to the / directory and then put the document root after it. Now the attacker can easily read your sensitive files.

You can protect against it by:

  • Changing the permission of /bin/ln to 400.
  • Locating php.ini with the command “locate php.ini” (without quotes), then editing the main php.ini to disable symlink and proc_open.
  • If you have a shared host and it is vulnerable to symlinks, changing the permission of your configuration files to 400.
  • Turning PHP safe_mode ON.

  • Changing permissions of /bin/ln to 400 is a very weak protection, if the attacker finds some security hole in PHP, they can create symlinks directly via the symlink() syscall. – Ján Lalinský Mar 14 '19 at 11:36
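As the last comment points out, restricting /bin/ln does not stop a symlink created through the symlink() call itself, so a defender also wants a way to detect links that already escape a site's document root. The script below is an added example, not code from the question, the answer or the comments: it walks a document root, resolves every symlink with `readlink -f`, and reports those whose target lands outside that root. The sample tree it builds in a temp directory (a harmless relative link plus one pointing at /etc) is constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example: audit a web document root for symbolic links that resolve
# outside it. Assumes a POSIX shell plus `find` and `readlink -f`
# (GNU coreutils or busybox).

# Print "link -> target" for every symlink under $1 whose canonical target
# is not inside $1. Dangling links are reported as well.
find_escaping_symlinks() {
    docroot=$(readlink -f "$1") || return 1
    find "$docroot" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target=""
        case "$target" in
            "$docroot"/*|"$docroot") ;;   # resolves inside the docroot: fine
            *) printf '%s -> %s\n' "$link" "${target:-<dangling>}" ;;
        esac
    done
}

# Exit status 0 when no escaping symlink exists under $1, 1 otherwise,
# so the check can run from cron or a deploy hook.
docroot_is_clean() {
    n=$(find_escaping_symlinks "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Build a constructed sample site in a temp directory and print its root:
# one relative link that stays inside the site and one that points at /etc.
demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/site1/public" "$tmp/www/site1/uploads"
    printf '<?php echo "ok";\n' > "$tmp/www/site1/public/index.php"
    ln -s ../public/index.php "$tmp/www/site1/uploads/index.php"  # stays inside
    ln -s /etc "$tmp/www/site1/uploads/etc"                         # escapes
    printf '%s\n' "$tmp/www/site1"
}

# Usage when run directly: build the sample tree, then audit it.
if [ "${0##*/}" != "sh" ] && [ -z "${SYMLINK_AUDIT_NO_MAIN:-}" ]; then
    root=$(demo_tree)
    find_escaping_symlinks "$root"
    docroot_is_clean "$root" && echo "clean" || echo "escaping symlinks found"
fi
```

Run it against a real site with `find_escaping_symlinks /var/www/site1`; on a multi-site host, loop over each document root so a link created in one site that points into another is caught too. Comparing the resolved target rather than the raw link text matters because a chain of relative links (`../../..`) escapes just as effectively as an absolute one.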