Atomicorp answers for Igor to confirm or deny.
Atomic Secured Linux + CL + cPanel ?
-
Hello!
I was thinking about securing my server with ASL on top of CL and cPanel that I'm already running.
I've asked a couple of questions on Atomicorp's forum, and I got an answer from Michael over there.
I'd love for Igor (or some other pro) here at CloudLinux to just take a look at that, and confirm or deny the answers I got from Michael at Atomicorp.
Basically, Michael said:
- ASL kernel gives a bunch of protection that the CL kernel doesn't.
- ASL + CL (running CL kernel, not ASL kernel) + cPanel will work fine together, with no issues or performance hit.
I'd like to ask you CloudLinux pros the same questions. Is there any point in getting ASL? And if it is, will I encounter any problems?
Here is the forum thread over there, together with my questions in full:
https://www.atomicorp.com/forums/viewtopic.php?f=3&t=7722
Thank you in advance!
/E
-
1. ASL kernel gives a bunch of protection that the CL kernel doesn't
This is in essence true. There is a small print statement missing though: beyond their buffer/stack overflow that comes from grsecurity -- everything else requires manual configuration, that most likely -- will not be compatible with shared hosting anyway. Mileage might vary, but make sure to check how you can use that protection in your setup first - and if it would be possible to enable it. I haven't checked it in a long time - but last time I checked, most things weren't easy to make work with a shared hosting setup.
2. Yes, ASL + CL kernel would work together. We do get people having conflicts from time to time. They aren't really common, nor uncommon -- but right in the middle to be bothersome enough for me to remember them. Yet, not bothersome enough to do much about them.
-
We tried working with them.
Their support was good, and everything was fixed in a timely manner.
However, we quickly discovered that their modsecurity ruleset was not for us…
At that time they didn't have a ruleset compatible with Litespeed, now they do. So we had to run T-WAF in front for Litespeed, and their T-WAF crashed sometimes and had no automatic detection / restart feature. Now I believe you can run the rules directly in Litespeed, so this is no longer an issue.
With Apache our response times went from 20ms to 130ms and with Litespeed + T-WAF from 10ms to 110ms (cPanel's Apache doesn't have JIT built in). But this was still too slow.
Then we had to keep contacting them to fix rule after rule, we must have had about 5% of the sites we host that had issues.
In the end we decided that we should better spend time informing our customers and telling them to do updates than to slow down all sites and host 5 times fewer customers on the same server.
We're thinking about setting up a very small ruleset to protect against things that can't be fixed with an update, like brute force attacks.
-
Thank you very much for your answers!
So both of your answers deny some of Michael's answers. There ARE some conflicts from time to time, and there IS a performance hit (mod_security rules I guess).
So right now I don't really know whether to get ASL or not. Probably not... for now.
Are there some other security solutions that are recommended for a shared hosting setup?
Right now I'm just running cPanel's default mod_security rules. Good idea or bad idea?