Hello
Im working on a Security review of our servers. And as a part of that Im looking for a service/repo that will handle rules for mod_secure or similar modules.
We are running CL as a semi trial on our main server, but while it protects the server from load issues, it still doesn handle active threat detection and prevention.

While I was looking for solutions, I found the Atomic Secure Linux.
But I would like some more third hand information/thoughts/reviews about this product.
Is it secure?
will it implement the security rules without compromising the functionality of standard CMS systems like Joomla, Wordpress, Prestashop and drupal etc?

Some issues with their site gives me pause as to the quality of the product.
They have (at least for the time being) an issue on the homepage wh ere the product updates feed isn working.
And there doesn seem to be a lot of chat about their products on the internet ... a google search hardly turns up anything...

On their site, they sate that they support both CL and Interworx. I would love to get any feedback from a CL rep their (personal or official) view on the product.

Anyone here that is or have been using/trying ASL?

I see a lot of people using ASL, and I think they have a pretty good product.
From what I know -- mod_security/their rules are quite good.
If you use them with CloudLinux -- you would be running our kernel, that provides some advanced security features. Not sure how good those are -- but most are not really applicable to shared hosting anyway.

They also have proftpd with clamav integration that automatically checks if uploaded files have viruses, as well as updated versions of bunch of packages (like php/etc...)

I am looking at introducing further security to my shared hosting environment as well. Did you have any luck with ASL? Currently I am using Config Server Security&Firewall to block attacks and it has worked well.

I am also selling my clients Config Server ModSecurity Control, with delayed rules from GotRoot. If my clients pay an additional amount per year, they basically get the mod security enabled. It helps cover the cost of security licenses. Not sure if this is really a good security/business model, but I think its good to charge for additional security features.

Anyone else have more input on securing a shared linux hosting environment further than cloud linux...application firewalls etc...?
http://www.cloudlinux.com/solutions/forum/user/361/

I recently made a push to try it on one of our servers.
There was some minor configuration problems that I didnt get sorted in the time I had to try it, so I had to uninstall it.
It feels like a solid product, and we still run some of the systems installed by ASL (rootkit hunter).

We are working on a support agreement for our customers, and will probably run a seperate server with ASL for those customers that signup.
I think it might be more easy to set it up on a fresh server so that you dont need to take it offline for a few hours to fix the security settings.
The default security is set really high and restrictive, so you will need time to adapt them for your needs. And you dont want to do that on a live server. Expect to take about 10-12 hours to setup and configure your first ASL server.

thanks for the info Mikael. I dont have a lot of servers to play around with right now, but I just ordered a new server which should arrive in a few weeks. Ill most likely try and setup a virtual machine with cPanel & ASL on it and see how it installs, configures and runs.

I forgot to ask, has anyone dealt with Trustwave? I tried to call them a few times, but they never returned my call, and I couldnt speak to anyone. I guess I am too small for them to give me the time of day. They say they are the "primary custodian" of mod security, so I was thinking they would have some sort of linux based solution for application firewall.



I should be maybe discussing this more on the cPanel website, as mod security doesnt really have a whole lot to do with the OS. Seems like Cloud Linux community is pretty up on security though

My main cPanel server was hacked into by the recent cPanel/EXIM vulnerability (Good times). After root had been compromised I was a little paranoid about security. Apparently I was talking about website security in my sleep. So I purchased a copy of ASL for only $200. Like Cloud Linux, I would say it is an invaluable server expense. I highly recommend it.

Its up and running and really seems to be deferring a lot of attacks. The mod security rule updater is really nice and the interface is very intuitive. You can easily see top domains/sites that are being attacked and good information about what types of attacks.

One thing I would have to say, is that their their installer is not as turn key as I thought it would be. For example, the software requires MySQL be configured for query caching but the installer doesnt seem to check for this. Would be nice if it did. As well since I am running Cloud Linux I was not interested in running the ASL kernel. For the time being it is important that I balance performance and security. It would have been nice if the installer gave me a choice about loading the ASL kernel or not (So my lazy self did not have to edit grup.conf). Another thing which was troublesome is that their was a small bug with bind and the iptables that is built into ASL which caused my DNS queries to stop working. (The resolution was to modify name.conf and comment out "allow-query { localhost; };"). After that the server started resolving dns queries properly again.

I would recommend installing ASL on production servers, but only with the help of the ASL support people. They offer installation as a free service and they really helped me out installing it. Their support staff are very helpful.

Do you have any input on the amount of ressources modsecurity uses with their rules ?

When we tried the free version of their rules on cPanels modsecurity Apache processes went from 26MB to 200MB and PHP scripts loading time went from 60ms to 400ms… (the x10 memory usage meant that the server could only manage 1/10th of the number of processes it could without their rules.

They say this is because cPanels version of modsecurity is not the same as theirs…

We have the delayed rules fr om Gotroot installed as part of the configserver package, and yes as Richard Hordern ( above ) mentions, the memory consumption went up 10 fold. Also the rules supplied are too strict for a shared hosting environment. We have many clients where some rules have interfered with their websites, and quite a few wh ere we have had to disable the rules completely for their web sites using Modsec control. Modsec rules on a shared server certainly stops some attacks but can cause a lot of problems. If it wasnt for Modsec control we would drop Gotroot rules for shared servers completely

How do you manage the 10 fold memory increase ? Do you add 10 times more memory ? What about delays before PHP scripts load ? Goroot say the large amount of memory usage is to save CPU but we still had a 6 fold slower load time for PHP scripts…

Our servers generally are at least 8 cores and >12GB ram so its not too bad. Still, we had to do some tweeks to Apache and add caching.
Its not ideal, and we would like to find an alternative to Gotroot for our shared servers.

If each Apache process uses 120MB of ram, 12GB of ram can only handle 100 apache processes… Our current servers have got 24GB ram and we found our server Swapping using Goroot rules. Without thier rules each apache process uses 25MB ram so the total capabiliy for apache processes when nothing else is running is 980 processes without Goroot and 204 with their rules… (counting 120MB and not 200MB).

We will soon be testing modsecurity core rules on a new server to see how much overhead they have vs goroots ruleset.

We use varnish cache so the most apache processes used is always less then 50

I looked into varnish some time ago but was worried about it causing problems with dynamic websites / htaccess files etc.

Are you pleased with it ? Does it have any issues with customers scripts like Wordpress / Joomla… or with .htaccess files ?

Are you using a specific implementation ? Maybe Unixy ?

With our next server were going with Fcgid + APC and although Ive got Magento loading pages in 160ms (excluding file download times) I wouldnt mind finding a way to go even further…