Atomic Secured Linux + CL + cPanel ?
  1. eminos
  2. Wednesday, 23 July 2014
Atomicorp answers for Igor to confirm or deny.
  1. 23.07.2014 16:07:46
  2. # 1
eminos Accepted Answer
Posts: 10
Joined: 07.10.2012
Hello!

I was thinking about securing my server with ASL on top of CL and cPanel that I'm already running.
I've asked a couple questions on Atomicorp's forum, and I got an answer from Michael over there.

I'd love for Igor (or some other pro) here at CloudLinux to just take a look at that, and confirm or deny the answers I got from Michael at Atomicorp.
Basically, Michael said:

- ASL kernel gives a bunch of protection that the CL kernel doesn't.
- ASL + CL (running CL kernel, not ASL kernel) + cPanel will work fine together, with no issues or performance hit.

I'd like to ask you CloudLinux pros the same questions. Is there any point in getting ASL? And if there is, will I encounter any problems?

Here is the forum thread over there, together with my questions in full:
https://www.atomicorp.com/forums/viewtopic.php?f=3&t=7722

Thank you in advance!

/E
  1. 23.07.2014 18:07:55
  2. # 2
Igor Seletskiy Accepted Answer
Posts: 1200
Joined: 09.02.2010
1. ASL kernel gives a bunch of protection that the CL kernel doesn't 
This is in essence true. There is a small print statement missing though: beyond their buffer/stack overflow protection that comes from grsecurity -- everything else requires manual configuration, that most likely -- will not be compatible with shared hosting anyway. Mileage might vary, but make sure to check 'how' you can use that protection in your setup first - and if it would be possible to enable it. I haven't checked it in a long time - but last time I checked, most things weren't easy to make work with a shared hosting setup.

2. Yes, ASL + CL kernel would work together. We do get people having 'conflicts' from time to time. They are neither really common, nor uncommon -- but right in the middle to be bothersome enough for me to remember them. Yet, not bothersome enough to do much about them :(
  1. 24.07.2014 06:07:28
  2. # 3
Richard Hordern Accepted Answer
Posts: 219
Joined: 19.03.2011
We tried working with them.

Their support was good, and everything was fixed in a timely manner.

However, we quickly discovered that their modsecurity ruleset was not for us…

At that time they didn't have a ruleset compatible with Litespeed, now they do. So we had to run T-WAF in front for Litespeed, and their T-WAF crashed sometimes and had no automatic detection / restart feature. Now I believe you can run the rules directly in Litespeed so this is no longer an issue.

With Apache our response times went from 20ms to 130ms and with Litespeed + T-WAF from 10ms to 110ms (cPanel's Apache doesn't have JIT built in). But this was still too slow.

Then we had to keep contacting them to fix rule after rule, we must have had about 5% of the sites we host that had issues.

In the end we decided that we should better spend time informing our customers and telling them to do updates than to slow down all sites and host 5 times less customers on the same server.

We're thinking about setting up a very small ruleset to protect against things that can't be fixed with an update like brute force attacks.
  1. 24.07.2014 13:07:31
  2. # 4
eminos Accepted Answer
Posts: 10
Joined: 07.10.2012
Thank you very much for your answers!

So both of your answers deny some of Michael's answers. There ARE some conflicts from time to time, and there IS a performance hit (mod_security rules I guess).

So right now I don't really know whether to get ASL or not. Probably not... for now.

Are there some other security solutions that are recommended for a shared hosting setup?
Right now I'm just running cPanel's default mod_security rules. Good idea or bad idea?
  1. 24.07.2014 15:07:25
  2. # 5
Igor Seletskiy Accepted Answer
Posts: 1200
Joined: 09.02.2010
Have you tried waf.comodo.com?