Atomic Secure Linux
  1. Mikael Pettersson
  2. 24.04.2012
Is it worth the price, and is it a robust and secure system?
  1. 24.04.2012 18:04:30
  2. # 1
Mikael Pettersson Accepted Answer
Posts: 8
Joined: 15.12.2011
Hello
I'm working on a Security review of our servers. And as a part of that I'm looking for a service/repo that will handle rules for mod_secure or similar modules.
We are running CL as a semi trial on our main server, but while it protects the server from load issues, it still doesn't handle active threat detection and prevention.

While I was looking for solutions, I found the Atomic Secure Linux.
But I would like some more third hand information/thoughts/reviews about this product.
Is it secure?
Will it implement the security rules without compromising the functionality of standard CMS systems like Joomla, Wordpress, Prestashop and Drupal etc?

Some issues with their site give me pause as to the quality of the product.
They have (at least for the time being) an issue on the homepage where the 'product updates' feed isn't working.
And there doesn't seem to be a lot of chat about their products on the internet ... a Google search hardly turns up anything...

On their site, they state that they support both CL and Interworx. I would love to get any feedback from a CL rep on their (personal or official) view of the product.

Anyone here that is or have been using/trying ASL?
  1. 24.04.2012 18:04:20
  2. # 2
Igor Seletskiy Accepted Answer
Posts: 1194
Joined: 09.02.2010
I see a lot of people using ASL, and I think they have a pretty good product.
From what I know -- mod_security/their rules are quite good.
If you use them with CloudLinux -- you would be running our kernel, that provides some advanced security features. Not sure how good those are -- but most are not really applicable to shared hosting anyway.

They also have proftpd with clamav integration that automatically checks if uploaded files have viruses, as well as updated versions of a bunch of packages (like php/etc...)
  1. 13.09.2012 23:09:45
  2. # 3
Wesley Render Accepted Answer
Posts: 49
Joined: 16.05.2011
I am looking at introducing further security to my shared hosting environment as well. Did you have any luck with ASL? Currently I am using Config Server Security & Firewall to block attacks and it has worked well.

I am also selling my clients Config Server ModSecurity Control, with delayed rules from GotRoot.    If my clients pay an additional amount per year, they basically get the mod security enabled.  It helps cover the cost of security licenses.  Not sure if this is really a good security/business model, but I think it's good to charge for additional security features.

Anyone else have more input on securing a shared linux hosting environment further than cloud linux...application firewalls etc...?
  1. 14.09.2012 04:09:43
  2. # 4
Mikael Pettersson Accepted Answer
Posts: 8
Joined: 15.12.2011
I recently made a push to try it on one of our servers.
There were some minor configuration problems that I didn't get sorted in the time I had to try it, so I had to uninstall it.
It feels like a solid product, and we still run some of the systems installed by ASL (rootkit hunter).

We are working on a support agreement for our customers, and will probably run a separate server with ASL for those customers that sign up.
I think it might be easier to set it up on a fresh server so that you don't need to take it offline for a few hours to fix the security settings.
The default security is set really high and restrictive, so you will need time to adapt it for your needs. And you don't want to do that on a live server. Expect to take about 10-12 hours to set up and configure your first ASL server.
  1. 24.09.2012 00:09:44
  2. # 5
Wesley Render Accepted Answer
Posts: 49
Joined: 16.05.2011
Thanks for the info Mikael. I don't have a lot of servers to play around with right now, but I just ordered a new server which should arrive in a few weeks. I'll most likely try and set up a virtual machine with cPanel & ASL on it and see how it installs, configures and runs.
  1. 24.09.2012 00:09:58
  2. # 6
Wesley Render Accepted Answer
Posts: 49
Joined: 16.05.2011
I forgot to ask, has anyone dealt with Trustwave?  I tried to call them a few times, but they never returned my call, and I couldn't speak to anyone.  I guess I am too small for them to give me the time of day.   They say they are the "primary custodian" of mod security, so I was thinking they would have some sort of linux based solution for application firewall.

https://www.trustwave.com/modsecurity-rules-support.php

I should be maybe discussing this more on the cPanel website, as mod security doesn't really have a whole lot to do with the OS.  Seems like Cloud Linux community is pretty up on security though :)
  1. 02.11.2012 23:11:46
  2. # 7
Wesley Render Accepted Answer
Posts: 49
Joined: 16.05.2011
My main cPanel server was hacked into by the recent cPanel/EXIM vulnerability (Good times).  After root had been compromised I was a little paranoid about security.  Apparently I was talking about website security in my sleep.  So I purchased a copy of ASL for only $200.  Like Cloud Linux, I would say it is an invaluable server expense.  I highly recommend it.

It's up and running and really seems to be deferring a lot of attacks.  The mod security rule updater is really nice and the interface is very intuitive.  You can easily see top domains/sites that are being attacked and good information about what types of attacks.

One thing I would have to say is that their installer is not as turn key as I thought it would be. For example, the software requires MySQL be configured for query caching but the installer doesn't seem to check for this. Would be nice if it did. As well, since I am running Cloud Linux I was not interested in running the ASL kernel. For the time being it is important that I balance performance and security. It would have been nice if the installer gave me a choice about loading the ASL kernel or not (So my lazy self did not have to edit grub.conf). Another thing which was troublesome is that there was a small bug with bind and the iptables that is built into ASL which caused my DNS queries to stop working. (The resolution was to modify named.conf and comment out "allow-query     { localhost; };"). After that the server started resolving DNS queries properly again.

I would recommend installing ASL on production servers, but only with the help of the ASL support people.  They offer installation as a free service and they really helped me out installing it.  Their support staff are very helpful.
  1. 03.11.2012 03:11:08
  2. # 8
Richard Hordern Accepted Answer
Posts: 212
Joined: 19.03.2011
Do you have any input on the amount of resources modsecurity uses with their rules?

When we tried the free version of their rules on cPanel's modsecurity, Apache processes went from 26MB to 200MB and PHP scripts loading time went from 60ms to 400ms… (the x10 memory usage meant that the server could only manage 1/10th of the number of processes it could without their rules).

They say this is because cPanel's version of modsecurity is not the same as theirs…
  1. 03.11.2012 04:11:04
  2. # 9
kernow Accepted Answer
Posts: 72
Joined: 06.08.2010
We have the delayed rules from Gotroot installed as part of the configserver package, and yes, as Richard Hordern (above) mentions, the memory consumption went up 10 fold. Also the rules supplied are too strict for a shared hosting environment. We have many clients where some rules have interfered with their websites, and quite a few where we have had to disable the rules completely for their web sites using Modsec control. Modsec rules on a shared server certainly stop some attacks but can cause a lot of problems. If it wasn't for Modsec control we would drop Gotroot rules for shared servers completely :(
  1. 03.11.2012 04:11:07
  2. # 10
Richard Hordern Accepted Answer
Posts: 212
Joined: 19.03.2011
How do you manage the 10 fold memory increase? Do you add 10 times more memory? What about delays before PHP scripts load? Gotroot say the large amount of memory usage is to save CPU but we still had a 6 fold slower load time for PHP scripts…
  1. 03.11.2012 05:11:48
  2. # 11
kernow Accepted Answer
Posts: 72
Joined: 06.08.2010
Our servers generally are at least 8 cores and >12GB RAM so it's not too bad. Still, we had to do some tweaks to Apache and add caching.
It's not ideal, and we would like to find an alternative to Gotroot for our shared servers.
  1. 03.11.2012 07:11:41
  2. # 12
Richard Hordern Accepted Answer
Posts: 212
Joined: 19.03.2011
If each Apache process uses 120MB of RAM, 12GB of RAM can only handle 100 Apache processes… Our current servers have got 24GB RAM and we found our server swapping using Gotroot rules. Without their rules each Apache process uses 25MB RAM, so the total capability for Apache processes when nothing else is running is 980 processes without Gotroot and 204 with their rules… (counting 120MB and not 200MB).

We will soon be testing modsecurity core rules on a new server to see how much overhead they have vs Gotroot's ruleset.
  1. 03.11.2012 07:11:55
  2. # 13
kernow Accepted Answer
Posts: 72
Joined: 06.08.2010
We use varnish cache so the most Apache processes used is always less than 50 :)
  1. 03.11.2012 09:11:27
  2. # 14
Richard Hordern Accepted Answer
Posts: 212
Joined: 19.03.2011
I looked into varnish some time ago but was worried about it causing problems with dynamic websites / htaccess files etc.

Are you pleased with it ? Does it have any issues with customers scripts like Wordpress / Joomla… or with .htaccess files ?

Are you using a specific implementation ? Maybe Unixy ?

With our next server we're going with Fcgid + APC and although I've got Magento loading pages in 160ms  (excluding file download times) I wouldn't mind finding a way to go even further…
  1. 03.11.2012 10:11:06
  2. # 15
kernow Accepted Answer
Posts: 72
Joined: 06.08.2010
Hi,
We use the cPanel Unixy varnish plugin which has proved excellent and worth the money. We run suphp as it's more secure but it is slower, but we noticed a big difference in page load times after installing varnish. No problems with any software or .htaccess and there are options to exclude websites from varnish and pass them directly to Apache. There's also a "slashdot" option that serves up pages stripped of cookies etc for super fast loading if you have sites that get hit hard. One thing to note, if you give varnish say 2GB of memory it will soon clock up around 2>3 GB swap so you need to be careful when setting the memory limit.
  1. 03.11.2012 11:11:35
  2. # 16
Wesley Render Accepted Answer
Posts: 49
Joined: 16.05.2011
I don't know how much overhead mod security is causing, but when running Cloud Linux with suPHP to limit resources, and ASL with mod security I have only seen an improvement in overall server performance.  I'm running a xeon 8 core, with 16GB.  Most websites are Drupal and Wordpress, but also a few Joomla.  My server is running at an average of 24% CPU usage, with a Max of 52% usage according to nagios snmp monitoring.

I did try the delayed mod security rules before with mod sec control and I did notice quite a large spike in CPU usage.   As well I did have to make a lot of exceptions for clients websites.  This was about 2 years ago though.  I think there have been a lot of improvements since with the actual mod security software itself to make it more efficient with processing.

Another thing I have noticed over the past 2 years is that there are a lot of web crawler bots that drain server resources. For example I have a client that runs a website with over 70,000 Drupal pages. Google bot kept coming and overloading it. Cloud Linux has really helped with the load/resource issues. Apparently the new ASL also has crawler protection built into their rules which I think is also going to be helpful. Also, this website gets about 600-1000 attacks a day in mod security, so I do think that the amount of attacks it defers way outbalances how much CPU usage mod security would be using. As well, a major problem for me has also been getting MySQL 5.5 tuned properly. I have been using mysqltuner.pl but it always asks to allocate more and more resources to MySQL, and when I do it my CPU then starts overloading from MySQL. I have recently reduced my table_cache from 20,000 to only 5000 which seems to have resolved MySQL using all of the resources on the server.
  1. 03.11.2012 12:11:05
  2. # 17
kernow Accepted Answer
Posts: 72
Joined: 06.08.2010
Maybe for your MySQL problem you could try the Cloudlinux MySQL governor? At the very least it should tell you which database is causing the problems and from there you could try to optimise the table. We found that simply converting a table to InnoDB helped on one database.
  1. 03.11.2012 14:11:18
  2. # 18
Wesley Render Accepted Answer
Posts: 49
Joined: 16.05.2011
Thanks kernow. I was hesitant to install MySQL governor because it is still in beta I think. Have you tried it? I have switched some databases over to InnoDB which has really improved the performance. The MySQL slow query log helped me identify problem areas of databases. The problem is I think some of the databases are getting a bit large... over 1GB, so that it is really hard work for the hard disks to process queries. I've got local 15K rpm SAS drives, but I may have to look at setting up another server soon with solid state drives. Last time I checked the solid state drives were about $999 per drive though. Ouch!
  1. 03.11.2012 16:11:43
  2. # 19
kernow Accepted Answer
Posts: 72
Joined: 06.08.2010
Hi,
Haven't tried the MySQL governor yet, but I guess you can always swap back if it doesn't work out. The support from Cloudlinux is very quick in our experience so you can always submit a ticket if problems occur. I really don't think it's worth buying your own hardware any more, it seems cheaper nowadays to rent/lease. If your server is really under load mainly from MySQL and you can't tune it any more it might be worth looking at setting up a dedicated MySQL server, or just move the heavy load sites onto a VPS.
  1. 27.11.2012 03:11:32
  2. # 20
Richard Hordern Accepted Answer
Posts: 212
Joined: 19.03.2011
@ Wesley Render


We'll be installing ASL next weekend and be checking out page load times with and without it as well as memory consumption to see if it will work for our customers. Have you had any problems with it (except excluding some rules I suppose…) ?

@ Kernow
I installed the Unixy varnish plugin yesterday on a server that isn't in production yet and I've noticed that it doesn't play well with quite a lot of scripts (still waiting for an answer from Unixy support…).

The first script we tried varnish on is Magento as it's one of the slowest scripts out there… I connected to the client area, and changed my address, saved and the page was served from cache…

I'm also not sure how well it will play with scripts that have their admin folder renamed, or scripts that have non-ajax contact forms…

I'll see what Unixy's support suggests but we might have to abandon their product unless they provide a way to have opt-in instead of opt-out. If we had opt-in we could offer Varnish as an option and the customer would know he had to make his scripts compatible with varnish. A shame Unixy doesn't provide the ability for cPanel users to activate / deactivate varnish on their own…