Securing shared hosting using CageFS



Igor Seletskiy. CEO, CloudLinux

Oct 10, 2011
- Linux OS based on RHEL source RPMs
- Binary compatible with RHEL 5.x/6.x and CentOS 5.x/6.x
- Made for shared hosting companies
- Focus on stability and security
- Excellent, free 24/7 support
- Affordable for companies of any size
- CloudLinux delivered patches for several local exploits days before RHEL and CentOS

- A single customer is the most common cause of downtime
- Getting rid of spikes would prevent issues for other customers
- Hard and expensive to investigate
- Takes time to track, which results in downtime for the server

- Lightweight resource limits: CPU / concurrent connections / memory
- Virtualized file system: CageFS
- Transparent to the administrator
- Easy to deploy to CentOS/RHEL servers
- No need to set up per-customer limits
- Easy to monitor resource usage on a per-user basis
- Works with ANY control panel

- Better stability
- Improved security
- No server slowdowns
- No need to suspend customers due to resource abuse
- Simplifies upsell to higher plans / VPS
- Removes the need to upsell to VPS
- Ability to track usage on a per-customer basis
- Less support
- Better density

- Exploit vulnerabilities in web applications: outdated, buggy, insecure
- Brute-force passwords
- Attack 0-day vulnerabilities in Apache/PHP, etc.
- Sign up using a stolen credit card
- A shared host cannot prevent hackers from executing arbitrary code on its server

- One compromised account is often enough to take over the whole server
- Find out all users on the server
- Symbolic link attacks against WordPress config files:
  ln -s ~user1/public_html/wp-config.php ~hacker/public_html/read.html
- Scan for bad permissions
- Privilege escalation attacks

- Anything that can be done via shell can be done via CGI
- The majority of things can be done via PHP
- PHP is not secure
- Cron is another way to execute scripts
- The first thing a hacker does after gaining access to an end-user account: installs a PHP shell

"The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now." -- php.net

- mod_php depends on safe mode
- Not reliable
- Deprecated as of PHP 5.3.0, removed in PHP 5.4.0

- Per-user virtualized file system
- Users can see only their own files and safe system files
- Virtualized /etc, including the passwd file: no config files listing all the users
- Only one user in /home: no presence of other users
- Virtualized /proc: a user can see only their own processes
- No SUID software
- Virtualized /dev file system

- One user cannot see any other users
- Protects shell, cron and web sessions
- Can support any PAM-enabled service
- Cannot see other users' processes
- Provides a safe environment
- Users can feel protected
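Added example, not part of the deck or of CloudLinux's own tooling: a small audit run from inside a customer account after CageFS is switched on, checking three of the properties listed on the two slides above (only one account visible in /etc/passwd, only one entry in /home, no SUID binaries). It assumes the usual /etc/passwd, /home and /usr/bin layout; SAMPLE_PASSWD is constructed data standing in for an uncaged view.

```python
import os
import pwd
import stat

# Constructed /etc/passwd content standing in for what an uncaged account sees.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
user1:x:1001:1001::/home/user1:/bin/bash
user2:x:1002:1002::/home/user2:/bin/bash
hacker:x:1003:1003::/home/hacker:/bin/bash
"""

def leaked_accounts(passwd_text, my_name, min_uid=1000):
    """Customer accounts (uid >= min_uid) visible besides my own.
    A virtualized /etc/passwd should leave this list empty."""
    found = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[2].isdigit() and int(f[2]) >= min_uid and f[0] != my_name:
            found.append(f[0])
    return found

def other_homes(home_dir, my_name):
    """Entries under /home that are not mine ("only one user in /home")."""
    try:
        return sorted(d for d in os.listdir(home_dir) if d != my_name)
    except OSError:
        return []

def suid_files(dirs):
    """Regular files with the set-uid bit under the given directories ("no SUID software")."""
    hits = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    hits.append(path)
    return sorted(hits)

def audit(passwd_path="/etc/passwd", home_dir="/home", bin_dirs=("/usr/bin", "/bin")):
    """Run the three checks against the live system as seen by this account."""
    try:
        me = pwd.getpwuid(os.getuid()).pw_name
    except KeyError:  # uid without a passwd entry (e.g. inside a container)
        me = str(os.getuid())
    with open(passwd_path) as f:
        passwd = f.read()
    return {"accounts": leaked_accounts(passwd, me),
            "homes": other_homes(home_dir, me),
            "suid": suid_files(bin_dirs)}
```

Every list returned by audit() should be empty inside the cage; anything listed is a gap in the isolation worth investigating.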

- Can be deployed to production servers with live users
- Easily switched on / off
- Web interface for most control panels
- Powerful command line tool
- Very flexible, supports highly customized deployments
- Supported control panels: cPanel, Plesk, ISP Manager, DirectAdmin, InterWorx

- Protection against symbolic link attacks, part of CageFS
- Better than SymLinksIfOwnerMatch
- Doesn't suffer from the race condition
- Better performance

"This option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable." -- Apache documentation, http://httpd.apache.org/docs/2.2/mod/core.html
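Added example, not from the deck and not CageFS's implementation: the race-free shape of the owner check that SymLinksIfOwnerMatch lacks. Each path component below the docroot is opened with O_NOFOLLOW relative to the previous directory descriptor and ownership is verified with fstat() on the descriptor actually opened, so there is no lstat-then-open window in which a symlink could be swapped in. The docroot, file names and the "foreign" uid in demo() are constructed.

```python
import errno
import os
import tempfile

def open_if_owned(base_dir, rel_path, owner_uid):
    """Open base_dir/rel_path for reading only if every component below
    base_dir is a real directory entry (never a symlink) owned by owner_uid.
    Ownership is checked on the opened fd, not on a path, so there is no
    check-then-use window. Returns the open fd; the caller closes it."""
    fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    try:
        for name in [p for p in rel_path.split("/") if p and p != "."]:
            if name == "..":
                raise PermissionError("parent traversal not allowed")
            # ELOOP here means `name` is a symlink: refused, never followed.
            nxt = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=fd)
            os.close(fd)
            fd = nxt
            st = os.fstat(fd)
            if st.st_uid != owner_uid:
                raise PermissionError(f"{name}: owned by uid {st.st_uid}, not {owner_uid}")
        return fd
    except BaseException:
        os.close(fd)
        raise

def classify(base_dir, rel_path, owner_uid):
    """Short verdict for open_if_owned(): served content or the reason refused."""
    try:
        fd = open_if_owned(base_dir, rel_path, owner_uid)
    except OSError as e:
        return "refused:symlink" if e.errno == errno.ELOOP else "refused:owner"
    with os.fdopen(fd) as f:
        return "served:" + f.read().strip()

def demo():
    """Constructed docroot: a real page plus read.html -> wp-config.php outside it."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as docroot, tempfile.TemporaryDirectory() as other:
        secret = os.path.join(other, "wp-config.php")
        with open(secret, "w") as f:
            f.write("DB_PASSWORD=constructed")
        with open(os.path.join(docroot, "index.html"), "w") as f:
            f.write("hello")
        os.symlink(secret, os.path.join(docroot, "read.html"))
        return {"regular": classify(docroot, "index.html", me),
                "symlink": classify(docroot, "read.html", me),
                "wrong_owner": classify(docroot, "index.html", me + 1)}  # simulated foreign owner
```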

Type                  CPU   Memory   IO         Number of connections   CageFS
mod_php               Yes   No       Maybe      Yes                     No*
mod_php + mod_ruid2   Yes   No       Maybe      Yes                     No*
mod_php + MPM_ITK     Yes   Maybe    Maybe      Yes                     Yes
mod_suphp             Yes   Yes      Apr 2012   Yes                     Yes
mod_fcgid             Yes   Yes      Apr 2012   Yes                     Yes
mod_cgi               Yes   Yes      Apr 2012   Yes                     Yes
FPM                   Yes   Yes      Apr 2012   Yes                     Yes
LiteSpeed             Yes   Yes      Apr 2012   Yes                     Yes

Most Customers Deploy CloudLinux To Existing Production Servers

Visit Us At CloudLinux Booth http://www.cloudlinux.com