Plesk 10.4.4/ASL versus Plesk 10.4.4/CageFS

Community support for Plesk, CPanel, WebMin and others with insight from two of the founders of Plesk. Ask for help here! No question is too simple or complicated. :-)
PropelSec
New Forum User
Posts: 2
Joined: Mon Feb 27, 2012 1:31 pm
Location: Georgia

Plesk 10.4.4/ASL versus Plesk 10.4.4/CageFS

Post by PropelSec

Ok so here is the scenario.

I have 2 test systems going. (The winner will end up in production)

It is a shared hosting environment so security and site isolation are most important.

Performance is important but slightly minimized as each box has 32GB RAM and dual Quad core processors which should be enough to allow the main focus to stay on server security and site isolation rather than performance/security using up too much resources.

> Box1
CentOS 6 x86_64 - Plesk 10.4.4 and ASL Kernel (2.6.32.57-12.art.x86_64) - for all the extra benefits of ASL.

>> Box2
CloudLinux 6 x86_64 - Plesk 10.4.4 and Cloud Linux 6 Kernel that supports LVE and CageFS 3

Since Cloud Linux was listed as a supported OS I did try to use the ART Kernel but I see it is not compatible.

Ongoing questions are:
(1) Is the shared hosting site isolation in Plesk 10.4.4 good enough to ignore the Cloud Linux benefits and stick with the ASL Kernel and its added security (which is working out very nicely so far)?

(2) Would the Cloud Linux Site Isolation benefits (Security & High Availability) + Plesk 10.4.4 + ASL Lite (aka ModSecurity + updated rules) be the MORE SECURE way to go..?

(3) Would the ohh so tempting upcoming Tortix Enterprise Security package work without the ASL kernel (of course not but that also adds a little twist to things because if Tortix Enterprise Security does what it appears it will do on the check list chart shown on http://atomicorp.com/products/products-comparison.html then it cannot be overlooked too easily..)

Any insight, suggestions or just random opinions would be helpful!

Thanks,
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Plesk 10.4.4/ASL versus Plesk 10.4.4/CageFS

Post by scott

So short version, I'd recommend you go with CloudLinux and ASL. Run their kernel for now, and very soon we will support LVE in our kernel. You can switch to that one later.

1) The internal Plesk site isolation is mainly done by open_basedir in PHP, and permissions in the file system. The advantage of the ASL kernel is that we enforce a lot of those restrictions in the kernel. CageFS does that via the file system, which is good but without the kernel level enforcement can still be bypassed. I'd say this is one of those places where ASL & CageFS complement each other best.

2) You'd be losing out on a lot of other stuff with just Lite. Active response, vulnerability scanning, kernel doodads, HIDS, etc.

3) You'll be able to add Tortix to an existing ASL system. We're going for a modular approach with it, ASL is the framework.
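
The check below is an added example, not part of the original thread and not Atomicorp's or Plesk's code: it audits the per-site open_basedir settings that the reply above names as Plesk's main isolation mechanism. The Apache snippet is constructed, and the /var/www/vhosts/<ServerName> layout and the /tmp allowance are assumptions.

```python
import re
from posixpath import normpath

# Constructed sample: three Apache vhosts, not taken from a real Plesk server.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName alpha.example
    php_admin_value open_basedir "/var/www/vhosts/alpha.example/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
    ServerName beta.example
    php_value open_basedir "/var/www/vhosts/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
    ServerName gamma.example
</VirtualHost>
"""

VHOSTS_DIR = "/var/www/vhosts"  # assumption: one directory per site under here
SHARED_OK = {"/tmp"}            # assumption: the only path sites may share
VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
BASEDIR_RE = re.compile(
    r'^\s*(php_admin_value|php_value)\s+open_basedir\s+"?([^"\s]+)', re.M | re.I)


def audit_vhosts(conf_text):
    """Map ServerName -> list of open_basedir findings (empty list = clean)."""
    report = {}
    for block in VHOST_RE.findall(conf_text):
        name_match = NAME_RE.search(block)
        if name_match is None:
            continue  # no ServerName: cannot tell which site this block serves
        name = name_match.group(1)
        allowed = SHARED_OK | {VHOSTS_DIR + "/" + name}
        findings = []
        setting = BASEDIR_RE.search(block)
        if setting is None:
            findings.append("open_basedir not set")
        else:
            if setting.group(1).lower() == "php_value":
                findings.append("set with php_value, not php_admin_value")
            for entry in setting.group(2).split(":"):
                path = normpath(entry)
                if not any(path == a or path.startswith(a + "/") for a in allowed):
                    findings.append("outside site root: " + entry)
        report[name] = findings
    return report
```

The php_value finding matters because, per the PHP manual, only settings made with php_admin_value cannot be overridden from .htaccess or ini_set().
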
PropelSec
New Forum User
Posts: 2
Joined: Mon Feb 27, 2012 1:31 pm
Location: Georgia

Re: Plesk 10.4.4/ASL versus Plesk 10.4.4/CageFS

Post by PropelSec

That sounds like very solid advice/logic, thanks!

I agree and will take your recommended route and also keep the full ASL.