Calling out all ASL/cPanel users: recommended ASL config?

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
fabioganga
New Forum User
Posts: 2
Joined: Thu Dec 05, 2013 3:22 pm
Location: Bedford, UK


Dear friends at Atomicorp and friends of the forum,

I have happily been using ASL 3.2.14-31 with cPanel 11.40 on my CentOS 6.4 64-bit system with the ASL secure kernel, and I'm loving it every day more and more.

I'm a very small hosting provider, and I run things pretty much on my own, along with external freelancers hired as and when needed.

As I'm still very new to ASL, I have tried to research here on the forum some insight on recommended configuration of ASL with a cPanel server, but I have found a variety of very useful posts but no recommended configuration from users or staff.

At present, I have, as per recommendation, uninstalled mod_security and clamav from within cPanel, as I wish ASL only to deal with that.

As my system also uses WHMCS (although I am looking for a viable option to scrap it entirely because of its poor security), I have to leave the curl_exec feature active as it's needed by its licensing system.

I understand each system is different and each sys admin works differently, but I would definitely welcome it loads if cPanel users out there would share their configuration with me (stripped of any sensitive data of course, if present) or recommend some tips/hints that they have experienced themselves.

Many thanks to all!

Fabio
fabioganga
New Forum User
Posts: 2
Joined: Thu Dec 05, 2013 3:22 pm
Location: Bedford, UK


up

Nobody uses cPanel and ASL just like me? :shock:
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Some common things to avoid you already pointed out: avoid using cPanel-managed mod_security (we have hooks to help automatically do this already), and clamav.

Don't use Apache 2.4, which we document in the pre-reqs. Support modules haven't caught up with this yet, not to mention the ones that have aren't performing very well. Things are improving though, I suspect other modules will catch up with it in the next few quarters.

Do use the ASL kernel, as a number of services on cPanel are not compiled with compiler & library level stack protections. This is a significant reduction in security posture over the vendor distributed packages, plus the kernel's method is far more advanced than the compiler level protections. BTW- We'll have a vulnerability scanner to ID this soon, but it's the obvious ones, things like the cPanel httpd, php, and mysql packages.
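
As an added illustration of the point above about services built without compiler and library level stack protections (this code is not part of the thread and is not Atomicorp's scanner), the following Python reads a 64-bit ELF file's dynamic symbol table and reports whether it imports `__stack_chk_fail` or glibc's `__*_chk` wrappers. It assumes those protections mean GCC's `-fstack-protector` and glibc's `_FORTIFY_SOURCE`; the function names and the sample images are constructed for the example.

```python
import struct, sys

CANARY = "__stack_chk_fail"   # imported by objects built with -fstack-protector

def dynamic_symbols(elf: bytes) -> set:
    """Names in .dynsym of a 64-bit little-endian ELF image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF")
    # e_shoff at 0x28, then skip 10 bytes to e_shentsize and e_shnum at 0x3A
    shoff, shentsize, shnum = struct.unpack_from("<Q10xHH", elf, 0x28)
    names = set()
    for i in range(shnum):
        sh = struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize)
        sh_type, offset, size, link, entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type != 11 or entsize == 0:          # 11 = SHT_DYNSYM
            continue
        # sh_link names the string table section; its sh_offset sits at +0x18
        strtab, = struct.unpack_from("<Q", elf, shoff + link * shentsize + 0x18)
        for j in range(1, size // entsize):        # entry 0 is the null symbol
            st_name, = struct.unpack_from("<I", elf, offset + j * entsize)
            end = elf.index(b"\0", strtab + st_name)
            names.add(elf[strtab + st_name:end].decode("ascii", "replace"))
    return names

def protection_report(elf: bytes) -> dict:
    """Absence is a hint, not proof: static or canary-free code imports nothing."""
    syms = dynamic_symbols(elf)
    fortified = sorted(s for s in syms if s.startswith("__") and s.endswith("_chk"))
    return {"stack_protector": CANARY in syms, "fortified_calls": fortified}

def sample_elf(symbols) -> bytes:
    """Constructed image: ELF header, .dynstr, .dynsym and three section headers."""
    dynstr = b"\0" + b"".join(s.encode() + b"\0" for s in symbols)
    dynsym, pos = bytes(24), 1
    for s in symbols:
        dynsym += struct.pack("<IBBHQQ", pos, 0x12, 0, 0, 0, 0)
        pos += len(s) + 1
    sym_off = 64 + len(dynstr)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, sym_off + len(dynsym), 0, 64, 0, 0, 64, 3, 0)
    def sh(kind, off, size, link, ent):
        return struct.pack("<IIQQQQIIQQ", 0, kind, 0, 0, off, size, link, 0, 1, ent)
    return (hdr + dynstr + dynsym + bytes(64)
            + sh(3, 64, len(dynstr), 0, 0) + sh(11, sym_off, len(dynsym), 1, 24))

if __name__ == "__main__":
    images = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "constructed-hardened": sample_elf([CANARY, "__memcpy_chk", "malloc"]),
        "constructed-plain": sample_elf(["memcpy", "malloc"])}
    for name, data in images.items():
        print(name, protection_report(data))
```

Run it with the paths of the binaries to check as arguments; with no arguments it reports on the two constructed images.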