Vote for New features in ASL

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Vote for New features in ASL


Now that ASL 4 is out, we're focusing on the next set of features to add into ASL. So it's time to tell us what you want in the next major release. As long time users know, we use a user driven release and feature cycle. Based on what we can accomplish in short blocks of development and testing, we build in the most popularly requested features for the next release.

So if you want us to add something to ASL, change something, etc - let us know!

We're changing up the rules this time: instead of voting for one feature (which you can certainly do), if you want to vote for more than one feature, put your feature requests in order of priority. For example:

1. Chocolate Cake
2. Pumpkin Pie

The rules are simple:

1. The more elaborate the feature, the longer it takes, so other features may get bumped
2. The sky is the limit, but take care to remember rule #1.
3. You may vote for as many features as you want, just put them in order of importance to you. You can change your vote at any time.
4. Write-ins are OK, and encouraged. We will update the candidate list as they come in.

Previous customer candidates that are still open (if we missed something, let us know):

Candidate #1: Geoblocking requests on a domain/vhost level: Block/Whitelist certain countries on a per vhost/subdomain basis instead of server wide (Note: for purely IP based services, that is ones where there is no domain context, this isn't possible unless the IP is exclusively used by that domain, and nothing else)

Candidate #2: More rule classification types: Currently you can only enable/disable several major classes, i.e. spam, blacklist, etc. Please change this so that you can more define which types you want active. For example, if I want to disable anything that checks on the referer - I have to disable them one by one or to check the files themselves, disable the rules individually and then hope they don't change or more don't get added later on down the road. Some of these could be in multiple classes too such as referer spam, blacklist or malware in referer, etc. Please change it so that I can turn off referrer checks altogether regardless of which parent rule set it's in.
Or add sub classes to each so that I can turn off certain checks against args, certain sub classes against referrers, etc.

Candidate #3: Support for mod_cband, to replace mod_bw in Plesk. With default values and the ability to set bw limits per vhost, throttling, and a sort of QoS priority but on a vhost level

Candidate #4: Going a little further it would be great to setup PSA so that when a new system user is created it adds them to the RBAC for that group so that FCGI can be limited by roles for a group rather than per user. It would also be nice if you could tie this into some kind of resource management so that users in that group can't have processes that use more than X amount of resources - although I'm not sure if that would be better suited for something like PAM even though the users never get a shell.

Candidate #5: auto-resizing GUI for smaller screens.

Candidate #6: Manually roll back rules to older version

Candidate #7: Per domain "log only" mode for WAF with a timer to turn it back on to block mode (15m, 1h, 1d, etc.)

Candidate #8: In GeoBlocking GUI, ability to click on country to see IP range that ASL uses. (you can see the ranges now in the country-map.gz file in /var/asl/data)

Candidate #9: Cancel false positive/negative button in GUI

Candidate #10: Configure ASL to use the Control Panel SSL and not the OS server one which most people that run control panels do not even realize that once a server is built and the control panel is installed and they purchase a server wide SSL for the CP that it does not cover the one that is created when a server is first built.

Candidate #11: ASL support for Ubuntu

Candidate #12: Add in special user defined whitelist for just RBL rules

Candidate #13: Add in suhosin to ASL

Candidate #14: Add in mod_qos to ASL (This will be released possibly in 4.0.6)

Some internal candidates we came up with:

Atomicorp Candidate #1: Add in domain delegation capabilities in ASL. For example, spam rules and redaction are delegated to the domain owner. Domain owner can only see their events in the ASL GUI, and can disable rules the system owner has delegated to them (the defaults from us would be things like spam rules, XSS, redaction and the like - things that could cause the system itself to be compromised or DOSed wouldn't be delegated by default)

Atomicorp Candidate #2: Redirect web page for blocks that explains why they were blocked and provides options based on the policy set by the system owner (example, give them a captcha and allow for spam, admin password and allow XSS rules, report as false positive, request unblocking on IP or unblock it self-service style, etc.) Also for cases where the system owner does not want them to disable the rule, or allow the event, give them information to contact the system owner to resolve the issue. (the domain and/or system owner would be able to disable/enable this depending on the type of rule triggered). Allow classes of redirects, for example spam redirect with a captcha or possibly a password override so the user can tell the system to ignore the block and let it thru (the domain and/or system owner would be able to disable/enable this)

Atomicorp Candidate #3: Add in different kinds of active response, for example if a particular account is attempted to be logged into too many times with bad passwords, lock the account but don't shun the IP. SMTP/POP/IMAP may be good candidates to start with (these are highly application specific, the app would have to support lock outs and would have to be known to react to the specific log entry that have web application, courier for example has unique log entries that are different from dovecot, etc.)

Atomicorp Candidate #4: Make malware/spam domains and malware file lists editable (so you can add/remove/modify).

Atomicorp Candidate #5: Upgrade, but do not enable option. For example, if ASL adds in new PHP checks, do not enable the fix automatically, just report this as a vulnerability.

Atomicorp Candidate #6: Add in "explain" window that autoloads to the side of the "Event Detail" window that will include the wiki page for that event automatically when you view the event. Right now, we provide a "Read more" link that takes you to the wiki page.

Atomicorp Candidate #7: Don't log events for this IP, but allow block actions to continue. For example, a PCI-DSS scanner will expect the system to have a WAF, so you don't want to whitelist it, but you also may not care to know it's scanning you.

Atomicorp Candidate #8: Add in an "action" column to security events, to explain if ASL blocked, did not block, etc. the event. By default most events are blocked, but with the new "log only" option for the WAF, and upcoming redirect options plus the new rule manager which allows rules to be modified as log only this seems helpful to remind an admin of what is, and is not happening with an event.

Atomicorp Candidate #9: More granularity on the rule manager, such as being able to add arguments to ignore on the fly for WAF rules, or to change thresholds for HIDS rules (such as # of auth failures, in X seconds to trigger the rule)

Atomicorp Candidate #10: File integrity GUI - report which username changed the file (where possible) in the GUI

Atomicorp Candidate #11: Add cgroups/per user limits to ASL (so you can constrain a domain, limit resources it can use, CPU, memory, disk, etc.)

Atomicorp Candidate #12: User defined geoip ranges.

Atomicorp Candidate #13: RBAC rules gui

Atomicorp Candidate #14: Add in two factor authentication for services like FTP, ASL GUI, SSH, etc.

And new features we are finishing right now, that will be available soon:

Atomicorp Candidate #1: Atomic Threat Intelligence System - A new feature coming to ASL that's driven by our honeypots and contains all the IPs from attackers, spammers, etc. and will automatically block advanced threats because of our Threat Intelligence group's research, and real time attack data. We're also working on an enhancement of this that would allow you to create your own RBL based on your own data sources, including some or all of ours and other ASL users (that chose to share information with you of course) and allows you to share redacted anonymous threat intelligence information with us about the systems that are attacking you.
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Vote for New features in ASL


I would very much appreciate if no functionality was hidden behind a graphical interface. Please make it a strict policy to keep all ASL features available via a command-line interface. Using the webgui takes a huge amount of extra time (money) and introduces annoyances (such as the requirement of a full browser) as opposed to using the command-line interface. This will significantly increase the happiness of us folks managing many servers.
Lemonbit Internet Dedicated Server Management
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Vote for New features in ASL


#3 mod_cband and
#10 control panel ssl

And I would add my own suggestion too: Rewrite the GUI from scratch. It is rather 1990s and feels a bit too slow and clunky.

Regarding suhosin integration -- I've actually found a "new" problem with it and have been thinking of removing it. But I digress.....
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
copernic2006
Forum User
Posts: 86
Joined: Wed Oct 03, 2012 2:51 pm
Location: Algiers

Re: Vote for New features in ASL


Atomicorp Candidate #11: Add cgroups/per user limits to ASL (so you can constrain a domain, limit resources it can use, CPU, memory, disk, etc.)
I do not know if we can vote on internal candidates but certainly I'll do it for Atomicorp Candidate #11.
This will allow us to do without CloudLinux (which I use for this feature) and enjoy the ASL kernel
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Vote for New features in ASL


I do not know if we can vote on internal candidates
You sure can. Those are just ideas we came up with, the others are from customers like you!