Ideas for new features
- Forum Regular
- Posts: 661
- Joined: Mon Oct 29, 2007 6:51 pm
Hello,
Here are some of my ideas for new features in ASL:
- Support for Windows
^^ Fairly self-explanatory, but support for IIS6, IIS7, Apache on Windows, OS Server 2003 Std/Web, Server 2008 Web/Std
- modified SuPHP
Instead of using the current suPHP, have it set up so that instead of one user it uses two users - one for the web and one for FTP. This way you can customize the permissions and ACLs with better security.
This would use the pre-configured php.ini files and domain vhost suphp.conf files & physical hosting event handlers that I already sent over for easy provisioning. The only problem so far is that the physical hosting updated event handler cannot properly detect safe mode being turned off, so there needs to be a way around that, or it needs to be coded with the expectation that SWsoft will fix that oversight soon.
- Implement Vhost limits
Set up limits in PAM through a Plesk GUI and/or command line interface on a per vhost basis that limits the amount of cpu/memory/inodes/semaphores/file descriptors etc that they are allowed to use. This will stop a user from having an infinite loop script kill your server.
- Add additional Switches to ASL command line
Add an optional switch to asl -u that will disable the YUM check so that it only performs a rule update
Add an optional switch to asl -s -f that will do a graceful apache restart instead of a full restart
Add an additional switch instead of asl --report-false-positive that is shorter and easier to type
Add an additional param to asl --report-false-positive that would allow a comment to be submitted along with the FP
- Update ASL Web GUI to alert you when you submit a FP
When clicking on the report FP button in the ASL web GUI it currently does nothing. Change the button to a green button saying "Thank you" or something when successful (and disable the button so that you don't get multiple submissions of the same occurrence), and a red "failed" when it could not be submitted. Some kind of response is needed so that you know it actually did something.
- Update ASL Web GUI to allow you to update Rules
Allow the ASL web GUI to update your OSSEC/mod_sec rules without having to run asl -u on the command line
- Geoblocking on vhost level
Block/Whitelist certain countries on a per vhost/subdomain basis instead of server wide
- ossec active response IP Checks
When using active response, have OSSEC check the IP against known major internet backbone IPs so that someone spoofing a backbone router IP won't get a section of the world blocked
- Custom ASL Error pages per vhost
When an ASL rule is triggered, display the custom error page of the domain instead of the generic error page. Custom error pages must already be enabled for the domain in Plesk, and exist on the file system. If not, then use the standard white error page
- Allow for more than 16 character MySQL usernames
Currently mysql has a hard limit of 16 characters for the usernames. Apply the patch that would allow you at compile time to set the username limit to be 64 characters (or longer if needed)
http://bugs.mysql.com/bug.php?id=16553
http://bugs.mysql.com/file.php?id=2731
- Don't block self referenced sites in URL
Currently if a domain name has its own domain name in a URL arg it will get blocked. Make the engine smart enough to know that if the host in the URI is the same as the host in the packet, it should not block
i.e. a site has a redirect to a link or a page from (search engine, etc) in the POST or URI
- expand on the ASL Rule classes and allow for more granular enable/disable
Currently you can only enable/disable several major classes, i.e. spam, blacklist, etc. Please change this so that you can define more precisely which types you want active.
For example, if I want to disable anything that checks on the referer - I have to disable them one by one or check the files themselves, disable the rules individually and then hope they don't change or more don't get added later on down the road. Some of these could be in multiple classes too, such as referer spam, blacklist or malware in referer, etc.
Please change it so that I can turn off referrer checks altogether regardless of which parent rule set its in.
Or add sub classes to each so that I can turn off certain checks against args, certain sub classes against referrers, etc.
- Mod Cband as a replacement for Mod_BW
Instead of using mod_bw that comes with Plesk use mod_cband instead, with default values and the ability to set bw limits per vhost, throttling, and a sort of QoS priority but on a vhost level
- MIME types
Ability to allow customers to set MIME types through Plesk UI
Feedback (or questions) and comments are welcome
Thanks,
Last edited by hostingguy on Tue Jun 17, 2008 12:35 pm, edited 3 times in total.
Nice post!
All are good points, my favs in order of most interested to lesser:
- Add additional Switches to ASL command line
- Update ASL Web GUI to alert you when you submit a FP (with comment)
- Don't block self referenced sites in URL
- Implement Vhost limits (resources - but in the scope of ASL?)
- Geoblocking on vhost level
- Custom ASL Error pages per vhost
- Mod Cband as a replacement for Mod_BW
Heh, that's almost all. BTW, when does the next feature request vote open up?
"Dont block self referenced sites in URL" is top of the list for me. I suspect this is something that needs to be done by the mod_sec author though, rather than a rule update.
i.e. there would have to be a way to make sure that the self-referenced url is the ONLY url referenced, and I don't think that's practical in terms of an actual rule update.
Self-referenced urls happen a lot when customers use the auto-configure options for certain scripts, I've found.
No doubt there's a hidden danger here but I can't think of it.
Maybe that's why I'm not a black hat.
Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
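A small model of the "self referenced sites" check requested in the first post, together with Faris's caveat that the self-reference has to be the only host referenced. This is an added illustration in Python, not ASL's or mod_security's own code; the host names and query strings in demo() are constructed.

```python
# Added illustration, not ASL or mod_security code: a request-argument
# check that allows URLs pointing back at the request's own Host header
# but still flags arguments referencing any foreign host. The sample
# requests in demo() are constructed for this example.
from urllib.parse import parse_qs, urlparse

URL_SCHEMES = ("http", "https")


def normalize_host(host_header: str) -> str:
    """Lowercase a Host header and drop any port ('Example.com:8080', '[::1]:80')."""
    return (urlparse("//" + host_header.strip()).hostname or "").rstrip(".")


def hosts_in_args(query: str) -> set[str]:
    """Collect hostnames from absolute http(s) URLs found in the query arguments."""
    hosts = set()
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            parsed = urlparse(value)
            if parsed.scheme in URL_SCHEMES and parsed.hostname:
                hosts.add(parsed.hostname.rstrip("."))
    return hosts


def foreign_hosts(host_header: str, query: str) -> set[str]:
    """Hosts referenced in the arguments that are not the request's own host."""
    own = normalize_host(host_header)
    return {h for h in hosts_in_args(query) if h != own}


def should_block(host_header: str, query: str) -> bool:
    """Block only when some argument points at another host. A self-link
    mixed with one foreign link still blocks, which is the point Faris
    raises: the self-reference has to be the ONLY host referenced."""
    return bool(foreign_hosts(host_header, query))


def demo() -> list[tuple[str, bool]]:
    """Constructed requests, returned as (description, blocked?)."""
    cases = [
        ("self redirect", "shop.example.com", "redirect=http://shop.example.com/cart"),
        ("self link, odd case and port", "Shop.Example.com:8080", "next=HTTPS://SHOP.EXAMPLE.COM/a&page=/local"),
        ("foreign url", "shop.example.com", "page=http://other.example.net/page"),
        ("self plus foreign", "shop.example.com", "a=http://shop.example.com/&b=http://other.example.net/"),
        ("no urls at all", "shop.example.com", "q=hello+world"),
    ]
    return [(name, should_block(host, query)) for name, host, query in cases]
```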
All sound like good ideas, but a soft Apache restart is not a good idea. Several builds of ASL ago I found a bug where, without a full Apache stop and start, you end up having rule / mod-sec issues. It's much safer to properly stop and start Apache, like when you do a rule update.
Perhaps for asl -u, add another line in /etc/asl/config to set your preference, something like:
update with yum = "yes" or "no"
Also what about option for setting rule update intervals (like hourly) and a yes or no so they can be auto applied.
asl -u does a full stop and start on httpd so of course you will not have issues.
However just issuing a /etc/init.d/httpd restart will not fix any issues or if you play manually with mod-sec or rules.
A full /etc/init.d/httpd stop and then /etc/init.d/httpd start is required.
I found this bug ages ago with asl -u and asl -f (I can't remember, more than a year ago), so a suggestion of a warm start for httpd is not a good idea, and hence this is what I was saying all along.
Yes, look here: http://atomicrocketturtle.com/forum/vie ... highlight=