Ideas for new features
Posted: Thu Jun 12, 2008 6:58 pm
Hello,
Here are some of my ideas for new features for ASL:
- Support for Windows
^^ Fairly self-explanatory, but support for IIS6, IIS7, Apache on Windows, OS Server 2003 std/web, Server 2008 web/std
- modified SuPHP
Instead of using the current suphp, have it set up so that instead of one user it uses two users - one for the web and one for FTP. This way you can customize the permissions and ACLs with better security.
This would use the pre-configured php.ini files and domain vhost suphp.conf files & physical hosting event handlers that I already sent over for easy provisioning. Only problem so far is that the physical hosting updated event handler cannot properly detect safe mode being turned off, so there needs to be a way around that, or coded with the expectation that swsoft will fix that oversight soon.
- Implement Vhost limits
Set up limits in PAM through a Plesk GUI and/or command line interface on a per vhost basis that limits the amount of cpu/memory/inodes/semaphores/file descriptors etc that they are allowed to use. This will stop a user from having an infinite loop script kill your server.
- Add additional switches to ASL command line
Add an optional switch to asl -u that will disable the YUM check so that it only performs a rule update
Add an optional switch to asl -s -f that will do a graceful apache restart instead of a full restart
Add an additional switch instead of asl --report-false-positive that is shorter and easier to type
Add an additional param to asl --report-false-positive that would allow a comment to be submitted along with the FP
- Update ASL Web GUI to alert you when you submit a FP
When clicking on the report FP button in the ASL web GUI it currently does nothing. Change the button to a green button saying "Thank you" or something when successful (and disable the button so that you don't get multiple submissions of the same occurrence), and a red "failed" when it could not be submitted. Some kind of response is needed so that you know it actually did something.
- Update ASL Web GUI to allow you to update Rules
Allow the ASL web GUI to be able to update your ossec/mod_sec rules without having to run asl -u on the command line
- Geoblocking on vhost level
Block/Whitelist certain countries on a per vhost/subdomain basis instead of server wide
- ossec active response IP Checks
When using active response, have ossec check the IP against known major internet backbone IPs so that someone spoofing a backbone router IP won't get a section of the world blocked
- Custom ASL Error pages per vhost
When an ASL rule is triggered, display the custom error page of the domain instead of the generic error page. Custom error pages must be enabled for the domain already in Plesk, and exist on the file system. If not, then use the standard white error page
- Allow for more than 16 character MySQL usernames
Currently mysql has a hard limit of 16 characters for the usernames. Apply the patch that would allow you at compile time to set the username limit to be 64 characters (or longer if needed)
http://bugs.mysql.com/bug.php?id=16553
http://bugs.mysql.com/file.php?id=2731
- Don't block self-referenced sites in URL
Currently if a domain name has its own domain name in a URL arg it will get blocked. Make the engine smart enough to know that if the host in the URI is the same thing as the host in the packet to not block
IE: a site has a redirect to link or a page from (search engine, etc) in the post or URI
- expand on the ASL Rule classes and allow for more granular enable/disable
Currently you can only enable/disable several major classes, i.e. spam, blacklist, etc. Please change this so that you can better define which types you want active.
For example, if I want to disable anything that checks on the referer - I have to disable them one by one or check the files themselves, disable the rules individually and then hope they don't change or more don't get added later on down the road. Some of these could be in multiple classes too, such as referer spam, blacklist or malware in referer, etc.
Please change it so that I can turn off referrer checks altogether regardless of which parent rule set it's in.
Or add sub classes to each so that I can turn off certain checks against args, certain sub classes against referrers, etc.
- Mod Cband as a replacement for Mod_BW
Instead of using mod_bw that comes with Plesk use mod_cband instead, with default values and the ability to set bw limits per vhost, throttling, and a sort of QoS priority but on a vhost level
- MIME types
Ability to allow customers to set MIME types through Plesk UI
Feedback (or questions) and comments are welcome
Thanks,
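
An added illustration (not part of the original post and not ASL's code) of the comparison the "Don't block self-referenced sites in URL" item asks for: a URL found in a request argument is treated as a self-reference only when its host exactly matches the request's Host header. The function names and the sample hosts (www.example.com, other.test) are constructed for this sketch.

```python
from urllib.parse import urlsplit, parse_qsl

def _norm(host):
    """Normalise a hostname: lower-case, no trailing dot; None if empty."""
    return (host or "").lower().rstrip(".") or None

def request_host(host_header):
    """Hostname from a Host header value, with any :port removed."""
    try:
        return _norm(urlsplit("//" + host_header.strip()).hostname)
    except ValueError:          # malformed header, e.g. unbalanced IPv6 brackets
        return None

def is_self_reference(host_header, arg_value):
    """True only when arg_value is an http(s) URL on the request's own host."""
    try:
        parts = urlsplit(arg_value.strip())
        target = _norm(parts.hostname)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or target is None:
        return False
    # Exact match only: a suffix or substring test would also accept
    # look-alikes such as www.example.com.other.test.
    return target == request_host(host_header)

def urls_still_checked(host_header, query_string):
    """(name, value) pairs carrying a URL that is not a self-reference."""
    return [(n, v) for n, v in parse_qsl(query_string, keep_blank_values=True)
            if "://" in v and not is_self_reference(host_header, v)]

# Constructed sample request (not taken from any real log)
SAMPLE_HOST = "www.example.com:8080"
SAMPLE_QUERY = ("next=http%3A%2F%2Fwww.example.com%2Fhome"
                "&ref=http%3A%2F%2Fwww.example.com.other.test%2F&q=hello")

if __name__ == "__main__":
    print(urls_still_checked(SAMPLE_HOST, SAMPLE_QUERY))
```

Only the URL-in-argument check is skipped for a match; a URL with userinfo such as http://www.example.com@other.test/ resolves to host other.test and is still checked.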