Hi, I'm using Knownhost with their VS-2 VPS with 512 MB with Plesk and SpamAssassin. Enough memory for small sites, but will this work with ASL?
I've had 4 VPS's at Knownhost root-hacked recently and could not find their entry point. All were running Plesk 9.5.2 and I just found out that KH doesn't apply Plesk security patches to Plesk automatically, so that might be it. Looking to secure the servers without loading them down too much. What would you recommend?
Thanks
will medium VPS with Plesk work with ASL?
- Atomicorp Staff - Site Admin
Re: will medium VPS with Plesk work with ASL?
It depends on what else you're doing; with a 32-bit system it will probably be OK. With 64-bit I'd add more RAM.
Re: will medium VPS with Plesk work with ASL?
The ASL malware-blacklist and domain-blacklist may cause problems in a VPS with less than 2Gigs of RAM and are almost guaranteed to cause problems even with 2Gb of RAM if the virtualisation tech is Virtuozzo. By problems I mean apache segfaults or Bus Errors.
Both of these blacklists can be manually disabled but not via a configuration file option -- you need to manually overwrite the files in two locations each time you run the ASL rule updater (or every time it runs itself automatically).
Obviously by disabling these features you reduce your level of security.
Also if your virtualization tech is Virtuozzo then you won't be able to use the ASL hardened kernel.
YMMV but the only way to find out is to try it out and see.
I would guess that your real problem is either script injection or someone's FTP password has been compromised. Password compromises are very very common these days as more and more mugs get caught out by data stealing trojans. ASL's mod_security will help with the first problem, and the ASL Kernel should help with the second in most cases. ASL's FTP AV scanning may also prevent problems.
Faris.
Re: will medium VPS with Plesk work with ASL?
Thanks for the info... I think I'm going to skip ASL for these smaller VPS's.
- mikeshinn
- Atomicorp Staff - Site Admin
Re: will medium VPS with Plesk work with ASL?
ASL works just fine in smaller VPS'.

You make it sound so dramatic Faris.

> The ASL malware-blacklist and domain-blacklist may cause problems in a VPS with less than 2Gigs of RAM and are almost guaranteed to cause problems even with 2Gb of RAM if the virtualisation tech is Virtuozzo. By problems I mean apache segfaults or Bus Errors.

Just so we're clear, segfaults are memory errors - the rules don't cause the segfaults - repeat, they do not cause the segfaults. I know I've explained this many times before, but since it came up again I don't want anyone to misunderstand: a segfault is a memory *error* and you see that in apache when you have a bug in your web application. Apache will kill off its children on boxes with lots of RAM usually way way before you'll see a fault if you have a bad app, but if you have low amounts of RAM and you have a lot going on in RAM then you'll see that segfault - fix the app, always fix the app!
The rules don't cause the segfaults any more than water causes a hole in a bucket. If you fill up the bucket, and it's got a hole, water will come out. If you don't fill it up, water won't come out but the hole is still there. Fix the hole, the bucket won't leak. If you have a segfault in apache, you have a bug in a web app and sooner or later it's gonna blow - segfaults are a blessing, they are telling you something is wrong with your app. If you prefer to not fill up the bucket to the hole, then so be it - but remember, you didn't fix the problem, you just changed the situation. You still have a hole - you still have a broken app.
So, if you have buggy web apps and low memory and you want to keep your bucket mostly empty, and hope that apache will clean up, then turn off some of the rule sets that use more memory such as the malware rules. Nevertheless, ASL works just fine on a box with low mem and you don't have to disable anything.
If you do disable the malware rules, ASL includes overlapping rule families and defense in depth on purpose, so you can disable the malware family with a moderate impact on security.
Michael Shinn
Atomicorp - Security For Everyone
- Atomicorp Staff - Site Admin
Re: will medium VPS with Plesk work with ASL?
Oh and while we're on this, I *think* the httpd 2.2.17 packages in the atomic-testing packages would handle this better. There are some special debug routines in there either way that would help us isolate what webapp(s) is/are causing the segfaults Faris was seeing. Check it out if you can. I also added in support for the Apache ITK MPM.
Re: will medium VPS with Plesk work with ASL?
[this is supposed to be funny:] But Scott, we are talking about radioactive water here which does cause holes in my bucket.
But seriously, everything Scott says is correct and you should not skip ASL just because it may have problems in a small VPS under certain circumstances. Also I didn't intend to imply that the issue was ASL itself.
Basically there's something funky going on somewhere, most probably involving php or Apache, that is the root cause of all this and for some reason it gets amplified if you use Virtuozzo (and I assume OpenVZ). The more rules you have loaded the more likely the problem is to occur.
Personally, I would not run any hosting server where scripts that are potentially full of security holes might be uploaded by third parties (i.e. customers) without ASL (and suhosin for good measure).
Faris.
Re: will medium VPS with Plesk work with ASL?
Hi
I have run ASL on Plesk under VPS slice sizes from 512 meg through 2 gig. ASL runs fine on all of them. There are a variety of programs that have issues running on a VPS. You can spend years going back and forth between "lousy VPS setup" and "buggy programs should be fixed". Bottom line - ASL does indeed run quite well on a VPS.
Bob