Atomic Secure Linux
Post subject: Enhance ASL firewall - resource usage
Posted: Sat May 19, 2012 10:01 am
Forum Regular (Joined: Sun Mar 29, 2009 6:52 pm, Posts: 348)
Hi guys,

I would like to make two suggestions/requests which I believe could really enhance our experience with Plesk & ASL.

A great addition was the firewall in the gui. But there are no sample-suggested rulesets on your wiki...
For example CSF, which is distributed for free, has some default rules which, to be honest, seem to work very well. They were "life saving" one time on the cPanel box, as it blocked the IRC port 6667 both inbound and outbound when a customer account got hacked and started trying to do crazy stuff.
Most of us here know that you have written a book on iptables, so with your expertise you could help improve the security of ASL servers.
Also, how can you back up your rulesets if you have set up the firewall from the GUI?

Another cool feature of CSF is that it will kill processes that seem suspicious or are jammed. For example, last night the Plesk backup killed the server once again. Maybe you can develop a mechanism like CSF's that kills the process before it kills the server. This would have been terrific!
Another issue that has been troubling me is the following. The ASL kernel seems to use up all memory resources. For example, cPanel VPS-optimized servers have a minimal footprint on the OS. I have no idea how this is possible, but I see cPanel servers with three times the domains and traffic using half the resources my Plesk server with ASL installed uses. And it never crashes.

I love ASL, and Plesk is much better in terms of usability for the customer, but for a shared webhosting server there are problems. I have lost a few customers due to the fact that Plesk has sometimes crashed during the night backup and stayed down until the next morning. And to be honest, every day I wake up I rush to my computer to check only whether my Plesk server is alive, even before I drink my morning coffee!

Thank you for your time guys and keep up the great job you do there at the ASL labs :)

_________________
Hello IT.
Phone : Blah Blah ....
Have you tried turning it on and off again ?
Phone : Blah Blah ....
....
I'm sorry, are you from the Past ?!
http://www.youtube.com/watch?v=-E4fm4Wqego


Post subject: Re: Enhance ASL firewall - resource usage
Posted: Sat May 19, 2012 3:37 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm, Posts: 3245, Location: Chantilly, VA)
Thanks for the feedback.

Quote:
A great addition was the firewall in the gui. But there are no sample-suggested rulesets on your wiki...


We're going to be including sample rulesets in ASL in the very near future. We're looking at adding in a wizard too that will make it easy to set up "canned" rulesets.

Quote:
kill processes that seem suspicious or are jammed.


Great idea. ASL can actually do that now, we just haven't pushed out any rules to do this because we aren't completely comfortable with ASL doing that yet. We want to do some more testing before we turn that on. I've definitely seen CSF kill things it shouldn't (like it used to kill ossec processes). No one wants that to happen. We will add this in, we just want to be careful about how we do it.

Quote:
Another issue that has been troubling me is the following. ASL kernel seems to use up all memory resources


Could you elaborate on that? The kernel itself can't do that, so did you mean that your applications are using up all your memory on your Plesk server? And if so, what applications on your system were using up all your memory? It sounds like from your previous comments that the Parallels Plesk backup tool is using up all your memory, is that correct? If so, have you opened a case to report this problem to Parallels? And what did they say the cause was?

Also, regarding cpanel, did you know that ASL works with cpanel? Are you using ASL with cpanel?

Quote:
Thank you for your time guys and keep up the great job you do there at the ASL labs :)


Our pleasure and thank you for the feedback and thanks! You are most welcome!

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Enhance ASL firewall - resource usage
Posted: Sat May 19, 2012 8:04 pm
Forum Regular (Joined: Sun Mar 29, 2009 6:52 pm, Posts: 348)
mikeshinn wrote:
Thanks for the feedback.

Quote:
A great addition was the firewall in the gui. But there are no sample-suggested rulesets on your wiki...


We're going to be including sample rulesets in ASL in the very near future. We're looking at adding in a wizard too that will make it easy to set up "canned" rulesets.

Quote:
kill processes that seem suspicious or are jammed.


Great idea. ASL can actually do that now, we just haven't pushed out any rules to do this because we aren't completely comfortable with ASL doing that yet. We want to do some more testing before we turn that on. I've definitely seen CSF kill things it shouldn't (like it used to kill ossec processes). No one wants that to happen. We will add this in, we just want to be careful about how we do it.

Quote:
Another issue that has been troubling me is the following. ASL kernel seems to use up all memory resources


Could you elaborate on that? The kernel itself can't do that, so did you mean that your applications are using up all your memory on your Plesk server? And if so, what applications on your system were using up all your memory? It sounds like from your previous comments that the Parallels Plesk backup tool is using up all your memory, is that correct? If so, have you opened a case to report this problem to Parallels? And what did they say the cause was?

Also, regarding cpanel, did you know that ASL works with cpanel? Are you using ASL with cpanel?

Quote:
Thank you for your time guys and keep up the great job you do there at the ASL labs :)


Our pleasure and thank you for the feedback and thanks! You are most welcome!


Hello Mike !

That would be great. And it's also very logical and correct to test the software before it starts killing processes.
Plesk has one of the worst backup utilities ever ...
Sorry, my bad, it's not the kernel itself. Generally when you run ASL you also run clamav (very memory consuming...) and ossec sometimes uses a lot of resources, plus the kernel doesn't seem to "release" RAM to the "free" state as the default kernel does.

I will soon try out cPanel with ASL on a test install to see how they respond. This is something I've wanted to do for a long time, but there was no free time to do exhaustive testing.
CSF looks like a toy in comparison to ASL. Basically there can't even be a comparison of ASL and CSF, in my opinion. Sorry CSF guys :P
But to be honest, on the Plesk + ASL box I have most of the eshops or mission critical websites, whereas on the cPanel box there are mostly "cheap" clients and resellers that I don't want to waste excessive system resources to protect, and I don't want to waste time with them complaining about false positives from mod_security.
Generally I think that in order to retain profit, shared hosting and managed hosting should be treated in a different manner.

Personally, on my www1 server I don't have a control panel at all. I do all configuration by hand. I do the backup with my own scripts and it has never crashed!



Post subject: Re: Enhance ASL firewall - resource usage
Posted: Sat May 19, 2012 8:35 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm, Posts: 3245, Location: Chantilly, VA)
Quote:
the kernel doesn't seem to "release" RAM to the "free" state as the default kernel does.


Could you elaborate a little more on this? How are you measuring free memory?



Post subject: Re: Enhance ASL firewall - resource usage
Posted: Sun May 20, 2012 11:58 am
Forum Regular (Joined: Sun Mar 29, 2009 6:52 pm, Posts: 348)
mikeshinn wrote:
Quote:
the kernel doesn't seem to "release" RAM to the "free" state as the default kernel does.


Could you elaborate a little more on this? How are you measuring free memory?


Calculating free + Cached. Although I think that's not accurate, since I have seen memory complaints when there is more than a gigabyte of RAM cached on the OS. But this again has to do with processes with bad memory leaks. Mostly I think the reason I don't see this issue on cPanel with CSF is because CSF is killing "bad" processes. And as I said, clamav is consuming extremely large amounts of RAM!

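Worked example added here, not from the thread: a small POSIX shell script that measures free memory the way the post describes (free + buffers + cached, rather than MemFree alone), preferring the kernel's MemAvailable field when the running kernel exposes it. It runs against a constructed /proc/meminfo sample; the sample numbers and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: report "effectively free" memory so that page cache is not
# mistaken for memory pressure. Reads /proc/meminfo unless a file is given.
effective_free_kb() {
    awk '
        $1 == "MemAvailable:" { avail  = $2 }   # newer kernels: includes reclaimable slab
        $1 == "MemFree:"      { free   = $2 }
        $1 == "Buffers:"      { buf    = $2 }
        $1 == "Cached:"       { cached = $2 }
        # Fall back to the free + buffers + cached sum on kernels without MemAvailable.
        END { print (avail ? avail : free + buf + cached) }
    ' "${1:-/proc/meminfo}"
}

# Integer percentage of MemTotal that is effectively free.
effective_free_pct() {
    awk -v eff="$(effective_free_kb "${1:-/proc/meminfo}")" '
        $1 == "MemTotal:" { total = $2 }
        END { printf "%d\n", eff * 100 / total }
    ' "${1:-/proc/meminfo}"
}

# Constructed sample (not a real host): a 2 GB box where MemFree looks tiny
# but more than 1 GB is page cache that the kernel will drop on demand.
SAMPLE_MEMINFO=$(mktemp)
trap 'rm -f "$SAMPLE_MEMINFO"' EXIT
cat > "$SAMPLE_MEMINFO" <<'EOF'
MemTotal:        2048000 kB
MemFree:          102400 kB
Buffers:           51200 kB
Cached:          1126400 kB
SwapTotal:       1024000 kB
SwapFree:        1024000 kB
EOF

printf 'naive free:     %s kB\n' "$(awk '$1 == "MemFree:" { print $2 }' "$SAMPLE_MEMINFO")"
printf 'effective free: %s kB (%s%% of MemTotal)\n' \
    "$(effective_free_kb "$SAMPLE_MEMINFO")" "$(effective_free_pct "$SAMPLE_MEMINFO")"
```

Run it without arguments on a live box to compare the naive and effective numbers; alerting on the effective figure avoids false "out of memory" complaints when cache is large.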


Post subject: Re: Enhance ASL firewall - resource usage
Posted: Sun May 20, 2012 12:45 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm, Posts: 3245, Location: Chantilly, VA)
Quote:
Calculating free + Cached. Although I think that's not accurate, since I have seen memory complaints when there is more than a gigabyte of RAM cached on the OS.


Your instincts are right on, cached memory is actually free. Linux caches things opportunistically, and drops it as soon as an application needs it. This blog post may help to understand what's going on:

https://atomicorp.com/company/blogs/259 ... emory.html

Quote:
clamav is consuming extremely large amounts of RAM!


Ah, that's straightforward enough to remedy. ASL enables the Google Safe Browsing signatures, which can double the amount of memory clamav uses. You can disable those signatures by doing this:

Step 1: Edit this file:

/var/asl/data/templates/template-freshclam.conf

Either comment out this line:

SafeBrowsing yes

Or change the "yes" to a "no".

Step 2: Run these two commands as root:

asl -s -f

freshclam

Step 3: Restart clamd:

/etc/init.d/clamd restart



Post subject: Re: Enhance ASL firewall - resource usage
Posted: Sun May 20, 2012 7:47 pm
Long Time Forum Regular (Joined: Thu Dec 09, 2004 11:19 am, Posts: 1846)
Note that you have to repeat the steps Mike outlined every time you upgrade ASL (e.g. to the next point release when it comes out), as the template file gets overwritten when that happens.

[I know this isn't the place, but adding a SafeBrowsing yes/no switch in the config would be useful. It takes far more memory than its usefulness provides (but only in my opinion, obviously)].

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
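Added example, not Atomicorp's code: Mike's three steps above as a re-runnable script, so that it can simply be run again after an ASL upgrade overwrites the template (the point raised in the follow-up). The template path and the commands are the ones given in the thread; the function names, the backup-file naming and the ASL_FRESHCLAM_TEMPLATE override are assumptions.

```shell
#!/bin/sh
# Added example: disable Google Safe Browsing signatures in the ASL freshclam
# template, then regenerate configs, refresh signatures and restart clamd.
set -u

# Path from the thread; overridable so the edit function can be tested on a copy.
TEMPLATE="${ASL_FRESHCLAM_TEMPLATE:-/var/asl/data/templates/template-freshclam.conf}"

# Step 1: rewrite "SafeBrowsing yes" to "SafeBrowsing no" in the given file.
# Prints "changed" or "unchanged" so the caller knows whether a regenerate and
# restart are needed; returns 1 if the file does not exist.
disable_safebrowsing() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    if grep -Eq '^[[:space:]]*SafeBrowsing[[:space:]]+yes' "$f"; then
        # keep a timestamped copy before touching an ASL-managed file
        cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
        sed -i -E 's/^([[:space:]]*SafeBrowsing[[:space:]]+)yes/\1no/' "$f"
        echo changed
    else
        echo unchanged
    fi
}

# Steps 2 and 3 from the post, run as root on the live system only.
apply_to_live_system() {
    asl -s -f && freshclam && /etc/init.d/clamd restart
}

main() {
    case "$(disable_safebrowsing "$TEMPLATE")" in
        changed) apply_to_live_system ;;
        *)       echo "SafeBrowsing already disabled in $TEMPLATE, nothing to do" ;;
    esac
}

# Only touch the live system when explicitly asked, e.g. from a post-upgrade hook.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Invoke it as `sh disable-safebrowsing.sh --apply` after each ASL point release; without `--apply` it only defines the functions.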


Post subject: Re: Enhance ASL firewall - resource usage
Posted: Sun May 20, 2012 8:59 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm, Posts: 3245, Location: Chantilly, VA)
Quote:
I know this isn't the place, but adding a SafeBrowsing yes/no switch in the config would be useful.


Well, actually this is exactly the right place! (It's the feature requests forum after all *grin*)

FR opened for this.



Post subject: Re: Enhance ASL firewall - resource usage
Posted: Mon May 21, 2012 9:31 am
Forum Regular (Joined: Sun Mar 29, 2009 6:52 pm, Posts: 348)
Yeah, I agree an option for that in ASL would be nice! :)

As far as I have understood, Google's Safe Browsing signatures only offer a "notification" for administrators that a site might be serving malware? Right? Active response wouldn't react to Google's signatures, right?



Post subject: Re: Enhance ASL firewall - resource usage
Posted: Tue May 22, 2012 10:06 am
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm, Posts: 3245, Location: Chantilly, VA)
The safe browsing rules are included in clamav.



Post subject: Re: Enhance ASL firewall - resource usage
Posted: Tue May 22, 2012 2:12 pm
Forum Regular (Joined: Sun Mar 29, 2009 6:52 pm, Posts: 348)
mikeshinn wrote:
The safe browsing rules are included in clamav.


Hello Mike,

Yes. What I mean is the following. Are these rules only for web browsing, or are they used by mod_evasive as well? Will disabling them create a "security gap" on the server?



Post subject: Re: Enhance ASL firewall - resource usage
Posted: Tue May 22, 2012 4:17 pm
Long Time Forum Regular (Joined: Thu Dec 09, 2004 11:19 am, Posts: 1846)
The sites listed in the SafeBrowsing list are only used to compare against links in FTP uploads or email (and if you have dazuko enabled, will be used when doing a full system scan, and maybe a bit more?).

The list contains "known bad" sites that probably contain malware, and you risk being infected if you visit them. They are not necessarily known sources of attack, or sources of remote inclusion malware files, though it is perfectly possible that a compromised site might be all of these.

So SafeBrowsing does not apply to mod_sec as such, nor mod_evasive.



Post subject: Re: Enhance ASL firewall - resource usage
Posted: Tue May 22, 2012 4:29 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm, Posts: 3245, Location: Chantilly, VA)
Quote:
The sites listed in the SafeBrowsing list are only used to compare against links in FTP uploads or email (and if you have dazuko enabled, will be used when doing a full system scan, and maybe a bit more?).


It's used for all uploads, so web too. And if you have dazuko enabled, the system will look for these domains in applications, scripts, htaccess files, you name it, and block them from being used, or the application, script, etc. from being loaded, in real time.


