
Atomicorp FAQ

You asked, we answered.

Support Coverage

+ What is included with the support?

Standard Support

Email-based support for Atomic Secured Linux the same business day during normal business hours (M-F / 7am – 7pm EST except on US Federal Holidays). Standard support accounts include one support portal account and support for one email contact.

Extended Support

24/7 support. Extended support customers also enjoy support for multiple contacts, multiple login accounts for the support portal, and phone support.

+ What is included with the support, what is your response time?

Standard Support

Email-based support for Atomic Secured Linux is answered the same business day (EST).

Standard support accounts include one support portal account and support for one email contact.

Extended Support

For extended support contract customers, the response time is dictated in the support contract. Extended support customers also enjoy support for multiple contacts, multiple login accounts for the support portal, and phone support.

+ What are your normal support hours?

Support is provided 24 hours a day.

+ Do you offer phone support?

Yes, for customers with existing extended support contracts. Please contact sales@atomicorp.com for more information about extended support contracts.

Phone support is not available without an existing extended support contract.

+ How can I give Atomicorp support access to my system?

To provide us with access, please follow the process below. Do not send us your root password to log into your system. We do not need it, and we will delete it if you send it to us (we do this for your protection). Just follow the process below, which will provide us with secure access without the need to know your root password.

Step 1) Do not send us your root password to log into your system. We do not need it.

As part of our security policies we will not use passwords to log into your system, and we will not store root passwords in our support system. Our policy requires our support engineers to delete this information if you send it to us. Just follow the process below, which installs cryptographically strong keys that we will use to authenticate to your system instead of a password. This protects you: we won't have your root password, and no one will be able to steal it from us to access your system.

Step 2) Become root on your system

Type this command:

su -

This will prompt for the root password for your system; type in your root user's password.

Step 3) Run the command below, as the root user, to provide us with access to the system

wget -q -O - https://www.atomicorp.com/installers/key | sh

Note: You must have a version of wget installed that supports HTTPS.

If you do not see any output from this command it is likely wget on your system was replaced with a crippled version that does not support SSL. Please see this article to test if your wget supports SSL:

https://www.atomicorp.com/wiki/index.php/ASL_prerequisites#wget

If you've done this before, and we've asked you to do this again, please run the key installer again. We change our keys regularly for security reasons, so it's vital you have the latest keys installed on your system. We won't be able to log in otherwise.

Step 4) (Optional) Add to AllowUsers in sshd_config

If you use ASL's admin user feature, or sshd's AllowUsers feature, make sure you add the "atomic" user to the allowed users. If our tool does not add the user "atomic", that is because you allow root logins, and the tool will simply add our keys to the root account.

Step 5) Configure your firewall to allow access

If you need to open firewall access, please see the email sent with the IPs we will be logging in from.

Step 6) If this is for a new install, send us your mysql administrator password

If this is for an installation, please make sure you also provide us with your mysql administrator credentials in the email.

Step 7) Send us the IP address and SSH port for the system

And finally, remember to send an email to support AT atomicorp DOT com with the IP address(es) of the system(s) you want us to log into, and if you run SSH on a non-standard port please include that information as well.

If you have sent this information to us in the past, please make sure you send it with any new request. As part of our procedures, we must confirm the IP address for each request before logging into any system as an important safeguard to ensure we are accessing the correct system, and have permission to do so.

Atomic ModSecurity Rules

+ Are these the gotroot rules?

Yes. We are the authors of the gotroot modsecurity rules.

+ Are these the real time rules?

Yes. We are the authors of the real time gotroot modsecurity rules.

+ Do I need a real time rules subscription if I am using ASL?

No. ASL includes the Real Time Rules.

+ How can I purchase your realtime modsecurity rules?

To purchase a license for the Atomicorp ModSecurity Rules, just visit Atomicorp's Gotroot ModSecurity Rules page and follow the purchase link there.

+ Does a rules subscription include support for setting up mod_security?

No. Rules only subscriptions do not include support for installing, setting up or configuring mod_security.

+ I have a false positive/negative, how do I report it?

You can follow the Reporting False Positives procedure. It provides detailed instructions about how to report a false positive if you cannot use the GUI, or if you choose to report it from the command line.

FP/FNs are usually resolved and an update is released the same day they are reported, and during normal business hours usually within a few hours.

+ What is your approximate support response time?

For Email based support, within 4 hours of the request during normal business hours which are Monday-Friday from 7am – 7pm EST except on US Federal Holidays. Requests received after hours will be responded to the next business day.

For extended support customers, the response time is dictated in the support contract and includes after hours support, and may include 24/7 support depending on the support contract.

+ Is there any limit on name-based hosts or "vhosts"?

No. You can use our rules with as many name-based hosts (also known as "vhosts") as you want. The rules are licensed per unique Apache instance.

Unlike other commercial modsecurity rules, ours are not licensed by vhost or name based hosts, so there is no limit. One price, and protect as many domains as you want!

 

+ Do the Rules provide Brute Force protection?

You will need ASL to provide this sort of protection.

The reason this is only included with ASL is that for effective Brute Force protection, you need something to act as a reliable counter for login failures. The HTTP protocol is not stateful, which means each request is totally independent, versus an SSH login where you can count repeated failures within a single connection. While modsecurity has a feature called "collections" that could be used to count failures, it is buggy and has performance issues. Collections can be beaten by an attacker, and will sometimes cause severe performance problems for the web server. Therefore, we do not use this method and highly recommend against its use for brute force protection.

ASL's correlation engine does not have these bugs, nor will it incur a performance hit on your system and cause your web server to run slower. The other advantage to the way ASL carries out Brute Force protection is that ASL can look at login failures across multiple services, whereas modsecurity can only see failures with the HTTP protocol.

Therefore, ModSecurity Rules are unable to provide Brute Force protection on other parts of your server (e.g. SSH, FTP, Control Panels) as they don't have context past the web server, whereas ASL is a full-spectrum suite that secures the server as a whole, and is a high performance method of brute force protection that will not slow down your web server.

+ What do the Atomic ModSecurity Rules protect against?

Many things; this is just some of what our WAF rules are designed to protect against:

  • SQL Injection
  • Cross-Site Request Forgery (CSRF)
  • Cross Site Scripting (XSS)
  • Injection (RFI and raw code)
  • Encoding Abuse
  • Protocol Abuse
  • Unicode and UTF-8 attacks
  • HTTP Smuggling
  • Response Splitting
  • Proxy Abuse
  • Session Fixation
  • Invalid and null characters
  • Path Recursion
  • Unauthorized Code, such as shells, spamtools and mailers (PHP, ASP, Perl and other shells)
  • Attack Tools and unauthorized scanners
  • Web Spam (Blog, Forum, Guestbook, and others)
  • Backup and protected file and directory protection
  • Command injection
  • Malicious scripting (javascript, vbscript, etc.)
  • Hidden content spamming
  • Hidden and malicious iframes
  • Bogus content
  • XML attacks
  • Data, Sensitive Information and Configuration Leakage
  • Malicious and spammer useragent blocking

The rules also include:

  • Just In Time Patches for web application vulnerabilities
  • Malicious “Google Hacks” Recon Blocking
  • Real Time Blacklists
  • Realtime malicious domain blocking
  • Realtime redactor for removing malicious content from websites on the fly

And more! We put out updates to our rules daily with new protections and enhancements.

+ What versions of modsecurity do the rules work with?

2.9.0

Note: 2.8.0 is not supported. It has some serious bugs that will cause it to fail to properly handle ipmatch and other similar rules. Do not use 2.8.0.

 

+ How often are the rules updated?

Daily. Depending on events there may be multiple updates within a day.

+ Are these the gotroot.com rules?

Yes they are, one and the same (and that website is being merged into this website). We are the oldest and most experienced mod_security rule authors out there. We were putting out rules long before mod_security was acquired and then acquired again, long before OWASP existed, and before others jumped on the modsecurity bandwagon.

More sites use our rules and have been using them longer than everyone else combined. If you use our rules, you’re in good company.

 

+ What is included with an Atomic ModSecurity Rules subscription?

  • Access to the real time mod_security and clamav rules we publish. If you require additional features, please consider upgrading to our premier Linux security product Atomic Secured Linux.
  • Email and Web Based support during normal support hours.
  • Support fixing false positives
  • Development of new rules based on request.

 

+ Does a real time subscription include both the modsecurity and clamav rules?

Yes, realtime subscribers get instant access to the latest modsecurity and clamav signatures. We release updates daily based on new attacks we detect from our honeypots, new methods our labs develop, as well as fixes and improvements.

+ Are there any performance issues with your rules?

No. Our rules were designed for speed. Our rules are the oldest, most well tested and most widely used rule set, and with that unprecedented experience we've built performance enhancements into our rule sets to ensure they are fast and secure.

Keep in mind though that all WAFs use resources. If you add a WAF to your server, the server is being asked to do more work than it did previously (without the WAF). This means, as with anything new you add to a system, that there will be fewer resources available to do other things. So plan your architecture according to your needs and capabilities.

If your server is too slow to handle a WAF, you may want to set up a dedicated WAF server to handle WAF functions, and another server to serve up content. Most users will find that their servers are more than capable of running both a WAF and a web server, but lower end systems and oversubscribed virtualized environments may not be so capable. Just remember the golden rule: there's no such thing as a free lunch.

+ Does your rule-set have any performance enhancements built-in?

Yes. For example, our rules detect static content, and will bypass the appropriate rules automatically for that static content, without sacrificing security. Our rules also perform parallel searches to speed up analysis and to bypass entire classes of rules when it's clear the content does not contain that payload. We also build in numerous exceptions based on known trusted behavior of thousands of applications and libraries to ensure that the rules work right out of the box, with no tuning, modification or disabling of rules required. Our rule set is built for production use.

 

+ Are there any issues for high traffic sites with mod_security?

No, if you are using a current version of modsecurity (2.5 and up) and our ruleset. With other rule sets there may be, and with very old versions of modsecurity (before 2.0) there can definitely be in some specific cases. For a modern installation of modsecurity, with our rules, there are no issues with high traffic sites.

Historically, in very old versions of modsecurity (1.8 for example) with Apache 1.x, some rule configurations could be slow. These are the sources of the reports of slowness with modsecurity and "large rulesets". This was actually not caused by modsecurity, but rather by Apache itself. modsecurity uses regular expressions to define the patterns and rules to look for, and Apache 1.x had an internal regular expression engine that was extremely slow.

Apache 2.x does not have this shortcoming (it uses the system's PCRE library), and modsecurity 2.x includes numerous performance enhancements that are like night and day compared to the old 1.x days. The old adage of "large rulesets" slowing down sites is ancient history if you have a well constructed ruleset.

If you are using an up to date version of our modsecurity rules (we've been publishing rules for many years), then you will not experience any performance issues. The rules are designed to work with modern modsecurity versions (2.5 and up) and have built in performance enhancements to bypass entire rule classes for static content and known trusted behavior, and include numerous other performance enhancing methods, too many to list here.

 

+ Do I need to edit or modify the rules?

No, unlike all the other modsecurity rule sets out there we don't expect you to edit or modify them to work with your system. These rules are designed to work with the widest array of web applications right out of the box, with zero modifications or tuning required. And if something doesn't work for you, just let us know and we'll fix the rules so they work. If you are a real time rules customer, we'll do that for you the same day for free!

 

+ I have unpatched web applications, will your modsecurity rules protect me?

In nearly every case the answer is yes. That's exactly why we created the rules, and why we include Just In Time Patches in our rules to patch old applications such as Joomla. Unpatched vulnerabilities and zero day attacks are what we specialize in.

+ Do I need to install mod_security to use your rules?

You must install mod_security to use our rules.

 

+ What about mod_evasive and Suhosin, do I also need those for full protection?

No, our rules do not require these modules to protect you. We do include mod_evasive in ASL, to provide DoS protection for web applications. mod_security is not the right tool for DoS protection. If you are concerned about DoS attacks then you should upgrade to ASL.

Suhosin is also not necessary to use our rules, nor do we depend on it to protect against web attacks. With that said, Suhosin is a great module, but it does require tuning. We do recommend you install it, but understand that it needs to be tuned for your system. Most of our customers do not use it, nor is it necessary to be protected against web attacks; it's just another line of protection.

 

+ What is asl-lite?

ASL Lite is a free unsupported lightweight rule updater project designed specifically as an atomicorp.com mod_security rule downloader. ASL Lite uses a guided dialog similar to the standard ASL configuration, that allows for the definition of custom commands for restarting web services, location of configuration files, and use via cron.

asl-lite is free for anyone to use. You can read more about it including how to install it (if your system supports asl-lite):

asl-lite

 

+ Why do you use a VERSION file method?

For three reasons:

1) When providing support to our Do It Yourself customers, and to our technology integrators that are not using ASL, it is vitally important that we know exactly what version of the rules files and archive file they are using when they request assistance. The use of a "latest" file makes this impossible. It's actually something we used to do and stopped doing for just this reason: many experiences trying to sort out what our customers were using have taught us that, to provide the best support, we and they need to know exactly what version of the rules they are using when they request support. By including this version information in the name of the file, and through the use of the VERSION file, we can reliably determine what version of our rules our customers are using. This is a key part of the rapid response capability we provide, and is why we can provide free same day support for all our customers.

2) modsecurity rules are version specific. That's because modsecurity itself changes, including the rule syntax. That means that a rule directive may only work with a specific version of modsecurity, or may work differently depending on the version of modsecurity installed.

3) We also provide fully supported automated solutions, ASL and aum, to download our rules and keep them up to date for you. This software eliminates the need to manually download our rules. We recommend our customers use this software to keep their rules up to date if they do not have a solution for this.

 

+ Should the VERSION match the latest rule file available?

Not always. That VERSION represents the latest stable version of our rules. Newer versions may also be available that include rules that are still being tested, and are not supported.

 

+ Why is modsecurity logging 4xx and 5xx events?

If modsecurity is configured with this directive:

SecAuditLogRelevantStatus "^(?:5|4(?!04))"

It will log all 4xx and 5xx events for Apache (except 404 events, as in the example above). We recommend you do this, as Apache will natively block some attacks, as well as other errors and basic authentication failures (401 errors and 500 errors for example) where modsecurity rules are both not necessary (Apache blocks them natively) and would never be triggered (because Apache blocks them itself). For example, an invalid URI would be blocked natively by Apache, and this may indicate certain types of attacks are in progress. 401 errors (authentication failed) are also handled by Apache, and with this setting would be logged by modsecurity, which can be used to determine if a brute force attack is in progress. 5xx errors may indicate that an application has failed, which could indicate that an attack is under way, or simply that an application or component is broken or failed to perform correctly.

These events will not include any information about a rule being triggered, because a rule will not have been triggered. Here is one example:

--12345678-A--
[1/Oct/2010:11:22:33 +0000] UKmVSQoAAGQAAEz2C2sAAAAB 1.2.3.4 12345 5.6.7.8 443
--12345678-B--
GET / HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

--12345678-F--
HTTP/1.0 400 Bad Request
Vary: Accept-Encoding
Content-Length: 287
Connection: close
Content-Type: text/html; charset=iso-8859-1

--12345678-H--
Stopwatch: 12345678 12345678 (- - -)
Stopwatch2: 12345678 12345678; combined=620, p1=0, p2=0, p3=359, p4=240, p5=21, sr=0, sw=0, l=0, gc=0
WAF: ModSecurity for Apache/2.6.2 ( http://www.modsecurity.org/); 201001102010112233
Server: Apache/2.2.23

--40deca15-Z--

And another example:

[1/Jan/2012:00:00:01 --0500] EfNGXVABuRHcKw1OaUzOEQvAUohTaUJUCSoAADxB0CEAAAAJ 1.2.3.4 5.6.7.8 443
--2ad21831-B--
GET /foo HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: some cookie
Connection: keep-alive

--2ad21831-F--
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Web Application that uses htaccess and denied this authentication request"
Content-Length: 500
Connection: close
Content-Type: text/html; charset=iso-8859-1

--2ad21831-H--
Stopwatch: 12345678901232333 12345 (- - -)
Stopwatch2: 12345678901232333 12345; combined=200, p1=1, p2=0, p3=1, p4=1, p5=1, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

In the example above you will notice that no rule is listed in the H section. That is because no rule has been triggered. This event was logged only because of the SecAuditLogRelevantStatus configuration setting. Again, we recommend you log these events, as they can be indicators of other types of attacks that modsecurity will not be able to respond to, because Apache will natively respond to these events itself.

If you do not care about these events, simply remove that configuration directive. Please keep in mind that you will miss some attacks if you do this.
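The audit entries above can be sorted into "logged because a rule fired" versus "logged only because of SecAuditLogRelevantStatus" by checking section H for Message: lines, and the 401s the FAQ mentions can then be tallied per client IP as a simple login-failure counter (the kind of count the Brute Force answer says modsecurity itself cannot keep reliably). This is an added example, not Atomicorp code; it assumes the ModSecurity 2.x serial audit log layout shown above and uses a constructed log sample.

```python
import re
from collections import Counter

# Status classes from the FAQ's SecAuditLogRelevantStatus example: every 5xx, every 4xx but 404.
RELEVANT_STATUS = re.compile(r"^(?:5|4(?!04))")
# Serial audit log part boundary, e.g. --12345678-A--
BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$")
# Section A line: [timestamp] unique_id client_ip client_port server_ip server_port
SECTION_A = re.compile(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")

# Constructed sample (not from a real server): three entries logged only because of
# their status code, plus one that a rule actually blocked.
SAMPLE_AUDIT_LOG = """\
--aaaa0001-A--
[1/Oct/2010:11:22:33 +0000] UKmVSQoAAGQAAEz2C2sAAAAB 198.51.100.10 12345 203.0.113.5 443
--aaaa0001-F--
HTTP/1.0 400 Bad Request
Connection: close

--aaaa0001-H--
Stopwatch: 12345678 12345678 (- - -)
--aaaa0001-Z--
--aaaa0002-A--
[1/Jan/2012:00:00:01 -0500] EfNGXVABuRHcKw1OaUzOEQvAUohTaUJUCSoAADxB0CEAAAAJ 198.51.100.20 40001 203.0.113.5 443
--aaaa0002-F--
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="protected"

--aaaa0002-H--
Engine-Mode: "ENABLED"
--aaaa0002-Z--
--aaaa0003-A--
[1/Jan/2012:00:00:02 -0500] EfNGXVABuRHcKw1OaUzOEQvAUohTaUJUCSoAADxB0CEAAAAK 198.51.100.20 40002 203.0.113.5 443
--aaaa0003-F--
HTTP/1.1 401 Unauthorized

--aaaa0003-H--
Engine-Mode: "ENABLED"
--aaaa0003-Z--
--aaaa0004-A--
[1/Jan/2012:00:00:03 -0500] EfNGXVABuRHcKw1OaUzOEQvAUohTaUJUCSoAADxB0CEAAAAL 198.51.100.10 40003 203.0.113.5 443
--aaaa0004-F--
HTTP/1.1 403 Forbidden

--aaaa0004-H--
Message: Access denied with code 403 (phase 2). Pattern match "union.*select" at ARGS:id. [id "999001"] [msg "constructed example rule"]
Engine-Mode: "ENABLED"
--aaaa0004-Z--
"""


def parse_audit_log(text):
    """Split a serial-format audit log into {entry_id: {section_letter: [lines]}}."""
    entries = {}
    entry_id = section = None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            entry_id, section = m.group(1), m.group(2)
            entries.setdefault(entry_id, {}).setdefault(section, [])
        elif entry_id is not None:
            entries[entry_id][section].append(line)
    return entries


def summarize_entry(entry_id, sections):
    """Extract client IP, response status and whether any rule fired (Message: lines in H)."""
    a = SECTION_A.match((sections.get("A") or [""])[0])
    status_line = next((l for l in sections.get("F", []) if l.startswith("HTTP/")), "")
    parts = status_line.split()
    status = parts[1] if len(parts) > 1 else ""
    rule_fired = any(l.startswith("Message:") for l in sections.get("H", []))
    return {
        "id": entry_id,
        "client_ip": a.group(3) if a else None,
        "status": status,
        "rule_triggered": rule_fired,
        # Logged purely because of SecAuditLogRelevantStatus; nothing for a rule to report.
        "status_only": (not rule_fired) and bool(RELEVANT_STATUS.match(status)),
    }


def classify(text, auth_failure_threshold=2):
    """Separate status-only events from rule hits and tally 401s per client IP."""
    summaries = [summarize_entry(i, s) for i, s in parse_audit_log(text).items()]
    auth_failures = Counter(s["client_ip"] for s in summaries if s["status"] == "401")
    return {
        "summaries": summaries,
        "status_only_ids": [s["id"] for s in summaries if s["status_only"]],
        "auth_failures": dict(auth_failures),
        # Repeated 401s from one client are the signal the FAQ describes; a real
        # counter would also use time windows and failures from other services.
        "brute_force_suspects": sorted(ip for ip, n in auth_failures.items()
                                       if n >= auth_failure_threshold),
    }
```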

 

+ Which Operating Systems are Compatible?

We support our rules on any platform that supports Apache 2.x and modsecurity, which includes (but is not limited to):

  • Linux (Including Suse, Ubuntu, CloudLinux, TrixBox, Fedora, Redhat, Gentoo, Debian, Slackware, Mandriva, and others)
  • Microsoft Windows
  • MacOS X
  • FreeBSD
  • OpenBSD
  • Dragonfly BSD
  • NetBSD
  • Solaris
  • HPUX
  • AIX

If you find that Apache and modsecurity works on a platform not listed here, please contact us so we can add it to this list.

Please note that when an operating system or distribution is no longer supported by the vendor we also no longer support the use of our rules on that platform.

 

+ Which Control Panels are Supported?

Our modsecurity rules work with any control panel. The rules are independent of the control panel, which means that they work with cPanel, Plesk, Directadmin, Hsphere, Virtualmin, interworx, etc. They work with any panel right out of the box, without modification.

 

+ Which Web Servers are supported?

Apache

Apache 2.0, 2.2, and 2.4 are fully supported.

HP-UX Internet Express

HP added modsecurity to their Internet Express package, our rules work with HP-UX Internet Express.

HP-UX 11i Internet Express is a collection of the most popular up-to-date Internet and security services and tools, combined with an Open Source graphical administration utility for ease of installation, configuration and management. Internet Express ships as optional open source software as part of the OE/AR media kit. The Open Source components in the Internet Express suite are certified for HP-UX 11i supported HP 9000 and Integrity systems and supported by the open source community.

nginx

Supported.

Note: The nginx port of mod_security is relatively new, and should be considered Beta quality at this time.

If you need a production quality solution for nginx, nginx is supported with ASL. Please see the Nginx wiki article for detailed information on Nginx WAF configuration requirements.

IIS

Supported.

Note: There is a mod_security port for IIS, however it should be considered Beta quality at this time.

IIS is also supported with ASL. We highly recommend you use ASL with IIS if you need support for modsecurity and IIS.

LiteSpeed

Supported with ASL. Please see the LiteSpeed wiki article for important information on LiteSpeed support.

+ How do I install modsecurity?

Please see the Atomic ModSecurity Rules page.

 

+ How do I configure your modsecurity rules?

Please see the Atomic ModSecurity Rules page.

 

+ How can I modify or disable mod_security rules for a domain, rule, or globally?

See the mod_security page for details.

 

+ How do you exclude a domain from the modsecurity rules?

See the mod_security page for more instructions.

Note: This is very dangerous and not recommended, as it leaves the entire domain open to all web based attacks, which could also potentially cause the entire server to become compromised. If you find that you are experiencing any false positives, please report them to support@atomicorp.com and we will fix the false positives for you rapidly. We generally release a fix the same day the issue is reported; it's all part of the service and it's included for free. We're here to help, just ask.

+ Why should I change my cPanel mod_security config file?

It is incomplete and will not scan all types of attacks. We are security experts, all we do is think about ways of stopping the bad guys.

 

+ How can I keep the rules updated?

We recommend you use ASL to do this. It is fully supported.

We also have a free unsupported rule updater tool in beta, which you can read more about at the forum link below:

https://www.atomicorp.com/forums/viewtopic.php?f=14&t=7335

 

+ Can I setup a cronjob to automatically update the rules?

Absolutely. We recommend you do that as we put out updates to the rules daily that include new protections and fixes.

 

+ Error parsing actions: Invalid transformation function: utf8toUnicode

This means your version of modsecurity is too old. Please see the installation instructions for the minimum version required:

https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Minimum_Version_of_Modsecurity_Required_to_use_the_rules

 

+ Error creating rule: Failed to resolve operator: detectSQLi

This means your version of modsecurity is very old and does not support the current modsecurity rules language. Please see the installation instructions for the minimum version required, and upgrade your version of modsecurity:

https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Minimum_Version_of_Modsecurity_Required_to_use_the_rules

 

+ No action id present within the rule

This means that you are using out of date rules. If you are using Atomicorp rules, then this means you are not using the latest real time rules. The latest real time rules have an id action for every rule.

 

+ httpd: ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated

This means that you are using out of date rules. If you are using Atomicorp rules, then this means you are not using the latest real time rules. The latest real time rules do not use transformations in the SecDefaultAction.

If you are using third party rules, this means that the rules contain a transform function in the SecDefaultAction setting. This is a deprecated setting.

+ ModSecurity: Found another rule with the same id

This means that you have two modsecurity rules with the same id. All of our rules have unique ids, and ASL configures modsecurity to load our rules once. This error can only occur for one of two reasons:

1) You have loaded our rules twice. This can happen if you have used a third party product to install modsecurity (cPanel's EasyApache), or a third party modsecurity management tool that enables, disables, configures and loads rules and is not . Do not use third party tools to set up, install or configure modsecurity. Disable these tools, and ensure that you have modsecurity set up according to the Atomic ModSecurity Rules instructions.

2) You have rules that are using ids already assigned to other rules.

If you are using third party or custom rules, check to make sure they have unique ids. Modsecurity requires a unique id for each rule. The range 300000-399999 is used by our rules; do not use this range for any custom rules, and if you have third party rules with these ids be sure to remove those rules.

If you have used our delayed rules in the past, and setup our real time modsecurity rules or had a third party setup modsecurity for you, make sure that installation is only loading modsecurity and your rules once.
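Both causes can be checked before restarting Apache by walking the rule files in the order they are loaded and collecting every id action: an id whose repeated locations are the same file and line was loaded twice, an id found at two different locations has been reused, and any custom file using an id in 300000-399999 collides with the reserved range. This is an added example, not Atomicorp or ASL code; it assumes the files are passed in as strings in load order, and the rule snippets are constructed stand-ins, not real Atomicorp rules.

```python
import re
from collections import defaultdict

# The id action as written in SecRule/SecAction: id:300123, id:'300123' or id:"300123".
# The lookbehind avoids matching things like tx.id inside setvar actions.
RULE_ID = re.compile(r"""(?<![\w.])id:\s*['"]?(\d+)""")
# Range the FAQ says the Atomicorp rules use; custom rules must stay out of it.
ATOMICORP_RANGE = range(300000, 400000)

# Constructed sample files (not real rule content).
SAMPLE_FILES = {
    "00_asl_rules.conf": r"""# constructed stand-in for a vendor rule file
SecRule REQUEST_URI "@contains /etc/passwd" \
    "id:300001,phase:2,deny,msg:'LFI attempt (constructed)'"
SecRule ARGS "@detectSQLi" "id:300002,phase:2,deny"
""",
    "custom.conf": r"""SecRule ARGS:q "@rx evil" "id:300002,phase:2,deny"
SecRule REQUEST_HEADERS:User-Agent "@rx badbot" "id:900001,phase:1,deny"
""",
}
# The vendor file is included twice here, the way a second Include or a third
# party tool would do it (the FAQ's reason 1).
SAMPLE_LOAD_ORDER = ["00_asl_rules.conf", "custom.conf", "00_asl_rules.conf"]


def collect_rule_ids(files, load_order):
    """Map each rule id to every (file, line) it is defined at, in load order."""
    locations = defaultdict(list)
    for name in load_order:  # a file listed twice is read twice, as Apache would
        for lineno, line in enumerate(files[name].splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue
            for m in RULE_ID.finditer(line):
                locations[int(m.group(1))].append((name, lineno))
    return locations


def find_problems(files, load_order, custom_files=()):
    """Return (duplicates, reserved_misuse).

    duplicates: {id: {"reasons": [...], "where": [(file, line), ...]}}
    reserved_misuse: {id: [(custom_file, line), ...]} for custom rules in 300000-399999
    """
    locations = collect_rule_ids(files, load_order)
    duplicates = {}
    for rid, where in locations.items():
        if len(where) < 2:
            continue
        reasons = []
        if len(set(where)) < len(where):   # same file and line seen more than once
            reasons.append("loaded twice")
        if len(set(where)) > 1:            # genuinely different definitions
            reasons.append("id reused")
        duplicates[rid] = {"reasons": reasons, "where": where}
    reserved_misuse = {}
    for rid, where in locations.items():
        if rid in ATOMICORP_RANGE:
            hits = [loc for loc in where if loc[0] in custom_files]
            if hits:
                reserved_misuse[rid] = hits
    return duplicates, reserved_misuse
```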

 

+ Error from ssl wrapper: Unable to produce a valid Apache configuration file

Additionally, these errors may be found in the cpanel error log:

/usr/local/cpanel/logs/error_log:

[2012-04-05 19:18:33 +1000] warn [ssladmin] Unable to produce a valid Apache configuration file. at bin/ssladmin line 201
[2012-04-05 19:18:33 +1000] warn [cpanel] Cpanel::AdminBin::adminrun(ssl) set error in context ssl
[2012-04-05 19:18:33 +1000] warn [ssl::install] Encountered error in ssl::install: Error from ssl wrapper: Unable to produce a valid Apache
configuration file.

This is caused by an insufficient amount of memory being allocated to the cpanel process. The allocated amount of memory can be changed from within WHM as follows:

1) In the menu on the left, click on “Tweak Settings”.

2) In the main frame, click on the “System” tab.

3) Increase the value for “Max cPanel process memory”.

An increase of 64MB should generally be enough, but this may vary depending on your system, the amount of domains you have on the system, etc. If an increase of 64MB is inadequate, keep increasing the limit by 32MB increments.

 

+ Error creating rule: Unknown variable: MATCHED_VARS

Causes:

If you are getting this error, it means that you are using an old version of modsecurity that does not support the modern rule language and you are not running ASL. We recommend you install ASL.

ASL will not allow incompatible versions of the modsecurity rules to be installed. It will also automatically upgrade mod_security provided you have UPDATE_TYPE set to “all”, which is the default. If you have updates disabled in ASL, then you will need to manually upgrade modsecurity:

yum upgrade mod_security

If you are not using ASL, then you will need to upgrade modsecurity using whatever method you used to install it. You will need to be running at least version 2.6.3.

 

+ I used to use your Free rules, with the new rules the dates on some of my rule files appear to have changed

That is expected. ASL-Lite is a rule updater, and we release updates daily. Sometimes even multiple times a day depending on attack trends.

 

+ asl-lite -u says “package asl is not installed”.

asl-lite is a subset of ASL, so it has the same update code used in ASL. This is expected, in future releases the plan is to have it check for asl-lite updates.

 

+ I’m getting this error “Rule execution error – PCRE limits exceeded (-8): (null).”

This is a limitation of your build of mod_security; Atomicorp mod_security builds do not produce this error. You can download our builds from here:

Atomicorp RPM repository

Or you will need to build it like we do with our RPM (http://www4.atomicorp.com/channels/source/mod_security/mod_security.spec, see the %build section).

Or check the Atomicorp forums to see what luck other users have had if you choose to use a third party's mod_security build.

Your best choice is to use our builds.

 

+ /usr/bin/modsec-clamscan.pl is not installed on the server.

Malware scanning is not included in the rules only subscription. ASL comes with malware upload scanning for HTTP, SSH, FTP and other protocols, including real time malware protection and much more. If you want malware upload protection, upgrade to ASL.

We also don’t include that file or use the methods demonstrated in it because it doesn’t scale very well. ASL has a binary streaming system that scales.

 

+ Exec: Execution failed while reading output: /usr/bin/modsec-clamscan.pl (End of file found)

This error occurs if you install the 05_asl_scanner.conf file, and have not manually setup some kind of script to send uploads to clamd. Malware scanning is not included in the rules only subscription. ASL comes with malware upload scanning for HTTP, SSH, FTP and other protocols, including real time malware protection and much more. If you want malware upload protection, upgrade to ASL.

Solution:

Option 1. Update to ASL

Option 2. Remove the file 05_asl_scanner.conf and restart Apache.

+ ModSecurity: Failed to access DBM file “/var/asl/data/msa/

Alternatively, you may get this error:

Failed to access DBM file “/var/asl/data/msa/global”: Permission denied

This means that you do not have the correct permissions set up for modsecurity to work correctly. Please make sure you have followed all the setup and installation instructions in the Atomic ModSecurity Rules wiki article.

Easy solution

Install aum, which will both install the correct version of modsecurity for your web server and set up the permissions for this directory correctly for your web server. Keep in mind that the default version of modsecurity does not work correctly with versions of Apache that are set up to change Apache’s user “on the fly” to other users on the system. Our version of modsecurity has been enhanced to support Apache in this configuration.

Do it Yourself Solution

Specific guidance is provided in this section of the Setting Up Modsecurity guide:

https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Step_3:_Set_permissions_for_directories

Keep in mind that the default version of modsecurity does not work correctly with versions of Apache that are set up to change Apache’s user “on the fly” to other users on the system. Our version of modsecurity has been enhanced to support Apache in this configuration.

+ Apache segmentation fault

This means that Apache is experiencing a recoverable memory error. We have found that many things can cause segfaults. It’s not possible in this FAQ to cover all of them, but in brief they are:

1) errors in Apache

2) bugs in the APR

3) bugs in libraries compiled into Apache

4) buggy modules (mod_memcache seems to cause this on some systems)

5) buggy PHP scripts

6) bad mod_rewrite rules that cause loops

In general, to find the cause of a segfault you will want to see the Apache article, which explains how to generate core files and how to debug them.

Atomic Secured Linux

+ What is the benefit of using Atomic Secure Linux?

Peace of mind knowing that a team of security experts will work tirelessly to ensure that you have a security solution that will protect your system and provide on-demand support for all your security needs. If we distribute any component, be it a kernel, rules, modules, etc., we will support issues you may have with your integration, drivers, etc. We focus on building software such as AS/L that works on the widest range of hardware, with the most advanced and modern security features that will work on all platforms. This includes firewall extensions for STEALTH and MATCH support, the strongest stack protection in the world, special defenses against kernel module rootkits, cutting-edge countermeasures against the latest threats and more!

+ What features will I get with Atomic Security for Linux/Windows?

  • A full SIM with a stand-alone web GUI
  • A fully integrated web application firewall
  • Event correlation and intelligent log reduction and alerting
  • A built-in vulnerability scanner with automatic vulnerability repair
  • Virtual patching
  • Zero Day protection
  • Brute force protection
  • Compliance monitoring
  • Self healing
  • Real-time anti-spam and anti-malware protection
  • Upload malware protection (Web and FTP)
  • Automatic redaction
  • A secure and hardened kernel
  • Stack and heap protection
  • Role-based access control system and many many more features!

+ How can I report a false positive?

Send the false positive to “support@atomicorp.com” or press the “Report False Positive” button within the GUI. False positives are usually resolved and an update released the same day they are reported, often within a few hours if the report was submitted during business hours. You can also follow the Reporting False Positives procedure, which provides detailed instructions on how to report a false positive if you cannot use the GUI, or if you choose to report it from the command line.

“MODSEC version is not current. False reporting has been disabled.”

If you see this message, your modsecurity rules are not up to date. Before reporting a false positive, make sure your rules are up to date. To do this, either click on the “Update” button in the AS/L web console, or run the command “aum -u” from the command line as root. It’s possible your issue has already been addressed, and if not, just update your rules and AS/L will let you report the false positive. We’ll then get right on it and get you a fix ASAP!

+ What Linux distributions do you support?

  • Centos 5, 6 and 7
  • Redhat Linux 5
  • Redhat Enterprise Linux 6 and 7
  • CloudLinux 5
  • CloudLinux 6
  • Amazon EC2 (We support RHEL and Centos on EC2, we do not support AMI and other customized distributions)
  • Trixbox 2.8

+ Is Atomic Secure Linux easy to install?

Atomic Security for Linux/Windows was designed to be easy to install and use, and it will work with your existing operating system without replacing any core components. You just run one command and the AS/L installer will walk you through questions to configure itself for your unique needs. Just follow the instructions on the AS/L installation page. If you have any questions, please contact us. We’re always happy to help our customers.

+ Is Atomic Secure Linux safe to install?

Yes. Atomic Security for Linux/Windows was designed for high-SLA environments and comes with robust support from a company that understands the needs of high-SLA environments. Both AS/L and ASW have numerous built-in fail-safes to make them both easy to install and safe to use. For example, if AS/L detects that your kernel has an error on boot, it will reboot the system into the last known working kernel. This is a feature no Linux distribution includes, so installing AS/L will actually make sure your system is more stable and more reliable.

+ Does installing Atomic Secure Linux require downtime?

No, it does not require you to take your system down. Our cyber security solutions are designed to be installed on running systems. You will want to reboot the system into the secure kernel, but you can do that any time. AS/L and ASW will operate normally without the secure kernel, and don’t require it to function. However, without the secure kernel you will still be vulnerable to the same kernel-level weaknesses and vulnerabilities that exist in all non-secure kernels. Therefore, we recommend that you run the secure kernel, which will require a reboot.

+ How can I buy an Atomic Secured Linux (ASL) license?

To purchase a license for ASL, just visit the Atomic Secured Linux page and click the Buy Now icon, or click on this link.

+ Can I try Atomic Secured Linux (ASL) before I purchase it?

Absolutely! We offer a free, no risk and no obligation 10 day trial. Just click here to get your trial license now!

+ What is the benefit of Subscribing to ASL?

Peace of mind knowing that a team of security experts will work tirelessly to ensure that you have a security solution that will protect your system, and rapid support for all your security needs.

Access to the best Linux security product available, that includes a full SIM with a stand alone web gui, a fully integrated web application firewall, event correlation, intelligent log reduction and alerting, a built in vulnerability scanner with automatic vulnerability repair, virtual patching, compliance monitoring, self healing, anti-spam protection, anti-malware protection, upload malware protection (Web and FTP), realtime malware protection, automatic redaction, a secure and hardened kernel, Stack Protection, Heap Protection, a Role Based Access Control system and many many more features!

And most importantly, full support. If we distribute any component, be it a kernel, rules, modules, etc., we will support issues you may have with your integration, with drivers, etc. We focus on building software such as ASL that works on the widest range of hardware, with the most advanced and modern security features that will work on all platforms. This includes firewall extensions for STEALTH and MATCH support, the strongest stack protection in the world, special defenses against kernel module rootkits, cutting edge countermeasures against the latest threats and more!

With ASL, you won’t have to do it all yourself; we’re here to help you.

+ What is the SLA for critical security or support issues in ASL?

If there is a security issue with ASL, in general we will release a fix within 24 hours of the issue being reported to us.

+ How can I give Atomicorp support access to my system?

To provide us with access, please follow the process below. Do not send us your root password to log into your system. We do not need it, and we will delete it if you send it to us (we do this for your protection). Just follow the process below, which will provide us with secure access without the need to know your root password.

Step 1) Do not send us your root password to log into your system. We do not need it.

As part of our security policies we will not use passwords to log into your system, and we will not store root passwords in our support system. Our policy requires our support engineers to delete this information if you send it to us. Just follow the process below, which will install cryptographically strong keys that we will use to authenticate to your system instead of using a password. This will protect you as we won’t have your root password, and no one will be able to steal it from us to access your system.

Step 2) Become root on your system

Type this command:

su -

This will ask for the root password for your system; type in your root user’s password.

Step 3) Run the command below, as the root user, to provide us with access to the system

wget -q -O - https://www.atomicorp.com/installers/key | sh

Note: You must have a version of wget installed that supports HTTPS.

If you do not see any output from this command, it is likely that wget on your system was replaced with a crippled version that does not support SSL. Please see this article to test whether your wget supports SSL:

https://www.atomicorp.com/wiki/index.php/ASL_prerequisites#wget

If you’ve done this before, and we’ve asked you to do this again, please run the key installer again. We change our keys regularly for security reasons, so it’s vital you have the latest keys installed on your system. We won’t be able to log in otherwise.

Step 4) (Optional) Add to AllowUsers in sshd_config

If you use ASL’s admin user feature, or use sshd’s AllowUsers feature, make sure you add the “atomic” user to the allowed users. If our tool does not add the user “atomic”, that is because you allow root logins, and the tool will simply add our keys to the root account.

Step 5) Configure your firewall to allow access

If you need to open firewall access, please see the email sent with the IPs we will be logging in from.

Step 6) If this is for a new install, send us your mysql administrator password

If this is for an installation, please make sure you also provide us with your mysql administrator credentials in the email.

Step 7) Send us the IP address and SSH port for the system

And finally, remember to send an email to support AT atomicorp DOT com with the IP address(es) of the system(s) you want us to log into, and if you run SSH on a non-standard port please include that information as well.

If you have sent this information to us in the past, please make sure you send it with any new request. As part of our procedures, we must confirm the IP address for each request before logging into any system as an important safeguard to ensure we are accessing the correct system, and have permission to do so.

+ Can I setup support access manually?

Yes, although as an internal policy we do not allow our support engineers to use customer passwords. That prevents your passwords from being recorded in our systems, preventing any accidental exposure of those passwords. We recommend you use the process above, but if you are able to set up ssh key based access yourself, you can download our keys from the URL below:

https://www.atomicorp.com/authorized_keys

+ How can I verify the integrity of the ssh keys?

The installer will download the keys over a TLS encrypted channel. Each member of our support team has a unique key, we do not use shared keys or credentials. Therefore, you will see a number of keys downloaded.

You can check the integrity of the authorized_keys file, by downloading this file:

https://www.atomicorp.com/authorized_keys

And its SHA512 message digest file:

https://www.atomicorp.com/authorized_keys.sha512
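The verification described above, as an added example that is not Atomicorp's own key installer, combined with the manual key setup from the previous answer and the AllowUsers check from step 4 of the access procedure. It assumes the digest file is in sha512sum layout (a hex digest, optionally followed by the file name) and that the support account is named "atomic" as this FAQ states; the wget calls need network access, the verification itself runs on local files.

```shell
#!/bin/sh
# Added example, not Atomicorp's installer: fetch the published authorized_keys
# file and its SHA512 digest (URLs as quoted in this FAQ), verify them, and only
# then install the keys for the "atomic" support user.
# Assumptions not stated on the page: the digest file is in sha512sum layout
# ("<hex>  authorized_keys" or a bare hex string) and the account is "atomic".

KEYS_URL="https://www.atomicorp.com/authorized_keys"
SUM_URL="https://www.atomicorp.com/authorized_keys.sha512"
SUPPORT_USER="atomic"

# Download both files over TLS into DIR.  wget must support HTTPS (see the
# prerequisites note in the FAQ); -q keeps it silent, so check the exit code.
fetch_keys() {
    dir="$1"
    wget -q -O "$dir/authorized_keys" "$KEYS_URL" || return 1
    wget -q -O "$dir/authorized_keys.sha512" "$SUM_URL" || return 1
}

# First whitespace-separated field of the digest file: the hex digest in
# either of the two layouts assumed above.
expected_digest() {
    awk 'NR == 1 { print $1; exit }' "$1"
}

# verify_keys_file KEYS DIGEST
#   0  digest matches and every non-comment line is an OpenSSH public key
#   1  digest file unreadable or empty
#   2  digest mismatch (file corrupted or altered in transit)
#   3  digest matches but a line is not a public key (refuse to install)
verify_keys_file() {
    keys="$1"
    expected=$(expected_digest "$2") || return 1
    [ -n "$expected" ] || return 1
    actual=$(sha512sum "$keys" | awk '{ print $1 }')
    [ "$expected" = "$actual" ] || return 2
    # Accept blank lines, comments and lines that start with a known key type
    # followed by base64 key material; anything else is suspicious.
    if grep -Ev '^$|^#|^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9@.-]+) [A-Za-z0-9+/=]+' "$keys" | grep -q .; then
        return 3
    fi
    return 0
}

# Number of keys in the file; the FAQ says each support engineer has a unique
# key, so more than one is expected.
count_keys() {
    grep -Ec '^(ssh-|ecdsa-|sk-)' "$1"
}

# Install an already verified keys file for the support user with the
# permissions sshd requires (0700 on ~/.ssh, 0600 on authorized_keys).
# Must run as root; not exercised by the test below.
install_support_keys() {
    keys="$1"
    id "$SUPPORT_USER" >/dev/null 2>&1 || useradd -m "$SUPPORT_USER" || return 1
    home=$(getent passwd "$SUPPORT_USER" | cut -d: -f6)
    install -d -m 0700 -o "$SUPPORT_USER" -g "$SUPPORT_USER" "$home/.ssh" || return 1
    install -m 0600 -o "$SUPPORT_USER" -g "$SUPPORT_USER" \
        "$keys" "$home/.ssh/authorized_keys" || return 1
    # If sshd_config restricts logins with AllowUsers, the support user must be
    # listed there too (step 4 of the FAQ); warn rather than edit the file.
    if grep -Eq '^[[:space:]]*AllowUsers' /etc/ssh/sshd_config 2>/dev/null &&
       ! grep -Eq '^[[:space:]]*AllowUsers.*[[:space:]]'"$SUPPORT_USER"'([[:space:]]|$)' /etc/ssh/sshd_config; then
        echo "warning: add $SUPPORT_USER to AllowUsers in /etc/ssh/sshd_config" >&2
    fi
}

# Typical use (needs network access and root; not run here):
#   work=$(mktemp -d)
#   fetch_keys "$work" &&
#   verify_keys_file "$work/authorized_keys" "$work/authorized_keys.sha512" &&
#   install_support_keys "$work/authorized_keys"
```

Removing the "atomic" user's ~/.ssh/authorized_keys (or the user itself) afterwards revokes the access, as the removal answer below describes.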

+ Can I set a password for the atomic account?

Yes. We do not use passwords to log into the system, we use SSH keys only. By default, SSH will not allow password authentication to accounts without passwords (it will require SSH keys instead). So unless you have configured your system to allow empty passwords, it is not necessary to do this.

However, if you do this, you will need to let us know what the password is so that we can use sudo.

+ How can I remove Atomicorp access to my system?

If you followed the process above, just remove the “atomic” user when you are finished, or if you allow root ssh login access then you will need to remove our ssh keys from the /root/.ssh directory. The script above will not provide us with any passwords to your system, it will simply install our keys as the “atomic” user (or if you allow root access, as the “root” user). Removal of those keys will also remove our access to the system.

+ Where is the ASL Web GUI?

You can access it on your system at this URL (change www.example.com to either your system’s name or IP address):

https://www.example.com:30000

Make sure your firewall is configured to allow access to the TCP port 30000.

+ Does ASL have any PHP dependencies?

No. ASL uses its own PHP libraries, which are installed in /var/asl and have nothing to do with the system’s PHP libraries.

The ASL PHP library rpm packages will start with the name “asl-”. Do not change the ASL PHP rpms; they are only used by ASL.

+ Does ASL install PHP on my system?

No. ASL will not install, replace, upgrade, change or remove PHP on your system.

+ What are the asl-php rpms?

ASL has its own, independent PHP engine that is only used by the ASL web console daemon, tortixd, to power the ASL web console. ASL does not use your operating system’s PHP installation, and ASL’s independent PHP engine is not used by your web server, web applications or operating system. ASL will not remove, replace, modify, upgrade or otherwise change your existing PHP installation. The asl-php RPMs are a completely separate, isolated PHP engine that is not used by your operating system or web server (apache, nginx, litespeed or any other web server), nor will they have any effect on any other application on your system, including any web or PHP applications.

These rpms will not and do not have any effect on your operating system; they are only installed in /var/asl and are only used by ASL.

The ASL PHP libraries rpm packages will always start with the name “asl”, for example:

asl-php-cli-5.4.17-15.el6.art.x86_64
asl-php-5.4.17-15.el6.art.x86_64
asl-php-process-5.4.17-15.el6.art.x86_64
asl-php-gd-5.4.17-15.el6.art.x86_64
asl-php-pecl-apc-3.1.13-4.el6.art.x86_64
asl-php-common-5.4.17-15.el6.art.x86_64
asl-php-mysqlnd-5.4.17-15.el6.art.x86_64
asl-php-pdo-5.4.17-15.el6.art.x86_64

Do not change, remove, configure, block the installation or upgrade of, or otherwise modify the ASL PHP rpms or their configuration files; they are only used by ASL for its web console.

If you are having problems with your operating system’s PHP, your web server’s PHP handler, your web server’s PHP applications or other PHP applications: ASL did not install, upgrade, replace, configure or remove any part of your system’s or web server’s PHP installation. Contact your PHP vendor for assistance.

+ My system has experienced a kernel panic

We have documented several issues that may cause kernel panics on the wiki along with solutions in the Kernel_Panic article.

+ What should I do if I believe a system has been compromised?

First, stop and ask yourself what you want to do. Do you want to prosecute or do you want to just find the problem and fix it? This is a critical question you have to ask yourself because if you want to prosecute you must preserve evidence, and the actions you take to fix the intrusion may destroy or make that evidence inadmissible. If you want to prosecute, contact us to discuss your situation as you may need professional help to build a case. Also, if you choose to prosecute, you should know that in some jurisdictions the personnel working on your case may need special licenses to do this, otherwise they may be committing a felony (Michigan for example requires a Private Investigator license to perform computer forensics that will be used in court, failure to have this license is a felony.)

If you want to find out what happened and just clean up, please continue with this checklist.

First, start with the simple case: the compromise may have occurred by the attacker simply stealing a user’s password and logging into the system. We have put together a wiki article that provides guidance for those cases:

Compromised System: FTP

If you know that an attacker did not simply log into the system with stolen credentials please read this Wiki article:

Compromised System

In most cases we have seen, attackers are stealing users’ passwords and keys via keyloggers and trojans and just logging in. In those cases, there is no technical vulnerability in your system; the issue lies with your users and their computers. So, check your logs first to see if someone simply logged into your account or your users’ accounts. You’d be surprised at how often we see that happen.

If you find yourself in this situation we recommend you explore two-factor authentication options such as SecurID, OTP generators on your cell phone (not on your computer: if the computer has been compromised, so has the OTP!) and other hardware tokens.

You can also use an operating system that is more secure for your desktop such as Linux, Solaris, BSD or MacOS.

+ Do you have pre-defined access policies , or do we have to configure these policies?

Yes, currently we use Trusted Path Execution (TPE), and the untrusted users group by default. Members of the untrusted users group can only execute commands owned by root. In addition non-root users can only see processes owned by them. Grsec has an additional RBAC and Process ACL system available.

+ How long are major releases supported?

ASL major releases (3.x, 4.x, 5.x) are supported for three (3) months after a new major release is made available. For example, when ASL 4.0 was released on March 19th, 2014, ASL 3.x was scheduled for End of Life (EOL) on June 19th, 2014.

+ How can I upgrade a trial?

Just log into the license manager using the same credentials you used to setup your trial and purchase a license. You don’t need to do anything else. The system will automatically convert your system from a trial to a full license, and you won’t have to reinstall or install anything.

You can access the license manager at the URL below:

https://atomicorp.com/amember/member

+ What about VPS Licenses?

Different machines with a VPS license pack

Question: Do the VPS licenses need to be used on one physical machine or can the VPS boxes be located on different physical machines in different locations?

They can be located on different physical machines in different locations, or on the same machine.

Purchasing additional licenses

Question: If we use more than 5 licenses, do we have to add additional licenses 5 at a time, or can we add just 1 at a time after we purchase the initial 5?

You can add single licenses through the license manager.

Do VPS licenses include support for the kernel?

VPS licenses do not include support for the kernel. If you want to use the secure ASL kernel, then you must purchase a full ASL license.

+ Can I use ASL as a reverse proxy for my other servers?

Yes. However, you must purchase a reverse proxy license for this to work in ASL.

If you wish to use ASL as a reverse proxy for other servers, please contact us for support and a license.

+ Is ASL compatible with AWS instances?

Absolutely. ASL is fully supported on AWS, including the secure kernel.

+ What database servers do you support?

Supported databases

Centos

ASL is supported with the official versions from Centos for that distribution.

Centos 7

ASL is supported with MariaDB 5 and 10.

Redhat

ASL is supported on RHEL 5, 6 and 7 with the official versions from Redhat for that distribution.

CloudLinux

CloudLinux 5 and 6

ASL is supported with the official versions from Centos for that distribution.

CloudLinux 7

ASL is supported with MariaDB 5 and 10.

Third Party versions

ASL also works with the following versions of cPanel’s mysql rpms, where cPanel currently supports them for that OS and architecture:

  1. MySQL50
  2. MySQL51
  3. MySQL55

Note: cPanel does not follow package management or MySQL norms or standards. Unlike other MySQL vendors and packagers, cPanel makes non-standard changes to their MySQL rpms, changing both these packages and what they include. We encourage our customers to contact cPanel regarding any issues with cPanel’s mysql packages, or to use MySQL from one of the vendors above.

ASL is not tested or supported with any other mysql, mariadb or other variant builds or versions not documented above.

+ ASL does not support my version of my operating system

We support versions of operating systems per the list above, and of those we only support operating systems which are still supported by the OS vendor.

We do this because of the serious security issues associated with running an operating system that is no longer supported, as well as the problems associated with the lack of bug fixes for platforms that have been abandoned by their vendors. For example, if a serious vulnerability were to be discovered in openssh and there was no patch for your system, ASL may not be able to protect your system adequately. Some vulnerabilities are beyond even our capabilities to defend against. We are always looking out for your security, and unsupported OSes are a serious risk to operate.

For newer versions of operating systems we work as fast as possible to support these new distributions.

+ Do you support custom builds of apache, or other custom non-standard Linux distributions or hybrids?

Yes, only through extended support contracts. If you do not have an extended support contract there is no support. Please contact sales@atomicorp.com and we can put together a proposal for your project and price out ongoing support for your custom configuration.

+ What browsers does the ASL GUI work with?

Supported browsers are:

Browser              Minimum version required
Firefox              3.5
Internet Explorer    8.0
Safari               5.1.7
Opera                11.50
Chrome               30

+ Does ASL require a control panel?

No, ASL does not require any control panel product (Plesk, Cpanel, etc.). You can use ASL with, or without a control panel. If you do use a control panel, ASL works with all major control panels, and the specific list of supported configurations is provided below.

+ Does ASL work with Plesk?

Absolutely! Atomicorp was founded by two Plesk founders. You won’t find a security company that knows more about Plesk, or cares more about making security products that work with control panels like Plesk. ASL works with all Plesk versions from 9 all the way up to the latest version of Plesk, 12.

+ Can you use ASL without plesk?

Yes, ASL uses its own GUI and does not require any control panel to work.

+ Will I lose any functionality in Plesk if I use ASL?

No. ASL will only add new functionality to your system.

+ If the policies are predefined, will your policy fit a Plesk system, given that Plesk uses its own chroot enforcement on some daemons?

Atomicorp was founded by Plesk founders. ASL is designed to integrate in that environment and with other control panels too.

+ Can you use ASL with Directadmin?

Yes. ASL works with and is supported with Directadmin.

Note: If you are not using the system’s RPMs, and are using a custom built Apache, then you will need to use the current beta version of ASL for custom Apache environments. You can read more about it here:

https://www.atomicorp.com/forums/viewtopic.php?f=21&t=4828

When you have a custom non-rpm managed Apache install use the installer in the link above.

+ Virtualmin

ASL works with Virtualmin and is a supported configuration. Please see the Virtualmin page for any notes on using ASL with this product.

+ Cpanel

ASL works with CPanel and is a supported configuration. Please see the Cpanel page for any notes on using ASL with this product.

+ Interworx

ASL works with Interworx and is a supported configuration. Please see the Interworx page for any notes on using ASL with this product.

+ Is IPv6 supported?

Not at this time.

Additionally, ASL does not load any IPv6 network modules by default; therefore, if you must use IPv6, you will need to ensure the modules are loaded on boot before S99 (when ASL locks the kernel).

Again, if you must use IPv6, please know that IPv6 is not supported with ASL at this time.

+ Does ASL work with X11/Xorg?

Yes, ASL works with X. To configure ASL with X, please see the X with ASL article.

+ Is ASL compatible with ConfigServer?

ASL does not support any of the ConfigServer products, and CSF (ConfigServer Firewall) in particular is known to cause major compatibility issues on a server running ASL. ASL is a complete stand-alone security product, which includes a powerful firewall, and you do not need to run any additional security software, including CSF, in conjunction with ASL.

+ Does ASL support ipset?

Yes, ASL supports ipset as of version 4.0 of ASL. To enable it, just set “FW_ENABLE_IPSET” to “yes” in the configuration screen.

+ Will ASL replace core components of my system?

No. ASL will install additional software on your system, and will not replace anything, including the kernel.

+ Does ASL need to be installed on a system before Plesk/Cpanel/etc. is installed?

No, ASL can be installed on a system that already has Plesk, Cpanel or any other control panel installed. ASL does not require a bare system, and is designed to be installed into already operating systems that have been configured for use, and have third party software already installed. ASL is an enhancement and can be installed on any supported Linux system.

+ I just purchased an installation from you, what now?

In order for us to conduct your installation, we will need you to open up a case with Support with the following information:

1) Confirmation, from you, that the system meets all the minimum requirements for ASL:

https://www.atomicorp.com/wiki/index.php/ASL_prerequisites

Please be sure to read the entire article, as this may include that you make certain updates to the configuration of your system. We are not permitted to make these changes to your system.

2) Access to the system

Please follow this process at the link below to provide us with access:

https://www.atomicorp.com/wiki/index.php/ASL_FAQ#How_can_I_give_atomicorp_support_access_to_my_system.3F

If you have done this in the past, please follow the process again as we do regularly change our SSH keys for security reasons, and the keys on your system may no longer be valid.

3) The IP address and SSH port for the system.

As part of our procedures, we must confirm the IP address for each request as an important safeguard to ensure we are accessing the correct system, and have your permission to access the system.

4) The mysql root (or admin) password for the system.

If you are using Plesk or cPanel we can generally perform the install without this information, since in most cases ASL can read it from the control panel. In some cases, though, it is not available from the control panel, so please provide it in case that applies to your system.

If we run into a condition where the mysql root (or admin) credentials are not available, we will not be able to perform the installation. So please provide them just in case.

5) Your Atomicorp License Manager Credentials

We need the username, and password you used to setup your account with us.

6) If you have specific IPs you would like whitelisted, please provide us with the list, with a single space between each IP (example: x.x.x.x y.y.y.y z.z.z.z). Please note, ASL only supports IPv4 addresses at this time.

7) We will attempt to install the product. In the event we encounter difficulties due to unusual software/hardware configurations, we will attempt to contact you for further information. Due to our high customer volume, timely response is necessary (within 30 minutes), or we reserve the right to reschedule the installation.

+ Is it OK to install CS4 with ASL?

Just say “no” when it asks if you want to download and install clamd when you run the installation script. ASL already provides clamd.

+ Does ASL work with PHP sites running under fast_cgi?

Yes, ASL works with systems using fcgi, suphp, and itk. It also works just fine with systems that use none of these. ASL integrates fully and safely into Apache.

+ Is mod_ruid2 supported?

Partially, when using ASL. If you are using a third party modsecurity build, this is not supported as it will not contain the necessary patches to make mod_ruid2 work correctly with mod_security.

If you are using the latest version of ASL, you will be able to use mod_ruid2 provided you do not enable any rules that use mod_security’s DBM system. This includes the advanced rules, and the search engine protection rules. Specifically, mod_ruid2 is not compatible with the security model mod_security uses to create, write and store its DBM files. mod_ruid2 will attempt to save these as the user of the context apache is currently running as. This causes problems for the DBM databases, as they are global databases and not per user databases. This breaks the DBM collection tracking system.

Therefore, you can not use these types of rules with mod_ruid2.

For third party builds, you will also encounter these issues, which will make mod_ruid2 fail to work correctly at all:

1) Under heavy load, mod_ruid2 when used with mod_security can cause a crash. Specifically, mod_ruid2 can cause an AcceptMutex to be held by another UID, and this will cause Apache to crash.

2) mod_ruid2 is not compatible with the security model mod_security uses to create, write and store its log, audit and DBM files. mod_ruid2 will attempt to save these as the user of the context apache is currently running as. This causes problems for the DBM databases, as they are global databases and not per user databases. This breaks the DBM collection tracking system. Storing the logs as the user of the apache context can be insecure, as it can make it possible for an attacker to delete or modify the logs, preventing security tools from using these logs to make decisions about possible attacks and compromises of the system. In general, logs that contain security information should not be stored as the user carrying out the attack for this reason. Modifying logs is a well known method for covering up attacks and compromises.
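As an added example (this is not an ASL or Atomicorp tool, and not code from the FAQ), the shell script below lists the lines in a ModSecurity rules directory that depend on the persistent, DBM-backed collection machinery described above: the SecDataDir directive and the initcol, setsid and setuid actions, all standard ModSecurity 2.x names. That is the quickest way to see which rule files must stay disabled while mod_ruid2 is loaded. The rules directory is whatever you pass in; the two rule files in the demo are constructed here, not taken from ASL.

```shell
#!/bin/sh
# Added example; not an ASL or Atomicorp tool. Lists every line in a
# ModSecurity rules directory that relies on the persistent, DBM-backed
# collections the FAQ says mod_ruid2 breaks: the SecDataDir directive and the
# initcol, setsid and setuid actions (standard ModSecurity 2.x names).
# The directory you scan is your own; nothing about its path is assumed here.

# Directives and actions that create or write persistent collections.
DBM_PATTERN='SecDataDir|initcol:|setsid:|setuid:'

# scan_rules_dir DIR: print "file:line:text" for each DBM-dependent line in
# every *.conf under DIR. /dev/null is passed as an extra file so grep always
# prefixes the file name, even when find hands it a single file.
scan_rules_dir() {
    find "$1" -type f -name '*.conf' -exec grep -nE "$DBM_PATTERN" /dev/null {} +
}

# count_dbm_rules DIR: number of DBM-dependent lines under DIR (0 when clean).
count_dbm_rules() {
    scan_rules_dir "$1" | wc -l | tr -d ' '
}

# make_demo_dir: write two constructed rule files into a fresh temp directory
# and print its path. 10_tracking.conf keeps a persistent per-IP collection,
# the kind of rule to leave disabled with mod_ruid2; 20_plain.conf does not.
make_demo_dir() {
    d=$(mktemp -d)
    cat > "$d/10_tracking.conf" <<'EOF'
SecDataDir /var/lib/mod_security
SecAction "phase:1,nolog,pass,id:900001,initcol:ip=%{REMOTE_ADDR}"
SecRule REQUEST_URI "@beginsWith /login" "phase:2,pass,id:900002,setvar:ip.login_attempts=+1"
EOF
    cat > "$d/20_plain.conf" <<'EOF'
SecRule REQUEST_METHOD "!@rx ^(GET|HEAD|POST)$" "phase:1,deny,status:405,id:900003"
EOF
    echo "$d"
}

# Usage: sh scan-dbm-rules.sh /path/to/modsecurity/rules
# Without an argument the constructed demo directory is scanned instead.
if [ -n "${1:-}" ]; then
    scan_rules_dir "$1"
    echo "DBM-dependent lines: $(count_dbm_rules "$1")"
else
    demo=$(make_demo_dir)
    scan_rules_dir "$demo"
    echo "DBM-dependent lines: $(count_dbm_rules "$demo")"
    rm -rf "$demo"
fi
```

Only the lines that create or write a collection are reported; a rule that merely reads or increments a collection variable (the setvar line in the demo) is not flagged, because it is harmless once the initcol rule that creates the collection is disabled.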

+ Does ASL work with PHP sites running under suphp?

Yes, ASL works with systems using suphp, fcgi, and itk. It also works just fine with systems that use none of these. ASL integrates fully and safely into Apache.

 

+ How easy is it with ASL to debug and use modsecurity?

Very easy. ASL includes an easy to use web based graphical interface that allows you to view alerts, modify rules, and report false positives all with one click. We typically can resolve a false positive in less than one hour when reported through the ASL Web interface.

 

+ If I face problems with the installation/setup of ASL do you provide support?

Absolutely! We fully support all our products. ASL licenses come with email and web based support, using an easy to use case and bug management system that is associated with your account. You can log in through our support portal directly from the atomicorp website, or via email. Phone support is also available with an extended support contract.

+ What are the minimum system requirements for ASL?

If all of the ASL security features are turned on, we recommend that your system have a minimum of 1GB of RAM. ASL includes advanced web application and antispam security features that do best with this minimum requirement.

Our servers run without issue with 2GB of RAM on Dual Core P4s or single core AMD 64bit CPUs.

+ I also had previously installed rkhunter and chkrootkit, should I have uninstalled those prior to installing ASL?

If you installed these via the package management system in your OS, no. If you installed these via source, you should remove them.

+ What is the performance impact of using ASL on a system with 700-1000 domains per server?

The secure kernel operates with around 3-5% of additional overhead on Intel processors. AMD processors implement the features we emulate on Intel processors in hardware, so there is no additional overhead.

+ Is there an install log for ASL?

Yes, the ASL installation will generate this log file:

/tmp/tortix-install.log

+ What are testing channels for?

For the ASL channels:

Beta releases.

Please keep in mind that testing channels are not supported.

For the Free Atomic Channels:

This is for software that may be of beta quality, but has not been evaluated for security or stability issues. It may also contain rpms that are experimental or buggy and are parked here to allow other researchers to experiment with this software.

Please keep in mind that the atomic channels are not supported. The Atomic repository provides free software.

+ What are bleeding channels for?

Alpha and pre-alpha releases. You shouldn’t use bleeding code unless you are prepared to roll up your sleeves and debug the builds. They are also not supported.

+ How can I install ASL?

Just follow the instructions on the ASL installation page.

+ How can I reinstall ASL?

The cleanest way to reinstall ASL is to first uninstall it, then run the installer again. The process is:

Step 1) Run this command as root (do not use sudo, you must be root to run this command):

/var/asl/lib/uninstall

Step 2) Then install ASL fresh by following the instructions on the ASL installation page.

 

+ How can I disable ASL?

Step 1) Disable mod_security

mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled

Step 2) Disable mod_evasive

mv /etc/httpd/conf.d/mod_evasive.conf /etc/httpd/conf.d/mod_evasive.conf.disabled

Step 3) Disable mod_sed

mv /etc/httpd/conf.d/00mod_sed.conf /etc/httpd/conf.d/00mod_sed.conf.disabled

Step 4) Disable OSSEC

/etc/init.d/ossec stop

Step 5) Disable clamd

/etc/init.d/clamd stop

Step 6) Restart apache

(Use your method of choice, this is just an example)

/etc/init.d/httpd restart

Step 7) Remove the hardened proftp

 yum remove psa-proftpd-1.3.2a-1.el5.art

Step 8) Boot into a non-ASL Kernel

Configure your system to boot into a non-ASL kernel.

Step 9) Reboot

 reboot

Also, it’s important to recognize that ASL is a threat manager that repairs vulnerabilities on your system. Disabling ASL will not undo any vulnerability repairs you have instructed ASL to fix. If you want to undo a vulnerability repair in ASL, do not uninstall ASL. Simply change the action in the ASL GUI and run ASL in Fix mode to undo the repair.

+ How do I remove or uninstall ASL?

Answer for ASL 4.x:

Just run this command as root:

 /var/asl/lib/uninstall

Do not use any other method to uninstall ASL.

Note: Because the ASL uninstaller is just that, an uninstaller, it is also designed to remove the ASL kernel. Before you reboot, you must check to make sure you have a working non-ASL kernel installed on the system, or you will not be able to boot your system.

ASL will not remove any non-ASL kernels, ever. It won’t remove existing kernels on install, or during uninstall. It also won’t install or upgrade non-ASL kernels. So for most users this isn’t an issue; however, if you have removed your non-ASL kernels or do not have a working non-ASL kernel on your system, then you won’t be able to boot your system. Please contact your OS vendor for assistance with re-installing their kernel if you have removed it.

If you have an incomplete installation, and are missing the uninstaller, you can also download and locally run (as root) the uninstaller from this URL: https://www.atomicorp.com/installer/uninstall

+ How do I upgrade from asl-lite?

asl-lite was a free, unsupported rule updater tool. It has been discontinued and replaced by aum.

To install ASL on a system that had asl-lite installed you will need to remove asl-lite, and the asl-lite configuration directory:

Step 1)

If your system is package managed, then asl-lite should be installed via yum. To uninstall asl-lite run this command as root:

yum remove asl-lite

If your system is not package managed, then you will need to manually remove asl-lite yourself.

Step 2)

Remove the asl-lite configuration directory:

rm -rf /etc/asl

Step 3)

You will also need to remove your manual installation of modsecurity and its configuration files. As this is a process that is unique for every user, it’s not possible to provide precise directions for doing this. In general, you will want to remove the modifications you made to your apache configuration to enable modsecurity.

If you run into any issues upgrading to ASL, please contact support.

+ How can I enable password based authentication via SSH?

Step 1) Log into ASL

Step 2) Click on the “Configuration” tab

Step 3) Select “ASL Configuration”

Step 4) Scroll down to “SSH daemon configuration”

Step 5) Change SSH_PASSWORD_AUTH to “yes”

Step 6) Click the update button

+ How can I migrate ASL to a new server?

Regarding your ASL license, you don’t need to do anything special: the licensing manager will allow you an additional install on one (1) test or development server.

Regarding migration, we recommend you install ASL on the new system and run through the entire configuration process. If you want the ASL configuration to match your other system’s configuration, just copy the /etc/asl/config file over to your new system to migrate your settings. Double-check them manually to make sure everything is set up for your needs: if you copy over your config, you’re basically telling the new server to be completely identical to the old one, and that may not be exactly right for you.

Once you copy over the config and have everything setup as you want then run this command as root:

asl -s -f
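An added example, not an ASL command: before running asl -s -f, compare the config copied from the old server against the one the fresh install wrote, so that every setting which differs is reviewed by hand rather than silently carried over. It assumes (the FAQ does not state this) that /etc/asl/config is a KEY=value file with optional double quotes around values and # comment lines; the two sample configs are constructed here, using the keys and values named elsewhere in this FAQ and placeholder credentials.

```shell
#!/bin/sh
# Added example; not an ASL command. Before running "asl -s -f" on a migrated
# host, compare the /etc/asl/config copied from the old server with the one the
# fresh install wrote, so every setting that differs gets looked at by hand.
# Assumption not stated in the FAQ: the file is KEY=value, one setting per
# line, with optional double quotes around the value and "#" comment lines.

# config_keys FILE: every KEY defined in FILE, sorted, one per line.
config_keys() {
    sed -n -E 's/^[[:space:]]*([A-Za-z_][A-Za-z0-9_]*)=.*/\1/p' "$1" | sort -u
}

# config_get FILE KEY: the value of KEY with surrounding quotes removed;
# prints nothing when KEY is not set. The last definition wins.
config_get() {
    sed -n -E "s/^[[:space:]]*$2=\"?([^\"]*)\"?[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# config_diff OLD NEW: one tab-separated line "KEY old new" for each key whose
# value differs between the files or that exists on only one side.
config_diff() {
    { config_keys "$1"; config_keys "$2"; } | sort -u | while IFS= read -r key; do
        old=$(config_get "$1" "$key")
        new=$(config_get "$2" "$key")
        [ "$old" = "$new" ] || printf '%s\t%s\t%s\n' "$key" "${old:-<unset>}" "${new:-<unset>}"
    done
}

# make_demo_configs: write two constructed configs into a temp dir and print
# its path. Keys and values are the ones this FAQ mentions; the credentials
# are obvious placeholders.
make_demo_configs() {
    d=$(mktemp -d)
    cat > "$d/config.old" <<'EOF'
# settings copied from the old server
USERNAME="license-user-placeholder"
PASSWORD="license-password-placeholder"
UPDATE_TYPE="all"
AUTOMATIC_UPDATES="daily"
SSH_PASSWORD_AUTH="no"
EOF
    cat > "$d/config.new" <<'EOF'
# settings written by the fresh install
USERNAME="license-user-placeholder"
PASSWORD="license-password-placeholder"
UPDATE_TYPE="rules only"
AUTOMATIC_UPDATES="hourly"
EOF
    echo "$d"
}

# Usage: sh asl-config-diff.sh /path/to/old/config /etc/asl/config
# Without arguments the constructed demo pair is compared instead.
if [ $# -eq 2 ]; then
    config_diff "$1" "$2"
else
    demo=$(make_demo_configs)
    config_diff "$demo/config.old" "$demo/config.new"
    rm -rf "$demo"
fi
```

Settings that are identical on both sides (here the license credentials) are not printed; a key present in only one file shows up with <unset> on the other side, which is exactly the case where copying the old file would quietly change the new server's behaviour.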

 

+ Signatures & Modules window

The Signatures & Modules window lists the state of all ASL components, such as if they are active, inactive or have updates waiting.

Green: Component is active and up to date.

Yellow: Component is active, but updates are available, such as rule, signature or software updates. To force an update just click the “Updates Available” link, or you can wait for ASL to install the updates automatically based on your configuration. (Please see the FAQ below on configuring automatic updates; ASL is configured by default to automatically update all its components.)

Red: Component is inactive, either because it has been disabled or because it is not installed. For example, if the system is not using the ASL kernel, “Kernel Protection” will show as red. Or if a component has been uninstalled or otherwise removed, such as if mod_security was removed from the system, WAF will show as red. ASL looks at the actual condition of the system and reports its state in this window. This is a “fail safe” to ensure that the actual state of the system is reported to the user: even if the configuration is set to one state, ASL will independently check the system to see if it really is in that state.

 

+ Will ASL automatically update the rules and signatures?

Yes, by default it will do this daily. ASL will update all the rules and signatures available automatically. Occasionally you may see ASL report that updates are available. ASL will install these updates for you at the next scheduled interval you have configured for your system. Or you can manually update these by clicking the “Updates Available” link.

+ Will ASL automatically update itself?

By default, ASL will also automatically keep itself up to date (the core components and the rules). To check this setting, log into the ASL GUI, click on the Configuration Tab and then Click on “ASL Configuration”. Scroll down to UPDATE_TYPE and check to make sure it is set to “all”.

We recommend that you check the forums to see if an update to ASL has been released, and whether there are any special upgrade instructions you will need to follow for that release.

+ How can I set the update interval?

Log into the ASL GUI, click on the Configuration Tab and then Click on “ASL Configuration”. Scroll down to AUTOMATIC_UPDATES. You can set updates to “none”, “hourly” and “daily”. The default is “daily”.

+ How can I set ASL to only update the rules and not ASL itself?

If you only want ASL to keep its rules and signatures up to date, but not to automatically upgrade ASL, log into the ASL GUI, click on the Configuration Tab and then Click on “ASL Configuration”. Scroll down to UPDATE_TYPE. Then set UPDATE_TYPE to “rules only”.

+ Firewalls and Upgrades/Updates

To allow ASL to download updates, please ensure that any firewall you use allows outbound connections to the following hosts, on TCP port 443:

  • www.atomicorp.com
  • www2.atomicorp.com
  • www3.atomicorp.com
  • www4.atomicorp.com
  • www5.atomicorp.com
  • www6.atomicorp.com
  • www7.atomicorp.com
  • www8.atomicorp.com
  • updates.atomicorp.com

Important Note: Atomicorp’s server pool grows to accommodate increasing demand. As a result, the IP addresses often change, and because these IP addresses can change we do not publish a list of IPs. Doing so can cause problems for any sites that may have hard coded them. Be sure to monitor this FAQ as it contains the currently valid list of hosts.

You will also need to make sure that you allow DNS queries outbound, as ASL will look up the list of current update servers to download updates from.

Please see the ASL firewall documentation page for information about configuring the ASL firewall. By default, ASL will not block anything outbound, so if your server is having problems connecting out this is either because you are blocking the port through the ASL firewall, you have another firewall that is doing this (either on the server, or upstream) or you are experiencing network connectivity issues.

+ Unable to connect to update servers

This can happen for a number of reasons due to configuration and network issues on your server, on your local network or upstream. This list includes the most common reasons, but is not a complete list. Please contact your network provider with connectivity issues, and your OS provider for OS configuration assistance.

1) DNS not correctly configured on your system

If you do not have DNS correctly configured on your system, updates will fail. One simple way to test this is to run this command:

nslookup www.atomicorp.com

If you do not get a response, then you do not have DNS correctly configured on your system. Please contact your OS vendor for assistance with configuring DNS on your system.

2) No network connectivity

Check to make sure your system has network connectivity. We know this sounds fairly obvious, but we’ve had cases where the issue was that the system’s network was either not started, or was misconfigured so it wasn’t properly connected to a network.

3) Routing misconfigured

Check to make sure you can connect to our servers. Run this command as root on the server:

openssl s_client -host www.atomicorp.com -port 443

If you can connect to our servers you will see output similar to this:

CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Virginia, businessCategory = Private Organization, serialNumber = 0697126-1, C = US, ST = Virginia, L = Chantilly, O = ATOMI CORP., CN = www.atomicorp.com
verify return:1

If you do not see this, then you are not connecting to our servers and either you have a routing problem, or a firewall problem (see #4 below).

4) Firewall blocking connections

Check to make sure it’s not your firewall that’s blocking the connection. The simplest way to do this is to temporarily disable your firewall:

1) If you are using the ASL firewall, run this command:

/etc/init.d/asl-firewall stop

2) If you are using some third party firewall the command below may disable it, but check with your firewall vendor for assistance with disabling your firewall:

/etc/init.d/iptables stop

Note: To re-enable either of these change the command “stop” to “start”.

5) Upstream router or firewall blocking connections

If it’s none of these, then someone may be blocking your connections upstream. Please contact your network provider for assistance.
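The checks in causes 1 to 4 above can be run against every update host listed in the Firewalls and Upgrades/Updates section in one pass. The script below is an added example, not Atomicorp’s tooling: for each host it tries DNS resolution and then a TLS connection on TCP 443 with openssl s_client, and prints ok, dns-failure or tls-failure. It assumes getent (or nslookup as a fallback), openssl and timeout are installed, and uses a 5 second connect timeout.

```shell
#!/bin/sh
# Added example, not Atomicorp's tooling: run the FAQ's connectivity checks
# (DNS resolution, then a TLS connection on TCP 443) against each update host
# this FAQ lists, printing one result per host.
# Assumptions not taken from the FAQ: getent (or nslookup) for name lookups,
# openssl and timeout are installed, and 5 seconds is an acceptable timeout.

UPDATE_HOSTS="www.atomicorp.com www2.atomicorp.com www3.atomicorp.com
www4.atomicorp.com www5.atomicorp.com www6.atomicorp.com www7.atomicorp.com
www8.atomicorp.com updates.atomicorp.com"

# check_dns HOST: succeeds when HOST resolves to at least one address (cause 1).
check_dns() {
    if command -v getent >/dev/null 2>&1; then
        getent hosts "$1" >/dev/null 2>&1
    else
        nslookup "$1" >/dev/null 2>&1
    fi
}

# check_tls HOST PORT: succeeds when openssl s_client reaches HOST:PORT, i.e.
# the "CONNECTED(...)" line shown in the FAQ appears (causes 2 to 5). The "Q"
# on stdin closes the session once the handshake is done so the call returns.
check_tls() {
    printf 'Q\n' | timeout 5 openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | grep -q '^CONNECTED'
}

# diagnose_host HOST PORT: prints ok, dns-failure (FAQ cause 1) or tls-failure
# (FAQ causes 2 to 5: no connectivity, routing, local or upstream firewall).
diagnose_host() {
    if ! check_dns "$1"; then
        echo dns-failure
    elif ! check_tls "$1" "$2"; then
        echo tls-failure
    else
        echo ok
    fi
}

# sweep_update_hosts: check every host; return non-zero if any is unreachable.
sweep_update_hosts() {
    rc=0
    for h in $UPDATE_HOSTS; do
        result=$(diagnose_host "$h" 443)
        printf '%-24s %s\n' "$h" "$result"
        [ "$result" = ok ] || rc=1
    done
    return $rc
}

# Usage: sh check-update-hosts.sh run
# (the sweep only starts on request, so sourcing the file just defines the functions)
if [ "${1:-}" = run ]; then
    sweep_update_hosts
fi
```

A dns-failure on every host points at the resolver configuration (cause 1); tls-failure on every host while DNS works points at connectivity, routing or a firewall (causes 2 to 5); a mix usually means only part of the server pool is reachable, which is worth reporting to your network provider with the host names that failed.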

+ Where is the license manager?

It’s on the main website, under the Support tab. You can also find it at the URL below:

https://www.atomicorp.com/amember/login/index

 

+ How can I reset my license manager password?

To reset your license manager password, please follow this process:

Step 1) Please visit this page to reset the license manager password:

License Manager

Step 2) Now change your license manager password in ASL:

https://www.atomicorp.com/wiki/index.php?title=ASL_Configuration#PASSWORD

Remember to update your license manager password in ASL. If you do not do this, ASL will no longer be able to download updates!

 

+ How can I reset my support portal account password?

To reset your password, to log into the license manager, please visit this page:

Support Portal Reset

 

+ How can I update my license manager password in ASL?

Your license manager username and password are used to log into the Atomicorp servers to download updates. These are not to be confused with your ASL GUI username and password, which are used to log into your ASL GUI.

If you change your license manager password, you will need to change those credentials in ASL as well, otherwise ASL won’t be able to download updates!

Your license manager username and password credentials are only used by ASL itself to log into the Atomicorp servers to securely download updates for your system.

If you need to change your GUI password, do not follow this procedure. If you need to change your ASL GUI credentials please see the #How_can_I_reset_my_ASL_GUI_password.28s.29.3F section.

This process is only to change the internal credentials used by ASL to log into the Atomicorp servers.

Step 1) Log into the ASL GUI

Step 2) Click on Configuration

Step 3) Click on ASL Configuration

Step 4) In the “Authentication Information” section, check to make sure the USERNAME and PASSWORD variables are set to your license manager credentials. Those are the credentials you use to log into the license manager:

https://atomicorp.com/support/license-manager.html

If you do not know what those credentials are, you can reset them at the URL above.

Step 5) Then click the “Update” button to update your configuration.

 

+ How can I reset my ASL GUI password?

Just run this command as root:

/var/asl/bin/asl-web-passwd <your user name>

For example, if your username was “jdoe”, run this command as root:

/var/asl/bin/asl-web-passwd jdoe

Note: Your ASL GUI username and password are only used to log into your ASL installation. These are not to be confused with your License Manager credentials, which are used by ASL itself to log into the Atomicorp servers to securely download updates for your system. This procedure does not change your License Manager credentials.

+ How can I create new accounts in the ASL GUI?

Just run this command as root:

/var/asl/bin/asl-web-useradd <new user name>

For example, if you wanted to create the username “jdoe”, run this command as root:

/var/asl/bin/asl-web-useradd jdoe

Note: Your ASL GUI username and password are only used to log into your ASL installation. These are not to be confused with your License Manager credentials, which are used by ASL itself to log into the Atomicorp servers to securely download updates for your system. This procedure does not change your License Manager credentials.

+ What is the default username and password for ASL Web?

The default username and password are your license manager credentials that you created when you signed up for a license. We recommend you change this password to something unique that you will remember.

You can also generate usernames and passwords by running this command as root:

 /var/asl/bin/asl-web-setup

And you can also create and configure user accounts from inside the ASL GUI.

 

+ How can I change the port tortixd listens on?

Manually change the port number on this line:

Listen 30000

In this file:

/var/asl/etc/httpd/conf.d/ssl.conf

Note: This is an advanced feature, and is not supported.

 

+ Does ASL modify /etc/hosts.deny?

Yes, as part of active response (when enabled) ASL will automatically add attackers’ IPs to /etc/hosts.deny. ASL will only add deny entries. It will not and cannot add allow entries. If ASL is configured to expire shuns it will also automatically remove these IPs once the shun period has passed.

 

+ Does ASL modify /etc/hosts.allow?

No.

+ Do you support greylisting?

Greylisting and the related mail filtering packages listed below are all freely available from the atomic repository. They are not part of ASL and not supported through an ASL license. If you need support for these packages contact sales@atomicorp.com and we can put together a custom support package for you.

Install ClamAV and SpamAssassin:

yum install clamd spamassassin

Edit required_hits in /etc/mail/spamassassin/local.cf if you want to change the default tagging threshold (default is 5).

Install qmail-scanner (integrates virus and spam filters with Plesk’s qmail):

yum install qmail-scanner

Edit SA_DELETE in /etc/qmail-scanner.ini if you want to delete mail (at SpamAssassin’s required_hits + qmail-scanner’s SA_DELETE).

I also recommend adding Pyzor, Razor and DCC to SpamAssassin:

yum install pyzor razor-agents dcc

If you want to add greylisting:

yum install qgreylist

Start clamd and spamassassin:

service clamd start

service spamassassin start

Reconfigure qmail-scanner to make sure it uses all your custom settings:

qmail-scanner-reconfigure

Make sure clamd and spamassassin are started at boot time (maybe they are enabled by default, I’m not sure):

chkconfig --level 345 clamd on

chkconfig --level 345 spamassassin on

 

+ Atomic Scanner

Atomic Scanner is a separate project which is not available in the stable repository yet and is not currently supported. You can install the atomic-scanner package from the testing repository.

+ vmware-tools will not compile

On older Linux distributions, such as EL5 and Centos 5, VMWare(TM) has compiled its product using an older compiler. ASL uses a newer and up to date Linux kernel, and these newer kernels must be compiled using modern compilers. For example, certain features in the kernel require a newer compiler to build and work correctly, such as the new KERNEXEC protections, which can only be built using a modern compiler. Older compilers do not support the plugin structure that this and other newer kernel features require.

When VMWare’s module compiler script tries to compile the VMWare modules against one of these modern kernels it may fail if VMWare has used an older compiler for their product. Their script expects the system to have the same version of compiler installed as was used to compile the kernel. Older versions of RHEL and Centos, versions 4 and 5, do not include these newer compilers. So the system will have a modern kernel installed, but not the corresponding compiler used to build it.

Solutions (in order of ease and least impact to system):

Option 1) Use VMWare’s official open-vm-tools

VMWare also makes available a package called “open-vm-tools” that will build and work correctly with a newer kernel, using an older and different compiler. You can download the source code from this site:

http://open-vm-tools.sourceforge.net/

If you have issues with these tools, please contact VMWare for support.

These tools are not developed or supported by Atomicorp.

Option 2) Upgrade your compiler

If you wish to use vmware-tools instead, and not VMWare’s open-vm-tools, then you must upgrade your system to the same version of the compiler used to compile the kernel. Unfortunately, neither Redhat nor Centos provide modern compilers for RHEL 5 and Centos 5. Upgrading your compiler on these older platforms may require heavy modification to your system, as other components will need to be upgraded as well (tool chains for example) and this can have adverse effects on the system. Upgrading your compiler is beyond the scope of support Atomicorp can provide for VMWare’s product. Contact VMWare for assistance or use VMWare’s open-vm-tools (option 1), which provides the same functionality.

You can read more about VMWare’s open machine tools at the URL below:

http://open-vm-tools.sourceforge.net/

If you have issues with these tools, please contact VMWare for support.

These tools are not developed or supported by Atomicorp.

Option 3) Use our RPM of open-vm-tools

We provide, as a courtesy, the open source open-vm-tools (VMWares official open source vmware tools package) in the ASL repository as an RPM for currently supported platforms. This package is not supported by Atomicorp.

You can install that with:

yum install --enablerepo=tortix-kernel open-vm-tools

If you have issues with these tools, please contact VMWare for support.

These tools are not developed or supported by Atomicorp.

 

+ /usr/bin/vmware-config-tools.pl

Please see the article above if VMWare’s tools will not compile on an older system.

If VMWare tools will compile, but you get an error from VMWares tools that it can not find kernel headers, you simply need to install them. Run this command as root to install the kernel source and headers:

yum -y install kernel-headers kernel-devel

If you have previously installed both, and VMWare is complaining that it can not find the source for the kernel, you simply need to upgrade the kernel-devel package. Run this command as root to do this:

yum -y upgrade kernel-headers kernel-devel

If your system does not install anything with either of these commands, check to make sure a third party has not excluded kernel updates from being installed on your system. You can read more about this in the kernel wiki article.

 

+ What is included in the open-vm-tools?

Please see the project’s official FAQ:

http://open-vm-tools.sourceforge.net/faq.php

 

+ Why does Linux report that all memory is in use?

Note: This FAQ article is not about ASL, it is about all Linux based systems. This characteristic of Linux based systems is universal to all Linux systems, not just systems running ASL.

Memory is almost infinitely faster than reading from a hard disk, so modern high performance operating systems, such as Linux, will cache things into memory if they are read from disk. Over time, you should see a Linux system (via some tools) report almost 100% “memory utilization” regardless of how much memory is actually needed by a process or how much memory is installed in the system. This can be a little strange to users that are new to Linux and come from operating systems that do not cache (such as Windows); however, this is normal and is good for the system, as it actually makes it much faster. This does not mean your processes are using up all the memory the system has; this is simply modern caching, which all modern Linux kernels will do.

Why Linux does this

Hard drives are slow. Even the fastest hard drive is never even close to the speed of RAM. If hard drives were fast, we wouldn’t need RAM. So we load programs into memory. As memory has gotten cheaper, and performance demands have increased, operating system vendors have increased the use of RAM over reading from hard drives to improve performance. One way they do this is by caching “reads” from the hard drive (they cache other things too). In the case of cached reads, the operating system will temporarily store information it has been asked to read from the hard drive in memory. This makes it much faster the next time the operating system wants to “read” that information: it doesn’t have to go back to the hard drive to get it, it can get it from memory, which results in a huge performance increase.

Caching is different from process utilization. Actual memory in use by processes, or process utilization, which will be discussed more below, is different from caching. Modern operating systems will use memory for processes (actual use), and also to “cache” things that they have accessed from disk. Most users are familiar with process utilization, which is what may cause them to think that Linux is “using up all their memory”, when in reality the amount of memory in use by processes may be considerably less than the total memory reported as in use.

It is the latter use of memory, caching, that typically “uses” up the memory on the system and creates this illusion that all memory is in use. This memory is actually not “in use”, or prevented from being used by other processes on the system. It’s really “free memory”: the moment a process needs this memory, the cached information is dropped and made available to the application. So in reality, the system is “using” considerably less memory than it may appear to be using, because it’s making temporary use of memory that’s not actually in use. It’s really a very clever enhancement, and something all operating system vendors are implementing. As memory has continued to get cheaper, some products don’t even have hard drives anymore, and just use RAM. Smart phones, for example, and even some modern tablets just use memory.

So, to determine how much memory is actually being used by your processes (as opposed to all memory being used by processes and the cache), you will need to use a tool that can tell you how much memory is cached, and how much is actually being used by your programs. One such tool is “free”. The application “top”, which is popular for looking at memory usage, is not a good tool for this as it will incorrectly report that more memory is in use than is actually being used by processes.

Here is an example for how to use the “free” tool:

free -m

             total       used       free     shared    buffers     cached
Mem:         12002      10199       1803          0        573       8185
-/+ buffers/cache:       1440      10562
Swap:        14015          0      14015

In this example the total amount of memory in use is 10GB, however 8GB of that is cached. So the system isn’t using 10GB of memory. Of the 12GB of memory on the system, just slightly under 10GB is actually free (1.8 GB isn’t used at all, and 8GB is cached).

This is very typical of a Linux based system, in that it’s really using much less memory than some tools report, because of this use of cached reads.

Remember that cached memory is always available to any program that needs it. So the memory is not “used”; it’s just being temporarily taken advantage of, because nothing else is using it, to make the system faster. Linux will just make use of the memory available on the system to cache information until any program requests it, at which time that cached data is dropped and the memory is made available to the application.
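As an added example (not from the FAQ), the script below reads the output of free -m and prints how much memory processes actually hold once buffers and cache are excluded, the number the FAQ derives by hand above, together with the cache size and the percentage of total memory that processes really use. It handles the older procps layout shown above (with the -/+ buffers/cache: line) and, as an assumption about newer systems the FAQ does not cover, the newer procps-ng layout whose Mem: line has buff/cache and available columns and whose used column already excludes the cache. The old-layout sample is the FAQ’s own output; the new-layout sample is constructed.

```shell
#!/bin/sh
# Added example, not from the FAQ: read "free -m" output and report the memory
# processes really hold, excluding buffers and cache, the figure the FAQ works
# out by hand. Handles the old procps layout shown in the FAQ (with a
# "-/+ buffers/cache:" line) and, as an assumption about newer systems, the
# procps-ng layout whose Mem: line has "buff/cache" and "available" columns
# and whose "used" column already excludes the cache.

# free_summary: read free -m output on stdin and print one line:
#   processes_mb=<held by processes> cache_mb=<buffers+cache> total_mb=<total> processes_pct=<rounded %>
free_summary() {
    awk '
        # the header line of the newer layout mentions "available"
        $1 == "total" && /available/ { newfmt = 1 }
        # Mem: total used free shared buffers    cached      (old layout)
        # Mem: total used free shared buff/cache available   (new layout)
        $1 == "Mem:" { total = $2; used = $3; buffers = $6; cached = $7 }
        # old layout only: used/free after removing buffers and cache
        $1 == "-/+"  { adjusted = $3; have_adjusted = 1 }
        END {
            if (total == 0) { print "no Mem: line found"; exit 1 }
            if (newfmt)             { procs = used;                   cache = buffers }
            else if (have_adjusted) { procs = adjusted;               cache = buffers + cached }
            else                    { procs = used - buffers - cached; cache = buffers + cached }
            printf "processes_mb=%d cache_mb=%d total_mb=%d processes_pct=%d\n",
                   procs, cache, total, int(procs * 100 / total + 0.5)
        }
    '
}

# sample_free_old: the free -m output quoted in this FAQ.
sample_free_old() {
    cat <<'EOF'
             total       used       free     shared    buffers     cached
Mem:         12002      10199       1803          0        573       8185
-/+ buffers/cache:       1440      10562
Swap:        14015          0      14015
EOF
}

# sample_free_new: constructed output in the newer procps-ng layout.
sample_free_new() {
    cat <<'EOF'
              total        used        free      shared  buff/cache   available
Mem:           7976        1423        3081          88        3471        6224
Swap:          2047           0        2047
EOF
}

# Usage: sh free-summary.sh run    (summarise this machine)
#        sh free-summary.sh demo   (summarise the two samples)
case "${1:-}" in
    run)  free -m | free_summary ;;
    demo) sample_free_old | free_summary; sample_free_new | free_summary ;;
esac
```

For the FAQ’s own sample this prints processes_mb=1440 cache_mb=8758 total_mb=12002 processes_pct=12: the 10GB “used” that worries new users is really 1.4GB of process memory plus 8.7GB of reclaimable cache.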

+ How can I find out what process is using swap?

Swapping in Linux is handled by the kernel. All Linux kernels will pull things out of memory and write them to the disk swap based on need, depending on how much memory you have, the swappiness setting on the system, and so on. Therefore, it’s not possible to find out which process is using swap: processes don’t use swap, the kernel writes memory pages to swap as needed, and processes don’t control this (although a process could request memory that is not “swapped” out to disk). Linux will also use swap and memory to cache file reads; over time all Linux kernels will use 100% of memory to cache as much as possible. Memory is infinitely faster than disk, so this is how modern high performance operating systems work. You should see near 100% memory utilization on all modern Linux kernels over time, regardless of how much memory is actually needed by a process. This does not mean your processes are using up all the memory the system has; this is simply modern caching, which all modern Linux kernels will do.

If you have additional questions about Linux swap you may want to ask your Operating System vendor.

 

+ How are malware domains aged out?

The actual algorithm is sensitive information and we can’t go into the specifics as that would give the bad guys an advantage to game the system. The short answer is infected domains are aged out depending on the extent to which the domain is still serving malware (more on this in a moment, this is actually pretty difficult to prove that a domain is not serving malware), if its been seen in other malware, past experience with the domain, IP range, or network and the sophistication of the malware. Some sites are long term sources of malware, and act as “clearing houses” for attackers, others may simply be victims of a compromise that clean up their systems the same day, and others may be negligent operators that don’t care. For this reason the process varies depending on a number of characteristics.

Its important to remember that all Internet based malware scans are incomplete, regardless of the technology used, the system itself is not being scanned, merely publicly discoverable resources. Attackers can hide malware in orhpaned URLs, they may use authentication to hide the malware from all crawlers, the malware may behave differently if connected to via a crawler or browser, it may require a special cookie to reveal itself, they may encrypt or obfuscate it and they may simply take the malware or domain down for a few days or weeks in hopes of being delisted by simple scanners.

For this reason we do not use a naive algorithm that simply removes malicious domains based on simplistic criteria. Our first priority is to help our customers protect their systems; if a domain has been serving malware it's a good idea to treat it with kid gloves. If you know the domain is safe, you can always whitelist that domain.

The best way to delist a domain that's on our malware lists is to contact us politely. If you need our help, just ask. If we can get in contact with the domain owner we can determine more clearly whether the domain is no longer infected; otherwise domains are aged out based on the criteria described above.

+ How are malware domains added?

They are collected from our honeypots.

+ Do you use third party malware domain lists?

No, but we do share our information with other projects.

You can use the google safebrowsing lists with clamav which is an excellent third party malware list. ASL enables this by default in clamav. False positives on the google lists should be reported to Google.

+ Both atomic and asl yum channels are enabled, is this normal?

That depends. ASL does not need the atomic channel and will not install or enable this channel. If you have the atomic channel enabled on your system then someone enabled this yum channel; you do not need it for ASL. In general it's perfectly safe to run both channels (we do).

The atomic yum channel is our open source yum repository. The software in the atomic yum repository is not supported and is provided as is, with no warranty. If you have issues with software in the open source atomic channel please post your questions in the General Help forums:

https://www.atomicorp.com/forums/viewforum.php?f=1&sid=56518c30b96faf5235e2f4ef5e902d11

Software in asl channels is fully supported. If you require assistance with ASL software please send a support request to support@atomicorp.com.

+ What are the IPs ASL will use to update itself?

You will want to allow access to www0 through www6.atomicorp.com. The IPs for these hosts may change in the future.

+ I can’t upload files via web

Check and make sure you haven't run out of drive space. This may seem like an obvious and simple problem that one wouldn't easily overlook, but we've had a number of cases where users set up /tmp partitions and filled them up. If you fill up your /tmp partition Apache won't let you upload anything! That's not an ASL issue, that's Apache, and it's right: there's no place to put the file.

ASL will log this event, but since ASL isn't designed to report when you run out of drive space, it will detect this as a pretty major error and a broken connection with your HTTP session, which will look like this:

[Fri Oct 01 17:33:21 2010] [error] [client xxx.xxx.xxx.xxx] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "38"] [id "340152"] [msg "Request Body Parsing Failed. Multipart parsing error: Multipart: writing to "/tmp/20101001-173321-8ZuEbMzo8r8AABWjEW8AAAAe-file-NvPOwz" failed: check your application or client for errors, this is not a false positive."] [severity "NOTICE"] Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_PROCESSOR_ERROR" required. [hostname "www.example.com"] [uri "/horde/imp/compose.php"] [unique_id "8ZuEbMzo8r8AABWjEW8AAAAe"]

This means that you ran out of drive space in /tmp.

Solution:

Free up some drive space.
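A small check for this failure mode, added here as an example (it is not Atomicorp's or ModSecurity's own tooling): it pulls the spool path out of the "Multipart: writing to ... failed" denials shown above and reports how full the filesystem holding that path is, which is the usual cause.

```shell
#!/bin/sh
# Added example, not Atomicorp's or ModSecurity's code: extract the spool path
# from "Multipart: writing to ... failed" denials in an Apache error_log and
# report the use% of the filesystem that path lives on.

# Print the spool path from every matching line of the given error_log.
modsec_spool_failures() {
    sed -n 's/.*Multipart: writing to "\([^"]*\)" failed.*/\1/p' "$1"
}

# Print "<spool path> <use% of its filesystem>" per failure so an operator can
# see at once whether /tmp (or wherever the spool lives) has run out of space.
report_spool_space() {
    modsec_spool_failures "$1" | while IFS= read -r spool; do
        dir=$(dirname "$spool")
        pct=$(df -P "$dir" 2>/dev/null | awk 'NR == 2 { print $5 }')
        printf '%s %s\n' "$spool" "${pct:-unknown}"
    done
}
```

Run it as `report_spool_space /var/log/httpd/error_log`; a use% at or near 100% on the spool filesystem confirms the diagnosis above.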

 

+ Does ASL include SELinux?

Yes. SELinux is available in the ASL kernel.

ASL also includes a powerful self-learning Role Based Access Control (RBAC) system designed by the grsecurity project that is superior to SELinux. This RBAC system was designed, with funding our company provides to the grsecurity project, to account for weaknesses in SELinux, so we recommend you use the RBAC system in ASL if you need the same capabilities as SELinux.

However, if you wish to use just SELinux, ASL will work with SELinux just fine.

 

+ If predefined, can you give us a sample policy that mitigates critical server file access when mod_perl is called via a client? In other words, how hard is your tuning (intrusion log, etc.)?

TPE (Trusted Path Execution) would automatically prevent an untrusted user, such as apache, from executing commands owned by apache. It logs to syslog; an example entry follows:
Nov 11 14:53:10 server4 kernel: grsec: From 10.249.64.1: denied untrusted exec of /tmp/w00t by apache [uid/eid: 48/48] /home/httpd/vhosts/testhost.atomicorp.com/httpdocs/modules/phpBB/index.php

+ I’m seeing files owned by apache in /tmp

If you see files with names like this:

tmp/dos-218.254.50.104

that are very small and only contain an integer (for example, the contents of the file tmp/dos-218.254.50.104 are “2671” or some other number), then you can ignore these files. These are lock files used by the web DoS protection system in ASL.

If you see files with names like this:

tmp/20120314-104701--CliB38AAAEAAEehOeMAAAAA-file-Y6rewB

These are temporary files generated by apache as a user uploads a file, via apache, to the system. Generally apache will clean up these files within a few seconds once the file is scanned by the WAF, but if you see them accumulating on your system you may have MODSEC_KEEPFILES set to “on”. This means that the ASL WAF will keep any files it has been asked to scan, regardless of whether the files are allowed to be uploaded to the system or not.
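To make an audit of /tmp quicker, here is an added helper (not Atomicorp's own code) that sorts files into the two ASL artifacts described above and everything else, and counts lingering upload spool files.

```shell
#!/bin/sh
# Added example, not Atomicorp's own code: classify apache-owned files in a
# directory as the ASL DoS lock files or ModSecurity upload spool files
# described above, so an audit can focus on whatever is left over.

# Print dos-lock, modsec-upload or other for one path.
classify_tmp_file() {
    path="$1"
    name=$(basename "$path")
    case "$name" in
        dos-*)
            # ASL web DoS protection lock file: dos-<client ip> holding a bare integer
            if [ -s "$path" ] && ! grep -Evq '^[0-9]+$' "$path"; then
                echo dos-lock
                return 0
            fi
            ;;
    esac
    # ModSecurity upload spool file: YYYYMMDD-HHMMSS-<unique id>-file-<random>
    if printf '%s\n' "$name" | grep -Eq '^[0-9]{8}-[0-9]{6}-.+-file-.+$'; then
        echo modsec-upload
        return 0
    fi
    echo other
}

# Count lingering upload spool files in a directory; a steadily growing count
# is the symptom of MODSEC_KEEPFILES being set to "on".
count_modsec_uploads() {
    dir="$1"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(classify_tmp_file "$f")" = modsec-upload ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}
```

Anything classified as `other` that is owned by apache deserves a look, since neither ASL mechanism produced it.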

+ Why do they call it Europe?

Because it's a beautiful name. And it's local, to some of us. (This is also why, if you look carefully in ASL, you'll see we consider 127.0.0.0/8 to be in the EU. It's an Easter Egg. And no, ASL won't block 127.0.0.1 if you block the EU; we always whitelist localhost.)

Yes, we have a sense of humor too, and we hope this FAQ has been helpful, but if you still require assistance after reading this FAQ please don’t hesitate to contact support. We’re here to help, and hopefully to put a smile on your face as well.

Atomic CLAMAV Signatures

+ How can I purchase your realtime CLAMAV signatures?

To purchase a license for the Atomicorp CLAMAV Signatures, either:

Purchase a license for Atomic Secured Linux (ASL). ASL includes the signatures, sets up clamav for you, automatically keeps the signatures up to date and so much more. ASL includes real time antimalware protection, upload protection, a built in vulnerability scanner and automatic hardening system, kernel/web/host based intrusion detection, log management, a powerful and easy to use web GUI, and so many options we can't list them all here. You can try ASL for free by clicking here.

Or, purchase a rules only license for just the signatures by visiting Atomicorp's Realtime Modsecurity Rules page. Just click on the Buy Now icon, or click on this link.

Note: Rules only licenses include access to our CLAMAV signatures, and do not include support with setting up, installing or configuring CLAMAV.

 

+ Does a rules subscription include support for setting up clamav?

No. Rules only subscriptions do not include support for setting up or configuring clamav. If you need that level of support you will want to get a copy of ASL, which includes full support for setting up and configuring clamav and will do this for you.

 

+ I have a false positive/negative, how do I report it?

Follow the Reporting False Positives procedure. It provides detailed instructions about how to report a false positive if you cannot use the ASL GUI, or if you choose to report it from the command line.

FP/FNs are usually resolved and an update is released the same day they are reported, and during normal business hours usually within a few hours.

 

+ I’ve got a new piece of malware, how do I report it?

Please see this article:

https://www.atomicorp.com/wiki/index.php/Reporting_False_Positives#To_report_a_new_piece_of_malware

FP/FNs are usually resolved and an update is released the same day they are reported, and during normal business hours usually within a few hours.

 

+ What do the Atomic CLAMAV Signatures protect against?

Lots of things, this is just some of the things our CLAMAV Signatures are designed to protect against:

  • PHP, CGI and other Shells
  • Spam Tools
  • Rootkits
  • Viruses
  • Worms
  • Phishing Sites and Tools
  • IRC Bots
  • Attack Tools and unauthorized scanners

And more! We put out updates to our signatures daily with new protections and enhancements.

+ What versions of clamav do the signatures work with?

The rules are written for the latest stable version of clamav. Currently that is 0.97.5.

+ What is included with an Atomic CLAMAV Signatures subscription?

  • Access to the real time mod_security and clamav rules we publish. If you require additional features, please consider upgrading to our premier Linux security product Atomic Secured Linux.
  • Email and Web Based support during normal support hours.
  • Support fixing false positives
  • Development of new signatures based on request.

 

+ Does a real time subscription include both the modsecurity and clamav rules?

Yes, realtime subscribers get instant access to the latest modsecurity and clamav signatures. We release updates daily based on new attacks we detect from our honeypots, new methods our labs develop, as well as fixes and improvements.

 

+ Do I need to install clamav to use your rules?

You must install clamav to use our rules.

 

+ Which Operating Systems / Control Panels are Supported?

Operating Systems

We support our signatures on any platform that supports clamav, which includes (but is not limited to):

  • Linux (Including Suse, Ubuntu, CloudLinux, TrixBox, Fedora, Redhat, Gentoo, Debian, Slackware, Mandriva, and others)
  • Microsoft Windows
  • MacOS X
  • FreeBSD
  • OpenBSD
  • Dragonfly BSD
  • NetBSD

If you find that clamav works on a platform not listed here, please contact us so we can add it to this list.

Please note that when an operating system or distribution is no longer supported by the vendor we also no longer support the use of our signatures on that platform.

Control Panels

Our clamav signatures work with any control panel. The signatures are independent of the control panel, which means that they work with cPanel, Plesk, DirectAdmin, Hsphere, Virtualmin, InterWorx, etc. They work with any panel right out of the box, without modification.

+ How do I install the signatures?

Please see the Atomic CLAMAV Signatures page.

 

+ How do I configure clamav to use your signatures?

Configuration support for clamav is not included with Rules Only licenses. If you require this level of assistance please purchase an ASL license.

 

+ Can I setup a cronjob to automatically update the rules?

Absolutely. We recommend you do that as we put out updates to the rules daily that include new protections and fixes.

 

+ Whitelisting Files

If you find that you need to whitelist a file, simply put the md5 signature of the file in this file on your system:

/var/clamav/local.fp

The format of this file is one signature per line. For example:

MD5:FileSize:Comment

You can use sigtool to create these lines automatically; the format is:

sigtool --md5 /full/path/to/file

For example:

sigtool --md5 /test/eicar >> /var/clamav/local.fp

The entry will then look like this:

69630e4574ec6798239b091cda43dca0:69:eicar

If you are using clamd, you will also need to tell clamd to load this exclusion for it to take effect. If you are using ASL simply run this command as root:

/etc/init.d/clamd reload

 

+ Disabling Signatures

If you find that you need to disable a signature, simply put the signature name in this file on your system:

/var/clamav/local.ign

The format of this file is one signature name per line. For example:

Signature1
Signature2

If you are using clamd, you will also need to tell clamd to load this exclusion for it to take effect. If you are using ASL simply run this command as root:

/etc/init.d/clamd reload

Note: Some versions of clamav add the word “UNOFFICIAL” to the end of third party signature names. If your version of clamav does this, and the signature name ends in “UNOFFICIAL”, do not include that in the signature name. For example, if you want to disable this signature:

Atomicorp.Suspicious.Eval.PHP.20121213134008.UNOFFICIAL

You would add this to the local.ign file:

Atomicorp.Suspicious.Eval.PHP.20121213134008

Some versions, however, actually require the UNOFFICIAL tag; if you find that the name above does not work, add .UNOFFICIAL to the end of the signature name.
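The two procedures above (whitelisting a file through local.fp and disabling a signature through local.ign) as one added shell helper; this is an example written for this page, not Atomicorp's own tooling. It assumes sigtool's MD5:FileSize:Comment line uses the file's basename as the comment, as in the eicar entry above, and strips a trailing .UNOFFICIAL tag by default.

```shell
#!/bin/sh
# Added example, not Atomicorp's own tooling: maintain the local.fp whitelist
# and the local.ign disable list described above. CLAMAV_DB defaults to
# /var/clamav (the path used above); point it at a scratch directory to try it.
CLAMAV_DB="${CLAMAV_DB:-/var/clamav}"

# Build an MD5:FileSize:Comment line for a file. Assumption: this is the same
# shape "sigtool --md5" prints, with the file's basename as the comment.
clam_fp_entry() {
    f="$1"
    md5=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$(basename "$f")"
}

# Strip a trailing .UNOFFICIAL tag, which some clamav versions append to
# third-party signature names. If your clamav needs the tag, pass the
# stripped name back in with .UNOFFICIAL appended, as the note above says.
clam_ign_name() {
    printf '%s\n' "${1%.UNOFFICIAL}"
}

# Append a line to a list file unless it is already there, so repeated runs
# do not fill the lists with duplicates.
append_unique() {
    file="$1"; line="$2"
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Tell clamd to pick up the changed lists, the way the answer above does on ASL.
clam_reload() {
    if [ -x /etc/init.d/clamd ]; then
        /etc/init.d/clamd reload
    fi
}

# Whitelist a file by hash (local.fp).
clam_whitelist_file() {
    append_unique "$CLAMAV_DB/local.fp" "$(clam_fp_entry "$1")"
    clam_reload
}

# Disable a signature by name (local.ign).
clam_disable_sig() {
    append_unique "$CLAMAV_DB/local.ign" "$(clam_ign_name "$1")"
    clam_reload
}
```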
