
Atomic Secured Linux and Mod_Security

26 March 2011

34SP.com Staff

Every single hour 34SP.com is subjected to hundreds and thousands of attempts to hack and exploit our shared hosting systems. These incursions are largely automated attacks based on known exploits and are not personally motivated against our users. 34SP.com is constantly looking to ensure the very highest levels of security on our managed hosting platforms. Without taking adequate preventative steps, these attacks would lead to compromised hosting accounts and servers. The results of successful attacks can cause significant damage to a website: spam attacks launched from exploited websites, stolen login data, broken websites, overloaded or failing servers, illegal phishing and fraud attacks, and much more.

To combat these ever-increasing threats on our shared hosting systems, we use a tool called ASL: Atomic Secured Linux. It is also available to our VPS and dedicated server clients as an optional extra. ASL provides a comprehensive suite of security features that guard against the most common and problematic attacks. Moreover, the system is connected to a central database for routine updates. Its core component, ModSecurity (mod_sec), checks for updates on the hour, so that signatures for the very latest threats are added as soon as possible – this helps guard against what are known as zero-day threats.

Since our introduction of ASL in 2009, we have been able to dramatically reduce the incidence of hacked and exploited websites for our shared hosting customers – including PHP hosting, WordPress hosting and MySQL hosting. However, mod_sec can occasionally block a genuine web action by mistake; this is known as a false positive. False positives occur when a number of factors combine to make the security system treat a benign action as an attack. Generally these events are a rarity, and they are most commonly associated with complex scripting applications.

Should the mod_sec system mistakenly classify a user’s actions as an attack, it will block that user’s IP address from the server for exactly 10 minutes. This prevents any access to the server at all: www, FTP and siteadmin too. Once the 10 minutes have passed, the block expires and the user may access the site again. The block only ever affects the user who triggered the alert; other users of the website will be unaware of the event and can continue accessing the site.

If you believe your site is experiencing false positives, 34SP.com can investigate the matter for you. To investigate a possible false positive we need the IP address of the machine that accessed the site and the approximate date and time of the event. With this data we can inspect the server’s log files and identify the security rules that were triggered. More often than not we can simply exclude the triggered rule for your domain; rarely, we may suggest a change to your website setup if your code behaves in a manner incompatible with a secure hosting environment. Please submit any reports of false positives to support@34sp.com.
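The investigation described above, as an added example that is not 34SP.com’s tooling or any part of ASL: given the visitor’s IP address, it pulls the ids of the rules that fired out of the Apache error log (assuming the ModSecurity 2.x log line format), counts the hard denials so you can tell a real block from a warning-only hit, and prints the `SecRuleRemoveById` exclusion that disables only those rules for one domain’s `<VirtualHost>`. The log path, IPs, hostnames, rule file and rule ids are constructed for the example.

```shell
#!/bin/sh
# Added example (not 34SP.com's or Atomicorp's tooling): triage a suspected
# mod_security false positive from the Apache error log, then emit the
# per-domain exclusion an admin would apply afterwards.
# Assumptions: ModSecurity 2.x Apache error-log format; the log path, IPs,
# hostnames, rule file and rule ids below are constructed for the example.

LOGFILE="${LOGFILE:-/tmp/modsec_example_error.log}"

# Write constructed sample log lines (ModSecurity 2.x style) to $LOGFILE.
write_sample_log() {
    cat > "$LOGFILE" <<'EOF'
[Sat Mar 26 10:15:22 2011] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:select.+from)" at ARGS:q. [file "/etc/asl/rules/example.conf"] [line "42"] [id "999001"] [msg "SQL injection attempt"] [hostname "www.example.com"] [uri "/search.php"]
[Sat Mar 26 10:15:23 2011] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "<script" at ARGS:body. [file "/etc/asl/rules/example.conf"] [line "77"] [id "999002"] [msg "XSS attempt"] [hostname "www.example.com"] [uri "/post.php"]
[Sat Mar 26 10:20:01 2011] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\.\./" at REQUEST_URI. [file "/etc/asl/rules/example.conf"] [line "90"] [id "999003"] [msg "Path traversal attempt"] [hostname "other.example.org"] [uri "/admin"]
EOF
}

# Print the distinct rule ids that fired for one client IP, optionally
# restricted to one hostname.  Usage: triggered_rules <ip> [hostname]
# Fixed-string matching (-F) keeps the dots in the IP literal.
triggered_rules() {
    ip="$1"
    host="${2:-}"
    grep -F "[client $ip]" "$LOGFILE" \
      | grep -F 'ModSecurity:' \
      | { if [ -n "$host" ]; then grep -F "[hostname \"$host\"]"; else cat; fi; } \
      | sed -n 's/.*\[id "\([0-9]*\)"].*/\1/p' \
      | sort -u
}

# Count the hard denials (HTTP 403) for an IP.  Warning-only rules log a
# line too but do not block, so this shows whether access was really lost.
count_denials() {
    grep -F "[client $1]" "$LOGFILE" | grep -c 'Access denied'
}

# Emit the ModSecurity 2.x directive that disables specific rules for one
# domain only.  Put the output inside that domain's <VirtualHost> block,
# not the global config, so every other site on the server keeps the rule.
# Usage: exclusion_for_domain <hostname> <rule id>...
exclusion_for_domain() {
    host="$1"
    shift
    printf '# mod_security false-positive exclusion for %s\n' "$host"
    for id in "$@"; do
        printf 'SecRuleRemoveById %s\n' "$id"
    done
}

# Demo run: sh modsec_triage.sh demo
case "${1:-}" in
    demo)
        write_sample_log
        echo "rules fired for 203.0.113.5 on www.example.com:"
        triggered_rules 203.0.113.5 www.example.com
        echo "hard denials: $(count_denials 203.0.113.5)"
        exclusion_for_domain www.example.com $(triggered_rules 203.0.113.5 www.example.com)
        ;;
esac
```

Narrow the time window first (a `grep` on the timestamp prefix before `triggered_rules`) when the log is large, and read the `[msg "..."]` and `[uri "..."]` of each hit before excluding anything: the exclusion should cover only the rule that misfires on the legitimate action, and only for the domain that needs it.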

For more technical information, refer to the description of this tool from www.atomicorp.com quoted below, and to their website itself:

Atomic Secured Linux(tm) is an easy to use out-of-the-box Unified Security Suite add-on for Linux(tm) systems designed to protect your servers against both known and unknown zero day threats. Unlike other security solutions, ASL is designed for beginners and experts alike. You just install ASL and it does the work for you.
ASL works by combining security at all layers, from the Kernel all the way up to the application layer, to provide the most complete protection available for Linux servers and helps to ensure that your system is compliant with commercial and government security standards. ASL includes the most hardened kernel on the market, automated system hardening techniques, userspace and host Intrusion Prevention Systems (IPS), malware/rootkit detection and elimination, blacklisting technologies, an autolearning Role Based Access Control System and web application firewalling to protect multiuser and web application hosting environments like no other solution. ASL is uniquely effective at addressing emerging threats posed by vulnerabilities in today’s complex systems and applications, such as web hosting environments, multiuser systems, CRMs, ERPs, forums, shopping carts, Content Management systems and custom applications.
The design of ASL approaches securing the server and its applications, by combining different layers of security technologies and application layer firewalls to filter out malicious content before it reaches your system and its applications. Our hardened kernel further enhances the overall security model by enforcing anti-rootkit, file, network and process level security policies on the system.

The ASL approach also includes our “Just In Time Patching” system, which allows you to address security threats posed by applications where it is not possible to fix the application due to lack of source code, availability of resources, or the number of applications that makes repairing all vulnerabilities economically infeasible. You can know that your systems are protected, even when you can’t patch them.