CageFS and Immunify 360. Are they really worth the investment?

4 posts / 0 new
Last post
#1 Thu, 10/25/2018 - 15:30
adamjedgar

CageFS and Immunify 360. Are they really worth the investment?

Recently read a forum post on another forum where it was suggested to go with both cagefs and immunify 360 to protect shared hosting accounts on servers from malware etc.

In reading some of the information i am wondering if either of these two packages are doing anything more than reinventing the wheel that s already available to us.

here is a definition of what CageFS for example does...

CageFS is a virtualized file system and a set of tools to contain each user in its own 'cage'. Each customer will have its own fully functional CageFS, with all the system files, tools, etc.
CageFS - CloudLinux Documentation
https://docs.cloudlinux.com/cagefs.html


Anyone got any insights i to how they protect their virtualmin servers? Do you use these kinds of addons? Alternatives? Are they to a certain extent a bit of a con or a waste of money because of what a virtualmin system already has built in?

for example, in reading about one of the above software packages, it appears most of what it does is achieved through custom firewall iptables rules?

Sat, 10/27/2018 - 09:09
Jfro

The best thing todo is probably:

If time. ;) Take care of knowledge for users and admins and the apps / programs to be safe on their own, also have only supported secure versions of all. ( so no old php , wordpress, magento and so on) ( and a secure workflow and mind for working)

If that is hmm not so normal then you have to spend a lot of time to secure and audit your server, therefore then Immunify 360 / cloudlinux and so on are a good choise.

But as writen you and your users if some used to a "OK" for using to old unsafe versions of software is nog the right way , and in future for sure problems are programmed to hapen.

Further depending on only security is also not enough , to have a good backup restore strategy is still needed, and more then that to, if more users / admin are on the box a good audit and security check for that persons themselves, while most databreaches are from within.

For malware at its own you never know, it is not malware their protecting is for, only the damage could be somewhat limited if this happens. ( It is more overal security!)

Sun, 10/28/2018 - 02:44
Joe
Joe's picture

CageFS appears to be a chroot jail, or perhaps a "container"-based approach (though a container is merely a special type of chroot jail, with some extra kernel support).

I am ambivalent about CloudLinux. They have some interesting exploit mitigation tech in their kernel, but it's a huge swath of changes and it doesn't go through the normal kernel development process and is a small team (I think the kernel work is mostly one very prolific developer). That kind of thing makes me nervous; the mainline Linux kernel has thousands of eyes on every release. If we're talking security, I'll take the thousands of eyes over one (admittedly very clever) developer.

I have no knowledge of Immunify, but they're claiming AI-powered security, so I'm immediately skeptical. Like, I want to dismiss it outright, but can't without more info. Firewalls are of extremely limited utility in a world-facing server. You can't block ports that are needed for services, and you shouldn't have anything listening on public ports that aren't needed for services, so what are you gonna block with the firewall? There is some utility in a tool like Fail2ban (maybe they'd consider that AI, I dunno!), where an attack on any port results in blocking everything from the IP initiating the attack for a specified period. That's useful...if an attacker comes around, poking at ssh, fails to get in there, and then starts poking at Webmin, Usermin, FTP, mail, etc. they get a lot of bites at the apple. If they get shut down on the first service they don't get any other chances with other services, or at least it becomes slow enough that even a very advanced brute force password search from high resource attackers (e.g. someone who can turn a botnet against your server) is unrealistic.

In short, beware any company trying to sell security in product form. Security is a process, not a single product. You need vigilance, to insure you're always up to date, you need strong passwords, you need popular tools with history and more than one person paying attention to their security, and you need a layered approach and to always think about what an exploit of one service or server could do to your other services or servers (i.e. are you sharing passwords across systems or accounts? do you have ssh keys on public servers that have access to other servers, so exploiting one would exploit others?).

I won't say we're doing everything that could be done for security in a default installation, but there are a lot of tools at your disposal immediately after installation, and most people don't really ever dig in and get the most out of them. You've got a firewall (firewalld or iptables, depending on init system), fail2ban, a pretty tight default config for ProFTPd and ssh (with optional jailkit for chroot jails, also pretty locked down by default), SSL/TLS available on most protocols including mail and FTP, Let's Encrypt for getting good certificates, 2FA for Webmin, and probably some other stuff.

To take security further I'd recommend the following, in no particular order:

  1. Minimize attack surface. Turn off stuff you aren't using. Turn it off in Features and Plugins, and then turn off the related service.
  2. Strong passwords.
  3. Update religiously.
  4. Be aware (of what's supposed to be happening on your system so you know when things look weird, of the security updates for your OS of choice, etc.).

That alone already gets you above 95% of system administrators. Sometimes we'll see people talking about PHP versions that have been EOL for years or asking us questions about Virtualmin versions that are years out of date. Even software with a good security history (which we mostly have, and have for many years), that's insanely dangerous. And, relatedly, anything that distracts from those things is counter-productive. So, if you buy some security product, and spend a bunch of time configuring it, and while you're distracted an exploitable version of WordPress sits on your server for a week, your site (at least) is toast. If you also missed a kernel update during that time that happened to fix a local root exploit (very rare, but does happen), your whole server might be toast. But, more layers is better than fewer...I just know there's a lot of snake oil in the security product industry. Be careful out there, do your research, and be wary of big claims that aren't reasonably within the scope of what a security product can do. A lot of it is overpriced and under-delivers.

--

Check out the forum guidelines!

Mon, 10/29/2018 - 14:50
adamjedgar

Thanks guys very informative and helpful.

It is as i suspected...reinventing an already existing wheel.

I think that we are in an age of deliberately misleading marketing. It seems to me as a realtive newbie that is so easy to end up with a whole bunch of useless garbage on linux systems.

Even on ask ubuntu and stack, so many supposedly helpful solutions can cause utter chaos with my server.

What is needed for me is a really extensive online training academy specifically for virtualmin (a bit like a trimmed down version of lynda.com).

AJECreative is the home of $5 webhosting, $15/month VPS servers (1cpu,1gb RAM, 25GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin

https://ajecreative.com.au

Topic locked