Service Category: Technology

Secure Linux Kernel for your server

Our specially designed Secure Linux Kernel is here to protect your server and all services by allowing access only to specific files, variables, and networking.

Secure Linux Kernel

More info

When in use provides the highest security possible for your server.

Since this protection is MAC at the kernel level meaning all not allowed by the policy by default is denied and that provides the highest security for your system.

Supported Operating Systems

Working Process

We need to define into policy each binary file that can be executed and specify the allow list of rules for it.
We can allow per application, user, program, service access to specif file, socket, port, IP …
We can allow for example that the test.php file of the user “john” located at /home/john/public_html/test.php can be executed only by john user and only by php-cgi version 5.4 which needs to be run by the john user.

File Based restrictions (please note all not allowed, by default is denied)
file read
file write
file execute
file append
file truncate
file rename
file getattr
file create
file unlink
file symlink
file link
file chown
file chgrp
file chmod
file chroot
file mkdir
file rmdir
file mkfifo
file mksock
file mkblock
file mkchar
file ioctl
file mount
file unmount
file pivot_root
misc env

Network limits
These rules allow us to perform network socket operations.
network inet

 

Network limits
These rules allow us to perform Unix socket operations.
network unix

 

This protection can limit connection on the IP and/or port,
deny read/write/execute…. access to the files if the owner is not matched…

Example issues which kernel is protecting you from:
– symlink attacks (most commonly used to hack all users on the server)
– execution of malware or custom scripts
– access to server system files (/etc,/var, /usr, /home and all others)
– access to /tmp and /var/tmp files
– access to /dev/shm memory partition
– custom script connecting to other servers/ports
– malware cron running bad things
– hacked user ssh access to be used for running hacker scripts
– hacked user ssh access to be used for accessing the system files
– the limited set of secure tested ssh commands are only available to users
…and many others.

Demo SSH account
SSH Server: 142.4.197.233
Username: cwpuser
Password: neQumXagNUTj
SSh Port: 19443
Example ssh login: ssh cwpuser@142.4.197.233 -p 19443
Youtube Video DEMO

* You can test here all example commands, the demo account is reset every 1h.

Cgroups - control groups (resource limits)

Cgroups allow you to allocate resources such as CPU, system memory, and disk I/O per user, group, or application. Using Cgroups and other limits we provide outside cgroups makes your server stable and prevents downtime.

Cgroups

More info

Cgroups in combination with other tools provides the best stability for your server.

Working Process

Limit 100% is one CPU core fully used, all user processes are sharing this limit.
For example, two user processes will have a CPU power of 50% each.

 

Limit range: 1 ~ (Number of cores) x 100, example for 4 cores: 1~400.
Result: User websites might have a slower response if the user has higher demanding scripts.

RMEM (Real Memory RAM)
RAM limit in MB, the value of 1024 MB will limit shared RAM for the user to 1GB.

VMEM (Virtual Memory = RAM + swap)
Swap limit in MB, the value of 2048 MB will limit swap for the user to 2GB.
It’s recommended to have swap (VMEM) higher than RAM (RMEM).

Result: When the ram limit is reached system will kill the most memory demanding process.
In case of killed script webserver could return server error 5xx on the active process.

Set the limit in KB per second, you can monitor this limit with iotop.

Result: User websites might have a slower response if the user has higher demanding scripts.

We use also other Linux limit tools to allow an even more stable system per specific requirements.

  • nproc (soft/hard limits)
  • nofile (soft/hard limits)
  • inode (soft/hard limits)
  • cpulimit (available per command)

WAF - Web Application Firewall

WAF – Web Application Firewall is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. It is an extremely important tool for filtering and blocking unwanted hacker attacks or stealing data from the SQL database.

Web Application Firewall

more info

WAF makes sure even unsecured applications become more secure.

More info about WAF

There is almost no any secure application in the world that is why Mod Security WAF is here to ensure you get a higher security for your app by blocking all known attacks on the web servers.

We install the latest WAF rules and together with you, we do the testing to ensure that all required for your application to work is whitelisted.

You need to have all security tools as they ensure you have greater protection at multiple levels.
The firewall will only protect you at the network level while WAF is required to protect you from hacker attacks on your web application or a website.

FileSystem Lock

FileSystem Lock ensures your application files are in read-only mode. Read-Only mode on your files makes them immune to hacker attacks and hackers can’t make any modifications like inject malware or upload new malware and hacker files.

FileSystem Lock

More info

Secure your files from hackers and malware by locking them from changes.

Working Process

To make an update of your application or a website you would first need to disable FileSystem Lock and then do the update, after the update you should again enable FileSystem Lock.

Server Monitoring

We monitor all your server resources, services, and logs with different tools to ensure you have a stable and secure system. In case of some issue, we ensure it gets resolved quickly.

Monitoring Service

More info

Our monitoring tools ensure we resolve issues before it escalates.

Working Process

We monitor servers with many custom scripts directly on your server and our monitoring server periodically checks all.

Jailkit - chroot

Jailkit contains various tools to limit user accounts to specific files or specific commands. It’s recommended to be used when there are multiple users on the server and they use ssh/shell.

Jailkit - chroot

More info

Separate and isolate each user in the own file system.

Working Process

It’s recommended to be used when there are multiple users on the server and they use ssh/shell. Jailkit will isolate each user in their own file system (like their own VPS) and they will not be able to see the server system or other user processes.