FreeBSD vs other for web hosting

Status
Not open for further replies.
My first priority would be security. Then longevity. Then ease of use.
So... FreeBSD?
  • Security - jails - check
  • Longevity - use RELEASE and don't upgrade just for the sake of it - check
  • Ease of use - Unless you consider dealing with systemd and whatever firewall your chosen Linux distro uses to be 'ease of use.
The owner of said datacenter probably assumes:
"number of people using it" == "is good"
 
So I was advised by a major CTO of a top 5 web hosting company that CloudLinux is the way to go, I assume due to the CageFS... because in regular Linux he said he could pivot into other user directories... I don't really know the entire list of CloudLinux Pro's security features but I know it does some "light virtualization" and limits how much RAM and CPU and such that a user can use.

Let's say I create my own FreeBSD version of cPanel (web hosting control panel, ) are FreeBSD's jails as secure and applicable for shared web hosting as CloudLinux Pro's security measures? Or are they even better?

Does FreeBSD use ZFS by default now? I heard it's slower than other file systems but more stable/reliable less prone to write errors.

I don't really need all the fancy features of cPanel and really don't like all the options and configuration possibilities, this just creates more work for a web hosting company or system admin. I'd rather just create more of a web hosting appliance that just does most things perfectly and easily than something trying to please everyone with tons and tons of features.

I've found that nobody knows all of DirectAdmin (cPanel's 2nd best alternative) except for DirectAdmin's own chief programmer. Even their tech support is faking their tech support requests and don't really know much

I've used DirectAdmin for 18 years now but the new version combined with CloudLinux is just too much with too loose of integration between DirectAdmin and CloudLinux, way too many moving parts and options. I haven't looked for experts in cPanel but there are more people using it, but I doubt they really know what they are doing.

I've found that over the past 18 years the number of USA based system admins has dwindled down to almost zero and virtually all hosting companies now use overseas indian or eastern european or south american system admins to run their hosting companies and I've found that these companies aren't really senior level system admins. The world is in a weird place right now regarding tech.

So tell me about FreeBSD vs CloudLinux Pro in relation to user security in a shared web hosting environment, if you know...

I love it when people know more than me.
 
Yes I personally wrote 95% of it, and 5% with help from a web developer. As the development was a continuous progress for more than 15+ years I have no idea how much time it took me.

"pivot" from one user account to the others is not true if you have the right permissions on home directories. For example I have:

Code:
drwx------+   8 creta     creta      14 Jun 21 23:45 user1
drwx------+   6 cretadev  cretadev   10 May 19 03:40 user2

The + at the end is for giving access to Nginx with command:
setfacl -m u:www:x:allow /home/www/${username}

So each user can not access other user files.

Also to run different version of PHP I use FreeBSD jails.

I don't know the specifics since I am more of a user than a hacker...

from



The benefits of CageFS are:

  • Only safe binaries are available to user
  • User will not see any other users, and would have no way to detect presence of other users & their user names on the server
  • User will not be able to see server configuration files, such as Apache config files.
  • User's will have limited view of /proc file system, and will not be able to see other users' processes
At the same time, user's environment will be fully functional, and user should not feel in any way restricted. No adjustments to user's scripts are needed. CageFS will cage any scripts execution done via:

  • Apache (suexec, suPHP, mod_fcgid, mod_fastcgi)
  • LiteSpeed Web Server
  • Cron Jobs
  • SSH
  • Any other PAM enabled service

The person who told me to use CloudLinux is a CTO from a top 5 web hosting company, so I trust him since he's in charge of tech for a company worth hundreds of millions of dollars.

How does using jails help with different versions of PHP?


From online




Jul 5, 2013
Hi all :)

I've found the comparison of CloudLinux & BetterLinux (default settings) at Rack911's blog an interesting read.

https://blog.rack911.com/hosting-control-panels/cloudlinux-vs-betterlinux-security-default-settings/

While the intent seems to be to quickly compare the two out of the box I'd be interested in knowing where the capabilities built into WHM with jailshell come into such a comparison (or to play devils advocate, that they don't...)

Currently cPanel jailshell in tweak settings is not the default (not sure why) although jailshell IS now default for user cronjobs and when exim executes aliases or filters. This seems to have caused some confusion going by recent threads on these forums but seems to have been done with the best of intentions ;)

Ref: VirtFS (Jailed Shell)

Ref: Tweak Settings

Process Isolation

How many processes users can view. From shell by default under jailshell all processes can be viewed if CentOS5 /xenpv is in use)

Relevant tweak setting: Mount limited /proc (RHEL/CentOS 6)+, Full /proc (RHEL/CentOS 5/xenpv) is the default

This can be changed to: Mount limited /proc (RHEL/CentOS 6)+, No /proc (RHEL/CentOS 5/xenpv) if desired.

There is more information on this at http://forums.cpanel.net/f185/jailshell-users-not-seeing-processes-ps-top-351271.html a good point made in this thread is that the jail is not "complete" unless using some of the new experimental apache options (so that cgi for example is also controlled)

Jailed Environment

Access to / is directly denied. A number of directories are available in the jail. I'm unsure if this is as restricted as CloudLinux. /var/ being accessible suggests not...

Code:
>user@host [~]# ls /
/bin/ls: /: Permission denied
Mounted directories on the CentOS5 system in front of me:

/var/spool
/usr/sbin
/etc/mail
/var/tmp
/lib64
/sbin
/lib
/usr
/opt
/var
/bin
/tmp
/dev
/home/user

Information available to untrusted users

Jailshell seems to show only system users and the users's own under /etc/passwd

Code:
cat /etc/passwd | tail -n5
mailman:x:32006:32006::/usr/local/cpanel/3rdparty/mailman/mailman:/usr/local/cpanel/bin/noshell
cpaneleximfilter:x:32007:32009::/var/cpanel/userhomes/cpaneleximfilter:/usr/local/cpanel/bin/noshell
username:x:507:503::/home/username:/usr/local/cpanel/bin/jailshell
View domains on the server / dns cluster

Jailshell as with cloudlinux seems to protect the dns server configuration file.

Code:
user@host [~]# cat /etc/named.conf
cat: /etc/named.conf: No such file or directory
Access to log files

Files under /var/log are accessible, including dmesg and last logs. Seemingly therefore inferior to protection offered under CloudLinux.

suid binaries

This one is difficult to test, as Rack911 are using their own exploit for demonstration purposes...from the docs I'm unsure if their suggested scenario of an exploit possible in exim would apply under jailshell. From what Rack911 have said, It would appear that for most binaries however the included jailshell is superior to Betterlinux defaults...

From blog post:
The final comparison will be the most important one. Which software will stop an attacker from exploiting a SUID binary to ultimately gain root access on the server. So many of our security vulnerabilities work with SUID binaries, so it is extremely important for us to use software that prohibits allowing a normal user to escalate their privileges.
From cPanel docs
As of 11.38, in a jailshell, all filesystems are mounted with the nosuid option by default. The nosuid option blocks the operation of setuid and setgid commands, such as crontab and ping. This does not apply to the /usr/sbin/ directory for Exim.
Conclusions?

It would be interesting to see a discussion of jailshell on Rack911's blog alongside CloudLinux / BetterLinux, I'd like to know what Stephen thinks of the current implementation. From questions I've seen I don't think the differences between the three are well understood to the extent that they should be (being different pieces of software with different implementations and goals).

It'd also be interesting to have a matrix of jailshell features on the cPanel docs vs Cloudlinux which has become something of a "you really should have this installed" - if not mentioning CloudLinux by name perhaps where Jailshell is limited by what the 'standard' kernel provides?

Sorry for the waffle, be interested to hear others thoughts.

Let me explain the differences, and what drew us to do it in a particular way.
1. VirtFS & Web -- Unlike CageFS, VirtFS will not work for cgi/php unless you are using mod_ruid2. mod_ruid2 (IMHO) is a problem in itself, as bug in something like imagemagick extension would allow hacker to gain root on a server -- given mod_ruid2.
Anyway -- web is unprotected by VirtFS. And you can do everything through CGI, that you can do through cron/ssh
2. VirtFS is a chroot. It is possible to break out of chroot.
3. SUID is a problem. It doens't matter much which one, as quite often it is not the bug in SUID itself that is being exploited, but a bug in one of the libraries that it uses. Like glibc library Two glibc vulnerabilities [LWN.net]. It all usually circles around using LD_PRELOAD and suid binary. It is quite easy/classic way to exploit bugs to escalate priveledges. Once SUID programs removed - same bugs are no longer dangerous.







Can FreeBSD do this? Cloudlinux includes a type of user resource throttling. Not sure how this actually works in real life, however. Toward the end of life of my last FreeBSD server mysql was maxing out the CPU from user accounts that were probably hacked or insecure or being hit by DOS to try to crash the server or wear out the hard drives.

CloudLinux is a linux based operating system designed to give shared hosting providers a more stable and secure OS. Essentially a set of kernel modifications to the Linux distribution, CloudLinux implements features to enable system administrators to take fine-grained control of their server’s resource usage. By isolating users, CloudLinux helps ensure that problems with one account don’t degrade the service for others.

 
CloudLinux cannot be trusted and is far less secure because that contributor fed you a line of BS. One should never use any product that uses lies as sales techniques.

What do you mean about lies? Can you be specific about that? I'm just trying to get info. I prefer FreeBSD because after 30 years using computers I can feel a system, just by feel, FreeBSD is the best OS, but not sure about the features that apply to shared web hosting.
 
This is not simple, but the whole package. And probably way too ambitious for just one person.

And there are also projects for this purpose around, like this:


There are a few of these, but they aren't as good as cPanel or DirectAdmin and not ready for prime-time. I've used DirectAdmin for 18 years now and the new version just has too many options for me that I'd just prefer be not optional and the integration performance and reliability with CloudLinux Pro LVM is unknown to me.
DirectAdmin 18 years ago was really good because it didn't include the firewall and brute force and virtualization throttling and so many more options... I'm unable to find a single system admin who actually knows everything about DirectAdmin, only John at DirectAdmin knows about DirectAdmin and this includes their own outsourced tech support who seem to be just faking some tech support answers. If I want a firewall I'd rather just manually configure it rather than use a web GUI, same with brute force monitor, anti-malware/virus, backups, I don't want a million versions of PHP and 5 webserver options, and 3-4 database options... I just want the most basic and most reliable LAMP to host mom and pop Worpdress sites with Installatron and now DirectAdmin doesn't support FreeBSD so I have to move to CloudLinux Pro, which is OK since I use a linux flavor as my prefered desktop, but the integration between DirectAdmin and CloudLinux Pro LVM and throttling isn't seamless from what I've seen... as I've said I'm unable to find USA based system admins and even the overseas system admins are not what I'd call senior level... there has been a huge drop in the knowledge pool over the last 15 years across the board in IT, I think it's just about people retiring and a new generation coming in and more and more system admin is being outsourced remotely... I've hosted with a minor but pretty good data center that doesn't seem to have a really hot shot system administrator and just moved to a bigger data center and they outsource all of their complicated managed services and complex system admin to india... so I think that the American system admin is a dying breed. I remember when a good domestic system admin could make $120/hour, not sure if that's a thing anymore.
 
Status
Not open for further replies.
Back
Top