Trusted by Government Agencies and Industry Leaders
+1 888 457 4497 +(63)2-4111040 / +(63)2-3510292
ZOOM Hosting announced today that it is rolling out CageFS in all its shared hosting servers. CageFS is a CloudLinux feature mainly responsible for tenant isolation.
One of the most serious issues that besets web hosting companies and shared hosting account owners is security. We already know that protecting a server from attacks is a tough job for server administrators. What makes the job even tougher is the fact that in a shared hosting environment, account owners are free to administer their own websites, set directory permission, install scripts and the only time they'll ever do security audit if ever they do is when they first set it up.
While some may think that shared accounts in a server are isolated, the truth is a lot of servers around the world are not protected. Assuming an attacker is able to successfully punch a hole in one of the accounts hosted in a shared server, he can do one or combination of exploits such as symlink attacks to jump from one account directory to another. If the server is not protected from symlink attack, it's useless to be securing your precious CMS installation because there's a backdoor hole from other users’ account.
CageFS in a nutshell is a secured virtualized file system with its own set of libraries that allows the system to contain each user in its own "cage". In CageFS environment, accounts are treated as if one is isolated from the other. The account will have its own system files and configuration. Before CageFS, users are able to list other usernames in a server, view other user's process and access system files.
Some advantages of CageFS are:
A user has no means of detecting other users on the server nor will they be able to access files and directories owned by other users
Critical binaries are hidden and only safe binaries are accessible to the user
User cannot view other users’ processes and they only have a limited access to /proc file system
The beauty of CageFS is that all scripts are left untouched and will remain to be fully functional. Users do not have to configure anything and will not be restricted in anyway, except for their inability to access critical system binaries.
According to CloudLinux documentation, CageFS will cage any scripts execution done via:
However, mod_php is not supported as of this writing, and MPM ITK requires a patch.
Below are the major differences between a server running on CLOUDLINUX with CageFS enabled and traditional stand alone server running on CentOS.
For those managing their own dedicated server, CageFS is very easy to install.
Here are the system requirements:
Kernel: You must be running on CloudLinux 5.x with lve 0.8.54 or later and CloudLinux 6.x with lve 220.127.116.11 or later and must have at least 7GB free space.
To install, you must login as root and execute these commands:
The command /usr/sbin/cagefsctl1 --init will create skeleton directory needed by CageFS under /usr/share. In case you do not have enough disk space in this directory or for some other reason you want to create this in another directory, you just need to mkdir a new directory where you want to ceate the skeleton ( if it does not exist yet ) and then create a symbolick link of that directory from /usr/share/cagefs-skeleton
For cPanel servers, if you intend to create skeleton inside the /home directory, you must configure the following:
cPanel WHM WHM > Server Configuration > Basic cPanel/WHM Setup > Basic Config > Additional home directories
Change the value to blank (default is "home")
Not changing this option will cause cPanel will create new accounts in incorrect directories.
CageFS has automatic configurfation and detection script for Cpanel, DirectAdmin, Plesk, ISPManager, Interworx, PostgreSQL and LiteSpeed
Web interface to manage CageFS is available for cPanel, Plesk 10+, DirectAdmin, ISPmanager & Interworx. For other control panels, command line tool would need to be used.
For Cpanel users, once template is initialized. you can start enabling users through WHM under WHM > Plugins > CageFS. By default CageFS is disabled for all users.
Another advantage of CageFS is that it allows users to have different versions of PHP. Before this feature, the dilemma of share hosting companies is that when they upgrade their servers to new version of PHP, they would be bombarded with support tickets the next day from clients whose scripts cease to function because codes that they are using from old version of PHP are already deprecated. This issue is addressed by PHP Selector.
When enabled, an account owner may change the PHP version used for his account anytime through Cpanel.
To install PHP Selector, you need CageFS and LVE Manager, both are CloudLinux features with WHM plugins.
It's recommended that you update cagefs and lvemanager with support for PHP Alternatives to make sure you have the needed libraries.
$ yum update cagefs lvemanager
Next, you need to enable "Select PHP version" in WHM > Feature Manager, edit the package where you want to enable "PHP Selector", once done. PHP Selector will appear on the accounts' Cpanel.
WARNING: Be careful not to use settings like SuPHP_ConfigPath, PHPRC, PHP_INI_SCAN_DIR. Do not redefine path to php.ini and ini-files for php modules.
Saturday, January 18, 2014
Late 2010 when we needed to revamp PICC.GOV.PH through the help of our contractor ICONCEPT Global Advertising, Inc. It is then also when we migrated to ICONCEPT's hosting platform, now ZOOM Hosting. Since then, we no longer have to worry about our email server or our website being unavailable. ZOOM offers fast, reliable cloud web hosting service that can handle surge of traffic and can accommodate hundreds of PICC email users without any issues.
Marnie F. Onia - PICC MIS Head
Copyright © 2012 - 2015 ZOOM .PH - All Rights Reserved
Web Hosting Philippines powered by: ICONCEPT
Brands: Web Outsourcing, Website Builder, Digital Marketing
Services: Shared Web Hosting, Dedicated Server, VPS Server, Reseller Hosting, Domain Registration, .PH and .COM.PH Domain Registration, SSL
ZOOM is a DOT.PH accredited partner for .ph,.com.ph,.org.ph and .net.ph domain registration