[quote=whoisjb;11636]We work with a local company of Linux gurus that helps out with network security and they’re also very good with web hosting environments. Here are some suggestions they gave us but since they’re unfamiliar with Iworx they’re not sure what potential problems these changes would have. I’d love to get some feedback so I can decide how to proceed:
SECURITY CONCERNS
- Users have UNIX accounts, though they seem to be configured well, from a security standpoint, they are unnecessary.
- phpMyAdmin 2.6.2 is installed on the system.
- The system could potentially be vulnerable to a DoS attack, in theory, if one were to deliver a vast quantity of messages to the postmaster@ abuse@ or other RFC-required account that contained files that were large, long message bodies, etc. This would cause ClamAV to scan each message (taking more memory and CPU time), and SpamAssassin scanning them (which takes more memory and CPU time.) While observing, we noticed load tends to reach >= 1.00 (5 min avg.) unnecessarily at times.
OPTIMIZATION SUGGESTIONS
- Apache may see a potential performance gain by using mapped vhosts as opposed to user-based vhosts.
- Apache should be using the Worker MPM model given the type of processor present. The default config for this module is untuned. There would be a potential performance increase by reconfiguring apache in this instance.
- PHP Version 5.1.1 is installed. There may be benefits by upgrading to the latest stable release (5.2.1).
- MySQL should be updated to the latest release (5.x) for optimal performance. (4.1.20 is being used by users and 4.0.21 by iworx)
- Replace syslogd & klogd with the more-optimized syslog-ng
- If all domains will utilize Guardian MX then SpamAssassin and ClamAV are a waste of resources. (Note: Guardian MX is a service they provide for some of our domains. Is there an easy way to completely disable SpamAssassin and ClamAV?)
- Vixie-cron is more versatile than atd.
- Utilizing tpop3d would incur less overhead than vpopmail.
- The latest version of BIND 9 would use less overhead and would be more secure than tinydns.
- PHP sometimes uses massive amounts of CPU time (~20-30%) & SpamAssassin eats about 30% CPU each scan. (If either of these were hammered, it could cause a DoS condition)
- iworx consumes vast amounts of memory on the system: It runs large numbers of Apache (iworx-web) and mySQL (iworx-db) processes in addition to those that are already on the system. This results in unnecessary load. (This could also result in DoS if hammered)
- iworx uses its own separate application of apache and mysql. Optimization could occur if these could be merged to use a single version of the applications.
I already realize some of their suggestions and findings would not be possible since I’m sure some of them would truly mess up Iworx. But, I’d like to know which ones and why Iworx is running certain services that are less secure. Overall I like the control panel really well but I’d hate to think my server is less secure and less robust simply because I’m running Iworx.[/quote]
UNIX shell accounts are disabled and bound to a noshell by default, which is exactly the same as not having one at all… moot point.
phpmyadmin is yes, a concern, but at the same time this should not be an issue if it is kept outside of the normal user view. If you get compromised there, you should be compromised entirely… because the full access there is well, mysql root access. I’d hope you were protecting that aspect with a secure enough password anyways - so in this area, if you get “hacked” it’s because of a weak password, NOT because of version.
The clamAV situation is also moot because if you are getting a significant # of emails to the abuse/postmaster accounts you should already have rules protecting against clamAV scanning and just simply deleting them.
All the software recommendations are simply opinions…
And, just fyi…
Tinydns is in fact more secure (and more efficient) than BIND ever has been =/ This has been proven on many levels, in just about every security paper released in hosting environments.
PHP version is moot…
MySQL - this issue is also moot, but I will address it. MySQL 4.1 and 5.0 are in tandem in terms of security. 5.0 is a completely new version and 90% of all scripts that utilize 5.0 are broken due to different data storage types, password storage, protocol interaction and furthermore… undeveloped plugins in interaction between applications produced. PHP support is still not fully out of beta, as well as well… most other web-application languages. MySQL 4.1 is slightly slower, but not by much. The only added performance to MySQL 5.0 is the cache changes, which you won’t notice unless you’re running an oracle-level size database. This feature was put in to reduce the time between MASSIVELY executed queries, on the level of thousands per second.
Sorry but, what about the syslog? That… really does not make any sense. That is kernel level and completely… well, yea.
“GuardianMX?” I’ve never heard of it, and really… although I’m not a fan of SpamAssassin, I’m really not a fan of external services
If you have your firewall properly configured (which, is something that is not too hard to do), a DoS can be completely avoided on any port, any web client. It’s rather simple to do, it’s exactly the same as blocking consecutive failures in SSH.
Also…
Just FYI…
The reason I chose iworx is because of the separation of applications between what it uses and what everything else uses. In cpanel, combining these applications is what drove me away. I could not update php to my own desires, I could not optimize apache to my own desires, and I could not take the aspects that I desire into my own hands to properly configure the way that I wanted. With iworx, I can pretty much create a server to my own standards, security preferences, and optimizations… without having to worry about my panel application dying on me. This alone pretty much makes the entire situation you provide a little absent =/ You can configure all the things you said, from the command line, with a little work and a little research. I highly recommend this if you are using an outside administration source, as it could make you more knowledgeable about the system and in the end save you some well earned money.
I’ll leave it at this…
It is easier to DoS a Plesk or cPanel system, than it is to DoS the php4 running, “high resource usage” iworx system… and this is a fact that I proved in my own testing.
cpanel still uses apache 1.3.3.7, which, as much as people keep saying, is nowhere near being updated. That… is alone an issue.
Plesk is a java heavy, database heavy, very inefficiently coded well (mess). Java alone in that aspect… I hope you know the security issue in that being within a panel. If you don’t, then the DoS issues you relate to need a little research done first