-
06-28-2013, 12:34 PM #1Web Hosting Master
- Join Date
- Mar 2003
- Location
- Canada
- Posts
- 9,072
CloudLinux vs BetterLinux Security (Default Settings)
Here is a comparison of CloudLinux vs BetterLinux with default settings to show the differences in terms of security. We have chosen to leave the default settings intact because as a lot of you know, some people simply cannot be bothered to read a manual and make the necessary changes.
For test purposes, we have created two new cPanel accounts: one called "cloud", which represents CloudLinux + CageFS, and the other called "better", which represents BetterLinux + CloakFS. Both users are using a standard bash shell, not the cPanel Jailshell.
The first comparison will be how well processes are isolated from the rest of the system and other users. Let's take a look and see how many processes each user can view.
cloud@cl [~]# ps aux | wc -l
6
cloud@cl [~]#
CloudLinux: 6 processes.
better@bl [~]# ps aux | wc -l
114
better@bl [~]#
BetterLinux: 114 processes.
Thoughts:
With CloudLinux, users are only able to see their own processes and they are not able to see any root owned processes or processes belonging to other hosting users. BetterLinux on the other hand allows the user to see every root owned process and everything else outside of other hosting users. (We have found previous exploits that were time based and CloudLinux prevented them, but BetterLinux would not in this case. There is no reason to allow users to see other processes!)
The next comparison will be to see what directories the users have access to. This test was done via SSH but the same conditions would apply for cron jobs which is another one of our favourite exploit techniques when we cannot use SSH access.
cloud@cl [~]# ls /
./ ../ bin/ dev/ etc/ home/ lib/ lib64/ opt/ proc/ sbin/ scripts@ tmp/ usr/ var/
cloud@cl [~]#
better@bl [~]# ls /
./ .autofsck base/ boot/ cgroups_cpuset/ etc/ lib/ lost+found/ mnt/ proc/ sbin/ selinux/ sys/ usr/
../ .autorelabel bin/ cgroups_blockio/ dev/ home/ lib64/ media/ opt/ root/ scripts@ srv/ tmp/ var/
better@bl [~]#
Thoughts:
With CloudLinux, users see a heavily modified file system structure that is basically a jailed environment with the bare minimum files and directories available for access. BetterLinux on the other hand allows the user to see every directory and every file. (Both prevent access to view files owned by other hosting users.)
The next comparison will be to see what files can be viewed by the users. While obviously nothing dangerous can be viewed, one ultimately wants to mitigate how much information is made available to untrusted users. The less information the better!
cloud@cl [~]# cat /etc/passwd | tail -n5
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
mysql:x:498:499:MySQL server:/var/lib/mysql:/bin/bash
cloud:x:617:616::/home/cloud:/bin/bash
cloud@cl [~]#
better@bl [~]# cat /etc/passwd | tail -n5
hax1:x:501:502::/home/hax1:/bin/bash
hax2:x:502:503::/home/hax2:/bin/bash
hax3:x:503:504::/home/hax3:/usr/local/cpanel/bin/noshell
hax4:x:504:505::/home/hax4:/usr/local/cpanel/bin/noshell
better:x:505:506::/home/better:/bin/bash
better@bl [~]#
Thoughts:
With CloudLinux users are only able to see system users and their own account under /etc/passwd, whereas BetterLinux lists every other hosting user on the server. If you're a malicious user and trying to gather a list of other accounts to attack or just gather information for other purposes, having the ability to list /etc/passwd would be extremely helpful.
cloud@cl [~]# cat /etc/named.conf
cat: /etc/named.conf: No such file or directory
cloud@cl [~]#
better@bl [~]# cat /etc/named.conf | wc -l
181
better@bl [~]#
Thoughts:
With CloudLinux users are not able to view the named configuration file, whereas BetterLinux allows the user to view the file in all its glory which would ultimately list every domain configured on the server or being used in a DNS cluster. (This is sensitive information that does not need to be viewable to the user.)
cloud@cl [~]# find /var/log -perm 644
cloud@cl [~]#
better@bl [~]# find /var/log -perm 644
/var/log/dmesg
/var/log/chkservd.log
/var/log/xferlog.offsetftpsep
/var/log/bandwidth/current
/var/log/bandwidth/version
/var/log/bandwidth/ipmap
/var/log/bandwidth/2013/Jun/27
/var/log/bandwidth/2013/Jun/28
/var/log/bandwidth/lasttime
/var/log/sa/sar27
/var/log/sa/sa28
/var/log/sa/sa27
/var/log/boot.log
/var/log/dracut.log
/var/log/cpanel-install.log
/var/log/lastlog
/var/log/xferlog.offset
/var/log/dmesg.old
better@bl [~]#
Thoughts:
With CloudLinux users cannot see any log files, whereas BetterLinux allows the user to see a handful of files which could ultimately contain information that is helpful to an attacker. Particularly the dmesg logs and last logs. (The last command doesn't even work with CloudLinux, whereas BetterLinux will show the last users + their IP addresses that recently logged in.)
The final comparison will be the most important one. Which software will stop an attacker from exploiting a SUID binary to ultimately gain root access on the server? So many of our security vulnerabilities work with SUID binaries, so it is extremely important for us to use software that prohibits allowing a normal user to escalate their privileges.
For test purposes, the exploit file was created by us but it's still a real world example. Just be hypothetical and replace "exploit" with "exim" which has the SUID flags set and is executable by the user. If there were ever to be an exploit in Exim, the following scenario would still apply.
cloud@cl [~]# ls -la exploit
-rwsr-xr-x 1 root root 6912 Jun 28 11:15 exploit*
cloud@cl [~]# ./exploit
cloud@cl [~]# id
uid=617(cloud) gid=616(cloud) groups=616(cloud)
cloud@cl [~]#
better@bl [~]# ls -la exploit
-rwsr-xr-x 1 root root 6912 Jun 28 11:15 exploit*
better@bl [~]# ./exploit
root@bl [~]# id
uid=0(root) gid=0(root) groups=0(root)
root@bl [~]#
Thoughts:
With CloudLinux, a user cannot elevate their privileges thus stopping the exploit dead in its tracks. BetterLinux on the other hand allowed the exploit to run which ultimately led to a root compromise. Keeping in mind this is a default setup between the two, it is absolutely insane for BetterLinux to not have SUID protection enabled by default.
Last edited by Patrick; 06-28-2013 at 12:37 PM.
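A tenant-side audit that repeats the post's checks as one script, as an added example that is not part of the original post: run from an unprivileged hosting account, it reports processes owned by other UIDs, other hosting accounts in /etc/passwd, world-readable logs and SUID-root binaries. The function names are hypothetical, the UID floor of 500 and the /home prefix are assumptions matching the accounts shown above, and `-perm -004` generalizes the post's exact `-perm 644` match.

```shell
#!/bin/sh
# Added example (not from the thread): tenant-side exposure audit.
# Run as the unprivileged hosting account:  sh audit.sh report
# All function names are hypothetical.

# Count UIDs on stdin that differ from ours ($1); feed it `ps -eo uid=`.
count_foreign() {
    awk -v me="$1" '$1 != me { n++ } END { print n + 0 }'
}

# Other hosting accounts listed in a passwd file.
# $1 passwd file, $2 our user name, $3 lowest tenant UID (assumed 500).
other_tenants() {
    awk -F: -v me="$2" -v min="${3:-500}" \
        '$3 >= min && $1 != me && $6 ~ /^\/home\// { print $1 }' "$1"
}

# Files under $1 readable by any user (superset of the post's -perm 644).
world_readable() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# SUID binaries owned by root under $1, staying on one filesystem.
suid_root() {
    find "$1" -xdev -type f -user root -perm -4000 2>/dev/null | sort
}

report() {
    procs=$(ps -eo uid= | count_foreign "$(id -u)")
    users=$(other_tenants /etc/passwd "$(id -un)" | wc -l | tr -d ' ')
    echo "processes owned by other UIDs: $procs"
    echo "other tenants in /etc/passwd:  $users"
    echo "world-readable files in /var/log:"
    world_readable /var/log | sed 's/^/  /'
    echo "SUID root binaries on the root filesystem:"
    suid_root / | sed 's/^/  /'
}

if [ "${1:-}" = "report" ]; then report; fi
```

An account isolated the way the post shows for CageFS should report zero foreign processes, zero other tenants and an empty log list.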
-
06-28-2013, 12:36 PM #2Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
As people who follow us know, we have found a large number of vulnerabilities in hosting software over the past two months. Several vulnerabilities were stopped by cloudlinux/cagefs while betterlinux would have let them slip by. There were multiple cases where we were working on a potential vulnerability and then... discovered that cagefs was enabled from a prior audit and it was stopping us from succeeding.
-- I am talking about vulnerabilities that would grant a user root access or at the minimum access to mysql's root user.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
06-28-2013, 12:39 PM #3Web Hosting Master
- Join Date
- Mar 2003
- Location
- Canada
- Posts
- 9,072
We could have done many more examples here, but I think people will get the point that "out of box" CloudLinux has much better limits than BetterLinux in terms of what data is accessible to un-trusted users.
-
06-28-2013, 12:54 PM #4
Very informative
Thank you for taking the time to test and post the results.
-
06-28-2013, 01:10 PM #5Web Hosting Master
- Join Date
- Oct 2004
- Posts
- 632
again, thanks a lot for this
-
06-28-2013, 01:18 PM #6Web Hosting Master
- Join Date
- Oct 2012
- Location
- Canada
- Posts
- 3,064
Wow, you guys really broke it down. Once again an outstanding job.
█ TrentaHost INC. || Fully Managed DDoS Protected Services Globally (NA - EU - Asia)
█ Reseller Hosting- Pure SSD | Litespeed | Imunify360 | CloudLinux | 24x7 Support | Mailchannels
█ Linux & Windows DDoS Protected SSD VPS - cPanel / WHM | DDoS Protection | Let's Encrypt | Pure-SSD
█ DDoS Protected Locations : Portland, OR (North America) | Amsterdam, NL (Europe) | Singapore (Asia)
-
06-28-2013, 01:31 PM #7Web Hosting Master
- Join Date
- Jan 2012
- Location
- Glasgow, Scotland
- Posts
- 607
CloudLinux vs BetterLinux Security (Default Settings)
Thanks a lot - great information.
██ HostUS - Premium Hosting Made Affordable
██ TEN Worldwide locations spanning USA, Europe & Asia Pacific
██ Own ASN, Own Network, Own IPs - AS7489 & AS25926
-
06-28-2013, 01:44 PM #8Web Hosting Master
- Join Date
- Oct 2010
- Posts
- 3,662
This is very nice. Patrick, is there any chance of getting an optimized/non-standard version with a tutorial? I feel like that would be very beneficial to the community and it would be much appreciated!
-
06-28-2013, 02:45 PM #9Web Hosting Master
- Join Date
- Jan 2010
- Posts
- 686
Thanks for the comparison. You and Steven are doing a great job for the community. (y)
█ ExonHost - In Business Since 2009 - 24/7 Real Support | Multiple Locations
█ NVMe SSD | cPanel | LiteSpeed - Accelerate Your Website, Maximum Performance!
-
06-28-2013, 03:29 PM #10Premium Member
- Join Date
- Jul 2004
- Posts
- 535
Thanks for sharing
OSHS Ltd
OSHS Services - DNS Clusters | R1Soft Licenses | R1Soft CDP Storage | UK Server Colo | UK Rack Space
-
06-28-2013, 03:57 PM #11Web Hosting Master
- Join Date
- Mar 2013
- Posts
- 565
Thanks for taking the time for this post. Glad I picked cloudlinux over betterlinux.
WordPress Hosting
Shared / White Label Reseller WHM | SSD Cloud | CloudLinux
www.LarisMedia.com Wordpress & Magento Website Design
-
06-28-2013, 05:05 PM #12Knowledge is all
- Join Date
- Jul 2005
- Location
- here, there, where?
- Posts
- 4,101
Thanks for the comparison. It's good to know that out of the box, cloudlinux is locked down enough, where betterlinux is basically not even on. I personally think such security layers should be defaulted to strict and then relaxed as admins need.
-Steven | Cooini, LLC
"It is the mark of an educated mind to be able to entertain a thought without accepting it" -Aristotle
-
06-28-2013, 05:51 PM #13Web Hosting Master
- Join Date
- Aug 2002
- Location
- Past North
- Posts
- 778
Wow out of the box betterlinux failed.
Thanks for the info, this is good to know.
Have you done any performance testing between the two?
-
06-29-2013, 07:27 AM #14Temporarily Suspended
- Join Date
- Mar 2012
- Location
- /etc/
- Posts
- 119
Cloudlinux is simply the best.
Thanks for the comparison.
-
06-29-2013, 10:09 AM #15Web Hosting Guru
- Join Date
- May 2011
- Posts
- 283
Very informative, I like it.
-
06-29-2013, 10:34 PM #16Web Hosting Master
- Join Date
- Jan 2010
- Location
- USA
- Posts
- 2,173
Thank you for sharing this information. We run CloudLinux, but we have been curious about how well BetterLinux stacked up. This thread definitely answers that question.
█ No Support Linux Hosting ● Bargain cPanel Hosting ● Experts Only
█ We IGNORE the support questions, and pass the SAVINGS on to YOU!
█ We also ignore questions about VPS Hosting
-
06-30-2013, 09:23 AM #17Aspiring Evangelist
- Join Date
- Feb 2010
- Location
- SSH Terminal
- Posts
- 433
Thanks for this informative post and comparison. I personally believe BL needs to work a lot. They started commercially just a few months ago, while CL was adopted by several web hosting companies a while back.
█ Web Hosting: Reliable inexpensive cPanel Web Hosting Offers
█ Domain Registration: Register Domain names, Domain registration in India
█ Reseller Hosting: Linux Reseller with cPanel/WHM and Domain Name
█ Digital Certificates: SSL Certificates with Dedicated IP at no additional cost
-
06-30-2013, 09:44 AM #18WHT Addict
- Join Date
- Dec 2009
- Posts
- 139
BL is not open to feedback. You suggest something and they will try to convince you why it's better the way they decided it to be.
They have also failed to respect many of their promises.
-
06-30-2013, 10:03 AM #19Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
06-30-2013, 11:48 AM #20Web Hosting Master
- Join Date
- Oct 2004
- Posts
- 632
I think Betterlinux for Matt is just for fun, I read somewhere on WHT that he said he has put a lot of funds on BL..etc
-
06-30-2013, 12:07 PM #21Disabled
- Join Date
- Aug 2012
- Posts
- 3,105
Thanks for sharing such a useful comparison. CloudLinux has been here for a long time, and some big hosting companies are their clients now.
-
06-30-2013, 12:33 PM #22WHT Addict
- Join Date
- Dec 2009
- Posts
- 139
They also run betterservers.com
I have already told them on Twitter that their website has some bugs, critical ones.
For example, if you go to the order page
https://www.betterservers.com/purchase
you can order as many vCPU cores and RAM etc. for free;
only disk is being calculated!
I have just placed an order just to see what they will do about it.
-
07-01-2013, 08:41 AM #23WHT Addict
- Join Date
- Dec 2009
- Posts
- 139
-
07-02-2013, 03:55 PM #24Newbie
- Join Date
- Aug 2011
- Posts
- 10
BetterServers Beta Program
BDX33: We have been canceling fraudulent orders when we are unable to contact the account holder (usually due to an invalid email address). If this happened to your order, I apologize. Please sign up again and try out the servers. While our interface is still in beta mode our servers are production ready and super fast.
As for the shopping cart, we will be putting the pricing back in place (we had temporarily removed it). We are offering free servers during the beta period for people to help us know what they like and don't like about the interface and to try the servers out with no risk. Once the beta period is over then normal billing will occur for the servers.
We are looking for people to help us make a better cloud server product so any feedback is welcome! We do reserve the right to cut off abusive users of the free beta program but we welcome people who want to help us out.
-
08-27-2013, 11:50 AM #25Web Hosting Master
- Join Date
- Dec 2005
- Posts
- 1,955