  1. #1
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072

    CloudLinux vs BetterLinux Security (Default Settings)

    Here is a comparison of CloudLinux vs BetterLinux with default settings to show the differences in terms of security. We have chosen to leave the default settings intact because as a lot of you know, some people simply cannot be bothered to read a manual and make the necessary changes.

    For test purposes, we have created two new cPanel accounts, one called "cloud" which represents CloudLinux + CageFS and the other called "better" which represents BetterLinux + CloakFS. Both users are using a standard bash shell, not the cPanel Jailshell.

    The first comparison will be how well processes are isolated from the rest of the system and other users. Let's take a look and see how many processes each user can view.

    cloud@cl [~]# ps aux | wc -l
    6
    cloud@cl [~]#


    CloudLinux: 6 processes.

    better@bl [~]# ps aux | wc -l
    114
    better@bl [~]#


    BetterLinux: 114 processes.

    Thoughts:

    With CloudLinux, users are only able to see their own processes and they are not able to see any root-owned processes or processes belonging to other hosting users. BetterLinux on the other hand allows the user to see every root-owned process and everything else outside of other hosting users. (We have found previous exploits that were time based and CloudLinux prevented them, but BetterLinux would not in this case. There is no reason to allow users to see other processes!)

    The next comparison will be to see what directories the users have access to. This test was done via SSH, but the same conditions would apply for cron jobs, which is another one of our favourite exploit techniques when we cannot use SSH access.

    cloud@cl [~]# ls /
    ./ ../ bin/ dev/ etc/ home/ lib/ lib64/ opt/ proc/ sbin/ scripts@ tmp/ usr/ var/
    cloud@cl [~]#


    better@bl [~]# ls /
    ./ .autofsck base/ boot/ cgroups_cpuset/ etc/ lib/ lost+found/ mnt/ proc/ sbin/ selinux/ sys/ usr/
    ../ .autorelabel bin/ cgroups_blockio/ dev/ home/ lib64/ media/ opt/ root/ scripts@ srv/ tmp/ var/
    better@bl [~]#


    Thoughts:

    With CloudLinux, users see a heavily modified file system structure that is basically a jailed environment with the bare minimum files and directories available for access. BetterLinux on the other hand allows the user to see every directory and every file. (Both prevent access to view files owned by other hosting users.)

    The next comparison will be to see what files can be viewed by the users. While obviously nothing dangerous can be viewed, one ultimately wants to mitigate how much information is made available to untrusted users. The less information the better!

    cloud@cl [~]# cat /etc/passwd | tail -n5
    haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
    named:x:25:25:Named:/var/named:/sbin/nologin
    dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
    mysql:x:498:499:MySQL server:/var/lib/mysql:/bin/bash
    cloud:x:617:616::/home/cloud:/bin/bash
    cloud@cl [~]#


    better@bl [~]# cat /etc/passwd | tail -n5
    hax1:x:501:502::/home/hax1:/bin/bash
    hax2:x:502:503::/home/hax2:/bin/bash
    hax3:x:503:504::/home/hax3:/usr/local/cpanel/bin/noshell
    hax4:x:504:505::/home/hax4:/usr/local/cpanel/bin/noshell
    better:x:505:506::/home/better:/bin/bash
    better@bl [~]#


    Thoughts:

    With CloudLinux, users are only able to see system users and their own account under /etc/passwd, whereas BetterLinux lists every other hosting user on the server. If you're a malicious user trying to gather a list of other accounts to attack, or just gathering information for other purposes, having the ability to list /etc/passwd would be extremely helpful.

    cloud@cl [~]# cat /etc/named.conf
    cat: /etc/named.conf: No such file or directory
    cloud@cl [~]#


    better@bl [~]# cat /etc/named.conf | wc -l
    181
    better@bl [~]#


    Thoughts:

    With CloudLinux, users are not able to view the named configuration file, whereas BetterLinux allows the user to view the file in all its glory, which would ultimately list every domain configured on the server or being used in a DNS cluster. (This is sensitive information that does not need to be viewable to the user.)

    cloud@cl [~]# find /var/log -perm 644
    cloud@cl [~]#


    better@bl [~]# find /var/log -perm 644
    /var/log/dmesg
    /var/log/chkservd.log
    /var/log/xferlog.offsetftpsep
    /var/log/bandwidth/current
    /var/log/bandwidth/version
    /var/log/bandwidth/ipmap
    /var/log/bandwidth/2013/Jun/27
    /var/log/bandwidth/2013/Jun/28
    /var/log/bandwidth/lasttime
    /var/log/sa/sar27
    /var/log/sa/sa28
    /var/log/sa/sa27
    /var/log/boot.log
    /var/log/dracut.log
    /var/log/cpanel-install.log
    /var/log/lastlog
    /var/log/xferlog.offset
    /var/log/dmesg.old
    better@bl [~]#


    Thoughts:

    With CloudLinux, users cannot see any log files, whereas BetterLinux allows the user to see a handful of files which could ultimately contain information that is helpful to an attacker, particularly the dmesg logs and last logs. (The last command doesn't even work with CloudLinux, whereas BetterLinux will show the last users + their IP addresses that recently logged in.)

    The final comparison will be the most important one: which software will stop an attacker from exploiting a SUID binary to ultimately gain root access on the server? So many of our security vulnerabilities work with SUID binaries, so it is extremely important for us to use software that prohibits a normal user from escalating their privileges.

    For test purposes, the exploit file was created by us, but it's still a real-world example. Just be hypothetical and replace "exploit" with "exim", which has the SUID flag set and is executable by the user. If there were ever to be an exploit in Exim, the following scenario would still apply.

    cloud@cl [~]# ls -la exploit
    -rwsr-xr-x 1 root root 6912 Jun 28 11:15 exploit*
    cloud@cl [~]# ./exploit
    cloud@cl [~]# id
    uid=617(cloud) gid=616(cloud) groups=616(cloud)
    cloud@cl [~]#


    better@bl [~]# ls -la exploit
    -rwsr-xr-x 1 root root 6912 Jun 28 11:15 exploit*
    better@bl [~]# ./exploit
    root@bl [~]# id
    uid=0(root) gid=0(root) groups=0(root)
    root@bl [~]#


    Thoughts:

    With CloudLinux, a user cannot elevate their privileges, thus stopping the exploit dead in its tracks. BetterLinux on the other hand allowed the exploit to run, which ultimately led to a root compromise. Keeping in mind this is a default setup between the two, it is absolutely insane for BetterLinux to not have SUID protection enabled by default.
    Last edited by Patrick; 06-28-2013 at 12:37 PM.
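
One way to check the same exposures from an unprivileged account, added here as an example and not code from the post or from either product: helpers that count hosting users visible in passwd data, detect a hidepid-mounted /proc, and list world-readable and set-uid files. All sample data is constructed, and hidepid and nosuid mounts are assumed to be the kernel-level mitigations of interest.

```shell
#!/bin/sh
# Added example (not from the post or either product): audit the exposures compared above
# from an unprivileged account. Helpers read stdin or an argument so they run against the
# live host (e.g. `count_hosting_users < /etc/passwd`) or the constructed samples below.

# Count hosting accounts visible in passwd data: UID >= 500 with a home under /home.
# Inside a working jail only the caller's own account should be counted.
count_hosting_users() {
    awk -F: '$3 >= 500 && $6 ~ /^\/home\// { n++ } END { print n + 0 }'
}

# Print "yes" if /proc is mounted with hidepid=1 or 2 (other users' processes hidden),
# else "no". Reads /proc/mounts format from stdin; hidepid is assumed to be the relevant knob.
proc_hidepid() {
    awk '$2 == "/proc" && $4 ~ /(^|,)hidepid=[12](,|$)/ { f = 1 } END { print (f ? "yes" : "no") }'
}

# Regular files under a directory that every user can read. Generalises the post's
# `find /var/log -perm 644` to any mode with the other-read bit set.
world_readable_files() {
    find "$1" -type f -perm -o=r 2>/dev/null | sort
}

# Set-uid files under a directory on the same filesystem. Whether the kernel honours the bit
# depends on the mount's nosuid flag, which is the defence the post's last test shows missing.
setuid_files() {
    find "$1" -xdev -type f -perm -u=s -print 2>/dev/null | sort
}

# Constructed sample data (not captured from a real server), shaped like the post's output.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
mysql:x:498:499:MySQL server:/var/lib/mysql:/bin/bash
hax1:x:501:502::/home/hax1:/bin/bash
hax2:x:502:503::/home/hax2:/usr/local/cpanel/bin/noshell
better:x:505:506::/home/better:/bin/bash'
SAMPLE_MOUNTS_OPEN='proc /proc proc rw,relatime 0 0'
SAMPLE_MOUNTS_HIDDEN='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0'

# Full audit of the live host; run with AUDIT_RUN=1 sh audit.sh (file name assumed).
audit_host() {
    printf 'hosting users visible in /etc/passwd: %s\n' "$(count_hosting_users < /etc/passwd)"
    printf 'processes visible to this user: %s\n' "$(ps -e 2>/dev/null | tail -n +2 | wc -l)"
    printf '/proc hidepid: %s\n' "$(proc_hidepid < /proc/mounts)"
    printf 'world-readable files under /var/log:\n'; world_readable_files /var/log
    printf 'set-uid files under /usr/bin:\n'; setuid_files /usr/bin
}

if [ "${AUDIT_RUN:-0}" = 1 ]; then audit_host; fi
```

On the constructed sample the passwd helper counts the three hosting accounts and the two mount lines give "no" and "yes" respectively; the find helpers are GNU find syntax.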

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    As people who follow us know, we have found a large number of vulnerabilities in hosting software over the past two months. Several vulnerabilities were stopped by cloudlinux/cagefs while betterlinux would have let them slip by. There were multiple cases where we were working on a potential vulnerability and then... discovered that cagefs was enabled from a prior audit and it was stopping us from succeeding.

    -- I am talking about vulnerabilities that would grant a user root access or at the minimum access to mysql's root user.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    We could have done many more examples here, but I think people will get the point that "out of box" CloudLinux has much better limits than BetterLinux in terms of what data is accessible to untrusted users.

  4. #4
    Join Date
    Jul 2006
    Location
    Australia
    Posts
    3,809
    Very informative

    Thank you for taking the time to test and post the results.

  5. #5
    Join Date
    Oct 2004
    Posts
    632
    Again, thanks a lot for this.

  6. #6
    Join Date
    Oct 2012
    Location
    Canada
    Posts
    3,064
    Wow, you guys really broke it down. Once again an outstanding job.
    TrentaHost INC. || Fully Managed DDoS Protected Services Globally (NA - EU - Asia)
    Reseller Hosting- Pure SSD | Litespeed | Imunify360 | CloudLinux | 24x7 Support | Mailchannels
    Linux & Windows DDoS Protected SSD VPS - cPanel / WHM | DDoS Protection | Let's Encrypt | Pure-SSD
    DDoS Protected Locations : Portland, OR (North America) | Amsterdam, NL (Europe) | Singapore (Asia)

  7. #7
    Join Date
    Jan 2012
    Location
    Glasgow, Scotland
    Posts
    607

    CloudLinux vs BetterLinux Security (Default Settings)

    Thanks a lot - great information.
    HostUS - Premium Hosting Made Affordable
    TEN Worldwide locations spanning USA, Europe & Asia Pacific
    Own ASN, Own Network, Own IPs - AS7489 & AS25926

  8. #8
    Join Date
    Oct 2010
    Posts
    3,662
    This is very nice. Patrick, is there any chance of getting an optimized/non-standard version with a tutorial? I feel like that would be very beneficial to the community and it would be much appreciated!

  9. #9
    Thanks for the comparison. You and Steven are doing a great job for the community. (y)
    ExonHost - In Business Since 2009 - 24/7 Real Support | Multiple Locations
    █ NVMe SSD | cPanel | LiteSpeed - Accelerate Your Website, Maximum Performance!

  10. #10
    Thanks for sharing
    OSHS Ltd
    OSHS Services - DNS Clusters | R1Soft Licenses | R1Soft CDP Storage | UK Server Colo | UK Rack Space

  11. #11
    Thanks for taking the time for this post. Glad I picked cloudlinux over betterlinux.
    WordPress Hosting
    Shared / White Label Reseller WHM | SSD Cloud | CloudLinux

    www.LarisMedia.com Wordpress & Magento Website Design

  12. #12
    Join Date
    Jul 2005
    Location
    here, there, where?
    Posts
    4,101
    Thanks for the comparison. It's good to know that out of the box, cloudlinux is locked down enough, whereas betterlinux is basically not even on. I personally think such security layers should be defaulted to strict and then relaxed as admins need.
    -Steven | Cooini, LLC
    "It is the mark of an educated mind to be able to entertain a thought without accepting it" -Aristotle

  13. #13
    Join Date
    Aug 2002
    Location
    Past North
    Posts
    778
    Wow, out of the box betterlinux failed.
    Thanks for the info, this is good to know.

    Have you done any performance testing between the two?

  14. #14
    Join Date
    Mar 2012
    Location
    /etc/
    Posts
    119
    Cloudlinux is simply the best.
    Thanks for the comparison.

  15. #15
    Join Date
    May 2011
    Posts
    283
    Very informative, I like it.

  16. #16
    Join Date
    Jan 2010
    Location
    USA
    Posts
    2,173
    Thank you for sharing this information. We run CloudLinux, but we have been curious about how well BetterLinux stacked up. This thread definitely answers that question.
    No Support Linux Hosting Bargain cPanel Hosting Experts Only
    We IGNORE the support questions, and pass the SAVINGS on to YOU!
    We also ignore questions about VPS Hosting

  17. #17
    Join Date
    Feb 2010
    Location
    SSH Terminal
    Posts
    433
    Thanks for this informative post and comparison. I personally believe BL needs to work a lot. They started commercially just a few months ago, while CL was adopted by several web hosting companies a while back.
    Web Hosting: Reliable inexpensive cPanel Web Hosting Offers
    █ Domain Registration: Register Domain names, Domain registration in India
    Reseller Hosting: Linux Reseller with cPanel/WHM and Domain Name
    █ Digital Certificates: SSL Certificates with Dedicated IP at no additional cost

  18. #18
    Join Date
    Dec 2009
    Posts
    139
    BL is not open to feedback. You suggest something and they will try to convince you why it's better the way they decided it to be.
    They have also failed to respect many of their promises.

  19. #19
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by bdx33
    BL is not open to feedback. You suggest something and they will try to convince you why it's better the way they decided it to be.
    They have also failed to respect many of their promises.
    Yep
    Matt put on his big boy pants and stuck out his chest and defended his product when we contacted them.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  20. #20
    Join Date
    Oct 2004
    Posts
    632
    I think Betterlinux for Matt is just for fun. I read somewhere on WHT that he said he has put a lot of funds into BL, etc.

  21. #21
    Thanks for sharing such a useful comparison. CloudLinux has been here for a long time, and some big hosting companies are their clients now.

  22. #22
    Join Date
    Dec 2009
    Posts
    139
    Quote Originally Posted by Steven
    Yep
    Matt put on his big boy pants and stuck out his chest and defended his product when we contacted them.
    They also run betterservers.com.
    I have already told them on Twitter that their website has some bugs, critical ones.
    For example, if you go to the order page
    https://www.betterservers.com/purchase
    you can order as many vCPU cores and as much RAM etc. as you like for free;
    only disk is being calculated!

    I have just placed an order to see what they will do about it.

  23. #23
    Join Date
    Dec 2009
    Posts
    139
    Quote Originally Posted by bdx33
    They also run betterservers.com.
    I have already told them on Twitter that their website has some bugs, critical ones.
    For example, if you go to the order page
    https://www.betterservers.com/purchase
    you can order as many vCPU cores and as much RAM etc. as you like for free;
    only disk is being calculated!

    I have just placed an order to see what they will do about it.

    My order was canceled without giving me any explanation. No email, no ticket, nothing. What's even worse, their shopping cart is still not fixed.
    This company has to be avoided; instead of catering to clients, they want clients to adapt to their views.

  24. #24

    BetterServers Beta Program

    Quote Originally Posted by bdx33
    My order was canceled without giving me any explanation. No email, no ticket, nothing. What's even worse, their shopping cart is still not fixed.
    This company has to be avoided; instead of catering to clients, they want clients to adapt to their views.
    BDX33: We have been canceling fraudulent orders when we are unable to contact the account holder (usually due to an invalid email address). If this happened to your order, I apologize. Please sign up again and try out the servers. While our interface is still in beta mode our servers are production ready and super fast.

    As for the shopping cart, we will be putting the pricing back in place (we had temporarily removed it). We are offering free servers during the beta period for people to help us know what they like and don't like about the interface and to try the servers out with no risk. Once the beta period is over then normal billing will occur for the servers.

    We are looking for people to help us make a better cloud server product so any feedback is welcome! We do reserve the right to cut off abusive users of the free beta program but we welcome people who want to help us out.

  25. #25
    Quote Originally Posted by mkarlsven
    BDX33: We have been canceling fraudulent orders when we are unable to contact the account holder (usually due to an invalid email address). If this happened to your order, I apologize. Please sign up again and try out the servers. While our interface is still in beta mode our servers are production ready and super fast.

    As for the shopping cart, we will be putting the pricing back in place (we had temporarily removed it). We are offering free servers during the beta period for people to help us know what they like and don't like about the interface and to try the servers out with no risk. Once the beta period is over then normal billing will occur for the servers.

    We are looking for people to help us make a better cloud server product so any feedback is welcome! We do reserve the right to cut off abusive users of the free beta program but we welcome people who want to help us out.
    Just out of curiosity, what is your association with Better Servers?
