Atomic Protector FAQ

How can I buy an Atomic Protector (AP) license?

  • To purchase a license for AP, click on this link.


Can I try Atomic Protector (AP) before I purchase it?

  • Absolutely! We offer a free, no risk and no obligation 10 day trial. Just click here to get your trial license now!


What is the benefit of Subscribing to AP?

  • Peace of mind knowing that a team of security experts will work tirelessly to ensure that you have a security solution that will protect your system, and rapid support for all your security needs.

  • Access to the best Linux security product available, which includes a full SIM with a stand-alone web GUI, a fully integrated web application firewall, event correlation, intelligent log reduction and alerting, a built-in vulnerability scanner with automatic vulnerability repair, virtual patching, compliance monitoring, self healing, anti-spam protection, anti-malware protection, upload malware protection (Web and FTP), real-time malware protection, automatic redaction, a secure and hardened kernel, Stack Protection, Heap Protection, a Role Based Access Control system and many many more features!

  • And most importantly, full support. If we distribute any component, be it a kernel, rules, modules, etc., we will support issues you may have with your integration, with drivers, etc. We focus on building software such as AP that works on the widest range of hardware, with the most advanced and modern security features that will work on all platforms. This includes firewall extensions for STEALTH and MATCH support, the strongest stack protection in the world, special defenses against kernel module rootkits, cutting edge countermeasures against the latest threats and more!

    With AP, you won’t have to do it all yourself, we’re here to help you.


What is the SLA for critical security or support issues in AP?

  • If there is a security issue with AP, in general we will release a fix within 24 hours of the issue being reported to us.


I need help!


How can I give atomicorp support access to my system?

  • In the AP UI go to AP Support and click on remote support

  • Click connect, answer the question regarding an HTTP proxy and accept the agreement

  • Click connect and then provide the assigned VPN IP to support by emailing support@atomicorp.com

You can also select the support key option and accept the agreement. Once done, please email support@atomicorp.com with your system IP and the SSH port, if it is not 22.


Can I just set up access myself?

  • Yes, although as an internal policy we do not allow our support engineers to use customer passwords. That prevents your passwords from being recorded in our systems, preventing any accidental exposure of those passwords. We recommend you use the process above, but if you are able to set up SSH key based access yourself, you can download our keys from the URL below:


How can I verify the integrity of the ssh keys?

  • The installer downloads the keys over a TLS encrypted channel, which authenticates the server you downloaded them from. Each member of our support team has a unique key; we do not use shared keys or credentials, so you will see a number of keys downloaded. After installation, check the keys that were actually placed in the authorized_keys file (their comment fields and fingerprints) against what support confirms, rather than relying on the download alone.


Can I set a password for the atomic account?

  • Yes, but it is not necessary. We do not use passwords to log into the system, we use SSH keys only. By default, sshd does not allow password authentication to accounts with an empty password (it requires SSH keys instead), so unless you have configured your system to permit empty passwords there is nothing to do.

    However, if you do this, you will need to let us know what the password is so that we can use sudo.


How can I remove atomicorp access to my system?

  • If you followed the process above, just remove the “atomic” user when you are finished, or if you allow root ssh login access then you will need to remove our ssh keys from the /root/.ssh directory. The script above will not provide us with any passwords to your system, it will simply install our keys as the “atomic” user (or if you allow root access, as the “root” user). Removal of those keys will also remove our access to the system.
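As an added illustration of the two answers above (this is not an Atomicorp script), the following shell functions list the keys present in an authorized_keys file, print their fingerprints for comparison with what support confirms out of band, and remove only the keys whose comment field matches a pattern, leaving your own keys in place. The sample file is constructed; the assumption is that the support keys carry a recognisable comment, which you should confirm on your own system before relying on the pattern.

```shell
#!/bin/sh
# Added example, not Atomicorp's tooling: audit and prune an OpenSSH
# authorized_keys file (one key per line). Assumes the support keys carry
# an identifying comment field; the sample data below is constructed.

# Print "type comment" for every key line. Options placed before the key
# type are skipped; options containing spaces inside quotes are not handled.
list_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
            if (i > NF) next
            c = ""
            for (j = i + 2; j <= NF; j++) c = c (c == "" ? "" : " ") $j
            print $i, (c == "" ? "(no comment)" : c)
        }' "$1"
}

# Fingerprints of every key, to compare with what support confirms
# (assumption: they will confirm them on request). Needs the OpenSSH client.
key_fingerprints() {
    ssh-keygen -lf "$1"
}

# Delete every key whose comment matches the awk regex in $2, rewriting $1
# in place (same inode, so ownership and mode survive). Prints the number of
# keys removed; comment lines and blank lines are kept. Use [.] rather than
# \. in the pattern, because awk -v processes backslash escapes.
remove_keys_matching() {
    file=$1
    pattern=$2
    tmp=$(mktemp)
    awk -v pat="$pattern" -v out="$tmp" '
        function comment_of(   i, j, c) {
            for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
            c = ""
            for (j = i + 2; j <= NF; j++) c = c " " $j
            return c
        }
        /^[[:space:]]*(#|$)/ { print > out; next }
        comment_of() ~ pat   { removed++; next }
        { print > out }
        END { print removed + 0 }' "$file"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}
```

Run `list_keys ~atomic/.ssh/authorized_keys` (or /root/.ssh/authorized_keys if you granted root access) before and after `remove_keys_matching`, and compare the `key_fingerprints` output with support before trusting a newly installed key. If you no longer need the account at all, removing the atomic user is the simpler route.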


Where is the Atomic Protector Web Console?

  • You can access it on your system at this URL (change www.example.com to either your systems name or IP address)

    https://www.example.com:30001
    

    Make sure your firewall is configured to allow access to TCP port 30001, and restrict that access to the addresses your administrators connect from rather than opening the console to the whole Internet.


Does AP install PHP on my system?

  • No. AP will not install, replace, upgrade, change or remove PHP on your system.


My system has experienced a kernel panic.

  • We have documented several issues that may cause kernel panics on the wiki along with solutions in the Kernel Panic article.


What should I do if I believe a system has been compromised?

  • First, stop and ask yourself what you want to do. Do you want to prosecute, or do you just want to find the problem and fix it? This is a critical question, because if you want to prosecute you must preserve evidence, and the actions you take to fix the intrusion may destroy that evidence or make it inadmissible. If you want to prosecute, contact us to discuss your situation, as you may need professional help to build a case. Also, if you choose to prosecute, you should know that in some jurisdictions the personnel working on your case may need special licenses to do this; otherwise they may be committing a felony (Michigan, for example, requires a Private Investigator license to perform computer forensics that will be used in court, and failure to have this license is a felony).

    If you want to find out what happened and just clean up, please continue with this checklist.

    First, start with the simple case - the compromise may have occurred by the attacker simply stealing a users password and logging into the system. We have put together a wiki article that provides guidance here for those cases: Compromised System FTP

    If you know that an attacker did not simply log into the system with stolen credentials please read this Wiki article: Compromised System

    In most cases we have seen, attackers are stealing users’ passwords and keys via keyloggers and trojans and just logging in. In those cases there is no technical vulnerability in your system; the issue lies with your users and their computers. So, check your logs first to see if someone simply logged into your account or your users’ accounts. You’d be surprised at how often we see that happen.

    If you find yourself in this situation we recommend you explore two factor authentication options such as SecurID, OTP generators on your cell phone (not on your computer: if the computer has been compromised, so has the OTP!) and other hardware tokens.

    You can also use an operating system that is more secure for your desktop such as Linux, Solaris, BSD or MacOS.
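The checklist above says to look in the logs for an ordinary login before hunting for a vulnerability. As an added example (not from this FAQ or Atomicorp's tooling), the following shell functions do that over an sshd log in the format RHEL-family systems write to /var/log/secure: every accepted login whose source address is not on an allow-list is reported, and password logins are listed separately because a stolen password is exactly the case the text describes. The log lines in `sample_secure_log` are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the FAQ: triage sshd logins from a log file.
# Assumes the standard OpenSSH "Accepted <method> for <user> from <ip> port
# <n> ssh2" log line, as written to /var/log/secure on RHEL-family systems.

# Print "user ip method" for every accepted sshd login in $1 whose source
# address is not in the space-separated allow-list $2.
unexpected_logins() {
    logfile=$1
    allowed=$2
    awk -v allowed="$allowed" '
        BEGIN {
            split("", ok)                           # empty allow-list set
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /sshd\[[0-9]+\]: Accepted / {
            user = ""; ip = ""; method = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                if ($i == "for")      user   = $(i + 1)
                if ($i == "from")     ip     = $(i + 1)
            }
            if (!(ip in ok)) print user, ip, method
        }' "$logfile"
}

# Number of unexpected logins, for use in scripts or alerts.
unexpected_login_count() {
    unexpected_logins "$1" "$2" | wc -l | tr -d ' '
}

# Every password-authenticated login, from any address: on a host where
# keys are the norm, each of these deserves a look.
password_logins() {
    unexpected_logins "$1" "" | awk '$3 == "password"'
}

# Constructed sample log (not real data) so the functions run offline.
sample_secure_log() {
    dir=${TMPDIR:-/tmp}/ap-faq-example.$$
    mkdir -p "$dir"
    cat > "$dir/secure" <<'EOF'
Jan 14 03:12:01 web1 sshd[2104]: Accepted publickey for admin from 192.0.2.10 port 52121 ssh2: RSA SHA256:abc
Jan 14 03:15:44 web1 sshd[2190]: Failed password for root from 198.51.100.7 port 44012 ssh2
Jan 14 03:15:49 web1 sshd[2190]: Accepted password for root from 198.51.100.7 port 44012 ssh2
Jan 14 04:02:13 web1 sshd[2301]: Accepted password for webuser from 203.0.113.55 port 40111 ssh2
Jan 14 04:10:00 web1 sshd[2377]: Accepted publickey for admin from 192.0.2.11 port 52200 ssh2: ED25519 SHA256:def
EOF
    echo "$dir/secure"
}
```

On a real system run `unexpected_logins /var/log/secure "<your admin IPs>"` over the rotated logs as well as the current one; a successful login from an address you do not recognise, especially a password login for root, is the stolen-credential case the text describes.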


Do you have pre-defined access policies , or do we have to configure these policies?

  • Yes. Currently we use Trusted Path Execution (TPE) and the untrusted users group by default. Members of the untrusted users group can only execute commands owned by root. In addition, non-root users can only see processes owned by them. Grsec has an additional RBAC and Process ACL system available.


How long are major releases supported?

  • AP major releases (6.x) are supported for three (3) months after a new major release is made available.


How can I upgrade a trial?

  • Just log into the license manager using the same credentials you used to setup your trial and purchase a license. You don’t need to do anything else. The system will automatically convert your system from a trial to a full license, and you won’t have to reinstall or install anything.

    You can access the license manager here.


Do the VPS licenses need to be used on one physical machine or can the VPS boxes be located on different physical machines in different locations?

  • They can be located on different physical machines in different locations, or on the same machine.


If we use more than 5 licenses, do we have to add additional licenses 5 at a time, or can we add just 1 at a time after we purchase the initial 5?

  • You can add single licenses through the license manager.


Can I use AP as a reverse proxy for my other servers?

  • Yes. However, you must purchase a reverse proxy license for this to work in AP.

    If you wish to use AP as a reverse proxy for other servers, please contact support@atomicorp.com for a license.


What Linux distributions do you support?

  • As of January 2022, AP is officially supported with the following Linux distributions:

    • CentOS 7/8

    • Redhat Enterprise Linux 7/8

    • Amazon Linux 2

    • Rocky Linux

Note

Beta versions are not supported.

Note

AP requires software package management, which all of the supported operating systems provide. If package management has been disabled on your system, you will not be able to install AP. Older versions of these distributions are not supported.

  • When an operating system or distribution is no longer supported by the vendor we also no longer support that operating system unless you have an extended support contract from us, for that platform. Please contact sales@atomicorp.com if you need an extended support contract.


Is AP compatible with AWS instances?

  • Absolutely. AP is fully supported on AWS.


AP does not support my version of my operating system

  • We support versions of operating systems per the list above, and of those we only support operating systems which are still supported by the OS vendor.

    We do this because of the serious security issues associated with running an operating system that is no longer supported, as well as the problems associated with the lack of bug fixes for platforms that have been abandoned by their vendors. For example, if a serious vulnerability were to be discovered in openssh and there was no patch for your system, AP may not be able to protect your system adequately. Some vulnerabilities are beyond even our capabilities to defend against. We are always looking out for your security, and unsupported OSes are a serious risk to operate.

    For newer versions of operating systems we work as fast as possible to support these new distributions.


Do you support custom builds of apache, or other custom non-standard Linux distributions or hybrids?

  • Yes, only through extended support contracts. Please contact sales@atomicorp.com and we can put together a proposal for your project and price out ongoing support for your custom configuration.


Does AP require a control panel?

  • No, AP does not require any control panel product (Plesk, Cpanel, etc.). You can use AP with, or without a control panel. If you do use a control panel, AP works with all major control panels, and the specific list of supported configurations is provided below.


Does AP work with Plesk?

  • Absolutely! Atomicorp was founded by two Plesk founders. You won’t find a security company that knows more about Plesk, or cares more about making security products that work with control panels like Plesk. AP works with all Plesk versions from 9 all the way up to the latest version.


Can you use AP without plesk?

  • Yes, AP uses its own GUI and does not require any control panel to work.


Will I lose any functionality in Plesk if I use AP?

  • No. AP will only add new functionality to your system.


If predefined, will your policy fit a Plesk system, given that Plesk uses its own chroot enforcement on some daemons?

  • Atomicorp was founded by Plesk founders. AP is designed to integrate in that environment and with other control panels too.


Does AP work with Directadmin?

  • No, AP 6 does not work with DirectAdmin; however, ASL v.5 does. Reach out to support@atomicorp.com to learn more.


Does AP work with Virtualmin?

  • No, AP 6 does not work with Virtualmin; however, ASL v.5 does. Reach out to support@atomicorp.com to learn more.


Does AP work with CPanel?

  • AP works with CPanel and is a supported configuration


Does AP work with Interworx?

  • No, AP 6 does not work with Interworx; however, ASL v.5 does. Reach out to support@atomicorp.com to learn more.


Does AP work with Apache?

  • Yes, AP works with Apache.


Does AP work with LiteSpeed?

  • No, AP 6 does not work with LiteSpeed; however, ASL v.5 does. Reach out to support@atomicorp.com to learn more.


Does AP work with NGINX?

  • Yes, AP works with Nginx. Please see this page for more information.


Does AP work with IonCube?

  • No, AP 6 does not work with IonCube; however, ASL v.5 does. Reach out to support@atomicorp.com to learn more.


Does AP work with Zend Optimizer?

  • No, AP 6 does not work with Zend Optimizer; however, ASL v.5 does. Reach out to support@atomicorp.com to learn more.


Is Ipv6 supported?

  • Not at this time. Additionally, AP does not load any IPv6 network modules by default. Therefore, if you must use IPv6 you will need to ensure the modules are loaded on boot before S99.


Is AP compatible with ConfigServer?

  • Atomicorp does not support any of the ConfigServer products, and CSF (ConfigServer Firewall) in particular is known to cause major compatibility issues on a server running AP. AP is a complete stand-alone security product, which includes a powerful firewall, and you do not need to run any additional security software, including CSF, in conjunction with AP.


Does AP support ipset?

  • Yes, AP supports ipset as of version 4.0 of ASL (now AP). To enable it, just set “FW_ENABLE_IPSET” to “yes” in the configuration screen.


Is AP easy to install?

  • AP was designed to be easy to install and use. You just run one command, enter your account credentials when asked and the installer will do the rest. Just follow the instructions on the AP Installation Page.

    If you have any questions, please contact us. We’re always happy to help our customers.


Is AP safe to install?

  • Yes. AP was designed for high SLA environments and comes with robust support from a company that understands the needs of high SLA environments. AP has numerous fail-safes built into it to make it both easy to install and safe to use. For example, if AP detects that your kernel has an error on boot, it will reboot the system into the last known working kernel. This is a feature no Linux distribution includes, so installing AP will actually make your system more stable and more reliable.

    AP is also easy to uninstall, and is designed to work with your existing operating system and not replace any core components.


Will AP replace core components of my system?

  • No. AP will install additional software on your system, and will not replace anything, including the kernel.


Does AP need to be installed on a system before Plesk/Cpanel/etc. is installed?

  • No, AP can be installed on a system that already has Plesk, Cpanel or any other control panel installed. AP does not require a bare system, and is designed to be installed into already operating systems that have been configured for use, and have third party software already installed. AP is an enhancement and can be installed on any supported Linux system.


Does installing AP require any downtime?

  • No, AP does not require you to take your system down. It is designed to be installed on running systems.


I just purchased an installation from you, what now?

In order for us to conduct your installation, we will need you to open up a case with Support with the following information:

  • Confirmation, from you, that the system meets all the minimum requirements for AP.

  • Access to the system. Please see the FAQ “How can I give Atomicorp access to my system?”

  • The IP address and SSH port for the system.

  • Your Atomicorp License Manager Credentials

  • If you have specific IPs you would like whitelisted, please provide us with the list, with a single space between each IP (example: x.x.x.x y.y.y.y z.z.z.z). Please note, AP only supports IPv4 addresses at this time.

  • We will attempt to install the product. In the event we encounter difficulties due to unusual software/hardware configurations, we will attempt to contact you for further information. Due to our high customer volume, timely response is necessary (within 30 minutes), or we reserve the right to reschedule the installation.


Is it OK to install CS4 with AP?

  • Just say “no” when it asks if you want to download and install clamd when you run the installation script. AP already provides clamd.


Does AP work with php sites running under fast_cgi?

  • Yes, AP works with systems using fcgi, suphp, and itk. It also works just fine with systems that use none of these. AP integrates fully and safely into Apache.


Does AP works with php sites running under suphp?

  • Yes, AP works with systems using suphp, fcgi, and itk. It also works just fine with systems that use none of these. AP integrates fully and safely into Apache.


How easy is it with AP to debug and use modsecurity?

  • Very easy. AP includes an easy to use web based graphical interface that allows you to view alerts, modify rules, and report false positives all with one click. We typically can resolve a false positive in less than one hour when reported through the AP Web interface.


If I face problems with the installation/setup of AP do you provide support?

  • Absolutely! We fully support all our products. AP licenses come with email and web based support, using an easy to use case and bug management system that is associated with your account. You can log in through our support portal directly from the atomicorp website, or via email. Phone support is also available with an extended support contract.


What are the minimum system requirement for AP?

  • If all of the AP security features are turned on, we recommend that your system have a minimum of 2 CPUs and 4GB of RAM. AP includes advanced web application and antispam security features that do best with this minimum requirement.


Is there an install log for AP?

  • Yes, the AP installation will generate this log file:

    /root/awp-install.log
    

What are testing channels for?

  • For the AP Channels, Beta Releases, and free Atomic Channels.

Note

Please keep in mind that the atomic channels are not supported. The Atomic repository provides free software.


What are bleeding channels for?

  • Alpha and earlier releases. You shouldn’t use bleeding code unless you are prepared to roll up your sleeves and debug the builds. They are also not supported.


How do I install AP?


How can I reinstall AP?

  • The cleanest way to reinstall AP is to first uninstall it, then run the installer again. The process is:

    1. Run this command as root:

      /var/awp/bin/uninstaller
      
    2. Then install AP fresh by following the instructions on the AP Installation Page


How can I disable AP?

  • Disable ModSecurity by running the following command:

    mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled
    

  • Disable mod_sed by running the following command:

    mv /etc/httpd/conf.d/00mod_sed.conf /etc/httpd/conf.d/00mod_sed.conf.disabled
    

  • Disable OSSEC by running the following command:

    /etc/init.d/ossec stop
    

  • Disable Clamd by running the following command:

    /etc/init.d/clamd stop
    

  • Restart Apache by running the following command:

    /etc/init.d/httpd restart
    

  • Remove the hardened proftpd by running the following command (the package name and version shown are from an older release; confirm which proftpd package is actually installed on your system before removing it):

    yum remove psa-proftpd-1.3.2a-1.el5.art
    

  • Boot into a non-AP Kernel

  • Reboot the system by running the following command:

    reboot
    

Also, it’s important to recognize that AP is a threat manager that repairs vulnerabilities on your system. Disabling AP will not undo any vulnerability repairs you have instructed AP to make. If you want to undo a vulnerability repair in AP, do not uninstall AP. Simply change the action in the AP GUI and run AP in Fix mode to undo the repair.
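The steps above are easy to get half way through. As an added example (not an Atomicorp script), the functions below wrap the Apache, OSSEC and clamd steps so that they are safe to re-run: a config file is only renamed if it has not already been renamed, the service stop works with either systemd or SysV init, and Apache is only restarted if its configuration still parses. The config directory and file names are the ones listed above; the proftpd removal and the kernel change are left to the manual steps.

```shell
#!/bin/sh
# Added example, not Atomicorp's tooling: the "disable AP" steps as
# idempotent functions. Paths are those given in the FAQ; HTTPD_CONF_D can
# be overridden for testing. Assumes systemd or SysV init is present.

HTTPD_CONF_D=${HTTPD_CONF_D:-/etc/httpd/conf.d}

# Rename foo.conf to foo.conf.disabled unless that has already happened.
disable_conf() {
    conf=$1
    if [ ! -e "$conf" ] && [ -e "$conf.disabled" ]; then
        echo "already disabled: $conf"
        return 0
    fi
    [ -e "$conf" ] || { echo "not found: $conf" >&2; return 1; }
    mv "$conf" "$conf.disabled" && echo "disabled: $conf"
}

# Undo disable_conf.
enable_conf() {
    conf=$1
    [ -e "$conf.disabled" ] || { echo "nothing to enable: $conf" >&2; return 1; }
    mv "$conf.disabled" "$conf" && echo "enabled: $conf"
}

# Stop or restart a service with whichever init system is present.
stop_service() {
    if command -v systemctl >/dev/null 2>&1; then systemctl stop "$1"; else service "$1" stop; fi
}
restart_service() {
    if command -v systemctl >/dev/null 2>&1; then systemctl restart "$1"; else service "$1" restart; fi
}

# The FAQ sequence for the web and host-protection components. Apache is
# only restarted after a successful syntax check, so a half-applied change
# does not leave the web server down.
disable_ap_components() {
    disable_conf "$HTTPD_CONF_D/00_mod_security.conf"
    disable_conf "$HTTPD_CONF_D/00mod_sed.conf"
    stop_service ossec
    stop_service clamd
    if httpd -t >/dev/null 2>&1; then
        restart_service httpd
    else
        echo "httpd configuration test failed; not restarting" >&2
        return 1
    fi
}
```

`enable_conf` is the reverse step, so the same file can be used to put ModSecurity and mod_sed back when you are done. Nothing here touches the vulnerability repairs AP has already made, for the reason given above.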


How do I remove or uninstall AP?

  • If you are running AP 6.x run the following command as root:

    /var/awp/bin/uninstaller
    

How can I enable password based authentication?

  • Follow the process below:

    Step 1) Log into AP

    Step 2) Click on the “Hub Configuration” tab

    Step 3) Select “Hub Configuration”

    Step 4) Select “SSH Security”

    Step 5) Change Password Authentication (SSH_PASSWORD_AUTH) to “yes”

    Step 6) Click “save changes”

    Password authentication exposes sshd to credential guessing, so leave it off unless you need it and keep SSH keys as the normal way to log in.


How can I migrate AP to a new server?

  • Regarding your AP license you don’t need to do anything special. The licensing manager will allow you an additional install on one (1) test or development server, so from a licensing point of view - you don’t need to do anything special.

    Regarding migration, we recommend you install AP on the new system and run through the entire configuration process. If you want the new system to use your other system’s AP configuration, copy /etc/asl/config over to the new system to migrate your settings. Double-check them manually to make sure everything is set up for your needs: copying the config tells the new server to be completely identical to the old one, and that may not be exactly right for you.

    Once you copy over the config and have everything setup as you want then run this command as root:

    awp -s -f
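The text above says to double-check a copied config rather than trust it blindly. As an added example (not part of the FAQ), the functions below compare the old server's /etc/asl/config with the one generated on the new server and list only the settings that differ, which is the set worth reviewing before running `awp -s -f`. They assume the file is a KEY=VALUE file with `#` comments and optionally quoted values, which is how the settings named elsewhere in this FAQ (UPDATE_TYPE, FW_ENABLE_IPSET, SSH_PASSWORD_AUTH) are written; the sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example, not Atomicorp's tooling: diff two KEY=VALUE config files.
# Assumes '#' comments and optional double quotes around values.

# Normalise one config file to sorted KEY=VALUE lines.
config_pairs() {
    sed -e 's/#.*//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' \
        -e 's/^\([^=]*\)="\(.*\)"$/\1=\2/' "$1" | LC_ALL=C sort
}

# Every setting present in only one file, or with a different value,
# labelled by which file it came from. $1 is the old server, $2 the new.
config_diff() {
    a=$(mktemp); b=$(mktemp)
    config_pairs "$1" > "$a"
    config_pairs "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b" | sed 's/^/old-only: /'
    LC_ALL=C comm -13 "$a" "$b" | sed 's/^/new-only: /'
    rm -f "$a" "$b"
}

# Just the key names that would change if the old config were copied over.
changed_keys() {
    a=$(mktemp); b=$(mktemp)
    config_pairs "$1" > "$a"
    config_pairs "$2" > "$b"
    LC_ALL=C comm -3 "$a" "$b" | sed 's/^[[:space:]]*//' | cut -d= -f1 | LC_ALL=C sort -u
    rm -f "$a" "$b"
}
```

Typical use is `config_diff /path/to/old-config /etc/asl/config` on the new server after the initial configuration run; anything reported as old-only is a value the copy would impose, so check that it is still right for the new host before you copy the file and run `awp -s -f`.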
    

Will AP automatically update the rules and signatures?

  • Yes, by default it will do this daily. AP will update all the rules and signatures available automatically. Occasionally you may see AP report that updates are available. AP will install these updates for you at the next scheduled interval you have configured for your system, or you can update them manually from the CLI by running

    aum -uf
    

Will AP automatically update itself?

  • By default, AP will also automatically keep itself up to date (the core components and the rules). To check this setting, log into the AP GUI, click on the HUB Configuration Tab and then Click on “General”. Scroll down to UPDATE_TYPE and check to make sure it is set to “all”.

    We recommend you check the forums to see if an update to AP has been released, and whether there are any special upgrade instructions you will need to follow for that release.


How can I set the update interval?

  • Log into the AP GUI, click on the HUB Configuration Tab and then Click on “General”. Scroll down to Enable Automatic Updates. You can set updates to “none”, “hourly” and “daily”. The default is “daily”.


How can I set AP to only update the rules and not AP itself?

  • If you only want AP to keep its rules and signatures up to date, but not to automatically upgrade AP, log into the AP GUI, click on the HUB Configuration Tab and then Click on “General”. Scroll down to UPDATE_TYPE. Then set UPDATE_TYPE to “rules only”.


How do I get firewall upgrades and updates?

  • To allow AP to download updates, please ensure that any firewall you use allows outbound connections to the following hosts on TCP port 443:

    • www.atomicorp.com

    • www2.atomicorp.com

    • www3.atomicorp.com

    • www4.atomicorp.com

    • www5.atomicorp.com

    • www6.atomicorp.com

    • www7.atomicorp.com

    • www8.atomicorp.com

    • updates.atomicorp.com

  • Atomicorp’s server pool grows to accommodate increasing demand. As a result, the IP addresses often change, and because these IP addresses can change we do not publish a list of IPs. Doing so can cause problems for any sites that may have hard coded them. Be sure to monitor this FAQ as it contains the currently valid list of hosts.

  • You will also need to make sure that you allow DNS queries outbound, as AP will lookup the list of current update servers to download updates from.


I cannot connect to the update server?

  • This can happen for a number of reasons due to configuration and network issues on your server, on your local network or upstream. This list includes the most common reasons, but is not a complete list. Please contact your network provider with connectivity issues, and your OS provider for OS configuration assistance.

    • DNS is not configured correctly on your system - If you do not have DNS correctly configured on your system, updates will fail. One simple way to test this is to run this command:

      nslookup www.atomicorp.com
      

    • No network connectivity - Check to make sure your system has network connectivity. We know this sounds fairly obvious, but we’ve had cases where the issue was that the system’s network was either not started or misconfigured, so it wasn’t properly connected to a network.

    • Routing misconfigured - Check to make sure you can connect to our servers. Run this command as root on the server:

      openssl s_client -host www.atomicorp.com -port 443
      

      If you can connect to our servers you will see output similar to this:

      CONNECTED(00000003)
      depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
      verify return:1
      depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287
      verify return:1
      depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Virginia, businessCategory = Private Organization, serialNumber = 0697126-1, C = US, ST = Virginia, L = Chantilly, O = ATOMI CORP., CN = www.atomicorp.com
      verify return:1
      

      If you do not see this, then you are not connecting to our servers and you have either a routing problem or a firewall problem. The issuing CA shown above is the one in use when this answer was written and will change when the certificate is renewed; what matters is that the depth=0 line names www.atomicorp.com and that each level reports verify return:1.

    • Firewall blocking connections - Check to make sure its not your firewall thats blocking the connection. The simplest way to do this is to temporary disable your firewall:

      1. If you are using the AP firewall, run this command:

        /var/awp/bin/awp_firewall -stop
        
      2. If you are using some third party firewall, check with your firewall vendor for assistance with disabling your firewall

    • Upstream router or firewall blocking connections - If its none of these, then someone may be blocking your connections upstream. Please contact your network provider for assistance.
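The s_client check above is easy to misread: CONNECTED only proves a TCP session opened, and a TLS-intercepting proxy upstream prints it too. As an added example (not an Atomicorp script), the functions below run the check against every update host listed in this FAQ and inspect the transcript for a verified chain whose depth=0 certificate names the host. The transcript parser is a pure text check, so it can also be run on a saved transcript; the one in the usage is constructed from the output shown above. It assumes the output format of OpenSSL 1.1 or later.

```shell
#!/bin/sh
# Added example, not Atomicorp's tooling: scripted TLS reachability check
# for the update hosts. Assumes OpenSSL 1.1+ s_client output.

UPDATE_HOSTS="www.atomicorp.com www2.atomicorp.com www3.atomicorp.com
www4.atomicorp.com www5.atomicorp.com www6.atomicorp.com www7.atomicorp.com
www8.atomicorp.com updates.atomicorp.com"

# Raw s_client transcript for one host (network required). -servername
# sends SNI; -verify_return_error turns a chain failure into a hard error.
tls_probe() {
    openssl s_client -connect "$1:443" -servername "$1" -verify_return_error </dev/null 2>&1
}

# 0 when the transcript in $1 shows a connection, a verified chain, and a
# depth=0 certificate whose CN is the host in $2; 1 otherwise.
tls_output_ok() {
    out=$1
    re=$(printf '%s' "$2" | sed 's/\./\\./g')   # treat dots in the host literally
    printf '%s\n' "$out" | grep -q '^CONNECTED' || return 1
    printf '%s\n' "$out" | grep -q '^Verify return code: 0 (ok)' || return 1
    printf '%s\n' "$out" | grep -Eq "^depth=0 .*CN = ${re}(,|\$)" || return 1
    return 0
}

# One line per host; non-zero exit if any host fails the check.
check_update_hosts() {
    rc=0
    for h in $UPDATE_HOSTS; do
        if out=$(tls_probe "$h") && tls_output_ok "$out" "$h"; then
            echo "ok    $h"
        else
            echo "FAIL  $h"
            rc=1
        fi
    done
    return $rc
}
```

Run `check_update_hosts` from the server itself; a host that resolves and connects but fails `tls_output_ok` usually means something between you and Atomicorp is terminating TLS, which is worth knowing before you start opening firewall rules.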


Where is the license manager?


How can I reset my license manager password?

  • To reset your license manager password, please follow this process:

    1. Please visit this page to reset the license manager password.

    2. Now change your license manager password in AP

Note

Remember to update your license manager password in AP. If you do not do this, AP will no longer be able to download updates!


How can I reset my support portal account password?


How can I update my license manager password in AP?

  • Your license manager username and password are used to log into the Atomicorp servers to download updates. These are not to be confused with your AP GUI username and password, which is used to log into your AP GUI.

    If you change your license manager password, you will need to change those credentials in AP as well, otherwise AP wont be able to download updates!

    Your license manager username and password credentials are only used by AP itself to log into the Atomicorp servers to securely download updates for your system.

  • This process is only to change the internal credentials used by AP to log into the Atomicorp servers.

    Step 1) Log into the AP GUI

    Step 2) Click on HUB Configuration

    Step 3) Click on HUB Configuration

    Step 4) In the “Authentication Information” section, check to make sure the USERNAME and PASSWORD variables are set to your license manager credentials. Those are the credentials you use to log into the license manager.

    Step 5) Then click the “save changes” button to update your configuration.


How can I reset my AP GUI password(s)?

  • Run the following command as root:

    /var/awp/bin/awp-add-user <your user name>
    

Note

Your AP GUI username and password are only used to log into your AP installation. These are not to be confused with your License Manager credentials, which are used by AP itself to log into the Atomicorp servers to securely download updates for your system. This procedure does not change your License Manager credentials.


How can I create new accounts in the AP GUI?

  • Run the following command as root:

    /var/awp/bin/awp-add-user <new user name>
    

Note

Your AP GUI username and password are only used to log into your AP installation. These are not to be confused with your License Manager credentials, which are used by AP itself to log into the Atomicorp servers to securely download updates for your system. This procedure does not change your License Manager credentials.


What is the default username and password for AP Web?

  • The default username and password are your license manager credentials, that you created when you signed up for a license. We recommend you change this password to something unique that you will remember.

    You can also generate usernames and passwords by running this command as root:

    /var/awp/bin/setup
    

    And you can also create and configure user accounts from inside the AP GUI.


Does AP modify /etc/hosts.deny?

  • Yes, as part of active response (when enabled) AP will automatically add attackers’ IPs to /etc/hosts.deny. AP will only add deny entries; it will not and cannot add allow entries. If AP is configured to expire shuns it will also automatically remove these IPs once the shun period has passed.


Does AP modify /etc/hosts.allow?

  • No.


I want to have greylisting. What do I do?

  • Greylisting, together with the ClamAV, SpamAssassin and qmail-scanner packages it is used with, is freely available from the atomic repository. These packages are not part of AP and are not supported through an AP license. If you need support for them contact sales@atomicorp.com and we can put together a custom support package for you. Follow the process below:

    Step 1) Install ClamAV and SpamAssassin by running the following command:

    yum install clamd spamassassin
    

    Step 2) Edit required_hits in /etc/mail/spamassassin/local.cf if you want to change the default tagging threshold (default is 5).

    Step 3) Install qmail-scanner by running the following command:

    yum install qmail-scanner
    

    Step 4) Edit SA_DELETE in /etc/qmail-scanner.ini if you want to delete mail.

    Step 5) Install Pyzor, Razor, and DCC for SpamAssassin by running the following command:

    yum install pyzor razor-agents dcc
    

    Step 6) Install greylisting by running the following command:

    yum install qgreylist
    

    Step 7) Start Clamd and SpamAssassin by running the following commands:

    service clamd start
    service spamassassin start
    

    Step 8) Reconfigure qmail-scanner to make sure it uses all your custom settings by running the following command:

    qmail-scanner reconfigure
    

    Step 9) Make sure Clamd and SpamAssassin are started at boot time by running the following commands:

    chkconfig --level 345 clamd on
    chkconfig --level 345 spamassassin on
    

Why does Linux report that all memory is in use?

Note

This FAQ article is not about AP, it is about all Linux based systems. This characteristic of Linux based systems is universal to all Linux systems, not just systems running AP.

  • Memory is almost infinitely faster than reading from a hard disk, so modern high performance operating systems, such as Linux, will cache things into memory if they are read from disk. Over time, you should see a Linux system (via some tools) report an almost 100% “memory utilization” regardless of how much memory is actually needed by processes or how much memory is installed in the system. This can be a little strange to users that are new to Linux and come from operating systems whose tools do not count cache as used memory; however, this is normal and is good for the system, as it actually makes it much faster. This does not mean your processes are using up all the memory the system has; this is simply modern caching, which all modern Linux kernels do.

  • Why Linux does this:

    • Hard drives are slow. Even the fastest hard drive is never close to the speed of RAM; if hard drives were fast, we wouldn't need RAM. So we load programs into memory. As memory has gotten cheaper and performance demands have increased, operating system vendors have made more use of RAM instead of reading from hard drives to improve performance. One way they do this is by caching “reads” from the hard drive (they cache other things too). In the case of cached reads, the operating system temporarily stores information it has been asked to read from the hard drive in memory. The next time the operating system wants to “read” that information it doesn't have to go back to the hard drive; it can get it from memory, which results in a huge performance increase.

    • Caching is different from process utilization. Actual memory in use by processes, or process utilization, which is discussed more below, is different from caching. Modern operating systems use memory for processes (actual use) and also to “cache” things they have accessed from disk. Most users are familiar with process utilization, which is what may lead them to think that Linux is “using up all their memory”, when in reality the amount of memory in use by processes may be considerably less than the total reported as in use.

      It is the latter use of memory, caching, that typically “uses” up the memory on the system and creates the illusion that all memory is in use. This memory is not actually “in use”, and it is not withheld from other processes on the system. It is really “free memory”: the moment a process needs it, the cached information is dropped and the memory is made available to the application. So in reality the system is “using” considerably less memory than it may appear to, because it is temporarily making use of memory that is not otherwise in use. It is a very clever enhancement, and something all operating system vendors are implementing. As memory has continued to get cheaper, some products don't even have hard drives anymore and just use RAM; smart phones, for example, and even some modern tablets just use memory.

      So, to determine how much memory is actually being used by your processes (as opposed to memory used by processes plus the cache), you need a tool that can tell you how much memory is cached and how much is actually being used by your programs. One such tool is “free”. The application “top”, which is popular for looking at memory usage, is not a good tool for this as it will report more memory in use than is actually being used by processes.

  • Here is an example of using the “free” tool:

    free -m
    
                             total       used       free     shared    buffers     cached
    Mem:                     12002      10199       1803          0        573       8185
    -/+ buffers/cache:       1440      10562
    Swap:                    14015          0      14015
    

    In this example the total amount of memory in use is 10GB, but 8GB of that is cached, so the system isn't really using 10GB of memory. Of the 12GB of memory on the system, just slightly under 10GB is actually free (1.8GB isn't used at all, and 8GB is cached).

    This is very typical of a Linux based system: it is really using much less memory than some tools report, because of this use of cached reads.

    Remember that cached memory is always available to any program that needs it. So the memory is not “used”; it is just being temporarily taken advantage of, because nothing else is using it, to make the system faster. Linux will use the memory available on the system to cache information until a program requests it, at which time the cached data is dropped and the memory is made available to the application.
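    Doing the same arithmetic automatically, for example in a monitoring check, is shown by the following added example, which is not part of the AP FAQ or product. It parses free -m output in the older layout shown above (with the -/+ buffers/cache line) and in the newer procps-ng layout that has an available column instead; both samples are constructed, the first to match the figures in the FAQ's example.

```shell
#!/bin/sh
# Added example, not from the AP FAQ: report how much memory processes are
# really using, separating reclaimable cache from real use. Handles both the
# old free(1) layout (buffers/cached columns) and the newer one (available).

# Constructed sample matching the FAQ's figures (old layout).
FREE_OLD='             total       used       free     shared    buffers     cached
Mem:         12002      10199       1803          0        573       8185
-/+ buffers/cache:       1440      10562
Swap:        14015          0      14015'

# Constructed sample in the newer procps-ng layout.
FREE_NEW='              total        used        free      shared  buff/cache   available
Mem:          12002        1441        1803           0        8758       10400
Swap:         14015           0       14015'

# real_mem_usage "<free -m output>": prints "<MB held by processes> <MB available>".
real_mem_usage() {
    printf '%s\n' "$1" | awk '
        NR == 1 {                     # header row: map column name to field index
            for (i = 1; i <= NF; i++) col[$i] = i + 1   # +1 for the "Mem:" label
            next
        }
        $1 == "Mem:" {
            t = col["total"]; u = col["used"]; total = $t; used = $u
            if ("cached" in col) {
                # old layout: buffers and page cache are reclaimable, not process memory
                b = col["buffers"]; c = col["cached"]
                real = used - $b - $c
            } else if ("available" in col) {
                # new layout: the kernel estimates what can be handed out without swapping
                a = col["available"]
                real = total - $a
            } else {
                real = used
            }
            print real, total - real
        }'
}

# mem_pressure_pct "<free -m output>": percentage of RAM that processes actually
# hold, a better alerting metric than the raw "used" column.
mem_pressure_pct() {
    real_mem_usage "$1" | awk '{ printf "%d\n", ($1 * 100) / ($1 + $2) }'
}

# Usage on a live host: real_mem_usage "$(free -m)"
```

    The old-layout result differs from the FAQ's -/+ buffers/cache line by 1MB because free rounds each column to megabytes separately before that line is printed. Alerting on mem_pressure_pct instead of the "used" column avoids paging someone every time the page cache fills.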


How can I find out what process is using swap?

  • Swapping in Linux is handled by the kernel. All Linux kernels will pull things out of memory and write them to the disk swap based on need, depending on how much memory you have, the swappiness setting on the system, and so on. Therefore it's not possible to find out which process is using swap: processes don't use swap, the kernel writes memory pages to swap as needed, and processes don't control this (although a process can request memory that is not “swapped” out to disk). Linux will also use swap and memory to cache file reads; over time all Linux kernels will use 100% of memory to cache as much as possible. Memory is vastly faster than disk, so this is how modern high performance operating systems work. You should see near 100% memory utilization on all modern Linux kernels over time, regardless of how much memory is actually needed by processes. This does not mean your processes are using up all the memory the system has; this is simply modern caching, which all modern Linux kernels do.

    If you have additional questions about Linux swap you may want to ask your Operating System vendor.


How are malware domains aged out?

  • The actual algorithm is sensitive information and we can't go into the specifics, as that would give the bad guys an advantage in gaming the system. The short answer is that infected domains are aged out depending on the extent to which the domain is still serving malware (more on this in a moment; it is actually pretty difficult to prove that a domain is not serving malware), whether it has been seen in other malware, past experience with the domain, IP range, or network, and the sophistication of the malware. Some sites are long term sources of malware and act as “clearing houses” for attackers, others may simply be victims of a compromise who clean up their systems the same day, and others may be negligent operators that don't care. For this reason the process varies depending on a number of characteristics.

    It's important to remember that all Internet based malware scans are incomplete, regardless of the technology used: the system itself is not being scanned, merely its publicly discoverable resources. Attackers can hide malware in orphaned URLs, they may use authentication to hide the malware from all crawlers, the malware may behave differently when reached via a crawler rather than a browser, it may require a special cookie to reveal itself, they may encrypt or obfuscate it, and they may simply take the malware or domain down for a few days or weeks in the hope of being delisted by simple scanners.

    For this reason we do not use a naive algorithm that simply removes malicious domains based on simplistic criteria. Our first priority is to help our customers protect their systems; if a domain has been serving malware it's a good idea to treat it with caution. If you know the domain is safe, you can always whitelist that domain.

    The best way to delist a domain that's on our malware lists is to contact us politely. If you need our help, just ask. If we can get in contact with the domain owner we can determine more clearly whether the domain is no longer infected; otherwise domains are aged out based on the criteria described above.


How are malware domains added?

  • They are collected from our honeypots.


Do you use third party malware domain lists?

  • No, but we do share our information with other projects.

    You can use the google safebrowsing lists with clamav which is an excellent third party malware list. AP enables this by default in clamav. False positives on the google lists should be reported to google.


How are spam domains added?

  • They are collected from our honeypots.


How are spam domains aged out?

  • The actual algorithm is sensitive information and we can't go into the specifics, as that would give the bad guys an advantage in gaming the system. The short answer is that spam domains are aged out depending on the extent to which the domain is still serving spam and the nature of the spam that's served, past experience with the domain, IP range, or network, and the sophistication of the spamming attack captured on the honeypots. Some sites, networks and IPs are long term sources and hosts of spam, others may simply be victims of a compromise or of some form of multi-system spamming attack who clean up their systems the same day, and others may be negligent operators that don't care. For this reason the process varies depending on a number of characteristics.

    For this reason we do not use a naive algorithm that simply removes spam domains based on simplistic criteria. Our first priority is to help our customers protect their systems; if a domain has been used as part of a spamming attack and is actually serving up spam (we don't block so called “joe job” spams), it's a good idea to treat the domain as a spam source.

    The best way to delist a domain is to contact us. If we can get in contact with the domain owner we can determine more clearly whether the domain is no longer part of a spamming operation; otherwise domains are aged out based on the criteria described above.


Do you use third party spam domain lists?

  • No, though we do use other sources; we do, however, share our information with other projects.


Both atomic and asl yum channels are enabled, is this normal?

  • That depends. AP does not need the atomic channel and will not install or enable it. If the atomic channel is enabled on your system then someone enabled that yum channel; you do not need it for AP. In general it's perfectly safe to run both channels (we do).

    The atomic yum channel is our open source yum repository. The software in the atomic yum repository is not supported and is provided as is, with no warranty. If you have issues with software in the open source atomic channel please post your questions in the General Help forums: https://www.atomicorp.com/forums/viewforum.php?f=1&sid=56518c30b96faf5235e2f4ef5e902d11

    Software in asl channels is fully supported. If you require assistance with AP software please send a support request to support@atomicorp.com.
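    To check which channels are actually enabled, rather than relying on what was typed into yum in the past, the following added example (not part of the AP FAQ or product) reads the .repo files in a directory and reports the sections that are enabled. The repo ids atomic, asl and asl-testing used in the sample files are constructed for illustration and are not AP's real repository ids.

```shell
#!/bin/sh
# Added example, not from the AP FAQ: report which yum repositories are enabled
# by reading the .repo files directly. The repo ids used when testing this
# (atomic, asl, asl-testing) are constructed and illustrative only.

# enabled_repos DIR: print the id of every [section] in DIR/*.repo that is
# enabled. A section without an "enabled" key counts as enabled, as in yum.
enabled_repos() {
    cat "$1"/*.repo 2>/dev/null | awk '
        /^[ \t]*\[/ {                        # new section header: flush the previous one
            if (id != "" && on) print id
            id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
            on = 1
            next
        }
        /^[ \t]*enabled[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v)
            on = ((v + 0) != 0)
        }
        END { if (id != "" && on) print id }'
}

# repo_is_enabled DIR ID: print yes or no for one repository id.
repo_is_enabled() {
    if enabled_repos "$1" | grep -qxF -- "$2"; then echo yes; else echo no; fi
}

# Usage on a live host: enabled_repos /etc/yum.repos.d
```

    On a live host `yum repolist enabled` gives the same answer through yum itself. To turn the unsupported channel off, use `yum-config-manager --disable atomic` (from yum-utils) or set enabled=0 in its .repo file; AP does not need it, as the entry above says.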


What are the IPs AP will use to update itself?

  • You will want to allow access to www0 through www6.atomicorp.com. The IPs for these hosts may change in the future.


I can’t upload files via web

  • Check and make sure you haven't run out of drive space. This may seem like an obvious and simple problem that one wouldn't easily overlook, but we've had a number of cases where users set up /tmp partitions and filled them up. If you fill up your /tmp partition Apache won't let you upload anything! That's not an AP issue, that's Apache, and it's right: there's no place to put the file.

    AP will log this event, but since AP isn't designed to report when you run out of drive space it will detect this as a fairly major error and a broken connection with your HTTP session, which will look like this:

    [Fri Oct 01 17:33:21 2010] [error] [client xxx.xxx.xxx.xxx] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "38"] [id "340152"] [msg "Request Body Parsing Failed. Multipart parsing error: Multipart: writing to "/tmp/20101001-173321-8ZuEbMzo8r8AABWjEW8AAAAe-file-NvPOwz"
    failed: check your application or client for errors, this is not a false positive."] [severity "NOTICE"] Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_PROCESSOR_ERROR" required.
    [hostname "www.example.com"] [uri "/horde/imp/compose.php"] [unique_id "8ZuEbMzo8r8AABWjEW8AAAAe"]
    

    This means that you ran out of drive space in /tmp.
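    A way to catch this condition from the logs, and to check the temp space before users complain, as an added example that is not part of the AP FAQ or product: the first sample log line is the FAQ's entry joined onto one line with a documentation address in place of xxx.xxx.xxx.xxx, and the other two lines are constructed. The thresholds and the /tmp path are assumptions; point the check at wherever your Apache writes multipart uploads.

```shell
#!/bin/sh
# Added example, not from the AP FAQ: detect uploads failing because the WAF
# cannot write its temporary file, and check the temp directory's free space and
# inodes (either being exhausted gives the error shown in the FAQ).
# The first log line mirrors the FAQ's entry (joined onto one line); the other
# two are constructed.

SAMPLE_ERROR_LOG='[Fri Oct 01 17:33:21 2010] [error] [client 192.0.2.10] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "38"] [id "340152"] [msg "Request Body Parsing Failed. Multipart parsing error: Multipart: writing to "/tmp/20101001-173321-8ZuEbMzo8r8AABWjEW8AAAAe-file-NvPOwz" failed: check your application or client for errors, this is not a false positive."] [severity "NOTICE"] Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_PROCESSOR_ERROR" required. [hostname "www.example.com"] [uri "/horde/imp/compose.php"] [unique_id "8ZuEbMzo8r8AABWjEW8AAAAe"]
[Fri Oct 01 17:35:02 2010] [error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). [msg "unrelated rule, constructed line"] [hostname "www.example.com"] [uri "/index.php"]
[Fri Oct 01 17:36:40 2010] [error] [client 192.0.2.12] ModSecurity: [msg "Request Body Parsing Failed. Multipart parsing error: Multipart: writing to "/tmp/20101001-173640-CONSTRUCTEDID-file-AbCdEf" failed: check your application or client for errors, this is not a false positive."] [hostname "www.example.com"] [uri "/upload.php"]'

# multipart_write_failures "<error log text>": print "<directory> <count>" for
# each directory ModSecurity failed to write a request body into.
multipart_write_failures() {
    printf '%s\n' "$1" \
      | grep -F 'Multipart: writing to "' \
      | sed 's/.*Multipart: writing to "\([^"]*\)" failed.*/\1/' \
      | sed 's|/[^/]*$||' \
      | sort | uniq -c \
      | awk '{ print $2, $1 }'
}

# tmp_space_ok DIR [MIN_MB] [MIN_INODES]: return 0 if DIR has at least MIN_MB
# free and MIN_INODES free inodes; otherwise say what is exhausted and return 1.
tmp_space_ok() {
    dir="$1" min_mb="${2:-50}" min_inodes="${3:-1000}" status=0
    free_mb=$(df -Pm "$dir" | awk 'NR == 2 { print $4 }')
    free_inodes=$(df -Pi "$dir" | awk 'NR == 2 { print $4 }')
    [ "$free_mb" -ge "$min_mb" ] || { echo "$dir: only ${free_mb}MB free"; status=1; }
    case $free_inodes in
        ''|*[!0-9]*) ;;   # filesystem does not report inode counts; skip that check
        *) [ "$free_inodes" -ge "$min_inodes" ] \
               || { echo "$dir: only ${free_inodes} inodes free"; status=1; } ;;
    esac
    return $status
}

# Usage on a live host:
#   multipart_write_failures "$(cat /var/log/httpd/error_log)"
#   tmp_space_ok /tmp || echo "uploads will fail until space is freed"
```

    The inode check matters as much as the megabyte check: a /tmp full of tiny files reports plenty of free space in df -h yet still produces exactly this ModSecurity error.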


Do you have pre-defined access policies, or do we have to configure these policies?

  • Yes, currently we use Trusted Path Execution (TPE), and the untrusted users group by default. Members of the untrusted users group can only execute commands owned by root. In addition non-root users can only see processes owned by them. Grsec has an additional RBAC and Process ACL system available.


If predefined, can you give us a sample policy that mitigates critical server file access when mod_perl is called via a client? In other words, how hard is your tuning (intrusion log, etc.)?

  • TPE would automatically prevent an untrusted user, such as apache, from executing commands owned by apache, and would log the denial to syslog. An example entry follows:

    Nov 11 14:53:10 server4 kernel: grsec: From 10.249.64.1: denied untrusted exec of /tmp/w00t by apache [uid/eid: 48/48] /home/httpd/vhosts/testhost.atomicorp.com/httpdocs/modules/phpBB/index.php
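    Summarising these denials from syslog, as an added example that is not part of the AP FAQ or product: the first sample line is the FAQ's entry, the remaining lines are constructed (one repeat, one unrelated cron line, and one denial from a different client and script). The parser assumes the grsec message layout shown above and IPv4 client addresses.

```shell
#!/bin/sh
# Added example, not from the AP FAQ: summarise grsecurity TPE denials found in
# syslog, so it is clear which untrusted user tried to execute what, from which
# script, and from which client address. The first sample line mirrors the
# FAQ's entry; the others are constructed.

SAMPLE_SYSLOG='Nov 11 14:53:10 server4 kernel: grsec: From 10.249.64.1: denied untrusted exec of /tmp/w00t by apache [uid/eid: 48/48] /home/httpd/vhosts/testhost.atomicorp.com/httpdocs/modules/phpBB/index.php
Nov 11 14:53:12 server4 kernel: grsec: From 10.249.64.1: denied untrusted exec of /tmp/w00t by apache [uid/eid: 48/48] /home/httpd/vhosts/testhost.atomicorp.com/httpdocs/modules/phpBB/index.php
Nov 11 14:55:01 server4 CROND[2111]: (root) CMD (run-parts /etc/cron.hourly)
Nov 11 14:58:33 server4 kernel: grsec: From 198.51.100.7: denied untrusted exec of /var/tmp/upload.bin by apache [uid/eid: 48/48] /home/httpd/vhosts/example.test/httpdocs/upload.php'

# tpe_denials "<syslog text>": print "<count> <user> <binary> <script> <client>",
# most frequent first. Assumes the message layout above and IPv4 client addresses.
tpe_denials() {
    printf '%s\n' "$1" | awk '
        /grsec: From .*: denied untrusted exec of / {
            src = $0; sub(/.*grsec: From /, "", src); sub(/:.*/, "", src)
            bin = $0; sub(/.*denied untrusted exec of /, "", bin); sub(/ by .*/, "", bin)
            usr = $0; sub(/.* by /, "", usr); sub(/ \[uid\/eid:.*/, "", usr)
            scr = $NF                         # the script that tried to run the binary
            n[usr " " bin " " scr " " src]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# tpe_denial_count "<syslog text>": total denials, handy as an alert threshold.
tpe_denial_count() {
    tpe_denials "$1" | awk '{ c += $1 } END { print c + 0 }'
}

# Usage on a live host:
#   tpe_denials "$(grep 'denied untrusted exec' /var/log/messages)"
```

    The script column is the most useful one for response: it names the web application file that tried to launch the binary, which is where the compromise or the misbehaving plugin lives, rather than the binary in /tmp that TPE already refused to run.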
    

I’m seeing files owned by apache in /tmp

  • If you see files with names like this:

    tmp/dos-218.254.50.104
    

    that are very small and only contain an integer (for example, the contents of the file tmp/dos-218.254.50.104 are “2671” or some other number), then you can ignore these files. These are lock files used by the web DoS protection system in AP.

  • If you see files with names like this:

    tmp/20120314-104701--CliB38AAAEAAEehOeMAAAAA-file-Y6rewB
    

    These are temporary files generated by Apache as a user uploads a file, via Apache, to the system. Generally Apache will clean up these files within a few seconds, once the file has been scanned by the WAF, but if you see them accumulating on your system you may have MODSEC_KEEPFILES set to “on”. This means that the AP WAF will keep every file it has been asked to scan, regardless of whether the file is allowed to be uploaded to the system or not.
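    A small triage helper for an apache-owned /tmp listing, as an added example that is not part of the AP FAQ or product: it classifies names by the two patterns described in this entry and counts each class, so an accumulation of WAF upload temp files stands out. The sample listing is constructed around the two names shown above.

```shell
#!/bin/sh
# Added example, not from the AP FAQ: triage apache-owned files in /tmp by the
# two name patterns described above. The listing is constructed around the two
# names shown in the FAQ.

SAMPLE_TMP_LISTING='dos-218.254.50.104
20120314-104701--CliB38AAAEAAEehOeMAAAAA-file-Y6rewB
20120314-104702-CONSTRUCTEDID-file-AbCdEf
sess_constructed1'

# classify_tmp_name NAME: print dos-lock, waf-upload-temp or other.
classify_tmp_name() {
    case $1 in
        dos-[0-9]*.[0-9]*.[0-9]*.[0-9]*)
            echo dos-lock ;;                       # lock file of the web DoS protection
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]-*-file-*)
            echo waf-upload-temp ;;                # YYYYMMDD-HHMMSS-<unique_id>-file-<random>
        *)
            echo other ;;
    esac
}

# summarise_tmp "<newline-separated names>": print "<class> <count>" per class.
summarise_tmp() {
    printf '%s\n' "$1" | while IFS= read -r name; do
        [ -n "$name" ] && classify_tmp_name "$name"
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

# waf_temp_count "<names>": how many WAF upload temp files are lying around; a
# steadily growing number points at MODSEC_KEEPFILES being on.
waf_temp_count() {
    summarise_tmp "$1" | awk '$1 == "waf-upload-temp" { c = $2 } END { print c + 0 }'
}

# Usage on a live host (GNU find):
#   summarise_tmp "$(find /tmp -maxdepth 1 -user apache -printf '%f\n')"
```

    Anything that lands in the "other" class while owned by apache deserves a look, since neither AP's lock files nor Apache's upload temp files use any other naming.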


Why do they call it Europe?

  • Because it's a beautiful name. And it's local, to some of us. (This is also why, if you look carefully in AP, you'll see we consider 127.0.0.0/8 to be in the EU. It's an Easter Egg. And no, AP won't block 127.0.0.1 if you block the EU; we always whitelist localhost.)

    Yes, we have a sense of humor too, and we hope this FAQ has been helpful, but if you still require assistance after reading this FAQ please don’t hesitate to contact support. We’re here to help, and hopefully to put a smile on your face as well.