Atomic Protector Configuration
Introduction
Atomic Protector is configured to a secure set of defaults upon installation. Most users do not need to change these settings.
Note
Manual modification of the /etc/awp/config file is not supported. Please change these setting through the Atomic Protector Web Console.
Post Installation Configuration
At this point you should have Atomic Protector on your system. If you do NOT have Atomic Protector installed, please follow the installation steps before proceeding.
Accessing Configuration Settings via Atomic Protector Web Console
Step 1: Log into the Atomic Protector Web Console
Step 2: Click on the Configuration tab
Step 3: Select ‘Atomic Protector Configuration’
From here you can change all of the AP Configuration settings, which are broken into classes and are documented below or links are provided to specific documentation pages for those options.
Accessing Configuration Settigs via Command Line
Configuration settings are stored in /etc/awp/config. After modifiying the configuration file, please save it and run the following command:
awp -s -f
Authentication Information
USERNAME
This is the username AP will use to download updates. This should b the same username you use to log into the License Manager.
PASSWORD
This is the password AP will use to download updates. This should be the same password you use to log into the License Manager.
UPDATEPATH
Default path used to download rule and signature updates.
APHOME
Path to the AP Directory, usually tis is /var/awp.
CONFIGURED
Internal flag to force the system through configuration mode.
UPDATE_SERVER
TODO
UPDATE_PATH
TODO
HTTP_PROXY
TODO
HTTP_PROXY_PORT
TODO
HTTP_PROXY_USERNAME
TODO
HTTP_PROXY_PASSWORD
TODO
AP Web Settings
APW_AUTO_LOGOUT
Time, in minutes, AP Web may be open and idle before the user will be logged out. Set -l to disable auto logout.
ALERTS_USE_DB
Set to ‘yes’ to retrieve security event data from database, ‘no’ to retrieve from files.
AP_DB_RETENTION
This value is used only for the purpose of keeping the incoming alert table clean. If AP_DB_ARCHIVE is set to “yes”, archived events will be searchable via the Events Search window, or accessible via any event links found elsewhere in AP Web (such as the Blocklist window), even after they have been removed form the table.
AP_DB_ARCHIVE
AP will store old data in monthly archive table if this is set to ‘yes’, or simply delete past retention data if it is set to ‘no’ once the AP_DB_RETENTION period is reached for the data.
Data Paths
PATH_EVENT_LOG
Path to security event log.
PATH_DISABLED_SIG
Path to disable signatures list.
PATH_SEC_MODULE
Path to security module status data.
PATH_SIG_UPDATE
Path to signature updates status data.
PATH_VULNERABILITY
Path to vulnerability status data.
PATH_VULNERABILITY_REPORT
Path to vulnerability report data.
PATH_VULNERABILITY_TEMPLATES
Path to vulnerability templates.
PATH_RSS
URL to the Atomicorp Security Bulletins RSS feed. You shouldnt change this unless told to do so by Atomicorp support personnel.
IP_WHITELIST
Path to file containing whitelisted IP addresses.
PATH_BLACKLIST
Path to blacklist data.
Path_GEOBLACKLIST
Path to Geo-blocking data.
PATH_TLD
Path to TLD list.
PATH_SYSCHECK
Path to system file check data.
PATH_WEBAPP_DB
Path to web app database.
AP General Settings
NOTIFY
Determines if AP will notify by email or not. Set this to yes if you want AP to email you, and no if you do not.
The customer email address set by the user to send alerts to. This is also set by the user during installation.
HOSTNAME
Hostname for the system. This is also set during installation.
ADMIN_USERS
This defines special SSH users. This is not to be confused with users that can log into the AP web console, or any other “admin” user on the system.
This setting allows you define special administrative users that AP will check to make sure they can SSH into the system (users other than root). If this is defined, AND the users exist, AND they have valid SSH keys, password auth and root logins will be automatically disabled. This list is not used to restrict what users can ssh into the system, its just a list of special users that should always be allowed to ssh into the system. AP uses this list to check these accounts to make sure they are working correctly, to ensure that those users can still log into the system when changes are made to the ssh settings via AP (for example, disabling password authentication, AP will check this list of users to make sure they have SSH keys installed). This is an important fail safe feature, and you should list all your administrative users (other than root) in this list to help ensure they will be able to log into the system.
Usernames are seperated with spaces. Example:
joe bob karen
Note
Users are not defined by default. Additionally, this setting has NOTHING to do with AllowUsers in sshd.
If an admin user is not defined, AP will NOT allow SSH settings to be modified.
Note
For example, if no admin users are defined, AP will not allow password authentication to be disabled nor will it allow root logins to be disabled. This is a critical safeguard to prevent users from accidentally locking themselves out of the system.
If an admin user or users are defined, and if password authentication is disabled, AP will also check to make sure the admin user or users have ssh keys installed in the correct place, and that their permissions are valid. If the keys are not installed, the permissions are wrong, or they are not installed in the right place, AP will not allow any SSH configuration changes to take place and will ensure the defaults are used. Again, this is a critical safeguard to prevent users from accidentally locking themselves out of the system. AP can not test the keys themselves for validity as an authentication credential, as it only has access to the public key. Therefore, it is the users responsibility to ensure the SSH key pair works correctly for the account.
Please see the article SSH KEYS for courtesy information about using SSH keys with SSH.
SYSTEM_TYPE
Defines a basic service policy for the system.
Setting the profile to anything other than ‘custom’ will configure AP to disable the following services:
portmap
nfs
nfslock
rpcidmapd
cups
gpm
xfs
pcscd
mcstrans
kdump
isdn
hplip
hidd
messagebus
haldaemon
bluetooth
avahi-daemon
autofs
apmd
Options associated with this configuration setting:
webserver: You should use this setting for all system types except for the three below.
cpanel: setting this to cpanel, will configure the system for cpanel.
directadmin: setting this to directadmin, will configure the system for directadmin.
custom: If this is set to custom, no service will be automatically disabled and no special configuration changes are made to the system to work with non-package managed control panels. Do NOT use this setting with platforms like cpanel or directadmin. It will void support on your system.
AUTOMATIC_UPDATES
Configures the update frequency for rules and signatures downloaded through the AP/ updater.
Note
Updates can be run manually with awp -u
UPDATE_TYPE
Configures the behavior of AUTOMATIC_UPDATES event. There are three options with this setting:
All: This will upgrade all AP software, rule and signatures updates.
Exclude-kernel: This will upgrade all AP software, rule and signatures updates but not upgrade the kernel.
rules-only: This will exclude all software updates, including updates to AP. This will prevent AP from updating any rpm package updates and kernel updates and will only install rule and signature updates.
Note
Some rule and signature updates may not work without AP updates, so if you set this to “rules only” be sure to regularly check your system for any software updates for AP to be fully protected and to ensure compatibility.
RESTART_APACHE
Sets the restart policy for actions involving the web server. Updates to mod_security, or mod_evasive policies will require a web server restart to go into effect.
This setting has three options:
Yes: Restart Apache when needed.
Graceful: Use the ‘graceful’ method which tries to wait for all clients to finish being served before restarting Apache. If Apache has a stuck thread or worker Graceful may not complete.
No: Do not restart Apache.
Note
If you set this to “No”, updates that require apache restarts will not be applied, such as new WAF rules. If you set this to “No” you will need to schedule regular restart intervals to install the latest rules. Only the latest rules are supported with the WAF.
AP_USER
Sets the user to run AP web activity under. This can be either “tortix” for use with AP-Web, or “psaadm” for use with the Plesk AP module. Note: this setting has been deprecated.
FEED_TYPE
This setting allows you to toggle between different WAF feeds. Currently this is only used by AP Lite, and supports the following options: [Default: real-time]
real-time
90-day delayed feeds
FEED_SOURCE
This setting allows you to toggle between different WAF feeds. [ Default: subscription ]
COMPLIANCE
This enables a compliance module based on one of the five standards (CIS, DISA, DHS, NISPOM, PCI). It is not recommended by Atomicorp. It should only be used if you are required by a third party regulator. [Default: off]
KERNEL_CHANNEL
Select the kernel channel, valid options are: [Default: tortix-kernel]
Disabled
Tortix-kernel
tortix-kernel-xen (for xen environments only)
ALLOW_NFS
This will disable the service checks that would normally disable NFS services when SYSTEM_TYPE is set to “webserver”, “cpanel” or “directadmin”.
Note
This does not enable or configure NFS service, please consult your vendor for support with configuring NFS.
Note
You will need to reboot your system if you have locked the kernel to prevent kernel modules from loading.
DOWNLOADER
Set the downloader backend. Internal or Curl. [Default: internal]
REPUTATION_REPORT
Allow sending of statistical information on local events and event sources to Atomicorp.
REPUTATION_FREQUENCY
How often reputation reports will be sent.
PURGE_LOGS
Maximum days to retain logs.
AP Firewall Settings
Please see the AP Firewall page for more information about configuring the AP firewall.
AP Kernel Settings
Note
If you are not using the AP Kernel these settings in the AP Web Console will have no effect.
ALLOW_kmod_loading
The default configuration for AP is to disable Loadable Kernel Modules (LKM) after the system has booted (S99). This is intended to provide additional protection from attempts to load LKM rootkits by “locking” the kernel and preventing any additional changes to the kernel once it has been configured.
Setting this flag to “yes” and rebooting the system will allow kernel modules to be loaded and unloaded dynamically after a reboot. We do not recommend you set this to “yes”, as a properly configured server should not require the kernel to be dynamically modified. If you need to load custom modules in your kernel, please see this article which explains how to do this securely, and without needing to open this hole in your system.
A number of known and in the wild attacks on Linux servers take advantage of kernel module loading being allowed, which can also be triggered by non-root users and are used to compromise Linux systems.
Note
The secure and recommended setting is “no”.
Additionally, in Linux when you change this option to allow kernel module loading, that is if you unlock the kernel, you MUST reboot the system. This is a default failsafe that ensures that the Linux kernel is locked.
MAX_USER_WATCHES
Maximum number of inotify watches. [Default: 16384]
GRKERNSEC_DISABLE_PAX
Enabling this option will allow you to run PaX in soft mode, that is, PaX features will not be enforced by default, only on executables marked explicitly. You must also enable PT_PAX_FLAGS or XATTR_PAX_FLAGS support as they are the only way to mark executables for soft mode use. [Default: no]<
GRKERNSEC_DETER_BRUTEFORCE
If you say Y here, attempts to bruteforce exploits against forking daemons such as apache or sshd, as well as against suid/sgid binaries will be deterred. When a child of a forking daemon is killed by PaX or crashed due to an illegal instruction or other suspicious signal, the parent process will be delayed 30 seconds upon every subsequent fork until the administrator is able to assess the situation and restart the daemon. In the suid/sgid case, the attempt is logged, the user has all their processes terminated, and they are prevented from executing any further processes for 15 minutes. It is recommended that you also enable signal logging in the auditing section so that logs are generated when a process triggers a suspicious signal. [Default: no]
Note
This option is available in AP 4.0 and up.
GRKERNSEC_CONSISTENT_SETXID
If you say Y here, a change from a root uid to a non-root uid in a multithreaded application will cause the resulting uids, gids, supplementary groups, and capabilities in that thread to be propagated to the other threads of the process. In most cases this is unnecessary, as glibc will emulate this behavior on behalf of the application. Other libcs do not act in the same way, allowing the other threads of the process to continue running with root privileges. If the sysctl option is enabled, a sysctl option with name “consistent_setxid” is created.
ENABLE_TPE
Trusted Path Execution(TPE) will allow you to choose a gid to add to the supplementary groups of users you want to mark as “untrusted” or “trusted”. These users will not be able to execute any files that are not in root-owned directories writable only by root.
TPE_GROUP_POLICY
The TPE group policy indicates the mode to enforce on the system. These are “trusted”, which is an Unless Allow, Deny configuration where only users in the “trusted” group can execute commands that are not owned by the root user. It is the more aggressive and constricted mode. The default “untrusted” mode is an Unless Deny, Allow policy where the TPE security controls only apply to users in the “untrusted” group.
TPE_UNTRUSTED_USERS
Users in this group will have the TPE policy applied if the system is configured to operate in “untrusted” mode.
TPE_TRUSTED_USERS
Users in this group will NOT have the TPE policy applied if the system is configured to operate in the “trusted” mode.
DISABLE_PRVILEGED_IO
If you say yes here, all ioperm and iopl calls will return an error. Ioperm and iopl can be used to modify the running kernel. Unfortunately, some programs need this access to operate properly, the most notable of which are XFree86 and hwclock. hwclock can be remedied by having RTC support in the kernel, so real-time clock support is enabled if this option is enabled, to ensure that hwclock operates correctly. XFree86 still will not operate correctly with this option enabled, so DO NOT CHOOSE YES IF YOU USE XFree86.
AUDIT_MOUNT
Log all mount() and umount() actions.
AUDIT_CHDIR
Log all chdir() calls. This is a high volume setting, and is disabled by default.
AUDIT_PTRACE
Log all attempts to attach to a process via ptrace().
AUDIT_TEXTREL
Log text relocations with the filename of the offending library or binary. This is a high volume setting, and is disabled by default.
CHROOT_CAPS
When enabled, the capabilities on all root processes within a chroot jail will be lowered to stop module insertion, raw i/o, system and net admin tasks, rebooting the system, modifying immutable, files, modifying IPC owned by another, and changing the system time.
Note
EL6 boots the system into a chroot. Enabling this protection will cause the first tty on the system to “echo” all input that should not be “echoed”. For example, the password field will echo from the console on tty1. This may also cause problems with serial consoles that use the first tty (which is normally the default case).
The solution here is to either disable this protection, or to use a different tty.
See this post for a more detailed explanation of the technical and security issues with disabling this protection.
CHROOT_DENY_CHMOD
When enabled, processes inside a chroot will not be able to chmod or fchmod files to make them have suid or sgid bits.
CHROOT_DENY_CHROOT
When enabled, processes inside a chroot will not be able to chroot again outside the chroot.
CHROOT_DENY_FCHDIR
When enabled, a well-known method of breaking chroots by fchdir’ing to a file descriptor of the chrooting process that points to a directory outside the filesystem will be stopped.
CHROOT_DENY_MKNOD
When enabled, processes inside a chroot will not be allowed to mknod.
CHROOT_DENY_MOUNT
When enabled, processes inside a chroot will not be able to mount or remount.
CHROOT_DENY_PIVOT
When enabled, processes inside root will not be able to use pivot_root().
CHROOT_DENY_SHMAT
When enabled, processes inside a chroot will not be able to attach to shared memory segments that were created outside of the chroot jail.
CHROOT_DENY_SYSCTL
When enabled, an attacker in a chroot will not be able to write to sysctl entries, either by sysctl(2) or through a /proc interface.
CHROOT_DENY_UNIX
When enabled, processes inside a chroot will not be able to connect to abstract (meaning not belonging to a filesystem) Unix domain sockets that were bound outside of a chroot.
CHROOT_ENFORCE_CHDIR
When enabled, current working directory of all newly-chrooted applications will be set to the the root directory of the chroot.
CHROOT_EXECLOG
When enabled, all executions inside a chroot jail will be logged to syslog. This is a high volume setting and is disabled by default.
CHROOT_FINDTASK
When enabled, processes inside a chroot will not be able to kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, getsid, or view any process outside of the chroot.
CHROOT_RESTRICT_NICE
When enabled, processes inside a chroot will not be able to raise the priority of processes in the chroot, or alter the priority of processes outside the chroot.
EXEC_LOGGING
When enabled, all execve() calls for users in the group execlog (1007) will be logged (since the other exec*() calls are frontends to execve(), all execution will be logged). This is a high volume setting and is disabled by default.
EXEC_LOG_USERS
Users in the group execlog will have all execve() actions logged to syslog if EXEC_LOGGING is enabled. This is a high volume setting, and is disabled by default.
DMESG
When enabled, non-root users will not be able to use dmesg(8) to view up to the last 4kb of messages in the kernel’s log buffer.
EXECVE_LIMITING
When enabled, users with a resource limit on processes will have the value checked during execve() calls.
FIFO_RESTRICTIONS
When enabled, users will not be able to write to FIFOs they don’t own in world-writable +t directories (i.e. /tmp), unless the owner of the FIFO is the same owner of the directory it’s held in.
FORKFAIL_LOGGING
When enabled, all failed fork() attempts will be logged.
HARDEN_PTRACE
When enabled, TTY sniffers and other malicious monitoring programs implemented through ptrace will be defeated.
Certain Parallels products have a bug that requires that this protection be disabled. These products have a bug that incorrectly reports that users are running a debugger, when they are not if this protection is enabled. This is a bug in Plesk, and not in AP. Please report this bug to Parallels if you wish to use these feature.
You can read morea about this bug in Plese at this forum
IP_BLACKHOLE
When enabled, neither TCP nor ICMP destination-unreachable packets will be sent in response to packets sent to ports for which no associated listening process exists. [Default: y]
This feature supports both IPv4 and IPv6 and exempts the loopback interface from blackholing. Enabling this feature makes a host more resilient to DoS attacks and reduces network visibility against scanners. The blackhole feature prevents RST responses to all packets, not just SYNs.
Note
Under most application behavior this causes no problems, but applications (like haproxy) may not close certain connections in a way that cleanly terminates them on the remote end, leaving the remote host in LAST_ACK state. Because of this side-effect and to prevent intentional LAST_ACK DoSes, this feature also adds automatic mitigation against such attacks. The mitigation drastically reduces the amount of time a socket can spend in LAST_ACK state. If you’re using haproxy and not all servers it connects to have this option enabled, consider disabling this feature on the haproxy host. traceroute may also not complete when directed at a system that has this safeguard enabled. This is because traceroute works by sending UDP packets to ports on the system that do not have a service (a high port for example, 12345). The system will then send back an ICMP destination-unreachable packet. If traceroute does not get this packet it will continue to try high ports and eventually conclude, wrongly, that the server is not up. When this option is enabled, two sysctl options with names ip_blackhole and lastack_retries will be created. While ip_blackhole takes the standard zero/non-zero on/off toggle, lastack_retries uses the same kinds of values as tcp_retries1 and tcp_retries2. The default value of 4 prevents a socket from lasting more than 45 seconds in LAST_ACK state.
LASTACK_RETRIES
When enabled, prevents a socket from lasting more than 45 seconds in LAST_ACK state. The default value of 4 prevents a socket from lasting more than 45 seconds in LAST_ACK state. [Deafult: 4]
LINKING_RESTRICTIONS
When enabled, /tmp race exploits will be prevented, since users will no longer be able to follow symlinks owned by other users in world-writable +t directories (i.e. /tmp), unless the owner of the symlink is the owner of the directory. users will also not be able to hardlink to files they do not own.
RESOURCE_LOGGING
When enabled, all attempts to overstep resource limits will be logged with the resource name, the requested size, and the current limit. Due to high volume alerts you can consider disabling this option. [Deafult: disabled]
ROMOUNT_PROTECT
By setting this option to 1 at runtime, filesystems will be protected in the following ways: No new writable mounts will be allowed, Existing read-only mounts won’t be able to be remounted read/write, Write operations will be denied on all block devices. This is best used in embedded or appliance type environments. [Default: disabled]
RWXMAP_LOGGING
When enabled, calls to mmap() and mprotect() with explicit usage of PROT_WRITE and PROT_EXEC together will be logged when denied by the PAX_MPROTECT feature.
SIGNAL_LOGGING
When enabled, certain important signals will be logged, such as SIGSEGV, which will as a result inform you of when a error in a program occurred, which in some cases could mean a possible exploit attempt. [Default: enabled]
SOCKET_ALL
When enabled, you will be able to choose which users will be unable to connect to other hosts from your machine or run server applications from your machine.
SOCKET_USERS
Users in the socket group be unable to connect to other hosts from your machine or run server applications from your machine.
SOCKET_CLIENT
When enabled, users in the client group will only be able to create outbound connections, and will be prevented from creating servers on the system (clients can not listen for incoming connections).
SOCKET_CLIENT_USERS
Users in the client group will be unable to run server applications from your machine. This is in a comma delimited format.
SOCKET_SERVER
When enabled, the server-only policy group will be enabled on the system. Users in the servers group will be able to run servers on the system, but be unable to connect to other hosts from the machine.
SOCKET_SERVER_USERS
Users in the server group will be able to run services on the system, but be unable to connect to other hosts from the system as a client. This is in a comma delimited format.
TIMECHANGE_LOGGING
When enabled, any changes of the system clock will be logged.
ClamAV Settings
Please see the `clamAV`_ wiki page for more information about configuring ClamAV.
PSMON Settings
PSMON_ENABLED
Allows the Process monitoring daemon to be enabled/disabled. This will monitor services that are configured to start on boot and are managed by the OS via the chkconfig or systemctl systems. If you want AP to stop monitoring a process, see the psmon article.
Note
Not supported on systems that does not use package managed PERL installations.
PSMON_NOTIFY
Enable/Disable email notifications for PSMON. The default is to use the $NOTIFY setting.
PSMON_EMAIL
Email address notifications for restart events will be sent to. The default is to use the value set for EMAIL.
PSMON_FROM
From: line used for notifications of restart events. The default if to use psmon@hostname of the system.
OSSEC Settings
Mod Security Settings
Please see the Atomic WAF page for documentation on these settings.
PHP Settings
These settings do not import existing settings. If you already have configured PHP, or are using another tool to do so, those changes will not be displayed by AP. This option exists for AP to manage these functions and settings.
Note
If you want AP to manage these settings do not change them manually in php.ini, and do not use a third party tool to manage these settings. Additionally, when PHP functions are disabled, and an pplication tries to use them. Apache will ONLY log that in the domain’s error_log file. It will not log this in the global error_log. Please check the domain’s error_log file if your application is not working properly.
PHP_CHECKS
Enable/Disable PHP check enforcement mode. [Default: No]
If this is set to “no”, AP will not be configured to manage any PHP settings, and the rest of the PHP settings will no effect. To enable, or disable PHP functions, this must be set to “yes”.
Note
Setting this to “no” will still test for vulnerabilities, but will neither fix them, nor make any changes to your PHP configuration.
PHP_SAFE_MODE
Enable/Disable PHP Safe_Mode
Note
PHP 5.3 and later has deprecated this feature.
PHP_REGISTER_GLOBALS
Enable/Disable register_globals.
PHP_URL_OPEN
Enable/Disable url_fopen. Please see this page for information on this function and a serious vulnerability that can be created by allowing this function in PHP.
PHP_URL_INCLUDE
Enable/Disable URL includes
PHP_EXPOSE_PHP
Enable/Disable expose_php [Default: no]
PHP_DISPLAY_ERRORS
Enable/Disable display_errors [Default: no]
PHP_MAIL_XHEADER
Enable/Disable X-PHP-Originating-Script that will include UID of the script followed by the filename. [Default: yes]
ALLOW_curl_exec
Enable/Disable the curl_exec() function
ALLOW_curl_multi_exec
Enable/Disable the curl_multi_exec() function
ALLOW_dl
Enable/Disable the dl() function
ALLOW_escapeshellcmd
Enable/Disable the escapeshellcmd() function
ALLOW_exec
Enable/Disable the exec() function
ALLOW_ftp_exec
Enable/Disable the ftp_exec() function
ALLOW_fsockopen
Enable/Disable the fsockopen() function
ALLOW_leak
Enable/Disable the leak() function
ALLOW_passthru
Enable/Disable the passthru() function
ALLOW_pcntl_exec
Enable/Disable the pcntl_exec() function
ALLOW_pfsockopen
Enable/Disable the pfsockopen() function
ALLOW_phpinfo
Enable/Disable the phpinfo() function
ALLOW_popen
Enable/Disable the popen() function
ALLOW_posix_mkfifo
Enable/Disable the posix_kill() function.
ALLOW_posix_kill
Enable/Disable the posix_kill() function
ALLOW_posix_setpgid
Enable/Disable the setpgid() function
ALLOW_posix_setsid
Enable/Disable the setsid() function
ALLOW_posix_setuid
Enable/Disable the setuid() function
ALLOW_proc_close
Enable/Disable the proc_close() function
ALLOW_proc_get_status
Enable/Disable the proc_get_status() function
ALLOW_proc_nice
Enable/Disable the proc_get_status() function
ALLOW_proc_open
Enable/Disable the proc_open() function
ALLOW_proc_terminate
Enable/Disable the proc_terminate() function
ALLOW_shell_exec
Enable/Disable the shell_exec() function
ALLOW_show_source
Enable/Disable the show_source() function
ALLOW_system
Enable/Disable the system() function
SSH Daemon Settings
Please see the`SSH debugging`_ page in case you can’t log into your AP server via SSH.
Note
This does not import existing settings from SSH. The purpose of these settings to enforce the sshd configuration settings, based on these settings. Therefore if you change sshd settings, and they do not match what is set in AP, AP will set them to the settings defined in AP. The use of third party products to change these settings is not supported.
SSH_PROTOCOL
Note
Do not change this setting unless you know what you are doing.
SSH supports several legacy protocols (1 and 1.5), along with the current SSH protocol, 2. 1 and 1.5 have fundamental weakenesses that can cause SSH sessions with those protocols to be compromised, therefore we recommend you leave the protocol setting of “2”.
CUSTOM_SSH_PORT
Use a custom ssh port. [Default: no]
SSH_PORT
This will tell SSH to change its default port of 22 to a different port. If you set this to “no”, that will tell SSH to use the default port of 22. For example, if you wanted to change SSHs port to “2222” you would enter “2222” in this field. [Default: no]
Note
This does not import existing settings. If you already have a custom port set, that port number will not show up here. This option exists for AP to manage this function, if you do not change this option to a port number AP will not make any changes to this option in sshd
SSH_STRICTMODE
This tells SSH to check the ownership and permissions on ssh public key files. This prevents a user from accidentally setting the permissions on the file so that other users can add their keys to another users key file. We highly recommend you enable strict modes. [Default: yes]
SSH_IGNORE_RHOSTS
This tells SSH to ignore rhosts file. rhosts files tell SSH to trust another host completely, which means a user logging in from that host will not asked for a password. Allowing rhosts files is very insecure, and we recommend you leave this enabled. [Default: yes]
SSH_PUBKEY
This setting tells SSH to allow the use of public keys, instead of passwords, for authentication. Public keys are more secure than passwords, provided that the public key itself has a strong password. Keys can provide a cheap two factor authentication system (what you have, and what you know). [Default: yes]
SSH_ROOTLOGINS
This setting tells SSH to allow root logins. If you set this to yes, root will be allowed to ssh in, if you set this to no, root will not be allowed to ssh in. We recommend you set this to “no”. [Default: yes]
SSH_PASSWORD_AUTH
This enables/disables password authentication via SSH. For this to work, you must define at least one ADMIN_USER. [Default: yes]
Options that can be set on this setting:
yes - Allows password authentication
no - Does not allow password authentication, but AP will check to make sure at least one valid ADMIN_USER exists with keys installed. If one does not, AP will NOT disable password authentication, and will try to prevent other applications from doing so. This is an important fail safe to prevent accidental lockout from your system.
override - Does not allow password authentication, but will NOT check to make sure at least one valid ADMIN_USER exists with keys installed. Warning: This will lock you out of your system if you do not have valid key based authentication configured for the system, and AP will not check to ensure your keys are valid (not recommend, define an ADMIN_USERS instead).
SSH_PRIV_SEPARATION
This ensures that SSH runs with privilege separation. [Default: yes]
SSH_GSSAPI_AUTH
Specifies whether user authentication based on GSSAPI is allowed. [Default: no]
SSH_GSSAPI_CLEANUP
Specifies whether to automatically destroy the user’s credentials cache on logout. [Default: yes]
SSH_BANNER
AP can configure SSH to display a banner to users when they log in. This tells SSH what file to use for the banner. AP comes with a standard banner you can use that is provided in the /etc/awp/banner file. [Default: /etc/awp/banner]
SSH_USEDNS
Specifies whether sshdshould look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. [Default: yes]
SSH_ALLOWAGENTFORWARDING
This setting configures SSH to allow X11 forwarding. This will allow the server to communicate with an X11 desktop, which will allow the server to open windows, control the keyboard and otherwise operate on the users desktop as if it was the users machine. [Default: no]
THis can present a security risk if the server is not completely trusted, as malicious processes can control the users desktop.
SSH_ALLOWTCPFORWARDING
This setting configures SSH to allow port forwarding from a client. This will allow a client to “tunnel” to a port on the server over an SSH connection. [Default: no]
This can present a security risk as this allows users to bypass any firewall policies that would otherwise prevent them from connecting to ports that are blocked.
Denial of Service Settings
MODEV_ENABLED
Enable/Disable mod_evasive (DoS protection)
Note
Also see the Mod Evasive page for important documentation about configuring the DOS protection system for Apache.
MODEV_DOSHashTableSize
The hash table size defines the number of top-level nodes for each child’s hash table. Increasing this number will provide faster performance by decreasing the number of iterations required to get to the record, but consume more memory for table space.
MODEV_DOSPageCount
Threshhold for the number of requests for the same page (or URI) per page interval.
MODEV_DOSSiteCount
Threshhold for the total number of requests for any object by the same client on the same listener per site interval.
MODEV_DOSPageInterval
Interval for the page count threshhold. [Default: 2]
MODEV_DOSSiteInterval
Interval for the site count threshhold. [Default: 2]
MODEV_DOSBlockingPeriod
Number of seconds to block a client IP. Clients will be returned a 403 error.
APPINV_CRON
Interval to run the web application inventory engine. [Default: daily]
MySQL Security Settings
MYSQL_CHECKS
Enable/Disable enforcement mode for Mysql security settings. Setting this to no will implement check-only mode. [Default: yes]
MYSQL_DISABLE_LOAD_DATA
Enable/Disable mysql local-infile [Default: yes]
MYSQL_ENABLE_LOG_ERRORS
Enable/Disable mysql /var/log/mysqld.log error log [Default: yes]
MYSQL_ENABLE_LOG_WARNINGS
Enable/Disable mysql log warnings [Default: yes]
MYSQL_DISABLE_SYMBOLIC_LINKS
Enable/Disable mysql symbolic links[Default: yes]
MYSQL_QUERY_CACHE
Mysql query cache settings [Default: 32m]
Note
This must be in multiples of 32. For example, 64, 128, etc.
Plesk Security Settings
FW_PLESK_UPDATES
Enable/Disable Plesk keyserver update firewall policy. Default:[no]
PSA_DISABLE_CRONTAB
This setting will disable the ability to manage cron jobs in Plesk. Default: [no]