Atomic Endpoint Defender FAQ

How can I buy an Atomic Endpoint Defender (AED) license?

  • To purchase a license for AED, just visit the Atomic Endpoint Defender page and click the Buy Now icon, or click on this link.

Can I try Atomic Endpoint Defender (AED) before I purchase it?

  • Absolutely! We offer a free, no-risk, no-obligation 10-day trial. Just click here to get your trial license now!

What is the benefit of Subscribing to AED?

  • Peace of mind, knowing that a team of security experts will work tirelessly to ensure that you have a security solution that protects your system, and rapid support for all your security needs.

    Access to the best Linux security product available, which includes a full SIM with a stand-alone web GUI, a fully integrated web application firewall, event correlation, intelligent log reduction and alerting, a built-in vulnerability scanner with automatic vulnerability repair, virtual patching, compliance monitoring, self healing, anti-spam protection, anti-malware protection, upload malware protection (web and FTP), real-time malware protection, automatic redaction, a secure and hardened kernel, stack protection, heap protection, a Role Based Access Control system and many more features!

    And most importantly, full support. If we distribute a component, be it a kernel, rules, modules, etc., we will support any issues you have with your integration, with drivers, etc. We focus on building software such as AED that works on the widest range of hardware, with the most advanced and modern security features that work on all platforms. This includes firewall extensions for STEALTH and MATCH support, the strongest stack protection in the world, special defenses against kernel module rootkits, cutting-edge countermeasures against the latest threats and more!

    With AED, you won’t have to do it all yourself; we’re here to help you.


What is the SLA for critical security or support issues in AED?

  • If there is a security issue with AED, in general we will release a fix within 24 hours of the issue being reported to us.

I need help!


MODSEC version is not current. False reporting has been disabled

  • This means your ModSecurity rules are not up to date. Before reporting a false positive, make sure your rules are current: either click the “Update” button in the AED web console, or run “aum -u” from the command line as root. It’s possible your issue has already been addressed; if not, once your rules are updated AED will let you report the false positive. We’ll then get right on it and get you a fix ASAP!

How can I give atomicorp support access to my system?

  • To provide us with access, please follow the process below. Do not send us your root password to log into your system. We do not need it, and we will delete it if you send it to us (we do this for your protection). The process below gives us secure access without our needing to know your root password.

Step 1) Do not send us your root password to log into your system. We do not need it.

As part of our security policies we will not use passwords to log into your system, and we will not store passwords in our support system. Our policy requires our support engineers to delete this information if you send it to us. The process below installs cryptographically strong keys that we use to authenticate to your system instead of a password. This protects you: we never hold your root password, so no one can steal it from us to access your system.

Step 2) Become root on your system by running the following command:

su -

Step 3) Run the command below as the root user to install our SSH public keys, which will allow us to log into your system securely:

wget -q -O - https://www.atomicorp.com/installers/key | sh

If you do not get any output from this command, it is likely that wget does not support SSL.

Step 4) (Optional) Add to AllowUsers in sshd_config

If you use AED’s admin user feature, or sshd’s AllowUsers directive, make sure you add the “atomic” user to the allowed users. If our tool does not add the user “atomic”, that is because you allow root logins, and the tool will simply add our keys to the root account.

Step 5) Configure your firewall to allow access

If you need to open firewall access, please see the email sent with the IPs we will be logging in from.

Step 6) If this is for a new install, please follow the additional instructions in that email. We may need additional information.

If this is for an installation, please make sure you follow the installation email’s instructions.

Step 7) Send us the IP address and SSH port for the system

Step 8) And finally, remember to send an email to support AT atomicorp DOT com with the IP address(es) of the system(s) you want us to log into; if you run SSH on a non-standard port, please include that information as well.

If you have sent this information to us in the past, please send it again with any new request. As part of our procedures, our support team must confirm the IP address for each request before logging into any system; this is an important safeguard to ensure we are accessing the correct system and have permission to do so.


Can I just set up access myself?

  • Yes, although as an internal policy we do not allow our support engineers to use customer passwords. That prevents your passwords from being recorded in our systems, preventing any accidental exposure of those passwords. We recommend you use the process above, but if you are able to set up SSH key based access yourself, you can download our keys from the URL below:


How can I verify the integrity of the ssh keys?

  • The installer downloads the keys over a TLS encrypted channel. Each member of our support team has a unique key; we do not use shared keys or credentials. You will therefore see a number of keys downloaded.


Can I set a password for the atomic account?

  • Yes. We do not use passwords to log into the system; we use SSH keys only. By default, SSH will not allow password authentication to accounts without passwords (it will require SSH keys instead), so unless you have configured your system to allow empty passwords, it is not necessary to do this.

    However, if you do this, you will need to let us know what the password is so that we can use sudo.


How can I remove atomicorp access to my system?

  • If you followed the process above, just remove the “atomic” user when you are finished; if you allow root SSH login access, you will instead need to remove our SSH keys from the /root/.ssh directory. The script above does not give us any passwords to your system; it simply installs our keys for the “atomic” user (or, if you allow root access, for the “root” user). Removing those keys also removes our access to the system.
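As an added example (not Atomicorp's tooling), the POSIX shell functions below show what is in an authorized_keys file and remove only the entries that match a list of public keys you supply, such as the vendor keys installed by the process above, so your own keys stay in place. The file paths in the usage comment and the sample keys in the test are assumptions.

```shell
#!/bin/sh
# Added example (not Atomicorp's tooling): audit an authorized_keys file and
# remove only the entries that match a list of public keys you supply, such as
# the vendor keys that were installed, leaving your own keys in place.
# POSIX sh + awk only, so it runs unchanged on every distribution listed above.

# Key types recognised in authorized_keys and public-key files.
KEY_TYPES='^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$'

# list_authorized_keys FILE
# Prints "type comment" for every key entry; the comment is the only
# human-readable handle on whose key it is. Entries may start with options
# (from=, command=), so we locate the key-type token rather than assume column 1.
list_authorized_keys() {
    awk -v types="$KEY_TYPES" '
        /^[[:space:]]*(#|$)/ { next }            # skip blanks and comments
        {
            for (i = 1; i < NF; i++) {
                if ($i ~ types) {
                    comment = ""
                    for (j = i + 2; j <= NF; j++)
                        comment = comment (j > i + 2 ? " " : "") $j
                    print $i, (comment == "" ? "(no comment)" : comment)
                    break
                }
            }
        }' "$1"
}

# count_authorized_keys FILE
# Number of key entries (not lines) in FILE.
count_authorized_keys() {
    list_authorized_keys "$1" | awk 'END { print NR }'
}

# key_blobs FILE
# Prints the base64 blob of every key in a public-key file. Matching on the
# blob rather than on whole lines means differing options or comments cannot
# hide a key from the removal step.
key_blobs() {
    awk -v types="$KEY_TYPES" '
        /^[[:space:]]*(#|$)/ { next }
        { for (i = 1; i < NF; i++) if ($i ~ types) { print $(i + 1); break } }' "$1"
}

# remove_matching_keys AUTHORIZED_KEYS PUBLIC_KEYS
# Rewrites AUTHORIZED_KEYS in place, keeping a .bak copy, without the entries
# whose blob appears in PUBLIC_KEYS. Prints the number of entries removed.
remove_matching_keys() {
    auth="$1"; keys="$2"
    blobs=$(mktemp) || return 1
    out=$(mktemp) || { rm -f "$blobs"; return 1; }
    key_blobs "$keys" > "$blobs"
    if [ ! -s "$blobs" ]; then          # nothing to match: leave the file alone
        rm -f "$blobs" "$out"; echo 0; return 0
    fi
    cp -p "$auth" "$auth.bak"
    awk -v types="$KEY_TYPES" '
        NR == FNR { drop[$1] = 1; next }     # first file: blobs to remove
        {
            for (i = 1; i < NF; i++)
                if ($i ~ types && ($(i + 1) in drop)) next
            print
        }' "$blobs" "$auth" > "$out"
    cat "$out" > "$auth"                     # in place: keeps owner and 0600 mode
    rm -f "$blobs" "$out"
    echo $(( $(count_authorized_keys "$auth.bak") - $(count_authorized_keys "$auth") ))
}

# Typical use on the host (as root); the paths are assumptions, adjust to yours:
#   list_authorized_keys /home/atomic/.ssh/authorized_keys
#   remove_matching_keys /root/.ssh/authorized_keys /root/vendor_keys.pub
```

Run the list function first and compare the comments against the key file you downloaded, then remove; the .bak copy lets you restore if a key was dropped by mistake.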

Where’s the AED Web GUI?

  • You can access it on your system at this URL (change www.example.com to your system’s name or IP address):

    https://www.example.com:30000
    

    Make sure your firewall is configured to allow access to the TCP port 30000.


Does AED have any PHP dependencies?

  • No. AED uses its own PHP libraries, which are installed in /var/asl and have nothing to do with the system’s PHP libraries.

    The AED PHP library RPM packages start with the name “asl-”. Do not change the AED PHP RPMs; they are only used by AED.


Does AED install PHP on my system?

  • No. AED will not install, replace, upgrade, change or remove PHP on your system.

Does AED replace PHP on my system?

  • No. AED will not replace, install, upgrade, change or remove PHP on your system.

What are the asl-php rpms?

  • AED has its own, independent PHP engine that is used only by the AED web console daemon, tortixd, to power the AED web console. AED does not use your operating system’s PHP installation, and AED’s independent PHP engine is not used by your web server, web applications or operating system. AED will not remove, replace, modify, upgrade or otherwise change your existing PHP installation. The asl-php RPMs are a completely separate, isolated PHP engine that is not used by your operating system or web server (Apache, NGINX, LiteSpeed or any other), and they have no effect on any other application on your system, including any web or PHP applications.

    These RPMs have no effect on your operating system; they are installed only in /var/asl and are only used by AED.

    The AED PHP library RPM packages will always start with the name “asl”, for example:

    asl-php-cli-5.4.17-15.el6.art.x86_64
    asl-php-5.4.17-15.el6.art.x86_64
    asl-php-process-5.4.17-15.el6.art.x86_64
    asl-php-gd-5.4.17-15.el6.art.x86_64
    asl-php-pecl-apc-3.1.13-4.el6.art.x86_64
    asl-php-common-5.4.17-15.el6.art.x86_64
    asl-php-mysqlnd-5.4.17-15.el6.art.x86_64
    asl-php-pdo-5.4.17-15.el6.art.x86_64
    

    Do not change, remove, configure, block the installation or upgrade of, or otherwise modify the AED PHP RPMs or their configuration files; they are only used by AED for its web console.

    If you are having problems with your operating system’s PHP, your web server’s PHP handler, your web server’s PHP applications or other PHP applications: AED did not install, upgrade, replace, configure or remove any part of your system’s or web server’s PHP installation. Contact your PHP vendor for assistance.


My system has experienced a kernel panic.

  • We have documented several issues that may cause kernel panics on the wiki along with solutions in the Kernel Panic article.

What should I do if I believe a system has been compromised?

  • First, stop and ask yourself what you want to do. Do you want to prosecute, or do you just want to find the problem and fix it? This is a critical question because if you want to prosecute you must preserve evidence, and the actions you take to fix the intrusion may destroy that evidence or make it inadmissible. If you want to prosecute, contact us to discuss your situation, as you may need professional help to build a case. Also, if you choose to prosecute, you should know that in some jurisdictions the personnel working on your case may need special licenses to do this, otherwise they may be committing a felony (Michigan, for example, requires a Private Investigator license to perform computer forensics that will be used in court; failure to have this license is a felony).

    If you want to find out what happened and just clean up, please continue with this checklist.

    First, start with the simple case: the compromise may have occurred by the attacker simply stealing a user’s password and logging into the system. We have put together a wiki article that provides guidance for those cases: Compromised System FTP

    If you know that an attacker did not simply log into the system with stolen credentials, please read this wiki article: Compromised System

    In most cases we have seen, attackers steal users’ passwords and keys via keyloggers and trojans and just log in. In those cases there is no technical vulnerability in your system; the issue lies with your users and their computers. So, check your logs first to see if someone simply logged into your account or your users’ accounts. You’d be surprised at how often we see that happen.

    If you find yourself in this situation we recommend you explore two-factor authentication options such as SecurID, OTP generators on your cell phone (not on your computer: if the computer has been compromised, so has the OTP!) and other hardware tokens.

    You can also use an operating system that is more secure for your desktop such as Linux, Solaris, BSD or MacOS.


Do you have pre-defined access policies, or do we have to configure these policies?

  • Yes. Currently we use Trusted Path Execution (TPE) and the untrusted users group by default. Members of the untrusted users group can only execute commands owned by root. In addition, non-root users can only see processes owned by them. Grsec has an additional RBAC and Process ACL system available.

How long are major releases supported?

  • AED major releases (4.x, 5.x) are supported for three (3) months after a new major release is made available.

How can I upgrade a trial?

  • Just log into the license manager using the same credentials you used to set up your trial and purchase a license. You don’t need to do anything else. The system will automatically convert your system from a trial to a full license, and you won’t have to reinstall or install anything.

    You can access the license manager here


Do the VPS licenses need to be used on one physical machine or can the VPS boxes be located on different physical machines in different locations?

  • They can be located on different physical machines in different locations, or on the same machine.

If we use more than 5 licenses, do we have to add additional licenses 5 at a time, or can we add just 1 at a time after we purchase the initial 5?

  • You can add single licenses through the license manager.

Do VPS licenses include support for the kernel?

  • VPS licenses do not include support for the kernel. If you want to use the secure AED kernel, then you must purchase a full AED license.

Can I use AED as a reverse proxy for my other servers?

  • Yes. However, you must purchase a reverse proxy license for this to work in AED.

    If you wish to use AED as a reverse proxy for other servers, please contact us for support and a license.


What Linux distributions do you support?

  • As of September 2017, AED is officially supported with the following Linux distributions:

    • CentOS 6
    • CentOS 7
    • Red Hat Enterprise Linux 6
    • Red Hat Enterprise Linux 7
    • CloudLinux 6
    • CloudLinux 7
    • Amazon EC2 (we support RHEL and CentOS on EC2; we do not support AMI and other customized distributions)

Note

Beta versions are unsupported.

Note

AED requires software package management, which all of the supported operating systems provide. If package management has been disabled on your system, you will not be able to install AED. Older versions of these distributions are not supported.

  • When an operating system or distribution is no longer supported by the vendor, we also no longer support that operating system unless you have an extended support contract from us for that platform. Please contact sales@atomicorp.com if you need an extended support contract.

Is AED compatible with AWS instances?

  • Absolutely. AED is fully supported on AWS, including the secure kernel.

AED does not support my version of my operating system

  • We support versions of operating systems per the list above, and of those we only support operating systems which are still supported by the OS vendor.

    We do this because of the serious security issues associated with running an operating system that is no longer supported, as well as the problems associated with the lack of bug fixes for platforms that have been abandoned by their vendors. For example, if a serious vulnerability were to be discovered in OpenSSH and there was no patch for your system, AED may not be able to protect your system adequately. Some vulnerabilities are beyond even our capabilities to defend against. We are always looking out for your security, and unsupported OSes are a serious risk to operate.

    For newer versions of operating systems, we work as fast as possible to support the new distributions.


Do you support custom builds of apache, or other custom non-standard Linux distributions or hybrids?

  • Yes, only through extended support contracts. If you do not have an extended support contract there is no support. Please contact sales@atomicorp.com and we can put together a proposal for your project and price out ongoing support for your custom configuration.

Does AED require a control panel?

  • No, AED does not require any control panel product (Plesk, Cpanel, etc.). You can use AED with, or without a control panel. If you do use a control panel, AED works with all major control panels, and the specific list of supported configurations is provided below.

Does AED work with Plesk?

  • Absolutely! Atomicorp was founded by two Plesk founders. You won’t find a security company that knows more about Plesk, or cares more about making security products that work with control panels like Plesk. AED works with all Plesk versions from 9 all the way up to the latest version of Plesk, 12.

Can you use AED without plesk?

  • Yes, AED uses its own GUI and does not require any control panel to work.

Will I lose any functionality in Plesk if I use AED?

  • No. AED will only add new functionality to your system.

If predefined, will your policy fit into a Plesk system, since Plesk uses its own chroot enforcement on some daemons?

  • Atomicorp was founded by Plesk founders. AED is designed to integrate in that environment and with other control panels too.

Does AED work with Directadmin?

  • Yes. AED works with and is supported with Directadmin.

Note

If you are not using the system’s RPMs, and are using a custom-built Apache, then you will need to use the current beta version of AED for custom Apache environments. You can read more about it here: https://www.atomicorp.com/forums/viewtopic.php?f=21&t=4828


Does AED work with Virtualmin?

  • AED works with Virtualmin and is a supported configuration.

Does AED work with CPanel?

  • AED works with cPanel and is a supported configuration.

Does AED work with Interworx?

  • AED works with Interworx and is a supported configuration.

Does AED work with Apache?

  • Yes, AED works with Apache.

Does AED work with LiteSpeed?

  • Yes, AED works with LiteSpeed.

Does AED work with NGINX?

  • Yes, AED works with Nginx. Please see this page for more information.

Does AED work with IonCube?

  • Yes, AED works with IonCube.

Does AED work with Zend Optimizer?

  • AED works with Zend Optimizer.

Is IPv6 supported?

  • Not at this time. Additionally, AED does not load any IPv6 network modules by default. Therefore, if you must use IPv6, you will need to ensure the modules are loaded on boot before S99.

Does AED work with X11/Xorg?

  • Yes, AED works with X. To configure AED with X, please see the X with AED article.

Is AED compatible with ConfigServer?

  • AED does not support any of the ConfigServer products, and CSF (ConfigServer Firewall) in particular is known to cause major compatibility issues on a server running AED. AED is a complete stand-alone security product, which includes a powerful firewall, and you do not need to run any additional security software, including CSF, in conjunction with AED.

Does AED support ipset?

  • Yes, AED supports ipset as of version 4.0 of AED. To enable it, just set “FW_ENABLE_IPSET” to “yes” in the configuration screen.

Is AED easy to install?

  • AED was designed to be easy to install and use. You just run one command and the AED installer will walk you through questions to configure itself for your unique needs. Just follow the instructions on the AED installation page.

    If you have any questions, please contact us. We’re always happy to help our customers.


Is AED safe to install?

  • Yes. AED was designed for high SLA environments and comes with robust support from a company that understands the needs of high SLA environments. AED has numerous fail-safes built into it to make it both easy to install and safe to use. For example, if AED detects that your kernel has an error on boot, it will reboot the system into the last known working kernel. This is a feature no Linux distribution includes, so installing AED will actually make your system more stable and more reliable.

    AED is also easy to uninstall, and is designed to work with your existing operating system and not replace any core components.


Will AED replace core components of my system?

  • No. AED will install additional software on your system, and will not replace anything, including the kernel.

Does AED need to be installed on a system before Plesk/Cpanel/etc. is installed?

  • No, AED can be installed on a system that already has Plesk, Cpanel or any other control panel installed. AED does not require a bare system, and is designed to be installed into already operating systems that have been configured for use, and have third party software already installed. AED is an enhancement and can be installed on any supported Linux system.

Does installing AED require any downtime?

  • No, AED does not require you to take your system down. It is designed to be installed on running systems. You will want to reboot the system into the secure kernel, but you can do that any time. AED will operate normally without the secure kernel, and does not require it to function, however without the secure kernel you will still be vulnerable to the same kernel level weaknesses and vulnerabilities that exist in all non-AED kernels. Therefore, we recommend that you run the secure kernel, which will require a reboot.

I just purchased an installation from you, what now?

In order for us to conduct your installation, we will need you to open up a case with Support with the following information:

  • Confirmation, from you, that the system meets all the minimum requirements for AED.

  • Access to the system. Please see the FAQ “How can I give Atomicorp access to my system?”

  • The IP address and SSH port for the system.

  • The MySQL root (or admin) password for the system.

  • Your Atomicorp License Manager credentials.

  • If you have specific IPs you would like whitelisted, please provide us with the list, with a single space between each IP (example: x.x.x.x y.y.y.y z.z.z.z). Please note, AED only supports IPv4 addresses at this time.

  • We will attempt to install the product. In the event we encounter difficulties due to unusual software/hardware configurations, we will attempt to contact you for further information. Due to our high customer volume, timely response is necessary (within 30 minutes), or we reserve the right to reschedule the installation.

Is it OK to install CS4 with AED?

  • Just say “no” when it asks if you want to download and install clamd when you run the installation script. AED already provides clamd.

Does AED work with PHP sites running under fast_cgi?

  • Yes, AED works with systems using fcgi, suphp, and itk. It also works just fine with systems that use none of these. AED integrates fully and safely into Apache.

Is mod_ruid2 supported?

  • Partially, when using AED. If you are using a third party modsecurity build, this is not supported as it will not contain the necessary patches to make mod_ruid2 work correctly with mod_security.

    If you are using the latest version of AED, you will be able to use mod_ruid2 provided you do not enable any rules that use mod_security’s DBM system. This includes the advanced rules, and the search engine protection rules. Specifically, mod_ruid2 is not compatible with the security model mod_security uses to create, write and store its DBM files. mod_ruid2 will attempt to save these as the user of the context apache is currently running as. This causes problems for the DBM databases, as they are global databases and not per user databases. This breaks the DBM collection tracking system.

    Therefore, you can not use these types of rules with mod_ruid2.

  • For third party builds, you will also encounter these issues, which will make mod_ruid2 fail to work correctly at all:

    • Under heavy load, mod_ruid2 when used with mod_security can cause a crash. Specifically, mod_ruid2 can cause an AcceptMutex to be held by another UID, and this will cause Apache to crash.
    • mod_ruid2 is not compatible with the security model mod_security uses to create, write and store its log, audit and DBM files. mod_ruid2 will attempt to save these as the user of the context Apache is currently running as. This causes problems for the DBM databases, as they are global databases and not per-user databases. This breaks the DBM collection tracking system. Storing the logs as the user of the Apache context can be insecure, as it makes it possible for an attacker to delete or modify the logs, preventing security tools from using these logs to make decisions about possible attacks and compromises of the system. In general, logs that contain security information should not be stored as the user carrying out the attack for this reason. Modifying logs is a well known method for covering up attacks and compromises.

Does AED work with PHP sites running under suphp?

  • Yes, AED works with systems using suphp, fcgi, and itk. It also works just fine with systems that use none of these. AED integrates fully and safely into Apache.

How easy is it with AED to debug and use modsecurity?

  • Very easy. AED includes an easy to use web based graphical interface that allows you to view alerts, modify rules, and report false positives all with one click. We typically can resolve a false positive in less than one hour when reported through the AED Web interface.

If I face problems with the installation/setup of AED do you provide support?

  • Absolutely! We fully support all our products. AED licenses come with email and web based support, using an easy to use case and bug management system that is associated with your account. You can log in through our support portal directly from the atomicorp website, or via email. Phone support is also available with an extended support contract.

What are the minimum system requirements for AED?

  • If all of the AED security features are turned on, we recommend that your system have a minimum of 1GB of RAM. AED includes advanced web application and antispam security features that do best with this minimum requirement.

    Our servers run without issue with 2GB of RAM on Dual Core P4s or single core AMD 64bit CPUs.


I also had previously installed rkhunter and chkrootkit, should I have uninstalled those prior to installing AED?

  • The secure kernel operates with around 3-5% of additional overhead on Intel processors. AMD processors implement in hardware the features we emulate on Intel processors, so there is no additional overhead.

Is there an install log for AED?

  • Yes, the AED installation will generate this log file:

    /tmp/tortix-install.log
    

What are testing channels for?

  • For the AED Channels, Beta Releases, and free Atomic Channels.

Note

Please keep in mind that the atomic channels are not supported. The Atomic repository provides free software.


What are bleeding channels for?

  • Alpha releases and anything less stable. You shouldn’t use bleeding code unless you are prepared to roll up your sleeves and debug the builds. They are also not supported.

How do I install AED?


How can I reinstall AED?

  • The cleanest way to reinstall AED is to first uninstall it, then run the installer again. The process is:

    1. Run this command as root:

      /var/asl/lib/uninstall
      
    2. Then install AED fresh by following the instructions above.


How can I disable AED?

  • Disable ModSecurity by running the following command:

    mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled
    

  • Disable mod_sed by running the following command:

    mv /etc/httpd/conf.d/00mod_sed.conf /etc/httpd/conf.d/00mod_sed.conf.disabled
    

  • Disable OSSEC by running the following command:

    /etc/init.d/ossec stop
    

  • Disable Clamd by running the following command:

    /etc/init.d/clamd stop
    

  • Restart Apache by running the following command:

    /etc/init.d/httpd restart
    

  • Remove the hardened proftp by running the following command:

    yum remove psa-proftpd-1.3.2a-1.el5.art
    

  • Boot into a non-AED Kernel

  • Reboot the system by running the following command:

    reboot
    

Also, it’s important to recognize that AED is a threat manager that repairs vulnerabilities on your system. Disabling AED will not undo any vulnerability repairs you have instructed AED to fix. If you want to undo a vulnerability repair in AED, do not uninstall AED. Simply change the action in the AED GUI and run AED in Fix mode to undo the repair.


How do I remove or uninstall AED?

  • If you are running AED 4.x run the following command as root:

    /var/asl/lib/uninstall
    

Note

Because the AED uninstaller is just that, an uninstaller, it is also designed to remove the AED kernel. Before you reboot, you must check that you have a working non-AED kernel installed on the system, or you will not be able to boot your system.

  • AED will never remove any non-AED kernels. It won’t remove existing kernels on install or during uninstall, and it won’t install or upgrade non-AED kernels. So for most users this isn’t an issue; however, if you have removed your non-AED kernels or do not have a working non-AED kernel on your system, then you won’t be able to boot your system. Please contact your OS vendor for assistance with re-installing their kernel if you have removed it.


How can I enable password based authentication?

  • Follow the process below:

    Step 1) Log into AED

    Step 2) Click on the “Configuration” tab

    Step 3) Select “AED Configuration”

    Step 4) Scroll down to “SSH daemon configuration”

    Step 5) Change SSH_PASSWORD_AUTH to “yes”

    Step 6) Click the update button


How can I migrate AED to a new server?

  • Regarding your AED license you don’t need to do anything special. The licensing manager will allow you an additional install on one (1) test or development server, so from a licensing point of view - you don’t need to do anything special.

    Regarding migration, we recommend you install AED on the new system and run through the entire configuration process. If you want the AED configuration to match your other system’s configuration, just copy the /etc/asl/config file to your new system to migrate your settings. Double-check them manually to make sure you have everything set up for your needs; if you copy over your config, you’re basically telling the new server to be completely identical to the old one, and that may not be exactly right for you.

    Once you copy over the config and have everything setup as you want then run this command as root:

    asl -s -f
    

Signatures & Modules window. What do they mean?

  • The Signatures & Modules window lists the state of all AED components, such as if they are active, inactive or have updates waiting.

    • Green: Component is active and up to date.
    • Yellow: Component is active, but updates are available such as rule, signature or software updates. To force an update just click the “Updates Available” link, or you can wait for AED to install the updates automatically based on your configuration. (Please see the FAQ below on configuring automatic updates, AED is configured by default to automatically update all its components).
    • Red: Component is inactive, either because it has been disabled or because it is not installed. For example, if the system is not using the AED kernel, “Kernel Protection” will show as red; if a component has been uninstalled or otherwise removed, such as mod_security being removed from the system, WAF will show as red. AED looks at the actual condition of the system and reports its state in this window. This is a “fail safe” to ensure that the actual state of the system is reported to the user: even if the configuration is set to one state, AED independently checks the system to see if it really is in that state.

Will AED automatically update the rules and signatures?

  • Yes, by default it will do this daily. AED will update all the rules and signatures available automatically. Occasionally you may see AED report that updates are available. AED will install these updates for you at the next scheduled interval you have configured for your system. Or you can manually update these by clicking the “Updates Available” link.

Will AED automatically update itself?

  • By default, AED will also automatically keep itself up to date (the core components and the rules). To check this setting, log into the AED GUI, click on the Configuration tab and then click on “AED Configuration”. Scroll down to UPDATE_TYPE and make sure it is set to “all”.

    You are recommended to check the forums to see if an update to AED has been released, and if there are any special upgrade instructions you will need to follow for that release.


How can I set the update interval?

  • Log into the AED GUI, click on the Configuration tab and then click on “AED Configuration”. Scroll down to AUTOMATIC_UPDATES. You can set updates to “none”, “hourly” or “daily”. The default is “daily”.

How can I set AED to only update the rules and not AED itself?

  • If you only want AED to keep its rules and signatures up to date, but not to automatically upgrade AED itself, log into the AED GUI, click on the Configuration tab and then click on “AED Configuration”. Scroll down to UPDATE_TYPE and set it to “rules only”.

How do I upgrade AED?


How do I get firewall upgrades and updates?

  • To allow AED to download updates, please ensure that any firewall you use allows outbound connections to the following hosts on TCP port 443:

    • www.atomicorp.com
    • www2.atomicorp.com
    • www3.atomicorp.com
    • www4.atomicorp.com
    • www5.atomicorp.com
    • www6.atomicorp.com
    • www7.atomicorp.com
    • www8.atomicorp.com
    • updates.atomicorp.com

  • Atomicorp's server pool grows to accommodate increasing demand. As a result, the IP addresses change often, and for that reason we do not publish a list of IPs: doing so would cause problems for any sites that hard-coded them. Be sure to monitor this FAQ, as it contains the currently valid list of hosts.

  • You will also need to make sure that you allow DNS queries outbound, as AED will lookup the list of current update servers to download updates from.

  • Please see the AED firewall documentation page for information about configuring the AED firewall. By default, AED will not block anything outbound, so if your server is having problems connecting out this is either because you are blocking the port through the AED firewall, you have another firewall that is doing this (either on the server or upstream), or you are experiencing network connectivity issues.

I cannot connect to the update server?

  • This can happen for a number of reasons due to configuration and network issues on your server, on your local network or upstream. This list includes the most common reasons, but is not a complete list. Please contact your network provider with connectivity issues, and your OS provider for OS configuration assistance.

    • DNS is not configured correctly on your system - If you do not have DNS correctly configured on your system, updates will fail. One simple way to test this is to run this command:

      nslookup www.atomicorp.com
      

    • No network connectivity - Check to make sure your system has network connectivity. We know this sounds fairly obvious, but we’ve had cases where the issue was that the system's network was either not started or was misconfigured, so it wasn't properly connected to a network.

    • Routing misconfigured - Check to make sure you can connect to our servers. Run this command as root on the server:

      openssl s_client -host www.atomicorp.com -port 443
      

      If you can connect to our servers you will see output similar to this:

      CONNECTED(00000003)
      depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
      verify return:1
      depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287
      verify return:1
      depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Virginia, businessCategory = Private Organization, serialNumber = 0697126-1, C = US, ST = Virginia, L = Chantilly, O = ATOMI CORP., CN = www.atomicorp.com
      verify return:1
      

      If you do not see this, then you are not connecting to our servers, and you have either a routing problem or a firewall problem.

    • Firewall blocking connections - Check to make sure it's not your firewall that's blocking the connection. The simplest way to do this is to temporarily disable your firewall:

      1. If you are using the AED firewall, run this command:

        /etc/init.d/asl-firewall stop
        
      2. If you are using some third party firewall the command below may disable it, but check with your firewall vendor for assistance with disabling your firewall:

        /etc/init.d/iptables stop
        

      Note

      To re-enable either of these change the command “stop” to “start”.

    • Upstream router or firewall blocking connections - If it's none of these, then someone may be blocking your connections upstream. Please contact your network provider for assistance.
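The checks in this list can be driven from a script. The following is an added example, not Atomicorp's own tooling, that walks the same layers in order for each update host (name resolution, a TCP connection on port 443, then a fully verified TLS handshake, which is what the openssl s_client command above does by hand) and reports which layer failed, so a DNS problem can be told apart from a routing or firewall problem and from a certificate trust problem. The host list and port are the ones in this FAQ; the timeout and the step labels are the example's own choices.

```python
"""Added example (not Atomicorp's tooling): classify why an AED update host is
unreachable by probing DNS, TCP and verified TLS in the order the FAQ suggests."""
import socket
import ssl

# Hosts and port from the FAQ's outbound allow-list (two of the listed names).
UPDATE_HOSTS = ["www.atomicorp.com", "updates.atomicorp.com"]
UPDATE_PORT = 443

# Exception types that mark the FAQ's individual troubleshooting steps.
DNS_ERROR_TYPE = socket.gaierror                  # step: DNS not configured
TLS_VERIFY_ERROR_TYPE = ssl.SSLCertVerificationError  # reached server, chain did not verify


def classify_error(exc):
    """Map an exception raised by probe_host() to the FAQ troubleshooting step."""
    if isinstance(exc, DNS_ERROR_TYPE):
        return "dns"            # name did not resolve: check resolv.conf / DNS
    if isinstance(exc, TLS_VERIFY_ERROR_TYPE):
        return "tls-verify"     # connected, but not to a server we trust
    if isinstance(exc, ssl.SSLError):
        return "tls"            # handshake broke for another reason (interception?)
    if isinstance(exc, (socket.timeout, ConnectionRefusedError, OSError)):
        return "tcp"            # routing problem, or a firewall dropping/rejecting
    return "unknown"


def probe_host(host, port=UPDATE_PORT, timeout=5.0):
    """Resolve, connect and complete a verified TLS handshake; never raises."""
    result = {"host": host, "step": "ok", "error": None, "peer_cn": None}
    try:
        # Step 1: DNS. getaddrinfo raises socket.gaierror when resolution fails.
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
        # Step 2: TCP reachability on 443 (timeouts/refusals surface here).
        with socket.create_connection(addr[:2], timeout=timeout) as raw:
            # Step 3: TLS with chain and hostname verification, as s_client shows.
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(x[0] for x in cert.get("subject", ()))
                result["peer_cn"] = subject.get("commonName")
    except Exception as exc:  # classified rather than swallowed
        result["step"] = classify_error(exc)
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def diagnose(hosts=UPDATE_HOSTS):
    """Probe every update host; a 'step' other than 'ok' names the failing layer."""
    return [probe_host(h) for h in hosts]


if __name__ == "__main__":
    for r in diagnose():
        print(r)
```

A result with step "dns" points at the nslookup check above, "tcp" at routing or a firewall (local, AED or upstream), and "tls-verify" at a missing CA bundle or an intercepting proxy; only "ok" means the update download itself can proceed.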

Where is the license manager?


How can I reset my license manager password?

  • To reset your license manager password, please follow this process:

    1. Please visit this page to reset the license manager password.
    2. Now change your license manager password in AED

Note

Remember to update your license manager password in AED. If you do not do this, AED will no longer be able to download updates!


How can I reset my support portal account password?


How can I update my license manager password in AED?

  • Your license manager username and password are used to log into the Atomicorp servers to download updates. These are not to be confused with your AED GUI username and password, which is used to log into your AED GUI.

    If you change your license manager password, you will need to change those credentials in AED as well, otherwise AED won't be able to download updates!

    Your license manager username and password credentials are only used by AED itself to log into the Atomicorp servers to securely download updates for your system.

  • This process is only to change the internal credentials used by AED to log into the Atomicorp servers.

    Step 1) Log into the AED GUI

    Step 2) Click on Configuration

    Step 3) Click on AED Configuration

    Step 4) In the “Authentication Information” section, check to make sure the USERNAME and PASSWORD variables are set to your license manager credentials. Those are the credentials you use to log into the license manager.

    Step 5) Then click the “Update” button to update your configuration.


How can I reset my AED GUI password(s)?

  • Run the following command as root:

    /var/asl/bin/asl-web-passwd <your user name>
    

Note

Your AED GUI username and password are only used to log into your AED installation. These are not to be confused with your License Manager credentials, which are used by AED itself to log into the Atomicorp servers to securely download updates for your system. This procedure does not change your License Manager credentials.


How can I create new accounts in the AED GUI?

  • Run the following command as root:

    /var/asl/bin/asl-web-useradd <new user name>
    

Note

Your AED GUI username and password are only used to log into your AED installation. These are not to be confused with your License Manager credentials, which are used by AED itself to log into the Atomicorp servers to securely download updates for your system. This procedure does not change your License Manager credentials.


What is the default username and password for AED Web?

  • The default username and password are your license manager credentials that you created when you signed up for a license. We recommend you change this password to something unique that you will remember.

    You can also generate usernames and passwords by running this command as root:

    /var/asl/bin/asl-web-setup
    

    And you can also create and configure user accounts from inside the AED GUI.


How can I change the port tortixd listens on?

  • Manually change the port number on this line:

    Listen 30000
    

    In the following file:

    /var/asl/etc/httpd/conf.d/ssl.conf
    

Does AED modify /etc/hosts.deny?

  • Yes, as part of active response (when enabled) AED will automatically add attackers IPs to /etc/hosts.deny. AED will only add deny entries. It will not and can not add allow entries. If AED is configured to expire shuns it will also automatically remove these IPs once the shun period has passed.

Does AED modify /etc/hosts.allow?

  • No.

I want to have greylisting. What do I do?

  • Greylisting, along with the ClamAV and SpamAssassin packages installed below, is freely available from the atomic repository. These packages are not part of AED and are not supported through an AED license. If you need support for these packages contact sales@atomicorp.com and we can put together a custom support package for you. Follow the process below:

    Step 1) Install ClamAV and SpamAssassin by running the following command:

    yum install clamd spamassassin
    

    Step 2) Edit required_hits in /etc/mail/spamassassin/local.cf if you want to change the default tagging threshold (default is 5).

    Step 3) Install qmail-scanner by running the following command:

    yum install qmail-scanner
    

    Step 4) Edit SA_DELETE in /etc/qmail-scanner.ini if you want to delete mail.

    Step 5) Install Pyzor, Razor, and DCC for SpamAssassin by running the following command:

    yum install pyzor razor-agents dcc
    

    Step 6) Install greylisting by running the following command:

    yum install qgreylist
    

    Step 7) Start Clamd and SpamAssassin by running the following commands:

    service clamd start
    service spamassassin start
    

    Step 8) Reconfigure qmail-scanner to make sure it uses all your custom settings by running the following command:

    qmail-scanner reconfigure
    

    Step 9) Make sure Clamd and SpamAssassin are started at boot time by running the following commands:

    chkconfig --level 345 clamd on
    chkconfig --level 345 spamassassin on
    

How do you view/find/install the extra modules/areas for statistics reporting?

  • Atomic Scanner is a separate project which is not available in the stable repository yet and is not currently supported. You can install the atomic-scanner package from the testing repository.

vmware-tools will not compile

  • On older Linux distributions, such as EL5 and Centos 5, VMWare(TM) has compiled its product using an older compiler. AED uses a newer and up to date Linux kernel, and these newer kernels must be compiled using modern compilers. For example, certain features in the kernel require a newer compiler to build and work correctly, such as the new KERNEXEC protections, which can only be built using a modern compiler. Older compilers do not support the plugin structure that this and other newer kernel features require.

    When VMWare's module compiler script tries to compile the VMWare modules against one of these modern kernels it may fail if VMWare has used an older compiler for their product. Their script expects the system to have the same version of the compiler installed as was used to compile the kernel. Older versions of RHEL and Centos, versions 4 and 5, do not include these newer compilers. So the system will have a modern kernel installed, but not the corresponding compiler used to build it.

    Solutions (in order of ease and least impact to system):

    1. Use VMWare's official open-vm-tools - VMWare also makes available a package called “open-vm-tools” that will build and work correctly with a newer kernel, using an older and different compiler. You can download the source code from this site:

    2. Upgrade your compiler - If you wish to use vmware-tools instead of VMWare's open-vm-tools, then you must upgrade your system to the same version of the compiler used to compile the kernel. Unfortunately, neither Redhat nor Centos provide modern compilers for RHEL 5 and Centos 5. Upgrading your compiler on these older platforms may require heavy modification to your system, as other components (tool chains, for example) will need to be upgraded as well, and this can have adverse effects on the system. Upgrading your compiler is beyond the scope of support Atomicorp can provide for VMWare's product. Contact VMWare for assistance or use VMWare's open-vm-tools (option 1), which provides the same functionality.

    3. Use our RPM of open-vm-tools - We provide, as a courtesy, the open source open-vm-tools (VMWares official open source vmware tools package) in the AED repository as an RPM for currently supported platforms. This package is not supported by Atomicorp.

      You can install that by running the following command:

      yum install --enablerepo=tortix-kernel open-vm-tools
      

/usr/bin/vmware-config-tools.pl

  • If VMWare tools will compile, but you get an error from VMWares tools that it can not find kernel headers, you simply need to install them. Run this command as root to install the kernel source and headers:

    yum -y install kernel-headers kernel-devel
    

  • If you have previously installed both, and VMWare is complaining that it can not find the source for the kernel, you simply need to upgrade the kernel-devel package. Run this command as root to do this:

    yum -y upgrade kernel-headers kernel-devel
    

  • If your system does not install anything with either of these commands, check to make sure a third party has not excluded kernel updates from being installed on your system.

What is included in the open-vm-tools?


Why does Linux report that all memory is in use?

Note

This FAQ article is not about AED, it is about all Linux based systems. This characteristic of Linux based systems is universal to all Linux systems, not just systems running AED.

  • Memory is almost infinitely faster than reading from a hard disk, so modern high performance operating systems, such as Linux, will cache things into memory when they are read from disk. Over time, you should see a Linux system (via some tools) report almost 100% “memory utilization” regardless of how much memory is actually needed by a process or how much memory is installed in the system. This can be a little strange to users that are new to Linux and come from operating systems that do not cache (such as Windows); however, this is normal and is good for the system, as it actually makes it much faster. This does not mean your processes are using up all the memory the system has; this is simply modern caching, which all modern Linux kernels do.

  • Why Linux does this:

    • Hard drives are slow. Even the fastest hard drive is never even close to the speed of RAM. If hard drives were fast, we wouldn't need RAM. So we load programs into memory. As memory has gotten cheaper, and performance demands have increased, operating system vendors have increased the use of RAM over reading from hard drives to improve performance. One way they do this is by caching “reads” from the hard drive (they cache other things too). In the case of cached reads, the operating system temporarily stores information it has been asked to read from the hard drive in memory. This makes it much faster the next time the operating system wants to “read” that information: it doesn't have to go back to the hard drive to get it, it can get it from memory, which results in a huge performance increase.

    • Caching is different from process utilization. Actual memory in use by processes, or process utilization, which will be discussed more below, is different from caching. Modern operating systems will use memory for processes (actual use), and also to “cache” things that they have accessed from disk. Most users are familiar with process utilization, which is what may cause them to think that Linux is “using up all their memory”, when in reality the amount of memory in use by processes may be considerably less than the memory reported as in use.

      It is the latter use of memory, caching, that typically “uses” up the memory on the system and creates this illusion that all memory is in use. This memory is actually not “in use”, or prevented from being used by other processes on the system. It's really “free memory”: the moment a process needs this memory the cached information is dropped and made available to the application. So in reality, the system is “using” considerably less memory than it may appear to be using, because it's making use, temporarily, of memory that's not actually in use. It's really a very clever enhancement, and something all operating system vendors are implementing. As memory has continued to get cheaper, some products don’t even have hard drives anymore, and just use RAM; smart phones, for example, and even some modern tablets just use memory.

      So, to determine how much memory is actually being used by your processes (as opposed to all memory being used by processes and the cache), you will need to use a tool that can tell you how much memory is cached and how much is actually being used by your programs. One such tool is “free”. The application “top”, which is popular for looking at memory usage, is not a good tool for this, as it will incorrectly report that more memory is in use than is actually being used by processes.

  • Here is an example of using the “free” tool:

    free -m
    
                             total       used       free     shared    buffers     cached
    Mem:                     12002      10199       1803          0        573       8185
    -/+ buffers/cache:       1440      10562
    Swap:                    14015          0      14015
    

    In this example the total amount of memory in use is 10GB; however, 8GB of that is cached, so the system isn’t using 10GB of memory. Of the 12GB of memory on the system, just slightly under 10GB is actually free (1.8 GB isn't used at all, and 8GB is cached).

    This is very typical of a Linux based system, in that it's really using much less memory than some tools report, because of this use of cached reads.

    Remember that cached memory is always available to any program that needs it. So the memory is not “used”; it's just being temporarily taken advantage of, to make the system faster, because nothing else is using it. Linux will use the memory available on the system to cache information until a program requests it, at which time that cached data is dropped and the memory is made available to the application.
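The arithmetic in this entry can be scripted for monitoring so that a check alerts on process usage rather than on the misleading “used” column. The following is an added example, not Atomicorp's code, that parses the classic `free -m` layout quoted above (it uses that exact output as its constructed sample) and separates reclaimable buffers and cache from memory really held by processes; the function names are the example's own.

```python
"""Added example, not Atomicorp's code: parse the classic `free -m` layout
shown in the FAQ and separate page cache from memory really held by processes."""

# Constructed sample: the `free -m` output quoted in the FAQ entry above.
SAMPLE_FREE_M = """\
             total       used       free     shared    buffers     cached
Mem:         12002      10199       1803          0        573       8185
-/+ buffers/cache:       1440      10562
Swap:        14015          0      14015
"""


def parse_free(text):
    """Return {'mem': {...}, 'swap': {...}} of MiB values from `free -m` output.

    Handles the pre-3.3.10 procps layout (separate buffers/cached columns)
    that the FAQ shows.
    """
    header = None
    stats = {}
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "total":
            header = words
        elif words[0] == "Mem:" and header:
            stats["mem"] = dict(zip(header, map(int, words[1:])))
        elif words[0] == "Swap:" and header:
            stats["swap"] = dict(zip(header[:3], map(int, words[1:])))
        # The "-/+ buffers/cache:" line is derived; it is recomputed below.
    if "mem" not in stats:
        raise ValueError("no 'Mem:' line in input")
    return stats


def process_usage_mib(mem):
    """Memory held by processes: 'used' minus the buffers/cache the kernel can drop."""
    return mem["used"] - mem["buffers"] - mem["cached"]


def effectively_free_mib(mem):
    """What a new allocation could obtain: free plus reclaimable buffers and cache."""
    return mem["free"] + mem["buffers"] + mem["cached"]


def summarize(text):
    """Compact answer to 'is my memory really full?' for one `free -m` capture."""
    mem = parse_free(text)["mem"]
    used = process_usage_mib(mem)
    return {
        "total_mib": mem["total"],
        "reported_used_mib": mem["used"],        # what naive tools display
        "process_used_mib": used,
        "effectively_free_mib": effectively_free_mib(mem),
        "process_used_pct": round(100.0 * used / mem["total"], 1),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_FREE_M))
```

For the sample this yields 1441 MiB held by processes and 10561 MiB effectively free; the `-/+ buffers/cache:` line in the quoted output reads 1440 and 10562 only because `free` rounds each kB figure to MiB separately. On current procps the `free` output has an “available” column instead, taken from MemAvailable in /proc/meminfo, which is the better number to alert on because it also accounts for cache the kernel cannot drop.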


How can I find out what process is using swap?

  • Swapping in Linux is handled by the kernel: all Linux kernels will pull things out of memory and write them to the disk swap based on need, depending on how much memory you have, the swappiness setting on the system, and so on. Therefore, it's not possible to find out which process is using swap; processes don't use swap, the kernel writes memory pages to swap as needed, and processes don't control this (although a process can request memory that is not “swapped” out to disk). Linux will also use swap and memory to cache file reads; over time all Linux kernels will use 100% of memory to cache as much as possible. Memory is almost infinitely faster than disk, so this is how modern high performance operating systems work. You should see near 100% memory utilization on all modern Linux kernels over time, regardless of how much memory is actually needed by a process. This does not mean your processes are using up all the memory the system has; this is simply modern caching, which all modern Linux kernels do.

    If you have additional questions about Linux swap you may want to ask your Operating System vendor.


How are malware domains aged out?

  • The actual algorithm is sensitive information and we can’t go into the specifics, as that would give the bad guys an advantage to game the system. The short answer is that infected domains are aged out depending on the extent to which the domain is still serving malware (more on this in a moment; it is actually pretty difficult to prove that a domain is not serving malware), whether it has been seen in other malware, past experience with the domain, IP range or network, and the sophistication of the malware. Some sites are long term sources of malware and act as “clearing houses” for attackers, others may simply be victims of a compromise that clean up their systems the same day, and others may be negligent operators that don’t care. For this reason the process varies depending on a number of characteristics.

    It's important to remember that all Internet based malware scans are incomplete, regardless of the technology used: the system itself is not being scanned, merely its publicly discoverable resources. Attackers can hide malware in orphaned URLs, they may use authentication to hide the malware from all crawlers, the malware may behave differently if connected to via a crawler or a browser, it may require a special cookie to reveal itself, they may encrypt or obfuscate it, and they may simply take the malware or domain down for a few days or weeks in the hope of being delisted by simple scanners.

    For this reason we do not use a naive algorithm that simply removes malicious domains based on simplistic criteria. Our first priority is to help our customers protect their systems; if a domain has been serving malware it's a good idea to treat it with kid gloves. If you know the domain is safe, you can always whitelist that domain.

    The best way to delist a domain that's on our malware lists is to contact us politely. If you need our help, just ask. If we can get in contact with the domain owner we can determine more clearly whether the domain is no longer infected; otherwise domains are aged out based on the criteria described above.


How are malware domains added?

  • They are collected from our honeypots.

Do you use third party malware domain lists?

  • No, but we do share our information with other projects.

    You can use the Google Safe Browsing lists with ClamAV, which is an excellent third party malware list. AED enables this by default in ClamAV. False positives on the Google lists should be reported to Google.


How are spam domains added?

  • They are collected from our honeypots.

How are spam domains aged out?

  • The actual algorithm is sensitive information and we can’t go into the specifics, as that would give the bad guys an advantage to game the system. The short answer is that spam domains are aged out depending on the extent to which the domain is still serving spam and the nature of the spam that's served, past experience with the domain, IP range or network, and the sophistication of the spamming attack captured on the honeypots. Some sites, networks and IPs are long term sources and hosts of spam, others may simply be victims of a compromise or some form of multi-system spamming attack that clean up their systems the same day, and others may be negligent operators that don’t care. For this reason the process varies depending on a number of characteristics.

    For this reason we do not use a naive algorithm that simply removes spam domains based on simplistic criteria. Our first priority is to help our customers protect their systems; if a domain has been used as part of a spamming attack, and is actually serving up spam (we don’t block so called “joe job” spams), it's a good idea to treat the domain as a spam source.

    The best way to delist a domain is to contact us. If we can get in contact with the domain owner we can determine more clearly whether the domain is no longer part of a spamming operation; otherwise domains are aged out based on the criteria described above.


Do you use third party spam domain lists?

  • No, but we do use other sources, and we share our information with other projects.

Both atomic and asl yum channels are enabled, is this normal?

  • That depends. AED does not need the atomic channel and will not install or enable it. If the atomic channel is enabled on your system then someone enabled this yum channel; you do not need it for AED. In general it's perfectly safe to run both channels (we do).

    The atomic yum channel is our open source yum repository. All the software in the atomic yum repository is unsupported and provided as is, with no warranty. If you have issues with software in the open source atomic channel please post your questions in the General Help forums: https://www.atomicorp.com/forums/viewforum.php?f=1&sid=56518c30b96faf5235e2f4ef5e902d11

    Software in asl channels is fully supported. If you require assistance with AED software please send a support request to support@atomicorp.com.


What are the IPs AED will use to update itself?

  • You will want to allow access to www0 through www6.atomicorp.com. The IPs for these hosts may change in the future.

I can’t upload files via web

  • Check and make sure you haven't run out of drive space. This may seem like an obvious and simple problem that one wouldn’t easily overlook, but we’ve had a number of cases where users set up /tmp partitions and filled them up. If you fill up your /tmp partition Apache won’t let you upload anything! That's not an AED issue, that's Apache, and it's right: there's no place to put the file.

    AED will log this event, but since AED isn’t designed to report when you run out of drive space it will detect this as a pretty major error and a broken connection with your HTTP session, which will look like this:

    [Fri Oct 01 17:33:21 2010] [error] [client xxx.xxx.xxx.xxx] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "38"] [id "340152"] [msg "Request Body Parsing Failed. Multipart parsing error: Multipart: writing to "/tmp/20101001-173321-8ZuEbMzo8r8AABWjEW8AAAAe-file-NvPOwz"
    failed: check your application or client for errors, this is not a false positive."] [severity "NOTICE"] Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_PROCESSOR_ERROR" required.
    [hostname "www.example.com"] [uri "/horde/imp/compose.php"] [unique_id "8ZuEbMzo8r8AABWjEW8AAAAe"]
    

    This means that you ran out of drive space in /tmp.
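When this message shows up in volume it is worth telling it apart from a genuine body-parsing attack automatically. The following is an added example, not Atomicorp's code, that splits a ModSecurity error-log line like the one above into its bracketed fields, recognises the multipart write failure that a full /tmp produces, and checks the free space on the directory the WAF was writing to. The sample line is the one quoted in this entry, joined back onto a single line; the function names are the example's own.

```python
"""Added example, not Atomicorp's code: parse a ModSecurity error-log line,
flag the "Multipart: writing to ... failed" event a full /tmp produces, and
report free space on the filesystem the WAF tried to write to."""
import os
import re
import shutil

# Constructed sample: the FAQ's log line, joined onto one line.
SAMPLE_LINE = (
    '[Fri Oct 01 17:33:21 2010] [error] [client xxx.xxx.xxx.xxx] ModSecurity: '
    '[file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "38"] [id "340152"] '
    '[msg "Request Body Parsing Failed. Multipart parsing error: Multipart: writing to '
    '"/tmp/20101001-173321-8ZuEbMzo8r8AABWjEW8AAAAe-file-NvPOwz" failed: check your '
    'application or client for errors, this is not a false positive."] [severity "NOTICE"] '
    'Access denied with code 400 (phase 2). Match of "eq 0" against '
    '"REQBODY_PROCESSOR_ERROR" required. [hostname "www.example.com"] '
    '[uri "/horde/imp/compose.php"] [unique_id "8ZuEbMzo8r8AABWjEW8AAAAe"]'
)

# [key "value"] pairs. Non-greedy up to the next "] so the quoted path inside
# the msg text does not terminate the field early.
FIELD_RE = re.compile(r'\[(\w+) "(.*?)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')       # client field is unquoted
WRITE_FAIL_RE = re.compile(r'Multipart: writing to "([^"]+)" failed')


def parse_modsec_line(line):
    """Return the bracketed fields (file, line, id, msg, severity, uri, ...) as a dict."""
    fields = dict(FIELD_RE.findall(line))
    m = CLIENT_RE.search(line)
    if m:
        fields["client"] = m.group(1)
    return fields


def failed_write_path(fields):
    """Path ModSecurity could not write to, or None if this is some other event."""
    m = WRITE_FAIL_RE.search(fields.get("msg", ""))
    return m.group(1) if m else None


def free_bytes(directory):
    """Free space on the filesystem holding `directory`, or None if it is absent."""
    try:
        return shutil.disk_usage(directory).free
    except FileNotFoundError:
        return None


def diagnose_line(line):
    """Summarise one log line; 'failed_path' set means 'check free space there'."""
    fields = parse_modsec_line(line)
    path = failed_write_path(fields)
    report = {
        "rule_id": fields.get("id"),
        "client": fields.get("client"),
        "uri": fields.get("uri"),
        "failed_path": path,
        "free_bytes": None,
    }
    if path:
        report["free_bytes"] = free_bytes(os.path.dirname(path))
    return report


if __name__ == "__main__":
    print(diagnose_line(SAMPLE_LINE))
```

Rule 340152 also fires for malformed uploads sent by a real client, so the path match, not the rule id, is the discriminator; a near-zero free_bytes for /tmp confirms the disk-full explanation, while plenty of free space means the client or application is at fault as the message says.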


Do you have pre-defined access policies , or do we have to configure these policies?

  • Yes, currently we use Trusted Path Execution (TPE), and the untrusted users group by default. Members of the untrusted users group can only execute commands owned by root. In addition non-root users can only see processes owned by them. Grsec has an additional RBAC and Process ACL system available.

Does AED include SELinux?

  • Yes. SELinux is available in the AED kernel.

    AED also includes a powerful self-learning Role Based Access Control (RBAC) system designed by the grsecurity project that is superior to SELinux. This RBAC was designed to account for weaknesses in SELinux, and our company provides funding to the grsecurity project for it, so we recommend you use the RBAC system in AED if you need the same capabilities as SELinux.

    However, if you wish to use just SELinux AED will work with SELinux just fine.


If predefined can you give us a sample policy that mitigates the critical server file access when mod_perl is called via a client, or in other words how hard is your tuning. (intrusion log..etc)?

  • TPE would automatically prevent an untrusted user, such as apache, from executing commands owned by apache. It would log to syslog, an example entry follows:

    Nov 11 14:53:10 server4 kernel: grsec: From 10.249.64.1: denied untrusted exec of /tmp/w00t by apache [uid/eid: 48/48] /home/httpd/vhosts/testhost.atomicorp.com/httpdocs/modules/phpBB/index.php
    

I’m seeing files owned by apache in /tmp

  • If you see files with names like this:

    tmp/dos-218.254.50.104
    

    That are very small and only contain an integer (for example, the contents of the file tmp/dos-218.254.50.104 are “2671” or some other number), then you can ignore these files. These are lock files used by the web DOS protection system in AED.

  • If you see files with names like this:

    tmp/20120314-104701--CliB38AAAEAAEehOeMAAAAA-file-Y6rewB
    

    These are temporary files generated by Apache as a user uploads a file, via Apache, to the system. Generally Apache will clean up these files within a few seconds once the file is scanned by the WAF, but if you see them accumulating on your system you may have MODSEC_KEEPFILES set to “on”. This means that the AED WAF will keep any file it has been asked to scan, regardless of whether the file is allowed to be uploaded to the system or not.


Why do they call it Europe?

  • Because it's a beautiful name. And it's local, to some of us. (This is also why, if you look carefully in AED, you'll see we consider 127.0.0.0/8 to be in the EU. It's an Easter Egg. And no, AED won't block 127.0.0.1 if you block the EU; we always whitelist localhost.)

    Yes, we have a sense of humor too, and we hope this FAQ has been helpful, but if you still require assistance after reading this FAQ please don’t hesitate to contact support. We’re here to help, and hopefully to put a smile on your face as well.