Atomic Endpoint Defender Server Prerequisites

Operating System

  • AED is tested on up-to-date versions of the supported operating systems. This means that you will need to have all vendor patches installed for AED to work correctly. The supported operating systems are:

    • CentOS 6/7

    • RedHat 6/7

    • CloudLinux 6/7

    • Amazon EC2 (We support RHEL and CentOS EC2, we do NOT support AMI and other custom distributions)

      Note

      AED will not install on a system that is missing vendor updates, and will generate an alert during the installation process.

  • Third Party Modifications to the OS

    Note

    Third Party modifications to operating system (OS) files are not supported. For example, third party replacement of glibc would not be supported.


Hardware

  • Memory: AED requires at least 2 GB of memory. 4 GB of memory is highly recommended to make use of all of AED's features.
  • CPU: AED does not require a particular CPU model; however, the use of 64-bit CPUs is highly recommended.

File Systems

Minimum free disk space requirements per partition:

Directory    Minimum Free Space Required
/var         Varies (see note below)
/usr         500 MB
/tmp         10 MB (see note below)
/etc         100 MB
/boot        30 MB (see note below)

Note

/var AED follows the Linux standard of using /var for all logs. AED will keep records for as long as you desire, so the minimum disk space requirement depends on your data retention requirements. You should monitor disk usage on your database and /var partitions and be prepared to add more space based on the event volume of your system. If you run out of space in /var, the AED web console may not work correctly, and other parts of AED may fail as well. AED also records other events, such as file changes and software updates, in a special monitoring system; this data is also stored in /var. Please see the AED FAQ for details on tuning this system should you wish to use less disk space for it. Please see the AED configuration page for the settings that control how many days of data AED keeps in the database and in the stored logs in /var/asl: https://www.atomicorp.com/wiki/index.php/AED_Configuration

Note

/boot Warning: the 30 MB minimum is just that, a minimum. It is the free space necessary to install the AED kernel (which currently uses approximately 15 MB of disk space) and to provide some additional space for a possible upgrade of that kernel. When upgrading kernels, AED will attempt to retain the kernels previously installed on the system, in case there is a need to use an older kernel. On systems where /boot lacks space, it may not be possible to install newer kernels or to keep older ones. Red Hat recommends that /boot be set to a minimum of 250 MB to ensure there is adequate space to install and retain kernels. If your system only has 30 MB available, you should expect to run into disk space issues on /boot in the future; at best you may only be able to install 2 kernels. We highly recommend increasing the size of /boot so that additional kernels can be installed, giving you both maximum flexibility and a fallback to earlier kernels should you run into an issue with a different kernel.

Note

/tmp Your operating system uses /tmp to process temporary files. For long-term use of AED and the operating system, /tmp should be as large as your OS requires. The actual amount of space needed in your /tmp partition will vary substantially depending on what you are doing with your OS. AED needs some free space in /tmp for installation and may use /tmp as part of its ongoing activities. However, this partition is primarily used by your OS, not AED, and a full /tmp partition may have very adverse effects on your OS. Please contact your OS vendor for assistance with sizing your /tmp partition to meet your OS's needs.

  • AED will log and record security events on the system. The amount of space required for this will vary depending on the amount of events that occur on your system. AED will record all of its events in the /var partition. Therefore, you should have adequate free space available in the /var partition for your system. We recommend at least 5GB of space in this partition, but this is a minimum. You should allocate more space if you intend to keep logs for extended periods of time. You may need to increase this depending on the amount of events that occur on your system and the archive period you have set in your AED Configuration.
  • AED components will be installed in the /boot, /usr, /etc and /var partitions. A minimum of 100MB of free space is required to install AED, and additional space is required in /var as described above.
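
The following preflight script is an added example and is not part of the AED documentation or the AED installer. It turns the free-space table and the 5 GB /var figure above into a check that a practitioner can run before installing: it parses `df -Pk` output (the POSIX format, so it works on CentOS 6 and 7), resolves each directory to the partition that actually holds it, fails any partition below the page's minimum, and warns when /boot is below the 250 MB Red Hat recommends. The sample `df` output at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not part of the AED documentation: a preflight check that
# compares free space on the partitions AED uses against the minimums in the
# table above. It parses `df -Pk` output, so it runs unchanged on CentOS 6/7.

# Minimums in MB, from this page. /var uses the 5 GB figure given for event
# storage; /boot uses the 30 MB minimum, and anything under the 250 MB that
# Red Hat recommends is reported as a warning rather than a failure.
AED_MIN_MB="/var:5120 /usr:500 /tmp:10 /etc:100 /boot:30"
BOOT_RECOMMENDED_MB=250

# free_mb_from_df DF_OUTPUT PATH
# Prints free megabytes for the filesystem holding PATH. A directory without
# its own partition (e.g. /usr on the root filesystem) resolves to the
# longest mount point that is a prefix of PATH. Exit 1 if nothing matches.
free_mb_from_df() {
    printf '%s\n' "$1" | awk -v path="$2" '
        NR == 1 { next }                        # header line
        {
            mp = $6
            if (mp == "/" || mp == path || index(path, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; avail = $4 }
            }
        }
        END { if (best == "") exit 1; printf "%d\n", avail / 1024 }'
}

# check_partitions DF_OUTPUT
# Prints one status line per directory and returns the number of hard failures.
check_partitions() {
    failures=0
    for spec in $AED_MIN_MB; do
        dir=${spec%%:*}
        min=${spec##*:}
        if ! free=$(free_mb_from_df "$1" "$dir"); then
            echo "WARN $dir: no filesystem found in df output"
            continue
        fi
        if [ "$free" -lt "$min" ]; then
            echo "FAIL $dir: ${free} MB free, AED needs at least ${min} MB"
            failures=$((failures + 1))
        elif [ "$dir" = /boot ] && [ "$free" -lt "$BOOT_RECOMMENDED_MB" ]; then
            echo "WARN $dir: ${free} MB free; Red Hat recommends ${BOOT_RECOMMENDED_MB} MB to retain older kernels"
        else
            echo "OK   $dir: ${free} MB free"
        fi
    done
    return "$failures"
}

# Constructed `df -Pk` sample: /var is nearly full and /boot is small.
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda2         20511356  6200000  13264000      32% /
/dev/sda1           495844   411000     59000      88% /boot
/dev/sda3         10190136  9900000    180000      99% /var
tmpfs               508000        0    508000       0% /dev/shm'

# Run against the sample; on a live system use: check_partitions "$(df -Pk)"
check_partitions "$SAMPLE_DF" || echo "$? partition(s) below the AED minimum"
```

On the sample, /var fails (175 MB free against the 5 GB the page asks for), /boot passes the 30 MB minimum but draws the 250 MB warning, and /usr, /tmp and /etc fall back to the root filesystem. Replace the sample with live `df -Pk` output to check a real host; the return value is the number of failing partitions, so the script can gate an unattended install.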

Database

Supported Databases    Versions Supported
CentOS                 Supported with official versions
CentOS 7               MariaDB 5 and 10
Redhat                 RHEL 5, 6, and 7
Cloud Linux            CloudLinux 5, 6, and 7
CPanel                 MySQL 5.0, 5.1, 5.5

Note

AED is NOT tested or supported with other database versions than the ones documented above.

Configuring MySQL

  • Old Passwords: This option must not be enabled in MySQL. If the following option is present in your configuration, you must disable or remove it:

    old_passwords = 1
    
  • MySQL Root Credentials: You will need your MySQL root (superuser) credentials to install AED. Please note that if your system is set up to allow logins to your MySQL superuser account only from a specific IP, or from socket connections only, you will need to change this to allow superuser logins from the source IP address you configure AED to use. If you use 127.0.0.1 as your MySQL address (recommended), then AED will use 127.0.0.1 as its source IP. If you use a non-localhost IP, then you will need to configure mysql to use.

    Note

    On Plesk systems, the MySQL root name is changed by Plesk to “admin”. Please contact Parallels if you have questions.

  • Skip-name-resolve: If you have skip-name-resolve enabled in MySQL, then MySQL will not resolve "localhost", and network logins will always fail if MySQL is configured to allow superuser logins only from "localhost". Command line logins will still work, provided no host IP (127.0.0.1) is given, because MySQL treats "localhost" as the file socket only.

  • Query Caching: When using MySQL, query caching must be enabled. The following setting must be present for AED to perform correctly; failing to set it will significantly degrade the performance of AED and of the system. Add the following to /etc/my.cnf:

    query_cache_size=32m
    
    Note

    Restart MySQL at this point.

  • Skip-Networking: MySQL must not be started with --skip-networking. AED chroots itself and uses the localhost network socket to talk to MySQL, not the file system socket. Therefore, networking must be enabled in MySQL.

  • Max Connections: Setting this too low will cause unnecessary database timeouts and will adversely impact AED, including but not limited to shunning, the event reporting system, GUI, search engine and other database-driven elements of AED, as documented at the URL below:

    https://www.atomicorp.com/wiki/index.php/AED_error_messages#OSSEC-dbd_Reports:_Lost_connection_to_MySQL_server_during_query

    This should be set, at a minimum, to the number of concurrent MySQL connections you would expect your MySQL server to handle at its busiest. If you continue to get lost connection errors, you will need to increase this limit. For example:

    max_connections = 2048
    
  • Wait Timeout: Setting this too low will cause unnecessary database timeouts and will adversely impact AED, including but not limited to shunning, the event reporting system, GUI, search engine and other database-driven elements of AED, as documented at the URL below:

    https://www.atomicorp.com/wiki/index.php/AED_error_messages#OSSEC-dbd_Reports:_Lost_connection_to_MySQL_server_during_query

    This should be set to 28800 or higher:

    wait_timeout=28800
    
  • Interactive Timeout: Setting this too low will cause unnecessary database timeouts and will adversely impact AED, including but not limited to shunning, the event reporting system, GUI, search engine and other database-driven elements of AED, as documented at the URL below:

    https://www.atomicorp.com/wiki/index.php/AED_error_messages#OSSEC-dbd_Reports:_Lost_connection_to_MySQL_server_during_query

    This should be set to 28800 or higher:

    interactive_timeout = 28800
    

    Note

    AED is tested with a standard MySQL installation with query_cache enabled as described above. If additional changes are made to the configuration of MySQL, they may result in sub-optimal performance of AED.

Warning

Inside your my.cnf file, make sure sql_mode does not include ONLY_FULL_GROUP_BY, as this will prevent OSSEC from operating.
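
The script below is an added example, not AED's own tooling. It audits the [mysqld] section of a my.cnf against every requirement in this section (old_passwords off, no skip-networking, query_cache_size set, max_connections set, both timeouts at 28800 or higher, and no ONLY_FULL_GROUP_BY in sql_mode) and returns the number of problems found. The two my.cnf files it writes are constructed: the first has every weak setting, the second is the corrected form; bind-address is not required by the page and is included only to keep the TCP listener on 127.0.0.1, the address the page recommends.

```shell
#!/bin/sh
# Added example, not AED's own code: audits the [mysqld] section of a my.cnf
# against the settings this page requires and prints one line per problem.
# The return value is the number of problems, so it can gate an install.

# mysqld_settings FILE -> "key=value" lines from [mysqld]; comments stripped,
# "-" in keys normalised to "_" (MySQL accepts skip-networking and
# skip_networking interchangeably).
mysqld_settings() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$1" | awk '
        /^\[/ { in_mysqld = ($0 == "[mysqld]"); next }
        in_mysqld && NF {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = split(line, kv, /[[:space:]]*=[[:space:]]*/)
            key = kv[1]; gsub(/-/, "_", key)
            print key "=" (n > 1 ? kv[2] : "")
        }'
}

# setting_value SETTINGS KEY -> prints the value; exit 1 if KEY is absent.
setting_value() {
    printf '%s\n' "$1" | awk -F '=' -v k="$2" '
        $1 == k { print $2; found = 1 }
        END { exit !found }'
}

# audit_mycnf FILE -> prints problems, returns their count.
audit_mycnf() {
    settings=$(mysqld_settings "$1")
    problems=0
    get()  { setting_value "$settings" "$1" 2>/dev/null || true; }   # "" if absent
    has()  { setting_value "$settings" "$1" >/dev/null 2>&1; }
    num()  { get "$1" | tr -dc '0-9'; }                             # digits only
    flag() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    [ "$(get old_passwords)" = 1 ] && flag "old_passwords=1 must be disabled or removed"
    has skip_networking && flag "skip-networking is set; AED talks to MySQL over 127.0.0.1, not the socket"
    case "$(get query_cache_size)" in
        ""|0) flag "query_cache_size is not set; the page uses query_cache_size=32m" ;;
    esac
    has max_connections || flag "max_connections is not set; size it to peak concurrent connections (page example: 2048)"
    n=$(num wait_timeout);        [ "${n:-0}" -lt 28800 ] && flag "wait_timeout must be set to 28800 or higher"
    n=$(num interactive_timeout); [ "${n:-0}" -lt 28800 ] && flag "interactive_timeout must be set to 28800 or higher"
    if get sql_mode | tr 'a-z' 'A-Z' | grep -q ONLY_FULL_GROUP_BY; then
        flag "sql_mode contains ONLY_FULL_GROUP_BY, which breaks OSSEC"
    fi
    return "$problems"
}

# Constructed my.cnf with every weak setting this page warns about.
WEAK_CNF=$(mktemp) && cat >"$WEAK_CNF" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
old_passwords = 1
skip-networking
sql_mode = "STRICT_TRANS_TABLES,ONLY_FULL_GROUP_BY"
wait_timeout = 600
interactive_timeout = 600

[mysqld_safe]
log-error=/var/log/mysqld.log
EOF

# Constructed corrected my.cnf. bind-address is not on the page; it only
# keeps the TCP listener on the 127.0.0.1 address the page recommends.
GOOD_CNF=$(mktemp) && cat >"$GOOD_CNF" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
bind-address = 127.0.0.1
query_cache_size = 32m
max_connections = 2048
wait_timeout = 28800
interactive_timeout = 28800
sql_mode = STRICT_TRANS_TABLES
EOF
trap 'rm -f "$WEAK_CNF" "$GOOD_CNF"' EXIT

echo "== weak my.cnf";      audit_mycnf "$WEAK_CNF" || echo "$? problem(s)"
echo "== corrected my.cnf"; audit_mycnf "$GOOD_CNF" && echo "no problems"
```

Point audit_mycnf at /etc/my.cnf to check a real host. The audit reads only the [mysqld] section, which is where mysqld takes these settings from; an absent timeout is reported because the page asks for an explicit value, and the sql_mode check is case-insensitive because MySQL accepts the flag in either case.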


Advanced

Virtual Private Servers (VPS)

Kernel: VPS systems that use Virtuozzo or OpenVZ will not have their own kernel (a VPS shares the host kernel). Therefore, there is no /boot free space requirement for a VPS, as the kernel will not be installed.

Firewall: Oftentimes, VPS providers limit firewall capabilities. If your firewall does not start, your container may be on a limited system. Please see this Odin KB article to configure your OpenVZ/Virtuozzo hardware node.

CPanel

If you do not have CPanel installed, you must have mod_unique_id installed for Mod Security to work correctly. Please contact CPanel support if you are not sure how to enable this feature on CPanel.

Support Software

Shell: AED does include some shell scripts. These scripts are written in “bash”. If the default shell on the system has been changed from bash to some other shell these scripts may not work correctly.

WGET: To install AED you must have a working copy of wget on your system, with working HTTPS support (this means that your version of wget supports SSL, which AED uses to download all the software it uses securely). AED will not install correctly without a working copy of wget as mentioned previously.

How to install WGET

  • As root run this command

    yum install wget
    
  • Test to make sure wget supports TLS/SSL by running the following:

    wget https://www.atomicorp.com/test-file.html
    
  • If your wget supports SSL it will download the file test-file.html, and if you examine the contents of the file you will see the following:

    If you can read this, your test worked.
    
  • If you do not see the sentence above, then your wget likely does not support SSL. If you see an error like this:

    HTTPS support not compiled in.
    

This means your system cannot securely download software, which is a serious vulnerability. You will need to contact the parties that have crippled your system for a solution to replace the crippled version of wget with a non-crippled version that supports SSL.

  • If you see an error like this:

    Resolving www.atomicorp.com... failed: Name or service not known.
    

This means your system does not have DNS set up, or otherwise cannot resolve our server. Please contact your hosting provider for assistance with DNS on your system.
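
As an added example (not from AED), the script below automates the wget check described above. It first reads wget's own feature list (wget 1.14 and later print "+https" or "-https" in `wget --version`; older builds such as the 1.12 shipped with CentOS 6 print no feature list), then runs the page's download test and classifies the two failure messages the page quotes. The two `wget --version` samples are constructed.

```shell
#!/bin/sh
# Added example, not from AED: checks whether the installed wget can fetch
# over HTTPS, first from its feature list and then with the download test
# the page describes. wget 1.14 and later print "+https" or "-https" in
# `wget --version`; older builds (CentOS 6 ships 1.12) print no feature
# list, so for them only the download test is conclusive.

# https_feature VERSION_OUTPUT -> prints yes, no or unknown
https_feature() {
    case "$1" in
        *"+https"*) echo yes ;;
        *"-https"*) echo no ;;
        *)          echo unknown ;;
    esac
}

# classify_wget_error STDERR_TEXT -> no-tls, dns or other, using the two
# messages quoted on this page.
classify_wget_error() {
    case "$1" in
        *"HTTPS support not compiled in"*)   echo no-tls ;;
        *"Name or service not known"*)        echo dns ;;
        *)                                    echo other ;;
    esac
}

# https_download_test [URL] -> 0 on success; 1 no TLS; 2 DNS; 3 other.
# -nv keeps errors visible, -t 1 -T 15 bounds the time spent on a dead link.
https_download_test() {
    url=${1:-https://www.atomicorp.com/test-file.html}
    if out=$(wget -nv -t 1 -T 15 -O /dev/null "$url" 2>&1); then
        echo "ok: fetched $url over HTTPS"; return 0
    fi
    case "$(classify_wget_error "$out")" in
        no-tls) echo "wget has no TLS support: $out"; return 1 ;;
        dns)    echo "name resolution failed: $out"; return 2 ;;
        *)      echo "fetch failed: $out"; return 3 ;;
    esac
}

# Constructed `wget --version` outputs in the two shapes described above.
SAMPLE_V114='GNU Wget 1.14 built on linux-gnu.

+digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/openssl'
SAMPLE_V112='GNU Wget 1.12 built on linux-gnu.'

# Run with --live to test the wget on this system; default uses the samples.
if [ "${1:-}" = --live ]; then
    echo "feature list says: $(https_feature "$(wget --version 2>/dev/null)")"
    https_download_test
else
    echo "1.14 sample: $(https_feature "$SAMPLE_V114"); 1.12 sample: $(https_feature "$SAMPLE_V112")"
fi
```

The feature list is the quick check, but the download test is the one that matters: it exercises the same HTTPS path the AED installer uses, and its return code separates a TLS-less wget (which the page says must be replaced) from a DNS problem (which is a hosting configuration issue).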

Third Party Software

OSSEC: Do NOT install OSSEC from third party sources. AED will replace and manage OSSEC on your system. If you have issues using or installing AED, you will need to uninstall this third party software or disable features in those products.

ClamAV: Do NOT install ClamAV from third party sources. AED will install the latest version of ClamAV on your system. If you are having issues using or installing, you will need to uninstall this third party software or disable features from those products.

Mod Security: Do NOT install Mod Security from third party sources. Do NOT enable Mod Security in CPanel. This will cause CPanel to overwrite the enhanced Mod Security and will cause duplicate rules to be installed on your system. Please uninstall any third party source of Mod Security before installing AED.

Note

If you are using Litespeed, you do not have Mod Security on your system. You may have a module from Litespeed that acts like Mod Security. You do not need this module, please remove it and follow the instructions HERE to setup Litespeed with the T-WAF. The T-WAF will fully protect Litespeed, as Litespeed does not support the full rule language and will leave your system vulnerable to attacks.

Firewalls: In Linux, you can only safely use one tool to manage your firewall. If you use multiple tools, they will conflict with each other. For this reason, if you use a third party firewall with AED, you cannot also use AED to manage your firewall.

Therefore, AED is NOT supported with any third party software that manipulates or manages the Linux firewall (iptables, ipset). This includes the following:

  • CSF
  • APF
  • Parallels
  • The iptables service (not the command line tools, just the service)
  • Firewalld
  • Any other firewall management tools

If you have any third party software of this nature installed you will need to:

  1. Uninstall this third party software before you install AED. If you cannot uninstall it, you must disable any firewall features in these products.
  2. Remove ALL firewall rules implemented by these products.

Additionally, you cannot use third party firewall management tools to manipulate the firewall on the system, for example fwbuilder.

If you want to use any third party firewall software with AED, then you must disable the AED firewall and active response. Please note that any firewall related issues will be unsupported.

Iptables Daemon

Disable the iptables service. Running the iptables service alongside AED will cause conflicts. To stop and disable the service, run the following commands:

service iptables stop
chkconfig --del iptables

If this service was enabled when you installed AED, you will experience problems with your firewall. The service needs to be disabled, as described above, and any remaining firewall rules flushed. Please follow the steps below:

  1. Run the two commands above

  2. Stop the AED firewall by running:

    service asl-firewall stop
    
  3. Flush any remaining firewall rules by running:

    rm /etc/asl/firewall/running.fw
    
  4. Restart the AED firewall by running:

    service asl-firewall start
    

Firewalld

Disable the firewalld service. You will not need to run the firewalld daemon service with AED. If the daemon is running it will cause conflicts, so please disable the service on your system by following the steps below:

  1. Run the following commands:

    service firewalld stop
    chkconfig --del firewalld
    
  2. Stop the AED firewall by running:

    service asl-firewall stop
    
  3. Flush any remaining firewall rules by running:

    rm /etc/asl/firewall/running.fw
    
  4. Restart the AED firewall by running:

    service asl-firewall start
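
The following preflight script is an added example, not part of AED or its documentation. It covers the conflict list above and the two remediation procedures: it reads `chkconfig --list` output, reports any of the conflicting services (iptables, firewalld, csf and its lfd daemon, apf) that are switched on in some runlevel, and with --live --fix applies the page's sequence (stop and remove the service, then stop the AED firewall, remove running.fw and start it again). The `chkconfig --list` sample is constructed, and the assumption that ConfigServer's csf runs an "lfd" service is mine, not the page's.

```shell
#!/bin/sh
# Added example, not part of AED or its documentation: reports firewall
# managers that this page lists as conflicting with AED, based on
# `chkconfig --list` output, and optionally applies the page's remediation
# (stop and remove the service, then flush and restart the AED firewall).
# On CentOS 7 chkconfig forwards native units to systemd, so also check
# `systemctl list-unit-files` there.

# Service names from the page. "lfd" is assumed to be the daemon that
# ConfigServer's csf installs next to the "csf" service.
CONFLICTING_SERVICES="iptables firewalld csf lfd apf"

# enabled_conflicts CHKCONFIG_OUTPUT
# Prints, one per line, the conflicting services switched on in any runlevel.
enabled_conflicts() {
    printf '%s\n' "$1" | awk -v list="$CONFLICTING_SERVICES" '
        BEGIN { n = split(list, names, " "); for (i = 1; i <= n; i++) want[names[i]] = 1 }
        ($1 in want) {
            for (i = 2; i <= NF; i++) if ($i ~ /:on$/) { print $1; break }
        }'
}

# fix_conflicts SERVICE... : the page's sequences, in order. Needs root.
fix_conflicts() {
    for svc in "$@"; do
        service "$svc" stop
        chkconfig --del "$svc"
    done
    service asl-firewall stop
    rm -f /etc/asl/firewall/running.fw      # flush rules left by the other tool
    service asl-firewall start
}

# Constructed `chkconfig --list` sample: iptables and lfd are on, firewalld off.
SAMPLE_CHKCONFIG='asl-firewall    0:off 1:off 2:on  3:on  4:on  5:on  6:off
crond           0:off 1:off 2:on  3:on  4:on  5:on  6:off
firewalld       0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables        0:off 1:off 2:on  3:on  4:on  5:on  6:off
lfd             0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# Usage: sh preflight.sh              report against the sample
#        sh preflight.sh --live       report against this system
#        sh preflight.sh --live --fix also apply the remediation (as root)
case "${1:-}" in
    --live) listing=$(chkconfig --list 2>/dev/null) ;;
    *)      listing=$SAMPLE_CHKCONFIG ;;
esac
found=$(enabled_conflicts "$listing")
if [ -z "$found" ]; then
    echo "no conflicting firewall services are enabled"
elif [ "${2:-}" = --fix ]; then
    fix_conflicts $found
else
    echo "conflicting firewall services enabled:" $found
fi
```

The report mode is safe to run on any host; the fix mode reproduces exactly the commands in the two procedures above and therefore needs root and a system where AED is already installed, since it restarts asl-firewall.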
    

Apache

AED is fully compatible with Apache 2.0, 2.2, and 2.4. AED will automatically install the WAF module into Apache for standard supported vendor Apache builds, and supported control panel builds.

PHP

Supported versions of PHP are our version, your OS vendor's official version, and cPanel's version built through EasyApache.

PERL

Supported versions of PERL are our version and your OS vendor's official version.

Note

Third party and source installs of PERL are NOT supported.

ConfigServer

AED does not support any ConfigServer products. If you have these on your system, they will need to be uninstalled prior to your installation of AED to ensure that AED installs correctly. We have more information on the ConfigServer products HERE.

Fail2Ban

fail2ban is not necessary and should not be used with AED. The use of fail2ban with AED may result in problems with your firewall, and could cause your system to be unreachable. If you have fail2ban installed on your system, uninstall it. Again, you will not need it with AED.