Monday, 26 November 2012 10:38
This release includes our new Advanced Firewall capabilities, including a vast new array of firewall Target & Condition flags for ASL kernel environments through the xtables-addons package. This package will be automatically installed once ASL has been upgraded to 3.2. The ASL updater is the recommended method to ensure the system is in sync with the recommended ASL release. Please see the Upgrade Instructions at the end of this announcement for full upgrade instructions and guidance.
Redhat 6, CloudLinux 6, and CentOS 6 platforms will need to be on a minimum of Release 6.3 to access necessary dependencies to upgrade to ASL 3.2.
Updating the WAF to 2.7.1 will require an update of existing rules to a 2.7.1 compatible format. ASL generated exceptions will automatically be updated to this format when the policy is updated by: /var/asl/bin/asl -s -f. Cpanel systems will also need to run "/scripts/easyapache --build" after running "asl -s -f".
Please see the Upgrade Instructions at the end of this announcement for full upgrade instructions and guidance.
New firewall targets:
- ACCOUNT target is a high performance accounting system for large local networks.
- CHAOS target causes confusion on the other end by doing odd things with incoming packets.
- CHECKSUM target allows you to selectively work around broken/old applications.
- DELUDE target will reply to a SYN packet with SYN-ACK, and to all other packets with an RST.
- DHCPMAC In conjunction with ebtables, DHCPMAC can be used to completely change all MAC addresses from and to a VMware-based virtual machine.
- DNETMAP allows dynamic two-way 1:1 mapping of IPv4 subnets.
- ECHO target will send back all packets it received.
- IPMARK allows you to mark a received packet based on its IP address.
- LOGMARK target will log packet and connection marks to syslog.
- RAWDNAT target will rewrite the destination address in the IP header, much like the NETMAP target.
- RAWSNAT target provides stateless network address translation.
- STEAL Like the DROP target, but does not throw an error like DROP when used in the OUTPUT chain.
- SYSRQ target allows you to remotely trigger sysrq on the local machine over the network. (This can be useful when vital parts of the machine hang.)
- TARPIT Captures and holds incoming TCP connections using no local per-connection resources.
- TEE target will clone a packet and redirect this clone to another machine on the local network segment.
New Match flags:
- condition - This matches if a specific condition variable is (un)set.
- dhcpmac - Matches the DHCP "Client Host" address (a MAC address) in a DHCP message.
- fuzzy - This module matches a rate limit based on a fuzzy logic controller (FLC).
- geoip - Match a packet by its source or destination country.
- gradm - This module matches packets based on grsecurity RBAC status.
- iface - Allows you to check interface states.
- ipp2p - This module matches certain packets in P2P flows.
- ipv4options - This module allows matching against a set of IPv4 header options.
- length2 - This module matches the length of a packet against a specific value or range of values.
- lscan - Detects simple low-level scan attempts based upon the packet's contents.
- psd - detect TCP and UDP port scans.
- quota2 - implements a named counter which can be increased or decreased on a per-match basis.
- pknock - Pknock match implements so-called "port knocking", a stealthy system for network authentication.
- Kernel update to 188.8.131.52
- WAF update to 2.7.1
- Tortix-waf update to 2.7.1
- Add the xtables-addons package for 184.108.40.206 kernel
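As an added example (not code from this announcement, from ASL, or from xtables-addons), the following Python sketch reproduces in user space the weighted distinct-port heuristic that the psd match applies in the kernel, run over constructed iptables LOG lines. The thresholds follow the xt_psd defaults as documented in xtables-addons (weight threshold 21, delay threshold 300 hundredths of a second, privileged ports weigh 3, other ports 1); treat those values, the log line layout, and every name in the block as assumptions made for the illustration.

```python
"""
Added example (not ASL's or xtables-addons' code): a user-space sketch of the
psd port-scan heuristic, run over constructed iptables LOG lines.
Threshold values are the xt_psd defaults as I understand them; verify them
against the xtables-addons(8) man page for the version you run.
"""
import re
from dataclasses import dataclass, field

WEIGHT_THRESHOLD = 21    # --psd-weight-threshold (assumed default)
DELAY_THRESHOLD = 3.0    # --psd-delay-threshold 300, given in hundredths of a second
LO_PORTS_WEIGHT = 3      # --psd-lo-ports-weight, destination ports <= 1024
HI_PORTS_WEIGHT = 1      # --psd-hi-ports-weight, destination ports > 1024

# Fields of a LOG line the heuristic needs: kernel uptime stamp, source, proto, dport.
LOG_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\].*?SRC=(?P<src>[\d.]+).*?PROTO=(?P<proto>TCP|UDP).*?DPT=(?P<dpt>\d+)"
)


@dataclass
class HostState:
    last_ts: float
    weight: int = 0
    ports: set = field(default_factory=set)


def parse_line(line):
    """Return (timestamp, src, proto, dport) or None for lines that are not LOG records."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return float(m["ts"]), m["src"], m["proto"], int(m["dpt"])


def detect_port_scans(lines):
    """Map each source whose weighted distinct-port count crossed the threshold to the
    timestamp at which it did. Later packets from an already flagged source are ignored."""
    state = {}
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _proto, dpt = rec
        if src in flagged:
            continue
        host = state.get(src)
        if host is None or ts - host.last_ts > DELAY_THRESHOLD:
            host = HostState(last_ts=ts)   # new sequence, or the delay window expired
            state[src] = host
        host.last_ts = ts
        if dpt in host.ports:
            continue                       # a repeated port adds no weight
        host.ports.add(dpt)
        host.weight += LO_PORTS_WEIGHT if dpt <= 1024 else HI_PORTS_WEIGHT
        if host.weight >= WEIGHT_THRESHOLD:
            flagged[src] = ts
    return flagged


def log_line(ts, src, dpt, proto="TCP"):
    """Build a constructed LOG line in the layout the kernel's LOG target prints."""
    return (f"[{ts:12.6f}] ASL-IN-DROP IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"LEN=60 TTL=52 PROTO={proto} SPT=44123 DPT={dpt} SYN URGP=0")


PORT_LIST = [21, 22, 23, 25, 53, 80, 110, 143]
SAMPLE_LOG = (
    # burst: eight privileged ports within 1.4 s from one host (weight reaches 21 at the 7th port)
    [log_line(100.0 + 0.2 * i, "203.0.113.7", p) for i, p in enumerate(PORT_LIST)]
    # ordinary client: two ports, far below the threshold
    + [log_line(100.1, "198.51.100.5", 443), log_line(100.5, "198.51.100.5", 80)]
    # the same ports 5 s apart: the window resets before any weight accumulates
    + [log_line(200.0 + 5.0 * i, "192.0.2.99", p) for i, p in enumerate(PORT_LIST)]
    + ["Nov 26 10:38:01 host sshd[123]: unrelated syslog line"]
)

if __name__ == "__main__":
    for src, ts in detect_port_scans(SAMPLE_LOG).items():
        print(f"port scan from {src} at t={ts:.1f}s")
```

The third sample host shows the design limit of a delay-window heuristic: probes spaced wider than the window never accumulate weight, which is why a match like psd is best paired with the log-based correlation the HIDS side provides rather than relied on alone.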
Additional new features:
- Add advanced firewall module
  - New logging capabilities for fast mode
  - New advanced portscan detection added
  - Updates to bad packet detection
  - Updates to Stateful Packet Inspection options
  - New firewall capabilities to block invalid packets
- Added WAF inline documentation
- Update to asl, update list modules help dialog
- Update to aum, add error messages to detect host resolution & timeouts w/ distributed update checks
- Update to aum, install firewall extensions for ASL kernel environments
- Update to hids_check, if ossec.conf is not detected, create it (hids_temlate_generate)
- Update to hids_check, only run whitelist check if config exists
- Update to kernel_check, add GID setup for grsec groups
- Update to cpanel build hook, link against /opt xml and pcre libraries
- Feature Request #117, ASL Web, add notes field to report false positives
- Feature Request #614, ASL Web, Auto-clear the cache, or use versioning to prevent caching when code changes
- Feature Request #708, automatically enable mod_uniqueid for cpanel
- Feature Request #712, add mod_evasive and mod_sed for source environments
- Feature Request #824, enable safebrowsing configuration in freshclam
- Feature Request #850, ASL Web, Create individual WAF rule score for reports - and not roll up into 60118
- Feature Request #861, ASL Web, Add "interface" column to firewall rules manager
- Feature Request #882, ASL Web, Add the autocomplete=off flag to the web login form on port 30000 as an option
- Feature Request #911, Add initial feedback on asl -u for yum events
- Feature Request #916, Add proxy support for FreshClam configuration
- Feature Request #924, ASL Web, Set timezone in ASL web console to system timezone
- Feature Request #927, AUM, replace wget with internal function
- Feature Request #937, mysql checks for load-infile
- Feature Request #938, added support to ssh_check to manage UseDNS
- Feature Request #939, add checks for telnet, rsh, rlogin. New function, check_open_port to test for open services
- Feature Request #946, check for cron scripts belonging to web server users
- Feature Request #948, Non-root UID 0 accounts check
- Feature Request #950, add checks for running syslog/rsyslog/klog daemons
- Feature Request #971, monitor tortixd in psmon.
- Feature Request #972, add support for generating Modsec 2.7 compatible rules
- Feature Request #964: If cpanel does not have mod_security2.so installed fix mode will restore it
- Feature Request #974: firewall, add drop & log for invalid packets
- Feature Request #976: enable syncookies in firewall by default
- Feature Request #XXX, Add service checks for: anacron, avahi-dnsconfd, canna, cups-config-daemon, FreeWnn, iiim, mDNSResponder, and sbadm (independent SSH daemon used by server beach)
- Bugfix #807, make vhost domain excludes case insensitive
- Bugfix #905, Duplicates Include conf.d/*.conf in httpd.conf
- Bugfix #915, fix for username/password support on yum w/ authenticated proxies
- Bugfix #926, ASL Web, FP reports on HIDS events not sending full event
- Bugfix #932, disabling local t-waf redirect does not clear rules
- Bugfix #933, FW_OUTPUT_MTA off will not clear rules
- Bugfix #940, asl -u does not generate tortix_waf.conf.
- Bugfix #953, add database drop event to uninstall. Convert mysqladmin in database setup to batch process. Mysqladmin can't handle the TTY (or lack thereof) from the wget method
- Bugfix #961: add ability to clear the firewall policy
- Bugfix #969: ASL Web, Report False Positive popup does not correctly display URL
- Bugfix #XXX, add full path to ifconfig
- Bugfix #XXX: fix for monitoring plesk maillog. Retire monitoring /var/log/psa/maillog
- Bugfix #XXX, reset disable_functions if set to warn-only (undo basically)
- Bugfix #XXX, disable proxy settings if they were first enabled then disabled
- Bugfix #XXX, add redundancy for setting permissions on cpanel & directadmin script build hooks
- Bugfix #XXX, add Safebrowsing token to clamav template
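As an added example, not ASL's own check code, here are Python versions of two of the host checks listed above, Feature Request #948 (non-root UID 0 accounts) and #946 (cron scripts belonging to web server users). They run over constructed /etc/passwd text and a constructed map of cron file owners so the block works offline; the set of account names treated as web server users, and all function names, are assumptions.

```python
"""
Added example (not ASL's own code): the UID 0 and web-user cron checks from
the release notes, over constructed sample data. WEB_SERVER_USERS is an
assumption about which accounts a web server runs as on a given platform.
"""
import os

WEB_SERVER_USERS = {"apache", "httpd", "nobody", "www-data"}   # assumption

# Constructed /etc/passwd contents, including one deliberately malformed line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
toor:x:0:0:second uid-0 account:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
broken line without enough fields
"""

# Constructed stand-in for the owner UIDs os.stat() would report on cron files.
SAMPLE_CRON_OWNERS = {
    "/etc/cron.d/logrotate": 0,
    "/var/spool/cron/deploy": 1001,
    "/etc/cron.hourly/cache-warm": 48,
    "/var/spool/cron/nobody": 99,
}


def parse_passwd(text):
    """Return (name, uid) for each well-formed passwd line; malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        users.append((fields[0], int(fields[2])))
    return users


def nonroot_uid0_accounts(passwd_text):
    """#948: any account other than root with UID 0 is a second root login."""
    return sorted(name for name, uid in parse_passwd(passwd_text)
                  if uid == 0 and name != "root")


def cron_files_owned_by_web_users(cron_owners, passwd_text):
    """#946: cron entries owned by a web server account run on a schedule with that
    account's privileges, a common sign that a compromised web application has
    scheduled a job; report them for review."""
    web_uids = {uid for name, uid in parse_passwd(passwd_text) if name in WEB_SERVER_USERS}
    return sorted(path for path, uid in cron_owners.items() if uid in web_uids)


def live_cron_owners(dirs=("/etc/cron.d", "/etc/cron.hourly",
                           "/etc/cron.daily", "/var/spool/cron")):
    """Collect owner UIDs of real cron files for the live check; unreadable paths are skipped."""
    owners = {}
    for d in dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue
        for n in names:
            p = os.path.join(d, n)
            try:
                owners[p] = os.stat(p).st_uid
            except OSError:
                pass
    return owners


def run_checks(passwd_text, cron_owners):
    """Return findings as (check id, detail) tuples, UID 0 findings first."""
    findings = [("FR948", name) for name in nonroot_uid0_accounts(passwd_text)]
    findings += [("FR946", path)
                 for path in cron_files_owned_by_web_users(cron_owners, passwd_text)]
    return findings


if __name__ == "__main__":
    for check, detail in run_checks(SAMPLE_PASSWD, SAMPLE_CRON_OWNERS):
        print(check, detail)
```

On a real host the same two functions take `open("/etc/passwd").read()` and `live_cron_owners()`; the malformed passwd line is skipped here, but an audit tool should report it, since a line that does not parse is itself a finding.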
Follow these steps and run these commands as the root user. Do not use sudo.
yum clean all
Step 3 (Cpanel Only)
If you do not have cpanel installed, you do not need to run this command. Step 2 is not necessary for non-cpanel environments, skip to step 3.
If you have cpanel installed, run this command:
/var/asl/bin/asl -s -f
Product Release Notes
Please see the Product Release Notes for important information.
Tuesday, 02 October 2012 12:52
This release includes our new "Crawler Protector". This system automatically, and securely, detects search engines, sorting out the attackers pretending to be search engines from the real search engine crawlers. It will both block the attacks and automatically prevent the real crawlers from being blocked by your security system. This helps to protect not just your server, but also your search engine ranking. No other security solution can do this, so make sure you are using the latest version of ASL to take advantage of this powerful capability. You can enable this new feature by enabling these two options in ASL: Detect Search Engines and Autowhitelist Search Crawlers.
We've also added in Symlink Protection. ASL includes a new secure capability to prevent users from creating "symlinks" to files they do not own. Unlike the slow, and insecure Apache patches that attempt to do the same thing, this secure system is implemented in the kernel, making it both lightning fast and extremely effective at preventing this type of attack from working. Documentation on this new feature is available here.
Additional new features:
- New spam malware signatures: This signature set detects both spam malware tools, as well as spam domains.
- Intelligent web brute force protection: Unlike simple systems that can only protect applications protected with htaccess, this system natively detects authentication failures in popular web software such as WordPress, Joomla, MediaWiki, vBulletin, PHPBB, Drupal, Typo3, Plesk, Cpanel, Magento, Zencart, MODX and more!
- Faster WAF: We've made all sorts of enhancements to the WAF to make it even faster!
- Proxy support for updates: ASL can now use proxies for all its updates, including authenticated proxies.
- Enhancements to the T-WAF system: This simplifies the forwarding system for local and remote HTTP services
- New geographic distributed update system: This will allow ASL to go to the nearest or fastest update server, and adds in additional redundancy for updates.
- New False Positive reporting enhancements
- Enhanced open port tracking system: This detects if a new process is started on the system and is listening for connections from remote hosts
- Over 50 new features, enhancements and improvements made to ASL
- Auto-whitelist installation IP prompt during configuration
- Extended version update checks to support the distributed update system
- Add support to WAF for Auto-Whitelisting search engines
- Add reset button to Rule manager in ASL Web
- Add distributed updates support to AUM
- Add flush function to asl-firewall, this will clear all rules (ASL or otherwise)
- Add status support to asl-firewall, this will display the current firewall policy
- Update, hids_check, change from /var/log/psa/maillog to /usr/local/psa/var/log/maillog
- Update to firewall blacklisting, convert from Add to Insert event
- Increased memory limit of asl_db_rotate to 256m
- Update to T-WAF, changed local proxy mode from Redirect to DNAT
- Added multiple IP detection to local proxy T-WAF
- Updated configuration setup, this moves ASL Web installation into configuration and reorganizes the configuration layout for better integration in ASLe.
- Add proxy support to AUM, HTTP_PROXY, HTTP_PROXY_PORT, HTTP_PROXY_USERNAME, HTTP_PROXY_PASSWORD
- Add basic HTTP Proxy tokens. This is only going to be implemented in AUM at this time
- Added aum, the Atomic Updater Modified
- Added permissions check to /var/asl/data
- Removed IP forwarding requirement in the T-WAF
- Add support for dynamic /etc/asl/config updates
- Add support for dynamic template updates
- Merge Anti-Evasion WAF groups into a single group
- Deprecated ip_forward requirement in T-WAF
- Deprecate WAF_ENABLE setting, this is no longer necessary
- Deprecate recursive setfacl, this could take a very very long time. New behavior is just to do the top level audit
- Feature Request #721, Add ossec signatures as asl -u updates
- Feature Request #864, catch the "tortix database already exists" error; database-setup will now prompt to re-install the database if it detects that it exists
- Feature Request #877, disable SafeBrowsing in freshclam by default
- Update to ASL Web, add HIDS rules to fp handling
- Add asl-port-check to dynamic updates
- Add dynamic updates for base config
- Add dynamic updates for firewall modules
- Add dynamic updates for templates
- Deprecate PSA_WAF_ENABLE (now part of T-WAF)
- Deprecate internally distributed asl-port-check
- Feature Request #721, add ossec signatures to update event
- Updates will now track the release field and in the -v output
- Update to open port tracking system
- Feature request #853, return error if DAZUKO use is detected, and ASL kernel / modules are not present
- Feature Request #857: Extend --permissions-check to all ASL config files and session dirs
- Add rkhunter update routine for recommended ALLOWHIDDEN, ALLOWDEV, ALLOWPROCDELFILE, ALLOWHIDDENDIR, and SCRIPTWHITELIST
- Add in "requested" option to the FW_TCP_ECN setting
- Update to T-WAF embedded reporting
- Update to HIDS suspicious process detector
- Update ASL Web to automatically determine the time-zone
- Update default for TCP_WINDOW_SCALING to yes/enable
- Feature Request #545, adds x-frame denial to ASL-Web
- Feature Request #547, Add secure session to cookies to ASL-Web
- Feature Request #548, Add httponly to session cookie to ASL-Web
- Feature Request #625, protect ASL session, temporary and log directories from change of ownership/perms
- Feature Request #705, enforce alpha-numeric passwords during configuration
- Feature Request #779, provide option to configure the SSH port
- Feature Request #848, make permissions checks more efficient
- Support exclude-kernel when initiated during installation to both it & configuration update type.
- Correct NULL condition for managing rules without config tokens in /var/asl/rules/modsec/waf_rule_config
- Add reporting to -u event. This updates security modules data
- Eliminate benign GC warnings
- If HTTP_PROXY is a white space, treat it like it is disabled
- Remove unimplemented exclude element from asl.repo template temporarily.
- Bugfix #884, update to support legacy function type.
- Bugfix #884, add phase: element to vhost WAF rule management
- Add function to create waf-config if it does not exist
- Directory, and subdirectories in that dir
- Check for existence of /proc/sys/net/ipv6/conf/all/accept_source_route (needed for older kernels)
- Fixes for removing old asl_waf.conf files, updates for newlines in proxy statements
- Add Listen directive and trailing slash on proxy directives
- Correct order of asl_waf output for plesk configs
- ASL Web, Fixes disabling a rule for multiple vhosts
- Add output rule to accept all from localhost
- Change permissions-check to not do a generic chmod in the /var/asl/data directory
- Only reload firewall rules via fix mode
- Correct condition where clamav would not be disabled in psa-proftpd when clamav was set to no
- Change output policy from drop to reject by default
- Bugfix #867, suppress output from HIDS cleanup event
- ASL Web, Fixes scrollbar in connections window; removes presence check for stateful rule in firewall rules
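As an added example (not ASL Web's own code), this Python block builds the hardened response headers that Feature Requests #545 (X-Frame-Options), #547 (Secure session cookie) and #548 (HttpOnly session cookie) describe, audits a response for them, and adds the password-field check behind Feature Request #882 from the 3.2 announcement (autocomplete=off on the login form). The cookie name "aslweb_session", the weak sample response, and the function names are constructed for the illustration.

```python
"""
Added example (not ASL Web's own code): response-header hardening and audit for
the X-Frame-Options, Secure and HttpOnly items, plus the autocomplete=off login
form check. Cookie name and sample responses are constructed.
"""
import re


def hardened_headers(session_id, cookie_name="aslweb_session"):
    """Headers a login response should carry (cookie name is a placeholder)."""
    return [
        ("X-Frame-Options", "DENY"),
        ("Set-Cookie", f"{cookie_name}={session_id}; Path=/; Secure; HttpOnly"),
    ]


def _cookie_attrs(set_cookie_value):
    """Split 'name=value; attr; attr=val' into (cookie name, {attribute names, lower-cased})."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(headers):
    """Return a sorted list of findings for a list of (name, value) header pairs."""
    findings = []
    xfo = [v.strip().upper() for k, v in headers if k.lower() == "x-frame-options"]
    if not xfo:
        findings.append("missing X-Frame-Options: page can be framed (clickjacking)")
    elif xfo[0] not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unexpected value {xfo[0]!r}")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name, attrs = _cookie_attrs(v)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: also sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by page script")
    return sorted(findings)


# Matches any <input ... type=password ...> tag, regardless of attribute order.
PASSWORD_INPUT_RE = re.compile(r"<input\b[^>]*type=[\"']?password[\"']?[^>]*>", re.I)


def password_fields_without_autocomplete_off(html):
    """Return password <input> tags that do not carry autocomplete="off" (#882)."""
    return [tag for tag in PASSWORD_INPUT_RE.findall(html)
            if not re.search(r"autocomplete=[\"']?off[\"']?", tag, re.I)]


# Constructed weak response: no framing protection, session cookie without flags.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "aslweb_session=abc123; Path=/"),
]

# Constructed login form with one compliant and one non-compliant password field.
SAMPLE_FORM = (
    '<form method="post"><input type="text" name="user">'
    '<input type="password" name="pass">'
    '<input name="confirm" type="password" autocomplete="off"></form>'
)

if __name__ == "__main__":
    for finding in audit_headers(WEAK_RESPONSE):
        print("weak:", finding)
    print("hardened:", audit_headers(hardened_headers("abc123")) or "no findings")
    print("fields missing autocomplete=off:", password_fields_without_autocomplete_off(SAMPLE_FORM))
```

The audit half is the part worth keeping around: running it against the console on port 30000 after an upgrade confirms the three header settings survived, which is cheaper than re-reading the template each time.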
yum upgrade asl asl-web
Sunday, 23 September 2012 13:36
Got Root Labs is now a part of Atomicorp.
Monday, 10 September 2012 11:17
This release introduces the first phase of our distributed update architecture. ASL systems will now support fastest mirror/rollovers in the event of an outage to alternate ASL update servers. As part of the transition for supporting this infrastructure, SSL certificate verification is required to be disabled in yum (this is already the default for el5). This will be re-enabled in a future update, so please do not modify this setting until then. AUM is now the default updater used in ASL; it can be invoked directly, and otherwise asl will maintain backwards compatibility with the old -u/-ck/-uf update flags.
- Add distributed updates support to AUM
- Add flush function to asl-firewall, this will clear all rules (ASL or otherwise)
- Add status support to asl-firewall, this will display the current firewall policy
- Update, hids_check, change from /var/log/psa/maillog to /usr/local/psa/var/log/maillog
- Bugfix #XXX, eliminate benign GC warnings
- Bugfix #XXX, If HTTP_PROXY is a white space, treat it like it is disabled
yum upgrade asl asl-web