Difference between revisions of "ASL installation"
(→'''Testing the Kernel''' (Not for VPS users)) |
m (→Step 2: Run the Automated ASL installer) |
||
| (86 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | = Introduction = | |
| + | ASL is designed to integrate with your existing operating system. Customized environments that deviate from OS vendor designed standards, and packaging should consult with our services group for a custom solution. | ||
| + | == Before You Start == | ||
| + | '''Please note: If you purchased a Rules Only subscription, please go to, and follow the instructions here: https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Optional_Manual_Installation '''. These are instructions to install [[ASL]]. | ||
| + | If you purchased Atomic Secured Linux, then continue to the steps below. | ||
| − | == | + | == Prerequisites == |
| − | + | Please ensure that your system meets all prerequisites before installing ASL. The [[ASL prerequisites]] page includeds important information outlining the systems requirements for ASL to install and function correctly, as well as recommendations for it to perform optimally. | |
| − | + | = Installation and Downloads = | |
| − | + | == Command Line installation== | |
| − | + | === Step 1: Read the Notes === | |
| + | Confirm that your system meets the ASL requirements, which are documented on the [[ASL prerequisites]] page. | ||
| − | + | Note: ASL will harden your system, so when building a new system or installing other software, we recommend you install ASL last so that it can harden your system with all software installed. | |
| − | Step | + | === Step 2: Run the Automated ASL installer === |
| − | Step | + | '''Pre Step 1)''' |
| − | + | If the system does not have mysql or mariadb installed, run these commands as root: | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | RHEL/Centos 6: | |
| − | + | ||
| − | '' | + | ''yum install mysql-server'' |
| − | + | ''service mysqld start'' | |
| + | ''systemctl enable mysqld'' | ||
| − | + | RHEL/Centos 7: | |
| + | ''yum install mariadb-server'' | ||
| − | + | ''service mariadb start'' | |
| − | + | ''systemctl enable mariadb'' | |
| − | + | '''Step A)''' | |
| − | + | Become root on your system. To become root run this command: | |
| − | + | ''su -'' | |
| − | + | then enter your root password. | |
| − | + | '''Step B)''' | |
| − | + | ||
| − | + | ||
| − | + | Cut and paste the command below, and run this command as root: | |
| − | + | ''wget -q -O - https://updates.atomicorp.com/installers/asl |sh'' | |
| − | + | Follow the instructions in the installer being sure to answer the configuration questions appropriately for your system. | |
| − | + | '''Note: You must have a version of wget installed that supports HTTPS to install ASL, as described on the ASL prerequisites page.''' | |
| − | + | If you do not get any output from the installation command it is likely wget on your system was replaced with a crippled version that does not support SSL. Please see this article to test if your wget supports SSL if you are unsure: | |
| − | + | https://www.atomicorp.com/wiki/index.php/ASL_prerequisites#wget | |
| + | See the [[unattended installs]] article for advanced instructions for unattended installations. | ||
| − | + | === Step 3: (Optional) If you have installed the ASL kernel === | |
| − | + | Once the installation is complete, if you want to use the secure ASL kernel you will need to reboot your system to boot into the new hardened kernel that comes with ASL. '''You do not have to use this kernel to enjoy the other features of ASL''', but we recommend you use the hardened kernel as it includes many additional security features that are not found in non-ASL kernels. | |
| − | + | Note: The secure ASL kernel is not required to run ASL, but it will make your system more secure and protect your system from attacks that your regular kernel can not. | |
| − | + | ||
| − | + | ==== VPS based systems ==== | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | If you are using a [[VPS]] based virtualization technology, like openvz or Virtuzzo, you can not install any kernel in a VPS. VPS' do not have a kernel, they share the host systems kernel. Therefore, you will not be able to install any kernel in a VPS, including the ASL secure kernel, and do not need to reboot. | |
| − | + | ==== Cloud Linux ==== | |
| − | + | '''Cloudlinux requires that you use their default kernel with their product.''' Therefore, you should not use the secure ASL kernel with Cloud Linux. Please see the link below to ensure you have your system configured to use the appropriate Cloud Linux kernel with their product. | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | https://www.atomicorp.com/wiki/index.php/Kernel#Setting_which_kernel_to_boot | |
| − | + | Note: When using the Cloud Linux kernel ASL will report security vulnerabilities in the Cloud Linux kernel. These security vulnerabilities are real. The Cloud Linux kernel does not include the necessary security enhancements to protect you from these vulnerabilities. Please direct any questions regarding Cloud Linux vulnerabilities to Cloud Linux support. | |
| − | + | === Before you reboot === | |
| − | + | ==== Check to make sure you can log in ==== | |
| − | ''' | + | Check to make sure you haven't locked yourself out of your system. If you told ASL to lock down SSH, make sure you can log into your system. Don't close out your current session, '''log in with a new session'''. This way you can confirm that you haven't installed bad ssh keys, or otherwise configured your server so you can't log in. |
| − | + | If you are rebooting into the secure ASL kernel, make sure you have an alternative means to log into your system should your system encounter an issue rebooting. For example, a diverse means such as serial port access, or a KVM system, and not SSH or other direct network based remote access. If a Linux system fails to reboot, network based protocols like SSH will not work. | |
| − | + | ==== Cloud Linux ==== | |
| − | + | '''Cloudlinux requires that you use their default kernel with their product.''' Therefore, you should not use the secure ASL kernel with Cloud Linux. Please see the link below to ensure you have your system configured to use the appropriate Cloud Linux kernel with their product. | |
| − | + | https://www.atomicorp.com/wiki/index.php/Kernel#Setting_which_kernel_to_boot | |
| − | + | Note: When using the Cloud Linux kernel ASL will report security vulnerabilities in the Cloud Linux kernel. These security vulnerabilities are real. The Cloud Linux kernel does not include the necessary security enhancements to protect you from these vulnerabilities. Please direct any questions regarding Cloud Linux vulnerabilities to Cloud Linux support. | |
| − | + | == Control panel installation== | |
| − | + | ||
| − | + | ||
| − | + | === Plesk === | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | === Step 1: Read the Notes === | |
| − | + | ||
| − | + | Confirm that your system meets the ASL requirements, which are documented on the [[ASL prerequisites]] page. | |
| − | == Post-Installation Quickstart/Configuration == | + | Note: ASL will harden your system, so when building a new system or installing other software, we recommend you install ASL last so that it can harden your system with all software installed. |
| + | |||
| + | === Step 2: Install ASL from Plesk === | ||
| + | |||
| + | To install Atomic Secured Linux using the Plesk extension: | ||
| + | |||
| + | Step 1: In the Extensions Catalog, select the 'Security' category and click on 'Atomic Secured Linux' | ||
| + | |||
| + | Step 2: Click the 'Install' button to install the extension | ||
| + | |||
| + | Step 3: After the extension is installed, click the 'Go To Extension' link | ||
| + | |||
| + | Step 4: Click the 'Install' button to install Atomic Secured Linux | ||
| + | |||
| + | == Step 4: Post-Installation Quickstart/Configuration == | ||
| + | |||
| + | === Log into the GUI === | ||
| + | |||
| + | https://YOUR_SERVERS_IP:30000 | ||
| + | |||
| + | You can view alerts, block attackers, configure ASL and use its many features from the GUI. | ||
| + | |||
| + | The username and password are the same credentials you created when you purchased your license. You can change the ASL control panel credentials by following the process [https://www.atomicorp.com/wiki/index.php/ASL_FAQ#How_can_I_reset_my_ASL_GUI_password.28s.29.3F here], and you can add additional users by following [https://www.atomicorp.com/wiki/index.php/ASL_FAQ#How_can_I_create_new_accounts_in_the_ASL_GUI_.3F this process]. | ||
| + | |||
| + | === Log into the support portal === | ||
| + | |||
| + | Finally, we highly recommend you click on the "Support" tab in the ASL GUI, or go to this URL to log into your support account: | ||
| + | |||
| + | https://www.atomicorp.com/support/support-portal.html | ||
| + | |||
| + | The support system uses the same username and password used to install ASL (your ASL username and password). Please make sure you can log into the support portal to make use of the support portals features such as case management, bug tracking and the knowledge base. | ||
| + | |||
| + | === ASL FAQ === | ||
| + | |||
| + | And also, please read thru the [[ASL FAQ]]. It covers just about everything anyone has every asked us about, regarding ASL. Seriously, its got answers to nearly anything you might want to know about [[ASL]], and we really have documented the answer to nearly every question anyone has every asked us about ASL. | ||
| + | |||
| + | == Command Line == | ||
| + | |||
| + | If you're a command line person you can also run or re-run many of ASL's features from the command line. Here are a few highlights: | ||
| + | |||
| + | 1) Configure/Re-Configure ASL | ||
| − | |||
asl -c | asl -c | ||
| + | 2) Scan the system for vulnerabilities, malware and other security issues. | ||
| − | |||
asl -s | asl -s | ||
| − | 3) | + | 3) Scan the system for vulnerabilities, malware and other security issues and have ASL fix the system. |
| + | |||
asl -s -f | asl -s -f | ||
| + | |||
| + | You can also find out about all the command line options in asl by running this command: | ||
| + | |||
| + | asl -h | ||
| + | |||
| + | = Upgrading ASL = | ||
| + | |||
| + | Please see the [[Upgrading ASL]] page for details. | ||
| + | |||
| + | = Troubleshooting = | ||
| + | |||
| + | Please see the [[ASL Troubleshooting]] article. | ||
| + | |||
| + | We also recommend you read the [[ASL FAQ]]. | ||
| + | |||
| + | |||
| + | = Important Notes = | ||
| + | |||
| + | == Kernel == | ||
| + | |||
| + | See the [[Kernel]] page for additional information on the ASL kernel. | ||
| + | |||
| + | == Cpanel == | ||
| + | |||
| + | Do not enable modsecurity in cpanel, and do not use cpanel to upgrade or install modsecurity. CPanel does not use the latest version of modsecurity, and ASL is only tested and supported with the latest version supplied by ASL. ASL will automatically upgrade modsecurity if necessary. | ||
| + | |||
| + | Enabling modsecurity in cpanel will replace modsecurity with an older, and incompatible version and is not supported. This will likely also break your modsecurity configuration, as CPanel does not include all of the patches and enhancements in modsecurity that ASL comes with. | ||
Latest revision as of 19:22, 27 April 2020
Contents |
[edit] Introduction
ASL is designed to integrate with your existing operating system. Customized environments that deviate from OS vendor designed standards, and packaging should consult with our services group for a custom solution.
[edit] Before You Start
Please note: If you purchased a Rules Only subscription, please go to, and follow the instructions here: https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Optional_Manual_Installation . These are instructions to install ASL.
If you purchased Atomic Secured Linux, then continue to the steps below.
[edit] Prerequisites
Please ensure that your system meets all prerequisites before installing ASL. The ASL prerequisites page includeds important information outlining the systems requirements for ASL to install and function correctly, as well as recommendations for it to perform optimally.
[edit] Installation and Downloads
[edit] Command Line installation
[edit] Step 1: Read the Notes
Confirm that your system meets the ASL requirements, which are documented on the ASL prerequisites page.
Note: ASL will harden your system, so when building a new system or installing other software, we recommend you install ASL last so that it can harden your system with all software installed.
[edit] Step 2: Run the Automated ASL installer
Pre Step 1)
If the system does not have mysql or mariadb installed, run these commands as root:
RHEL/Centos 6:
yum install mysql-server
service mysqld start
systemctl enable mysqld
RHEL/Centos 7:
yum install mariadb-server
service mariadb start
systemctl enable mariadb
Step A)
Become root on your system. To become root run this command:
su -
then enter your root password.
Step B)
Cut and paste the command below, and run this command as root:
wget -q -O - https://updates.atomicorp.com/installers/asl |sh
Follow the instructions in the installer being sure to answer the configuration questions appropriately for your system.
Note: You must have a version of wget installed that supports HTTPS to install ASL, as described on the ASL prerequisites page.
If you do not get any output from the installation command it is likely wget on your system was replaced with a crippled version that does not support SSL. Please see this article to test if your wget supports SSL if you are unsure:
https://www.atomicorp.com/wiki/index.php/ASL_prerequisites#wget
See the unattended installs article for advanced instructions for unattended installations.
[edit] Step 3: (Optional) If you have installed the ASL kernel
Once the installation is complete, if you want to use the secure ASL kernel you will need to reboot your system to boot into the new hardened kernel that comes with ASL. You do not have to use this kernel to enjoy the other features of ASL, but we recommend you use the hardened kernel as it includes many additional security features that are not found in non-ASL kernels.
Note: The secure ASL kernel is not required to run ASL, but it will make your system more secure and protect your system from attacks that your regular kernel can not.
[edit] VPS based systems
If you are using a VPS based virtualization technology, like openvz or Virtuzzo, you can not install any kernel in a VPS. VPS' do not have a kernel, they share the host systems kernel. Therefore, you will not be able to install any kernel in a VPS, including the ASL secure kernel, and do not need to reboot.
[edit] Cloud Linux
Cloudlinux requires that you use their default kernel with their product. Therefore, you should not use the secure ASL kernel with Cloud Linux. Please see the link below to ensure you have your system configured to use the appropriate Cloud Linux kernel with their product.
https://www.atomicorp.com/wiki/index.php/Kernel#Setting_which_kernel_to_boot
Note: When using the Cloud Linux kernel ASL will report security vulnerabilities in the Cloud Linux kernel. These security vulnerabilities are real. The Cloud Linux kernel does not include the necessary security enhancements to protect you from these vulnerabilities. Please direct any questions regarding Cloud Linux vulnerabilities to Cloud Linux support.
[edit] Before you reboot
[edit] Check to make sure you can log in
Check to make sure you haven't locked yourself out of your system. If you told ASL to lock down SSH, make sure you can log into your system. Don't close out your current session, log in with a new session. This way you can confirm that you haven't installed bad ssh keys, or otherwise configured your server so you can't log in.
If you are rebooting into the secure ASL kernel, make sure you have an alternative means to log into your system should your system encounter an issue rebooting. For example, a diverse means such as serial port access, or a KVM system, and not SSH or other direct network based remote access. If a Linux system fails to reboot, network based protocols like SSH will not work.
[edit] Cloud Linux
Cloudlinux requires that you use their default kernel with their product. Therefore, you should not use the secure ASL kernel with Cloud Linux. Please see the link below to ensure you have your system configured to use the appropriate Cloud Linux kernel with their product.
https://www.atomicorp.com/wiki/index.php/Kernel#Setting_which_kernel_to_boot
Note: When using the Cloud Linux kernel ASL will report security vulnerabilities in the Cloud Linux kernel. These security vulnerabilities are real. The Cloud Linux kernel does not include the necessary security enhancements to protect you from these vulnerabilities. Please direct any questions regarding Cloud Linux vulnerabilities to Cloud Linux support.
[edit] Control panel installation
[edit] Plesk
[edit] Step 1: Read the Notes
Confirm that your system meets the ASL requirements, which are documented on the ASL prerequisites page.
Note: ASL will harden your system, so when building a new system or installing other software, we recommend you install ASL last so that it can harden your system with all software installed.
[edit] Step 2: Install ASL from Plesk
To install Atomic Secured Linux using the Plesk extension:
Step 1: In the Extensions Catalog, select the 'Security' category and click on 'Atomic Secured Linux'
Step 2: Click the 'Install' button to install the extension
Step 3: After the extension is installed, click the 'Go To Extension' link
Step 4: Click the 'Install' button to install Atomic Secured Linux
[edit] Step 4: Post-Installation Quickstart/Configuration
[edit] Log into the GUI
You can view alerts, block attackers, configure ASL and use its many features from the GUI.
The username and password are the same credentials you created when you purchased your license. You can change the ASL control panel credentials by following the process here, and you can add additional users by following this process.
[edit] Log into the support portal
Finally, we highly recommend you click on the "Support" tab in the ASL GUI, or go to this URL to log into your support account:
https://www.atomicorp.com/support/support-portal.html
The support system uses the same username and password used to install ASL (your ASL username and password). Please make sure you can log into the support portal to make use of the support portals features such as case management, bug tracking and the knowledge base.
[edit] ASL FAQ
And also, please read thru the ASL FAQ. It covers just about everything anyone has every asked us about, regarding ASL. Seriously, its got answers to nearly anything you might want to know about ASL, and we really have documented the answer to nearly every question anyone has every asked us about ASL.
[edit] Command Line
If you're a command line person you can also run or re-run many of ASL's features from the command line. Here are a few highlights:
1) Configure/Re-Configure ASL
asl -c
2) Scan the system for vulnerabilities, malware and other security issues.
asl -s
3) Scan the system for vulnerabilities, malware and other security issues and have ASL fix the system.
asl -s -f
You can also find out about all the command line options in asl by running this command:
asl -h
[edit] Upgrading ASL
Please see the Upgrading ASL page for details.
[edit] Troubleshooting
Please see the ASL Troubleshooting article.
We also recommend you read the ASL FAQ.
[edit] Important Notes
[edit] Kernel
See the Kernel page for additional information on the ASL kernel.
[edit] Cpanel
Do not enable modsecurity in cpanel, and do not use cpanel to upgrade or install modsecurity. CPanel does not use the latest version of modsecurity, and ASL is only tested and supported with the latest version supplied by ASL. ASL will automatically upgrade modsecurity if necessary.
Enabling modsecurity in cpanel will replace modsecurity with an older, and incompatible version and is not supported. This will likely also break your modsecurity configuration, as CPanel does not include all of the patches and enhancements in modsecurity that ASL comes with.
