Deep Dive – How CloudLinux improves security and stability on shared hosting environments
20 Feb 2024, by Slade Baylis
There are many advantages to hosting a lot of websites on a single server. Primary among these is that it allows you to optimise your costs and make sure your servers are being utilised to their full potential rather than having resources sit idle; it enables you to provide hosting more optimally thus reducing the price for everyone; and it also makes managing websites at scale much easier. However, without protection against it, there are risks to hosting more than one website on a server.
Some of these risks include having one website use up all the resources of the server, which affects the performance of all the other hosted websites, to even presenting a security risk for everyone through cross-site infections. Without protection against it, it’s possible that if one website gets infected, it could potentially move laterally and infect other hosted websites!
That’s why this month we’ll be talking about CloudLinux – specifically CloudLinux OS Shared - which is a commercial Linux distribution that aims to help improve multitenancy on Shared Web Hosting (SWH) servers.
What’s the difference between Shared Web Hosting and using your own VM?
When looking to host a website or application, one of the first questions that needs to be answered is how much horsepower it’ll need. For applications and websites that are going to be fairly heavily utilised - as in, used by a lot of people a lot of the time, or if the things it’s going to be doing are resource intensive - then it’s likely that a dedicated server or VM (Virtual Machine) is the best option.
There are many reasons for having your own server. Some of these advantages include that it gives you full control over the environment, allowing you to configure things exactly as required; that you’re able to install whichever software is required by your application and website; and that you’re able to configure and optimise your server’s performance for your website specifically.
However, for a lot of companies, their online systems and websites are fairly lightweight and don’t require a lot of resources - so having their own server is usually overkill. For these lightweight and relatively simple websites, not only would a dedicated server or VM (Virtual Machine) usually have more resources than required, but these systems will need to be maintained and monitored. If your service isn’t a “managed service” – which is a service wherein that sort of advanced support is included – then that responsibility will fall on you, meaning that it’s up to you to keep things updated to ensure you’re not vulnerable to threats like ransomware, thus adding further expense.
And this is exactly why “Shared Web Hosting” solutions were developed – they aim to solve this problem by allowing multi-tenanted hosting environments to be set up, allowing companies to lease a smaller part of a web server, one that is used by multiple organisations (or “tenants”) at a time. By only leasing a smaller part of a web-server, these Shared Web Hosting (SWH) environments are able to be provided much more economically, which works perfectly for smaller organisations that don’t have large IT budgets.
As mentioned above, in the early days, there were potential risks that presented themselves when using Shared Web Hosting (SWH) environments - with the two main issues being the potential for cross-account access, as well as the risk of “noisy neighbours” affecting your website's performance. Due to these risks, solutions to these problems were created - one of which was the development of the operating system called “CloudLinux”.
What is CloudLinux?
As mentioned, CloudLinux is an operating system. Specifically though, it's a commercial Linux-distribution that has been created to solve some of the previously common issues with shared hosting environments.
Developed back in 2009, its aim was to make Linux – the most common and well-known open-source operating system – secure, stable, and profitable for website hosting companies. Since then, it has grown to be used by more than 4000+ companies, which collectively run more than 20 million customer websites!
Preventing “noisy neighbour” problems and keeping websites performing well using LVE
In that aim to make servers more stable, one of the primary features they went on to develop is called “LVE”, which stands for “Lightweight Virtualized Environment”. This feature has similar roots to container-based virtualisation, wherein applications are hosted in containers rather than on servers directly.
In basic terms, LVE allows administrators to allocate and limit server resources – such as CPU, RAM, Disk I/O, and even the number of simultaneous connections – so that any one account only has the ability to use resources up to a predetermined limit. Prior to this, any account on a shared hosting environment would be able to use as much CPU, RAM, or disk space as they wanted, meaning that one particularly busy website could use up all the available resources! If this happened, not only would the server slow down to a crawl, but so would all the other websites hosted on that same server.
For shared environments - which is to say environments where more than one organisation is hosting their services on a single server - it’s unacceptable to have one organisation’s website affect the performance of the websites for others. This issue – of one website affecting the performance of another through excessive resource consumption – is commonly referred to as “noisy neighbour” due to the parallel of a next-door neighbour causing you problems by being louder than is reasonable.
Improving server security using CageFS and SecureLinks
In their aim to make servers more secure, several features were implemented to solve some previously common security issues. Key among them was CageFS - which is a feature that helps ensure that each account is isolated from each other.
CageFS is a virtualised per-user file system, created to contain each account and prevent them from viewing or accessing the data stored within other accounts. Through this, each account only ever has access to the information contained within itself, preventing a large number of information disclosure attacks that are potentially possible on other platforms. This “caging” of tenants from one another helps prevent security breaches from malware that attempts to sprawl across your customer’s sites, which would otherwise cause severe harm.
However, there are certain information disclosure attacks that CageFS isn’t able to prevent, such as attacks that look to exploit a feature on Linux called “symbolic links”. A symbolic link – also referred to as a “symlink” – is a file that links to another file or folder somewhere on a device. They are used due to the ability to easily find or refer to another file or folder without having to duplicate that data to multiple locations. The potential issue here exists when users attempt to create symlinks to files or folders they shouldn’t have access to.
On shared servers, certain processes require higher privileges in order to work correctly – and with this higher level of privilege the potential exists for users to manipulate these processes to create symlinks to data they shouldn’t have access to. However, this is where the "SecureLinks" feature from CloudLinux comes in – as with this feature these sorts of attacks are able to be prevented by keeping malicious users from being able to create symlinks to files or folders they don’t own.
And finally, we come to one of the other key selling points of CloudLinux, that of their "Hardened PHP" service. As a quick introduction, PHP is a programming language that’s mainly used for web development. It’s been around since 1993, and as such, there have been many iterations and updates to it over the years. As these updates are released, older versions of PHP are deprecated and become EOL (End of Life), meaning that they no longer receive feature or security updates – thus making them a security risk for any organisations that have applications built on these older versions.
The good news is that this Hardened PHP feature from CloudLinux aims to act as a temporary solution for organisations that are still reliant on older versions of PHP. This is achieved through the CloudLinux team releasing their own versions of these older PHP versions, with security fixes from later versions “ported” back to earlier versions. Porting in this context refers to the process of adapting software or code from one platform or version onto another piece of software.
Through this porting of security updates, companies are able to more securely run their applications on older versions of PHP, giving them time to be able to either plan a full transition onto new applications, or update their existing applications to work with newer versions.
The upcoming EOL of CloudLinux 6/7 and the upgrade pathways for those running them
Some of our clients are already aware, but for those of you whom are not, in the not too distance future – specifically on the 30th of June, 2024 – two older versions of CloudLinux, 6 and 7, are going to be going EOL. As mentioned above, the term EOL is used to describe software that is no longer going to be receiving either feature or security updates. This means that it is very important for organisations that are using these older versions to plan to upgrade to versions that will continue to be supported.
Our recommendation is for this process to be less of an “upgrade” and more of a “build and migrate” process – that is, build a new replacement server side-by-side with the original server, and then schedule in a migration of all your accounts over to that new server. There are some major advantages to doing it this way, such as the fact that it allows you to start with a fresh slate on a new server set up to our recommended specification that will best for your particular needs.
Whilst there is the potential to upgrade from CloudLinux 7 to CloudLinux 8 without requiring a full rebuild of the server, the software that’s available for this upgrade process is in beta and has been known to have issues here and there. Due to these potential complications, our recommendation is for organisations to start fresh and build a new replacement server to migrate to.
If you are in the position of needing to perform this replacement and migration, let us know, as we’ll be able to help you plan out this process – we’ll be able to advise what you’ll need to do in the planning phase beforehand, and also what common issues to look out for.
Have further questions about CloudLinux?
If you want to know more about CloudLinux, or want to get started with it, let us know! We’ll be happy to answer any questions you have and help get you started on the right foot.
You can reach us via email at sales@micron21.com or via phone at 1300 769 972 (Option #1).