Good afternoon. Over the past few weeks we have been investigating a technology called CageFS, which was developed and created by the wonderful folks over at CloudLinux. CageFS is an addition to the CloudLinux OS, which we use exclusively across our fleet of shared, reseller and VPS servers. The goal of installing CageFS is twofold: secure our servers and your account. That might be an oversimplification of what is really an important upgrade for everyone involved.
Today, security is mentioned just about everywhere, from unauthorized credit card to ATM transactions and even your WordPress blog site. Unfortunately, security cannot fall under the same set of rules as “set it and forget it”; security is evolving daily. It’s our job to stay on top of those changes and keep you, as our customer, as safe as we possibly can.
CageFS has been publicly available since August of 2011 and reached product maturity a few years later. According to CloudLinux, CageFS is a virtualized file system and a set of tools to contain each user in its own ‘security zone’. Each customer will have its own fully functional CageFS instance with all system files, tools, etc.
As a customer you shouldn’t notice any major changes or issues, only improvements; this is a seamless introduction. In fact, if we didn’t blog about this change you might never know we’re utilizing CageFS.
The list below covers the primary differences between a CloudLinux server with CageFS and one without:
- Utilization of /tmp – Previously all users wrote to the system’s /tmp directory, which on occasion would get full from a runaway script or poorly coded application. With CageFS each user writes to a /tmp directory inside their home directory, improving both security and reliability.
- User and system access – You are literally in your own environment now. No looking at other users, their processes, or what is happening on the server. You will not be able to view which other users are logged in via SSH, but you will still have access to the core binaries.
- Commands – A user under CageFS has a very limited set of commands they are able to run from the shell. Essentially you should have everything you will need. For example, here is the output of the ‘top’ command on a non-CageFS server:
There are a number of other changes (check out the documentation), but those are the major changes we are excited about. CloudLinux does a great job of keeping their blog active and up to date with releases and changes.
CageFS was thoroughly tested before moving into our live environment, and we are very confident in its performance, operation and reliability. However, no software is bug free, especially a program as integrated with the OS as CageFS. We do anticipate some strange or even unexpected behaviors, so please don’t hesitate to report any oddities you may notice.
One last note: we will do our absolute best to keep your account and websites as safe and secure as possible. However, we cannot protect against everything, which is why it’s important to take your own security very seriously.