How InterShield Works

Posted at April 18, 2018 at 3:46 pm by Ylber Popaj

You may already be familiar with our InterShield blog posts. They have become a special security series of ours, one that is of high importance to us and to our web hosting customers. Because of the series' ongoing success and popularity, we have decided to describe the step-by-step process that InterShield follows.

A request to access a website comes in: someone has entered http://domain.com into a browser.

Step 1: Check IP address against known blacklists

Using the LiteSpeed web server and its RBL rule, InterServer's InterShield queries our own internal RBL blacklist. This blacklist contains known bad IPs: IPs that have been blocked for bad activity, hacking, uploading malware and a number of other activities. The RBL updates frequently, removing IPs that have not been seen in a while and ensuring that good bots such as Googlebot are not blocked. The lookup is made without slowing the request, and its result is cached so the lookup does not need to happen again for some time.

Note: If the IP is in the RBL, we log the request for review later and deny it. Otherwise the request passes.

Step 2: Check for known hacking strings

Using the request filter in LiteSpeed, we process rules from Atomic Got Root, a commercial mod_security ruleset, as well as InterServer's own internal rules, without causing a delay. These rules update frequently, and because LiteSpeed processes them extremely quickly they do not add latency to the request. If the request is blocked, we log it for review later, note the IP address that was blocked and deny it. Otherwise the request is passed.

Step 3: Check for post content, such as uploads

Any request with POST content is scanned by ClamAV on a cluster of servers so the scan completes quickly. This returns either a pass or a fail result. If malware is detected, we log the request and IP for review later; otherwise we pass it. To speed up the request further, a checksum of the file is computed first, and if a file with that checksum has been scanned before it does not need to be scanned again. Finally, the request is sent for processing. Scripts, such as PHP scripts, are covered by secondary rules that also scan the file as it runs if its checksum is not already known, to catch malware that may already exist in an account. Notices are sent to the account owner through the contact email set in the contact section of the control panel.

Further protection:

Under cPanel, all accounts are isolated from each other. No account can see the files, processes, memory or temporary files of another account.

InterServer Exclusives: Addon domains are further isolated from each other within the cPanel account.

Additionally, the option of dropping PHP privileges is available, so that the PHP scripts being called cannot modify files within your own account.
