You might be familiar with our InterShield blog posts. It has become a dedicated security series of ours, which holds great significance for both us and our valued hosting clients. Due to its continued success and popularity, we have decided to provide a step-by-step explanation of how InterShield operates.
Step 1: Checking the IP Address Against Known Blacklists
Using the LiteSpeed web server and the RBL (Real-time Blackhole List) rule, WebHostingPeople’s InterShield queries our internal RBL blacklist. This blacklist contains known malicious IPs that have been blocked due to their involvement in malicious activities, such as hacking, malware uploads, and other suspicious actions. The RBL is frequently updated, removing IPs that have not been seen in a while and ensuring that good bots, like Googlebot, are not blocked. The request is processed without causing any delays, and the result is cached to reduce the need for repeated lookups.
Note: If the IP is listed in the RBL, we log the request for later review and deny it. Otherwise, the request proceeds.
Step 2: Checking for Known Hacking Strings
Using request filters in LiteSpeed, we swiftly apply rules without causing any delays from Atomic Got Root, a commercial ModSecurity ruleset, as well as WebHostingPeople’s internal rules. These rules are regularly updated, and the use of LiteSpeed ensures that the rules are applied very quickly, avoiding any request delays. If the request is blocked, we log the request for later review, make a note of the blocked IP address, and deny the request. Otherwise, the request proceeds.
Step 3: Checking for Post Content, Such as Uploads
Any request with post content is rapidly scanned by ClamAV using a cluster of servers to perform a quick scan. This results in either a pass or fail outcome. If malware is detected, the request is logged along with the IP address for later review; otherwise, the request proceeds. To further expedite the process, a checksum of the file is used first, and if the file has been scanned before, it does not need to be scanned again. Finally, the request is sent for processing. Scripts, such as PHP scripts, have secondary rules that also scan the file during execution if it is not a known file checksum, searching for potential malware that may already exist within an account. Notifications are sent to the account owner via the contact email specified in the control panel’s contact section.
Additional Security Measures:
Under cPanel, all accounts are isolated from each other. No account can access the files, processes, or memory of another account, including temporary files. WebHostingPeople Exclusive: Addon domains are further isolated from each other within the cPanel account. Additionally, the option to drop PHP privileges is available to prevent PHP scripts from modifying files within your own account.
