CageFS appears to be a chroot jail, or perhaps a “container”-based approach (though a container is merely a special type of chroot jail, with some extra kernel support).
I am ambivalent about CloudLinux. They have some interesting exploit mitigation tech in their kernel, but it’s a huge swath of changes, it doesn’t go through the normal kernel development process, and it’s a small team (I think the kernel work is mostly one very prolific developer). That kind of thing makes me nervous; the mainline Linux kernel has thousands of eyes on every release. If we’re talking security, I’ll take the thousands of eyes over one (admittedly very clever) developer.
I have no knowledge of Immunify, but they’re claiming AI-powered security, so I’m immediately skeptical. Like, I want to dismiss it outright, but can’t without more info. Firewalls are of extremely limited utility in a world-facing server. You can’t block ports that are needed for services, and you shouldn’t have anything listening on public ports that aren’t needed for services, so what are you gonna block with the firewall? There is some utility in a tool like Fail2ban (maybe they’d consider that AI, I dunno!), where an attack on any port results in blocking everything from the IP initiating the attack for a specified period. That’s useful…if an attacker comes around, poking at ssh, fails to get in there, and then starts poking at Webmin, Usermin, FTP, mail, etc. they get a lot of bites at the apple. If they get shut down on the first service they don’t get any other chances with other services, or at least it becomes slow enough that even a very advanced brute force password search from high resource attackers (e.g. someone who can turn a botnet against your server) is unrealistic.
In short, beware any company trying to sell security in product form. Security is a process, not a single product. You need vigilance, to ensure you’re always up to date, you need strong passwords, you need popular tools with history and more than one person paying attention to their security, and you need a layered approach and to always think about what an exploit of one service or server could do to your other services or servers (i.e. are you sharing passwords across systems or accounts? do you have ssh keys on public servers that have access to other servers, so exploiting one would exploit others?).
I won’t say we’re doing everything that could be done for security in a default installation, but there are a lot of tools at your disposal immediately after installation, and most people don’t really ever dig in and get the most out of them. You’ve got a firewall (firewalld or iptables, depending on init system), fail2ban, a pretty tight default config for ProFTPd and ssh (with optional jailkit for chroot jails, also pretty locked down by default), SSL/TLS available on most protocols including mail and FTP, Let’s Encrypt for getting good certificates, 2FA for Webmin, and probably some other stuff.
To take security further I’d recommend the following, in no particular order:
- Minimize attack surface. Turn off stuff you aren’t using. Turn it off in Features and Plugins, and then turn off the related service.
- Strong passwords.
- Update religiously.
- Be aware (of what’s supposed to be happening on your system so you know when things look weird, of the security updates for your OS of choice, etc.).
That alone already gets you above 95% of system administrators. Sometimes we’ll see people talking about PHP versions that have been EOL for years or asking us questions about Virtualmin versions that are years out of date. Even with software that has a good security history (which we mostly have, and have had for many years), that’s insanely dangerous. And, relatedly, anything that distracts from those things is counter-productive. So, if you buy some security product, and spend a bunch of time configuring it, and while you’re distracted an exploitable version of WordPress sits on your server for a week, your site (at least) is toast. If you also missed a kernel update during that time that happened to fix a local root exploit (very rare, but does happen), your whole server might be toast. But, more layers is better than fewer…I just know there’s a lot of snake oil in the security product industry. Be careful out there, do your research, and be wary of big claims that aren’t reasonably within the scope of what a security product can do. A lot of it is overpriced and under-delivers.
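The cross-service ban the post describes (a few failures on ssh, then FTP, and the source IP loses access to every port, not just the one it was poking at) is what fail2ban does with `banaction = iptables-allports` and a shared `findtime`/`maxretry` window. The script below is an added example, not code from the post or from fail2ban; it reimplements that detection logic in a few dozen lines over constructed syslog lines so the windowing behaviour is visible. The log lines, the year (syslog timestamps carry none), the simplified sshd/proftpd failure patterns, and the `iptables -I INPUT ... -j DROP` rule standing in for fail2ban's own chain handling are all assumptions made for the demo.

```python
"""Toy fail2ban-style detector: failed logins on ANY service count toward one
per-IP threshold, and a ban blocks every port (added example, not fail2ban code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog format); the addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 12 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jan 12 10:00:09 host proftpd[1300]: host (203.0.113.7[203.0.113.7]) - USER anonymous: no such user found from 203.0.113.7 [203.0.113.7] to 198.51.100.5:21
Jan 12 10:00:12 host sshd[1210]: Failed password for root from 198.51.100.20 port 40000 ssh2
Jan 12 10:00:20 host sshd[1212]: Accepted publickey for deploy from 198.51.100.20 port 40002 ssh2
Jan 12 11:30:00 host sshd[1400]: Failed password for root from 198.51.100.20 port 40010 ssh2
"""

# Simplified stand-ins for fail2ban's sshd and proftpd filters (assumed patterns).
FAILURE_PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
    "proftpd": re.compile(r"proftpd\[\d+\]: .*USER \S+: no such user found from (?P<ip>\d+\.\d+\.\d+\.\d+)"),
}
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")


def parse_line(line, year):
    """Return (timestamp, service, ip) for a failed-login line, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    # Syslog pads single-digit days with two spaces; collapse before parsing.
    stamp = " ".join(m.group("ts").split())
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    for service, pattern in FAILURE_PATTERNS.items():
        hit = pattern.search(line)
        if hit:
            return ts, service, hit.group("ip")
    return None


def find_bans(log_text, maxretry=4, findtime=timedelta(minutes=10), year=2024):
    """Return {ip: (ban_time, sorted services)} for each IP that reached
    maxretry failures, across all services combined, inside one findtime window.
    Failures older than findtime fall out of the window, so slow probing that
    never accumulates maxretry hits in the window is not banned."""
    recent = defaultdict(list)  # ip -> [(timestamp, service)] still inside the window
    bans = {}
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, service, ip = parsed
        if ip in bans:
            continue  # already blocked on every port; nothing more to count
        window = [(t, s) for t, s in recent[ip] if ts - t <= findtime]
        window.append((ts, service))
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = (ts, sorted({s for _, s in window}))
    return bans


def ban_rule(ip):
    """Rule that drops the source on every port; a simplified equivalent of
    fail2ban's iptables-allports action (which uses its own per-jail chain)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def main():
    for ip, (ts, services) in find_bans(SAMPLE_LOG).items():
        print(f"{ts} ban {ip} after failures on {', '.join(services)}: {ban_rule(ip)}")


if __name__ == "__main__":
    main()
```

Running it bans 203.0.113.7 at the fourth failure (three on sshd plus one on proftpd, 10:00:09), which is the "first service, no second chances" behaviour from the post, while 198.51.100.20 is left alone because its two failures are 90 minutes apart and never share a window. In a real fail2ban setup the same effect comes from setting `banaction = iptables-allports` in the `[DEFAULT]` section of `jail.local` and enabling the `recidive` jail so repeat offenders get a much longer ban.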