Category Archives: Security

Hardware Upgrades Complete!

Our goal is to provide the best performing, most reliable service that we can and a lot of this comes down to the hardware that we use. Newer hardware can easily provide performance benefits but proper deployment of it is crucial as far as reliability and security is concerned. We always try to avoid any service interruption whenever possible and building redundancies into our infrastructure has allowed us to do this more easily.

Over the past five months, we’ve been working diligently to overhaul our entire hosting infrastructure.  The individual server upgrades were a big part of this process and these were all completed by the end of July. Behind the scenes, though, our work has gone far beyond just the server upgrades. We’ve also upgraded every other piece of hardware that has a role in providing our services. All switches, power distribution, and even cabling has received upgrades in some form or another.

  • Switches – All of our public and private network switches have been replaced which provides greater performance and continued security updates. This was done without impacting any services and zero downtime on our public network. Our private network has received an even bigger overhaul with it now being entirely 10G, allowing for even better backup performance.
  • Power Distribution – All of our in-rack PDUs have been replaced with new zero U PDUs. This has saved at least 4U per cabinet and cleaned them up considerably. The new PDUs also have additional control and monitoring features. Because all of our gear has redundant power, we were able to swap these out without any power loss or downtime.
  • Cabling – As a result of the PDU changes, we wanted to re-cable everything to clean it up and allow for even better airflow. New slim Cat6A cables handle 1G connectivity and most 10G connectivity is over DAC.

Many other items were upgraded over these past few months as well. I just wanted to provide a brief look behind the scenes here that you wouldn’t otherwise know about. We’re very focused on providing the best service possible and our continual hardware upgrades play a large role in this.

Forcing HTTPS Connectivity

Once you have an SSL certificate installed, it is good standard practice to make sure that all requests on your website use HTTPS. Our last post concerning mixed content covered one aspect of this. One other important element, which we’ll discuss here, is to force HTTP requests to use HTTPS instead. This way, if someone tries to visit your site via http://domain.com the request will be redirected to https://domain.com.

There are many different ways to accomplish this but if you’re using something like WordPress, for example, you might want to see if the functionality is built-in or if a plugin is available that could make this process easier. In this case, the Really Simple SSL plugin for WordPress is a great option and can even correct mixed content issues automatically.

Another common but easy way to handle this is by adding a simple mod_rewrite rule to your site’s .htaccess file. There are a lot of perfectly valid variations of these rules to get the desired result. A good generic option is:

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Continue reading

HTTPS & Mixed Content

With Chrome now labeling sites accessed via regular HTTP as “Not Secure”, SSL/TLS support is becoming even more common. However, simply installing an SSL certificate doesn’t necessarily result in your site showing up as “Secure” (Chrome) or with a green padlock (Firefox). Instead, you might see the following in the Firefox URL bar:

And in Chrome you might see this in the security overview (Menu -> More Tools -> Developer Tools -> Security):

Although not immediately clear from the Firefox URL bar, you can see from Chrome that the issue is with mixed content being loaded. This means that although the page was accessed via HTTPS, regular HTTP content is being loaded within it. For this example, the page in question has the following code in it:

<img src="http://demo.dathorn.com/logo.png">

Continue reading

Critical Drupal Updates

Although these Drupal vulnerabilities were posted to our script security forum, which we recommend you subscribe to, we wanted to give this situation as much visibility as possible. Over the past month there have been two critical Drupal updates released. Both of these address a remote code execution vulnerability, which is at the very top of the scale as far as severity is concerned. The most recent update was just released yesterday (April 25th) and further details on it can be found here. You need to make sure that your Drupal is updated to either version 7.59 or 8.5.3. Drupal 6 hasn’t been officially supported for more than 2 years and should be updated to at least 7.x.

The first vulnerability has been heavily targeted by bots for over a week now. We do have web application firewall (WAF) rules in place to defend against this but the WAF shouldn’t be considered a long term solution. The best option is always to update your scripts as soon as possible. Failure to do so may result in a complete compromise of the cPanel account in question. We’re still evaluating this latest vulnerability for inclusion in our WAF rules.

If you have any questions or run into any issues please drop us a ticket via our portal.

Important Linux Kernel & WordPress 4.7 Updates

A rather serious Linux kernel vulnerability (CVE-2017-6074) was publicized on Wednesday (2/22). This vulnerability has been present since 2006 so it affects a large number of systems and distributions, many of which are no longer maintained. Thanks to KernelCare, our servers were all patched within a few hours of this having been published without any service impact.

If you use or manage any other Linux systems, hosting related or otherwise, you should make sure that they have been patched as well. This vulnerability could ultimately result in a local user compromising the entire system. Likewise, if you’re using devices or operating systems that aren’t being maintained and thus won’t be patched at all, now would be a good time to upgrade.

While on the topic of security updates, I do also want to mention the critical WordPress 4.7.2 update that was released about a month ago. If you are running WordPress 4.7 and have some how managed to not upgrade to 4.7.2 by now, you should do so immediately.

As always, we will continue to stay on top of these security updates, keeping you safe and informed.

Critical PHPMailer & SwiftMailer Security Updates

Although the PHPMailer vulnerability was posted to our Script Security Forum a couple days ago, the widespread and critical nature of these warrants a post here as well. PHPMailer and SwiftMailer are both libraries used for sending emails. A very large number of scripts use one of these two libraries, including WordPress, Drupal, SugarCRM, Joomla and many others. Both libraries contain similar remote code execution vulnerabilities that can be exploited under certain circumstances.

It is very important that you make sure all instances of these libraries are updated. This will, unfortunately, be difficult to pinpoint in some cases since many plugins also include these libraries. Every core script, plugin and theme that you use should be investigated to determine whether or not these libraries are included and require updating.

All instances of PHPMailer must be updated to 5.2.21 or higher, which can be downloaded here.

All instances of SwiftMailer must be updated to 5.4.5 or higher, which can be downloaded here.

This would also be a good time to examine your plugins and themes to make sure they are all being actively maintained. As a general rule, if they haven’t received any updates within 6 months you should be concerned. If they haven’t received any updates within the past year, they probably shouldn’t be used at all.

The ongoing use of abandoned projects are one of the bigger risks that face websites like those powered by WordPress. While such a plugin may appear to be all good and up-to-date from within the WordPress admin panel, the developers may not have touched it in years and the project page may no longer even exist. As such, a regular audit of these is a very good idea and in general you should stick to more popular options when possible.

If you run into any issues with updating or have any questions please feel free to post a comment here, post on our forums or submit a ticket via our portal.

cPanel & WHM Two-Factor Authentication

We’re excited to announce that two-factor (2FA) authentication is now available for all of our cPanel and WHM users! Two factor authentication adds an additional layer of security to your logins by requiring a security code in addition to your username and password to login. This security code is provided by an application on your mobile device once setup on your account.

WHM users can find the “Two-Factor Authentication” link on the left menu under the “Security Center” as seen below.

whm-two-factor-auth

On this page you can go to the “Manage Users” tab to view and modify any cPanel users under your reseller account that have 2FA enabled. You can also go to the “Manage My Account” tab to setup 2FA on your own WHM account. Continue reading

Happy Halloween & Web Hosting Nightmares

We’ve finally made it to the last day of October and we all know what that means, Happy Halloween! Given the timing I thought it would be appropriate to discuss something scary that was discovered earlier this month…

dirtycow

The so eloquently named “Dirty COW” (copy-on-write) vulnerability that came to light a couple of weeks ago is what nightmares are made of when you’re a web host. This vulnerability (CVE-2016-5195) had been lurking in the Linux kernel since 2007 until it was publicized and patched earlier this month. All of our servers were patched within hours of this discovery thanks to CloudLinux’s KernelCare which allows us to apply such hotfixes without rebooting. Continue reading

Reminder: Password Security

As you may have heard, the full database from LinkedIn’s 2012 compromise was posted last month, resulting in more than 150 million additional user logins having been publicized. In light of all these login credentials being leaked from LinkedIn and other services, I wanted to (again) remind everyone of the importance of maintaining secure passwords and also provide some good general guidelines to follow.

Unique Passwords

Never re-use passwords for any reason. Every login that you setup must use an entirely unique password otherwise a compromise of one service compromises your logins for other services. This is becoming more of an issue as these incidents continue to occur. The last thing you want is for an online community compromise to result in the compromise of your email or bank logins.

Limit Access

Do not share your login information with others if it can be avoided. Doing so increases the risk of a compromise significantly since you have no control over how or where that login might be used. If you must provide your login information to a 3rd party you should set a temporary password and then reset it once the 3rd party no longer needs access. Continue reading

Critical Joomla Security Update

On Monday, December 14th, Joomla 3.4.6 was released to address a critical remote code execution vulnerability (CVE-2015-8562) that exists in all prior versions from 1.5.0 through 3.4.5. Hotfixes are also available for the older, unsupported 1.5 and 2.5 branches. It is imperative that you update all Joomla instances immediately. This was a zero day vulnerability that was actively being exploited prior to it having been discovered and patched. As such, it is remotely possible that your Joomla was already compromised.

We posted this to our forums and in our portal on Monday to give our clients a heads up but given the critical nature of this we figured another post couldn’t hurt. At that time we also deployed mod_security rules which we believe to sufficiently protect all Joomla instances hosted by us unless you have specifically disabled mod_security on the domain, which is not the default or recommended. As always, though, it is still important that these latest patches be applied immediately in order to secure your Joomla instances.

If you have any questions or concerns please don’t hesitate to contact us and we hope everyone has a Merry Christmas!