October 20th, 2012

Hardware vs Software firewall: A brief comparison

by bob,
Guru

“Google has listed your server as a malware source! It’s been hacked into, and is being used to spread malware!”

 
I’m sure this is a message that you never hope to get in your mailbox. But, how confident are you about your server security? Verizon’s Data Breach Investigations Report for 2012 states that there is a 31% increase in server hacking attempts, and 20% increase in malware attacks in comparison to 2011 statistics.

 
One of the most important mitigation steps proposed by the Gartner technology research group is the use of a firewall. The report shows the necessity of employing a firewall as a security layer for our servers. Firewalls come in two broad categories: Hardware and Software. The choice depends primarily on what your requirements are and what your budget is.

 
Here I am presenting a quick overview on these two kinds of firewalls so that you can make an informed choice. 
Read the rest of this entry »

September 8th, 2012

How to secure your WordPress Site?

by bob,
Guru


WordPress powers 48 of the top 100 blogs online. More than that, WordPress actually powers 19% of the web as a whole.

Such a strong community of users and developers means that the platform is sure to evolve even further and provide us with lots of features that are yet to be developed.

Unfortunately, this creates some dangers as well. The cases where a blog owner loses complete access to their site are not uncommon.

WordPress as a whole (a website management platform) is very well designed. It doesn’t have any preposterous security issues that beginning programmers could exploit. The problems, however, arise when you try to tweak your settings of WordPress by adding new plugins or themes.

This doesn’t mean that you should settle for the default installation, not use any plugins, and only blog using the default theme. You need to be careful when installing new stuff on your blog, as well as when setting up your blog for the first time.

Read the rest of this entry »

August 10th, 2012

A webmaster’s handbook on SSL certificates

by bob,
Guru

In the world of eCommerce, security is paramount. Fear of fraud continues to keep millions of consumers from shopping online. SSL Certificates give you an easy, cost-effective way to protect your visitors and earn their trust.

To enable SSL on a website, you will need to get an SSL Certificate that identifies you and install it on the server. SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details.


What are the types of SSL Certificates?

An SSL Certificate is necessary to protect websites and enable them for data security. However, there are different types of SSL Certificates, and website owners are often unsure which type of certificate they need for their online security needs.

Dedicated SSL Certificates

Dedicated SSL Certificates are purchased directly from Certificate Authorities to be used solely by the owner for their domain. This is perfect for those who are confident of making their businesses go big time, quickly. It also cannot be used with other domains, or even with a subdomain of the same domain, due to its focused security functionality, which can be very costly.


Shared SSL Certificates

As the name suggests, Shared SSL certificates are certificates that are shared with other people. Either you share your certificate with others, or you use SSL certificates that are owned by other companies or businesses. You may get one free or at a lower price, but you will not have ownership of it, as the name on it belongs to a different party. A shared SSL certificate is used by multiple sites on the same IP address so that each site doesn’t have to get its own certificate.


Free SSL Certificates

Free SSL certificates are offered by some companies and businesses for the benefit of customers. But there is a chance that these certificates, being free of charge, may not offer the kind of protection that paid certificates have. Be sure to check that the company the certificate comes from is reputable and credible.


Extended Validation (EV) SSL Certificates

Extended Validation SSL Certificates are the first SSL Certificates to adhere to industry-wide certification guidelines established by leading Web browser vendors and Certificate Authorities, including Network Solutions. An EV SSL Certificate is more than just a transaction protector. Apart from creating secure transactions, it also reassures visitors about the business a site conducts. Among the new features of EV SSL Certificates is the color-coding of the Web browser’s address bar to signal secure connections.


Organization Validation (OV) SSL Certificates

This assures the validity of a Web site by verifying that the applicant is a legitimate business. Before issuing the SSL certificate, the CA performs a rigorous validation procedure, including checking the applicant’s business credentials (such as the Articles of Incorporation) and verifying the accuracy of its physical and Web addresses. An Organizationally Validated SSL Certificate is an excellent website security option for any business conducting online transactions and accepting sensitive data, such as credit-card numbers, from customers.


Domain Validation (DV) SSL Certificates

Domain SSL Certificates are fully supported and share the same browser recognition with OrganizationSSL, but come with the advantage of being issued almost immediately and without the need to submit company paperwork. This makes DomainSSL ideal for businesses needing a low cost SSL quickly and without the effort of submitting company documents.


Wildcard SSL Certificate

A Wildcard SSL Certificate can help you if you want to secure your multiple sub-domains over multiple servers all by one single certificate. It saves you time and money over buying and managing of individual certificates for every sub-domain.


Instant SSL Certificate

An Instant SSL Certificate is one of the most cost-effective, fast-installed SSL Certificates for securing a webserver. Customers can be assured of the complete security of the transaction data until it reaches the intended webserver. All Instant SSL orders include a dynamic TrustLogo site seal which allows visitors to verify your business credentials in real-time, leading to an increased visitor conversion rate, lower Web site abandonment and an increase in average purchase price.


Essential SSL Certificate

An Essential SSL Certificate is highly trusted in the industry as a quick, reliable solution for web security. It can be of significant value to you if you are an e-merchant as it secures E-commerce sites in no time.


Code Signing Certificate

A Code Signing Certificate facilitates the protection of software code and content for the software publishers and the users downloading it. It typically allows the software developers to include their digital signatures and information with the software.


Depending on the type of SSL Certificate applied for, the organization will need to go through differing levels of vetting. Once you have done the SSL install, it activates the https protocol (over port 443) and you can access a site securely by changing the URL from http:// to https://. When an SSL certificate is installed on a website, you can be sure that the information you enter (contact or credit card information), is secured and only seen by the organization that owns the website.

The above is a very rough outline of SSL certificates. If you have any questions, we would be happy to talk to you! :)


About the Author :

Nimi K M works as a Software Engineer in Bobcares. She joined Bobcares in April 2012. She loves reading books and listening to music in her free time.



Blog edited by :

Appu Joseph Xavier works as a Software Engineer in Bobcares. He joined Bobcares in April 2012. He loves to watch movies in his free time.


July 21st, 2012

Ways of improving security in Litespeed

by kumar.k,
Newbie

LiteSpeed Web Server is the leading high-performance, high-scalability web server. It is completely Apache interchangeable, so it can quickly replace Apache in your existing web delivery platform. Its important security features and their configuration are given below:

a) SSL (LiteSpeed administration security)

We need to secure the administration area. We will do this by adding an SSL connection to the administration port and configuring the server to accept connections to that port from our IP only (or from a group of IPs).

b) DDoS Protection

LiteSpeed web server is much less vulnerable to HTTP Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, thanks to its IP level throttling, connection accounting and its outstanding performance and scalability.


This is a server level setting that affects all virtual hosts. Virtual host setting will not override the server setting. If you want to block a certain IP or network, put * or ALL in “Allowed List” and list the blocked IP or network in Denied List. If you want to only allow certain IP or sub-network, put * or ALL in Denied List and list the allowed IP or sub-network in Allowed List. The setting of the smallest scope that fits for an IP will be used to determine whether to block or allow. Trusted IP or sub-network must be specified in the Allowed List by adding a trailing “T”. Trusted IP or sub-network is not affected by connection/throttling limits. Only server level access control can set up trusted IP/sub-network.
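The "smallest scope that fits" rule described above, as an added example (not LiteSpeed's own code): the narrowest entry matching the client IP decides, and a trailing "T" on the winning allowed entry marks it trusted. The entry syntax accepted here (a.b.c.d, a.b.c.d/bits, * or ALL), the function names, the deny-on-tie and deny-on-no-match behaviour, and the sample addresses are assumptions for illustration.

```shell
#!/bin/bash
# Added example: evaluate an IP against Allowed/Denied lists by most specific match.
# Assumptions: entry syntax, tie -> deny, no match in either list -> deny.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# match_scope ENTRY IP -> prints the prefix length (0-32) if IP is inside ENTRY
match_scope() {
    local entry="${1%T}" ip="$2" net bits mask
    case $entry in
        '*'|ALL) echo 0; return 0 ;;
        */*)     net=${entry%/*}; bits=${entry#*/} ;;
        *)       net=$entry; bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    if [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
        echo "$bits"
    fi
    return 0
}

# best_match LIST IP -> "<bits> <entry>" for the narrowest matching entry, if any
best_match() {
    local best=-1 hit="" entry s
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        s=$(match_scope "$entry" "$2")
        if [ -n "$s" ] && [ "$s" -gt "$best" ]; then best=$s; hit=$entry; fi
    done <<EOF
$(printf '%s\n' "$1" | tr -d ' ' | tr ',' '\n')
EOF
    if [ "$best" -ge 0 ]; then echo "$best $hit"; fi
    return 0
}

# decide IP ALLOWED DENIED -> trusted | allow | deny
decide() {
    local a d abits dbits
    a=$(best_match "$2" "$1")
    d=$(best_match "$3" "$1")
    abits=${a%% *}; dbits=${d%% *}
    abits=${abits:--1}; dbits=${dbits:--1}
    if [ "$abits" -gt "$dbits" ]; then
        # The allowed entry is narrower: trusted only if that entry carries the T flag.
        case ${a#* } in *T) echo trusted ;; *) echo allow ;; esac
    else
        echo deny
    fi
}

# Constructed sample: allow one /24 (one host in it trusted), deny everyone else.
ALLOWED="198.51.100.0/24, 198.51.100.10T"
DENIED="ALL"
for ip in 198.51.100.10 198.51.100.20 203.0.113.7; do
    printf '%-15s %s\n' "$ip" "$(decide "$ip" "$ALLOWED" "$DENIED")"
done
```

Swapping the lists (ALL in Allowed, one network in Denied) gives the "block a certain network" case from the same paragraph.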

c) SuEXEC


This is another security measure. Here we have to enable SuEXEC in LiteSpeed server for applications including CGI, FastCGI, LSAPI, PHP, Python, RubyOnRails.

d) File system protection

LiteSpeed web server will serve a static file only if the following conditions are satisfied:

# “.ht*” and “.svn*” are not allowed in a decoded URL; this denies access to some important hidden files and directories.
# The file must be configured with the required permissions.
# The file is not in the Access Denied Directory list.
# The path does not contain symbolic links, if symbolic linking is not allowed.

e) Chroot Jail
“chroot” can change the root directory for a process. A process with a changed root, and its child processes, cannot access any file beyond the new root directory. It is like putting a process in a jail, so this mechanism is called “chroot jail”. The LiteSpeed web server runs inside the chroot jail.

The above is a very rough outline of the Litespeed web server, and if you have any questions, we would be happy to talk to you! :)


About the Author :

Manu George E works as a Software Engineer in Bobcares. He joined Bobcares back in March 2011. He loves reading books, watching movies and listening to music in his free time.




July 17th, 2012

How to ensure cPanel server security?

by arundhati.r,
Wannabe

When considering how to make a cPanel server secure, we can check the options below, which are available with cPanel. You will be able to manage each of these options from the WHM interface. By properly configuring their values, we can make a server secure enough.


Security settings


SSH configurations

Brute force Protection

Password strength configuration

Open base_dir in PHP

Apache mod user

SSH keys

Compiler access

Shell Fork Bomb Protection

Anonymous FTP

Exim configurations

Firewall configurations


Analyzing the settings


Scanning the system

Chkservd


Updating the settings


System updates


SSH configurations


SSH configuration allows or denies root level access to the server for specific hosts. WHM also lets you specify which services are allowed for which IPs: you can add allowed and denied hosts, with their services, in the host access control interface. Proper configuration of this helps isolate the server from hackers. Normally, for shared servers, it is recommended to give shell access to the administrator user only.

Wheel/sudo user management also comes under this. We can restrict the commands available to users in the sudoers file. Allowing only limited commands to groups, and managing those groups, also helps increase the security level of the server. For cPanel, the wheel users can be managed from the WHM interface.

Reference : http://docs.cpanel.net/view/WHMDocs/DenyAccess


Brute force Protection


Enabling brute force protection helps against brute force attempts to hack a system. In cPanel, we can set the limit of attempts from the WHM interface. If the number of failed logins exceeds that limit, the IP is logged in the database and its access to the system is blocked. That IP will be able to try again after a predefined time. This is a very sensitive protection layer available in cPanel.

Reference : http://docs.cpanel.net/twiki/bin/view/WHMDocs/CPHulk


Password strength configuration


Password strength for all the passwords that can be used in cPanel can be configured by the administrator user from the WHM interface. The value can be set for each kind of password, or a common value can be set for all. If this is enabled with a good strength setting, users will not be able to use weak passwords, and thus we can avoid account level hacks. Weak passwords are one of the main security threats to a server.

Reference : http://docs.cpanel.net/twiki/WHMDocs/PwordStrength


Open base_dir in PHP


PHP open_basedir protection prevents users from opening files outside their home directory. If this protection is not enabled, users can use fopen() to open files which are not owned by them. This can also be achieved with the disabled functions option in the PHP configuration. Disabling allow_url_fopen will prevent remote file injection/access on the server using PHP scripts. This can be done in the global PHP configuration file.

Reference : http://docs.cpanel.net/twiki/WHMDocs/TweakPhp


Apache mod_user


Apache mod_user dir protection is another option which is not directly dealing with the server security but can affect the accounts. Apache’s mod_userdir allows users to view their sites by entering a tilde(~) and their username as the url on a specific host. For example “http://test.cpanel.net/~fred/” will bring up the user fred’s domain. The disadvantage of this feature is that any bandwidth usage used by this site will be put on the domain it is accessed under (in this case test.cpanel.net). mod_userdir protection prevents this from happening.

Reference : http://docs.cpanel.net/twiki/bin/WHMDocs/TweakModuserdir


Compiler access


Compiler access should be disabled for unprivileged users. By default, it is disabled for all users. Enabling this option for a user allows them to use the working C compilers on the system, and so to compile scripts. Normally, this should be enabled only for the root user.

Reference : http://docs.cpanel.net/twiki/bin/view/DisableCompilers


Shell Fork Bomb Protection


If this is disabled for users having shell access, they will be able to use the resources of the system without any limit. Enabling this option prevents that from happening. Normally, this will be disabled in the server for all the users. Also, it is not recommended to allow shell access for cPanel users on shared servers.

Reference : http://docs.cpanel.net/twiki/bin/view/WHMDocs/ShellFork


Anonymous FTP


Anonymous FTP enables users or visitors to use anonymous FTP logins to upload content. With this, they will be able to gain access to the account, so it is recommended to disable this option from WHM. In all cases, authorized access is recommended. Also, secured access to the server services will encrypt the connection to the server (SSL must be installed for the server and the services).

Reference : http://docs.cpanel.net/twiki/bin/CpanelDocs/AnonymousFTP


Exim configurations


Enabling sender verification will check the validity of the sender. The mail will be delivered only if the sender is valid; otherwise the mail will be rejected. This is a good option which will help in rejecting spam mails. There are further options in the Exim configuration editor that can help the mail server work better.

Reference : http://docs.cpanel.net/twiki/bin/WHMDocs/EximConfig


Firewall configurations


CSF and LFD


For cPanel, CSF and LFD can contribute much to security. The most commonly used firewall with cPanel is CSF. By configuring CSF properly, we can prevent trespassing on the servers. LFD is the other option available with CSF. LFD has a lot of options that can be enabled to detect actions on the server. If it is enabled, it will mail all the alerts, with their details, to the specified mail address. Checking and fixing all those alerts on the server is highly recommended.

For monitoring these services, cPanel has the Chkservd option in the service manager. From this interface, you can enable the checking and monitoring of almost all the services running in cPanel. You can also add custom services to chkservd. The main advantage of this service is that it will automatically restart an added service if it is found to be stopped for any reason. Also, if monitoring for the service is enabled, it will mail the contact email with the status of the service and the restart attempts made. These alerts will let you know which services were down/up. If a service is found to be down, it will alert you and you can start investigating the root cause using the time stamp of the mail.

Reference : http://docs.cpanel.net/twiki/view/ApiDocs/ApiChkservd


Scanning the system


The security scan feature in cPanel will let you know the current status of the server configuration, including the firewall settings on the server. It will also give you a detailed report on each configuration item. By analyzing this, we can tweak the configuration and make it better. Configuring the settings according to this report for cPanel servers is highly recommended.

Reference : http://docs.cpanel.net/twiki/view/SecurityandVirusScanning


System updates


Enabling this feature in WHM will update all the software automatically and thus patch the vulnerabilities. Since this is done automatically, we can ensure that the system is always up to date. Also, enabling Linux environment security (LES) in cPanel will add attributes to sensitive system files and thus prevent modification of those files. Any update that includes system file modification will be allowed only after disabling LES. So, this seems to be an important option that should be enabled on the server.

Reference : http://docs.cpanel.net/AllDocumentation/UpdateServerSoftware


The above is a very rough outline of cPanel security configuration. If you have any questions, we would be happy to talk to you! :)


About the Author :

Sambhu PS works as a Software Engineer in Bobcares. He joined Bobcares back in February 2011. He loves reading technical blogs, plays violin, plays table tennis and listens to music in his free time.



Blog edited by :

Nimi K M works as a Junior Software Engineer in Bobcares. She joined Bobcares in April 2012. She loves reading books and listening to music in her free time.






March 21st, 2012

Microsoft RDP vulnerability and Virtuozzo update

by Sankar H, Senior Software Engineer, Bobcares.
Guru

Some critical vulnerabilities were reported in the Remote Desktop Protocol that allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.

Read more on Microsoft RDP Vulnerability.

Parallels has come out with a security advisory in relation to this vulnerability Read the rest of this entry »

March 6th, 2012

PHP permission : For PHP files under suPHP - solved


While discussing PHP permissions in the last blog, we concluded that SuPHP servers ideally needed PHP file permissions of just 600.

Of the many ways to set the permission/ownership, the quickest is to set the permissions using a script. You may set this script as a cron job that runs daily or weekly, to take care of the permissions. The script is written for a server that has cPanel installed. Slight modifications would make it work with other control panels, or even on servers that do not have any control panel.

The script also allows certain accounts to have custom PHP permissions, so that any custom application that needs specific permissions can be run, and such accounts would not be affected by the script.

The PHP permission script primarily does the following :

    1. Changes the ownership of any PHP files (within public_html) under the ownership of nobody to the ownership of the user.

    2. Changes permission of PHP files with 444 or 440 permission to 400.

    3. Changes permission of all PHP files except those having 000 or 400 permissions to 600.

Steps to use this script :

    1. Create /usr/local/customscripts folder

    mkdir /usr/local/customscripts

    2. Create the script file /usr/local/customscripts/php-perms.sh using your favorite editor.

    vim /usr/local/customscripts/php-perms.sh

    3. Give execute permission to the script

    chmod -v 755 /usr/local/customscripts/php-perms.sh


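The script given below can be used on cPanel servers which have suPHP enabled.

#!/bin/bash
# Normalise PHP file ownership and permissions for every cPanel account (suPHP servers).
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin
cd /usr/local/customscripts/ || exit 1
for i in $(cut -d " " -f 2 /etc/trueuserdomains)
do
# Skip accounts that opted out by creating customperm.txt in their home directory.
if [ ! -f "/home/$i/customperm.txt" ]
then
# 1. PHP files owned by nobody:nobody are handed back to the account user.
find "/home/$i/public_html" -type f -user nobody -group nobody -name '*.php' -exec chown -v "$i":"$i" {} \;
# 2. PHP files with 444 or 440 are tightened to 400 (the parentheses group the two -perm tests).
find "/home/$i/public_html" -type f \( -perm 444 -o -perm 440 \) -name '*.php' -exec chmod -v 400 {} \;
# 3. Every other PHP file, except those already 600, 400 or 000, is set to 600.
find "/home/$i/public_html" -type f ! -perm 600 ! -perm 400 ! -perm 000 -name '*.php' -exec chmod -v 600 {} \;
fi
done > php-perms-log.txt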

You may add this as a cron job, as outlined in the following blog : cPanel adding cron job. This PHP security measure works only if you keep setting the PHP permissions right periodically. I would suggest setting it as a cron job that runs every day, or say every 12 hours.

Script compatibility : Known issues

Some custom applications, like the shopping cart Interspire, set the permissions of some uploaded files (images) to the permission set for their configuration file. Say you set 777 permission on the configuration file: it will give 777 permission to the uploaded images. If you set 600 permission on the configuration file, it will set 600 permission on all uploaded images.

In such cases, or in other cases where you need custom permissions for certain accounts, you may create a file named customperm.txt in the home directory of the account (like /home/cpanel_username/customperm.txt). The presence of this file will make sure that the script does not act upon PHP files within that account, and you can continue to have custom PHP permissions.

Otherwise, the script works just fine on all of the production shared servers, and has helped in the overall manageability of PHP permissions and has added to PHP file security!
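A dry-run check of rules 2 and 3 and of the customperm.txt opt-out, as an added example that is not part of the original script: it lists what would be changed under one account home without modifying anything, and shows why the 444/440 test needs grouping. The function names and the sample tree built in a temporary directory are constructed for illustration.

```shell
#!/bin/bash
# Added example: report what the permission rules would touch; nothing is changed.

# would_chmod_400 HOME -> PHP files with 444 or 440 (rule 2, tests grouped)
would_chmod_400() {
    find "$1/public_html" -type f \( -perm 444 -o -perm 440 \) -name '*.php' | sort
}

# rule2_ungrouped HOME -> what the same tests select without the parentheses.
# find reads it as (-type f -perm 444) OR (-perm 440 -name '*.php' ACTION), so
# the action never runs for 444 files; they would fall through to rule 3 (600).
rule2_ungrouped() {
    find "$1/public_html" -type f -perm 444 -o -perm 440 -name '*.php' -print | sort
}

# would_chmod_600 HOME -> PHP files rule 3 would set to 600. 444/440 are excluded
# because the real script has already turned them into 400 by this point.
would_chmod_600() {
    find "$1/public_html" -type f ! -perm 600 ! -perm 400 ! -perm 000 \
        ! -perm 444 ! -perm 440 -name '*.php' | sort
}

# audit_account HOME -> one line per pending change, or SKIP if the account opted out
audit_account() {
    if [ -f "$1/customperm.txt" ]; then
        echo "SKIP $1 (customperm.txt present)"
        return 0
    fi
    would_chmod_400 "$1" | sed 's/^/400 /'
    would_chmod_600 "$1" | sed 's/^/600 /'
    return 0
}

# make_sample_home -> path of a constructed account tree in a temp directory
make_sample_home() {
    local home
    home=$(mktemp -d) || return 1
    mkdir -p "$home/public_html/img"
    touch "$home/public_html/index.php" "$home/public_html/config.php" \
          "$home/public_html/ro.php" "$home/public_html/grp.php" \
          "$home/public_html/img/logo.png"
    chmod 644 "$home/public_html/index.php"
    chmod 600 "$home/public_html/config.php"
    chmod 444 "$home/public_html/ro.php"
    chmod 440 "$home/public_html/grp.php"
    chmod 444 "$home/public_html/img/logo.png"
    echo "$home"
}

# Demo on the constructed tree.
sample=$(make_sample_home)
audit_account "$sample"
rm -rf "$sample"
```

Pointing audit_account at a real /home/username before enabling the cron job shows which files the first run would change.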

Sherin


About the Author :

Sherin George works as a Senior Software Engineer in Bobcares. He joined Bobcares back in September 2006. He loves reading technical blogs, and listens to music in his free time.


Co-authored by Sankar.H

February 15th, 2012

Plesk panel vulnerabilities : Windows and Linux

by Sankar H, Senior Software Engineer, Bobcares.
Guru

Parallels have released fixes and micro updates for vulnerabilities in old Windows Plesk 8 and Windows Plesk 9. Another recent vulnerability in Plesk panel was reported and its micro update was released a couple of days ago.



The details of the Plesk Panel vulnerabilities can be found here :

Parallels Plesk SQL injection vulnerability for Linux servers - panel version 9.5

Vulnerability in Plesk versions 8 / 9 for Windows server, which as per the KB applies to the following old versions : Read the rest of this entry »

December 26th, 2011

Mission : ZERO malware - Part I


In February this year, a well known Web Hosting News Site reported Cybercrime-Linked Web Host VolgaHost Goes Offline. The post goes on to say

“The hosting provider has been known in the industry for hosting botnet command-and-control servers and other online crime-related services, such as ZeuS. Security firms have also spotted infected websites, phishing pages, exploit servers and spam on VolgaHost’s IP space.”


Is this news important to a WebHost company owner?

Your server’s reputation is EVERYTHING in this industry. Read the rest of this entry »

October 25th, 2011

Scan with iScanner


Server hacking is a common problem that webhosts face. The intrusion can be caused by several reasons like malicious scripts, vulnerabilities in the server etc.

It would be of real help, if we had a good tool to find such scripts running in the server. iScanner is one such tool. Read the rest of this entry »
