In February this year, a well known Web Hosting News Site reported Cybercrime-Linked Web Host VolgaHost Goes Offline . The post goes on to say

Is this news important to a WebHost company owner?

Your server’s reputation is EVERYTHING in this industry. If someone posts an article on the net with verifiable proof, that your servers are not secure, it can sink all the marketing money you spent on advertising your business. The harm that BotNets can cause to your business is severe, and unless you take sufficient precautions, your servers can easily become part of a BotNet, and cause your business real bad reputation.

We here at Bobcares have seen a lot of servers listed in block lists due to malware, and have successfully brought them back to good reputation.

In this 3 part article series, I will cover the following points that you MUST be aware of as a WebHost company owner, to defend yourselves against BotNets:

1. How to know if your servers are used for malicious traffic
2. What are the options available to you
3. A case study in preventing malicious traffic

How to know if your servers are used for malicious traffic.

Why do some hosts allow malicious traffic to originate from their servers? Answer is simple. They are unaware of it. Most hosting providers are never aware of malware traffic originating from their servers, until their servers get reported in major malware tracking websites.

Malicious traffic usually manifests through outbound SMTP spam traffic, outbound HTTP attack traffic or bi-directional bot control traffic through IRC or HTTP protocols. Only through comprehensive monitoring of your servers, can you find out if any malicious traffic is going on in your network or if any files are planted to enable that.

There are 3 ways in which you can do the monitoring:

a. Using an Intrusion Detection System
b. Using a System Health Monitor
c. Subscribing to popular malware/spam tracking sites

Using an Intrusion Detection System

An IDS (Intrusion Detection System) keeps a constant watch on the critical files and monitors which all processes are running in your system. There are a wide variety of tools a system administrator can deploy on a web host network. But at the minimum, your IDS should be able to detect suspicious processes, modifications to critical files and creation of any suspicious files in world-writeable directories.

At the basic level, for cPanel servers, a well configured Login Failure Daemon (LFD) can do this for you, and for Plesk servers OsSec can be configured to detect suspicious files and processes. Ideally, each of your servers should be equipped to analyse the network traffic and notify you based on latest signatures of malicious traffic. For network traffic monitoring, you can use tools like SnortCenter, BotHunter, etc. For comprehensive malware scanning, you can use LMD (using iNotify), ClamAV (with ASL rules), etc.

No matter which IDS you choose to use, only through optimal configuration and customization for your server’s traffic and usage patterns, can the IDS give you consistent correct results for any malicious activity.

Using a System Health Monitor

A system health monitor should be employed exactly as a heart rate monitor is employed in a hospital. Just like a human body has several parameters like temperature, heart rate, blood pressure etc. that can give an indicator to the health of a person, servers have several parameters like process count, mail queue size, bandwidth usage per service etc. which can be gauged to know the health of a server. For each of these indicators, there is a desirable value, and when these parameters show a value which is not expected, an alarm should be raised.

For example, in one of the networks we manage, we configured Nagios to raise an alarm if the number of processes in each service goes above or falls below certain threshold values. This restraint will bring to our notice any attempt to create a malicious process masqueraded as an innocuous process.

Using tools like Munin, you can visualize the activity of your server through intuitive graphs so that you will immediately notice if there is a spike or dip in usage patterns which is abnormal.

Subscribing to popular malware/spam tracking sites

All efforts described above, were to prevent your servers from being listed in Malware reporting websites. But, if there’s bad news, you should be the first one to hear it, and efforts should be made so that you resolve it well before your clients get to know about it. There are hundreds of honeypots run by organizations in the net and though the majority of the internet uses only the popular ones, the less popular ones also are influential to some extent. It is practically impossible to manually check all these sits every few hours. So the way to keep track of your server’s reputation will be to use IP Reputation Monitoring programs or subscribe to a service that does this for you.

There are several scripts available on the net that you can run on your server and check your IP against a list of block lists. For Nagios, there are plugins that can do the scanning for each of your servers, and show you an alert if one of your servers are listed in any of the block lists.

Alternatively you can choose to subscribe to a third party services like DNSStuff.com’s or WhoHostsIt.com’s RBLalert service.

This concludes the first part of the 3 part series. In the second part, we will look into the options that are available to you as a web host owner, to prevent your server from being used as a malware origin.

About the Author:

Visakh has been with Bobcares from May 2004, and has extensive experience in administering various control panels and operating systems used in web hosting industry. He loves Bash scripting and uses his skills to automate Linux web hosting servers. He is a die hard fan of systems/process streamlining and draws on his experience in auditing ISO 9001:2008 Quality Management Systems & ISO 27001:2005 Information Security Management Systems. He is an avid reader, and loves topics on technology, humour and philosophy.