The Night is Dark and Full of Terrors.
The year 2018 has started from a discovery that even CPU can be vulnerable. And yet a lot of website owners don't recognize the degree of threat. So let's assess the danger and see how can the one protect their server w/o investing 100s of hours in learning. Quick overview of Internet dangers and easy, practical ways to protect:
- be up2date
- establish network protection
- do malware scan
- properly isolate within
- do proper password protection
- protect your identity with valid SSL
- start caring about security!
2. The Night is Dark and Full of Terrors
• 60k sites hacked daily
from internetlivestats.com
3. The Danger is Real
• 90k attacks each minute
Wordfence.com
• 43%+ attacks target small businesses
reported in Symantec Threat Report
• 52% SMBs see web server as the
most vulnerable point
reported in State of Cyber Security in SMB by Ponemon
Institute
4. Are you Up2date?
3.8 mln attacks a month via known
vulnerabilities
from WordFence WP attack report
22% of WP hacks done via outdated plugins
from Sucuri’s Hacked Websites Report
76% websites have known vulnerabilities
9% websites have critical known
vulnerabilities
from Symantec Internet Security Threat report
48% websites run on PHP 5.5 and older (no
security updates)
from Plesk stats
5. Be 100% Up2date
OS Web Server
& App Engine
CMS CMS Plugins
* Hardened PHP
yum-cron / UnattendedUpgrades
yum / apt
(plesk WordPress Toolkit)(system updates) (multiple PHP)
6. Beware of JS dependencies
• 77% sites use vulnerable JS libs
from State of OpenSource Security by Snyk
Node Securityorm
7. Are you penetrated?
Top Attacks are:
• 19% SQL Injections
• 13% XSS
• 8% DoS
from Web Hacking Incident Database
9. Are you already infected?
Jan’18:
• password logging malware on 2k websites
Feb’18:
• crypto-mining malware on 4k websites
• ionCube malware at 19k sites in US
reported by WebARX
Overall:
• 20k websites infected every week
from Sucuri’s Website Hacked Trend Report
13. Keys under doormat?
8% breaches via weak password
from wptemplate.com’s Safety and Security of
WordPress Blog
35 mln brute force attacks each month
from WordFence.org’s WordPress Attack Report
15. Protect your identity
• 80% devices faced MITM attempts
from Zimperium Global Threat Report
• 76% sites have no valid certrificate
from Plesk stats
16. Secure!
Protocol Certificate Push
✓up2date
ciphers
and TLS
✓ SSLLabs A or A+ rank
https://www.ssllabs.com/ssltest/
✓HTTPS/FTPS
✓ Trusted Cert
✓HSTS
✓HTTP ➤ HTTPS
✓HPKP
✓OCSP Stapling
✗ self-signed cert
✗ ”multitenant” cert
(i.e. in LE)
Hi,
Plesk manages over 10 mln websites worldwide and we regularly investigate security breaches at our customers’ web servers. So we collected some observations which I would like to share.
There are many talks about security. And YET end-customer awareness remains VERY LITTLE.
When users start their website, they might think about its look, user experience, and even SEO.
But thoughts about security might come too late and they come at a price. When I talk to our hosting partners, many share the same observation - customers start thinking about security only AFTER being hacked
This security UNAWARENESS might seem surprising nowadays. ALL media channels shout about data breaches almost DAILY.Last year it was about PayPal, Equifax, HBO, Disqus, Uber, Nissan, and including most discussed US elections case of course.
But perhaps way too many people got a FALSE impression that hackers hunt governments and enterprises, not their lovely Mom-and-Dad shop website.
BUT the data indicate quite the opposite – small businesses are targeted and thus need to care about their security
Huge portion of those hacks are done via some outdated software.
Those who monitor security news, they would know that practically every software had a security issue at some point.
There are no software w/o vulnerabilities. Just some vendors are more open than others, more proactive in security testing, fix faster than others.
For example, in Plesk we have a security fix at least every month. Approx. same rate is in any software of decent size.
Thus being up2date is critical.
The problem of not being up2date starts from being unaware about update availability. And then it is about inability to deploy an update.
For example, we have been informing our customers about important security updates in OS, many of them were not comfortable enough in Linux shell to call YUM or APT and apply updates themselves.
That required us to automate a range of tasks for users – so now we inform users about updates and we deploy updates on demand or automatically. We update operating system, update PHP, update applications. Even kernel can be updated thanks to integration with KernelCare.
Finally, many people are afraid of updates because of compatibility issues. Because They depend on some legacy software. And that can be solved - for example CloudLinux would backport security fixes to outdated PHP versions and Patchman would backport security fixes to old versions of CMSes.
For JavaScript the security story gets a little bit special. JavaScript code utilizes multiple 3rd party libraries, each of those might have its own vulnerabilities. And even if not, each of them might use other libraries. And they will use other libraries. And so on and so on.
You remember story about “LEFTPAD”? One library through recursive INCLUSIONS appeared to be used in THOUSANDS of projects. Now imagine IF it had a security flaw... Even more than that – there has been a social experiment injecting MALICIOUS SPYWARE into other libraries, so it appeared included into multiple projects.
In such case an intruder doesn’t even INTRUDE – we bring them at our house ourselves...Luckily there are already few tools for tracing JavaScript dependencies.
Once website has a vulnerability, it will likely be exploited.
Since most of exploits are automated bots, we can see server exploit attempt in minutes or even seconds once the server is deployed. A friend of mine once had to re-deploy server 6 or 7 times just because server image had vulnerability and server got infected before she was able to close the hole.
So beyond being up2date we need network protection.
That would be web application firewalls, monitoring your traffic and prevent potentially harmful requests.
Mod_security Web Application Firewall is very common example. It is free, it runs at your server and it needs special rules to recognize dangers. Those special rules are shipped from vendors like OWASP, Comodo or Atomic, for free or commercially.
Should some intruder be too annoying, the one might configure fail2ban to block them upon certain number of attempts.
It might seem difficult for an average user to connect all those technologies together, so there are solutions wrapping its complexity in a nice way. For example, Immunify360 from CloudLinux or Plesk itself.The other kind of integrated solutions run as a cloud service, so they proxy your traffic and also act as a CDN. That allows them to handle DoS attacks more efficiently
It might be critical to NOT OVERDO with filtering and protection, as it might start cutting legitimate traffic. For example, we previously discovered that
OWASP rules were known to block WordPress from normal operations. Atomic would be better option for WordPress users
Or misconfigured fail2ban used to block connections from Nginx reverse proxy. That happened at Plesk
Or once we had a website where CloudFlare and local mod_security started clashing with each other
So the best would be to work with solutions which already integrate several tiers in aligned manner
The vulnerability might result in different kinds of exploit
but one of most frequent impacts is that you have got some malware installed,
potentially stealing sensitive data of your customers or involving a server in an unwelcome activity,
like something from this list.
To stop infection, it shall be discovered
and there is a range of remote services doing such scan, but being outside they won’t be able to cure a server.
Others – like Sucuri, SiteLock, Immunify360 and Revisium would scan from inside server in addition or instead of external scan.
Access to server internals would allow both deeper scan and also elimination of infected files.
Attack might not just become from outside.
The most challenging case are multi-tenant environment – shared hosting.
Only part of vulnerabilities can result in remote exploit. But once malicious user has account at a server, a wide range of local exploits becomes available for them.
To protect, we need to carefully setup each of 3 layers:
First of all, only use scripting engines running code under user privileges. There is no good way to isolate properly otherwise. So in Plesk we recently stopped offering mod_php, mod_perl and mod_python to protect users.
The noisy neighbor problem has been the most effectively solved by CloudLinux. I probably wouldn’t overstate saying that CloudLinux gave 2nd life to shared hosting, stopping users from taking resources of othersUnfortunately CloudLinux was not avaialble for Ubuntu users, but plain cgroups can do similar job to some limit. It might be configured manually or via Plesk.
And at file level the best solution would be to keep a tenant within their folder. So CageFS from CloudLinux is again a piece of art.
And if user cannot be caged, then proper access privileges are critical for each and every file. In Plesk we can tune WordPress to all available secure best practices and we can do similar job for generic sites.
SELinux and AppArmor might act as additional defense line regulating who can access what, but they require careful setup to avoid clash with legit operations.
Docker would be a new way of addressing the same problem, but it is not yet widely adopted in hosting world.
Yet it many cases you don’t really need vulnerability to get exploited. Most common password is still “123456”. But even if password is not exactly trivial or a vocabulary word, still past data breaches result in leaking passwords. for example one of our customers used the same password for web app login and for Plesk. So once web app was cracked, the intruder also got access to the whole server.
So lets restrict where from the servers can be accessed. Lets have have good passwords and enable 2-factor authentication. And lets enable fail2ban to block abusers trying multiple passwords.
Some might be concerned about social login for privacy issues, but from security perspective it greatly reduces chances of being hacked.
And the last risk is that you web server won’t be hacked. But your users will be. Intruder might pretend being us to collect sensitive data of our users.
While thanks to Google, we would see victorious statistics about 70% or even 90% of HTTPS traffic, proper SSL certificate remains relatively rare.
Since availability of free certificates, price isn’t an issue.
But Lets Encrypt certificates are short-term and thus require due automation for timely renewal, which might be difficult for site owners.
Control Panels can solve renewal problem conveniently for Lets Encrypt certificates, or alternative free certificates from DigiCert in Plesk or Comodo in cPanel. The rest would be proper TLS configuration on server and forcing users to connect over SSL.
But the biggest challenge to security would be not technology, but people. We had a session couple years ago here at World Hosting Days and asked hosters and developers in the room who is responsible for security. They pointed to each other
Of course, developers would do their best to write secure code and provider will provide initial secure setup,but a lot has to be performed continuously.
So except of fully managed servers, once project development is complete, a customer might be left alone with their server.
So how can they be guided through complicated security topic?
We in Plesk were trying to help our customers with security guidelines, communicating them in documentation, social media and forum.
At some point we have decided that we can guide customers through best practices automatically and then we built The Advisor which unintrusively walks a user through all best practices, security included.
CLICK
Now loop is complete and a customer is well equipped against intruder