dediserve news

Bash Vulnerability AKA SHELLSHOCK

What we know:

There is a critical vulnerability that affects the GNU Bourne Again Shell (Bash), used in many *nix based operating systems. The vulnerability relates to how environment variables are processed and allows for Remote Code Execution, allowing an unauthenticated attacker to run commands on vulnerable systems. Web servers should be considered high priorities for patching. Security researchers are actively investigating the issue, and are highlighting the ease with which it can be exploited.

What we don’t yet know:

Whether other operating systems based on *nix platforms are also vulnerable, such as Mac OS X and Android, as well as embedded devices (such as “Internet-of-Things” devices).

The detail:

This vulnerability has the ID CVE-2014-6271 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271) and has been given an Exploitability score of 10.0, the same as Heartbleed.

There are patches available for many of the major Linux distributions, such as:

You can verify if a system is vulnerable by entering the following command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

dediserve partner with Cloudflare & deploy Railguns

As a CloudFlare Optimized Partner, we are thrilled to offer the CloudFlare Railgun™ technology to all our customers for free.

Railgun is CloudFlare’s latest performance optimization technology and gives you significant improvements in site load times. Grab a CloudFlare account by clicking here, and any sites you add to CloudFlare will automatically be enabled with Railgun!

What is CloudFlare?


What is Railgun?
Railgun accelerates the connection between each CloudFlare data center and an origin server so that requests that cannot be served from the CloudFlare cache are nevertheless served very fast.

Approximately 2/3 of requests to sites on CloudFlare are served directly from cache from the data center that is physically closest to the person surfing the web. Because CloudFlare has data centers around the world this means that whether you are in Bangalore, Brisbane, Birmingham or Boston web pages are delivered quickly even when the real, origin web server is thousands of miles away.

CloudFlare’s ability to make a web site appear to be hosted close to web surfers is key in accelerating web surfing. A web site might be hosted in the US, but accessed mainly by web surfers in the UK. With CloudFlare the site will be served from a UK data center eliminating the costly delay caused by the speed of light.

But the other 1/3 of requests made to CloudFlare have to be sent to the origin server for processing. This happens because many web pages are not cacheable. This can be because of a misconfiguration, or, more commonly, because the web page changes frequently or is personalized.

Quick facts

  • Web optimization that eliminates delays caused by the speed of light
  • Works for all websites, including dynamic sites
  • Achieves 99.6% compression ratio
  • On average, 200% performance increase

Read on for additional details and instructions:
Railgun ensures that the connection between our network and the CloudFlare network is as fast as possible. Railgun achieves a 99.6% compression ratio for previously uncacheable web objects by using techniques similar to those used in the compression of high-quality video. The average website can expect a 1.43x performance increase.

We have made it simple for our customers to get the benefits of Railgun with one click. For additional information and instructions on how to activate it, visit the knowledgebase.

If you are already a CloudFlare customer directly and wish to use our Railgun servers for the servers you host with us, simply open a ticket with CloudFlare and they will enable it on your account.

dediserve GUI URL Update

To better reflect the function of the dediserve GUI, we felt a URL change would be appropriate.

Old URL: billing.dediserve.com

New URL: https://manage.dediserve.com

The old URL should redirect you to the new one automatically. If you have any trouble, clear your browser cache and try again; if the issue persists, please open a ticket and let us know.

Additionally, we took this opportunity to improve security and assurance with a full Extended Validation SSL Certificate (EV).

Warning – The Heartbleed Bug

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL library; as such, we recommend you patch your server immediately. This will require a quick reboot once done. Please follow the steps below to apply the necessary patch.

For all managed server customers this is being done automatically for you.

What is it?
This is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

How to stop the leak?
As long as the vulnerable version of OpenSSL is in use it can be abused. A fixed OpenSSL has been released and now has to be deployed. Operating system vendors and distributions, appliance vendors and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

How do I fix the vulnerability?

Remediation of exposed servers

For Debian/Ubuntu servers:

apt-get update && apt-get upgrade

For RHEL/CentOS based servers:

yum update && yum upgrade

Here are the links with the release notes that contain the package names of the fixed versions:

Debian: http://www.debian.org/security/2014/dsa-2896
Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
Fedora: https://lists.fedoraproject.org/pipermail/announce/2014-April/003206.html
CentOS: http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html

For any customers running cPanel: the cPanel/WHM repos have an updated OpenSSL too, so simply run the update from within WHM.

Run Update System Software under the Software heading in WHM.

Windows servers – IIS is not vulnerable, as it does not use the OpenSSL library.
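An added example for this page (not from the original post), and one that goes slightly beyond the steps above: a process that started before the OpenSSL package was upgraded keeps the old library mapped until it is restarted, which is why a reboot (or a restart of every TLS-using service) is needed after the update. Linux marks a mapping whose file has since been replaced on disk with a “(deleted)” suffix in /proc/PID/maps, and the functions below use that to list the processes still in need of a restart. The function names are this example's own; the /proc/PID/maps lines used to check it are constructed.

```shell
#!/bin/sh
# Added example for this page (not from the original post). A process that
# started before the OpenSSL package was upgraded keeps the old library
# mapped until it is restarted; that is why a reboot (or a restart of every
# TLS-using service) is needed after "yum update" / "apt-get upgrade". Linux
# marks a mapping whose file has since been replaced on disk with a
# "(deleted)" suffix in /proc/PID/maps, which is what these functions look for.
# Assumption: the library file names contain libssl or libcrypto.

# Read /proc/PID/maps-format lines on stdin; print each distinct OpenSSL
# object that is mapped but has been deleted or replaced on disk.
stale_openssl_maps() {
  awk '
    # Fields: address perms offset dev inode path [(deleted)]
    $NF == "(deleted)" && $6 ~ "/lib(ssl|crypto)[^/]*[.]so" { print $6 }
  ' | sort -u
}

# Walk all processes; print "PID command library" for each one that still
# maps a stale OpenSSL library and therefore needs a restart. Processes whose
# maps cannot be read (other users' processes, without root) are skipped.
stale_openssl_processes() {
  for maps in /proc/[0-9]*/maps; do
    pid=${maps#/proc/}; pid=${pid%/maps}
    libs=$(stale_openssl_maps 2>/dev/null < "$maps") || continue
    [ -n "$libs" ] || continue
    comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
    for lib in $libs; do
      printf '%s %s %s\n' "$pid" "$comm" "$lib"
    done
  done
}

stale_openssl_processes
```

Run it as root after the package update: an empty result means every process is already on the new library; anything listed (typically web, mail and database daemons) must be restarted, or the whole machine rebooted as the post recommends.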

Security update For Linux Based Servers

We would strongly recommend you follow the steps described below to ensure your Cloud Server remains secure.

A high-severity vulnerability has recently been discovered in the Linux kernel which potentially allows a local user on the system to gain root access (find out more here: CVE-2013-2094). Any Linux server, regardless of web host, will be affected by this issue. Please remember to back up your server before making any changes to avoid any data loss.

Kernels 2.6.37 to 3.8.10 are vulnerable; however, the change that introduced this flaw into the kernel was backported by Red Hat into the 2.6.32 kernel supplied with RHEL packages. Servers running CentOS 6, Fedora 18, Ubuntu LTS 12.04 and Debian 6 are all vulnerable, and we would strongly recommend you update your VPS, Hybrid Server or dedicated server if you run these operating systems.

  • To update CentOS and Fedora, run “yum update” and type “y” when prompted.
  • To update Ubuntu/Debian, run “apt-get update && apt-get upgrade” and type “y” when prompted.

Once the new kernel is installed, you will need to reboot your server to apply the fix. Please note that running these commands will update all software on your server (not just the affected kernel); make sure that, following the reboot, you check that all services (websites, mail, FTP, etc.) are running correctly.
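An added example for this page (not from the original post): a first-pass check that compares a kernel version string against the 2.6.37 to 3.8.10 range given above. As the post itself notes, the version number alone cannot clear a Red Hat 2.6.32 kernel, because the flaw was backported into it, so the function reports those separately for a vendor-advisory lookup. The function names and status words are this example's own.

```shell
#!/bin/sh
# Added example for this page (not from the original post): a first-pass
# check of a kernel version string against the 2.6.37 - 3.8.10 range named
# above. Distributions backport fixes, and here the bug itself, into older
# version numbers, so a version string alone cannot clear a Red Hat 2.6.32
# kernel; the function reports those for a vendor-advisory lookup instead.
# The function names and status words are choices of this example.

# Compare the numeric X.Y.Z parts of two kernel versions; print -1, 0 or 1.
vercmp() {
  a="${1%%-*}.0.0"; b="${2%%-*}.0.0"   # drop the release suffix, pad to 3 parts
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i" | tr -cd 0-9)
    y=$(printf '%s\n' "$b" | cut -d. -f"$i" | tr -cd 0-9)
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# Classify a "uname -r" string:
#   in-range        version number is within 2.6.37 .. 3.8.10
#   vendor-backport RHEL/CentOS 2.6.32 kernel; check the vendor advisory
#   outside-range   version number is outside the range
kernel_status() {
  v="$1"
  if [ "$(vercmp "$v" 2.6.37)" -ge 0 ] && [ "$(vercmp "$v" 3.8.10)" -le 0 ]; then
    echo in-range
  else
    case "$v" in
      2.6.32-*el*) echo vendor-backport ;;
      *)           echo outside-range ;;
    esac
  fi
}

# Default to the running kernel; any versions given as arguments are
# classified instead.
[ $# -gt 0 ] || set -- "$(uname -r)"
for v in "$@"; do
  printf '%s: %s\n' "$v" "$(kernel_status "$v")"
done
```

Note that “outside-range” is not proof of safety on any distribution that ships patched or unpatched backports under an old version number; it only tells you where to look next, which for this flaw is the package changelog or the vendor advisory.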

W3TC and WP Super Cache Vulnerability Discovered in WordPress

The team at the research firm Sucuri announced a serious vulnerability in W3TC and WP Super Cache yesterday afternoon. (Update: it appears the vulnerability was first reported on WordPress.org about a month ago.) The vulnerability allows remote PHP code to be executed locally on the server of anyone running either of the two most popular WordPress caching plugins. This is a serious vulnerability, as it could allow an attacker to execute code on your server.

Here are the versions of each plugin that are vulnerable:

  • W3 Total Cache (version 0.9.2.8 and below are vulnerable, version 0.9.2.9 and up are not vulnerable) / upgrade here
  • WP Super Cache (version 1.2 and below are vulnerable, version 1.3.x and up are not vulnerable) / upgrade here

If you are running either of these plugins you should upgrade immediately (W3TC Upgrade / WP Super Cache Upgrade). The vulnerability is serious enough that we recommend you disable the plugins until you have completed an upgrade.

Technical Details

The attack takes advantage of several functions in these plugins, including mfunc, mclude and dynamic-cached-content. An attacker can execute a PHP command on the server by posting a comment to a WordPress blog running a vulnerable version of W3 Total Cache or WP Super Cache. For example, if you are running a vulnerable version of the plugins, the following will result in your current PHP version being printed in the comment:

<!--mfunc echo PHP_VERSION; --><!--/mfunc-->

While this is harmless, the same mfunc call in either plugin can run other arbitrary commands on your server. This could be used to gain access to the server, execute arbitrary database commands, or remotely install malware. Again, this is a very severe vulnerability and all W3TC and WP Super Cache users should upgrade immediately (W3TC Upgrade / WP Super Cache Upgrade).
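An added example for this page, not from the original post or the Sucuri write-up: detection logic for the three markers named above. It reads text on standard input (a comment export, a database dump or a cached page) and reports the lines that contain an mfunc, mclude or dynamic-cached-content comment tag, which has no legitimate place in a visitor-submitted comment. The function name is this example's own and the sample comments used to check it are constructed.

```shell
#!/bin/sh
# Added example for this page (not from the original post or the Sucuri
# write-up): detection logic for the markers named above. It reads text on
# stdin (a comment export, a database dump, a cached page) and prints
# "LINE:TAG" for every line carrying an mfunc, mclude or
# dynamic-cached-content comment tag, which has no legitimate place in a
# visitor-submitted comment. The function name is a choice of this example.
find_cache_markers() {
  awk '
    {
      line = tolower($0)          # the tags are matched case-insensitively
      # "<!--", optional spaces, optional "/" (closing form), then a tag name
      if (match(line, "<!-- */?(mfunc|mclude|dynamic-cached-content)")) {
        tag = substr(line, RSTART, RLENGTH)
        sub("<!-- */?", "", tag)  # keep just the tag name
        print NR ":" tag
      }
    }
  '
}

# Scan any files given as arguments, e.g. a wp_comments export.
if [ $# -gt 0 ]; then
  cat "$@" | find_cache_markers
fi
```

A hit does not by itself prove the server was compromised (the plugin may already have been upgraded when the comment arrived), but every hit is a comment that should be deleted and a sign that the rest of the site deserves a closer look.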

Should you have any additional queries, please open a support ticket through your account and speak to us on how best to proceed.

Improving FTP Protection With Clam AV

Over the last couple of months we have covered a lot of security issues regarding how best to secure and manage your cloud server.

We have covered such topics as:

This blog post is going to offer an additional layer of security for customers using the Fedora 12 operating system on their cloud server. By using the popular open source Clam AV software with some modifications, we are going to have it scan all files FTP’d to our Fedora 12 server and delete any files that look like malware.

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It comes pre-installed in Virtualmin with that template and can be activated within your Virtualmin control panel.

For the sake of this tutorial I’m assuming ProFTP has been set up on the server.

Installing Clam AV

Log in to your server via SSH and run the following commands from the server command line.

yum install amavisd-new clamav clamav-data clamav-server clamav-update clamav-scanner

Clamdscan expects the configuration file /etc/clamd.conf, which doesn’t exist; therefore we create a symlink from /etc/clamd.conf to /etc/clamd.d/amavisd.conf:

ln -s /etc/clamd.d/amavisd.conf /etc/clamd.conf

Next we need to create the system startup links for clamd and start it up:

chkconfig --levels 235 clamd.amavisd on
/etc/init.d/clamd.amavisd start

Configuring PureFTPd

We first need to open /etc/pure-ftpd/pure-ftpd.conf and set CallUploadScript to yes; this can be done with the vi editor.

vi /etc/pure-ftpd/pure-ftpd.conf

Next we create the file /etc/pure-ftpd/clamav_check.sh (which will call /usr/bin/clamdscan whenever a file is uploaded through PureFTPd)…

vi /etc/pure-ftpd/clamav_check.sh

chmod 755 /etc/pure-ftpd/clamav_check.sh

Now we start the pure-uploadscript program as a daemon – it will call our /etc/pure-ftpd/clamav_check.sh script whenever a file is uploaded through PureFTPd:

pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh

To ensure it starts every time you boot your server, you need to slightly modify your rc.local file.

vi /etc/rc.local

Simply copy and paste the following line into that file at the bottom.

/usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd/clamav_check.sh

For it to kick in, simply restart the FTP server (PureFTPd).

/etc/init.d/pure-ftpd restart

You have now added an additional layer of security to your Fedora 12 server.
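The post does not reproduce the contents of /etc/pure-ftpd/clamav_check.sh. The script below is an added example written for this page, not the post's own: a hook in that role, which pure-uploadscript runs with the uploaded file's path as its first argument. It assumes clamdscan at /usr/bin/clamdscan with its documented exit codes (0 clean, 1 infected, 2 error); the SCANNER override, the log tag and the fail-closed choice of deleting a file that could not be scanned are this example's own.

```shell
#!/bin/sh
# Added example (not the post's script, which is not reproduced on the page):
# an upload hook for pure-uploadscript in the role the post gives
# /etc/pure-ftpd/clamav_check.sh. pure-uploadscript runs the hook with the
# uploaded file's path as the first argument. Assumptions: clamdscan is at
# /usr/bin/clamdscan and exits 0 for clean, 1 for infected, 2 on error; the
# SCANNER override, the log tag and the fail-closed policy are this example's.

SCANNER="${SCANNER:-/usr/bin/clamdscan}"
LOGTAG="clamav_check"

# Log to syslog when logger is available, otherwise to stderr.
log() {
  logger -t "$LOGTAG" "$*" 2>/dev/null || printf '%s: %s\n' "$LOGTAG" "$*" >&2
}

# Scan one uploaded file. Returns 0 if clean, 1 if it was infected and has
# been removed, 2 if the scan could not be performed. Because the upload is
# already on disk when the hook runs, deleting the file is the only way to
# keep it off the server, so a failed scan removes it too (fail closed) rather
# than letting an outage of clamd wave files through unscanned.
scan_upload() {
  file="$1"
  if [ ! -f "$file" ]; then
    log "upload hook called with missing file: $file"
    return 2
  fi
  # --fdpass hands clamd an open descriptor so it can read files that the
  # clamd user itself has no permission to open.
  if "$SCANNER" --quiet --no-summary --fdpass "$file"; then
    rc=0
  else
    rc=$?
  fi
  case "$rc" in
    0) return 0 ;;
    1) rm -f "$file"
       # pure-uploadscript exports the uploader's uid as UPLOAD_UID
       log "removed infected upload: $file (uid=${UPLOAD_UID:-?})"
       return 1 ;;
    *) rm -f "$file"
       log "scan failed (exit $rc), removed unscanned upload: $file"
       return 2 ;;
  esac
}

# When invoked by pure-uploadscript the uploaded path is $1.
if [ $# -gt 0 ]; then
  scan_upload "$1"
  exit $?
fi
```

The exit status of the hook is not used by pure-uploadscript to reject anything, which is why the script acts (deletes and logs) instead of merely reporting; tail the log tag in syslog to see what it has removed.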

What other tutorials would you like to see? Let us know in the comments section below.

How to create your own VPN Server in the cloud…

Want to connect to your cloud servers over a secure, encrypted tunnel, or perhaps you’d like to push all your traffic through such a tunnel, ensuring the total privacy of your online activities?

With the Dediserve cloud – it could not be simpler! Follow these 5 simple steps and you will be running your own cloud VPN solution or service in just a few minutes!

1. From your cloud virtual datacentre GUI, or our order form, order a machine with at least 512MB of ram and choose the template for ClearOS 5.1 OpenVPN

2. Once the server builds, open your web-browser to https://your.server.ip.xx:81/admin

3. Run through the easy 5-step install wizard; simply accept the defaults at every step.

4. Create a User under the Directory Menu

5. Connect using your new VPN service!

ClearOS Template for OpenVPN in the cloud

You’ll find full documentation on OpenVPN here, as well as links to clients, config options and more!

http://www.openvpn.net/index.php/access-server/docs/admin-guides.html

Configuring Your SSL Cert With Cpanel

The theme for this week’s blog posts is security; over the coming weeks we hope to build up a useful portfolio of tutorials and helpful guides you can use as a reference for your server with us. Today I will be covering installing SSL certs on your cPanel server. cPanel is the most common control panel running on our customers’ servers, and we offer a pre-built cPanel template that lets you deploy your cPanel server on our cloud in minutes.

How to generate a CSR in cPanel

1. Login to your cPanel control panel.

2. Find and click on SSL/TLS Manager.

3. Click on Generate, view, upload, or delete your private keys.

4. Scroll to the bottom of the page to the Generate a New Key section. Enter the domain you want to create an SSL certificate for in the Host text box, or select the domain from the drop-down menu. This should be the name through which the certificate will be accessed (usually the fully-qualified domain name, e.g., www.domain.com or mail.domain.com).

5. Click the Generate button.

6. The private key will be saved in cPanel, so there is no need to copy it. Click Return to SSL Manager.

7. Click on Generate, view, or delete SSL certificate signing requests.

8. In the Generate a New Certificate Signing Request section, enter the following information:

  • Host – The domain that you entered or selected when generating the private key.
  • Country
  • State – The state in which your organization is located. Do not use an abbreviation.
  • City – The city in which your organization is located.
  • Company – The legally registered name of your organization/company.
  • Company Division – The name of your department within the organization (frequently this entry will be listed as “IT” or “Web Security”, or is simply left blank).
  • Email – Your email address, where the CSR will be sent.
  • Pass Phrase – Make up a password to be associated with the certificate. You will need to remember this password later.

9. Click the Generate button. The CSR will display in the window.

10. Copy and paste the entire CSR (including the BEGIN and END lines) into the Dediserve order form.

We are currently running a special promotion of a FREE SSL cert with all new machines; existing customers can also avail of a one-time special offer of just €6.95 ex VAT per annum for the RapidSSL certificate.

Simply open a support ticket once you have signed up for the server, with your SSL details, and we will generate the cert for you.

Firewalls Now Live

The dediserve cloud platform now includes the ability to firewall your cloud machine. Included completely free of charge with every account, you can now easily and quickly configure your firewall rules from your dediserve control panel or API.

Simply click on the “firewall” icon in your control panel under the “billing info” tab on the right-hand side.

You will then be presented with the firewall configuration page.

Set the default firewall rule to “drop”; this will close all the ports on your machine. You can then open just the ports you need, including the standard 80 (HTTP), 21 (FTP), etc.