
Archive for February, 2015

The SSL POODLE that Bites – SSL 3.0 Issues for web sites

Posted at Feb 22, 2015 @ 11:20am internet security,Web hosting

When I say POODLE, what do you think of? Is it a fluffy dog? In most cases I would be referring to the fluffy dog, but in this article we will be focusing on a security vulnerability. You may not be aware of it, but if you're currently using SSL version 3.0, you will need to update the SSL configuration of the services on your server. SSL stands for Secure Sockets Layer. An SSL certificate is something every ecommerce site should have: it allows you to process payments through your website securely. In fact, if you're taking orders from your clients, you should be using SSL. SSL adds another layer of security and trust for your clients. If you're running an ecommerce site and have not read my post on PCI compliance, you should read it here: (Insert link to PCI compliance post)

As with any piece of software on the internet, SSL comes in different versions. SSL version 3.0 is nearly 18 years old; it is no longer secure, yet it remains in widespread use across the internet. Nearly all browsers still support SSL 3.0, and in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. This retrying of failed connections is what lets the POODLE attack be initiated: by forcing those failures, an attacker can push a connection down to SSL 3.0, and the weaknesses of that version can then leak your customers' data while they are placing orders. You can read more about the specifics of the attack here:

http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

Browsers and websites should turn off SSLv3 in order to avoid compromising users' private data. The most straightforward method is to disable SSL 3.0 entirely, which the links below show you how to do; however, this can cause a myriad of compatibility issues. Therefore the recommended option is to enable TLS_FALLBACK_SCSV. The links below will show you how to properly secure your server's SSL services. These options resolve the issue of retrying failed SSL connections, and they also prevent attackers with the right know-how from downgrading a connection from TLS 1.2 to 1.1 or 1.0.

For WHM/cPanel servers – https://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

For DirectAdmin servers – http://forum.directadmin.com/showthread.php?t=50105

For Plesk servers – http://kb.sp.parallels.com/en/123160
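
Once you have applied one of the vendor procedures above, it is worth confirming that the server actually behaves as intended. The script below is an added example, not code from this post or from the vendor documentation: it drives openssl s_client with its real -ssl3 and -fallback_scsv options against a server you operate and classifies the result; the host name and the sample transcripts used for the self-checks are constructed.

```shell
#!/bin/sh
# Added example, not code from the post or from the linked vendor docs: check whether a
# server you run still accepts SSL 3.0 and whether it honours TLS_FALLBACK_SCSV, using
# the openssl s_client options -ssl3 and -fallback_scsv. The fix itself lives in the web
# server config, e.g. Apache "SSLProtocol all -SSLv2 -SSLv3" or nginx
# "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;". The host argument and sample transcripts are constructed.

# Classify the transcript of "openssl s_client -ssl3" read from stdin.
classify_sslv3() {
    out=$(cat)
    case $out in
        *"unknown option"*|*"Unknown option"*)
            echo "untestable: this openssl build has no SSLv3 client" ;;
        *"Cipher is (NONE)"*|*"handshake failure"*)
            echo "ok: server refused SSLv3" ;;
        *"Protocol  : SSLv3"*)
            echo "VULNERABLE: server still negotiates SSLv3 (POODLE)" ;;
        *)  echo "ok: no SSLv3 session established" ;;
    esac
}

# Classify the transcript of "openssl s_client -tls1 -fallback_scsv" read from stdin.
# A server that understands TLS_FALLBACK_SCSV answers this flagged TLS 1.0 attempt with
# an "inappropriate fallback" alert instead of completing the downgraded handshake.
classify_fallback() {
    out=$(cat)
    case $out in
        *"inappropriate fallback"*) echo "ok: server honours TLS_FALLBACK_SCSV" ;;
        *"Cipher is (NONE)"*|*"handshake failure"*) echo "ok: TLS 1.0 not offered at all" ;;
        *)  echo "CHECK: downgraded handshake completed (no SCSV, unless TLS 1.0 is the server's best)" ;;
    esac
}

# Probe a live host on port 443 (needs network access; not used by the self-checks).
probe_host() {
    openssl s_client -connect "$1:443" -ssl3 </dev/null 2>&1 | classify_sslv3
    openssl s_client -connect "$1:443" -tls1 -fallback_scsv </dev/null 2>&1 | classify_fallback
}

# Constructed transcripts, abridged to the s_client lines that matter here.
SAMPLE_SSLV3_REFUSED="SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)"
SAMPLE_SSLV3_ACCEPTED="New, SSLv3, Cipher is DES-CBC3-SHA
SSL-Session:
    Protocol  : SSLv3"
SAMPLE_SCSV_HONOURED="SSL routines:ssl3_read_bytes:tlsv1 alert inappropriate fallback
New, (NONE), Cipher is (NONE)"

if [ "$#" -eq 1 ]; then probe_host "$1"; fi   # usage: sh check_poodle.sh your.host.example
```

A "CHECK" result from the fallback probe is only a real finding when the server also offers TLS 1.1 or 1.2; a server whose best protocol is TLS 1.0 will legitimately complete that handshake.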

Written by Jeremy on February 22nd, 2015

How to Setup a Firewall on your Cloud Server – CSF / CPanel, and more!

Posted at Feb 21, 2015 @ 12:02pm cloud security

I have a question for you. Does your server have a firewall running? For those who don't know what a firewall is, let's turn to our good friend Wikipedia:

'In computing, a firewall is a network security system that controls the incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed not to be secure and trusted.'

As avid readers of the blog know, I like to ground these ideas with everyday analogies. You can think of a firewall like the door to your home. When the door is open, people can walk directly into your house. Should you want to keep people out, you close and lock the door. This is the way a firewall works on a server: you place the firewall in front of your services to keep intruders from the internet from accessing your data.

Firewalls can be either hardware or software based. With a hardware based firewall, the firewall is connected to your switch and filters traffic according to a rule set you determine. You would typically use a hardware based firewall with a dedicated server. A software based firewall is installed within your server. It still blocks traffic based on the rule sets you create, but it does so from within the server rather than out in front of it like a hardware firewall.

For the rest of this article, I will give you the steps to install CSF, which is short for ConfigServer Security and Firewall. This firewall is supported on many different operating systems and platforms: RedHat Enterprise Linux, CentOS, CloudLinux, Fedora, Virtuozzo and VMware, to name a few. You can read more about the supported systems here: http://configserver.com/cp/csf.html

This firewall can be installed with the following steps on your Linux based server (the text after each # explains what the command does):

mkdir -p /usr/local/src    # creates the directory to hold the CSF download (-p: no error if it already exists)
cd /usr/local/src          # changes your location on the server to that directory
wget http://www.configserver.com/free/csf.tgz   # downloads the CSF software to your server
tar xfz csf.tgz            # extracts the software
cd csf                     # changes your location on the server to the CSF directory
./install.sh               # installs the CSF firewall

CSF, when installed and configured properly, places a preset list of rules onto your server. These rules are configured in csf.conf, the CSF configuration file. If you have a cPanel based server, you want to ensure that the following ports are opened for inbound and outbound traffic:

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,143,443,465,587,993,995,2078,2082,2083,2086,2087,2095,2096"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,465,587,873,995,1167,2086,2087,2089"

Those ports cover most of what your cPanel or non-cPanel server needs to function. You can read more about ports and their functions here: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Once you have done that, you may want to limit the number of connections each user can make to your server. This is set with CT_LIMIT in your csf.conf: set it to the number of connections you want each user to be able to make. For example, CT_LIMIT = "150" will only allow each user to make 150 connections to your server.

You may also want to remove port 22 from TCP_IN and set your sshd_config file to allow only public key authentication. Why would you do this? It locks down your server from the outside and only allows people who have SSH keys installed on your server to gain access using SSH.
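
As an added example (not part of CSF or of this post), the following script audits a csf.conf and an sshd_config for the settings just discussed: test mode left switched on, CT_LIMIT unset, and port 22 open to everyone while password logins are still allowed. The file names and contents are constructed samples, with abridged port lists.

```shell
#!/bin/sh
# Added example, not part of CSF or of this post: audit a csf.conf and an sshd_config
# for the settings discussed above. File names and contents below are constructed.

# Print the value of a csf.conf line of the form KEY = "value" ($1 = key, $2 = file).
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Succeed if port $1 appears in the comma-separated port list $2 (spaces ignored).
port_listed() {
    printf ',%s,' "$2" | tr -d ' ' | grep -q ",$1,"
}

# Print one finding per line and return the number of findings (0 means clean).
audit_csf() {
    conf=$1 sshd=$2 findings=0
    # CSF installs with TESTING = "1", which has cron flush the rules every few minutes.
    if [ "$(csf_get TESTING "$conf")" = "1" ]; then
        echo "TESTING=1: CSF is still in test mode, rules are not enforced"
        findings=$((findings + 1))
    fi
    # The post's CT_Limit is the CT_LIMIT key; CSF counts connections per client IP.
    ct=$(csf_get CT_LIMIT "$conf")
    if [ -z "$ct" ] || [ "$ct" = "0" ]; then
        echo "CT_LIMIT off: no per-IP connection limit"
        findings=$((findings + 1))
    fi
    # Port 22 open to the world is only acceptable with password logins disabled.
    if port_listed 22 "$(csf_get TCP_IN "$conf")" &&
       ! grep -qi '^PasswordAuthentication[[:space:]]*no' "$sshd"; then
        echo "port 22 open in TCP_IN while sshd still accepts passwords"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Write a weak and a hardened sample pair into directory $1 (constructed, abridged lists).
write_samples() {
    printf '%s\n' 'TESTING = "1"' 'TCP_IN = "20,21,22,25,53,80,443,2083,2087"' \
        'CT_LIMIT = "0"' > "$1/weak.conf"
    printf '%s\n' 'PasswordAuthentication yes' > "$1/weak.sshd"
    printf '%s\n' 'TESTING = "0"' 'TCP_IN = "20,21,25,53,80,443,2083,2087"' \
        'CT_LIMIT = "150"' > "$1/hard.conf"
    printf '%s\n' 'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$1/hard.sshd"
}
dir=$(mktemp -d)
write_samples "$dir"
audit_csf "$dir/weak.conf" "$dir/weak.sshd"; echo "weak.conf: $? finding(s)"
audit_csf "$dir/hard.conf" "$dir/hard.sshd"; echo "hard.conf: $? finding(s)"
```

Keep in mind that closing port 22 in TCP_IN also blocks your own key-based logins unless your source address is allowed separately, so check the audit from a session you can still reach.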

CSF can be configured in a multitude of ways to add another layer of security to your server. I highly recommend going to http://configserver.com/cp/csf.html and using the forums to learn more about the many features of CSF and how tweaking the settings can help ensure you're providing a stable, safe and secure server environment.

Written by Jeremy on February 21st, 2015

How Important is your Data? Server Backups in the Cloud Explained

Posted at Feb 20, 2015 @ 11:40am backup

If you've been a follower of the blog, you know that I've written a post on the importance of having backups of your data. I compared having a backup solution to having insurance on your automobile. That post was a generalized approach to backup solutions. For this week's post, I will delve deeper into the realm of backups. More specifically, we will discuss the different types of server backup options that currently exist. This post will be of a more technical nature than my previous posts, but I assure you, if you stay for the entire post, you will have a better idea of server backups and the myriad of options that are available to you.

For more info and to set up cloud backups for your server, visit http://www.turnkeyvault.com

Shall we begin? There are a few different methods that exist for creating server backups:

  1. Bare metal backup/restore
  2. Cloud backups
  3. Virtual server backups

I will go through each of these methods to give you an inside look at each option. Let's dive right in with bare metal backups and restores.

Bare metal backup/restore

In disaster recovery, a bare metal restore is the process of rebuilding a computer from scratch after a catastrophic failure. This process entails reinstalling the operating system and applications and, if possible, restoring the data and all settings. Bare metal restores allow you to restore to an unconfigured server, as the backup includes all of the information needed to set up the machine and move the data over. The result is a ready to go backup server.

At a deeper level, bare metal backup/restores work by taking a "snapshot" of the server. This snapshot includes every file and folder that exists on the server, including all hidden files and directories. The snapshot is then pushed to an offsite location from which the entire image can be deployed at a moment's notice. Whether you have a Windows server or a Linux server, a bare metal backup copies the entire operating system structure. These backup images are usually rather large, as they are an exact replica of your running server.

For example, let's say that you have a full power outage at your company. When the power returns, you realize that your main hosting server has lost all of its data: it can't find the boot record to load the operating system, and all files have been removed. Since you've purchased a bare metal backup solution (you can view our current offers here: http://turnkeyvault.com/server_backups.php), you simply log in to your bare metal software, select the server you want to restore, and voilà. The operating system is reinstalled with all applications. It's as if you never had the major system failure.

Cloud backups

When I say cloud backup, what immediately comes to mind? I personally imagine a white, puffy cloud in the sky that resembles a vault. Was that what came to mind for you? If not, that's quite all right. A cloud backup is a piece of software that takes a snapshot of your server and then stores the backup in the cloud. What exactly do I mean by the cloud? The cloud is storage hosted off-site that can be accessed from any location. Cloud backups allow for greater flexibility than a local disk or tape backup. A disk or tape backup has the limitation of only being accessible locally. This could mean the data is being stored on a different server that sits in your local office. In order to access the backup, you would have to drive into your office, connect the two servers and then migrate the data over.

Do you already see the disadvantage of this type of local system? What if you're traveling, have a disaster and need to restore your data? How will you do it if your business only keeps local backups? This is where a cloud backup comes into play. Since the backup is stored offsite and can be accessed via an internet connection, you can restore your data from anywhere in the world. This allows for greater flexibility in your backup solution. Another disadvantage of local backups is the size or space requirements for the backups. Say you have 1TB of data you need backed up, but you only have 500GB worth of space. What will you do? More than likely, you would just add a new device to your backup software. This may be an additional hard drive, a USB drive or maybe network attached storage.

With a cloud backup, depending on your vendor, you can usually just increase the resources of the cloud storage to accommodate your growing space needs. This allows you to rapidly add more space to your backup server as your data grows. In no way am I advocating that you should remove your local backup options; instead, add another layer of backups to your current system, such as a cloud backup. Having both local backups and cloud backups is a GREAT way to maintain business continuity.

Virtual server backups

Virtualization is one of the best things ever done for servers, as it allows one physical server to act as several servers. This dramatically reduces computing costs and boosts efficiency. One of the main challenges with backing up virtualized servers is backing up both the virtual servers' data and the host node's data. When I say host node, I'm referring to the original physical server that contains all of the virtualized servers. The reason you need to keep backups for both the host and the virtual servers can best be summed up with an example.

Your business has decided to virtualize all of the servers in your office. Your IT department recommends going with VMware. Fast forward a few months and you have a major system failure within the host node. Your main hard drive dies and you lose all of the virtual servers that were stored on it. Luckily, you have a backup of the host node, so you restore it; however, upon checking the server, you notice an error. Sure, your main host node system files were restored, but all of your virtual servers' data is missing.

This example illustrates the need to have backups of both the physical host node and the virtual servers. The physical host node contains the system files that VMware needs to run. The virtual servers also need a backup to restore the user data that has been created inside them. Usually the virtualized servers run a different type of operating system than a normal, non-virtualized server would. You would need virtualized server backup software that can handle creating backups of the virtualized servers as well as the main host node itself.

You could have local backups of both the host node and the virtualized servers that you can restore. You could go the bare metal route for the host node as well as the virtualized servers, or even the cloud backup method. It's just important that you have backups of both the node and the virtual servers.

Hopefully after reading this post, you feel a bit better about the different backup options that exist and can come up with a backup solution that fits your company needs.


Meet The TurnKey Team – Griffin

Posted at Feb 14, 2015 @ 11:36am Staff Interviews

Griffin is from Williamsport, Pennsylvania, where he joined the United States Army as a Signal Support Specialist. He learned many aspects of the technology field during his six years of service. Over two tours overseas, Griffin was able to perfect his craft in installations and in radio communications. Upon returning home, Griffin went to college to learn more about technology. He recently graduated with his first degree, in Mobile Applications Development, and did not stop there: he is currently finishing his second degree, in Networking.

I wanted to learn as much as I could possibly learn, but the only way to gain a craft such as this is hands on experience. I was given a flyer for a job at Turnkey Internet. I was very excited to get an opportunity to work for the company. There is so much knowledge within Turnkey Internet. I love the people that I work with. It is a very personal work experience, and I have been able to learn so much from the employees. I did not go out and find myself a job, but instead I found myself a home with Turnkey Internet.


Written by admin on February 14th, 2015
