
Archive for the ‘cloud security’ Category

It’s 2016 – Is Your Office Server or Web Site Being Held Hostage?   no comments

Posted at May 5, 2016 @ 6:07am cloud security

The latest wave of computer security news may sound like the headline of a new Bruce Willis movie – but ransomware is now part of the daily conversation not only among security experts, but unfortunately also among office managers and PC users across the globe who have to deal with the consequences.

This year malware infections, and ransomware in particular, have grown exponentially. They are also becoming more sophisticated, using newer methods that are not only harder to detect but also require less user interaction.

Security researchers report that attackers are not only upgrading their malware to make it harder to break, they are also using novel methods of distribution. In some cases, these methods require no user interaction at all.

In the past, most ransomware infections occurred via phishing attacks, which required a user to click on a malicious website or email link. But these newer attacks are less dependent on user interaction and more dependent on unpatched vulnerabilities or poor security practices.

These new breeds of ransomware are utilizing more advanced methods to attack computers and encrypt their files, before you even realize what’s happened. You are then forced to either pay the ransom or hope you have a backup recent enough to prevent any lost data.

To protect yourself you need to follow best practices, such as

  1. backup your servers and PC’s
  2. backup your servers and PC’s
  3. see item (1) and (2) above (seriously!)
  4. keep your software and systems patched and up-to-date
  5. Have a corporate gateway firewall with advanced threat protection
  6. Have / Install / Update local AntiVirus and Malware Software protection
  7. Always avoid opening un-expected emails or attachments
  8. Avoid clicking to web sites you don’t recognize (especially if sent in email)
  9. if you aren’t backing up your servers and PC’s already – stop reading and visit https://turnkeyvault.com/

It’s pretty simple – the same things that protect your office data and servers from most threats apply here, but the damage of ransomware encrypting and disabling all your corporate data within seconds or minutes is real and has led to some high-profile cases, including hospitals being locked out of all their data by ransomware! Don’t let your business fall victim to the badly named villain of a Bruce Willis movie – ransomware is among the most costly cyber threats actively attacking businesses right this very second.

Make no mistake – backing up your data is a must-have in any security policy, and using a secure remote cloud-based backup solution such as TurnKey Vault is ideal. Make sure whatever backup solution you deploy offers data encryption and supports desktop PCs and Macs as well as Linux and Windows based servers. A backup solution like TurnKey Vault offers live cloud replication, which will get you back on your feet in minutes in case of a true disaster by creating a live cloud-based copy of any PC workstation or server, accessible from anywhere over the Internet, so you regain access to your data and applications quickly. If ransomware takes over your office network you can spin up a live backup copy of your servers and PCs with TurnKey Vault from a time before the ransomware took over your office – and you will be saying “Yippee Ki-Yay” just like Bruce Willis, as the ransomware hostage takers won’t ever see a dime and you will have all your data safe and secure.

 


Drupal Web Site Security Alert : Forged Password Reset URLs   no comments

Posted at Mar 24, 2015 @ 8:57am cloud security,Web hosting

While Drupal urged you to update your software late in 2014 because of SQL injection attacks on compromised Drupal 7 sites, Drupal has now released versions 6.35 and 7.35 to address a few newly discovered vulnerabilities in its software.

In an advisory from Drupal’s security team, Drupal stated that one of the vulnerabilities being addressed has allowed password reset URLs to be forged. This lets malicious users gain access to an account without knowing its password.
In Drupal 7 this vulnerability is limited to sites where accounts have been imported or edited in ways that result in the password hash in the database being the same for multiple user accounts.

In Drupal 6 this vulnerability can be exploited on sites where administrators have created multiple user accounts with the same password, as well as where accounts have been imported or edited in ways that result in the password hash in the database being empty for at least one user account. Drupal 6 sites with an empty password hash, or with a password hash for an easily compromised string in the database, are extremely prone to this vulnerability.

The second vulnerability Drupal’s team has patched is the ability for malicious users to craft a URL that sends visitors to a third-party website.

Drupal modules use a destination query parameter to redirect users to a new destination after completing an action. Malicious users can use this destination parameter to construct a URL that fools users by redirecting them to a third-party website. Several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when that was not the intention, leading to open redirect vulnerabilities.

This vulnerability has been downplayed because most uses of the destination parameter are not vulnerable to the attack. However, all confirmation forms built using Drupal 7’s form API are vulnerable! Drupal has also stated that some Drupal 6 confirmation forms are vulnerable too.

Drupal versions affected:

Drupal core 6.x versions prior to 6.35

Drupal core 7.x versions prior to 7.35

How to rectify these vulnerabilities? Update to the latest versions.

If you use Drupal 6.x, upgrade to Drupal core 6.35

If you use Drupal 7.x, upgrade to Drupal core 7.35

Those using TurnKey Internet’s Web Hosting with Drupal can simply log in to your cPanel control panel, click on the Softaculous icon, and update your Drupal version from there, or from the Drupal control panel of the installed copy on your web site. If you have any questions, contact our customer service team, or keep posted on our help desk at http://helpdesk.turnkeyinternet.net/
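The open redirect described above comes from trusting a destination value that can name another host. The following is an added example, not Drupal’s code or the advisory’s, of the kind of check a module should apply before redirecting; the sample destination values are constructed and `evil.example` is a placeholder host.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample destination values, the kind a module might receive in a
# ?destination= query parameter. Not taken from Drupal or the post.
SAMPLE_DESTINATIONS = [
    "node/1",                       # plain internal path (Drupal style)
    "/user/1/edit?foo=bar",         # internal path with query string
    "http://evil.example/login",    # absolute external URL
    "//evil.example/login",         # protocol-relative, browser goes off-site
    "/\\evil.example",              # backslash variant some browsers normalise to //
    "javascript:alert(1)",          # non-http scheme
    "evil.example:80/x",            # looks like host:port, parses as a scheme
    "%2F%2Fevil.example",           # percent-encoded "//" that decodes off-site
    "",                             # empty value
]

def is_internal_destination(destination: str) -> bool:
    """Return True only when `destination` can resolve solely on this site.

    The value is checked after one round of percent-decoding, because web
    frameworks hand the decoded query value to application code.
    """
    if not destination:
        return False
    dest = unquote(destination)
    # Control characters and whitespace are never part of a legitimate path
    # and are a classic way to smuggle a scheme past naive prefix checks.
    if any(ord(ch) < 33 or ord(ch) == 127 for ch in dest):
        return False
    # Anything starting with two slashes (or a backslash variant) is treated
    # by browsers as "same scheme, different host".
    if dest.startswith(("//", "/\\", "\\")):
        return False
    parts = urlsplit(dest)
    # A scheme ("http:", "javascript:", "evil.example:") or an authority part
    # means the redirect would leave the site.
    if parts.scheme or parts.netloc:
        return False
    return True

def safe_redirect_target(destination: str, fallback: str = "/") -> str:
    """Return `destination` if it is internal, otherwise the site's `fallback`."""
    return destination if is_internal_destination(destination) else fallback

def classify(destinations=SAMPLE_DESTINATIONS) -> dict:
    """Map each sample value to the URL a confirmation form would redirect to."""
    return {d: safe_redirect_target(d) for d in destinations}

if __name__ == "__main__":
    for value, target in classify().items():
        print(f"{value!r:32} -> {target!r}")
```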


Written by admin on March 24th, 2015


How to Setup a Firewall on your Cloud Server – CSF / CPanel, and more!   no comments

Posted at Feb 21, 2015 @ 12:02pm cloud security

I have a question for you. Does your server have a firewall running on it? For those who don’t know what a firewall is, let’s go to our good friend Wikipedia:

‘In computing, a firewall is a network security system that controls the incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed not to be secure and trusted.’

As avid readers of the blog know, I like to ground these ideas with everyday analogies. You can think of a firewall like the door to your home. When the door is open, people can walk directly into your house. Should you want to keep people out, you close and lock the door. This is the way a firewall works on a server. You place the firewall on your server to keep intruders from the internet from accessing your data.

Firewalls can be either hardware or software based. If you go with a hardware based firewall, the firewall is connected to your switch that allows for traffic to be filtered upon a rule set you determine. You would use a hardware based firewall if you had a dedicated server. A software based firewall is installed within your server. It still blocks traffic based off rule sets you create, but it just does it from within the server and not out in front like a hardware based firewall.

For the rest of this article, I will walk you through the steps to install CSF, which is short for ConfigServer Security and Firewall. This firewall is supported across many different operating systems: RedHat Enterprise, CentOS, CloudLinux, Fedora, Virtuozzo and VMware, to name a few. You can read more about the supported systems here: http://configserver.com/cp/csf.html

This firewall can be installed with the following steps on your Linux based server:

mkdir /usr/local/src <– Creates the directory to install CSF from

cd /usr/local/src <– Changes your location on the server to the newly created directory

wget http://www.configserver.com/free/csf.tgz <– Downloads the CSF software to your server

tar xfz csf.tgz <– Extracts the software

cd csf <– Changes your location on the server to the extracted CSF directory

./install.sh <– Installs the CSF firewall

CSF, when installed and configured properly, places a preset list of rules on your server. These rules are configured in csf.conf, the CSF configuration file. If you have a cPanel based server, you want to ensure that you have the following ports opened for inbound and outbound:

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,143,443,465,587,993,995,2078,2082,2083,2086,2087,2095,2096"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,465,587,873,995,1167,2086,2087,2089"

Those ports cover most of the ports you will need for your cPanel or non-cPanel server to function. You can read more about ports and their functions here: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Once you do that, you may want to limit the number of connections each remote host can make to your server. This is set by changing CT_LIMIT (CSF’s connection tracking limit) in your csf.conf to the number of connections you want each IP address to be able to make. For example, CT_LIMIT = "150" will only allow each IP address to make 150 connections to your server.

You may also want to remove port 22 from TCP_IN, along with setting your sshd_config file to allow only public key authentication. Why would you do this? This locks down your server from the outside and only allows people who have SSH keys installed on your server to gain access using SSH.

CSF can be configured in a multitude of ways to add another layer of security to your server. I highly recommend going to http://configserver.com/cp/csf.html and using the forums to learn more about the many features of CSF and how tweaking the settings can help ensure you’re providing a stable, safe and secure server environment.
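To check a csf.conf against the points made above (cPanel ports present in TCP_IN, port 22 removed, CT_LIMIT set), here is an added example auditor that is not part of the post or of CSF itself. It parses the simple KEY = "value" format of csf.conf; the sample file is constructed from the port lists above, and the TESTING key is a real csf.conf setting the post does not mention (assumption: it ships as "1", which makes CSF flush its rules on a timer until it is set to "0").

```python
import re

# Constructed csf.conf excerpt using the port lists from the post.
# TESTING is a real csf.conf key not mentioned in the post (assumption).
SAMPLE_CSF_CONF = '''
###############################################################################
# SECTION:Initial Settings
TESTING = "1"

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,143,443,465,587,993,995,2078,2082,2083,2086,2087,2095,2096"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,465,587,873,995,1167,2086,2087,2089"

# Connection tracking: 0 disables the per-IP limit
CT_LIMIT = "0"
'''

_SETTING = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"\s*$')

def parse_csf_conf(text: str) -> dict:
    """Parse KEY = "value" lines; comment and blank lines are ignored."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def expand_ports(spec: str) -> set:
    """Turn "20,21,30:35" into {20, 21, 30, ..., 35}; CSF writes ranges as a:b."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports

# Inbound ports the post lists as needed for a cPanel server (web + cPanel/WHM/webmail).
CPANEL_REQUIRED_IN = {80, 443, 2082, 2083, 2086, 2087, 2095, 2096}

def audit(settings: dict) -> list:
    """Return human-readable findings for the hardening points in the post."""
    findings = []
    if settings.get("TESTING", "1") != "0":
        findings.append('TESTING is not "0": CSF flushes its rules on a timer until this is set')
    tcp_in = expand_ports(settings.get("TCP_IN", ""))
    missing = sorted(CPANEL_REQUIRED_IN - tcp_in)
    if missing:
        findings.append(f"TCP_IN is missing cPanel ports: {missing}")
    if 22 in tcp_in:
        findings.append("port 22 is open in TCP_IN: the post suggests removing it and using key-only SSH")
    try:
        ct_limit = int(settings.get("CT_LIMIT", "0"))
    except ValueError:
        ct_limit = 0
    if ct_limit <= 0:
        findings.append('CT_LIMIT is 0 (disabled): set a per-IP connection cap such as "150"')
    return findings

if __name__ == "__main__":
    for finding in audit(parse_csf_conf(SAMPLE_CSF_CONF)):
        print("-", finding)
```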


Written by Jeremy on February 21st, 2015


Monitoring Your Dedicated Hosted or Cloud Hosted Servers   1 comment

Posted at Dec 19, 2014 @ 9:01am Ask the Expert,cloud security,colocation

Earlier on the blog, I wrote to you about having backup software. I compared having backup software to having car insurance. You never know you need it until you actually need it. Does that make sense? I hope that last line wasn’t too confusing. Well, I have another question for you to start this article.

Do you currently have any monitoring software for your server?

Now, depending on where you host your website or rent your server from, the host may provide a basic type of monitoring. For example, if you purchased a dedicated server, Virtual Private Server (VPS), Cloud Server etc. from us, Turnkey Internet, your server will automatically be set up with basic ping monitoring. This works using ICMP, a basic protocol used across the industry to monitor servers. I won’t get too off-base with this post, so you can read more about ICMP at the link below:

http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

Now, you may be asking, “what if I bought a reseller or basic hosting account? Is that only ping monitored?” In our system, all our reseller and hosting servers have another level of monitoring attached to them. This includes ping monitoring, memory monitoring, drive space monitoring, SNMP monitoring, and bandwidth monitoring, to name just a few. We can also set up content checks. That means we can set up a monitor that looks for a word or piece of text on a site. If it doesn’t find the text, the server alarms for us.

 

You may be asking why? Why write an article on monitoring software? Well my friends, in slaying tickets each week, I come across many different issues across different clients. Some of these issues could have been prevented and others would have had a smaller impact if preventative measures had been taken. Let me give you an example to really drive this one home.

Let’s say you have a website named jeremysdomain.com and purchased it directly from Turnkey Internet with a dedicated server. Your site is the life force of your business. You take orders online. You place promotions online, among other things. Next thing you know, you go to your site and it doesn’t load. In fact, it just times out completely.

You can still ping your server, but your site is fully offline. You open a ticket with the helpdesk and they inform you that your server is overloaded due to a large spike in bandwidth. This resulted in your server running low on memory and crashing. The engineers fix the issue and inform you that you may want to consider some monitoring software that will constantly check whether your server is having issues other than a failed ping. The entire process takes about an hour to get the server back online.

 

Let’s look at the same situation with monitoring software. You start a promotion on your website. As your promotion gets into full swing, you receive an email notification stating that your server is alarming for multiple items. The engineers inform you that your bandwidth is beginning to max out on the server, which results in your server running low on memory. The engineers schedule a time with you to take the server offline and increase the memory in the server. Your site is down 15 minutes for the upgrade and back online within minutes. Your promotion never skips a beat and your customers never even notice the issue.

If having backup software for your server is like having insurance on your car, then monitoring software is like having a super, upgraded alarm system in your car that checks your oil level, your tire pressure, and your electrical components, among many other items.

Do you have monitoring software? If not, go to http://turnkeymonitoring.com/ and you can see some of the options available to you.

Until next time Turnkey Lovers…


Written by Jeremy on December 19th, 2014


Web Hosting Backup – Do You or Don’t You?   no comments

Posted at Nov 12, 2014 @ 9:18am backup,cloud security,Web hosting

Jeremy here again and I just have one quick question for you: Do you have insurance on your data? You may be wondering what exactly I mean by insurance for your data. It’s not like you’ve bought a car and have to pay car insurance every month. No, what I’m referring to is assurance that your data is 100% safe and secure should any issue arise and the need arise to restore your data.

What do I mean by any issue? A few examples are listed below:

  1. Your site gets exploited and all files are removed
  2. The server your site is located on crashes
  3. Someone terminates your account by mistake
  4. Your main hard drive becomes corrupted and all data is lost

 

Those examples are just a few of the many things that could happen to your server. These issues don’t occur only on a dedicated server; they can also occur on a Virtual Private Server (VPS) or on a shared server such as a reseller server or SEO server. For shared servers, we will assume for this article that you host your reseller/basic hosting/SEO account with Turnkey Internet, where all our shared servers are backed up on a weekly and monthly basis. Those backups are pushed to a different server and stored in a safe location away from the server containing your data. But what about customers with dedicated servers or a VPS? What do those clients do if they haven’t purchased any backup software (insurance) for their server? What happens if they crash?

 

You see, most clients who come to us stating they need a backup of their server because they’ve made some change and corrupted their system are a step behind the ball. Do you really want to have to tell your clients/customers that their data is lost because no backup was made? You basically have egg on your face at that point. So what do you do? At this point, your options are pretty limited. You would have to have some local backups stored on your local PC or Mac that you can upload back to the server and restore. Instead of focusing on what to do after, we will focus on what to do to prevent this from ever occurring.

Some clients that I’ve worked with assume that we keep a backup of all of their data from day 0, and that’s just not the case, because data can only be stored for so long – generally a month to three months, or more, is common. Let’s keep the focus on a VPS or dedicated server. When checking out on our site, Turnkey Internet, for a VPS or dedicated server, backup software options are always presented. Some clients take advantage of this and purchase backup software, or insurance, for their data, but on a few occasions you will find a user who doesn’t. Maybe they think that they won’t put a lot of data on the server and won’t need backups, or maybe they just feel that they will never have a need for backups. That, my friend, is a very foolish way to view the matter.

 

Let me frame it in another way that can really ground this for you. Let’s say you purchase a new car and do not purchase insurance. You drive off the lot and, right as you’re making a right turn to take your new car back home, BAM, an accident occurs. Now, if you have full insurance on the car, it’s no big deal and your insurance covers the entire matter for you minus the deductible. But what if you don’t have insurance on the car? You have to pay for the damage to your own car and possibly the other person’s damage to their vehicle. You could be out thousands of dollars, all of which could have been avoided by having insurance on your vehicle.

This is the same for your data. Having backup software is like having insurance for your data. Should an issue arise that requires you to restore data, your data is safe and secure on an entirely different server. You won’t have to worry about egg being on your face, as your data will be 100% secure.

 

Do you currently have insurance for your data?  If not, you may want to consider viewing some of our backup options at: http://turnkeyvault.com/server_backups.php

 

Until next time


Written by Jeremy on November 12th, 2014


PCI DSS Compliance in the Cloud for Web Sites, Servers, And Colocation   no comments


Active readers of the blog will know that I tend to write articles that you can apply to your everyday hosting. In the past, I’ve written articles on backing up your software, determining if you need a dedicated server, what exactly DNS is, and the list goes on. The one common thread these articles have is that each assumes you have some type of hosting or possibly a server. In fact, these articles assume that you’re selling, or possibly interested in selling, products online. When you branch out to selling your products online, you need to be aware of a somewhat mysterious item called the Payment Card Industry Data Security Standard, or PCI DSS. This will be the focus of our post today, so let’s jump right into it.

What is the Payment Card Industry Data Security Standard (PCI DSS)?

The Payment Card Industry Data Security Standard is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment for their customers. PCI DSS compliance is there to ensure that cardholder data is not stolen and shared around the globe. As a store owner, whether this is a website or a physical store, it’s your responsibility to ensure your customers’ data is protected and secure. PCI DSS is a standard set by the PCI Security Standards Council (PCI SSC). You can read about the standards here:

 

https://www.pcisecuritystandards.org/

Contrary to common belief, PCI compliance isn’t actually a federal law in the United States; however, some U.S. states refer directly to the PCI DSS. For example, in 2007, Minnesota enacted a law that prohibits the retention of payment card data. In 2009, Nevada followed suit: in the state of Nevada, merchants are now required to comply with the PCI DSS standard, which shields those merchants from liability should a breach in security occur. The following year, in 2010, Washington state incorporated the standard into law. There, merchants are not required to abide by PCI compliance, but those who do are shielded from liability. You can read more about this here:

 

http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard#Mandated_compliance

Now that we’ve covered what exactly PCI DSS compliance is, let’s see if it currently applies to your situation.

 

Do I need to be PCI DSS compliant?

To answer this question, I must first ask you one back. Are you currently taking online payments from your customers? If so, yes, I would HIGHLY recommend becoming PCI DSS compliant, especially if you’re based in the United States or the UK. To take this a step further: say you’ve set up your ecommerce site and you’ve begun taking payments. At this point, you need to decide between two options:

  1. Allowing a 3rd party website, known as a hosted payment gateway, to process payments
  2. Taking payments directly from your website

 

Each method has its pros and cons. Using a 3rd party or hosted payment gateway is the safer route. The hosted payment gateway will store, process and transmit the account data. You will then use the 3rd party’s Merchant ID to collect the money, which greatly simplifies your PCI DSS compliance. Of course, there are different types of hosted payment gateways, which we won’t get into in this article, but they are listed below:

  1. Redirect method: sends your customer to a different site to process payment and then returns them to your site once payment is completed
  2. Iframe method: places a payment form that’s fully hosted by your payment provider into your website. The customer stays on your site and is never redirected
  3. Direct post method: sends the data directly to the payment service provider

 

If you decide to take payments directly on your website, you will be storing, processing and transmitting account data on your server. You will have to sign up for your own merchant account and comply with the highest level of the PCI DSS standards. As you can see from the above, if you’re taking online payments you will need some level of PCI compliance to give your customers peace of mind when paying for services through your website.

Now that you know what PCI DSS compliance is, and that it applies if you’re running an ecommerce site, what are the steps you need to take to achieve PCI DSS compliance?

 

Steps to PCI DSS compliance

 

Listed below are the steps to PCI DSS compliance. You can go to https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs for a more in-depth guide to the steps you would need. The steps below should be taken as a general guide.

  1. Build and maintain a secure network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
  2. Protect cardholder data
    1. Protect stored cardholder data
    2. Encrypt transmission of cardholder data across open, public networks
  3. Maintain a vulnerability management program
    1. Use and regularly update anti-virus software or programs
    2. Develop and maintain secure systems and applications
  4. Implement strong access control measures
    1. Restrict access to cardholder data by business need to know
    2. Assign a unique ID to each person with computer access
    3. Restrict physical access to cardholder data
  5. Regularly monitor and test networks
    1. Track and monitor all access to network resources and cardholder data
    2. Regularly test security systems and processes
  6. Maintain an information security policy
    1. Maintain a policy that addresses information security for all personnel
 

Following those general steps, whether you’re processing payments directly on your website or using a 3rd party payment gateway, will help to ensure that your customers’ account data is protected and secure. It will also help to ensure you’re complying with PCI DSS standards, and while PCI DSS standards aren’t federal law in the United States, complying merchants greatly reduce the liability risk they could suffer from a data breach.

Currently, here at Turnkey Internet, we’re 100% PCI DSS compliant. All of our payments are secure and consistently monitored and updated to ensure that all customer data is secure. Being PCI DSS compliant at Turnkey Internet allows us to offer our customers a peace of mind that non-PCI DSS compliant merchants can’t offer. Personally, if a company isn’t compliant it makes me wonder if I can truly trust the merchant with my account data.

Hopefully this article will help guide you to a PCI DSS compliant ecommerce website that will offer the same peace of mind that Turnkey Internet offers all of our customers.

 

Listed below are some references that will provide you greater details on the process of becoming PCI DSS compliant.

https://www.pcisecuritystandards.org/index.php

https://www.pcisecuritystandards.org/smb/

https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

Until next time

 


Written by Jeremy on October 28th, 2014
