Site Blog - Security
09
Jul
We all were witnesses of a great panic and a lot of accusations of how weak and non-safe is e107 recently. The reason was a massive attack against most of the e107 based (community and non-community) sites and e107.org itself.
Let's summarize the facts first. It's true that a number of security holes was recently reported, and some of them were bad - really bad. I'll write in a separate post the sad story behind some of the reports, which caused SO MUCH damage to a lot of e107 based sites and hosting companies (sad, because it was done by PHP security adviser owner of php-security.org - a popular person - who acted as a teenager - understand totally unprofessional). I'm pretty much sure this story triggered the start of the attack against e107 but this is not a subject of this article. The reaction of the core development team was fast enough - we did quick fixes, we released number of quick patches and security releases. We were already prepared with a notification system which delivered the information about the recent available security patches direct to site owners' administration area. We also published a lot of information (news on e107.org), all the information we got. I don't think the whole could have been done better. The panic came AFTER the last security patch. It was caused by a number of bot attacks which were trying to go through an ALREADY PATCHED security hole (the so popular recently contact.php). Bots were following (exactly) the INSTRUCTIONS pointed in one of the advisories - php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution- vulnerability/index.html (do you remember the sad story I was talking about earlier?) What exactly happened? The bad guys used the fact that this vulnerability was first published and spread around the World Wide Web without the knowledge of e107 core development team. They attacked and infected servers (not secured enough - see below). All infected servers was made attackers. They infected more servers, etc. The number of infected servers was low at the beginning of the attack - at this time patch was already available. The problem is people do not pay enough attention on this even if shown on the top of their site administration panel, so patching required time. Those who were late, lost the game. Unfortunately those who weren't late, didn't win the game. They were attacked by all infected servers. Although the hole was patched, attacks became DDOS. They affected all servers which can't handle such attacks. What can do e107 CMS about all this? Near nothing, nor any other CMS/PHP script can do more. e107 core development team could do one thing only - security patch, preventing php code execution in this particular case. Neither development team nor PHP itself are able to help you stop the requests to your site. I hope everyone understand this. I saw all kind of advises as 'delete contact.php', 'add .htaccess rules', etc. This could work in very short term. Here are blocked requests from the logs on this server: Treasures/Download/Free-e107-Plugin-Corllete-Lab-Gallery/contact_php Treasures/Download/Free-e107-Plugin-Corllete-Lab-Gallery/contact.php Treasures/Download/Free-e107-Widget-Blank-Simple/show/contact_php As you see, there is only one solution - server security software. Solution? I can point server owners/shared hosting companies to a solution based on our current experience. It involves an installation of a free software package on a Linux web server, best suitable for RedHat or derivative Linux platforms (read more details about different software requirements below). The solution is fully integrated with Cpanel/WHM server management system. Additionally, the company behind some applications of this package is offering low cost Cpanel configuration services which allows you to order installation and configuration of all required software on a dedicated server(s) for a very fair price. Learn more about the ConfigServer Cpanel services. I'll try to explain how the whole is working in few words. Real time protection (active scanning) Requests to the server are being analyzed (e.g mod_security rules, suhosin) and temporary blocked if recognized as a hacking attempt. Temporary blocked IPs doesn't have access to the server for 300 seconds (default value). Additionally, number of temporary blocks are resulting in permanent block (csf.deny file). Permanent blocks are added to the server's iptables. The default max number of permanent blocked IPs is 100. You could increase the number if required but be careful: DENY_IP_LIMIT configuration variable comments wrote ... This can be important as a large number of IP addresses create a large number of iptables rules (4 times the number of IP's) which can cause problems on some systems where either the number of iptables entries has been limited (esp VPS's) or where resources are limited. You should find the appropriate number based on your server resources and the strength of the (eventually) current attack against your server. Server monitoring (on-demand scanning) ConfigServer Firewall comes with Login Failure Daemon (lfd) which effectively blocks IPs based on the number of login failures. You should start number of cron jobs for various checks (e.g. rkhunter, Chkrootkit which is not listed here etc). In the end you should be able to be informed about the state of your server just reading email reports once per day. eXploit Scanner (if installed) will add additional server monitoring (beside its active scanning, it's able to perform scanning of files, directories and user accounts for suspected exploits, viruses and suspicious resources). Just a side note - I'm not saying people who has the software below will be 100% secure. There is no such a thing when you are plugged-in to Internet. I'm just saying you'll be as much secured as possible, it'll work for you in most if not in all cases. This article is not intending to explain How to protect yourself (installation/configuration instructions) but what to install to be protected. Links to appropriate resources are provided together with every product listed below. Atomic ModSecurity & ModSecurity Rules Overview and installation instructions: http://www.configserver.com/cp/csf.html Additional help by configuring the rules: http://www.atomicorp.com/wiki/index.php/Mod_security This is a part of the Atomic Secured Linux (ASL) project. Mod Security is an open-source web application firewall. Atomic Rules are set of predefined mod_security rules which are updated on a regular basis. For a Cpanel users, the best option is to install mod_security via the Easyapache module. See below why. ConfigServer ModSecurity Control (cmc) Product page: http://www.configserver.com/cp/cmc.html The product provides you with an interface to the cPanel mod_security implementation from within WHM. It gives you additional GUI control over your ModSecurity installation. Suhosin Product page: http://www.hardened-php.net/suhosin/ Suhosin is an advanced protection system for PHP installations. It is designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. iptables SPI firewall (ConfigServer Firewall - csf) Product page: http://www.configserver.com/cp/csf.html You'll find full feature list and all required installation instructions. You pretty much need 3-4 shell lines: rm -fv csf.tgz wget http://www.configserver.com/free/csf.tgz tar -xzf csf.tgz cd csf sh install.sh ClamAV Product page: http://www.clamav.net/lang/en/ It's an open source (GPL) anti-virus toolkit for UNIX, nothing more or less. ConfigServer eXploit Scanner (cxs) Product page: http://www.configserver.com/cp/cxs.html This is the only non-free product in this list. You may or may not buy & install it. I suggest you install it. It does active scanning of files as they are uploaded to the server. It has Cpanel GUI control panel. MailScanner Product page: http://www.mailscanner.info/intro.html MailScanner is an e-mail security and anti-spam package for e-mail gateway systems. It supports Clam Anti Virus. Rootkit Hunter Product page: http://www.rootkit.nl/projects/rootkit_hunter.html Rootkit scanner is scanning tool to ensure you for about 99.9%* you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running various tests. Fine tuning I'll update this section in the future with information about what could break your e107 site installations and how it can be tweaked/re-configured. Summary - be smart, not paranoid Panic creates paranoid thoughts. You need to find the balance between security and flawless working web applications on your server(s). People using hosting services want to be secure and not to block the access of half of the world to their sites. I'll try to keep an updated list here in the future of common needed for e107 installation configuration changes needed to make the CMS and its plugins work well (and not to block/ban innocent visitors). Anyway, the idea is you should be safe enough against both exploit & DOS attacks. I can confirm that the access the contact form on FS is blocked (403 error) very efficient from mod_security currently. There are many blocked daily attempts and no CPU overload on this server. This is the reason I decided to share all this. It may (it should) work for you as well.
Comments12 Jul
pllsystem Secure server configuration - stop the madness
I am suffered that way from the shared hosting company's approach. I quote my mail FYI:
After 1.5 years of using iweb shared hosting I was satisfied with your service. Although you cannot provide working SOA mail after each query you can set something up. Due to the latest hacker attack you suspended my whole account two times. And suggested buying dedicated server to scale the sessions instead of doing anything against the real problem and work on your server secure configuration. (Alhough I bought unlimited bandwidth + unlimited domain hosting package - your server cannot cope with the amount of visit) While I am continuously moving to hosting24.com and will finish with iweb at the and of our session I think you can pay attention to that on secure server configuration and maybe your approach will change and will not lose more customers. http://free-source.net/blog/Secure%20server%20configuration%20-%20stop%20the%20madness I think is that can help in such situation. I am still convinced that it is not only an e107 CMS problem. All kind of sites can be DDOS attacked and you should better developing instead of blaming your customers.  12 Jul
 SecretR Secure server configuration - stop the madness
Good one, although the problem is not so simple.
I'll give you an example. Let's say hosting company is hosting 50+ e107 (WP, Joomla! or whatever CMS) sites on their server. The idea behind the shared hosting is that you are limited (no matter the plan) to a certain CPU/traffic usage. Every machine has its limit. Hosting companies are calculating those limits and are trying to get the max profit per server (which means - clients). If those 50+ sites become high traffic sites (current DDOS attack) at one and the same moment there is nothing which can handle the situation. This is a real life example - I read it on e107.org forums (guy with 80 e107 sites). Even when sites were deleted/moved server CPU were still at 99.99%. Don't understand me wrong, I'm not defending your host company, I'm just saying I understand the problem they may have. It's a business and business is cruel. My point with this article is that in the ideal world where everyone think about security, and people who should defend Internet (security specialists) don't help bad guys to do bad things, hosting companies/server owners would stop the attack at the beginning, there will be a low number of infected sites acting as attackers. We don't live in the ideal world, our world is far from perfect and the only thing we could try is to make it little bit securer than it's now.  27 Jul
Brynn Neilson Secure server configuration - stop the madness
We ended up removing contact.php, installing fail2ban and writing our own log analyzer that uses IPTABLES to block hackers that try to access contact.php in dodgy ways.
However I think it's important to build the security into e107 for users that don't have access security tools - perhaps an e107 "real-time security" plugin. e107 already has some of it with the flood and multiple login banning. It wouldn't be so hard to add a log filter that could be updated with the latest known attacks against e107 and it could automatically block those servers from access or redirect them to a black hole. Would be cool to get a report each day that says something like "Your e107 real-time security system sent 3 hackers into black holes today and redirected 4 others to download 600MB files from Microsoft. TCP connections were kept open for another 3 hackers just to annoy them and use up the resources of their servers." Actually, I'll have a chat with my programmers tomorrow and see if we can build it. brynn :-) 27 Jul
SecretR Secure server configuration - stop the madness
@brynn, just let me know when you have working PHP (pluginized) defense, I know Steve is currently working on something similar (much more basic).
03 Aug
 steved Secure server configuration - stop the madness
I'll certainly be interested to hear about things we can do to e107 to help security. As SecretR says, protection at the server level is best, if you can do it. I'm looking at ways of making e107's built-in security features more effective, and a small positive out of the recent attacks is that I've learned a lot, which will be added to 0.8 at least.
You must be logged in to make comments on this site - please log in, or if you are not registered click here to signup
|
Blog categories |
Member Login
|
|
SecretR
