How to properly secure website and server

How to properly secure website and server

Nowadays Internet is full of things and people that want to use results of somebody’s work for their own profit. Modern website and e-commerce business owners face the problems with hacking attempts (both successful and not), data theft, money robbery and even usage of their server and website as a base for crypto-mining software working on the background. The cases are really various and in most of the cases they are not seen with the naked eye. It starts to be notable when the results and the harm done by it begin to cause significant problems, which affect on the end user’s impressions.

What are the reasons of hacks and malware integrations?

Outdated versions of software and application

85% of the hacks done today are caused by open vulnerabilities in outdated versions of the software and application. You’ll laugh, but that’s also one of the easiest ways to break through. Why? Cause all such vulnerabilities are public and are posted for everyone. Why do you think developers of various products and tools we use, constantly deliver newer and newer patches and modifications? Because hackers never sleep…)

Breaking through such vulnerabilities is pretty straightforward: all you need to have is simple bot (it’s software application that runs automated tasks or scripts over the Internet), configured in a way to go through all known backdoors and try to upload or do something. You don’t need to perform some kind of cunning actions, like it’s shown in movies.)

Zero-day vulnerability

What’s that? It’s an exposure, which is unknown to all parties, that are responsible for the product and who are interested in it’s further patching, upgrading, etc. These parties usually are:
– Team, responsible for project maintenance
– End users

So as a conclusion – zero-day vulnerability is a backdoor no one is aware of. It’s just there, like a hole covered with a small rug. No one knows about it, cause no one has put their feet there and felt the pain of crush.

Breaking through it is not so easy as it is with outdated software, as such fragility is usually hidden from everyone. But when it’s located by someone with bad intentions – the only thing that’s left is wait and feel the consequences.

However attackers are loving zero-day vulnerabilities ‘cause, there is still no security patch to stop them (at least for now), and the only thing that may block them is the level of exploitability the exposure allows.

Suspicious plugins and extensions

Many current Content Management Systems (CMS) allow to expand their functionality by adding plugins. The biggest quantity of plugins are developed for WordPress, Magento, OpenCart, etc. The tricky thing here that these extensions are also one of the biggest vulnerabilities or even malware sources that may harm your website, application or even the whole business.

What is the plugin itself? It’s some additional code, designed as a separate service, that allows to expand some core functionalities of the website or just add another feature to it. Where are they downloaded from? In most of the cases, they’re found by website owners somewhere in the Net or just with the first Google link that forwards them to GitHub.

The thing that is not considered here is that every piece of code added to your system has a potential to be a risk. When you download some kind of plugin from the Internet and set it up on your website without being aware of what’s inside it and who is it developed by – all you do is granting that potentially risky or even malware code full access to your website and its data. So if the plugin has a vulnerability (and in the majority of the cases faced by us it’s just like that) or is not a plugin at all (meaning that it’s just a wrapping for the malware) consider that your website and data are already penetrated.

Bad code

As well as the plugins: every piece of code added to your system has the potential to be a risk. That’s why in professional and qualitative development companies there is a separate QA department and vulnerability researchers department, which are constantly looking for potential exposures and bugs that may cause such exposures to appear.

How to get yourself protected?

Actually, I think it’s enough to talk how websites can be compromised and hacked, I think it’s time to tell you how to close such backdoors and prevent hackers and malware from gaining access to your system.

WAF

Web Application Firewall (WAF) is a tool for filtering, monitoring and blocking HTTP / HTTPS traffic to and from a web application. In simple words that’s a pretty dumb tool, that allows to cycle the traffic through certain rules configured inside it. WAF passes the traffic further if it doesn’t violate any of the specified rules and blocks it immediately if it does.

Although you need to acknowledge the fact that WAFs are not perfect and can be bypassed when for example a zero-day vulnerability exploits an attack vector that is not yet handled by any of the WAF’s rules.

Update it & don’t let it be default!

As we said above one of the most spread and easy backdoors is outdated software. It is incredibly important to keep your website updated as soon as a new plugin or CMS version is available. We mentioned above that vulnerabilities can be easily detected by bots, but what we didn’t mention as besides that such bots can crawl the whole Net and detect the sites with outdated software and open exposures and then get their bad and dirty hands in it.

Default settings of basically all CMS’s are a mess. For example, some CMS allow to setup any kind of extensions to any kind of user. So one day you just come by to check on your business and see that some user installed some extension and all your data is gone. Don’t let it come to that, review the security settings of the CMS carefully before going live, as it’s just worth it.

Extensions / plugins selection

So how do you know which plugin is bad and which one is good? The first thing you should look at is the frequency of updates done for this plugin. If the last update was done around 1 year ago – then you should suspect something bad. Probably the author has already stopped working on that extension and there won’t be any further updates as well as security measures upgrades, right? You need to understand that in most of the cases plugin’s actions are tied up with the business logic of your website. So what’s the point of installing potentially risky functionality to your website, that won’t only be a backdoor for hackers, but also can become a problem for the business in total?

Also you should look at the author of the plugin. The larger user base, the more extensions and the better rating author has the less likely his / her extensions will damage your business and their reputation by inserting malicious code. And less likely hackers will try to break in into plugins developed by experienced authors, as invest / profit variable for them will be too low.

Passwords

`admin / admin`, really?!) Sometimes hackers don’t need to think about something outstanding to break through, as website owners just leave the door open for them. By following this link you can see the list of the most common passwords used in 2017, and if yours is among them – then you should change it. I mean, right now. Right this second!

The guys in WP Engine did an awesome research regarding myths surrounding passwords. It’s awesome, check it out!

There is a golden rule for passwords – CLU:

– C for Complex
Your favourite sports team or birth date is definitely a bad idea! All that information can be easily found on any social page you have, so using that as a password for your personal and business sensitive data is definitely not a good idea.)
– L for Long
Try to use passwords that are up to 12 characters long. Most of the modern online login systems limit the number of unsuccessful login attempts, so breaking through will cause a problem with 12- and more characters password, as most of the crack algorithms are based on simple permutation.
– U for Unique
Yes, that’s right, the best and the most secure way is to have unique password for each service. Having one password for everything means having a single point of failure for everything, as getting access to single service means getting access to your whole e-world.
– V for Vendetta
Oops, not the right place for that…)

I expect you to ask a question: “How am I supposed to store all that? I can’t remember all long and unique passwords!” Well, in modern world there is a huge bunch of various tools designed for safe storage of your passwords and logins. We use offline KeePass for that and there is a better looking version of this app called KeeWeb.

Users permissions and accesses

Having strict policy for on-site users’ privileges and accesses will low the chance of hacks and intrusions by `rogue` user accounts. Do not allow multiple access for 1 account and configure logging for all users actions in order to track changes and actions of the users. We’re not saying about tracking each click of the user and looking from behind of his back to steal his credit card data, we’re talking about actions done on the website, so you easily spot unusual behavior, catch anomalies and confirm with the person that their account hasn’t been compromised.

Secured server

Security is a complex term, consisting of different aspects and security layers, and each of them cuts and filters certain data and activity.

One of them is servers security which should work in full cooperation and coordination with the code. Here we’re talking about:
– separating php-pools for each website running on the server
– adjusting directory and files permissions
– setting up intrusion prevention tool
– disabling directories listing
– etc.

External backups

What should will you do if everything is gone? Of course many modern website owners know pretty much about backups and they know it’s really important. The only thing they don’t consider is that keeping backups on the same server is not a good idea at all.

Why? That’s one of the main security risks, as backups kept on the web-server always contain some old and unpatched versions of your CMS and extensions which are publicly available. So hackers receive an easy way to access your server along with all its data. In our opinion the best way to keep your backups will be to use some external storage or even external backup service. Besides security risk backups stored on the same hardware with your website are kinda useless, as:
– If hardware fails, it will fail with all backups and you won’t have a way to restore your site
– If hacker comes in, he receives access to everything. And then attacker can easily infect or delete the backup copies as well as the live site. The rest is history…)

The things highlighted above are basic and are common for the majority of cases. But don’t consider the above as a full list of actions that will cover all possible exposures of your server. Ignoring basic application side security approaches described few paragraphs above, like basic updates of the plugins and software, leads to nothing but repeats of the hacks or intrusions.

We’ve already told you enough about the possible methods to break in your server and described how you can deal with it, so if you think that your website or server is not secured or you’ve already noticed some suspicious activity, then you should definitely think about the above security measures.

Many of the specified above can be done by experienced and technically-savvy website owners, developers and system administrators. But what should you do if you don’t have a clear understanding of what, where and how? Well, we’re glad to announce a little upgrade of our services, as now ITsyndicate begins to provide website and server security hardening as well as website malware clean up.

So now we come to a topic named…

HOW IT WORKS

A schema for security layers configured by ITsyndicate in order to get website and web-server protecrted.

The above security schema shows how we’ll configure security layers for your web-server. The idea of such layering works and has proven itself in various cases. So let’s start from the beginning:

WAF

which takes the first bullet in such setup and does majority of dirty work like:
– instant blocking of the hackers
– DDoS attacks mitigation and prevention
– virtual patching and hardening
– prevention of zero-day exploits

This layer is constantly improved, as research done every day enhances detection and further mitigation of evolving threats. Besides that you’re able to configure a set of your own custom rules on this level, to be sure that your application’s bottlenecks and potential backdoors (if you’re aware of them) are secured.

After traffic has passed WAF security level and it’s filtered from all suspicious, bad and unknown requests it goes to…

Server firewall

What’s the point? Server firewall will only let through the traffic which has already been checked by WAF. So if some kind of handyman finds a way to get around WAF he / she won’t be able to go further as server firewall won’t pass it. So main features of server firewall are:
– allow traffic only from WAF
– allow traffic to go only through specified ports (custom configured for each case)

We forgot to mention SSL certificate, right? No, we didn’t!) Keep in mind that SSL doesn’t do anything to protect your site or server against any kind of attacks, or stop it from distributing malware. SSL certificate encrypts the data sent from Point A to Point B (for example web-browser and web-server). What for? Encryption prevents anyone from being able to fit into the chain and steal the data sent from A to B. Such attack is usually called Man in the Middle. Also Google has begun to force all website owners to move from regular and old HTTP to HTTPS, you can read more about it in one of our previous blog posts.

After first two security layers are passed it comes to server-side security layers, configured by our team. First one here is…

Web-server security layer

where we configure a set of rules that blocks users from accessing some of site’s folders directly. Also we restrict any kind of code execution in upload directories. Then it comes to…

PHP FastCGI Process Manager security layer

which in its turn has:
– a set of forbidden functions, execution of which will be blocked
– block for execution of the code inside of images
– a rule to run PHP process from different users with disabled permission to perform WRITE operation to the files

And last but not least…

FileSystem security layer

where we set:
– permissions for web root folder, so it’s only READable for web-server and WRITable for sFTP
– WRITE operation for users is allowed only to /uploads directory.

Besides that, we’re constantly monitoring your website for the presence of various vulnerabilities, signs of website hacks, intrusions and also warnings from blacklist authorities. If we see anything suspicious going on – we’ll contact you right away to indicate and begin resolving the issue. Besides that, the above security solution will detect downtime and changes of your DNS settings, core file integrity, and SSL certificates and we’ll alert you if anything suspicious is found. Below you can see the full list of malwares and security issues that can be detected and resolved with the security solution we provide:
– Notorious website hacks
– Issues and anomalies with the web-server and website security
– Warnings from blacklist authorities
– SSL Certificate changes
– SQL injection
– DNS Record Changes
– Core file totality
– Spam injections from Blackhat SEO
– Malicious redirects inserted into the JYJcode / configs
– Dirty search engine results
– Hidden and malicious iFrames
– Mobile malware infections
– Phishing lures
– Hijacked Websites
– Obfuscated JavaScript injections
– Redirects targeting mobiles
– Drive-by-Download injections
– Email spam abuse
– Pharma hacks
– Desktop AntiVirus Blacklisting (i.e., AVG, Norton, McAfee)
– Infected database / SQL Injections
– Website defacements
– Embedded trojans
– Cross-Site scripting (XSS) Infections
– Search engine blacklisting (Google, Bing, Yahoo, etc)

If you’d like to know more about us, our services or just get in touch to know if we like playing ping pong or not – feel free to contact us via [email protected] ! We’ll be glad to talk and tell you about our best practice approaches and experience!

(c) Nick Perzhanovskiy, 2018

Live long and prosper *</:)

About the Author
ITsyndicate contact form

Contact us if you have any questions!