
The ServInt Source

Patching the Heartbleed Bug in OpenSSL

Recently, a vulnerability was announced with OpenSSL based on a bug called Heartbleed:

“This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”

 - heartbleed.com

This vulnerability impacts OpenSSL versions 1.0.1 and 1.0.2-beta. ServInt customers may have this vulnerability if they are running CentOS 6. CentOS 4 and 5 do not have versions impacted by the Heartbleed vulnerability.

Webhosting for Non-Technical People: the Dark World of DDoS Attacks

Author, marketing VP and notorious luddite


DDoS attacks sound like something out of one of those cheese-ball 1980s “hackers break into somebody’s computer and ignite a world war three” movies — you know, the ones that feature 400 baud modems and TRS-80s with cassette drives — but “distributed denial of service” (DDoS) attacks are very real, and are a growing problem.

ServInt, like everybody else in the hosting industry, has seen an uptick in DDoS activities on its network over the last couple of years. And while DDoS hasn’t been a major problem for us, it’s something we’re working hard to stay ahead of — which is what brought it to my attention, and what got me to make the effort to understand DDoS attacks better.

What is a DDoS attack?

A DDoS attack occurs when hackers gain control of multiple computers (that’s what makes these attacks “distributed”) and force them to make some form of system resource-dependent request of a target computer or website. The volume at which these requests are made quickly overwhelms the computer that is being targeted, and eventually the site or computer ceases functioning.

This is not the place — and I am certainly not the author — to go into the specifics of how this all works. Here’s an article that does a good job summarizing the different kinds of DDoS attacks.

What’s more important to you and me is: how can all this affect ServInt customers, and what measures does ServInt take to address the problem?

On Feb. 11, We’re Fighting NSA Spying by Donating our Revenue to the Electronic Frontier Foundation

As part of our ongoing efforts to support Internet privacy and good governance, ServInt is donating the first month of all revenues earned from participating new VPS and dedicated hosting accounts added on Feb. 11 to the Electronic Frontier Foundation. We’re taking this extraordinary step because — on “The Day We Fight Back” against NSA bulk surveillance — we want the world to know we’re serious about our commitment to Internet freedom and fairness. Following is a brief review of just some of the reasons why — reasons that hopefully will show you why you need to get involved, too.

Let’s start by stating the obvious: NSA spying is wrong. It’s wrong because no government should ever monitor all of its citizens’ online activities just because any one citizen might be using the Internet to break the law. If only for this reason, you should join ServInt in observing “The Day We Fight Back” on February 11.

But there is another reason to join in the global crusade against the NSA’s “bulk surveillance” tactics — a reason that has more to do with the real-world impact the NSA’s activities could have on your online business. In other words, if you think legislative and regulatory activism is all about pie-in-the-sky idealism, think again. Here is the real dollars-and-cents reason why you should join us.

Hey, Glenn Beck: You’re Not Helping

This past weekend, I had to take a long road trip to help somebody with an interstate move. As I often do when I’m struggling to keep my eyes open after many hours on the road, I tuned in some talk radio. As luck would have it, I managed to catch a half-hour or so of Glenn Beck’s daily radio program. On this occasion, Mr. Beck was spending a good portion of his time selling a new e-mail service — one which he claimed would “never, ever, ever” surrender any content to Uncle Sam unless the government first came armed with a warrant. For this privilege, Mr. Beck expected listeners to subscribe to his TV channel, for the modest annual fee of $99.95.

Let me make one thing perfectly clear: I am not writing this blog post to discuss Glenn Beck’s politics, or even his (considerable) marketing acumen. No, I’m reserving my precious blog column-inches to call Glenn Beck out for something that is well within my professional wheel-house: the fact that he is misinformed about how e-mail service providers are actually obligated to work with law enforcement, and, more importantly, the fact that he is not helping in the effort to get the NSA out of America’s e-mail inboxes.

To be fair, Glenn Beck is promising one thing that is under his control (though there are any number of e-mail service providers who offer it without the $99.95/yr price tag): that his service will not scan its customers’ e-mail accounts for the purpose of serving ads that match content included in those e-mails. However, Mr. Beck’s other claim — that his e-mail service will only yield to government inspection upon presentation of a warrant — well, let’s spend a moment looking at that more carefully. We’ll start by examining how Glenn Beck himself describes his offering, in a recent online “broadcast”:

(Note: I’m not going to provide any links to Beck content in this blog post. It’s easy to find plenty of Glenn Beck-sanctioned information about his e-mail offer with a simple web search.)

Beck says: “Everybody is scanning your e-mails, so they can… target you for the Feds…”

We say: The NSA scans a portion of all internet traffic, large enough that it could possibly contain most or all e-mail traffic sent inside the United States. This is being done without the consent of ISPs, web hosts and other e-mail providers. In addition, all e-mail service providers/web hosts are required, by law, to surrender any e-mail content they may have if they are served with a warrant by law enforcement. In fact, as detailed by our COO, Christian Dawson, in this post, there are circumstances where law enforcement can force e-mail service providers to hand over your old e-mails without a warrant. You cannot avoid the NSA scanning, or law enforcement searches, no matter how much you pay Glenn Beck.

Beck says: “The NSA and Google (scan your e-mail), and they’re in bed with each other.”

We say: Beck is conflating things here. Gmail does scan its users’ e-mail accounts, in order to serve them with targeted advertising — which they see as the price users of its e-mail service pay to get Gmail for “free.” Separately, documents released by Edward Snowden suggest that the NSA has been eavesdropping on e-mail traffic headed into and out of the Google network, completely unbeknownst to Google. In addition to that, Google, like all e-mail service providers, is required by law to respond to warrants and legal, warrantless requests requiring them to share e-mail content, if they have any. These things are not related to one another.

Beck says: “We’re not surrendering any lists, any emails, anything, without a warrant…”

We say: As I mentioned before, there is nothing Glenn Beck can do to prevent the NSA from “reading” his customers’ e-mail, or to avoid legal warrantless demands for old e-mails — so there’s not much to that promise.

So what’s the takeaway here? If you want to protect your e-mail from unlawful inspection by the government, sending Glenn Beck $99.95 won’t accomplish anything. But a few minutes of your time might. Our COO has written two recent blog posts about things you can do that won’t cost you a dime, and could make a huge difference: supporting the USA FREEDOM Act and keeping abreast of developments surrounding ECPA. Do yourself, and your country, a favor by checking these posts out and contacting your congressmen to urge their support as required. Glenn Beck is right about one thing: unauthorized, extra-legal snooping into e-mail accounts is unethical, un-American, and just plain wrong. We just wish he would use his considerable influence to help change things for the better.

Adding an Authorized Key for SSH

In a previous article, SSH Key Authentication, I explained how to generate an SSH key so you could automatically log into your server instead of using a password. This is convenient for you (no more typing the password) and very inconvenient for potential hackers. If you turn off password authentication (because you’ll no longer need it), no amount of password guessing will let a hacker in.

The previous article showed you how to add the key to your cPanel server, but what if you’re not running cPanel? Don’t worry, the process is just as easy for no-panel servers. I’ll show you how.

Adding the Key

The USA FREEDOM Act: NSA Data Collection, the Escalation of Encryption, and Curbing the Digital Arms Race

On October 29, 2013, the USA FREEDOM Act was introduced to end the mass gathering of phone record data by the NSA.

H.R.3361/S.1599 is a bipartisan effort authored by Sen. Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, and Rep. James Sensenbrenner Jr. (R-Wis.) that seeks to curb the mass targeting of communications by American citizens by clarifying the language in Section 215 of the USA PATRIOT Act.

How does this affect you?

ServInt supports the USA FREEDOM Act because the same limitations that the bill places on the phone surveillance activities of NSA apply to other forms of communication, specifically Internet traffic. Not only should this bill get the NSA out of your phone calls, it should get them:

• out of your inbox
• out of your search history
• out of your text logs

TCP Wrappers

A great way to keep potential threats at bay and make your server more secure is to employ TCP Wrappers. TCP Wrappers are a form of access control you can use – in conjunction with a firewall – to lock out unwanted users and increase your server security.

TCP Wrappers are similar to a firewall, in that you can allow and deny IPs or hosts, but different as they provide some additional options as well. TCP Wrappers use access rules in the hosts.allow file to allow or deny connections to network services that use the tcp_wrappers library, libwrap.

For example, you may want to allow someone FTP access to files on your server, but not want to allow them SSH, WHM, or any other kind of access. TCP Wrappers allow you to grant them access to FTP, or another specific feature, while denying them access to everything else.

Web Hosting for Non-Technical People: Hacked!

Author, marketing VP and notorious luddite


Over the weekend, my wife got a phone call from her parents telling her that her web site wasn’t working. When asked for clarification, her parents said that “Google has a big warning sign up where your site used to be.” Most of you already know what was going on: my wife’s site had been hacked. She called me to see what I could do to (cough) fix the problem.

What she didn’t know was that site hacks, while extremely common, aren’t necessarily easy to fix. Especially by me! For each hack, there are multiple phases of activity, each of which can be achieved via literally thousands of possible methods. Keeping track of them all is a job for which specialized technicians train their whole professional lives — so I hung up the phone and stuck my head into our Director of Network Compliance’s office.

“Hey, Mike,” I said. “I think my wife’s web site has been hacked.”

I was a bit disappointed by Mike’s I’m-not-surprised reaction — then again, he sees this stuff hundreds of times a day. But he was kind enough to spend a few minutes with me, explaining what might have happened, and how it fit in with well-understood patterns in hacking.

Free Malware Protection from ServInt with StopTheHacker

All ServInt VPS and Flex accounts now come with free malware detection software from StopTheHacker — a service with an annual cash value of $120. Each customer receives one free subscription for each server they lease through ServInt.

The free StopTheHacker subscription for ServInt customers includes Basic STH service for one domain complete with a weekly scan utilizing standard malware detection measures.

The free malware detection software from StopTheHacker allows ServInt customers to determine whether the pages under monitored domains are being affected by known malware and viruses, and will also check to see if those domains are being blacklisted by major search engines.

SSH Root Logins, Privilege Escalation and Server Security in cPanel

As you dig deeper into server administration, you’ll eventually need to log into your server via SSH as root. Logging into your server as root allows you to easily accomplish many tasks, but it demands a certain level of security precaution.

SSH root logins offer a huge potential security vulnerability. The root user is the administrative user of a server and has full access to the server. If compromised, the root account provides the malicious user with complete control. Anyone logged into a server with root access can write, erase, edit, upload or download any file. It is an all-access pass to your server, and simply guarding your root password isn’t enough to protect yourself.

There are two ways to mitigate this security concern.
