how to secure your webserver

21 Apr

Hello Folks,

I believe we have passed the point of medieval brute-force SPAMMING attempts and have entered a new phase of more surgically orchestrated spamming.

I have personally observed that lately there has been an increase in the number of hacking attempts and spam runs being carried out through web servers.

Here are a few things we are doing at Successful Hosting to minimize such incidents.

1) FTP — we are now using ProFTPD's mod_ban module with these settings:

If a user attempts to log in to any of the servers and mistypes their password 5 times within 1 minute, their IP is banned for 5 minutes. The ban lifts automatically after those 5 minutes.

This setting is aimed at limiting brute-force dictionary attacks at the FTP level.

2) FTP — we have configured FTP to support TLS (secure authentication). One pattern we have recently found is that spyware bots installed on our clients' PCs sniff out the FTP passwords of their hosting accounts. Those passwords are then used either to upload more malware, in the form of infected index.html/php files containing iframe/JavaScript code, or to upload spamming software into the cgi-bin directory, which can then be triggered by a call from a remote IP — this is what I consider surgical spamming as compared to the general kind.

As a client, you can use a program such as FileZilla, which supports TLS authentication, and use it exclusively with TLS enforced for the connection.

FileZilla page http://filezilla-project.org/

Simply set up your server configuration as

FTPES — FTP over Explicit TLS

Your FTP login and file transfers will then be encrypted in transit instead of being sent in the clear.
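The two FTP measures above (the mod_ban limits and explicit TLS), as an added ProFTPD configuration example that is not Successful Hosting's own config; the log, table and certificate paths are assumptions to adjust for your installation:

```apacheconf
# Added example ProFTPD fragment, not the hosting provider's actual configuration.
# Paths below are assumptions.

# --- 1) mod_ban: temporary ban after repeated failed logins ---
# Drop the connection after each failed login so every wrong password raises
# a MaxLoginAttempts event; mod_ban then counts those events per client IP.
MaxLoginAttempts 1

<IfModule mod_ban.c>
  BanEngine on
  BanLog    /var/log/proftpd/ban.log
  BanTable  /var/run/proftpd/ban.tab
  # 5 failed logins within 1 minute -> ban the IP for 5 minutes;
  # the entry expires on its own, so no manual reset is needed.
  BanOnEvent MaxLoginAttempts 5/00:01:00 00:05:00
  BanMessage "Too many failed logins from your address; try again in 5 minutes."
  # Lets root inspect or clear bans with ftpdctl (needs mod_ctrls built in).
  BanControlsACLs all allow user root
</IfModule>

# --- 2) mod_tls: explicit FTPS (FTPES), so credentials are never sent in the clear ---
<IfModule mod_tls.c>
  TLSEngine on
  TLSLog    /var/log/proftpd/tls.log
  # Only modern protocol versions (needs a ProFTPD/OpenSSL build that supports them).
  TLSProtocol TLSv1.2 TLSv1.3
  TLSRSACertificateFile    /etc/ssl/certs/ftp.example.com.crt
  TLSRSACertificateKeyFile /etc/ssl/private/ftp.example.com.key
  # "on" refuses plaintext logins entirely; "auth" would encrypt only the
  # login while still allowing unencrypted data transfers for old clients.
  TLSRequired on
  # Avoids failures with clients that do not reuse the control-channel TLS
  # session on the data channel; remove once all clients support reuse.
  TLSOptions NoSessionReuseRequired
</IfModule>
```

With this in place a FileZilla profile set to "FTPES — FTP over Explicit TLS" connects normally, while a plaintext login is refused by the server.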

3) PHP — we are already running PHP in a mod_fastcgi configuration, which allows each PHP process to run under the username of the account that spawns it.
This type of setup eliminates the need to set up files/directories with world-write permission, as many hosting companies advise.

Also, unless you have a specific need to turn off safe_mode, which is the default way we run PHP, we advise leaving that default setting in place.

Please keep upgrading your applications regularly and tighten security at the application level as much as possible. We have already integrated the latest EasyApps bundle, and Parallels (our vendor) has committed to keep upgrading the EasyApps packages in a consistent manner.

4) Apache — as a test, we have introduced mod_security on web01/5/6/10.
We run mod_security 1.9.5 on Apache 1.3. So far, we have noticed a considerable drop in the number of hacking attempts made through PHP injection or iframe/JavaScript attacks. mod_security is known to make certain applications run into warnings and the like, and we do have a complete procedure for opting out of mod_security.

Soon, after some further testing, we will apply mod_security to all the remaining servers.

We hope this notification gives you some more insight into what we are doing to face the new challenges the Internet brings, and into what you, as owners of a Successful Hosting account, can do to increase overall security.

Thanks.