How to install firewall using ConfigServer Firewall (CSF) on CentOS cPanel server

ConfigServer Firewall (CSF) is a popular Linux firewall security suite. It is easy to install, flexible to configure and secure with extra checks. CSF helps control exactly what traffic is allowed in and out of the server and protects the server from malicious attacks.

The CSF installation includes a control panel user interface available via WHM and the login failure daemon process (lfd), which runs periodically to scan the latest log file entries for login attempts that continually fail within a short period of time. Such attempts are often called “brute-force attacks”; the daemon responds quickly to such patterns and blocks the offending IPs.
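The kind of scan described above can be sketched in shell and awk. This is an added illustration, not code from CSF or from the original post: it counts failed SSH logins per source IP inside a time window over constructed sample log lines. The function names and the thresholds (3 failures within 300 seconds) are assumptions.

```shell
#!/bin/sh
# Added illustration of window-based login-failure detection (not lfd's code).

# Constructed sshd syslog lines; IPs are from documentation ranges.
sample_log() {
cat <<'EOF'
Sep 11 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Sep 11 10:00:04 host sshd[2102]: Failed password for invalid user x from 198.51.100.7 from 203.0.113.5 port 40130 ssh2
Sep 11 10:00:09 host sshd[2103]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
Sep 11 10:00:12 host sshd[2104]: Failed password for root from 203.0.113.5 port 40144 ssh2
Sep 11 10:05:00 host sshd[2105]: Failed password for bob from 192.0.2.44 port 33000 ssh2
Sep 11 10:40:00 host sshd[2106]: Failed password for bob from 192.0.2.44 port 33010 ssh2
Sep 11 11:30:00 host sshd[2107]: Failed password for bob from 192.0.2.44 port 33020 ssh2
EOF
}

# find_offenders LIMIT WINDOW_SECONDS   (log lines on stdin)
# Prints each source IP once, at the moment it reaches LIMIT failed logins
# within WINDOW_SECONDS. Both thresholds are hypothetical, not csf.conf values.
find_offenders() {
    awk -v limit="$1" -v window="$2" '
    / sshd\[[0-9]+\]: Failed password for / {
        # Time of day in seconds (the sample stays within a single day).
        split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
        # The user name is client-supplied text and may contain "from",
        # so the address is the field after the LAST "from" on the line.
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || (ip in blocked)) next
        n = ++count[ip]; seen[ip, n] = now
        # Walk back through earlier failures that fall inside the window.
        recent = 0
        for (j = n; j >= 1 && now - seen[ip, j] <= window; j--) recent++
        if (recent >= limit) { blocked[ip] = 1; print ip }
    }'
}

# Stand-alone run: report offenders in the constructed sample.
sample_log | find_offenders 3 300
```

With the sample data only 203.0.113.5 is reported: the three failures from 192.0.2.44 are spread over more than an hour and never fall inside one window.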

Log in to your server via SSH and start the CSF installation by retrieving the package files with wget:

# wget http://configserver.com/free/csf.tgz

Unpack the archive:

# tar xfz csf.tgz

Navigate to the uncompressed csf directory:

# cd csf

Run the installer:

# sh install.sh

It will create the configuration file and add all required cPanel services to the allow list. Next, disable testing mode by editing the main CSF configuration file. Open the file using any editor (vi, nano, etc.):

# nano /etc/csf/csf.conf

and change

TESTING = "1"

to

TESTING = "0"

When done, restart CSF:

# csf -r

Now CSF is installed and ready. You can manage it via the cPanel WHM interface under WHM > Config Security & Firewall.

You may want to visit “Check server security” page next, allow/block IP addresses, flush blocks, restart login failure daemon and much more.

For more information about CSF, see: http://configserver.com/cp/csf.html

WordPress 3.6.1 Maintenance and Security Release

WordPress released a new version of its PHP blogging framework on September 11, 2013, which contains important maintenance and security updates. Host Byte recommends that, whether you’re hosting with us or not, you take the time to update your version of WordPress and avoid the dangers of hacking. Read on for more information about the release.

Specifically, the new release addresses these security concerns:

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post ‘written by’ another user.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website.
  • Adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.

For more information on the changes, see the release note or consult the list of changes.

Are All SSL Certificates the Same?

The number of businesses that use SSL has increased tremendously over the past few years, and the reasons for which SSL is used have also increased. For example:

  •  Some businesses need SSL to simply provide confidentiality (i.e. encryption)
  •  Some businesses like to use SSL to add more trust or confidence in security and identity (they want you to know that they are a legitimate company and can prove it)

As the reasons companies use SSL have become wider, three different types of SSL Certificates have been established:

  • Extended Validation (EV) SSL Certificates
  • Organization Validation (OV) SSL Certificates
  • Domain Validation (DV) SSL Certificates

Extended Validation (EV) SSL Certificates are issued only when a Certification Authority (CA) checks that the applicant actually has the right to the specific domain name and also conducts a very thorough vetting (investigation) of the organization. The issuance process for EV Certificates is standardized and strictly outlined in the EV Guidelines, created at the CA/Browser Forum in 2007, which specify the steps a CA must complete before issuing an EV Certificate:

  1. Must verify the legal, physical & operational existence of the entity
  2. Must verify that the identity of the entity matches official records
  3. Must verify that the entity has the exclusive right to use the domain specified in the EV Certificate
  4. Must verify that the entity has properly authorized the issuance of the EV Certificate

EV Certificates are used for all types of businesses, including government entities and both incorporated and unincorporated businesses. They take about 10 days to issue.

A second set of guidelines applies to the CA itself and establishes the criteria against which a CA must be audited before being allowed to issue an EV Certificate. These are called the EV Audit Guidelines, and the audits are done every year to ensure the integrity of the issuance process.

Organization Validation (OV) SSL Certificates are issued only when a Certification Authority (CA) checks that the applicant actually has the right to the specific domain name and also does some vetting (investigation) of the organization. This additional vetted company information is displayed to customers when the Secure Site Seal is clicked, which gives enhanced visibility into who is behind the site and in turn enhanced trust in the site. They take about 2 days to issue.

Domain Validation (DV) SSL Certificates are issued when the CA checks to make sure that the applicant actually has the right to the specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal. DV certs can be issued immediately.

What Does SSL Actually Do for You?

SSL is the acronym for Secure Sockets Layer and is the Internet standard security technology used to establish an encrypted (or safe) link between a web server (website) and your browser (e.g. Internet Explorer, Chrome, Firefox, etc.). This secured link ensures that the data passed from your web browser to the web server remains private, meaning safe from hackers or anyone trying to spy on or steal that information. SSL is the industry standard and is used by millions of websites to protect and secure any sensitive or private data that is sent through their website. One of the most common things SSL is used for is protecting a customer during an online transaction.

Establishing a secured SSL connection on a web server requires an SSL Certificate to be properly installed. When completing the process to activate SSL on your web server, you will be asked to answer a number of questions to verify the identity of your domain and your company. Once properly completed, your web server will create two cryptographic keys: one is called the Private Key and the other is called the Public Key.

The Public Key isn’t a secret; it is placed into something called a Certificate Signing Request, most commonly referred to as the CSR. The CSR is a file that contains all of your details. Once this CSR is generated, you can begin the SSL application process. During this process, the Certification Authority (CA) will go through the validation process to verify your submitted details and, once they are verified, will issue an SSL Certificate with your details and allow you to use SSL. Your web server will automatically match the CA-issued SSL Certificate to your Private Key. This means you are now ready to establish an encrypted and secure link between your website and your customer’s web browser.

The SSL protocol is complex, but the complexities always remain invisible to your customers. Instead, the browser they are using provides them with a key indicator letting them know that their session is currently protected by SSL encryption: sometimes it is the lock icon in the lower right-hand corner, or the addition of an “s” in https rather than just http; on high-end SSL Certificates, a key indicator is the green bar in the browser. Clicking on the indicators will display all the details about the certificate. All trusted Certification Authorities issue SSL Certificates to either legit companies or legally accountable individuals.

Generally speaking, SSL Certificates include and display (at least one or all of) your domain name, your company name, your address, your city, your state and your country. A certificate also always has an expiration date and, of course, the details of the Certification Authority responsible for issuing it. When a browser connects to a secured site, it retrieves the site’s SSL Certificate and first makes sure that it has not expired, then checks that it was issued by a known Certification Authority that the browser trusts, and then that it is actually being used by the website it was issued to. If any one of these checks fails, the browser will display a warning to let the user know that this site is not secured by SSL. It says to leave or proceed with extreme caution. That is the last thing you would want to say to your potential customer. That is why SSL is of high importance to any successful company doing business on the web.
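The key pair, CSR and issuance steps, and the three browser checks just described (expiry, trusted issuer, matching host name), can be reproduced offline with the openssl command line. This is an added example, not part of the original post: the throwaway CA, the names Example Test CA, Example Ltd and www.example.test, and the function names are all constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration: CSR flow plus the three browser checks, using a
# throwaway CA created on the spot. All names below are constructed.

make_demo_pki() {   # $1 = empty working directory
    d=$1
    # Stand-in Certification Authority (self-signed root).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # Site key pair plus CSR: the CSR carries the public key and subject details.
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Ltd/CN=www.example.test" \
        -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null
    # The CA issues the certificate from the CSR.
    openssl x509 -req -in "$d/site.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 7 -out "$d/site.crt" 2>/dev/null
}

# check_cert CERT CA_BUNDLE HOSTNAME -> prints "ok" or the first failed check
check_cert() {
    # 1. Not expired.
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo expired; return 1; }
    # 2. Issued by a CA present in the trust bundle.
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo untrusted; return 1; }
    # 3. Issued to the host name being visited.
    openssl x509 -in "$1" -noout -checkhost "$3" | grep -q 'does match' \
        || { echo wrong-host; return 1; }
    echo ok
}

# key_matches CERT KEY -> succeeds if the certificate holds the key's public half
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Stand-alone run.
demo=$(mktemp -d)
make_demo_pki "$demo"
check_cert "$demo/site.crt" "$demo/ca.crt" www.example.test  || true
check_cert "$demo/site.crt" "$demo/ca.crt" shop.example.test || true
key_matches "$demo/site.crt" "$demo/site.key" && echo "private key matches certificate"
rm -rf "$demo"
```

The same `check_cert` and `key_matches` calls work on a real certificate file, with the CA bundle your platform trusts in place of the demo CA.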

Email Spam? No Please!

Woke up this morning and found hundreds of unread mails in your inbox? You curse the person who sent you those emails and miserably begin reading each one.  But hold your horses! Do you know how many out of those are Spam Emails? It’s a common misconception that emails in your ‘Inbox’ folder cannot be spam; however spammers these days are extremely smart. Read on to know what Spam is and how you can safeguard yourself.

 

Firstly, what is Spam?

Everyone knows that Email Spam is Junk Email you receive from unknown senders. Clicking on links within the email might direct you to a phishing website or sites that host malware. Spam email may also include malware as scripts or other executable file attachments.

Email Spam Defined

By definition, email spam is any email that meets the following three criteria:

  • Anonymity: The address and identity of the sender are concealed
  • Mass Mailing: The email is sent to large groups of people
  • Unsolicited: The email is not requested by the recipients

In short, spam email is any email which was sent to a user and many others with malicious intent. The source and identity of the sender is anonymous and there is no option to cease receiving future emails.

But why would anyone send me SPAM?!

Haven’t we all asked ourselves this question at some point of time? Spammers don’t really love you. The truth of the matter is that spam email is a simple Math game. The more spam emails a spammer sends, the more likely he or she is to get recipients to respond to the email. If a spam email sender has a list of five million email addresses, only a small fraction of those need to reply to the spam message in order for it to result in significant financial turnover for the spammer.

How does MONEY come into the picture here?

If a person’s sending you Spam, there’s always some gain involved for him. No one would want to waste their time sending zillions of junk to random people. On most occasions, your spammer has committed to a firm that he’ll provide them with your email address so that they can send you their newsletters, etc. Once your email address gets verified, the concerned firm pays the spammer for the mails he sent out.

So now how do I save myself from being Spammed?

The best way to avoid spam is not getting on spammers’ lists in the first place. But obviously, not everyone is that fortunate. Don’t fret; there are a couple of things you can do in order to prevent your email inbox from spam.

1. Try Disposable Email Addresses

Using your real, primary email address anywhere on the web puts it at risk of being picked up by spammers.  A disposable email address will forward all mail to your real address. But won’t that also send you spam? Not really. If you dispose of the email address, you won’t receive any spam :)

2. Every Checkbox isn’t meant to be Ticked!

When you sign up for something on the Web, there is often some innocent-looking text at the end of the form saying something like: “YES, I want to be contacted by select third parties concerning products I might be interested in.” Quite often, the checkbox next to that text is already checked and your email address will be given to you don’t know who.

To avoid that,

  • Look closely at every form you fill on the Web and
  • Make sure all relevant checkboxes are not ticked.

Sometimes, the text will read: “NO, don’t give away my email address,” and the checkbox will consequently be unchecked by default. Check it.

3. Disguise your Email Address

Sounds silly, but it sure does work! To avoid ending on a spammer’s mailing list when you post to a web forum or a newsgroup, you can disguise your email address by inserting something obvious into it.

If your email address is me@example.com, you can modify it to read me@EXAdelete_thisMPLE.com, for example. You will not get spam at that email address since all messages to it will bounce, but people who want to send you an email can still do so after they remove “delete_this” from the address.

Obscuring your email address does make sending mail a bit more difficult. But this is not always a disadvantage.

4. Domain Owners: Set up Throwaway Addresses to Fight Spam

If you own a domain, you have a great anti-spam tool at hand: your mail server. You simply need to enable the “Catch-All” feature in your email, which, when activated, allows you to catch all of the emails sent to your domain, whether the ID exists or not.

You can use this feature to create throwaway email addresses on the fly:

  • If you need to give an email address to sign up for something, make one up.

For example, if you sign up for a newsletter at About, enter “about@example.com” as your email address.

5. Enable Privacy Protect

You can also enable the ‘Privacy Protect’ option for your Domain Name: your Domain provider replaces your Contact Details in the Whois information with its generic contact details, thus masking your personal contact details. Host Byte provides this service free of charge, and it is enabled by default for most domain extensions. You can learn more about this here.

Remember – Receiving spam is very easy and getting rid of it is equally difficult!

THAT’S A SPAM EMAIL!!

Just for the record, Host Byte doesn’t contribute to any of the spam in your inbox and we provide all our users with a default Anti-Spam filter which checks all your incoming and outgoing emails. Your incoming emails are filtered using ‘PostScreen’ and the outgoing ones are filtered using ‘Commtouch’.

“Like almost everyone who uses e-mail, I receive a ton of spam every day. Much of it offers to help me get out of debt or get rich quick. It would be funny if it weren’t so exciting.”
Bill Gates finds spam rather exciting, do you? ;)