Another crack at reducing spam

There are pathological people who are quite happy to spoil something good for everyone else if it is to their advantage. The internet in general is a great example of that and spam in particular.

On a good day, I receive about twice as many spam emails as legitimate emails. On a bad day it is worse.

Add to that there are constant attacks on the server and websites by people who are trying to hack a site so it will send spam, adding to the problem, and it is an ongoing pain in the arse.

It makes a blog post more interesting to have some sort of image, but don’t be fooled, this is grossly inaccurate. The ratio of spam to legitimate email (for me) should be reversed.

In an effort to reduce the incoming spam count I have enabled one of the RBLs (Realtime Black Lists).

The risk is always that it causes too many false positives – marking legit email as spam – and becoming a headache in itself.

If this works, it should be obvious within a day or so. Stand by for an update 😛

cPanel phishing scam

No matter who you are hosted with, please don’t be taken in by a new phishing scam trying to get your cPanel login.

It is a pretty convincing copy of a genuine notification that you have filled your disk space and has the subject WARNING The domain “(example).com.au” has reached their disk quota.

At first I thought the 123host server was sending them, so I was confused as the accounts weren’t full and the date was wonky. I eventually discovered that one of the links in the email is to a site with a fake cPanel login (the pink highlight). 

A good thing to help spot a fake, though they may fix this, is that the dates are inconsistent (yellow highlight).

Screenshot of fake cpanel email
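The two tells described above (a link that leads somewhere other than your own cPanel, and dates that don't agree) can be checked automatically. This is an added example, not code from 123host or cPanel; the sample message, the host names and the 2-day tolerance are all constructed assumptions.

```python
import re
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: every host, date and sentence here is made up.
SAMPLE = """\
Subject: WARNING The domain "shop.example" has reached their disk quota
Date: Tue, 13 Jul 2021 09:15:00 +1000
Content-Type: text/html

<p>On 02 Mar 2019 the account reached its disk quota.</p>
<a href="http://login.badhost.example/cpanel">https://shop.example:2083/</a>
"""
DATE_RE = re.compile(r"\b\d{1,2} (?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4}\b")

class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_notice(raw, trusted_hosts, max_days=2):
    """Return reasons to distrust a 'disk quota' notice (empty list = none found)."""
    msg = message_from_string(raw)
    body, findings, parser = msg.get_payload(), [], LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host not in trusted_hosts:  # real notices link to your own cPanel host
            findings.append(f"link goes to untrusted host {host}")
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown.lower() != host:  # text looks like one URL, href is another
            findings.append(f"link text shows {shown} but href is {host}")
    sent = parsedate_to_datetime(msg["Date"]).replace(tzinfo=None)
    for stamp in DATE_RE.findall(body):  # dates quoted in the body vs. the send date
        if abs((sent - datetime.strptime(stamp, "%d %b %Y")).days) > max_days:
            findings.append(f"body date {stamp} is inconsistent with the Date header")
    return findings
```

Pass your own domain and your host's server name as `trusted_hosts`; an empty result only means these particular checks found nothing.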

Four customers had contacted me asking why their disk is full; in each case it wasn’t. So this is definitely a thing. I have since had a bunch more reports of the same thing.

You can always check how much disk space you are using in cPanel.

If you receive one of these, ignore it. If you are a 123host.com.au customer you can send it to me to double check for you if you want.

If you have received it, clicked the link and entered your cPanel login details, you need to let me (or your hosting service) know URGENTLY so your cPanel password can be changed.

Bastards!

WooCommerce oops!

A critical vulnerability has been discovered in WooCommerce prior to version 5.5 (the current version). You can read about it here, but they don’t give much info on what might happen.  I dug into the code and I think that if someone exploited this on your store, they could have access to order, customer, and administrative information via a cleverly crafted search string.


It is extremely important that if you have WooCommerce installed you upgrade to 5.5.1 as a matter of urgency. Once these vulnerabilities become public, the baddies know about them and start using them. Please don’t ignore this. And while you are at it, check that WordPress is at version 5.7.2.

If you subscribe to the 123Host WordPress Management service, I have already upgraded WooCommerce for you.

Anxiety is over-rated

Running a server is a mix of learning, fun, puzzle solving and terror. A lot of people rely on 123host (or any hosting company for that matter) to keep everything working so their business can operate.

What users might not realise is how much house-keeping is involved in keeping a server running smoothly. One of the most important aspects is keeping the software up to date.

And the most crucial component of any operating system is the kernel.

The Linux kernel is the main component of a Linux operating system and is the core interface between a computer’s hardware and its processes. It communicates between the 2, managing resources as efficiently as possible.

When the kernel is updated the server needs to be restarted to have the changes become effective. I had been holding off a reboot for a long time, but as part of the upgrade to disk storage a reboot became necessary.

I hate it.

The server is going to be offline for a period. In the past it hasn’t restarted cleanly. The world could end. What if…?

I had sent everyone an email warning it would happen Friday night. Due to circumstances in the data centre, it didn’t. I don’t like bombarding people with emails so I gritted my teeth and set 6:30PM Sunday to reboot, figuring it is likely a time when fewest customers are doing any work on their sites.

Expecting a 5 minute downtime I clicked “restart” and waited, shunning all attempts by my partner to talk to me…even the offer of chocolate was spurned (just kidding, I took the chocolate).

And then…in less than 2 minutes, the server was up and running again. TWO.MINUTES!

Needless anxiety indeed.

Relieved

Another layer of security

I confess to now being security paranoid. I hope I don’t become obsessive…then again, it might not be a bad thing.

In order to share bits of code, passwords, whatever, there is now a resource at https://paste.123host.com.au. Paste your bits in there, click “send” and you will be given a URL to share with the recipient.

NOTHING is seen or retained by the server (or me) unless I get the URL.

If you check the “burn” box the data will only be viewable once.

123host – keeping the internet safe for kittens.

WordPress management

While doing some research for a recent email to all customers about a severe WordPress bug, I came across a solution that allows me to manage the administration side of your WordPress site without having to log in to it.

The tasks I look after on your behalf include

    • Updating WordPress
    • Update plugins
    • Update themes  (on request. I am reluctant to update themes in case it over-writes your customisation)
    • Ensure https compliance
    • Monthly report to you
    • other things…

123host is pretty much all-inclusive.  I have always disliked the way some hosting businesses start with a cheap base price and then charge extra for every little thing.

However, subscribing to this service is quite expensive for me, and I pay based on the number of sites connected, so if you would like to have me manage the trickier part of your WordPress dashboard, the cost is $66 inc GST per year* per site.  This isn’t much more than about $1 per week for peace of mind!

* yeah, the fine print - these prices were correct when I wrote this, it might have changed.

123host – weeks ahead of the pack

I have been banging on about SSL certificates here and here and it turns out I was quite prescient.

In January 2017 Google is shifting the balance of internet security: the Chrome browser will report http:// websites as being not secure compared to https:// websites, and it is likely all browsers will follow suit. You can read the Google blog post here.

I am not going to go too deeply into SSL certificates and what it all means, you can read this if you are interested – but do note that their business model is now broken as SSL certificates are free – for everyone.

The good news is that if your hosting is with 123host you already have a free SSL certificate installed and you have https:// available whether you are using it or not.

Go ahead and try your domain but put https:// in front of it instead. There should be no error or warnings unless the domain is less than 24 hours old – certificates are checked and issued every night. You’ll see a padlock next to the URL.

SSL enabled URL

So what do you do next? If you are using WordPress go into the dashboard and change the URL from http:// to https:// in two places there.  If the links in your blog have been constructed properly it should all just work.

If you have a custom website of some sort simply start using https:// instead.  Again it should all work assuming it has been built properly.
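Whether a site has been "built properly" for the switch mostly comes down to hard-coded http:// references in its pages. The scanner below is an added example, not 123host or WordPress code; the site name shop.example and the sample page are constructed. It separates references the browser fetches over http (mixed content) from own-site links that merely still point at http.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# (tag, attribute) pairs the browser fetches or submits to while showing the page.
SUBRESOURCES = {("img", "src"), ("script", "src"), ("iframe", "src"),
                ("source", "src"), ("link", "href"), ("form", "action")}

# Constructed sample page for a site assumed to live at shop.example.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://shop.example/">
<script src="http://cdn.example/jquery.js"></script>
</head><body>
<img src="http://shop.example/img/logo.png">
<img src="//static.example/banner.png">
<a href="http://shop.example/contact">Contact</a>
<a href="http://other.example/">Elsewhere</a>
</body></html>"""

class HttpReferenceScanner(HTMLParser):
    """Find hard-coded http:// references that matter once the site is on https://."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.mixed = []     # (line, tag, url): loaded over http from an https page
        self.internal = []  # (line, tag, url): own-site links still pointing at http

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        for name, value in attrs:
            if not value or not value.lower().startswith("http://"):
                continue  # relative, protocol-relative and https:// URLs are fine
            hit = (self.getpos()[0], tag, value)
            if tag == "link" and "stylesheet" not in rel:
                # canonical/alternate links are not fetched, but own-site ones are stale
                if urlparse(value).hostname == self.site_host:
                    self.internal.append(hit)
            elif (tag, name) in SUBRESOURCES:
                self.mixed.append(hit)
            elif tag == "a" and name == "href" and urlparse(value).hostname == self.site_host:
                self.internal.append(hit)

def scan(html, site_host):
    scanner = HttpReferenceScanner(site_host)
    scanner.feed(html)
    return scanner.mixed, scanner.internal
```

Entries in the first list are what stop the padlock from showing cleanly; entries in the second still work but send visitors back through http:// first.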

If you are having any problems with https:// on your site open a ticket and the security gnomes will go into action.

Don’t ignore this. If you do, after January 2017 people will see something like this if they visit your site in Chrome.


Google error message

If you don’t act now and need my help in 2017 I will charge for any work done.  How’s that for forcing the issue :o)

Free SSL for everyone!

If you recall, a few months ago I announced Free SSL certificates now available. This was pretty cool: Let’s Encrypt started making SSL certificates available for free. This is huge; the sale of SSL has been big business for a long time, way overpriced. As often happens, someone has come along and disrupted the model and it has collapsed.

Now free SSL certificates are becoming the norm.  So much so that an upgrade to the 123host server happening as I write this, is automatically applying a free certificate for every single domain.  Even yours!

What does this mean?  Why SSL?  To find out you can read this article.

So what do you need to do to have your site use the certificate that is available?  Just use https:// instead of http:// and you will see a green padlock appear in the address bar, like this

SSL

If you are using WordPress you can make this the default URL by going into the dashboard > Settings and change the URL in two places by just putting the s in there and making it https://

wpurl

Easy Peasy.

If you aren’t using WordPress and you need some help, open a support ticket https://support.123host.com.au – did you see what I did there?

Vote 123host

For those of you not in Australia, today is election day here. To all Australians I urge you to vote wisely, vote early, vote often. For me it was easy to choose 1st and 2nd preferences and then I had to decide who I loathed least…in descending order.  Don’t ya’ love democracy?

If you haven’t voted, here are the latest 123host announcements and electoral policies.

When elected, 123host promises to continue to follow up the handful of ‘something is a bit slow’ reports promptly. We will also rapidly discover that for a couple of days the network was running on half duplex before it was reset to full duplex.

As part of our new communications policy we will also explain the difference between half duplex and full duplex by likening it to using a 2 way radio Vs a phone – you can skip this paragraph if you don’t want your brain to bleed. Half duplex conversation only goes in one direction at a time, that is what happens on a radio – you talk, you release the button, you listen. Repeat. Full duplex is like a phone, you can talk back and forward without having to wait for the other end to finish…that is sometimes called a political debate.

123host has always been a strong supporter of backups and our policies have continually reminded you, our appreciated supporters, of the value of backups. In recent times we have been requested by constituents to rescue them when something has gone wrong. By increasing the expenditure on backups we promise to continue to provide regular backups and to keep them offsite.

Unlike other candidates 123host is always transparent and tells the truth, so here are our two technical policy paragraphs about backups. There are three levels carried out – daily, weekly and monthly. Just how it sounds, that is how often a backup is carried out and then over-written. A monthly backup is done at the beginning of each month, similarly one is done at the beginning of each week. If you suddenly realise you need something you accidentally deleted a couple of weeks ago, these are your saviours. Then there is a daily backup enabling a restore from any of the last 7 days.

If you are running as an independent and have your own policy statement that includes personal backups, be like 123host and keep your backups off the main server. The whole idea is to have them available if something goes horribly wrong e.g. The Shooters Party wins the election. It is pointless having your backups on the original computer if it has been burned, stolen or shot at by the new Prime Minister.

I want you to hear from our Minister for Security, that’s me. I’m not talking about the security of our major political donors, we will always look after them. No, I want to address the security of the traffic to and from your website. If you aren’t collecting sensitive information or orders for products this may not interest you, but it is worth reading.

SSL certificates (Secure Sockets Layer) provide encryption between the browser and the server to theoretically stop snooping on the data going back and forth. I say ‘theoretically’ because there is nothing that is 100% secure. The URL becomes https:// instead of http:// and there is usually a padlock icon in the address bar. You can read about SSL here – note the prices for their SSL certificates.

At 123host we are going forward with 3 word slogans and the next one is “Free SSL certificates” – we will not enter into any discussion on whether that is really an abbreviated 5 word slogan. Yes, each and every 123hosted citizen is now entitled to a free SSL certificate. In your cpanel area under Security you will see our new department called ‘Let’s Encrypt SSL’, no appointment needed. If you get stuck, open a support ticket – no cash donations required.

Longer term 123host voters have all received election material explaining that we have changed allegiances and have formed a coalition with a new domain wholesaler. The amalgamation will take about a year all up, and has been quite a pain in the proverbial. But we shall persist with what we know is good and decent and right. So when and if you receive an email with an EPP code (the password) for your domain, please promptly forward it to support@123host.com.au. You will then receive a ballot paper asking if you approve the domain transfer, in this plebiscite (as in the possible upcoming ‘real’ plebiscite) vote YES to approve. The 123host party will monitor the situation closely and stay in close communication with people affected.

Finally, 123host has always been the party of great customer service but we have had to take a tough love policy recently with people who have failed to keep their party membership up to date. When an invoice is 14 days overdue your service is suspended. We are a compassionate party so your service will be unsuspended for a week and you’ll receive a gentle reminder – no thugs in our party. If there hasn’t been a payment or something worked out the next suspension will stick. You receive another reminder, gently but eerily threatening that if it isn’t all sorted out in a few days, everything will be deleted. We don’t like having to do that, but we do also understand that sometimes projects don’t quite work out.

If you need time to pay or something is going wrong, speak to the party leadership. We are a party for the people.
Thank you for listening citizen.
Steve
Leader and benign dictator at 123host.com.au

Free SSL certificates now available

There is a lot of great free stuff on the web.   Free, as in you don’t have to pay for it.

WordPress is free.  Facebook is free.  Skype is free.  And now SSL certificates are free.

If you are buying hosting or already have hosting with 123host, just ask and I will issue your domain(s) with a free SSL certificate.  SSL certificates are installed automatically on even numbered hours.