Welcome to Vastspace, provides Reliable Web Hosting since 2014

An infected attachment

If you have received an email with an attachment, especially one with a *.doc extension, be aware that it may appear to come from someone who has corresponded with you before, reusing the same subject as an earlier message.

Their computer could have been infected by malware that is now sending you a trojan. This trojan steals contacts, credentials, banking information, etc.

We suggest you take the following preventive measures:

  1. Do not open any attachment in an email, especially one with a .doc extension, until you have scanned it with your up-to-date anti-virus and confirmed it is safe to open.
  2. Do a full system scan on your computers and smart devices.

My personal opinion on CSF firewall

CSF firewall is available for free, and most cPanel users probably have a copy precisely because it is free. Today, I’m sharing my experiences: not on how you install CSF or what its settings are, but my opinion on how well the firewall serves its purpose.

For the last decade, CSF has been part and parcel of cPanel hosting. However, I’m not actually fond of installing CSF. It is not that CSF has not served its purpose; it is all about individual perception and expectation. Why? Let me share:

a. I have seen CSF left in test mode since day one. If you have installed CSF, you will know CSF is in TEST mode by default.

b. It blocks everyone in the office, so nobody can send or receive email. If your coworkers share the internet through the same router, the shared public IP address will be blocked if someone enters the wrong password a few times.

c. No or non-optimised settings on CSF. Users leave the settings at their defaults, or make only minimal changes, because the options are difficult to understand in layman’s terms.

So, my experiences have never been good with CSF installed. 90% of the time, troubleshooting is required if someone has installed CSF. It only makes sense if you have a fully managed hosting service, or you have planned to sacrifice your personal time (as it can be very time consuming) to adjust and tweak it.

Many failed logins in your logs?

Recently, you may have noticed many failed login transactions in your logs. These failed logins are for account users you have never even heard of.

As long as you are hooked up to the internet, your servers are bound to see these types of failed login transactions, known as brute-force attacks. This type of attack usually targets a default port, or a port used by your users on which you cannot apply restrictions, or only minimal ones.

Which ports do you see attacked most often? Port 22 for remote SSH; ports 25, 110, 143 & 587 for email; ports 8880 & 8443 used by Plesk; ports 2082, 2083, 2086, 2087, 2092 & 2093 used by cPanel; port 21 for FTP; ports 80 & 443 for the web server. A port like 22, used by SSH, can be changed to another port number to avoid such attempts, and we encourage you to do that.

However, most ports you cannot change, as they are the defaults on which those services are expected to be delivered. Hence, you will keep seeing failed login transactions from attackers attempting to steal your credentials and gain access to your account.

The key is using a strong password. If you have cPanel or Plesk control panels, you can force users to adopt a higher password strength. This is a must, and it is the primary security practice for end-users. With a strong password, you have made these malicious activities very difficult.

If you have fully managed hosting, you can request that the hosting support team implement a 3rd party solution to bar these attacks. However, this problem often affects users on basic managed or self-managed packages, where hosting providers will not support 3rd party solutions. You can either do it yourself with the resources available on the internet, or you pay someone to get it done.

There are also applications or functions from the control panel makers. For Plesk, you can install fail2ban; for cPanel there is cPHulk. The problem is that fail2ban and cPHulk are not bulletproof solutions; very often users start to have login problems with these 2 applications.

This happens in 2 types of situation: you are a shared hosting user, or an office has many users sharing the network through the same router. Most users do not have a static IP for their internet connection, so it is not possible to grant access to that IP. Hence, if you have 50 coworkers in the office, it takes just one user to key in a wrong password for his or her mailbox, or to access the server from a computer that has a backdoor. Since everyone has the same public IP address, as soon as that IP address is blocked, he or she has paralyzed the other 49 users’ ability to send and receive email.

Thus, we have to strike a balance. There are pros and cons either way. Ultimately, a strong password is the solution to this. If you insist on having such protection, you must have a static IP for your internet connection, and those are more expensive.

Before I go, cPHulk in a VPS virtualized by Virtuozzo or OpenVZ will not work. cPanel has decided not to support this type of virtualization because the iptables settings are inconsistent across providers.
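As an added example (not from the original post), the shell snippet below pulls the failed-login transactions out of sshd log lines, groups them by source IP, and lists the usernames that do not exist on the host. The log lines are constructed samples. Counting distinct non-existent usernames per IP is one way to tell a wordlist scanner from the shared-office-IP case described above: a coworker mistyping a password fails against a real account, while a scanner walks through names like admin, oracle and test.

```shell
#!/bin/sh
# Added example, not from the original post: summarise brute-force style
# failed logins from sshd log lines by source IP and by unknown username.
# The log lines below are constructed samples written to a temporary file.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Oct  1 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2
Oct  1 10:00:03 host sshd[1002]: Failed password for invalid user oracle from 203.0.113.10 port 51023 ssh2
Oct  1 10:00:05 host sshd[1003]: Failed password for root from 203.0.113.10 port 51024 ssh2
Oct  1 10:00:07 host sshd[1004]: Failed password for invalid user test from 203.0.113.10 port 51025 ssh2
Oct  1 10:00:09 host sshd[1005]: Failed password for invalid user ubuntu from 203.0.113.10 port 51026 ssh2
Oct  1 10:01:00 host sshd[1006]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Oct  1 10:01:30 host sshd[1007]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
Oct  1 10:02:00 host sshd[1008]: Failed password for invalid user admin from 192.0.2.55 port 33000 ssh2
EOF

# Print "count ip" for every source IP with failed passwords, busiest first.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Print the distinct usernames tried that do not exist on this host.
unknown_users() {
    sed -n 's/.*Failed password for invalid user \([^ ]*\) from .*/\1/p' "$1" | sort -u
}

# Print IPs whose failed-login count reaches the threshold (default 5).
ips_over_threshold() {
    failed_by_ip "$1" | awk -v t="${2:-5}" '$1 >= t {print $2}'
}

# Count distinct non-existent usernames tried from one IP. A coworker
# mistyping a password hits a real account (count 0); a scanner walking a
# wordlist racks up names, which separates it from a shared office IP.
unknown_users_from_ip() {
    sed -n 's/.*Failed password for invalid user \([^ ]*\) from \([0-9.]*\) port .*/\2 \1/p' "$1" \
        | awk -v ip="$2" '$1 == ip {print $2}' | sort -u | wc -l | tr -d ' '
}

echo "Failed logins per source IP:"
failed_by_ip "$SAMPLE_LOG"
echo "Sources at or over threshold, with distinct unknown usernames tried:"
for ip in $(ips_over_threshold "$SAMPLE_LOG"); do
    echo "$ip $(unknown_users_from_ip "$SAMPLE_LOG" "$ip")"
done
```

On a real server, point the functions at /var/log/secure (CentOS) or /var/log/auth.log (Debian) instead of the constructed file. An IP over the threshold with zero unknown usernames is the pattern the post warns about, one office gateway behind which a real user keeps mistyping a password, and is the case where an automatic block hurts everyone behind it.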

 

Change your SSH port

It is common to see brute-force attack entries against the default ports in your log files. Some of the common ones are ports 25, 110, etc., and it is not limited to port 22, the default port for SSH.

If you have a VPS or a dedicated server, you will have SSH with root access. For convenience, they are delivered with the SSH default port 22. However, we encourage users to change their SSH port from the default 22 to another port that does not conflict with other services.

In today’s example, we use port 1222. Since we have decided to use port 1222, we have to make sure you can connect to port 1222, so we must open up port 1222 in the firewall in order to SSH remotely.

For CentOS using firewalld, do this:

  • sudo firewall-cmd --permanent --remove-service=ssh
  • sudo firewall-cmd --permanent --add-port=1222/tcp

For CentOS using iptables, do this:

  • iptables -A INPUT -p tcp -m tcp --dport 1222 -j ACCEPT
  • Remember to save the rules

Now port 1222 is opened. We can proceed to change the SSH port. Edit the configuration using vi /etc/ssh/sshd_config

Go to the line #Port 22, press ‘i’ to enter insert mode, and update it to Port 1222. Then press ESC, make sure you no longer see the word ‘INSERT’ at the bottom left of the screen, and save with the command :wq

Now, we reboot the server and all the services will be restarted with the new value. Congratulations! You have changed your SSH port to 1222. Should you face any difficulty with this, please contact our support team.
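The procedure above, scripted as an added example (these are not the original post’s commands): set_sshd_port rewrites the Port line of an sshd_config file and port_is_valid rejects privileged or malformed port numbers. The live part only runs when APPLY_LIVE=1 and assumes a CentOS host with firewalld: it adds the SELinux port label with semanage (without it sshd cannot bind 1222 on an enforcing CentOS), reloads firewalld so the permanent rule actually takes effect, and runs sshd -t before restarting sshd instead of rebooting. It deliberately leaves the old ssh service open until you have confirmed a login on the new port from a second terminal, so a typo in the config cannot lock you out.

```shell
#!/bin/sh
# Added example, not from the original post: change the sshd listening port
# safely. Only the config-editing functions run by default; the live steps
# (firewalld, SELinux label, sshd restart) need APPLY_LIVE=1 and assume CentOS.

# Accept only a numeric, unprivileged, in-range port (1024-65535).
port_is_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Rewrite the first "Port N" / "#Port N" line of an sshd_config file to the
# new port, drop any further Port lines, and append one if none existed.
set_sshd_port() {
    cfg="$1"
    port="$2"
    port_is_valid "$port" || { echo "invalid port: $port" >&2; return 1; }
    cp "$cfg" "$cfg.bak"                      # keep a copy to roll back to
    awk -v port="$port" '
        /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ {
            if (!done) { print "Port " port; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Port " port }
    ' "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
    grep -q "^Port $port\$" "$cfg"            # confirm the edit took
}

# Demonstration on a constructed sshd_config fragment (not the real file).
DEMO_CFG="$(mktemp)"
printf '#Port 22\n#AddressFamily any\nPasswordAuthentication yes\n' > "$DEMO_CFG"
set_sshd_port "$DEMO_CFG" 1222 && cat "$DEMO_CFG"

# Live steps for a CentOS host with firewalld (assumed; run as root).
if [ "${APPLY_LIVE:-0}" = 1 ]; then
    NEW_PORT="${1:-1222}"
    set_sshd_port /etc/ssh/sshd_config "$NEW_PORT" || exit 1
    # SELinux only lets sshd bind to ports labelled ssh_port_t.
    if command -v semanage >/dev/null 2>&1; then
        semanage port -a -t ssh_port_t -p tcp "$NEW_PORT"
    fi
    firewall-cmd --permanent --add-port="$NEW_PORT/tcp"
    firewall-cmd --reload                     # permanent rules need a reload
    sshd -t && systemctl restart sshd         # syntax-check before restart
    echo "Log in on port $NEW_PORT from a second terminal, then close 22 with:"
    echo "  firewall-cmd --permanent --remove-service=ssh && firewall-cmd --reload"
fi
```

Run it without arguments to see the edit applied to the demo fragment; run it as APPLY_LIVE=1 sh change-port.sh 1222 on the server. The .bak copy next to sshd_config is what you restore if the new port turns out to be in use.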

 

Have you received the “I have bad news for you” email scam?

Document extracted from https://www.pcrisk.com/; you can learn more at https://www.pcrisk.com/removal-guides/13972-i-have-bad-news-for-you-email-scam

The “I have bad news for you Email Scam” email is categorized as being part of a spam campaign used by cybercriminals (scammers) who attempt to threaten and trick people into paying money. Typically, scammers send an email stating that they have recorded a compromising video or image of the recipient and, if their demands are not met, they will proliferate the material to everyone on the user’s contacts list…

vBulletin zero-day exploited

CVE-2019-16759 has been released. It is a vulnerability found in vBulletin versions 5.0 – 5.5.4. vBulletin is a popular forum web application.

While waiting for fixes, we suggest all vBulletin websites have a web application firewall like Sucuri installed.

For the vulnerability, you can find details here: https://nvd.nist.gov/vuln/detail/CVE-2019-16759

Exim vulnerability CVE-2019-15846

I guess by now you have heard about the Exim vulnerability in version 4.91 and earlier. The Exim mail server is widely used in cPanel. If you are using cPanel with the latest updates, your Exim is probably patched.

You can check that cPanel’s Exim is patched by logging in to your VPS or server as root through SSH and typing this command:

rpm -q --changelog exim | grep CVE-2019-15846

If you get a response like this: Applied upstream patch for CVE-2019-15846
your Exim is patched with the new build 4.92 #5.

However, for those still using EA3, the update is blocked and you need to migrate to EA4. You can do it from your WHM. The migration from EA3 to EA4 is pretty straightforward. The only reason some are still on EA3 is that they have concerns about their website’s PHP compatibility, since EA4 supports a minimum of PHP 5.5, which is EOL too.

We strongly recommend you upgrade to EA4 to get the Exim update immediately. Alternatively, if you have to use a lower PHP version, you can consider using CloudLinux, since they have hardened the lower PHP versions and those versions are available from the PHP Selector.