
Protect server from index page defacement

Posted by Tomcatf14, 05-24-2012, 07:58 AM
Recently, a lot of my clients' sites have been defaced at the index page level. What do you guys do to reduce or prevent this? Does deploying a security appliance IPS/IDS help?

Posted by gigatux, 05-24-2012, 08:45 AM
Typical 'scriptkiddie' defacing often doesn't actually involve an intrusion as such. It's usually worth putting some on though. The simplest form of defense is to keep any software you're running up to date (e.g. WordPress, with ALL plugins and themes, and hosting software), keep the kernel up to date, keep PHP up to date etc. Of course, passwords need to be nice and secure too. If you have lots of clients on your server, you might also want to review how you're actually doing the hosting, e.g. using SuEXEC or some kind of method whereby PHP scripts run as individual usernames rather than 'nobody'.

Posted by JoshuaD, 05-24-2012, 12:10 PM
Tomcatf14, I am sorry to hear that your clients have fallen victim to such attacks. With the given circumstances, have you looked into Web Application Protection? To help further, you stated many clients, are they all running the same or similar software?

Posted by Tomcatf14, 05-24-2012, 02:01 PM
I have done everything that I could within my resources to protect the clients (mod_security, firewall, bruteforce, suexec, suphp) but I could not control it if the client does not want to patch their web application. It is actually costing me time and resources to restore the site for them if their page is being defaced. The most common attack is across the same web application type within the same server. E.g. all WordPress websites in the same server will be defaced at the same time. Do you think deploying a security appliance with IPS/IDS functionality will help? WAF is a bit too expensive compared with IPS/IDS.

Posted by Tomcatf14, 05-24-2012, 02:02 PM
Most of the affected clients run a generic web application, WordPress is the most common. What idea do you have for WAP?

Posted by gigatux, 05-24-2012, 04:01 PM
You could always charge a nominal fee to the client to perform a restore. Not entirely ideal, but you can never always protect from your clients being hacked.

Posted by zobe, 05-24-2012, 08:07 PM
I just paid my webhost for that, they charged me $15.

Posted by gigatux, 05-25-2012, 02:22 AM
I personally don't think that's too unreasonable. Restoring a backup and checking that it works is a pretty manual process. With the OP's situation, if he has asked hostees to upgrade any software they have been running but they have not done so, and their account gets hacked, then I think it's especially reasonable to charge this nominal fee.

Posted by Tomcatf14, 05-25-2012, 03:51 AM
Charging them would not be a problem but customer perception for this issue is always the problem on the hosting provider's side. It will require effort to convince the customer that this is not a server problem. I would say, 10/10 clients would blame the server first before anything else.

Posted by gigatux, 05-25-2012, 04:00 AM
I agree with you. All depends on how much you charge really. If you provide a real budget solution (say, $1/month for a website) then simple economics says that you can't possibly keep your business afloat if you have to continually do restores. A potential solution is to direct the client to a fully managed hosting solution where you charge more, but offer them the peace of mind that you will keep their software up to date and take on the risks that full management takes.

Posted by Tomcatf14, 05-25-2012, 04:12 AM
The hosting fees by my company are among the highest in the industry. If possible, I do not want to dirty our hands managing the web application. We are very good at servers but not web.

Posted by gigatux, 05-25-2012, 04:17 AM
Fair enough, and it's good to know your strengths and weaknesses. I guess it's just a decision for you to make then whether it's worth doing some management and keeping happy customers, or letting them know it's their responsibility (possibly even recommending a third party management company).

Posted by Tomcatf14, 05-25-2012, 04:22 AM
I am checking if there is anything that we can do on the server's side to protect the customer from these attacks.

Posted by Srv24x7, 05-25-2012, 07:38 AM
If this is happening frequently for the sites, even though you have all the things like mod_sec and firewall in place, there is definitely some kind of cmd shell script located inside the server. You need to scan the entire server using some tools like maldet, and check the logs like the message log for how those index files were uploaded or replaced.
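A check that fits the pattern described in this thread (index pages of many accounts replaced at the same time), as an added example that is not code from any poster: it lists index files per account and reports groups that changed within a short window across several accounts, which gives a time range to look up in the upload and access logs. The `<root>/<account>/...` layout, the file names, and the thresholds are assumptions, and the demo tree is constructed.

```python
import os
import tempfile

INDEX_NAMES = {"index.php", "index.html", "index.htm"}

def find_index_files(hosting_root):
    """Yield (account, path, mtime) for index files under hosting_root/<account>/."""
    for account in sorted(os.listdir(hosting_root)):
        base = os.path.join(hosting_root, account)
        if not os.path.isdir(base):
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                if name.lower() in INDEX_NAMES:
                    path = os.path.join(dirpath, name)
                    yield account, path, os.lstat(path).st_mtime

def mass_change_clusters(entries, window=600, min_accounts=3):
    """Return groups of index files changed within `window` seconds of the
    group's first change that span at least `min_accounts` accounts."""
    clusters, current = [], []
    for entry in sorted(entries, key=lambda e: e[2]):
        if current and entry[2] - current[0][2] > window:
            clusters.append(current)
            current = []
        current.append(entry)
    if current:
        clusters.append(current)
    return [c for c in clusters if len({acct for acct, _, _ in c}) >= min_accounts]

def demo():
    """Build a constructed tree: three accounts changed together, two did not."""
    root = tempfile.mkdtemp()
    t0 = 1337850000  # constructed timestamp
    mtimes = {"alice": t0, "bob": t0 + 30, "carol": t0 + 90,
              "dave": t0 - 30 * 86400, "erin": t0 - 200 * 86400}
    for account, mtime in mtimes.items():
        docroot = os.path.join(root, account, "public_html")
        os.makedirs(docroot)
        path = os.path.join(docroot, "index.php")
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n")
        os.utime(path, (mtime, mtime))
    return mass_change_clusters(find_index_files(root))

if __name__ == "__main__":
    for account, path, mtime in (e for c in demo() for e in c):
        print(account, int(mtime), path)
```

Modification times can be set by whoever writes the file, so a reported cluster is a lead to correlate with logs and scanner output, not proof on its own.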


