WAFs -v- Endpoint Plugins

I’ve been reading some misleading articles on the subject of Endpoint vs Cloud Security, most notably this from Wordfence . Ironically I have used Wordfence a lot, their free plugin is often my first choice as a recommendation for someone with a $10 a month hosting account that doesn’t want to spend an equal amount on security, it does a great job at protecting most sites from the most common brute force attacks and blocking vulnerability scanners. Godaddy actually pre-install a similar but lightweight (no bloatware) plugin, Limit Login Attempts on all new installations of WordPress, great for purpose.

But this latest post of theirs, discussing bypassing, is disingenuous in the extreme, we all know that’s easily mitigated and is actually quite rare to even see it. “Security” plugin vendors only like to talk about Layer 7 ddos attacks, which is obvious as that is the niche they have carved out for themselves and they really don’t handle them at all well which is quite ironic. And they offer zero answers for layer 3/4 attacks and again rely on the host, Where as a WAF (Website Application Firewall) such as Sucuri’s sucks it all up (L7 & 3/4) for you, often with clients never knowing anything about it. While relying on a “security” plugin alone, your host could be taking you offline or charging you for extra bandwidth.

You have to remember that any “security” plugin is using your sites precious resources for any of their filtering and mitigation, sometimes slowing the site down during regular browsing, which should be a worry for anyone concerned with SEO as Google, prefers faster sites.

But just so I had some evidence to back this up, I ran some tests, setting up 2 Ubuntu 16.04 servers at DigitalOcean with private networking enabled, one with a default install of WordPress, the Genesis theme and no other plugins and the other an attack platform with wrk installed, easily setup and run:

apt-get update
apt-get install git
apt-get install make
apt-get install gcc
apt-get install luajit
git clone https://github.com/wg/wrk.git
cd wrk
make ./scripts/WITH_LUAJIT=/usr ./scripts/WITH_OPENSSL=/usr
./wrk -t32 -c100 -d30s http://10.128.26.XX

Emulating a classic DDoS attack, here is how the attacks played out, rebooting between each attack, firstly before the attack was launched, I am showing 654260 available memory.

victim-no-load

Firstly I tried an attack by blocking all but Sucuri’s IPs using UFW (my prefered method), the attack had zero effect on the victim, available memory stayed the same, wrk just gave up, Then I tried again under load with Sucuri Firewall’s bypass prevention code added to the .htaccess,

<FilesMatch ".*">
 Order deny,allow
 Deny from all
 Allow from 192.88.134.0/23
 Allow from 185.93.228.0/22
 Allow from 2a02:fe80::/29
 Allow from 66.248.200.0/22
</FilesMatch>

in it’s simplicity it’s most peoples prefered option to prevent bypass and works in nearly all situations, unlike UFW/IPTables which wont. It wasn’t pretty, but the site stayed up, with available memory dropping to 561380, whilst serving 129279 403 block messages in 30 seconds.

victim-load-with-bypass-prevention

Then I removed the bypass prevention codes and hit the site with WordFence only in it’s default installation, and crashed the site in the first few seconds, responding to only 29 requests, before server timeout errors were served. With available memory dropping to 114228. notice also how the database is being effected, unlike where the bypass prevention codes were used.

victim-load-with-wordfence

I did run an attack head on at the site while it was behind the Sucuri firewall, the website didn’t see a thing, after a few 403 errors were served by the firewall, the IDS kicked in, and the victim would never have noticed. I also ran an attack against the “naked” site, this went down in 4 seconds.

For fun I attacked the WordFence alone protected site, but increased the time to 120 seconds, mySQL needed restarting to recover site function.

This was not a real DDoS attack of course, I only launched a single application from a single server, but a very good replication of one, it was crippling against Wordfence, as if it wasn’t even installed, it even behaved slightly worse than the naked site, while their suggestion is to pass that mitigation onto the host works, they do charge for that as an additional service, and in many cases just shut your site down due to excess resource usage, that would be the case for any hosting less than $30 a month.

I’d suggest that Wordfence have no understanding of the concept of defence in depth, and rather than complementing a real firewall, they are trying to make out that their plugin is the answer to all your WordPress security concerns, which it just is not, Daniel Cid, CTO of Sucuri discusses this dangerous marketing method.

Disclaimer, I do work for Sucuri as the Sucuri Firewall support team lead.

Reinventing the Web

Tim Berners-Lee
Tim Berners-Lee

We’ve seen some successful technical “reinventions” of the Web such as HTTPS/2 and HTML5 making sites faster and more responsive, but this “Web’s Creator Looks to Reinvent It” initiative is not new, but I will come to that later.

There are a number of issues that have concerned many people, not just in the IT Security industry, but many regular internet users.

Snowden’s leaks, whatever you may think of the rights and wrongs of him making these disclosures, the lengths government agencies go to snoop are a concern to anyone that understands them.

Facebook have been accused of meddling in US elections and Google has been caught out manipulating Brexit searches. There are many other cases, promises that they are not, it’s too complex to understand etc.. But really do you belive them, maybe you don’t care.

Google does have many alternatives, a couple are duckduckgo.com which addresses the bias and startpage.com which address the privacy issues, but neither have picked up many users, maybe if the close to half of English users who support leaving the EU were aware there was an alternative un-biased search engine they would use it. I tend to use Google a lot, as I use a lot of tools that they only have (Dorks etc.), But I am sure that is not the case of the loyalty shown by the majority of users, I think just familiarity and lack of knowledge of an alternative.

Facebook, now that’s an interesting one, they really have a monopoly in the Western world, there were a few competitors in the early days, but they are all gone now. Facebook has become a huge part of peoples lives, I default to skype if needing to contact friends or family, but there are some who will only respond to Facebook messenger contact.

There have been a number of open source alternatives, and to reinvent the Web as Tim Berners-Lee suggests an open source alternative to Facebook is what would be needed. The most upto date and vibrant alternative is the diaspora project, much of the initial funding came from Mark Zuckerberg (Facebook founder). It works, I have set up a few diaspora servers myself, but it is impossible now to unhook a large enough proportion of the population from Facebook, and get their involvement in anything else now, it is the nature of social networking.

Put it another way, not one of the top ten celebrities on facebook have a diaspora* account. I bet none in the top 100, but it would take me too long to confirm that.

I suspect that this very well meaning group of the technically able can create alternatives, but they do not have the ability to get people to switch over?

Enabling HSTS

HTTP Strict Transport Security is a very simple to deploy addition to HTTPS, it doesn’t enforce SSL itself but it uses pre-populated lists such as Google’s here.  Allowing clients browsers to check against, simply that the site only delivers content over https://, with no exceptions, this ensures that Man in the Middle attacks are not possible. While the only possible vulnerability this site would have had for an MitM attack would be on the contact me page, it’s nice to see the shiny A+ compared to my old banks B rating.

ssllaps-hsts

for me it’s just an exercise and vanity, but as you can see it will be nice when the banks follow suit, as they are mostly really insecure (don’t online bank on public WiFi, really don’t do it till they start employing HSTS and stop using insecure cyphers).

The steps to enable HSTS for Apache

Enable Headers and restart Apache:

$ sudo a2enmod headers
$ sudo service apache2 restart

Make sure the site is serving all content over https / port 443, either in your vhost config with something like:

<VirtualHost *:80>
 ServerName yourdomain.com
 Redirect permanent / https://yourdomain.com/
</VirtualHost>

or adding this to your .htaccess:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]

Check for any mixed content issues (insecure stuff loading in your now secure page), this tester will point you in the right direction.

And again in the .htaccess, add the required header itself.

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
</IfModule>

15552000 is about 6 months in seconds, and satisfies the ssllabs tests, lower will work for Google, even as low as 6 weeks, but as enabling  HSTS is difficult to reverse, it will make little difference and you might as well earn an A+ rating.

Run a test at https://www.ssllabs.com/ssltest/analyze.html and check near the bottom for:

Strict Transport Security (HSTS) Yes
 max-age=15552000; includeSubDomains; preload

If you see that, all is good, add your domain to be included in the Google Chrome’s HSTS preload list here https://hstspreload.appspot.com/

All the other browsers “feed” from the centralised list, as of today I’ve not been added, there is no reason I won’t be.

Using an SMTP mail relay to secure a network

Small businesses with Exchange Server or other mail servers tend to have their mail server physically located in their office (in a DMZ), which is great for performance and communicating with each other, but they tend to run all their anti-spam and virus filtering on the same server. This brings up a number of issues.

  1. Windows Server anti virus and anti spam products tend to be resource intensive.
  2. Legislation in most locals require that all email is archived for x number of years, if you receive 80% spam on your email, it means that to.
  3. Your DNS MX record is being advertised to the world, while security through obscurity is never the answer, why advertise your public IP.
  4. RBLs will blacklist your public IP if you are found to have a spam producing virus, causing your outbound mail to bounce, it can take weeks to get off GMail and Hotmail’s spam lists.
  5. Some ISPs are not reliable, while a small office maybe unhappy about not having internet access for half a day, missing emails can have a greater business impact.
  6. It’s rare, but some ISPs will block port 25 which is used to relay mail between servers if they see what they consider as abuse, normally sending a warning first.

mail_relay

The answer to these risks is hosting a mail relay off-site, maybe even 2 if you want that resilience, but over the last 5 years, apart from reboots forced by updates taking 10 minutes every few months, I’ve not seen a customer impacting outage.

Your office mail server can block all incoming and outgoing SMTP traffic except between the mail relay, deleting the most obvious spam and all the viruses before the mail is delivered to your office. Also filtering outgoing email, ensuring you are not spreading viruses in the company’s name, and enforcing any other security policies you may have in place. Most abuse against an Exchange Server is against port 25, the public will not even see it exists. It will make it far less obvious what your public IP is.

You can block on your firewall all smtp traffic on the network except between the Server and the Relay, if someone brings in a an infected laptop and joins your network, it wont get you RBL listed, and the ISP wont block your port 25.

I have for more than a decade used Symantec Endpoint Protection for this purpose, but their SMTP relay can only be installed on bare metal or in a virtual machine, also for some strange reason require separate IP addresses for inbound and outbound and the costs are not so low for these to be hosted outside the office, and the performance and usability is no better than a free mail relay package such as MailScanner, which can easily be installed on a small cloud instance, as a guide I have 50 (heavy) users using one $20 a month DigitalOcean instance, and the processor and memory never goes over 20% and 600 (more regular) users using 2x $40 instances at different data centers.

This mitigation in no way suggests that you do not run anti-virus software on the workstations, this is still essential as not all virus infection come from email, and you should still have anti-spam filtering to fine tune the removal of the less obvious spam as it is simplest to set the relay to only delete the obvious, Microsoft own filter is usually ample for this.

While MailScanner itself is free, some of the RBL and signature subscriptions can be pricey, but a default installation which include amongst others Clam AV. Spam detection and Spamassassin is fine in most cases, also unlike Symantec’s pricing model, most additions to MailScanner are not charged at a per user license model.

This model works just as well in a distributed environment if you have a co-located mail server. Even adding a mail relay to a heavily firewalled website that wanted to hide the real IP of the host which was previously being leaked in automated emails from the site leading to a level 3/4 DDoS attack.

If you want assistance in setting such a configuration up, I am always available for hire, and if you have a suggestion to improve on this model, I am always willing to learn.

Hacking the Hackers

Well not quite hacking as most people think of it, but technically it is, and it’s great.

There is a common theme when you have cleared up some malware for someone, likely they have spent a while confused by what’s going on,  and again by the cleanup, maybe hit in the pocket and if it’s the first time, they can take it personally, if their confidentiality was breached it will be very personal.

Often when i get into conversation with victims, they will say “can’t we hack them back?”, when a mail server was recently hacked and hurt a client’s reputation by sending out millions of spam, the question was “can’t we bounce the spam back at them?”, in nearly all cases even if we could, we wouldn’t know who “them” was.

What I might do if they now have a firewall in place is get them to enjoy looking at their audit reports, at the wasted effort hackers are going to as the firewall deflects all the bad actors, such as this:

audit

While that can give some satisfaction, tying up the resources of the criminal hackers bots, it really is nothing compared to what Illusive Networks have developed, while honeypots are not a new idea, often designed to monitor the behaviour of automated attacks, Illusive have developed a system that will trick human hackers into believing they have stuck gold, giving them access not to just a fake network and server, but to the data as well, drawing them in deeper, taking advantage of a addictive behaviour problem seen in criminal hackers.
illusiveWhy I call this hacking, well it is, this is social engineering,  human hacking, ironically it’s well known that humans are easier to hack than machines, so Illusive really have turned the tables.

Current offerings are not for small businesses, but I do hope someone does develop something similar for the majority. Apart from what I expect is a very effective proactive  method of defense, there will be a certain satisfaction for intended victim when looking at those audits.

You can read more about Illusive Networks here at TechCrunch.

Powered by WP Tutor.io

CISSP PMP