Categories: Security, WordPress

Hacked Again

My site was hacked again the other day – this is common enough for WordPress sites.  If you’re not on top of it you could have it hacked, pretty much automatically.

This part I knew.  It still got hacked, and I learned a few more things.

1 Back up your site!  This could mean a DB and files backup (plugins, themes & uploads folder) but it really should be more thorough.  Use something like UpdraftPlus to create scheduled backups.  If you’re running VestaCP, you may have daily backups of your whole user setup.  All of this is a good start!

Don’t Panic

Now, if something goes south at this point, there is no need to panic!  You can definitely recover from bad stuff, even if you need to get help.  You’ve already done well and are ahead of the game.

2 Upload those backups to an offsite location – Google Drive, OneDrive, S3, a local drive on your personal system through SFTP or whatever.  It should be set-and-forget.  This is not something you want to have to remember to do.  You will have to either back up only once a week or use some technique to thin out older backups.  If you need daily backups, you probably don’t need daily backups going back several months!  Figure out what makes sense for your storage capacity and security.  Check it occasionally to make sure it’s working.

3 Know how to restore your backups – and know how to do it in a worst case scenario – i.e. you can’t run WordPress because it’s still hacked.  Learn how to do it from the command line or from uploading a known good set through SFTP.  VestaCP has a fantastic web-based restore tool but if you are using older backups, you might need to understand how to do it on the command line.  It’s not easy, but it’s in your hands.  Remember, don’t panic.  You’re in charge.

4 Install a security plugin.  Sucuri and Wordfence are two highly recommended ones, and they will help you get set up and harden your site against attacks.  They can help you recover after attacks as well, by restoring plugins and themes from known good sources.  The basic (and very comprehensive) plugin features are free.  Just install it and set it up.

5 Monitor.  If you have something like Jetpack (you should) it will tell you about your site being offline.  Something like Sucuri can let you know if your site has changed (e.g. if it’s been hijacked to forward to a malware/scamware site).  If you get alerts quickly, restoring to the previous day’s backup is MUCH easier and quicker than having to go back and find out exactly when the hack happened – especially if you don’t look at your site for weeks at a time, like me.

6 When you have a success story, write down what you did and what you wish you had done.  Publish it just like I’m doing now.  Help others, especially your future self, recover from what could otherwise be disasters.
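Step 2 says to thin out old backups without saying how. The script below is an added example, not something from this post, UpdraftPlus or VestaCP. It decides what to delete purely from the archive file names, so it runs on any POSIX shell without GNU date, and it assumes the names carry a YYYY-MM-DD date (for example site-2019-03-04.tar.gz) with roughly one archive per day. The retention policy itself (keep the newest KEEP days in full plus every first-of-month archive) is an assumption to adjust to your own storage and recovery needs.

```shell
#!/bin/sh
# Backup thinning by file name. Added example, not from the post or any backup tool.
# Assumes archive names contain a YYYY-MM-DD date, e.g. site-2019-03-04.tar.gz.
# Policy (an assumption): keep the newest KEEP distinct days, plus every archive
# taken on the 1st of a month; anything else is a deletion candidate.

# Print the YYYY-MM-DD date embedded in a file name (nothing if absent).
backup_date() {
    printf '%s\n' "$1" | sed -n 's/.*\([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\).*/\1/p'
}

# Read file names on stdin; print the ones to delete, newest first.
# $1 = number of most recent backup days to keep in full.
thin_backups() {
    keep_days="$1"
    while IFS= read -r name; do
        d="$(backup_date "$name")"
        if [ -n "$d" ]; then
            printf '%s %s\n' "$d" "$name"   # "date name" so sort orders by date
        fi
    done | sort -r | awk -v keep="$keep_days" '
        {
            if ($1 != prev) { rank++; prev = $1 }   # rank counts distinct days, 1 = newest
            if (rank <= keep) next                  # recent daily: keep
            if (substr($1, 9, 2) == "01") next      # first of month: keep as the monthly copy
            print $2                                # everything else goes
        }'
}

# Apply the policy to a directory. Dry run by default; pass "delete" as $3 to remove.
prune_dir() {
    dir="$1"; keep_days="$2"; mode="${3:-dry-run}"
    ls -1 "$dir" | thin_backups "$keep_days" | while IFS= read -r name; do
        if [ "$mode" = "delete" ]; then
            rm -f -- "$dir/$name"
        else
            echo "would delete: $dir/$name"
        fi
    done
}

# Demo on a constructed set of names: ten dailies in March plus a few older archives.
DEMO_DIR="$(mktemp -d)"
for d in 2019-01-01 2019-02-01 2019-02-15 \
         2019-03-01 2019-03-02 2019-03-03 2019-03-04 2019-03-05 \
         2019-03-06 2019-03-07 2019-03-08 2019-03-09 2019-03-10; do
    : > "$DEMO_DIR/site-$d.tar.gz"
done
: > "$DEMO_DIR/readme.txt"            # no date in the name: ignored by the policy
prune_dir "$DEMO_DIR" 7               # dry run: lists 2019-03-03, 2019-03-02 and 2019-02-15
rm -rf "$DEMO_DIR"
```

Run it as a dry run from cron first and read the list; only once the policy looks right should the `delete` mode be switched on. The first-of-month rule is what keeps a few months of history around without keeping every day of it.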


Update 1: Reinfected today – but I was instantly notified by email.  I restored via my control panel, which took about 3 minutes.  I also banned the IP address from the security report in my firewall so it wouldn’t happen again.

Lessons:

  • #5 above is amazing.  I didn’t lose anything because I acted quickly. I was able to restore from a backup that was a few hours old because Sucuri emailed me immediately.
  • Sucuri didn’t harden my uploads directory like they said it would.  It was still infected through a zip file upload and a PHP file in that directory.  I added the following .htaccess file to my uploads directory:
# Refuse to serve (and so execute) any .php file in this directory.
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, use "Require all denied" instead.
<Files *.php>
Deny from all
</Files>
  • Apparently there is a decent free web application firewall called BulletProof.  It will do the next step and block attackers and brute force attempts.  Although I haven’t had these types of attacks (probably because I have host access and can use fail2ban and handle my own firewall), I am investigating it.  It’s definitely ugly but maybe with some research it will be worthwhile to install.
  • Sucuri’s site scanner works pretty well; it showed a dropped infected file that hung around after cleanup.  You can select all of the files that show up and delete them (or ignore them) en masse.
  • When you do a restore, such as with VestaCP, it does not remove additional files.  This is good, but note that it will leave infected files in place.
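The last two lessons (a PHP dropper living in the uploads directory, and a restore that leaves extra files in place) both come down to checking that directory yourself. The script below is an added example, not part of WordPress, Sucuri or VestaCP: it lists PHP-like files under an uploads tree and checks whether a .htaccess guard of the kind shown above is present, accepting both the Apache 2.2 `Deny from all` form and the 2.4 `Require all denied` form. It also matches variants such as .phtml and .php5, which a plain `*.php` rule would miss; whether those are reachable on a given host depends on the PHP handler configuration, so treat every hit as something to look at.

```shell
#!/bin/sh
# Audit a WordPress uploads directory for the two things the post found the hard way:
# PHP files sitting under wp-content/uploads, and a missing .htaccess that blocks
# PHP execution there. Added example script, not part of WordPress, Sucuri or VestaCP.

# List PHP-like files under the uploads tree, one per line. A plain "*.php" rule
# misses variants such as .phtml or .php5, so match those as well.
find_php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) | sort
}

# Print "ok" if the directory's .htaccess wraps a deny rule in a <Files>/<FilesMatch>
# block, otherwise "missing". Accepts the Apache 2.2 form from the post ("Deny from all")
# and the 2.4 form ("Require all denied").
uploads_htaccess_status() {
    ht="$1/.htaccess"
    if [ -f "$ht" ] \
        && grep -Eiq '<Files(Match)?[[:space:]]' "$ht" \
        && grep -Eq '^[[:space:]]*(Deny from all|Require all denied)' "$ht"; then
        echo ok
    else
        echo missing
    fi
}

# One finding per line: each stray PHP file, plus a note if the .htaccess guard is absent.
audit_uploads() {
    dir="$1"
    find_php_in_uploads "$dir" | while IFS= read -r f; do
        echo "PHP file in uploads: $f"
    done
    if [ "$(uploads_htaccess_status "$dir")" = "missing" ]; then
        echo "No PHP-denying .htaccess in $dir"
    fi
}

# Demo on a constructed uploads tree (empty files standing in for real ones).
DEMO_DIR="$(mktemp -d)"
mkdir -p "$DEMO_DIR/2019/03"
: > "$DEMO_DIR/2019/03/holiday.jpg"
: > "$DEMO_DIR/2019/03/x.php"        # constructed stand-in for a dropped file
echo "Before hardening:"; audit_uploads "$DEMO_DIR"
printf '<Files *.php>\nDeny from all\n</Files>\n' > "$DEMO_DIR/.htaccess"
echo "After adding .htaccess:"; audit_uploads "$DEMO_DIR"
rm -rf "$DEMO_DIR"
```

Point `audit_uploads` at the real `wp-content/uploads` after every restore: the restore tool puts known-good files back, but anything the attacker added is still there until this list is empty.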
Categories: Apps, Browser, Desktop, Security

Password Keeper

I’ve been a huge fan of 1Password since the beginning. I bought several versions and upgrades for multiple machines and never regretted it.

Something happened with version 7 though, and I haven’t been as happy with the change.

What happened was subscriptions.  Now, I have a number of software subscriptions, and very, very few make me content.  If I stop, do I lose my stuff?  Can I stop and start again at the same price?  Do I have an option to pay up front and own my license – and more importantly, my data?

1Password makes it as hard as possible to answer those questions. They want you over a barrel.

Since I wanted a Windows version, there I was, over that barrel.  A purchase was too expensive and gave me fewer features, so I paid for a year ($35 USD) but yes, it was definitely worth it.  Fantastic integrations with everything (all browsers and mobile), online storage with browser access, and solid security.  But now something else showed up. 

That something is BitWarden.

BitWarden offers almost the same features, and is open source.  The 100% free version includes online storage, binaries for every platform (including Linux), a good browser-based interface, and amazing integration with everything.  You can even host the “online” portion yourself so you can use it in-house if you prefer, and never store your secrets on the cloud.

Some features are limited – like file attachments, one-time passwords and some other stuff require a subscription, but it’s only $10 USD a year.

File attachments I don’t really need.  One-time passwords (two-factor authentication) are really important these days, and integration is… well, it’s nice.

It has undergone an independent security audit.  It’s reassuringly secure.  There is no warrant canary clause that I can see, though.

What’s missing, since you are paying less than a third of the price – if you choose to pay at all?

Vaults

1Password’s vaults are simple.  Create a bunch of them and share them as you like. 

BitWarden has a very convoluted and confusing version of this called “Organizations”.  The free version allows (just) 2 users to share access to one organization. Once you share it though, it blends all of the shared entries in with yours, with no way to filter it.  So if you have an entry called “Gmail” in both your home vault and the organization, have fun.  There is a small share icon next to the Organization ones but that’s it.  It would be nice to have a search filter (to steal the VS Code syntax, something like @shared) or a smart list.

You can have “Collections” which are pretty much a security subgroup of Organizations and this allows you to… ok, no seriously… It sounds like it was designed for big companies, not family groups.  Even the terminology is frightening.

If you pay ($1/month) you can get up to 5 users.  Personally I would bump those up by 1 each level, 3 for free and 6 for personal.

1Password lets you move stuff between vaults with a right-click.  BitWarden, I have no clue.

Software Licenses

You can store license information in a secure note record, with all the details except icons, but they aren’t differentiated in any way.

Tags

There are none.  No extra filtering or grouping, one folder for each entry and that’s it.  You can mess around with an extra text field for each entry but this is all manual, nothing automatic here.

UI

There is no drag and drop! Want to put something in a folder? Open the record, edit the record, choose a folder, save. Do it again.

And those folders.  You’d think folders should be in a sidebar, kinda since that’s the default UI for folders in everything since, well, ever… nope.  They’re almost at the bottom of a list when you exit out of everything.

Favorites are at the top of that same big old list.

Super linear and clumsy, especially when you have a large screen like a tablet or desktop to work with.

Premium

Sharing and extra features are split between two different subscriptions.  It’s even split between annual and monthly payments.  When you get one you don’t get the other, you need both!

This does mean that you don’t pay for what you don’t need.  But you can end up with an organization where some people have premium and some don’t.

Confusing.

Conclusion

Even with its many shortcomings, I can’t help but be excited about this product.  It’s more than a little confusing and lacks a little foresight, but when you want to fill a password, boom, it’s there.

It’s about 80 cents a month for the full meal deal, and if you don’t want to pay that, you really don’t have to.  Security researchers even recommend using a separate app like Authy so that your passwords and 2FA information live in different apps.

Maybe what I like most is that it answers those disturbing questions about subscription software.  If I stop, I don’t lose my stuff (file attachments, maybe?).  If I stop, I can restart at the same price.  I can own the license (for the basic features at least).  I can even host my own server if I want.

It’s free and it’s fantastic.  Spend some time (an hour, tops) and learn it, that will pay off many times over.

Categories: Linux, Networking, Security, Server

More hack attempts

After my last experience, I checked my logs and noticed quite a load of failed attempts on my mail server.  It looks like a brute force script kiddie attack, which I’m pretty sure will fail on my machine.

Still, I want to kick out these morons.  So after some research, I found fail2ban.  The installation was simple enough, and with a little bit of configuration (in jail.local, not jail.conf!) I had it up and running… but the attacks continued.

I wrote a simple Perl one-liner to parse out all of the failed login attempts, run them through sort and uniq to get the repeat offenders (twice is enough, kids) and append that to hosts.deny.  That worked, but it wasn’t ideal.  I’d rather have iptables-level blocking (using DROP instead of REJECT to waste as much of their time as possible).  But fail2ban wasn’t catching them for some reason.

I set up a secondary rule and it still failed – until I discovered fail2ban-regex! With that command you can test your rules at any time instead of waiting for the next attempt to come in.  Great!  It turns out the regex wasn’t quite right for the messages I was getting.  I simplified the regex until it caught the failures.  But it still wasn’t working live.  Grr.

fail2ban works on log files.  It scans for repeated attempts to determine if there’s an attack going on.  This would work great unless the logging daemon compresses the messages with something like “last message repeated x times”.  And this happens a lot, especially when under attack and you actually need it!  You cannot turn this feature off with sysklogd.  The last key was to replace sysklogd with syslog-ng and POW, the banstick came out to play.

Debugging wasn’t very easy, because the failures are silent.  Until I found fail2ban-regex I had about 4-8 hours between tweaks to the regex to see if it worked.

At least now I have a self-setting ban trap that uses iptables-level blocking.
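The three pieces of this post (the sort | uniq pass over failed logins, testing a filter before waiting hours for the next attempt, and syslog’s “last message repeated” compression hiding attempts from fail2ban) fit in one script, shown below as an added example. It is not the post’s own Perl one-liner or configuration. The log lines are constructed in a postfix-style SASL-failure format (the post only says “mail server” and “SASL”), with RFC 5737 documentation addresses, and include one sysklogd compression line. The filter and jail.local it writes use real fail2ban keys, but the failregex is deliberately simple, as the post’s ended up being, and the `blocktype=DROP` action parameter should be checked against the `action.d/iptables-common.conf` shipped with your fail2ban version. When `fail2ban-regex` is installed the script runs it on the sample log; otherwise a `grep -E` stand-in counts the lines the failregex matches.

```shell
#!/bin/sh
# Mail-log brute-force triage plus a fail2ban filter check. Added example, not the
# post's own perl one-liner or config. The log below is CONSTRUCTED in a
# postfix-style SASL-failure format and includes one sysklogd "last message
# repeated N times" line, the compression that hid attempts from fail2ban in the post.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 mail postfix/smtpd[4123]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:15 mail postfix/smtpd[4123]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:20 mail last message repeated 12 times
Mar  3 10:02:01 mail postfix/smtpd[4130]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:03:44 mail postfix/smtpd[4131]: warning: unknown[192.0.2.55]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:03:48 mail postfix/smtpd[4131]: warning: unknown[192.0.2.55]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:05:00 mail postfix/smtpd[4140]: connect from mail.example.com[192.0.2.1]
EOF

# Every address that failed SASL auth, one line per failure (duplicates kept).
failed_auth_ips() {
    grep 'SASL .* authentication failed' "$1" | sed -n 's/.*\[\([0-9.]*\)\]: SASL.*/\1/p'
}

# Addresses with at least $2 failures: the sort | uniq step from the post.
repeat_offenders() {
    failed_auth_ips "$1" | sort | uniq -c | awk -v t="$2" '$1 >= t { print $2 }' | sort
}

# hosts.deny lines for those addresses. Print and review before appending, so a
# mistyped password from your own mail client does not lock you out.
hosts_deny_lines() {
    repeat_offenders "$1" "$2" | sed 's/^/ALL: /'
}

# Count syslog-compressed lines. Each one hides attempts that never reach a log
# parser, which is why the post swapped sysklogd for syslog-ng.
collapsed_lines() {
    grep -c 'last message repeated [0-9]* times' "$1" || true
}

# Write a filter and jail in the layout fail2ban expects. <HOST> is fail2ban's
# placeholder for the address to ban. Local overrides go in jail.local, not jail.conf.
write_fail2ban_config() {
    mkdir -p "$1/filter.d"
    cat > "$1/filter.d/smtp-sasl.conf" <<'EOF'
[Definition]
failregex = ^.*warning: [^ ]+\[<HOST>\]: SASL [A-Z]+ authentication failed
ignoreregex =
EOF
    cat > "$1/jail.local" <<'EOF'
[smtp-sasl]
enabled   = true
filter    = smtp-sasl
logpath   = /var/log/mail.log
maxretry  = 2
findtime  = 600
bantime   = 86400
# DROP instead of REJECT, as the post prefers. blocktype is a parameter of the
# iptables actions in fail2ban 0.9+; confirm it in your action.d/iptables-common.conf.
action    = iptables-multiport[name=smtp-sasl, port="smtp,submission", blocktype=DROP]
EOF
}

# Stand-in for fail2ban-regex when it is not installed: count the log lines the
# filter's failregex matches, with <HOST> replaced by a loose IPv4 pattern.
filter_match_count() {
    regex="$(sed -n 's/^failregex *= *//p' "$2" | sed 's/<HOST>/[0-9.]+/')"
    grep -Ec "$regex" "$1" || true
}

F2B_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_LOG" "$F2B_DIR"' EXIT
write_fail2ban_config "$F2B_DIR"
echo "Repeat offenders (2+ failures):"; repeat_offenders "$SAMPLE_LOG" 2
echo "hosts.deny candidates:"; hosts_deny_lines "$SAMPLE_LOG" 2
echo "Lines the failregex matches: $(filter_match_count "$SAMPLE_LOG" "$F2B_DIR/filter.d/smtp-sasl.conf")"
echo "Compressed 'last message repeated' lines: $(collapsed_lines "$SAMPLE_LOG")"
# With fail2ban installed, test the filter the real way instead of the grep stand-in.
if command -v fail2ban-regex >/dev/null 2>&1; then
    fail2ban-regex "$SAMPLE_LOG" "$F2B_DIR/filter.d/smtp-sasl.conf"
fi
```

The `collapsed_lines` count is the number the post’s debugging eventually turned on: 12 of the first host’s attempts live only in the “repeated 12 times” line, so a regex can be correct and the jail still never trip until the logger stops compressing. Run `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/smtp-sasl.conf` against the real log before enabling the jail.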

If you’re reading this and you’re learning to be a script kiddie, you are learning to be a loser.  You are creating nothing of value.  You could vanish from the Internet and not only would it become a better place, but the situation would improve.  Is that really what you want?  Instead, why not keep on learning about security but do this the right way, on your own machine or a VM, and learn to strengthen the Internet, not ruin it.  You might actually be appreciated and valued by others on the net.

Categories: Linux, Networking, Security, Server, Uncategorized

Hack Attack

Someone mentioned they got a bounce from my domain’s email. I went to take a look at the error and discovered a couple of hosts trying to brute force login to my SMTP server. Some quick config changes to create a blacklist, and a fail2ban install and it has stopped now.

Lesson 1: check your logs often
Lesson 2: use SASL
Lesson 3: use complex and random passwords
Lesson 4: install and configure fail2ban or blacklist the bozos with iptables or hosts.deny or something.

I got most of these right the first try, especially the middle two.

Eternal vigilance, they say…