There are a lot of concerns in the minds of experts while moving to cloud computing. The first one is information or data security. While cost and ease of use are two great benefits of cloud computing, there are significant security concerns that need to be addressed when considering moving critical applications and sensitive data to public and shared cloud environments. Prior to any move to the cloud, it’s simple common sense and good practice to ensure that the necessary security procedures, standards, guidelines and processes are already in place at home to ensure the technical security of data.

In a cloud, data can be moved through data centers in different international locations in response to varying levels of demand. Data located in any country may be governed by the laws of that country and there are sophisticated regulatory demands on businesses to ensure the security of the information they hold and generate. Furthermore, organizations have legal obligations to preserve data and ensure that it is available for any legal proceedings—called
electronic discovery—even if the customer is not in direct possession or control of that data. Therefore, cloud customers must seek contractual assurance regarding the geographical storage and transit of their cloud-based data, to ensure compliance with existing as well as the inevitable introduction of new laws governing Therefore, cloud customers must seek contractual assurance regarding the geographical storage and transit of their cloud-based data, to ensure compliance with existing as well as the inevitable introduction of new laws governing.

Physical Security

The cloud provider is responsible for providing platform and infrastructure security. Physical access should be strictly controlled by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. As a result, an organization is responsible for managing:

• The physical location of the data center (affecting which country’s law applies);
• The security of the data center
• The trustworthiness of system administrators; and
• The documented information security program that protects the confidentiality, integrity, and availability of data and systems, including, but not limited to, configuration, patching, incident response, and business continuity management.

Environmental Controls

Cloud computing clusters architecture should be designed with resiliency and redundancy in mind,
helping minimize single points of failure and the impact of common equipment failures and
environmental risks. Dual circuits, switches, networks, and other necessary devices are utilized
to provide redundancy. Facilities infrastructure at the data centers has been designed to be
robust, fault tolerant, and concurrently maintainable.

Operational Security

Network Security: Most of the cloud computing providers employs multiple layers of defense to help protect the network perimeter from external attacks. Enforcement of network segregation using industry standard firewall and ACL technology can prevent network attacks.
Operating System Security: You have to make sure that a standard hardened operating system (OS), and security fixes are uniformly deployed to the entire infrastructure.
Access Control: Authentication controls and Authorization controls are very much required in host levels and application levels to prevent unauthorized access.

Data Security Lifecycle

The Data Security Lifecycle consists of six phases as shown in the diagram given below:
Data security: Confidentiality, Integrity, Availability, Authenticity, Authorization, Authentication, and Non-Repudiation.
Location of the data: There must be assurance that the data, including all of its copies and backups is stored only in geographic locations permitted by contract, SLA, and/or regulation. For instance, use of “compliant storage” as mandated by the European Union for storing electronic health records can be an added challenge to the data owner and cloud service provider.
Data remanance or persistence: Data must be effectively and completely removed to be deemed ‘destroyed.’ Therefore, techniques for completely and effectively locating data in the cloud, erasing/destroying data, and assuring the data has been completely removed or rendered unrecoverable must be available and used when required.
In addition, the destruction of information is more difficult to guarantee in a shared environment. Encryption, and the provision of different encryption keys for each customer in a public cloud may go some way to mitigate this, but not all cloud providers can offer this.
It is wise to ensure that data isn’t held in a proprietary format and is readily transferable to other systems as required. The format of information entrusted to a provider should be agreed and be documented in the contract.

Cloud Computing Attacks

Denial of Service attacks: Some security professionals have argued that the cloud is more vulnerable to DoS attacks, because it is shared by many users, which makes DoS attacks much more damaging. Twitter suffered a devastating DoS attack during 2009.
Side Channel attacks: An attacker could attempt to compromise the cloud by placing a malicious virtual machine in close proximity to a target cloud server and then launching a side channel attack.
Authentication attacks: Authentication is a weak point in hosted and virtual services and is frequently targeted. There are many different ways to authenticate users; for example, based on what a person knows, has, or is. The mechanisms used to secure the authentication process and the methods used are a frequent target of attackers.
Man-in-the-middle cryptographic attacks: This attack is carried out when an attacker places himself between two users. Anytime attackers can place themselves in the communication’s path, there is the possibility that they can intercept and modify communications.

Cloud computing therefore offers real benefits to companies seeking a competitive edge in today’s fast growing economy. A lot of providers are moving into this area, and the competition is driving prices even lower. Attractive pricing, the ability to free up staff for other duties, and the ability to pay for “as needed” services will continue to drive more businesses to consider cloud computing. The decision to move to cloud-based services should fit into the organization’s overall corporate objectives. A cloud provider must be able to deliver the security, availability, audit and reporting configurations you require. It is therefore essential that enterprises seeking the benefits of cloud computing ensure that their cloud providers can deliver the levels of security and control that they need and should expect.

Issue :

How can you access cPanel like, say, http://domainname.com/xyz ? This is for security purposes.

Solution :

This can be done but not recommended as it would not be of much effect security-wise.
Even if you change it, cPanel/WHM would still run on the standard ports (2082/2083 & 2086/2087) which is known to everyone. If you have a valid cPanel license then you can contact their support and get the ports changed. This coupled with a strong password (change regularly) should be good enough.

However, coming back to the original question, you can achieve it in the following way :

Go to /usr/local/apache/conf/httpd.conf
Find the following line :

ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi

Comment it out by adding a ‘#’ at the beginning and add the following line below that line :

ScriptAliasMatch ^/?xyz/?$ /usr/local/cpanel/cgi-sys/redirect.cgi

Issue :

SFTP users can view server files and folders by simply changing the path to ‘/’. How can this be avoided?

Solution :

SFTP means FTP access over SSH.
You will have to chroot the individual users in order to prevent them from viewing files outside their chroot jail.
Normal FTP access has chroot isolation at the ftp daemon level.

We all know about the huge password breach that happened last month. Click here to read an article on this by Slashdot with some amazing statistics.

Issue :

Following message occurs every time when trying to connect to an own dedicated server from other servers.

Access Denied: Referrer Check

Functions in cPanel / WHM are available only directly through the cPanel and WHM interfaces or through our XML API. It appears that this request is coming from a referring site and might be malicious. Administrator Note: If new ips
were recently bound to this server manually you must restart cpsrvd.
If you wish to continue to this page, you may do so but please note that allowing other sites to tell you which actions to perform in cPanel / WHM could be a security risk. Continue at Your Own Risk!

Fix :

The message says it all. Isn’t it?

But if you still want to prevent this message from coming up every time you try to connect then disable the following option in WHM >> Tweak Settings >> Security section :

Only permit cpanel/whm/webmail to execute functions when the browser provided referrer (Domain/IP and Port) exactly matches the destination URL. This will help prevent XSRF attacks, but may break integration with other systems, login applications, and billing software. Cookies are required with this option enabled.

Rkhunter Installation

Rkhunter is a tool used to check trojans, rootkits, and other security problems.
Here are the installation steps:-

root@server1 [~]#wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
root@server1 [~]#tar -zxvf rkhunter-1.2.7.tar.gz
root@server1 [~]#cd rkhunter-1.2.7
root@server1 [~]#./installer.sh

You can scan the server by using the following command:-

root@server1 [~]#/usr/local/bin/rkhunter -c

You can update the rkhunter database by issuing the following command:-

root@server1 [~]#rkhunter –update

Chrootkit Installation

Chrootkit is a tool used for scanning the trojans in the server.

Here are the installation steps:-

1) Download the source package

root@server1 [~]#wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

2)Check the MD5 SUM of the download for security.

root@server1 [~]#ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
root@server1 [~]#md5sum chkrootkit.tar.gz

3) Extract the source file and install it.

root@server1 [~]#tar xvzf chkrootkit.tar.gz
root@server1 [~]#cd chkrootkit*
root@server1 [~]#make sense

4) Scan the server.

root@server1 [~]#./chkrootkit

Issue :

When an user tries to access a non-existent page or when a new account is created and no index page is uploaded then the following information can be viewed :

Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.8 Server at domain.com Port 80

Fix :

Disable the Server Signature via WHM >> Main >> Service Configuration >> Apache Configuration >> ServerSignature

OR

Add the following lines in the httpd.conf file :

ServerSignature Off
ServerTokens Prod
FileETag None

Nessus is one of the best vulnerability scanning tool available today. It is available free of cost for personal use. It can detect potential vulnerabilities in an individual system or a network.

In the Unix/Linux environment,  Nessus consists of two parts :-

nessusd – It is the daemon which does the scanning.
Nessus  – the client which controls the scanning and provides the report to the user.

Source and guidelines for the installation is available on the official Nessus website – www.nessus.org

Once you are done with the installation you need to make sure that the nessusd daemon is up and running. After that an user needs to be added. This can be done using the command ‘nessus-adduser’ (of course, without the quotes).
The figure below explains it quite well:

Adding an user

This user will be able to login to the client and run the scan.

Then you can start the client by entering the command ‘nessus’ through the console.
You will be presented with an interface like in figure 2 .

This screen shot was taken while we were running a scan for one of our clients.

Figure 2

You just need to fill in the fields and click ‘Log in’

Please note that you might have to update the plugins and for that you need to get your scanner registered online. The process takes just a couple of minutes and the instructions are available at http://www.nessus.org/plugins/index.php?view=register-info

Then you need to click on the tab ‘Plugins’

Figure 3

Enable all the plugins as shown above in figure 3. If you do not enable the required plugins then the scan will not return the desired results.

Certain plugins might cause freezing of the network from which you are running the scan . So, make sure  you have the system administrators ready in case you run into any trouble.

Now, you need to mention the ‘target’ machine on which the scan is going to be run.  Please refer to figure 4 below :

Figure 4

Now, you can go ahead and ‘Start the scan’ . You can see the progress of the scan on your screen as shown in figure 5.

Figure 5

Once the scan is completed, you will be presented  with a report as the one given below in figure 6.

Figure 6

This report can be exported to html or pdf format also.

For reference, I am pasting parts of the pdf that we got after scanning the client server.

The above part depicts the summary of the scan on the whole.

The one below shows the part which explains one of the vulnerability and the suggested solution.

Likewise, you will get a detailed report about the potential problems and the suggested fixes.
If all the vulnerabilities are fixed then the server is most likely to achieve PCI compliance.

I hope this article would be helpful for some people out here. If you have any further queries then do get back to us. We would be happy to help you.

Today, I am going to discuss how we at InstaCarma were able to help one of our clients in achieving PCI Compliance and hence increase their customer base..

Now, this client is basically a provider of e-commerce based hosting solutions. They deal with plenty of sensitive and important data. Hence, becoming PCI Compliant was mandatory for them. Recently they were getting too many potential customer queries whether they are PCI Compliant. Achieving this has helped them grow their business by almost 50% in last couple of quarters.

A PCI Scan tells you what could be potentially insecure about your server. This is particularly important where storage of sensitive data occurs. Therefore, PCI Compliance is something which is preferred by most credit-card companies these days.

The PCI Security Standards Council talks about 12 basic requirements broadly divided into 6 categories. This is called the PCI-DSS (Payment Card Industry Data Security Standard)

This is required in order to avoid data frauds where card information is stored.

You can find these details at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Following are the important steps that we took in order to ensure that their cPanel servers pass the PCI Scan :-

- Installed a firewall : A server is not likely to pass the PCI Scan if there are unnecessary open ports. We installed CSF on the server. Alternatively, APF can also be used. We closed all the ports except for the ones required for the essential services. Certain standard ports like 2082, 2086 and 2095 could produce a negative result. So, we configured WHM to use the secure ports only.

- Updating the packages : Just run /scripts/upcp to update all the packages. Also, we had to make sure that Apache , PHP and MySQL were running the latest version.

The suggested versions are :

MySQL 4.1.22 or above
PHP 5.2.5 or above
Apache 1.3.39 or above ( Certain scans might require Apache 2.0.x )

OpenSSL 0.9.7j or above

cPanel suggests that you should keep cPAddons up to date as well.

- Disabled mod_userdir : If a site on the server can be accessed as http://serverip/~username

then it means that mod_userdir is ‘enabled’. We can disable it through WHM > Security Center > Apache mod_userdir Tweak

- SSL : At least, one SSL certificate from a recognized certificate authority is required. We

installed SSL for Apache. SSL can be installed for other services as well.

- Apache Setup should not be revealed: We all have seen the ’404 Error’ page at some point. Information about the Apache Setup

should not be available on that page. This can be achieved by adding the following lines to the ‘httpd.conf’ file :

ServerSignature Off

ServerTokens Prod

FileETag None

- Disable SSLv2 and other weak encryption methods : Some services doesn’t allow you to

choose between SSL protocols but most PCI Scan overlook it.

The Weak SSL cipher issue has been an headache for people who want to pass the scan.

Thankfully, cPanel 11.24 has got an in-built solution for that.

Just go to WHM > Apache Configuration > Global configuration and copy paste the following :

ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1

- mod FrontPage – It is likely to cause a scan failure. Therefore, we kept it disabled.

- Separate services – cPanel recommends that you keep services separate like MySQL server on

a local subnet, remote DNS only, no local BIND etc

- 2 factor authentication – This is another suggestion by cPanel that we adopted. A 2-factor

authentication procedure which requires a key and a passphrase.

- Besides all these, another important measure that we took was running the Nessus Scan.

It is a wonderful freely available tool to find any vulnerabilities on your server. You can find the details on the official Nessus website – http://nessus.org

Nessus basically consists of two parts, the server and the client. Once you are done with the two installations you need to add an user for the scanner and then you can start a scan on any remote server. The scan might take a while. It will give you a detailed report about all the package related vulnerabilities and any security loopholes. The best thing about Nessus is that it will also give you suggestions on how to fix those.

Thus, Nessus will tell you almost everything that needs to be done in order to achieve PCI Compliance.

I will be discussing about the installation and working of Nessus in the coming articles.

Let me tell you that different scan companies have a different approach . Hence, the requirements vary and they might have many more than the ones mentioned above. But these are the very basic ones that need to implemented for sure. I hope this article would be helpful for those looking forward to achieving PCI Compliance.

Moodle 1.9.5 and Moodle 1.8.9 – update has been released to patch some security issues. Four serious security vulnerabilities (1 critical, 3 major) have been discovered and fixed recently.   There are no reported exploits yet, and they do not affect all sites, but still it is recommended hat you upgrade your sites to these latest versions as soon as possible (or otherwise ensure that these issues are not active in your site).

release notes:

http://docs.moodle.org/en/Moodle_1.9.5_release_notes

http://docs.moodle.org/en/Moodle_1.8.9_release_notes