Security Round Up: 2019 Q1
As part of a new policy started last year, in response to the massive DDoS attacks against our company and other customers, we have begun holding a Security Round Up event every quarter to tell our customers how we think we are doing in our efforts to ensure those events never repeat.
This is also a reminder to ourselves that we are not invincible, our networks are not impenetrable, and we, like everyone else, are human and prone to mistakes.
Since January 1st, 2019, we have seen minimal attacks on our network. The current data indicates standard SSH intrusion attempts that fail and result in a network in Russia or China being blocked for 7 days (or more). Our standard policy now is that when SSH authentication fails more than 4 times in 4 minutes, we lock the IP address out for 5 minutes. If an additional attempt is made beyond the 5th try (at which point SSH produces a cool-down warning not to try again), the ban begins at 5 minutes. Every attempt to connect with an authentication string thereafter results in a further 24-hour ban being added consecutively. Some networks are banned from all of our servers for 570 years (which is the maximum).
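The escalating lock-out described above, replayed over a few constructed sshd log lines. This is an added illustration, not Goldsboro Networks' own software; the log format, the sample addresses, the 365-day year used for the 570-year cap, and the reading that every failed attempt after the first ban adds 24 hours are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not real data); year is assumed to be 2019.
SAMPLE_LOG = """\
Jan 14 03:10:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51324 ssh2
Jan 14 03:10:40 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51330 ssh2
Jan 14 03:11:15 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51342 ssh2
Jan 14 03:12:02 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51350 ssh2
Jan 14 03:13:30 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51360 ssh2
Jan 14 03:20:11 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51400 ssh2
Jan 14 03:30:00 web1 sshd[2220]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
"""

# Matches the syslog-style "Failed password" line; assumed format, not guaranteed for every sshd build.
FAIL_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port"
)

WINDOW = timedelta(minutes=4)        # "more than 4 times in 4 minutes"
THRESHOLD = 4
INITIAL_BAN = timedelta(minutes=5)   # first lock-out
ESCALATION = timedelta(hours=24)     # each further attempt adds 24 hours
MAX_BAN = timedelta(days=570 * 365)  # "570 years" cap (365-day years assumed)


def evaluate(log_text, year=2019):
    """Replay the policy over the log; return {ip: (ban_start, ban_duration)}."""
    failures = {}  # ip -> failure timestamps inside the current window
    bans = {}      # ip -> (ban_start, ban_duration)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in bans:
            # Any further failed attempt after the first ban adds 24h, up to the cap.
            start, dur = bans[ip]
            bans[ip] = (start, min(dur + ESCALATION, MAX_BAN))
            continue
        recent = [t for t in failures.get(ip, []) if ts - t <= WINDOW] + [ts]
        failures[ip] = recent
        if len(recent) > THRESHOLD:
            bans[ip] = (ts, INITIAL_BAN)
    return bans


if __name__ == "__main__":
    for ip, (start, dur) in evaluate(SAMPLE_LOG).items():
        print(f"{ip} banned from {start} for {dur}")
```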
Also, as part of our efforts to give back to the IT community, our server automatically alerts and notifies network administrators (the abuse contacts listed on AbuseX.org) that we have blocked their network and the reasons for the block. If they can confirm that the problem is resolved, we then unblock their network and flag it as “Low Rep” for 8 weeks. If their network again abuses one of our servers, the lock-out and subsequent bans are permanent. Of course, we apply a generous amount of common sense to this policy – if a network, for instance, is a corporate network that suffers 2 intrusions which cause the abuse, we’re a lot more forgiving than with a home network that an ISP refuses to police.
As per our last update, we have installed mandatory security software on every website as an extra layer of security; it displays some of its statistics directly to our customers, live. Feedback we have gathered so far indicates that customers are responding very well to this software and love knowing when and how hackers are attempting to break into their website. The software also alerts them when a user’s password on their website has been found in an online database and automatically locks that account out of logging in until the password is changed. This alone has prevented countless website intrusions that some of our customers were plagued with.
Lastly, since our last update, there has been only one DDoS attempt on our network, on the order of 50 Gbps. It failed and no client saw one second of downtime.
There has, however, been downtime. Since our last update, we have taken our servers offline 2 times for approximately 1 hour each to update software on the network infrastructure and the server itself. We are now planning updates with the data center. When the data center schedules network maintenance, we schedule security maintenance for our servers during the window, to begin automatically when network connectivity is lost. This is custom software that Michael has written for the company, which I don’t believe he has any plans of ever releasing. However, it has been immensely helpful to the company by providing one of the most secure methods of updating.
Finally, we have taken extra strides to try and educate our clients and alert them to the best security practices when administering their websites and email accounts. Since we have launched this campaign, there has been a grand total of ZERO (0) website, email, or hosting compromises across the entire Goldsboro Networks infrastructure. We’ve been absolutely amazed at the results this has produced and we thank all of our customers for heeding our warnings and instructions!