How to set-up fail2ban for a WordPress site

What is Fail2ban

Fail2ban is a tool which you can use to reduce the impact of attacks on your servers. Typically you configure it to monitor a log file for suspicious activity.  Then once the activity crosses a threshold you can have it take an action, such as block the source IP address in your firewall.  It’s a good way to stop attacks early but doesn’t entirely prevent them.

Why use it to protect WordPress

Due to it’s popularity, WordPress is often the target of automated attacks.  We often see bruteforce attacks targeting xmlrpc.php or wp-login.php, these rely on making a huge number of requests in the hope that one will eventually be successful.  Using strong passwords, especially for accounts with admin access is important to reduce the risk from attacks.  Fail2ban can be used to slow attackers down.  This helps for two reasons: it makes them less likely to succeed; it reduces the load on the server caused by processing these requests.

Other options

Blocking an attack as far upstream as possible is always advantageous to save resources so we would typically favour a Web Application Firewall or Webserver configuration over using fail2ban or a WordPress plugin however every site, server and customer is different so it will depend on the exact configuration used and required.

Install & config fail2ban (for Ubuntu)

sudo apt-get install fail2ban

Fail2ban works by having a jail file which references the log file, a filter and an action.  By default fail2ban will protect sshd.  If you are restricting SSH access in another way then you might want to turn this off.  You can do so by creating the following as /etc/fail2ban/jail.local

[sshd]
enabled = false

Fail2ban doesn’t come with a filter for WordPress.  I’d like to credit these two articles for providing a good starting point.  We see requests to ‘//xmlrpc.php’ (note the double slashes) fairly frequently so tweaked the below to also flag them.  As this is detecting any requests to wp-login/xmlrpc it will flag legitimate admin users when they login etc.  We’ll look to account for this with the jail configuration.

You can create the filter as /etc/fail2ban/filter.d/wordpress.conf

[Definition]
failregex = ^<HOST> .* "(GET|POST) /+wp-login.php
            ^<HOST> .* "(GET|POST) /+xmlrpc.php

The jail file has most of the configuration options:

  • logpath, in this case the path to your Apache access log
  • action, adjust this if you’re using a different firewall or want to be sent email instead, you can see available options in /etc/fail2ban/action.d/
  • maxretry, the number of requests within findtime seconds to ban after
  • bantime, the number of seconds to ban for, with this action how long they’re blocked in iptables

As mentioned, the filter will catch both malicious and legitimate users.  We’re configuring maxrety fairly high and bantime relatively low to minimise the probability and impact if we do block a legitimate user.  Whilst this allows attackers to make roughly one request every ten seconds this is a fraction of what they’d make without fail2ban.

You can create the jail file as /etc/fail2ban/jail.d/wordpress.conf

[wordpress]
enabled = true
port = http,https
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/apache2/all-sites-access.log
maxretry = 12
findtime = 120
bantime = 120

Restart fail2ban to load in your new config

sudo systemctl restart fail2ban

Checking your fail2ban set-up

Show the jails

sudo fail2ban-client status

Show info about the WordPress jail

sudo fail2ban-client status wordpress

List the f2b-wordpress iptables chain (this will be created the first time fail2ban blocks an IP and contain blocked IPs)

sudo iptables -v -n -L f2b-wordpress
sudo ip6tables -v -n -L f2b-wordpress

View the log to see any IPs banned or flagged

sudo less /var/log/fail2ban.log

 

Feature image by Jussie D.Brito licensed CC BY-SA 2.0.

CentOS 8 End of Life and what to do about it

It’s July 2021 and there are just 5 months to go until CentOS 8 goes End of Life (31 December 2021).

Ordinarily our blog posts on software going End of Life are pretty cut and dry. This time drastic changes to CentOS’ future direction has complicated what would otherwise be a simple set of decisions.

In this post we’ll cover a few things. Firstly, we’ll recap a little of how this situation arose. Then we’ll take a look at what the changes are and why they might not be quite so bad. Then we’ll dive into your options for dealing with these huge changes…

  1. A brief recap.
  2. What do I do now CentOS 8 support is ending.
  3. Switching to RHEL.
  4. Switching from CentOS 8 to CentOS Stream.
  5. Can I downgrade to CentOS 7 from CentOS 8 to avoid CentOS 8 End of Life?
  6. Alternatives to CentOS 8 and Centos Stream.
    1. AlmaLinux.
    2. Oracle Linux.
    3. RockyLinux.
    4. Other options.
  7. WHM, cPanel and Plesk.

CentOS 8 End of Life – a brief recap

Unless you’ve been living under the proverbial digital rock, the opening sentence of this post won’t come as a surprise. You’ll also know of the ongoing saga concerning Red Hat bringing CentOS 8 End of Life forward 8(!) years. For those that have been under that rock, here’s what you missed in as few sentences as possible:

  • CentOS is the community-driven free (as in beer) downstream binary compatible repackaging of the (paid for) Red Hat Enterprise Linux (RHEL) distribution provided by Reb Hat Inc.
  • CentOS actually ‘joined’ (read ‘was acquired by’) Red Hat back in 2014 which gave Red Hat ‘power/ownership’ over the distribution.
  • IBM acquired Red Hat for $34B in July 2019, now giving it power over the CentOS project too.
  • Sept 2019 CentOS 8 is released with an End of Life date of 31 May 2029 and people are encouraged to switch over from the previous CentOS 7 release.
  • Dec 2020, just 15 months into the CentOS 8 distribution life cycle, Red Hat announces that CentOS 8 will no longer exist and will instead become CentOS Stream. CentOS 8 will receive no updates/support after 31st December 2021, cutting it’s original End of Life date by 8 years! CentOS Stream will also move to being an upstream development branch of RHEL instead of a downstream stable distribution, a complete change from the position CentOS 8 held.

It’s fair to say many people weren’t too happy with this. And who can blame them? Such a violent shift in focus for the distribution would have been enough to cause major ripples throughout the SysAdmin world on its own. Add to that the huge change of CentOS 8’s End of Life date and you really get the perfect storm of Linux Distro drama.

Was it really that bad?

Sort of. No. Yes. Maybe. Whilst this may become a historic text-book example of how not to communicate a product change, the reality is that the move to CentOS Stream is a culmination of years of work changing the way RHEL is delivered. Red Hat has now embraced a Continuous Integration delivery model – branded by Red Hat as ‘Always Ready RHEL’.

CentOS Stream is a natural extension of that work. It’s also a clear ‘bottom line’ lead business decision to reduce the brand and dollar cost CentOS put on RHEL. CentOS Stream will occupy a valuable slot in the RHEL development lifecycle. Rather than be a downstream burden, CentOS Stream will now lead development for the paid distribution.

There is a harsh reality though – CentOS Stream will be less stable than before. But in being slightly less stable it can address some valid complaints. Namely, it can now deliver feature updates faster than before and it will allow community members a chance to affect the downstream product (in this case RHEL).

It’s even possible that CentOS Stream could be far more ‘stable’ in terms of bugs or feature changes (not just version number changes) than other distros. That’s thanks to the move towards testing, CI and rigorous Quality Control under the ‘Always Ready RHEL’ development model. Only time will tell.

None of that matters though when the feelings of those invested in the project have been clouded by poor communication and perceived breach of trust these changes have caused.

What do I do now CentOS 8 support is ending?

Broadly, your choices are split into 4 categories:

  1. Switch over to the paid RHEL distribution
  2. Stay on CentOS 8 and switch over to CentOS Stream
  3. Roll back/rebuild on the CentOS 7 release, which enjoys support out until June 2024
  4. Switch to another distribution

When assessing your options, consider why you’re using CentOS 8 in the first place. There are good reasons to be using this distro. Knowing exactly what your reasons are will help inform your decision as to what steps you take next.

We’ll briefly look at options 1-3 but focus our attention mostly on 4. This is where there has been the most rapid development and your choices can evolve quickly.

What about cPanel?

We’ll cover that too. Jump forward to the cPanel section if that’s your main use case for CentOS.

Switching to RHEL

Lets start with the elephant in the room – the big drawback to switching to RHEL is cost. Pricing is varied depending on your use case but, as an example, a single server that comes with Red Hat’s famed support starts at $799 for a one year subscription.

A single server license without support will set you back $349 for a one year license.

It would be silly to focus solely on price though. Red Hat offer a huge range of discounts for licensing depending on your use case. Recent offerings, following the change of direction for CentOS, even cut the cost out completely if you’re under a certain size (though there are other caveats to this too).

Cloud providers like Azure, AWS and GCP also offer competitive on-demand pricing that takes care of managing licenses for you.

Another often missed aspect is Red Hat employees are amongst the most active contributors to many core Linux software, including the Kernel itself. Red Hat literally pays it’s people to fix issues in Linux itself, and a huge range of other open-source software. You get access to that kind of expertise, influence and speed of action when you take up their support offerings.

RHEL also has a huge focus on security with tools like SE Linux (love and hate it in equal measure!). Those who need to meet compliance requirements can enjoy automated tools and dedicated help and advice on where they need to make changes.

In short, RHEL is absolutely top of the pile. If you can afford the price!

Switching from CentOS 8 to CentOS Stream

What happens if you just do nothing and stay on CentOS 8? Will it automatically switch to CentOS stream?

In a word, no.

Thankfully, the process to switch is simple and officially endorsed by the CentOS team.

That’s not to say you won’t run into trouble but for the most part the process is simple.

The deeper question is should you switch to CentOS Stream? With the switch to being an Upstream development branch of RHEL, and a semi-Rolling Release at that, the move away from ‘stability’ may make this distro a non-starter for you.

Some have made the counter-argument; if your use case is so brittle that it is unable to handle even minor point version changes to an operating system, then it’s you who is doing something wrong. But the reality is there are situations when stability really is key. In those cases CentOS Stream may not a viable option for some.

If you are struggling with this decision then get in touch and we’d be happy to help you through the process.

Can I downgrade to CentOS 7 from CentOS 8 to avoid CentOS 8 End of Life?

If by downgrade you mean simply change some settings and migrate back down a release, then no.

If you want to switch back to CentOS 7 then you’ll need to perform a full reinstall of CentOS 7 on new physical/virtual hardware. Then migrate data over from your CentOS 8 servers. Not fun!

There may be good reason to do this, particularly if you were happy on CentOS 7 previously. CentOS 7 also retains it’s original End of Life date of 30th June 2024, so by switching back you can eek out as much time on a CentOS distribution as possible.

Likewise, some software is validated only against certain distributions and even certain releases. If you find yourself in that situation then migrating back to CentOS 7 could certainly be a valid option. It could also be a way give you more time to migrate your applications/assess your options.

Before doing so, we’d advise a very careful assessment of the costs and benefits of doing this. Jumping back to CentOS 7 might be the pragmatic choice but it may be worth putting your resources towards a longer term solution. That solution could be migrating to one of the CentOS replacements or maybe to a different distribution altogether.

Alternatives to CentOS 8 and CentOS Stream

Here we come to the core of the discussion but one where the answers are evolving very rapidly.

If you’ve decided that:

  • RHEL isn’t for you
  • you don’t want to move to CentOS Stream
  • downgrading to CentOS 7 seems a waste of time/resources
  • you still want a downstream distribution that is binary compatible with RHEL (just like CentOS 8)

…then what are your choices?

We’ll now focus on the ‘big three’ options shaping up to be viable candidates to replace CentOS. Then we’ll consider switching to a different distro altogether. Finally, we’ll mention a few other options that might be worth evaluating.

AlmaLinux

It was a tough choice to decide which of the alternative CentOS distributions to mention first. We could claim we’re going in alphabetical order, but the truth is AlmaLinux is shaping up to be the strongest option for replacing CentOS 8.

The project is backed by CloudLinux but will be ‘owned’ by an entirely separate and community led organisation called The Alma Linux Foundation.

What makes this such an attractive alternative is the cold hard cash backing the project. CloudLinux have committed $1 million a year until 2029 to support the project. They already have a decade long track record of supporting a downstream binary compatible RHEL clone, so they enter the field with a proven level of trust.

Importantly for many businesses AlmaLinux also has the option to receive paid support, provided by CloudLinux themselves.

Add to that the recent cPanel announcement of support for AlmaLinux in it’s current release version and AlmaLinux offers a comprehensive replacement for CentOS 8.

But the successes don’t stop there – secure boot shipped in the latest AlmaLinux 8.4 release and official images for the major cloud providers are now available.

If this sounds like the solution for you, there’s a simple migration script, as well as a stable release boasting binary compatibility with RHEL 8.4.

Oracle Linux

If we were being truly objective, Oracle Linux was already a viable candidate to replace CentOS and should have been first mention. But it’s Oracle, and even they have to address their own reputation in their own Oracle Linux FAQ.

Yes, Oracle Linux is free. It comes without any deliberate attempts to hold back features. And it offers an enterprise grade distro backed by the option for paid support. But it’s Oracle, so, you know…

To return to trying to be fair; Oracle Linux has a proven track record of bringing updates to their release faster than CentOS did. It also has paid options for cool technology like live kernel patching.

Switching is simple and reliable and you aren’t forced to pay for a support subscription. This is absolutely a 100% free, open source and feature rich CentOS replacement.

You’ll just have to decide for yourselves if you really want to get into bed with Oracle 🙂

RockyLinux

RockyLinux comes with one huge bonus – it’s founded by CentOS founder Gregory Kurtzer. Who better to lead the development of a CentOS replacement than the original founder himself?

RockyLinux has a slightly different approach to AlmaLinux, remaining fiercely free of any single external entity’s control/influence. It also has a broad range of supporters/sponsors contributing to the financial health of the project.

Recently the team released it’s first Rocky Linux Stable Release and has made available it’s first cloud offering, on GCP.

This is definitely one potential alternative worth assessing for your CentOS 8 replacement needs.

Other options

Ubuntu

If you know you’ll be replacing CentOS then it’s worth considering whether you want to stay on a distribution of the same derivative or switch to something else entirely.

One of the most popular and well supported options is an Ubuntu LTS variant. Ubuntu is based on the Debian branch of the Linux Family Tree. It enjoys huge developer, application and server provider support. Ubuntu also has massive ‘mindshare’ and deep penetration into the ‘consumer’ Linux market. This means it has a huge community, a well deserved level of trust and is familiar to most Linux users.

Ubuntu LTS releases deliver 5 years of updates free of charge, with extended support options available as paid extras. It is backed by Canonical who offer a range of support and services should you have Enterprise level needs.

Ubuntu’s popularity meant it was the first non-RHEL based distro to receive full cPanel support after CentOS announced it’s change of direction. Unfortunately, it’s still going to be some time until you can run cPanel on an Ubuntu server. We’ll discuss in the cPanel section below.

Debian

Debian is the grandfather of the Linux world. It’s been around forever and it’ll be around forever. Our recommendation above, Ubuntu, is built from a Debian base.

Debian pursues ‘freedom’ with an almost zealot-like religious fervour and has long been leading the fight for open-source software. It’s fair to say the current free software movement owes a great debt to Debian’s leadership over the decades.

Aside from being huge advocates for freedom, Debian also delivers a rock solid distribution that mirrors the ethics it espouses. It’s legendary focus on stability and support throughout the OS lifecycle rightly earns Debian a place on our recommended list.

Not only that, Debian is available for almost every architecture, every cloud service and every piece of hardware it’s possible to run a computer system on. Along with that comes an uncountable number of experts ready to help you whatever your needs.

It’s not as ‘fancy’ as some distros, nor as easy for newcomers, but Debian is part of the bedrock of the Linux world and a stellar choice for replacing a CentOS system.

OpenSUSE

The author can’t do justice to OpenSUSE, having last played with it over a decade ago. What we can say is that modern OpenSUSE offers an extremely well rounded alternative to Debian or RHEL based distributions.

OpenSUSE’s commitment to open-source and software freedom goes further than most. It has tools like the Open Build System and OpenQA, as well as excellent technology such as YaST or MicroOS.

It’s fair to say OpenSUSE doesn’t have as large a share of the pie as other distros but it’s Enterprise offerings more than make up for that with their excellent range of options.

WHM, cPanel and Plesk

Whilst Plesk has supported several operating systems for some time now, the 800lb Gorilla of the web hosting world, cPanel/WHM, was staunchly a RHEL derivative only.

That was until CentOS announced it’s change of direction and the curtailing of support for CentOS 8.

As of version 102 cPanel will officially support Ubuntu 20.04.

Version 102? Aren’t we only on version 98 now?

Yes, which means you can’t install cPanel on Ubuntu…yet.

But given cPanel versions bump up by 2 roughly every couple of months, and there are 6 versions to go…expect Ubuntu support somewhere around Oct-Dec 2021.

Wrapping it all up…

Well, this was a bit of a bigger post than our usual OS End of Life notices! And with 5 months to go things are still evolving rapidly.

We ourselves will be carefully monitoring the developments on the various replacement distros over the coming months. We’ll also be keenly exploring the opportunities afforded by companies like cPanel supporting different distributions such as Ubuntu.

If you need to jump ship right now but need to maintain compatibility with CentOS 8, you should consider AlmaLinux. It’s certainly leading the race to be a true CentOS 8 replacement, if you ignore Oracle’s offering.

Having read this post you might feel that the choices open to you right now might seen overwhelming. If you want some help deciding then we encourage you to get in touch with us. Our team of expert System Administrators have years of experience guiding customers in complex choices like this one.

We’d love to help you find the right solution for your needs!

 

Feature image by Trim Nilsen licensed: unsplash

PHP EOL

PHP 7.3 will go end of life on 06 Dec 2021

PHP 7.3 goes end of life (EOL) on the 6th December 2021 meaning known security flaws will no longer be fixed and sites are exposed to significant security vulnerabilities.

It is important to update them to a newer version. We would recommend updating to either:

  • 7.4 supported until 28 November 2022
  • 8.0 supported until 26 November 2023

As with any upgrade you will want to test your site on the new version before migrating. You may need to get your developers to update some code, check plugins and app versions for the new PHP supportability:

PHP 8 is still very new and untested but a lot of CMS’s are supporting it. WordPress 5.6 has stated that they are “Beta compatible” with PHP 8.0 however there is still a way to go for a number of plugins.

Not sure what version your server is on? Maybe it’s time for a Server Audit so you have a full picture of your infrastructure – We produce a traffic light report telling you the good, the bad and the ugly…

Otherwise want a hand with your PHP upgrade? Get in touch!

Dead Flowres

Ubuntu 16.04 End of Life April 2021

On April 2021, Ubuntu 16.04 reaches end of life (EOL); We recommend that you update to Ubuntu 20.04.

Technology and security evolves, new bugs are fixed and new threats prevented, in order to maintain a secure infrastructure it is important to update all software and systems.

Operating systems are key to security, providing the libraries and technologies behind NGINX, Apache and anything else running your application. Old operating systems don’t support the latest technologies, which new releases of software depend on, leading to compatibility issues.

Leaving old Ubuntu 16.04 systems past April 2021 leaves you at risk to:

  • Security vulnerabilities of the system in question
  • Making your network more vulnerable as a whole
  • Software incompatibility
  • Compliance issues (PCI)
  • Poor performance and reliability

Ubuntu End of life dates:

Ubuntu LTS (long term support) operating systems come with a 5 year End Of Life policy. This means that after 5 years it receives no maintenance or security updates.

  • 16.04 : April 2021
  • 18.04 : April 2023
  • 20.04 : April 2025

Faster:

Upgrading from Ubuntu 16.04 to Ubuntu 20.04 will, instantly, speed up your site.

  • Apache 2.4 -> Apache 2.4.41
  • MySQL 5.6 -> MySQL 8.0
  • PHP 7.0 -> PHP 7.3

Still using an old operating system?

Want to upgrade?

Not sure if this effects you?

Drop us a line and see what we can do for you!

MySQL 5.6 End of Life 05 Feb 2021

Official support for MySQL 5.6 ends on the 05 Feb 2021. After this date, known security flaws will no longer be fixed leaving you exposed to significant security vulnerabilities.

We recommend you upgrade to MySQL 5.7 or newer. Some operating system maintainers backport security patches however this is not always guaranteed so do your research.

Before upgrading

As with any software upgrade, there are risks when jumping to new software versions. These are some things you can do to reduce issues:

  • Review the MySQL changelogs for changes that effect you.
  • Make sure your software and settings are compatible with the new version of MySQL.
    • For example, if you have a WordPress site you can see this on their requirements page. You should also double check that your plugins and themes are also compatible.
    • For Jira and Confluence you might need to change your database collation and character set.
    • If you have a lot of custom site code, you should check with your developers.
  • Consider carrying out a test upgrade.  This is a decision for you based on the complexity of your software, your roll back plan and the cost of down time to you.
  • As with any upgrade, we strongly recommend that you run a full backup of your server(s) first.
  • Look at what new features you can benefit from as you move forward! 🙂

Leaving old MySQL 5.6 systems past February 2021 could leave you at risk to:

  • Security vulnerabilities of the out of date system.
  • Software incompatibility.
  • Compliance issues (PCI).
  • Poor performance and reliability

Not sure where to start upgrading MySQL 5.6? Contact us to help.

CentOS

CentOS 6 goes End Of Life on 30 Nov 2020

CentOS 6 goes End of Life (EOL) on the 30th November 2020.
We recommend you upgrade to CentOS 7 or 8 before this date.

Technology and security evolves. New bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date.  Once an operating system reaches end of life, it no longer receives updates, so will end up left with known security holes. Old operating systems don’t support the latest technologies, which new releases of software depend on, this can lead to compatibility issues.

There are some big changes between versions 6, 7 & 8.
In particular:

  • CentOS 7 & 8 require a lot more disk space than CentOS 6
  • CentOS 8 ships with Python v3 by default meaning old Python scripts may need to be re-written
  • Both CentOS 7 & 8 ship with old versions of PHP (v5.4 & v7.2 respectively)

CentOS has a slow rolling release (five years between versions 7 & 8) while PHP is currently releasing new versions quickly (yearly) and only supporting them for 3 years. This makes supporting PHP on CentOS tricky but also brings opportunities…

Old PHP sites that need to run code which requires a old version of PHP can do so by running CentOS as RedHat will actively backport important security updates into old versions of PHP.

Modern PHP sites/frameworks that are typically kept up to date (such as WordPress) can struggle as PHP 5.4 went EOL on 3 Sep 2015 and PHP 7.2 goes EOL in four months meaning your site is already running sub optimal before even going live.

FeaturesCentOS 6CentOS 7CentOS 8
Web ServerApache v2.2.15Apache v2.4.6Apache v2.4.37
PHPv5.3.3v5.4v7.2
Pythonv2.6.6v2.7v3.6.8
DatabasesMySQL v5.1.x, PostgreSQL v8.4.x MariaDB v5.5.x, PostgreSQL v9.2.xMariaDB v10.3.x, PostgreSQL v9.6.x/10.6.x
Minimum / Recommended disk space1GB / 5GB10GB / 20GB10GB / 20GB

Leaving old CentOS 6 systems past November 2020 leaves you at risk to:

  • Security vulnerabilities of the out of date system.
  • Making your entire network more vulnerable.
  • Software incompatibility.
  • Compliance issues (PCI).
  • Poor performance and reliability.

CentOS End of life dates:

  • CentOS 7: 30th June 2024
  • Cent0S 8: 31st May 2029

Not sure where to start? Contact us to help with your migration.

PHP 7.2

PHP 7.2 will go end of life on 30 Nov 2020

PHP 7.2 goes end of life (EOL) on the 30th November 2020 meaning known security flaws will no longer be fixed and sites are exposed to significant security vulnerabilities.

It is important to update them to a newer version. We would recommend updating to either:

  • 7.3 supported until 06 December 2021
  • 7.4 supported until 28 November 2022

As with any upgrade you will want to test your site on the new version before migrating. You may need to get your developers to update some code, check plugins and app versions for the new PHP supportability:

PHP 8.0.0 is due for general availability launch (GA) target of 26 Nov 2020. An early test version is available now but please DO NOT use this version in production, it is an early test version.

Upgrade from PHP 7.2 before the 30th November 2020.

Want a hand? Get in touch!

Removing support for TLS 1.0 and TLS 1.1

TL;DR

For security reasons, it is best practice to disable TLS 1.0 and TLS 1.1, but before you do this you may need to weigh up the risks to traffic from old browsers.

After disabling TLS 1.0 and TLS 1.1 any visitors using old browsers won’t be able to access your site.  If you are accepting credit card payments through your website then your customers security is more important but if you have a public information site then this may not be the case.

Don’t I always want the best security?

Please don’t get us wrong. We are NOT advocating blindly reducing security. This post is very much a response to customers that come to us wanting changes that will break their sites in order to get a perfect score or tick a compliance box. We can usually come up with a best of both worlds once we show the exact implications of the change.

What’s the fuss about?

GlobalSign’s What’s Behind the Change? paragraph sums this up nicely:

Various vulnerabilities over the past few years (e.g., BEAST, POODLE, DROWN…we love a good acronym, don’t we?) have had industry experts recommending disabling all versions of SSL and TLS 1.0 for a while now. PCI Compliance was another driving factor. On June 30, 2018, the PCI Data Security Standard (DSS) required that all websites needed to be on TLS 1.1 or higher in order to comply.

The RFC 7525 from 2015 stipulates that implementations should not use TLS 1.0 or TLS 1.1:

   o  Implementations SHOULD NOT negotiate TLS version 1.0 [RFC2246];
      the only exception is when no higher version is available in the
      negotiation.
      Rationale: TLS 1.0 (published in 1999) does not support many
      modern, strong cipher suites.  In addition, TLS 1.0 lacks a per-
      record Initialization Vector (IV) for CBC-based cipher suites and
      does not warn against common padding errors.
   o  Implementations SHOULD NOT negotiate TLS version 1.1 [RFC4346];
      the only exception is when no higher version is available in the
      negotiation.
      Rationale: TLS 1.1 (published in 2006) is a security improvement
      over TLS 1.0 but still does not support certain stronger cipher
      suites.

Qualys SSL Labs have reduced their grading for servers which support TLS 1.0 or TLS 1.1

Assessing the risk

Who won’t be able to access my website if I disable TLS 1.0 or TLS 1.1? Generally speaking browsers before 2013 will have trouble.  Most popular clients affected are old Android phones and old versions of Windows with Internet Explorer 10.  For the exact Android versions and other affected clients this is a nice breakdown.  As you’d expect the number of visitors with these old clients will vary according to your user base.  It’s best you check your site’s analytics to inform your decision.

Again, you can take into account how important encryption is for your website.  For example, at the time of writing it’s interesting to note that paypal.com has removed support for TLS 1.0 & 1.1 whilst google.com has not.

Summary

So what does this mean?  Lets give some examples…

If security is important to you; perhaps you have an e-commerce site taking payments or you are a IT consultancy like ourselves where people wish to share private information. You must disable old SSL/TLS protocols so that the only way people can communicate with your site is as secure as possible.

If accessibility is important to you; perhaps you are trying to share public information, be it a marketing or public resources site. It maybe worth supporting old protocols to allow your message to be shared as wide as possible.

Remember; it maybe typically called a sales “funnel” but traffic doesn’t have to end up in just one place. Users not supporting the right levels of security can be redirected to alternative pages where they can be contacted in other ways.  Why lose a sale when you don’t have to!

 

We’ve intentionally painted with broad strokes in this blog post.  We’re happy to give specific advice if you contact us and feel free to leave a comment 🙂

AWS Logo

Amazon Linux 1 goes EOL 30 June 2020

On the 30th June 2020, Amazon Linux 1 goes End of Life (EOL). We recommend you upgrade to Amazon Linux 2.

Technology and security evolves. New bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date. Once an operating system reaches end of life, it no longer receives updates, so will end up left with known security holes. Old operating systems don’t support the latest technologies, which new releases of software depend on, this can lead to compatibility issues.

Leaving old Amazon Linux 1 systems past June 2020 leaves you at risk to:

  • Security vulnerabilities of the system in question
  • Making your network more vulnerable as a whole
  • Software incompatibility
  • Compliance issues (PCI)
  • Poor performance and reliability

Changes in AWS Linux 2:

  • Apache / HTTPD 2.2.34 -> 2.4.41
  • PHP 5.3 -> PHP 5.4
  • MySQL 5.5 -> MariaDB 5.5
  • SystemVinit -> systemd

As well as new features like:

  • Long term software OS and support until 2023
  • Access to the latest software like PHP 7.2 via the amazon-linux-extras tool.

Not sure where to start? Contact us to help with your migration.

Magento Logo

Magento 1.x EOL June 2020

Magento v1 (all versions up to and including v1.9.4.3) will stop receiving software security updates after June 2020. Don’t leave it too late to migrate if you haven’t already.

This affects both editions of Magento…

  • Open Source (formerly “Community Edition”)
  • Commerce (formerly “Enterprise Edition”)

We recommend you upgrade to the latest version of Magento 2, currently version 2.3.3.

v2 was released in November 2015 and has proven itself to be a huge upgrade on v1. It has improved performance, improved page caching, inbuilt rich snippets for structured data, enterprise-grade scalability, a new file structure with easier customization, CSS Preprocessing and a much more structured code base.

Magento have a number of Migration Tools available to assist you with moving from v1 to v2.

And of course, if you need an help with your migration please do feel free to contact us to discuss your requirements.