MySQL 5.6 End of Life 05 Feb 2021

Official support for MySQL 5.6 ends on the 05 Feb 2021. After this date, known security flaws will no longer be fixed leaving you exposed to significant security vulnerabilities.

We recommend you upgrade to MySQL 5.7 or newer. Some operating system maintainers backport security patches however this is not always guaranteed so do your research.

Before upgrading

As with any software upgrade, there are risks when jumping to new software versions. These are some things you can do to reduce issues:

  • Review the MySQL changelogs for changes that effect you.
  • Make sure your software and settings are compatible with the new version of MySQL.
    • For example, if you have a WordPress site you can see this on their requirements page. You should also double check that your plugins and themes are also compatible.
    • For Jira and Confluence you might need to change your database collation and character set.
    • If you have a lot of custom site code, you should check with your developers.
  • Consider carrying out a test upgrade.  This is a decision for you based on the complexity of your software, your roll back plan and the cost of down time to you.
  • As with any upgrade, we strongly recommend that you run a full backup of your server(s) first.
  • Look at what new features you can benefit from as you move forward! 🙂

Leaving old MySQL 5.6 systems past February 2021 could leave you at risk to:

  • Security vulnerabilities of the out of date system.
  • Software incompatibility.
  • Compliance issues (PCI).
  • Poor performance and reliability

Not sure where to start upgrading MySQL 5.6? Contact us to help.

CentOS

CentOS 6 goes End Of Life on 30 Nov 2020

CentOS 6 goes End of Life (EOL) on the 30th November 2020.
We recommend you upgrade to CentOS 7 or 8 before this date.

Technology and security evolves. New bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date.  Once an operating system reaches end of life, it no longer receives updates, so will end up left with known security holes. Old operating systems don’t support the latest technologies, which new releases of software depend on, this can lead to compatibility issues.

There are some big changes between versions 6, 7 & 8.
In particular:

  • CentOS 7 & 8 require a lot more disk space than CentOS 6
  • CentOS 8 ships with Python v3 by default meaning old Python scripts may need to be re-written
  • Both CentOS 7 & 8 ship with old versions of PHP (v5.4 & v7.2 respectively)

CentOS has a slow rolling release (five years between versions 7 & 8) while PHP is currently releasing new versions quickly (yearly) and only supporting them for 3 years. This makes supporting PHP on CentOS tricky but also brings opportunities…

Old PHP sites that need to run code which requires a old version of PHP can do so by running CentOS as RedHat will actively backport important security updates into old versions of PHP.

Modern PHP sites/frameworks that are typically kept up to date (such as WordPress) can struggle as PHP 5.4 went EOL on 3 Sep 2015 and PHP 7.2 goes EOL in four months meaning your site is already running sub optimal before even going live.

FeaturesCentOS 6CentOS 7CentOS 8
Web ServerApache v2.2.15Apache v2.4.6Apache v2.4.37
PHPv5.3.3v5.4v7.2
Pythonv2.6.6v2.7v3.6.8
DatabasesMySQL v5.1.x, PostgreSQL v8.4.x MariaDB v5.5.x, PostgreSQL v9.2.xMariaDB v10.3.x, PostgreSQL v9.6.x/10.6.x
Minimum / Recommended disk space1GB / 5GB10GB / 20GB10GB / 20GB

Leaving old CentOS 6 systems past November 2020 leaves you at risk to:

  • Security vulnerabilities of the out of date system.
  • Making your entire network more vulnerable.
  • Software incompatibility.
  • Compliance issues (PCI).
  • Poor performance and reliability.

CentOS End of life dates:

  • CentOS 7: 30th June 2024
  • Cent0S 8: 31st May 2029

Not sure where to start? Contact us to help with your migration.

PHP 7.2

PHP 7.2 will go end of life on 30 Nov 2020

PHP 7.2 goes end of life (EOL) on the 30th November 2020 meaning known security flaws will no longer be fixed and sites are exposed to significant security vulnerabilities.

It is important to update them to a newer version. We would recommend updating to either:

  • 7.3 supported until 06 December 2021
  • 7.4 supported until 28 November 2022

As with any upgrade you will want to test your site on the new version before migrating. You may need to get your developers to update some code, check plugins and app versions for the new PHP supportability:

PHP 8.0.0 is due for general availability launch (GA) target of 26 Nov 2020. An early test version is available now but please DO NOT use this version in production, it is an early test version.

Upgrade from PHP 7.2 before the 30th November 2020.

Want a hand? Get in touch!

Removing support for TLS 1.0 and TLS 1.1

TL;DR

For security reasons, it is best practice to disable TLS 1.0 and TLS 1.1, but before you do this you may need to weigh up the risks to traffic from old browsers.

After disabling TLS 1.0 and TLS 1.1 any visitors using old browsers won’t be able to access your site.  If you are accepting credit card payments through your website then your customers security is more important but if you have a public information site then this may not be the case.

Don’t I always want the best security?

Please don’t get us wrong. We are NOT advocating blindly reducing security. This post is very much a response to customers that come to us wanting changes that will break their sites in order to get a perfect score or tick a compliance box. We can usually come up with a best of both worlds once we show the exact implications of the change.

What’s the fuss about?

GlobalSign’s What’s Behind the Change? paragraph sums this up nicely:

Various vulnerabilities over the past few years (e.g., BEAST, POODLE, DROWN…we love a good acronym, don’t we?) have had industry experts recommending disabling all versions of SSL and TLS 1.0 for a while now. PCI Compliance was another driving factor. On June 30, 2018, the PCI Data Security Standard (DSS) required that all websites needed to be on TLS 1.1 or higher in order to comply.

The RFC 7525 from 2015 stipulates that implementations should not use TLS 1.0 or TLS 1.1:

   o  Implementations SHOULD NOT negotiate TLS version 1.0 [RFC2246];
      the only exception is when no higher version is available in the
      negotiation.
      Rationale: TLS 1.0 (published in 1999) does not support many
      modern, strong cipher suites.  In addition, TLS 1.0 lacks a per-
      record Initialization Vector (IV) for CBC-based cipher suites and
      does not warn against common padding errors.
   o  Implementations SHOULD NOT negotiate TLS version 1.1 [RFC4346];
      the only exception is when no higher version is available in the
      negotiation.
      Rationale: TLS 1.1 (published in 2006) is a security improvement
      over TLS 1.0 but still does not support certain stronger cipher
      suites.

Qualys SSL Labs have reduced their grading for servers which support TLS 1.0 or TLS 1.1

Assessing the risk

Who won’t be able to access my website if I disable TLS 1.0 or TLS 1.1? Generally speaking browsers before 2013 will have trouble.  Most popular clients affected are old Android phones and old versions of Windows with Internet Explorer 10.  For the exact Android versions and other affected clients this is a nice breakdown.  As you’d expect the number of visitors with these old clients will vary according to your user base.  It’s best you check your site’s analytics to inform your decision.

Again, you can take into account how important encryption is for your website.  For example, at the time of writing it’s interesting to note that paypal.com has removed support for TLS 1.0 & 1.1 whilst google.com has not.

Summary

So what does this mean?  Lets give some examples…

If security is important to you; perhaps you have an e-commerce site taking payments or you are a IT consultancy like ourselves where people wish to share private information. You must disable old SSL/TLS protocols so that the only way people can communicate with your site is as secure as possible.

If accessibility is important to you; perhaps you are trying to share public information, be it a marketing or public resources site. It maybe worth supporting old protocols to allow your message to be shared as wide as possible.

Remember; it maybe typically called a sales “funnel” but traffic doesn’t have to end up in just one place. Users not supporting the right levels of security can be redirected to alternative pages where they can be contacted in other ways.  Why lose a sale when you don’t have to!

 

We’ve intentionally painted with broad strokes in this blog post.  We’re happy to give specific advice if you contact us and feel free to leave a comment 🙂

AWS Logo

Amazon Linux 1 goes EOL 30 June 2020

On the 30th June 2020, Amazon Linux 1 goes End of Life (EOL). We recommend you upgrade to Amazon Linux 2.

Technology and security evolves. New bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date. Once an operating system reaches end of life, it no longer receives updates, so will end up left with known security holes. Old operating systems don’t support the latest technologies, which new releases of software depend on, this can lead to compatibility issues.

Leaving old Amazon Linux 1 systems past June 2020 leaves you at risk to:

  • Security vulnerabilities of the system in question
  • Making your network more vulnerable as a whole
  • Software incompatibility
  • Compliance issues (PCI)
  • Poor performance and reliability

Changes in AWS Linux 2:

  • Apache / HTTPD 2.2.34 -> 2.4.41
  • PHP 5.3 -> PHP 5.4
  • MySQL 5.5 -> MariaDB 5.5
  • SystemVinit -> systemd

As well as new features like:

  • Long term software OS and support until 2023
  • Access to the latest software like PHP 7.2 via the amazon-linux-extras tool.

Not sure where to start? Contact us to help with your migration.

Magento Logo

Magento 1.x EOL June 2020

Magento v1 (all versions up to and including v1.9.4.3) will stop receiving software security updates after June 2020. Don’t leave it too late to migrate if you haven’t already.

This affects both editions of Magento…

  • Open Source (formerly “Community Edition”)
  • Commerce (formerly “Enterprise Edition”)

We recommend you upgrade to the latest version of Magento 2, currently version 2.3.3.

v2 was released in November 2015 and has proven itself to be a huge upgrade on v1. It has improved performance, improved page caching, inbuilt rich snippets for structured data, enterprise-grade scalability, a new file structure with easier customization, CSS Preprocessing and a much more structured code base.

Magento have a number of Migration Tools available to assist you with moving from v1 to v2.

And of course, if you need an help with your migration please do feel free to contact us to discuss your requirements.

Toy Story Jessie running in front of a large green arrow

Debian 8 Jessie EOL 30th June 2020

On the 30th June 2020, Debian 8 “Jessie” goes End of Life (EOL). We recommend you upgrade to Debian 10 “Buster” (skipping Debian 9 if possible).

Debian 8 was one of a few OS’s that supported PHP 5, even after official support by the PHP developers ended in 2018. Debian 10 supports PHP 7.3, which may require  some rewriting of code for your website or application, so it best to start planning your upgrade now!

Technology and security evolves. New bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date.  Once an operating system reaches end of life, it no longer receives updates, so will end up left with known security holes. Old operating systems don’t support the latest technologies, which new releases of software depend on, this can lead to compatibility issues.

Leaving old Debian 8 systems past June 2020 leaves you at risk to:

  • Security vulnerabilities of the out of date system.
  • Making your entire network more vulnerable.
  • Software incompatibility.
  • Compliance issues (PCI).
  • Poor performance and reliability.

Debian End of life dates:

  • Debian 9 “Stretch”: June 2022.
  • Debian 10: “Buster”:  No date given as yet –  based on previous releases our best guess is 2024.

Increased Speed:

By moving from Debian 8 to Debian 10 you should notice a speed increase due to the newer software.

  • Apache 2.4.10 -> Apache 2.4.38
  • PHP 5.x -> PHP 7.3
  • MySQL 5.6 / 5.7 -> MariaDB 10.3

Not sure where to start? Contact us to help with your migration.

 

Feature image by Loren Javier licensed by CC by 2.0

Cyber Security

A small business cyber security plan

October is National Cyber Security Awareness Month (NCSAM).  #BeCyberSmart #CyberAware

Security is everyone’s responsibility, so whether you’re a small business, medium enterprise, SaaS provider or web agency, grab a cuppa and learn some of the ways, we at Dogsbody, recommend improving your security.

You are 9 times more likely to be a victim of fraud than burglary.

With 15 years of experience behind us we feel qualified to produce our very own small business cyber security plan.

A small business cyber security plan

Security (cyber or otherwise) all boils down to risk.

The only way to keep a system 100% safe is for it to be in a sealed room, inaccessible to people, to the internet or the outside world and even then, someone could almost certainly gain access to the room if they really wanted too.

Security isn’t just about protecting from the hacks we are aware of, it’s also about attempting to protect users from the threats which haven’t yet been discovered or made widely available.

Implementing preventative or early detection systems with the right security practices for your people, processes and IT systems should mean you become more tuned to spotting attacks or hacks, giving you a better chance to protect yourself and your business.

“100% secure is just not possible”

Technology is a constantly moving beast. So are the methods used to try to gain unauthorised access to your systems.

Your staff may be reasonably savvy about emails which impersonate companies, however as an example of the speed of technology, the Dogsbody team has seen AI now being used to fake people’s voices and scam people out of £1000’s.

Scammers are coming up with new methods to extract cash or assets from companies as fast as security experts are mitigating them.

In this article, we look at each of the three principle areas of risk for your business – People, Systems and Processes; as well as some of the things you can implement immediately to reduce your exposure.

Computer security, cybersecurity or information technology security (IT security) is the protection of computer systems from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide. – wikipedia.org

Risk #1- people

Image of technician working at three monitors - Educating people is a huge part of any small business cyber security plan

Humans are fallible (likely to make errors or fail). Nobody’s perfect, after all.

However there are some actions for which there are no excuses … weak passwords is one of them! Any small business cyber security plan has to put passwords at the centre of the plan.

The good news is that there are so many ways to make strong unique passwords for every single login. The video below contains a useful method for creating incredibly strong, yet memorable passwords:

Find out how easy passwords are to crack. Get scared.

Password reuse and poor passwords are unacceptable and easily preventable. We have talked before about using a password manager and 2 Factor Authentication (2FA) where available. Get to understand these tools (or talk to us!) and figure out how best to include them within your business.

Education is key

Having clear processes and good security training is another way to help make sure everyone is on the same page.  Free cyber security training courses, videos and online resources are readily available from reputable sources:

Social Media – your online life

Social media allows us to find out basic details about people and companies within seconds. Using a combination of Google and Linkedin allows everyone to know who you work for.

Whilst this is great for networking, it does mean that you and your team need to be careful about what you share and and who you share it with.

If you are reading this article and rolling your eyes and think this security advice just doesn’t matter, spend three minutes watching this (brilliant) video and you might just change your mind:

Frightening huh? And hopefully thought provoking too.

Have processes in place to check when dealing with all contacts via email and phone. Are you speaking to who you think it is?.

It is also sensible to avoid giving out personal data over the phone or via insecure methods such as Slack and email.

Risk #2 – systems, servers & devices

Image of two people breaking into a safe - Small business cyber security plan - Lock it down

There is something or someone trying to access your data every minute of every day.

Implementing preventative and early detection systems into your workflow may help mitigate a situation before it starts.

Devices, including servers, work laptops, home laptops, mobile phones, routers, printers, internet of things (IOT) devices (including that wifi connect light bulb) can all be used against you and your business.

Dogsbody’s #1 tip: keep your devices up-to-date

Updates for all of these devices are released regularly to address bugs, code improvements and security vulnerabilities.

If you’re not updating (patching) regularly, then you are putting yourself at a higher risk of being exploited by a known vulnerability.

Don’t be that person or company.

End of life

Be aware of software end of life (EOL). For example mobile phone hardware usually outlives its supported software meaning it’s open to new security vulnerabilities.

We often talk about ‘end of life’ software in our newsletter. Last month, we confirmed Python 2.7 and PHP 7.1 are going to be end of life soon. Once software is no longer supported, there are no guarantees about the security holes this software could lead too.

Restrict access

Only give access to the areas people need to do their job whether that is physical (rooms, offices), Documents (read only and write only) or devices/servers, it will make it easier to spot an intruder. Separate users means you can see who made a change giving you an audit trail should anything go amiss. Remember to remove old users.

Proactive monitoring

Monitor everything: cpu, memory, disk io, disk space, ports etc. We monitor all of these metrics (and more) on behalf of 100’s of customers.

Use our free tool to monitor some of your external resources too – StatusPile allows you to build a status page of status pages.

A spike or alert across any of these metrics could mean a server is being attacked. If you respond quickly, attackers can be blocked before they cause too much damage.

Back up

We’ve written about backup strategies before. This is such a fundamental part of business.

Don’t be that company that can’t recover from an event like this:

Image of burnt out server rack - Off site backups are essential

If you lost everything where do you go?

Off site backups – simply have them, know where they are and keep them up to date.

Make sure you check them regularly. Is everything being backed up correctly? Are they actually working when you perform a restore? Is the retention policy set correctly?

It’s not good enough to set and forget – new infrastructure gets added, access codes change. Be diligent and don’t lose your business when something goes wrong.

Standardised builds

Have (documented) standard builds for servers, workstations, laptops and other network infrastructure.

Insecure configurations can allow malicious users to obtain unauthorised access, so it is important to ensure the secure configuration of all systems is set up and maintained.

If you need help, talk to us – we do this every day!

Know what you don’t know

That may sound like a crazy heading – but we really mean it. If you don’t test your infrastructure regularly, you don’t know what’s really going on. Involve a third party, get an expert to ethically hack into your systems. This process is of course known as penetration testing.

Penetration tests take many different forms. Testing once a year is a step in the right direction, however infrastructure changes regularly and rightly so, patches must be applied and users added and removed, its a constantly moving beast, so it makes sense to have regular penetration tests. Whilst they give you peace of mind – they will also give your customers peace of mind too.

Protect your email

Make it harder for impersonators to send spam which looks like it comes from your business by setting up your email correctly.

Public wifi is a notorious place for hackers to lurk

Know the risks of public wifi.

Usually it’s free and often, it’s not secure. Avoid visiting sensitive sites such as banks, accounts packages, work ticketing systems when connected.

Company VPN’s can be used if you need to do this regularly. Personal VPN applications are good too for personal browsing.

Risk #3 – processes

Image of white lever arch files

Processes have been intertwined within the previous two sections. We’ve discussed standardised builds, communications. device and social media policies.

It’s now time to mop up some of the areas we’ve not yet mentioned.

How would you respond to an emergency if your digital channels were down?

If and when something does go wrong have you considered how you would communicate with your customers?

Host your status page on a completely separate hosting provider to all your other business activities and remember, to make the password accessible for when you are offline.

Status pages are for facts. Do not speculate or discuss issues that have not been confirmed.

Image of Dogsbody Technology Status Page

Crisis communications is a consideration for all businesses.

Documentation

You rarely hear people talking about the joys of documentation, however it’s a necessary evil of business and absolutely could be your saviour one day.

Here at Dogsbody, we do it as a matter of course. Without shared documentation, IT systems are left exposed. employees leave, employees get sick. It’s essential others can understand how your IT infrastructure works.

Server build documentation is the recipe for your servers. If a server was down and the only way to recover it was to rebuild it – would you know how to? Is it clear how it was set up … who had access … and how the operating system was configured?

Having a build guide document in place means anyone can pick it up and get it back online quickly.

Subscribe for service updates

Subscribe to your providers service updates, notifications, emails and/or RSS feeds, monitor Status pages, hang out on tech forums – as a Linux managed server provider, our team are always reading blogs, security updates and notices – its just part of the day job.

The Government National Cyber security centre release weekly threat reports as well as advice on all security topics.

___________

That wraps up our small business cyber security plan. We hope it makes you think about how your business approaches online security.

If we can help answer any questions, please don’t hesitate to get in touch.

Python 2 will go end of life on 01 Jan 2020

Quick Public Safety Announcement, Python 2.7 goes end of life 01 Jan 2020.  This is the end of the road for Python 2.x – there won’t be a version 2.8.

This means any Python code that’s still on 2.x needs updating to Python 3.  Any code that isn’t moved over won’t receive security updates so will inevitably become insecure.

Identify your code

If you’ve got a lot of code it’s worth taking the time to check what’s where and which version of Python it’s using.

Python 3 was released at the end of 2008.  Adoption has been slow, a factor has been that all of your dependencies need to support Python 3 before you can.  Now that we’re over 10 years down the road this is much less likely to be an issue.

You can start off by checking code that has been written more recently.  Hopefully this will have been written for Python 3.  A survey by JetBrains shows that between 2017 and 2018 the number of developers that mostly used Python 2 fell from 25% to just 16%.  It’s also interesting to note the divide between use cases.  Data science having better adoption than both web and dev-ops.

Don’t forget old code

Unfortunately the numbers above are for code that developers are writing now.  We’re also concerned with code that was written many years ago and hasn’t recently had any major changes.  Looking at the number of packages downloaded instead of what developers are mostly using gives a different picture.  The numbers are closer to 50/50 with the trend between data science and dev-ops still clear.  TensorFlow is most often downloaded for Python 3 whilst botocore is heavily Python 2.  Boto is heavily used in API access to cloud providers such as AWS.

If all of your recent code is Python 3 it’s worth having a good dig around for places old code might be hiding.

What are the steps to update to Python 3?

  • The first step to update code is to make sure any packages you’re using support Python 3.  A tool such as caniusepython3 should show you where the issues are.
  • After that depending on the complexity of your code you can update it by hand or use a tool such as Futurize to help with the conversion .

A key part of smoothly updating is to have a good testing process so you can quickly find and fix the bits that unexpectedly break.  See the porting guide for more info.

 

Feature image by See1,Do1,Teach1 licensed CC BY 2.0.

PHP 7.2

PHP 7.1 will go end of life on 1 Dec 2019

PHP 7.1 goes end of life (EOL) on the 1st December 2019 meaning known security flaws will no longer be fixed and sites are exposed to significant security vulnerabilities.

It is important to update them to a newer version. We would recommend updating to either:

  • 7.2 supported until 30 November 2020
  • 7.3 supported until 6 December 2021

As with any upgrade you will want to test your site on the new version before migrating. You may need to get your developers to update some code, check plugins and app versions for the new PHP supportability.

If you love a pie chart, Jordi Boggiano has provided this great overview of the PHP versions out there.

PHP VersionsUpgrade from PHP 7.1 before the 1st December 2019.

Want a hand? Get in touch!