On April 2021, Ubuntu 16.04 reaches end of life (EOL); We recommend that you update to Ubuntu 20.04.
Technology and security evolves, new bugs are fixed and new threats prevented, in order to maintain a secure infrastructure it is important to update all software and systems.
Operating systems are key to security, providing the libraries and technologies behind NGINX, Apache and anything else running your application. Old operating systems don’t support the latest technologies, which new releases of software depend on, leading to compatibility issues.
Leaving old Ubuntu 16.04 systems past April 2021 leaves you at risk to:
Security vulnerabilities of the system in question
Ubuntu LTS (long term support) operating systems come with a 5 year End Of Life policy. This means that after 5 years it receives no maintenance or security updates.
16.04 : April 2021
18.04 : April 2023
20.04 : April 2025
Faster:
Upgrading from Ubuntu 16.04 to Ubuntu 20.04 will, instantly, speed up your site.
https://www.dogsbody.com/wp-content/uploads/still-life-3267352_640.jpg427640Claire Christmashttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngClaire Christmas2020-11-26 11:30:212020-12-01 11:29:07Ubuntu 16.04 End of Life April 2021
Official support for MySQL 5.6 ends on the 05 Feb 2021. After this date, known security flaws will no longer be fixed leaving you exposed to significant security vulnerabilities.
We recommend you upgrade to MySQL 5.7 or newer. Some operating system maintainers backport security patches however this is not always guaranteed so do your research.
Before upgrading
As with any software upgrade, there are risks when jumping to new software versions. These are some things you can do to reduce issues:
Make sure your software and settings are compatible with the new version of MySQL.
For example, if you have a WordPress site you can see this on their requirements page. You should also double check that your plugins and themes are also compatible.
If you have a lot of custom site code, you should check with your developers.
Consider carrying out a test upgrade. This is a decision for you based on the complexity of your software, your roll back plan and the cost of down time to you.
As with any upgrade, we strongly recommend that you run a full backup of your server(s) first.
Look at what new features you can benefit from as you move forward! 🙂
Leaving old MySQL 5.6 systems past February 2021 could leave you at risk to:
Security vulnerabilities of the out of date system.
Software incompatibility.
Compliance issues (PCI).
Poor performance and reliability
Not sure where to start upgrading MySQL 5.6? Contact us to help.
https://www.dogsbody.com/wp-content/uploads/MySQL.png11181280Claire Christmashttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngClaire Christmas2020-11-23 13:23:482020-11-23 13:56:21MySQL 5.6 End of Life 05 Feb 2021
CentOS 6 goes End of Life (EOL) on the 30th November 2020.
We recommend you upgrade to CentOS 7 or 8 before this date.
Technology and security evolves. New bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date. Once an operating system reaches end of life, it no longer receives updates, so will end up left with known security holes. Old operating systems don’t support the latest technologies, which new releases of software depend on, this can lead to compatibility issues.
CentOS 7 & 8 require a lot more disk space than CentOS 6
CentOS 8 ships with Python v3 by default meaning old Python scripts may need to be re-written
Both CentOS 7 & 8 ship with old versions of PHP (v5.4 & v7.2 respectively)
CentOS has a slow rolling release (five years between versions 7 & 8) while PHP is currently releasing new versions quickly (yearly) and only supporting them for 3 years. This makes supporting PHP on CentOS tricky but also brings opportunities…
Modern PHP sites/frameworks that are typically kept up to date (such as WordPress) can struggle as PHP 5.4 went EOL on 3 Sep 2015 and PHP 7.2 goes EOL in four months meaning your site is already running sub optimal before even going live.
Features
CentOS 6
CentOS 7
CentOS 8
Web Server
Apache v2.2.15
Apache v2.4.6
Apache v2.4.37
PHP
v5.3.3
v5.4
v7.2
Python
v2.6.6
v2.7
v3.6.8
Databases
MySQL v5.1.x, PostgreSQL v8.4.x
MariaDB v5.5.x, PostgreSQL v9.2.x
MariaDB v10.3.x, PostgreSQL v9.6.x/10.6.x
Minimum / Recommended disk space
1GB / 5GB
10GB / 20GB
10GB / 20GB
Leaving old CentOS 6 systems past November 2020 leaves you at risk to:
Security vulnerabilities of the out of date system.
Making your entire network more vulnerable.
Software incompatibility.
Compliance issues (PCI).
Poor performance and reliability.
CentOS End of life dates:
CentOS 7: 30th June 2024
Cent0S 8: 31st May 2029
Not sure where to start? Contact us to help with your migration.
https://www.dogsbody.com/wp-content/uploads/coin-2357072_1280.jpg6821280Dan Bentonhttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngDan Benton2020-07-20 11:30:422020-11-16 17:09:50CentOS 6 goes End Of Life on 30 Nov 2020
It is important to update them to a newer version. We would recommend updating to either:
7.3 supported until 06 December 2021
7.4 supported until 28 November 2022
As with any upgrade you will want to test your site on the new version before migrating. You may need to get your developers to update some code, check plugins and app versions for the new PHP supportability:
PHP 8.0.0 is due for general availability launch (GA) target of 26 Nov 2020. An early test version is available now but please DO NOT use this version in production, it is an early test version.
Upgrade from PHP 7.2 before the 30th November 2020.
https://www.dogsbody.com/wp-content/uploads/PHP_Logo.png350722Claire Christmashttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngClaire Christmas2020-07-14 09:07:502020-11-16 17:07:51PHP 7.2 will go end of life on 30 Nov 2020
For security reasons, it is best practice to disable TLS 1.0 and TLS 1.1, but before you do this you may need to weigh up the risks to traffic from old browsers.
After disabling TLS 1.0 and TLS 1.1 any visitors using old browsers won’t be able to access your site. If you are accepting credit card payments through your website then your customers security is more important but if you have a public information site then this may not be the case.
Don’t I always want the best security?
Please don’t get us wrong. We are NOT advocating blindly reducing security. This post is very much a response to customers that come to us wanting changes that will break their sites in order to get a perfect score or tick a compliance box. We can usually come up with a best of both worlds once we show the exact implications of the change.
Various vulnerabilities over the past few years (e.g., BEAST, POODLE, DROWN…we love a good acronym, don’t we?) have had industry experts recommending disabling all versions of SSL and TLS 1.0 for a while now. PCI Compliance was another driving factor. On June 30, 2018, the PCI Data Security Standard (DSS) required that all websites needed to be on TLS 1.1 or higher in order to comply.
The RFC 7525 from 2015 stipulates that implementations should not use TLS 1.0 or TLS 1.1:
o Implementations SHOULD NOT negotiate TLS version 1.0 [RFC2246];
the only exception is when no higher version is available in the
negotiation.
Rationale: TLS 1.0 (published in 1999) does not support many
modern, strong cipher suites. In addition, TLS 1.0 lacks a per-
record Initialization Vector (IV) for CBC-based cipher suites and
does not warn against common padding errors.
o Implementations SHOULD NOT negotiate TLS version 1.1 [RFC4346];
the only exception is when no higher version is available in the
negotiation.
Rationale: TLS 1.1 (published in 2006) is a security improvement
over TLS 1.0 but still does not support certain stronger cipher
suites.
Who won’t be able to access my website if I disable TLS 1.0 or TLS 1.1? Generally speaking browsers before 2013 will have trouble. Most popular clients affected are old Android phones and old versions of Windows with Internet Explorer 10. For the exact Android versions and other affected clients this is a nice breakdown. As you’d expect the number of visitors with these old clients will vary according to your user base. It’s best you check your site’s analytics to inform your decision.
Again, you can take into account how important encryption is for your website. For example, at the time of writing it’s interesting to note that paypal.com has removed support for TLS 1.0 & 1.1 whilst google.com has not.
Summary
So what does this mean? Lets give some examples…
If security is important to you; perhaps you have an e-commerce site taking payments or you are a IT consultancy like ourselves where people wish to share private information. You must disable old SSL/TLS protocols so that the only way people can communicate with your site is as secure as possible.
If accessibility is important to you; perhaps you are trying to share public information, be it a marketing or public resources site. It maybe worth supporting old protocols to allow your message to be shared as wide as possible.
Remember; it maybe typically called a sales “funnel” but traffic doesn’t have to end up in just one place. Users not supporting the right levels of security can be redirected to alternative pages where they can be contacted in other ways. Why lose a sale when you don’t have to!
We’ve intentionally painted with broad strokes in this blog post. We’re happy to give specific advice if you contact us and feel free to leave a comment 🙂
https://www.dogsbody.com/wp-content/uploads/red-metal-padlock-157203.jpg10351553Jim Carterhttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngJim Carter2020-05-19 10:51:392020-05-19 18:09:45Removing support for TLS 1.0 and TLS 1.1
Amazon Linux 1 (Amazon Linux AMI) extended maintenance support period ends on June 30, 2023. After this date Amazon Linux 1 will no longer be supported.
Following customer feedback back in 2020, Amazon extended the end-of-life date of its Amazon Linux 1 and announced a maintenance support period – This Period is coming to an end.
This post has been updated with the latest information
Technology and security evolves. New bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date. Once an operating system reaches end of life, it no longer receives updates, so will end up left with known security holes. Old operating systems don’t support the latest technologies, which new releases of software depend on, this can lead to compatibility issues.
Leaving old Amazon Linux 1 systems past June 2023 leaves you at risk to:
Security vulnerabilities of the system in question
Making your network more vulnerable as a whole
Software incompatibility
Compliance issues (PCI)
Poor performance and reliability
Amazon Linux 2022 includes many of the same packages that were present in Amazon Linux 2. Some of these package versions were updated for Amazon Linux 2022.
Changes:
MariaDB -> 10.5.16
Python -> 3.9
You can upgrade to either version of Amazon Linux – points to note are
Amazon Linux 2
3 years of support – End of Life: 30 Jun 2025.
CentOS based
Amazon Linux 2022
Fedora Based.
5 years of support
Uses DNF instead of YUM for updates
Not sure where to start? Contact us to help with your migration.
https://www.dogsbody.com/wp-content/uploads/800px-Amazon_Web_Services_Logo_1-1.png7191300Claire Christmashttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngClaire Christmas2020-02-10 11:20:272023-01-18 14:05:08Amazon Linux 1 goes EOL 30 June 2023
Magento v1 (all versions up to and including v1.9.4.3) will stop receiving software security updates after June 2020. Don’t leave it too late to migrate if you haven’t already.
This affects both editions of Magento…
Open Source (formerly “Community Edition”)
Commerce (formerly “Enterprise Edition”)
We recommend you upgrade to the latest version of Magento 2, currently version 2.3.3.
v2 was released in November 2015 and has proven itself to be a huge upgrade on v1. It has improved performance, improved page caching, inbuilt rich snippets for structured data, enterprise-grade scalability, a new file structure with easier customization, CSS Preprocessing and a much more structured code base.
Magento have a number of Migration Tools available to assist you with moving from v1 to v2.
And of course, if you need an help with your migration please do feel free to contact us to discuss your requirements.
https://www.dogsbody.com/wp-content/uploads/Magento-Logo.png6301200Claire Christmashttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngClaire Christmas2020-01-20 11:04:502020-01-20 12:21:00Magento 1.x EOL June 2020
On the 30th June 2020, Debian 8 “Jessie” goes End of Life (EOL). We recommend you upgrade to Debian 10 “Buster” (skipping Debian 9 if possible).
Debian 8 was one of a few OS’s that supported PHP 5, even after official support by the PHP developers ended in 2018. Debian 10 supports PHP 7.3, which may require some rewriting of code for your website or application, so it best to start planning your upgrade now!
Technology and security evolves. New bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date. Once an operating system reaches end of life, it no longer receives updates, so will end up left with known security holes. Old operating systems don’t support the latest technologies, which new releases of software depend on, this can lead to compatibility issues.
Leaving old Debian 8 systems past June 2020 leaves you at risk to:
Security vulnerabilities of the out of date system.
Making your entire network more vulnerable.
Software incompatibility.
Compliance issues (PCI).
Poor performance and reliability.
Debian End of life dates:
Debian 9 “Stretch”: June 2022.
Debian 10: “Buster”: No date given as yet – based on previous releases our best guess is 2024.
Increased Speed:
By moving from Debian 8 to Debian 10 you should notice a speed increase due to the newer software.
Apache 2.4.10 -> Apache 2.4.38
PHP 5.x -> PHP 7.3
MySQL 5.6 / 5.7 -> MariaDB 10.3
Not sure where to start? Contact us to help with your migration.
October is National Cyber Security Awareness Month (NCSAM). #BeCyberSmart #CyberAware
Security is everyone’s responsibility, so whether you’re a small business, medium enterprise, SaaS provider or web agency, grab a cuppa and learn some of the ways, we at Dogsbody, recommend improving your security.
You are 9 times more likely to be a victim of fraud than burglary.
With 15 years of experience behind us we feel qualified to produce our very own small business cyber security plan.
A small business cyber security plan
Security (cyber or otherwise) all boils down to risk.
The only way to keep a system 100% safe is for it to be in a sealed room, inaccessible to people, to the internet or the outside world and even then, someone could almost certainly gain access to the room if they really wanted too.
Security isn’t just about protecting from the hacks we are aware of, it’s also about attempting to protect users from the threats which haven’t yet been discovered or made widely available.
Implementing preventative or early detection systems with the right security practices for your people, processes and IT systems should mean you become more tuned to spotting attacks or hacks, giving you a better chance to protect yourself and your business.
“100% secure is just not possible”
Technology is a constantly moving beast. So are the methods used to try to gain unauthorised access to your systems.
Your staff may be reasonably savvy about emails which impersonate companies, however as an example of the speed of technology, the Dogsbody team has seen AI now being used to fake people’s voices and scam people out of £1000’s.
Scammers are coming up with new methods to extract cash or assets from companies as fast as security experts are mitigating them.
In this article, we look at each of the three principle areas of risk for your business – People, Systems and Processes; as well as some of the things you can implement immediately to reduce your exposure.
Computer security, cybersecurity or information technology security (IT security) is the protection of computer systems from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide. – wikipedia.org
Risk #1- people
Humans are fallible (likely to make errors or fail). Nobody’s perfect, after all.
However there are some actions for which there are no excuses … weak passwords is one of them! Any small business cyber security plan has to put passwords at the centre of the plan.
The good news is that there are so many ways to make strong unique passwords for every single login. The video below contains a useful method for creating incredibly strong, yet memorable passwords:
Find out how easy passwords are to crack. Get scared.
Password reuse and poor passwords are unacceptable and easily preventable. We have talked before about using a password manager and 2 Factor Authentication (2FA) where available. Get to understand these tools (or talk to us!) and figure out how best to include them within your business.
Education is key
Having clear processes and good security training is another way to help make sure everyone is on the same page. Free cyber security training courses, videos and online resources are readily available from reputable sources:
Social media allows us to find out basic details about people and companies within seconds. Using a combination of Google and Linkedin allows everyone to know who you work for.
Whilst this is great for networking, it does mean that you and your team need to be careful about what you share and and who you share it with.
If you are reading this article and rolling your eyes and think this security advice just doesn’t matter, spend three minutes watching this (brilliant) video and you might just change your mind:
Frightening huh? And hopefully thought provoking too.
Have processes in place to check when dealing with all contacts via email and phone. Are you speaking to who you think it is?.
It is also sensible to avoid giving out personal data over the phone or via insecure methods such as Slack and email.
Risk #2 – systems, servers & devices
There is something or someone trying to access your data every minute of every day.
Implementing preventative and early detection systems into your workflow may help mitigate a situation before it starts.
Devices, including servers, work laptops, home laptops, mobile phones, routers, printers, internet of things (IOT) devices (including that wifi connect light bulb) can all be used against you and your business.
Dogsbody’s #1 tip: keep your devices up-to-date
Updates for all of these devices are released regularly to address bugs, code improvements and security vulnerabilities.
If you’re not updating (patching) regularly, then you are putting yourself at a higher risk of being exploited by a known vulnerability.
Don’t be that person or company.
End of life
Be aware of software end of life (EOL). For example mobile phone hardware usually outlives its supported software meaning it’s open to new security vulnerabilities.
We often talk about ‘end of life’ software in our newsletter. Last month, we confirmed Python 2.7 and PHP 7.1 are going to be end of life soon. Once software is no longer supported, there are no guarantees about the security holes this software could lead too.
Restrict access
Only give access to the areas people need to do their job whether that is physical (rooms, offices), Documents (read only and write only) or devices/servers, it will make it easier to spot an intruder. Separate users means you can see who made a change giving you an audit trail should anything go amiss. Remember to remove old users.
Proactive monitoring
Monitor everything: cpu, memory, disk io, disk space, ports etc. We monitor all of these metrics (and more) on behalf of 100’s of customers.
Use our free tool to monitor some of your external resources too – StatusPile allows you to build a status page of status pages.
A spike or alert across any of these metrics could mean a server is being attacked. If you respond quickly, attackers can be blocked before they cause too much damage.
Back up
We’ve written about backup strategies before. This is such a fundamental part of business.
Don’t be that company that can’t recover from an event like this:
If you lost everything where do you go?
Off site backups – simply have them, know where they are and keep them up to date.
Make sure you check them regularly. Is everything being backed up correctly? Are they actually working when you perform a restore? Is the retention policy set correctly?
It’s not good enough to set and forget – new infrastructure gets added, access codes change. Be diligent and don’t lose your business when something goes wrong.
Standardised builds
Have (documented) standard builds for servers, workstations, laptops and other network infrastructure.
Insecure configurations can allow malicious users to obtain unauthorised access, so it is important to ensure the secure configuration of all systems is set up and maintained.
If you need help, talk to us – we do this every day!
Know what you don’t know
That may sound like a crazy heading – but we really mean it. If you don’t test your infrastructure regularly, you don’t know what’s really going on. Involve a third party, get an expert to ethically hack into your systems. This process is of course known as penetration testing.
Penetration tests take many different forms. Testing once a year is a step in the right direction, however infrastructure changes regularly and rightly so, patches must be applied and users added and removed, its a constantly moving beast, so it makes sense to have regular penetration tests. Whilst they give you peace of mind – they will also give your customers peace of mind too.
Protect your email
Make it harder for impersonators to send spam which looks like it comes from your business by setting up your email correctly.
Public wifi is a notorious place for hackers to lurk
Know the risks of public wifi.
Usually it’s free and often, it’s not secure. Avoid visiting sensitive sites such as banks, accounts packages, work ticketing systems when connected.
Company VPN’s can be used if you need to do this regularly. Personal VPN applications are good too for personal browsing.
Risk #3 – processes
Processes have been intertwined within the previous two sections. We’ve discussed standardised builds, communications. device and social media policies.
It’s now time to mop up some of the areas we’ve not yet mentioned.
How would you respond to an emergency if your digital channels were down?
If and when something does go wrong have you considered how you would communicate with your customers?
Host your status page on a completely separate hosting provider to all your other business activities and remember, to make the password accessible for when you are offline.
Status pages are for facts. Do not speculate or discuss issues that have not been confirmed.
You rarely hear people talking about the joys of documentation, however it’s a necessary evil of business and absolutely could be your saviour one day.
Here at Dogsbody, we do it as a matter of course. Without shared documentation, IT systems are left exposed. employees leave, employees get sick. It’s essential others can understand how your IT infrastructure works.
Server build documentation is the recipe for your servers. If a server was down and the only way to recover it was to rebuild it – would you know how to? Is it clear how it was set up … who had access … and how the operating system was configured?
Having a build guide document in place means anyone can pick it up and get it back online quickly.
Subscribe for service updates
Subscribe to your providers service updates, notifications, emails and/or RSS feeds, monitor Status pages, hang out on tech forums – as a Linux managed server provider, our team are always reading blogs, security updates and notices – its just part of the day job.
That wraps up our small business cyber security plan. We hope it makes you think about how your business approaches online security.
If we can help answer any questions, please don’t hesitate to get in touch.
https://www.dogsbody.com/wp-content/uploads/architecture-black-and-white-challenge-277593.jpg16003000Claire Christmashttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngClaire Christmas2019-10-07 11:00:102020-01-16 10:44:06A small business cyber security plan
Quick Public Safety Announcement, Python 2.7 goes end of life 01 Jan 2020. This is the end of the road for Python 2.x – there won’t be a version 2.8.
This means any Python code that’s still on 2.x needs updating to Python 3. Any code that isn’t moved over won’t receive security updates so will inevitably become insecure.
Identify your code
If you’ve got a lot of code it’s worth taking the time to check what’s where and which version of Python it’s using.
Python 3 was released at the end of 2008. Adoption has been slow, a factor has been that all of your dependencies need to support Python 3 before you can. Now that we’re over 10 years down the road this is much less likely to be an issue.
You can start off by checking code that has been written more recently. Hopefully this will have been written for Python 3. A survey by JetBrains shows that between 2017 and 2018 the number of developers that mostly used Python 2 fell from 25% to just 16%. It’s also interesting to note the divide between use cases. Data science having better adoption than both web and dev-ops.
Don’t forget old code
Unfortunately the numbers above are for code that developers are writing now. We’re also concerned with code that was written many years ago and hasn’t recently had any major changes. Looking at the number of packages downloaded instead of what developers are mostly using gives a different picture. The numbers are closer to 50/50 with the trend between data science and dev-ops still clear. TensorFlow is most often downloaded for Python 3 whilst botocore is heavily Python 2. Boto is heavily used in API access to cloud providers such as AWS.
If all of your recent code is Python 3 it’s worth having a good dig around for places old code might be hiding.
What are the steps to update to Python 3?
The first step to update code is to make sure any packages you’re using support Python 3. A tool such as caniusepython3 should show you where the issues are.
After that depending on the complexity of your code you can update it by hand or use a tool such as Futurize to help with the conversion .
A key part of smoothly updating is to have a good testing process so you can quickly find and fix the bits that unexpectedly break. See the porting guide for more info.
https://www.dogsbody.com/wp-content/uploads/endoftheline-e1467806432495.jpg546883Jim Carterhttps://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.pngJim Carter2019-09-09 14:43:572019-09-09 15:38:42Python 2 will go end of life on 01 Jan 2020
