Recently, a client contacted me to share that their web server’s firewall was busy banning IP addresses from port scanners. Sure enough, a quick peek at the server logs show that there were indeed multiple IP bans lately. Most of these were temporary bans as the firewall did not deem these infractions critical enough to be permanent bans. When looking at the notifications, a particular domain in the ban list caught my eye. It was a microsoft.com domain along with an IP address. A WHOIS lookup shows that this IP does indeed belong to the software giant Microsoft Corp, manufacturer of Microsoft Windows and Microsoft Office. The reason for permanently banning this IP was that the IP itself had too been temporarily banned too many times in a certain time frame. So after a few warnings, the server’s firewall permanently banned this Microsoft IP from hitting the client’s web server again.

131.107.0.114 (US/United States/tide544.microsoft.com)

After some more digging around and research, could this be a case where it is a false positive result for port scanning? Since we do not want to hinder any of MSN’s servers, whether it’s Bing.com or MSN search, from crawling our web sites the more important question is actually should I unban this IP address? Anyone else also experience your firewall banning Microsoft IP addresses for port scanning? What would you do?

Tweet This Post

Have you ever wondered what makes the ultimate data center? From a business perspective, the main objective for choosing the right data center is to minimize downtime of its servers. The decision to choose a data center is a critical step and deserves much more consideration than just finding the lowest cost option. As technology advances, online marketers have been patiently waiting for an important feature previously only available at an enterprise level to filter down to the small businesses. It was only a matter of time but the ultimate data center is finally here!

As the demand to publish media (images, audio and video) on the internet increases, content delivery networks used to deliver these larger media files have been increasing in popularity. In short, a typical content delivery network utilizes a network of multiple servers located in different parts of the country (or the world) and would deliver rich media such as video and audio to the end user from a the nearest server. This setup will allow the end user to receive the rich media quicker than if it was served from one single host server.

This type of service has been available for some time but access to it was mainly limited to enterprise level customers. As more and more companies begin to offer content delivery network services, look for cost to decrease and access to become more available to the average business.

For instance, Softlayer, a popular data center with locations in Dallas, Seattle, and Washington D.C. is now offering CDNLayer, its own content delivery network. Rather than serving content directly from the host server to the end-user, CDNLayer moves content from the host server to a node that is geographically closer to the end-user.

As this type of “Closest-to-User” (what I call CtU) delivery technology evolves and becomes ubiquitous, I foresee web hosts adapting this technology for all customers and accounts. Website owners, whether running a dedicated server or a shared hosting account, won’t need to completely understand the technical setup or configure the backend workings of this type of a setup, but rather, should just be able to create and upload good content and let the web host’s CtU delivery technology deliver a speedy and enhanced user experience anywhere and everywhere.

The ultimate data center is already here. Who will take the initiative and offer CtU delivery technology for the average business and become the ultimate web host?

Tweet This Post

For those who run their own servers, the cPanel control panel has been a truly remarkable piece of software that allow non-technical users to perform even the very technical of tasks. But like many types of software, even this tried and true work horse shows a glitch here and there. This latest one threw our IT support team (including cPanel tech support, server management company and experts in various online forums) on a wild goose chase. WHM showed two unauthorized users have gained access to our server! Talk about a worst case scenario security breach! After some internal testing, it seemed that there was more to the cPanel alert than meets the eye.

Normal cPanel (domain owner control panel) users will never notice this reporting glitch but for those who have higher level access to WHM (the server administration panel that controls cPanel), you will rest assured knowing that when WHM is reporting your server has been hacked, it is definitely not the case.

WHM 11 has a feature called cPHulk Brute Force Protection that prevents malicious forces from trying to access your server’s services by guessing the login password for that service. In short, if it detects an IP or account trying to forcefully gain access to WHM or cPanel, it will shut them out for a pre-determined length of time. In addition to a list of banned IP’s, you will also find a table of IP addresses under “Logins” inside WHM >> Security >> Security Center >> cPHulk Brute Force Protection.

During a routine check-up, I noticed 2 IP addresses under the “Logins” table that I did not recognize. A DNSReport on those IP’s returned locations that were no where near our office. Even the reported user names do not match any that we have setup for server logins. As these IP’s were listed under the “Logins” table, panic began to set in.

With the intruder alarm sounding, emergency messages went out to the server management company, cPanel tech support and various tech forums asking for troubleshooting help. Responses were varied from the above and no one was able to pin point exactly what happened and why those 2 IP addresses were reported to have logged into our server.

As I put in a support ticket to cPanel, I also inquired about the “Status” column in the “Logins” table. Here is cPanel’s reply… which I now believe is incorrect information and was one of the factors that threw us for a ride.

Q: When does cPHulk log users under the login section?

A: It logs all logins by cpanel and whm for it.

Q: What does Status = 0 mean?

A: It logs all logins, and for the 0, it means number of retries attempted. Since you have logged in successfully, it is first attempt, so it be 0.

Armed with this info, we set out to discover how the so-called intruders were able to log in to our server.

Based on our own testing, I now know the information provided by the cPanel staff was incorrect. During the test sessions, we could not get Status to be anything but 0, even though there were multiple attempts to log in using the same bogus user ID. As we began to dig around, an IT friend of mine suggested that we test a failed log in to see if this was also logged. Sure enough, it turns out that the “Logins” table inside cPHulk ONLY logs unsuccessful login attempts! So the response from cPanel indicating that it cPHulk reports all logins was definitely incorrect. Thank goodness for that!

There is no other indication that our server was compromised. But based on the interpretation by cPanel tech support of the “Logins” stats inside cPHulk,it would have meant 2 un-authorized users have gained access to the core of our server. Currently, there is no indication of failed or successful logins inside cPHulk. As far a s I can tell, only unsuccessful logging attempts are reported. Most likely, the 2 IP’s in question were probably logged from a script or bot taking a blind stab at gaining access. In fact, 24 hours after the initial discovery, one of the IP’s was back trying to get in once again. This IP has now been blocked server wide at the firewall level.

cPHulk is a great tool. Unlike a firewall, it will still log an offending IP even though the hacking is subtle and not by brute force – as was with our case where the hack attempts were made once a day, every day. Essentially, it helped us isolate a repeat hacking attempt so we can permanently ban the offending IP from our server.

I hope cPanel enhances the already great feature of cPHulk in WHM by differentiating between successful logins and failed attempts in future releases. In the interim, the “Logins” table should be corrected to display “Failed Logins”. If you see any IPs listed under your cPHulk “Logins” table, not to worry. It actually means these IP addresses were not successful at logging in to your server!

UPDATE – June 10, 2008: If you are seeing cPHulk logging un-authorized logins to your server, it’s just a reporting glitch. After a few days of back and forth with technical support, here is a summary that I received from a cPanel Technical Analyst Manager. It should clear up all the confusion with cPHulk reporting. Looks like the above are bugs and will be dealt with in a future release.

1. I have confirmation from cPanel that even the most recent 11.23-Release build is still only logging failed logins. cPHulk is supposed to log both successful and unsuccessful logins. An internal (cPanel) bug report has been submitted to the development team to separate successful from unsuccessful login attempts.

2. The Status column is always 0 for now. This setting is for use in future versions. An internal cPanel bug report has been submitted with development to have this column removed until the setting is used properly.

UPDATE #2 – June 10, 2008: Response from cPanel; “The developers have removed the ‘Status’ column from the interface as well as made it more understandable regarding successful and unsuccessful logins. You should see these changes in newer builds as they make their way through the testing phases.”

Thanks to Todd S., Technical Analyst Manager at cPanel, for a detailed response.

Tweet This Post

Are you getting more and more email spam? Tired of waiting for tons of spam to download to your computer? I know I am bombarded on a daily and even hourly basis with email offers of how I can be richer, bigger, better and longer lasting. It’s not only frustrating but also a waste of time and bandwidth. Here is a proven method to decrease email spam.

This tip is specific to web hosts who offer Cpanel and SpamAssassin but the general setup can be applied to other hosting options as well. So here is what you can do to decrease your email spam.

1. Create a New Mailbox to Collect Mail Marked as Spam
2. Enable SpamAssassin
3. Activate SpamAssassin Filter
4. Watch Your Spam Decrease

1. Create a New Mailbox to Collect Mail Marked as Spam
This is the actual email account that will collect all incoming mail marked as spam. I normally log in to this spam mailbox via webmail once a week just to make sure no legitimate email has been flagged as spam. As an example, let’s call this mailbox spammail@yourdomain.com (yourdomain.com being your own domain name).

2. Enable SpamAssassin
Log in to Cpanel. Go to Mail>>SpamAssassin. If your web host has not enabled SpamAssassin by default, you will see ‘SpamAssassin is currently: Disabled’. Simply click on ‘Enabled SpamAssassin’ to turn on SpamAssassin. Then click on ‘Configure SpamAssassin’.

You will need to adjust ‘Required Score’. Based on the type of spam that I get, I am running a score of 5-6 without having any significant false positive issues. But to be safe, you can start at 8 and lower the score once you can confirm that you are not seeing any missed legitimate emails. The lower the SpamAssassin score, the tighter controls will be.

Next, you will want to add your own ‘rewrite_header subject’. Try this: “SPAM: _HITS_” without quotes. This will modify subject lines of emails flagged as spam to begin with ‘SPAM: SpamAssassin_Score’. This will make it easy to see all your spam marked emails at-a-glance. It will also allow you to identify and forward them to the mailbox that you have created in step #1.

There are blacklist and whitelist settings that you can edit on the configure page but I don’t suggest using them for now. If you really need to whitelist a domain, you can do that here but do know that running a list rule (either black or white) comes at a price. It requires additional server resources. To start, I suggest leaving these as is for now.

Click on ‘Save’ to update your SpamAssassin settings.

3. Activate SpamAssassin Filter
Navigate back to the Mail>>Email Filtering>>Add Filter. Cpanel may be configured differently based on your web host so depending on what options are available, you will want to activate one of these settings.

Option #1
Filter: ‘Subject’ – ‘Contains’ – ‘SPAM:’
Destination: ’spammail@yourdomain.com’
Option #2
Filter: ‘SpamAssassin Spam Header’ – ‘begins with’ – ‘Yes’
Destination: ’spammail@yourdomain.com’

This will tell your mail server to forward all emails marked as spam to your newly created spam mailbox (spammail@yourdomain.com – from step #1). So instead of spam being downloaded to your computer, they will be sent to this dedicated mailbox.

Simply log in to your spam mailbox once in a while to make sure no false positives get through. Once you are satisfied, you can begin decreasing your SpamAssassin Score (as adjusted in step #2).

Watch Your Spam Decrease
Many users have reported that running scores of 4.5-5 still give good results. You should run your own test to see how low of a score you can go. The lower you set your score, the stricter SpamAssassin will be at determining spam. Most of the mass spam emails out there will have scores of 10 & up but as email spammers get more sophisticated, they are finding ways to deliver spam that can by-pass filtering systems like SpamAssassin. You will see some of the HTML image spam emails come through with a very low score (below 5) so in my opinion, there is not a big advantage of running SpamAssassin much below 5… or at least not until you get fed up once again with too much spamming coming through. Since I turned on SpamAssassin a few months back, I have only seen 1 false positive so far. That email was actually not from someone who I communicate with on a regular basis but was in fact, an email newsletter that contained a link to a domain that had been blacklisted by SpamAssassin.

As a safety precaution, I have currently asked SpamAssassin to forward all emails marked a spam to a spam mailbox. Once I am comfortable that SpamAssassin is no longer flagging anymore false positives, I will ask the system to simply delete all mails marked as spam.

Since turning on SpamAssassin, spam reaching my Outlook has decreased by about 50% and I no longer have to wait an extra 10 minutes at the beginning of my day to wait for spam to download to my computer. To begin your day a little more efficiently, do turn on SpamAssassin if you have this option. This is a proven method to decrease email spam.

Tweet This Post