Sucuri CloudProxy Website Firewall Improvements

If you are are a regular reader of our blog you probably know about our CloudProxy Website Firewall, it launched publicly a year ago. Since then, our team has been extremely focused on improving it, making it more effective and efficient for everyday website owners.

If you are not familiar with CloudProxy, I highly recommend reading some of the documentation and benefits of it:

In fact, if you have a website, why not try it out?

Read More

Layer 7 DDOS – Blocking HTTP Flood Attacks

There are many types of Distributed Denial of Service (DDOS) attacks that can affect and bring down a website, and they vary in complexity and size. The most well known attacks are the good old syn-flood, followed by the Layer 3/4 UDP and DNS amplification attacks.

Layer 7 DDOS

Today though, we’re going to spend a little time looking at Layer 7, or what we call an HTTP Flood Attack.

Read More

Google Bots Doing SQL Injection Attacks

One of the things we have to be very sensitive about when writing rules for our CloudProxy Website Firewall is to never block any major search engine bot (ie., Google, Bing, Yahoo, etc..).

To date, we’ve been pretty good about this, but every now and then you come across unique scenarios like the one in this post, that make you scratch your head and think, what if a legitimate search engine bot was being used to attack the site? Should we still allow the attack to go through?

This is exactly what happened a few days ago on a client site; we began blocking certain Google’s IP addresses requests because they were in fact SQL injection attacks. Yes, Google bots were actually attacking a website.

Read More

Sucuri CloudProxy WAF Plugin for WordPress

If you are using our CloudProxy WAF to protect your WordPress websites, we highly recommend that you also install our new CloudProxy plugin for WordPress. It has been public for a few weeks, and now we feel it is ready for production use, hence the announcement. :)

sucuri-cloudproxy-wordpress-waf-plugin

You can download the plugin from WordPress Plugin Directory, or directly in your WordPress wp-admin panel by searching for CloudProxy from the “Add New Plugin” page.

The Sucuri CloudProxy WAF plugin is free from the WordPress repository, and allows direct access to your CloudProxy dashboard from within your WordPress wp-admin panel. It allows you to see your audit logs and security events, clear caching, and overall easier management of your CloudProxy account without the need to login to Sucuri.net.


Note:The CloudProxy plugin doesn’t add any additional security measures beyond what’s offered in the CloudProxy service. The plugin is not required for CloudProxy use.

*ps: if you are not using CloudProxy, you should. Go check out CloudProxy today!

CloudProxy WAF – September Report

*By Tony Perez and Daniel Cid

As many of you are aware we released a website protection tool, CloudProxy WAF/IDS, at the beginning of the year and over the past few months we have been working with the data we’ve been accumulating. We’re finally at a place where we think we can provide better insight into the world of website attacks.

What we’re hoping to do is provide a monthly summary, similar to what you’ll read here that helps you understand the various website attacks we see via our CloudProxy WAF/IDS. It will also, hopefully, shed insight into the growing online threats that website owners face daily.

September 2013

We have some very small and some big sites with us. And the first thing we noticed is that even the smaller sites get attacked quite often. All sites do.

Every web site gets attacked. And that happens daily. Many times per day.


Read More

Sucuri CloudProxy Web Application Firewall (WAF) – Out of Beta

We are happy to announce that after more than a year in testing, Sucuri’s CloudProxy is out of beta.

CloudProxy

CloudProxy is currently available to Sucuri customers, so if you have an account with us, you can subscribe to CloudProxy from your dashboard.

Here is a quick testimonial:

I inherited a couple of websites that were hand coded and getting hacked on a daily bases. Hooked them up to CloudProxy last week and so far the sites have been protected and are not being hacked anymore. At this point, I’d highly recommend this service if you are running an out of date CMS or code and are getting hacked often! Great service!

Linda Kimble Long


Read More

Sucuri CloudProxy WAF – Fake Bots Explained

One of the most common questions we have been getting since launching our CloudProxy WAF is regarding bot activity and why it appears that we are blocking Google and / or Bing bots. Inside the CloudProxy dashboard we provide a full audit log of any request that gets denied access and when a client see’s something like the following in their logs they tend to get concerned:

13/May/2013:09:20:29 +0000] 80.72.37.156 “IP Address not authorized” “POST /wp-login.php HTTP/1.1″ 403 “” “Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)”

In this specific instance they are concerned that we are blocking Bing because of this reference: bingbot/2.0; +http://www.bing.com/bingbot.htm. They are especially concerned when it says Googlebot, like this one:

13/May/2013:18:27:14 -0400] 198.50.161.234 “Spam comment blocked” “POST /blog/wp-comments-post.php HTTP/1.0″ 403 “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

Nobody wants to block Google out of their sites.

Read More

Protecting Against WordPress Brute-Force Attacks

It was not long ago that I was sitting on a call with other members of the WordPress community in which we were talking abou brute-force. When asked why WordPress core didn’t offer more out of the box features to address the issue, the response was it’s just not a relavent issue.

As interesting a response as that was, the latest trends seem to contradict that statement head on. It goes to show us that with the technological improvements things like latency and other network considerations are becoming less of a barrier to entry for attackers.

Web Based Brute Force Attacks Are Here

As if we really needed any tangible evidence of such a prominent issue, the first large-scale issue of such attacks first presented itself in October of 2012 when WordPress.com disclosed that some 50,000 sites were compromised using a similar attack:

Per their incident handling process they identified a brute force like attack which made use of a list of compromised email / password combinations derived from a third-party application[s].


Read More

Virtual Hardening with Sucuri CloudProxy

If you read our blog you know that we are really open to providing insight into malware infections, remediation and hardening tips. The goal is to help educate website owners where and when we can. Unfortunately, that education only goes so far. We have learned that when it comes to hardening no single environment is the same and what you tell one person doesn’t necessarily apply to another person.

Take into consideration three of the simple things we tell website owners that use the WordPress platform:

  • Restrict wp-admin access for only certain white listed IP addresses
  • Disable PHP execution inside the uploads directory
  • Disable direct PHP execution inside the whole wp-content directory whenever possible

Although effective for many of them, most are unable to apply them. Reasons include things like static versus dynamic IP’s and lack of understanding of the use of secure tunnels and static IPs proxies. Then you have the challenges of web servers, is it a Windows IIS web server, or an Apache web server? Is it something else? And what if the environment is a hybrid with varying elements, each with specific considerations.

The same applies to guidance we provide other content management system (CMS) applications like Joomla, Magento, vBulletin, osCommerce and many others. The fact of the matter is that it’s hard to provide one solid solution that all website owners, regardless of platform, can use and employ to harden their websites.

Hardening is HARD

The main issue with hardening is that not everyone is technical enough to follow or understand the guidance. Especially when they see long posts like this one: WordPress Security – Cutting Through The BS or WordPress and Server Hardening – Taking Security to Another Level. The reality is that every one of the configuration changes is one potential new headache for the website owner. What works for one, doesn’t work for the other. Perhaps a host doesn’t allow a specific directive or disables specific functions. How do you account for that when talking to the masses?

Then you have to keep up with the growing threats. Is there a new attack vector? Is there a new hardening tip to address that vector? How do you know? How do you apply the hardening in time to avoid becoming vulnerable and exploited?

Enter Virtual Hardening

In our previous post, we talked about the concept of virtual patching: Virtual Patching for Websites with Sucuri CloudProxy, it is the idea that a non-patched web site can still be protected (patched) by a web application firewall (our CloudProxy).

Fortunately, the benefits of our CloudProxy does not stop there. By default, every site under our CloudProxy is already hardened without any work. In our WordPress plugin we have the 1-click hardening. That’s the no-click hardening. You no longer need to run any security plugin or modify your configuration, since all the hardening is done “virtually” by our WAF.

You can automatically restrict access to your administration panel per IP address. All direct access to non-allowed directories are blocked. And all the steps we provide in our blogs are implemented there to all our users.

Go back a few months and look at the Timthumb mass compromise, where thousands of sites were hacked. Any site that was hardened like we recommend would not get hacked through it, even if they had the insecure timthumb installed. And even without any type of virtual patching or custom WAF rule. Just the hardening alone.

That’s what the Virtual hardening offers without any work for web site owners.


If you have questions about virtual hardening, or the Sucuri CloudProxy service, email us at info@sucuri.net and we can get you setup.

Virtual Patching for Websites with Sucuri CloudProxy

All software has bugs, and some bugs can lead to security vulnerabilities. Vulnerabilities can be extremely dangerous when your software is running over the web, allowing anyone to reach and try to attack it. That’s why patching and keeping web applications updated is so important.
Sucuri Cloud Proxy

The reality is there is no shortage of websites running outdated Joomla installs, or outdated WordPress, or name your favorite CMS. There are also plenty of websites running themes/templates with known vulnerabilities, or forgotten plugins that are being exploited in the wild. The #1 excuse for keeping these web applications outdated is that their websites will break.

We often hear things like “My theme was heavily modified, so I can’t update it”, or “I am afraid it will break some functionality if I update this plugin”, or “I modified core files so now I am stuck”, or even “My web developer left us and nobody knows how this piece of code works”.

Read More