Category Archives: Security

Let’s Encrypt

Since Snowden the usage of encryption is steady growing. One of the key points is to encrypt the daily web usage. Each website should run SSL, but for website starter installing an SSL cert and keep it up to date is often to complicated.

And of course it comes with a price, even a standard SSL cert will cost you at least 10 euro per year.

But why paying for an SSL cert when you can have it free?

Since a few weeks we setuped on all shared hosting server Lets Encrypt and did a rollout to see if we could discover any problems. No problem showed up so today we go offical live.

You dont have to do anything, your website will simply recive (or has already) a valid SSL cert. Try it out!

Dont wonder, the SSL cert does not show up within Cpanel. In case you have already an valid SSl cert it wont be replaced. SSL certs installed within Cpanel have priority so there wont be overwritten.

The SSL cert will be automaticly installed and renewed by the system, there is nothing you need to do.

If you have any further questions please contact our support team via email or ticket system.

Will Let’s Encrypt will solve all my SSL needs? 

No it wont. At first it doesent support Wildcard SSL certs, nether any green bar/locker SSL certs. Keep also in mind that it will refresh every 90 days so security plugins for your browser like Cert Patrol to monitor the change of an SSL cert (to avoid malicious ssl certificates)

About Let’s Encrypt:

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

HTTP Strict Transport Security (HSTS)

The HSTS Policy helps protect web application users against some passive (eavesdropping) and active network attacks. A man-in-the-middle attacker has a greatly reduced ability to intercept requests and responses between a user and a web application server, while the user’s browser has HSTS Policy in effect for that web application

So what we need?

Activate mod headers in apache:

a2enmod headers

HSTS header into VirtualHost:

Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains”

max age set the Time in seconds and includeSubDomains set the HSTS header also into your subdomains (recommended). If you don’t want his just only let it our and close after31536000.

Done.

Secure your TLS with PFS

 

Today’s mostly used SSL is broken. The reason is, RC4 is broken and that is mostly used by SSL active websites. Check your SSL used website about SSL Ciphers (in FF click on the secure bar logo) – you will see for example: RSA_RC4_128_SHA

That means the server uses RSA with RC4 and SHA 128. And that is broken.

But it is getting worse. The NSA is currently building the biggest spy center in the US to save any data they get. Why? It may be true that you can’t break the current secure ciphers now, but what about later?

So what we need is a system which will remain secure in the future. PFS (Perfect-Forward-Secrecy) fulfills this requirement.

How does it work?

When two peers want to establish a TLS tunnel with PFS, after performing the server (or the mutual) authentication, they agree on an ephemeral session key.

The session keys are then used to encrypt the rest of the conversation (session). They are deleted afterwards. The goal of the key exchange phase is to enable the two parties to negotiate the keys securely; in other words, to prevent anyone else from learning these keys.

How do we enable it?

First: Use a long SSL Cert Key. We recommend to use RSA 4096 bits.

Also you realy should look foward to get TLS 1.2 active on your server (should be already supported by every unix on latest version)

Activate PFS

You will need Apache 2.3+ , earlier versions are not supporting PFS.

Replace (or add if applicable) the following configuration directives in your SSL module configuration file (most likely to be found in /etc/apache2/mods-enabled/ssl.conf).

 

SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Update your Dovecot mailserver:

ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl_prefer_server_ciphers = yes (Dovecot 2.2.6 or greater)

How does it look later? Have a look at our billing system (SSL labs).

 

***SPAM*** Ransom request: DDoS Attack!

Dear valued customer,

yesterday we have recived a blackmailing from the so called “Armada Collective” (see email at the end of this post).

They demand 20BTC (around 8000 Euro), otherwise our networks in Iceland and Finland will be attacked by ddos.

To state it clear:

We are not going to pay any money to those persons, as blackmailer do not stop in such a case.

We informed immediately the Icelandic Police, the FBI (because there are already other cases active about it) and the local CERTS to be aware of it.

To avoid downtime for our customers, we are starting to implement protections, but we have to see how it works in case of such a strong attack.

Our network in Romania is not affected because our ddos protection can filter these size of attack.

In case of an attack which causes the downtime of your product, please stay calm and wait a moment until our protections can start to work.
For everyone, whose site is down for a long time, we activated the Support Department “DDOS Care Center”, in which we aim for a quick solution for the problem.

Please be aware of the fact, that in case of a ddos attack, the whole network at the location can be affected.

We are working now on it, to prevent the worst case and we will continue, in case the attack starts. Please keep in mind, that such kind of danegeld extortion is a strike against freedom of the internet, which we are fighting for.
To comply with the demand would mean to give up the fight!

We hope to have all of you staying behind this decision, as it can affect you as well as it affects us.

We will update regulary our blog, Twitter

@flokinetehf
and our Network status page:
https://www.billing.flokinet.com/serverstatus.php

———————-

from:

to: info@flokinet.is

Subject: ***SPAM*** Ransom request: DDoS Attack!

Ransom request: DDoS Attack!

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective.

If you haven heard for us, use Google. Recently, we have launched some of the largest DDoS attacks in history.
Check this out, for example: https://twitter.com/optucker/status/665470164411023360 (and it was measured while we were DDoS-ing 3 other sites at the same time)
And this: https://twitter.com/optucker/status/666501788607098880

We will start DDoS-ing your network if you don’t pay 20 Bitcoins @ XYZ(modified by us)

Right now we will start small 30 minutes UDP attack on your site IP: 185.100.84.14. It will not be hard, just to prove that we are for real Armada Collective. Check your logs.

If you don’t pay by Wednesday, massive attack will start on your networks in Finland and Iceland, price to stop will increase to 40 BTC and will go up 2 BTC for every hour of attack.

In addition, we will be contacting affected customers to explain why they are down and recommend them to move to OVH. We will do the same on social networks.

Our attacks are extremely powerful – sometimes over 1 Tbps per second.

Prevent it all with just 20 BTC @ XYZ(modified by us)

Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

And nobody will ever know you cooperated.


Armada Collective