Practical Technology for practical people.

January 12, 2017
by sjvn01

Why You Must Secure Your Website with TLS

Security isn’t an option on today’s websites. It’s a necessity. Google confers on sites that use HTTPS a higher search ranking. And who doesn’t want a higher PageRank?

But wait, there’s an even bigger reason to lock down your site. Google will soon start marking websites that don’t use HTTPS first as insecure, then as broken. You really don’t want to go there.

To be exact, Google stated: “To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labeled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.”

Then, as 2017 progresses, Google will increase the severity of its HTTP warnings, beginning with labeling HTTP pages as “not secure” in Incognito mode. Eventually, Google will label all HTTP pages as non-secure and change the HTTP security indicator to the red triangle that it uses for broken HTTPS.

Besides, even if you bristle at the idea of Google being the boss of you, securing your website just makes good common sense. We’ve known since 2010 when Firesheep showed your login could be stolen over Wi-Fi that the only way to have reliable security is for every website to have an encrypted connection.

To do that you need to add Secure Sockets Layer (SSL), and its far safer successor, TLS (Transport Layer Security), to your site. Both encrypt communications with public key encryption between your server and your end-users’ devices.

To make this happen, you need an X.509 Digital Certificate — generically called an SSL certificate — on your server. A digital signature from a trusted third party, a Certificate Authority (CA), guarantees the Digital Certificate’s authenticity so that your site’s visitors know the server is really the site it purports to be.

There are many CAs. Some of the best commercial ones are Network Solutions; Symantec, now owner of Verisign; and Thawte. Prices for certificates from a major provider range from $50 to $200. You can also get a free certificate that’s every bit as good, if you’re not doing e-commerce, from the non-profit Internet Security Research Group’s Let’s Encrypt.

The big difference between the commercial CAs and Let’s Encrypt is that the commercial businesses back up their security with a warranty of between five-hundred thousand and a million dollars. With Let’s Encrypt, you’re on your own.

You can also self-sign your own certificate. This is fine if it’s just you connecting to your site, but your visitors won’t be certain your site is really the one they intended to visit. As a stopgap security method, self-signed certificates are fine, but no one thinks self-signed certificates are really that secure.

Before deploying any certificate, you should know that there are three different kinds of SSL certificates. These are, in order of least to most secure: Domain Validation (DV) SSL Certificates; Organization Validation (OV) SSL Certificates; and Extended Validation (EV) SSL Certificates.

A DV states that the domain is registered by someone with admin rights to the website. If the certificate is valid and signed by a trusted CA, a web browser connecting to the site will inform you that it has successfully secured an HTTPS connection. A DV would be all you’d need to secure a blog or simple website. Typically, self-signed certificates are DVs.

An OV validates the domain ownership and includes related information like the site owner’s name, city, state, and country. It’s the middle tier of certificates, but it’s not often used.

Anyone staging an e-commerce website needs to use an EV SSL certificate. It validates not only the domain ownership and organization information, but the site’s legal existence as well. Sites with an EV SSL certificate can be identified by their green address bar.

So, now that you know why you should do it and some of the technology behind what you’re doing, how do you add SSL/TLS to your site? Cloud host Linode has the answers in a series of useful articles:

Nowadays, the internet can be a dire place. Fortunately, you can make your website a safe and trusted port in the storm for your users while improving your Google PageRank. So, without further ado, secure your website with TLS and start enjoying the benefits today.


December 28, 2016
by sjvn01

How to Use Fail2Ban to Blunt Brute-force Attacks

WordFence, the WordPress security plugin company, tells me that unsophisticated brute-force attacks have doubled in the past three weeks. While WordFence can help keep your WordPress instances up and running, your server is still getting mauled. What can you do about it? You can use Fail2Ban to patch your firewall against blunt attackers in real time.

It’s a shame that many of you haven’t heard of, never mind used, Fail2Ban. I’ve found it to be a very useful and easy way to protect servers, and it is just as easy to install and deploy.
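The post describes Fail2Ban as watching logs for repeated failures and patching the firewall in real time. The following is an added example (not Fail2Ban’s own code) that implements that core idea in Python: it scans constructed sshd lines in auth.log format, applies Fail2Ban’s maxretry/findtime counting rule, and emits the kind of iptables rule the ban action would insert. The log lines, hostnames and addresses are all constructed; the parameter names mirror Fail2Ban’s jail settings but the functions are this example’s own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in /var/log/auth.log (syslog) format; not real traffic.
SAMPLE_AUTH_LOG = """\
Dec 28 10:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Dec 28 10:00:04 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Dec 28 10:00:09 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Dec 28 10:00:15 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51055 ssh2
Dec 28 10:00:20 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51060 ssh2
Dec 28 10:01:00 web1 sshd[2211]: Failed password for alice from 198.51.100.9 port 40100 ssh2
Dec 28 10:02:30 web1 sshd[2213]: Accepted password for alice from 198.51.100.9 port 40101 ssh2
Dec 28 10:30:00 web1 sshd[2215]: Failed password for bob from 192.0.2.44 port 33000 ssh2
Dec 28 10:45:00 web1 sshd[2217]: Failed password for bob from 192.0.2.44 port 33001 ssh2
Dec 28 11:00:00 web1 sshd[2219]: Failed password for bob from 192.0.2.44 port 33002 ssh2
Dec 28 11:15:00 web1 sshd[2221]: Failed password for bob from 192.0.2.44 port 33003 ssh2
Dec 28 11:30:00 web1 sshd[2223]: Failed password for bob from 192.0.2.44 port 33004 ssh2
"""

# Matches sshd "Failed password" lines, including the "invalid user" variant.
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port")

def parse_failures(log_text, year=2016):
    """Yield (timestamp, source_ip) for each failed login; other lines are ignored.
    Syslog timestamps carry no year, so one is assumed (constructed sample: 2016)."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = " ".join(m.group(1).split())  # collapse the double space of single-digit days
            yield datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"), m.group(2)

def find_bans(log_text, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside a sliding
    findtime-second window, the same counting rule a Fail2Ban jail applies."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

def ban_commands(banned, bantime=3600):
    """Build a simple DROP rule per banned source (illustrative of the firewall action,
    not Fail2Ban's exact chain layout); Fail2Ban would remove it after bantime seconds."""
    return [f"iptables -I INPUT -s {ip} -j DROP  # unban after {bantime}s" for ip in sorted(banned)]
```

With the defaults, only 203.0.113.7 (five failures in 19 seconds) is banned; 192.0.2.44 also fails five times but spread over an hour, so it only trips the rule if findtime is widened to 3600.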


December 13, 2016
by sjvn01

Locking Down WordPress

# Apache directive: refuse to serve any .php file from this directory
<Files *.php>
deny from all
</Files>


November 28, 2016
by sjvn01

Locking Down Your Linux Server

No matter what your Linux, you need to protect it with an iptables-based firewall.

Yes! You’ve just set up your first Linux server and you’re ready to rock and roll! Right? Uh, no.

By default, your Linux box is not secure against attackers. Oh sure, it’s more secure than Windows XP, but that’s not saying much.

To really nail down your Linux system you need to follow the instructions in Linode’s Securing your Server guide.

To summarize, you must, first, turn off the services you don’t need. Of course, to do that, you need to know what network services you’re running in the first place.


November 10, 2016
by sjvn01

Set up OpenVPN on Ubuntu 16.04: For Safety’s Sake!

Want to know a really scary IT statistic? Xirrus, a leading Wi-Fi company, recently polled more than 2,000 executives and IT professionals. They found that while 91 percent of respondents know public Wi-Fi is insecure… 89 percent go ahead and use it anyway.

Whoops!

One thing you can do to help clean up this security mess is to provide a virtual private network (VPN) so that your users’ traffic gets protected before hackers can get their digital mitts on it. There are many VPN servers, but OpenVPN is my VPN server of choice because it’s very popular, easy to use, and widely supported. When integrated with OpenSSL, OpenVPN can encrypt all VPN traffic to provide a secure connection between machines.


October 20, 2016
by sjvn01

Clueless CIO cloud confusion continues

You have got to be kidding me. At the Gartner Symposium/ITxpo, the research company’s annual enterprise IT conference, Gartner vice president David Mitchell Smith said, “In many ways we’re nowhere nearer understanding what cloud is.” Oh, come on!

The year is 2016, but Smith continued, “There are still a lot of gray areas and blurriness in the cloud business.” He thinks 80% of vendors’ “private clouds” aren’t strictly speaking cloud, along with 30% of public cloud services.

Listen, if you’re a CIO and you don’t know what a cloud really is by now, then you should be fired.

Despite what Gartner said, most of you do seem to get it. A recent Uptime Institute survey of 1,000 IT executives found that 50% of senior enterprise IT executives expect most IT workloads to be running on the cloud soon. Of the respondents, 23% expect the shift to happen next year, and 70% expect it to occur within the next four years.

What is going on, and what does confuse things if you’re not paying attention, is that many vendors just stick a cloud label on their old offering and expect you to buy their “new” service. This is called cloud-washing. Companies slap a new coat of cloud paint on any old program or service, add 10% to the price, and call themselves a cloud company. I’m looking at you, Oracle.

But Oracle isn’t alone. For example, Adobe Creative Cloud isn’t a cloud. It’s a software rental licensing business model. True, you can share files with its infrastructure-as-a-service (IaaS) storage, but you could always do that with network file sharing or third-party cloud services such as Dropbox.

If you think there’s a Photoshop in the cloud, you’re wrong. To use Creative Cloud, you download a fat client to use it. Despite the name, this is not a software-as-a-service (SaaS) play.

If you’re a system admin who’s nervous about losing his or her job, I can understand pointing out such examples as proof that cloud computing is just marketing hype. I expect better from CIOs.

I mean, the National Institute of Standards and Technology (NIST) defined cloud computing for us in 2011.

Doesn’t ring a bell? OK, here’s a refresher.

NIST tells us: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

NIST goes on to say that a cloud must have five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity or expansion, and measured service.

Let’s look closer. With on-demand self-service, users can unilaterally provision or access computing resources as needed. Usually, but not always, you do this with a web browser. Users spinning up a service with ordinary provisioning shouldn’t require any technical support handholding. If a technician has to manually spin up a server for you, you’re not using cloud computing. If you need to call the vendor to get a server instance up, you’re not on the cloud.

By broad network access, NIST doesn’t just mean that cloud services must be available over the internet. It means that the cloud resources must be made available over the network to all devices, from PCs to smartphones, using open standard protocols such as TCP/IP, HTTP, HTML, XML, Java and SOAP. If it needs proprietary network standards or clients, you’re moving away from the standard open cloud to a proprietary solution.

With resource pooling, according to NIST, “The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.”

Ignore the jargon. It means the cloud could be next door, or it might be in the next country. With a hybrid cloud, which uses both private and public cloud resources, it may be both. IT should know the specifics of what’s where. For the ordinary Joes and Janes in accounting, the resources are just in the cloud. From their seats, the cloud is just at their fingertips, the same way the internet is.

Rapid elasticity and expansion are vital. In a cloud, you don’t ask for five more servers; you go out and get them. Your computing resources are dynamically assigned, released and reassigned at your request. In the best clouds, users don’t even know they’re asking for more resources. They just get on with their job, and if their work requires more resources, the cloud simply provides them.

So, for example, if you suddenly need two dozen extra processors to handle an unexpected job, the cloud can deliver those compute resources to your application without any manual intervention. Then, when the job is done, those resources should automatically be returned to the cloud. No fuss, no muss.

Finally, just as with any ordinary utility, such as your electricity, on a cloud you must be able to monitor your cloud systems usage and be billed for it according to your use of the “service.” The only difference is that instead of kilowatt hours, you’re billed for storage, processing and bandwidth usage, and possibly for active user accounts.

If your cloud service doesn’t provide all of these features, what you’re using may not be a cloud.

That may not be a problem. It may still work perfectly well for you. There’s nothing inherently wonderful about a service just because it’s offered over a cloud. But you may want to take a close look at your services. After all, from a practical viewpoint, the big differences between cloud services and other models are that the cloud tends to be cheaper and far more expandable and flexible.

And surely you, as a CIO, already know all that. Right?

This story was first published in ComputerWorld.