Blogroll Category: Technology

I read blogs, as well as write one. The 'blogroll' on this site reproduces some posts from some of the people I enjoy reading. There are currently 192 posts from the category 'Technology.'

Disclaimer: Reproducing an article here need not necessarily imply agreement or endorsement!

EasyApache 4 updated

CloudLinux - 1 hour 26 min ago

New updated EasyApache packages are now available for download from our production repository.

Changelog:

ea-php53-pear-1.10.1-12.cloudlinux

  • ZC-3484: create symlinks in /usr/bin for ea-php##-pear and ea-php##-pecl.

ea-php54-pear-1.10.1-12.cloudlinux

  • ZC-3484: create symlinks in /usr/bin for ea-php##-pear and ea-php##-pecl.

ea-php55-pear-1.10.1-12.cloudlinux

  • ZC-3484: create symlinks in /usr/bin for ea-php##-pear and ea-php##-pecl.

ea-php56-pear-1.10.1-12.cloudlinux

  • ZC-3484: create symlinks in /usr/bin for ea-php##-pear and ea-php##-pecl.

ea-php70-pear-1.10.1-12.cloudlinux

  • ZC-3484: create symlinks in /usr/bin for ea-php##-pear and ea-php##-pecl.

ea-php71-pear-1.10.1-12.cloudlinux

  • ZC-3484: create symlinks in /usr/bin for ea-php##-pear and ea-php##-pecl.

ea-php72-pear-1.10.1-12.cloudlinux

  • ZC-3484: create symlinks in /usr/bin for ea-php##-pear and ea-php##-pecl.

ea-php56-5.6.36-1.cloudlinux

  • EA-7435: updated to version 5.6.36 via update_pkg.pl.

ea-php70-7.0.30-1.cloudlinux

  • EA-7426: updated to version 7.0.30 via update_pkg.pl.

ea-php71-7.1.17-1.cloudlinux

  • EA-7422: updated to version 7.1.17 via update_pkg.pl.

ea-php72-7.2.5-1.cloudlinux

  • EA-7430: updated to version 7.2.5 via update_pkg.pl.

Update command:

yum update ea-*
Categories: Technology

Beta: ea-libcurl updated

CloudLinux - Wed, 23/05/2018 - 16:11

A new updated ea-libcurl package is now available for download from our updates-testing repository.

Changelog:

ea-libcurl-7.60.0-1.cloudlinux

  • ZC-3769: updated cURL from 7.59.0 to 7.60.0 to fix CVE-2018-1000300. Please find more info about the CVE here.

Update command:

yum update ea-libcurl --enablerepo=cl-ea4-testing
Categories: Technology

Beta: additional kernel modules for CloudLinux 7 and CloudLinux 6 Hybrid updated

CloudLinux - Wed, 23/05/2018 - 15:57

Additional kernel modules for CloudLinux 7 and CloudLinux 6 Hybrid are now available for download from our updates-testing repository.

Changelog:

  • CLKRN-273: rebuild additional kernel modules against the latest stable kernel in order to maintain their compatibility.

Update command:

CloudLinux 7:

yum update kmod-* --enablerepo=cloudlinux-updates-testing

CloudLinux 6 Hybrid:

yum update kmod-* --enablerepo=cloudlinux-updates-testing,cloudlinux-hybrid-testing
Categories: Technology

Beta: CloudLinux 7 and CloudLinux 6 Hybrid kernel updated

CloudLinux - Wed, 23/05/2018 - 15:47

CloudLinux 7 and CloudLinux 6 Hybrid kernel version 3.10.0-714.10.2.lve1.5.17.1 is now available for download from our updates-testing repository.

Changelog:

  • CLKRN-259: added a workaround to avoid crash on OOM stack trace.

To install a new kernel, please use the following command:

CloudLinux 7:

yum clean all --enablerepo=cloudlinux-updates-testing && yum install kernel-3.10.0-714.10.2.lve1.5.17.1.el7 --enablerepo=cloudlinux-updates-testing

CloudLinux 6 Hybrid:

yum clean all --enablerepo=cloudlinux-updates-testing,cloudlinux-hybrid-testing && yum install kernel-3.10.0-714.10.2.lve1.5.17.1.el6h --enablerepo=cloudlinux-updates-testing,cloudlinux-hybrid-testing
Categories: Technology

Zircon - Critical - Unsupported - SA-CONTRIB-2018-037

Drupal Contrib Security - Wed, 23/05/2018 - 15:30
Project: Zircon
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Categories: Technology

Beta: Alt-Node.js updated

CloudLinux - Wed, 23/05/2018 - 15:29

New updated Alt-Node.js10 packages are now available for download from our updates-testing repository.

Changelog:

alt-nodejs10-1-1

  • ALTNJS-16: build alt-nodejs10.

Install command:

yum groupinstall alt-nodejs10 --enablerepo=cloudlinux-updates-testing
Categories: Technology

Education - Critical - Unsupported - SA-CONTRIB-2018-036

Drupal Contrib Security - Wed, 23/05/2018 - 15:28
Project: Education
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Categories: Technology

TB Sirate - Critical - Unsupported - SA-CONTRIB-2018-035

Drupal Contrib Security - Wed, 23/05/2018 - 15:28
Project: TB Sirate
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Categories: Technology

Hotel - Critical - Unsupported - SA-CONTRIB-2018-034

Drupal Contrib Security - Wed, 23/05/2018 - 15:26
Project: Hotel
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Categories: Technology

iShopping - Critical - Unsupported - SA-CONTRIB-2018-033

Drupal Contrib Security - Wed, 23/05/2018 - 15:25
Project: iShopping
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Categories: Technology

Corporate Site - Critical - Unsupported - SA-CONTRIB-2018-032

Drupal Contrib Security - Wed, 23/05/2018 - 15:23
Project: Corporate Site
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Categories: Technology

TB Nucleus - Critical - Unsupported - SA-CONTRIB-2018-031

Drupal Contrib Security - Wed, 23/05/2018 - 15:22
Project: TB Nucleus
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported themes and modules critical by default.

Solution: 

If you use this theme, you should uninstall it.

Reported By: 

Drew Webber

Categories: Technology

SimpleCrop - Critical - Unsupported - SA-CONTRIB-2018-030

Drupal Contrib Security - Wed, 23/05/2018 - 15:02
Project: SimpleCrop
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution: 

If you use this module, you should uninstall it.

Reported By: 
Categories: Technology

Baidu Analytics - Critical - Unsupported - SA-CONTRIB-2018-029

Drupal Contrib Security - Wed, 23/05/2018 - 14:59
Project: Baidu Analytics
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution: 

If you use this module, you should uninstall it.

Reported By: 
Categories: Technology

Protected Pages - Critical - Unsupported - SA-CONTRIB-2018-028

Drupal Contrib Security - Wed, 23/05/2018 - 14:55
Project: Protected Pages
Date: 2018-May-23
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Unsupported
Description:

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466.

The security team marks all unsupported modules critical by default.

Solution: 

If you use this module, you should uninstall it.

Reported By: 
Categories: Technology

From Zero to Hero: NameHero shares their CloudLinux OS story

CloudLinux - Wed, 23/05/2018 - 12:48

If you'd like to know how CloudLinux OS helps our customers, and how they actually use it, we hope you’ll get acquainted with the wonderful story of Ryan Gray, the CEO of NameHero. Ryan’s journey with CloudLinux began at one of Igor Seletskiy’s cPanel conference sessions, where he found out about CloudLinux products and was struck by our CEO’s approach to business.

Now, Ryan says that CloudLinux OS has become a huge part of NameHero’s success – over the last three years, his company has provided high-speed cloud web hosting services to more than 20,000 websites. With CloudLinux OS, Ryan was able to load his shared and reseller nodes efficiently while keeping 99.9% uptime. Ryan used the MySQL Governor, CageFS, and PHP Selector tools so that his customers can focus on business objectives rather than website security.

Ryan believes that the CloudLinux OS played a major role in his company’s success and strives to maintain his fruitful partnership with our company while we go all-out to do the same from our side.

Ryan is an expert in reseller hosting - take a look at his Reseller Hosting 101 course. He shared with us that he thinks the CloudLinux OS Reseller Limits option will become a perfect opportunity for businesses just like his to prosper and attract more clients. Like the majority of our customers, Ryan collaborates closely with CloudLinux and tests the software we offer as soon as it is officially released.

Ultimately, Ryan stressed that the CloudLinux team and our services truly helped NameHero grow into a very successful organization in a short period of time. Our focus at CloudLinux has always been to help service providers deliver the most stable and secure Linux hosting services, and we are excited we can do it for NameHero.

If you’d like to share your story, please let us know by writing to marketing@cloudlinux.com.

Categories: Technology

Introducing: The Cloudflare All-Stars Fantasy League

CloudFlare - Tue, 22/05/2018 - 20:09

Baseball season is well underway, and to celebrate, we're excited to introduce the Cloudflare All-Stars Fantasy League: a group of fictitious sports teams that revolve around some of Cloudflare’s most championed products and services. Their mission? To help build a better Internet.

Cloudflare HQ is located just a block away from the San Francisco Giants Stadium. Each time there's a home game, crowds of people walk past Cloudflare's large 2nd Street windows and peer into the office space. The looks in their eyes scream: "Cloudflare! Teach me about your products while giving me something visually stimulating to look at!"

They asked. We listened.

The design team saw a creative opportunity, seized it, and hit it out of the park. Inspired by the highly stylized sports badges and emblems of some real-life sports teams, we applied this visual style to our own team badges. We had a lot of fun coming up with the team names, as well as figuring out which visuals to use for each.


For the next few months, the Cloudflare All-Stars teams will be showcased within the large Cloudflare HQ windows facing 2nd street and en route to Giants Stadium. Feel free to swing by on your way to the next Giants game, snap a pic and share with your fans.


You can also show the teams support by Tweeting out their hashtag, along with the images provided for each. Go Team Internet!

The Distributed Denial of Service (DDoS) Defenders are strong and undefeated. They have a flawless record of batting away malicious DDoS attacks that target millions of websites and APIs around the globe. (see DDoS Protection) #DDoSDefenders

Team Athenas is the team for the people: they ensure that U.S. State, County, and Municipal election websites stay online for free, no matter what kind of gnarly pitches get thrown their way. (see Athenian Project) #AthenianProjectAthenas

The Argo Argonauts know how to throw the fastest pitches for routing your traffic across the Internet. (see Argo Smart Routing) #ArgoArgonauts

The Web Application Firewall (WAF) Masons are the firefighters of the Internet — there is no fire too big for this team to put out. (see Web Application Firewall) #WAFMasons

The Workers Bees are the efficient go-getter team that can help you do the impossible on the Edge! These workers can help get anything done, from detecting malicious bots to filtering logic at the Edge. (see Workers) #WorkersBees

The Stream Rapids are up to bat and ready to knock fast and speedy video hits out of the park, and across the Internet! (see Stream) #StreamRapids

The CDN Packets are a team of fast & strong international players — with over 150 teammates (data centers) around the world, they guarantee web content gets delivered safely and as fast as possible. (see Cloudflare CDN) #CDNPackets

The DNS Resolvers are here to lead the way to anywhere you want to go on the Internet! They're the fastest in the game and they're out to keep you (and your data) safe and private throughout the journey. (see 1.1.1.1) #DNSResolvers

Brought to you by the Cloudflare Brand Design team

Categories: Technology

KernelCare is coming to Texas Linux Fest 2018

CloudLinux - Tue, 22/05/2018 - 13:32

Texas Linux Fest is an open source software event held in Austin on June 8 and 9, 2018, at the AT&T Conference Center. Whether you are a Linux enthusiast or a business expert, whether you run your school’s infrastructure or a non-profit organization, Texas Linux Fest is a great place for you to learn and to meet others. There will be more than 30 presentations over the two days, and multiple tracks to ensure you can get insights on both established and emerging technologies.

Texas Linux Fest is a community-run, non-profit conference and KernelCare is excited to be a part of it and to sponsor this great event this year. And don’t forget that if you work for a non-profit organization, you can get KernelCare licenses for free - here, you can learn more about it.

If you visit the event, be sure to stop by the KernelCare booth to talk to Igor Seletskiy, our CEO, to find out more about our rebootless and automated kernel updates solution. KernelCare defends kernels against security vulnerabilities by automatically patching them without downtime. If you’d like to learn more about KernelCare in under 90 seconds, check out this video.


Categories: Technology

Rate Limiting: Delivering more rules, and greater control

CloudFlare - Mon, 21/05/2018 - 21:41

With more and more platforms taking the necessary precautions against DDoS attacks, such as integrating DDoS mitigation services and increasing bandwidth at weak points, Layer 3 and 4 attacks are just not as effective anymore. At Cloudflare, Layer 3/4 protections are fully automated by our internal platform, Gatebot. In the last 6 months we have seen a large upward trend in Layer 7 DDoS attacks. The key difference with these attacks is that they no longer rely on huge payloads (volumetric attacks) but on requests per second, to exhaust server resources (CPU, disk and memory). On a regular basis we see attacks of over 1 million requests per second. The graph below shows the number of Layer 7 attacks Cloudflare has monitored, which is trending up: on average around 160 attacks a day, with some days spiking to over 1000 attacks.

[Graph: number of Layer 7 DDoS attacks monitored by Cloudflare per day]

A year ago, Cloudflare released Rate Limiting and it is proving to be a hugely effective tool for customers to protect their web applications and APIs from all sorts of attacks, from “low and slow” DDoS attacks, through to bot-based attacks, such as credential stuffing and content scraping. We’re pleased about the success our customers are seeing with Rate Limiting and are excited to announce additional capabilities to give our customers further control.

So what’s changing?

There are times when you clearly know that traffic is malicious. In cases like this, our existing Block action is proving effective for our customers. But there are times when it is not the best option and causes a negative user experience. Rather than risk a false negative, customers often want to challenge a client to ensure it is what it represents itself to be, which in most situations means a human, not a bot.

Firstly, to help customers identify traffic more accurately, we are adding the Cloudflare JavaScript Challenge and Google reCAPTCHA (Challenge) mitigation actions to the UI and API. The existing Block and Simulate actions remain. As a reminder, deploying any rule in Simulate means that you will not be charged for any requests, which makes it a great way to test new rules and make sure they have been configured correctly.

Secondly, we’re making Rate Limiting more dynamically scalable. A new feature allows Rate Limiting to count on Origin Response Headers for Business and Enterprise customers. It works by matching attributes that the Origin returns to Cloudflare in its response.

The new capabilities - in action!

One of the things that really drives our innovation is solving the real problems we hear from customers every day. With that, we wanted to provide some real world examples of these new capabilities in action.

Each of the use cases has Basic and Advanced implementation options. After some testing, we found that tiering rate limits is an extremely effective solution against repeat offenders.

Credential Stuffing Protection for Login Pages and APIs. The best way to build applications is to use the standardized HTTP status codes. For example, if I fail to authenticate against an endpoint or a website, I should receive a 401 or 403. Generally speaking, a user of a website will get their password wrong about three times before selecting the “I forgot my password” option. Most credential stuffing bots will try thousands of times, cycling through many username and password combinations to see what works.

Here are some example rate limits which you can configure to protect your application from credential stuffing.

Basic:
Cloudflare offers a “Protect My Login” feature out of the box. Enter the URL of your login page and Cloudflare will create a rule such that clients that attempt to log in more than 5 times in 5 minutes will be blocked for 15 minutes.


With the new Challenge capabilities of Rate Limiting, you can customize the response parameters for log in to more closely match the behavior pattern for bots you see on your site through a custom built rule.

Logging in four times in one minute is hard - I type fast, but couldn’t even do this. If I’m seeing this pattern in my logs, it is likely a bot. I can now create a Rate Limiting rule based on the following criteria:

RuleID  URL     Count  Timeframe  Matching Criteria                   Action
1       /login  4      1 minute   Method: POST; Status Code: 401,403  Challenge

With this new rule, if someone tries to log in four times within a minute, they will be served a challenge. My regular human users will likely never hit it, but if they do, the challenge ensures they can still access the site.

Advanced:
And sometimes bots are just super persistent in their attacks. We can tier rules together to tackle repeat offenders: instead of creating a single rule, we create a series of rules that are tiered to protect against persistent threats:

RuleID  URL     Count  Timeframe  Matching Criteria                   Action
1       /login  4      1 minute   Method: POST; Status Code: 401,403  JavaScript Challenge
2       /login  10     5 minutes  Method: POST; Status Code: 401,403  Challenge
3       /login  20     1 hour     Method: POST; Status Code: 401,403  Block for 1 day

With this type of tiering, genuine users who are just having a hard time remembering their login details whilst also being extremely fast typers will not be fully blocked. Instead, they will first be given an automated JavaScript challenge, followed by a traditional CAPTCHA if they hit the next limit. This is a much more user-friendly approach while still securing your login endpoints.

Time-based Firewall

Our IP Firewall is a powerful feature for blocking problematic IP addresses from accessing your app, typically in response to repeated abuse, or based on IP reputation or threat intelligence feeds that are integrated at the origin.

While the IP firewall is powerful, maintaining and managing the list of IP addresses currently being blocked can be cumbersome. It becomes more complicated if you want blocked IP addresses to “age out” once the bad behavior stops for a period of time. This often requires authoring and maintaining a script and multiple API calls to Cloudflare.

The new Rate Limiting Origin Headers feature makes this much easier. You can now configure your origin to respond with a header that triggers a Rate Limit. To make this happen, the origin generates a header and adds it to its response to Cloudflare. Since we match on a static header, we can encode a severity level in the header’s value: for a repeat offender, for example, the origin could respond with High as the header value, which could block for a longer period.

Create a Rate Limiting rule based on the following criteria:

RuleID  URL  Count  Timeframe  Matching Criteria                           Action
1       *    1      1 second   Method: _ALL_; Header: X-CF-Block = low     Block for 5 minutes
2       *    1      1 second   Method: _ALL_; Header: X-CF-Block = medium  Block for 15 minutes
3       *    1      1 second   Method: _ALL_; Header: X-CF-Block = high    Block for 60 minutes

Once that Rate Limit has been created, Cloudflare’s Rate Limiting will kick in immediately when that header is received.

Enumeration Attacks

Enumeration attacks are proving increasingly popular and pesky to mitigate. In an enumeration attack, attackers identify an expensive operation in your app and hammer at it to tie up resources and slow or crash the app. For example, an app that offers the ability to look up a user profile requires a database lookup to validate whether the user exists. In an enumeration attack, attackers send random sets of characters to that endpoint in quick succession, causing the database to grind to a halt.

Rate Limiting to the rescue!

One of our customers was hit with a huge enumeration attack on their platform earlier this year, where the aggressors were trying to do exactly what we described above, in an attempt to overload their database platform. Their Rate Limiting configuration blocked over 100,000,000 bad requests during the 6 hour attack.


When a query is sent to the app and the user is not found, the app serves a 404 (page not found). A very basic approach is to set a rate limit on 404s: if a client crosses a threshold of 404s in a period of time, challenge it to prove it is a real person.

RuleID  URL  Count  Timeframe  Matching Criteria              Action
1       *    10     1 minute   Method: GET; Status Code: 404  Challenge

To catch repeat offenders, you can tier the Rate Limits:

RuleID  URL               Count  Timeframe   Matching Criteria                  Action
1       /public/profile*  10     1 minute    Method: GET; Status Code: 404      JavaScript Challenge
2       /public/profile*  25     1 minute    Method: GET; Status Code: 200      Challenge
3       /public/profile*  50     10 minutes  Method: GET; Status Code: 200,404  Block for 4 hours

With this type of tiered defense in place, you can “caution” an offender with a JavaScript Challenge or a Challenge (Google CAPTCHA), and then “block” them if they continue.

Content Scraping

Increasingly, content owners are wrestling with content scraping: malicious bots copying copyrighted images or assets and redistributing or reusing them. For example, we work with an eCommerce store whose copyrighted images are appearing elsewhere on the web without their consent. Rate Limiting can help!

In their app, each page displays 4 copyrighted images: 1 at actual size and 3 thumbnails. By looking at logs and user patterns, they determined that most users, at a stretch, would never view more than 10-15 products in a minute, which equates to 40-60 loads from the image store.

They chose to tier their Rate Limiting rules to prevent end users from being unnecessarily blocked when browsing heavily. Blocking malicious content scraping can be quite simple, but it does require some forward planning: placing the rate limit on the right URL is key to ensuring the rule covers exactly what you are trying to protect and not the broader content. Here’s the set of rate limits this customer configured to protect their images:

RuleID  URL            Count  Timeframe  Matching Criteria                  Action
1       /img/thumbs/*  10     1 minute   Method: GET; Status Code: 404      Challenge
2       /img/thumbs/*  25     1 minute   Method: GET; Status Code: 200      Challenge
3       /img/*         75     1 minute   Method: GET; Status Code: 200      Block for 4 hours
4       /img/*         5      1 minute   Method: GET; Status Code: 403,404  Challenge

As we can see here, rules 1 and 2 count requests to each endpoint. Rule 3 counts all hits to the image store, and if a client exceeds 75 requests it will be blocked for 4 hours. Finally, to catch enumeration or bots guessing image names and numbers, rule 4 counts 404s and 403s and challenges if we see unusual spikes.
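The rule tables in this post (the tiered login rules, the X-CF-Block origin-header severities, the 404 enumeration tiers and the image-store rules) all follow one evaluation pattern: per client, count the origin responses that match a URL pattern, method, status code or origin response header inside a sliding time window, and apply the action of the strictest tier whose threshold is reached. The Python below is an added example written for this page to make that pattern concrete; it is not Cloudflare's code and uses none of Cloudflare's API. It assumes that the count-th matching request inside the window triggers the rule, that a higher RuleID is the stricter tier, and it does not model the fact that a blocked client's later requests never reach the origin. The rule objects mirror the login and origin-header tables above; the client IPs and traffic sequences are constructed for the demonstration.

```python
"""Sliding-window evaluation of tiered rate-limiting rules.

Added example for this page, not Cloudflare's code: it simulates how rules
that count on URL, method, response status code or an origin response header
select an action per client. Rule tables and traffic below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, FrozenSet, List, Optional, Tuple

ALL_METHODS = "_ALL_"


@dataclass(frozen=True)
class Rule:
    rule_id: int                 # higher id = stricter tier (assumption for this example)
    url: str                     # glob such as "/login" or "/public/profile*"
    count: int                   # matching requests within the window that trigger the action
    window: int                  # window length in seconds
    action: str                  # e.g. "JavaScript Challenge", "Block for 1 day"
    methods: FrozenSet[str] = frozenset({ALL_METHODS})
    status_codes: FrozenSet[int] = frozenset()        # empty: any status code
    header: Optional[Tuple[str, str]] = None          # (name, value) origin header to match


@dataclass
class Response:
    ts: int                      # seconds since start of the simulation
    client: str                  # identity the rule counts on (client IP here)
    method: str
    path: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


class RateLimiter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # (rule_id, client) -> timestamps of matching responses still inside the window
        self.hits: Dict[Tuple[int, str], deque] = defaultdict(deque)

    def _matches(self, rule: Rule, r: Response) -> bool:
        if not fnmatch(r.path, rule.url):
            return False
        if ALL_METHODS not in rule.methods and r.method not in rule.methods:
            return False
        if rule.status_codes and r.status not in rule.status_codes:
            return False
        if rule.header is not None:
            name, value = rule.header
            if r.headers.get(name, "").lower() != value.lower():
                return False
        return True

    def observe(self, r: Response) -> Optional[str]:
        """Record one origin response; return the action to apply, or None."""
        triggered = []
        for rule in self.rules:
            if not self._matches(rule, r):
                continue
            q = self.hits[(rule.rule_id, r.client)]
            q.append(r.ts)
            while q and q[0] <= r.ts - rule.window:   # drop hits that fell out of the window
                q.popleft()
            if len(q) >= rule.count:
                triggered.append(rule)
        if not triggered:
            return None
        return max(triggered, key=lambda x: x.rule_id).action   # strictest tier wins


POST, GET = frozenset({"POST"}), frozenset({"GET"})
AUTH_FAIL = frozenset({401, 403})

# The "Advanced" login tiering from the post, as rule objects.
LOGIN_RULES = [
    Rule(1, "/login", 4, 60, "JavaScript Challenge", POST, AUTH_FAIL),
    Rule(2, "/login", 10, 5 * 60, "Challenge", POST, AUTH_FAIL),
    Rule(3, "/login", 20, 60 * 60, "Block for 1 day", POST, AUTH_FAIL),
]

# The origin-header severities: the origin sets X-CF-Block and the edge reacts on the first hit.
ORIGIN_HEADER_RULES = [
    Rule(1, "*", 1, 1, "Block for 5 minutes", header=("X-CF-Block", "low")),
    Rule(2, "*", 1, 1, "Block for 15 minutes", header=("X-CF-Block", "medium")),
    Rule(3, "*", 1, 1, "Block for 60 minutes", header=("X-CF-Block", "high")),
]


def login_bot_transitions(failures: int = 20, interval: int = 3):
    """Constructed traffic: one client failing POST /login every `interval` seconds.
    Returns (attempt number, action) each time the applied action changes."""
    rl = RateLimiter(LOGIN_RULES)
    transitions, last = [], None
    for i in range(1, failures + 1):
        action = rl.observe(Response(i * interval, "198.51.100.7", "POST", "/login", 401))
        if action != last:
            transitions.append((i, action))
            last = action
    return transitions


def forgetful_human_actions():
    """Constructed traffic: three failures inside a minute, then a success; no tier is reached."""
    rl = RateLimiter(LOGIN_RULES)
    seq = [(0, 401), (20, 403), (40, 401), (50, 200)]
    return [rl.observe(Response(ts, "203.0.113.9", "POST", "/login", st)) for ts, st in seq]


def origin_header_action(severity: str) -> Optional[str]:
    """Action chosen when the origin tags one response with X-CF-Block: <severity>."""
    rl = RateLimiter(ORIGIN_HEADER_RULES)
    return rl.observe(Response(0, "203.0.113.5", "GET", "/api/items", 200, {"X-CF-Block": severity}))


if __name__ == "__main__":
    print(login_bot_transitions())       # [(4, 'JavaScript Challenge'), (10, 'Challenge'), (20, 'Block for 1 day')]
    print(forgetful_human_actions())     # [None, None, None, None]
    print(origin_header_action("high"))  # Block for 60 minutes
```

The point of the simulation is the escalation it makes visible: the bot failing every three seconds is challenged on its fourth failure, moved to a CAPTCHA on its tenth and blocked on its twentieth, while the human who fumbles three times and then succeeds never crosses a threshold. The 404 enumeration and image-store tables from the post plug into the same engine unchanged, since each of their rows is just another Rule with a different glob, status set and window.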

One more thing ... more rules, totally rules!

We want to ensure you have the rules you need to secure your app. To do that, we are increasing the number of available rules for Pro and Business, for no additional charge.

  • Pro plans increase from 3 to 10 rules
  • Business plans increase from 3 to 15 rules

As always, Cloudflare only charges for good traffic - requests that are allowed through Rate Limiting, not blocked. For more information click here.

The Rate-Limiting feature can be enabled within the Firewall tab on the Dashboard, or by visiting: cloudflare.com/a/firewall

Categories: Technology

CloudLinux and GDPR

CloudLinux - Mon, 21/05/2018 - 18:51

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in the EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

For the last six months, we have been actively working to make all parts of Cloud Linux Inc GDPR compliant.

  • We have reviewed and adjusted our data collection and retention policies.
  • We have signed a DPA with all the vendors we use to provide you with our services. This includes payment processing services, our ticketing system vendor, our outgoing and incoming mail system providers, as well as the marketing services vendors we use.
    • We don't sell or share your information with any 3rd party vendors that we don't use to provide you with services.
  • Our EULAs, website Terms of Use and Privacy Policy were updated to be in line with GDPR.
  • Our ticketing system now requires a form submission for each server access, with a click-through binding agreement that includes data processing addendum. You can find a copy of the agreement here.

    Why is this needed?

    When accessing your servers, our support staff might need to run some of the scripts, or access the database for testing/debugging purposes, which might be considered as data sub-processing. As such, we decided it is necessary to establish an agreement that would cover our work on your servers.


For Imunify360, we collect visitors' IPs as well as browser metadata and request headers, which can be considered personal information. If you have determined that you qualify as a data controller under the GDPR, and need a data processing addendum (DPA) in place with your qualifying vendors, we want to help make things easy for you.

Here is what you need to do:

  • Download our GDPR-compliant DPA, which has been pre-signed on behalf of Cloud Linux Inc here.
  • To complete the DPA, you should fill in the “Customer” information and sign on pages 7, 13, 15, and 19.
  • Send an electronic copy of the fully executed DPA to Cloud Linux Inc at signed-dpa@imunify360.com.

What data does Imunify360 collect? 

  • We collect:
    • Visitors' IP addresses and browser headers, as well as some other metadata such as browser fingerprints and screen resolution;
    • Online property identification data, including domain, server IP, port, protocol and URI in case of HTTP/HTTPS;
    • We might also collect HTTP/HTTPS query parameters, encrypted using one-way encryption (irreversible encryption used for comparison and analysis);
      • If an attack is detected, we will collect the HTTP parameters without one-way encryption. We will still encrypt them for the purpose of transferring them to our servers.


If you have more questions on CloudLinux and GDPR, don't hesitate to ask us at gdpr-questions@cloudlinux.com.


