Friday, August 7, 2020

Because we place a high value on website/server security, we're constantly keeping tabs on developments in security software and services that will help us provide the highest level of confidence to our clients.

For the past year or so, an excellent product called BitNinja has been protecting our services, but recently we opted to run a trial of cPGuard, which features better cPanel integration and some interesting features that BitNinja does not. During our testing, we found that cPGuard was doing a better job at detecting malware as well as dealing with failed email connections more strictly, both of which we felt justified a change.

cPGuard has now been in place for a couple of weeks on all of our hosting servers, including Managed VPS. There are two pain points that several clients have experienced, as follows:

Site Suspension for Malware Infection

cPGuard monitors and scans all new files as soon as they are created. If a malware file is detected in your account's file area, cPGuard will quarantine the file and also attempt to clean it and leave a clean copy in place. If it finds 5 malware files within 3 hours, that indicates an active compromise rather than a single stray upload, and your hosting account will be auto-suspended. For this reason it is vitally important that you keep your website secure. This is particularly true for popular CMS (content management system) web apps such as WordPress, Joomla, Drupal and similar.

If you fail to keep any PHP/MySQL-based web app updated and secure, you are asking for trouble. WordPress is currently the biggest target of hackers because it's immensely popular and also open source, so attackers can review the source code of the core and of thousands of third-party plugins and themes (where most of the exploited vulnerabilities are found) looking for flaws they can exploit. As a website owner/operator, you must always keep the core system, themes and plugins updated to stay ahead of the bad guys.

cPGuard will protect you against malware, but only once it is already being written to your website; it does not close the hole the attacker came in through. You should prevent the malware from being uploaded in the first place, and that requires diligence. Once malware is being uploaded, you run the risk of cPGuard shutting your site down to prevent further damage.

IP address blocked due to email authentication failure

Malicious bot networks are continuously probing mail servers, attempting to guess mailbox passwords in order to send spam. A legitimate, untarnished email account that can be compromised is a perfect way for a spammer to send a large volume of spam in a short amount of time, before they are noticed and before the mail server's IP address has been added to one or more DNS blacklists (DNSBLs).

cPGuard quickly blocks IP addresses that repeatedly fail email authentication. These failures are attempts to retrieve incoming email via POP/IMAP with incorrect credentials (email address and password), or attempts to send outbound mail without SMTP authentication or with bad SMTP authentication credentials.

If a legitimate email user has a misconfigured email client that periodically connects to check for or send email, this looks to the server exactly like the attacks described above: the server sees only the failed logins, not the intent behind them. If it happens several times in a short amount of time, the user's public IP address will be blocked, and everyone sharing that same network and public IP address (for example, everyone behind the same office or home router) will be denied access to mail on our servers.

If this happens to you, you have the following options to resolve the problem:

  • If you happen to know which email client is misconfigured and failing, correct the settings so that the email client's connections will succeed, and then log into your MediaServe account from the network where the IP is blocked, and the IP will be automatically unblocked. If you need to unblock an IP address other than your current IP address, select the "Support >> Unblock IP Address" menu option and change the auto-detected IP address to the one you wish to unblock.
  • If you're unsure exactly where the problem is, please make sure you know the blocked public IPv4 address (a blocked user can visit https://whatismyip.com to get it) and open a support ticket to ask that we help identify the cause of the block. We can search the mail logs and usually tell you which email account is failing to authenticate from that address, and we can also temporarily whitelist the blocked IP address for 24 hours so you'll have plenty of time to correct it.
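The log search described above, and the "N events within a time window" rule that both the malware suspension (5 files in 3 hours) and the failed-login block rely on, can be illustrated with a short script. This is an added example written for this post, not cPGuard's own code or logic: it parses constructed sample log lines modelled on the Dovecot (POP/IMAP) and Exim (SMTP AUTH) failure formats, groups failures by client IP, reports which mailbox each IP was failing to log into, and flags IPs that exceed a threshold. cPGuard's real auth-failure threshold is not stated in this post, so the 3-failures-in-10-minutes value below is an assumption chosen for illustration; the 5-in-3-hours malware rule is the one the post gives.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real server logs), modelled on the
# messages Dovecot and Exim write for failed logins. One client
# (203.0.113.5) is a misconfigured mail client retrying alice's old
# password; the others are single stray failures or successful logins.
SAMPLE_LOG = """\
2020-08-07 09:00:12 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.7
2020-08-07 09:00:20 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.7
2020-08-07 09:01:02 exim: login authenticator failed for (laptop) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice@example.com)
2020-08-07 09:03:40 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.7
2020-08-07 09:10:00 dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=198.51.100.20, lip=198.51.100.7
2020-08-07 09:30:05 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.com>, method=PLAIN, rip=192.0.2.99, lip=198.51.100.7
2020-08-07 14:15:00 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=198.51.100.20, lip=198.51.100.7
"""

# Constructed quarantine timestamps for the malware rule: five hits inside
# three hours (suspends) versus five hits spread over four hours (does not).
MALWARE_HITS = [datetime(2020, 8, 7, 10, 0), datetime(2020, 8, 7, 10, 40),
                datetime(2020, 8, 7, 11, 10), datetime(2020, 8, 7, 12, 30),
                datetime(2020, 8, 7, 12, 55)]
SLOW_HITS = [datetime(2020, 8, 7, h, 0) for h in range(10, 15)]

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
DOVECOT_FAIL_RE = re.compile(r"auth failed.*user=<([^>]+)>.*rip=([\d.]+)")
EXIM_FAIL_RE = re.compile(r"authenticator failed for .*?\[([\d.]+)\].*set_id=([^)]+)\)")


def parse_auth_failures(text):
    """Return a list of (timestamp, client_ip, account) for failed logins.

    Successful logins and unrelated lines are ignored."""
    failures = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        rest = m.group(2)
        d = DOVECOT_FAIL_RE.search(rest)
        if d:
            failures.append((when, d.group(2), d.group(1)))
            continue
        e = EXIM_FAIL_RE.search(rest)
        if e:
            failures.append((when, e.group(1), e.group(2)))
    return failures


def exceeds_threshold(times, limit, window):
    """True if any `limit` events fall within a span of `window`.

    Sliding window over sorted timestamps: if the limit-th event after
    event i is still within `window` of event i, the rule fires."""
    times = sorted(times)
    for i in range(len(times) - limit + 1):
        if times[i + limit - 1] - times[i] <= window:
            return True
    return False


def malware_rule(quarantine_times):
    """The suspension rule from the post: 5 malware files within 3 hours."""
    return exceeds_threshold(quarantine_times, 5, timedelta(hours=3))


def find_blocks(failures, limit=3, window=timedelta(minutes=10)):
    """Map each client IP that exceeds the failure threshold to the sorted
    list of accounts it failed against (assumed threshold: 3 in 10 min)."""
    by_ip = defaultdict(list)
    for when, ip, account in failures:
        by_ip[ip].append((when, account))
    blocked = {}
    for ip, events in by_ip.items():
        if exceeds_threshold([w for w, _ in events], limit, window):
            blocked[ip] = sorted({a for _, a in events})
    return blocked


if __name__ == "__main__":
    for ip, accounts in find_blocks(parse_auth_failures(SAMPLE_LOG)).items():
        print(f"block {ip}: failing login for {', '.join(accounts)}")
    print("suspend (5 in 3h):", malware_rule(MALWARE_HITS))
    print("suspend (5 in 4h):", malware_rule(SLOW_HITS))
```

Run as-is, the report names 203.0.113.5 with alice@example.com as the failing account, which is exactly the answer the support ticket above would get back; the two single failures from other addresses stay below the threshold. Because the parser keys on the client IP (`rip=` in Dovecot, the bracketed address in Exim) rather than on the account, it also shows why an office full of users behind one NAT address is blocked together.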

We realize this can be a frustrating problem, but to be truly secure we must block failed email connections to keep the spam bots at bay. The server lacks the ability and information to make a judgement call on whether an authentication failure is malicious or accidental.

Webmasters and users should be careful when configuring their email clients for the first time or changing email passwords. If you don't enter the credentials properly in your email client, and you fail to correct it, you could end up blocked after several connection failures. If you reset your mailbox password, it's best to ensure that no email client will auto-connect to check for email before you have updated every email client with the new password (computer, phone, tablet, etc.), since each one still using the old password counts as a failed login.
