View Full Version : Web site security scans



jimr451
11-08-2012, 08:08 PM
Hi all,

Has any here used any "security scanners" against their website, looking for possible vulnerabilities? E-commerce sites are running
PCI scans nowadays, but I was wondering if anyone has been doing anything proactively to check for security issues?

I've had some clients get hacked (by using vulnerable versions of purchased/free software) over the years, and I've been thinking lately
about offering some security related service to my clients. I think it may be a hard sell, because many site owners don't think about
security until they've been hacked. (It's like backup services - you don't think much about it, until you lose data.)

Anyway, I was wondering if anyone here has used any services, and if they'd consider paying for any type of monitoring services. My thought
was to package some locally installed scripts (to monitor the site from the inside) and also run monthly external scans.

I appreciate any feedback.

-Jim

MyITGuy
11-08-2012, 08:18 PM
Nope, I just run the required PCI scans as needed. I'd take a proactive stance instead...firewalls, monitoring uploads, prevent brute force attacks and etc...

Intrusion Detection can get pricey, and even then it can't catch some of the 0-day exploits that are discovered...

Do you maintain/manage your own servers or do you rely on a third party?

jimr451
11-09-2012, 07:10 AM
I don't provide hosting - my clients are hosted anywhere they choose - some on shared accounts, some on their own dedicated servers.

So most have the basic security measures provided by the host - firewalls, ports locked down, etc. My idea was to primarily offer monitoring
of the files themselves, looking for changed files and maybe scanning the logs. The idea is that *if* a hack occurs, at least you'd be notified of it
quickly. I've seen some client sites whose websites were hacked for months before they noticed any issues (in some cases the hackers appeared to be collecting
sensitive information).

Anyway, I'm a little doubtful if anyone would pay for the service. Maybe they'd pay for a "one time" install of a script to monitor things....

Thanks for the feedback - anyone else?

-Jim

seolman
11-09-2012, 08:46 AM
Hi Jim - there is certainly a lot of fear in the market amongst business owners re: script-kitties so there may be a market for a "security scan" type product, especially one that checks for things like open file permissions on commonly used software. I guess it really depends on how you market it. Most web companies would likely not be interested but you can bet quite a few small business owners would like to know their site passes a basic security test if the price is right.

"Is your Wordpress installed correctly and safely? Get peace of mind for only $99"

One thing we always emphasize to clients is for them to get away from the stupid simple passwords and eliminate the "admin" username login immediately after the site is installed. As I'm sure you already know the biggest problem is not hacking but password guessing. It's amazing how many people use a variation of their name and something like "mypassword" as the login.

MostHeather
11-09-2012, 09:18 AM
I think that this is a good idea - and it's not that expensive either. It's always a good idea to follow the best practices for web, internet and Email security, IMHO.

jimr451
11-09-2012, 09:38 AM
Well, I'll continue to ponder it. One thing I want to be careful of is to stress that there's no "guarantee" here - I don't want to have someone come back
to me if they get hacked, and say "You told me my site was safe....". Even though I think it's a good idea for any website, it may not be worth the trouble.

Also, whenever I have an idea like this, I ask myself - why aren't other companies selling this service? There are some security scanners out there, but mostly
centered around PCI compliance, which is mandatory for e-commerce now. Otherwise, it doesn't seem to be a big seller. In fact, I don't know any clients that
pay for any services like that - other than PCI, and that was only when they were forced to....

Soo...that could be an indicator of the likelihood of success here..

-Jim

MyITGuy
11-09-2012, 09:55 AM
The script looking for basic changes would be ideal, and after checking out your website it looks like you've already written it? I can easily see how this could be done for file based sites (generate an MD5 of the file and store it in a file with the same name and a .MD5 suffix. If this file is not present then alert on a new file, otherwise use the value stored in this file for comparison and alert if there is a change.)

But how would you monitor sites that are database driven?


I don't provide hosting - my clients are hosted anywhere they choose - some on shared accounts, some on their own dedicated servers.
This is an issue. If your clients are hosting on shared accounts then they likely won't have access to install a script that would prevent these attacks at the OS level...and would instead have to rely on other means.


Anyway, I'm a little doubtful if anyone would pay for the service. Maybe they'd pay for a "one time" install of a script to monitor things....
You mean something like this: ConfigServer eXploit Scanner (cxs) (http://configserver.com/cp/cxs.html) I use several tools from that site and I haven't had any issues ;)


Also, whenever I have an idea like this, I ask myself - why aren't other companies selling this service?

In this particular instance I'd say it's due to the wide range of knowledge and ways to attack a problem (or lack of).
A lot of hosting companies just don't have the experience/knowledge to install/configure the servers properly, let alone securing them.
Other companies, while they may have the knowledge to secure the servers, choose not to because they have too large of a server base to maintain or fear that they might "break" something which will result in hundreds of support calls.
Then you have some companies that view security as a requirement and include this in their basic costs of doing business.
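The sidecar-digest scheme described in the post above, written out as an added example (not Jim's script and not code from the thread): each file gets a baseline next to it with a .MD5 suffix, a missing baseline means a new file, a mismatch means a changed file. The file names and contents in demo() are constructed; on a real site the baseline should live outside the web root, since anyone who can rewrite index.php can usually rewrite index.php.MD5 too.

```python
import hashlib
import tempfile
from pathlib import Path

SIDECAR_SUFFIX = ".MD5"  # the post's scheme: the baseline digest sits next to the file it covers

def file_digest(path, algo="md5"):
    """Hex digest of one file, read in chunks so big uploads stay out of memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_tree(root, algo="md5", accept_changes=False):
    """Compare every file under root with its sidecar baseline: files without a
    sidecar are reported as new and get one; files whose digest differs are reported
    as changed, and their baseline is replaced only when accept_changes=True, so an
    unreviewed change keeps alerting rather than silently becoming the new normal."""
    root = Path(root)
    alerts = {"new": [], "changed": []}
    for path in list(root.rglob("*")):
        if not path.is_file() or path.suffix == SIDECAR_SUFFIX:
            continue
        sidecar = path.with_name(path.name + SIDECAR_SUFFIX)
        digest = file_digest(path, algo)
        rel = path.relative_to(root).as_posix()
        if not sidecar.exists():
            alerts["new"].append(rel)
            sidecar.write_text(digest + "\n")
        elif sidecar.read_text().strip() != digest:
            alerts["changed"].append(rel)
            if accept_changes:
                sidecar.write_text(digest + "\n")
    return {kind: sorted(names) for kind, names in alerts.items()}

def demo():
    """Constructed walk-through in a temp dir: baseline run, clean run, then one edited and one dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "inc").mkdir()
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "inc" / "config.php").write_text("<?php $db = 'prod'; ?>\n")
        baseline = check_tree(site)  # first run: every file is new, sidecars get written
        clean = check_tree(site)     # second run: nothing to report
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n<!-- edit nobody deployed -->\n")
        (site / "inc" / "dropped.php").write_text("<?php /* file nobody deployed */ ?>\n")
        return baseline, clean, check_tree(site)  # third run: one change, one new file
```

Run it from cron on the hosting account and mail the non-empty results; the database-driven case MyITGuy asks about needs a different approach (snapshotting the tables, not the files).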

MyITGuy
11-09-2012, 10:03 AM
One thing we always emphasize to clients is for them to get away from the stupid simple passwords and eliminate the "admin" username login immediately after the site is installed. As I'm sure you already know the biggest problem is not hacking but password guessing. It's amazing how many people use a variation of their name and something like "mypassword" as the login.

Agreed...and I see hundreds of e-mails a day with people trying to brute force passwords, however if your providers are concerned about security they would install something like ConfigServer Security & Firewall (http://configserver.com/cp/csf.html) - I have my servers set up in a cluster so if someone starts to brute force a password on server A, then after X invalid attempts they are blocked from Server A, as well as Servers B-Z.

Here's a sample block that was put in place last week...there is no username 'berry' on my servers and all users have to use the @domain username...but I still see multiple attempts using common (and misspelled) first names:


Time: Tue Nov 6 06:22:38 2012 -0500
IP: distributed smtpauth attack on account [berry]
Failures: 5
Interval: 300 seconds
Blocked: Temporary Block

Log entries:

2012-11-06 06:22:28 dovecot_login authenticator failed for 23-25-216-129-static.hfc.comcastbusiness.net ([192.168.2.33]) [23.25.216.129]:2477: 535 Incorrect authentication data (set_id=berry)
2012-11-06 06:22:29 dovecot_login authenticator failed for 122.red-80-36-210.staticip.rima-tde.net ([192.168.2.33]) [80.36.210.122]:13052: 535 Incorrect authentication data (set_id=berry)
2012-11-06 06:22:30 dovecot_login authenticator failed for 23-25-216-129-static.hfc.comcastbusiness.net ([192.168.2.33]) [23.25.216.129]:2477: 535 Incorrect authentication data (set_id=berry)
2012-11-06 06:22:31 dovecot_login authenticator failed for 122.red-80-36-210.staticip.rima-tde.net ([192.168.2.33]) [80.36.210.122]:13052: 535 Incorrect authentication data (set_id=berry)
2012-11-06 06:22:32 dovecot_login authenticator failed for 23-25-216-129-static.hfc.comcastbusiness.net ([192.168.2.33]) [23.25.216.129]:2477: 535 Incorrect authentication data (set_id=berry)

IP Addresses Blocked:

23.25.216.129 (US/United States/CT/Plainville/23-25-216-129-static.hfc.comcastbusiness.net)
80.36.210.122 (ES/Spain/52/Zaragoza/122.Red-80-36-210.staticIP.rima-tde.net)
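The detection behind that report (5 failures for one account inside 300 seconds, counted across source IPs, then every IP involved gets blocked), as an added example that is not CSF's code: it parses lines in the same dovecot_login format as the entries quoted above and keeps a sliding window per account. Every value in SAMPLE_LOG is constructed, with documentation-range IPs; only the line format is taken from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Shape of the dovecot_login failure lines quoted in the post; the values in SAMPLE_LOG are constructed.
FAILURE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dovecot_login authenticator failed for "
    r"\S+ \(\[[^\]]*\]\) \[(?P<ip>[^\]]+)\]:\d+: 535 Incorrect authentication data "
    r"\(set_id=(?P<user>[^)]*)\)$"
)

def parse_failure(line):
    """Return (timestamp, source ip, attempted account), or None for any other log line."""
    m = FAILURE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]

def detect_distributed_attacks(lines, failures=5, interval=300):
    """Per-account sliding window (lines assumed in time order): once `failures` failed logins
    for one account fall inside `interval` seconds, emit a block record and reset that window."""
    windows = defaultdict(deque)  # account -> deque of (timestamp, ip)
    blocks = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        w = windows[user]
        w.append((ts, ip))
        while (ts - w[0][0]).total_seconds() > interval:  # forget attempts older than the window
            w.popleft()
        if len(w) >= failures:
            blocks.append({"account": user, "failures": len(w), "first": w[0][0].isoformat(" "),
                           "last": ts.isoformat(" "), "ips": sorted({src for _, src in w})})
            w.clear()  # the temporary block resets the count, as in the post's report
    return blocks

def _fail(ts, host, ip, port, user):  # builds one line in the quoted format
    return (f"{ts} dovecot_login authenticator failed for {host} ([192.168.2.33]) "
            f"[{ip}]:{port}: 535 Incorrect authentication data (set_id={user})")

SAMPLE_LOG = [  # constructed: two sources sharing one account, plus an unrelated single failure
    _fail("2012-11-06 01:10:00", "a.example.net", "203.0.113.10", 2477, "berry"),  # hours earlier: outside the window
    _fail("2012-11-06 06:22:28", "a.example.net", "203.0.113.10", 2477, "berry"),
    _fail("2012-11-06 06:22:29", "b.example.org", "198.51.100.7", 13052, "berry"),
    _fail("2012-11-06 06:22:30", "a.example.net", "203.0.113.10", 2477, "berry"),
    _fail("2012-11-06 06:22:30", "c.example.com", "192.0.2.44", 5120, "alice@example.com"),
    _fail("2012-11-06 06:22:31", "b.example.org", "198.51.100.7", 13052, "berry"),
    _fail("2012-11-06 06:22:32", "a.example.net", "203.0.113.10", 2477, "berry"),
]
```

Counting per account rather than per IP is what makes the two-source attempt above visible at all; a per-IP counter would see only two or three failures from each address and never trip.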