OPcache - Performance Enhancement

OPcache is now enabled by default on all of our cPanel servers to improve performance and loading times.

These changes have been applied to the following PHP Versions…

  • PHP 7.2
  • PHP 7.3
  • PHP 7.4

Migration Center v2.0

Our v2.0 of the Migration Center has now been released to our client area, with a number of new enhancements.

  • Ajax Interface
  • Allows large resellers with thousands of accounts to migrate easily
  • Allow overwrite of existing accounts* (see below)
  • Prevent overwrite of 'misowned' accounts (security fix)
  • More efficient post-migration handling: the 'cron'-invoked tasks have been removed and replaced with hooks

Note:

The 'overwrite account' facility will appear in the client area, as we have coded the solution to this already.

However, there is a bug within the WHMAPI which is preventing this from functioning as expected, and therefore account overwrites may not complete.

We are still awaiting a fix on the following bug which we raised to the development team at cPanel…

https://support.cpanel.net/hc/en-us/articles/360050574194-A-transfer-created-through-the-API-is-not-able-to-overwrite-an-existing-account

If you have any issues with the migration facility, please raise a ticket directly to support@brixly.uk, and request that the ticket be assigned directly to Dennis Nind for further review.

Elite Module - Sell Plesk Reseller Plans

We are pleased to confirm that we now offer the Plesk Reseller plans through the Brixly Elite module.

To read more about the module, see the following…

https://help.brixly.uk/en/article/brixly-elite-module-how-to-sell-reseller-hosting-and-our-elastic-cloud-through-whmcs-jjcguk/

The following products have been added…

  • Plesk - Reseller Pro
  • Plesk - Reseller Entry

Bolt-Cache Update - Addon Domains

We have improved the Bolt-Cache interface, and have also improved the handling of addon domains which previously had a bug.

The Bolt-Cache interface can now be used to apply the most common caching methods to addon domains, as well as the main domains for a cPanel account.

Security Upgrades - BitNinja

For a number of years, we have used a combination of tools for security on our servers, including CSF, ModSecurity and cpGuard for Malware protection.

We have spent several months planning the implementation of the BitNinja suite to bring a number of security and performance benefits to you, free of charge. As such, a number of changes are being implemented to bring leading-edge protection to your clients' sites.

Please note that due to the extent of those changes, this is being done on a gradual rollout spanning the next week or so.

For more information on BitNinja, see the following…

https://bitninja.io

IP Address Blacklisting

Until now, we have taken a fairly aggressive approach to malicious IP addresses and traffic, which consisted of a 'whitelist' and 'blacklist' solution powered by 'CSF', the previously implemented firewall of choice.

However, this has limitations, in that should a 'false positive' be triggered, access is entirely blocked from our servers / network. This can give the false impression of outages and can also be incredibly frustrating.

Another limitation of this method is that our client base mainly consists of resellers, who then provide hosting for their own clients. In the event of a blacklisted IP address, our resellers would then need to request de-listing of that IP address via our client area.

We have taken on board the inconvenience of this and have implemented a new solution powered by BitNinja, which works on the concept of 'Greylisting', along with a number of additional intrusion prevention technologies.

BitNinja has created a disruptive technology so there are some concepts that are important to understand in order to comprehend the way BitNinja works.

IP reputation is a very effective way of securing a server. It’s a database with information about various IPs in the world. BitNinja clients use IP reputation information automatically on servers to make security decisions and to find out more about an IP address.

Every server with BitNinja can detect and defend a wide range of attacks. The server can send gathered incident information to our central database. Based on the type, timing, and amount of incidents an IP has in the database, it is categorized into one of the following lists:

Not listed

An IP address is not listed when there is no information about it, or when its latest behaviour gives no reason to list it.

User Greylist

In traditional IP reputation terminology, we differentiate black and white lists. An IP can be trusted (whitelisted) or absolutely denied (blacklisted). This concept is very inflexible and this is the cause of the bad reputation that IP reputation lists have. If an IP is false-positively blacklisted, it's incredibly frustrating that the user of that IP address can’t access the system they want to use and has to undergo an extensive process to whitelist or remove that IP address.

That’s how the concept of greylisting was born.

A greylist is the concept of a list of IPs we think may be malicious but we are not completely sure of it yet.

The greylist contains suspicious IPs that the BitNinja software handles with special care. BitNinja has different CAPTCHA modules for different protocols. The duty of a CAPTCHA module is as follows:

  • Decide if the user is human or not
  • Inform the user about the fact that his/her IP has been greylisted
  • Provide a safe way for the user to delist his/her IP
  • Save any requests made by non-human parties, growing the knowledge base about the IP and the sin list.
  • Honeypotting by pretending to be a vulnerable system so bots will try to connect

In introducing this disruptive technology to our servers, we are implementing a less disruptive method of IP reputation and management to you and your end-users, allowing them to control their IP address reputation themselves, vastly reducing false positives or 'false blocks'.

If there are suspicious incidents derived from an IP address, the IP can be greylisted by some users. If an IP is user-greylisted, it means it is only greylisted by some users, not all BitNinja users. When we have enough information about an IP that is sending malicious requests, we move it to the global greylist. If an IP is globally greylisted, it is greylisted by all BitNinja servers.

Global greylist

If there is enough evidence that an IP is suspicious, the IP address is moved to a global greylist which is then distributed to every BitNinja protected server.

Global blacklists

When an IP is globally greylisted and is still sending malicious requests, we identify it as dangerous. Such IPs are moved to the global blacklist maintained by BitNinja. Packets from any IP on this list are dropped entirely, causing a timeout. The false-positive rate of the global blacklist is very low, as there are many steps before we decide to blacklist an IP. Blacklisted IPs are moved back to the greylist from time to time to check whether the traffic is still malicious or the system has been disinfected.

Essential list

The essential list provides protection against the most dangerous IPs. These IPs are often used by the most aggressive hackers all around the world. When an IP generates more than 5000 malicious requests, BitNinja places it on this list. The essential list forms part of the protective layer, defending you and your clients from some of the world's most aggressive cyber attacks.

Core Benefits

The introduction of this revolutionary technology allows us to further protect you and your clients from attacks, but also…

  • Improved performance and a significant reduction in CPU load
  • Protection against the world's most malicious offenders
  • A protection 'backbone' with data gathered from thousands of servers hosted worldwide
  • Simple, intuitive method for false-positive reductions

DoS and DDoS Protection

BitNinja allows us to introduce a tertiary layer of protection against large scale denial of service attacks.

We will not use BitNinja standalone for DDoS protection and will continue to offer industry-leading protection at both the network level and the application level.

However, BitNinja will allow us to vastly improve our 'application-level' DoS handling by the use of the above greylisting technology. Now, if any IP address opens more than 80 simultaneous hits to any server, that IP address will be added to the greylist to prevent further connections.
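As an added example (not Brixly's or BitNinja's code), the following Python counts established TCP connections per remote IP from `ss -tn` output and reports any address above the 80 threshold quoted above. It assumes 'simultaneous hits' means concurrently established connections; the function names and the sample output are constructed for this example.

```python
import ipaddress
from collections import Counter

GREYLIST_THRESHOLD = 80  # from the announcement: "more than 80 simultaneous hits"


def peer_ip(ss_line):
    """Return the normalised peer IP of an ESTAB line from `ss -tn`, else None."""
    fields = ss_line.split()
    if len(fields) < 5 or fields[0] != "ESTAB":
        return None
    host = fields[4].rsplit(":", 1)[0].strip("[]")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    # Count ::ffff:a.b.c.d together with a.b.c.d so one client is not split in two.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def over_threshold(ss_output, threshold=GREYLIST_THRESHOLD):
    """Map each peer IP with more than `threshold` established connections to its count."""
    counts = Counter(ip for ip in map(peer_ip, ss_output.splitlines()) if ip)
    return {ip: n for ip, n in counts.items() if n > threshold}


def sample_ss_output(busy_count):
    """Constructed `ss -tn` output using documentation address ranges."""
    lines = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    for i in range(busy_count):
        # Alternate plain IPv4 and IPv4-mapped IPv6 forms of the same client.
        peer = "198.51.100.7" if i % 2 else "[::ffff:198.51.100.7]"
        lines.append(f"ESTAB 0 0 203.0.113.10:443 {peer}:{40000 + i}")
    lines.append("ESTAB 0 0 [2001:db8::10]:443 [2001:db8::99]:51000")
    lines.append("TIME-WAIT 0 0 203.0.113.10:443 192.0.2.44:51001")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, n in over_threshold(sample_ss_output(81)).items():
        print(f"{ip}: {n} established connections (threshold {GREYLIST_THRESHOLD})")
```

On a live server the same function can be fed the text of `ss -tn` instead of the constructed sample.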

Web Application Firewall 2.0

The web is the most vulnerable interface on most servers. Having a powerful web application firewall is an essential part of the defence toolset if you host any web content. The biggest challenge of a WAF is to find the balance between security level and false-positive rate. You don’t want a weak web application firewall, but you can’t afford many false positives either. Finding this balance was the main reason the BitNinja WAF 2.0 module was created.

We have offered WAF protection on our servers for many years, however, the introduction of BitNinja allows us to handle WAF in a far more efficient way.

BitNinja allows us to 'route' traffic through their network, so that the WAF handling is managed externally / outside of the servers which reduces load significantly, taking the dependency away from the physical servers themselves. This works in a very similar way to Cloudflare, yet doesn't require any alterations on your end to benefit from the facility.

ModSecurity, which we had previously implemented, also has downsides beyond performance degradation. When Apache and ModSecurity tackle large volumes of hits, there is potential for short 'crashes' in Apache itself, causing intermittent downtime. Whilst not frequent, we believe the new solution will resolve this moving forward to improve uptime.

Web Honeypot

Honeypotting is a security technique where you set up a system or subsystem to pretend that there is a vulnerable service available. The attacker, hacker, or bot will easily see that there is a vulnerability and will try to abuse it. As the honeypot does not actually provide the service it advertises, it instead collects the attack data and blocks the attack. This technique is similar to setting traps for your enemies, and is very effective against both automated and targeted attacks.

When malware is removed from the server, BitNinja will replace that malware with the honeypot to detect which user is accessing the malware with malicious intent, and then add that user directly to the blacklist.

Port Honeypot

This module will set up to 100 honeypots on our servers at random ports chosen from the 1000 most popular ports. This module will detect if someone does a deep port scan on your server (except syn stealth scan and some others). The module will also capture any traffic on these honeypots and reply to the requests, so when the attacker tries to exploit one of these fake services, it will generate incidents. This is a very effective way to catch both direct attacks and botnet activity early.

Malware Detection and Prevention

BitNinja has an excellent module for file-based malware detection. If attackers can break through the defence line of honeypots and the web application firewall, malware detection is the next line of defence to stop them from infecting your sites and accounts.

The BitNinja malware detection platform has been thoroughly tested to ensure there is a far lower rate of false positives than our current implemented solution.

Moving forward, we will be able to protect against unvalidated file uploads, script injection, remote code injection, and CMS (WordPress, Joomla, Drupal, etc.) vulnerabilities.

Increased LVE Limits - Memory Limits now increased to 2GB!

We are pleased to announce that we have increased our memory limits on all servers, completely free of charge!

The default LVE limits are now 2 CPU Cores, 2GB RAM for every single cPanel, DirectAdmin and Plesk account on our shared and reseller servers.

Our 'Resource Boost' option has also been doubled, now boosting your accounts to a huge 4 Cores and 4GB RAM for just £3.95 per month!

Reseller Area - Now Available

We have now implemented a 'Reseller Area' in our client area, which provides a centralised interface to the following…

  • Reseller Exclusive Discounts
  • Domain Reseller Module and Setup Instructions
  • Getting Started Guides
  • Brixly Elite module to sell VPS, Reseller Hosting and more

Plesk Reseller Hosting - Now Available!

We are pleased to announce the release of our Plesk Reseller Hosting plans, starting from just £8.95 per month!

These are available immediately on the following link…

https://brixly.uk/plesk-reseller-hosting

Only £1 for your first month!

Support Ticket Enhancement - Secure Details field for passwords / secure data

We have now added a new field to our support ticket system, which is available when raising new tickets.

This field will be encrypted to ensure the data entered in the field is secure, so is ideal for passwords, private SSH keys or login credentials. Please note that the contents of this field are also automatically purged / removed when a ticket is marked as resolved / closed.

DNSSEC Support - Nameserver Upgrade

We have now upgraded our nameserver clusters in both the UK and the USA to support DNSSEC.

We have changed our DNS clusters to use PowerDNS as opposed to BIND, which also has some performance benefits on the resolution of domains.

DNSSEC strengthens authentication in DNS using digital signatures based on public key cryptography. With DNSSEC, it's not DNS queries and responses themselves that are cryptographically signed, but rather DNS data itself is signed by the owner of the data.

Every DNS zone has a public/private key pair. The zone owner uses the zone's private key to sign DNS data in the zone and generate digital signatures over that data. As the name "private key" implies, this key material is kept secret by the zone owner. The zone's public key, however, is published in the zone itself for anyone to retrieve. Any recursive resolver that looks up data in the zone also retrieves the zone's public key, which it uses to validate the authenticity of the DNS data. The resolver confirms that the digital signature over the DNS data it retrieved is valid. If so, the DNS data is legitimate and is returned to the user. If the signature does not validate, the resolver assumes an attack, discards the data, and returns an error to the user.

DNSSEC adds two important features to the DNS protocol:

  • Data origin authentication allows a resolver to cryptographically verify that the data it received actually came from the zone where it believes the data originated.
  • Data integrity protection allows the resolver to know that the data hasn't been modified in transit since it was originally signed by the zone owner with the zone's private key.

cPanel users can create, manage, or delete their domains’ DNSSEC keys in cPanel’s Zone Editor interface (cPanel >> Home >> Domains >> Zone Editor).

To validate the DNSSEC configuration for a domain, use Verisign’s DNSSEC Analyzer website - https://dnssec-analyzer.verisignlabs.com/
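The resolver behaviour described above can also be checked from the command line. The following added example (not Brixly's or cPanel's code) classifies the text of a `dig +dnssec` response, using the `ad` header flag a validating resolver sets on authenticated data and a `+cd` retry to separate a signature failure from a plain SERVFAIL. It assumes the queries go through a validating resolver; the function names and the dig output are constructed for this example.

```python
import re


def parse_dig(output):
    """Pull status, header flags and RRSIG presence out of `dig +dnssec` text."""
    status = re.search(r"status: ([A-Z]+)", output)
    flags = re.search(r"^;; flags: ([a-z ]*);", output, re.M)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "signed": re.search(r"\sIN\s+RRSIG\s", output) is not None,
    }


def dnssec_status(validated_query, cd_query=None):
    """Classify a name from a normal query and an optional `+cd` retry."""
    normal = parse_dig(validated_query)
    if normal["status"] == "SERVFAIL":
        # Data comes back once checking is disabled: the signatures are the problem.
        if cd_query and parse_dig(cd_query)["status"] == "NOERROR":
            return "bogus"
        return "servfail"
    if normal["status"] != "NOERROR":
        return "error"
    if "ad" in normal["flags"]:
        return "validated"
    return "signed-not-validated" if normal["signed"] else "unsigned"


# Constructed dig output (documentation name and address, signature elided).
HEADER = (";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4242\n"
          ";; flags: {flags}; QUERY: 1, ANSWER: {n}, AUTHORITY: 0, ADDITIONAL: 1\n")
A_RR = "example.com. 300 IN A 192.0.2.10\n"
RRSIG_RR = ("example.com. 300 IN RRSIG A 13 2 300 20200701000000 "
            "20200615000000 12345 example.com. <sig>\n")

GOOD = HEADER.format(status="NOERROR", flags="qr rd ra ad", n=2) + A_RR + RRSIG_RR
UNSIGNED = HEADER.format(status="NOERROR", flags="qr rd ra", n=1) + A_RR
BROKEN = HEADER.format(status="SERVFAIL", flags="qr rd ra", n=0)
BROKEN_CD = HEADER.format(status="NOERROR", flags="qr rd ra cd", n=2) + A_RR + RRSIG_RR

if __name__ == "__main__":
    print(dnssec_status(GOOD), dnssec_status(UNSIGNED), dnssec_status(BROKEN, BROKEN_CD))
```

A "bogus" result corresponds to the case where the signature does not validate and the resolver returns an error instead of the data.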