Our servers are not vulnerable to the bug in “bash”

We’ve had a couple of people ask if our servers are vulnerable to the recent security bug in the bash shell, also known as the “shellshock” bug.

The answer is no. All copies of bash on all our servers were updated to a fixed (patched) version yesterday, within an hour of the news becoming public.

Update September 25, 2:58 PM: We’ve also applied a later, stronger version of the fix today. This will soon be announced as Debian Security Advisory DSA-3035-1.

Upcoming Debian “wheezy” software upgrades

Update October 14: The process described below is complete. All the updates were installed, and we’re now using only Debian wheezy on all servers.

Over the last year, we’ve been slowly upgrading our servers from Debian Linux version 6 (codename “squeeze”) to version 7 (codename “wheezy”).

All the “prominent” software (such as the Apache Web server, MySQL, PHP, the Linux kernel, and so on) was updated months ago, one piece at a time, usually with individual announcements here on our blog. Any software with security or compatibility issues has also already been upgraded.

What’s left at the end of that process are many “minor” packages, each probably used by less than 1% of our customers. We’ll be upgrading the rest of these over the next 30 days.


Ruby updated to version 1.9.3

We’ve updated the default version of the Ruby scripting language on our servers from 1.8.7 to 1.9.3.


Our SSL servers support “perfect forward secrecy”

If your site uses an SSL certificate from us, our servers now provide an important feature called perfect forward secrecy.


Brief MySQL scheduled maintenance August 9 2014 (completed)

Between 9:00 PM and 11:59 PM Pacific time on Saturday August 9 2014, the MySQL database software on each of our servers will be upgraded from version 5.5.35 to 5.5.38. This will cause an approximately 30-second interruption of service on each MySQL-using customer Web site at some point during this period.

This upgrade is necessary for security reasons. We apologize for the inconvenience this causes.

Update 9:43 PM Pacific time: The maintenance was completed and all services are running normally.

PHP 5.4.31 and 5.5.15

The PHP developers recently released versions 5.4.31 and 5.5.15 that fix several bugs. We’ve updated PHP 5.4 and 5.5 on our servers as a result.


Sites hosted with us aren’t subject to website “cross-contamination”

One of our customers asked if multiple domain names hosted with us are vulnerable to “website cross-contamination”, a nasty security problem that can happen at many hosting companies when two different sites share the same “account”.

The answer is no. We intentionally handle multiple hosted domain names differently from the way most hosting companies handle extra hosted domain names, avoiding the problem.


Blocking more WordPress xmlrpc.php attacks

Over the last few days, we’ve been tracking an ever-increasing distributed attack on the WordPress xmlrpc.php service.

We’ve previously seen and blocked attacks on this file that tried to post spam comments or act as a denial of service amplifier, but this attack is different: it tries to guess WordPress usernames and passwords.

As a result, we’ve applied more aggressive blocking than usual to the attack. It’s remotely possible that the blocking could cause legitimate third-party WordPress “apps” and services to be unable to access your blog (although it can’t cause problems when just visiting WordPress in a normal Web browser); don’t hesitate to contact us if you’re one of our customers having trouble.

Just so it’s clear, we’ve blocked this attack for all our hosting customers. But the rest of this post has some technical details that may help other people trying to do the same.


WordPress security plugins that hide the source of blocking

We often get reports from customers saying they’ve been blocked from their WordPress sites with a strange generic error message or blank page.

When we investigate, it’s common to find that it happened because they installed a security plugin that has made a mistake — a “false positive” — and blocked the site owner.


Problems with mail forwarding from “@cs.com” addresses

A customer recently reported problems when forwarding mail sent from a “@cs.com” CompuServe address to a Yahoo or Gmail address. Yahoo completely rejects the forwarded message and Gmail puts it in a “spam” folder.

This is caused by a misconfiguration at cs.com, and happens whenever anyone, anywhere, forwards @cs.com mail. It’s not related to our service in particular. However, we’ve reported this to cs.com in the hope that they’ll fix it.

Until they do so, there’s no way to avoid this problem except by having the sender send mail directly to the final destination address, or converting the forwarding address to a mailbox. (This problem is another example of the general rule that “a mailbox is usually more reliable than a forwarding address, because forwarding involves two places where things can go wrong instead of just one”.)
