IONOS and Arsys run a shared hosting environment in which customers can operate the Content Management System (CMS) products of their choice. By far the most prominent is WordPress with its ecosystem of plugins and themes, followed at a good distance by Joomla and Drupal.
While most customers use one of our managed products, where IONOS takes care of maintenance and of regular and security updates, some customers prefer to manage their CMSs themselves. This gives them total freedom over what they install and which plugins they use, but it also makes them responsible for applying security updates. To protect these customers' web applications from being hacked, and also to help ensure the availability of the hosting platform, we develop, maintain and test Web Application Firewall (WAF) rules.
Why do we need a WAF?
The main reason for using a WAF is that customers usually focus on all aspects of their sites (design, usability, functionality, ...) but put less emphasis on security, either because they lack the necessary knowledge or simply because they are not sufficiently concerned about the continuous threats in the cyber landscape.
This has consequences not only for our customers' sites, which get hacked because they run outdated and vulnerable products. It can also affect our own shared hosting platform, for example through unfiltered attacks that overload it.
ModSecurity is an open source web application firewall (WAF); it can also be considered an HTTP intrusion detection tool. It can run embedded in the web server or as a reverse proxy, and it is deployed as an external security layer that detects attacks and prevents them from reaching the web applications behind it. ModSecurity is currently deployed at Arsys and IONOS as an Apache module to protect web spaces in their respective shared hosting Linux products. At the heart of ModSecurity is its flexible rule engine, which implements a specialized rule language designed to work with HTTP transaction data.
At Arsys and IONOS, instead of relying on commercial rulesets, we write our own. One of the best things about this approach is that we avoid false positives, and since we stay up to date with the latest published vulnerabilities, we are also protected against near-0-day attacks. Best of all, this is totally transparent to the customer.
The numbers
We currently cover the generic OWASP Top Ten vulnerabilities, brute force attacks and major published CMS vulnerabilities, including those in plugins and themes. Let's take a look at the absolute number of blocks since the beginning of April (a two-week period), and at how many of those were DoS/brute force attack mitigations.
We can see that on April 3rd, and from April 10th until the 11th, some considerable attacks were mitigated.
Let's now look at the case of a recently published vulnerability in a major CMS. In this case a critical vulnerability in Joomla allowed attackers to perform unauthorized read-only requests against all available API endpoints of a vulnerable site. The information exposed through those endpoints included system configuration credentials, most importantly the full credentials used for the database connection. With the database credentials exposed, attackers might be able to gain full control over the site. Since this attack involves sending a specially crafted request, the rule we developed blocks only that request, to avoid false positives. The results are the following.
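To make the two ideas above concrete (a rule engine evaluating each HTTP transaction, and a rule kept narrow enough to hit only the crafted request while legitimate API calls pass), here is a toy rule engine with one targeted rule and one brute force rule. This is an added example written for this post, not the IONOS/Arsys ModSecurity rules; the endpoint path, header name, rule ids and thresholds are constructed placeholders.

```python
"""Toy rule engine: rules evaluated per HTTP transaction, written narrowly.
Added example, not IONOS/Arsys code; endpoint, ids and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable

@dataclass
class Request:
    ip: str
    method: str
    path: str
    headers: dict
    ts: int  # request time in seconds (constructed)

@dataclass
class Rule:
    rule_id: int
    match: Callable[[Request], bool]

# Rule 1 (targeted): fires only on the request shape the vulnerability needs,
# an unauthenticated GET to one specific API endpoint. Other API calls, and
# authenticated calls to the same endpoint, pass through: no false positives.
SENSITIVE_ENDPOINT = "/api/index.php/v1/EXAMPLE_SENSITIVE_ENDPOINT"  # placeholder

def api_unauth_read(req: Request) -> bool:
    return (req.method == "GET"
            and req.path.startswith(SENSITIVE_ENDPOINT)
            and "Authorization" not in req.headers)

# Rule 2 (brute force): more than LIMIT login POSTs from one client IP
# within WINDOW seconds gets blocked.
LIMIT, WINDOW = 5, 60
_login_hits: dict = defaultdict(list)

def login_bruteforce(req: Request) -> bool:
    if not (req.method == "POST" and req.path.endswith("/wp-login.php")):
        return False
    hits = _login_hits[req.ip]
    hits.append(req.ts)
    hits[:] = [t for t in hits if req.ts - t <= WINDOW]  # forget old attempts
    return len(hits) > LIMIT

RULES = [Rule(900001, api_unauth_read), Rule(900002, login_bruteforce)]

def inspect_request(req: Request):
    """Return the id of the first matching rule, or None to let it pass."""
    for rule in RULES:
        if rule.match(req):
            return rule.rule_id
    return None
```

A real ModSecurity rule expresses the same match with SecRule variables and operators, but the design choice is identical: match the exact path, method and missing credential of the crafted request rather than the whole API prefix.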
Almost 10MM blocks in the weeks following the publication of the vulnerability.
This has been a brief introduction to how our WAF solution has saved our customers' sites from being hacked up to today, and it continues to make our customers' lives easier so they can focus on the important things, such as the content of their websites. While a WAF is great at filtering known attacks, it cannot catch attacks for which we have not written rules. We therefore encourage everyone without deep technical knowledge to rely on a managed product, which is regularly maintained and always carries the latest security updates.