Intel CPU Exploits Meltdown and Spectre – What You Need to Know

—-Updated 1/10/18 1:25m EST—–

Ubuntu

Remediation Steps:

Ubuntu 14, 16, 17 

apt-get update 
apt-get dist-upgrade 

Reboot to complete the update.

—-Updated 1/8/18 10:55am EST—–

ProxMox

Remediation Steps:
Follow the instructions found at https://forum.proxmox.com/threads/meltdown-and-spectre-linux-kernel-fixes.39110/

—-Updated 1/6/18 3:03pm EST—–

CloudLinux

CloudLinux 6 
Remediation Steps:
Run the following command to patch CloudLinux 6 servers.
yum clean all && yum update kernel-firmware && yum install kernel-2.6.32-896.16.1.lve1.4.49.el6
 
CloudLinux 7 
The update is still in testing. Check back here for more details.
 


—-Updated 1/6/18 2:12pm EST—–

OS Specific Information

Red Hat (CentOS & Scientific Linux included)

Performance impact details as provided by Red Hat: The recent speculative execution CVEs address three potential attacks across a wide variety of architectures and hardware platforms, each requiring slightly different fixes. In many cases, these fixes also require microcode updates from the hardware vendors. Red Hat has delivered updated Red Hat Enterprise Linux kernels that focus on securing customer deployments. The nature of these vulnerabilities and their fixes introduces the possibility of reduced performance on patched systems. The performance impact depends on the hardware and the applications in place.

In order to provide more detail, Red Hat’s performance team has categorized the performance results for Red Hat Enterprise Linux 7 (with similar behavior on Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 5) on a wide variety of benchmarks based on performance impact:

Measurable: 8-19% – Highly cached random memory, with buffered I/O, OLTP database workloads, and benchmarks with high kernel-to-user space transitions are impacted between 8-19%. Examples include OLTP Workloads (tpc), sysbench, pgbench, netperf (< 256 byte), and fio (random I/O to NVMe).

Modest: 3-7% – Database analytics, Decision Support System (DSS), and Java VMs are impacted less than the “Measurable” category. These applications may have significant sequential disk or network traffic, but kernel/device drivers are able to aggregate requests to a moderate level of kernel-to-user transitions. Examples include SPECjbb2005, Queries/Hour and overall analytic timing (sec).

Small: 2-5% – HPC (High Performance Computing) CPU-intensive workloads are affected the least with only 2-5% performance impact because jobs run mostly in user space and are scheduled using cpu-pinning or numa-control. Examples include Linpack NxN on x86 and SPECcpu2006.

Minimal: Linux accelerator technologies that generally bypass the kernel in favor of user direct access are the least affected, with less than 2% overhead measured. Examples tested include DPDK (VsPERF at 64 byte) and OpenOnload (STAC-N). Userspace accesses to VDSO like get-time-of-day are not impacted. We expect similar minimal impact for other offloads.

NOTE: Because microbenchmarks like netperf/uperf, iozone, and fio are designed to stress a specific hardware component or operation, their results are not generally representative of customer workload. Some microbenchmarks have shown a larger performance impact, related to the specific area they stress.

Source: https://access.redhat.com/articles/3307751

Remediation Steps: 

  1. Log in as root via SSH and run the following command: yum update
  2. Confirm the kernel download when prompted. Once you accept the new kernel it should download and install; when it finishes, yum will say “Complete!”
  3. Reboot the system to apply the kernel with the command: reboot now
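
To confirm that the reboot actually brought the mitigations into effect, the kernel's own status report can be read back. The script below is an added example, not part of Hivelocity's or Red Hat's instructions; it assumes a Linux kernel that exposes the /sys/devices/system/cpu/vulnerabilities files, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre status after "update + reboot".
# Function names are illustrative; the directory is a parameter so the
# logic can be exercised against constructed files.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<line from sysfs>" -> OK | VULNERABLE | UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo OK ;;
        "Vulnerable"*)                  echo VULNERABLE ;;
        *)                              echo UNKNOWN ;;
    esac
}

# check_mitigations [dir]
# Prints one line per issue. Returns 0 if all are OK, 1 if any is
# vulnerable or unknown, 2 if the kernel has no reporting interface
# (an older kernel, or a vendor kernel without this interface).
check_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "$dir missing: kernel $(uname -r) does not report status"
        return 2
    fi
    worst=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            line=$(cat "$dir/$name")
            verdict=$(classify_status "$line")
        else
            line="(no entry)"
            verdict=UNKNOWN
        fi
        [ "$verdict" = OK ] || worst=1
        printf '%-11s %-10s %s\n' "$name" "$verdict" "$line"
    done
    return "$worst"
}

# Check the live system only when invoked as: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_mitigations
fi
```

A return code of 2 means the running kernel gives no answer either way, so compare `uname -r` with the kernel package that the update installed before concluding anything.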


Debian (Ubuntu)

No updates have been released for these CVEs; we will update this section once the Debian and Ubuntu security teams provide more information. Please keep in mind that you update at your own risk. It also looks like these attacks have been known for some time, but it is not known whether they have been used maliciously in the wild. If you do not want to hammer performance, or cannot afford to, you are advised against this update until further information has been made public and the programming communities can see exactly what needs to be patched for a system to be completely secure.

Remediation Steps:  awaiting


Clients with KernelCare (CentOS)

KernelCare updates are likely going to be out Sunday/Monday for first releases for EL7 (RedHat/CentOS/CloudLinux 7). If you choose not to wait for the KernelCare updates, you can manually patch your server now by running the CentOS kernel updates via yum update followed by a reboot.

 

Clients on Sparknode VMs

There are situations where guests on the Xen kernel-based hypervisors do not reboot properly after the guest virtual machine is updated. We are working on this and ask that you check back routinely for updates.

Windows Based Platforms

Remediation Steps:
Please check Windows Update for the patches and reboot the server to complete the installation. With Windows there are also registry entries that need to be made; in fact, a third one was added today. Antivirus software also has to be updated to be compatible, and there are still issues with the MSSQL patches. It is also possible that, even if the AV is updated, the update will not be pulled by Windows Update, which means a fourth registry entry has to be made.

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

https://support.microsoft.com/en-us/help/4072699

https://support.microsoft.com/en-us/help/4073225/guidance-for-sql-server


VMware

VMware has posted information for each version at the link below:

https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html


—-Updated 1/5/18 6:00pm EST—-

It has recently been discovered that most Intel processors contain two vulnerabilities, known as Meltdown and Spectre. Security engineers within Intel and each operating system’s community are working to provide patches to eliminate this threat. We will provide timely updates regarding the situation as new information and patches are released.

Windows dedicated server customers – Microsoft has already released a patch, so you will want to make sure you have performed your updates today. We have provided a link below to an article covering how to ensure your anti-virus is not blocking this patch.

Managed Linux dedicated server customers – If you are running CentOS 6.x or 7.x, we have already updated your kernel and you now just need to perform a reboot. We are, however, asking each customer to perform one more yum update themselves prior to the reboot, just to be safe. Managed customers not running Red Hat or CentOS 6 or 7: please be on the lookout for emails from us with important information about our patching of your server(s) and possible instructions to reboot your server immediately. cPanel has posted their latest updates on the subject here.

Self-managed Linux dedicated server customers – Please be diligent in researching how to patch your particular environment and OS. We will post timely updates and instructions per OS as they become available. Red Hat and CentOS 6 and 7 users should be able to patch their servers now by performing a yum update followed by a reboot.

 You can find more information regarding Meltdown and Spectre at:
