Do we really need resource comsumption settings for cPGuard?

Do we really need resource comsumption settings for cPGuard?

What do you mean by resource consumption?

Every software needs some resources to run on a system and perform its operations. The amount of resources each program need is different and depends on the task it performs. Softwares that need to run multiple algorithms, do complex computations and has a lot of file and network operations are usually highly resource-intensive (specifically CPU, RAM and Disk IO). An anti-virus scanner come under this category as there are a large number of file read writes, content analysis, pattern recognition and comparisons to be performed.

On a server environment resources and limited and required to be available on-demand for the servers primary task. Therefore antivirus scanners have settings to adjust the resources it can consume or schedule the scanner to run in off-peak hours.

So why cPGuard does not allow users to limit it?

We have strictly maintained a “performance-oriented” approach while building cPGuard and wanted it to run smoothly on the smallest of servers. The cPGuard scanner engine core is built to work fast and consume minimal resources. Some of the major points that help us achieve better performance with lower resources are

  • We scan only relevant files/locations, unlike the competitors where they scan a lot of unnecessary locations and waste server resources.
  • Our core scanner is single-threaded and will not cause a total server spike. So CPU limiting is not required for our scanner daemon
  • Our highly efficient and optimised algorithms leave only a very small memory footprint.
  • Our IPDB rules contain only active attack sources and thus load only minimal rules and reduce network overhead
  • WAF contains only minimal but generic rules which effectively block most and major web attacks

Do you have any proof?

Yes, we have and we can confidently claim our statement. The biggest proof is that in the last 4 years the complaints due to resource usage are close to ZERO. The major portion of most systems that can cause a load spike on the server is the scanner module. Our scanner is fine-tuned to avoid such a scenario and it is one of the fastest scanners available in the market. It is tested and confirmed that the cPGuard scanner engine is more than 7x faster than that of our competitors. The screenshot below of the manual scan option in cPGuard, where it completed scanning 41K+ files in just 7 mins.

 

So is there any advantage with Resource Consumption settings?

Yes, there is if the scanner module is resource hungry. It will help to reduce server load but it will drastically slow down the scanning process and will engage resources for a longer time. As I stated earlier, that is not a problem with cPGuard and you do not need to worry about setting up such values and monitoring our services.

Ok, I have few more questions…

We are happy to address them…feel free to reach our support team and we will be more than happy to answer your questions!

What are the advantages of cPGuard WAF compared to competing solutions?

What are the advantages of cPGuard WAF compared to competing solutions?

What is cPGuard WAF?

The cPGuard WAF module is an important part of cPGuard security suite to protect your websites from malicious traffic and attacks. It is powered by Malware.Expert commercial ModSec rules and are loaded with a wide variety of protection levels. With cPGuard, you can implement the WAF rules quite easily and flexibly and enforce maximum website protection based on your preference. We have rules to protect major attack like the following which is well explained in the following sections

 

  1. WordPress/Joomla and other CMS brute-force attacks
  2. Crawler bots  and exploit/vulnerability scanner prevention
  3. Generic attacks like XSS, SQL injection, WP abuses, etc
  4. Block malicious files upload via web
  5. Zero-day exploits blocking
    etc

What are the important modules of cPGuard WAF?

The cPGuard WAF consists of various types of rules and each can stop different types of attacks. The major advantage in enabling the WAF with cPGuard is, you can select the set of rules that you wish to enable for your websites. So unlike the competing WAF solutions, our rules are quite wisely separated and let the customers to choose the protection level.

  • RBL Protection:- This provides the advanced DDoS protection for POST attacks [ brute-force, script exploits ] and blocks common abusive IP addresses collected through our network of servers with cPGuard installed. We recommend turning this ON if you are getting too many POST attacks as it can help to block many attacks before reaching your application and helps to reduce server load.
  •  Captcha Protection :-  Recommended This ruleset will enforce all users to verify not as bot before accessing the CMS [ like WordPress, Joomla, etc ] login pages or submitting the login credentials. Once they are identified as a real user, they will be able to login to their website. This can greatly reduce the load due to brute-force attacks. You can also define the set of URIs that you wish to protect using the captcha system, which makes the protection more powerful and flexible.
  • WEBSHELL protection:- If you enable this ruleset, your server will be protected from the execution of PHP shells like following
    • Phoenix WebShell
    • FilesMan
    • c99shell
    • b374k
    • WSO
    • Ani-Shell

    Frontpage may open in web shells, but command execution [ like a copy, delete, move, etc ] is blocked. You can enable this rules set if you control all the web apps on your server.

  • SCANNER protection:-  Recommended This will help to keep away bad crawlers from your system. This is a major headache for web hosts and causes unnecessary use of system resources. It can block
    • Bad User-Agents
    • Bad search engine crawlers (Cause High loads)

In addition to the above rules set, the WAF consists of rules to stop brute-force attacks and to enable web-based files scanning.

Why cPGuard WAF is better than the competing WAF solutions?

Our WAF is top-notch to block major automated attacks with less server load compared to the competing WAF solutions. In addition, we cause very minimal or zero false positives in most cases with an option to whitelist rules if they find any isolated issues with any rules.

In general, cPGuard WAF outperform all other competing WAF solutions based on the following points

  • We have very minimal but generic WAF rules. That helps to offer a wide range of protection with very little server load
  • Rules are generic and thus can block the same types of attacks with different vectors
  • We carefully watch the latest exploits and release rules to protect them
  • We have explicit generic rules to protect common CMS systems
  • Our Captcha protection system is one of the best which can stop all brute-force and bot attacks towards your CMSes
  • Cloud-based central system to analyze the latest web threats and to block them 
  • The WAF module is clubbed with IPDB Firewall in the core which will eventually help to stop attacks in the system firewall even before it reaches the application server

Have more questions?

In case you are misleaded by some marketing emails about our software and WAF module and would like to know more, please feel free to reach us. Our team is always happy to answer your questions and explain about the cPGuard software

What are the recent changes in IPDB?

What are the recent changes in IPDB?

What is IPDB Firewall?

In cPGuard, we have multiple modules that work at different layers to stop various attacks. The IPDB firewall module is a system-level firewall that can block many of the attacks before it reaches your application servers.

The main components of the IPDB firewall are

1. The Cloud Advisor:– is a server cluster containing multiple servers dedicated to collecting, building and distributing a list of unsafe IPs. We have a huge list of bad IPs built on data collected from attacks we have blocked (WAF, Bruteforce, CSF and access logs), our partners like Malware.Expert and other 3rd party sources. Our algorithms, after whitelisting major providers like Cloudflare, Google etc to avoid false positives, dynamically score IPs based on various parameters to build a refined list containing only the latest and relevant threats

2. The Server Agent: cPGuard server application downloads the list of bad IPs from the cloud advisor and creates a blocklist using IPSET and IPTABLES to effectively block requests from these IPs. The block list is periodically reloaded to fetch the latest IPs and drop old IPs from the list

What are the recent updates in IPDB?

Over the past few versions after the initial release of IPDB, we have been continuously working on it to enhance the performance of IPDB module. With that said, we were able to bring in so many updations so block more attacks with fewer false positives. Few of the major changes include

  • Refined blacklist Logic:- We now have a better algorithm to mark an IP address as bad and put it into the global blacklist. That helps to eliminate a significant share of false positives from the total blacklist.
  • Enhanced whitelist:- Based on the feedback from our clients, we have added many more major players including search engines, CDN providers, monitoring agents, etc into the blacklist which helped to refine the central list.
  • Better CLI Tools:- For a Linux geek, it is always handy to work from CLI than doing any tasks from GUI. So we have added more CLI tools to handle IPDB using commands
  • Network whitelist:- Now you can whitelist a Network using a defined format. This will help to whitelist a range of your IP address and that makes the tool handier. You can add whitelist from cPGuard settings or via our command line utility
$ /etc/cpguard/scripts/cpgbin allowip <ip address/range>
 
$ /etc/cpguard/scripts/cpgbin allowip 208.xxx.xxx.xxx
$ /etc/cpguard/scripts/cpgbin allowip 208.xxx.xxx.xxx/24 

 

  • New IPDB stats UI:- You can now view requests being blocked in realtime from the new IPDB section in cPGuard UI. We will be rolling out more reports and stats on IPDB in coming versions.

Wait…I have some complaints or suggestions

We would love to hear from you and our team can work based on your feedback. Kindly reach our support team with your feedback and we will process it accordingly.

Contact Form 7 Unrestricted File Upload Vulnerability – How does cPGuard protect your websites?

Contact Form 7 Unrestricted File Upload Vulnerability – How does cPGuard protect your websites?

About the vulnerability

Contact Form 7 is a famous WordPress plugin that helps users to create different contact forms on the website. The plugin has a very big user base and having almost over 5 million active installations. So, any vulnerability to such a popular plugin will cause serious security issues to a big number of websites.

Recently there was a report related to this plugin where some security researchers were able to exploit its vulnerability which allowed them to files of any type, bypassing all restrictions set to allow the type of upload-able file types on a website. Also, it allows web shell injections which create it more dangerous and threatening to the website security.

How cPGuard handles the problem?

Immediately after the vulnerability is announced, our WAF team has started investigating it and released a WAF update to protect our user’s websites from the vulnerability. So far cPGuard WAF has the following set of protections against the particular vulnerability.

  • We have an explicit WAF rule which prevents exploiting the particular vulnerability
  • Our existing WAF rules will prevent uploading PHP files
  • Our existing WAF rules will prevent accessing PHP files from the target location.
  • Our scanner engine can report about the  file uploads/injections 

Do I still need to worry?

Our WAF and scanner engine are powerful enough to block such targeted and generic types of web exploits. Even though cPGuard provides security measures for this problem, we still encourage you to advise your users to upgrade the Contact Form 7 plugin to the latest version, 5.3.2.

If you need any additional details, please  contact our support team.

cPanel Scanner Layers – Incremental File Scanning

cPanel Scanner Layers – Incremental File Scanning

One of the frequent questions that we are receiving recently is, how efficient the scanner is, and what can be the option to do something similar to the Rapid scan offered by another solution. To answer this question we have to explain how the total scanning system works automatically or manually and the total workflow is much faster and efficient compared to any other competing solution.

The scanner levels

In cPGuard, we scan each new/updated files in multiple levels which helps to process the files in various ways, multiple times with the most recent virus signatures, and efficiently process them with very less load. Each of the layers is explained below.

1. HTTP Upload Scanner:- If you have WAF integration enabled, this is the first level of scanning if the file is uploaded/updated via the Web. This scanner will immediately deny file upload if it contains malicious code and notifies the customer. You can find the related log in Web Server ModSec log or under WAF logs in cPGuard WAF.

2. Automatic Scanner:- If you have Virus Scanner enabled under Settings >> Scanner, this will trigger. So this is the background scanner where it keeps track of all uploaded/modified files and scans them.

3. Daily Scanner:- If you have Dialy Scanning enabled from Settings >> Additional Settings, Daily files scanning will trigger every day. This option will scan all files uploaded/updated in the last 24 hours.

4. Weekly Scanner:- If you have Weekly Scanning enabled from Settings >> Additional Settings, Weekly files scanning will trigger every Sunday. This option will scan all files uploaded/updated in the last 7 days.

So how the incremental scanning work?

Like the different scanner level explained above, each layer works differently. So once you have cPGuard installed and configured on your server

  • Run ALL manual scan which will scan all Web Files on your server and take actions on them
  • Enable Daily Scan
  • Enable Weekly Scan
  • Make sure that WAF integration is enabled and works fine

So the above steps make sure that your server will be free from all known virus files. In addition to the scanner layers, our WAF rules are powerful enough to stop uploading/exploiting vulnerable files and add an extra layer of security.

Is the incremental scan really fast? 

Yes, it really works fast and efficiently than any other competing solution. Based on the analysis from multiple servers, it took less than a few minutes to complete daily scanning for 200GB web data and that too without any high load on the server. You can see how many files it scanned and how much time it took for each scan.

Is it possible to schedule Daily and Weekly Scans?

Yes, if you prefer to run the scheduled scans at any particular time you can do it easily. To do it

  • Disable Daily and Weekly scanners from Additional Settings
  • Use the cpgbin CLI utility to schedule Daily and Weekly scans at your preferred time.

More questions?

We are always happy to hear from you…if you need any more clarifications please reach our Support desk.