We are posting a notice pertaining to recent firewall updates that will impact some members. For context, all WebHosting.Coop servers are provisioned behind hardware firewall devices. These devices permit access to known services (your web site and email are examples) and deny requests for services that should never be publicly exposed. The firewalls protect against brute-force attacks and other malicious activities. The firewall vendor varies depending on the location. We recently updated the access control list and intrusion protection policies, and these updates directly impact all protected hosts.
The changes are warranted in light of recent malicious trends and an underlying goal of ensuring that the services comply with industry standard guidelines. While many of the changes will not impact members, the four changes below are listed in order of the probability that they will impact one or more members:
- FTP access when using active sessions will work for any IP. If you are behind a firewall or router, you will need to set the FTP client to use a passive connection. Most modern clients have an option that will show either passive or active. If there are any issues using a passive connection with your domain name or IP address, please set the host name in the client to connect to the server's hostname (ex: lynx.webhosting.coop, sphynx.webhosting.coop, jaguar.webhosting.coop).
- All ports that do not facilitate encryption, other than http (80), are now closed in the hardware firewall devices. This should have a limited impact, as all control panel access links are secured with https://, but ports like 2082, 2086, and others that allowed access without encryption are now closed.
- 10 failed logins from an IP will trigger a temporary block. This limit was increased from five. If you cannot reach your site after failing to log in to email, the control panel, or password-protected directories, but you can connect to your site from another connection, this is the likely cause. Please open a support case and we can whitelist your IP address to remove the block. If you do not have a second internet connection to confirm whether you are blocked, there are free tools like geopeeker.com that will permit testing your domain to see how it loads from other global locations.
- Secure Shell / Secure FTP - SSH/SFTP access is permitted globally on port 16222. The default is 22. Given the number of automated bots and scanning tools that connect to the well-known port, this was changed for most member hosts. It is now globally applied for all coop services.
Traffic to the environments is consistent with what we would expect following the changes, but there may be outliers. If you see any connection issues as a result of the updates, or errors despite no other changes being made, please open a support case and we can review.
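A client-side check of the port rules listed above, written as an added example and not WebHosting.Coop's own tooling: it probes your server from your connection and reports where the result differs from the notice. The https port 443, the expectation that port 22 no longer answers, and the wording of the findings are assumptions; pass your server's hostname (for example lynx.webhosting.coop) as the argument.

```python
import socket
import sys

# Ports taken from the notice. 443 for https is an assumption (the notice
# only says "https://"), as is treating 22 as no longer reachable.
EXPECT_OPEN = {80: "http", 443: "https", 16222: "ssh/sftp"}
EXPECT_CLOSED = {22: "default ssh", 2082: "unencrypted panel", 2086: "unencrypted panel"}

def probe(host, port, timeout=5.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def interpret(results):
    """Turn {port: reachable} into findings that follow the notice's rules."""
    if not any(results.get(p) for p in EXPECT_OPEN):
        # Nothing permitted answers: consistent with the temporary block after
        # 10 failed logins, provided the site loads from another connection.
        return ["no permitted port reachable: possible temporary IP block; "
                "confirm from another connection, then open a support case"]
    findings = []
    for port, name in EXPECT_OPEN.items():
        if not results.get(port):
            findings.append(f"{port} ({name}) unreachable: check local firewall or router")
    for port, name in EXPECT_CLOSED.items():
        if results.get(port):
            findings.append(f"{port} ({name}) reachable: not expected after the update")
    return findings or ["matches the published policy"]

def check(host):
    """Probe every port named above and interpret the outcome."""
    ports = list(EXPECT_OPEN) + list(EXPECT_CLOSED)
    return interpret({p: probe(host, p) for p in ports})

if __name__ == "__main__":
    for line in check(sys.argv[1]):
        print(line)
```

Run it only against your own hosted server, and include its output when you open a support case.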
Monday, April 27, 2020