Written By Paras Daryanani
2020-11-17
Ransomware has been a critical security issue since 2018 and is constantly evolving, which makes it increasingly difficult for anti-malware tools to detect. We have taken this opportunity to share our experience and help you protect your DNN websites from ransomware attacks in the future.
Earlier this year, two of our DNN servers were hit by a ransomware attack, which took 9 customer websites offline. All of their data was encrypted, including the on-site backups. Thankfully, we had offshore backups available, which helped us get the websites back up and running in a matter of hours.
1. Keep your DNN version up-to-date
While DNN is known for excellent built-in security, some older versions of DNN contain vulnerabilities that let hackers upload malware to your servers and execute it remotely. Keeping your DNN version up-to-date is by far the best way to protect your DNN website from malware attacks. If you don't already know, the DNN Community has just published a landmark DNN release, 9.8.0, which is a large step up in DNN security thanks to the removal of the outdated Telerik libraries. We highly recommend upgrading your DNN website to version 9.8.0.
2. Keep Windows up-to-date
While updating DNN can be difficult because of module compatibility, updating Windows is a no-brainer. In my experience, Windows has security holes now and then that let malware through. Over the past few years, multiple vulnerabilities have been discovered in the Windows SMB service and subsequently patched through Windows Update. The easiest way to keep Windows up-to-date is to switch on automatic updates outside business hours. Check your Google Analytics reports to find the least busy time on your website and schedule your updates accordingly.
3. Use anti-virus / anti-malware software
After restoring our 9 websites and making sure Windows was up-to-date, we installed Malwarebytes on our servers. It proved extremely effective at detecting malware and immediately quarantining suspicious files.
4. Version control your website root directory
We use git version control for all of the executable files in our website root directories. This may seem strange and unorthodox, but it's extremely effective at detecting files that don't belong in your websites, such as web shells that hackers have uploaded through undiscovered security vulnerabilities in either DNN or Windows. How do you detect files that don't belong in your website root directory? Just open VS Code, click on Git and you'll see the modified and/or unversioned files. Of course, you could also do this on the command line by running git status or git diff.
If you want to take this a step further, you could set up some automation to send an email alert whenever executable files are added or modified in your DNN website.
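As an added example (not part of the original post), here is a small Python script that implements that automation: it parses git status --porcelain output from the site root, keeps only changes to files whose extensions can run code, and e-mails the list. The extension set, the sample output, the site path and the SMTP settings are all assumptions to adjust for your own environment.

```python
from __future__ import annotations
import smtplib
import subprocess
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed set of extensions IIS/.NET will execute (web.config is included because it
# controls handler mappings); adjust it to what your site root actually contains.
CODE_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax", ".dll", ".exe",
                 ".ps1", ".bat", ".cmd", ".config"}
# Constructed `git status --porcelain` output standing in for a real site root.
SAMPLE = ("?? DesktopModules/Foo/cmd.aspx\n M bin/DotNetNuke.dll\n"
          "?? Portals/0/Images/logo.png\n D web.config\n"
          "R  Scripts/old.ps1 -> Scripts/new.ps1\n")

def parse_porcelain(output: str) -> list[tuple[str, str]]:
    """Porcelain v1: two status columns, a space, the path ('old -> new' for renames)."""
    entries = []
    for line in output.splitlines():
        if len(line) < 4:
            continue
        status, path = line[:2].strip(), line[3:]
        if " -> " in path:
            path = path.split(" -> ", 1)[1]  # the new name is the one to inspect
        entries.append((status, path.strip('"')))
    return entries

def find_suspicious(output: str) -> list[str]:
    """Return 'STATUS path' for each changed file whose extension can run code."""
    return [f"{status} {path}" for status, path in parse_porcelain(output)
            if PurePosixPath(path).suffix.lower() in CODE_SUFFIXES]

def scan_site_root(root: str) -> list[str]:
    """Run git in the site root; an empty result means nothing unexpected changed."""
    proc = subprocess.run(["git", "-C", root, "status", "--porcelain"],
                          capture_output=True, text=True, check=True)
    return find_suspicious(proc.stdout)

def send_alert(hits: list[str], root: str, smtp_host: str, sender: str, to: str) -> None:
    """E-mail the hit list; host and addresses are deployment-specific placeholders."""
    msg = EmailMessage()
    msg["Subject"] = f"[DNN] {len(hits)} unexpected code file change(s) in {root}"
    msg["From"], msg["To"] = sender, to
    msg.set_content("\n".join(hits))
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)

if __name__ == "__main__":
    print(find_suspicious(SAMPLE))  # demo on the constructed sample; prints 4 hits
    # On a server: hits = scan_site_root(r"C:\inetpub\wwwroot\dnn"); if hits: send_alert(...)
```

Run it from a scheduled task (Task Scheduler on Windows) so the check happens without anyone remembering to open VS Code.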
5. Set up a solid backup workflow
Ransomware is the worst! It's usually impossible to decrypt your files and get everything back to normal. Hackers will try to convince you that they will undo the damage if you pay the ransom, but be warned: you should not trust them.
Instead, take a proactive approach and implement a solid backup plan. There are many ways to automate backups, both on-site and offshore, and we recommend having both in place. In addition, we recommend encrypting your backups so that hackers cannot steal your information and threaten to publish it on the web if you don't pay the ransom. This also means you should encrypt your database storage.
6. Perform a monthly check / sweep
We perform monthly checks on our DNN servers to make sure that everything is running smoothly. As part of that, we check the Malwarebytes quarantine logs and the website root directories for added, removed or modified files.
We also dig through the IIS access logs to see where traffic is coming from, and then block certain URL patterns (e.g. /wp-login.php), IP addresses/ranges, etc.
7. Consider using a reverse proxy
In most cases, Windows Firewall will protect your server from unauthorised access. Unfortunately, it doesn't always help with Windows vulnerabilities. To work around this, we route external traffic through an Nginx reverse proxy on to our DNN sites. The proxy server runs on a Linux machine in the same internal network and helps to block common threats, as it only forwards HTTP and HTTPS traffic to the Windows server running DNN.
That’s all folks!
We know it’s a long list of things to do to secure your DNN website, but it has worked well in our experience. If you need a hand with implementing any of these security measures, feel free to get in touch and we will happily assist you. Until next time, Happy DNN-ing!
This article is cross-posted from the Celestify Blog.