A quick Muse post with a bit of code. I know I know it's been a while and my coding has suffered. Still, some of you may find this useful.
I'm converting a Fusebox 2 application to FW1 and I wrote a simple script to automate some of the shell files I need. FW1 uses a URL convention that looks similar to Fuesbox. In Fusebox you have a 2 part URL param that dictates what your code is supposed to do. For example, fuseaction=reports.users would logically be a "circuit" called "reports" - think of it as collection of code or an application within a suite of applications. The second part of the fuseaction dictates which report exactly is supposed to be run.
FW1 is not dissimilar to this approach although it tends to introduce complexity for complexity sake at times (don't @ me). In FW1 an "action" parameter dictates which controller to run which in turn calls services and views as needed to set up a page or action. So FW1 may have action=reports.users - it looks quite familiar.
Since my Fusebox application is well organized I created a script that builds off the circuit and creates the necessary FW1 files. For each circuit I am going to create:
The script is pretty easy and it's designed to be run within the fusebox application where the FW1 application is accessable via file operations. First some setup:
Next I created some placeholder files for controller, services and DAO. I'm going to read those files into variables.
That's it. The end result is matching DAO, Controller and service files and view folders. Of course I may delete some of them or merge or whatever as my FW1 application takes shape, but having a matching convention with Fusebox let's me examine code from one into the other without a lot of fuss.
I created a script that handles the "second" part of fuseaction and places an CFM in the views folder as a placeholder. Basically "reports.users" should result in a /views/reports/users.cfm file containing HTML. This is where the eventual display code will be housed.
CFWT is growing again. We are looking for one, possibly two senior ColdFusion developers to join our staff. Our group is close-knit, dynamic and knowledgable. Here are a few things you should know.
This position is on a high quality team maintaining, upgrading and enhancing a broad suite of complex applications. Responsiveness, communication, security mindedness and teamwork are key elements of the ideal candidate.
We are not recruiters. We are not generalists either - we focus on the CF stack and try to know "all things ColdFusion". Yes you will work with and for customers but we care about developers and work culture. We try to find what makes you tick and we hope to provide a work environment where you can grow. We want you to want to come to work every day. We are looking for developers that match our culture of Can-do, Caring, Communication and Competency. Here's some items that you need in order to fit in here.
The first month of 2019 has passed and it was full of year end wrap up articles about anything and everything from 2018. Most were fluff articles on pop culture and such. What I found most interesting were the articles that quantified the past year of hacking and security breaches. According to NBC News, Hackers stole nearly half a billion personal records in 2018. There were fewer breaches, but the breaches were bigger and worse and more data than ever was stolen. Crypto-miners have improved as well and not in a good way. Previously I wrote about Cryptojacking and Hacking for Bitcoins. These are malware attacks where hackers install crypto-miners on servers they have compromised. The Crypto-miners use your CPUs to make money for themselves. Hackers have taken this malware to a new level of deviousness. The malware can now target and remove cloud security products as reported here and here.
It's been a banner year for the hackers.
Read More
Here is an example of what is no longer working. Example one is a cfscript based CFC file.
Example two is a cfscript block in a CFML file.
The code causes a Java error at the queryExecute() statement. Many of us are working with Adobe to provide test cases, stack traces, and testing hot fixes in order to get this resolved as fast as possible. Until there is a fix, if your application is using cfscript based queries, you will want to hold off on the update.
CF Webtools Developer Teams are ColdFusion experts and are ready to build your applications. We are also an Amazon Partner. Our Operations Group can build, manage, and maintain your AWS services including ColdFusion servers. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at CF Webtools .
Adobe just released updates for ColdFusion 2018, ColdFusion 2016, and ColdFusion 11. Please note that this is most likely the last update that ColdFusion 11 will receive due to it's core support end of life is coming up in April of 2019.
Some New Features
Adobe has updated more features for ColdFusion 2018 and ColdFusion 2016 including new mobile updates and Performance Monitor Updates. It's time to update your servers.
CF Webtools Developer Teams are ColdFusion experts and are ready to build your applications. We are also an Amazon Partner. Our Operations Group can build, manage, and maintain your AWS services including ColdFusion servers. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at CF Webtools .
CF Webtools is actively looking to fill 3 developer positions on our ginormous ColdFusion development team. Each position has a unique set of needs. Here are some facts about working with CF Webtools.
This position is on a high quality team maintaining, upgrading and enhancing a broad suite of complex applications. Responsiveness, communication, security mindedness and teamwork are key elements of the ideal candidate. Some other stuff:
This position is on a team of 2 working on a high end code base with a demanding QA and business analyst team. Your team member here is a rock star and you will learn buckets. You need attention to detail, self-starting, thinking around corners and better than average front end skills are at a premium here. Other items:
For this position we need someone who is good at gleaning institutional knowledge of a system and code. If you like to dig in, find things about about a system and then use that knowledge to help others and make the system better, this is an ideal place for you. Additionally:
We care about developers and work culture. We intend to get to know you and what makes you tick and we hope to provide a work environment where you can grow. We want you to want to come to work every day. We are looking for developers that match our culture of Can-do, Caring, Communication and Competency. Here's some items that you need in order to fit in here.
This is Part 3 in a short series of articles about blocking entire countries from a website. Parts one and two cover CloudFlare and CloudFront.
CF Webtools has been asked numerous times to block an entire country or countries by many clients. The issue is that there's a lot of hacker activity from certain identified countries and the client(s) does not do any business with those countries. Typically it's entire server hacking attempts, but more recently it's to use the client's shopping cart to "test" stolen credit cards. This is a very serious problem and as such clients are asking us to help them prevent this from happening. One potential solution is to block the IP addresses that these attacks are coming from. I refer to this as the Whack-A-Mole method because it's just like that arcade game. As soon as you block one IP they switch to another IP address.
We need a better solution. I looked into what we could do and how reasonable and feasible the various options are in terms of technology and cost. In my previous two articles I wrote about using CloudFlare and AWS CloudFront. In this article I'm writing about using a slightly better hammer in the Whack-A-Mole method to block entire countries. This is one of the simplest but also least effective methods.
The option many of us have traditionally done is blocking problematic IP's on a case by case basis and in extreme cases blocking entire IP ranges. I've often referred to this as the Whack-A-Mole method. It's reactive and not proactive. A real hacker would not use their own personal IP and there is no guarantee that the IP will always remain with an unscrupulous user. Normally I do not block an IP because bad stuff happened from that IP once. However, I have noticed the same IP or IP ranges launching attacks on multiple unrelated, hosted at different locations, and different client's servers. That's when I start pounding the IP with the ol' Ban Hammer! Also, blocking and entire country with this method would mean being able to know all the possible IP addresses or address blocks assigned to a particular country. This is knowable!
I did some research on this and found a few very helpful resources. Resources like this http://ipdeny.com/ipblocks/ and this https://www.sitepoint.com/how-to-block-entire-countries-from-accessing-website/. These sites keep an updated list of IP addresses assigned to every country in the world. These are made available in the form of individual text files per country. And in the case of the SitePoint page, you can download a pre-scripted config file for many versions of web servers and firewalls. Hammer Time!
In the case of the country our client wants to block there are over 130 IP entries. These are in the form of CIDR IP ranges. This is the good news. The harder part here is that means there would have to be 130 plus entries manually added into IIS or a firewall. And this is for a smaller country. Larger countries, including countries that are known for hacking, have many thousands of CIDR IP ranges. But at least I can download the scripts for Apache and IIS from the SitePoint page and paste them into the respective config files.
What are the downsides to this method? First off I do not know if there would be any performance hit to IIS or Apache if we were to start entering thousands of IP restrictions. I do know that AWS restricts Network ACL's to an absolute max of 40 rules in their VPC's due to "performance issues" if more were added. We're still whacking at moles. IP assignments for countries can change thus you would need to update your static list of IP bans in your web server.
This is an example of how Apache 2.4 is configured.
This is an example of how the IIS XML web.config is configured. The CIRD notation needs to be converted to IP and network mask format.
In conclusion each option; CloudFlare, CloudFront, and IP Banning, each have their benefits and costs. CloudFront was the easiest of the three to setup and if the downsides of the IP address masking isn't an issue then it is likely the most viable solution. The AWS CloudFront solution may be best if you are already on AWS and you have an understanding of AWS Solutions Architecting. Both CDN options have country restrictions (and rate limiting) that will help in preventing potential credit card scammers from misusing your shopping carts. IP Banning is simplistic, it has no additional dollar costs. But it may be a performance hit to your web server if you have a very large number of IP restrictions. You may also have to update the IP lists if IP assignments to a country change. It's also worth noting that all methods can be bypassed via proxies.
CF Webtools is an Amazon Web Services Partner. Our Operations Group can build, manage, and maintain your AWS services. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.
This is Part 2 in a short series of articles about blocking entire countries from a website. See Part 1.
CF Webtools has been asked numerous times to block an entire country or countries by many clients. The issue is that there's a lot of hacker activity from certain identified countries and the client(s) does not do any business with those countries. Typically it's entire server hacking attempts, but more recently it's to use the client's shopping cart to "test" stolen credit cards. This is a very serious problem and as such clients are asking us to help them prevent this from happening. One potential solution is to block the IP addresses that these attacks are coming from. I refer to this as the Whack-A-Mole method because it's just like that arcade game. As soon as you block one IP they switch to another IP address.
We need a better solution. I looked into what we could do and how reasonable and feasible the various options are in terms of technology and cost. In this article I'm writing about using Amazon Web Services CloudFront to block entire countries.
Amazon AWS CloudFront
AWS CloudFront does offer country blocking. I thought this would be an easy setup, but it isn't. When I tried to setup AWS CloudFront to 'front' an entire website I found there are many pieces that needed to be in place in order for CloudFront to handle the entire website.
Route 53 is needed or any other DNS that allows an ALIAS record for the Zone Apex record. This is because the Zone Apex record (root record) will be set to the URL provided by CloudFront and not an IP address.
Elastic Load Balancing is needed. The CloudFront origin (EC2 server) needs to be behind an TCP Elastic Load balancer. If there is only one site then the ELB target can be the instance itself. If the EC2 instance hosts multiple different sites, then we need to add multiple internal IP addresses to the instance and configure the origin site to be on it's own IP. Then the ELB should be configured to that internal IP address and not instance. If you are passing host headers in the CloudFront 'Behavior' section then you can have a single IP on the web server with multiple sites per usual for virtual name hosting. You have to setup the TCP ELB as TCP port 80 passthrough in order to pass the original IP addresses to the web server.
AWS Certificate Manager is needed to create a new free SSL for the domain name being setup in CloudFront. (I say it's needed because all sites should be using TLS protocols these days.) I found a wild card certificate works well.
Then lastly AWS CloudFront itself can be setup. The settings are a bit tricky. The Origin will be the ELB which will then pass requests to the EC2 instance. If you want or need forms to be posted to the website then you need to select "GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE" option for Allowed HTTP Methods. If you need to allow logins then you have to choose "All" for Forward Cookies.
There are costs to each part. Route 53 charges by zone and number of requests. Elastic Load Balancing charges by the hour and by data transfer amounts. Then Cloud Front charges by data transfer amount.
There are downsides to this method as well. In addition to the AWS method being harder and more complex to setup there are more costs involved. I can pass the original requesting IP address through to the web server, it still comes through in the X-Forwarded-For custom header. In Apache it's easy to globally capture and place this value into log files or the CGI scope. IIS does not allow this to be done at a global level meaning each IIS site must be configured for the custom headers. Additionally, you may need to custom code the web application to read X-Forwarded-For no matter which web server you are using.
After you have all of that setup, configured, and working you can now start blocking countries. This is done in the AWS CloudFront Restrictions section. You can add a Geo-Restriction blacklist or whitelist by country.
Part 3 will cover using IIS and Apache and a slightly better hammer in the Whack-A-Mole method.
CF Webtools is an Amazon Web Services Partner. Our Operations Group can build, manage, and maintain your AWS services. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.