CF Webtools has been asked numerous times to block an entire country or countries by many clients. The issue is that there's a lot of hacker activity from certain identified countries and the client(s) does not do any business with those countries. Typically it's entire server hacking attempts, but more recently it's to use the client's shopping cart to "test" stolen credit cards. This is a very serious problem and as such clients are asking us to help them prevent this from happening. One potential solution is to block the IP addresses that these attacks are coming from. I refer to this as the Whack-A-Mole method because it's just like that arcade game. As soon as you block one IP they switch to another IP address.
We need a better solution. I looked into what we could do and how reasonable and feasible the various options are in terms of technology and cost. In this article I'm writing about using CloudFlare CDN to block entire countries.
CloudFlare
I was not familiar with CloudFlare other than that it's a CDN. They do offer advanced services for a price. There is a free tier that has CDN capability and limited Firewall features. The firewall features include the ability to set up 5 firewall rules.
To test the features and capabilities of CloudFlare I created a free account for myself and set up my blog to use CloudFlare. My blog's uptime is not critical the way a client's business is, and it gets real traffic, so it can be used to test various features.
Using the free firewall features I can block multiple countries in a single firewall rule. The rules allow for chaining filters with AND OR statements. See the example below.
I don't know yet if there is a limit to the number of conditions I can add to a single rule. However, at the moment it seems to be sufficient. The negative side effect that I can see so far is that all the IP addresses that get logged on the origin web server are from CloudFlare. This defeats many clients' need to have the valid IP address of their legitimate customers. Cloudflare does offer the option to pass through the original HTTP headers, but that is under their top Enterprise plan. They do not publish a cost for this. You need to request an estimate.
CloudFlare does pass through custom headers that contain the original IP, along with other custom headers. However, these are not standard, and the web server needs to be configured to read the custom header fields first, and then the application code needs to be updated to use them. It's far easier to do this in Apache than it is in IIS. IIS does not allow this to be done at a global level, meaning each IIS site must be configured for the custom headers. Additionally, you may need to custom code the web application to read X-Forwarded-For no matter which web server you are using.
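The caveat a practitioner wants when reading X-Forwarded-For at the origin is that the header is attacker-controlled unless you only believe hops added by your own CDN. The following is an added example (not CF Webtools' or CloudFlare's code): it walks the header from the proxy side, trusting only addresses in a constructed stand-in list for the CDN's egress ranges, so a forged header from a direct-to-origin request cannot spoof the logged or country-checked client address.

```python
"""Recover the real client IP behind a CDN/reverse proxy (added example).

Assumptions (not from the original post): the CDN forwards the client
address in X-Forwarded-For, and TRUSTED_PROXIES is a constructed stand-in
for the CDN's published egress ranges. Anything the client itself writes
into the header is untrusted, so the chain is walked right-to-left.
"""
import ipaddress
from typing import Optional

# Constructed stand-in for the CDN's address ranges (RFC 5737 test block).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def _is_trusted(addr: str, trusted) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)  # version mismatch -> False


def client_ip(remote_addr: str, xff: Optional[str],
              trusted=TRUSTED_PROXIES) -> str:
    """Return the address the origin should log and apply country rules to.

    - A connection that did not arrive from a trusted proxy *is* the client;
      its X-Forwarded-For is ignored because the client could forge it.
    - Otherwise walk the header right-to-left, skipping trusted hops; the
      first untrusted hop is the client. A malformed hop raises ValueError
      so the request can be rejected rather than misattributed.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            raise ValueError(f"malformed X-Forwarded-For entry: {hop!r}")
        if not _is_trusted(hop, trusted):
            return hop
    # Header missing or every hop trusted: fall back to the peer address,
    # which in that case is the CDN edge the post complains about.
    return remote_addr


def access_log_line(remote_addr: str, headers: dict, request_line: str) -> str:
    """Log line keyed by the recovered client IP instead of the CDN edge."""
    real = client_ip(remote_addr, headers.get("X-Forwarded-For"))
    return f'{real} via={remote_addr} "{request_line}"'


if __name__ == "__main__":
    # Constructed requests: one via the CDN, one direct with a forged header.
    print(access_log_line("203.0.113.10", {"X-Forwarded-For": "198.51.100.7"},
                          "GET /cart HTTP/1.1"))
    print(access_log_line("192.0.2.5", {"X-Forwarded-For": "198.51.100.7"},
                          "GET /cart HTTP/1.1"))
```

With the stand-in range, the first request logs the forwarded 198.51.100.7 while the second, which bypassed the CDN, logs its true peer 192.0.2.5 and discards the forged header.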
Another issue is that CloudFlare requires you move your DNS to them. Depending on the client, gaining access to their DNS and registrar can be challenging.
Part 2 will cover using AWS CloudFront to achieve the same results.
CF Webtools is here to fill your needs and solve your problems. If you have a perplexing issue with ColdFusion servers, code, connections, or if you need help upgrading your VM or patching your server (or anything else) our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations @ cfwebtools.com.
On September 11th of 2018 Adobe released a critical security patch for a very dangerous flaw (CVE-2018-15961) that could allow an attacker to upload a file that can be used to exploit and take control of the server. Adobe updated their security note to alert everyone that there are active exploits in the wild.
"UPDATE: As of September 28, Adobe is aware of a report that CVE-2018-15961 is being actively exploited in the wild. The updates for ColdFusion 2018 and ColdFusion 2016 announced in this bulletin have been elevated to Priority 1. Adobe recommends customers update to the latest version as soon as possible." - Adobe
Today it is being reported by multiple news outlets including ZDNet that the exploit is in the wild and being used by a nation-state cyber-espionage group.
"A nation-state cyber-espionage group is actively hacking into Adobe ColdFusion servers and planting backdoors for future operations, Volexity researchers have told ZDNet. The attacks have been taking place since late September and have targeted ColdFusion servers that were not updated with security patches that Adobe released two weeks before, on September 11." - ZDNet
This is one more friendly reminder to make sure your ColdFusion servers are patched! Either patch them yourself, have your hosting provider patch them or if they are not familiar or knowledgeable with ColdFusion contact us at CF Webtools to patch your servers. Our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to "operations at cfwebtools.com".
The jokes in our water cooler chat have become a little tired so we are looking for some new material. If you think you are entertaining (and smart and talented) enough to join the Muse' Merry M... er.. Merry Persons, here's what you need to know.
If you are looking for an inside track, here are some extra skills that are "nice to have". None of these are non-starters, but if you hit one of these bells it could help.
We care about developers and work culture. We intend to get to know you and what makes you tick and we hope to provide a work environment where you can grow. We want you to want to come to work every day. We are looking for developers that match our culture of Can-do, Caring, Communication and Competency. Here are some examples of what we expect.
Today's short note is brought to you by "Don't Do That On Production!" At CF Webtools we often get called in to help troubleshoot servers that are failing to perform well. We often hear the same sort of symptoms, which go like this: the server has been running fine for months, then suddenly for no reason it's slow, CPU usage is high, and it hangs or crashes multiple times per day. This always prompts us to ask the same question: "What was changed just before these symptoms started?" And the answer is usually "Nothing was changed (as far as they knew)". In reality the person we're talking to may not be the only person with access to make changes to the server. Or they may not in fact have access at all and are relying on information provided to them by an IT team member. We take notes, assume nothing, and question everything (on the server).
We had this scenario play out a few times in the past few weeks with three servers from three different companies. The reason I'm writing this note is the same problem occurred on each server. The short answer is someone enabled ColdFusion Debugging on the production server. ColdFusion is a very powerful rapid development platform, but it has a few gotchas if you are not careful. Such as enabling debugging on a production server. Debugging output provides a massive amount of information and for obvious security reasons we never want this enabled on a production server. Yes, I know you can restrict debugging output to a certain IP address, but that does not prevent the debugging output from being generated. It's just not displayed. The generation of debugging output takes more CPU power and at times more JVM memory. On a low load web application you may not notice a difference. However, on a high load, high traffic production web application the extra resources needed to generate the debugging output may in fact cause all those symptoms described above.
In each of the cases we saw these past few weeks, we were reviewing the server's settings, looking at the results from FusionReactor, and reviewing ColdFusion settings. On the first server we almost missed the fact that debugging was enabled. By the time we were troubleshooting the third server with similar symptoms we were checking whether debugging was enabled before we did anything else. Disabling debugging resolved the bulk of the performance issues. We then used this time to review each server and offered additional performance tuning recommendations based on each server's resources and application needs.
This falls into the category of "Don't Do That On Production!" Please leave debugging to your development and staging servers.
CF Webtools is here to fill your needs and solve your problems. If you have a perplexing issue with ColdFusion servers, code, connections, or if you need help upgrading your VM or patching your server (or anything else) our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations @ cfwebtools.com.
In another chapter of "The Cloud Never Crashes", I woke up Sunday to one of my AWS instances that was 'crashed' with a notice of "Amazon EC2 Instance scheduled for retirement". Retirement? What does that mean? I went to check my email and realized that the "retired" instance was the email server. Doh! It took me a little while to figure out what they meant. It means this "An instance is scheduled to be retired when AWS detects irreparable failure of the underlying hardware hosting the instance." This serves as a good reminder that the cloud is really someone else's server.
In theory this is an easy fix. The instructions at Amazon claim that stopping and restarting the instance will launch it on new hardware. In practice I could not get the instance to stop. This is where having physical hardware and a power cord to pull would have been nice. Failing to get the instance to stop, I could not detach the EBS root volume. Even force detaching the EBS root volume didn't work. This is where daily snapshots of EBS volumes come in handy. I was able to launch a new EC2 instance, then convert the last snapshot to an EBS volume and attach that to the new EC2 instance. Then I moved the elastic IP from the "Retired" instance to the new instance and hit "start". Full recovery!
Now I'm left with a hanging EC2 instance that is still "Stopping" and an EBS volume that I cannot use, detach, delete etc. I tried reissuing stop commands a couple of times. Eventually I noticed a "Force Stop" option. I do not remember seeing this on earlier attempts. I do not know if this shows up after the first failed stop attempt or after several. I'm not sure, but I think that sends a trained monkey into the datacenter to pull the power cord. In any case it worked. This let me detach my EBS volume. From there I was able to stop the new instance, detach the EBS volume and attach my original EBS root volume. Now I have full recovery and I was able to clean up the loose ends.
Amazon Web Service has given us a new euphemism. Retired means It's Dead Jim!
CF Webtools is an Amazon Web Services Partner. Our Operations Group can build, manage, and maintain your AWS services. We also handle migration of physical servers into AWS Cloud services. If you are looking for professional AWS management our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.
You guessed it Thomas, CF Webtools is hiring again. We are looking for as many as 4 advanced ColdFusion programmers to add to our already large team of CF folks. Here's the stuff everyone wants to know.
If you are looking for an inside track, here are some extra skills that are "nice to have". None of these are non-starters, but if you hit one of these bells it could help.
We are a company out to build a positive culture and work environment where you can shine and feel good about what you do. We are looking for developers that match our culture of Can-do, Caring, Communication and Competency. Here are some examples of what we expect.
At CF Webtools we recently went through a round of server upgrades to handle Authorize.net ending support for older TLS versions. Now USPS, the United States Postal Service, is doing the same thing with their Shipping APIs. This is going to happen for all APIs, most likely all this year, because PCI requirements end support for TLS 1.1 and older at the end of June 2018. This is according to the PCI Security Standards Council.
USPS will be turning off support for TLS 1.1 and older for testing. In advance of the changes to production, TLS version 1.0 and 1.1 support will be discontinued in the lower Web Tools environments and available for testing on 5/22/18: https://stg-secure.shippingapis.com/shippingapi.dll): 06/11/18.
This means that if you are using older methods to make calls to USPS that are not capable of making TLS 1.2 connections then you will NOT be able to process Shipping API transactions. The USPS notice reads: This message explains some security improvements planned for our services. Effective 06/22/18, Web Tools will discontinue support of Transport Layer Security (TLS) version 1.0 and 1.1 for securing connections to our HTTPS APIs through the following URL: https://stg-secure.shippingapis.com/shippingapi.dll. This includes, but is not limited to, all shipping label and package pickup APIs. After this change, integrations leveraging TLS version 1.0 and 1.1 will fail when attempting to access the APIs.
You are receiving this message because the Web Tools UserID associated with your email address has made HTTPS requests over the past year. It is possible that no changes are necessary to retain Web Tools services and benefit from the improvements. Please review the entire message carefully and share with your web developer, software vendor, or IT service provider to determine if your use of the Web Tools APIs will be affected. If you have already updated your security certificates please disregard this message. If you are not sure if any changes are necessary, please ask your IT service provider.
Further background: Security research published in recent years demonstrated that TLS version 1.0 and 1.1 contained weaknesses that limited its ability to protect and secure communications. These weaknesses have been addressed in the TLS 1.2 version. Major browser software vendors have been supporting TLS 1.2 for some time. Consistent with our priority to protect USPS Web Tools customers, Web Tools will only support versions of the more modern TLS 1.2 as of the effective date noted above.
Contact us at WebTools@usps.gov with any questions or concerns.
This affects ALL ColdFusion versions 9.0.2 and older! This also affects ColdFusion 10 Update 17 and older. If your server is running any of these older versions of ColdFusion and your server is processing Shipping API transactions with USPS then this advisory applies to your server.
Mitigation
Getting compliant depends on the age of your server's operating system. There are three main ways to get your server to handle TLS 1.2.
CF Webtools has been successfully mitigating this issue on clients' servers for the past couple of years and we are very experienced in resolving these security related issues. In a previous blog post I tested which TLS levels were supported by various ColdFusion versions on various Java versions and produced an easy to read chart.
If your ColdFusion server is affected by this or if you do not know if your ColdFusion server is affected by this then please contact us (much) sooner than later. Our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.
Adobe has announced the Public Beta of Adobe ColdFusion 2018 is now available. This release brings an all new Performance Monitoring Toolset that is available with both the Standard and Enterprise versions (So I've been told). There's plenty of language improvements and updates and a new Public Beta of ColdFusion Builder 2018. Hurry up while supplies last!
There are a large number of changes, including an all new ColdFusion Administrator. Here's a partial list of new things according to Adobe:
- ColdFusion (2018 release) has a new User Interface. The new interface is based on a tiled interface. We have also enriched the search experience on the Administrator portal.
- We have removed Server Monitor. We have introduced a tool called Performance Monitoring Toolset, which is more intuitive, includes more features, and provides better visibility of your application's performance.
- We have made significant improvements to the core language features. Here is a brief list of the changes:
  - Introduced NULL support
  - Introduced closures in tags
  - Introduced Asynchronous programming using Future
  - Enhanced Object-Oriented Programming with the following:
    - Abstract components and methods
    - Final component, method, and variable
    - Default functions in interfaces
    - Covariance
  - Semi-colons are now optional in cfscript code
  - Introduced named parameters in functions
  - Introduced slicing in arrays
  - New operator support using name-spaces for java, webservices, dotnet com, corba, and cfc
  - Introduced support for typed arrays
  - Introduced string literals and support for numeric member functions
  - Introduced negative indices support for arrays
  - New functions: ArrayFirst, ArrayLast, QueryDeleteColumn, and QueryDeleteRow
- Enhanced CLI and introduced REPL.
- Introduced REST Playground application for testing your REST APIs.
- Added support for REST PATCH verb.
- Filter fields from JSON request.
- Enhance performance through Caching with the newly added engines:
  - Memcached
  - JCS
  - Redis
  - Using a custom cache plugin
- New Admin APIs to support the caching engines
- Hibernate upgraded to version 5.2
- New configuration settings in wsconfig tool
- Updates to ColdFusion Builder.
This is a huge update! Get it while it's hot!