Release-4220: Patch NGINX CVE-2017-7529, PHP5.6 in hypernode-vagrant
Last night NGINX issued a security advisory for versions 0.5.6 – 1.13.2 regarding an integer overflow issue in the built-in range filter module. This issue could potentially allow denial of service or disclosure of worker process memory if abused. Our NGINX build has been patched to fix this issue. The patched version is nginx/1.13.2. We…
Release-4199: Various improvements
We’ve fixed a bug where the nginx configuration was not correctly re-generated when using Let’s Encrypt and enabling/disabling Varnish. This could have resulted in SSL domains pointing towards Varnish while Varnish was disabled or not running, resulting in a 502 error. Dependent configurations are now re-generated correctly when changes are applied. We’ve added TLS support for FTP…
Release-4176: Enhanced brute-force detection, NeoPi and libfcgi
Today we deployed some changes to the code of our emergency rescue strategy. In case a Hypernode goes down as a result of a saturated PHP-FPM queue we try to detect malicious patterns in the pending requests running on the FPM workers. If the request pattern across the server looks like a brute-force attack or…
Release-4164: Varnish 4.1.3 and Nginx 1.13.1
Today we will be gradually rolling out a version update of Varnish and Nginx on the Xenial Hypernodes. Nginx will be upgraded from nginx/1.10.2 to nginx/1.13.1. The changelog for the differences between these versions can be found here. Our current 1.10.2 build has IPv6 disabled, which we expected to be fine since the Hypernodes do…
Release-4091: Varnish improvements
We’ve improved how our code manages the Varnish installation for Ubuntu 16.04 Xenial and Ubuntu 12.04 Precise nodes: fixed configured VCL being lost on full update (16.04 Xenial); fixed configured VCL being lost between node migrations (16.04 Xenial); fixed Varnish getting reinstalled on full update (16.04 Xenial); fixed Varnish getting restarted on full update (12.04…
Release-4046: Whitelisted Ayden’s user agent
We’ve whitelisted Ayden’s HTTP user agent from the bot rate limiting. It’s no longer subject to the bot rate-limiting mechanisms.
Release-3981: Deny specific configuration files on magento1 installations
We’ve moved certain security restrictions from the magento2 configuration into the global magento1/2 security configuration file. Specifically, the following files are no longer reachable externally: auth.(json|lock), package.(json|lock), composer.(json|lock), Gruntfile.js, cron.php. Hidden files are now also denied with a 403 instead of a 404. Furthermore, we’re working hard on the Xenial migration. Many changes…
Release-3943: Xenial hypernode-vagrant
Over the past couple of weeks we’ve been very busy preparing to upgrade Hypernode to the latest LTS version, Ubuntu 16.04 Xenial. Although we heavily modify the Ubuntu base for Hypernode, upgrading to this newer version will have many advantages, such as newer releases of various packages. For Hypernode we build all important parts of the…
Release-3914: n98-magerun weak password tester
We’ve released a new version of the Hypernode plugin for n98-magerun that you can use to test for weak admin passwords. As admin accounts are increasingly brute forced, it is essential that you don’t use “guessable” passwords (such as steven123). This plugin will show you the weak passwords in your store. For more information, run `magerun hypernode:crack:admin-passwords --help`…
Release-3864: IP authentication exceptions on development plans
In this release it becomes possible to whitelist IP addresses on development plans, so that they are exempt from the basic authentication requirement. This may be useful for testing external payment providers or other kinds of external services which do not support basic auth. The whitelist file is placed in /data/web/nginx/whitelist-development-exception.conf and looks like this:…
Release-3774: Mitigate CVE-2017-6074 and firewall known bot networks
Today’s release implements two security measures on Hypernode. Yesterday a new double-free vulnerability was announced in the Linux kernel. We’ve implemented some rules to mitigate this vulnerability until all nodes are running the new patched kernel. Additionally, we’ve seen an increase in brute-force attacks on the Magento /downloader. In this release we blacklist a range…
Release-3760: Updated monitoring for development plans
We’ve updated the monitoring of development nodes. The alerting for these plans has been changed to only alert during business hours.
Release-3732: Let’s Encrypt Nginx configs are generated without www. prefix
Today we will update the hypernode-ssl-config-generator so that it generates Nginx server definitions without a www. prefix in the server name. This additional server_name was unneeded because dehydrated only creates certificates for the domain you specified, not automatically also a www. domain. A new config will automatically be generated the next time you run dehydrated…
Release-3728: Allow Let’s Encrypt on dev plans, fix ibdata1 shrink automation
On development plans it’s now possible to use Let’s Encrypt again. The relevant requests have been made exempt from the basic auth. We fixed a regression in our shrink_ibdata1 automation; the regression had been introduced by the MySQL version update at the end of November. We added an alias `sf2` which shows all magento2 storefronts. It executes `cd…
Release-3657: Whitelist Sendcloud
This release contains a change to the default Nginx whitelist that makes SendCloud exempt from the standard bot ratelimit. The FPM slot limit still applies. Users can further configure their rate-limiting settings in the Nginx config in /data/web/nginx. Also in this release: more tweaks to the WAF for yesterday’s RCE mitigation. The Cart2Quote development team…
Release-3636: New WAF rules to mitigate RCE in two plugins
We’ve added new rules to our web application firewall to block hacking attempts relating to a remote code execution exploit found in the EM_Ajaxproducts and Ophirah_Qquoteadv plugins. We scanned all Hypernodes; if your shop had either of these two plugins installed, you will have received an email with more specific information. Other changes in this…
Release-3586: Updated composer
We’ve changed our composer self-update to use the `--stable` flag. Freshly provisioned nodes, however, did not understand this flag yet, because the initially deployed composer was too old. We’ve updated composer in our repository so that all new nodes will be able to update themselves to the latest stable composer.