Vulnerability scanning
Some information regarding the vulnerabilities that BitFolk and its partners scan for.
Overview
It is not possible to give a static, exhaustive and unchanging list of all software bugs and misconfigurations that can cause problems. Issues are being discovered in software all the time, and some of these will present serious risks either to you as a BitFolk customer, or to the rest of the Internet or both. This article aims to give more information about the sorts of problems that are scanned for and why they are an issue. It is not an exhaustive list of all possible security problems that can affect your service, nor a complete list of things that BitFolk may ask you to fix.
BitFolk undertakes to scan its own customer base for some known vulnerabilities, and receives and passes on reports from other organisations who are doing the same on an Internet scale. Where the risk is mainly towards the customer (and/or the customer's users), BitFolk is content to just continually alert you by email of the problem that has been detected. Where the problem represents a risk to the rest of the Internet, BitFolk must insist that you fix the problem in a timely manner.
Please note that the security of your service is your responsibility; BitFolk cannot scan for every possible problem. Even in the cases where BitFolk is not detecting something that it is expected to detect, verifying this is the customer's responsibility. These scans are performed for BitFolk's benefit and the results shared with customers as a courtesy, and should not be considered a professional security assessment.
Partner organisations
Shadowserver
At the moment the only organisation regularly reporting on possible vulnerabilities and misconfigurations is Shadowserver. No customer information is provided to Shadowserver. Shadowserver scans the entire Internet and passes on information regarding BitFolk's IP space. Not all of this is relevant, so further filtering is done at BitFolk's end before any alerts are sent to customers.
Issues which require urgent attention
Some problems can turn your service into a vector of abuse. In particular, UDP-based services can be susceptible to spoofing: an attacker forges a victim's address as the source address of the UDP packet and sends a request to your UDP service, which then responds verbosely. Where the response is much larger than the request this leads to an amplification of traffic. A relatively small number of such misconfigured services can be used in this way to carry out a distributed denial of service attack.
Due to the ease with which such services can be turned into attack vectors, BitFolk does not allow them to be made generally available to the whole Internet. You are required to lock them down with firewalls, ACLs or other appropriate configuration, or to simply shut down the service if it is not actually required.
Timescales
BitFolk would like you to resolve problems as soon as possible but recognises that it may not always be possible to do so immediately. If an active attack is underway then there may not be time to wait for you to respond and BitFolk will suspend your network immediately. Most of the time though there is only the possibility of your service being used as an attack vector. In these cases BitFolk will just keep emailing you alerts for at least 21 days.
If there hasn't been any response for at least 14 days then BitFolk will attempt to contact you in other ways. These can include any alternate or emergency emergency contacts you've included in your address book, as well as SMS messages to cell phone numbers, and so on.
If BitFolk hasn't received a response to any of this after 21 days and the problems still exist then it will regrettably be necessary to suspend the network of your VPS until contact is re-established and a plan for securing the service is agreed.
Common issues in this category
Open portmapper
A UDP-based service which can be used in amplification attacks. No need for it to be world-accessible; this is normally a misconfiguration. Unless your VPS is operating as an NFS server it probably isn't necessary to run portmapper at all.
Open SNMP server
An SNMP server which is publicly accessible either with no community string or the default 'public' community string can be used in an amplification attack and is also most likely giving out a lot of information that you normally wouldn't want to be made public. If intentionally running an SNMP server, you should use a more secure community string and firewall it off as much as possible.
Open DNS resolver
A DNS resolver which provides service to the entire Internet is a UDP service which can be used in amplification attacks, amongst other things. You should firewall it off as much as possible and also deny recursion except to authorised clients.
Some people run open DNS resolvers because they wish to provide service to remote clients on unpredictable IP addresses. This is not acceptable at BitFolk. A better solution would be to provide VPN services to the clients, as that can be authenticated by certificate.
Non-urgent issues
Less urgent problems generally involve some information leak that is most likely undesirable to the customer but of no real concern to the rest of the Internet. BitFolk may alert customers of these problems but will not take further steps to ensure they are fixed.
Common issues in this category
Open database service
A variety of data storage applications, databases and nosql services are commonly misconfigured so as to be available to the entire Internet, either with no credentials or with default credentials. Examples include:
Open Remote Desktop
Leaving an RDP or other desktop-sharing service open to the Internet is fairly common.
Open multicast DNS
mDNS / Avahi servers are sometimes left exposed. In theory these can be used in amplification attacks in the same way as normal DNS servers.
Open TFTP server
As a UDP service this can possibly be used for amplification attacks.
SSLv3/POODLE-vulnerable services
TLS applications that still allow SSLv3 clients are vulnerable to a man-in-the-middle attack. Essentially someone with privileged access to any part of the network between client and your server (such as IT staff or another user on an insecure wifi access point) could use this bug to gain clear access to data in an encrypted TLS conversation.
The fix is generally to disable SSLv3.
Frequently Asked Questions
How do I make the alerts stop?
It isn't possible to opt out of these sorts of alerts. The fact that you're being sent them at all means that BitFolk deems the problem quite serious. Once the problem is fixed the alerts will stop.
If the alert in question is one of the ones that BitFolk will take no further action on then it is always possible that BitFolk has overestimated the seriousness of the issue. If you feel that this is the case then please contact BitFolk to discuss.
Where can I find help fixing the problem?
If you need assistance fixing the problem then it would be best to contact the "users" mailing list, as these are almost always a question of configuration and/or systems administration.
Why am I still being alerted even though I've fixed the problem?
The alert email should contain a timestamp showing when the problem was scanned at. Especially in the case of reports that came from partners it can be a day or so between the scan and the alert, so you may have fixed things after that time.
If you are receiving alerts with scan times after your fix you should contact Support. There may also be a simple way to check for the problem yourself, so it may also be worth checking that your fix is really in place.