Many people tell me that their websites are safe. Why? Because "Who will bother to attack my site?" Or "Our business is too small for anyone to hack." Oh please!
There's this popular fallacy that attackers on the internet always target particular sites. They don't. Yes, some do. I'm looking at you Equifax. But most attacks are made by bots, which don't know a thing about you, your business, or your website.
Bots don't care who you are or what you do. If you're on the web, you're a target.
According to the web security company Imperva, half of all website visitors are bots. Of those, approximately 29 percent of all your "visitors" are there to attack your site.
Contrary to those of you who think your website is too small to be noticed, Imperva found the less traffic you get, the more likely you are to be attacked. "In the least trafficked domains -- those frequented by ten human visitors a day or less -- bad bots accounted for 47.7 percent of visits while total bot traffic amounted to 93.3 percent." Indeed, "Bad bots will try to hack [your site] regardless of how popular it is with the human folk. They will even keep visiting a domain in absence of all human traffic."
Does that sound crazy? For people, yes, but bots aren't people. They're constantly scanning the web and attacking sites over and over again.
Don't believe it? Let's look at the evidence. Honeynet, an international non-profit security research organization, with help from students at Holberton School, recently set up a honeypot to track security attacks on a cloud-based webserver.
This ran on a barebones Amazon Web Services (AWS) instance. It was running no services that would be useful to anybody else. It did not even have a domain name. Shortly after starting the server, they started capturing network packets for a 24-hour period with the best network traffic analysis tool available today, Wireshark. They then analyzed the packet capture file with Wireshark; Computer Incident Response Center's (CIRCL) Border Gateway Protocol (BGP) ranking API; and p0f, a passive TCP/IP traffic fingerprinting program.
In a day, a mere 24 hours, this unnamed, almost invisible web server was attacked more than a quarter of a million times. Think about that for a minute. Now, start locking down your website.
Of those attacks, the vast majority of them, 255,796 connection attempts, were made via Secure Shell (SSH). The researchers then opened a honeypot, a server designed to look like a real website, to collect attack data. To keep the project workable, they chose to open up the web's Hypertext Transfer Protocol (HTTP), SSH, and the Telecommunications Network (Telnet) protocol for attacks.
Telnet, some of you may ask? Who uses Telnet anymore? We do, thanks to badly designed Internet of Things (IoT) devices. Some IoT gadgets use Telnet for configuration and management. That's asking for your devices to be hacked. Telnet had never had any security to speak of.
The majority of the HTTP attacks were made to PHPMyadmin, a popular MySQL and MariaDB remote management system. Many web content management systems, not to mention WordPress, rely on these these databases. Vulnerable WordPress plugins were also frequently attacked. Mind you, this was on a system that even in honeypot mode hadn't emitted a single packet towards the outside world.
Many attempted attacks relied on old malware, known configuration problems, common username/password combinations, and previous well-known attacks. For example, attackers tried to crack the webserver with Shellshock, although patched in 2014, and the Apache Struts vulnerability, which was fixed in March 2017. You can't blame the people who write the bots for using obsolete attack vectors. As well-known security expert SwiftOnSecurity tweeted: "Pretty much 99.99 percent of computer security incidents are oversights of solved problems."
As for SSH, most of the attacks were brute-force assaults running through lists of commonly used usernames and passwords over the entire range, 1-65535, of TCP ports.
Is it any surprise that Imperva has found that one in three website visitors is an attack bot?
Imperva and Holberton also found that "The attack patterns we recorded for HTTP and SSH relied on generic exploit attempts that seemed to scan a range of IP addresses for well-known vulnerabilities. Telnet, on the other hand, relied on even simpler intrusion methods, by bruteforcing with default username and password combinations. Sometimes, these spray-and-pray attacks immediately attempted to download antiquated scripts, or more contemporary trojans, but none of the recorded attempts were covert enough to evade detection or overcome simple protective measures."
These attacks aren't sophisticated. They're being driven by bot and botnets to attack any and all sites they find. These automated hackers are hunting for weak, unprotected websites.
The moral of this story is if you have any web presence -- and I mean any -- you must secure your site with basic security rules. That starts with using firewalls to block all ports to your site except for the ones you use. You must also disable any internet-facing services unless you're using them. Finally, you must keep your software patched and up to date.
Your site will still get hammered on a daily basis, but you'll be safe from the vast majority of automated hackers.