Under Constant Attack

observations about web site trespass and intrusion assailants

Running web sites, even a personal web site such as this, provides detailed insights into one aspect of the extent and the pervasiveness of evil on planet earth. In this instance, the evil is the apparent constant assault by would-be intruders of various sorts on every one of the millions of web sites running all over planet earth. Even this modest personal web site is subject to a constant barrage of web site attackers, trying incessantly to break into it. One has to wonder what exactly all these web site assailants believe they’ll accomplish by breaking in, especially by breaking into a web site such as this. Such speculative questions are relevant because this web site isn’t a bank, a government, or a retailer, with personal customer or citizen information stored in its supporting database.

There seem to be various types of web site attackers though, with varying goals. Some of the attackers are pitiful spammers who mistakenly believe that their desired ability to advertise whatever junk they may be selling, on any and every web site in existence that doesn’t have appropriate security measures in place, would be of some potential financial benefit to them. The persistence of would-be spam-planting web site attackers implies that somebody somewhere must be generating financial revenue from such activities. Another set of web site assailants give the appearance of being pathetic dark net hooligans who try to break in everywhere they can, seemingly just for sport, most likely while they reside in mommy and daddy’s basement, where they remain slacker slobs living off parental largess. Some of the more organized web site attackers even appear to use automated software robots that crawl the web looking for sites with lax security measures.

It is apparent from the nature of some of the web site attacks that some web site assailants believe a given web site may be a good one on which to post commercial spam advertising. With regard to this web site, such attackers couldn’t be more wrong. Their commercial solicitations would be useless on a site like this one. Nobody who actually views and reads this web site would be interested in the junk they are likely to have on offer. Moreover, even if there were security holes in this web site through which they could upload something such as comment spam, that spam would never make it through this site’s comment moderation queue in any event. Such spam attempts would be deleted instantly, long before they might have any ability to reach publication.

Based on the breadcrumb trails left by many web site attackers, they have at least some rudimentary knowledge of the various content management systems (CMS) being used to deploy web sites. For example, some web site attackers look for WordPress vulnerabilities on this web site, apparently because they haven’t taken the time to notice that this web site is implemented with the Drupal CMS. Other attackers realize that this is a Drupal web site and plan their attack points accordingly. One such frequent attack point is the web address /node/add, in an apparent attempt to test basic web site security regarding the scope of users who have the ability to create new content. When that form of probing appears in the access logs, it is met with an instant IP address ban. Even if the attacker changes IP address, an IP address ban at least puts the attacker on notice that they’ve been detected.

Meanwhile, there appear to be a variety of simple, basic, often relatively low tech measures web site administrators can employ to help keep hackers at a distance. Some of these measures are simple, but apparently aren’t used adequately by many web site managers. The first of these site protection measures must surely be frequent, at least daily, access log review. Manual access log review is a simple and nearly necessary human time and expense cost of having a web site visible to the entire planet on the World Wide Web. Web site owners with the resources and large volume traffic could surely build automated tools with heuristic algorithms that detect and repel various types of attempted intrusions, but fifteen minutes of manual access log review per day can likely keep the majority of potential intruders at bay. It is amazing how easy it is to see the difference between the page navigation behaviors of real humans reading a web site, versus search engine bots, versus human site attackers, versus automated web site attack software robots.
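The log review described in the two paragraphs above (the /node/add probe that earns an instant IP ban, and the daily manual scan of access logs), as an added Python example that is not part of the original post: it parses combined-format access log lines, flags anonymous hits on /node/add and requests for WordPress-only paths on a Drupal site, and groups them by client IP as ban candidates. The sample log lines, the IP addresses and the list of WordPress paths are constructed for illustration and are assumptions, not data from the site described.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Probe signatures from the behaviour the article describes: Drupal's
# content-creation path, and WordPress-only paths that cannot exist on a Drupal site.
DRUPAL_NODE_ADD = re.compile(r"^/node/add(?:[/?]|$)")
WORDPRESS_ONLY = re.compile(r"^/(?:wp-login\.php|xmlrpc\.php|wp-admin(?:/|$)|wp-content/)")

def parse_line(line):
    """Return the fields of one combined-format line, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Label a request as a probe, or return None for ordinary traffic."""
    path = entry["path"]
    # Drupal answers /node/add with 403 for anonymous users, so a 403 there is a
    # permission probe; a 200 is a logged-in editor doing legitimate work.
    if DRUPAL_NODE_ADD.match(path) and entry["status"] in ("403", "404"):
        return "drupal-node-add-probe"
    if WORDPRESS_ONLY.match(path):
        return "wordpress-probe-on-drupal"
    return None

def review(log_lines):
    """Group probe hits by client IP; the keys are the ban candidates."""
    hits = defaultdict(list)
    for line in log_lines:
        entry = parse_line(line)
        if entry is not None and (label := classify(entry)):
            hits[entry["ip"]].append((entry["path"], label))
    return dict(hits)

# Constructed sample lines using documentation IP ranges, not real visitors.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:01 +0000] "GET /node/12 HTTP/1.1" 200 8124 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Oct/2023:14:01:00 +0000] "GET /node/add HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:14:02:11 +0000] "GET /node/add HTTP/1.1" 403 512 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Oct/2023:14:02:12 +0000] "GET /wp-login.php HTTP/1.1" 404 310 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:14:02:13 +0000] "POST /xmlrpc.php HTTP/1.1" 404 310 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]
if __name__ == "__main__":
    for ip, probes in sorted(review(SAMPLE_LOG).items()):
        print(f"ban candidate {ip}: {probes}")
```

The status check is what keeps a logged-in editor's successful visit to /node/add out of the ban list while the anonymous 403 goes in.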

Another form of security measure is to require real human intervention for certain types of processes. For example, this web site doesn’t allow public user registration. Instead, the site requires that a human being use the contact form to send a request for creation of a user account. This provides an opportunity for contact with and verification of human registration applicants before account creation. Even once the account is created, Drupal provides a highly granular system of access permissions based on roles, so that users have only the lowest level of access to the system required to make their permitted use of the system possible. In conjunction with human-verified user account setup, the comments on a site like this are only visible to users who are logged in with an account. As a result, even if a comment spammer ever gained temporary access, none of their spam comments would be publicly visible in any event.

At an equally fundamental level, it seems essential in the internet era to use a software tool, such as the Drupal CMS, that is developed and maintained by technologists who are conscious of and concerned about security as a high priority. Security has to be built in at the system’s bedrock design level. Following the security recommendations published by the community that surrounds a CMS also seems essential.

Of similar importance, there isn’t any such thing as universally invulnerable software. Consequently, it is essential that software such as a CMS platform be maintained constantly, and refined when potential vulnerabilities are noticed or detected by its developers, long before web site attackers have any opportunity to try to exploit them. Checking for and installing the latest Drupal CMS core updates, and updates for all of its extension modules, is a fundamental security measure. The Drupal CMS even provides automated tools that check for updates, and displays internal administrative warnings when components are out of date. The Drupal administrative systems have evolved to include an excellent suite of easy to use internal tools. Good web hosting services also provide important tools, even through front-end site administration systems like cPanel.

Another essential security measure is frequent and regularly scheduled system backups. With backups, at least if a site is attacked, and the intruder gains access that results in site damage, the site can be restored to its “last known good state”, and the vulnerability patched to prevent future intrusions.

What is most notable, however, is that the endeavor of maintaining any web site in the internet era, from personal web sites to business and government sites, requires constant vigilance against potential web site intruders. The average person probably doesn’t realize that there is an ongoing war being waged throughout the internet, every nanosecond of every day, as every web site and every email server on earth is under constant attack. Given the nature of the internet, most often people running web sites are focused primarily on preventing intrusions, stopping the attackers, while aspects of society such as government seem largely lacking any real competency to address the legions of otherwise invisible enemies, real people in our midst, who are constantly trying to trespass into our virtual cyber sphere abodes, everyone’s email servers, everyone’s email accounts, and everyone’s web sites. It certainly would be entertaining if one day there were online sites with background information about such people, like there are about registered sex offenders, just to see them and know more about who they are and the motivations for their various types of web site attacks and intrusions.

Marilyn Perry