We have one of the most secure servers on the planet now, if not the most secure, and I am not exaggerating.

People ask me why I am so concerned with security on a weather forum/site. It doesn't matter what type of site it is; every single server and domain on the planet is being attacked every minute of every day. Scanners, bots, worms, crawlers, spiders, and our favorite, spammers, are at work non-stop searching for weaknesses and vulnerabilities in systems, looking to steal your information. Even just an email is gold to a spammer or hacker; it is the first step in stealing your identity and exploiting your privacy. This site alone has 100,000s of lines a day in the logs of these attacks, from the email server to the web server and our own applications. Only a strong defense can prevent such attacks from succeeding, and the security I implement is on every server and domain I run, because that's what a system administrator's job is, and today most are failing miserably in their responsibility to the end user. This includes the biggest corporations, trading your security and safety for dollars, and then trading your private info behind your back for more dollars.

Our mail server is now:

  • End-to-end encryption (EEE) and strict privacy compliance (required: systems and mail servers that do not support strict TLS cannot connect to our server; they don't qualify and are not worthy)
  • SMTP MTA Strict Transport Security (MTA-STS) compliant
  • Using DANE with DNSSEC
  • Dropped TLS 1.1 support; we only support TLSv1.2 and TLSv1.3
  • Insecure SMTP port 25 has been removed from the configuration and blocked
  • Insecure POP3 port 110 has been removed from the configuration and blocked
  • Insecure submission port 587 has been removed from the configuration and blocked
  • Only secure ports 993, 995, and 465 are active now.
  • Reject email from domains with an invalid SPF record; strict SPF policy measures are in effect
  • Lots of other security goodies and custom configs I can't mention

Just a quick test of some major sites: Gmail, Facebook, Verizon and, unbelievably, Chase Bank (C grade) all pale in comparison. Pro Health Care should be 100% HIPAA compliant and they are not.

They all support weak ciphers and none have SMTP MTA-STS enabled, which is standard now.

Comparison of similar sites: Americanwx and 33andrain aren't even worth mentioning.

Test: check your email provider

https://luxsci.com/smtp-tls-checker#results

[image: wxdiscomail.PNG]

[image: wxdiscomail2.PNG]

On the web server side

  • 100% Secure Header compliant
  • Dropped TLS 1.1 support; we only support TLSv1.2 and TLSv1.3
  • Removed weak ciphers, which will affect older devices and browsers
  • WX Disco uses Strict-Transport-Security and is preloaded in all modern browsers (see https://hstspreload.org/?domain=wxdisco.com )

[image: headers1.PNG]

More tests

https://dnssec-debugger.verisignlabs.com/wxdisco.com

https://www.ssllabs.com/ssltest/analyze.html?d=wxdisco.com

 

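The MTA-STS requirement in the list above, as an added example that is not the forum's or the wxdisco server's own code: a small Python parser for an MTA-STS policy file and the deliver-or-refuse decision a policy-aware sending MTA would make against it. The policy text and hostnames are constructed placeholders, and the TLS result is passed in as a flag rather than obtained from a live STARTTLS handshake.

```python
# Added example (not the forum's or the wxdisco server's code): a minimal
# MTA-STS (RFC 8461) policy parser and the deliver/refuse decision that a
# policy-aware sending MTA makes. Policy text and hostnames are constructed
# placeholders; real policies live at https://mta-sts.<domain>/.well-known/mta-sts.txt
import re

SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.net
mx: *.mx.example.net
max_age: 604800
"""

def parse_policy(text):
    """Parse 'key: value' lines; 'mx' may repeat, so it collects a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank or malformed line
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("unsupported version or invalid mode")
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy

def mx_matches(pattern, host):
    """RFC 8461 match: a leading '*.' covers exactly one DNS label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return re.fullmatch(r"[^.]+" + re.escape(pattern[1:]), host) is not None
    return host == pattern

def sending_decision(policy_text, mx_host, tls_ok):
    """Return (deliver, reason); tls_ok = STARTTLS gave a valid chain and TLS 1.2+."""
    policy = parse_policy(policy_text)
    if policy["mode"] == "none":
        return True, "no policy in effect"
    listed = any(mx_matches(p, mx_host) for p in policy["mx"])
    if listed and tls_ok:
        return True, "MX listed in policy and TLS verified"
    problem = "MX not listed in policy" if not listed else "TLS verification failed"
    if policy["mode"] == "testing":
        return True, problem + " (testing mode: delivered anyway, report via TLSRPT)"
    return False, problem + " (enforce mode: delivery refused)"
```

In enforce mode a sender that cannot verify the receiving MX and its TLS refuses delivery outright, which is the behaviour the bullet list describes from the receiving side.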

What does this all mean to members?

  • If your email carrier doesn't support TLS security or have a valid certificate chain, then connections to our server are rejected: you cannot receive or send email to wxdisco
  • If your mail carrier doesn't support SPF or have a valid SPF policy, then connections to our server are rejected: you cannot receive or send email to wxdisco
  • If your mail carrier doesn't support DKIM signing or have a valid certificate, then connections to our server are rejected: you cannot receive or send email to wxdisco
  • If your mail carrier doesn't support DMARC or have a valid policy, then connections to our server are rejected: you cannot receive or send email to wxdisco
  • If your mail carrier does support TLS and weak ciphers, i.e. anything prior to TLSv1.2, then connections to our server are rejected: you cannot receive or send email to wxdisco
  • If your mail carrier does support EEE (END TO END ENCRYPTION), then connections to our server are rejected: you cannot receive or send email to wxdisco

Older devices and browsers will not be able to connect to email or the web server, meaning you cannot access this site. Any devices or browsers that do not support SNI or TLSv1.2+:

  • Pretty much everything before Android 3
  • Pretty much everything before IE 11 / Win Phone 8.1
  • Pretty much everything before Safari 8 / OS X 10.10
  • Pretty much everything before Java 6u45
  • NO support: Win XP/Vista

 

Security on this end is only as good as the security on your end. It is 100% your responsibility to make sure you are doing all you can on your end to maintain a secure and private connection to the internet. DO NOT leave it up to others, because as you can see 90% of the system admins in this world are not worthy of that title.

  1. If you are using any of these older devices or applications, do us all a favor and get off the internet; you lack intelligence and you make the world insecure for all of us
  2. Please make sure all browsers are always updated to the latest versions, as well as your device's OS.
  3. Our server meets and exceeds RFC specifications that all should be using but sadly don't.

Good Connections

AOL mail via Yahoo* and any other carrier using Yahoo's mail servers, like Verizon.net ISP mail and many others

Gmail <> Googlemail

There are a bunch, but there are more that are insecure than secure, and that's unfortunate.

I have made a temporary exception policy on the mail server until I set up alternatives, but this will be removed and strict security enforced once those alternatives are available:

  • live.co.uk
  • internode.on.net
  • extmail.bigpond.com
  • live.com
  • charter.net
  • mx.west.cox.net
  • mxin.mygrande.net
  • bigpond.com
  • grandecom.net
  • cox.net
  • sbcglobal.net
  • prodigy.net

Amazing how Microsoft talks about security and privacy, meanwhile live.com is one of the most insecure email services on the planet! IDIOTS and, more importantly, LIARS

If you are having email issues with wxdisco contact me with your email carrier and I will have a look.


Of course I have to scan the mail log for the next few days at least to make sure everything is working properly. Some observations:

mx.optonline.net is blocked by the server and will remain so; I will not make an exception. Why?

TERRIBLE! Still using SSLv3 and very weak ciphers! NO modern defenses at all.

[image: weaksuace.PNG]

[image: weaksuace2.PNG]

As for the SSL, it's even worse! There is no cert for optonline.net!

weaksuace3.PNG

And if you analyze the webmail, weak sauce:

https://www.ssllabs.com/ssltest/analyze.html?d=webmail.optonline.net&hideResults=on

To fix the above is easy and takes a sysop an hour or so; the problem is they either don't know (college grads with degrees are the worst sysadmins) or don't care about your safety. So this is just an example of how these carriers and companies put your safety and privacy last, if on the list at all. Then everyone cries and screams when 89 million emails are stolen or people's financial info is mined via a hack. It's the responsibility of all system admins to make sure the wall is strong, and the majority are failures at their most important job.

On 6/26/2019 at 5:38 PM, PlanetMaster said:


"1. If you are using any of these older devices or applications do us all a favor and get off the internet you lack intelligence and you make the world insecure for all of us."

Ummm, ok, this has been bugging me since I read it a few days ago. Maybe you're joking, but probably not, since you're a programmer and take it very seriously, which we all appreciate. But isn't this just a little harsh... there's some older folks on here (myself included) who did not grow up with computers (I used a slide rule in college!), and may not be as savvy as you and the younger folks when it comes to stuff like this? Doesn't equate to "lack of intelligence", and therefore seems a bit unfair to some. Or perhaps I'm just overly sensitive, but aren't we trying to make EVERYONE feel comfortable here?

:smiley:

On 6/30/2019 at 1:50 PM, lynniethelurker said:

"1. If you are using any of these older devices or applications do us all a favor and get off the internet you lack intelligence and you make the world insecure for all of us."

Ummm, ok, this has been bugging me since I read it a few days ago. Maybe you're joking, but probably not, since you're a programmer and take it very seriously, which we all appreciate. But isn't this just a little harsh...there's some older folks on here (myself included) who did not grow up with computers ( I used a slide rule in college!), and may not be as savvy as you and the younger folks when it comes to stuff like this? Doesn't equate to "lack of intelligence", and therefore seems a bit unfair to some. Or perhaps I'm just overly sensitive, but aren't we trying to make EVERYONE feel comfortable here? 

:smiley:

Either you're reading it wrong or I explained it wrong. There are still those using IE6, and developers still acquiesce to these people and make it insecure for all. I am sure whatever browser you use, @lynniethelurker, is fine, because they all auto-update now, so even if you aren't in the know you are probably on the safe side. It's those who do know and choose to screw everyone else because of their own arrogance and selfishness. I will not kowtow to these individuals, and I am sure there are none here. It's not the age of the person that is an issue, it's the intelligence, and everyone here is smart enough to make sure their OSes and browsers etc. are up to date even if they don't know it. It's a programmer thing, and all of the criticism is directed towards system admins who are at fault for the rampant hacks and privacy breaches; make no mistake, that's where the real blame lies.

You're alright in my book old lady :classic_tongue:


Sometimes tight security can have unintended negative side effects. Take this morning for instance: the auto-payment for the server was denied by BOA because it was an international transaction and needed confirmation by me, for my protection. Of course I was sleeping when this occurred, the best possible scenario :classic_sleep:, and the server was disconnected. I made the payment manually and set the data center as an exception in my account. Apologies for the downtime; I will just do manual payments from now on to be on the safe side.


An example of the logs from today, and in only a minute's time; note this is going on every second, 24 hours a day, with literally hundreds of spam and hacker attacks. Just a weather forum, eh?

Why the security? Trusted is the key word.

[image: trusted.PNG]

Why the security? Untrusted is the key word. A hacker looking for SSLv3 to exploit, which Optimum still supports and which was removed a couple of years ago, I think, for security concerns.

[image: untrusted.PNG]

This is 100% common on every server of every domain on the internet every minute of the day; it's how it's dealt with that separates those that care about their clients/members from those that don't. So @lynniethelurker, maybe my comments seemed harsh, but see it from my end: it is imperative to get rid of insecure browsers and devices, or your security and privacy, and mine, are at risk. And if I can change that with my experience and knowledge, then I will take the steps necessary.

And of course, if there is anyone here who needs advice or guidance on updating their systems, or wants to know if their devices/browsers are OK, then I am always available for support in that area. But the fact that you can connect to our site and mail server does mean it's all good, most likely.


Will need to shut down the server later tonight for a few minutes while I make changes to the BIOS to mitigate processor vulnerabilities.

https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html

Also need to disable a kernel option which is causing some negative issues, which means a recompile of the custom kernel.

Expect this to be done around midnight; it will last about 5-10 minutes.
