SECURITY ALERT: Apache Log4j “Log4Shell” Remote Code Execution 0-Day Vulnerability (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105)

SUMMARY

Updated on 12/29/2021 @ 2:00PM GMT with updated information about Trend Micro Log4Shell Vulnerability Assessment Tool and new CVE-2021-44832.

Jump directly to information on affected/not-affected Trend Micro Products

On December 9, 2021, a new critical 0-day vulnerability impacting multiple versions of the popular Apache Log4j 2 logging library was publicly disclosed that, if exploited, could result in Remote Code Execution (RCE) by logging a certain string on affected installations.

This specific vulnerability has been assigned CVE-2021-44228 and is also being commonly referred to as “Log4Shell” in various blogs and reports. Versions of the library said to be affected are versions 2.0-beta 9 to 2.14.1.https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/.

On December 14, 2021, information about a related vulnerability CVE-2021-45046 was released that recommended that users upgrade to at least version 2.16.0+ of Log4j 2.

Based on our analysis, the rules and protections listed below for CVE-2021-44228 are also effective against CVE-2021-45046.

On December 18, 2021, information about a potential “3rd wave” and version 2.17.0 has been released and assigned CVE-2021-45105. Information about protection is below and ZDI has a technical blog about it here: https://www.zerodayinitiative.com/blog/2021/12/17/cve-2021-45105-denial-of-service-via-uncontrolled-recursion-in-log4j-strsubstitutor .

On December 28th, yet another RCE (CVE-2021-44832) was discovered and disclosed. Although not as critical as the initial vulnerabilities (CVSS 6.6), it is still recommended that administrators do their due diligence to update to the latest version available (2.17.1).

Background

Log4j is an open-open source, Java-based logging utility that is widely deployed and used across a variety of enterprise applications, including many cloud services that utilize Apache web servers.

The vulnerability (assigned as CVE-2021-44228) is a Java Naming and Directory Interface^TM(JNDI) injection vulnerability in the affected versions of Log4j listed above. It can be triggered when a system using an affected version of Log4j 2 includes untrusted data in the logged message – which if this data includes a crafted malicious payload, a JNDI lookup is made to a malicious server. Depending on the information sent back (response) a malicious Java object may be loaded, which could eventually lead to RCE. In addition, attackers who can control log messages or their parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

The challenge with this vulnerability is widespread use of this particular logging utility in many enterprise and cloud applications. JDNI lookups support multiple protocols, but based on analysis so far, exploitability depends on the Java versions and configurations. From a practical standpoint, just because a server has implemented an affected version of Log4j 2, it does not automatically mean it is vulnerable depending on its configuration.

Trend Micro Research is continuing to analyze this vulnerability and its exploits and will update this article as more information becomes available. A comprehensive blog with more background information can be found here .DETAILS

Protection Against Exploitation

First and foremost, it is always highly recommended that users apply the vendor’s patches when they become available.

A new version of Log4j 2 has been released which reportedly resolves the issue: Version 2.17.1 is now availableand is the suggested update. Users with affected installations should consider updating this library at the earliest possible time.

Note: due to additional waves of new exploits, the previous manual mitigation steps published have proven not to be sufficient and have been removed.

Trend Micro Protection and Investigation

In addition to the vendor patch(s) that should be applied, Trend Micro has released some supplementary rules, filters and detection protection that may help provide additional protection and detection of malicious components associated with this attack servers that have not already been compromised or against further attempted attacks.

The following demo video highlights ways in which Trend Micro can help customers discover, detect and provide protection: https://www.youtube.com/watch?v=r_IggE3te6s.

Using Trend Micro Products for Investigation

Trend Micro Log4j Vulnerability ScannerTrend Micro Research has created a quick web-based scanning tool that can help users and administrators identify server applications that may be affected but the Log4Shell vulnerability.The tool can be found at: https://log4j-tester.trendmicro.com/ and a demo video can be found at: https://youtu.be/7uix6nDoLBs.

Trend Micro Log4Shell Vulnerability Assessment ToolTrend Micro also has created a free assessment tool that can quickly identify endpoints and server applications that may have Log4j using the power of Trend Micro Vision One.This quick and easy self-serve security assessment tool leverages complimentary access to the Trend Micro Vision One threat defense platform, so you can identify endpoints and server applications that may be affected by Log4Shell. The assessment instantly provides a detailed view of your attack surface and shares next steps to mitigate risks.

The free assessment tool can be found at: https://resources.trendmicro.com/Log4Shell-Vulnerability-Assessment.html .

Please note, if you are already a Trend Micro Vision One customer, you do not need to complete the form. Simply log into your console and you will be provided instructions to complete the assessment of your exposure.

Trend Micro Vision One™

Trend Micro Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One. In addition, depending on their data collection time range, Trend Micro Vision One customers may be able to sweep for IOCs retrospectively to identify if there was potential activity in this range to help in investigation.

Vision One Threat Intelligence Sweeping

Indicators for exploits associated with this vulnerability are now included in the Threat Intelligence Sweeping function of Trend Micro Vision One. Customers who have this enabled will now have the presence of the IOCs related to these threats added to their daily telemetry scans.

The first sweep, “Vulnerable version of log4j….” is slightly different than the others in that instead of specific IOCs, it is looking for specific instances of log4j libraries on systems which can help a customer narrow down or give additional insights on potentially vulnerable systems.

The results of the intelligence scans will populate in the WorkBench section of Vision One (as well as the sweep history of each unfolded threat intelligence report).

Please note that customers may also manually initiate a scan at any time by clicking the 3 dots at the right of a rule and selecting the “Start Sweeping” option.

Vision One Search Queries for Deep Security Deep Packet Inspection

Customers who have Trend Micro Cloud One – Workload Security or Deep Security may utilize the following search query to identify hosts and then additional queries can be made with a narrowed timeframe on those hosts as additional information is learned about exploits.

eventName:DEEP_PACKET_INSPECTION_EVENT AND (ruleId:1008610 OR ruleId:1011242 OR ruleId:1005177) AND ("${" AND ("lower:" OR "upper:" OR "sys:" OR "env:" OR "java:" OR "jndi:"))

Trend Micro Cloud One™ – Conformity

Trend Micro Cloud One – Conformity allows gives customers central visibility and real-time monitoring of their cloud infrastructure by enabling administrators to auto-check against nearly 1000 cloud service configuration best practices across 90+ services and avoid cloud service misconfigurations.

The following rules are available to all Trend Micro Cloud One – Conformity customers that may help provide more insight to customers looking to isolate affected machines (more information can be found here for rule configuration):

Lambda-001 : identifies all Lambdas that are running Java which may be vulnerable.

Approved/Golden AMIs (EC2-028) : can be used to look for vulnerable AMIs that are running Java.

Unrestricted Security Group Egress (EC2-033) : identifies security groups that may be associated with, for example, an EC2 that may be compromised and then has the ability to communicated externally.

Preventative Rules, Filters & Detection

A demo video of how Trend Micro Cloud One can help with this vulnerability can be found at: https://youtu.be/CorEsXv3Trc.

Trend Micro Cloud One – Workload Security and Deep Security IPS Rules

Rule 1011242 – Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

This rule is recommended by default, and please note that the port lists may need to be updated for applications running on non-default ports.

Rule 1005177 – Restrict Java Bytecode File (Jar/Class) Download
Rule 1008610 – Block Object-Graph Navigation Language (OGNL) Expressions Initiation In Apache Struts HTTP Request

Rule 1008610 is a SMART rule that can be manually assigned to assist in protection/detection against suspicious activity that may be associated with this threat. This is not a comprehensive replacement for the vendor’s patch.

Please also note that rule 1008610 is shipped in DETECT, and must be manually changed to PREVENT if the administrator wishes to apply this. Also, please be aware that due to the nature of this rule, there may be False Positives in certain environments, so environment-specific testing is recommended.

Rule 1011249 – Apache Log4j Denial of Service Vulnerability (protects against CVE-2021-45105)

Trend Micro Cloud One – Workload Security and Deep Security Log Inspection

LI Rule 1011241 – Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
A custom LI rule can also be created to detect patterns as discovered in the future. More information can be found here.

Trend Micro Apex One Integrated Vulnerability Protection (iVP) Rules

Rule 1011242 – Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
Rule 1011249 – Apache Log4j Denial of Service Vulnerability (protects against CVE-2021-45105)

Trend Micro Deep Discovery Inspector (DDI) Rules

Rule 4280: HTTP_POSSIBLE_USERAGENT_RCE_EXPLOIT_REQUEST
Rule 4641 : CVE-2021-44228 – OGNL EXPLOIT – HTTP(REQUEST)
Rule 4642 : POSSIBLE HTTP HEADER OGNL EXPRESSION EXPLOIT – HTTP(REQUEST)
Rule 4643: POSSIBLE HTTP BODY OGNL EXPRESSION EXPLOIT – HTTP (REQUEST) – Variant 2

Trend Micro Cloud One – Network Security and TippingPoint Recommended Actions

Filter 40627 : HTTP: JNDI Injection in HTTP Header or URI

This was released in Digital Vaccine #9621 and has replaced CSW C1000001 that was previously released.

Trend Micro recommends customers enable this filter in a block and notify posture for optimal coverage. Starting with Digital Vaccines released on 12/21/2021, it will be enabled by default. Since it may not be enabled in your environment, Trend Micro strongly recommends you confirm the filter is enabled in your policy.

Filter 40652: HTTP: Apache Log4j StrSubstitutor Denial-of-Service Vulnerability (ZDI-21-1541)
- Covers CVE-2021-45105

What other controls can be used to disrupt the attack?

This attack is successful when the exploit is used to initiate a transfer of a malicious attack payload. In addition to the filter above, these techniques can help disrupt that chain:

Geolocation filtering can be used to reduce possible attack vectors. Geolocation filtering can block inbound and outbound connections to any specified country, which may limit the ability for attackers to exploit the environment. In cases where a business only operates in certain regions of the globe, proactively blocking other countries may be advisable.
For TippingPoint IPS, TPS, and vTPS products
Trend Micro also recommends enabling DNS and URL reputation as a proactive means of securing an environment from this vulnerability. Leveraging Trend Micro’s rapidly evolving threat intelligence, TippingPoint appliances can help disrupt the chain of attack destined to known malicious hosts.

Additionally, Reputation filtering can be leveraged to block Anonymous proxies that are commonly used in exploit attempts. Any inbound or outbound connections to/from an anonymous proxy or anonymizer service can be blocked by configuring a reputation filter with “Reputation DV Exploit Type” set to “Tor Exit” to a Block action.
For Cloud One – Network Security
Anonymous proxies are also an independent, configurable “region” that can be selected as part of Geolocation filtering. This will block any inbound or outbound connection to/from an anonymous proxy or anonymizer service, which can be commonly used as part of exploit attempts.

Domain filtering can also be used to limit the attack vectors and disrupt the attack chain used to exploit this vulnerability. In this case, any outbound connection over TCP is dropped unless the domain being accessed is on a permit list. If the attacker’s domain, e.g. http://attacker.com, is not on the permit list, then it would be blocked by default, regardless of IPS filter policy.

Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.)

Web Reputation (WRS): Trend Micro has added over 1700 URLs (and growing) to its WRS database to block that are linked to malicious reporting and communication vectors associated with observed exploits against this vulnerability.
Ransomware Detection – there have been observations about a major ransomware campaign (Khonsari) being utilized in attacks and Trend Micro detects components related to this as Ransom.MSIL.KHONSARI.YXBLN.
VSAPI (Pattern) Detections: the following detections have been released in the latest OPR for malicious code associated with exploits –
- Trojan.Linux.MIRAI.SEMR
- HS_MIRAI.SMF
- HS_MIRAI.SME
- Trojan.SH.CVE20207961.SM
- Backdoor.Linux.MIRAI.SEMR
- Trojan.SH.MIRAI.MKF
- Coinminer.Linux.KINSING.D
- Trojan.FRS.VSNTLB21
- Trojan.SH.MALXMR.UWELI
- Backdoor.SH.KIRABASH.YXBLL
- Backdoor.Linux.MIRAI.SMMR1
- Coinminer.SH.MALXMR.UWEKG
- Coinminer.Linux.MALXMR.SMDSL64
- Backdoor.Linux.GAFGYT.SMMR3
- Coinminer.Win64.MALXMR.TIAOODGY
- Rootkit.Linux.PROCHID.B
- ELF_SETAG.SM
- Backdoor.Linux.TSUNAMI.AMZ
- Coinminer.PS1.MALXMR.PFAIQ
- Trojan.SH.TSUNAMI.A
- Trojan.PS1.METERPRETER.E
- Coinminer.Linux.MALXRMR.PUWENN

Trend Micro Cloud One – Application Security

Trend Micro Cloud One – Application Security can monitor a running application and stop unexpected shell commands from executing. The product’s RCE configuration can be adjusted to help protect against certain exploits associated with this vulnerability using the following steps:

Log into Trend Micro Cloud One and navigate to Application Security.
Select “Group;s Policy” in the left-hand menu and find your application’s Group.
Enable “Remote Command Execution” if not already enabled.
Click the hamburger icon for “Configure Policy” and then click the ” < INSERT RULE > ” icon.
Input (?s).* in the “Enter a pattern to match” field and hit “Submit” and “Save Changes.”
Double-check that “Mitigate” is selected in your “Remote Command Execution” line item.

Trend Micro Cloud One – Open Source Security by Snyk

Trend Micro Cloud One – Open Source Security by Snyk can identify vulnerable versions of the log4j library across all organization source code repositories with very little integration effort. Once installed, it can also monitor progress on updating to non-vulnerable versions.

TXOne Preventative Rules for Edge Series Products

Several rules for the TXOne Edge Series of products can be found here: https://www.txone-networks.com/blog/content/critical-log4shell-vulnerability .

Trend Micro is continuing to actively research the potential exploits and behavior around this vulnerability and is actively looking for malicious code that may be associated with any exploit attempts against the vulnerability and will be adding additional detection and/or protection as they become available.

–

Impact on Trend Micro Products

Trend Micro is currently doing a product/service-wide assessment to see if any products or services may be affected by this vulnerability. Products will be added to the lists below as they are validated.

Products Confirmed Not Affected (Including SaaS Solutions that have been patched):

5G Mobile Network Security	Not Affected
ActiveUpdate	Not Affected
Apex Central (including as a Service)	Not Affected
Apex One (all versions including SaaS, Mac, and Edge Relay))	Not Affected
Cloud App Security	Resolved / Not Affected
Cloud Edge	Not Affected
Cloud One – Application Security	Not Affected
Cloud One – Common Services	Not Affected
Cloud One – Conformity	Not Affected
Cloud One – Container Security	Not Affected
Cloud One – File Storage Security	Not Affected
Cloud One – Network Security	Not Affected
Cloud One – Workload Security	Not Affected
Cloud Sandbox	Not Affected
Deep Discovery Analyzer	Not Affected
Deep Discovery Email Inspector	Not Affected
Deep Discovery Inspector	Not Affected
Deep Discovery Web Inspector	Not Affected
Deep Security	Not Affected
Endpoint Encryption	Not Affected
Fraudbuster	Not Affected
Home Network Security	Not Affected
Housecall	Not Affected
Instant Messaging Security	Not Affected
Internet Security for Mac (Consumer)	Not Affected
Interscan Messaging Security	Not Affected
Interscan Messaging Security Virtual Appliance (IMSVA)	Not Affected
Interscan Web Security Suite	Not Affected
Interscan Web Security Virtual Appliance (IWSVA)	Not Affected
Mobile Secuirty for Enterprise	Not Affected
Mobile Security for Android	Not Affected
Mobile Security for iOS	Not Affected
MyAccount (Consumer Sign-on)	Not Affected
Network Viruswall	Not Affected
OfficeScan	Not Affected
Password Manager	Not Affected
Phish Insight	Not Affected
Policy Manager	Not Affected
Portable Security	Not Affected
PortalProtect	Not Affected
Public Wifi Protection / VPN Proxy One Pro	Not Affected
Rescue Disk	Not Affected
Rootkit Buster	Not Affected
Safe Lock (TXOne Edition)	Not Affected
Safe Lock 2.0	Not Affected
Sandbox as a Service	Resolved / Not Affected
ScanMail for Exchange	Not Affected
ScanMail for IBM Domino	Not Affected
Security for NAS	Not Affected
ServerProtect (all versions)	Not Affected
Smart Home Network	Not Affected
Smart Protection Complete	Not Affected
Smart Protection for Endpoints	Not Affected
Smart Protection Server (SPS)	Not Affected
TippingPoint Accessories	Not Affected
TippingPoint IPS (N-, NX- and S-series)	Not Affected
TippingPoint Network Protection (AWS & Azure)	Not Affected
TippingPoint SMS	Not Affected
TippingPoint Threat Management Center (TMC)	Resolved / Not Affected
TippingPoint ThreatDV	Not Affected
TippingPoint TPS	Not Affected
TippingPoint TX-Series	Not Affected
TippingPoint Virtual SMS	Not Affected
TippingPoint Virtual TPS	Not Affected
TMUSB	Not Affected
Trend Micro Email Security & HES	Resolved / Not Affected
Trend Micro Endpoint Sensor	Not Affected
Trend Micro ID Security	Not Affected
Trend Micro Remote Manager	Not Affected
Trend Micro Security (Consumer)	Not Affected
Trend Micro Virtual Patch for Endpoint	Not Affected
Trend Micro Web Security	Resolved / Not Affected
TXOne (Edge Series)	Not Affected
TXOne (Stellar Series)	Not Affected
Vision One	Resolved / Not Affected
Worry-Free Business Security (on-prem)	Not Affected
Worry-Free Business Security Services	Not Affected

Affected Products:

Deep Discovery Director

Affected

Please click here for more info

References

Trend Micro Blog – Patch Now: Apache Log4j Vulnerability Called Lof4Shell Actively Exploited
Demo Video on Trend Micro Protection Against Log4Shell
Demo Video on Trend Micro Cloud One Protection
Demo Video on Using Trend Micro’s Log4j Vulnerability Scanning Tool
ZDI Blog on CVE-2021-45105

Source :
https://success.trendmicro.com/solution/000289940?mkt_tok=OTQ1LUNYRC0wNjIAAAGBUlOzNGxvi_7Cbd5hCo7M1KS9OoANyeARcT0Crf9e3bFO1dVGLCxVdccyh8RMRHxGqwXi0k9r967Rv5_FYxQM5l0UeQJXzwl8xR3_Jfab4XyH87irwjo

What is a Keylogger and How to Detect One

What is a keylogger?

A keylogger, which is also known as a keystroke logger or a keyboard capturer, is a piece of software or hardware developed to monitor and record everything you type on a keyboard. In this article, we dive into everything you need to know about them and teach you how to protect yourself from them!

Is a keystroke logger a virus?

It depends. Keyloggers were designed for legitimate purposes. They were originally used for computer troubleshooting, employee activity monitoring, and as a way to discover how users interact with programs so their user experience could be enhanced. However, they’ve since been used by hackers and criminals as a tool for stealing sensitive data such as usernames, passwords, bank account information, and other confidential information.

Generally, a keylogger is insidiously installed alongside an otherwise legitimate program. As a result, users are almost always unaware that their keystrokes a being monitored. Oftentimes, when a user’s computer is infected with a keylogger trojan, the malicious software will keep track of their keystrokes and save the information to their computer’s local drive. Later the hacker will retrieve the stored data. For this reason, keyloggers pose a serious threat to computer security and data privacy.

Keyloggers are separated into the following categories, based on how they work:

API-based

These keyloggers Application programming interfaces (APIs) allow software to communicate with hardware. API-based keyloggers intercept every keyboard input sent to the program you’re typing into.. This type of keylogger registers keystroke events as if it was a normal aspect of the application instead of malware. Each time a user presses or releases a key it is recorded.

Form grabbing-based

Form grabbing-based keyloggers log web form submissions by recording the inputted data when they are submitted. When a user submits a completed form, usually by clicking a button or pressing enter, their data is recorded even before it is passed over the Internet.

Kernel-based

These keyloggers work their way into a system’s core, allowing them access to admin-level permissions. These loggers have unrestricted access to everything entered into a computer system.

Javascript-based

A malicious script tag is injected into a targeted web page and it listens for keyboard events. Scripts can be injected using a variety of methods, including cross-site scripting, man-in-the-browser, and man-in-the-middle attacks, or when a website’s security is compromised.

How do keyloggers get on computers?

Most of the time, they infect computers with outdated antivirus software and ones without any antivirus software at all.

There are several scenarios that you need to be aware of:

Keyloggers can be installed through web page scripts. Hackers utilize web browser vulnerabilities and embed malicious code on a webpage that silently executes the installation or data hijacking.
Phishing. Keyloggers can be installed after users click on a nefarious link or open a malicious attachment in a phishing email.
Social engineering. Some criminals use psychological manipulation to fool unsuspecting people into installing a keylogger by invoking urgency, fear, or anxiety in them.
Unidentified software downloaded from the internet. Sometimes cracked software or applications from unidentified developers will secretly install a keylogger on a computer system.

How to detect a keylogger on my computer?

At this point, you might be interested in learning how you can detect a keylogger on your computer. The truth is, keyloggers are not easy to detect without the help of security software. Running a virus scan is necessary to detect them.

Trend Micro Housecall is an online security scanner that detects and removes viruses, worms, spyware, and other malicious threats such as keyloggers for free.

How to prevent keystroke logging malware?

Keyloggers are dangerous. Preventing them from ever being installed on your computer is a top priority. It is necessary to be proactive in protecting your computer to ensure that your data doesn’t get stolen.

Here are several tips to follow:

Carefully inspect user agreements for software before agreeing to them. There should always be a section covering how your data is used.
Install a trusted antivirus app such as TrendMicro Maximum Security. Always keep your antivirus on and regularly run scheduled scans of your device.
Make sure your security software is up to date.
Make sure your operating system is up to date and all the security patches are installed.
Avoid visiting suspicious websites and don’t click on any unusual links or e-mail attachments from unknown senders.
Only download and install software from trusted developers and sources.

Source :
https://news.trendmicro.com/2021/12/28/what-is-a-keylogger-and-how-to-detect-one/

10 Tips for a Safe and Happy Holiday

They’re not interested in peace on earth, a hippopotamus or their two front teeth. You won’t find them decking the halls, dashing through the snow or even up on the housetop. But that doesn’t mean cybercriminals aren’t out in force this time of year — and they’re relying on you being too wrapped up in your holiday preparations to see them coming.

They’re successful far too often: The last quarter of 2020 saw by far the most ransomware, with attacks in November reaching an all-time high in an already record-breaking year. If 2021 follows suit, this could be the worst holiday season for ransomware SonicWall has ever recorded — but fortunately, there are many things you can do to minimize your risk:

It’s the Most Wander-ful Time of the Year: Travel Tips

Roughly 63% of American adults plan to travel for the holidays this year — a nearly 40% jump over last year, and within 5% of 2019 levels. While it’s easy to become preoccupied by traffic jams, flight delays and severe weather, don’t forget that attackers love to leverage this sort of chaos. Follow these five travel best practices to keep cybercriminals grounded this holiday season.

1. Free Wi-Fi =/= Risk-Free Wi-Fi

When you stop for a coffee during your layover, or stumble into a greasy spoon on hour nine of your road trip back home, you might be tempted to log on to the free Wi-Fi. But unless your organization has implemented zero-trust security, beware. Try bringing a novel and coloring books to keep everyone occupied on the road, and if you must connect, use a VPN to access employer networks and avoid logging in to your bank, email or other sensitive accounts. Because some devices may try to connect to these networks automatically, you may need to disable auto-connect to fully protect against man-in-the-middle and other attacks.

2. Put Your Devices on Lockdown

Due to border restrictions finally beginning to ease in countries such as Canada, Australia, India and South Korea, and the United States, international travel is expected to be robust. In the U.S., roughly 2 million travelers are expected to pass through airports each day over the Christmas holiday. In crowds like this, it’s easy for a device to be misplaced, left behind or stolen. To limit potential damage from smartphones, laptops, tablets, etc. falling into the wrong hands, ensure they’re protected with facial recognition, fingerprint ID or a PIN. (This doesn’t just protect against data theft, it can also help combat regular theft: One study found that locked devices were three times more likely to be returned to their owners.)

3. Don’t Let Criminals Track You

Nearly 43% of Americans and 42% of Brits feel more comfortable traveling this year — but this doesn’t mean they should be comfortable with everyone knowing they’re traveling. Any location data you share on social media can be tempting to those wanting to break into homes or hotel rooms — whether to steal and exfiltrate data, or steal gaming consoles, jewelry, medications or even gifts under the tree.

4. Use Only Your Own Cords/Power Adapters

In our mobile-dependent society, it’s no surprise that cybercriminals have learned how to install malware in airport kiosks, USB charging stations and more. And while that “forgotten” iPhone charge cable might look tempting when your device is running on empty, even those can harbor malware. If you can’t find a secure charging area, ensure your device is powered off before plugging it in.

‘Tis the Season for Giving: Online Safety Tips

Even if you’re not traveling this year, chances are you’re buying gifts. While supply-chain challenges, pandemic considerations and more have made for a unique holiday shopping season, it’s important to put safety first when shopping online. Here are six things to look out for:

1. Holiday Phishing Emails

Perhaps you’ve received an invite to the Jones’ holiday party, a gift card or coupon, or an email from HR with details of an unexpected holiday bonus. If there’s an attachment, exercise extreme caution: It may harbor malware.

2. Spoofed Websites

Unfortunately for your wallet, emails boasting huge discounts at popular retailers are likely bogus. Walmart isn’t offering 70% off, and nobody is selling PlayStations for $100, not even during the holidays. If you enter your info into one of these lookalike retail (or charity) sites, the only thing you’re likely to get is your credentials stolen.

3. Fake Shipping Invoices

You’ve finished your shopping, and your gifts are on their way! But now FedEx is emailing to say your packages may not arrive in time and referring you to updated tracking information. Or your retailer is sending you a shipping label for returns, or verifying your gifts are being sent … to a completely different address. Look closely before you click: These emails usually aren’t from who they say they are.

4. Counterfeit Apps

Is that really the Target app or just a lookalike? Better double-check before you download and enter your payment information. Apple’s App Store and Google Play have safeguards in place to stop counterfeit apps, but some still occasionally get through.

5. Gift Card Scams

These originally took the form of “You’ve won a free gift card! Click here to claim!” In recent years, however, they’ve become more targeted, and may appear to offer gift cards as a bonus from your employer or a holiday gift from a friend. The easiest way to avoid being scammed? If you weren’t expecting a gift card from someone, ask them about it.

6. Santa’s Little Helpers

There are many services designed to send your child a letter from Santa for a small fee. But many times, these so-called “Santas” are really cybercriminals attempting to get you to click on a link and enter your payment information. A recent variation has scammers offering kits designed to take the stress and mess out of your elf’s holiday shenanigans (just move your elf and call it good!)

While the holiday season offers more than its share of scams, many can be put on ice with a little extra due diligence. Keep these holiday best practices in mind, and have a safe and happy holiday!

Source :
https://blog.sonicwall.com/en-us/2021/12/10-tips-for-a-safe-and-happy-holiday/

Ubiquiti UniFi – USG/UDM: Configuring Internet Security Settings

Overview

After reading this article users should gain the knowledge to be able to configure and maintain the IPS/IDS functionality on their UniFi networks. NOTES & REQUIREMENTS:Applicable to the following:

UniFi Network version 5.9+
UniFi Security Gateway platform firmware 4.4.18+
UniFi Dream Machine platform

Introduction

An intrusion prevention system (IPS) is an engine that identifies potentially malicious traffic based on signatures. The signatures contain known traffic patterns or instruction sequences used by malware. This type of signature-based engine can only detect anomalies based on known malicious traffic patterns.

Network Diagram

Intrusion Detection and Prevention

To enable intrusion detection or intrusion prevention, navigate to the Settings > Security section of the UniFi Network application. ATTENTION:

Enabling IDS or IPS will affect the maximum throughput on inter-VLAN and egress traffic.
- USG: 85 Mbps*
- USG-Pro: 250 Mbps*
- USG-XG: 1 Gbps*
Enabling Smart Queues or DPI on top of IPS/IDS will also incur a further throughput penalty to maximum throughput.
UniFi Dream Machine throughput: 850 Mbps*
UniFi Dream Machine Pro: 3.5Gbps*

*Values are rough estimates and can vary depending on configuration.

Threat Management Modes

Intrusion Detection System: When set will automatically detect, and alert, but will not block potentially malicious traffic.
Intrusion Prevention System: When set will automatically detect, alert, and block potentially malicious traffic.

Firewall Restrictions

These restrictions can be found under New Settings > Internet Security > Advanced.

Restrict Access to ToR: When enabled will block access to The Onion Router.
Restrict Access to Malicious IP Addresses: When enabled will block access to IP addresses or blocks of addresses that have been recognized as passing malicious traffic.

System Sensitivity Levels

The “system sensitivity levels” are pre-defined levels of security categories that will be loaded into the threat management daemon. Each level increase requires more memory and CPU usage. Additionally the “custom” level is utilized when manually selection categories.

Whitelisting

The Threat Management Allow List function of the IPS engine allows a UniFi Administrator to create a list of trusted IP’s. The traffic, depending on the direction selected, will not get blocked to or from the identified IPs.

Create a new allow list within Settings > Security > Internet Threat Management > Advanced.

Signature Suppression

The signature suppression function of the IPS engine allows a UniFi Administrator to mute the alerting on certain signatures. This will also disable blocking on traffic matching the designated suppression rule.

Adding a signature suppression rule for all traffic will suppress the signature regardless of host IP.
Adding a signature suppression rule with packet tracking based on traffic direction and by single IP, defined UniFi Network, or subnet of choice.

GeoIP Filtering

NOTE:For GeoIP Filtering to work on the USG, hardware offloading must be enabled. When Threat Management is enabled (under Settings > Internet Security > Threat Management), hardware offloading is disabled. Only one of these two features can be enabled at a time on the USG.

Blocking

Blocking individual countries can be configured on the Threat Management Dashboard section. Blocking is as easy as navigating to the map, clicking on a country, and confirming by clicking “Block”.

Unblocking

Unblocking a country can be by performed on the Threat Management Dashboard by navigating to the left side of the map on the Overview tab. A list of blocked countries will be populated. Simply hover over the county that is to be unblocked and an “unblock” option will appear. Select “unblock” and the country will be taken off of the list.

Traffic Direction

UniFi Network allows configuring the GeoIP filtering traffic direction. Follow the steps below:

1. Navigate to the top of the Threat Management Dashboard and select the direction. Screen_Shot_2019-11-21_at_3.58.16_PM.png

2. Select the traffic direction.

Screen_Shot_2019-11-21_at_4.00.26_PM.png

3. Click Done.

DNS Filters

ATTENTION:

DNS Filtering is only available on the UniFi Dream Machine.
Clients that use VPN, DNS-over-HTTPS, or DNS-over-TLS will have non-standard DNS requests that will not be seen by the UniFi Dream Machine.

The DNS Filter feature allows administrators to select levels of filtering per-network. This ensures that any DNS requests that go out from clients on configured LANs adhere to the filtering levels.

1. To configure DNS Filters, navigate to New Settings > Internet Security > DNS Filters.

2. Enable DNS Filtering by clicking the slider button.

3. Select Add Filter.

4. Choose the desired level of filtering for the LAN.

5. Select which network this filter should apply to and confirm the selection.

6. DNS filtering will be enabled at this point.

Filter Levels

Security

Blocks access to phishing, spam, malware, and malicious domains. The database of malicious domains is updated hourly. Note that it does not block adult content.

Adult

Blocks access to all adult, pornographic and explicit sites. It does not block proxy or VPNs, nor mixed-content sites. Sites like Reddit are allowed. Google and Bing are set to the “Safe Mode”. Malicious and Phishing domains are blocked.

Family

Blocks access to all adult, pornographic and explicit sites. It also blocks proxy and VPN domains that are used to bypass the filters. Mixed content sites (like Reddit) are also blocked. Google, Bing, and Youtube are set to the Safe Mode. Malicious and Phishing domains are blocked.

Deep Packet Inspection

To configure Deep Packet Inspection (DPI) navigate to New Settings > Internet Security > Deep Packet Inspection.

NOTE: Device fingerprinting is not available on the UniFi Security Gateway.

DPI Restrictions

ATTENTION:DPI restrictions are limited to whole-category selections on the UniFi Security Gateway. This restriction is not applicable to the UniFi Dream Machine platform.

1. Click Add Restriction under “Restriction definitions”.

2. In the configuration side-panel select a restriction group to add the rules to.

3. Select a category to block.

4. Select an application from the category or select “All applications” to block the entire category.

5. Ensure that “Enable This Restriction” is selected.

6. Add the restriction group to a network in the “Restriction assignments” section. NOTE:A restriction definition can be applied to many networks. A restriction definition for each network is not required.

To manage the restriction definition, hover over the definition and selection either edit or remove.

Configuring Network Scanners

ATTENTION:Network Scanners are only available on the UniFi Dream Machine.

Internal Honeypot

The “internal honeypot” feature is a passive detection system that listens for LAN clients attempting to gain access to unauthorized services or hosts. Clients that are potentially infected with worm or exfiltration type vulnerabilities are known to scan networks, infect other hosts, and potentially snoop for information on easy-to-access servers. The honeypot will report when hosts attempt to access the honeypot. Reports can be found on the Threat Management Dashboard.

To configure the internal honeypot follow the steps below:

1. Navigate to Settings > Security > Internet Threat Management > Network Scanners.

settings.security.internet_threat_management.network_scanners.png

2. Enable the honeypot service by clicking the slider button.

3. Select “Create Honeypot”.

4. In the popup modal select the network and Honeypot IP.

5. Select “Create”.

Honeypot Services

The honeypot service listens on the following ports:

FTP – TCP Port 21
SSH – TCP Port 22
Telnet – TCP Port 23
SMTP – TCP Port 25
DNS – UDP Port 53
HTTP – TCP Port 80
POP3 – TCP Port 110
SMB – TCP Port 445
MSSQL – TCP Port 1433

Testing & Verification

Intrusion Detection/Prevention

Linux or macOS

Input:

curl -A "BlackSun" www.example.com

Expected alert result:

Threat Management Alert 1: A Network Trojan was Detected. Signature ET USER_AGENTS Suspicious User Agent (BlackSun). From: 192.168.1.172:55693, to:172.217.4.196:80, protocol: TCP

Windows

The DNS category must be enabled

Input:

nslookup blacklistthisdomain.com 8.8.8.8

Expected alert result:

Threat Management Alert 1: A Network Trojan was Detected. Signature ET DNS Reply Sinkhole - 106.187.96.49 blacklistthisdomain.com. From: 192.168.1.1:53, to: 192.168.1.182:61440, protocol: UDP

Internal Honeypot

A few examples of manually testing the internal honeypot service are below. The following commands may or may not prompt for login credentials. The alerts will appear in the Honeypot section of the Threat Management Dashboard a few minutes after attempting the testing.

Telnet:

telnet <honeypot_ip>

SSH:

ssh <honeypot_ip>

NOTE:Replace <honeypot_ip> with the honeypot IP configured in the UniFi Network application.

Privacy Statement

What information does the IPS/IDS engine send to the cloud?

1. When a UniFi Administrator enables IPS or IDS on the UniFi Network application a token is generated for the gateway. The information listed below is sent over a TLS 1.2 encrypted connection whenever there is an IPS/IDS signature match.

timestamp
interface
source IP
source port
destination IP
destination port
protocol
signature id

2. Every 120-seconds there is a keep-alive to the ips1.unifi-ai.com hostname. This connection is to ensure reliable delivery of the violation message. The keep-alive is a connection to our cloud using port 443 so it is not just an ICMP ping or DNS resolution but a complete 3-way handshake and SSL Key exchange.

What information is kept on our servers regarding IPS/IDS?

The data listed above is only temporarily stored in the IPS Cloud until the UniFi Network application downloads the information. After the information is downloaded by the application, the data is deleted from our cloud except for the attacker IP. The attacker IP information helps Ubiquiti maintain an up-to-date and effective attacker list which will improve Ubiquiti’s services to Ubiquiti customers around the world.

How is the information from alerts used by Ubiquiti?

Ubiquiti will use the alert information to improve its products and services, including generating lists of IP Reputation, Malicious IP addresses, Threat Intelligence and creating blacklists and new signatures for Ubiquiti devices. A sanitized version of IP addresses (Ex: 200.200.x.x) can also be displayed on Ubiquiti Public Threat Map to help the public community to see malicious traffic around the world.

Source :
https://help.ui.com/hc/en-us/articles/360006893234-UniFi-USG-UDM-Configuring-Internet-Security-Settings

Ubiquiti UniFi – Troubleshooting Slow Wi-Fi Speeds

This article will provide suggestions for troubleshooting and resolving issues with slow Wi-Fi speeds on your UniFi network, as well as better understand what Wi-Fi speeds to expect and how to optimize your Wi-Fi configuration.

Introduction

One of the most common Wi-Fi performance concerns reported is slower than expected Wi-Fi speed. This is due to a number of factors:

Speed issues can result from a wide range of network limitations and problems, many of which have nothing to do with wireless.
Declined speed is easy to notice in typical network usage.
Internet speed tests are the most widely—and sometimes the only tool used to evaluate/benchmark network performance: and can be inconsistent and inaccurate.
ISPs and hardware vendors market products with peak theoretical performance that differ from real-life usage.

Measuring Wi-Fi Performance

When looking at Wi-Fi performance it is important to take a step back and consider how Wi-Fi is supposed to work. Wi-Fi offers the benefit of mobility, scalability, and convenience over wired networks at the expense of maximum throughput and stability. With respect to client performance, modern Wi-Fi is designed to allow clients to enjoy the benefits of not being tethered to a wired network while preventing any visible reduction in performance across its area of coverage.

Much of the concern about wireless throughput comes from a lack of understanding about how much bandwidth clients actually use. The difference between 300 Mbps and 500 Mbps may seem significant but the difference in performance would likely never be noticed through client use.

Here are estimated requirements of what throughput client devices need to use without declined performance (for more info see here):

Client Application-specific Bandwidth Requirements

Application	Potential Peak Throughput	Avg. Throughput Used
Web Browsing/Email (Light)	1 Mbps	.25 Mbps
Web Browsing/Email (Moderate)	2 Mbps	.5 Mbps
Web Browsing/Email (Heavy)	4 Mbps	1 Mbps
Apple Facetime Video Call (HD quality)	.7 Mbps	.7 Mbps
Skype Group Video Call (7+ people)	8.5 Mbps	8.5 Mbps
Netflix Video Streaming (HD Quality)	5 Mbps	5 Mbps
Netflix Video Streaming (Ultra HD Quality)	25 Mbps	25 Mbps

UniFi’s products are designed and tested to ensure they can provide for this typical use for many clients simultaneously. Any Access Point (AP) currently being offered in the UniFi product line offers far greater potential throughput than any client application could realistically require.

If a UniFi Access Point fails to provide the speed that it is capable of, this is most often a result of environmental limitations or other bottlenecks in the deployment. UniFi provides many tools that can help users identify these factors and mitigate them with proper configuration.

Prerequisites

The rest of this article assumes that the following prerequisites have been met:

1. Eliminate any bottlenecks

Before working to improve your Wireless performance, it’s important to identify any bottlenecks outside of your Wireless network. A bottleneck is a point in a network infrastructure that limits performance everywhere else. Often poor Wi-Fi speed is incorrectly assumed to be a result of Wi-Fi hardware/config but actually is the result of a bottleneck upstream from the device. Here are some common examples of bottlenecks:

ISP Plan limits performance/speeds far beneath what Wi-Fi is capable of providing. For example, a plan might have a 100Mb/25Mb down/up bandwidth limit on service. Every UniFi device, including legacy devices, is capable of far exceeding this limit. See the image below.
Far too few APs for the number of clients/coverage requirements.
Old/faulty ethernet cables.
Outdated LAN hardware.
Outdated Wireless hardware.
Legacy client devices that don’t support 5GHz.
Too much noise on a single channel.

The following is an example of a common network bottleneck:

Diagram illustrating how Wi-Fi speed test results can be limited by ISP

An easy way to at least rule out any bottleneck is to plug a wired device into the secondary port on an AP and perform the same speed test you are using to test Wi-Fi performance and compare the results to each other. It is normal to see some diminished performance on wireless compared to wired speed tests, but make sure you at least know what your wired network is capable of providing to the AP.

2. Update your UniFi OS Console and UniFi Access Point (AP) Firmware to Current Version

Ubiquiti’s Firmware updates often include performance improvements: make sure that before testing the performance, you update your UniFi OS Console and your UniFi devices to the most current firmware available.

Common Issues/Steps to Fix

This section examines some of the most common issues that cause diminished speeds on UniFi Networks, as well as the steps that will solve them.

Channel Width

Channel width is the most common cause for poor speed test results after setting up UniFi, especially when being compared to a single wireless router the UniFi devices are replacing. Default UniFi config on 5GHz radio is optimized for large environments (40MHz channel width), while most standalone routers are optimized for use as the only AP in a home/office (80MHz).

To properly test the maximum speed of a UniFi AP, switch to 80 MHz. 80 MHz channels are capable of more than double the peak speed of 40 MHz channels.NOTE: These settings only apply to 5GHz. We do not recommend that channel width be increased from 20 MHz on 2.4GHz as this will often cause worse performance.

To change AP to use 80MHz channel width, go to Devices > Click on AP to open Properties Panel > Radios > RADIO 5G (11N/A/AC), Change Channel Width from VHT40 to VHT80, click Queue Changes, then Apply Changes.

Summary: If using a small number of APs, switch 5GHz channel width on APs to 80 MHz for greater peak throughput. In larger environments, note that 40 or 20 MHz channel width is recommended for performance but can limit peak throughput.

Interference/Channel Overlap

The single most potentially negative environmental factor for Wi-Fi performance and stability is wireless interference. Interference can come from external sources like other wireless networks, weather radar, etc. while internal interference can come from devices overlapping with each other on the same channel.

By default, UniFi Devices are set up with auto channel assignments, but this is something you will want to adjust for your deployment if there are concerns about speed/performance.

It is recommended that a full site survey be performed for high-density/high-priority Wi-Fi deployments. If that has not been done or the site doesn’t warrant it, the Network application can help you find a better channel assignment for your APs by performing an RF scan.

To do this, go to Devices > Click on AP to open Properties Panel > Tools > RF Environment and click Scan. User Tips:Running an RF Scan will disconnect any wireless clients currently connected to the AP. Do not run during peak hours if this is a concern. Suggested Channel Settings: 2.4GHz:
Channel width: HT20
Chanel: 1/6/11 Choose one of these channels, an RF scan will help you choose the cleanest one.Transmit Power: Medium5GHz:
Channel width: VHT40
Optional VHT80/VHT160 (It will increase speeds but might cause more interference.)
Chanel: 36/44 | Optional (149/157)
Choose one of these channels, an RF scan will help you choose the cleanest one.
Avoid using DFS Channels unless you understand DFS logic. (DFS Alerts will cause interruptions)
Transmit Power: Medium (High)You could also modify your DTIM Periods if you have more modern devices on the network.
Settings > Wireless Network > SSID > 802.11 Rate And Beacon Controls
DITM 2G Period: 3
DITM 5G Period: 3

This scan will take 5-10 minutes and will populate the 2.4GHz channels first and then 5 GHz channels will subsequently be updated.

Once your RF scan is finished, select 5G and you’ll see a list of channels arranged by channel width and how much each channel is being utilized. Select a channel that appears to have the least noise on it and assign your AP to this channel.

To do this go to Devices > Click AP to select it and open Properties Panel > Properties > Radios > RADIO 5G (11N/A/AC), and choose the desired channel.

If using multiple APs, make sure that each AP does not share the same channel as a nearby AP, and avoid having channels that are adjacent to each other as this can also cause interference.

Summary: Interference/channel overlap can cause performance to decline. To make sure speed test results are not being impacted by interference, make sure APs are assigned to the optimal channel and not sharing or adjacent to the channel of any nearby APs.

Signal Quality

Another factor that can strongly influence Wi-Fi speed is the signal quality between AP and client device. As clients get further away from an access point and the signal gets weaker, to ensure stability/offer the best possible performance, the AP will lower the rate of the data transfer to compensate.

When testing peak throughput, be sure to be standing close enough to the AP without obstructions and make sure the client signal strength is close to the maximum of 99%. If your client devices consistently have poor signal strength on 5GHz try increasing Transmit Power on 5GHz.

To increase TX power on 5GHz, go to device configuration > Radios > Radio 5G (11N/A/AC), and only select “High” from the dropbox under Transmit Power. NOTE: Increasing transmit power on devices can have undesired effects, especially in a very high density environment. Consider starting on High or Auto and only reducing to Medium as needed on a per-AP basis.

Summary: When testing throughput make sure to consider the signal strength between the device and AP, you can find this under the Clients tab in the Network application. If the range on 5GHz is very low, consider increasing Transmit Power on the AP’s 5GHz radio.

Inconsistent/Inaccurate Speedtest Methods

Another cause for poor speed test performance is inconsistent or inaccurate data. When comparing across devices, make sure to use the same speed test method as different speed test apps can vary wildly.

While UniFi does include a speed test, the results are often far lower than reality, especially since UniFi’s available speed test servers are limited and results are very sensitive to the proximity of the speed test server. Try using a popular speed test app or website to test to check your UniFi results. Be sure to test multiple times and do not rely on assumptions or past data to inform your comparison.

If you wish to most accurately assess Wi-Fi speed alone and rule out other factors, try performing an iPerf test between a wired and wireless client/between two wireless clients. iPerf only measures bandwidth between two devices on your network. Note that iPerf can still be limited by the syntax you can use, the number of streams, packet size, etc. so make sure you understand what you’re doing before using iPerf.

Summary: Speedtest results are often inaccurate. Make sure to use consistent speed test methods when comparing between devices, wired vs. wireless, etc. Confirm/test using multiple platforms. UniFi speed tests are often less accurate than other more popular speed test apps.

Client-specific Issues & Limitations

When benchmarking Wi-Fi, it’s important to also compare across devices to ensure that the client itself isn’t limiting performance. Factors like client CPU utilization, network card driver, Wi-Fi specs, software, all can influence speed test results.

Make sure to test with multiple devices. To truly measure peak throughput you must test a device that matches the capabilities of the UniFi AP. For instance, if you are testing with a device check the manufacturer specifications to see how many streams the 5GHz antenna supports i.e. Apple iPhone 7 is 2×2, UAP-AC-PRO has 3×3 5GHz radio, thus this iPhone will limit peak throughput.

If a performance issue with Wi-Fi is isolated to one device, or multiple devices running the same software version, this will almost always point to a problem with the device/software. UniFi doesn’t change how it functions for each variety of client device. Try performing a web search to find other users experiencing similar issues with the same device on other vendor products.

Keep in mind that declined performance on a single device isn’t a sign of a malfunctioning AP. UniFi APs are backwards compatible with older client devices and the fact that devices are able to connect with their older hardware is a sign the AP is working as designed.

Summary: Test multiple client devices when benchmarking Wi-Fi performance. Client-specific issues are common but are largely unrelated to AP configuration/hardware.

Additional Steps

After reviewing each of the previous steps, if the issue does not appear to be resolved, check out this article for some further suggestions to troubleshoot wireless performance.

If you’d like to get suggestions from other UniFi administrators, feel free to post on our community.

For issues that point to an issue with UniFi devices/software with respect to wireless performance, feel free to reach out to UniFi support. Please note that the UniFi support team is not able to optimize networks for customers and will not be able to assist with performance issues that are cosmetic in nature or do not indicate an actual UniFi performance issue i.e. improving speed test results from 400 Mbps to 600 Mbps.

Source :
https://help.ui.com/hc/en-us/articles/360012947634-UniFi-Troubleshooting-Slow-Wi-Fi-Speeds-

Ubiquiti UniFi Network – Troubleshooting Wireless Uplinks

You can wirelessly adopt access points to your UniFi Network. This allows you to extend your coverage without adding cabling in hard-to-reach areas. When within range of your already-adopted access points, simply connect a new access point to power and it will appear as ready for adoption in the Network application.

General troubleshooting

Wireless UAP does not appear for adoption

1. Verify that the UAP is powering properly and is ready for adoption (steady white LED).

2. Connect it via Ethernet cable to your network and wait for it to appear for adoption. If it still won’t appear while connected, please see our general adoption troubleshooting steps.

3. Update to the current firmware version if an upgrade is available.

4. Once the UAP is adopted and running the newest version available, disconnect it from the wired LAN, and wait a few minutes while it connects wirelessly. After that, you may disconnect it from power to move it to its final position. Once it powers up again, the UniFi Network application will recognize it and start broadcasting the network’s WiFi through your wireless UAP.

The UAP is adopted but it will not work when moved to wireless networks

1. Verify that the UAP is receiving enough power from the PoE injector. The LED must be a steady blue. Take a look at the UAP’s datasheet to verify power requirements.

2. Verify that the Uplink Connectivity Monitor is enabled within Settings > System Settings > Controller Configuration > Uplink Connectivity Monitor.

3. Verify that there is at least one wired UAP to act as an uplink and that Enable Meshing is turned on within the UAP’s properties panel > RF > Enable Meshing. And that the meshing configuration is set to Auto; or if set to Manual, that Downlink is enabled.

Wireless uplink requirements

At least one wired access point to serve as the uplink UAP
A power source (i.e PoE injector) for the wireless UAP (downlink UAP)
(Recommended) Newest firmware and Network application versions.

Note: The wireless adoption process takes longer than the wired one; expect to wait a little longer for access point detection and for the adoption process to complete.

Modifying existing wireless uplink connections

You can design the topology to your liking by configuring how the wirelessly connected UAPs are linked. To change a UAP’s uplink:

Select the UAP from the UniFi Devices section to open its properties panel.
Go to the RF tab and select Manual under the Enable Meshing toggle. If the Enable Meshing option is not turned on, do so now to expose the wireless uplink settings.
Select which UAP your wireless UAP will connect to (uplink).

Additionally, you can stipulate the uplink priority to define to which uplink your UAP will connect to if there is service degradation or if its current uplink goes offline. Use the Priority dropdown menus to select from the available uplinks.

Frequently Asked Questions

Can a wireless UAP be the uplink to another wireless UAP?

Yes. This is known as a multi-hop wireless uplink and is supported by UniFi, as long as there is one wired access point to provide the first “hop”. Keep in mind that each wireless uplink will suffer service degradation, so this should only be done when necessary.

Can I connect older UAPs wirelessly?

Yes, you just need to make sure to configure them correctly. Some older UAPs only broadcast on a single band (2.4GHz) and will not work the same as newer models. The following older generation UAPs do support wireless uplink on the band they operate on and do not support multi-hop: UAP, UAP-LR, UAP-PRO, UAP-Outdoor, UAP-Outdoor+, UAP-Outdoor5, UAP-IW.

UAP-AC and UAP-AC-Outdoor do not support wireless uplink or multi-hop.

If you have a UAP that does support wireless uplinking and it is still not working, make sure to take the following into account:

	Dual band uplink UAP to dual band downlink UAP: will uplink on 5GHz.
	Dual band uplink UAP to single band downlink UAP: will uplink on the supported frequency of the single band model.
	Single band uplink UAP to single band downlink UAP: will uplink, as long as the same band is supported on both sides of the link.
	Single band (2.4GHz only models) uplink UAP to dual band downlink AP will not be able to uplink.

If you have several wired UAPs, these should have assigned channels that are different and do not overlap with other UAP channels to minimize interference.

If using all dual band UAPs
- Set the wired UAP (uplink UAP) to static on 5GHz and to a static on 2.4GHz (1, 6 or 11 making sure it’s not a band also set for any of the other UAPs). Leave the wireless UAP (downlink UAP) set to Auto on the 5GHz radio and set a static channel on 2.4GHz not shared by others.
If using all single band UAPs
- Set the wired UAP (uplink UAP) to a static channel on 2.4GHz. Leave the wireless UAP (downlink UAP) set to Auto on 2.4GHz.
If using a dual band UAP as the uplink and single band UAP as the downlink
- Set the wired UAP (uplink) to a static channel on 2.4GHz. Leave the wireless UAP (downlink) set to Auto.
  
  Source :
  https://help.ui.com/hc/en-us/articles/115002262328-UniFi-Network-Troubleshooting-Wireless-Uplinks

Ubiquiti UniFi – USG/UDM: Port Forwarding Configuration and Troubleshooting

With UniFi Network you can forward UDP and TCP ports to an internal LAN device using the Port Forwarding feature on the Dream Machine (UDM and UDM Pro) and USG models.

Requirements

Applicable to the latest firmware on all UDM and USG models.
The Port Forwarding feature is designed to only work on WAN1 on the USG models, but it can use both WAN1 and WAN2 on the UDM-Pro.
It is necessary to manually configure a Destination NAT (DNAT) + WAN firewall rule(s) to forward ports on the WAN2 interface on the USG models, see the section below.

Frequently Asked Questions (FAQ)

Do I need to manually create firewall rules for Port Forwarding?Can I forward ports on the WAN2 interface of the UDM/USG?How does the Port Forwarding feature interact with UPnP?Do I need to manually configure Hairpin NAT?Can I limit which remote devices are allowed to use the forwarded ports? My Port Forwarding rule does not work, what should I do?

Configuring a Port Forwarding Rule

1. Navigate to Settings > Advanced Features > Advanced Gateway Settings and create new port forwarding.

2. Fill in the settings:

Name: webserver
Enable Forward Rule: turn this on when ready to activate this rule
Interface: WAN / WAN2 / Both (UDM Pro only)
From: Anywhere or Limited
Port: 443
Forward IP: 192.168.1.10
Forward Port: 443
Protocol: TCP
Logging: Optional

From:	The clients on the Internet that are allowed to use the Port Forwarding rule. Set to Anywhere by default, meaning all hosts. It is possible to limit the allowed hosts by specifying an IP address (for example 198.51.100.1) or subnet range (for example 198.51.100.0/24).
Port:	The WAN port that the clients on the Internet connect to, for example 443. This does not need to match the port used on the internal LAN host. You can forward TCP port 10443 to TCP port 443, for example.
Forward IP:	The IP address used by the internal LAN host, for example 192.168.1.10.
Forward Port:	The port used by the internal LAN host, for example TCP port 443.

3. Apply the changes.

Note: On the USG models, it is necessary to manually configure a Destination NAT (DNAT) + WAN firewall rule to forward ports on the WAN2 interface, see the section below.

4. The firewall rule(s) needed for the new Port Forwarding rule you created are automatically added.

5. You can verify the automatically created rules in the Settings > Security > Internet Threat Management > Firewall > Internet section.

USG/USG-Pro: Forwarding Ports on WAN2 using Destination NAT

ATTENTION: This is an advanced configuration that requires creating and modifying the config.gateway.json file. See the UniFi – USG/USG-Pro: Advanced Configuration Using JSON article for more information on using the JSON file.

Follow the steps below to forward ports on the WAN2 interface of the USG models. It is necessary to manually create a Destination NAT (DNAT) rule using the Command Line Interface (CLI) and a custom Firewall Rule using the UniFi Network application. Afterwards, the config.gateway.json file needs to be created or updated to incorporate the custom configuration into UniFi Network.

1. Begin by creating a new custom Firewall Rule within Settings > Security > Internet Threat Management > Firewall > Internet section.

2. Create a new Firewall Port Group by clicking Create New Group.

3. Fill in the information and specify the port that needs to be allowed through the firewall (443 in this example) and apply changes.

Name: https
Type: Port Group
Port: 443

4. Navigate to Settings > Security > Internet Threat Management > Firewall > Internet and create new rule.

5. Fill in the information, selecting the previously created Port Group and apply changes.

General
- Type: Internet In
- Description: webserver
- Enabled: turned on when ready to take this rule live
- Rule Applied: After (after predefined rules)
- Action: Accept
- IPv4 Protocol: TCP
- Match all protocols except for this: disabled
Source: Optional
Destination
- Destination Type: Address/Port Group
- IPv4 Address Group: Any
- Port Group: https (select from any previously created firewall port groups)
Advanced: Optional

6. The next step is to access the USG using the Command Line Interface (CLI) and add a custom Destination NAT (DNAT) rule. SSH access to your devices must be enabled within Settings > System Settings > Controller Configuration > Device SSH Authentication.

7. Connect to the USG via SSH.SSH using WindowsSSH using macOS

8. Verify that the WAN2 interface is UP and that it is assigned an IP address by running the following command:

show interfaces ; sudo ipset list ADDRv4_eth2

Click to copy

unifiadmin@usg:~$ show interfaces 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         203.0.113.1/24                    u/u  WAN                         
eth1         192.168.1.1/24                    u/u  LAN                         
eth2         192.0.2.1/24                      u/u  WAN2                           
lo           127.0.0.1/8                       u/u                              
             ::1/128

unifiadmin@usg:~$ sudo ipset list ADDRv4_eth2
Name: ADDRv4_eth2
Type: hash:net
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16792
References: 1
Members:
192.0.2.1

NOTE: The ADDRv4_eth2 is a special address group that automatically uses the IP address that is assigned to the eth2 interface. On the USG-Pro, the WAN2 interface uses eth3 instead and thus the address group will be ADDRv4_eth3.

9. Enter configuration mode by typing configure and hitting enter.

10. Add the Destination NAT rule for the WAN2 interface of the USG/USG-Pro (replace eth2 with eth3 for the USG-Pro):

set service nat rule 4001 description 'webserver'
set service nat rule 4001 destination group address-group ADDRv4_eth2
set service nat rule 4001 destination port 443
set service nat rule 4001 inbound-interface eth2
set service nat rule 4001 inside-address address 192.168.1.10
set service nat rule 4001 inside-address port 443
set service nat rule 4001 protocol tcp
set service nat rule 4001 type destination

Click to copy

11. Commit the changes and exit back to operational mode by typing commit ; exit and hitting enter.

This is an example of the process:

12. Use the mca-ctrl -t dump-cfg command to display the entire config in JSON format:

mca-ctrl -t dump-cfg

Click to copy

13. The Destination NAT section of the configuration in JSON format can then be used in the config.gateway.json file.

{
       "service": {
                "nat": {
                        "rule": {
                                "4001": {
                                        "description": "webserver",
                                        "destination": {
                                                "group": {
                                                        "address-group": "ADDRv4_eth2"
                                                },
                                                "port": "443"
                                        },
                                        "inbound-interface": "eth2",
                                        "inside-address": {
                                                "address": "192.168.1.10",
                                                "port": "443"
                                        },
                                        "protocol": "tcp",
                                        "type": "destination"
                                }
                        }
                }
       }
}

Click to copy

14. See the UniFi – USG/USG-Pro: Advanced Configuration Using JSON article for more information on how to create and modify the config.gateway.json file.

Troubleshooting Port Forwarding Issues

Refer to the troubleshooting steps below if the Port Forwarding or custom Destination NAT rule is not working. Either of the following options can be the cause: Possible Cause #1 – The USG/UDM is located behind NAT and does not have a public IP address. Possible Cause #2 – The UDM/USG is already forwarding the port to another device or has UPnP enabled. Possible Cause #3 – The traffic from the Internet clients is not reaching the WAN interface of the UDM/USG. Possible Cause #4 – The LAN host is not allowing the port through the local firewall or does not have the correct route configured.

Source :
https://help.ui.com/hc/en-us/articles/235723207-UniFi-USG-UDM-Port-Forwarding-Configuration-and-Troubleshooting

Ubiquiti UniFi – Layer 3 Adoption for Remote UniFi Network Applications

Layer 3 adoption is the process of adopting a UniFi device to a remote UniFi Network application.

You might use Layer 3 adoption for applications located in the cloud (e.g. on Amazon EC2) or NOC.

For regular device adoption, see UniFi – Device adoption.

Overview

In many deployments where it’s not possible to have the UniFi Network host running on-premise, you can run the UniFi Network application in the Cloud or your NOC. For example, for a large-scale project with many devices there are a few possible methods for the adoption of devices:

Take a laptop to the device’s site to perform adoption via Chrome browser (easiest method).
When you’re at the site, open a browser and navigate to Cloud: either the UniFi Remote Access Portal or the UniFi Network application (when launched using Cloud).
Create a virtual application instance on Amazon EC2.
Either configure the DHCP server or DNS server.

Initial setup

Please make sure you’re familiar with how a regular L2 adoption on UniFi works (where the devices and UniFi Network application are on the same network) before attempting L3 (remote) adoption. Also, remember that in order to adopt, the following conditions must be true in order to have internet access and also have access to the router from within the network (locally):

1. WAN port connected to the Internet.
2. LAN port connected locally to access management features on the router (USG or third party).

UniFi APs have a default inform URL http://unifi:8080/inform. Thus, the purpose of using DHCP option 43 or DNS is to allow the AP to know the IP of the UniFi Network application host.

If you encounter discovery issues please use the UniFi – Troubleshooting Device Adoption article to help you troubleshoot the issue.

After installing the Discovery tool plugin (freely available in Chrome Web Store) on a computer running Chrome browser, any locally-available, unmanaged UniFi Devices (i.e., same L2 network as your computer) will appear as “Pending Adoption” in the UniFi Cloud Access Portal as well as your UniFi Network application itself (in the Devices section in both cases). To access the application remotely Remote Access will have to be enabled.

Via UniFi OS

1. Go to https://unifi.ui.com and login with your Ubiquiti SSO credentials.

2. Navigate to the Devices section.

3. The device to be adopted will appear as ready to be adopted. Click Adopt.

Via the UniFi Remote Access Portal

1. Go to https://network.unifi.ui.com/ and log in with your Ubiquiti SSO credentials.

2. Go to the Devices section and locate the model with the Pending Adoption status. Click ADOPT.

3. In the Adopt window that will appear, select the UniFi Network host and the site that will be adopting the device (for multi-site hosts) and click Adopt.

Via the UniFi Network application

1. Launch UniFi Network, go to the Devices section, find the device that is to be adopted with the status “Pending Adoption” and click Adopt under Actions.

DNS

You’ll need to configure your DNS server to resolve ‘unifi’ to your UniFi Network host’s IP address. Make sure that the device can resolve the UniFi Network domain name. For example, if you are setting http://XYZ:8080/inform, then ping from the device to determine if XYZ is resolvable/reachable. Or you may also use FQDN for the application inform URL: http://FQDN:8080/inform

Troubleshooting: Device (with static IP) fails to connect to the L3 UniFi Network application

When configuring a device from DHCP to static in the UniFi Network application, make sure you have put the IP of DNS. If not, then the device cannot contact DNS to resolve UniFi Network’s domain name.
If the device has been reset, make sure that you have “informed” the device twice (using the Discovery Utility) about the UniFi Network application’s location. See steps in the section above.

DHCP Option 43

If using Ubiquiti’s EdgeMAX routers, then DHCP option 43 can be done by just entering the IP address of the UniFi Network host in the “unifi” field on the DHCP-server.NOTE: The UniFi Security Gateway (USG) will not use DHCP option 43 to add the UniFi Network application location when obtaining a DHCP lease on the WAN interface.

To use DHCP option 43 you’ll need to configure your DHCP Server. We provide some third party examples below, but please refer to the manufacturer’s support documentation for up to date instructions. For example:

Linux’s ISC DHCP server: dhcpd.conf

# ...
option space ubnt;
option ubnt.unifi-address code 1 = ip-address;

class "ubnt" {
        match if substring (option vendor-class-identifier, 0, 4) = "ubnt";
        option vendor-class-identifier "ubnt";
        vendor-option-space ubnt;
}

subnet 10.10.10.0 netmask 255.255.255.0 {
        range 10.10.10.100 10.10.10.160;
        option ubnt.unifi-address 201.10.7.31;  ### UniFi Network host IP ###
        option routers 10.10.10.2;
        option broadcast-address 10.10.10.255;
        option domain-name-servers 168.95.1.1, 8.8.8.8;
        # ...
}

Cisco CLI

# assuming your UniFi is at 192.168.3.10
ip dhcp pool <pool name>
network <ip network> <netmask>
default-router <default-router IP address>
dns-server <dns server IP address>
option 43 hex 0104C0A8030A # 192.168.3.10 -> CO A8 03 0A

# Why 0104C0A8030A ?
#
# 01: suboption
# 04: length of the payload (must be 4)
# C0A8030A: 192.168.3.10

Mikrotik CLI

/ip dhcp-server option add code=43 name=unifi value=0x0104C0A8030A
/ip dhcp-server network set 0 dhcp-option=unifi

# Why 0104C0A8030A ?
#
# 01: suboption
# 04: length of the payload (must be 4)
# C0A8030A: 192.168.3.10

User Tip: Find more DHCP Option 43 instructions in the User Notes & Tips section.

SSH

If you can SSH into the device, it’s possible to do L3 adoption via CLI command:

1. Make sure the device is running updated firmware. See this guide: UniFi – Changing the Firmware of a UniFi Device.

2. Make sure the device is in the factory default state. If it’s not, run the following command:

sudo syswrapper.sh restore-default

3. SSH into the device and type the following and hit enter, substituting “ip-of-host” with the IP address of the host of the UniFi Network application:

set-inform http://ip-of-host:8080/inform

4. After issuing the set-inform, the UniFi device will show up for adoption in the Devices section of UniFi Network. Once you click Adopt, the device will appear to go offline or have the status of “Adopting” then proceed to “Provision” and “Connected”.

Source :
https://help.ui.com/hc/en-us/articles/204909754-UniFi-Layer-3-Adoption-for-Remote-UniFi-Network-Applications

Ubiquiti UniFi – How to Create and Restore a Backup

This article describes how to generate a backup of the UniFi Network application as well as how to restore it. This article does not cover the Auto Backup feature. You may see this article for more information on that subject: UniFi – How to Configure Auto Backup.

Note: This article is applicable to current UniFi Network application versions. Instructions on backups for older versions can be found at the bottom of this page in the “Method 3: Restoring from the /data Directory” section. As always, we suggest you update to the newest software and firmware available.

Introduction

The UniFi backup file has an extension of .unifi and contains the settings and the database for the UniFi Network application. The database is not included in a “settings only” backup. The backup also includes the config.properties, system.properties and config.gateway.json advanced configuration files, maps, and any customized files in a site’s portal folder. You can download a backup at any time from the Network application following the steps below.

Generate a New Backup

To generate a new UniFi backup file (.unifi), on your UniFi OS Console:

Access and log into your UniFi OS Console at unifi.ui.com or locally via its IP address.
Go to System Settings > Advanced and enable the Back up Device toggle if disabled.
Click Download to download your backup file.

You can also use the Backup Scheduler to schedule creating a backup at a certain occurrence and time.

Restore a Backup

Method 1: Restore in the UniFi Network application

To restore a backup you have previously generated:

Access and log into your UniFi OS Console at unifi.ui.com or locally via its IP address.
Go to System Settings > Advanced and click the Restore in the “Restore Device” section.
Select the necessary settings in the Restore Backup pop-up window:
1. Select the device on the Device Selection drop-down field which you will restore from a backup.
2. Confirm that you will restore your device either to the latest backup or select another backup from a list by clicking on the here text button.
3. Enter your SSO account password and click Restore to begin the restoring process.

Once you confirm, the backup restoration will begin. This process takes a few minutes. Do not disconnect while the application is working on this. Once the new backup is restored, the application will restart.

Method 2: Restore in the UniFi Startup Wizard

If beginning a new installation, it will be easier to just use the option of restore from a previous backup as soon as the UniFi Startup Wizard launches, and select your .unf file.

Method 3: Restore from the /data Directory

Note: This method is for older Network application versions and is not recommended. For security reasons, we suggest always upgrading to the newest release available. If you still wish to use this method, click on the link below.

Click here to display Method 3: Restoring from the /data Directory.

Change the Inform Address for All Devices in the Network application

ATTENTION:Use this method with caution. After completing these steps the devices will be setting the inform address to the new IP address or FQDN specified.

It may be desired to change the IP address or FQDN that the UniFi devices on multiple sites are reporting to after an application restore. This process is typically used when migrating from one functional UniFi OS Console to a new install.

Download a backup file from the current UniFi OS Console.
Install the Network application on the new UniFi OS Console.
Restore the backup that came from step 1 and let the upload process finish.
Log into the new UniFi OS Console.
On the old UniFi OS Console’s Network application, go to Settings > System > Other Configuration and enable the Override Inform Host toggle.
Type in the new UniFi OS Console’s Hostname or IP Address field.
Select Apply Changes.

After the changes are applied the old UniFi OS Console will send the configuration to adopted and currently connected devices stating the inform host is now what was input in the Hostname or IP Address field.

If this was performed correctly, the devices should start appearing in the new UniFi OS Console. This should not take longer than 5 minutes but can be longer depending on the number of devices, the physical proximity of the devices, and new UniFi OS Console’s technical specification.

Source :
https://help.ui.com/hc/en-us/articles/204952144-UniFi-How-to-Create-and-Restore-a-Backup

GoDaddy Breached – Plaintext Passwords – 1.2M Affected

This morning, GoDaddy disclosed that an unknown attacker had gained unauthorized access to the system used to provision the company’s Managed WordPress sites, impacting up to 1.2 million of their WordPress customers. Note that this number does not include the number of customers of those websites that are affected by this breach, and some GoDaddy customers have multiple Managed WordPress sites in their accounts.

According to the report filed by GoDaddy with the SEC [1], the attacker initially gained access via a compromised password on September 6, 2021, and was discovered on November 17, 2021 at which point their access was revoked. While the company took immediate action to mitigate the damage, the attacker had more than two months to establish persistence, so anyone currently using GoDaddy’s Managed WordPress product should assume compromise until they can confirm that is not the case.

It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them.

According to their SEC filing: “For active customers, sFTP and database usernames and passwords were exposed.”

We attempted to contact GoDaddy for comment and to confirm our findings, but they did not immediately respond to our requests for comment.

What did the attacker have access to?

The SEC filing indicates that the attacker had access to user email addresses and customer numbers, the original WordPress Admin password that was set at the time of provisioning, and SSL private keys. All of these could be of use to an attacker, but one item, in particular, stands out:

During the period from September 6, 2021, to November 17, 2021, the sFTP and database usernames and passwords of active customers were accessible to the attacker.

GoDaddy stored sFTP passwords in such a way that the plaintext versions of the passwords could be retrieved, rather than storing salted hashes of these passwords, or providing public key authentication, which are both industry best practices.

We confirmed this by accessing the user interface for GoDaddy Managed Hosting and were able to view our own password, shown in the screenshot below. When using public-key authentication or salted hashes, it is not possible to view your own password like this because the hosting provider simply does not have it.

You’ll also note that the system is using port 22, which is Secure File Transfer Protocol. There are several kinds of sFTP, and this confirms that they’re using sFTP via SSH, which is encrypted, and designed to be one of the most secure ways to transfer files. Storing plaintext passwords, or passwords in a reversible format for what is essentially an SSH connection is not a best practice.

GoDaddy appears to acknowledge that they stored database passwords as plaintext or in a reversible format. These are also retrievable via their user interface. Unfortunately storing database passwords as plaintext is quite normal in a WordPress setting, where the database password is stored in the wp-config.php file as text. What is more surprising, in this breach, is that the password that provides read/write access to the entire filesystem via sFTP is stored as plaintext.

What could an attacker do with this information?

While the SEC filing emphasizes the potential phishing risk posed by exposed email addresses and customer numbers, the risk posed by this is minimal compared to the potential impact of exposed sFTP and database passwords.

Although GoDaddy immediately reset the sFTP and Database passwords of all the impacted sites, the attacker had nearly a month and a half of access during which they could have taken over these sites by uploading malware or adding a malicious administrative user. Doing so would allow the attacker to maintain persistence and retain control of the sites even after the passwords were changed.

Additionally, with database access, the attacker would have had access to sensitive information, including website customer PII (personally identifiable information) stored on the databases of the impacted sites, and may have been able to extract the contents of all impacted databases in full. This includes information such as the password hashes stored in the WordPress user accounts databases of affected sites, and customer information from e-Commerce sites.

An attacker could similarly gain control on sites that had not changed their default admin password, but it would be simpler for them to simply use their sFTP and database access to do so.

On sites where the SSL private key was exposed, it could be possible for an attacker to decrypt traffic using the stolen SSL private key, provided they could successfully perform a man-in-the-middle (MITM) attack that intercepts encrypted traffic between a site visitor and an affected site.

What should I do if I have a GoDaddy Managed WordPress site?

GoDaddy will be reaching out to impacted customers over the next few days. In the meantime, given the severity of the issue and the data the attacker had access to, we recommend that all Managed WordPress users assume that they have been breached and perform the following actions:

If you’re running an e-commerce site, or store PII (personally identifiable information), and GoDaddy verifies that you have been breached, you may be required to notify your customers of the breach. Please research what the regulatory requirements are in your jurisdiction, and make sure you comply with those requirements.
Change all of your WordPress passwords, and if possible force a password reset for your WordPress users or customers. As the attacker had access to the password hashes in every impacted WordPress database, they could potentially crack and use those passwords on the impacted sites.
Change any reused passwords and advise your users or customers to do so as well. The attacker could potentially use credentials extracted from impacted sites to access any other services where the same password was used. For example, if one of your customers uses the same email and password on your site as they use for their Gmail account, that customer’s Gmail could be breached by the attacker once they crack that customer’s password.
Enable 2-factor authentication wherever possible. The Wordfence plugin provides this as a free feature for WordPress sites, and most other services provide an option for 2-factor authentication.
Check your site for unauthorized administrator accounts.
Scan your site for malware using a security scanner.
Check your site’s filesystem, including wp-content/plugins and wp-content/mu-plugins, for any unexpected plugins, or plugins that do not appear in the plugins menu, as it is possible to use legitimate plugins to maintain unauthorized access.
Be on the lookout for suspicious emails – phishing is still a risk, and an attacker could still use extracted emails and customer numbers to obtain further sensitive information from victims of this compromise.

Conclusion

The GoDaddy Managed WordPress data breach is likely to have far-reaching consequences. GoDaddy’s Managed WordPress offering makes up a significant portion of the WordPress ecosystem, and this affects not only site owners, but their customers. The SEC filing says that “Up to 1.2 million active and inactive Managed WordPress customers” were affected. Customers of those sites are most likely also affected, which makes the number of affected people much larger.

For the time being, anyone using GoDaddy’s Managed WordPress offering should assume their sites have been compromised until further information becomes available, and follow the steps we have provided in this article. We will update the article if more information becomes available.

References:

GoDaddy SEC Report: https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm

Note: All product names, logos, and brands are property of their respective owners in the United States and/or other countries. All company, product, and service names used on this page are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.

Source :
https://www.wordfence.com/blog/2021/11/godaddy-breach-plaintext-passwords/

Background

Protection Against Exploitation

Trend Micro Protection and Investigation

Using Trend Micro Products for Investigation

Preventative Rules, Filters & Detection

–

Impact on Trend Micro Products

References

What is a keylogger?

Is a keystroke logger a virus?

API-based

Form grabbing-based

Kernel-based

Javascript-based

How do keyloggers get on computers?

How to detect a keylogger on my computer?

How to prevent keystroke logging malware?

It’s the Most Wander-ful Time of the Year: Travel Tips

1. Free Wi-Fi =/= Risk-Free Wi-Fi

2. Put Your Devices on Lockdown

3. Don’t Let Criminals Track You

4. Use Only Your Own Cords/Power Adapters

‘Tis the Season for Giving: Online Safety Tips

1. Holiday Phishing Emails

2. Spoofed Websites

3. Fake Shipping Invoices

4. Counterfeit Apps

5. Gift Card Scams

6. Santa’s Little Helpers

Overview

Table of Contents

Introduction

Network Diagram

Intrusion Detection and Prevention

Threat Management Modes

Firewall Restrictions

System Sensitivity Levels

Categories

Categories and Their Definitions

Whitelisting

Signature Suppression

GeoIP Filtering

Blocking

Unblocking

Traffic Direction

DNS Filters

Filter Levels

Security

Adult

Family

Deep Packet Inspection

DPI Restrictions

Configuring Network Scanners

Internal Honeypot

Honeypot Services

Testing & Verification

Intrusion Detection/Prevention

Linux or macOS

Windows

Internal Honeypot

Privacy Statement

What information does the IPS/IDS engine send to the cloud?

What information is kept on our servers regarding IPS/IDS?

How is the information from alerts used by Ubiquiti?

Introduction

Measuring Wi-Fi Performance

Client Application-specific Bandwidth Requirements

Prerequisites

Common Issues/Steps to Fix

Channel Width

Interference/Channel Overlap

Signal Quality

Inconsistent/Inaccurate Speedtest Methods

Client-specific Issues & Limitations

Additional Steps

General troubleshooting

Wireless uplink requirements

Modifying existing wireless uplink connections

Frequently Asked Questions

Requirements