[arrl-odv:23965] arrl.org is Down

I just got an email from a member saying that the website is down. I had been using it about 45 minutes ago and it was working. I just tried it and it doesn't resolve. As the member and I both use Comcast, I unsuccessfully tried via my phone (Verizon) to be sure it isn't a Comcast issue—it's not.

On one refresh, I did get a 503 error:

Service Temporarily Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
Apache/2.2.3 (Novell) Server at www.arrl.org Port 80

Doug K4AC

A good way to check if a site is reachable by others is to use: http://www.downforeveryoneorjustme.com/

It's easy and quick, and takes a variety of potentially confusing factors out of the equation.

GW

On Mon, Feb 16, 2015 at 11:56 AM, Doug Rehman <doug@k4ac.com> wrote:
> I just got an email from a member saying that the website is down. I had been using it about 45 minutes ago and it was working. [...]

_______________________________________________
arrl-odv mailing list
arrl-odv@reflector.arrl.org
https://reflector.arrl.org/mailman/listinfo/arrl-odv

It is down in Austin. Probably just another hack; maybe ISIS this time?

73

John Robert Stratton
N5AUS
Office telephone: 512-445-6262
Cell: 512-426-2028
PO Box 2232
Austin, Texas 78768-2232

On 2/16/15 12:19 PM, G Widin wrote:
> A good way to check if a site is reachable by others is to use:
> http://www.downforeveryoneorjustme.com/ [...]

It is rather concerning that the 503 page is indicating our server is running "Apache/2.2.3" which was released in July 2007. The current release of Apache 2.2 (the webserver software) is 2.2.29. Worse yet, 2.2 is a legacy branch of the software; the current software branch is 2.4 with the current release being 2.4.12.

I have brought up on this reflector and in person at Board Meetings for more than 8 months that a cornerstone of IT security is running up to date software. We've already been hacked twice before, at least one of which was likely due to substantially outdated software. Yet we still have a server running on seven year old software???

Doug K4AC

Doug:

I apologize for not responding to your post yesterday, but I was out of the office for most of the afternoon. I wanted to provide you additional information after discussing the situation with Michael Keane, K1MK.

You are correct; the website is indeed running on CentOS 5.10 / Apache 2.2.3. CentOS is, in the simplest of terms, the Linux operating system. The reason that we are still on CentOS 5.10 is that we need to do a full-scale risk reduction exercise to ensure that the Fathom website doesn't break upon upgrade to a more recent version of CentOS. And if it does break in the process, how to fix it. However, the End-of-Life (EOL) for Maintenance Updates of CentOS 5.10 (and its Apache 2.2.3) is coming March 31, 2017 so we must plan on upgrading before then.

The current security plan which was attached to the Report of the CFO as Appendix 2 includes all the tasks we need to do in 2015. This upgrade is not a priority for 2015. To do it this year would require us to eliminate/defer some of the steps in the current security plan or increase resources (inside or outside). Neither step is required immediately.

That said, CentOS is being employed because it provides us with a degree of stability in our production environments. Upgrading individual pieces of CentOS would defeat the purpose of employing it and would likely end up being a maintenance and update nightmare. Having packages in CentOS that are on the "Legacy Branch" is more advantageous from an operations perspective than the alternative of being on the "Bleeding Edge" and having applications continuously breaking. And please understand, the packages in CentOS are in fact being updated with bug and security fixes from upstream, but without applying the sort of upgrades that add or subtract features and change the version number. This is a primary value-added in using the CentOS distribution: having a product team behind CentOS to provide the engineering judgment about which upgrades can safely be applied and which should not be. While CentOS 5 does employ an Apache server that has a feature set and version number that were frozen seven years ago, it is most definitely NOT a seven year old version of Apache. The version of Apache 2.2.3 on the website was most recently updated with fixes from upstream that were released in April 2014.

I realize this was a long answer but I thought it was important to bring all the details to light.

73,
Barry J. Shelley, N1VXY
Chief Financial Officer
ARRL, Inc.
The National Association for Amateur Radio
(860) 594-0212
www.arrl.org

From: arrl-odv [mailto:arrl-odv-bounces@reflector.arrl.org] On Behalf Of Rehman, Doug, K4AC
Sent: Monday, February 16, 2015 1:49 PM
To: arrl-odv
Subject: [arrl-odv:23969] Re: arrl.org is Down

> It is rather concerning that the 503 page is indicating our server is running "Apache/2.2.3" which was released in July 2007. [...]
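The backporting model described in Barry's message means the version string in a banner says nothing about the patch level; the evidence lives in the package changelog. The following is an added example (not code from the thread, ARRL or the CentOS project) that reads an RPM changelog in the layout `rpm -q --changelog httpd` produces and reports when the package last received a CVE fix. The changelog text is a constructed sample, its CVE identifiers are placeholders rather than real advisories, and the release tags in it are invented.

```shell
#!/bin/sh
# Added example; not code from the arrl-odv thread, ARRL or CentOS.
# Purpose: decide whether a CentOS/RHEL package carries backported security
# fixes by reading its RPM changelog instead of trusting the version banner.
# On a real host the input is produced by:  rpm -q --changelog httpd
# Assumptions: POSIX sh with awk, head, cut and grep. The changelog below is
# a constructed sample in rpm changelog layout; its CVE identifiers
# (CVE-0000-000x) are placeholders, not real advisories, and the "2.2.3-NN"
# release tags are invented.
SAMPLE_CHANGELOG='* Tue Apr 01 2014 Example Packager <packager@example.org> - 2.2.3-99
- Resolves: CVE-0000-0001 (placeholder) denial of service in a module
- Resolves: CVE-0000-0002 (placeholder) information disclosure
* Mon Jun 10 2013 Example Packager <packager@example.org> - 2.2.3-80
- Resolves: CVE-0000-0003 (placeholder) request handling crash
* Thu Aug 24 2006 Example Packager <packager@example.org> - 2.2.3-1
- initial build of 2.2.3'

# cve_fixes: read a changelog on stdin and print "<CVE id> <entry date>" for
# every CVE referenced, newest entry first (rpm prints entries newest first).
# Entry headers start with "* " followed by weekday, month, day and year.
cve_fixes() {
  awk '
    /^\* / { date = $2 " " $3 " " $4 " " $5; next }
    {
      n = split($0, w, "[^A-Za-z0-9-]+")
      for (i = 1; i <= n; i++)
        if (w[i] ~ /^CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9]*$/)
          print w[i], date
    }'
}

# newest_security_fix_date: date of the most recent entry that fixes a CVE.
# This, not the "2.2.3" in the Server header, is the package's real patch level.
newest_security_fix_date() {
  cve_fixes | head -n 1 | cut -d' ' -f2-
}

# security_fix_count: number of CVE references in the changelog.
security_fix_count() {
  cve_fixes | grep -c .
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixes
printf 'newest security fix: %s\n' "$(printf '%s\n' "$SAMPLE_CHANGELOG" | newest_security_fix_date)"
# prints "newest security fix: Tue Apr 01 2014"
```

On a live host, replace the sample with `rpm -q --changelog httpd | newest_security_fix_date`; a date long in the past, or no CVE references at all, is the signal that a package is genuinely unmaintained rather than merely version-frozen.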

Barry:

Thank you (and Mike) for the update. I wouldn't agree with the characterization of CentOS 7 or Apache 2.4 as being "Bleeding Edge". CentOS 7 was introduced on 7/7/2014 and Apache 2.4 was released on 2/21/2012—hardly new versions. (CentOS 6 was released in 2011.) I'd also note that there are at least four Apache vulnerabilities that have had updates released since the last time the arrl.org server was updated. Two of those issues are rated as moderate and one as important.

One significant reason for moving to current software releases is performance. This includes being better able to handle newer attack vectors. While an older version might not be vulnerable to a certain attack, the newer version will typically handle that attack more gracefully.

From a security standpoint, I would strongly recommend turning off version reporting by all of our servers. As an example, here's the information contained in the response header from arrl.org:

Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6

While the security vulnerabilities of Apache 2.2.3 may have been patched through April 2014, the 2.2.3 in the response header is going to catch the attention of potential hackers that are then going to begin beating on the server. They may find another vulnerability in that process or effectively make the server unreachable due to the bombardment of their attempts.

BTW, PHP 5.1.6 was released on 8/24/2006. The current version is 5.6.4. There are at least 25 PHP vulnerabilities, many for Denial Of Service attacks, that have been reported since the arrl.org server was updated in April 2014.

Easy instructions for making the servers more stealth can be found at websites such as http://ask.xmodulo.com/turn-off-server-signature-apache-web-server.html

Please send me the raw log file from the arrl.org server (and any other server that was involved in the arrl.org server being unreachable) from Monday.

Thanks & 73,
Doug K4AC

From: Shelley, Barry, N1VXY [mailto:bshelley@arrl.org]
Sent: Wednesday, February 18, 2015 11:52 AM
To: Rehman, Doug, K4AC; arrl-odv
Cc: Keane, Michael, K1MK
Subject: RE: [arrl-odv:23969] Re: arrl.org is Down

> Doug: I apologize for not responding to your post yesterday, but I was out of the office for most of the afternoon. [...]
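Doug's recommendation above comes down to two Apache directives (ServerTokens and ServerSignature) plus the PHP `expose_php` setting, and to checking the live response afterwards. The following is an added example (not code from the thread or ARRL's configuration) that audits both sides in POSIX shell: it flags Server and X-Powered-By headers that carry a version, and it reports the effective ServerTokens/ServerSignature values from an httpd.conf excerpt, applying Apache's documented defaults (ServerTokens Full, ServerSignature Off) when a directive is absent. The header block and both configuration excerpts are constructed samples modelled on what the thread quotes, not captures from arrl.org.

```shell
#!/bin/sh
# Added example; not code from the arrl-odv thread or ARRL's configuration.
# Purpose: audit an Apache/PHP server for version disclosure, in the live
# response headers and in the httpd configuration that controls them.
# Assumptions: POSIX sh with grep, sed and tr. All inputs below are
# constructed samples modelled on the headers quoted in the thread.

# Constructed response header block (the kind of output "curl -sI" gives).
SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Mon, 16 Feb 2015 18:40:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Type: text/html'

# Constructed httpd.conf excerpt with the disclosing settings. The footer
# line on the 503 page in the thread ("Apache/2.2.3 (Novell) Server at
# www.arrl.org Port 80") is exactly what ServerSignature On produces.
SAMPLE_CONF_WEAK='ServerTokens Full
ServerSignature On
# ServerTokens Prod   (commented out, so it has no effect)
ServerName www.example.org'

# The same excerpt with the hardened directives.
SAMPLE_CONF_FIXED='ServerTokens Prod
ServerSignature Off
ServerName www.example.org'

# audit_headers: read raw headers on stdin and print one line for each
# Server / X-Powered-By header that carries a version ("/" then a digit).
audit_headers() {
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')
    case "$line" in
      [Ss]erver:*|[Xx]-[Pp]owered-[Bb]y:*)
        if printf '%s\n' "$line" | grep -Eq '/[0-9]'; then
          printf 'version-disclosure: %s\n' "$line"
        fi
        ;;
    esac
  done
}

# audit_config: read httpd.conf text on stdin and print
#   "<ok|weak> ServerTokens=<value> ServerSignature=<value>"
# using Apache's defaults (Full / Off) for directives that are absent.
# "ok" requires ServerTokens Prod (or ProductOnly) and ServerSignature Off;
# comparison is case-insensitive, as Apache's own parsing is.
audit_config() {
  tokens=Full
  signature=Off
  set -f                                  # no globbing while splitting lines
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r' | sed 's/#.*//')   # drop comments
    set -- $line
    [ $# -ge 2 ] || continue
    case "$1" in
      [Ss]erver[Tt]okens)    tokens=$2 ;;
      [Ss]erver[Ss]ignature) signature=$2 ;;
    esac
  done
  set +f
  tl=$(printf '%s' "$tokens" | tr 'A-Z' 'a-z')
  sl=$(printf '%s' "$signature" | tr 'A-Z' 'a-z')
  status=weak
  case "$tl" in
    prod|productonly) [ "$sl" = off ] && status=ok ;;
  esac
  printf '%s ServerTokens=%s ServerSignature=%s\n' "$status" "$tokens" "$signature"
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_HEADERS"    | audit_headers
printf '%s\n' "$SAMPLE_CONF_WEAK"  | audit_config   # weak ServerTokens=Full ServerSignature=On
printf '%s\n' "$SAMPLE_CONF_FIXED" | audit_config   # ok ServerTokens=Prod ServerSignature=Off
```

Against a live host the header check is `curl -sI http://www.example.org/ | audit_headers`, and the config check is `audit_config < /etc/httpd/conf/httpd.conf`. ServerTokens Prod still announces "Apache", just without the version and OS; the X-Powered-By header is PHP's and goes away with `expose_php = Off` in php.ini. Hiding the banner reduces what a casual scanner learns, but it does not change the patch level, so the changelog check above remains the test that matters.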

IT staff is aware and looking at it, despite the holiday.

Dave K1ZZ

________________________________________
From: arrl-odv [arrl-odv-bounces@reflector.arrl.org] on behalf of Rehman, Doug, K4AC
Sent: Monday, February 16, 2015 12:56 PM
To: arrl-odv
Subject: [arrl-odv:23965] arrl.org is Down

> I just got an email from a member saying that the website is down. I had been using it about 45 minutes ago and it was working. [...]

Up and running here at 1:40 PM. Quick work by staff on a holiday.

Jay, KØQB

-----Original Message-----
From: arrl-odv [mailto:arrl-odv-bounces@reflector.arrl.org] On Behalf Of Sumner, Dave, K1ZZ
Sent: Monday, February 16, 2015 12:28 PM
To: Rehman, Doug, K4AC; arrl-odv
Subject: [arrl-odv:23968] Re: arrl.org is Down

> IT staff is aware and looking at it, despite the holiday. [...]

It is back up. Will sit with IT staff tomorrow when we're back in the office to do the post mortem.

Barry J. Shelley, N1VXY
Chief Financial Officer
ARRL, Inc.

Sent from my Verizon Wireless 4G LTE DROID

"Bellows, John, K0QB" <jbellows@skypoint.com> wrote:
> Up and running here at 1:40 PM. Quick work by staff on a holiday. [...]
participants (6)
- Doug Rehman
- G Widin
- John Bellows
- John Robert Stratton
- Shelley, Barry, N1VXY
- Sumner, Dave, K1ZZ