DEV Community: Paras Daryanani

7 Tips to Protect your DNN Website from Ransomware

Paras Daryanani — Tue, 17 Nov 2020 12:24:03 +0000

Ransomware has been a critical security issue since 2018 and is constantly evolving, making it increasingly difficult to detect as malware. We have taken this opportunity to share our experience and help you protect your DNN websites from ransomware attacks in the future.

Earlier this year, two of our DNN servers were facing a ransomware attack, resulting in 9 customer websites being offline. All of their data was encrypted, including on-site backups. Thankfully, we had offshore backups available which helped to get the websites back up and running in a matter of hours.

1. Keep your DNN version up-to-date

While DNN is known for excellent built-in security, there are some old versions of DNN that contain vulnerabilities. These vulnerabilities enable hackers to remotely upload and execute the malware on your servers. Keeping your DNN version up-to-date is by far the best way to protect your DNN website from malware attacks. If you don’t already know, the DNN Community just published a landmark DNN release, 9.8.0, which provides a large step up in DNN security, through the removal of outdated Telerik libraries. We would highly recommend upgrading your DNN website to version 9.8.0.

2. Keep Windows up-to-date

While updating DNN may sometimes be difficult due to module compatibility, updating Windows is a no-brainer. From my experience, Windows has some security holes now and then that lets malware through. Over the past few years, multiple vulnerabilities have been discovered in the Windows SMB service, and have subsequently been patched through Windows update. The easiest way to keep Windows up-to-date is to switch on automatic updates out of business hours. Check your Google Analytics reports to find the least busy time on your website and schedule your updates accordingly.

3. Use anti-virus / anti-malware software

After restoring our 9 websites and making sure Windows is up-to-date, we installed MalwareBytes on our servers. This proved extremely effective in detecting malware and quarantining suspicious files immediately.

4. Version control your website root directory

We use git version-control on all of our executable files in our website root directories. This may seem strange and unorthodox, but its extremely effective in detecting files that don't belong in your websites, such as web shells that hackers have somehow uploaded through undiscovered security vulnerabilities in either DNN or Windows. How do you detect files that don’t belong in your website root directory? Just open VS Code, click on Git and you’ll see modified and/or unversioned files. Of course, you could also do this on the command line by running git status or git diff.

If you want to take this a step further, you could set up some sort of automation to send an email alert if any executable files are added or modified in your DNN website.

5. Setup a solid backup workflow

Ransomware is the worst! It’s usually impossible to decrypt your files and get everything back to normal. Hackers will try convincing you that they will undo the damage if you pay them the ransom amount, but be warned that you should not trust them.

Instead, you should take a proactive approach in implementing a solid backup plan. There are many ways to automate backups both on-site and off-shore. We recommend having both in place. Other than that, we recommend encrypting your backups, such that hackers cannot steal your information and threaten to publish it on the web if you don’t pay the ransom. This also means you should encrypt your database storage.

6. Perform a monthly check / sweep

We perform monthly checks on our DNN servers to make sure that everything is running smoothly. In that, we check the MalwareBytes quarantine logs and website root directories for added/ removed or modified files.

We also do dig through the IIS access logs to see where traffic is coming from, followed by blocking certain URL patterns (e.g. /wp-login.php), IP addresses/ ranges etc.

7. Consider using a reverse proxy

In most cases, Windows firewall will protect your server from unauthorised access. Unfortunately, it doesn’t always help with Windows vulnerabilities. To work around this, we route external traffic through an Nginx reverse proxy, through to our DNN sites. The proxy server runs on a Linux machine placed in the same internal network and helps to block common threats as it only forwards HTTP and HTTPS traffic to the windows server running DNN.

That’s all folks!

We know it’s a long list of things to do to secure your DNN website, but it has worked well in our experience. If you need a hand with implementing any of these security measures, feel free to get in touch and we will happily assist you. Until next time, Happy DNN-ing!

8 Reasons to Build a Website with DNN Platform in 2020

Paras Daryanani — Fri, 02 Oct 2020 10:35:48 +0000

Are you evaluating a CMS to use for a new website in 2020? Here are 8 reasons why DNN Platform is a perfect choice.

1. 100% Free and Open Source

Previously DNN Platform was the free and open-source offering of DNN Corp, as opposed to their premium CMS, Evoq. In 2018, DNN became part of the .NET Foundation which essentially means that any changes in DNN Corp will no longer affect the DNN Community. So you can rest assured that DNN Platform is and will always be free and open source.

2. Easy to Use

One of the best features of DNN is that it's extremely easy to use. DNN allows you to quickly create web pages using its 100% frontend editing capability. If you've worked with other CMSs like WordPress, Joomla or Umbraco, you'll recall how you edit content in a backend dashboard, followed by clicking another button to view the modified page. DNN harmonizes content editing and viewing, making it easy for non-techies to easily put content on their website.

3. Great Developer Experience

For developers familiar with .NET development, DNN is quick to get started with. Out of the box it supports WebForms, Model-View-Controller (MVC) and Single Page Applications (SPA) modules. DNN exposes many convenient APIs for developers to use when building new functionality. The development stack is unopinionated, meaning that developers have full freedom to use any third-party vendors and libraries to achieve what they want to.

For example, when building SPA modules, you can use React, Vue, Angular, Svelte or just about any other JS library, without having to worry about whether DNN "allows" it. The same way, you can import and use as many .NET libraries (NuGet packages) as needed. If you're looking to get started with DNN development, there are many starter module templates available on the DNN Community GitHub.

4. Easy for Designers

Are you only familiar with basic HTML / CSS and some JavaScript? Not to worry, as designers and frontend developers can create themes for DNN with little effort and no visual limitations. This means you can 100% customise the look of your DNN website. This is great evidence of DNN's versatility, especially if you were to compare it to WordPress where 90% of all website themes look similar.

5. Versatile and Offers Unlimited Extensibility

DNN Platform, appropriately named, is more than just a content management system. Over the past 10 years, I've built various applications using DNN, including job portals, real estate websites, intranet applications, asset management systems, mobile app backends and automotive sales websites, e-commerce websites and more. Whatever you’re building, you could probably build it with DNN.

6. Extremely Secure

Security has always been a top priority for the DNN Community. DNN has a built-in security analyzer, which audits your site for vulnerabilities, incorrect configurations and permissions for both the filesystem and the database. Each item shows a PASS / ALERT / CHECK / FAIL result, making it easy to secure your DNN site. Note however that the best way to keep your DNN site secure is to always update your website to the latest version of DNN.

7. Getting Closer to .NET 5 (.NET Core)

While it’s not quite there yet, the DNN Community is working hard to bring DNN Platform closer to .NET Core. Over the past few months, DNN Platform has added support for one of the most significant features of .NET Core, that is Dependency Injection (DI). This promotes software development best practices such as loosely coupled architecture, something that DNN was not particularly good at previously.

Other than DI, the DNN community is working on adding Razor Pages support in DNN, to further modernise it. Trust me when I say DNN is by no means outdated.

8. The DNN Community

With a brand new website launched in late 2019, the DNN Community is more active than ever before. There are online meetups every few weeks that you can join to learn more about DNN or to stay up-to-date with the latest developments. You could also attend the yearly conferences, DNN Connect (Europe) / DNN Summit (USA), to meet with like-minded DNN fanatics.

Most importantly, the DNN Community is always there to support you. If you have any questions or need any help with anything DNN related, you can use the forums to get an answer. You can also read the docs at dnndocs.com to check out the tutorials and guides for yourself.

Still not convinced of DNN? Contact Celestify today to book a free tour of DNN and find out what Celestify can do for you. No strings attached.