Security Best Practices
Contents
General Security Practices
Password Protection
Every password with internal access should have a strong yet memorable password. The easiest way for a hacker to gain entrance to a domain or database is through the front door, so keeping that door locked and locked tight is your first line of defense.
The best passwords use a capital letter, a lowercase letter, a number, and a symbol. To test your passwords for strength, try this link.
Software Version Management
Most people use some type of software to manage their domains. Whether it's WordPress. Joomla!, Drupal, or any of the other types of content management software (CMS), they all need to be kept up-to-date to prevent a possible attack.
Encrypt FTP Traffic
There are two best practices to encrypt and protect FTP traffic. First is to cut off any unwanted IPs from use. By default, WCP allow all IP traffic through the domains as an ease of access for new clients, however, it's beneficial to limit the IPs to just those that need access.
To do this in WCP:
- Click FTP Accounts
- Click Default Access
- Change the drop down menu to Blocked
- Click on IP List
- Click Add
- Add your IP (You can find it here.)
The second best option is to encrypt the FTP traffic using TLS. By default, FTP users are forced to use TLS on cPanel servers, but not for WCP servers. To enable TLS follow this wiki.
Read Your Access Logs
Both WCP and cPanel utilize server logs to keep track of who visits the domain and what they do while there. For the most part, this is a "set it and forget it" file, but if you get breached this can tell you what was accessed and when. In both the WCP and cPanel, the logs folders are above the domain root folder. (wwwroot for WCP and public_html for cPanel).
Block Unwanted Traffic
Much like keeping the traffic limited to who needs to be on FTP, keeping unwanted IPs from accessing your server at all is an important tool. For most users, this will want to be used as little as possible so as to not disturb your regular visitors, but if you get breached and recover an IP address in the process it's vital to keep those attackers at bay.
To do this in WCP:
- Click Manage IPs in the bottom right menu
- Click Add under the IP List
- Add the IP address
- Select whether to block or allow this IP
- (optional) Type a reason
To do this in cPanel:
- Click IP Address Deny Manager
- Type an IP address or Domain
- Click Add
Install Software to Mitigate Attacks
For those that use CMS to manage their domains, it's preferred to download a plugin to help mitigate an attack. Below are some well known plugins for various CMS applications.
- WordPress - iThemes
- Joomla! - kSecure
- Magento - MageFirewall
Reseller Security Practices
Encrypt Client Data
For those that use a central domain to handle client transactions, it's best to make sure you keep whatever software used encrypted. The best practice for doing this is getting an SSL installed wherever you have your software. You may also want to make sure that IP access to the software is limited to only those that directly need it.
To order an SSL click here.
VPS Security Practices
Lock Down Unused Ports
By default, all major VPS ports are open for initial ease of access, but it's highly recommended to close off the major prots to either have no traffic or limited traffic. You can go about doing this in one of two ways, manually or by our admin level IPS filtering.
Manually
To manually lock down the ports in a Windows server:
- Go to the VPS Manager in WCP
- Click the Firewall Manager tool
- Click the pencil icon next to the major port
- Either restrict or close the port. If restricting the port, it will automatically add your local IP, but you will need to add any further IPs.
From Support IPS
To block major ports in IPS:
- Contact Support at support@hostek.com
- Give them your security qeustion and answer, billing password, or last 4 of your Credit Card
- Request to be placed in the PCI Compliance zone of the IPS (Note: This can be removed at any time with another ticket)
Install Anti Virus
By default, AVG and ClamAV are installed on our Windows and cPanel servers respectively.
It is recommended that you always maintain an Anti Virus solution on your local workstation/desktop/laptop too.
Encrypt Outgoing Traffic
Like encrypting FTP and HTTP traffic, encrypting other forms of traffic such as SMTP is recommended, and can usually be handled by an SSL certificate.
To order an SSL click here.
Set Up Automated Updates
Most installed softwares on a server also have an automatic update feature, or at least a way to easily update it. Set a scheduled task for Windows or a cron in cPanel to automatically update all browsers, anti virus, and other essentials. Non web related software are just as vulnerable to attack as CMS applications.
Secure Your Mail Server
If you don't use mail on your VPS, make sure your ports (25, 26, 110, 143, 587, 993, 994) are all blocked. Even if you don't use the server for mail, it may be possible to get out.
SmarterMail
If you utilize a SmarterMail instance on your server, please follow the below best practices to keep your server secured.
Force Strong Password Use
- Login to the admin user (The credentials will be in the welcome email sent at purchase)
- Click on Security (sheild icon)
- Find the Advanced Settings subsection, click Password Requirements
- Change the minimum password length (Note: a good length is between 8-16 characters)
- Select Require a number, a capital, a lower case, and a symbol in the password
- Click Save (Note: This will cause the users that fail their password requirements to get locked out of their inbox until they update their password to one that's secure enough. In the meantime, they will still get email service)
Add SPF and DKIM records to Domains
- Within WCP, find the Email subsection
- Click Advanced
- Click SPF, then Enable (Note: This will add a DNS record to your domain that acts as a shield against unauthorized sending on your server)
- Click Domain Keys(DKIM), then Enable (Note: This will add a DNS record to your domain that acts as a shield against unfamiliar domains. This does not stop new senders, but limits senders using false or forged DNS credentials)
Update AntiSpam Settings
By default, the SmarterMail instance will be setup to avoid spam, but it is not optimized to what you may need.
To update these settings:
- Login to SmarterMail as admin user
- Click on Security (sheild icon)
- Click on AntiSpam Administration (Note: You'll see several items under the Spam Check column. These are the spam rules and weights on the server.)
- Depending on how strict you want to be, check the Bayesian Filtering, URIBL:SURBL, and URIBL:URIBL check boxes. These are the three most common spam filters, but for added filtering you can check more URIBL filters.
Block Unwanted IPs
- Click the Security (shield icon) button
- Click on Blacklist
- Click New
- Type in the IP or IP Range
- Specify which ports to block
- Add a description (E.g. Brute Force IP)