Security Best Practices - Revision history

Seanc: /* VPS Security Practices */

2016-05-19T15:41:18Z

‎VPS Security Practices

Coryme: /* SmarterMail */

2015-03-14T18:49:42Z

‎SmarterMail

Coryme: /* Add SPF and DKIM records to Domains */

2015-03-09T20:18:54Z

‎Add SPF and DKIM records to Domains

Coryme: /* VPS Security Practices */

2015-03-09T20:12:38Z

‎VPS Security Practices

Briana: /* Install Anti Virus */

2015-02-18T20:38:52Z

‎Install Anti Virus

Coryme: /* Install Software to Mitigate Attacks */

2015-02-17T01:00:53Z

‎Install Software to Mitigate Attacks

Coryme: Created page with "==General Security Practices== ===Password Protection=== Every password with internal access should have a strong yet memorable password. The easiest way for a hacker to gain ..."

2015-02-17T01:00:24Z

Created page with "==General Security Practices== ===Password Protection=== Every password with internal access should have a strong yet memorable password. The easiest way for a hacker to gain ..."

New page

==General Security Practices==
===Password Protection===
Every password with internal access should have a strong yet memorable password. The easiest way for a hacker to gain entrance to a domain or database is through the front door, so keeping that door locked and locked tight is your first line of defense.

The best passwords use a capital letter, a lowercase letter, a number, and a symbol. To test your passwords for strength, try [https://howsecureismypassword.net/ this link].

===Software Version Management===
Most people use some type of software to manage their domains. Whether it's WordPress. Joomla!, Drupal, or any of the other types of content management software (CMS), they all need to be kept up-to-date to prevent a possible attack.

===Encrypt FTP Traffic===
There are two best practices to encrypt and protect FTP traffic. First is to cut off any unwanted IPs from use. By default, WCP allow all IP traffic through the domains as an ease of access for new clients, however, it's beneficial to limit the IPs to just those that need access.

To do this in WCP:
#Click FTP Accounts
#Click Default Access
#Change the drop down menu to Blocked
#Click on IP List
#Click Add
#Add your IP (You can find it [https://hostek.com/ip here].)

The second best option is to encrypt the FTP traffic using TLS. By default, FTP users are forced to use TLS on cPanel servers, but not for WCP servers. To enable TLS [https://wiki.hostek.com/Enabling_TLS_on_Common_FTP_Software follow this wiki].

===Read Your Access Logs===
Both WCP and cPanel utilize server logs to keep track of who visits the domain and what they do while there. For the most part, this is a "set it and forget it" file, but if you get breached this can tell you what was accessed and when. In both the WCP and cPanel, the logs folders are above the domain root folder. (wwwroot for WCP and public_html for cPanel).

====Block Unwanted Traffic====
Much like keeping the traffic limited to who needs to be on FTP, keeping unwanted IPs from accessing your server at all is an important tool. For most users, this will want to be used as little as possible so as to not disturb your regular visitors, but if you get breached and recover an IP address in the process it's vital to keep those attackers at bay.

To do this in WCP:
#Click Manage IPs in the bottom right menu
#Click Add under the IP List
#Add the IP address
#Select whether to block or allow this IP
#(optional) Type a reason

To do this in cPanel:
#Click IP Address Deny Manager
#Type an IP address or Domain
#Click Add

====Install Software to Mitigate Attacks====
For those that use CMS to manage their domains, it's preferred to download a plugin to help mitigate an attack. Below are some well known plugins for various CMS applications.

WordPress - iThemes
Joomla! - kSecure
Magento - MageFirewall

==Reseller Security Practices==
===Encrypt Client Data===
For those that use a central domain to handle client transactions, it's best to make sure you keep whatever software used encrypted. The best practice for doing this is getting an SSL installed wherever you have your software. You may also want to make sure that IP access to the software is limited to only those that directly need it.

To order an SSL click [https://cp.hostek.com/cart.php?gid=16 here].

==VPS Security Practices==
===Lock Down Unused Ports===
By default, all major VPS ports are open for initial ease of access, but it's highly recommended to close off the major prots to either have no traffic or limited traffic. You can go about doing this in one of two ways, manually or by our admin level IPS filtering.

====Manually====
To manually lock down the ports in a Windows server:
#Go to the VPS Manager in WCP
#Click the Firewall Manager tool
#Click the pencil icon next to the major port
#Either restrict or close the port. If restricting the port, it will automatically add your local IP, but you will need to add any further IPs.

====From Support IPS====
To block major ports in IPS:
#Contact Support at support@hostek.com
#Give them your security qeustion and answer, billing password, or last 4 of your Credit Card
#Request to be placed in the PCI Compliance zone of the IPS (Note: This can be removed at any time with another ticket)

===Install Anti Virus===
By default, AVG and ClamAV are installed on Windows and cPanel servers respectively, but it's recommended to upgrade to a beefier version of anti virus. We allow the installation of almost all major anti virus softwares, and can help with the installation if required.

===Encrypt Outgoing Traffic===
Like encrypting FTP and HTTP traffic, encrypting other forms of traffic such as SMTP is recommended, and can usually be handled by an SSL certificate.

To order an SSL click [https://cp.hostek.com/cart.php?gid=16 here].

===Set Up Automated Updates===
Most installed softwares on a server also have an automatic update feature, or at least a way to easily update it. Set a scheduled task for Windows or a cron in cPanel to automatically update all browsers, anti virus, and other essentials. Non web related software are just as vulnerable to attack as CMS applications.

@@ Line 99: / Line 99: @@
 #Within [https://wiki.hostek.com/index.php?title=WCP#How_To_Login_To_My_WCP_Control_Panel WCP], find the Email subsection
 #Click Advanced
-#Click SPF, then Enable (Note: This will add a DNS record to your domain that acts as a shield against unauthorized sending on your server)
+#*Click '''SPF''', then Enable (Note: This will add a DNS record to your domain that acts as a shield against unauthorized sending on your server)
-#Click Domain Keys, then Enable (Note: This will add a DNS record to your domain that acts as a shield against unfamiliar domains. This does not stop new senders, but limits senders using false or forged DNS credentials)
+#*Click '''Domain Keys'''(DKIM), then Enable (Note: This will add a DNS record to your domain that acts as a shield against unfamiliar domains. This does not stop new senders, but limits senders using false or forged DNS credentials)
 =====Update AntiSpam Settings=====

← Older revision		Revision as of 18:49, 14 March 2015
Line 110:		Line 110:
	#Click on AntiSpam Administration (Note: You'll see several items under the Spam Check column. These are the spam rules and weights on the server.)		#Click on AntiSpam Administration (Note: You'll see several items under the Spam Check column. These are the spam rules and weights on the server.)
	#Depending on how strict you want to be, check the Bayesian Filtering, URIBL:SURBL, and URIBL:URIBL check boxes. These are the three most common spam filters, but for added filtering you can check more URIBL filters.		#Depending on how strict you want to be, check the Bayesian Filtering, URIBL:SURBL, and URIBL:URIBL check boxes. These are the three most common spam filters, but for added filtering you can check more URIBL filters.
		+
		+	=====Block Unwanted IPs=====
		+	#Click the Security (shield icon) button
		+	#Click on Blacklist
		+	#Click New
		+	#Type in the IP or IP Range
		+	#Specify which ports to block
		+	#Add a description (E.g. Brute Force IP)

@@ Line 97: / Line 97: @@
 =====Add SPF and DKIM records to Domains=====
-#Within WCP, find the Email subsection
+#Within [https://wiki.hostek.com/index.php?title=WCP#How_To_Login_To_My_WCP_Control_Panel WCP], find the Email subsection
 #Click Advanced
 #Click SPF, then Enable (Note: This will add a DNS record to your domain that acts as a shield against unauthorized sending on your server)

← Older revision		Revision as of 20:12, 9 March 2015
Line 81:		Line 81:
	===Set Up Automated Updates===		===Set Up Automated Updates===
	Most installed softwares on a server also have an automatic update feature, or at least a way to easily update it. Set a scheduled task for Windows or a cron in cPanel to automatically update all browsers, anti virus, and other essentials. Non web related software are just as vulnerable to attack as CMS applications.		Most installed softwares on a server also have an automatic update feature, or at least a way to easily update it. Set a scheduled task for Windows or a cron in cPanel to automatically update all browsers, anti virus, and other essentials. Non web related software are just as vulnerable to attack as CMS applications.
		+
		+	===Secure Your Mail Server===
		+	If you don't use mail on your VPS, make sure your ports (25, 26, 110, 143, 587, 993, 994) are all blocked. Even if you don't use the server for mail, it may be possible to get out.
		+
		+	====SmarterMail====
		+	If you utilize a SmarterMail instance on your server, please follow the below best practices to keep your server secured.
		+
		+	=====Force Strong Password Use=====
		+	#Login to the admin user (The credentials will be in the welcome email sent at purchase)
		+	#Click on Security (sheild icon)
		+	#Find the Advanced Settings subsection, click Password Requirements
		+	#Change the minimum password length (Note: a good length is between 8-16 characters)
		+	#Select Require a number, a capital, a lower case, and a symbol in the password
		+	#Click Save (Note: This will cause the users that fail their password requirements to get locked out of their inbox until they update their password to one that's secure enough. In the meantime, they will still get email service)
		+
		+	=====Add SPF and DKIM records to Domains=====
		+	#Within WCP, find the Email subsection
		+	#Click Advanced
		+	#Click SPF, then Enable (Note: This will add a DNS record to your domain that acts as a shield against unauthorized sending on your server)
		+	#Click Domain Keys, then Enable (Note: This will add a DNS record to your domain that acts as a shield against unfamiliar domains. This does not stop new senders, but limits senders using false or forged DNS credentials)
		+
		+	=====Update AntiSpam Settings=====
		+	By default, the SmarterMail instance will be setup to avoid spam, but it is not optimized to what you may need.
		+
		+	To update these settings:
		+	#Login to SmarterMail as admin user
		+	#Click on Security (sheild icon)
		+	#Click on AntiSpam Administration (Note: You'll see several items under the Spam Check column. These are the spam rules and weights on the server.)
		+	#Depending on how strict you want to be, check the Bayesian Filtering, URIBL:SURBL, and URIBL:URIBL check boxes. These are the three most common spam filters, but for added filtering you can check more URIBL filters.

@@ Line 70: / Line 70: @@
 ===Install Anti Virus===
-By default, AVG and ClamAV are installed on Windows and cPanel servers respectively, but it's recommended to upgrade to a beefier version of anti virus. We allow the installation of almost all major anti virus softwares, and can help with the installation if required.
+By default, AVG and ClamAV are installed on our Windows and cPanel servers respectively.
 ===Encrypt Outgoing Traffic===

@@ Line 42: / Line 42: @@
 For those that use CMS to manage their domains, it's preferred to download a plugin to help mitigate an attack. Below are some well known plugins for various CMS applications.
-WordPress - iThemes
+#WordPress - iThemes
-Joomla! - kSecure
+#Joomla! - kSecure
-Magento - MageFirewall
+#Magento - MageFirewall
 ==Reseller Security Practices==