Security Best Practices

From Hostek.com Wiki

Revision as of 01:00, 17 February 2015

General Security Practices

Password Protection

Every account with internal access should have a strong yet memorable password. The easiest way for an attacker to get into a domain or database is through the front door, so keeping that door locked, and locked tight, is your first line of defense.

The best passwords use a capital letter, a lowercase letter, a number, and a symbol. To test your passwords for strength, try this link.
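A small policy checker that applies the four character classes named above, written as an added example for this page (not a Hostek tool). The minimum length of 12, the short common-password list, and the "does not contain the username" rule are assumptions added here; the wiki itself only names the character classes.

```python
import string

# Minimum length is an assumption added for this example; the wiki only names
# the four character classes (uppercase, lowercase, number, symbol).
MIN_LENGTH = 12

# A few very common passwords to reject outright (constructed, illustrative list).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "admin"}


def missing_classes(password):
    """Return the names of the wiki's four character classes absent from `password`."""
    checks = {
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    return [name for name, present in checks.items() if not present]


def check_password(password, username="", min_length=MIN_LENGTH):
    """Evaluate one password; returns {'ok': bool, 'problems': [reasons]}."""
    problems = ["missing " + name for name in missing_classes(password)]
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return {"ok": not problems, "problems": problems}


# Constructed sample credentials for the demonstration (not real accounts).
SAMPLES = [
    ("webmaster", "password"),
    ("webmaster", "Password1!"),
    ("webmaster", "Webmaster-2015!"),
    ("webmaster", "correct-Horse-7-battery"),
]


def audit(samples=SAMPLES):
    """Map each sample password to its check result."""
    return {pw: check_password(pw, user) for user, pw in samples}


if __name__ == "__main__":
    for pw, result in audit().items():
        verdict = "OK" if result["ok"] else "; ".join(result["problems"])
        print("%-25s %s" % (pw, verdict))
```

Note that "Password1!" satisfies all four classes and still fails: class coverage alone does not make a password strong, which is why the example adds a length floor and a common-password check on top of the wiki's rule.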

Software Version Management

Most people use some type of software to manage their domains. Whether it's WordPress, Joomla!, Drupal, or any other content management system (CMS), it needs to be kept up to date to prevent a possible attack.

Encrypt FTP Traffic

There are two best practices for encrypting and protecting FTP traffic. The first is to cut off access from any unwanted IPs. By default, WCP allows all IPs through to the domains for ease of access for new clients; however, it's beneficial to limit access to just those IPs that need it.

To do this in WCP:

  1. Click FTP Accounts
  2. Click Default Access
  3. Change the drop down menu to Blocked
  4. Click on IP List
  5. Click Add
  6. Add your IP (You can find it here.)

The second best practice is to encrypt the FTP traffic using TLS. By default, FTP users are forced to use TLS on cPanel servers, but not on WCP servers. To enable TLS, follow this wiki.

Read Your Access Logs

Both WCP and cPanel keep server logs to track who visits the domain and what they do while there. For the most part this is a "set it and forget it" file, but if you get breached it can tell you what was accessed and when. In both WCP and cPanel, the logs folder sits above the domain root folder (wwwroot for WCP and public_html for cPanel).
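The "what was accessed and when" question is easier to answer with a small parser than by eye. The following is an added example, not Hostek code: it reads Apache combined-format lines (the format cPanel's Apache writes under the logs folder), builds a per-address timeline, and flags addresses that hammer a CMS login page. The sample log lines, the addresses in them, and the list of login paths are all constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format. Addresses, paths and
# user agents are made up for this example; the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Feb/2015:00:41:02 -0600] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Feb/2015:00:41:05 -0600] "GET /about HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Feb/2015:00:52:10 -0600] "POST /wp-login.php HTTP/1.1" 200 1530 "-" "python-requests/2.5"
198.51.100.23 - - [17/Feb/2015:00:52:11 -0600] "POST /wp-login.php HTTP/1.1" 200 1530 "-" "python-requests/2.5"
198.51.100.23 - - [17/Feb/2015:00:52:12 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.5"
198.51.100.23 - - [17/Feb/2015:00:52:30 -0600] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 9001 "-" "python-requests/2.5"
not a log line at all
"""

# Login endpoints for the CMSs the wiki names; which paths to watch is an assumption.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php", "/user/login")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def requests_per_ip(entries):
    """How many requests each client address made."""
    return Counter(e["ip"] for e in entries)


def timeline(entries, ip):
    """Everything one address touched, in order: the 'what and when' after a breach."""
    return [(e["time"].isoformat(), e["method"], e["path"], e["status"])
            for e in entries if e["ip"] == ip]


def login_bursts(entries, threshold=3, window_seconds=60):
    """Addresses that POSTed to a login page `threshold` or more times within one window."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].split("?")[0] in LOGIN_PATHS:
            by_ip[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("requests per IP:", dict(requests_per_ip(entries)))
    for ip, count in login_bursts(entries).items():
        print("login burst from %s (%d POSTs); timeline:" % (ip, count))
        for row in timeline(entries, ip):
            print("   ", row)
```

The timeline for the flagged address shows the 302 after three login POSTs followed by a visit to the plugin installer, which is the kind of sequence worth checking before deciding what to restore. An address recovered this way is exactly what the "Block Unwanted Traffic" section below is for.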

Block Unwanted Traffic

Much like limiting FTP to those who need it, keeping unwanted IPs from reaching your server at all is an important tool. Most users will want to use it as little as possible so as not to disturb regular visitors, but if you get breached and recover an IP address in the process, it's vital to keep those attackers at bay.

To do this in WCP:

  1. Click Manage IPs in the bottom right menu
  2. Click Add under the IP List
  3. Add the IP address
  4. Select whether to block or allow this IP
  5. (optional) Type a reason

To do this in cPanel:

  1. Click IP Address Deny Manager
  2. Type an IP address or Domain
  3. Click Add
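Both the FTP "Default Access: Blocked plus IP List" setup and the Manage IPs / IP Address Deny Manager lists are the same idea: a default policy plus a list of addresses with an action and an optional reason. The class below models that decision so you can sanity-check a list before applying it in the panel. It is an added example, not Hostek's implementation; the addresses are constructed from documentation ranges, and "most specific rule wins" and "fail closed on unparseable input" are design choices made here.

```python
import ipaddress


class AccessList:
    """Default policy plus IP/CIDR rules; the most specific matching rule wins."""

    def __init__(self, default="allow"):
        if default not in ("allow", "block"):
            raise ValueError("default must be 'allow' or 'block'")
        self.default = default
        self.rules = []  # (network, action, reason)

    def add(self, address_or_cidr, action, reason=""):
        """Add one rule; a bare address becomes a /32 (or /128) network."""
        if action not in ("allow", "block"):
            raise ValueError("action must be 'allow' or 'block'")
        net = ipaddress.ip_network(address_or_cidr, strict=False)
        self.rules.append((net, action, reason))

    def decide(self, ip):
        """Return (action, reason) for one client address; bad input fails closed."""
        try:
            addr = ipaddress.ip_address(str(ip).strip())
        except ValueError:
            return "block", "unparseable address"
        matches = [(net, action, reason) for net, action, reason in self.rules
                   if net.version == addr.version and addr in net]
        if not matches:
            return self.default, "default policy"
        net, action, reason = max(matches, key=lambda r: r[0].prefixlen)
        return action, reason or "matched %s" % net


def build_ftp_list(office_ip):
    """FTP Accounts -> Default Access: Blocked, then the office address on the IP List."""
    acl = AccessList(default="block")
    acl.add(office_ip, "allow", "office IP")
    return acl


def build_site_list(blocked_cidrs):
    """Manage IPs / IP Address Deny Manager: allow everyone except recovered attacker ranges."""
    acl = AccessList(default="allow")
    for cidr in blocked_cidrs:
        acl.add(cidr, "block", "recovered from access log")
    return acl


if __name__ == "__main__":
    # Constructed addresses from documentation ranges; not real clients.
    ftp = build_ftp_list("203.0.113.7")
    site = build_site_list(["198.51.100.0/24"])
    for client in ("203.0.113.7", "198.51.100.23", "2001:db8::1", "not-an-ip"):
        print("%-14s ftp=%-30s site=%s" % (client, ftp.decide(client), site.decide(client)))
```

The FTP list is the restrictive shape (block by default, allow a few); the site list is the permissive shape the wiki recommends for web traffic (allow by default, block what you have evidence for). Keeping the reason with each rule is what makes the list reviewable months later, which is why the WCP form has a "reason" field.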

Install Software to Mitigate Attacks

For those that use CMS to manage their domains, it's preferred to download a plugin to help mitigate an attack. Below are some well known plugins for various CMS applications.

  1. WordPress - iThemes
  2. Joomla! - kSecure
  3. Magento - MageFirewall

Reseller Security Practices

Encrypt Client Data

For those that use a central domain to handle client transactions, it's best to make sure that whatever software you use is encrypted. The best practice for doing this is getting an SSL certificate installed wherever you host your software. You may also want to make sure that IP access to the software is limited to only those who directly need it.

To order an SSL click here.

VPS Security Practices

Lock Down Unused Ports

By default, all major VPS ports are open for initial ease of access, but it's highly recommended to close off the major ports so that they accept either no traffic or only limited traffic. You can do this in one of two ways: manually, or through our admin-level IPS filtering.

Manually

To manually lock down the ports in a Windows server:

  1. Go to the VPS Manager in WCP
  2. Click the Firewall Manager tool
  3. Click the pencil icon next to the major port
  4. Either restrict or close the port. If restricting the port, it will automatically add your local IP, but you will need to add any further IPs.
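Before clicking through the Firewall Manager it helps to know which ports are actually reachable from outside. The example below is added here and is not a Hostek tool: it reads the output of `netstat -an` as printed on Windows and reports which well-known service ports are bound to every interface (0.0.0.0 or [::]), as opposed to loopback only. The sample netstat text is constructed, and the set of ports treated as "major" is an assumption, since the wiki does not list them.

```python
# Assumption: the wiki does not list which ports count as "major"; this set covers
# the remote-administration and database services usually meant by that phrase.
MAJOR_PORTS = {21: "FTP", 22: "SSH", 1433: "MSSQL", 3306: "MySQL",
               3389: "RDP", 5432: "PostgreSQL"}

# Bind addresses that mean "every interface", i.e. reachable from the whole internet.
ALL_INTERFACES = {"0.0.0.0", "[::]", "*"}

# Constructed sample of `netstat -an` output as printed on Windows (not real server data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    [::]:3306              [::]:0                 LISTENING
  TCP    203.0.113.10:443       198.51.100.5:51234     ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""


def parse_listeners(text):
    """Return (proto, bind_host, port) for every listening socket in netstat output."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header lines, blank lines
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue  # established / time-wait sockets are not open doors
        host, _, port = local.rpartition(":")  # works for "[::]:3306" and "0.0.0.0:21"
        listeners.append((proto, host, int(port)))
    return listeners


def exposed_major_ports(text, major=MAJOR_PORTS):
    """Major ports bound to every interface: the ones to close or restrict first."""
    findings = {}
    for proto, host, port in parse_listeners(text):
        if host in ALL_INTERFACES and port in major:
            findings[port] = "%s (%s) listening on %s" % (major[port], proto, host)
    return dict(sorted(findings.items()))


if __name__ == "__main__":
    for port, note in exposed_major_ports(SAMPLE_NETSTAT).items():
        print("port %5d: %s -> close, or restrict to known IPs" % (port, note))
```

In the sample, MSSQL on 1433 is bound to 127.0.0.1 and is not reported, while MySQL on [::]:3306 is: an IPv6 wildcard bind is just as exposed as 0.0.0.0 and is easy to overlook when scanning the list by eye. Ports 80 and 443 are listening everywhere too, which is expected for a web server and why they are not in the major-port set.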

From Support IPS

To block major ports in IPS:

  1. Contact Support at support@hostek.com
  2. Give them your security question and answer, billing password, or the last 4 digits of your credit card
  3. Request to be placed in the PCI Compliance zone of the IPS (Note: This can be removed at any time with another ticket)

Install Anti Virus

By default, AVG and ClamAV are installed on Windows and cPanel servers respectively, but it's recommended to upgrade to a more capable antivirus product. We allow the installation of almost all major antivirus software, and can help with the installation if required.

Encrypt Outgoing Traffic

Like encrypting FTP and HTTP traffic, encrypting other forms of traffic such as SMTP is recommended, and can usually be handled by an SSL certificate.

To order an SSL click here.

Set Up Automated Updates

Most software installed on a server also has an automatic update feature, or at least a way to update it easily. Set up a scheduled task on Windows or a cron job in cPanel to automatically update all browsers, antivirus, and other essentials. Non-web-related software is just as vulnerable to attack as CMS applications.