Install a firewall and/or login failure tracker
You should always run a firewall allowing traffic only on ports that you use, i.e. HTTP, SMTP, IMAP/POP3. It is also good to run a daemon that keeps track of failed login attempts, and blocks these IP addresses at the firewall. ConfigServer Security & Firewall is an excellent piece of software that does both, and is free for personal use-
You should disable the local infile function, which will help to prevent against unauthorized reading from local files. This matters especially when new SQL Injection vulnerabilities in PHP applications are found. Add the following line to your /etc/my.cnf file under the [mysqld] section, and restart MySQL-
local-infile = 0
- Enable only the PHP modules that your sites require
- Disable risky PHP functions in php.ini, via a line such as "disable_functions=show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, ini_set"
- Use a PHP security module such as suhosin or mod_security
- Disable SSH logins as root user
- Allow only publickey logins for root or all SSH users (no password authentication)
- Change the port on which SSH runs on by editing /etc/ssh/sshd_config and restarting the SSH service. This will thrwart automated dictionary attacks on the standard port 22
- Only allow SSH protocol 2, 1 is outdated and insecure
- Use Apache 2.2 or later
- Run PHP as suPHP. This setting makes PHP run as the user that is using it. This makes abuse easier to track, and prevents a malicious script from affecting other user's accounts
- Set Server Signature to "Product Only". This way the server will not divulge the specific version of Apache it is running in error message or HTTP headers (WHM --> Apache Configuration)
- Only use Apache modules that your website or users need
- Do not use simply passwords, such as words you can find in a dictionary, or passwords less than 8 characters long. Try to include a mix of upper and lower case letters, as well as numbers in your password. Do not use the same password you use for your primary e-mail account as other services
- Make a password rotation schedule, such as every two weeks, monthly, etc, and stick to it
- Set the minimum password strength option in WHM to a value of at least 50 to keep users from setting easily crackable passwords
- Disable "Compiler Access" in "Security Center"
- Enable "Shell Fork Bomb Protection" in "Security Center"
- Set "Password Strength" in "Security Center" to a value of at least 50
- Always follow the security recommendations for hardening your installation when installing any PHP software
- ALWAYS check at least once a week to make sure you are running the latest version of any mainstream PHP software. Outdated versions tend to have security vulnerabilities that WILL get exploited eventually, resulting in lost data, defaced websites, SPAM being sent from accounts, service suspension, and malware warnings in browsers when people visit your site (which are a pain to get rid of)
- Set file permissions securely
- All directories should be 755 or 750.
- All files should be 644 or 640. Exception: configuration files (wp-config.php, configuration.php, config.php) should be 600 or stricter to prevent other users on the server from reading it.
- No directories should ever be given 777, even upload directories
- The above are the #1 reasons customer's websites get hacked
- Supplemental Information:
- There are numerous software packages available to scan and monitor your server and accounts for malicious content
- AVG for Linux
Backups, backups, backups
- Make backups, and make them often. Your web host is not repsonsible for backing up your information unless it is specifically included in your plan, or you pay for the service
- There are backup features standard in cPanel servers. You can make the download and store it on your home computer or workstation
- Make a backup right now, while we're on the subject
- Seriously, do it
- If you have a contact form, make sure it isn't easily exploited by bots. Use a captcha if possible
- Set an hourly e-mail limit per account in WHM/Tweak Settings. 500 should be more than sufficient for most accounts
- Use strong passwords for e-mail accounts
- Check your mail statistics once in awhile to see who is sending the most mail, and at what volume
- Some Linux installations include services which are rarely if EVER used in web hosting environments, and just add another layer of possible security holes
- These include cups, xfs, bluetooth, nfs, rpcidmapd, etc.
- Stop and disable these if you do not need them
Resources / Links