I wrote this up a while ago in reply to a thread, and mentioned I should turn it into a tutorial.
So here it is!
Everyone's worried about getting their tracking server hacked - and it's something you should worry about. But fortunately there are some very simple steps you can take to make it much, much harder to hack your system.
Make Sure You Have A Really Secure Password
Job #1 is to make sure you have a secure password. Your password should be UNIQUE (don't use it anywhere else), long (over 10 characters minimum, preferably over 15), and non-obvious.
Ideally, use a password generator like LastPass. Failing that, you can generate a pretty darn secure password by using three to five dictionary words chosen randomly (or as randomly as you can) with random numbers in between them.
Did I mention DON'T USE THIS ANYWHERE ELSE? If you use your tracker password ANYWHERE else, you massively increase the chances of getting hacked.
Run No Other Complex Software
Your server with your tracking software on it shouldn't have any other complex software running and exposed to the Web. Landing pages are fine, but do not, repeat do not, run anything like WordPress on the same box. The more pieces of complex software you have on your system, the more chance someone will find a way in.
The absolute #1 culprit for this is an out-of-date WordPress install, but Rails, forum software, and pretty much anything else with more than 100 lines of code to it are vulnerable. Your tracker, simple landing pages, and nothing else are your best approach.
Don't Use FTP
FTP is straight-out not secure, and there's no reason to use it these days. Use SFTP/SCP, which is encrypted and much, much safer.
You can use Filezilla for SFTP, and it works just like FTP.
Make sure you're not running an FTP server on your web server, too. Them Things Ain't Safe.
Server-Specific Stuff
Apache: You should definitely follow this thread and this one too.
LiteSpeed: LiteSpeed is pretty secure by default.
Nginx: Nginx is also pretty secure by default, but some versions have a whacking great vulnerability. If you're on 1.39 or 1.40 of Nginx, get the hell off it and upgrade to 1.41 or 1.50. It's not very difficult to compromise 1.39 or 1.40 of Nginx.
Beyond that, here's a Big List of Security Tweaks for Nginx, and an equally big list for Apache.
Check For Vulnerabilities
One thing I'd recommend for most people is to find out what software you're running on your server - Web server program, version of PHP, FTP server if you're running one (pro tip - don't. SFTP is better and safer), database. Find out what versions you have, then every so often Google for "name of software version number vulnerability". If you find anything that sounds worrying, contact your server admins and politely ask if this could be a problem! Or, if you installed it yourself, upgrade everything whenever a vulnerability is found.
If There's Serious Money On The Line, Hire A Professional
If you're running serious volume, you should almost certainly hire a professional security person to do an audit on your system - basically, once their fee will be less than a couple of days of your profits. They can do things like install IPTables, patch obscure vulnerabilities, and really protect your assets.
Hope that was useful! If you have any more security tips, suggestions or questions - or if you think something in here is wrong or don't understand something - please do let me know below!
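As an added example (not part of the original post), here is the password advice from the first section turned into working Python: words are chosen with the `secrets` CSPRNG with random numbers between them, the entropy of the result is estimated, and a small policy check applies the post's three rules (unique, over 10 characters and preferably over 15, non-obvious). The 32-word list is constructed for the example and is far too small for real use; the `known_reused` argument is a hypothetical set of passwords you already use elsewhere.

```python
import math
import secrets
import string

# Constructed sample word list for the example only. A real list should have
# several thousand entries; 32 words give just 5 bits of entropy per word.
WORDLIST = [
    "anchor", "basket", "candle", "dragon", "engine", "falcon", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "magnet", "needle", "orange", "pepper",
    "quartz", "rabbit", "saddle", "timber", "umpire", "violin", "walnut", "yellow",
    "zipper", "bridge", "copper", "desert", "forest", "glider", "harbor", "meadow",
]


def estimate_entropy_bits(n_words, wordlist_size, digit_range=100):
    """Entropy of n_words random words joined by n_words-1 random numbers
    drawn from [0, digit_range). Word and number choices are independent,
    so the bits simply add up."""
    return n_words * math.log2(wordlist_size) + (n_words - 1) * math.log2(digit_range)


def generate_passphrase(n_words=4, wordlist=WORDLIST, digit_range=100):
    """Three to five dictionary words with a random number between each pair,
    chosen with the CSPRNG in `secrets` rather than `random`."""
    if not 3 <= n_words <= 5:
        raise ValueError("the post recommends three to five words")
    parts = []
    for i in range(n_words):
        parts.append(secrets.choice(wordlist))
        if i < n_words - 1:
            parts.append(str(secrets.randbelow(digit_range)))
    return "".join(parts)


def check_password_policy(password, known_reused=()):
    """Return the problems the post's rules flag; an empty list means it passes.
    `known_reused` is a hypothetical collection of passwords used elsewhere."""
    problems = []
    if password in known_reused:
        problems.append("reused: this password is used somewhere else")
    if len(password) <= 10:
        problems.append("too short: must be over 10 characters")
    elif len(password) < 15:
        problems.append("shortish: prefer over 15 characters")
    lowered = password.lower()
    if lowered in WORDLIST or lowered.rstrip(string.digits) in WORDLIST:
        problems.append("obvious: a single dictionary word (plus digits)")
    return problems


if __name__ == "__main__":
    pw = generate_passphrase()
    bits = estimate_entropy_bits(4, len(WORDLIST))
    print(pw, f"({len(pw)} chars, about {bits:.1f} bits)", check_password_policy(pw))
```

The entropy figure is the honest measure of strength: four words from this toy list plus three two-digit numbers come to roughly 40 bits, which is why the word list size matters more than the length of the string it produces.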
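As a second added example (again not part of the original post), here is the "Check For Vulnerabilities" step as a small Python inventory script: it parses the version banners that `nginx -v`, `php -v`, `mysqld --version` and similar commands print, builds the "name version vulnerability" search queries the post suggests, flags any FTP server it sees, and compares each version against an advisory table. The banners and the advisory table are constructed for the example; the nginx entry reads the versions the post names as 1.3.9 to 1.4.0 with a fix in 1.4.1, which is an assumption about the post's numbers, and the PHP entry is a pure placeholder. Fill the table from vendor advisories before relying on it.

```python
import re

# Products the inventory recognises in a version banner. Letters on either side
# are excluded with lookarounds rather than \b so that "OpenSSH_5.9p1" still matches.
PRODUCT_RE = re.compile(
    r"(?<![A-Za-z])(nginx|apache|php|mysqld?|openssh|proftpd|vsftpd|pure-ftpd)(?![A-Za-z])"
    r"[^\d]{0,20}?(\d+(?:\.\d+)+)",
    re.IGNORECASE,
)
NAME_ALIASES = {"mysqld": "mysql"}
FTP_SERVERS = {"proftpd", "vsftpd", "pure-ftpd"}

# Constructed advisory table: product -> list of (first affected, last affected, fixed in).
# Illustrative only; the real entries come from the vendors' advisories.
ADVISORIES = {
    "nginx": [((1, 3, 9), (1, 4, 0), (1, 4, 1))],   # assumed reading of the post's numbers
    "php": [((5, 3, 0), (5, 3, 9), (5, 3, 10))],    # placeholder range
}

# Constructed sample banners, as the version commands would print them.
SAMPLE_BANNERS = [
    "nginx version: nginx/1.4.0",
    "PHP 5.4.3 (cli) (built: May  8 2013 12:00:00)",
    "ProFTPD Version 1.3.4a (stable)",
]


def fmt(version):
    return ".".join(str(p) for p in version)


def parse_banner(banner):
    """Return (product, version tuple) from a banner line, or None if unknown."""
    m = PRODUCT_RE.search(banner)
    if not m:
        return None
    name = m.group(1).lower()
    version = tuple(int(p) for p in m.group(2).split("."))
    return NAME_ALIASES.get(name, name), version


def search_queries(banners):
    """The 'name of software version number vulnerability' searches the post suggests."""
    queries = []
    for banner in banners:
        parsed = parse_banner(banner)
        if parsed:
            queries.append(f"{parsed[0]} {fmt(parsed[1])} vulnerability")
    return queries


def check_inventory(banners, advisories=ADVISORIES):
    """Compare each parsed banner against the advisory table and the no-FTP rule."""
    findings = []
    for banner in banners:
        parsed = parse_banner(banner)
        if parsed is None:
            findings.append(f"unrecognised banner: {banner!r}")
            continue
        product, version = parsed
        if product in FTP_SERVERS:
            findings.append(f"{product} is an FTP server; switch to SFTP/SCP and stop it")
        for first, last, fixed in advisories.get(product, []):
            # Tuple comparison handles 1.4 vs 1.4.0: a shorter prefix sorts first.
            if first <= version <= last:
                findings.append(
                    f"{product} {fmt(version)} is in the affected range "
                    f"{fmt(first)}-{fmt(last)}; upgrade to {fmt(fixed)} or later"
                )
    return findings


if __name__ == "__main__":
    for q in search_queries(SAMPLE_BANNERS):
        print("search:", q)
    for f in check_inventory(SAMPLE_BANNERS):
        print("finding:", f)
```

On a real box you would feed it the output of the version commands (for example `nginx -v 2>&1`, `php -v`, `apachectl -v`) instead of the constructed list; a banner the regex does not recognise is reported rather than silently skipped, so nothing you run drops out of the inventory unnoticed.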
Another tip that would have saved me in the past: put each domain on a separate cPanel account. So if they get access, they will be confined to just that account.
Damn good tip. I tend to forget that cPanel exists! If you use it, definitely secure it as bbrock32 and Tyler recommend.
Great stuff, just what I needed. Time to get to work! 
@Caurmen "Make sure you're not running an FTP server on your web server, too. Them Things Ain't Safe." Can I turn off the FTP server from the WHM?
Yep, you can: http://forums.cpanel.net/f34/stop-st...el-121553.html
If you don't have access to SFTP, you can also use this to only turn your FTP server on when you need it.
Use SSL on your server. That way your credentials go encrypted over the wire. Use a self-signed certificate to do this since they are free.
Good tips! I've been hosed twice due to WordPress; it's forever been banished to its own shared hosting account.
I find SFTP to be fcking slow compared to FTP. That's why I still use FTP with SSH authentication.
My webserver is Cherokee.
My server was deleted today by some hackers. Luckily I have a backup and will restore with not much data loss. Where do you recommend I find a professional to have a look at security holes on my server?
How exactly did they 'delete' your server?
You should talk to your host and figure out how that happened first.
For security hardening you can find someone on odesk/elance etc.
Good idea for a thread!
Other tips for those running with in-house management:
- Ramnode has light protection, OVH is a bit better, and there are some others too.

^^ Agree on all points.
If you're only running a click-tracking system and/or landers there really is very little that the server needs to do, and consequently it is very easy to lock it down.
If it's all sorted you can even disable SSH altogether and just re-enable it via the backup console typically supplied.
A lot of those tips in the Nginx guide are seriously overkill. Regular backups to Amazon Glacier/similar and backing up LPs regularly to git, and you're ready to create a new server in minutes if (or when) you get hacked. Locking down your server like a CIA website isn't necessarily appropriate for affiliates. Definitely no FTP though.
^^ those changes take minutes to apply :-)