
Securing your site and all your hard work

Discussion in 'Black Hat SEO' started by kazumasama, Mar 12, 2012.

  1. kazumasama
    Greetings BHW members! I have seen a few unfortunate members who have had the pleasure of getting hacked and losing all their hard work, which equals money lost (nope, I'll pass). I wanted to share some settings and ideas that I use to protect my own site to try and help the less security-savvy from losing money, as well as their hard work.

    These are for Linux servers and WHM/cPanel servers. I will make one for Windows servers in a later post.

    Server side:
    1.) If you have it and can afford it, force-redirect your site to SSL with your .htaccess file. An encrypted connection is safer (for the most part) and more trustworthy.

    2.) Firewalls I use: Mod Security (Mod_Sec) and ConfigServer Security & Firewall (CSF). Mod Security for the SQL and JavaScript injection protection, and CSF for the brute-forcing and port control. Both are free and open source as well as highly configurable.

    3.) Disable root logins from SSH. Instead create a user, SSH in as that user, then switch to root if needed.

    4.) Switch your SSH port. Keeps the bots at bay because they can't find SSH on the default port 22. Also keeps your blacklist from getting really big from these bots. (cough cough China)

    5.) Install and create cronjobs for Malware Detect (Maldet) and ClamAV anti-virus software that will email you if it finds something suspect. These are also free and open source.

    6.) Don't have insecure permissions like 777. Enough said here. If you have something that won't work without the 777 permission, check your error log, find out why and fix that problem. Don't just give it 777 permissions, as you are welcoming a possible hack depending on what is 777'd.

    7.) Remember to update. Updates are usually there to fix errors or vulnerabilities, not because they like irritating you (although sometimes I wonder lol). If you have a lot to do, like say across (30) WordPress sites, see if you can make a script to do them all at once.

    WHM/cPanel Side:
    1.) Enable mod_userdir Protection:
    "Apache's mod_userdir allows users to view their sites by entering a tilde(~) and their username as the uri on a specific host."

    2.) Enable open_basedir Tweak
    "PHP's open_basedir protection prevents users from opening files outside of their home directory with php."

    3.) cPHulk Enable
    Blocks IPs and sends them to the blacklist for trying to brute force your WHM or cPanel password.

    4.) Disable Anonymous FTP Uploads
    Pretty self explanatory why this is a good idea.

    5.) Create Strong Passwords
    I usually try to pick something that is at least (10) characters long, has a variation of upper & lowercase letters, includes numbers & special characters.

    This is just a good start to some good, basic, security settings that I hope can help someone who is not-so-savvy in the security department. Losing money and hard work is never fun, especially when it can be prevented. Take care! :D
     
  2. ihsan2all
    Nice post.

    It seems you have a great background in security settings.
     
  3. Kosher1
    Nice post man.
     
  4. hypefrenzy
    Very nice suggestions. This is an area many admins tend to neglect. It is very important to keep on top of server security. IM is a business and it should be protected like any other business.
     
  6. scorpion896
    Nice share, thanks for the tips!
     
  7. savvypro
    Just to add to what has been said...

    For point 3: if you have the ability to disable root logins via SSH, then use SSH encryption keys instead of just passwords.

    Use Sudo, so that the root user is used as little as possible.

    Changing the SSH port to a non-standard port is OK, but a better option is port knocking. And an even better option is an out-of-band port knock.

    Disable everything not in use. The easiest way to do this is to have a bare install, where you then add only what you need. This means fewer things to monitor, and the things that are on the box are the things you put there.

    Don't just block inbound ports, block all ports in and out that are not in use.

    A useful feature of SSH is the ability to forward ports through SSH. This means you can block inbound access from the Internet to the control panel port, but still have access via SSH.

    A better option is: don't use a control panel; you will then have one less security vector to worry about.


    Probably the most important:

    4. Do not use FTP (passwords are in the clear). Use SFTP (Secure FTP). Why even bother with securing everything, if you then end up using FTP.
     
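An audit script added here as an example (it is not from kazumasama's or savvypro's posts) that checks the server-side list above, points 1, 3, 4 and 6, plus savvypro's keys-only addition, against files you pass in; the sshd_config, .htaccess and directory it creates are constructed sample inputs for the demo.

```shell
# Audit helpers for this thread's checklist: root SSH login off, non-default
# SSH port, key-only logins, no 777 permissions, HTTPS redirect. Read-only.
# Effective value of an sshd_config keyword: as in sshd, the first uncommented
# occurrence wins and keywords are case-insensitive (Match blocks not handled).
sshd_option() {  # sshd_option <sshd_config> <keyword>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key && !seen { val = $2; seen = 1 }
        END { print val }' "$1"
}
# Succeeds only if root login is off, the port is not 22 and password
# logins are off (keys only). Missing keywords count as sshd defaults.
check_sshd() {  # check_sshd <sshd_config>
    root=$(sshd_option "$1" PermitRootLogin)
    port=$(sshd_option "$1" Port)
    pw=$(sshd_option "$1" PasswordAuthentication)
    [ "$root" = "no" ] && [ "${port:-22}" != "22" ] && [ "$pw" = "no" ]
}
# Print every file or directory under a path whose mode is exactly 777.
find_777() {  # find_777 <dir>
    find "$1" -perm 0777 -print
}
# Succeeds if an .htaccess forces HTTPS: RewriteCond on HTTPS off, then a
# RewriteRule that sends visitors to an https:// URL.
check_ssl_redirect() {  # check_ssl_redirect <.htaccess>
    grep -Eiq '^[[:space:]]*RewriteCond[[:space:]]+%\{HTTPS\}[[:space:]]+(off|!on)' "$1" &&
    grep -Eiq '^[[:space:]]*RewriteRule[[:space:]].*https://' "$1"
}
# Constructed sample inputs (not files from a real server) so this runs
# stand-alone; point the functions at /etc/ssh/sshd_config and your
# document root instead.
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
# Port 22
Port 2222
permitrootlogin no
PasswordAuthentication no
EOF
cat > "$demo/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
EOF
mkdir -p "$demo/site/uploads"
chmod 0755 "$demo/site"; chmod 0777 "$demo/site/uploads"
check_sshd "$demo/sshd_config" && echo "sshd: ok, port $(sshd_option "$demo/sshd_config" Port)"
check_ssl_redirect "$demo/.htaccess" && echo "htaccess: HTTPS redirect present"
echo "777 paths:"; find_777 "$demo/site"
```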
  8. kvmcable
    All very good points, although I prefer CSX anti-virus to the free ones. Same reason I prefer Kaspersky to the freebies for desktops.

    One more thing I might add is HAC if you're running a dedi. I call this the CYA in case they get past everything else. Host Access Control allows you to lock down features to known IP addresses. Because I own and run my own dedis, and on many of them I have no clients, I lock down WHM, MySQL, SSH and FTP to my office and work IP addresses. So even if someone in my organization gets a trojan and leaks login credentials, the hacker has to be hacking from one of my allowed IP addresses. I block all other IPs from these services.

    HAC is basically a .htaccess block that no one can circumvent. One precaution is to make damn sure you set up a proxy or two in case some real shit hits the fan and all your local IPs get changed in one swoop. A private proxy IP in your HAC will allow you to access your server to update all your new IPs if all your local ones get changed without warning. We have Verizon (Frontier) and these SOBs have done territory IP changes 3 times in the last month. My home and store are 30 miles apart and 3 times both have changed on the same evening without warning in the last month. If I didn't have a proxy IP set up I would have been screwed, blocking myself out of my own dedis.

    Anyhow if you want a last line of defense use HAC.
     
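Added example, not kvmcable's own setup: a script that audits a hosts.allow / hosts.deny pair (the tcp_wrappers files behind cPanel's Host Access Control) for the proxy-IP fallback he describes, flagging any locked-down service that would lock you out if your local IPs changed. The daemon names and addresses in the sample files are assumed values constructed for the demo.

```shell
# Audit hosts.allow / hosts.deny for the HAC lockout trap: every locked-down
# service must also allow the fallback (proxy) address, and hosts.deny must
# close the service to everyone else.
# Print the client patterns hosts.allow grants to a daemon, one per line.
# Rules naming the daemon or ALL count; comments are skipped and
# backslash continuation lines are not handled.
allowed_clients() {  # allowed_clients <hosts.allow> <daemon>
    awk -F: -v d="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            n = split($1, ds, /[ \t,]+/); hit = 0
            for (i = 1; i <= n; i++) if (ds[i] == d || ds[i] == "ALL") hit = 1
            if (!hit) next
            m = split($2, cs, /[ \t,]+/)
            for (i = 1; i <= m; i++) if (cs[i] != "") print cs[i]
        }' "$1"
}
# Succeeds if the fallback address is among the daemon's allowed clients.
has_fallback() {  # has_fallback <hosts.allow> <daemon> <fallback-ip>
    allowed_clients "$1" "$2" | grep -qxF "$3"
}
# Succeeds if hosts.deny has "<daemon> : ALL" or "ALL : ALL", so the
# allow list is the only way in.
denied_by_default() {  # denied_by_default <hosts.deny> <daemon>
    awk -F: -v d="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        ($1 == d || $1 == "ALL") && $2 == "ALL" { found = 1 }
        END { exit !found }' "$1"
}
# Report which check fails for each locked-down daemon; returns 1 if any did.
audit_hac() {  # audit_hac <hosts.allow> <hosts.deny> <fallback-ip> <daemon>...
    allow=$1; deny=$2; fb=$3; shift 3; rc=0
    for d in "$@"; do
        has_fallback "$allow" "$d" "$fb" || { echo "$d: fallback $fb missing (lockout risk)"; rc=1; }
        denied_by_default "$deny" "$d" || { echo "$d: not denied by default"; rc=1; }
    done
    return $rc
}
# Constructed sample files using documentation addresses; daemon names are
# assumed. ftpd deliberately lacks the fallback so the audit flags it.
demo=$(mktemp -d)
cat > "$demo/hosts.allow" <<'EOF'
# office, home and the fallback proxy
sshd, whostmgrd : 203.0.113.10, 198.51.100.7, 192.0.2.99
ftpd : 203.0.113.10
EOF
printf 'ALL : ALL\n' > "$demo/hosts.deny"
audit_hac "$demo/hosts.allow" "$demo/hosts.deny" 192.0.2.99 sshd whostmgrd ftpd || echo "fix hosts.allow before relying on HAC"
```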
  9. benjackson
    Sounds like you know your stuff, I'll pass it on to my tech guy.
     
  10. kazumasama
    I'm glad that these helped! Also thanks to savvypro and kvmcable for the extra information!