Security Tips
Posted by Erin
If you run a forum or use a CMS that allows users to upload pictures or other files, make sure that only registered and verified users can upload files. Make sure that your application can detect file types and only allow images (or PDFs for documents).
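One way to implement the file-type check this tip describes, as an added example that is not part of the original post: an upload is accepted only if its leading bytes (magic numbers) match an allowed image or PDF signature and the extension agrees with that type. The function names, signature table and sample uploads are all assumptions; a signature check is a first gate, not a full parse of the file.

```python
from typing import Optional, Tuple

# Magic-number signatures for the only types the tip allows.
SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
    "application/pdf": [b"%PDF-"],
}

# Extensions each detected type may legitimately carry.
ALLOWED_EXTENSIONS = {
    "image/png": {"png"},
    "image/jpeg": {"jpg", "jpeg"},
    "image/gif": {"gif"},
    "application/pdf": {"pdf"},
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None."""
    for mime, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when content signature and extension agree on an allowed type.
    Neither the extension nor a client-sent Content-Type is trusted on its own."""
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "content is not an allowed image or PDF"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS[sniffed]:
        return False, f"extension .{ext} does not match detected {sniffed}"
    # Some server configurations map a name like photo.php.jpg to a script
    # handler, so refuse names with more than one dotted segment.
    if "." in filename[: -(len(ext) + 1)]:
        return False, "multiple extensions are not allowed"
    return True, sniffed


# Constructed sample uploads (not real files): a minimal PNG header and a
# script file that was simply renamed with an image extension.
SAMPLES = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "avatar.jpg": b"<?php echo 'not an image'; ?>",
}
```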
If you’re using a CMS (like WordPress!) make sure you update it as soon as possible when a new version is released. This will ensure that any security vulnerabilities found in the previous version won’t be exploitable on your site.
FTP login credentials are passed in plain text, so anyone with a network eavesdropping tool can grab your login ID and password. If your server allows for it, you can turn on FTPS (aka FTP-over-SSL/TLS); however, you need to make sure your firewall can be configured to open a range of ports for the data connections.
SFTP (aka Secure FTP) is supported by several newer FTP clients such as FileZilla. It uses the SFTP server built into most SSH server implementations to transfer files. Another option would be to use WebDAV over HTTPS to upload files.
Both POP3 and IMAP pass login credentials in plain text as well. Using the SSL-enabled versions of these email protocols will keep your account safe from being spied upon or used to send spam.
If your server is running Apache to serve web sites, ModSecurity is a must. It protects web applications against a range of attacks like SQL injection, remote inclusion, PHP application exploits, cross-site scripting, defacing tools, and rootkits.
If you have a cPanel/WHM server, turn off the non-SSL cPanel, WHM, and webmail ports or redirect them to the SSL-enabled ports. This option is in “Tweak Settings” in WHM. “Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.”
The cPanel / WHM hosting control panel system has a random password generator built into its latest versions. A good password is at least 8 to 10 (or more) characters, containing upper and lowercase letters, numbers, and special symbols like !@#$% in a random combination with no recognizable words. It’s OK if you need to write your password down. Just make sure you store that note in a safe place. Don’t store password lists in a file on your computer. Lastly, change your passwords often. Many corporate organizations and banks require password changes every 60-90 days, for good reason.
A good webhost keeps backups for disaster recovery purposes, because servers, just like other machines, can and do have catastrophic failures. If your host offers it, sign up for extra backup protection. Also, choose one day every week to create and download a backup of your critical files and databases, then burn them to CD/DVD (if feasible). This is so that if the unthinkable happens (it will) and your host’s backup is not available, corrupted, or too old, you will still be protected.
A great majority of my time at work lately has been spent scrubbing iframe and JavaScript injections out of websites. Basically what happens is this:
1) A user without (or with outdated) anti-virus/spyware protection visits an infected website. This website contains code that loads an attacker’s website in the background in their browser.
2) Malware is downloaded from the attacker’s website and installed on the user’s computer.
3) The malware installs spyware (often disguised as a fake anti-virus tool) on the user’s computer.
4) The spyware records the user logging into their website via FTP.
5) The spyware sends the login data to the attacker, who uses this to inject JavaScript or iframe exploits into the user’s website.
6) The user’s website is now infected, and their visitors are at risk.
Ad-aware, Spybot Search & Destroy, and Malwarebytes are a few tools that can be used to help keep Windows-based workstations clean of spyware.