Despite the advancement of cloud and web hosting security, the number of cyber attacks continues to grow at an amazing rate.
Why? Hackers love to target ecommerce. The double-digit growth of ecommerce in 2014 and the general proliferation of ecommerce, meant that its primary target for hackers.
Hackmageddon cyber attacks timeline of November shows that ecommerce and retail websites still lead in number of attacks, with touristic and oil and gas targets following behind. As the underlying infrastructure of websites, your hosting environment is clearly the major factor in defending against these attacks.
With VPS hosting being a preferred solution in the ecommerce and business segments, another look on how it could be made more secure might be useful. When rented from reliable providers, a VPS is typically a great resource in terms of both security and price, but the in-house teams are still in charge of most critical areas.
The primary step to creating stable hosting environment is to regulate server configuration and management roles. Upon receiving the access to the VPS server, it is crucial for the administrators to set usernames and passwords for all the accounts used to manage it.
Generating strong passwords and defining username conventions are some of the initial activities IT administrators should regulate in environments where multiple persons are allowed to access the server.
On linux-based servers, different users can be assigned the roles of sudoers, while on Windows-based hosting this is done by adding users to Remote Desktop Groups.
Here, you should make sure you remove remote access from default admin accounts to minimise the options of unauthorized access. This way, only the accounts with sufficient permissions would be able to manage critical areas.
To allow access to the server only from particular locations or ports, you should run a firewall that would monitor traffic and control remote access. Although many users wouldn’t have the option to set the access only for a particular IP or remote access service, some may decide to enable access worldwide in order to get the opportunity to manage it via multiple devices and from different locations.
A useful tool for managing server security and firewall settings is ConfigServer Security and Firewall, which offers multiple security options. Namely, the software includes SPI iptables firewall script, daemon process that monitors login authentication failures, SSH and SU login notifications, as well as some other features intended to facilitate related processes in complex environments.
The developers also offer extensive user guides as well as technical support, which simplifies implementation and maintenance of the tool.
Another critical step to preventing malevolent attacks is to secure MySQL system so as not to allow hackers to read server databases. Although the traffic between MySQL client and the server is secure, all the information is transferred as text and is therefore readable by anyone who potentially sniffs the traffic.
Therefore, the process of securing MySQL system should include the following:
– All MySQL accounts are accessed via strong passwords (minimum 10 characters, mixture of upper/lower, numbers, syntax characters)
– MySQL server should never be run as the Unix root user because this way any user with file privileges may become able to create files as root
– Manage file privileges efficiently, i.e. do not grant them to anyone other than admin users. This also goes for other privileges such as process and super.
– For additional safety, consider the complete list of security steps for MySQL that is available here.
Webserver and PHP configuration
There are different techniques to help you protect the server from malicious activities, and the most important thing here is to know exactly what the major threats for your organisation are. Some of the most widely used web servers, Apache or Nginx all have their own features that should be configured to follow the general security practices of the organisation.
Regardless of the server you use, however, you may want to disable different methods or indexing properties to ensure maximum control over the traffic your server transmits.
With PHP, on the other hand, the key security features should be set after checking for insecure PHP configurations. One of the ways to do so is to use a script such as PHP Secure Configuration Checker or pcc, which assesses the state of php.ini and other related topics.
Since the attacks most frequently happen via vulnerable database configurations and file upload systems, these should be the first ones for security professionals to regulate and make hacker-proof. Some of the steps include exploring built-in modules, restricting information leakage, logging PHP errors and minimising loadable PHP modules.
Regardless of the panel you use to manage your hosting environment, there are several settings you need to add to make sure your databases are managed securely. Since hosting panels is the tool multiple users are likely to have access to, it is yet again important to generate strong passwords and precisely define user roles.
Some of the software tools that should be run in WHM/cPanel are firewall, anti-virus and anti-rootkit, while the additional settings such as spam protection and database backups could be managed using the corresponding options within the panel.
Additionally, you may want to revise FTP server configuration in order to disable anonymous FTP access and make sure you use the version 2 of Secure Shell (SSH). With continuous system monitoring, you will be up to date with the most recent changes such as account creation, software installations or other updates, which enables you to react on time in case any suspicious activity is detected.
Much of the VPS security depends on the organization’s in-house security or IT team, which is why it is essential that all the necessary steps are taken to prevent unauthorized or fraudulent access.
In larger organisations that run multiple websites or different kinds of applications, this can be tougher to manage due to the general complexity of the environment. However, if all the key server properties are properly set, the risks of data breaches could be minimised.