A server is connected to the outside world and is open to a variety of attacks and exploits due to this. Some server security best practices can go a long way in ensuring your server does not fall victim to an attack.<\/p>\n\n\n\n
A new server comes with the latest versions of software. This can help with previously found security risks. Security is an evolving process and you’ll want to follow these best practices to make sure your server is secure.<\/p>\n\n\n\n
Although some of the information applies to shared, Reseller hosting<\/a>, VPS, and Dedicaed plans. In order to follow some of these guidelines you would need to have root access<\/a> first on your server.<\/p>\n\n\n\n The first line of defense for most services that run on your server will be the password strength<\/a> of your passwords.<\/p>\n\n\n\n Ensure that you are always using a strong password for anything that accesses your server. Don’t let these important credentials just lay around for anyone to see.<\/p>\n\n\n\n If you have root access<\/a> on your server, if an unauthorized user logs into your server via the root user, this can be very bad. Sometimes this requires an evacuation to a new server to ensure nothing malicious was left behind.<\/p>\n\n\n\n Limit server access to only those that need it with the iptables firewall available on most Linux servers.<\/p>\n\n\n\n The default APF (Advanced Policy Firewall)<\/a> allows easy management of your iptables rules. There is also the more advanced CSF (ConfigServer Firewall)<\/a> that also controls your iptables but has a more robust feature set.<\/p>\n\n\n\n One common thing to do is close open ports in your server firewall<\/a>. That way only the ports your server need to communicate to the outside world on will be accessible.<\/p>\n\n\n\n You can also enable cPHulk brute force protection<\/a> on your server to automatically block users that repeatedly try to login with invalid credentials to various services.<\/p>\n\n\n\n <\/a><\/p>\n\n\n\n APF or Advanced Policy Firewall should be installed on your server by default. APF allows for easy management of your iptables firewall rules for things such as opening ports in your firewall<\/a>.<\/p>\n\n\n\n Add IP to allowed hosts:<\/p>\n\n\n\n Block IP from server:<\/p>\n\n\n\n Unblock a blocked IP:<\/p>\n\n\n\n Block IP ranges:<\/p>\n\n\n\n Note recommended:<\/p>\n\n\n\n Recommended way to block IP range from accessing port 80:<\/p>\n\n\n\n CSF or ConfigServer Firewall is also allows for easy iptables management. CSF is more recent and a bit more robust than APF. It allows for temporary blocking of IPs, and has both SYN flood protection to help against SYN flood DDoS attacks, as well as LFD which is the built-in module that deals with brute-force login protection.<\/p>\n\n\n\n Allow an IP:<\/p>\n\n\n\n Temp allow an IP:<\/p>\n\n\n\n Block an IP:<\/p>\n\n\n\n Temp block an IP<\/p>\n\n\n\n Unblock a permanent blocked IP:<\/p>\n\n\n\n Unblock a temporary blocked IP:<\/p>\n\n\n\n List temporary blocked IPs and durations:<\/p>\n\n\n\n Remove all temporary IP blocks:<\/p>\n\n\n\n Log all SYN packets from an IP:<\/p>\n\n\n\n CSF’s SYN flood protection counts the number of SYN packets of each TCP connection, if it hits the default limit of 10 per second it will close the connection. This should free the network tables on the server from maintaining a bunch of half-open connections which could lead to additional connections to the server being denied.<\/p>\n\n\n\n To enable CSF SYN flood protection while a suspected attack is going on:<\/p>\n\n\n\n Then add this:<\/p>\n\n\n\n Run this command to restart CSF:<\/p>\n\n\n\n When the attack stops, disable the SYN flood protection so you don’t accidentally block legitimate connections.<\/p>\n\n\n\n By default all outbound ports are blocked. To disable this you can open the range [1:65535] in the following file:<\/p>\n\n\n\n Port ranges are separated by colons 1:100<\/strong> in the following areas: TCP_IN<\/strong>, UDP_IN<\/strong>, UDP_OUT<\/strong>, and TCP_OUT<\/strong>.<\/p>\n\n\n\n You can enable the LFD brute force protection by editing:<\/p>\n\n\n\n Then adding this:<\/p>\n\n\n\n You can use the LF_*<\/strong> settings down further in the file to set the login limits for each service on the server.<\/p>\n\n\n\n When an IP has a packet dropped, it should be logged to:<\/p>\n\n\n\n Example dropped packet message:<\/p>\n\n\n\n Log key:<\/p>\n\n\n\n In order to install CSF, the first thing you’d want to do is remove the APF installation on your server first:<\/p>\n\n\n\n InMotion Hosting customers:<\/p>\n\n\n\n On any server:<\/p>\n\n\n\n In some cases CSF might lock out your access to the server. If this happens, you should be able to log into WHM and navigate to ConfigServer Security & Firewall<\/strong>, and temporarily disable CSF\/LFD so you can log back in.<\/p>\n\n\n\n You should review website access logs for unwanted activity and to block unwanted users from your website<\/a> if you find any. Blocking bad users at the website level is a good step before blocking them in your server’s firewall.<\/p>\n\n\n\n We have an entire section dedicated to keeping tabs on server usage<\/a> and for ways of finding and taking care of malicious activity that you will probably want to review and bookmark.<\/p>\n\n\n\n If you are using a CMS such as WordPress to run your website, make sure you’re protected from things like a WordPress Brute Force attack<\/a> so you admin dashboard is safe as well.<\/p>\n\n\n\n To securely connect to your server directly, you can use SSH<\/a> (Secure Shell) which encrypts your data.<\/p>\n\n\n\n By default, no outside IP addresses will be allowed to connect via SSH to your server for better security. So you will first want to add your IP to the server firewall<\/a> so that you are able to connect.<\/p>\n\n\n\n When working with files on your server especially from a shared network, it’s important to encrypt your login credentials so they are not passed in clear-text. You can also always disable FTP clear\/plain-text authentication<\/a> server-wide to force everyone connecting to your server to use a secure protocol.<\/p>\n\n\n\n You can use the underlying SSH technology to securely connect over port 22 on the server with SCP and SFTP<\/a>.<\/p>\n\n\n\n You can also securely use FTP over SSL with the FTPS<\/a> protocol.<\/p>\n\n\n\n On a server some common applications you might access would be cPanel<\/strong>, WHM<\/strong>, and webmail<\/strong>. Each service can be connected to securely so you’re not transmitting any plain-text data between your computer and the server.<\/p>\n\n\n\n These default server application’s can be accessed from any web-browser and pass credential data in plan-text when accessed from one of these insecure URLs:<\/p>\n\n\n\n To access these same services on your server over https<\/strong>, so that your credentials are encrypted and transmitted securely you would use these URLs:<\/p>\n\n\n\n You can login to WHM<\/a> and then navigate to Tweak Settings > Redirection<\/strong> and turn on Always redirect to SSL<\/strong> to force all cPanel applications to use https<\/strong> by default.<\/p>\n\n\n\n If you didn’t buy a SSL certificate for your server, you might get a self-signed SSL certificate warning<\/a> which is fine, your connection is still encrypted.<\/p>\n\n\n\n Anytime you install another application on your server, which could be as simple as a PHP script you’ve uploaded. You could possibly be opening up a way for attackers to get into your server.<\/p>\n\n\n\n Always make sure that any application you’re using on your server is locked down with at least a username and password, and if possible try to access those applications via a secure login form over https<\/strong>.<\/p>\n\n\n\n It’s recommended to follow the PCI DSS (Payment Card Industry Data Security Standard) guidelines for server security as well. These are the requirements that your server must meet security wise in order to pass a PCI scan, which allows you to accept credit cards and store that information directly on your server securely.<\/p>\n\n\n\n In some cases the security recommendations could be overkill for general purpose websites. But when it comes to the security of your server it’s always better to be safe than sorry. You can look at our article on how to pass PCI compliance scans<\/a> for more information on the common things you can do to help further secure your server.<\/p>\n\n\n\n The most common way that a server’s security is compromised is actually by the 3rd party applications that you load onto your server having an exploit in them. It’s important to stay very vigilant in keeping up with your application’s security updates, as well as any plugins, themes, or other add-on updates that you’re using for that application.<\/p>\n\n\n\n Because these applications are on the Internet and accessible from anywhere, they typically are targeted again and again by hackers until they’re able to find an exploit that allows them access. Once this information is known to the public the application’s developer will typically patch the exploit with a newer version, when you don’t upgrade to the latest version provided by your application you run the risk of being hacked.<\/p>\n","protected":false},"excerpt":{"rendered":"Strong passwords<\/h2>\n\n\n\n
Limit server access<\/h2>\n\n\n\n
APF – Advanced Policy Firewall<\/h3>\n\n\n\n
Example commands:<\/h4>\n\n\n\n
apf -a 123.123.123.123 \"Home IP\"<\/pre>\n\n\n\n
apf -d 123.123.123.123 \"Hitting login.php again and again\"<\/pre>\n\n\n\n
apf -u 123.123.123.123<\/pre>\n\n\n\n
apf -d 123.123.123.123\/24<\/pre>\n\n\n\n
vi \/etc\/apf\/deny_hosts.rules d=80:s=123.123.123.123\/24<\/pre>\n\n\n\n
APF File Locations:<\/h4>\n\n\n\n
\n
CSF – ConfigServer Firewall<\/h3>\n\n\n\n
Example commands:<\/h4>\n\n\n\n
csf -a 123.123.123.123<\/pre>\n\n\n\n
csf -ta 123.123.123.123 15s (s - seconds \/ h - hours \/ m - minutes \/ d - day)<\/pre>\n\n\n\n
csf -d 123.123.123.123<\/pre>\n\n\n\n
csf -td 123.123.123.123 15s (s - seconds \/ h - hours \/ m - minutes \/ d - day)<\/pre>\n\n\n\n
csf -dr 123.123.123.123<\/pre>\n\n\n\n
csf -tr 123.123.123.123<\/pre>\n\n\n\n
csf -t<\/pre>\n\n\n\n
csf -tf<\/pre>\n\n\n\n
csf -w 123.123.123.123<\/pre>\n\n\n\n
SYN flood protection<\/h4>\n\n\n\n
vi \/etc\/csf\/csf.conf<\/pre>\n\n\n\n
SYNFLOOD=1<\/pre>\n\n\n\n
service csf restart<\/pre>\n\n\n\n
Opening Ports<\/h4>\n\n\n\n
\n
Enable LFD Brute Force protection<\/h4>\n\n\n\n
vi \/etc\/csf\/csf.conf<\/pre>\n\n\n\n
LF_DAEMON=1<\/pre>\n\n\n\n
Reading the CSF log<\/h4>\n\n\n\n
\n
Aug 15 07:14:39 server kernel: Firewall: TCP_IN Blocked<\/em> IN<\/strong>=eth0 OUT= MAC=78:2b:cb:1c:00:1d:00:02:17:2c:6c:00:08:00 SRC<\/strong>=190.86.203.61 DST<\/strong>=173.247.251.145 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=1155 DF PROTO<\/strong>=TCP SPT<\/strong>=49528 DPT=2525 WINDOW=8192 RES=0x00 SYN URGP=0<\/code>\n\n\n\n\n
Install CSF<\/h3>\n\n\n\n
Remove APF<\/h4>\n\n\n\n
service apf stop chkconfig --del apf rm -f \/etc\/init.d\/apf rm -f \/usr\/local\/sbin\/apf rm -rf \/etc\/apf<\/pre>\n\n\n\n
Remove WHM Add IP to firewall feature<\/h4>\n\n\n\n
rm -rf \/usr\/local\/cpanel\/whostmgr\/cgi\/apfadd rm -f \/usr\/local\/cpanel\/whostmgr\/cgi\/addon_add2apf.cgi<\/pre>\n\n\n\n
Install CSF<\/h4>\n\n\n\n
yum install -y csf-ded<\/pre>\n\n\n\n
\n
Lost server access<\/h4>\n\n\n\n
CSF File Locations:<\/h4>\n\n\n\n
\n
Limit website access<\/h2>\n\n\n\n
Login to your server securely<\/h2>\n\n\n\n
Secure file management<\/h3>\n\n\n\n
Secure application logins<\/h3>\n\n\n\n
Insecure cPanel application logins<\/h4>\n\n\n\n
\n
Secure cPanel application logins<\/h4>\n\n\n\n
\n
Other server application logins<\/h4>\n\n\n\n
Make your server secure enough to handle credit card data<\/h2>\n\n\n\n
General application security and updates<\/h2>\n\n\n\n