If you’ve been online recently, you may have read the news about hackers demanding a ransom from Dublin’s tram system. Visitors to the Luas website were greeted by the hackers’ message threatening to publish the stolen information unless they were paid one Bitcoin (approximately 3,300 Euros or US $3,800). While the message itself appeared to be harmless, the fact is that the hackers could just as easily have used the domain to spread malware or phishing attempts.
Events like this highlight the importance of web hosting security. Whether you own a personal passion project website or you’re the web host of several businesses with varying sizes, security should be at the top of your checklist. With proper web hosting security, you won’t only be protecting yourself but, more importantly, your clients, customers and visitors, as well.
In this article, I’ll run down some of the best practices for web hosting that you should know. You can also use the points I provided to ask the right questions if you’re looking for web hosting services.
Web hosts should limit access to the machines that make up their hosting infrastructure. Such access should be reserved for trained and authorized technicians.
SSH (Secure Shell), or an equivalent encrypted remote-access protocol, should be used for every server login. Authentication should rely on SSH keys rather than passwords, and the private keys themselves should be protected with a passphrase so that a stolen key file alone is not enough to log in.
A host can also whitelist the IP addresses from which maintenance logins are accepted. Clients can usually set or modify such restrictions through the control panel included in their account.
Direct logins as the root user should be disabled, so that the one account every attacker knows exists on a Linux server cannot be attacked head-on. Named administrator accounts with equivalent privileges (granted through sudo or a similar mechanism) should be used instead, which also leaves an audit trail of who did what.
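The access controls above come down to a handful of settings in the OpenSSH server configuration. The following script is an added example, not code from the article: it parses an sshd_config and reports the settings that contradict the advice (direct root login allowed, password authentication still on, key authentication off, no restriction on which accounts may log in). The two configuration samples are constructed for illustration; the keywords and defaults are OpenSSH's documented ones.

```python
"""Audit an OpenSSH server configuration for the access-control settings
discussed above: key-only authentication, no direct root login, and a
restricted set of accounts allowed to log in.

Added example, not code from the article. The sample configuration text is
constructed; the check logic follows OpenSSH's documented sshd_config
keywords (PermitRootLogin, PasswordAuthentication, PubkeyAuthentication,
AllowUsers, AllowGroups) and their defaults.
"""
import re

# Constructed sample: a typical out-of-the-box configuration before hardening.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

# Constructed sample: the same server after hardening.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
AllowUsers ops-alice ops-bob
"""


def parse_sshd_config(text):
    """Return the effective global settings as {keyword_lower: value}.

    sshd honours the FIRST occurrence of a keyword, so later duplicates are
    ignored. Comments and blank lines are skipped. Settings inside a Match
    block apply only conditionally, so parsing stops at the first Match line
    instead of mis-attributing those settings to the global scope.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means clean."""
    s = parse_sshd_config(text)
    findings = []
    # OpenSSH defaults that apply when the keyword is absent.
    root_login = s.get("permitrootlogin", "prohibit-password").lower()
    password_auth = s.get("passwordauthentication", "yes").lower()
    pubkey_auth = s.get("pubkeyauthentication", "yes").lower()

    if root_login != "no":
        findings.append(f"PermitRootLogin is '{root_login}'; set it to 'no' and give admins sudo instead")
    if password_auth != "no":
        findings.append("PasswordAuthentication is enabled; disable it once key-based login is confirmed to work")
    if pubkey_auth != "yes":
        findings.append("PubkeyAuthentication is disabled; key-based login is the expected access method")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("No AllowUsers/AllowGroups restriction; any local account can attempt to log in")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`. Note the order of operations the second finding insists on: confirm that key-based login works from a second session before turning password authentication off, or the hardening step locks you out of your own server.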
A web hosting company should regularly monitor its network for intrusions or unauthorized activity, so that a single compromised server or misbehaving account is caught before it grows into a larger incident.
SSL and Firewall
SSL (Secure Sockets Layer) encryption, today provided by its successor TLS (Transport Layer Security) but still commonly called SSL, keeps the data exchanged between a visitor's browser and the website confidential and tamper-proof in transit, and the accompanying certificate lets visitors confirm they are talking to the genuine site. However, it secures only the communication channel: a server behind a valid certificate is exactly as exposed to attack as one without.
A WAF (Web Application Firewall) should be deployed to inspect the HTTP traffic flowing into web applications. Unlike a network firewall, which works at the level of addresses and ports, a WAF understands HTTP and the specific behaviour of the application it protects, so with some configuration it can block requests carrying SQL injection, cross-site scripting, vulnerability probes and similar payloads. It is an added layer of defence rather than a substitute for fixing the underlying vulnerabilities, since ways to evade WAF rules are found regularly.
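To make the WAF's job concrete, here is an added example (not code from the article, and not any real product's rule set) of the two steps every WAF performs on a request: normalise the input the way the application would decode it, then match the result against attack-pattern rules. The request samples and the small rule list are constructed for illustration; a production WAF such as ModSecurity with the OWASP Core Rule Set ships thousands of rules and scores them rather than blocking on a single hit.

```python
"""What a web application firewall does with one HTTP request: decode the
parameters the way the application would, then match them against
attack-pattern rules before the application ever sees the request.

Added example, not code from the article and not a real WAF rule set. The
requests and rules below are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Each rule: (name, regex applied to every normalised parameter value).
RULES = [
    ("sqli-tautology", re.compile(r"(['\"]\s*(or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+)|(\bor\b\s+1\s*=\s*1)")),
    ("sqli-union", re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?\bselect\b")),
    ("sqli-comment", re.compile(r"(--|#|/\*)\s*$|;\s*(drop|delete|insert|update)\b")),
    ("xss-tag", re.compile(r"<\s*(script|img|svg|iframe|body)\b")),
    ("xss-handler", re.compile(r"\bon[a-z]+\s*=|javascript\s*:")),
    ("probe-traversal", re.compile(r"(\.\./|\.\.\\)")),
]


def normalise(value, rounds=3):
    """Percent-decode repeatedly (attackers double-encode payloads to slip past
    filters that decode once), collapse whitespace and lowercase. Stops as
    soon as another decoding round changes nothing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value).strip().lower()


def inspect_request(method, target, body=""):
    """Return a list of (rule_name, parameter, normalised_value) hits.

    `target` is the request path plus query string; `body` is an
    application/x-www-form-urlencoded body for POST requests.
    """
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        params += parse_qsl(body, keep_blank_values=True)
    # The path is inspected too, since directory-traversal probes live there.
    params.append(("<path>", parts.path))

    hits = []
    for name, raw in params:
        value = normalise(raw)
        for rule_name, pattern in RULES:
            if pattern.search(value):
                hits.append((rule_name, name, value))
    return hits


def is_blocked(method, target, body=""):
    """Simplest possible policy: any rule hit blocks the request."""
    return bool(inspect_request(method, target, body))


# Constructed sample traffic: two benign requests followed by four probes.
SAMPLE_REQUESTS = [
    ("GET", "/search?q=security+best+practices", ""),
    ("GET", "/products?id=42", ""),
    ("GET", "/products?id=42%27%20OR%20%271%27%3D%271", ""),               # ' OR '1'='1
    ("GET", "/search?q=%253Cscript%253Ealert(1)%253C/script%253E", ""),    # double-encoded <script>
    ("POST", "/login", "user=admin&pass=x%27%20UNION%20SELECT%20password%20FROM%20users--"),
    ("GET", "/static/..%2F..%2Fetc%2Fpasswd", ""),                          # encoded ../
]

if __name__ == "__main__":
    for method, target, body in SAMPLE_REQUESTS:
        verdict = "BLOCK" if is_blocked(method, target, body) else "allow"
        print(f"{verdict:5} {method} {target}")
        for hit in inspect_request(method, target, body):
            print("      ", hit)
```

The double-encoded `<script>` request is the instructive one: after the web server's own decoding it still reads `%3Cscript%3E`, which a single-pass filter would wave through, but the application will decode it again. Matching what the application will eventually see, not the bytes on the wire, is the whole difficulty of writing WAF rules, and also why rule-based blocking produces false positives (a forum post ending in `--` trips `sqli-comment` here) and needs tuning per application.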
A DDoS (Distributed Denial of Service) attack is a simple yet effective attack that can take down popular websites. Attackers flood a website's servers with so much traffic, usually from many compromised machines at once, that the site becomes unavailable to real visitors.
DDoS is hard to handle once it is already underway, so the best approach is for a web host to prepare in advance: enough capacity to absorb a surge, traffic filtering and rate limiting at the edge, and an upstream scrubbing service or CDN that can take the flood before it reaches the origin servers. The host should also have the tools and procedures to mitigate an attack that does get through.
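The basic signal behind rate limiting is a count of requests per client over a sliding time window. As an added example, not code from the article, the script below runs that detection over access-log lines in the common Apache/Nginx "combined" format and reports the sources that exceed a threshold. The log lines are constructed inline (two ordinary visitors and one source sending 20 requests per second), and the window and threshold values are illustrative.

```python
"""Find request floods in a web server access log by counting requests per
client IP inside a sliding time window.

Added example, not code from the article. The log lines are constructed in
Apache/Nginx 'combined' format; the window and threshold are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_PATTERN = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) or None for a line that does not parse."""
    m = LOG_PATTERN.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def find_flooders(lines, window_seconds=10, threshold=20):
    """Return {ip: peak_requests_in_window} for clients that exceeded
    `threshold` requests within any `window_seconds` span.

    A per-IP deque of timestamps is the sliding window: on each request,
    drop timestamps older than the window, then count what remains. Each
    client's lines must be in time order, which they are in a real log.
    """
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def build_sample_log():
    """Constructed sample: two ordinary visitors (one request every few
    seconds) and one source sending 100 requests at 20 per second."""
    base = datetime.strptime("05/Jan/2019:10:00:00 +0000", TS_FORMAT)

    def entry(ip, offset, path):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    lines = []
    for i in range(8):
        lines.append(entry("198.51.100.7", i * 3, "/"))
        lines.append(entry("198.51.100.8", i * 4, "/news"))
    for i in range(100):
        lines.append(entry("203.0.113.9", i // 20, "/search?q=x"))
    return lines


if __name__ == "__main__":
    for ip, peak in find_flooders(build_sample_log()).items():
        print(f"{ip}: {peak} requests inside a 10 s window")
```

The same loop works as a tail on the live log for a simple fail2ban-style reaction, but note its limit: it identifies a source only by IP, which is exactly what a distributed attack spreads across thousands of addresses. That is why host-level rate limiting handles the small floods and an upstream provider with far more capacity is needed for the large ones.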
Malware Detection and Removal
Web hosts should tell clients which protective actions each party is responsible for. Regular malware scans of client accounts should be performed, and clients should be able to see the resulting reports; this is a standard feature of any decent hosting plan. Finally, the hosting company's support plan should include help in identifying and removing malware.
Software such as ClamAV (a signature-based malware scanner) and rkhunter (a rootkit and backdoor detector) can be installed on the host server to detect malicious files. Both rely on regularly updated signatures and heuristics, so they catch known malware; they do not replace keeping the server patched, and they will miss a backdoor written specifically for the target.
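Signature scanners find known malware; a complementary "regular file scan" of the kind mentioned above is an integrity baseline, which catches any modification to the web root whether or not a signature exists for it. The following is an added example, not code from the article and not part of ClamAV or rkhunter: it hashes every file under a directory, stores the manifest outside the web root, and on the next scan reports files that were added, removed or modified. The scenario it runs (a small site, then a simulated dropped web shell and an edited theme file) is constructed in temporary directories so the script runs anywhere.

```python
"""Baseline-and-compare integrity scan of a web root: record the SHA-256 of
every file, then report files that were added, removed or modified since.

Added example, not code from the article and not part of ClamAV or rkhunter.
The site contents and the 'compromise' are constructed in temp directories.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: sha256} for every regular file under root.
    Symlinks are skipped so a link pointing outside the web root is not hashed."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return {'added': [...], 'removed': [...], 'modified': [...]}, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a two-file site, then simulate an
    attacker dropping a web shell and appending to an existing theme file.
    The manifest is kept in a separate directory: an attacker who can write
    to the web root must not be able to rewrite the baseline as well."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "wp-content", "themes"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        theme_file = os.path.join(root, "wp-content", "themes", "functions.php")
        with open(theme_file, "w") as f:
            f.write("<?php // theme functions ?>\n")

        manifest_path = os.path.join(store, "baseline.json")
        save_manifest(build_manifest(root), manifest_path)

        # Simulated compromise (constructed, inert placeholder content).
        with open(os.path.join(root, "wp-content", "shell.php"), "w") as f:
            f.write("<?php /* simulated web shell */ ?>\n")
        with open(theme_file, "a") as f:
            f.write("<?php /* simulated injected code */ ?>\n")

        return compare_manifests(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is rebuilt immediately after every legitimate deployment or CMS update, so that anything appearing between deployments is by definition unexpected. Because a CMS also writes legitimately to its own directories (caches, uploads), a real scan ignores those paths and, conversely, treats any `.php` file appearing under the uploads directory as a high-priority finding.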
If you’re an individual looking for a web host, one of the choices you’ll be given is the OS (Operating System) of your web server. In practice there are two families to choose from, Windows-based and Linux-based, and clients pick between them according to their site’s technical requirements (an ASP.NET application needs Windows, for example, while a PHP-based CMS runs on either).
Each of the two has security advantages over the other.
Windows-based web servers limit access by default. Users run as standard users and must explicitly request elevation, and enter an administrator password, before they can use the privileges granted by the main administrator (the User Account Control prompt). In theory this keeps an intruder, whether a malicious program or a rogue employee, from doing real damage from an ordinary user’s session.
Additionally, security fixes for the Windows platform come from a single source: when a flaw is found, Microsoft’s own engineers develop the patch and distribute it through Windows Update, so the fix comes from the people who wrote the code and reaches every server through one well-defined channel.
On the other hand, Linux-based web servers see far less commodity malware. Most mass-market malware is written for Windows, because that is where the desktop users are, so much of what gets uploaded to or dropped on a Linux server cannot even execute there. Since a site’s visitors are mostly Windows users, hosting services can also install scanners (ClamAV is the usual choice) that detect Windows-targeted malware sitting in the files of a Linux-hosted site, so the site does not become a distribution point for it.
When flaws are found, the open source community behind Linux and its distributions usually responds quickly with a patch, and because the source is public, the fix itself can be inspected by anyone.
Password and User Access
Password requirements should scale with the privileges of each user category on the site. The strictest requirements, ideally backed by two-factor authentication, belong to administrators and guest authors, since accounts that can change configuration or publish content have the greatest potential to damage the site.
If a hacking attempt is suspected, all passwords must be changed immediately. Rotating credentials is also a good habit when upgrading or migrating the CMS (Content Management System).
The importance of strong, unique passwords must be stressed to all users; better still, a password manager can be used to both generate and store them. Avoid predictable usernames: “admin”, or an email address that is already published on the site, hands an attacker half of the credential pair before the guessing starts.
Lastly, each user category must be granted only the bare minimum of access privileges it needs for its purpose. Never allow unrestricted file uploads; limit uploads to the file types and sizes users actually need, and store them where the server will never execute them. This limits what an intruder can do with a compromised account.
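Restricting uploads "only to what users need" means checking more than the file name. The following is an added example, not code from the article: it allow-lists extensions, confirms that the file's leading bytes match the type the extension claims, caps the size, rejects image files that carry PHP tags, and saves the file under a random server-chosen name so the client's file name never reaches the filesystem. The sample uploads are byte strings constructed inline, and the size limit and allowed types are illustrative policy.

```python
"""Validate a user file upload the way a least-privilege upload handler
should: allow-listed extension, matching magic bytes, size cap, no embedded
script tags, and a server-chosen storage name.

Added example, not code from the article. Sample uploads are constructed
byte strings; MAX_BYTES and ALLOWED_TYPES are illustrative policy.
"""
import os
import secrets

MAX_BYTES = 2 * 1024 * 1024  # illustrative 2 MiB cap

# Allowed extension -> magic-byte prefixes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename, data):
    """Return the canonical extension if every check passes; otherwise raise
    UploadRejected with the reason."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not data:
        raise UploadRejected("empty file")

    # Only the final extension counts, and only after stripping any directory
    # part the client sent: '../x/shell.php.png' and 'x.PNG' both yield 'png'.
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension '{ext}' not allowed")

    # The declared type must match what the bytes actually are.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")

    # Cheap heuristic against image/PHP polyglots; the real defence is that
    # the upload directory is never configured to execute scripts.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("embedded script tag in file content")
    return ext


def store_upload(client_filename, data, upload_dir):
    """Validate, then save under a random name; returns the stored path."""
    ext = validate_upload(client_filename, data)
    path = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    with open(path, "wb") as f:
        f.write(data)
    return path


def check_upload(client_filename, data):
    """Convenience wrapper returning (accepted, extension_or_reason)."""
    try:
        return True, validate_upload(client_filename, data)
    except UploadRejected as e:
        return False, str(e)


# Constructed samples: two legitimate files and four attempts to get code
# onto the server through the upload form.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
    "Report.PDF": b"%PDF-1.7\n%constructed sample\n",
    "shell.php": b"<?php system($_GET['c']); ?>",
    "shell.php.png": b"<?php system($_GET['c']); ?>",           # image extension, script content
    "polyglot.gif": b"GIF89a" + b"<?php system($_GET['c']); ?>",  # valid header, script body
    "../../etc/cron.d": b"* * * * * root id",                    # traversal in the file name
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        accepted, info = check_upload(name, data)
        print(f"{'accept' if accepted else 'REJECT':6} {name!r}: {info}")
```

Two of the rejections are the ones that matter most in hosting environments: `shell.php.png` shows why the extension alone is not a type check, and `polyglot.gif` shows why even a correct magic header is not enough on a server that might be talked into executing the file. Neither check substitutes for the deployment rule in the paragraph above: the upload directory is served as static content, with script execution disabled, so that even a file that slips through every check is only ever bytes.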
Plugins, Applications, and Updates
When selecting plugins and applications for a website, consider their age, number of installs and how recently they were updated. This tells you whether the software is still actively maintained; abandoned software accumulates unpatched security issues. Only install software from trustworthy sources, such as the official repository for your CMS, to avoid packages that ship with malware.
Remember to change default settings, especially default login credentials, immediately, since they are the first thing an attacker will try. Your CMS, and all installed software for that matter, must be updated as soon as updates become available, because attackers routinely exploit the publicly known vulnerabilities of the older versions.
An offsite backup is a must for any site that matters, and certainly for larger ones. These backups should be automatic and frequent so that the site can be restored quickly after a server failure or a compromise.
Automatic backups ensure that they don’t depend on fallible human memory. Frequent backups ensure that they keep up with the latest content from the website.
You should also consider encrypting the backups, which adds a layer of protection for sensitive information if the backup storage itself is exposed. Backups must then be tested by actually restoring them: a backup that has never been restored is not known to work.
Always keep fresh install files for installed software. This ensures that a clean working copy is available in the event that the current software malfunctions or becomes compromised.
About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.