10 Things You Can Do To Make Your Linux Hosted Website More Secure
10. Get cooperation from your Linux host.
Make sure your host is updating their software at the server and network levels. This includes any available kernel updates, as well as updates for packages such as Apache and PHP. Your host should also have a server administrator reviewing the server security logs on a daily basis. These are security steps which, in most cases, can only be executed by your host’s server administrator, so it is vital to ensure that your host is doing their part to secure your website.
9. Use a file integrity checker available for the Linux OS, such as AIDE (Advanced Intrusion Detection Environment).
File integrity checkers notify you of any changes made to your site files and provide an audit trail of exactly what was added, removed or changed, and when. A skilled hacker can break into a site and make minor changes to your code without adding new files or changing anything about the outward appearance of your site. For example, it’s possible to make a few modifications to a billing script so that it silently emails all of your customers’ billing information to the hacker before running the charge as normal. Without a file integrity checker to alert you to this change, the added code could go unnoticed for weeks or months, if it is ever noticed at all, and during that time all of your customers’ personal information is being gathered by an unknown third party.
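The core of what a file integrity checker does, as an added example rather than anything from the article or from AIDE itself: a sha256sum manifest of the web root is taken once and later compared against the live tree, flagging the quietly edited billing script and the unexpected new file. The site tree, file names and manifest path are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: a minimal file-integrity baseline and check
# built on sha256sum. AIDE does the same job with many more attributes (owner, mode,
# mtime, inode) and a protected database; this shows only the core idea.

# Write a SHA-256 manifest of every regular file under tree $1 to $2. Keep the
# manifest where the web server account cannot write, or it can be "updated" too.
make_baseline() {
    find "$1" -type f -print | LC_ALL=C sort | xargs -r sha256sum > "$2"
}

# Compare tree $1 against manifest $2. Prints one MODIFIED/REMOVED/ADDED line per
# difference and returns 1 if anything changed, 0 if the tree still matches.
# Paths containing whitespace are not handled here.
check_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    changes=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # stored manifest: digest path
        { cur[$2] = $1 }                                # fresh scan of the tree
        END {
            for (p in base)
                if (!(p in cur))            print "REMOVED  " p
                else if (cur[p] != base[p]) print "MODIFIED " p
            for (p in cur)
                if (!(p in base))           print "ADDED    " p
        }' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Constructed demo: baseline a tiny site, then change it the way the article
# describes (a quiet edit to the billing script) and drop in one unexpected file.
demo_tamper() {
    site=$(mktemp -d)
    mkdir -p "$site/inc"
    printf '<?php // charge the card\n' > "$site/inc/billing.php"
    printf '<html>hello</html>\n' > "$site/index.html"
    make_baseline "$site" "$site.manifest"
    check_baseline "$site" "$site.manifest" >/dev/null && echo "clean baseline verified"
    printf '<?php // charge the card\n// one quietly added line\n' > "$site/inc/billing.php"
    : > "$site/unexpected.php"
    check_baseline "$site" "$site.manifest" || echo "tree differs from baseline: investigate"
    rm -rf "$site" "$site.manifest"
}
```

Run `demo_tamper` to see the unchanged index.html stay silent while billing.php is reported as MODIFIED and the new file as ADDED.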
8. Use the Unix/Linux command SCP or SFTP instead of FTP.
Avoid using FTP as much as possible, especially with your primary FTP account that has full access to your hosting account. FTP is an unencrypted protocol, which means that all data sent through FTP, including your username and password, is sent across the internet in plain text. If anyone is monitoring your connection with a packet sniffer such as Wireshark, they can view all of your data as well as capture your account login information, which then gives them free access to your site and all of your files. Instead, use an encrypted protocol such as SCP or SFTP to transfer your files; they work in much the same way, but all of your data travels inside an encrypted SSH session (the session keys are negotiated with public-key cryptography), so a sniffer on the path sees only ciphertext and cannot recover your login information.
7. Review the logs regularly
Review all available server logs, including access logs, traffic logs, and the file integrity checker logs mentioned above (file integrity checkers are useless if nobody reviews the logs they create). On most Linux servers these live under /var/log, among other places. Look for files using a lot of bandwidth or for a lot of hits from a certain IP range, as either could indicate a script with modified code or an attempted intrusion. If your host uses a layer 7 (application-layer) firewall such as mod_security, you should also ask them for the entries in modsec_audit.log for your domain. This will allow you to monitor any hacking attempts and take the necessary steps to permanently block the attacker before they get in.
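The two things the paragraph says to look for, hits concentrated in an IP range and paths moving a lot of bandwidth, as an added example that is not from the article: three awk passes over Apache combined-format access-log lines. The log lines are constructed (documentation address ranges), so the numbers below are known in advance.

```shell
# Added example, not from the article: three quick passes over Apache combined-format
# access-log lines (awk fields: $1 client IP, $7 request path, $10 response bytes).
# The log lines below are constructed; in practice pipe in /var/log/apache2/access.log.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 2870 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 2870 "-" "curl/7.68.0"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 2870 "-" "curl/7.68.0"
203.0.113.9 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 2870 "-" "curl/7.68.0"
198.51.100.23 - - [10/Oct/2023:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:14:01:05 +0000] "GET /downloads/big.iso HTTP/1.1" 200 734003200 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
)

# Requests per client address, busiest first; only addresses with at least $1 hits.
hits_by_ip() {
    awk -v min="$1" '{ n[$1]++ } END { for (k in n) if (n[k] >= min) print n[k], k }' | sort -rn
}

# The same count aggregated to /24 networks, so a spread of neighbouring addresses
# (the "certain IP range" the article mentions) shows up as one source.
hits_by_net() {
    awk -v min="$1" '{ split($1, o, "."); k = o[1] "." o[2] "." o[3] ".0/24"; n[k]++ }
                     END { for (k in n) if (n[k] >= min) print n[k], k }' | sort -rn
}

# Bytes served per request path, largest first: a script suddenly moving a lot of
# traffic is worth a look, whether it turns out to be legitimate or modified.
bytes_by_path() {
    awk '$10 ~ /^[0-9]+$/ { b[$7] += $10 } END { for (k in b) print b[k], k }' | sort -rn
}

# Run all three over the sample so the block does something when executed directly.
review_sample() {
    printf '%s\n' "$SAMPLE_LOG" | hits_by_net 3
    printf '%s\n' "$SAMPLE_LOG" | hits_by_ip 2
    printf '%s\n' "$SAMPLE_LOG" | bytes_by_path | head -n 3
}
```

On the sample, `hits_by_net 3` reports the four login attempts from 203.0.113.0/24 as one source even though no single address made more than two requests.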
6. Keep your domains separate
The idea of hosting multiple domains on one account through add-on domains sounds convenient: you can buy one hosting account and then host and manage multiple domains using one primary username and password! Easy! However, it’s easy to forget that this works the other way as well: a hacker can break into one hosting account and then attack multiple domains using one primary username and password. Easy. Aside from that, hosting multiple domains through the same account really complicates the process of cleaning up after an attack. Not only do you have to check every connected domain for malware or modified files, you also have to try to identify which domain the attacker broke in through and then take steps to secure each domain. On the other hand, when using separate accounts for each domain you can quickly and easily tell which domain was broken into, and you can generally assume that the rest of your unlinked accounts are still secure. If you’re planning to host multiple domains through one host, look for a host offering a reseller plan, where you can create separate accounts for each of your domains for a flat monthly or yearly rate. This is much easier to secure and keep secure, provided you keep your reseller password private.
5. Do some spring cleaning on your account
If you haven’t gone in and cleaned out your account in a month or so, you’re probably overdue for some site maintenance. It’s a very good idea to go into your account and clean it out periodically. This includes deleting pages, scripts, databases, mailboxes, email addresses and FTP accounts you no longer use, as well as uninstalling software that you no longer need. Not only does this have the potential to free up some disk space, it’s also a useful security measure. Removing custom scripts, software and pages that you no longer use helps to limit possible entry points for a hacker and leaves you with fewer pages and scripts to secure. Furthermore, in most cases when the owner of a site stops using a third-party script, be it WordPress, phpBB, Drupal or any other, they stop updating it, which is a serious security risk for reasons we will get into later. Suffice it to say that it’s best to get rid of any unused files.
4. Change your passwords regularly
We could easily write an entire article just on good password practices, but for the sake of brevity we’ll focus on this one guideline that so few people follow. Even if you don’t think your password has been compromised, the longer you use the same password the greater the chance that it has been captured by a hacker. Ideally you should change your FTP/SSH passwords, control panel passwords, software admin passwords, email passwords, and any other passwords once every month or so, but even changing your passwords once every few months is better than not changing them at all. On that note, when changing your passwords you should never use the same password for multiple items, which is another common mistake people make. If you use different passwords for each username or email address, someone getting their hands on your email password is an inconvenience. If you use the same password for everything and someone gets your email password, you suddenly have a much greater security issue. It’s especially important never to use your account password for third-party software, as many third-party programs store their admin passwords in clear text in a config file, and a skilled hacker can pull up these config files with relative ease if they manage to get server access. Perhaps most importantly, remember that writing passwords down on a piece of paper is never a good idea. Instead, if you’re having trouble remembering your passwords, consider downloading a free password manager (I recommend KeePassX for Linux: http://www.keepassx.org/).
3. Create an ACL for non-public sections of your site
There are some sections of your site that the general public simply doesn’t need access to: for example, your WordPress admin directory, your private photo galleries, or perhaps parts of your FTP directory. In these cases it’s often a good idea to create an Access Control List (ACL); if you have a Linux host running the Apache web server, this can be done with a .htaccess file. An ACL is relatively quick and easy to set up (some hosts may be willing to set it up for you, while others may ask you to create your own through the command line), and it allows you to block specific IP addresses or to allow access only from specific IP addresses (such as your home IP, your office IP, etc.). Only the IP addresses you’ve approved can then reach those directories, so even if the password fell into the wrong hands, the site would still be locked to all but a few specific IP addresses.
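A .htaccess of the kind described above for the WordPress admin directory, as an added example rather than the article's own configuration. The two addresses are placeholders for your home and office IPs, and it assumes your host's AllowOverride setting permits authorization directives in .htaccess.

```apache
# Added example, not part of the article: a .htaccess placed in wp-admin/ that admits
# only approved addresses. 203.0.113.10 and 198.51.100.0/24 are placeholders; put your
# own home and office IPs there. Needs AllowOverride to permit authorization directives.

# Apache 2.4 (mod_authz_core): any one matching rule grants access, everyone else gets 403.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>

# WordPress calls wp-admin/admin-ajax.php from the public pages, so that one file
# has to stay reachable or front-end features that depend on it will break.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Apache 2.2 equivalent (mod_authz_host), if your host still runs the older release:
# Order Deny,Allow
# Deny from all
# Allow from 203.0.113.10
# Allow from 198.51.100.0/24
```

Test it from an address outside the list before relying on it: a correct ACL answers 403 for wp-admin/ while the public site still loads normally.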
2. Keep Permissions Locked Down
Setting the wrong permissions on files can be disastrous: anyone with user-level access to the server can read and write a file with 777 permissions, for example. It’s generally good practice to make sure all permissions are set to 555 (all read and execute) for directories and 444 (all read) for files unless a specific program requires them to be set to something different. Avoid using very open permissions such as 777, 755, 666 or 644, as these give a lot of access rights to outside users. Ask your host if you need help changing your file permissions or have questions about Linux file permissions, or see the man page for chmod.
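Auditing a web root for the world-writable modes the section warns about, then applying its 555/444 baseline, as an added example that is not from the article. The site tree is constructed inside a temporary directory, and the find options used (`-perm /mode`, `-printf`) are GNU find's, as found on Linux hosts.

```shell
# Added example, not from the article: audit a web root for world-writable entries,
# then apply the article's baseline modes (555 directories, 444 files). The tree is
# constructed; uses GNU find options (-perm /mode, -printf), as found on Linux hosts.

# List every file or directory under $1 that any user on the server can write to
# (the "other" write bit, as in 777 or 666), as "octal-mode path", sorted.
world_writable() {
    find "$1" -perm /o+w \( -type f -o -type d \) -printf '%m %p\n' | LC_ALL=C sort
}

# The article's baseline: 555 on directories, 444 on files. Anything your application
# must write to (an uploads or cache directory) needs owner write re-added afterwards,
# for example: chmod 755 "$root/uploads".
lock_down() {
    find "$1" -type d -exec chmod 555 {} +
    find "$1" -type f -exec chmod 444 {} +
}

# Constructed demo: a small site with the sloppy modes the article warns about.
demo_permissions() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads"
    : > "$root/index.php"
    : > "$root/uploads/photo.jpg"
    chmod 777 "$root/uploads"
    chmod 666 "$root/index.php"
    chmod 644 "$root/uploads/photo.jpg"   # world-readable but not writable: not flagged
    echo "before:"; world_writable "$root"
    lock_down "$root"
    echo "after:";  world_writable "$root"
    chmod -R u+w "$root" && rm -rf "$root"   # restore owner write so cleanup can recurse
}
```

The "before" list names only the 777 directory and the 666 file; after `lock_down` the same audit prints nothing.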
1. Keep current with updates from 3rd party vendors.
We’ve already touched on this a couple of times, but it bears repeating: it is absolutely critical that all third-party scripts be kept up to date. When asked what he considers to be the greatest security risk in web hosting, Wayne C., a support technician at PenguinWebHosting.com, told us “definitely outdated scripts. In my experience they’re the number one reason sites get hacked.” The reason? “When a company updates their web software, things like WordPress and Joomla, they do it for one of a few reasons. It could be that they want to add new features or to add support for newer versions of PHP or something like that, but a lot of times patches are reactive rather than proactive: they patch the software to seal off a security hole. Then in the patch notes, they list all the security updates that were added in that version, essentially highlighting the vulnerabilities in the previous version. With the knowledge of all the security weaknesses in the older version, all a potential hacker has to do is find someone still running the outdated software; they already know what vulnerabilities they can exploit to break in.”