Tips to Secure Your Web Hosting Server

Category: Linux & Server Admin | Tags: Security, Linux | Written on Jul 22, 2009

A friend of mine, Elliot Swan, got hacked: one of his JavaScript files had been modified to contain some sort of advertisement. Here are a few things you can do to lock your server down, starting with simple steps and getting more advanced towards the bottom.

  1. Change your web hosting password.
  2. Change your SSH / root login username (if possible) and password.
  3. Change your FTP username (if possible) and password.
  4. If you changed your FTP username, chown the files to the new user through SSH by typing "chown -R username:usergroup YOUR_WEB_PATH". If you don't know the group, look at the current files with "ls -la YOUR_WEB_PATH"; the owner and group are the third and fourth columns of the listing.
  5. Change your permissions to the lowest number that still lets your website work; this might be 444, 644, 655, 744, or 755: "chmod -R 755 YOUR_WEB_PATH". Note that chmod -R gives files and directories the same mode; directories need the execute bit so they can be traversed, while plain files usually do not.
  6. Make sure there are no authorized keys in your "~/.ssh/" folder that you did not put there. Type "ls ~/.ssh", and then "rm ~/.ssh/authorized_keys" if the file is there, unless of course you use key authentication yourself. An authorized key lets you SSH in without a password, because your public key is stored on the server and the matching private key is on your computer.
  7. (tip via my friend Grant Wood) There is a Linux tool called "aide" (Advanced Intrusion Detection Environment) that can email you when files are changed, but it is fairly involved to set up.
  8. (tip from a friend) Check your log files in /var/log to make sure there are no connections that you didn't make.
  9. Update your php.ini file with more secure PHP settings.
  10. Upgrade any installed CMS or web-based software.
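As an added example (not from the original post), here is a small audit script covering what steps 4 through 7 do by hand: it reports group- or world-writable paths, files not owned by the site's user, files that differ from a sha256 baseline (a lightweight stand-in for aide), and how many keys are in authorized_keys. It builds and then tampers with a constructed sample site in a temp directory, so every path and key entry is made up; point ROOT and KEYS at your own locations to use it for real. It relies on GNU find (-perm /022) and sha256sum.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web root for what steps
# 4-7 fix by hand - loose permissions, wrong owner, changed files, stray SSH
# keys. It runs on a constructed sample tree; point ROOT and KEYS at your own.
set -eu

# Paths under $1 that group or others may write to (the "lowest permission" check, step 5).
find_loose_perms() { find "$1" -perm /022 | sort; }

# Paths under $1 not owned by numeric uid $2, i.e. missed by the chown in step 4.
find_wrong_owner() { find "$1" ! -uid "$2" | sort; }

# Write a sha256 baseline of every regular file under $1 to $2 (a tiny aide, step 7).
snapshot() { (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) > "$2"; }

# Files under $1 that are new, removed or modified compared with baseline $2.
changed_since() {
    snapshot "$1" "$2.now"
    diff "$2" "$2.now" | awk '/^[<>]/ { print $3 }' | sort -u || true
}

# Key entries in authorized_keys file $1, ignoring blank/comment lines (0 if absent; step 6).
count_authorized_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Ecv '^[[:space:]]*(#|$)' "$1" || true
}

# --- constructed sample site (not real data) ---
TMP=$(mktemp -d); ROOT="$TMP/public_html"; KEYS="$TMP/.ssh/authorized_keys"
mkdir -p "$ROOT/js" "$ROOT/uploads" "$TMP/.ssh"
echo '<html></html>' > "$ROOT/index.html"
echo 'var x = 1;' > "$ROOT/js/app.js"
chmod 755 "$ROOT" "$ROOT/js" "$ROOT/uploads"; chmod 644 "$ROOT/index.html" "$ROOT/js/app.js"
printf '# who may log in\nssh-rsa AAAAB3...constructed1 marc@laptop\n\nssh-rsa AAAAB3...constructed2 unknown\n' > "$KEYS"
snapshot "$ROOT" "$TMP/baseline"          # taken while the site is known good

# Simulate what the post describes: a script gains an extra line, a stray file appears, perms loosen.
echo '/* constructed: unexpected appended line */' >> "$ROOT/js/app.js"
echo 'constructed' > "$ROOT/uploads/unknown.txt"
chmod 666 "$ROOT/js/app.js"; chmod 777 "$ROOT/uploads"

echo "== group/world-writable =="; find_loose_perms "$ROOT"
echo "== not owned by uid $(id -u) =="; find_wrong_owner "$ROOT" "$(id -u)"
echo "== changed since baseline =="; changed_since "$ROOT" "$TMP/baseline"
echo "== authorized_keys entries: $(count_authorized_keys "$KEYS")"
```

Keep the baseline file somewhere the web server cannot write to, otherwise whoever changes your files can also change the record you compare against.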

If all else fails, switch web hosts or hire a server admin, because you are screwed.

Comments

#1. Michael Kozakewich http://icosidodecahedron.com on Jul 23, 2009
I had that happen, once. It was fairly odd, because all it would do is input some script tags linking to something on a spammy bank's site. I never looked at what the script wrought, but I imagined it was an ad of some sort.
I had thought it was some sort of PHP injection or something that let them rewrite the file. As it turned out, they had somehow gotten the FTP password. I changed that, and nothing more happened.

It seemed strange to me that they had full access to all my files and only inserted a bit right at the end. Wouldn't it have been better to load a completely new site with some advertisements for them?
The only reason I had found out was that Google mailed me and told me that my site was trying to make their spiders execute malicious code. Oops!
#2. Paul Armstrong http://paularmstrongdesigns.com on Jul 23, 2009
Just a few thoughts on the ones you posted:
2. Or better yet, disable root login
3. Disable FTP and only allow SFTP
6. Authorized keys are secure, but only as secure as the physical security of the personal computer that has the keys on it.
--
And how about some more!
11. Install fail2ban on Linux. It will ban connections from IPs that have multiple unauthorized attempts in a row.
12. Change your SSH port
13. Set your IP Tables to only allow the ports and types of connections you need (HTTP, SSH, SMTP, etc)
14. Subscribe to your operating system's security mailing list to find out when security patches are available.
15. Only allow MySQL connections from localhost
#3. Marc Grabanski http://marcgrabanski.com on Jul 23, 2009
Thanks Paul!
#4. Zachary Johnson http://www.zachstronaut.com on Jul 23, 2009
In a shared hosting environment where there are other users on the same machine as you, file permissions are of critical importance. It can be trivially easy for somebody else to modify your data/code if your permissions are set to world writable, or if they are group writable and belong to the wrong group.

For PHP in shared hosting environments, make sure your PHP code runs as your own user (using PHP-CGI or such). If your PHP runs as the same user as everybody else, they can likely read and/or write to your files.

If you find that you've been hacked you have to seriously consider the possibility that:

1. the code you have written is the vulnerability
2. the hacker has installed a back door to get back into your system

If either of those are the case, then you could do everything listed in this article and in the comments and you wouldn't have fixed anything. The hacker could still get back in.

These days, almost all hackers get in because you haven't upgraded the apps you have installed, you have a security hole in your own app, or your password has been compromised. You should definitely secure your server using tips like this, but you also have to write secure web app code. Your code takes into consideration SQL injection attacks and malicious file names right?

After being hacked, if you can, it is best to wipe out your server OS and start over from scratch from a hopefully clean backup of your site/app.

Another useful note: if your entire site/web app is version controlled with git or svn or whatever... you can easily run status/diff against your site and see any new files or files that have been changed. That will instantly let you spot any shenanigans with your code/file data. (It won't however help you with database data or system files.)
#5. Marc Grabanski http://marcgrabanski.com on Jul 23, 2009
All good points, Zachary:
- Your app code is very important; I did mention to upgrade any CMSs or installed packages.
- If you have the option of restoring your server from the ground up, great.
- SVN / git diff also is a great tip.
#6. Miles Johnson http://www.milesj.me on Jul 23, 2009
You can also change the port in which SSH is accessible, which blocks nearly all attempts from that direction.
#7. Marc Grabanski http://marcgrabanski.com on Jul 23, 2009
Miles: yeah Paul mentioned that, too. Thanks for re-iterating =)
#8. Thomas the UX dude http://www.webproductblog.com/ on Sep 01, 2009
Thx very much for that list! Since I am more of a user interface guy, there are some really new things there for me :)

cheers,
Thomas
#9. Xiong Chiamiov on Sep 29, 2009
I would suggest not using the root account at all - use sudo to divvy up privileges to various accounts, and lock the password for root. Allowing only certain users to ssh in and forcing login by public key also does wonders.

For my ftp setup, I have users chrooted into their home directories, and then I've mounted (with --bind) directories they need to access into their ~, so they can access only those folders. Pretty nifty.
#10. Andrew Weismen http://profitableinternetmarketing.org on Oct 04, 2009
Wow! Thanks for the info. Speaking of hacking, my email address, YM and Twitter account were hacked by a single hacker, selling some stuff that can drop your weight. I am only using my personal computer, so I guess nobody took advantage of my email or other accounts left logged in. I am just wondering if it is safe to engage in online banking? I am also worried about my online bank accounts. Thanks.

Thanks.

This is a nice site!!
#11. Marc Grabanski http://marcgrabanski.com on Oct 16, 2009
Andrew: The nice thing about something like Mint.com vs online banking is that mint doesn't actually allow you to transfer or interact with your money. It is simply reporting and viewing transactions and budgets in a better way.
#12. linux http://linuxcritic.com on Dec 18, 2009
A good selection of tips; changing the security of your root from SHA1 to Blowfish is also a good idea.
#13. check up http://www.dorahospital.com/check-up/ on Jan 10, 2010
thank you. in many places between this and did not find was information. You have a very successful Congratulations to prepare an article