iWeb's servers are provided unmanaged, with the exception of managed hosting offers (where some parts of the IT infrastructure security are included in the package). As such, securing servers is considered the client's responsibility. To help you secure your server(s), here are some tips, recommendations and best practices to follow to increase the security of your assets and IT architecture. Our Technical Support team is available 24/7 and may help you to implement some of these.
These tips and recommendations do not cover the entire scope of an IT infrastructure security. They focus on the server's security side, not the client side. They represent the most important ones for companies who have their IT infrastructure publicly accessible, like web hosting companies.
1.1- Use Strong passwords: Make sure to choose a password that has mixed cases (capital letters and small letters), special characters and numbers. Preferably, the password should be at least eight characters. (see this online tool; do not use the suggested passwords).
1.2- Change your passwords regularly: This is what defines a password expiration policy. The frequency of changing a password depends on what the passwords are used for (read this article for additional details).
1.3- Use public key authentication when possible: It's recommended to use public key authentication to replace the password authentication mechanism if possible.
1.4- Implement two-factor authentication when possible: Implement an additional security level for your authentication mechanisms.
1.5- Store your credentials and keys securely: You can use a password manager to securely store your passwords (see some examples), or store them locally on an encrypted partition using encryption tools such as TrueCrypt, BitLocker, FileVault for Mac, ...).
2- Users & groups
2.1- Delete users and groups that are no longer in use: Check the list of the users and groups configured for your server and/or applications and delete all the ones that are no longer in use.
2.2- Enforce role separation: If your server and IT infrastructure are managed by a group of people (administrators, web developers, ...), or if part of your IT infrastructure management is outsourced, role separation (also called separation of duties) will help restrict the amount of power held by a member of the team. It helps to also put a barrier in place to prevent fraud or errors which may cause security issues. A user account should have just enough access to do what they need to do for their role and not more.
3- Services & packages
3.1- Remove services and software packages that are not required for your server: To avoid an unnecessary security risk related to those packages and services now and in the future.
3.2- Limit the access to your services when possible: Some services should be only accessible from few IP addresses. So instead of leaving the service open and accessible from all around the world, you should limit the access using the firewall (see below), the service configuration parameters or using TCP wrappers.
3.3- Secure the services running on your server: Apply the security best practices provided by the services packages providers. (Example: cPanel, Plesk, SQL Server, Apache, ...)
4- File system, Files and directories
4.1- Set the right permissions: The right pemissions have to be set for all folders, files and partitions on your file system (more details in this article Understanding Linux File Permissions). Do not use the SUID bit unnecessarily especially for files owned by root. It is better to use 'sudo' when unprivileged users need access to an administrative function.
4.2- Assign the right ownership: To protect your valuable data and ensure the integrity of your file system, you have to identify and assign the right ownership to the users and groups allowed to read, modify or even execute commands and scripts.
4.3- Monitor your file system's integrity : For the protection of critical systems, monitoring file integrity is important especially if you are required to be compliant (PCI-DSS, ...). File integrity monitoring will help you answer some questions: Who made the change, What has been changed, When it was changed, What was the previous value, ...
4.4- Scan your server for viruses, rootkits, backdoors and local exploits: Specifically for customers specializing in shared webhosting, where different users (end clients) are allowed to upload files, manage their websites, install packages and software (CMS, plugins, ...) in their space. Most shared hosting environments contain a huge number of compromised websites, unpatched packages, and used by users who do not take the necessary actions to protect their websites. Scanning your server to detect, prevent and clean the filesystem from any malicious files (Backdoors, viruses, ...) is important.
4.5- Encrypt your data when needed: If you are required to be compliant (PCI-DSS, ...) or you only want to protect your valuable data and prevent unauthorized viewing of those assets, sensitive data encryption is best practice.
5- Operating System and Software
5.1- Apply the vendor’s recommended security best practices: Most of the software providers have Knowledge Management Systems where you can find a list of recommendations and best practices to secure your installation.
5.2- Keep your software and operating system up-to-date: This is one of the basic principles of any IT infrastructure administration. Keeping your infrastructure packages and software up-to-date will help you avoid any trouble (end-of-life) or security issues caused by outdated packages and software.
5.3- Apply vendor’s Security Patches as soon as they are available: This is applicable for any type of software or package installed by you or your clients on the server. For example, if you have installed third party software packages, such as Joomla! or WordPress or other software, be sure to keep them updated and patched. Please note that Joomla! and WordPress are not supported, beyond installation, by iWeb (See the list of supported software).
5.4- Install software from trusted sources and providers: Installing software or any packages from untrusted sources creates a significant risk for your IT infrastructure and asset security.
6- Firewall, IDS and IPS
6.1- Secure your infrastructure using a firewall: You can choose between software or hardware firewalls to protect your servers. Our technical support team can help you to install and configure a software firewall in your server.
You may choose from our hardware firewall offers http://iweb.com/managed/firewalls due to certain benefits over a software firewall. Please communicate with our Sales experts to help you choose the right solution that fits your needs.
6.2- Ensure that the firewall is running: To keep your servers and IT infrastructure secure, the firewall has to be up and running at all times.
6.3- Secure your infrastructure using a WAF (Web Application Firewall) when needed. See our WAF offers here: http://iweb.com/managed/firewalls
6.4- Use an Intrusion Detection System (IDS) when needed: Different solutions and flavors exist to implement a host-based or a network-based IDS based on your needs and compliance requirments. Read this article for more details about IDS.
6.5- Use an Intrusion Prevention System(IPS) when needed: Choose an IPS that includes detection and prevention phases. Please communicate with our Sales experts if you need help to choose the right IPS solution from our offers.
7- Secure code
7.1- Integrate the secure coding best practices to your development processes: The Open Web Application Security Project (OWASP) published a Quick Reference Guide which provides a comprehensive checklist that can be integrated into your development life cycle. It's available on their website.
8- Regular Audits & Vulnerability scans
8.1- Audit your servers and check the logs regularly: Auditing your server regularily is an important component of your IT infrastructure Management Lifecycle. This will help you to ensure that the minimum security requirements are always met and your users and administratora are compliant with your security policies. It will also enable you to identify any security issues that have to be fixed.
8.2- Scan your server for vulnerabilities: To identify vulnerabilities in your software and packages installed on your server(s), regular vulnerabiliy scans are important. Hackers are always scanning the internet to discover vulnerable servers and websites. Be proactive and fix any security issues before they are exploited by the bad guys.
9.1- Ensure your data is backed up regularly and securely: It is useful to keep regular backups in case your server has been compromised. Both WHM and Plesk have easy-to-use backup systems to create user data backups.
iWeb also provides Idera/R1Soft backups, either in shared or dedicated format. For more information and pricing, please contact our sales team by email: firstname.lastname@example.org
If your server is ever compromised, you can simply restore your data from the earliest clean backup. See our backup solution offers http://iweb.com/managed/hosted-server-backup