Security - Web Hosting Curriculum [9/10]


Transcript of Security - Web Hosting Curriculum [9/10]

Page 1: Security - Web Hosting Curriculum [9/10]

WEB HOSTING Module 9: Security

Page 2: Security - Web Hosting Curriculum [9/10]

INTRODUCTION

Security is an important part of hosting. It protects your content and site as well as the information of visitors. There are a number of things you can do to keep your site secure.

You want to make sure you use secure passwords for all of your logins, be careful logging into your account on public wifi networks, and check your computer for viruses that might try to steal passwords.

If you use software like WordPress, make sure to keep it up to date with the latest version. With ecommerce sites, you can inquire about SSL (Secure Sockets Layer), which protects online payment information.

Page 3: Security - Web Hosting Curriculum [9/10]

MODULE OBJECTIVES

Upon completion of this module, you should be able to:

• Define security and hacking

• Describe the ways sites get hacked

• List web hosting security best practices

• Recognize secure passwords

• List the ways to secure a website

• Apply your knowledge to improve your website’s security

Page 4: Security - Web Hosting Curriculum [9/10]

INTRODUCTION TO SECURITY & HACKING

Hacking means identifying weaknesses in computer systems and/or networks and exploiting them to gain access.

An example of hacking is bypassing the login algorithm to gain access to a system.

Hackers are usually skilled computer programmers with knowledge of computer security.

You may not think your site has anything worth being hacked for, but websites are compromised all the time. The majority of website security breaches are not attempts to steal your data or deface your website, but attempts to use your server as an email relay for spam, or to set up a temporary web server, normally to serve files of an illegal nature.

Page 5: Security - Web Hosting Curriculum [9/10]

Google quarantines approximately 10,000 websites a day via its Safe Browsing technology.

Let’s analyze how…

COMMON WAYS SITES GET HACKED

Page 6: Security - Web Hosting Curriculum [9/10]

ACCESS CONTROL

• Brute force attack: The attacker attempts to guess the possible username and password combinations in an effort to log in as the user.

• Social engineering: phishing pages designed to capture a user’s ID/username and password combination.

• Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) attack: The attacker tries to intercept the user credentials via their own browser.

• Man in the Middle (MITM) attack: The attacker intercepts your username and password while you work over insecure networks and your credentials are transferred from one point to another in plain text.

Page 7: Security - Web Hosting Curriculum [9/10]

SOFTWARE VULNERABILITIES

When it comes to websites, exploitation of a software vulnerability is achieved through a cleverly malformed Uniform Resource Locator (URL) or POST headers.

Via these two methods, an attacker is able to carry out a number of attacks, such as Remote Code Execution (RCE), Remote / Local File Inclusion (R/LFI), and SQL Injection (SQLi). There are a number of other attacks, but these are some of the more common attacks we’re seeing affecting today’s websites.

Page 8: Security - Web Hosting Curriculum [9/10]

THIRD PARTY SERVICES

The most prominent form is ads served via ad networks, leading to malvertising attacks. It extends beyond that to services you might use, including things like a Content Distribution Network (CDN).

The problem with the exploitation of third-party integrations and services is that it is beyond the website owner’s control. When we integrate third-party providers, we assume they are ensuring the service we consume is safe, but like everything else there is always the chance of compromise.

Page 9: Security - Web Hosting Curriculum [9/10]

Let’s see... PAYING ATTENTION?

What is a Man-In-The-Middle Attack?

Select one or more of the options. Then move on to the next slide to check your answer.

• The attacker intercepts your username and password while working via insecure networks and your credentials are transferred between one point to another via plain text.

• The attacker tries to intercept the user credentials.

• The attacker attempts to guess the possible username and password.

Page 10: Security - Web Hosting Curriculum [9/10]

Let’s see... PAYING ATTENTION?

What is a Man-In-The-Middle Attack?

Select one or more of the options. Then move on to the next slide to check your answer.

• The attacker intercepts your username and password while working via insecure networks and your credentials are transferred between one point to another via plain text.

• The attacker tries to intercept the user credentials.

• The attacker attempts to guess the possible username and password.

Correct! This is an MITM hacking attack!

Page 11: Security - Web Hosting Curriculum [9/10]

WEB HOSTING SECURITY BEST PRACTICES

1 - STRONG PASSWORDS

Ensure that you are always using a strong password for anything that accesses your server. Don't let these important credentials just lie around for anyone to see. If you have root access on your server and an unauthorized user logs in as the root user, this can be very bad. Sometimes this requires moving to a new server to ensure nothing malicious was left behind.

Page 12: Security - Web Hosting Curriculum [9/10]

WEB HOSTING SECURITY BEST PRACTICES

2 - LIMIT WEBSITE ACCESS

You should review website access logs for unwanted activity and block unwanted users from your website if you find any.

Blocking bad users at the website level is a good step before blocking them in your server's firewall.

If you are using a CMS such as WordPress to run your website, make sure you're protected from things like a WordPress brute force attack so your admin dashboard is safe as well.
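The review-then-block routine described on this slide, as an added example that is not part of the course material: a POSIX shell script that counts POST requests to the WordPress login page per client address in a combined-format access log and emits an Apache 2.4 .htaccess block for the offenders, so the blocking happens at the website level first, as the slide recommends. The log lines, addresses and threshold are constructed samples.

```shell
#!/bin/sh
# Added example (not from the course): find IPs hammering the WordPress
# login from a combined-format access log and emit an Apache 2.4 .htaccess
# block for them. The log lines below are constructed samples, not real traffic.

SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# login_abusers THRESHOLD: read log lines on stdin, print each client IP with
# more than THRESHOLD POST requests to /wp-login.php (one per line, sorted).
# Fields in the combined format: $1 = client IP, $6 = "METHOD, $7 = path.
login_abusers() {
  awk -v t="$1" '
    $6 == "\"POST" && $7 == "/wp-login.php" { n[$1]++ }
    END { for (ip in n) if (n[ip] > t) print ip }
  ' | sort
}

# htaccess_block: read IPs on stdin, print an Apache 2.4 <RequireAll> block
# that keeps the site open to everyone except those addresses.
htaccess_block() {
  printf '<RequireAll>\n  Require all granted\n'
  while read -r ip; do
    printf '  Require not ip %s\n' "$ip"
  done
  printf '</RequireAll>\n'
}

# Usage: review the output first, then append it to the site's .htaccess.
printf '%s\n' "$SAMPLE_LOG" | login_abusers 3 | htaccess_block
```

A single failed login is normal (198.51.100.7 above is a legitimate user who mistyped once), which is why the threshold exists; pick it from your own logs rather than copying the sample value.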

Page 13: Security - Web Hosting Curriculum [9/10]

WEB HOSTING SECURITY BEST PRACTICES

3 - LIMIT SERVER ACCESS

Limit server access to only those that need it with the iptables firewall available on most Linux servers.

The default APF (Advanced Policy Firewall) allows easy management of your iptables rules. There is also the more advanced CSF (ConfigServer Firewall) that also controls your iptables but has a more robust feature set.

One common thing to do is close open ports in your server firewall. That way only the ports your server needs to communicate with the outside world on will be accessible.

You can also enable cPHulk brute force protection on your server to automatically block users that repeatedly try to log in with invalid credentials to various services.
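An added example, not from the course, of the "close open ports" idea in plain iptables terms (APF and CSF generate rules like these for you): a shell function that prints a default-deny INPUT rule set in which SSH is reachable only from the administrator's address, a handful of public ports stay open, and everything else is dropped. The admin address and ports are constructed values; the script only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the course): generate a default-deny iptables INPUT
# chain. ADMIN_IP and the public ports are constructed values; replace them
# with your own. Nothing here touches the live firewall; the commands are
# printed for review.

# gen_input_rules ADMIN_IP PORT...: print the iptables commands that
#  - temporarily set the policy to ACCEPT and flush the chain (so a re-run
#    over SSH does not lock you out between flush and re-add),
#  - accept loopback and replies to connections the server started,
#  - accept SSH (22/tcp) only from ADMIN_IP (the "add your IP first" step),
#  - accept the listed public service ports from anywhere,
#  - and only then switch the default policy to DROP, closing every other port.
gen_input_rules() {
  admin_ip=$1
  shift
  printf 'iptables -P INPUT ACCEPT\n'
  printf 'iptables -F INPUT\n'
  printf 'iptables -A INPUT -i lo -j ACCEPT\n'
  printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  printf 'iptables -A INPUT -p tcp -s %s --dport 22 -j ACCEPT\n' "$admin_ip"
  for port in "$@"; do
    printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$port"
  done
  printf 'iptables -P INPUT DROP\n'
}

# exposed_ports RULES: list the ports the generated rule set opens to the
# whole internet (a rule restricted with -s is excluded). A last review step:
# if a port you did not expect shows up here, fix the list before applying.
exposed_ports() {
  printf '%s\n' "$1" | awk '/-j ACCEPT/ && /--dport/ && !/ -s / {
    for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }'
}

ADMIN_IP=203.0.113.10   # constructed sample admin address
RULES=$(gen_input_rules "$ADMIN_IP" 80 443)
printf '%s\n' "$RULES"
printf 'ports open to everyone: %s\n' "$(exposed_ports "$RULES" | tr '\n' ' ')"
# To apply after review, as root:  gen_input_rules "$ADMIN_IP" 80 443 | sh
```

Rule order is the whole point: `-P INPUT DROP` goes last so the allow rules already exist when the default flips, and the admin-only SSH rule is what lets you keep the session you are applying it from.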

Page 14: Security - Web Hosting Curriculum [9/10]

WEB HOSTING SECURITY BEST PRACTICES

4 - LOGIN TO YOUR SERVER SECURELY

To securely connect to your server directly, you can use SSH (Secure Shell), which encrypts your data.

By default, no outside IP addresses will be allowed to connect via SSH to your server for better security. So you will first want to add your IP to the server firewall so that you are able to connect.

When working with files on your server, especially from a shared network, it's important to encrypt your login credentials so they are not passed in clear text. You can also disable FTP clear/plain-text authentication server-wide to force everyone connecting to your server to use a secure protocol.

You can also securely use FTP over SSL with the FTPS protocol.

Page 15: Security - Web Hosting Curriculum [9/10]

Let’s see... PAYING ATTENTION?

True or False: Limiting web access and server access are different security measures.

Select one or more of the options. Then move on to the next slide to check your answer.

• False

• True

Page 16: Security - Web Hosting Curriculum [9/10]

Let’s see... PAYING ATTENTION?

True or False: Limiting web access and server access are different security measures.

Select one or more of the options. Then move on to the next slide to check your answer.

• False

• True

Correct!

Page 17: Security - Web Hosting Curriculum [9/10]

PASSWORD SECURITY

Ideally, each of your passwords would be at least 16 characters, and contain a combination of numbers, symbols, uppercase letters, lowercase letters, and spaces. They should be free of repetition, dictionary words, usernames, pronouns, IDs, and any other predefined number or letter sequences.

The security-savvy community evaluates password strength in terms of "bits," where the higher the bits, the stronger the password. An 80-bit password is more secure than a 30-bit password, and has a complex combination of the aforementioned characters. As a result, an 80-bit password would take years longer to crack than a 30-bit password.

Ideal passwords, however, are a huge inconvenience. How can we be expected to remember 80-bit (12-character) passwords for each of our various Web accounts?
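The "bits" measure on this slide can be made concrete. The following is an added example, not course material: a POSIX shell script that estimates a password's strength as length × log2(size of the character pool it draws from), the usual way such bit counts are derived, and then shows why the number alone is not enough: a 16-character password built on a dictionary word scores 95 bits by that formula yet is exactly what the slide tells you to avoid. The word list is a tiny constructed stand-in for a real dictionary, and the sample passwords are constructed too.

```shell
#!/bin/sh
# Added example (not from the course): estimate password strength in bits as
# length x log2(character pool), and show why a bit count alone is not enough.
LC_ALL=C; export LC_ALL     # keep [a-z] meaning ASCII a..z regardless of locale

# password_bits PASSWORD: the pool grows with each character class present
# (26 lower, 26 upper, 10 digits, 33 printable symbols including space).
password_bits() {
  pw=$1
  if [ -z "$pw" ]; then echo 0; return 0; fi
  pool=0
  case $pw in *[a-z]*) pool=$((pool + 26)) ;; esac
  case $pw in *[A-Z]*) pool=$((pool + 26)) ;; esac
  case $pw in *[0-9]*) pool=$((pool + 10)) ;; esac
  case $pw in *[!A-Za-z0-9]*) pool=$((pool + 33)) ;; esac
  awk -v n="${#pw}" -v p="$pool" 'BEGIN { printf "%d\n", int(n * log(p) / log(2)) }'
}

WORDS="password qwerty letmein welcome admin"   # constructed stand-in for a dictionary

# contains_dict_word PASSWORD: succeeds when any listed word appears (case-insensitive)
contains_dict_word() {
  lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  for w in $WORDS; do
    case $lower in *"$w"*) return 0 ;; esac
  done
  return 1
}

# password_verdict PASSWORD: apply the slide's 80-bit bar, but reject
# dictionary-based passwords first, whatever their bit count says.
password_verdict() {
  bits=$(password_bits "$1")
  if contains_dict_word "$1"; then
    echo "weak: contains a dictionary word ($bits bits would be misleading)"
  elif [ "$bits" -lt 80 ]; then
    echo "weak: $bits bits"
  else
    echo "ok: $bits bits"
  fi
}

# Constructed sample passwords (do not reuse them anywhere).
for candidate in 'password' 'Tr0ub4dor&3' 'Password12345678' 'xK9#mQ2$vL7@pR4!'; do
  printf '%-20s %s\n' "$candidate" "$(password_verdict "$candidate")"
done
```

The formula assumes every character was chosen independently and uniformly from the pool; a real attacker tries dictionary words, keyboard patterns and common substitutions first, which is why the verdict function checks for those before it trusts the bit count. Twelve characters drawn from the full 95-character printable pool come out at about 78 bits, which is where the slide's "80-bit (12-character)" figure comes from.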

Page 18: Security - Web Hosting Curriculum [9/10]

SOFTWARE SECURITY

FIREWALLS

Firewalls are the “first line of defense” when it comes to the internet. In the old days, they used to be physical machines that served as the authenticators of users and traffic. Today, most of them are software packages that can be installed on servers and perform just as well or, in some instances, even better.

Any server system should lie behind a firewall, just as your hosting provider’s hardware should. Examples of great firewall software solutions include Netfilter for Linux-based systems and McAfee’s Data Center Security (which also does much more).

Page 19: Security - Web Hosting Curriculum [9/10]

SOFTWARE SECURITY

ANTIVIRUS/ ANTIMALWARE

Once people and traffic have been authenticated by the firewalls on the perimeter of the network, they become the responsibility of antivirus software. These software solutions make sure all the files that are brought into, or taken from, the servers in the network do not contain viruses, Trojans or scripts that can put the safety of the files and data being accessed at risk. Any malware is blocked; files that are infected are either cleaned or quarantined (worst case scenario: they are deleted).

Symantec Solutions, AVG and McAfee make some of the most reliable antivirus software on the market today.

Page 20: Security - Web Hosting Curriculum [9/10]

SOFTWARE SECURITY

SSH KEY AUTHENTICATION

One way of making sure that only the intended users can access a server is by using SSH keys. Instead of asking them to input their passwords, this method makes sure that they are “legit” by using a pair of cryptographic keys that can be used for verification purposes by an SSH server.

In this method, a private and public key pair is created before the authentication can be performed. As you can guess, the private key is kept secretly and securely by the visitors or users wanting to access the servers, and the public keys are shared with everyone.

The public keys for all users are placed in a special directory on the server. When the users connect to the server they will need to prove they are who they say they are by providing the corresponding private key. Once it has been verified that the two keys match, the users will be allowed to proceed with their uploading, downloading or browsing.
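Key-based login only helps if password login is actually switched off on the server side, and sshd has a habit that trips people up: for each keyword it keeps the first value it reads, so a hardening line appended to the bottom of sshd_config below an earlier `PasswordAuthentication yes` changes nothing. The following is an added example, not from the course: a POSIX shell script that reports the value sshd would really use and checks a config for key-only login. The two configuration files are constructed samples written to temporary files.

```shell
#!/bin/sh
# Added example (not from the course): check that an sshd_config actually
# enforces key-based login. sshd uses the FIRST value it reads for a keyword,
# so a hardening line appended below an earlier "yes" has no effect.

# sshd_effective FILE KEYWORD: print the value sshd would use (first match,
# keyword matched case-insensitively, comment lines skipped). Stops at the
# first Match block, whose values are conditional and not handled here.
sshd_effective() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == k { print $2; exit }
  ' "$1"
}

# sshd_key_only FILE: succeeds when password login is off and public keys are
# on (sshd defaults are PasswordAuthentication yes, PubkeyAuthentication yes,
# so an absent keyword counts as yes).
sshd_key_only() {
  pa=$(sshd_effective "$1" PasswordAuthentication)
  pk=$(sshd_effective "$1" PubkeyAuthentication)
  [ "${pa:-yes}" = no ] && [ "${pk:-yes}" = yes ]
}

WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: "no" was appended without removing the earlier "yes"
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF

HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
# constructed sample: key-only login; root may use a key but never a password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
  if sshd_key_only "$f"; then
    echo "$f: key-only login enforced"
  else
    echo "$f: password login still possible (PasswordAuthentication=$(sshd_effective "$f" PasswordAuthentication))"
  fi
done
# Before reloading a real sshd, validate the file with: sshd -t -f /etc/ssh/sshd_config
```

Put your public key in place and confirm key login works in a second session before turning passwords off; otherwise the lockout the slide on firewalls warns about happens here instead.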

Page 21: Security - Web Hosting Curriculum [9/10]

SOFTWARE SECURITY

SERVICES AUDITING SOFTWARE

In some instances there is malicious code that embeds itself in a server’s registry and creates services that run every time you reboot (or restart the server) or at programmed time intervals.

No matter how many times the antivirus software clears the files, they will all start again once the service kicks in.

This means you should make use of service auditing software to make sure that no hidden services are running and kick-starting the malware. Once these rogue services are detected, it is only a matter of finding the appropriate and specifically-designed tool to clean them up.
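The simplest form of the service auditing this slide calls for is a baseline comparison: record which services and scheduled jobs are enabled on a known-clean server, then diff later snapshots against that record. The following is an added example, not from the course: a POSIX shell script doing that for service names and cron entries. Both the baseline and the "current" lists are constructed samples; the comments show the kind of commands that would produce them on a real Linux host.

```shell
#!/bin/sh
# Added example (not from the course): service audit by baseline comparison.
# The lists below are constructed samples. On a real host they would come from
# commands such as
#   systemctl list-unit-files --type=service --state=enabled --no-legend | awk '{print $1}'
#   crontab -l; cat /etc/crontab /etc/cron.d/*
LC_ALL=C; export LC_ALL      # comm needs both inputs sorted the same way

# snapshot FILE LINE...: write LINEs to FILE, sorted, ready for comm
snapshot() {
  f=$1; shift
  printf '%s\n' "$@" | sort > "$f"
}

# new_entries BASELINE CURRENT: lines present now that were not in the baseline
new_entries() { comm -13 "$1" "$2"; }

# removed_entries BASELINE CURRENT: baseline lines that have disappeared
# (a disabled protection service is as interesting as a new rogue one)
removed_entries() { comm -23 "$1" "$2"; }

# audit LABEL BASELINE CURRENT: one finding per line, nothing when clean
audit() {
  new_entries "$2" "$3"     | while read -r e; do printf '%s: unexpected: %s\n' "$1" "$e"; done
  removed_entries "$2" "$3" | while read -r e; do printf '%s: missing: %s\n' "$1" "$e"; done
}

SVC_BASE=$(mktemp); SVC_NOW=$(mktemp); CRON_BASE=$(mktemp); CRON_NOW=$(mktemp)
# Constructed: the baseline had fail2ban; now it is gone and an unknown unit appeared.
snapshot "$SVC_BASE" cron.service nginx.service sshd.service fail2ban.service
snapshot "$SVC_NOW"  cron.service nginx.service sshd.service sys-updater.service
# Constructed: a new job that runs every ten minutes from a hidden temp directory.
snapshot "$CRON_BASE" '0 3 * * * /usr/local/bin/backup.sh'
snapshot "$CRON_NOW"  '0 3 * * * /usr/local/bin/backup.sh' '*/10 * * * * /tmp/.cache/run.sh'

audit services "$SVC_BASE" "$SVC_NOW"
audit cron "$CRON_BASE" "$CRON_NOW"
```

Store the baseline files somewhere the server itself cannot modify (a read-only backup or another host), since a rogue service that can edit its own baseline will never show up as new. Each finding is a starting point for the cleanup the slide describes, not proof of compromise: a legitimately added service will show up too, and the baseline should then be updated.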

Page 22: Security - Web Hosting Curriculum [9/10]

SSL

SSL and Secure Certificates provide security for your website by encrypting communications between the server and the person visiting the website. There are two main reasons why you would need an SSL Certificate.

1) You want to accept credit card payments on your website.

2) You may have confidential information that you want to keep secure while it is being accessed via the web.

SSL Certificates also help to protect your passwords from being intercepted when typed into a secure login page.

Page 23: Security - Web Hosting Curriculum [9/10]

SSL USING cPANEL

1. Log in to your cPanel account

2. Click on SSL/TLS Manager in the Security section

3. Click on 'Manage SSL Sites' under the Install and Manage SSL for your website (HTTPS) menu

4. Copy the certificate code you received from the Certificate Authority

5. Click on the Autofill by Certificate button, which appears next to the certificate entered, and the system will attempt to fetch the domain name and the private key.

6. Copy and paste the chain of intermediate certificates (CA Bundle) into the box under Certificate Authority Bundle (CABUNDLE)

7. Click on the 'Install Certificate' button

Page 24: Security - Web Hosting Curriculum [9/10]

PRACTICE TASK

Take some time to research and complete this task.

1. Set up SSL for your domain using the free SSL feature in cPanel

2. Look into recommended security plugins for WordPress

3. Take personal steps to improve your online security

Page 25: Security - Web Hosting Curriculum [9/10]

ASSESSMENT

Explain the most common ways websites get hacked and practical steps to avoid this.

Page 26: Security - Web Hosting Curriculum [9/10]

CONGRATULATIONS!

You should now be able to:

• Define security and hacking

• Describe the ways sites get hacked

• List web hosting security best practices

• Recognize secure passwords

• List the ways to secure a website

• Apply your knowledge to improve your website’s security

Page 27: Security - Web Hosting Curriculum [9/10]