How can I keep my account safe from hackers, scammers and spammers?

Transcription

1 How can I keep my account safe from hackers, scammers and spammers? The question is a good one and especially important if you've purchased shared hosting (such as HostDime offers) since what effects your account will end up affecting others, also. Keep in mind that the following tips are general in nature and don't discuss programming techniques if you are the sort to write your own code. So what can you do to help keep your data and your account safe? First you need to realize that it doesn't matter if you're only planning on hosting a small site with pictures of your dog to share with family and friends. Hackers, scammers and spammers do not care. Your account can be put to good use no matter how small it is once it has been found and exploited. Even if you keep your site off of search engines, your site can and will be found by nefarious individuals. General Tips: Don't place files or directories into your site's web root (public_html) if you aren't actively using them. Remove old files and directories as soon as you are finished with them. A lot of people make the mistake of leaving old scripts, files and directories in place after their site no longer needs those items. Hackers, scammers and spammers may be able to use this old or forgotten content to compromise your site. However, they cannot exploit these items if they aren't hosted on your site anymore. This is why it is critical that you regularly look through your site for old content that is no longer needed. This advice also applies to other content and features on your site. Have you stopped using a database? Remove it. Did you retire your e- mail account in favor of a new one? Delete it once you are sure you don't need it. Is there a subdomain you no longer need? Get rid of it (and be sure to remove the directory the subdomain's content was stored in, too). Scammers love to exploit scripts and other content to install mini phishing sites and then use those sites to collect people's sensitive data or use your account to send out spam. If you do nothing else, take this to heart, because we have to help people all the time who have had their sites exploited because of some old piece of content that they weren't even using any more. It is so much easier to spend a little time now to keep your account safe than it is to clean it up and secure it after it has been exploited. If you haven't really taken a look at the files on your site lately, please do so now. Don't ever leave files and directories with write and execute permissions (777 permissions) in your

2 web root. A lot of people don't really think about it too much, but leaving directories and files that are readable and writable by others or other scripts is dangerous. Many hackers, spammers and scammers exploit insecure scripts to place and run files from your web hosting account. Our web servers use something called suphp to improve security. suphp makes PHP scripts run as your cpanel account user. That means that PHP scripts do not need files to be set to 666 or 777 permissions in order to work. In fact, our servers will display a 500 (Internal Server) error for security reasons if you have files or directories in your web root that are set above 755 and someone or something tries to access them. If the installation directions for a script you want to use ask you to set files or directories to 666 or 777, then set those items to 755 instead. The script will work properly with the items set to 755. Of course many scripts require a place to write temporary or permanent data that won't be removed until the script is finished with it. For example if you have a script that allows people to upload pictures to a gallery or other files to share with members of your community, that script needs some place to put those files. The "lazy" and insecure way is to have a predictably named data, tmp or upload directory inside the script directory. Many scripts do this because it is the only reliable way to be sure the script will have some place to write those files. However, it makes it child's play for hackers, scammers and spammers to write their own files to that location or access data you don't want them to have. The best scripts will offer a variety of methods for storing data and binary files. A good script will at least permit you to move and rename the data directory (or directories) and files outside of the web root. Remember, anything in your site's web root (public_html) may be directly accessible from the web if someone knows the exact path and file. If you place a script's data directory in your home directory (on cpanel servers this is the one you start in when you first log into your main FTP account, the one "above" public_html) and can rename the directory and data so they are hard to guess you can cut down on hackers, spammers and scammers ability to exploit any weak scripts they may find. This is because they won't be able to easily guess the location of any files they manage to write to that location and, more importantly, the files cannot be directly accessed or run from a web browser. Of course it's not iron- clad security, but it will keep many of the commonly exploited issues at bay. Another method some scripts use is to store all data (including uploaded binary files) in a database. This has the advantage of not requiring the script to write to files hosted inside your account, however it does have some other drawbacks. Typically, data stored in a database table field can't be over a certain size and if your script can't break

3 the data into "chunks" automatically then your files and data won't be able to be any larger than the limit imposed by us (the host). Also, storing binary data in a database can increase the load your site places on our servers if the data is accessed frequently. Also, there are ways to use.htaccess files to help block these sorts of exploits, but they aren't foolproof so it is best to keep any data directories and files outside of web root if at all possible. Treat all scripts and files as if they are dangerous. You should treat all scripts as if they are exploitable, because they are. Even a script that has undergone extensive security testing by independent third parties and the developers can be exploited. New bugs and security flaws are found every day and your previously secure script may now be at risk. Files and other content uploaded by users should be treated as if they are dangerous until you've had a chance to verify that they aren't. Even well- known and respected members of the community may still accidentally provide you a file with a virus or other malware without realizing it. Keep an eye on all content on your site and be prepared to remove anything that you find to be unacceptable. Vigilance is key. Again, don't install anything you aren't 100% sure that you need and want on your site and make sure you keep a close eye on content being added to your site. If you loose users due to a security breach you may never get them back again. Regularly inspect directories and files looking for anything unusual and remove questionable content. Backup your data regularly! I cannot begin to stress how important this is for the safety and security of your site. How often you back up depends on your comfort level and with how often the content on your site changes. If you have forums that are visited regularly and you don't want to loose posts, backing up the changed data every day is important. However, if you don't have any dynamic content on your site or if you can live with losing a certain amount of data, perhaps weekly or even monthly backups will do. Regardless, be sure to always make a backup any time you install or remove any data, just to be safe. The backup you make can be used to get your site back up and running quickly if your site ever is hacked or data is accidentally lost. You've probably heard this many times, but it is probably the single most important thing you can do to keep your account and data safe. We do not recommend making large backups in the middle of the day. They can be quite time consuming and increase the load on your server. You can always go into cpanel to download the nightly backups we make. Downloading that won't place as much load on the server.

4 Keep up with security and bug fix releases for all scripts that you use. However, do not upgrade to major new versions right away. Just because the scripts you use are secure and working well now does not mean that everything will remain that way forever. You need to regularly monitor the web sites of the developers of any scripts you use. Watch for security and bug fix patches and smaller point (0.0.x) releases. You should not wait to install these. Do so as soon as you can. Hackers look for slightly outdated versions with a confirmed security flaw and try to exploit it, often on the same day a new release is out or sometimes even earlier than that. On the other hand, try to avoid major new releases (x.0.0 or 0.x.0) for a while. These new releases often have new, untested code and patches to fix security flaws and bugs will be forthcoming shortly. Wait for one or two minor point releases before upgrading if you can. Waiting can be difficult as the major new releases could have glitzy new features that you may really want. Avoid the temptation as long as you can. If you wait a bit, not only will you have a more secure script, but you'll give third party developers time to update their themes, modules or other add ons (if you use any). Try to keep the number of third- party modules and add ons to a minimum. The script you are using may not exactly meet your needs. Often there are third- party developers who release modifications, modules or add ons for popular scripts. These mods can add many new features. However, you should avoid the temptation to install tons of these mods because the mods may not go through the same rigorous security testing as the main script and having too many can make upgrading the script difficult. Try to find scripts that most closely meet your needs without modification and if you must add mods, pick just a few so you aren't discouraged from upgrading to the latest minor point release with security bug fixes. Use secure, hard to guess passwords at all times This is another sometimes painful, but important, step you should take to keep your data safe. Don't use the same password everywhere and make sure you don't use recognizable words or other data that can be guessed (like your birthday or dog's name). Make sure the passwords are long and include both letters and numbers (and where possible non- alphanumeric characters or upper and lowercase letters). Ideally, you should change your passwords periodically and not leave a written record around for someone to steal. Many hackers, scammers and spammers use brute force attacks trying to gain access to your scripts and account using combinations of obvious choices. Even passwords you might assume would be hard to

5 guess like "p4ss- w0rdz" are going to be tried by good brute force crackers. If you can't memorize every password, you may want to consider a password/data management program. Many home computer password managers can keep your data safe by encrypting it and generating random secure passwords for you. Just make sure the password manager you use encrypts data using a strong well- known encryption method and make sure the password to access that data is itself highly secure and unique. Also be sure to keep offline backups of the encrypted data files somewhere. Here are a few that you might want to look at: 1Password: Roboform: Keepass: Password Gorilla: Of course many online scripts have features that help make it more difficult for brute force password stealing attempts (using captcha and by locking an account for a certain amount of time if the correct password isn't entered in a certain number of tries). If your script offers it, be sure to turn on these brute force deterrence tools. Remember, though, your password is often the only thing between hackers and your very sensitive data, so treat passwords like the frontline defense they are! This goes for your moderators and any other admins or people with access to sensitive information on your site. Tips to avoid spam and spammers: There are a number of things you can do to help make it difficult for spammers to spam you and others. Don't put your unobscured e- mail address anywhere on the web. If you must post an e- mail address in a public place where others can see it, be sure to obscure it from spam bots. The best way to do this is to write your address in a way that humans can figure out, but that spam bots won't understand. For example: aric at hostdime dot com or aric*removethispart*@*removethispart*hostdime.*rem OVETHISPART*com Alternately, you can create a small graphic file of your e- mail address (but make sure users can see the e- mail address in ALT tags or click on the picture to send you e- mail). Many scripts allow users to contact other users via e- mail without directly exposing either user's e- mail

6 address. Note that some e- mail harvesters can detect basic obfuscation techniques, so these aren't foolproof. However, they will result in you getting less spam than you would if you simply posted your address normally. Avoid use of contact forms Although there are some contact form scripts that are reasonably secure, spammers and scammers often find ways to turn even small errors in the contact form code into a springboard to send thousands of spam and scam e- mails, perhaps without your knowledge (until it is too late). No matter what you decide to use be sure to completely avoid any contact forms that use Matt's Archive formmail as a base for the contact form code. Matt has acknowledged that the script is full of bugs that can be exploited. See the item above about obscuring your e- mail address if you post it on your site. This will let most people contact you if need be without making your site a haven for spammers and scammers. Avoid guestbooks and other scripts that allow people to publicly post content without first being approved by you. Guestbooks and even forums can be used by spammers and scammers to post links to nefarious sites. If you can avoid these scripts altogether, do so. If not, make sure you find a guestbook or forum script that makes it more difficult for spammers and scammers to post. Captcha images, e- mail validation and moderation of new member messages can all help. Keep in mind that many spammers and scammers often use a real, valid e- mail address and a real human to complete the registration process and then go dormant for a time before having a bot post hundreds of spam/scam messages. Avoid setting up and using "obvious" e- mail addresses. Your first instinct may be to set up an e- mail address like "sales@..." or "contact@..." but try to avoid this if you can. Spammers latch onto these e- mail addresses quickly once they realize the domain is active. If you need to have a sales e- mail address, try using the name of the employee who is responsible for sales or some variation on the "sales" theme. For example:

7 or This isn't going to stop spammers, but it will make it more difficult for them to find these e- mail addresses to spam them, especially if you follow the tips above about obscuring e- mail addresses. Set your catchall (default) e- mail address to :fail: HostDime has special anti- dictionary attack tools in place that will stop spammers from finding all the active e- mail addresses in your account, but only if you set your default e- mail address in cpanel to :fail: (this should not be confused with your contact address in cpanel (which we use to contact you in case of problems with your account). Dictionary spam attacks work by sending hundreds or thousands of e- mails to every possible permutation of addresses at a domain and monitoring the result. A bot notes all the bounce messages that come back and removes those addresses from its spam list. Any addresses that don't bounce are then added to a "good address" spam list. Our solution checks of several bounces in a row from a particular location and then temporarily bans all e- mail from that sender. This disrupts the spammer's attack since they can only check a few e- mail addresses before being banned for a time. However, it only works if you have mail sent to non- working addresses set to :fail: The items discussed in this post are not meant to be exhaustive, but if you follow them you will keep your account and data much safer than if you ignore these tips. We strongly encourage you to follow these practices regularly to help avoid data loss and account suspension. Of course if you think your account may have been hacked or used by a spammer or scammer it is important to open a ticket via your CORE account and let us know of the issue so we can investigate. Please feel free to comment on this doc on our blog post at: your- web- hosting- account- safe- from- hackers- and- spammers/