AlpineWeb Design Home
Check Domain Name Availability
Customer Login | Help Desk | Contact Us
Support Home Documentation Knowledgebase Help Desk Order Forms Make a Payment Contact Info
Home
About Us
Domain Name Services
E-Commerce
Internet Hosting
SEO
Partners
Policies
Rates & Fees
Order Forms
Make a Payment
Contact Info
Site Map
 

    Support Home > Knowledgebase > Security >

Security Best Practices

The security of our servers is of paramount importance. We have a strict security policy that encompasses many areas including a security-hardened operating system, functional isolation of each server, and careful monitoring and updating of applications. However, our customers must also share in the responsibility of keeping each of their server accounts secure by using good passwords, avoiding insecure scripts and applications, and following other security best practices.

Some of you may have seen reports of distributed server scans that are initiated by potential hackers. Essentially, these hackers scan Internet servers for vulnerable scripts and/or vulnerable users (users with weak passwords). One of the most popular of these scans is trying to login into SSH as common users like 'root', 'guest', 'admin', or 'test' and then attempting to crack weak passwords (it's even easier if no password has been configured for one of these users). We think it is important to make you aware of these scans and also provide you information that will keep you from becoming a victim of one of these attacks.

One of the benefits of our VPS & MPS plans is root access. Every VPS/MPS account is provisioned with a root user. Because the root user has significant flexibility and power, it is important that this feature be used carefully.

One of the single most important things you can do to secure your VPS/MPS account is select good passwords for all users -- especially the root user! Choose a password that uses a variety of characters on the keyboard. Specifically, choose a password that meets the following criteria:
  • Your password has both upper and lower case letters.
  • Your password has digits, punctuation marks, or other symbols (do not use a word where some letters are simply replaced by digits such as bl0wf1sh).
  • Your password is not based on your login.
  • Your password is not a real word (e.g., something you'd find in a dictionary or a list of proper nouns).
  • Your password is seven or eight characters long.
  • Your password is something you can memorize; if you can't seem to memorize something with strange characters, make your password longer, preferably 12 characters or more; adding just one or two characters to your password length has a huge effect mathematically on the strength of your password.
  • Change your password at least every six months and change it immediately if you've had to login over plain text for any reason.
  • REQUIRE SSH USERS TO LOGIN WITH A PRIVATE KEY INSTEAD OF A PASSWORD.
For additional information on choosing a strong password, see:
Choosing a Password
Second, you should always login to your VPS server as a user OTHER THAN 'root' (either as the admin user created during account provisioning or some other user you've added) and then 'su' to root when you need to do something as root. Additionally, never run a website as root (where the website files are owned by the root user).

Lastly, it is important to secure access to applications that are frequently the subject of scans (like SSH). Here are a few important tips for securing SSH:
  • Set "PermitRootLogin no" in sshd_config: now *any* root login attempts will fail. You should login to a user account (with a good password!) and then 'su' to root as needed. sshd_config is located in the /etc/ssh/ directory.
  • There are other settings in sshd_config that can be modified; refer to the ssh_config man page. Specifically review MaxStartups, which specifies the maximum number of concurrent unauthenticated connections to the ssh daemon, and PasswordAuthentication, which can be set to 'no', thus requiring SSH users to login with a private key instead of a password. sshd_config is located in the /etc/ssh/ directory.
For details on the above recommendations and other tips for securing your VPS servers, please visit the following URLs:

For additional information on securing root and using private keys, see: Please contact our Technical Support Department at support@alpineweb.com or call 1-603-356-8797 if you have any questions regarding these changes or need help identifying the administrative user.

image


DocumentationDocumentation Home
Help Desk
Knowledgebase

Business Services
PC Data Backup Support
Sugar CRM

Domain Name Services
Domain Name Service
Domain Name Registration
Domain Name Transfer
Domain Name Redemption

Web Hosting
Getting Started Guides
Basic Hosting
Starter Hosting
Signature Hosting
Virtual Private Servers
  • FreeBSD VPS v2/3
  • Linux VPS
Managed Private Servers
  • FreeBSD MPS v2/3
  • Linux MPS





image
Authorized viaVerio Reseller         Authorize.net         Miva Certified Business Partner        
Homepage | About Us | Privacy Policy | Rates & Fees | Contact Us | Sitemap

All contents © Copyright 1997-2010 AlpineWeb Design