DreamHost automatically keeps its server up to date with security patches. Nevertheless, there are steps you can take to ensure the security of your website.
Enhanced User Security
- Main article: Enhanced User Security
The Enhanced User Security setting prevents a user's home directory from being accessed by other Dreamhost users. This option is enabled separately for each user, in the panel under Manage Users. It is strongly recommended to enable this option unless it is necessary for other users to access your data. If Enhanced User Security is disabled, incorrectly set permissions can allow any Dreamhost user to read or possibly modify your data, including passwords held in configuration files.
IP-based restrictions to Panel
You can limit access to the Panel to certain IP addresses by editing your profile (upper right corner of the panel) and then clicking on the Security tab. This adds an extra layer of security tied to your email account: if your username and password were compromised, an attacker would also need either to use your own computer to access the panel or to have access to your email account in order to add another IP address to the whitelist.
Your database holds all of the key information of your website, and failing to protect it means not only the potential loss of private information such as usernames, email addresses, and more, but also allows an attacker to add entries that could place spam or malware links on your site (or worse). Therefore, think carefully about how you access your databases for routine maintenance. The default configuration of phpMyAdmin is not secure, but can be improved greatly by using it locally over an SSH tunnel.
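The tunnel described above, as an added example (not DreamHost's own tooling): it builds and opens an SSH port forward so that a phpMyAdmin or mysql client running on your own machine reaches the MySQL host through the encrypted SSH session. The shell user, shell server, database host and local port are placeholders set through environment variables; replace them with the values shown in your panel.

```shell
#!/bin/sh
# Added example, not part of the DreamHost wiki. All host names are placeholders.
SSH_USER="${SSH_USER:-shelluser}"                # your DreamHost shell user (assumed)
SSH_HOST="${SSH_HOST:-example.dreamhost.com}"   # the shell server you log in to (placeholder)
DB_HOST="${DB_HOST:-mysql.example.com}"          # MySQL hostname from the panel (placeholder)
LOCAL_PORT="${LOCAL_PORT:-3307}"                 # local port the tunnel listens on

# Build the ssh command. -N opens no remote shell; -L binds LOCAL_PORT on
# 127.0.0.1 only, so nothing outside this machine can use the tunnel.
# Traffic enters the SSH session here and leaves it on the DreamHost side
# towards DB_HOST:3306, so the MySQL port is never exposed to the public network.
tunnel_cmd() {
  printf 'ssh -N -L 127.0.0.1:%s:%s:3306 %s@%s' \
    "$LOCAL_PORT" "$DB_HOST" "$SSH_USER" "$SSH_HOST"
}

# Start the tunnel in the background and print its PID so it can be
# stopped with "kill" when the maintenance session is over.
open_tunnel() {
  eval "$(tunnel_cmd)" &
  echo $!
}

# Usage: sh tunnel.sh   (then point the local phpMyAdmin at 127.0.0.1:3307)
if [ "${1:-}" = "open" ]; then
  open_tunnel
fi
```

With the tunnel open, a phpMyAdmin installed on your own machine is pointed at the tunnel rather than at the DreamHost host: in its config.inc.php set `$cfg['Servers'][$i]['host'] = '127.0.0.1';` and `$cfg['Servers'][$i]['port'] = '3307';` (the local port chosen above). The database credentials themselves are unchanged; only the path they travel over differs.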
Keep software updated
Websites are often hacked via security holes found in old versions of web software, such as web forums, wikis and blogs. It is the user's responsibility to keep their website's applications updated to the latest version.
DreamHost's one click application installs are automatically updated, if the Simple Install option is chosen. Other one-click installs must be updated via the control panel.
By default, all DreamHost users on the same account are placed in the same Unix group, making it easy to share files between users in the same account. Although users sharing an account usually trust each other, this creates a security risk: if one user's blog or forum install is hacked, the other users are suddenly vulnerable.
A good practice is to create a separate user account for each website, and set the permissions on the website directory to rwx-----x (chmod 701). This prevents websites from accessing each other's data in the event that one is hacked.
You can safely remove "other" access from PHP scripts entirely. DreamHost uses suExec to run PHP scripts as your own user, rather than as the Apache user. You can safely chmod 700, or even chmod 500 if the file doesn't need to be modified.
Non-script files (like .html and .jpg) are read as the Apache user and must be readable by all users (e.g. chmod 606 for read/writable, 604 read-only). To prevent other Dreamhost users from reading these files, enable Enhanced User Security.
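The permission scheme from the three paragraphs above, applied to a whole site tree as an added example (not a DreamHost script): 701 on the site directory and its subdirectories, 700 on PHP scripts (suExec runs them as your user), and 604 on static files (Apache reads them as "other"). It assumes the directory passed in is the document root and that every *.php file is a script; it also includes an audit function that lists scripts still granting any permission to "other", which is the check to run before and after.

```shell
#!/bin/sh
# Added example, not DreamHost's own tooling. Assumes $site is a document
# root in which every *.php file is a script and everything else is static.

# Print the octal mode of a path (GNU stat; on BSD/macOS use "stat -f %Lp").
perm_of() {
  stat -c '%a' "$1"
}

# List PHP scripts that still grant any permission to "other" (GNU find).
# Empty output means no script is readable by other users or by Apache.
audit_scripts() {
  find "$1" -type f -name '*.php' -perm /o+rwx
}

# Apply the scheme described on the page to the whole tree.
lockdown_site() {
  site="$1"
  # rwx-----x: the web server can traverse into the tree, but other users
  # cannot list or read directory contents. Applied to the root and every
  # subdirectory (the page states it for the site directory; subdirectories
  # need the same traverse bit for static files inside them to be served).
  find "$site" -type d -exec chmod 701 {} +
  # PHP runs as your own user under suExec, so "group" and "other" need nothing.
  find "$site" -type f -name '*.php' -exec chmod 700 {} +
  # Static files are read by the Apache user, which falls under "other" here.
  find "$site" -type f ! -name '*.php' -exec chmod 604 {} +
}

# Usage: sh lockdown.sh /home/user/example.com
if [ "$#" -gt 0 ]; then
  lockdown_site "$1"
  echo "PHP scripts still accessible to other (should be empty):"
  audit_scripts "$1"
fi
```

Files that must be writable by the web server for uploads (for example a blog's upload directory) would be handled separately; the script above only encodes the read/execute rules stated on the page. Remember that without Enhanced User Security the 604 files remain readable by every other DreamHost user, not just by Apache.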
DreamHost SSH server key fingerprints
SSH server key fingerprints are available in the DreamHost Panel under Users > SSH Keys.
- Security Tools
- Unix File Permissions
- Unix File Permissions Cookbook
- Unix Groups