Security

From DreamHost

Overview

The following information helps users keep their data and account secure.

Panel security

Increasing panel-access security

In your panel, navigate to the (Panel > ‘Billing & Account’ > ‘Security’) page to perform the following:

DreamHost recommends that you update your passwords often – every 90 days is a good time frame. If you would like more information about password security, please review the following articles:

Using Account Privileges

Another way to keep your panel secure is to give other people access only through account privileges, never by sharing your login. Account privileges let you grant access to specific areas of your panel without handing out your password. You can learn more about this feature in the following article:

Keeping your websites secure

Databases

Your database holds all of the key information of your website. Failing to protect it means not only potential loss of private information such as usernames and email addresses, but also lets an attacker add entries that place spam or malware links on your site (or worse). Therefore, consider carefully how your database(s) are accessed for routine maintenance.

Note: The default phpMyAdmin connection is not secure: over plain HTTP, your database username, password, and every query travel unencrypted. To secure it, add an SSL certificate to your site and access phpMyAdmin only via HTTPS.


Keeping your software updated

Websites are often compromised through security holes in outdated versions of web software such as forums, wikis, and blogs. It is your responsibility to keep your site's applications updated to the latest version.

DreamHost's One-Click Installs are updated automatically if you select the auto-update option. If you do not enable it, you are responsible for keeping those applications up to date yourself.

Some applications (e.g., Joomla) do not provide an upgrade path from older versions and must be upgraded manually. Check with the application's developers for guidance on upgrading.

Setting file permissions

When setting file permissions, DreamHost recommends the following modes. Avoid anything more permissive, especially 777, which lets every user on the server write to the file:

Files – chmod 644 (owner read/write; group and others read only)
Directories – chmod 755 (owner read/write/enter; group and others read/enter)
Executables – chmod 755 (owner read/write/execute; group and others read/execute)

Here is an example on how this should look:

exampleuser@exampleserver:~/websitehelp.support/example_permissions$ ls -al
drwxr-xr-x 2 exampleuser pg5034488  10 Apr 22 09:13 example_directory
-rwxr-xr-x 1 exampleuser pg5034488   0 Apr 22 09:14 example_executable.cgi
-rw-r--r-- 1 exampleuser pg5034488   0 Apr 22 09:12 example_file.php
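The listing above shows what correct modes look like; the script below, an added example that is not part of the DreamHost article, finds everything under a web directory that is looser than 644/755 and can reset it. It assumes POSIX find and chmod, and it identifies "executables" by the extensions .cgi, .pl and .sh, a convention chosen for this example rather than anything DreamHost prescribes.

```shell
#!/bin/sh
# Added example for this article (not DreamHost's own tooling): audit a web
# directory for anything looser than the recommended 644/755 and reset it.
# Assumptions: POSIX find and chmod; "executables" are identified by the
# extensions .cgi, .pl and .sh, a convention chosen for this example.

# audit_perms DIR
#   Print every file or directory under DIR that the group or others can
#   write to. On a shared host such paths can be modified by other users'
#   processes, and by a compromised site running under your own user.
audit_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -g+w -o -perm -o+w \) -print
}

# fix_perms DIR
#   Apply the recommended modes: 755 for directories and script executables,
#   644 for all other files. Symbolic links are not matched by -type f/-type d
#   and are left alone.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type f \( -name '*.cgi' -o -name '*.pl' -o -name '*.sh' \) \
        -exec chmod 755 {} +
}

# Usage:  sh perms.sh ~/example.com          audit only
#         sh perms.sh ~/example.com --fix    audit, reset, then audit again
if [ -n "${1:-}" ]; then
    audit_perms "$1"
    if [ "${2:-}" = "--fix" ]; then
        fix_perms "$1"
        audit_perms "$1"
    fi
fi
```

Run the audit first and read the list: a directory that an application legitimately writes to (an uploads or cache directory) still needs to be owner-writable, which 755 allows, but it should never need group or world write on a per-user web host.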

View the following article for further details:

Assigning a unique user to each domain

DreamHost recommends that you host each of your sites under its own unique web user. If one site is compromised, the attacker then runs as that user only and cannot read or modify the files of your other sites.

Enhanced user security

The Enhanced User Security setting prevents a user's home directory from being accessed by other DreamHost users. This option is enabled separately for each user in the panel, and it's strongly recommended that you enable this option unless it is necessary for other users to access your data. If it is disabled, incorrectly set permissions can allow any DreamHost user to read or possibly modify your data, including passwords held in configuration files.

You can find more information in the following article:

Managing your files on the server

When connecting to your server to manage your files, DreamHost recommends that you use either SSH or SFTP. FTP is not secure and should not be used unless absolutely necessary.

SSH

SSH (Secure Shell) is the preferred method for connecting to your machine. SSH encrypts all traffic between your local machine and the server, so your password and everything you type are never transmitted in plain text, as they are with Telnet (and with FTP).

SSH must be turned on for your users. View the Enabling Shell Access article for details.

SFTP instead of FTP

Because FTP sends your password and your files unencrypted, use SFTP instead whenever you connect to your server. View the SFTP article for details.

Serving your files securely

There are situations in which you need to serve your files securely, for example when running an e-commerce website: you would not want to send payment or personal information over the internet without protection.

To add this layer of protection, set up secure hosting and purchase an SSL certificate. You can find more information about how to set up these services in the following article:

Confirming SSH key fingerprints

When your DreamHost account is moved to a different server, that server presents a different SSH host key, and your SSH client prints a warning similar to the following:

% ssh example.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for example.com has changed,
and the key for the corresponding IP address  173.236.241.100
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
12:34:56:78:90:ab:cd:ef:gh:ij:kl:mn:op:qr:st:uv. 
Please contact your system administrator.
Add correct host key in /home/exampleuser/.ssh/known_hosts to get rid of this
message.
Offending RSA key in /home/exampleuser/.ssh/known_hosts:60
 remove with: ssh-keygen -f "/home/exampleuser/.ssh/known_hosts" -R example.com
RSA host key for example.com has changed and you have requested strict
checking.
Host key verification failed.

Before acting on this warning, compare the fingerprint it prints with the one shown on the (Panel > ‘Users’ > ‘SSH Keys’) page of your panel. If they match, the warning is the expected result of the move: remove the stale entry with the ssh-keygen -R command the warning suggests and connect again. If they do not match, do not connect and do not remove the old key; contact support instead.
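The check described above, as an added example that is not part of the DreamHost article: compute a host key's MD5 fingerprint in the colon-separated form the warning uses, compare it with the fingerprint you obtained out of band, and only then replace the stale known_hosts entry. It assumes POSIX awk and sed plus GNU-style `base64 -d` and `md5sum`; the key blobs in the comments are constructed placeholders, not real keys, and the fingerprint in the warning above is likewise illustrative (it contains non-hex characters).

```shell
#!/bin/sh
# Added example for this article (not DreamHost's own tooling): check a
# server's SSH host key against a fingerprint obtained out of band (for
# example from the panel page mentioned above) before replacing the stale
# known_hosts entry. Assumptions: POSIX awk/sed, GNU-style `base64 -d` and
# `md5sum`; key blobs such as "ssh-rsa YWJj" used below are constructed
# placeholders, not real keys.

# md5_fingerprint "TYPE BASE64BLOB [comment]"
#   Print the MD5 fingerprint of a public key line in the colon-separated
#   form used in the warning above (what `ssh-keygen -l -E md5 -f FILE`
#   prints). Newer OpenSSH shows "SHA256:<base64>" by default instead.
md5_fingerprint() {
    printf '%s\n' "$1" | awk '{ print $2 }' | base64 -d | md5sum \
        | awk '{ print $1 }' | sed 's/../&:/g; s/:$//'
}

# hostkey_from_known_hosts FILE HOST
#   Print "TYPE BASE64BLOB" for the first plain (unhashed) entry for HOST.
#   Hashed entries (starting with "|1|") are skipped; ssh-keygen -R handles those.
hostkey_from_known_hosts() {
    awk -v host="$2" '
        $1 !~ /^\|/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print $2, $3; exit }
        }' "$1"
}

# verify_hostkey FILE HOST EXPECTED_MD5
#   Return 0 if the key stored for HOST has fingerprint EXPECTED_MD5.
verify_hostkey() {
    key=$(hostkey_from_known_hosts "$1" "$2")
    [ -n "$key" ] || return 1
    [ "$(md5_fingerprint "$key")" = "$3" ]
}

# replace_hostkey FILE HOST "TYPE BASE64BLOB"
#   Drop every plain entry naming HOST and append the new key: the offline
#   equivalent of `ssh-keygen -R HOST` followed by
#   `ssh-keyscan -t rsa HOST >> ~/.ssh/known_hosts`. Do this only after the
#   new key's fingerprint has been confirmed against the panel.
replace_hostkey() {
    tmp=$(mktemp)
    awk -v host="$2" '{
            n = split($1, names, ","); keep = 1
            for (i = 1; i <= n; i++) if (names[i] == host) keep = 0
            if (keep) print
        }' "$1" > "$tmp"
    printf '%s %s\n' "$2" "$3" >> "$tmp"
    mv "$tmp" "$1"
}

# Usage: sh hostkey.sh ~/.ssh/known_hosts example.com 12:34:56:...
if [ $# -ge 3 ]; then
    if verify_hostkey "$1" "$2" "$3"; then
        echo "host key for $2 matches the expected fingerprint"
    else
        echo "host key for $2 is missing or does NOT match; do not connect" >&2
        exit 1
    fi
fi
```

The fingerprint the warning prints belongs to the key the remote side just offered, not to anything in your known_hosts file; fetch that key with `ssh-keyscan -t rsa example.com` (a real OpenSSH tool), run it through md5_fingerprint, and call replace_hostkey only when the result matches what the panel shows.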

Securing email

DreamHost recommends using encryption when connecting and sending email. Without secure settings, your password and email are sent in plain text and could be intercepted. If you would like more information on the secure protocols for email, please review the following articles:

Securing DreamObjects

When you upload files to your buckets through the panel, they are automatically set to private. When you use an S3 client, double-check its settings: objects receive whatever permissions the client is configured to apply, which may be public.

You can read about DreamObjects in the following article:

See also