Security

From DreamHost
Jump to: navigation, search

DreamHost automatically keeps its server up to date with security patches. Nevertheless, there are steps you can take to ensure the security of your website.

Enhanced User Security

Main article: Enhanced User Security

The Enhanced User Security setting prevents a user's home directory from being accessed by other Dreamhost users. This option is enabled separately for each user, in the panel under Manage Users. It is strongly recommended to enable this option unless it is necessary for other users to access your data. If Enhanced User Security is disabled, incorrectly set permissions can allow any Dreamhost user to read or possibly modify your data, including passwords held in configuration files.

IP-based restrictions to Panel

You can limit access to the Panel to certain IP addresses by editing your profile (upper right corner of the panel) then clicking on the security tab. This adds an extra layer of security tied to your email account. If your username and password were compromised, an attacker would also need to either use your computer to access the panel or also have a way to check your email account to add an additional IP address to the whitelist.

Databases

Your database holds all of the key information of your website and failure to protect it means not only potential loss of private information such as usernames, email addresses, and more, but also allows an attacker to possibly add entries which could create spam are malware links on your site (or worse). Therefore, great consideration must be taken to the means of accessing your databases for routine maintenance. The default configuration of phpMyAdmin is not secure, but can be improved greatly by using it locally over an SSH tunnel.

Keep software updated

Websites are often hacked via security holes found in old versions of web software, such as web forums, wikis and blogs. It is the user's responsibility to keep her/his website's applications updated to the latest version.

DreamHost's one click application installs are automatically updated, if the Simple Install option is chosen. Other one-click installs must be updated via the control panel.

File permissions

By default, all DreamHost users on the same account are placed in the same unix group, making it easy to share files between users in the same account. Although users sharing an account usually trust each other, this creates a security risk: if one user's blog or forum install is hacked, the other users are suddenly vulnerable.

A good practice is to create separate user account for each website, and set the permissions on the website directory to rwx-----x (chmod 701). This prevents websites from accessing each other's data in the event that one is hacked.

You can safely remove "other" access from PHP scripts entirely. DreamHost uses suExec to run PHP scripts as your own user, rather than as the Apache user. You can safely chmod 700, or even chmod 500 if the file doesn't need to be modified.

Non-script files (like .html and .jpg) are read as the Apache user and must be readable by all users (e.g. chmod 606 for read/writable, 604 read-only). To prevent other Dreamhost users from reading these files, enable Enhanced User Security.

SSH key fingerprints

On occasion your DreamHost account may be moved between hosts, causing a SSH spoofing warning...

% ssh atagar.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for atagar.com has changed,
and the key for the corresponding IP address 69.163.209.156
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
55:13:77:f1:00:91:8c:fa:96:a1:dc:37:73:81:b5:d1.
Please contact your system administrator.
Add correct host key in /home/atagar/.ssh/known_hosts to get rid of this
message.
Offending RSA key in /home/atagar/.ssh/known_hosts:60
  remove with: ssh-keygen -f "/home/atagar/.ssh/known_hosts" -R atagar.com
RSA host key for atagar.com has changed and you have requested strict
checking.
Host key verification failed.

You can confirm your new fingerprint in the SSH Keys secton of the panel.

See Also

External Links