Every week brings more articles about the dangers that can be faced online, and plenty of advice about how to personally stay safe online. Many of these articles overlook the importance of keeping your websites and systems safe. Sure, there are hundreds of companies that will sell you high-priced consulting on defending your systems against state-level attackers, but a few simple tips and good habits will protect your sites and online presence against the vast majority of real attackers who actually affect webmasters and site operators.
What’s in a password
As with any kind of online service, the single most important thing you can do to protect your sites is to use good passwords with your hosting providers. It goes without saying that using a hard-to-guess password is essential (a password manager will generate and remember one for you), but with a critical service like your hosting provider, it is also important to use a unique password. You should never share the same password between your hosting provider and any other service: when one of those other services is breached, attackers routinely try the leaked email and password combinations against every hosting, registrar and email provider they can find. If you have ever used the same password for multiple providers, you should check with “Have I Been Pwned” to see whether your account may have been exposed in a data breach. Have I Been Pwned is a great, free service that aggregates the data contained in many known breaches and makes it easy to determine whether a particular email address appears in any of them. If it does, you should change your hosting password (and every other place you used that password!).
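Have I Been Pwned also publishes the breached passwords themselves through its Pwned Passwords range API, which is the right way to check a candidate password before you set it on a hosting account. The check is designed so that the service never sees your password: you hash it with SHA-1, send only the first five hex characters of the hash, receive every known hash suffix that starts with those characters, and do the comparison on your own machine. The script below is an added example written for this article, not MojoHost code; the sample range response in it is constructed so the demo runs offline (the real count for “password” is in the millions, but the exact figure here is made up), and only fetch_range talks to the live service.

```python
"""k-anonymity password check against the Pwned Passwords range API.

Added example for this article. Only the first 5 hex characters of the SHA-1
hash leave this machine; the match is done locally on the returned suffixes.
"""
import hashlib
import urllib.request

API_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent to the
    API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix, timeout=10.0):
    """Fetch the live range for a prefix (network access; not used in the offline demo)."""
    req = urllib.request.Request(
        API_URL + prefix, headers={"User-Agent": "pwned-passwords-example"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix, range_text):
    """Return the breach count for `suffix` from a range response, 0 if absent.

    Each response line has the form SUFFIX:COUNT (suffix without the prefix)."""
    for line in range_text.splitlines():
        line = line.strip()
        if not line:
            continue
        found, _, count = line.partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password, lookup=fetch_range):
    """Number of times `password` appears in known breaches (0 means not seen).

    `lookup` maps a 5-char prefix to the response text, so a constructed
    response can be substituted for the network call."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, lookup(prefix))


# Constructed sample response for prefix 5BAA6 (the SHA-1 prefix of "password").
# The suffixes and counts are made up for this example, except that the middle
# line is the genuine suffix of SHA-1("password").
SAMPLE_RANGE = "\n".join([
    "0123456789ABCDEF0123456789ABCDEF012:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "FEDCBA9876543210FEDCBA9876543210FED:1",
])


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-9921"):
        n = pwned_count(candidate, lookup=lambda prefix: SAMPLE_RANGE)
        verdict = "seen %d times, do not use" % n if n else "not in the sample range"
        print("%-36s %s" % (candidate, verdict))
```

Any password with a non-zero count should be rejected outright, no matter how long it is: attackers feed exactly these lists into their login attempts.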
The second factor
Even with a strong and unique password, turning on two-factor authentication makes a lot of sense for your hosting accounts. Two-factor authentication requires a second piece of information, in addition to your password, in order to allow you to log in. This means that even if your password is somehow compromised, an attacker would also need access to your second factor in order to log in. Fortunately, these days a cell phone provides an excellent second-factor device. We strongly recommend that you use a second factor generated on your phone by an authenticator app, rather than codes sent by SMS. This is because an attacker can trick or bribe the phone company into moving your phone number to a SIM they control (a “SIM swap”), after which they receive your SMS codes; an authenticator app, by contrast, derives each code from a secret stored only on your phone, so defeating it would require physically stealing the phone, an impractical hurdle for an online attack.
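To make concrete why an authenticator app is not vulnerable to a SIM swap, here is the time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP from RFC 4226) that such apps implement. The code is an added example for this article, not code from MojoHost or any particular app. When you scan a QR code, the app receives a base32-encoded secret; from then on each 6-digit code is an HMAC of that secret and the current 30-second time step, so nothing ever travels over the phone network. The secret and expected codes below are the published RFC test vectors, which is how you can check a TOTP implementation without trusting it.

```python
"""TOTP / HOTP as used by authenticator apps (RFC 6238 / RFC 4226).

Added example for this article. The secret below is the RFC test secret, so the
codes can be checked against the published test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP: HOTP with the counter set to the number of `step`-second periods
    since the Unix epoch. This is what the phone app displays."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def verify_totp(secret, code, at=None, step=30, window=1, digits=6):
    """Server-side check. Accepts the current code plus `window` steps either
    side to tolerate clock drift. Every candidate is compared in constant time
    and the loop never exits early, so timing does not reveal which slot matched."""
    now = time.time() if at is None else at
    counter = int(now // step)
    ok = False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits), code):
            ok = True
    return ok


def secret_from_base32(encoded):
    """Decode the base32 secret carried in an otpauth:// QR code (spaces and
    missing '=' padding, as apps often print it, are tolerated)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1, last 6 of the 8 digits listed there).
    for t in (59, 1111111109, 1234567890, 2000000000):
        print("t=%-11d code=%s" % (t, totp(RFC_SECRET, at=t)))
    print("live code:", totp(secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")))
```

Note what the verifier needs: a copy of the same secret and a clock, nothing more. That is also why the secret must be stored as carefully as a password hash on the server side, and why a one-step window (about 30 seconds of drift either way) is as generous as you should be.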
It may seem that all of these extra layers of protection are overkill, but remember that your web hosting account is a very high-value target. An attacker who manages to compromise your hosting account can wreak a significant amount of havoc with your sites and data: changing DNS, reading databases, adding backdoors to your code, or simply deleting everything. At MojoHost, we also proactively reach out to our customers when we receive a request that seems suspicious, in order to independently verify any major change before we carry it out. It’s a good idea to ask for a similar policy from any other providers you work with.
Time for spring cleaning
In addition to these protections on your infrastructure provider account, it is also important to be mindful of the internal tools that you and your tech team install on your systems. For example, you may have installed a tool to collect performance data or analyze logs, to see trends or just to make managing your sites easier. There is a multitude of tools that every webmaster needs, but many of them receive far less security attention than the software your visitors interact with. A large number of successful attacks start not with the public part of a website but with the compromise of an internal control panel or tool. Such systems are rich pickings for attackers because they often have very broad access to your servers and databases, precisely so that they can perform in-depth management tasks or data analysis.
At MojoHost we recommend that you keep a list of all of your management and analysis tools, and periodically ensure that each one is up to date. We also recommend that you put each of these tools behind real authentication for you and your staff: at minimum a separate strong password with two-factor authentication, and ideally the same login system you use for your hosting account, with access limited to trusted networks where possible. There are some people who say that you don’t need to secure these systems if their URLs are hard to guess: this is awful advice. With the advent of wide-scale online crawling, you should assume that any URL, no matter how complicated, will eventually be discovered by automated bots and scanners, or will leak through logs, referrer headers and browser history. A hard-to-guess URL can certainly make your systems a little harder to attack, but it’s no substitute for real security via a secure login. At MojoHost, we’re happy to help set up good additional layers of security on your internal systems and tools in order to ensure that your online services are defended in depth.
The wall, the Firewall
In addition to protecting your servers by securing your hosting account and closing off backdoor access through internal systems, you should also consider using a service that inspects all of your incoming requests for attacks and hides the IP addresses of your servers. Such systems, like MojoHost’s MojoShield product, are often called web application firewalls (WAFs). A WAF takes the security benefits of a firewall and moves them to remote data centers all around the world, making sure that bad traffic is filtered long before it ever reaches your server.
A WAF like MojoShield can do all the things a normal firewall can do, such as blocking IP addresses or allowing access to certain parts of your site only to trusted administrators. However, a WAF can also do a lot more. With a distributed product like MojoShield, we are constantly learning from the attacks seen across our network, so your site is already protected from the newest attacks without you having to apply individual updates. In addition, the IP address of the WAF becomes the public address of your site: it is the only address visible to the public internet, so the real address of your server is known only to the WAF provider. As a result, anyone who wants to launch a DDoS attack, or even just scan your server, does not know which server to attack. For this to hold, your server must accept web traffic only from the WAF’s addresses; an origin that still answers direct connections can be found and attacked without ever touching the WAF. Done properly, such protection significantly decreases the number of attacks reaching your server and reduces the load on its CPUs, since the hard work is done in the WAF and your server only sees good traffic.
Following the three simple steps of using good passwords, enabling two-factor authentication, and protecting your server via a WAF, together with keeping your internal tools patched and behind a real login, will stop the vast majority of the attacks that webmasters actually see. Team MojoHost is always working hard to ensure that our customers’ sites are not just fast and reliable but also protected. So reach out to us and we’d be thrilled to chat about security (or anything else hosting-related). Staying safe: #ThatsGoodMojo.