FOCUS Servers are secure. Only people with valid user IDs and passwords may access the server. It is your responsibility to keep these credentials secret and to maintain strong passwords.
Server Security
The security of our servers is of paramount importance.
We have a strict security policy that encompasses
many areas including a security-hardened operating
system, functional isolation of each Server, and careful
monitoring and updating of applications. However,
our customers must also share in the responsibility
of keeping each of their hosting accounts secure by
using good passwords, avoiding insecure scripts and
applications, and following other security best practices.
Hackers
A website or server may be "hijacked" by hackers. Essentially, these hackers scan Internet servers for vulnerable scripts and/or vulnerable users (users with weak passwords). One of the most common of these scans tries to log in to SSH as common users such as 'root', 'guest', 'admin', or 'test' and then attempts to guess weak passwords (it is even easier if no password has been configured for one of these users). We think it is important to make you aware of these scans and to provide information that will keep you from becoming a victim of one of these attacks.
Passwords
Always use a strong password. Choose a password that uses a variety of characters on the keyboard. Specifically, choose a password that meets the following criteria:
- Your password has both upper and lower case letters.
- Your password has digits, punctuation marks, or other symbols (do not use a word where some letters are simply replaced by digits, such as bl0wf1sh; password-cracking tools try those substitutions automatically).
- Your password is not based on your login.
- Your password is not a real word (e.g., something you'd find in a dictionary or a list of proper nouns).
- Your password is at least eight characters long.
- Your password is something you can memorize; if you can't seem to memorize something with strange characters, make your password longer, preferably 12 characters or more. Adding just one or two characters to your password length has a huge effect on the number of guesses an attacker needs.
- Change your password at least every six months, and change it immediately if you've had to log in over an unencrypted connection (a plain-text protocol such as telnet or FTP) for any reason.
- For additional information on choosing a strong password, see: Choosing a Password
Virtual Server Users - Additional Points
Root Access
One of the benefits of our Virtual Server plan is
root access. Every Virtual Server account is provisioned
with a root user, just like a Dedicated Server. Because
the root user has significant flexibility and power,
it is important that this feature be used carefully.
Logging-in Security
Always log in to your Virtual Server as a user OTHER THAN 'root' (either the admin user created during account provisioning or another user you have added) and then 'su' to root only when you need to do something as root. Additionally, never run a website as root: the web server and any scripts it executes should run as an unprivileged user, and the site's files should not be owned by root, so that a compromised script does not hand an attacker the whole server.
SSH
Lastly, it is important to secure access to applications that are frequently the subject of scans (like SSH). Here are a few important tips for securing SSH:
- Set "PermitRootLogin no" in sshd_config: now *any* root login attempt over SSH will fail, whatever password the attacker guesses. You should log in to a user account (with a good password!) and then 'su' to root as needed. sshd_config is located in the /etc/ssh/ directory.
- There are other settings in sshd_config that can be modified; refer to the sshd_config man page (sshd_config(5); ssh_config is the client's file). Specifically review MaxStartups, which limits the number of concurrent unauthenticated connections to the ssh daemon (with the start:rate:full form, sshd begins randomly refusing new unauthenticated connections once 'start' of them are pending and refuses all of them at 'full'), and PasswordAuthentication, which can be set to 'no', thus requiring SSH users to authenticate with an SSH key pair (public-key authentication) instead of a password. Before doing so, install your public key in ~/.ssh/authorized_keys and confirm that a key-based login works. Note that on systems using PAM, keyboard-interactive logins can still prompt for a password unless KbdInteractiveAuthentication (called ChallengeResponseAuthentication in older releases) is also set to 'no'.
- After editing sshd_config, keep your current session open, reload or restart the ssh daemon, and verify from a new connection that you can still log in. Remember that sshd uses the first value it finds for each keyword, so a hardening line appended to the end of the file does nothing if a weaker setting appears earlier; 'sshd -T' prints the settings actually in effect.
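The following is an added example and not part of the original page: a POSIX shell audit of the global section of an sshd_config for the settings discussed above. It implements sshd's documented rule that the first value given for a keyword wins (sshd_config(5)), accepts the "Key=value" spelling and case-insensitive keywords, and stops at the first Match block, whose per-connection overrides it does not evaluate. The two configuration files are constructed for illustration; on a real server 'sshd -T' remains the authoritative view of the effective settings.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config for the settings
# discussed on this page (not part of the original page). sshd applies the
# FIRST value it sees for a keyword (sshd_config(5)), so a hardening line added
# at the bottom of the file does nothing if a weaker one appears earlier.

# sshd_effective FILE KEYWORD
# Prints the effective global value of KEYWORD (first occurrence wins, keyword
# match is case-insensitive, "Key=value" accepted), or nothing if it is unset.
# Stops at the first Match block: per-connection overrides are out of scope.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # comment or blank line
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            sub(/[[:space:]]+$/, "", line)
            sub(/[[:space:]]*=[[:space:]]*/, " ", line)   # "Key=value" -> "Key value"
            split(line, f, /[[:space:]]+/)
            k = tolower(f[1])
        }
        k == "match" { exit }
        k == key { sub(/^[^[:space:]]+[[:space:]]*/, "", line); print line; exit }
    ' "$1"
}

# want_no KEYWORD VALUE DEFAULT: report a finding unless VALUE is "no".
want_no() {
    case $(printf '%s' "$2" | tr '[:upper:]' '[:lower:]') in
        no) return 0 ;;
        "") echo "$1 is unset (sshd default: $3); set '$1 no' explicitly" ;;
        *)  echo "$1 is '$2'; set '$1 no'" ;;
    esac
    return 1
}

# sshd_audit FILE: one finding per line on stdout; returns 1 if any were found.
sshd_audit() {
    cfg=$1; rc=0
    want_no PermitRootLogin "$(sshd_effective "$cfg" PermitRootLogin)" prohibit-password || rc=1
    want_no PasswordAuthentication "$(sshd_effective "$cfg" PasswordAuthentication)" yes || rc=1
    # With PAM, keyboard-interactive authentication can still prompt for a
    # password even when PasswordAuthentication is no. The keyword was renamed
    # from ChallengeResponseAuthentication in newer releases; accept either.
    kbd=$(sshd_effective "$cfg" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    want_no KbdInteractiveAuthentication "$kbd" yes || rc=1
    ms=$(sshd_effective "$cfg" MaxStartups)
    [ -n "$ms" ] || ms="unset (sshd default 10:30:100)"
    echo "info: MaxStartups is $ms" >&2
    return $rc
}

weak_cfg=$(mktemp); hard_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hard_cfg"' EXIT

# Constructed: looks tidy, but root logins and passwords are both allowed, and
# the "no" inside the Match block only applies to the backup user.
cat > "$weak_cfg" <<'EOF'
Port 22
permitrootlogin yes
PasswordAuthentication=yes
Match User backup
    PasswordAuthentication no
EOF

# Constructed: hardened as the page recommends. The trailing "PermitRootLogin
# yes" is ignored only because the earlier "no" wins.
cat > "$hard_cfg" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxStartups 10:30:60
# left over from an old edit
PermitRootLogin yes
EOF

for f in "$weak_cfg" "$hard_cfg"; do
    echo "== auditing $f"
    if sshd_audit "$f"; then echo "no findings"; fi
done
```

Run it against /etc/ssh/sshd_config before reloading the daemon, and compare its verdicts with 'sshd -T', which also resolves Match blocks and any files pulled in by Include.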
If you have questions about implementing
any of these things, please contact
Technical Support. We hope this information will
assist you in keeping your hosting accounts secure.