Steps to secure your server and platform from hackers

Platform and server security is a large part of any Magento developer's job. I would say I spend about 50% of my time on it one way or another: time in prevention, software updates, or remediation. To prevent the latter, let's go through this checklist one by one and discuss why and how to do each one.

Of course, start by keeping your software, both platform and server, up to date. If you have not done this, start here, then do the below.

This article is focused on the Magento 2 platform running on CentOS with WHM/cPanel installed. It can also apply to other platforms.

  1. Install Armor Anywhere. These guys are a team of 50+ ethical hackers who monitor dark web forums for exploits people have found, scan your system to see if you're vulnerable, and let you know what to do to patch it if you are. It's software you install on the server that monitors everything and scans all the files. Read more by following the link above.
  2. Follow this guide put out by cPanel https://documentation.cpanel.net/display/EA/Apache+Module%3A+SuPHP
  3. Install SuPHP as per the article above. If you have a cPanel server, log into EasyApache and enable it there; otherwise put in a ticket with your hosting provider.
  4. Enable two-factor authentication in WHM. This requires a 6-digit code that is sent to your device authenticator app. We have a non-networked, powered-down device that is only powered up and networked for authentication, then turned back off and put back in a locked safe.
  5. Remove FTP to force SFTP connections through the SSH port. Log into WHM, click on Service Manager from the home page, then search for FTP and un-check both of the boxes.
  6. Disable password authentication. SSH then requires a key to be installed on the server to connect, which you have to get out of WHM after getting through the two-factor prompt. How someone would get around this is beyond me. They would need to have your device, as it is the only access point with the authenticator to get in. It can only be undone by restarting the server while directly connected via laptop at the data center.
  7. I change the SSH port to a random one.
  8. Install ClamAV for cPanel
  9. Enable two-factor authentication on cPanel.
  10. Save the passwords for the server in a password-protected file.
  11. Using ‘Host Access Control’, restrict WHM, cPanel, SSH, and cpdavd to your IP and your hosting company's IPs.
  12. Disable Symlink https://documentation.cpanel.net/display/EA4/Symlink+Race+Condition+Protection
  13. Disable unused PHP versions: PHP 5.5, 5.6, 7.0, 7.1.
  14. Enable jailed shell.
  15. In WHM, search for security and open the Security Advisor. Make sure you follow the suggestions.
  16. Setup Mod_Security
  17. Set production files as read only
  18. DISABLE SSH LOGIN FOR THE ROOT USER – Very important! https://mediatemple.net/community/products/dv/204643810/how-do-i-disable-ssh-login-for-the-root-user

  19. Use SSH agent forwarding to SSH from server to server instead of copying your SSH private keys onto servers. On GNU/Linux, use ssh-agent or GnomeKeyring with ForwardAgent yes under a trusted Host entry in your .ssh/config file. On Windows, PuTTY’s Pageant supports SSH agent forwarding.
  20. Install two-factor authentication for admin. Many times I have seen platforms become compromised by a SQL injection that creates an admin user. Once they have an admin account, they can use the marketplace to download a file-editing program that allows them to upload files, aka viruses, malware, etc. This is a must-have. If your platform of choice is Magento 2, then log into SSH and run this:
    composer require msp/twofactorauth:3.0.0
  21. Do not transfer accounts using the cPanel-to-cPanel account transfer. Copy the files and database separately.
  22. Do not use any of the same passwords on the new account. Change database passwords as well as account passwords.
  23. To enable a jailed shell environment for all new and modified users, use the “Use cPanel® jailshell by default” option in WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings).
  24. When you compile Apache, include the suEXEC module to ensure that CGI applications and scripts run as the user that owns and executes them.
  25. In WHM, go to the Security Advisor to make sure you pass all the checks.
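
Items 6, 7 and 18 all end up as lines in the SSH daemon's configuration file, so they can be verified after the changes are made. The script below is an added example, not part of the original article: the function names, the sample files and the port number are constructed for illustration, and it assumes all settings live in one file with no Include directives.

```shell
#!/bin/sh
# Added example, not from the original article. Checks checklist items 6, 7
# and 18 against an sshd_config-style file. Include directives are not
# followed; "sshd -T" prints the real effective configuration on a live host.

# Print the global value of keyword $2 in file $1, lowercased (empty if unset).
# sshd honours the FIRST occurrence of a keyword and ignores keyword case.
sshd_setting() {
    awk -F'[ \t=]+' -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }              # drop indentation, re-split fields
        /^#/ || NF == 0 { next }            # comments and blank lines
        tolower($1) == "match" { exit }     # Match blocks are conditional
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# Print one FINDING line per failed item; return 0 only if all three pass.
audit_sshd_config() {
    pw=$(sshd_setting "$1" PasswordAuthentication)
    root=$(sshd_setting "$1" PermitRootLogin)
    port=$(sshd_setting "$1" Port)
    rc=0
    # An unset PasswordAuthentication means "yes".
    [ "${pw:-yes}" = "no" ] ||
        { echo "FINDING item 6: PasswordAuthentication=${pw:-unset}, want no"; rc=1; }
    # Unset is flagged too: the PermitRootLogin default depends on the OpenSSH version.
    [ "$root" = "no" ] ||
        { echo "FINDING item 18: PermitRootLogin=${root:-unset}, want no"; rc=1; }
    # An unset Port means 22.
    [ "${port:-22}" != "22" ] ||
        { echo "FINDING item 7: Port=${port:-unset}, still the default 22"; rc=1; }
    return "$rc"
}

# Constructed sample files (not real server configs). The port is a placeholder.
write_weak_sample() {
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' \
        'passwordauthentication yes' 'PasswordAuthentication no' > "$1"
}
write_hardened_sample() {
    printf '%s\n' 'Port 49222' 'PermitRootLogin no' 'PasswordAuthentication=no' > "$1"
}

tmp=$(mktemp -d)
write_weak_sample "$tmp/weak"; write_hardened_sample "$tmp/hardened"
for f in weak hardened; do
    echo "== $f"; audit_sshd_config "$tmp/$f" || echo "(fails the checklist)"
done
rm -rf "$tmp"
```

The weak sample shows two easy mistakes: a commented-out `PermitRootLogin no` does nothing, and a later `PasswordAuthentication no` is ignored when an earlier line already set it to `yes`.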
