Application Security

For most users, taking routine precautions will prevent security problems. But security breaches still happen because perfection isn’t possible: new exploits appear every day, some of which have no immediate defense. Luckily, for many kinds of attacks, it’s possible to recover with a minimum of downtime and data loss.

This section describes how WebFaction secures servers, your security responsibilities, and what to do if your account is compromised.

Cooperative Security

Maintaining security isn’t a matter of flipping a switch. Security is an ongoing process that requires cooperation between system administrators and users. It’s the responsibility of WebFaction system administrators to protect the security of the server, while it’s the responsibility of WebFaction customers to protect the security of their applications.

The WebFaction system administration team is dedicated to maintaining the security of servers by:

  • keeping common system software up-to-date,
  • securing server-wide utilities and services against known vulnerabilities, and
  • monitoring the server for suspicious or disruptive activity.

Because there are few strict limits on what you may do with your account, we need your help to apply similar practices and protections to your account and applications.

Prevent Attacks

To prevent attackers from compromising your account, you should take some routine precautions that are known to reduce your likelihood of becoming a victim of hackers:

  • Keep software up-to-date, including plugins and templates. The vast majority of site compromises are caused by continuing to run old, unsecured versions of popular software. Stay informed about new versions of software you use. Many applications, like WordPress, have a dashboard that advises when new versions are available. Others have mailing lists or blogs that update only upon the release of new software versions or important news.

    If you’ve stopped using some software (or an add-on, like a plugin or template), then shut it down or remove it. Forgotten software is often out-of-date, insecure software. One way to reduce your risk is to eliminate possible avenues of attack. Removing unused software does that.

    See also

    For more information about updating common application types, see Update Applications.

  • Choose strong passwords, then keep your passwords secret.

    See Strengthening Passwords for important information about choosing passwords.

    To keep your passwords secret, avoid giving them away. A common way hackers gain access to accounts is by tricking people into giving away their security details. Be extremely suspicious when asked for your passwords. For example, WebFaction will never ask you for your account, email, or database passwords; such a request is likely an attempt to take control of your account.

    Another way hackers gain access to accounts is by finding passwords in unsecured places, like public pastebins and version control repositories. If you must store a password, then take great care to store it such that only you can access it. For example, if a configuration file contains a database password, then set the permissions on that file so that only you can read the file.

  • Review your account’s settings on a regular basis. Periodically log in to the WebFaction control panel and review your settings. Look out for unexpected or unusual changes to your account, and make sure you’ve removed unused applications, databases, SSH or FTP users, and mailboxes. Also make sure your contact information is up-to-date. If your contact information isn’t up-to-date, we cannot contact you if your account is compromised.

  • Look for unusual account activity. Periodically log in to your SSH account and review your crontab and running processes. By regularly logging in, you’ll know what’s normal, so you can recognize if things have gone awry.

    To review your crontab and running processes:

    1. Open an SSH session to your account.

    2. Review your running processes. Enter ps -u username -o pid,command, where username is your username, and press Enter. A list of process identifiers (PIDs) followed by the command for each process appears.

      See also

      For more information about understanding your running processes, see Monitoring Memory Usage.

    3. Review your crontab. Enter crontab -l and press Enter. A list of recurring jobs appears, with lines consisting of the job’s schedule and the command to be run.

      See also

      For more information about scheduling tasks with cron, see Scheduling Tasks with Cron.

  • Keep your own backups of your account data. Backups provide a point of reference to compare your account against, if you suspect a problem. Also, in the event of a security breach, backups protect you against data loss and help to reduce recovery time.

  • If you suspect a security problem, contact WebFaction. If for any reason you suspect your account has been compromised, then open a support ticket. The support team can help you investigate, and refer the problem to system administrators when needed.
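
The review procedure above (ps -u username -o pid,command and crontab -l) depends on knowing what is normal for your account. The following shell script is an added example, not part of the WebFaction documentation: it records a baseline of your crontab jobs and process commands, and on later runs prints only the entries that are new. The baseline directory and the function names are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not WebFaction code): record what is normal, then report additions.
# BASELINE_DIR is an assumed location; use any directory only you can read.
BASELINE_DIR="${BASELINE_DIR:-$HOME/.account-baseline}"

# Keep only active crontab lines (no comments or blanks), sorted for comm.
active_jobs() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' | LC_ALL=C sort -u
}

# Commands of your processes, without PIDs (they change on every run) and
# without this script and the helpers it starts.
current_procs() {
    ps -u "$(id -un)" -o pid= -o ppid= -o command= |
        awk -v self="$$" '$1 != self && $2 != self { $1 = $2 = ""; sub(/^ +/, ""); print }' |
        LC_ALL=C sort -u
}

# new_entries BASELINE CURRENT: print lines in CURRENT that BASELINE lacks.
new_entries() { LC_ALL=C comm -13 "$1" "$2"; }

# snapshot DIR: write the current crontab jobs and process commands into DIR.
snapshot() {
    crontab -l 2>/dev/null | active_jobs > "$1/cron"
    current_procs > "$1/procs"
}

save_baseline() {
    umask 077
    mkdir -p "$BASELINE_DIR" && snapshot "$BASELINE_DIR"
}

check_baseline() {
    [ -f "$BASELINE_DIR/cron" ] || { echo "No baseline; run 'save' first." >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    snapshot "$tmp"
    status=0
    for kind in cron procs; do
        added=$(new_entries "$BASELINE_DIR/$kind" "$tmp/$kind")
        [ -n "$added" ] && { printf 'New %s entries:\n%s\n' "$kind" "$added"; status=1; }
    done
    rm -rf "$tmp"
    return "$status"
}

case "${1:-}" in
    save)  save_baseline ;;
    check) check_baseline ;;
esac
```

Run the script with the argument save while the account is in a known-good state, and with check on later logins; check exits with a non-zero status when a new crontab job or process command appears.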

Respond to Attacks

In the event of a security breach, don’t panic, but act quickly by following the guidelines in this section.

  1. If you have discovered an attack on your account or server and WebFaction has not contacted you already, then open a support ticket and set the priority to Urgent.

    Note

    If WebFaction contacted you about the attack, then some of the following steps may have been completed for you. The message from the support team contains details regarding your specific case, some of which may supersede this guide.

  2. Disable any compromised sites:

    1. Log in to the WebFaction control panel.
    2. Click Domains / websites ‣ Websites. The list of websites appears.
    3. Click the name of an affected site. The site’s settings appear.
    4. In the Status section, click Disabled.
    5. Click the Save button.
  3. Disable suspicious jobs in your crontab:

    1. Open an SSH session to your account.
    2. Open your crontab in a text editor. Enter crontab -e and press Enter. A list of recurring jobs appears, with lines consisting of the job’s schedule and the command to be run.

    See also

    For more information about scheduling tasks with cron, see Scheduling Tasks with Cron.

    3. For each suspicious line in your crontab, comment out the line by inserting a # at the beginning of the line.
    4. Save and close the file.
  4. Stop suspicious processes:

    1. Open an SSH session to your account.

    2. Review your running processes. Enter ps -u username -o pid,command, where username is your username, and press Enter. A list of process identifiers (PIDs) followed by the command for each process appears. Make a note of the PIDs for suspicious processes.

      See also

      For more information about understanding your running processes, see Monitoring Memory Usage.

    3. Send the signal to immediately halt the processes you identified in the previous step. Enter kill -9 pids, where pids is one or more PIDs separated by spaces, and press Enter.

  5. Change your SSH, database, email, and control panel passwords.

    Note

    If you’re using SSH keys, you should remove your existing keys and create new ones. To remove your keys and create new keys:

    1. Open an SSH session to your account.
    2. Enter rm $HOME/.ssh/authorized_keys and press Enter.
    3. Follow the directions in Using SSH Keys to create and set up new keys.
  6. Reinstall compromised applications from known, secure sources. It’s much safer to reinstall an application than to attempt to make a compromised application safe to use again. Reinstall the software from a trusted source, such as:

    • the control panel’s one-click installer,
    • an official, secure distribution website (from HTTPS URLs where possible),
    • an uncompromised version control repository, or
    • a backup from before the attack took place.

    If you’d like to restore from a backup and do not have one of your own, please contact the WebFaction support team; a WebFaction backup may be available.

  7. Update your applications and any add-ons, like plugins and templates. Review all of your applications and confirm that you’re running versions without known vulnerabilities. If you are running vulnerable software, update it to a newer version without that vulnerability, or stop using the software. Do not continue to run vulnerable software.

    See Update Applications for WebFaction documentation on updating common software packages.

  8. When you’ve finished securing your applications, you can re-enable your sites:

    1. Log in to the WebFaction control panel.
    2. Click Domains / websites ‣ Websites. The list of websites appears.
    3. Click the name of an affected site. The site’s settings appear.
    4. In the Status section, click Enabled.
    5. Click the Save button.

    Note

    If the option to re-enable your sites is not available, then your site may be locked. Contact WebFaction support for assistance.

Update Applications

We’ve created guides to updating some common application types: