The security of your Directadmin server is one of the most important, but also one of the hardest things to improve. This is part five of a series of posts in which we look at the security of your Directadmin server and try to bring it to the next level.
Part five: SFTP, FTPS and securing websites
In this last part of our tutorials about securing the Directadmin server we explain why plain FTP is not recommended and what to offer instead. We also look at ways to prevent website hacking that lie outside the system administrator's direct control, at the level of the websites themselves.
The biggest disadvantage of the FTP protocol is a real security issue: it sends usernames and passwords (and the files themselves) in clear text, so anyone who can see the traffic can read the credentials. That is why we don't recommend using plain FTP at all. Instead, instruct your clients to use SFTP or FTPS, depending on your choice.
SFTP is the most secure of the options, but despite the name it is not FTP at all: it is the SSH File Transfer Protocol, a separate protocol that runs inside an SSH session and inherits SSH's authentication and encryption. We would recommend SFTP for security reasons, but wouldn't recommend it in a shared hosting environment at this moment. The reason is that it is hard to explain to your clients that they have to use a different client, and you also have to enable SSH access for your Directadmin users to make SFTP work. Therefore we aren't going into detail about SFTP. If you want to configure it, you can use the guide from Directadmin:
FTPS, or FTP over TLS, wraps the FTP control channel in TLS (and, when the server requires it, the data channel too), so the username and password are no longer sent in clear text and cannot be picked up by someone sniffing or intercepting the connection. FTPS is easy to use for your clients: almost every FTP program can connect with explicit TLS (AUTH TLS) on the normal FTP port.
To accept only connections that use TLS, there is one change to make to your ProFTPd configuration. Back up the configuration first, then change the line with sed:
cp -p /etc/proftpd.conf /etc/proftpd.conf.non-tls.backup
sed -i 's/TLSRequired off/TLSRequired on/g' /etc/proftpd.conf
Now restart ProFTPd to load the changes:
service proftpd restart
Try to connect to your server without TLS and the server will give you an error:
550 SSL/TLS required on the control channel
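The same change as a small script with the checks you would want before restarting the daemon: confirm the line exists before editing (a blind sed on a config without mod_tls changes nothing and reports nothing), keep the first backup intact on reruns, verify the edit landed, and syntax-check with proftpd -t before the restart so a broken config cannot take FTP down for every client. This is an added example, not the original post's commands or anything shipped by DirectAdmin. It assumes the DirectAdmin default /etc/proftpd.conf with a "TLSRequired off" line, GNU sed, and the proftpd binary on the PATH; the config path is a parameter so you can try it on a copy first.

```shell
#!/bin/sh
# Added example (not from the original post or DirectAdmin): require TLS on
# ProFTPD's control and data channels, with checks. Assumes a DirectAdmin-style
# /etc/proftpd.conf containing a "TLSRequired off" line, GNU sed, and proftpd
# on the PATH for the syntax check.

# require_tls [CONF]
# Rewrites "TLSRequired off" to "TLSRequired on" in CONF (default
# /etc/proftpd.conf) after taking a backup. Returns 1 without touching the
# file if no such line exists, which usually means mod_tls is not configured.
require_tls() {
    conf="${1:-/etc/proftpd.conf}"
    if ! grep -Eq '^[[:space:]]*TLSRequired[[:space:]]+off[[:space:]]*$' "$conf"; then
        echo "no 'TLSRequired off' line in $conf; is mod_tls configured?" >&2
        return 1
    fi
    # keep the first backup: a rerun must not overwrite the pre-TLS copy
    [ -e "$conf.non-tls.backup" ] || cp -p "$conf" "$conf.non-tls.backup"
    sed -i -E 's/^([[:space:]]*TLSRequired[[:space:]]+)off[[:space:]]*$/\1on/' "$conf"
    # confirm the edit actually landed
    grep -Eq '^[[:space:]]*TLSRequired[[:space:]]+on[[:space:]]*$' "$conf"
}

# apply_tls [CONF]
# Edits the live config, syntax-checks it, and only then restarts ProFTPD.
# If "proftpd -t" rejects the result, the backup is restored and nothing is
# restarted, so a typo cannot leave FTP down for every client.
apply_tls() {
    conf="${1:-/etc/proftpd.conf}"
    require_tls "$conf" || return 1
    if ! proftpd -t -c "$conf" >/dev/null 2>&1; then
        echo "config test failed, restoring backup" >&2
        cp -p "$conf.non-tls.backup" "$conf"
        return 1
    fi
    service proftpd restart
}

# Run "sh require-tls.sh --apply" on the server; without the flag the script
# only defines the functions (so it can be sourced and tried on a copy).
if [ "${1:-}" = "--apply" ]; then
    apply_tls
fi
```

After the restart, a plain-text login attempt should be refused with the 550 message shown above, and a client configured for explicit TLS should log in normally.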
Prevent website hacks
Last but not least, we give you some tips to prevent websites from being hacked. In the earlier parts we hardened the system against most of the common attacks, but there is still room for improvement on another level: the websites themselves.
This is one of the hardest parts of security because you have to motivate your clients to act. You are not really in control, but you can encourage your clients to:
- Choose a strong password and keep it safe
- Keep the CMS and other scripts up to date, including plugins and themes
- Keep the PC they manage the site from free of malware, since malware that steals saved FTP passwords is a common way in
- Avoid world-writable (777) permissions; 755 for directories and 644 for files is almost always enough, and anything wider needs a good reason
- Back up the website
As a server administrator, you can help your clients to do this. Some tips to help your clients are:
- Create a clear welcome message when you set up their hosting package, including some basic tips and tricks to stay secure.
- Make good tutorials, with pictures or videos, that explain to your clients how to make backups, how to keep their PC free of malware, how to set file permissions safely, and more. Make the tutorials easy to follow and place them somewhere commonly used: your client portal, website or control panel.
- Scan your servers for outdated installations of a CMS such as Joomla, WordPress or Drupal. Notify your clients about their outdated installation and its risks, and give them a short tutorial on updating it.
- Send out an email when there is news about a known vulnerability in a commonly used CMS.
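A scan of that kind, as an added example that is not part of the original post and not DirectAdmin's own tooling. It walks a directory tree (on DirectAdmin typically /home/*/domains/*/public_html, but any directory works), reads the version constant from the core files WordPress and Drupal 8+ ship, and prints one line per install that is older than the version you pass in. The "latest" versions are arguments rather than fetched from the network, so the script runs offline and you decide what counts as current. Joomla is left out because its version constants changed between major releases; adding it means one more file-name and sed pattern in the same shape. It assumes GNU sort for version-aware comparison (sort -V).

```shell
#!/bin/sh
# Added example (not from the original post or DirectAdmin): find WordPress and
# Drupal 8+ installs under a directory and report those older than a given
# version. Assumes GNU coreutils (sort -V). Joomla is omitted, see the text.

# wp_version DIR -> prints the WordPress version installed in DIR, if any
wp_version() {
    f="$1/wp-includes/version.php"
    [ -f "$f" ] || return 1
    # wp-includes/version.php carries:  $wp_version = '6.4.2';
    sed -n 's/^\$wp_version *= *.\([0-9A-Za-z.-]*\).*/\1/p' "$f"
}

# drupal_version DIR -> prints the Drupal 8+ core version installed in DIR, if any
drupal_version() {
    f="$1/core/lib/Drupal.php"
    [ -f "$f" ] || return 1
    # core/lib/Drupal.php carries:  const VERSION = '10.1.6';
    sed -n 's/^ *const VERSION *= *.\([0-9A-Za-z.-]*\).*/\1/p' "$f"
}

# is_outdated HAVE LATEST -> true when HAVE sorts before LATEST as a version
# (so 6.10.0 is correctly newer than 6.4.2, which a plain string compare gets wrong)
is_outdated() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# scan_cms ROOT LATEST_WP LATEST_DRUPAL
# Prints "<cms> <site dir> <installed> <latest>" for every outdated install.
scan_cms() {
    root="$1"; latest_wp="$2"; latest_drupal="$3"
    find "$root" -type f \( -path '*/wp-includes/version.php' -o -path '*/core/lib/Drupal.php' \) 2>/dev/null |
    while read -r f; do
        case "$f" in
            */wp-includes/version.php)
                site="${f%/wp-includes/version.php}"
                have=$(wp_version "$site"); latest="$latest_wp"; kind=wordpress ;;
            */core/lib/Drupal.php)
                site="${f%/core/lib/Drupal.php}"
                have=$(drupal_version "$site"); latest="$latest_drupal"; kind=drupal ;;
        esac
        [ -n "$have" ] || continue
        if is_outdated "$have" "$latest"; then
            printf '%s %s %s %s\n' "$kind" "$site" "$have" "$latest"
        fi
    done
}

# Usage on a DirectAdmin box, e.g.:  sh scan-cms.sh /home 6.4.2 10.2.0
# Without three arguments the script only defines the functions.
if [ $# -eq 3 ]; then
    scan_cms "$1" "$2" "$3"
fi
```

The output is easy to feed into the notification step: the site directory maps to a Directadmin user and domain, and the installed/latest pair goes straight into the email. Because the script only reads two well-known files per install, it is cheap enough to run from cron across every home directory.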
When you take these steps and keep your clients informed, they will be more satisfied with your services, and your servers will contain fewer outdated installations, which improves the security of the whole server.
This was the last part of our five-part series about securing a Directadmin server. We hope you enjoyed reading it and would like to hear any questions or comments you have.
Thank you for reading and don’t forget to subscribe!