How to choose a secure password that is easy to remember

What makes a strong password?

  • It should be longer than 8 characters.
  • It should contain letters, numbers and special characters such as @#$%^&.
  • Use both capital and small letters.
  • Do not use dictionary words or common values like 123, password, pass, your birth date or your name.
  • Do not use the same password for all your logins. A base word helps you remember your passwords, but no two of them should be exactly the same.

How to create a password that is strong and easy to remember:

  1. Choose a base phrase, let's say "I hate pass".
  2. Now add some capital letters: I Hate Pass
    Make the first letter of every word capital.
  3. Add special characters: I@Hate$Pass
    Replace the spaces with special characters.
  4. Add some numbers: I9@Hate8$Pass16
    After each word, add the position in the alphabet of that word's first letter. Here I is the 9th letter of the alphabet, so 9 is added after I; similarly 8 for H and 16 for P.
  5. That's it! You have a strong password ready. You can also vary the pattern slightly to reuse the same base phrase for several logins. For example, in step 4 take the position of the last letter of each word instead: 5 for the E in Hate and 19 for the S in Pass.
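The pattern above, implemented as an added example (this is not from the original article): a small POSIX shell script that turns any base phrase into a password with the same steps, with the separator characters and the first-or-last-letter rule as parameters, plus a check of the result against the rules listed earlier. The deny list in the checker is a constructed handful of common values, not a real dictionary.

```shell
#!/bin/sh
# Added example, not from the original article. Implements the five steps above for
# any base phrase: capitalise each word, join words with separator characters taken
# in turn from $2 (default "@$"), and append the alphabet position of each word's
# first letter ($3 = first, the default) or last letter ($3 = last).
make_password() {
  phrase=$1; seps=$2; mode=${3:-first}
  [ -n "$seps" ] || seps='@$'
  out=''; i=0
  for w in $phrase; do
    first=$(printf '%s' "$w" | cut -c1 | tr a-z A-Z)
    rest=$(printf '%s' "$w" | cut -c2- | tr A-Z a-z)
    w="$first$rest"                                   # "hate" -> "Hate"
    if [ "$mode" = last ]; then
      letter=$(printf '%s' "$w" | tail -c 1 | tr a-z A-Z)
    else
      letter=$first
    fi
    n=$(( $(printf '%d' "'$letter") - 64 ))           # ASCII code minus 64: A=1 ... Z=26
    if [ "$i" -gt 0 ]; then                           # separators go between words only
      idx=$(( (i - 1) % ${#seps} + 1 ))
      out="$out$(printf '%s' "$seps" | cut -c"$idx")"
    fi
    out="$out$w$n"
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# Returns 0 when the password satisfies every rule from the list above, 1 otherwise.
# The deny list is a constructed handful of common values, not a real dictionary.
check_password() {
  pw=$1
  [ "${#pw}" -gt 8 ] || return 1
  printf '%s' "$pw" | grep -q '[A-Z]' || return 1
  printf '%s' "$pw" | grep -q '[a-z]' || return 1
  printf '%s' "$pw" | grep -q '[0-9]' || return 1
  printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || return 1
  case $(printf '%s' "$pw" | tr A-Z a-z) in
    password|pass|123|123456|qwerty) return 1 ;;
  esac
  return 0
}

make_password "I hate pass"              # I9@Hate8$Pass16  (step 4 as written)
make_password "I hate pass" '@$' last    # I9@Hate5$Pass19  (the step 5 variant)
```

The length rule carries most of the weight: the substitutions mainly help memorability, so a longer base phrase buys more than extra symbols, and the checker only confirms the rules above, not that the result is unguessable.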

How to protect your AjaXplorer installation

AjaXplorer helps you turn your web server into a powerful file management system: install once and access your files from anywhere. Organize, preview and share them, easily and securely. AjaXplorer comes fully equipped with a complete user management system, securing the whole installation at once. It can also be interfaced with existing authentication mechanisms to implement a "Single Sign-On" system and make users' lives easier. Install AjaXplorer via Softaculous with just one click.


Here are some basic recommendations for securing your AjaXplorer installation:

1. Protect your folders from direct web access:

The contents of the following folders under the main AjaXplorer installation folder must be hidden from the web server. This is already the case by default under Apache, because the distribution ships .htaccess files for them.

  • ajaxplorer_install/conf
  • ajaxplorer_install/data/[all subfolders except "public"], "public" being the default container for the public files of « shared links ».

Note: for the .htaccess files to take effect under Apache, make sure your web server allows overriding the Limit directives (AllowOverride Limit, or AllowOverride All); contact your webmaster if you do not control the server configuration.

If you can, do not use the default « files » folder placed inside the distribution, but create a repository pointing to a folder outside your web « document root », so that stored files are never directly reachable by URL.
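A way to verify step 1 from the shell, as an added example that is not part of AjaXplorer: it walks the conf folder and the data subfolders of an install, skips data/public, and reports any folder whose .htaccess does not carry a deny rule in either the Apache 2.2 or the Apache 2.4 spelling. The install path is a placeholder; point it at your own.

```shell
#!/bin/sh
# Added example, not part of AjaXplorer. Reports directories of an install that the
# text above says must not be web-reachable but have no deny rule in .htaccess.

# Returns 0 if every sensitive directory is protected, 1 if any is not, 2 if the
# install path does not exist. Accepts the Apache 2.2 ("Deny from all") and the
# Apache 2.4 ("Require all denied") spellings.
check_ajaxplorer_dirs() {
  root=$1; bad=0
  [ -d "$root" ] || { echo "no such install: $root" >&2; return 2; }
  for d in "$root/conf" "$root"/data/*; do
    [ -d "$d" ] || continue                          # also skips an unmatched glob
    case "$d" in */data/public) continue ;; esac     # shared-link files are meant to be public
    if [ -f "$d/.htaccess" ] &&
       grep -Eqi '^[[:space:]]*(Deny from all|Require all denied)' "$d/.htaccess"; then
      continue
    fi
    printf 'unprotected: %s\n' "$d"
    bad=1
  done
  return $bad
}

# Install path is a placeholder. Exit status 1 means at least one directory is exposed.
if check_ajaxplorer_dirs /var/www/html/ajaxplorer; then
  echo "all sensitive directories carry a deny rule"
fi
```

The check only reads the files, so it cannot tell whether AllowOverride actually lets Apache honour them; for that, request a file inside one of the folders over HTTP and expect a 403.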

2. Basic security rules:

AjaXplorer recommends using HTTPS, but you have to configure it on your web server yourself; AjaXplorer cannot enable it automatically.

Always use strong passwords. There is a password minimum length option, set to 8 characters by default.

3. Check for upgrades:

Security fixes are always released with high priority by the AjaXplorer team, so use the integrated upgrade tool to check whether updates are available and apply them. You can also upgrade your AjaXplorer installation using Softaculous.

Source: http://ajaxplorer.info

5 steps to secure your WHMCS installation

WHMCS is an all-in-one client management, billing & support solution for online businesses. Handling everything from signup to termination, WHMCS is a powerful business automation tool that puts you firmly in control. Get started with WHMCS by installing it with one click via Softaculous.


WHMCS has many features built-in to help keep your data safe, but here are several simple extra steps you can take to secure your WHMCS installation even further.

1. Change your WHMCS admin folder name:

Malicious users who visit your site and recognise a WHMCS install will know that they can try logging into your admin area at /admin/. To protect against this, you can rename the admin folder to something else. You then must tell WHMCS the new folder name for things to work, by adding the following line to the configuration.php file:

$customadminpath = "custom_admin_folder_name_goes_here";

Please note that if you have already created a cron job, or one has been created for you, you will need to update the path in the cron job as well, e.g.:

php -q /home/mylogin/public_html/secure/myfoldername/cron.php

You can configure this step on the install form itself when installing WHMCS via Softaculous: just choose the "Admin Folder" name you want.

2. Password protect the admin directory:

Add a second layer of protection to the admin directory by setting up .htaccess password protection. Most users can do this via the Password Protect Directories option in cPanel. Keep the .htaccess username and password distinct from your WHMCS admin login, so that one leaked credential does not open both layers.

3. Move the attachments, downloads & templates_c folders:

The three folders "attachments", "downloads" and "templates_c" need to be writeable by WHMCS and therefore usually require the permissions 777 (writeable by all). A folder with that permission level can be written to by any other user on the server as well, so it is safer to place such folders outside the publicly accessible folder tree of your website. WHMCS allows you to do this. If you do move the folders, you must tell WHMCS where they have been moved to by adding the following lines to the configuration.php file:

$templates_compiledir = "/home/username/templates_c/";
$attachments_dir = "/home/username/attachments/";
$downloads_dir = "/home/username/downloads/";

In the above example, “username” is the cpanel username and so the 3 folders are located in the home directory, above public_html.

Note that if you are running suPHP or phpsuexec you should not make the mode changes, as the folders will already be writeable by the account PHP runs as. In fact, you cannot set folder or file permissions to 777 when running suPHP or phpsuexec: the highest permissions allowed are 755 for both folders and files.

If you are installing WHMCS via Softaculous, these folders are placed in the data directory, i.e. outside the publicly accessible folder tree, by default.

4. Move the crons folder:

The "crons" folder contains the domain synchronisation script, so it should also be moved outside the publicly accessible folder tree to prevent outside users from triggering it over the web.

WHMCS allows you to do this. If you do move the folder, you must tell WHMCS where the rest of the installation lives by editing the /crons/config.php file and specifying the path to the WHMCS root directory, for example:

$whmcspath = '/home/username/public_html/whmcs/';

In the above example, "username" is the cPanel username and WHMCS is installed in the directory "whmcs".

5. Restrict access by IP:

For added security, if your staff use fixed IP addresses, you can protect your admin area even further by restricting access to a specific set of IPs. This is done by creating a file named .htaccess within your WHMCS admin directory, with the following content:

order deny,allow
allow from 12.34.5.67
allow from 98.76.54.32
deny from all

You can specify as many allow from lines as you require, or you can allow an entire IP range by giving just the leading part of an address, for example "12.34.". This technique is commonly called .htaccess IP restriction. Note that this Order/allow/deny syntax belongs to Apache 2.2; Apache 2.4 only accepts it when mod_access_compat is loaded, and the native 2.4 equivalent is Require ip followed by the same addresses.
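The IP restriction above, generated from the shell, as an added example rather than WHMCS code. The Order/allow/deny lines are Apache 2.2 syntax; Apache 2.4 only honours them with mod_access_compat loaded, so the function writes a Require ip block for 2.4 alongside them, each guarded by IfModule so that only one applies. Addresses are checked for the full-or-prefix syntax the text allows before anything is written; the admin directory path and the addresses are placeholders.

```shell
#!/bin/sh
# Added example, not WHMCS code. Writes the IP-restricted .htaccess for the admin
# directory in both Apache spellings; directory and addresses are placeholders.

# Usage: admin_ip_allowlist <admin-dir> <ip-or-prefix>...
# Entries are checked for the dotted-decimal form (a full address, or a leading
# prefix such as "12.34." as the text allows); a bad entry aborts before anything
# is written. Syntax only: an octet above 255 is not caught here.
admin_ip_allowlist() {
  dir=$1; shift
  [ $# -gt 0 ] || { echo "no addresses given" >&2; return 1; }
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
  for ip in "$@"; do
    printf '%s' "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){0,3}\.?$' ||
      { echo "rejected entry: $ip" >&2; return 1; }
  done
  req=''
  for ip in "$@"; do
    req="$req ${ip%.}"            # "Require ip" takes a prefix as "12.34", no trailing dot
  done
  {
    echo '<IfModule mod_authz_core.c>'        # Apache 2.4
    echo "  Require ip$req"
    echo '</IfModule>'
    echo '<IfModule !mod_authz_core.c>'       # Apache 2.2: the syntax shown in the text
    echo '  order deny,allow'
    for ip in "$@"; do echo "  allow from $ip"; done
    echo '  deny from all'
    echo '</IfModule>'
  } > "$dir/.htaccess"
}

# Demonstration against a scratch directory; point it at the real admin folder in use.
demo=$(mktemp -d)
admin_ip_allowlist "$demo" 12.34.5.67 98.76.54.32 12.34. && cat "$demo/.htaccess"
rm -rf "$demo"
```

Because the 2.2 block is wrapped in IfModule !mod_authz_core.c, a 2.4 server that also loads mod_access_compat still evaluates only the Require block, which avoids mixing the two authorization models in one directory.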

Source : http://www.whmcs.com

Checking for SSHD Rootkit hack

Over the past few days the SSHD rootkit issue has caused havoc amongst server admins. It is still unknown how the attackers manage to get root access to the servers and modify the keyutils-libs package. It has been mainly affecting 64-bit operating systems running control panels like cPanel, DirectAdmin, Plesk, Webuzo, etc.

We recommend every server admin to check whether their server has been affected. To do so, run the following command as root:
root> ls -la /lib*/libkey*
If the listing shows any of the following files, your server may be compromised:

  • libkeyutils.so.1.9
  • libkeyutils.so.1.3.2
  • libkeyutils-1.2.so.2

On an infected server the /lib64/libkeyutils.so.1 symlink points to one of the files above instead of the legitimate library, e.g. libkeyutils-1.2.so. Bear in mind that these names are indicators from the time of writing, not proof: the version number in the library's file name moves with keyutils releases, and newer distributions legitimately ship a file such as libkeyutils.so.1.9. Confirm a hit by verifying the package against the package database (rpm -V keyutils-libs on RPM-based systems) before deleting anything.

To remove it, do the following:
1) Remove the rogue file that is present on your system, e.g.
root> rm -f /lib64/libkeyutils-1.2.so.2

2) Remove the symlink as well, e.g.
root> rm -f /lib64/libkeyutils.so.1

3) Create a symlink to the correct file:
root> ln -s /lib64/libkeyutils-1.2.so /lib64/libkeyutils.so.1

Then reboot the system. Restarting the services alone will do no good, so please reboot the whole system. Since the attacker had root access when the library was replaced, verify the package afterwards and check the rest of the system rather than assuming this file was the only change.
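The check above as a script, an added example that is not from the original post: it lists the libkeyutils files in a library directory, flags the three file names given above, and reports where the libkeyutils.so.1 symlink points. The directory is a parameter so the same function can be run over /lib, /lib64 or a copy pulled from a suspect machine; the default of /lib64 follows the post. A second function wraps the package manager's verification (rpm -V, or dpkg -V on Debian-based systems), which is the stronger check because file names alone can be legitimate on newer releases.

```shell
#!/bin/sh
# Added example, not from the original post. Run as root; the library directory is a
# parameter so the same check works for /lib, /lib64 or a copy taken from a suspect host.

# File names the post lists as belonging to the rootkit. Names are only an indicator:
# later keyutils releases legitimately install e.g. libkeyutils.so.1.9, so confirm a
# hit with the package manager (verify_keyutils_package below) before deleting anything.
is_bad_libkeyutils() {
  case "${1##*/}" in
    libkeyutils.so.1.9|libkeyutils.so.1.3.2|libkeyutils-1.2.so.2) return 0 ;;
  esac
  return 1
}

# Returns 0 if nothing matched, 1 if a listed name or a suspicious symlink was found,
# 2 if the directory does not exist.
check_libkeyutils() {
  libdir=${1:-/lib64}; bad=0
  [ -d "$libdir" ] || { echo "no such directory: $libdir" >&2; return 2; }
  for f in "$libdir"/libkey*; do
    [ -e "$f" ] || [ -L "$f" ] || continue           # unmatched glob
    if is_bad_libkeyutils "$f"; then
      printf 'listed name present: %s\n' "$f"; bad=1
    fi
  done
  link="$libdir/libkeyutils.so.1"
  if [ -L "$link" ]; then
    target=$(readlink "$link")
    if is_bad_libkeyutils "$target"; then
      printf 'symlink %s -> %s points at a listed file\n' "$link" "$target"; bad=1
    else
      printf 'symlink %s -> %s\n' "$link" "$target"   # review the target by eye
    fi
  elif [ -e "$link" ]; then
    printf '%s is a regular file, not a symlink: inspect it\n' "$link"; bad=1
  fi
  return $bad
}

# Stronger check where a package manager is available: compares installed files with
# the package database (which assumes the database itself was not tampered with).
verify_keyutils_package() {
  if command -v rpm > /dev/null 2>&1; then
    rpm -V keyutils-libs
  elif command -v dpkg > /dev/null 2>&1; then
    dpkg -V libkeyutils1
  else
    echo "no rpm or dpkg found; verify by hand" >&2; return 2
  fi
}

for d in /lib /lib64; do
  if [ -d "$d" ]; then
    check_libkeyutils "$d" || echo "ATTENTION: $d needs manual inspection"
  fi
done
```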

Though there is a possibility of the server being re-infected, I have personally found, from the more than 20 servers I manage, that servers with NON-STANDARD SSH ports were not infected.
Hence please do change the SSH port for your server's safety.

Talk back: Have you noticed the SSHD rootkit on your servers? What have you done to clean up your infected servers? Please do share with everyone.

Protect your Simple Machines Forum from SPAM

Simple Machines Forum (SMF for short) is a free, professional-grade software package that allows you to set up your own online community within minutes.


Its powerful custom-made template engine puts you in full control of the layout of your message board, and with its SSI (Server Side Includes) function you can let your forum and your website interact with each other. It is designed to provide you with all the features you need from a bulletin board while having a minimal impact on the resources of the server. SMF is the next generation of forum software.

Once you have installed SMF, one task remains: keeping bots out of your forum. SMF can be installed with one click via Softaculous.

How to restrict bots from your SMF installation:

1. Email activation

  • Turn on email activation for all newly registered members.
  • Log in to the Admin panel » Administration Center » Registration » Settings
  • Choose the method of registration for new members.
  • New members will then not be able to post until they activate their account.

2. Code verification before posting for new members

  • Log in to the Admin panel » Administration Center » Security and Moderation » Anti-Spam
  • Change the value of "Post count under which users must pass verification to make a post" to 10 (or more if you want).
  • Users will be asked to pass verification until they reach that number of posts.

3. Code verification for new registrations

  • Log in to the Admin panel » Administration Center » Security and Moderation » Anti-Spam
  • Enable "Require verification on registration page"
  • All new registrations will then have to enter a verification code in order to register on your forum.
  • Choose among the various verification methods available.

4. That's it!

  • We have made the registration process difficult for bots.
  • And even if they manage to register, they won't be able to mess up the forum, thanks to the code verification added in step 2.

Source : codefap.com

How to make your WordPress installation Secure


WordPress is one of the most popular blogging platforms today. Being the most popular application, it is also the one numerous attackers hone their skills on.

WordPress is pretty secure and provides frequent updates, but we can make the installation more secure by following some simple steps:

1. The easiest way is to keep WordPress updated

WordPress provides security updates immediately when a vulnerability is found, so keeping WordPress up to date is the single most effective step. It hardly takes a minute to update WordPress with Softaculous.

2. Do not keep the generic admin username

Most users make the mistake of keeping the default administrator username, i.e. admin. It is a well-known username, and every attacker will try it first. Choose a username other than admin; you can use your own name, e.g. john. You can choose the username on the install form.

3. Choose a strong password

Using a simple password is a bad idea. Use a password that is hard to guess to keep attackers away: a combination of letters, numbers and special characters.

4. Secure permissions on the config file

The wp-config.php file contains all the configuration and settings of WordPress, including the database credentials. Exposing this file is a very big threat to your blog: with it an attacker could easily inject malware into your blog or delete its content. The solution is to restrict the permissions on the config file. wp-config.php is located in the root directory of your installation. Change its permissions to something safe like 0600 if suPHP is enabled on your server (PHP then runs as the file's owner, so nobody else needs to read it). Ask your host to confirm which permissions are suitable on your server.
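Step 4 from the shell, as an added example (not WordPress code): one function reports whether a file is readable or writable by anyone other than its owner by parsing ls -l, which works on both GNU and BSD userlands, and a second tightens wp-config.php to 0600 and confirms the result. A third function lists every world-writable file under a directory, which is the same check the WHMCS section earlier on this page calls for before leaving attachments, downloads or templates_c at 777 inside the document root. The paths are placeholders.

```shell
#!/bin/sh
# Added example, not WordPress code. Paths are placeholders; run as the file owner or root.

# Returns 0 if the group or "other" permission bits grant any access at all.
# Parses "ls -l" rather than stat(1), whose flags differ between GNU and BSD.
group_or_world_access() {
  perms=$(ls -ld "$1" | cut -c5-10)       # e.g. "r--r--" from "-rw-r--r--"
  case "$perms" in
    *r*|*w*|*x*) return 0 ;;
  esac
  return 1
}

# Tightens a config file to 0600 (owner read/write only) and verifies it took effect.
# 0600 is right when PHP runs as the file owner (suPHP, per-user PHP-FPM pools);
# with mod_php the web server user must still be able to read it, which is the case
# the text tells you to confirm with your host before applying this on a shared server.
harden_config() {
  f=$1
  [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
  if group_or_world_access "$f"; then
    chmod 600 "$f" || return 1
    printf 'tightened %s to 0600\n' "$f"
  else
    printf '%s already restricted to its owner\n' "$f"
  fi
  if group_or_world_access "$f"; then
    echo "still open after chmod: check ownership and ACLs" >&2
    return 1
  fi
  return 0
}

# Lists files and directories under a tree that anyone on the server can write to
# (mode o+w, which 777 implies). Run it before leaving such folders in the web root.
world_writable_under() {
  find "$1" -perm -002 -print
}

if [ -f /var/www/html/wordpress/wp-config.php ]; then
  harden_config /var/www/html/wordpress/wp-config.php
fi
if [ -d /var/www/html ]; then
  world_writable_under /var/www/html
fi
```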

5. Back up regularly

Backing up your installation is very important, because if your installation is hacked you can restore it from the backup. Always back up both your database and your files. A weekly backup is recommended; several plugins will do it for you, or you can use Softaculous to back up and restore your installation.

6. Plugins

Make a point of updating plugins when an update is available; it is always a good idea to stay updated. Also, if you are not using a specific plugin, delete it rather than merely deactivating it, since a deactivated plugin's files remain on the server.