March 13, 2014

Best Practices for Software Installations

A year ago, we posted a blog about securing WordPress, advising against leaving the out-of-the-box settings as they are. This past week, more than 162,000 WordPress sites saw the repercussions of not following best practices: they were used in a DDoS attack, as outlined in a blog post by Sucuri.

It’s easy for developers and server administrators to deploy software with the default settings. However, that often leaves portions of the software open to exploits and security vulnerabilities. In other words, just because a feature is enabled by default doesn’t mean you are going to need it, or that it is appropriate to leave it active. A case in point is the XML-RPC pingback feature in WordPress. This applies to virtually any software, whether it’s WordPress, Joomla, phpMyAdmin, ColdFusion, SQL, etc. It even extends to default Linux installs, where PermitRootLogin is enabled in SSH by default.
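As an added example (not code from the original post), the following Python script audits an sshd_config for the PermitRootLogin default mentioned above. It models the parsing rules sshd itself applies, so it catches the common mistake of appending `PermitRootLogin no` below an earlier `PermitRootLogin yes` that still wins. The sample configuration is constructed, and the `compiled_default` argument is the caller's assumption about the OpenSSH build (releases before 7.0 default to yes, 7.0 and later to prohibit-password).

```python
import re

# Constructed sample: an admin appended a hardening line, but the earlier
# package default still wins because sshd honours the FIRST occurrence.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# Appended later by an admin who expected this to take effect
PermitRootLogin no

Match User deploy
    PermitRootLogin no
"""

def effective_setting(config_text, keyword):
    """Value sshd would use for `keyword` in the global section, or None.
    Rules modelled: keywords are case-insensitive, '#' starts a comment,
    the first occurrence wins, and the global section ends at 'Match'.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key val' or 'Key=val'
        key = parts[0].lower()
        if key == "match":
            break  # directives below apply only to matching connections
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return None

def audit_root_login(config_text, compiled_default="yes"):
    """Return (effective_value, findings).
    compiled_default is an assumption about the OpenSSH build: releases
    before 7.0 default to 'yes', 7.0 and later to 'prohibit-password'.
    """
    value = effective_setting(config_text, "PermitRootLogin")
    findings = []
    if value is None:
        value = compiled_default
        findings.append("PermitRootLogin not set; build default '%s' applies" % value)
    if value == "yes":
        findings.append("root login over SSH is permitted; put "
                        "'PermitRootLogin no' before any other occurrence")
    return value, findings

if __name__ == "__main__":
    value, findings = audit_root_login(SAMPLE_CONFIG)
    print("effective PermitRootLogin:", value, findings)
```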

The problem with leaving default services on and open to the Internet is that these services will be scanned and attacked. Remember, hackers don’t care what your business does, who your customers are or who you are; the attacks are usually not personal. The attackers are fishing for data and hoping to find that one server or service which was left open and which they can enter through. This is where secure passwords come in, but the best practice is not exposing unnecessary services, features and ports to the Internet (whether by disabling or removing them). For example, a phpMyAdmin installation can be as simple as downloading the ZIP file and dropping it in a web-accessible location. Unfortunately, doing this poses a security issue. It only takes one insecure or commonly guessed MySQL password for a hacker to take control of an account. If the phpMyAdmin version becomes outdated, a hacker can exploit your website through a known vulnerability or, worse, compromise your server.

What does Edge recommend? As a general rule, if the service/feature/port doesn’t need to be exposed to the Internet, don’t expose it. Yes, it’s kind of ironic hearing that from a web hosting company such as Edge. If the service/feature/port does need to be exposed, lock it down. Ideally, locking down access would be done via VPN, but if that’s not an option, IP restrictions would be the second-best approach.

And as always, be sure to read the documentation for any software that is being installed. Understand the best-practice configurations and keep up to date with security patches. Whether through an RSS feed from the vendor or by viewing sites such as Exploit-DB, staying current is important in ensuring your applications and data remain secure.
