Table of Contents
This chapter describes the features we provide to help increase your system security, and offer tips and suggestions on what you can do to help ensure your system remains secure.
The Symbiosis system is comprised of many components, each working together to deliver a complete solution to your hosting needs. Different systems and components of your server will generate email notifications to alert you of important events and warnings. It is important that such emails are read.
By default all system-generated emails will be delivered to the root user of your primary domain. (This is the first domain which is configured when your machine is setup, and will probably be a name such as example.vm.bytemark.co.uk.)
Rather than make it mandatory that you read the root mailbox it is suggested that you configure email forwarding such that mail sent to root@example.vm.bytemark.co.uk is delivered to your personal email address.
A common means of compromising machines what is called a "dictionary attack", this involves a remote user (or computer) trying to connect to a server with a collection of thousands of usernames and passwords.
This dictionary of usernames and passwords will include common choices such as a username of "test" and a password of "test", along with many other less-likely looking candidates. The Symbiosis Firewall has a blacklisting program that detects attacks via various protocols, including SSH, and configures the firewall to block further connections. This is documented in Section 19.6, “Blocking abusive remote hosts”.
This important security measure can catch you out if you repeatedly attempt to access the server using incorrect credentials, as you’re likely to find your own IP address becomes blacklisted. See Section 25.2, “Firewall problems?” for help with this situation.
The best defence is to ensure that when you add users, or change system passwords, that you never ever choose simple passwords which might be liable to be guessed, or included in an attackers' dictionary.
There is a regular test on all the passwords used to access email and FTP under Symbiosis, the output of which will get sent to the root email account. Please see the note in earlier in this chapter regarding email notifications.
Over time security bugs can be found in software packages, and if such a problem is discovered in a package you’re using then your machine is at risk until it has been updated.
The Symbiosis system is configured to automatically download and install appropriate security updates to the packages in the base operating system and from the Symbiosis repository itself.
However if you’ve chosen to install additional applications such as Wordpress you must ensure that you look for updates regularly. Often this can be done by subscribing to the application’s announcements mailing list.
When granting FTP access to your machine, it is important to bear in mind that the person who uses that login can trivially access other files on the system. Various methods could be used, including uploading PHP or CGI scripts.
There are ways to mitigate the effect of this access, including setting permissions such that sensitive files are not world-readable, and hashing passwords. However the safest way to manage this problem is to ensure that only trusted users are given FTP access.