{"id":326,"date":"2021-07-23T12:27:51","date_gmt":"2021-07-23T12:27:51","guid":{"rendered":"https:\/\/ssdsunucum.com\/blog\/basic-security-concepts\/"},"modified":"2021-07-23T12:27:51","modified_gmt":"2021-07-23T12:27:51","slug":"basic-security-concepts","status":"publish","type":"post","link":"https:\/\/ssdsunucum.com\/blog\/basic-security-concepts\/","title":{"rendered":"Basic Security Concepts"},"content":{"rendered":"<\/p>\n
\n
<\/div>\n
\n

Overview<\/h2>\n

This document describes some basic security concepts that you can use to protect your system from cross-site request forgeries (XSRF) attacks. XSRF attacks occur when a malicious user exploits the trust between a website and a user\u2019s browser. When a malicious user exploit that trust, they can run unauthorized commands on a website.<\/p>\n

XSRF attacks rely on two items:<\/p>\n

    \n
  • Access to authentication credentials.<\/li>\n
  • Surreptitious execution of a command via a URL.<\/li>\n<\/ul>\n

    For more information about XSRF attacks, visit Wikipedia\u2019s XSRF article.<\/p>\n

    Authentication methods<\/h2>\n

    We recommend that you use cookies as an authentication method for cPanel & WHM logins. An HTTP-authenticated session does not<\/strong> terminate unless you terminate the web browser application session. If you use HTTP authentication, the browser caches the login credentials until the system terminates the application.<\/p>\n

    Some browsers allow you to flush login credentials. However, do not<\/strong> rely on this method, and it does not exist in all browsers. When a web browser caches login credentials, the credentials become susceptible to XSRF attacks.<\/p>\n

    For more information, read our Email Deliverability documentation.<\/p>\n

    Validated cookies<\/h3>\n

    Malicious users can steal cookies and use them in XSRF attacks. Most browsers do not<\/strong> provide any protection to mitigate this attack. We provide an option that allows you to validate the incoming IP address as part of the cookie during the authentication process.<\/p>\n

    On subsequent authentication requests, the server compares the IP addresses to the original values in the cookies. A mismatched value causes an error that results in a re-authentication request.<\/p>\n

    \n
    Important:<\/div>\n
    \n

    When you use validated cookies, we recommend that you disable service subdomain access. If you do not<\/strong> disable service subdomain access, any attempt to access interfaces via a service domain will cause the system to record the local host\u2019s IP address (usually 127.0.0.1<\/code>), which renders IP address validation useless.<\/p>\n<\/p><\/div>\n<\/div>\n

    To disable service subdomains, disable the following settings in the Domains<\/em> section of WHM\u2019s Tweak Settings<\/em> interface (WHM<\/em> >> Home<\/em> >> Server Configuration<\/em> >> Tweak Settings<\/em>):<\/p>\n

      \n
    • Service subdomains<\/li>\n
    • Service subdomain creation<\/li>\n<\/ul>\n

      Require SSL<\/h3>\n

      You can also require your users to log in via SSL or TLS to improve your system\u2019s security. If users log in to their accounts over ports 2082<\/code>, 2086<\/code>, or 2095<\/code>, the system sends authentication credentials in plain text. The authentication credentials become easy to steal, read, and use again later.<\/p>\n

      For more information about how to access cPanel & WHM services securely, read our How to Log in to Your Server or Account documentation.<\/p>\n

      Security tokens<\/h3>\n

      cPanel & WHM includes security tokens to help combat XSRF attacks. The system inserts unique security tokens into the URL for a single login session. Any requests that a user makes without the appropriate token produce an error and result in a request for re-authentication. This action effectively stops XSRF attacks because the malicious URL will not<\/strong> contain the appropriate token.<\/p>\n

      \n
      Warning:<\/div>\n
      \n

      Security tokens may cause problems with custom scripts and some third-party applications that integrate with cPanel & WHM. We strongly<\/strong> recommend that you verify that third-party applications are compatible with security tokens before you enable them. If you must<\/strong> use applications that are not compatible with security tokens, we recommend that you use URL referrer checks instead.<\/p>\n<\/p><\/div>\n<\/div>\n

      URL referrer checks<\/h3>\n

      The HTTP referrer identifies the URL of the page from which a user originated. Referrer checks only function correctly when you enable the blank referrer check, and typically result in a large number of false positive alerts. However, if you must<\/strong> use third-party applications that are not compatible with security tokens, you can use referrer checks in place of security tokens.<\/p>\n

      \n
      Warning:<\/div>\n
      \n

      If you cannot use security tokens on your server, we strongly<\/strong> recommend that you enable the following options in the Security<\/em> section of WHM\u2019s Tweak Settings<\/em> interface (WHM >> Home >> Server Configuration >> Tweak Settings<\/em>):<\/p>\n

        \n
      • Blank referrer safety check<\/li>\n
      • Referrer safety check<\/li>\n<\/ul><\/div>\n<\/div>\n

        Password strength<\/h2>\n

        Weak passwords provide insignificant protection against brute force attacks. Brute force attacks occur when a malicious user guesses the password for a specific account via the trial-and-error message. This process is most often an automated process that uses dictionary terms. Use WHM\u2019s Password Strength Configuration<\/em> interface (WHM<\/em> >> Home<\/em> >> Security Center<\/em> >> Password Strength Configuration<\/em>) to set your user\u2019s minimum password strength.<\/p>\n

        \n
        Note:<\/div>\n
        \n
          \n
        • We strongly<\/strong> recommend that you set a value of 50<\/code> or higher.<\/li>\n
        • The minimum password strength requirement only<\/strong> applies to passwords that cPanel & WHM creates and modifies. A user with shell access may use the passwd<\/code> command to set a weak password.<\/li>\n<\/ul><\/div>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"

          Overview This document describes some basic security concepts that you can use to protect your system from cross-site request forgeries (XSRF) attacks. XSRF attacks occur when a malicious user exploits the trust between a website and a user\u2019s browser. When a malicious user exploit that trust, they can run unauthorized commands on a website. XSRF …<\/p>\n","protected":false},"author":1,"featured_media":327,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/326"}],"collection":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/comments?post=326"}],"version-history":[{"count":0,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/326\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media\/327"}],"wp:attachment":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media?parent=326"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/categories?post=326"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/tags?post=326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}