Category Archives: Website Security

Setting up SSH access using keys for cPanel and WHM

The internet has become an extremely unsafe place. Numerous methods of attack are public access and anyone can try them. At the same time, new common vulnerabilities are discovered almost daily. Software developers do their best to close all new vulnerabilities, but it is next to impossible to keep. Bots, bots and more bots are scanning servers for different security holes and once they find one on your server, believe me, they will use 100% of it. Your server will work for proxy, spam sending or even bitcoin mining…maybe even without your knowledge.

GlowHost does it’s best to prevent attacks. We have been providing hosting for many years and have skilled professionals in this area.

Also, GlowHost is working in partnership with security firms and runs daily scans of all servers in order to find suspicious software. We do this day in and day out, constantly, and we are not going to stop. We do our best to secure our customers, because we care.

The latest issue we have noticed floating around the Interwebs is that the SSH service can be easily hacked if password authentication is enabled. At the time of this writing, most hosting companies know about this problem, but are being very quiet about it as there is no known fix other than forced key access, and how the attackers are able to do this is not 100% clear. Because the service has vulnerabilities, we had to close that feature in order to protect our customers. In order to keep this security measure in place, but still allow a secure connection, you can use an SSH key. Below I will describe how to set up SSH access using keys and gain access to the server.

Requesting SSH Access

In order to use SSH on a shared account, you will need to contact our support team to grant you access. It’s simple and painless! Once that’s set up, you’re good to proceed.

Creating SSH keys

First of all, you need to login to WHM (login details are in your welcome letter from GlowHost). In the search field type “Key” (1 in the image example below) to filter the menu options and click on “Manage root’s SSH Keys” (2).

If you don’t have WHM access, you can do the same from cPanel -> SSH/Shell Access. Functions are the same as in WHM.

Now you will see keys set up on your server. Please do not remove keys belonging to the GlowHost technical team. If you do, we won’t be able to access your server and provide you with managed service.

Click on the “Generate a new key” link (3).

Creating keys

Now you will see fields to generate a new key pair. Enter the following information in the respective text box:

Name: Just the name of the key. Usually used to identify the owner.
Key Password: You can keep it blank, but we do advise strongly to create a password so nobody else can access the server using your key.
Key Type: RSA
Key length: No less than 2048 bits for RSA.

ssh_2

Click the Generate button. Keys will be created.

That’s it! You have now keys. Go back to “Manage root’s SSH Keys” section. There you will see that your key has been created.

You need to click on “Manage Authorization” and at the new page click “Authorize” in order to make the public key work.

Authorize key

Now you need to get the private key to your PC and keep it in a safe place. The public key will remain on the server. You can use one public key on different servers, like the lock you have on your home or your car, while your private key is the only one you can use to access the server (or open your locks).

In the same “Manage root’s SSH Keys” area, you will see the newly generated private key. Click on “View/Download key” button near the key that you have created before.

You will see two options. In case you are a Mac/Ubuntu/Other Linux user – just copy the text from the window to a file on your PC. You can name it key.ppk.

Download the key

If you are a Windows user, you will need to enter the passphrase you used while creating the key and convert the key to a format that Windows software (generally PuTTY) understands. Now copy the key in key.ppk file to your machine.

Using the key to access your server in MacOS.

1. Find the “Terminal” application in launchpad and start it.

2. Copy the key from your browser as described above.

3. Run the following command in your machine. Replace “USERNAME” with your username on your local computer:

vim /Users/USERNAME/.ssh/mykey.ppk

You will see the text editor appear. Press “shift” and “A” simultaneously.

Press “Command” and “V” simultaneously to paste the key.

Press “ESC”, then type :wq (including the colon) and press enter. This will save the key.

4. Once done here, type the following command:

chmod 700 /Users/USERNAME/.ssh/mykey.ppk

Now you are ready to connect to the server via SSH! Just run this command from the terminal window (replace USERNAME with your actual username on your local computer):

ssh -i /Users/USERNAME/.ssh/mykey.ppk root@<server’s IP address> -p<port number>

The <server’s IP address> and <port number> should be in your welcome letter (This may come as an IP address or a hostname). The system will also ask you for the passphrase.

Using the key to access your server in Windows.

1. While MacOS has an integrated terminal, you will need special software on Windows. Please download “Putty.exe.”

2. Run PuTTy. Expand the “SSH” node in the left bottom and click “Auth”. Now you need to show PuTTy the way to the downloaded private key by using the Browse button. It can have *.ppk extention or even *.txt – both will work.

ssh_6

3. Click on “Session” in the top left. Enter the “IP”, “Port” (both are in your welcome letter – this may come as an IP address or a hostname) and “Saved Sessions” (Which is a custom name for you to save this information) fields. Click on the “Save” button. You now have the session saved and don’t need to add the key again.

Connect

4. That’s it. Click “Open”, and the server will ask you for the passphrase you have used. Enter that and you will connect to the server.

We love to hear feedback and comments. Please post below to tell us what you think!

 

Pesky Spam in your web stats got you down? Get rid of referrer spam for good.

Pesky Spam in your web stats got you down?
As some of you may have noticed lately your web stats may have been artificially bloated by referrer spam, the most prevalent I have seen lately is due to a script called surf.php

Referrer spam serves one purpose, to get people to look at the referring site. This is usually done when someone sees a high-ranking referrer in their web stats, or, if a site has an automated script that lists and/or links back to whatever it thinks is a “top referrer.”

So spammers have once again decided to ruin a good thing for everyone by exploiting this automated link-back that some scripts have built-in, and have decided to artificially bloat your traffic stats in hopes that your site will link back to theirs. Not only is this annoying, but it wastes your server’s CPU resources due to extra logging and other processing associated with these idiots who cannot get legitimate traffic to their sites. It also can eat up disk space due to larger logs.

So what can be done?
Well if you run Apache web server like most of us do you are in luck. you can block these referrers for good using our friend .htaccess.

First you need to figure out who the referrers are that you want to ban. Mine might look like this:

http://www.xtreamsurf.com/surf.php
http://www.parrotsurf.net/surf.php
http://www.advertising-surf.net/surf.php
http://www.aussieearners.com/surf.php
http://arobuhits.biz/surf.php

Please note:
For this article I have spelled “Referrer” as “Referrer.”  Somehow “Referer” (notice, only one “r”) made it into the HTTP standard even though it is spelled incorrectly. Inside of the .htaccess file you are about to create you should specify:

SetEnvIfNoCase Referer

instead of the correct spelling:

SetEnvIfNoCase Referrer

You can substitute “ReferrerSpam” below with whatever you want to call it, so long as your deny from line matches what you have specified for your environmental variable.

Once you have a list of your spammers, and have taken mental notes on the above, open up your .htaccess file and add these lines:

## Tag our known referrer spammers
SetEnvIfNoCase Referer “.*.xtreamsurf.com” ReferrerSpam
SetEnvIfNoCase Referer “.*.parrotsurf.net” ReferrerSpam
SetEnvIfNoCase Referer “.*.advertising-surf.net” ReferrerSpam
SetEnvIfNoCase Referer “.*.aussieelearners.com” ReferrerSpam
SetEnvIfNoCase Referer “.*.arobuhits.biz” ReferrerSpam

## Block our known referrer spammers
order deny,allow
deny from env=ReferrerSpam

Notably, the sites above are actually known referrer spammers (at the time of this writing) so feel free to add them to your own rules.

Making sure its working properly:
If you want to test it out put a link to your site that is doing the blocking (siteA), from another site that you might have (siteB). Next add siteB to the it to the deny rules for siteA. If you click the link to siteA from siteB you should get the 403 “Forbidden” page that Apache serves up to those that you dislike.

That’s all there is to it. For information on mod_setenvif see the official Apache website at the previous link.