Security recommendations for your Managed Server
Ensuring the integrity and confidentiality of your data is crucial for any application or environment. This page gives an overview of recommendations and best practices that are easy to fit into your usual workflows. With these practices in place, you can significantly improve the security of your environment with very little effort.
Key-based (passwordless) authentication
A best practice for SSH and SFTP access is public/private key authentication: generate a key pair (Ed25519 is the current recommendation), protect the private key with a passphrase, and install the public key in the authorized_keys file of the server user you log in as.
Once your SSH and SFTP clients are set up for key-based authentication, Nine will happily disable password-based authentication for you. This removes the password-guessing attack surface for SSH and SFTP entirely, which goes beyond the brute-force protection already in place on all Managed systems: an attacker without the private key has nothing left to guess.
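The following is an added example, not code from the original article or from Nine: a small audit of an sshd_config that confirms password logins are really off. It encodes two sshd behaviours that are easy to miss: the first occurrence of a keyword wins (a hardening line appended at the end of the file is ignored if the keyword appears earlier, including in a file pulled in by an Include directive), and keyboard-interactive authentication is a second password path that must be switched off as well. The sample configurations and the default values listed are constructed assumptions (OpenSSH 9.x defaults).

```python
"""Audit an sshd_config for settings that leave password logins possible.

Added example, not code from the original article. The first occurrence of a
keyword wins in sshd, and KbdInteractiveAuthentication is a second password
path besides PasswordAuthentication.
"""
import re

# Compiled-in defaults for the keywords checked here (assumption: OpenSSH 9.x;
# ChallengeResponseAuthentication is the pre-8.7 name of KbdInteractiveAuthentication).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return the effective global settings as a lower-cased keyword -> value map.

    Stops at the first 'Match' line: everything after it is conditional and
    needs 'sshd -T -C user=...' to evaluate. First occurrence wins.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        effective.setdefault(key, value)   # later duplicates are ignored, as sshd does
    return effective


def audit_sshd_config(text):
    """Return a list of findings; an empty list means only key-based logins remain."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is not 'no' (PAM password prompts still work)")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes allows root password logins")
    return findings


# Constructed sample configs, not taken from any real server.
# In WEAK_CONFIG the trailing 'PasswordAuthentication no' is ignored because
# the keyword already appeared earlier with 'yes'.
WEAK_CONFIG = """
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication yes
UsePAM yes
PermitRootLogin yes
PasswordAuthentication no
"""

HARDENED_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
UsePAM yes
Match Group sftponly
    ForceCommand internal-sftp
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

On a Managed Server Nine makes the sshd change for you, so the audit is mainly useful to confirm the result, or on servers you administer yourself. The authoritative check on the server is `sudo sshd -T`, which prints the effective configuration after all Include files and defaults are resolved; grep it for `passwordauthentication` and `kbdinteractiveauthentication`. Always test the new key login from a second terminal before closing the session you already have.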
Use different SSH users for each environment
The user www-data is provided for administrative purposes. Using it is acceptable in a single-project environment. If you run multiple projects or versions, or grant access to contractors, create an additional user for each project or environment (for example staging or test), so that a shared or leaked credential only reaches the environment it belongs to.
The creation of additional user accounts is documented in this support article.
Use different databases and database users for each environment
The application frontend is the most exposed target for attacks. To keep a successful attack (for example a SQL injection in a test installation, or a leaked configuration file) from reaching other environments, it is strongly advised to use a separate database and a separate database user for each environment.
The same principle as for the SSH users above applies here: grant each database user only the privileges its application needs on its own database, and nothing on other databases or at the server level.
Restrict access to specific IP addresses
If you use a dedicated IP address range or a VPN, we are glad to restrict access to specific services, or to your whole environment, to your dedicated IP address(es).
Avoid using insecure connections and protocols
Data confidentiality can only be achieved if the transmission channel is properly secured. Therefore, TLS-secured connections should always be preferred.
FTP is one of the most widely spread insecure protocols. Without further extensions, FTP transfers credentials and data in plain text, so anyone on the network path can read them. We strongly recommend using FTPS (implicit TLS, usually on port 990) or FTPES (explicit TLS negotiated with AUTH TLS on port 21) instead of plain text FTP. Note that with explicit TLS the data channel must be protected separately (PROT P); otherwise directory listings and file contents still travel unencrypted even though the login was protected.
If you're using our Managed Service FTPAdmin2, we are glad to disable plain text FTP for you.
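As an added example (not code from the original article or from Nine), here is an upload over FTPES with Python's standard ftplib, written to avoid the two mistakes that silently fall back to plain text: using ftplib.FTP instead of FTP_TLS, and forgetting prot_p() so that the data channel stays unencrypted. FTP_TLS also does not verify the server certificate unless you hand it your own SSLContext, which the example does. Host name, credentials and file names are placeholders.

```python
"""Upload a file over FTPES (explicit TLS on port 21) with Python's ftplib.

Added example, not part of the original article; host, credentials and file
names are placeholders. Without an explicit SSLContext, FTP_TLS accepts any
server certificate; without prot_p(), the data channel stays in plain text.
"""
import ssl
from ftplib import FTP_TLS


def make_ftpes_client(timeout=30.0):
    """Return an unconnected FTP_TLS client that verifies the server certificate."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    return FTP_TLS(context=ctx, timeout=timeout)


def client_verifies_certificate(client):
    """True when the client will refuse a server whose certificate does not validate."""
    return (client.context.verify_mode == ssl.CERT_REQUIRED
            and bool(client.context.check_hostname))


def upload_over_ftpes(host, user, password, local_path, remote_name, port=21):
    """Connect, upgrade the control channel, log in, protect the data channel, upload."""
    client = make_ftpes_client()
    client.connect(host, port)
    client.auth()                      # AUTH TLS before any credentials are sent
    client.login(user, password)
    client.prot_p()                    # PROT P: encrypt the data channel as well
    with open(local_path, "rb") as fh:
        client.storbinary(f"STOR {remote_name}", fh)
    client.quit()


if __name__ == "__main__":
    # Placeholder values (assumption); replace with your own server and account.
    upload_over_ftpes("ftp.example.com", "user", "secret", "index.html", "index.html")
```

ftplib only implements explicit TLS; for implicit FTPS on port 990 use a client such as FileZilla, which supports both modes and verifies the server certificate by default.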
Use TLS certificates for all your web projects
We recommend using TLS connections for all web projects, including test environments. We cover the vast majority of use cases with the free Let's Encrypt integration and offer a variety of TLS certificates for more specific use cases.
HTTP headers for your application
Origin / Access-Control-Allow-Origin
Origin is a request header the browser attaches to cross-origin requests; Access-Control-Allow-Origin is the response header that tells the browser which origins may read the response (CORS). Together they control which other sites can access your web application's responses from script. Answer with an explicit allow-list of trusted origins, never reflect an arbitrary Origin back, and never combine a wildcard with Access-Control-Allow-Credentials: true.
Content-Security-Policy
Content-Security-Policy restricts the sources from which the user agent may load scripts, styles, images and other resources for a page, and whether inline scripts may run, which makes it an effective mitigation against cross-site scripting (XSS).
Strict-Transport-Security (HSTS)
Strict-Transport-Security tells a browser that has seen the header once over HTTPS to reach the host only via HTTPS for the following max-age seconds: http:// links are upgraded before the request leaves the browser, and certificate errors can no longer be clicked through.
Yelp released an interesting blog post from their engineering point of view; we recommend reading it before larger deployments and especially if you plan to include subdomains in the policy, because browsers cache the policy and a subdomain that still needs plain HTTP becomes unreachable until max-age expires.
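The following is an added example, not code from the original article or from Nine, showing the three headers in practice: a CORS responder that answers the browser's Origin from an explicit allow-list, a set of hardening headers, and an audit that flags the weak configurations discussed above in a response header map. The origins, the CSP and the HSTS threshold are illustrative assumptions to adapt to your application; the sample responses are constructed, not captured from a real server.

```python
"""Emit and audit the CORS, CSP and HSTS headers discussed above.

Added example, not code from the original article or from Nine. The origins,
CSP and thresholds are illustrative choices to adapt to your application.
"""
import re

ONE_YEAR = 31536000  # HSTS max-age in seconds; the minimum for preloading

# Assumption: the origins that may call this application cross-origin.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

HARDENING_HEADERS = {
    # Drop includeSubDomains if any subdomain is still served over plain HTTP.
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        "base-uri 'self'; frame-ancestors 'none'"
    ),
}


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS, with_credentials=True):
    """Answer the browser's Origin request header from an explicit allow-list.

    Reflecting any Origin back, or combining '*' with credentials, lets every
    site read authenticated responses; an unknown origin simply gets no CORS
    headers and the browser blocks the read.
    """
    if request_origin not in allowed:
        return {}
    headers = {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def _csp_directives(csp):
    """Split a CSP string into {directive: [source expressions]}."""
    out = {}
    for chunk in csp.split(";"):
        tokens = chunk.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_security_headers(headers):
    """Return findings for a response header map; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        d = _csp_directives(csp)
        script_src = d.get("script-src", d.get("default-src", []))  # CSP fallback rule
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP script-src allows 'unsafe-inline' or '*': weak XSS mitigation")

    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("Access-Control-Allow-Origin '*' combined with credentials")
    return findings


# Constructed sample responses, not captured from a real server.
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
HARDENED_RESPONSE = {**HARDENING_HEADERS, **cors_headers("https://app.example.com")}

if __name__ == "__main__":
    print("weak:", audit_security_headers(WEAK_RESPONSE))
    print("hardened:", audit_security_headers(HARDENED_RESPONSE) or "OK")
```

To check a live site, `curl -sI https://www.example.com` shows the headers actually sent; if your site runs on Apache with mod_headers, a header such as HSTS is set with `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"`. Because the CORS response varies by origin, the example also sends Vary: Origin so that caches do not serve one origin's allow header to another.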
Cloudflare - Attack detection and prevention, performance improvements
The web frontend and web application, which are the most prominent attack targets, can be protected by placing a CDN in front of them. A world-wide distributed CDN not only provides automatic attack detection and mitigation against various attack vectors but also improves the delivery times of your content globally. The CDN caches content and serves it directly without hitting the backends, reducing both load times and system load.
Cloudflare detects a range of attack vectors and ships mitigations for popular CMS/CRM platforms such as WordPress, Drupal, Joomla, TYPO3 and Magento.
As a Cloudflare partner, Nine is available to provide guidance and assistance in configuring the world's most widely used CDN. Once traffic is routed through Cloudflare, restrict direct access to the origin server (see the IP restriction above), so that the protection cannot be bypassed by connecting to the server's own IP address.