Security
Old List
- Remove email accounts from the server that hosts the crypto-dealing sites and find another host for email. See the Wordfence article.
- Keep crypto-dealing domains in separate cPanel accounts – done. clickforafrica.org is also on a totally separate server from the others, with its own cPanel.
- ———— trying the items below on clickforafrica first ————
- Enable HTTP Strict Transport Security (HSTS) – in .htaccess – see here.
- Add a Content Security Policy – .htaccess again, see here. Good CSP intro here.
- [cfa] X-Frame-Options – stops clickjacking attacks. See here; that page also covers other headers (incl. the XSS protection header, below). Intro here.
- [cfa] X-XSS-Protection – here – and .htaccess here.
- [cfa] X-Content-Type-Options – here, and use this to set the 3 of them together (as above).
- [cfa] Referrer-Policy – here – .htaccess and a possible problem here.
- [cfa] Feature-Policy – here – restricts feature availability (e.g. camera, geolocation) to self.
A scan via securityheaders.com showed many failures. We are on shared hosting, so I don’t have full server access, but most of these can be set via .htaccess, so I have put links above to help with that. Found a security headers plug-in for WP too – will check that out and see if it will save time. It covers all the ones we failed on.
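As an added example (not from the original notes, and not the WP plugin mentioned above), here is one .htaccess block that sets every header in the list above from shared hosting. It assumes Apache with mod_headers enabled; the CSP sources and the Feature-Policy/Permissions-Policy values are assumptions to be tuned per site.

```apache
# Added example, not from the original notes. Assumes Apache with mod_headers.
<IfModule mod_headers.c>
    # HSTS: start with a short max-age while testing, and only add
    # includeSubDomains once every subdomain (mail, cPanel, ...) serves HTTPS.
    # env=HTTPS limits the header to TLS responses, as the spec requires.
    Header always set Strict-Transport-Security "max-age=300" env=HTTPS

    # CSP: deploy as Report-Only first, watch the browser console for
    # violations, then rename the header to Content-Security-Policy.
    # 'unsafe-inline' is an assumed concession for WordPress themes/plugins.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"

    # Clickjacking: only this site may frame its own pages.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Legacy XSS filter header (modern browsers ignore it; harmless to set).
    Header always set X-XSS-Protection "1; mode=block"

    # Stop browsers MIME-sniffing responses away from the declared type.
    Header always set X-Content-Type-Options "nosniff"

    # Send the full referrer same-origin, origin only cross-site over HTTPS.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Feature-Policy has been succeeded by Permissions-Policy; set both so
    # old and new browsers are covered. Values here deny the features outright.
    Header always set Feature-Policy "camera 'none'; geolocation 'none'; microphone 'none'"
    Header always set Permissions-Policy "camera=(), geolocation=(), microphone=()"
</IfModule>
```

Re-run the securityheaders.com scan after uploading; if a header is still missing, the host has mod_headers disabled and the WP plugin route is the fallback.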
Create a user with sudo and disable root login.
Add the user:
adduser <username>
Add the user to the sudo group:
usermod -aG sudo <username>
(-a means append to the user's existing groups rather than replacing them, and -G names the group to add the user to.)
Check it worked (use - or -l to get a full login shell as the new user):
su - <username>
Then do something to check sudo is OK:
sudo apt update
Check the new user can log in via SSH! Then:
sudo vim /etc/ssh/sshd_config
Uncomment PermitRootLogin and set its value to no.
(If vim doesn’t like you, install nano and use that instead.)
Save and close, then restart sshd:
sudo service sshd restart