Server Level Hardening
Each eHermits Inc. server is hardened in four areas:
- Server Level Security Suite
- Physical Security
- Security Policies
- WordPress Security Plugins
Attention in each area is vital to keeping your site, email and personal information secure.
This page describes the Server Level Security Suite that comes with every Home, Pro and Pro+ account.
Firewall and Brute Force Protection:
Advanced Firewall (APF) is installed and configured on all servers. All ports that are not needed for operation of the server are blocked, and we employ both ingress and egress filtering to provide the highest level of protection against attacks. The firewall automatically updates using the Spamhaus DROP list to block traffic from stolen ‘zombie’ netblocks and netblocks controlled entirely by professional spammers. We also configure Brute Force/Login Failure Detection (LFD), which detects brute force login attacks against your server and then works with APF to block the attacker. Additionally, cPHulk is enabled, which protects against brute force attacks directed at cPanel services.
Spam Prevention and Anti-Virus Protection:
Your server scans all email for malicious software using ClamAV. This software currently detects over 60,000 viruses, worms and trojans and is used by major enterprises and universities worldwide. Anti-virus definitions are updated hourly to ensure your server is always protected.
Each server uses a variety of highly effective methods to prevent spam on your server. The first is the use of Realtime Blackhole Lists (RBLs) for spam prevention. We configure your server to use a hand-picked selection of RBLs which block known spam-hosts, open proxy servers, open mail relays, hijacked/infected servers and the like from sending mail to your server. The RBL selection was designed to eliminate spam without blocking legitimate mail. We also harden the mail server configuration as another layer in spam prevention. These settings are adjustable at the account level so that you have fine control over which emails get through and which are marked as spam.
Advanced spam filtering techniques are also employed: an Optical Character Recognition engine to detect spam delivered as images or PDFs, checksum-based collaborative filtering technology, and SMTP dictionary attack protection.
Server Hardening and Optimization:
We optimize the Linux TCP/IP stack for maximum performance and then harden the system against SYN flood attacks, spoofed packets, DNS poisoning, and ICMP DoS/redirect attacks. At the filesystem level we ensure proper directory permissions and protect the temporary directory and shared memory space against attacks. Because we specialize in WordPress, we are able to tighten the security even further than a generic host. At the operating system level, we remove all unnecessary packages, disable unused services and processes, and configure system daemons (including SSH, HTTP, and BIND) for increased security.
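A way to check the kernel network settings behind the SYN flood, spoofed packet and ICMP redirect protections described above, as an added example that is not eHermits' own code or configuration. The baseline values, the function name `audit_sysctl` and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. BASELINE is an assumed set of common Linux hardening values,
# not the host's actual configuration:
#   tcp_syncookies              SYN flood mitigation
#   rp_filter (1 = strict)      drops packets with spoofed source addresses
#   accept_source_route         refuses source-routed packets
#   accept/send_redirects       ignores and never emits ICMP redirects
#   icmp_echo_ignore_broadcasts blocks smurf-style ICMP amplification
BASELINE='net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1'

# audit_sysctl: reads "key = value" lines (the format of `sysctl -a`) on stdin,
# prints one line per missing or deviating key, returns 1 if any were found.
audit_sysctl() {
    _input=$(cat)
    _rc=0
    while IFS='=' read -r _key _want; do
        _got=$(printf '%s\n' "$_input" |
            awk -F' *= *' -v k="$_key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$_got" ]; then
            echo "MISSING $_key: want $_want"; _rc=1
        elif [ "$_got" != "$_want" ]; then
            echo "DEVIATION $_key: want $_want, got $_got"; _rc=1
        fi
    done <<EOF
$BASELINE
EOF
    return "$_rc"
}

# Constructed sample input: redirects are accepted and one key is absent.
SAMPLE='net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0'

printf '%s\n' "$SAMPLE" | audit_sysctl || true
# On a live host: sysctl -a 2>/dev/null | audit_sysctl
```

DNS poisoning protection is a resolver setting rather than a kernel one, so it is outside what this check covers.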
HTTP Intrusion and DoS Protection:
Your eHermits Inc. server is configured with suPHP, mod_security and mod_evasive to protect against web application and denial of service (DoS) attacks. suPHP prevents the execution of unknown PHP files dropped into your server directory. Mod_security is an intrusion detection and prevention engine which provides protection against a wide range of attacks, both known and unknown, against web applications. Mod_evasive allows Apache to take evasive action in the event of an HTTP DoS attack, DDoS attack or brute force attack. We install a customized rule set to minimize the risk of false positives.
Each eHermits server is configured with the intrusion detection software Rootkit Hunter and Chkrootkit. These tools perform nightly security audits to ensure your server is safe. Other tools scan your PHP files for common security abuses, such as sendmail vulnerabilities and common security exploits.