Knowledge Base


Securing your server

07/20/2017 06:38 AM
How can I protect my server/site from being hacked?


I. Protecting from SSH password brute-forcers

First of all, we highly recommend avoiding password-based SSH authentication because of the recent increase in brute-force activity. Instead, we suggest using asymmetric key-based authentication by following these instructions:

1. Generate a public/private key pair in your SSH client.
Note: never give your private key to anybody! If you need to give someone else access to your server, ask them to provide their public key and do what's stated in the next step.

2. Log in to your server with SSH, and copy-paste your public key into /root/.ssh/authorized_keys. If you don't have such a directory and/or file, then you have to create them.
3. Now try to log in to your server using your private key. If everything is working properly, you won't have to enter any password at this point (unless you specified one during step 1).
4. Open /etc/ssh/sshd_config on your server, uncomment "PasswordAuthentication yes" and change it to "no" in order to completely disable password-based SSH authentication on your server.
5. Restart your SSH server with 'service sshd restart'.
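
A pre-flight check for steps 2 to 4, added here as an example (it is not part of the original article or of XFileSharing Pro): it reads the effective PasswordAuthentication value from a config file and confirms that authorized_keys holds at least one key and is not writable by others, so that disabling passwords does not lock you out. The function names and the sample files are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not vendor code): pre-flight checks before step 4.

# Effective PasswordAuthentication value in an sshd_config-style file.
# sshd uses the FIRST uncommented occurrence of a keyword, keywords are
# case-insensitive, and the built-in default is "yes".
# Assumption: whitespace-separated keyword/value, no Match or Include;
# on a live server `sshd -T` prints the authoritative effective settings.
password_auth() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); f = 1; exit }
         END { if (!f) print "yes" }' "$1"
}

# Count lines that look like public keys: an optional options field,
# then a key type, then base64 data. Only common key types are listed.
count_keys() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         { for (i = 1; i < NF; i++)
               if ($i ~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ &&
                   $(i + 1) ~ "^[A-Za-z0-9+/]+=*$") { n++; break } }
         END { print n + 0 }' "$1"
}

# Succeeds only if disabling passwords would not lock the key holder out:
# at least one key is present and the file is not group/world writable
# (sshd's default StrictModes rejects such files).
keys_usable() {
    [ -f "$1" ] && [ "$(count_keys "$1")" -ge 1 ] &&
        [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Constructed sample input (the key is a placeholder, not a real key).
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
    'passwordauthentication yes' > "$demo/sshd_config"
printf '%s\n' '# admin laptop' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA admin@example' \
    > "$demo/authorized_keys"
chmod 600 "$demo/authorized_keys"

echo "PasswordAuthentication effective value: $(password_auth "$demo/sshd_config")"
if keys_usable "$demo/authorized_keys"; then
    echo "authorized_keys: $(count_keys "$demo/authorized_keys") key(s), permissions OK"
else
    echo "authorized_keys missing, empty or writable by others: keep passwords on"
fi
```

On a real server, point the functions at /etc/ssh/sshd_config and /root/.ssh/authorized_keys, and keep your current SSH session open until a second key-based login has succeeded.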

II. Protecting from XFileSharingPro site hacking

1. Make sure that you're using at least version 2.5, which has bullet-proof Anti-CSRF, Anti-XSS and Anti-SQL injection techniques out of the box.
2. If you're using the Security mod, consider enabling "Perform session IP check"
3. Use the following recommended settings to protect end-user accounts from brute-forcers:

Show captcha after XX failed logins/h -> 1
Ban after XX failed logins/h -> 5
Ban after XX ip changes/h -> 10

III. Preventing data losses in the case of unauthorized access to end-user accounts

As a last line of defense, we suggest setting up a timeout that controls how soon files requested for deletion are actually deleted (admin_settings -> Keep files in trash for XX hours).