20 Mar

Important: Password Security Policies

The password is the single most common security measure for digital systems, both online and offline. The problem is that passwords are becoming less and less secure as hackers gain more and more powerful tools to crack them. A great deal of attention has gone towards the creation of secure passwords, what constitutes them, and whether or not it is feasible to keep a bunch of random alphanumeric strings in your head all the time.

How are passwords cracked?

Most compromised passwords are not cracked by another human being directly. Instead, a computer is tasked with guessing your password, so your planning should go into understanding and then deterring a computer from cracking it. A hacker has a variety of malicious tactics available when trying to crack your password. These are the two most common attacks you see on the Internet today:

  • Brute Force Attack: The attacker runs a script that tries again and again to randomly crack your password by sheer brute force. A long password with multiple character sets is the best protection. The higher your password entropy the less likely your password will be compromised by a brute force attack.
  • Dictionary Attack: The attacker uses dictionaries of known words or passwords and a script that tries them in thousands of combinations until one matches the correct password. Don’t use common words, or keystrokes such as anyone’s name or phone number. Use a combination of multiple character sets to reduce the likelihood that a dictionary entry matches your password.
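The two attacks above can be told apart with a small check. This is an added example, not cPanel's strength meter: the function names, the character pool sizes (printable ASCII) and the mini wordlist are all constructed for illustration. The entropy figure is an upper bound that only holds for randomly chosen passwords, which is why the dictionary check runs first.

```shell
#!/bin/sh
# Added example (not cPanel's strength meter): why length and character sets
# matter against brute force, and why a dictionary word is weak regardless.

# Constructed mini wordlist standing in for an attacker's dictionary.
WORDLIST="password qwerty letmein 123456 admin"

# Upper-bound entropy in bits: length * log2(size of the character pool).
# Pool sizes assume printable ASCII (26 lower, 26 upper, 10 digits, 32 symbols).
entropy_bits() {
    PW="$1" LC_ALL=C awk 'BEGIN {
        pw = ENVIRON["PW"]; pool = 0
        if (pw ~ /[a-z]/) pool += 26          # lowercase letters
        if (pw ~ /[A-Z]/) pool += 26          # uppercase letters
        if (pw ~ /[0-9]/) pool += 10          # digits
        if (pw ~ /[^a-zA-Z0-9]/) pool += 32   # signs/symbols
        if (pool == 0) { print "0.0"; exit }
        printf "%.1f\n", length(pw) * log(pool) / log(2)
    }'
}

# Prints "dictionary" when the password (case-folded) is a listed word,
# otherwise prints the brute-force entropy estimate in bits.
assess_password() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for w in $WORDLIST; do
        [ "$lower" = "$w" ] && { echo "dictionary"; return 0; }
    done
    entropy_bits "$1"
}
```

An eight-letter lowercase word scores about 37.6 bits by the formula alone, yet a dictionary attack finds it immediately; the formula is only meaningful for passwords that are not on anyone's list.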

Recently, we have been working on improving security on our cPanel servers and have applied a few new security policies.

Password Strength – A password of any kind must be rated at least 80% strong. The system will not accept your password until it meets the security policy. To set up a strong password, you can use lowercase and uppercase letters, signs/symbols and numbers.

Password Age – Passwords must be changed every 90 days. Our system will automatically ask users to change their password every 90 days.

These two measures should allow you to secure your cPanel and related services. In the meantime, if you have any questions about account security, please contact us at TetraHost Support.

08 Jul

Compose an HTML Message in Web Based Mail

cPanel Webmail provides instant access to your email without the use of a local email client. You will need to log in to cPanel and use the tool “Email Accounts” to view the username for your specific email account. The password needed to log in should already be noted. If not, the password will need to be reset.

Visit the following URLs to access cPanel Webmail directly:

http://www.domain.com/webmail
http://www.domain.com:2095
http://webmail.domain.com

We provide three different web based mail clients which you can use to access your mail. The three mail clients are:

Squirrelmail
Horde
Roundcube

The mail client will allow you to use typical word processor functionality such as bold, italic, bullet points, images, font color, etc. By default the HTML compose option isn’t enabled. To enable it, follow the steps below for your preferred web based mail client:

Inside Roundcube:
1) Click the plus icon to create a new message
2) Select HTML from the “Editor Type” dropdown (available below the Subject line)

Inside Horde:
1) Click “New Message”
2) Enable “HTML composition” by ticking the option on the right side.

Unfortunately, cPanel does not have HTML composing enabled for Squirrelmail, so it is not available there. We ask our clients to use Roundcube or Horde if they need HTML compose.

21 Jul

Using a Custom PHP.ini File and Make PHP Changes

The php.ini file is the default configuration file for running applications that require PHP. It is used to control variables such as upload file sizes, timeouts, and resource limits. We use the suPHP (pronounced sue-p-h-p) environment on all our servers, which allows our users to have their own custom php.ini file and change certain PHP settings as their CMS requires.

Below are some of the most common lines that are altered when making custom PHP changes:

  • memory_limit
  • upload_max_filesize
  • post_max_size
  • max_execution_time
  • max_input_time
  • register_globals
  • magic_quotes_gpc
  • date.timezone

To begin creating your very own custom php.ini file:

php.ini Setup Process:
1. Create a file called php.ini from your local machine with the PHP values you want to modify.
2. Upload the newly created php.ini file to your cPanel account under the public_html folder.

Note: Make sure the file is named exactly php.ini

suPHP Path Setup Using .htaccess:
Create a .htaccess file containing the following line and upload the file to your cPanel account under the public_html folder:

suPHP_ConfigPath /home/username/public_html

Note 1: Make sure to replace username in the path with the actual cPanel account username.

Note 2: If you already have a .htaccess file, you can simply edit it in File Manager and add the path. Note that .htaccess is a hidden file, so please make sure you have enabled the option “Show Hidden Files (dotfiles)” when opening File Manager.

Once you have completed the above steps your php.ini file will be active. Any entries you placed in the file will be used in place of the entries from the server’s main php.ini file.

Some examples of what may be changed by using a custom php.ini file are:

upload_max_filesize = 10M
post_max_size = 10M
max_execution_time = 30

Should you require any further assistance with creating a custom php.ini file then check in with one of our fantastic support people at http://tetrahostbd.com/contact.

18 Sep

Domain example.com has exceeded the max defers and failures per hour

In cPanel 11.32, a new feature was added to limit the ability of exploited or hacked sites to send out spam emails.

If you are receiving an error similar to “Domain example.com has exceeded the max defers and failures per hour (5/5 (100%)) allowed” in an email bounce back, it means that outgoing email from your domain has triggered a rule in the server that will stop any further email from going out of the server. This happens when a domain account sends out emails that either fail or get deferred. cPanel will regularly monitor the emails sent through all email accounts on your domain, and if, over the past hour, more than 100% of the attempted deliveries have failed, outbound email will temporarily be limited.

Here is how cPanel describes this new feature:

The maximum percentage of a domain’s outgoing mail that can consist of failed or deferred messages. Once the domain exceeds this percentage, it is temporarily blocked from sending mail.

This error is derived from an hourly monitoring system from cPanel, where any blocked domains are allowed to send email again at the top of every hour. For example, if you received this error at 2:45pm, the block will release at 3:00pm and the domain will be able to send emails out once more.

To solve the issue immediately for a domain, we have to remove the following file:

/var/cpanel/email_send_limits/max_deferfail_exampledomain.com

and restart the exim service. Please note that this needs to be done by a system admin with root permission on the server.
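One way to script the removal step safely, as an added example that is not cPanel's own tooling: the names LIMIT_DIR, clear_send_limit and restart_exim are hypothetical, and the restart script path is an assumption to be replaced with whatever your server uses. The domain is validated before it is placed in a path, so the root-run script cannot be pointed at a file outside the limits directory.

```shell
#!/bin/sh
# Added example: lift the defer/fail block for one domain (run as root).
# LIMIT_DIR defaults to the directory named in the article.
LIMIT_DIR="${LIMIT_DIR:-/var/cpanel/email_send_limits}"

# Returns 0 when the limit file was removed, 1 when there was none,
# 2 when the argument is not a plausible domain name.
clear_send_limit() {
    domain="$1"
    case "$domain" in
        # empty, characters outside [A-Za-z0-9.-] (this rejects "/"),
        # leading dot or hyphen, or ".." anywhere
        ''|*[!A-Za-z0-9.-]*|.*|*..*|-*)
            echo "refusing invalid domain: $domain" >&2
            return 2 ;;
    esac
    f="$LIMIT_DIR/max_deferfail_$domain"
    # only remove a regular file, never follow a symlink
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "no limit file for $domain" >&2
        return 1
    fi
    rm -f -- "$f"
}

# Assumption: restart script path on a cPanel server; adjust if yours differs.
restart_exim() {
    /scripts/restartsrv_exim
}

# Typical use by a root admin:
#   clear_send_limit example.com && restart_exim
```

Since the limit exists to contain exploited sites, find out why the domain's deliveries are failing before lifting the block; otherwise a compromised script simply resumes sending.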

19 Nov

Manage Email Account

You can easily create e-mail accounts from your hosting account’s Control Panel (cPanel). Here is what you need to do:

  • Step 1: Log into your cPanel
  • Step 2: Once at the main page, click on the Email Accounts icon.

  • Step 3: In the fields provided, type the name of the account, the password and the disk space you would like to assign to the mailbox.

  • Step 4: Click on the Create Account button to create the mailbox.

You will be taken to a page which asks you for confirmation. Click on Yes to create the mailbox.

How to remove mail accounts

To delete a mail account, simply click on the Delete button next to it.

You will be taken to a page which asks you for confirmation. Click on Yes to delete the account. If you want to change the password or quota of a previously created account, use the Change Password and Change Quota options.

20 Sep

Learn: About Web Accessibility [VIDEO]

Web accessibility and web design go hand in hand. If you’re creating a website, it must be accessible to those with disabilities, as well as cross-browser compatible. Sure, this isn’t breaking news, but it’s still required learning for designers/developers of all stripes.

Here’s a free introductory tutorial on learning web accessibility from treehouse, an online school that teaches technology. They’ve got loads of (paid) courses that will get you up to speed on a wide variety of design and development topics, such as creating a web app, starting a business, or building a website.

Part 1 of 16 of their web accessibility tutorials series is below, and you can watch the rest of the videos in order right here.

02 Feb

Joomla! Protection

Joomla! is a great CMS that is used worldwide. Nowadays many users prefer to build their site with Joomla. It is simply designed but still has lots of features. Being one of the most popular CMSs can attract bad people to do bad things as well. The issue is usually not with the Joomla script itself but with the extra modules/plugins that are available on the market for Joomla. In the end it is the site owner’s responsibility to protect his/her site by hardening its security. I will try to give some security tips in this article; by following these steps you will be able to enhance the security of your Joomla site significantly.

Don’t Forget to Update: Never forget to update your Joomla to the latest version. Older versions are more vulnerable than newer versions.

Rename the default htaccess.txt file: Joomla comes with a default htaccess.txt which has some rules in it. These rules will block the majority of well-known attacks against your website. To rename the file, log in to your cPanel >> go to File Manager >> find the htaccess.txt file in your home directory and rename it to .htaccess

File Permission of Configuration File: Make sure your configuration.php file has 600 permissions, which means read and write permission for the user only. You should be able to change the permission from cPanel File Manager.

Install Security Plugins: On the following two links you will find some extensions which will help you secure your Joomla site in many ways. Please try them.

http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection
http://extensions.joomla.org/extensions/access-a-security/site-security/login-protection

Change Default Database Table Prefix:

Most SQL injections that are written to hack a Joomla! website try to retrieve data from the jos_users table. This way, they can retrieve the username and password of the super administrator of the website. Changing the default prefix into something random will prevent (most / all) of these SQL injections. If you are without phpMyAdmin, you can use the EasySQL component for Joomla to do this. Download the component to your PC and install it from your Admin panel. Now follow the steps below:

i. Go to Components >> Easy SQL
ii. Now, pull down the Command Menu and select REPLACE PREFIX.
iii. Here you will see something like the following: REPLACE PREFIX `jos_` TO `newprefix_`
iv. Now remove the word “newprefix” and replace it with a prefix of your choice.
v. Once you set the new prefix, click on EXEC SQL and you are done!

Please make sure you are following the steps properly.

Change Admin Username: By default your administrative username is admin. The majority of the attackers would expect the username to be admin. Changing it will protect you against many attacks. Here is how you can change the username:

i. Login to your Joomla Admin Panel
ii. Go to User Manager from the Home Page
iii. Now, select the Admin User and Click on EDIT
iv. Here you should see the Username field and it will show you the current username, change it to something else and Click on SAVE

From now on, you will have to use the new Admin Username to log in.

Password Protect Administrator Directory: You can protect your Joomla Administrator folder with the Directory Protection feature of cPanel, which adds an extra layer of security. You can enable the protection by going to cPanel >> Password Protect Directories.

Limit Admin Access: As the Joomla administrator folder is one of the most important folders, we suggest limiting admin access by IP. Only the allowed IPs will be able to access the admin folder. Here is how to do this:

i. Create a .htaccess file under the Joomla administrator folder
ii. Put the following code in it

order deny,allow
allow from 0.0.0.0
deny from all

Please replace 0.0.0.0 in the allow line with your own IP. You can find your IP by accessing the following site: http://www.whatismyip.com
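The file-level steps above (renaming htaccess.txt, mode 600 on configuration.php, and the IP allow-list in the administrator folder) can be verified from a shell. This is an added example, not part of Joomla or cPanel; the function name audit_joomla and the FINDING output format are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Joomla document root against the steps above.
# Prints one "FINDING: ..." line per problem; returns 0 only when clean.
audit_joomla() {
    root="$1"; findings=0
    report() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # configuration.php must be read/write for the owner only (mode 600)
    perms=$(ls -ld "$root/configuration.php" 2>/dev/null | cut -c1-10)
    [ "$perms" = "-rw-------" ] ||
        report "configuration.php is not mode 600 (${perms:-missing})"

    # the shipped rules only take effect once htaccess.txt is renamed
    [ -f "$root/.htaccess" ] ||
        report "no .htaccess in site root (htaccess.txt not renamed?)"

    # administrator/ must carry the IP allow-list from the article
    adm="$root/administrator/.htaccess"
    if [ ! -f "$adm" ]; then
        report "administrator/.htaccess is missing"
    else
        grep -qi '^[[:space:]]*deny from all' "$adm" ||
            report "administrator/.htaccess lacks 'deny from all'"
        # the 0.0.0.0 placeholder must have been replaced with a real IP
        if grep -qi '^[[:space:]]*allow from 0\.0\.0\.0' "$adm"; then
            report "administrator/.htaccess still has the 0.0.0.0 placeholder"
        fi
    fi
    [ "$findings" -eq 0 ]
}
```

The check looks for the order/allow/deny directives exactly as written in the article. On Apache 2.4 without mod_access_compat the equivalent restriction is written with `Require ip`, which this check does not look for.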

Backup Regularly: TetraHost takes a weekly backup of your content, but it is always better to take regular backups of your working database and Joomla content yourself. If your site does get hacked, you can easily restore it from the latest backup you have.

Uninstall Unused Extensions: It is recommended that you uninstall any unused extensions completely from the account. It will reduce the chance of getting attacked.

That’s it! You are protected now. If anyone has any more tips, please share them with us by commenting on this article.