We strive to implement the best security practices we can at VPS.NET, to protect your Cloud Servers and Cloud Hosting accounts. It makes our job much simpler. Unfortunately there's one thing we can't control; your computer and your passwords. It's startling the amount of hack jobs we see that aren't caused by anything other than someone installing a trojan on your PC, thereby obtaining your password, or by a simple brute force script aimed at cracking your password. A lot of times what we then see happen, is the hacker will login to your FTP account, upload a mailing script, and send out thousands of spam emails. It makes your site look bad, it gets our IPs black listed, and none of it is any fun at all. So, lets go over a few basic security principles (and these apply to those of us who are on Macs too!).
As much as it pains me, ILoveTerry is not a good password. A basic brute force script would be able to crack it in less than 5 minutes. Even I<3Terry is on the weaker side. A strong password is something with combination of uppercase and lower case letters, numbers, symbols and is at least 8 characters long. It also should not contain any personal information, whether it be your name, street address, birthday or even your social security number. If anyone were to every try to gain access to your site, that's where they would start. Your passwords should be random and unique to each site. As easy as it is, don't use passwords over again on multiple sites, otherwise once one is leaked, you've opened yourself up everywhere. If you're still uncertain, here's a post of 500 passwords that you SHOULD NOT use.
Routine Password Changes
Before we even get into changing your password routinely, there's something I have stress - I'd yell it from the mountain tops if Cleveland had any. Change your default password! When we create your account, you're assigned a default password. It's randomly generated and still unique to you, but it needs to be changed. Next up - change your password at least every 90 days. You never know when your password is going to be leaked. By changing your password every 90 days, if your password ever gets out, you're making it likely that they're going to get an old password.
Anti Virus Software
Everyone should be running some sort of anti-virus software. There's no excuse. I know Norton and McAfee love to take over your computer, but there are several others that are entirely non-obtrusive, and do their jobs great. It's not only important to have the software installed, but also to keep your virus definitions up to date. New viruses come out every day, and viruses are modified every day, so you may find yourself unprotected at some point in time and that has rendered the software useless.
Some anti-virus software has anti-spyware built right in. That's great. If yours does not, you need an anti-spyware software installed on your PC. Again, no excuse. While most spyware just likes to annoy you, and pop up random ads, there are pieces of spyware that are much more malicious, and like to steal your passwords, and credit card information.
I expect that soon we'll see a rise in wireless internet becoming the next tool for hackers to steal your information. It's an absolute must that you secure your network. If you're running strictly a wired network, your much safer than someone running a wireless network, but you're not completely in the clear. A firewall is still necessary; even if it's something as basic as Linksys' SPI firewall. If you are running a wireless network, you've got quite a job ahead of you.
First, change the routers default password. Everyone knows the default username and password on almost all brands of routers are admin/admin.
Second, change the SSID. This is the broadcast ID that your wireless router broadcasts under. Don't make it anything that is recognizable to you! I prefer SkyNet - it's humorous to us nerds, yet no one knows it's mine. If you're okay manually setting up the network, you can even disable the SSID broadcast ID and then no one will see the router unless they manually configure their system to connect to it.
Next implement some sort of encryption policy. WEP is easily broken anymore, as the key is exchanged with each communication. If a hacker were to monitor enough packets being transferred back and forth between your PC and the router, they'll eventually come up with your WEP key. WPA is a much better idea.
Finally, enable MAC address protection. This means that only the devices you have allowed on your network can connect to the network. Unfortunately, this is not an end-all solution, as MAC Addresses can be duplicated. This does however make connecting to your network much more difficult.
Hopefully these tips prevent some of the easy hack jobs that we've been seeing. However as we all know, our security is only as strong as the weakest link so it's important that all of us continually monitor the security of our Cloud VPS, and our home computer network. If any of them are lagging behind, it's bringing down the security of the entire system.