enhance general password security

Driesp (Verified User, joined Mar 12, 2007, 188 messages, location: Belgium)
Hello all

I notice from time to time that passwords are leaking and accounts are getting hacked.
Sometimes it is because the password in use is too easy, but also because a client got phished.
This is not a new problem, and it seems to be happening more and more.
We should try to find a solution to secure our servers and make sure DirectAdmin does not receive a bad reputation because of this.

There is 2FA for the DirectAdmin login page, which is great.
However, I am still looking to improve the security of other services, for example: e-mail (SMTP, IMAP and POP3), FTP, SSH, ...

I already requested a DirectAdmin feature that prevents users from setting their own password for e-mail accounts, FTP accounts, ...
But that feature has not been implemented yet and it has not been given any priority by DirectAdmin.
And it still does not help in case of a successful phishing attack.

Big competitors have implemented 2FA for all services, and they provide the possibility to use prefix whitelists (or country whitelists).

I am thinking about implementing prefix lists in our firewalls that are only allowed to connect towards specific ports (for example: 21, 465, 993 and 995).
I should also write an application where clients can whitelist IP addresses via the DirectAdmin interface when they are on a trip. (Of course this should be communicated.)

I am wondering how others improve the security of their servers / network regarding these issues.

Kind regards
Dries
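The firewall idea in the post above (per-client prefix lists that alone may reach ports 21, 465, 993 and 995), worked out as an added example. This is not DirectAdmin's or CSF's own code: it validates the prefixes with the standard library, collapses overlapping entries, and returns the ipset/iptables commands as text for review rather than executing them. The client names and prefixes are constructed sample data.

```python
"""Emit ipset/iptables rules that let only per-client prefix lists reach the
client-facing ports (21, 465, 993, 995) named above. Added example, not
DirectAdmin's or CSF's own code; commands are returned as text for review
rather than executed, and the prefixes below are constructed sample data."""
import ipaddress

RESTRICTED_PORTS = (21, 465, 993, 995)   # FTP control, SMTPS, IMAPS, POP3S

# Constructed sample: client -> prefixes allowed to reach those ports.
SAMPLE_PREFIXES = {
    "client-a": ["203.0.113.0/24", "198.51.100.7"],  # a bare host becomes /32
    "client-b": ["2001:db8:1::/48"],
}


def normalise_prefixes(prefixes):
    """Parse every entry into a network object, rejecting anything that is not
    an address or CIDR (ValueError) before it can reach the firewall."""
    return {ipaddress.ip_network(p, strict=False) for p in prefixes}


def trusted_networks(prefixes_by_client):
    """Union of all clients' prefixes, split by address family and collapsed
    so overlapping entries do not produce redundant set members."""
    v4, v6 = [], []
    for prefixes in prefixes_by_client.values():
        for net in normalise_prefixes(prefixes):
            (v4 if net.version == 4 else v6).append(net)
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def is_allowed(ip, prefixes_by_client):
    """What the rule set decides for a source address on a restricted port."""
    addr = ipaddress.ip_address(ip)
    v4, v6 = trusted_networks(prefixes_by_client)
    return any(addr in net for net in (v4 if addr.version == 4 else v6))


def build_rules(prefixes_by_client, ports=RESTRICTED_PORTS):
    """Return the command lines for a default-deny policy on `ports` with an
    ipset exception per address family. Intended to sit after the usual
    ESTABLISHED/RELATED accept rule so existing sessions are not cut."""
    port_list = ",".join(str(p) for p in ports)
    v4, v6 = trusted_networks(prefixes_by_client)
    lines = []
    for family, nets, ipt in (("inet", v4, "iptables"), ("inet6", v6, "ip6tables")):
        setname = f"svc_allow_{family}"
        lines.append(f"ipset create {setname} hash:net family {family} -exist")
        lines.extend(f"ipset add {setname} {net} -exist" for net in nets)
        match = f"{ipt} -A INPUT -p tcp -m multiport --dports {port_list}"
        lines.append(f"{match} -m set --match-set {setname} src -j ACCEPT")
        lines.append(f"{match} -j DROP")
    return lines


if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE_PREFIXES)))
```

The ACCEPT for the set is emitted before the DROP for the same ports, so order matters if the lines are pasted into an existing rule set; SSH is deliberately not in the port list, matching the post, and would need its own policy.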
 
Hello Dries,

Big competitors have implemented 2FA for all services

One should differentiate real security vs. personal identification. 2FA is rather about the second. They use 2FA just to make sure you are you and nobody else, just in case they would need to sue you.

And whenever 2FA is used, social engineering comes into place.

Yes, for sure 2FA can help in certain cases. But you should remember a SIM card can be cloned, an SMS can be intercepted, WiFi can be faked, etc.

If you want to secure passwords you might consider blocking CloudFlare in a server's firewall in order not to let your users use it. All passwords submitted over HTTPS and proxied by CloudFlare should be considered as compromised.

Then you might quit using virtual servers and cloud servers and stick to bare metal servers only. Unencrypted snapshots of virtual servers might be accessed by unauthorised staff of the DC.

Never enter a password in a Virtual console for a VM.

Stop using 3rd-party SMTP services for mailing.

You cannot be too paranoid when it comes to security. When trying to protect your server from the outside world, you should review your habits and make your users do the same.

The list can never end)))

As a minimum one should consider:

1. disabling cleartext logins over unencrypted connections to FTP, POP, IMAP, SMTP.
2. disabling password authentication for SSH

for example: e-mail (SMTP, IMAP and POP3) FTP, SSH
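The two minimal items in the post above are settings in the respective daemons' configuration files. The following is an added example, not DirectAdmin's or the poster's own tooling: it parses the flat `key value` / `key = value` format those files use and reports whether sshd still accepts passwords and whether Dovecot, Postfix and Pure-FTPd still accept logins before TLS. The WEAK and HARDENED configs are constructed samples; directive names and their defaults are the daemons' real ones, but Match blocks and per-protocol sections are not modelled.

```python
"""Checks for the two minimal items in the post above (no cleartext logins to
FTP/POP/IMAP/SMTP, no password auth for SSH) against the daemons' config text.
Added example, not DirectAdmin's own tooling; sample configs are constructed."""


def parse_directives(text, first_wins=False):
    """Parse 'Key value' (sshd, pure-ftpd) or 'key = value' (dovecot, postfix)
    lines into a lowercase-keyed dict. Comments and blanks are ignored; sshd
    keeps the first value it sees, the others keep the last. Match/protocol
    blocks are not modelled (assumption: a flat main config)."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition("=") if "=" in line else line.partition(" ")
        key = key.strip().lower()
        if first_wins and key in out:
            continue
        out[key] = val.strip()
    return out


def audit_sshd(text):
    d = parse_directives(text, first_wins=True)
    findings = []
    if d.get("passwordauthentication", "yes") != "no":            # default: yes
        findings.append("sshd: PasswordAuthentication is not 'no'")
    # Keyboard-interactive (PAM) auth can still prompt for a password; the
    # directive was renamed in OpenSSH 8.7, so accept either spelling.
    kbd = d.get("kbdinteractiveauthentication",
                d.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("sshd: keyboard-interactive authentication is not 'no'")
    return findings


def audit_dovecot(text):
    d = parse_directives(text)
    findings = []
    if d.get("disable_plaintext_auth", "yes") != "yes":           # default: yes
        findings.append("dovecot: disable_plaintext_auth is not 'yes'")
    if d.get("ssl", "yes") != "required":     # 'yes' offers TLS, does not enforce it
        findings.append("dovecot: ssl is not 'required'")
    return findings


def audit_postfix(text):
    d = parse_directives(text)
    if d.get("smtpd_tls_auth_only", "no") != "yes":               # default: no
        return ["postfix: smtpd_tls_auth_only is not 'yes' (AUTH offered before STARTTLS)"]
    return []


def audit_pureftpd(text):
    d = parse_directives(text)
    # TLS 0 = off, 1 = optional, 2 = required for login, 3 = also data channel
    if d.get("tls", "0") not in ("2", "3"):
        return ["pure-ftpd: TLS is not 2 or 3 (cleartext logins accepted)"]
    return []


AUDITS = {"sshd": audit_sshd, "dovecot": audit_dovecot,
          "postfix": audit_postfix, "pure-ftpd": audit_pureftpd}

# Constructed sample configs: a typical as-installed state and the hardened one.
WEAK = {
    "sshd": "PasswordAuthentication yes\nChallengeResponseAuthentication yes\n",
    "dovecot": "disable_plaintext_auth = no\nssl = yes\n",
    "postfix": "smtpd_tls_security_level = may\n",
    "pure-ftpd": "# TLS 1\n",
}
HARDENED = {
    "sshd": "PasswordAuthentication no\nKbdInteractiveAuthentication no\n",
    "dovecot": "disable_plaintext_auth = yes\nssl = required\n",
    "postfix": "smtpd_tls_security_level = may\nsmtpd_tls_auth_only = yes\n",
    "pure-ftpd": "TLS 2\n",
}


def audit_all(configs):
    """Map each daemon name to its findings; empty lists mean the item passed."""
    return {name: AUDITS[name](text) for name, text in configs.items()}


if __name__ == "__main__":
    for name, findings in audit_all(WEAK).items():
        print(name, findings or "ok")
```

Two caveats the checks encode: in sshd the first occurrence of a directive wins, so a later `PasswordAuthentication no` does not override an earlier `yes`; and in Dovecot `ssl = yes` merely offers TLS, so `disable_plaintext_auth = yes` is what actually refuses a password sent in the clear.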
 
Hi Alex

I think, but I am unsure, that our clients are getting phished from time to time.
I am working hard to prevent phishing e-mails from coming into our servers, but it is hard to combat. Some are still getting in.

I honestly don't think our clients will get hacked via SIM swapping, social engineering to get the 2FA codes, or via password sniffing on a fake WiFi network, because they aren't that high profile.

Our clients get hacked via a simple phishing mail, and their e-mail accounts are being used to send out spam.
I have implemented low e-mail limits and I change the password when a spam run has taken place.
But I would like to prevent our network from sending out spam at all; I want to prevent even 1 spam message from leaking out.

If (one of) our clients were this high profile, we would be using whitelists and allow only connections from certain ASNs.

Kind regards
Dries
 
via password sniffing on a fake WIFI network, because they aren't that high profile.

Nevertheless, according to my practice, a case with compromised email passwords is at the top of cases. And it is not a rare thing to connect to a fake WiFi in a café and/or another public place like an airport or railway station.

And if you are dealing with too many phishing mails, then 2FA can hardly help you with protecting SMTP, POP, IMAP, FTP without much customisation. I could offer the following scenario for this case:

1. users and/or admin list trusted IPs for connecting to SMTP, POP, IMAP, FTP - connections from such IPs are not filtered
2. when a user needs to connect from a new IP (too paranoid probably) or geolocation (country, city), then the connection gets blocked, and the user is asked to enter a one-time or permanent security key on a special page. A link can be emailed after each, or after a number of, such connection attempts.
3. when a new IP or geolocation (country, city) is unblocked - all connections go fine

Probably not the best thing, as users will definitely complain about being blocked. But there is no other way to provide 2FA for SMTP, POP, IMAP, FTP. Or am I missing anything?
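The three-step scenario above, modelled as an added example rather than anything DirectAdmin ships: trusted addresses pass, an unknown address is blocked and gets a one-time key (the thing the emailed link would carry), and a consumed key unlocks that address permanently or for a limited time. Geolocation by country or city is not modelled, only addresses and prefixes; the key lifetime, the default unlock duration and the addresses used are assumptions, and the clock is injectable so expiry can be exercised.

```python
"""Model of the scenario above: a user's trusted IPs pass, a new IP is blocked
and a one-time key is issued that, once entered, unlocks that IP permanently or
for a limited time. Added example, not DirectAdmin code; geolocation (country,
city) is not modelled, only addresses and prefixes. The clock is injectable so
expiry can be tested; all addresses used below are constructed."""
import hashlib
import ipaddress
import secrets
import time


def _fingerprint(key):
    # Only a hash of the key is kept server-side, so a leaked table cannot be
    # replayed; the key itself has 192 bits of entropy so guessing is hopeless.
    return hashlib.sha256(key.encode()).hexdigest()


class AccessGate:
    KEY_TTL = 15 * 60          # unlock keys expire after 15 minutes (assumption)

    def __init__(self, clock=time.time):
        self.clock = clock
        self.trusted = {}      # user -> {network: expiry timestamp or None}
        self.pending = {}      # user -> {fingerprint: (ip, issued_at)}

    def add_trusted(self, user, prefix, ttl=None):
        """Trust an address or prefix for `user`, permanently or for `ttl` seconds."""
        net = ipaddress.ip_network(prefix, strict=False)
        self.trusted.setdefault(user, {})[net] = None if ttl is None else self.clock() + ttl

    def is_trusted(self, user, ip):
        addr = ipaddress.ip_address(ip)
        now = self.clock()
        nets = self.trusted.get(user, {})
        for net, expiry in list(nets.items()):
            if expiry is not None and expiry < now:
                del nets[net]                      # temporary unlock has lapsed
            elif addr.version == net.version and addr in net:
                return True
        return False

    def check(self, user, ip):
        """Decide a connection: ('allow', None) or ('block', key). The key is
        what the unlock link would carry; None means a fresh key for this IP is
        already outstanding, so no further mail is sent (keeps an attacker from
        flooding the user's inbox through repeated login attempts)."""
        if self.is_trusted(user, ip):
            return "allow", None
        now = self.clock()
        pend = self.pending.setdefault(user, {})
        for fp, (p_ip, issued) in list(pend.items()):
            if now - issued > self.KEY_TTL:
                del pend[fp]                       # stale key, forget it
            elif p_ip == ip:
                return "block", None
        key = secrets.token_urlsafe(24)
        pend[_fingerprint(key)] = (ip, now)
        return "block", key

    def unlock(self, user, key, permanent=False, ttl=24 * 3600):
        """Consume a one-time key. On success the IP it was issued for becomes
        trusted, permanently or for `ttl` seconds (default one day, assumption)."""
        entry = self.pending.get(user, {}).pop(_fingerprint(key), None)
        if entry is None:
            return False
        ip, issued = entry
        if self.clock() - issued > self.KEY_TTL:
            return False                           # link was too old
        self.add_trusted(user, ip, None if permanent else ttl)
        return True


if __name__ == "__main__":
    gate = AccessGate()
    gate.add_trusted("alice", "203.0.113.0/24")        # office prefix, constructed
    print(gate.check("alice", "203.0.113.9"))          # allowed
    status, key = gate.check("alice", "198.51.100.7")  # new IP: blocked, key issued
    print(status, gate.unlock("alice", key, ttl=3600))
    print(gate.check("alice", "198.51.100.7"))         # allowed for an hour
```

The unlock key is bound to the address the blocked attempt came from, so a key sent for one location cannot be used to open another, and it is single-use: the first `unlock` pops it. Whether the unlock page itself sits behind the DirectAdmin 2FA login is the remaining design choice the post leaves open.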
 