Hostragon Security Overview
As a web hosting company, Hostragon's primary task is not only to provide our customers with highly optimized web space to host their data and web applications, but also to do this securely.
Security is a core functional requirement that protects mission-critical information from accidental or deliberate theft, leakage, integrity compromise, and deletion.
We utilize several methods to keep your account safe in all our data centers by following security best practices designed to protect your data and assets in the web hosting cloud.
However, while we provide you, our customer, with a wide range of security services you can use to secure your assets, we also expect you to be responsible for protecting and meeting specific business or web application requirements for information protection, under what we call a "shared responsibility model".
The items below are by no means exhaustive, as most of what we do in the area of security lies beneath the surface, but these are the ones that could affect the way you interact with our systems.
1. Two-Factor Authentication
Frankly, it is easier than you could possibly imagine for someone to steal your password, because passwords are increasingly easy to compromise.
Any of these common actions could put you at risk of having your password stolen:
- using the same password on more than one site
- criminals infecting your computer with keystroke loggers
- data harvesting via phishing websites
- sharing or reusing passwords with other people
- social engineering and attacks over your phone
- downloading an app or software to your local system or mobile device
- clicking on links in email messages from friends, family or people you don't know.
Two-factor authentication adds an additional layer of security by introducing a second step to your login.
It takes something you know (i.e. your password) and adds a second factor, typically something you physically have (such as your phone).
Since both are required to log in, in the event an attacker obtains your password, two-factor authentication would stop them from accessing your account.
Whenever you sign in to your billing portal, cPanel server or Plesk server, you'll enter your password as usual.
Then we will ask for something else to make sure that you are who you say you are, at least within reasonable bounds.
But this can only happen if you have set up 2-Step Verification using the methods described in the post-sign-up emails that we sent you.
We highly recommend that you enable and configure two-factor authentication for your servers and your client area.
If you ever lose access to your device or are unable to authenticate, just let our security team know and we will disable it after verifying your identity.
2. Password Aging
Password aging is another technique we use to defend against bad or compromised passwords.
Password aging means that after a specified period you are prompted to create a new password.
The theory behind this is that if a user is forced to change his or her password periodically, a cracked password is only useful to an intruder for a limited amount of time.
The downside to password aging, however, is that users are more likely to write their passwords down.
In fact, we know that asking our users to change passwords frequently may actually encourage simple, weak passwords.
But please, we beg you in the name of all that is holy, not to do that.
There are tons of great password managers that you can use to securely manage your passwords even if you have a million of them; they often come as stand-alone applications, web browser extensions, or a manager built into your operating system.
Most password managers can automatically create strong passwords using a cryptographically secure random password generator, and can calculate the entropy of the generated password.
A good password manager will provide resistance against attacks such as key logging, clipboard logging and various other memory spying techniques.
Please see below for some good password generators you can use.
It is important to understand that while this is part of our overall security strategy, it is actually an outdated security model: it assumed that if a password had been compromised, requiring it to be changed regularly would limit the attacker's window of access.
In today's digital environment, "average" or "bad" passwords can be cracked in the cloud in mere seconds.
If your password is compromised it will almost certainly be in seconds, not months.
Moreover, a compromised password is likely to be used immediately by an attacker to install a back door on your local system, often via privilege escalation, and once this is accomplished, password changes won't prevent future attacker access.
And when the bad guy gets your password, they are not going to wait the required "90 days", they are going to leverage it right away.
And that's why it is essential to consider and implement the other options we have listed on this page.
In all, you are only as secure as your overall security.
3. Password Strength
The internet was never designed to be used by those outside a circle of trust.
That it took the world by storm and changed it also means that adequate security measures weren't put in place to accommodate its explosive growth.
Password authentication, a relic of the era that tried to overcome these shortcomings, is still very pervasive even though new technologies are cropping up to replace it.
But until such time, it remains the primary authenticating mechanism for most online systems.
We enforce minimum password strength for your cPanel, Webmail, Plesk, Billing system and other portals that customers have access to.
With password strength enforcement, our system measures the effectiveness of your password against guessing or brute-force attacks.
In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly.
When you add a password, the strength is indicated by a password strength meter.
The strength of a password is a function of length, complexity, and unpredictability.
But please do remember that this measure is not a reliable guide to how likely it is that your password will be cracked; it is designed to nudge you in the direction of creating better, stronger passwords in general.
We should repeat this: using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need for other effective security controls.
If you want to take your password outside our system, you can use:
To generate a good password, you must:
- use a minimum password length of 12 to 14 characters.
- avoid using the same password twice (e.g., across multiple user accounts and/or software systems).
- avoid character repetition, keyboard patterns, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past) and biographical information (e.g., ID numbers, ancestors' names or dates).
- avoid using information that is or might become publicly associated with the user or the account.
- avoid using information that the user's colleagues and/or acquaintances might know to be associated with the user.
- not use passwords which consist wholly of any simple combination of the aforementioned weak components.
Here are good password generators you can use:
And even when you use these tools to check your password strength or create a new password, do add extra symbols or letters to the password you just checked before using it online, just to be on the safe side.
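The strength meter described in section 3 (trials needed to guess, as a function of length, complexity and unpredictability) and the rule list above can both be expressed as code. The following is an added example, not Hostragon's meter: it estimates brute-force entropy from length and character pool, then applies the page's rules (minimum 12 characters, repetition, keyboard patterns, sequences, dictionary words, usernames and personal information). The word list, keyboard rows, thresholds and the problem labels are constructed for the example. Note, as the page warns, that the entropy figure alone is not a reliable guide: "password123" scores a respectable pool size but is still rejected by the dictionary rule.

```python
import math
import re

# Constructed, deliberately small word list standing in for a real dictionary.
COMMON_WORDS = {
    "password", "welcome", "letmein", "qwerty", "admin", "monkey",
    "dragon", "login", "secret", "iloveyou", "hostragon",
}
# Assumed keyboard rows used to detect patterns such as "qwer" or "asdf".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def entropy_bits(pw: str) -> float:
    """Brute-force estimate: length * log2(size of the character pool used).
    This is the kind of number a strength meter shows; it ignores dictionary words."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33  # printable ASCII punctuation
    return len(pw) * math.log2(pool) if pool else 0.0


def has_repetition(pw: str, run: int = 3) -> bool:
    """The same character `run` or more times in a row, e.g. 'aaa' or '111'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw: str, min_run: int = 4) -> bool:
    """Letter or digit runs like 'abcd' or '4321', in either direction."""
    length, direction = 1, 0
    for a, b in zip(pw, pw[1:]):
        d = ord(b) - ord(a)
        if a.isalnum() and b.isalnum() and d in (1, -1):
            length = length + 1 if d == direction else 2
            direction = d
            if length >= min_run:
                return True
        else:
            length, direction = 1, 0
    return False


def has_keyboard_pattern(pw: str, min_run: int = 4) -> bool:
    """Any `min_run` adjacent keys of a row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            if any(r[i:i + min_run] in low for i in range(len(r) - min_run + 1)):
                return True
    return False


def check_password(pw: str, username: str = "", personal=()) -> dict:
    """Apply the page's rules; return the problems found plus an entropy estimate."""
    low = pw.lower()
    problems = []
    if len(pw) < 12:
        problems.append("length")
    if has_repetition(pw):
        problems.append("repetition")
    if has_keyboard_pattern(pw):
        problems.append("keyboard_pattern")
    if has_sequence(pw):
        problems.append("sequence")
    if any(w in low for w in COMMON_WORDS):
        problems.append("dictionary_word")
    if username and len(username) >= 3 and username.lower() in low:
        problems.append("username")
    # `personal` is assumed to hold things like ID numbers, pet names or years.
    if any(len(p) >= 3 and p.lower() in low for p in personal):
        problems.append("personal_info")
    return {
        "entropy_bits": round(entropy_bits(pw), 1),
        "problems": problems,
        "verdict": "weak" if problems else "acceptable",
    }
```

A real deployment would swap the constructed word list for a proper dictionary and breached-password corpus; the rule structure stays the same.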
4. Intrusion Detection
Our systems try to detect unauthorized access or access attempts, malicious attacks and abnormal behavior, including distributed brute-force attacks against your server.
But like every piece of technology, it is not infallible.
When you or someone else violates security rules (e.g. entering a wrong password), our systems will automatically block access from your IP address.
Naturally you may want to try logging in again with the correct password if you are the rightful account owner.
When you do that, you will see a CAPTCHA.
After you enter the CAPTCHA and password correctly, our system will remove you from the blocked list, and if it notices that you consistently use this IP address, it will automatically whitelist it for you.
You can also ask us to whitelist the IP if you have a static IP address.
However, do note that in a case of repeated violation, where you fail password authentication multiple times, your IP address may be automatically and permanently banned from accessing our systems.
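The block/CAPTCHA/whitelist/ban sequence described above can be modelled as a small state machine per IP address. The block below is an added example, not Hostragon's detection system: the thresholds (five failures in ten minutes, a fifteen-minute block, ten successful logins before whitelisting, three blocks before a permanent ban), the log format and the sample log lines are all constructed for illustration. It replays a constructed log in which one customer mistypes their password, is blocked, and recovers by solving the CAPTCHA with the right password, while a second address keeps failing across three block periods and is banned.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds are assumed values for illustration, not Hostragon's actual settings.


@dataclass
class LoginGuard:
    max_failures: int = 5        # failed passwords inside `window` before a temporary block
    window: int = 600            # seconds over which failures are counted
    block_time: int = 900        # seconds a temporary block lasts
    whitelist_after: int = 10    # successful logins from one IP before it is whitelisted
    ban_after_blocks: int = 3    # temporary blocks before the IP is banned for good
    failures: dict = field(default_factory=lambda: defaultdict(list))
    blocked_until: dict = field(default_factory=dict)
    block_count: dict = field(default_factory=lambda: defaultdict(int))
    successes: dict = field(default_factory=lambda: defaultdict(int))
    whitelist: set = field(default_factory=set)
    banned: set = field(default_factory=set)

    def attempt(self, ip: str, password_ok: bool, captcha_ok: bool, now: int) -> str:
        """Decide one login attempt: 'allowed', 'denied', 'blocked' or 'banned'."""
        if ip in self.banned:
            return "banned"
        if ip in self.whitelist:
            return "allowed" if password_ok else "denied"
        if self.blocked_until.get(ip, 0) > now:
            # A blocked client must solve the CAPTCHA *and* supply the right
            # password to be taken off the block list.
            if not (password_ok and captcha_ok):
                return "blocked"
            del self.blocked_until[ip]
        elif not password_ok:
            recent = [t for t in self.failures[ip] if now - t < self.window] + [now]
            self.failures[ip] = recent
            if len(recent) < self.max_failures:
                return "denied"
            # Threshold reached: block, escalating to a permanent ban on repeat offences.
            self.failures[ip] = []
            self.successes[ip] = 0
            self.block_count[ip] += 1
            if self.block_count[ip] >= self.ban_after_blocks:
                self.banned.add(ip)
                return "banned"
            self.blocked_until[ip] = now + self.block_time
            return "blocked"
        # Correct password: count it towards "consistently uses this IP address".
        self.successes[ip] += 1
        if self.successes[ip] >= self.whitelist_after:
            self.whitelist.add(ip)
        return "allowed"


def parse_line(line: str):
    """Constructed log format: '<epoch> <ip> <password ok|bad> <captcha ok|none>'."""
    ts, ip, pw, captcha = line.split()
    return int(ts), ip, pw == "ok", captcha == "ok"


def replay(lines, guard: LoginGuard = None):
    """Run the guard over log lines, returning one (ip, decision) pair per line."""
    guard = guard or LoginGuard()
    return [
        (ip, guard.attempt(ip, pw_ok, cap_ok, ts))
        for ts, ip, pw_ok, cap_ok in (parse_line(ln) for ln in lines if ln.strip())
    ]


# Constructed sample log (documentation IP ranges): 203.0.113.7 mistypes five
# times, is blocked, then recovers; 198.51.100.9 fails five times in each of
# three separate periods and ends up permanently banned.
SAMPLE_LOG = """
1 203.0.113.7 bad none
2 203.0.113.7 bad none
3 203.0.113.7 bad none
4 203.0.113.7 bad none
5 203.0.113.7 bad none
6 203.0.113.7 ok none
7 203.0.113.7 ok ok
""" + "".join(
    f"{base + i} 198.51.100.9 bad none\n" for base in (10, 1000, 2000) for i in range(5)
) + "3000 198.51.100.9 ok ok\n"

if __name__ == "__main__":
    for ip, decision in replay(SAMPLE_LOG.splitlines()):
        print(ip, decision)
```

Clearing the failure list when a block is imposed matters: otherwise stale failures older than the block but younger than the window would re-block a customer on their first attempt after the block expires.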
What to do when you get banned or having issues accessing your account(s):
Hostragon takes your security, reliability of your web applications, and privacy very seriously.
But we know that sometimes machines may mistake your action as malicious and out of sheer over-zealousness, clamp down.
Having said that, please ensure that your contact information, including a reachable address you check regularly and a phone number, is on file so that we can reach you.