Security & Anti-Virus
- How do I remove the "Site Insecure" warning in some browsers?
- How can I deny someone from accessing my web site?
- How do I generate a new GnuPG Key?
- How do I password protect a directory?
- How do I scan my email and web site for viruses?
- Information About The Heart Bleed Vulnerability
1. How do I remove the "Site Insecure" warning in some browsers?
Chrome and Firefox have started showing insecure warnings on sites without SSL certificates. Therefore, it is very important to redirect your website traffic from HTTP to HTTPS.
To force your web traffic to use HTTPS, you need to edit the code in your .htaccess file. Before we move on to redirecting HTTP to HTTPS, here’s how you can edit a .htaccess file.
Editing a .htaccess File
The .htaccess file contains instructions (directives) that tell the server how to act in certain scenarios and directly affect how your website functions. Common directives in .htaccess file:
Ways to edit an .htaccess file:
- Edit the file on your computer and upload it to the server using FTP.
- Use the “Edit” mode of an FTP program that allows you to edit a file remotely.
- Use a text editor and SSH to edit the file.
- Use the File Manager in cPanel to edit the file.
Editing .htaccess in cPanel File Manager
Note: Backup your website in case something goes wrong.
- Log in to your hosting account's cPanel
- Files > File Manager > public_html in left hand menu
- Now select the domain name you want to access if you have multiple domains
- Look for the .htaccess file on the right hand side of the screen.
- Click on the .htaccess file and click on “Edit” on the menu above.
- A dialogue box may pop up asking about encoding. Click the “Edit” button to continue.
- Edit the file
- Click “Save Changes” when done.
- Test your website to make sure it is done correctly. If there is an error, restore to the previous version and try again.
- Once you are done, click “Close” to close the window.
Redirecting HTTP to HTTPS
1. Redirect All Web Traffic
If you have existing code in your .htaccess, add the following:
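# Send every request that arrives on port 80 (plain HTTP) to HTTPS.
# [R] alone issues a temporary (302) redirect; use [R=301,L] for a permanent one.
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]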
2. Redirect Only a Specific Domain
For redirecting a specific domain to use HTTPS, add the following:
# Redirect only requests whose Host header starts with yourdomain.com.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com [NC]
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]
3. Redirect Only a Specific Folder
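To redirect to HTTPS only for a specific folder, add the following:
# Redirect only requests whose URI contains "folder".
# $1 is relative to the directory holding this .htaccess, so place the file inside that folder.
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteCond %{REQUEST_URI} folder
RewriteRule ^(.*)$ https://www.yourdomain.com/folder/$1 [R,L]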
Note: Replace “yourdomain” with your actual domain name wherever required. Also, in case of the folder, replace /folder with the actual folder name.
Here are two examples of redirecting only a specific domain using my own sites:
#redirect to https
RewriteEngine On
RewriteCond %{HTTP_HOST} ^lankygamer\.co\.uk [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://lankygamer.co.uk/$1 [R,L]
#redirect to https
RewriteEngine On
RewriteCond %{HTTP_HOST} ^mickwood\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://mickwood.com/$1 [R,L]
2. How can I deny someone from accessing my web site?
Overview
The IP Deny Manager will allow you to block a range of IP addresses to prevent them from accessing your site. You can also enter a fully qualified domain name, and the IP Deny Manager will attempt to resolve it to an IP address for you.
Adding IP Addresses
Steps
- Enter the IP Address or domain name you want to prevent from accessing your web site in the "IP Address or Domain" text box.
You can specify denied IP addresses in the following formats:
| Format | Meaning |
| --- | --- |
| 10.5.3.333 | Single IP Address |
| 10.5.3.3-10.5.3.40 | Range |
| 10.5.3.5-40 | Implied Range |
| 10.5.3.3/32 | CIDR Format |
| 10. | Implies 10.*.*.* |
- Click on the Add button.
- You will see the following confirmation:
- If you entered an IP Address, you will see...
- "Users from the IP address(s) IP_ADDRESS will not be able to access your site."
- If you entered a domain name, you will see...
- "DOMAIN was resolved to the ip address IP_ADDRESS. Users from the IP address(s) IP_ADDRESS will not be able to access your site."
- Click on the Go Back link.
- When the page loads, you will see a table with your added IP addresses containing the following information, split into four columns:
- Server Setting - This entry will be the IP Address name you entered in Step 1 above.
- Beginning IP - If you entered one of the "Range" formats (defined in the table in Step 1), this entry will be the beginning IP address of the "Range" you entered in Step 1.
- Ending IP - If you entered one of the "Range" formats (defined in the table in Step 1), this entry will be the ending IP address of the "Range" you entered in Step 1.
- Remove - Click on this option to remove the IP Address or IP Range from the system completely.
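The formats in Step 1 differ widely in how many addresses they block. As an added example (not cPanel's own code), this Python parser expands each format into the beginning and ending IP shown in the table from Step 5; it assumes IPv4 only, the function names are illustrative, and domain-name entries are not handled.

```python
import ipaddress

# Entries in the formats listed in Step 1; the single address is constructed.
SAMPLE_ENTRIES = ["10.5.3.3", "10.5.3.3-10.5.3.40", "10.5.3.5-40", "10.5.3.3/32", "10."]

def parse_deny_entry(entry):
    """Return the (first, last) IPv4Address covered by one deny entry."""
    entry = entry.strip()
    if "/" in entry:                      # CIDR format
        net = ipaddress.IPv4Network(entry, strict=False)
        return net[0], net[-1]
    if "-" in entry:                      # range or implied range
        left, right = entry.split("-", 1)
        if "." not in right:              # implied: reuse the first three octets
            right = left.rsplit(".", 1)[0] + "." + right
        first, last = ipaddress.IPv4Address(left), ipaddress.IPv4Address(right)
        if last < first:
            raise ValueError(f"range ends before it starts: {entry!r}")
        return first, last
    if entry.endswith("."):               # "10." implies 10.*.*.*
        octets = entry[:-1].split(".")
        if len(octets) > 3:
            raise ValueError(f"prefix too long: {entry!r}")
        pad = 4 - len(octets)
        return (ipaddress.IPv4Address(".".join(octets + ["0"] * pad)),
                ipaddress.IPv4Address(".".join(octets + ["255"] * pad)))
    ip = ipaddress.IPv4Address(entry)     # single address; an octet above 255 raises ValueError
    return ip, ip

def covered(entry):
    """Number of addresses one entry blocks."""
    first, last = parse_deny_entry(entry)
    return int(last) - int(first) + 1

def is_blocked(address, entries):
    """True if the address falls inside any entry of the deny list."""
    ip = ipaddress.IPv4Address(address)
    return any(first <= ip <= last for first, last in map(parse_deny_entry, entries))

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        first, last = parse_deny_entry(e)
        print(f"{e:<20} {first} - {last}  ({covered(e)} addresses)")
```

A short prefix such as `10.` covers 16,777,216 addresses, so expand an entry and check its size before adding it.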
Removing IP Addresses
If you want to remove an IP Address, cPanel has a built-in feature that will allow you to easily delete any IP Addresses you have previously created.
Steps
- Assuming you have added an IP Address or IP Range, view the "Current IP addresses being blocked" table as described in Step 5 of the "Adding IP Addresses" section at the top of this document.
- Find the IP Address you want to delete in the table.
- Next, click on the Remove link in the "Actions" column.
- When the page loads, click on the Yes button.
- The next page will state "The IP address IP_ADDRESS will now be able to access your site."
3. How do I generate a new GnuPG Key?
Overview
GnuPG is a publicly available encryption scheme that uses the "public key" approach. With GnuPG, messages are encrypted using a "public key". However, they can only be decrypted by a "private key", which is retained by the intended recipient of the message. If you are unfamiliar with GnuPG keys, see the Wikipedia article on GNU Privacy Guard at http://en.wikipedia.org/wiki/Gpg.
4. How do I password protect a directory?
Overview
Password protection allows you to require a username and password to access a folder within your site from the web. When password protecting a folder, there are a few things to remember. Protecting a folder will protect all folders within that folder. Also, you will need to create users who can access the protected directory. You can give the password protected directory any name, no matter what the actual directory is called.
Security Settings
When a user accesses the protected directory through the web, they will be prompted to enter a username and password. The name that you choose for the protected directory will appear as well.
Steps
- Click on the Password protect this directory text box.
- Think of a name you want users to see when they visit the password protected directory. Enter the name in the "Name the protected directory" text box.
- Click on the Save button.
- You will see the following confirmation:
- "The access permissions for PATH_TO_PASSWORD_PROTECTED_DIRECTORY have been set."
- Click on the Go Back link.
- When the page loads you will see your settings have been saved in the "Security Settings" section.
5. How do I scan my email and web site for viruses?
Overview
The control panel includes a built-in virus scanner, which allows you to scan your email accounts for potential viruses, or to scan only your home (web hosting account root) directory. You may also scan your /public_html/* and all the files and directories associated with the public web space, or scan your public FTP space and associated accounts.
Once you have made your selection, click on the Scan Now button and follow the remaining instructions below based on the feature you chose.
Using The Scan Feature
The system will start scanning your Mail files. You will see a status section on the next page stating how many files have and will be scanned by the system. Also shown is the percentage of completion by the scanning software. In addition, the system will tell you which files are being scanned as they are being processed by the scanner.
If any infected files are found during the scan, they will appear in the "Infected Files" section of the page. You will have the option to delete the files that are infected.
If no infected files have been found during the scan, a pop-up will appear stating "Virus Scan Complete. No Virii Found." Click the OK button to be redirected back to the Virus Scanner page.
6. Information About The Heart Bleed Vulnerability
mickwood.com is aware of the vulnerability, dubbed “Heartbleed”, which is a security concern for users of OpenSSL, a widely used open-source cryptographic software library. It can allow attackers to read the memory of systems using vulnerable versions of the OpenSSL library (1.0.1 through 1.0.1f). This may disclose the secret keys of vulnerable servers, which allows attackers to decrypt and eavesdrop on SSL encrypted communications and impersonate service providers. In addition, other data in memory may be disclosed, which conceivably could include usernames and passwords of users or other data stored in server memory.
mickwood.com technicians patched all of its affected servers shortly after the vulnerability was announced. Due to the nature of the vulnerability, it is impossible to know whether any information, including private keys, passwords, and session IDs, has been compromised. Therefore, as a precaution we recommend reissuing and revoking any SSL certificates you have and resetting any passwords.
If you have any questions or concerns, please feel free to ask us.