Must strange site visitor user agent be avoided? If yes how? - performance

I am using shared hosting.
My site was showing "ERR_CONNECTION_REFUSED".
So I went to see the visitors to my (SSL) site.
I found that instead of regular names in the "User Agent" list,
the cPanel visitors list is showing the user agent
"Expanse indexes the network perimeters of our customers. If you have any questions or concerns, please reach out to: scaninfo#example.com"
I want to know whether this is harmful and, if yes,
how to avoid such unknown user agents?
Is there something I should do with the ".htaccess" file?
Once again, I am using shared hosting (so I have limited accessibility).

The ERR_CONNECTION_REFUSED you saw when accessing your website had nothing to do with the visitor you saw in cPanel. You might have had a different issue with your server configuration/shared hosting provider.
That "visitor" was an internet crawler, most likely from Palo Alto Networks, which owns Expanse. Long story short, it shouldn't cause any harm. They say that their crawlers are used to index/categorize URLs around the internet and/or to spot malicious content.
I advise you to ignore it, since there's not much you can do. I assume they have some ranges of IPs for their crawlers, so you wouldn't be able to blacklist all of them anyway.
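The visitor list in cPanel is just a view of the Apache access log, so the practical first step is to count who sent that user agent and from where before deciding whether to do anything. The script below is an added example written for this page (it is not from the original thread, cPanel, or Palo Alto Networks): it parses Apache combined-format log lines, tags the self-announcing scanner string quoted in the question, and summarizes hits, source IPs, requested paths and status codes per class. The log lines are constructed for the example and use documentation IP ranges; the scanner pattern list and function names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread: triage the user agents a cPanel
// visitor list or raw Apache access log shows, so a string like the Expanse
// one in the question can be counted and attributed to source IPs instead of
// guessed at. The log lines are constructed (documentation IP ranges); the
// Expanse text is the one quoted in the question.

// Apache "combined" format:
// ip ident user [time] "request" status bytes "referer" "user-agent"
const LOG_LINE_PATTERN =
    '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<request>[^"]*)" (?<status>\d{3}) (?<bytes>\S+) "(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';

// Substrings that identify self-announcing internet-wide scanners. Only the
// one from the question is listed; add others as they turn up in your logs.
const SCANNER_UA_PATTERNS = [
    'expanse' => '/Expanse indexes the network perimeters/i',
];

function parseLogLine(string $line): ?array
{
    if (!preg_match(LOG_LINE_PATTERN, $line, $m)) {
        return null; // not combined format: skip rather than guess
    }
    return [
        'ip'      => $m['ip'],
        'request' => $m['request'],
        'status'  => (int) $m['status'],
        'ua'      => $m['ua'],
    ];
}

function classifyUserAgent(string $ua): string
{
    foreach (SCANNER_UA_PATTERNS as $name => $pattern) {
        if (preg_match($pattern, $ua) === 1) {
            return $name;
        }
    }
    return 'other';
}

// Per class: hit count, distinct source IPs, requested paths and status codes.
function summarizeLog(array $lines): array
{
    $summary = [];
    foreach ($lines as $line) {
        $entry = parseLogLine($line);
        if ($entry === null) {
            continue;
        }
        $class = classifyUserAgent($entry['ua']);
        $s = &$summary[$class];
        $s['hits'] = ($s['hits'] ?? 0) + 1;
        $s['ips'][$entry['ip']] = true;
        $s['requests'][$entry['request']] = true;
        $s['statuses'][$entry['status']] = ($s['statuses'][$entry['status']] ?? 0) + 1;
        unset($s);
    }
    foreach ($summary as &$s) {
        $s['ips'] = array_keys($s['ips']);
        $s['requests'] = array_keys($s['requests']);
    }
    unset($s);
    return $summary;
}

// Constructed sample log: two scanner hits, one probe for a WordPress login
// page, one ordinary browser, and one line that is not in combined format.
$sampleLog = [
    '203.0.113.10 - - [10/Mar/2023:02:14:07 +0000] "GET / HTTP/1.1" 200 5123 "-" "Expanse indexes the network perimeters of our customers. If you have any questions or concerns, please reach out to: scaninfo#example.com"',
    '203.0.113.11 - - [10/Mar/2023:02:14:09 +0000] "GET / HTTP/1.1" 200 5123 "-" "Expanse indexes the network perimeters of our customers. If you have any questions or concerns, please reach out to: scaninfo#example.com"',
    '198.51.100.7 - - [10/Mar/2023:02:20:31 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"',
    '192.0.2.25 - - [10/Mar/2023:02:25:02 +0000] "GET /index.php HTTP/1.1" 200 8210 "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/110.0"',
    'garbage line that is not in combined format',
];

foreach (summarizeLog($sampleLog) as $class => $s) {
    printf("%-8s hits=%d ips=%s paths=%s statuses=%s\n",
        $class, $s['hits'], implode(',', $s['ips']), implode(',', $s['requests']), json_encode($s['statuses']));
}
```

Run it with `php triage.php` against a copy of the real access log instead of `$sampleLog`. Two things to read off the summary: a refused TCP connection never reaches Apache, so the ERR_CONNECTION_REFUSED episode leaves no trace in this log at all, and the scanner class typically shows a handful of source IPs fetching `/` and nothing else. If you still want those requests refused, the same substring can go into an `.htaccess` `RewriteCond %{HTTP_USER_AGENT}` rule (or a check at the top of `index.php` on shared hosting), but the User-Agent header is chosen by the client, so filtering on it only stops scanners that announce themselves and does nothing against anyone who lies.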

Related

What does website isolation / user isolation do Laravel Forge?

In Laravel Forge there's an option called Website Isolation, which some people also seem to refer to as user isolation. I am not quite sure what it does or what the possible benefit of such functionality is. It would be great if someone could explain this!
It also means you can assign different users to different sites on your server. You can give them SSH and SFTP access to a specific site without allowing them access to other sites on the same server. It also can prevent malicious code in one site from affecting another site on the same server if these sites have different users.
See https://blog.laravel.com/forge-user-isolation
I found out that one of the biggest advantages of using Website / User Isolation is that Laravel Forge will then be able to offer a unique and independent nginx environment compared to the other sites that exist on the same server. Thus, in situations that require restarting nginx or under overloading, the other sites on the server should work perfectly fine.

Best practice to store App Key in Laravel

I have been doing a lot of research on this and I can't seem to find a definitive answer. Obviously these days security is a big issue; hacks are going on all over the place at major companies that invest millions into security, and they're still getting hacked.
I work on Laravel a lot and use shared hosting with HostGator or some similar company of high repute. Laravel comes with a built-in function for encrypting database info and decrypting it for the user when requested.
However, I have a question on how secure this ACTUALLY is. If someone gets into my cPanel, my app key, which is used for encryption, is right there in front of them. Granted, my cPanel password is the one that's auto-generated by HostGator and it's complete gibberish with semicolons and alphanumeric strings all over, so it's not easy to guess.
But I'm trying to learn a little bit more about security. If my app key in my .env file is locked securely behind my cPanel login, is Laravel's built-in "encrypt()" method "enough" to call an app "secure"? Are there other measures within Laravel or my host provider that could make it more secure than just tight passwords? Is there some sort of practice of referencing the app key through an external source that's not located in the cPanel area, so that even if my cPanel got hacked, my app key wouldn't be in those files and get exposed?
I'm not a security expert, but there are a few points I can share from my experience working at highly secured companies.
First, Laravel itself is fine. You can generally trust open source software since it's transparent and security bugs get discovered and addressed early. So you don't need to improve Laravel, just use it as is, preferably an LTS version.
Then, cPanel is a liability. You should minimize weak points on your system, i.e. those that are externally accessible. Get a VPS or a private server and access it via SSH; don't use tools like cPanel and phpMyAdmin on it. The less software you have that talks to the outside world, the less vulnerable you are to bugs in that software.
In my current company the production server can only be accessed via SSH from a single IP address, the address of the dev server. So I log in to the dev server first, and then log in from there to prod. It denies all connections from all other IPs.
If you are limited to using cPanel or something similar, consider protecting the login page with HTTP Basic Auth; some hosting providers allow that.
You also want to keep your system and software up to date. Not too new either, as that may have bugs that haven't been caught yet. Our devops prefer to have it a couple of minor versions behind, so that the community has time to test it out and get hacked for you.
That's all I know as a web dev; sure enough there are special tools and DDoS protection services, but that's beyond a dev's concern imo. If you just follow these steps, you should be safe. Hope that helped a bit, cheers :)
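What `encrypt()` actually buys you is easier to judge by looking at what the ciphertext contains and what the key controls. The script below is an added example for this page, not Laravel's own code: it reimplements in plain PHP the construction Laravel's Encrypter is built on (AES-256-CBC with a random IV, an HMAC-SHA256 over the base64 IV and ciphertext, packed as base64 JSON). Laravel's real payloads additionally `serialize()` the value and, in newer versions, carry a `tag` field, so this is not byte-compatible with it. It assumes `APP_KEY` is present in the process environment in the `base64:` form Laravel uses; the `putenv()` at the bottom only stands in for the hosting environment during the demo.

```php
<?php
declare(strict_types=1);

// Added example (not Laravel's own code): a stand-alone reimplementation of the
// construction Laravel's Encrypter uses, so you can see exactly what APP_KEY
// protects. AES-256-CBC with a random IV, HMAC-SHA256 over the base64 IV and
// ciphertext, packed as base64(JSON). Laravel's real payloads additionally
// serialize() the value and carry a "tag" field, so this is not byte-compatible.

function loadAppKey(): string
{
    // Laravel stores APP_KEY as "base64:<32 random bytes>". Read it from the
    // process environment: the .env file is only one way of putting it there,
    // and a key set by the server (FPM pool or vhost config) never sits in the
    // document tree at all.
    $raw = getenv('APP_KEY');
    if ($raw === false || $raw === '') {
        throw new RuntimeException('APP_KEY is not set in the environment');
    }
    if (strncmp($raw, 'base64:', 7) === 0) {
        $raw = base64_decode(substr($raw, 7), true);
    }
    if ($raw === false || strlen($raw) !== 32) {
        throw new RuntimeException('APP_KEY must decode to 32 bytes for AES-256-CBC');
    }
    return $raw;
}

function encryptValue(string $plaintext, string $key): string
{
    $iv = random_bytes(16); // fresh IV per value; never reuse with CBC
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    $ivB64 = base64_encode($iv);
    $valueB64 = base64_encode($ciphertext);
    // The MAC covers the encoded IV and ciphertext, so neither can be altered
    // without the key (encrypt-then-MAC).
    $mac = hash_hmac('sha256', $ivB64 . $valueB64, $key);
    $json = json_encode(['iv' => $ivB64, 'value' => $valueB64, 'mac' => $mac]);
    if ($json === false) {
        throw new RuntimeException('json_encode failed');
    }
    return base64_encode($json);
}

function decryptValue(string $payload, string $key): string
{
    $json = base64_decode($payload, true);
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data)
        || !isset($data['iv'], $data['value'], $data['mac'])
        || !is_string($data['iv']) || !is_string($data['value']) || !is_string($data['mac'])) {
        throw new RuntimeException('malformed payload');
    }
    // Verify the MAC before touching the ciphertext; hash_equals is constant-time.
    $expected = hash_hmac('sha256', $data['iv'] . $data['value'], $key);
    if (!hash_equals($expected, $data['mac'])) {
        throw new RuntimeException('MAC mismatch: wrong key or tampered payload');
    }
    $iv = base64_decode($data['iv'], true);
    $ciphertext = base64_decode($data['value'], true);
    if ($iv === false || strlen($iv) !== 16 || $ciphertext === false) {
        throw new RuntimeException('malformed IV or ciphertext');
    }
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($plaintext === false) {
        throw new RuntimeException('openssl_decrypt failed');
    }
    return $plaintext;
}

// Demo. putenv() here stands in for the hosting environment; do not generate
// the key at runtime in a real deployment.
putenv('APP_KEY=base64:' . base64_encode(random_bytes(32)));
$key = loadAppKey();

$stored = encryptValue('customer phone: +1 555 0100', $key);
echo "stored in DB : $stored\n";
echo "with APP_KEY : " . decryptValue($stored, $key) . "\n";

// A database dump alone is useless; a different key fails at the MAC check
// before any decryption is attempted.
try {
    decryptValue($stored, random_bytes(32));
} catch (RuntimeException $e) {
    echo "without key  : " . $e->getMessage() . "\n";
}
```

The demo makes the trade-off concrete: a stolen database dump yields nothing without the 32-byte key, and anyone who can read the key (cPanel file manager, a backup, a leaked `.env`) can decrypt everything, so the scheme is exactly as strong as the key's storage. Laravel reads `APP_KEY` from the environment, so putting it in `.env` is a convenience, not a requirement; whether your host lets you set it as a server-level environment variable instead is something to check with them.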

How to access Cpanel on 1&1(IONOS) hosting? [closed]

Does anyone know how to access cPanel on 1&1 (IONOS)? One of the biggest in the web hosting market, but I didn't know it was one of the worst. The Knowledge Base is empty. Searching on Google doesn't turn up anything.
I am startled by the fact that I found NO INFORMATION online. Absolutely NO information on Google. How could it be possible? No one has ever tried to ask this question before?!?!? BTW IONOS is the worst web host. If someone has to search for 20 mins to access even cPanel, then it's the worst web host.
IONOS Screenshot
Note the below is only available if you have the right build assigned to your account.
Server administration with Plesk is conveniently done right in your browser.
Since Plesk provides its own HTTPS service for this, a web server (e.g. Apache)
does not need to be running on the server.
Open your web browser and enter your domain name (or IP address)
followed by :8443 in the address bar.
Log in with the user name Admin and your initial password.
You can log in to IONOS and find your initial password in the Server Access Data section.
I am sure by now you managed to fix your problem. But I figured I must just post how I accessed it for other people. I am assuming that you wanted to remove some of the files on your website (i.e. if a WordPress plugin destroyed your site). The way I accessed my files is as follows: Firstly go to your Ionos dashboard. Then click on the contract you are using (i.e. WP Business). Thereafter go to hosting and click manage, then a page will open and click webspace. Once you click webspace you will be able to access all of your files.
I hope this helps someone out because truly getting information about Ionos seems like thesis research.
I nearly fell for their $6-for-the-first-year Business Plan account. Whups! Good thing I asked some questions first.
The sales person answered the chat after approx. 20 mins, and was not customer friendly. When I enquired about included cPanel apps, I was abruptly told that cPanel is not included; you must purchase it separately. She did not tell me (this is what I mean by "abrupt"), but I read elsewhere, that they wrote their own "cPanel-like" administration tool, but from what I can tell it is significantly less capable. And as of this writing, I still do not know if they offer Node.js (which was something I asked the sales rep, but she did not answer).
I would be interested to see a screenshot of the IONOS cPanel replacement. I also would like to know what included apps they offer, such as phpBB, SimpleMachinesForum, Node.js, Python, Ruby, and how Git management/deployment works. As of this writing, and after over 30 minutes on chat with them (including wait time), I have no idea.
Here is a fairly recent article from Dec 2021 that sheds more light:
https://websitesetup.org/hosting-reviews/ionos/
You can access your cPanel using the URL below:
http://IP:2082
Note: replace IP with your cPanel IP.
The above link redirects to the login page, where you need to enter your username and password.
From the look of your screenshot it looks as if the package you have purchased is not one that contains a server. Here are two options for packages with servers.
Cloud
Dedicated
Ref
Go to Servers & Cloud -> Infrastructure -> Servers and select the server you want to access.
Then, go to either the Plesk or cPanel section, there you'll find user, password and host for your server.

Device based access policy for Laravel

Security is not my area of expertise. I am working on a lightweight administrative Laravel web app for internal use by company (small) employees:
The app is intended to be used only by the employees
Remote work (from home) is not uncommon
Smartphones and laptops are usually used when working remotely
I would like to secure it as much as possible - beyond authentication, access controls or 2FA. I am trying to think of ways to make it virtually invisible to the public, but still available for the employees. Defining proper rules for crawlers might make it a bit more obscure but I think more could be done. Network based restrictions would limit the employee flexibility.
Based on this I got the idea that the app could be made available only if the request is made by an authorized device. I am not sure however whether or not this is a good approach. Neither do I know how to tackle the problem of authorizing the various devices and making that information available to the server during communication.
i.e. How would I tag a device as authorized so that I only have to do it once and can reliably validate the information in a web app? Regular authentication as well as role based access would still be in place but the app could return a 404 response if the accessing device is not whitelisted.
Is there a way to achieve something like this while not making it too restrictive for the users or painful to set up? Or is there a better method for achieving the same result?
Consider a VPN?
If you are hosting the device on an internal network, you could see if the IT dept. can set up VPN access to work remotely (in most cases, this is already in place) and then it does not need to be accessed over the internet via a URI. Instead you can simply navigate to the internal address once you're in the network through the VPN - no public access and no need to worry about pesky web crawlers!
It also makes it easier to moderate your application. For example, if an employee leaves the company you can simply revoke their VPN access and they'll no longer be able to access the application.
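If a VPN is not an option, the "authorized device" idea from the question can be built as a signed enrollment token: the device is enrolled once, the browser keeps the token in a cookie, and a gate in front of the app answers 404 to any request without a valid one. The code below is an added example written for this page, not from the original thread and not Laravel's own API; the names (`DEVICE_COOKIE`, `issueDeviceToken`, `deviceGate`), the token layout and the revocation list are this example's own, and the secret and cookie jar in the demo are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread: a device-enrollment token that a
// gate in front of the app can check before routing. The device is enrolled
// once (an admin issues a token for it, the browser keeps it in a cookie) and
// every later request must carry a valid token or the app answers 404, exactly
// as it would for an unknown path. All names below are this example's own.

const DEVICE_COOKIE = 'device_token';

function base64UrlEncode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function base64UrlDecode(string $text): ?string
{
    $padded = strtr($text, '-_', '+/') . str_repeat('=', (4 - strlen($text) % 4) % 4);
    $bytes = base64_decode($padded, true);
    return $bytes === false ? null : $bytes;
}

// Issued once per device by an administrator. $secret is a server-side secret
// (load it from the environment, never from the document root).
function issueDeviceToken(string $deviceId, int $expiresAt, string $secret): string
{
    if ($deviceId === '' || strpos($deviceId, '|') !== false) {
        throw new InvalidArgumentException('device id must be non-empty and must not contain "|"');
    }
    $body = $deviceId . '|' . $expiresAt;
    $mac = hash_hmac('sha256', $body, $secret);
    return base64UrlEncode($body . '|' . $mac);
}

// Returns the device id if the token is genuine, unexpired and not revoked,
// otherwise null. Nothing here needs a database: revocation is a list of ids.
function verifyDeviceToken(string $token, string $secret, int $now, array $revoked = []): ?string
{
    $decoded = base64UrlDecode($token);
    if ($decoded === null) {
        return null;
    }
    $parts = explode('|', $decoded);
    if (count($parts) !== 3) {
        return null;
    }
    [$deviceId, $expiresAt, $mac] = $parts;
    if ($deviceId === '' || !ctype_digit($expiresAt)) {
        return null;
    }
    $expected = hash_hmac('sha256', $deviceId . '|' . $expiresAt, $secret);
    if (!hash_equals($expected, $mac)) {
        return null; // forged, or signed with another secret
    }
    if ((int) $expiresAt < $now) {
        return null; // enrollment expired, re-enroll the device
    }
    if (in_array($deviceId, $revoked, true)) {
        return null; // lost phone or ex-employee
    }
    return $deviceId;
}

// The gate: decide the HTTP status before any routing or login page is shown.
// 404 rather than 403, so an unenrolled client learns nothing about the app.
function deviceGate(array $cookies, string $secret, int $now, array $revoked = []): int
{
    $token = $cookies[DEVICE_COOKIE] ?? '';
    $ok = is_string($token) && (verifyDeviceToken($token, $secret, $now, $revoked) !== null);
    return $ok ? 200 : 404;
}

// Demo with a constructed secret and cookie jar.
$secret = random_bytes(32);
$now = time();
$token = issueDeviceToken('laptop-42', $now + 90 * 86400, $secret);
$cookies = [DEVICE_COOKIE => $token];

echo 'enrolled laptop    : ', deviceGate($cookies, $secret, $now), "\n";
echo 'no cookie          : ', deviceGate([], $secret, $now), "\n";
echo 'revoked device     : ', deviceGate($cookies, $secret, $now, ['laptop-42']), "\n";
echo 'expired enrollment : ', deviceGate($cookies, $secret, $now + 91 * 86400), "\n";

// Forgery: a token assembled without the secret fails at the MAC check.
$forged = base64UrlEncode('admin-1|' . ($now + 90 * 86400) . '|' . str_repeat('0', 64));
echo 'forged token       : ', deviceGate([DEVICE_COOKIE => $forged], $secret, $now), "\n";
```

In a Laravel app this check belongs in a middleware that runs before authentication, with the cookie set as `HttpOnly`, `Secure` and `SameSite=Strict`. Be clear about what it proves: a cookie can be copied off a device, so this distinguishes an enrolled browser from an unknown one but does not bind access to hardware. Client TLS certificates (mutual TLS) or the VPN suggested above give a stronger binding at the cost of more setup per device.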

Single godaddy account suitable for hosting multiple dev projects?

I want a single hosting account where I can put up my development sites, and small sites I do for friends, some might be experiments, some might be public. None will get huge traffic. They'll all either be using PHP roll-my-own or Code Igniter with MySQL.
I'll want to be pointing multiple domain names at different directories under this account. I'll also probably make use of rewrites extensively.
I'm not in the US but US hosting is far more economical. Is godaddy a good choice given my requirements? I'm looking at the base account as it allows unlimited domain names.
What I hate about GoDaddy is that their domain registrations are "expensive". With privacy it comes to essentially $18/domain, compared to someone like DreamHost (which has free privacy, $10).
I personally use DreamHost to register my domains and Rackspace to serve the content.
Their smallest instance is ~$12/month.
I like the freedom Rackspace gives me; it is a full Linux box with whatever you want. Shared hosts often aren't flexible enough for quirky framework/requirements. In your case, any shared hosting will do as you are using PHP/CI.
I'm looking at the base account as it allows unlimited domain names.
Nowadays, just about everyone offers unlimited domain names and whatnot. Not really a killer feature.
In the end shared hosting is shared hosting. You are sharing a space with other users. If it is experimental then it won't matter.
Something you may wish to consider is the "money back policy". For instance I had at one point an account with MochaHost and they only offer money back inside 30 days, limited money inside 180 days. After that, they eat your money. Something to consider.
