Securing Files

...

You need to secure the config.php file. Consider setting its permissions to 444.

1. Navigate to your HostBill install directory and go to the /includes/ directory.

2. CHMOD / change file permissions of config.php to 444.

That's it. Modifying the permissions of this file is necessary, and it is the easiest security measure you can apply to your HostBill install.

Warning: IMPORTANT

Protect the contents of the includes/config.php file at all costs.

During installation HostBill generates $ccEncryptionHash inside of it, which is used as a partial key for password encryption. If you lose or replace this variable's value, you will also lose all stored passwords.


Securing Directories

...

In order for HostBill to operate in a secure environment, you need to prevent anonymous users from uploading content to your server, as well as from listing directory contents.

HostBill's temporary dir templates_c uses folder permissions of 777, and users can upload files to the attachments folder through support tickets. You need to secure these folders to protect your server.

Note: the steps below are for non-enterprise installations. The Enterprise installer will do this for you.

  1. Navigate to the HostBill main directory.
  2. Move the attachments, downloads, and templates_c folders outside of the public directory. In this example the main HostBill dir is /home/hostbill/public_html/, so we're moving those folders into /home/hostbill/.
  3. Go back to your main HostBill directory and head to the includes/ directory.
  4. Add the following lines to the very bottom of your config.php file so HostBill can locate the folders on the server:

$hb_downloads_dir = "/home/hostbill/downloads";
$hb_attachments_dir = "/home/hostbill/attachments";
$hb_templates_c_dir = "/home/hostbill/templates_c";

You'll notice that these variables are already present in the mentioned file, but with different values. You just need to edit the current entries.

...

Example layout (assumes hostbill is the username):

/home/hostbill/public_html/{hostbill-install-directory/}
/home/hostbill/public_html/{hostbill-install-directory/}includes/config.php
/home/hostbill/attachments/
/home/hostbill/downloads/
/home/hostbill/templates_c/

You can now safely CHMOD the following directories to 777:

chmod 777 -R /home/hostbill/attachments
chmod 777 -R /home/hostbill/downloads
chmod 777 -R /home/hostbill/templates_c
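The relocation steps above as one script. This is an added example, not HostBill's own tooling; it assumes the layout shown on this page (attachments, downloads, templates_c and includes/config.php under the install directory) and the $hb_*_dir variable names from config.php.

```shell
#!/bin/sh
# Added example, not HostBill's own code. Moves the three writable folders out
# of the public web root, rewrites the $hb_*_dir settings in includes/config.php
# and makes config.php read-only (444), as the steps on this page describe.
set -e

# Usage: relocate_hostbill_dirs <install_dir> <target_dir>
# e.g.   relocate_hostbill_dirs /home/hostbill/public_html /home/hostbill
relocate_hostbill_dirs() {
    install_dir="$1"
    target_dir="$2"
    config="$install_dir/includes/config.php"

    # The whole point is to leave the web root: refuse a target inside it.
    case "$target_dir" in
        "$install_dir"|"$install_dir"/*)
            echo "target $target_dir is inside the web root" >&2; return 1 ;;
    esac
    [ -f "$config" ] || { echo "missing $config" >&2; return 1; }

    for name in attachments downloads templates_c; do
        if [ -d "$install_dir/$name" ]; then
            mv "$install_dir/$name" "$target_dir/$name"
        fi
        mkdir -p "$target_dir/$name"
        # Rewrite the existing assignment, or append one if config.php lacks it.
        setting="\$hb_${name}_dir = \"$target_dir/$name\";"
        if grep -q '^[$]hb_'"$name"'_dir *=' "$config"; then
            sed "s|^[\$]hb_${name}_dir *=.*|$setting|" "$config" > "$config.tmp"
        else
            { cat "$config"; printf '%s\n' "$setting"; } > "$config.tmp"
        fi
        mv "$config.tmp" "$config"
    done
    # Folder permissions are left to the operator: the page uses chmod 777 -R,
    # but ownership by the web server user with a tighter mode is preferable.
    chmod 444 "$config"
}

# Prints the path config.php assigns to $hb_<name>_dir; used to verify the result.
hostbill_dir_setting() {
    sed -n "s|^[\$]hb_$2_dir *= *\"\([^\"]*\)\";.*|\1|p" "$1/includes/config.php"
}
```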


Info: Note about directory listings

You should prevent your webserver from listing directory contents. For example, when using Apache, add the following to your .htaccess file:

Options -Indexes

When using nginx, add the following to the server block of your nginx config file:

autoindex off;


Securing Administrative Access

...

Change Admin Folder Name

As of HostBill 3.0.0, HostBill admins can rename their admin folder. Renaming your admin folder will prevent brute force attacks, password guessers, and other similar threats.

1. Navigate to your HostBill install directory and rename the /admin folder. Change it to something uncommon. We'll use new-folder-name as an example.

2. Edit includes/config.php and make the following changes.

...

Now you can navigate to your HostBill's new admin URL, replacing /admin with /new-folder-name to access the administrative control panel.


Note: Note about folder change

Note that after changing the admin folder name, the path to your cron.php file will also change.

You should update the crontab entries created for HostBill to the new location after the folder name change.

This also affects the location of the pipe.php file, used for piping emails into the HostBill ticket system.


Enable 2-factor authentication

HostBill offers a number of Multi-Factor Authentication plugins that also work for the admin portal and can add an additional layer of security for accessing admin resources.

You can enforce the use of MFA/2FA for all staff members in Security & Display.


Restrict IP Access

...

On the application level

HostBill has an admin access restriction feature that controls what IPs may access the administrative interface. To utilize this feature, do the following.

1. Navigate to Security Settings → Administrative Settings → Allowed IPs.

2. Allow your IPs first.

3. Deny all IPs next.

HostBill will always check the denied IPs first, and the allowed IPs next.

Webserver: Password protect admin folder

Additionally, you may want to consider password protecting your admin folder using Basic Authentication; refer to your webserver documentation on how to achieve this.

Apache: Restrict IP Access With .htaccess

You can also protect access to the admin panel at the webserver level.

The following is just an example. If you are using Apache as your webserver, you may add it to your .htaccess file and configure it as needed.

...

# Allows a single IP address.
allow from 111.111.111.111


Note

The paths above may vary depending on the webserver software you're using.

Additional Security Tools

...

You can find this feature in the Security Settings of HostBill. You can enable or disable notifications for certain staff members or administrators; with the feature enabled, a notification is sent to both you and the staff member when someone logs into that account.