Securing Files
We need to secure the config.php file. Let's set the permissions to 444.
1. Navigate to your HostBill install directory and go to the /includes/ directory.2. CHMOD / change file permissions of config.php to 444.
That's it. Modifying the permissions of this file is necessary, and the easiest security method you can apply to your HostBill install.
Securing Directories
In order for HostBill to operate in a safe environment, you'll want to prevent anonymous users from uploading content to your server. We already know that templates_c has folder permissions of 777, and users can upload files to the downloads folder through support tickets. Let's secure these folders to protect your server.
1. Navigate to the HostBill install directory.2. Move the attachments, downloads, and templates_c folders outside of the public directory. The /home/hostbill path is a great location.3. We're using /hostbill as our example. Your new hierarchy should be /home/hostbill/ for the above mentioned folders.4. Go back to your HostBill install directory and head to the /includes/ directory.5. Add the following to your config.php file so HostBill can locate them on the server.
$hb_downloads_dir = "/home/hostbill/downloads"; $hb_attachments_dir = "/home/hostbill/attachments"; $hb_templates_c_dir = "/home/hostbill/templates_c";
You'll notice that these values are already available, but with different location entries. You just need to replace / edit the current entries.
To sum it up, your new folder layout should look similar to this (provided have web files inside /home dir)
/home/hostbill/public_html/{hostbill-install-directory/}
/home/hostbill/public_html/{hostbill-install-directory/}includes/config.php
/home/hostbill/attachments/
/home/hostbill/downloads/
/home/hostbill/templates_c/
You can now safely CHMOD all directories in the /home/hostbill directory to 777.
Securing Administrative Access
Change Admin Folder Name
As of HostBill 3.0.0, users may now rename their admin folder. Renaming your admin folder will prevent brute force attacks, password guessers, and other similar threats.
1. Navigate to your HostBill install directory and edit the /admin folder's name. Change it to something uncommon. We'll use new-folder-name as an example.2. Navigate to /includes/config.php and make the following changes.
Change
$hb_admin_folder='admin';
To
$hb_admin_folder='new-folder-name';
Now you can navigate to your HostBill's new admin URL, replacing /admin with /new-folder-name to access the administrative control panel.
Restrict IP Access Application Level
HostBill has an admin access restriction feature that controls what IPs may access the administrative interface. To utilize this feature, do the following.
1. Navigate to Security Settings > Administrative Allowed IPs.2. Allow your IP first.3. Deny all IPs next.
HostBill will always check the deny IPs first, and allow IPs next.
Restrict Access With .htaccess
The following is just an example, you may add it in your .htaccess file and configure as needed.
# Sets the IP deny / allow rule order. order deny,allow
# Denies IP access from all IPs. deny from all
# Denies 111.111.111.0 - 111.111.112.255 : 512 IPs Blocked (Range) deny from 111.111.111.0/23
# Denies 111.111.111.0 - 111.111.112.255 : 512 IPs Blocked (Subnet) deny from 111.111.111.0/255.255.254.0
# Allows single IP address. allow from 111.111.111.111
Note
Paths may vary depending on server software you're using
Additional Security Tools
HostBill also offers various tools to help you in managing your installation security.
Login Notification
You can find this feature in the Security Settings of HostBill. You can enable / disable notifications for certain staff / administrators, which will send a notification to both you, and the staff member when someone has logged into the account with the feature enabled.