You need to secure the config.php file. Let's set the permissions to 444.
1. Navigate to your HostBill install directory and go to the /includes/ directory.
2. CHMOD / change file permissions of config.php to 444.
Modifying the permissions of this file is necessary and the easiest security method you can apply to your HostBill install.
Protect contents of includes/config.php file at all costs.
During installation HostBill generates $ccEncryptionHash inside of it which is used as partial key for passwords encryption, if you'll loose/replace this variable's value, you will also loose all stored passwords.
In order for HostBill to operate in a safe environment, you need to prevent anonymous users from uploading content to your server. templates_c has folder permissions of 777, and users can upload files to the attachments folder through support tickets. You need to secure these folders to protect your server.
Note: steps below are for non-enterprise installations. Enterprise installer will do this for you.
1. Navigate to the HostBill install directory.
2. Move the attachments, downloads, and templates_c folders outside of the public directory.
3. We're using HostBill user as our example. Your new hierarchy should be /home/hostbill/ for the mentioned folders.
4. Go back to your main HostBill directory and head to the includes/ directory.
5. Add the following lines to very bottom of your config.php file so HostBill can locate them on the server.
$hb_downloads_dir = "/home/hostbill/downloads";
$hb_attachments_dir = "/home/hostbill/attachments";
$hb_templates_c_dir = "/home/hostbill/templates_c";
You'll notice that these variables are already available in mentioned file, but with different values. You can just replace / edit the current entries.
To sum it up, your new folder layout should look similar to this (provided have web files inside /home dir)
You can now CHMOD following directories to 777
chmod 777 -R /home/hostbill/attachments
chmod 777 -R /home/hostbill/downloads
chmod 777 -R /home/hostbill/templates_c
Securing Administrative Access
Change Admin Folder Name
HostBill users can rename their admin folder. Renaming your admin folder will prevent brute force attacks, password guessers, and other similar threats.
1. Navigate to your HostBill directory and edit the /admin folder's name. Change it to something uncommon. We'll use new-folder-name as an example.
2. Edit includes/config.php and make the following changes.
Now you can navigate to your HostBill's new admin URL, replacing /admin with /new-folder-name to access the administrative control panel.
Note about folder change
Note that after changing admin folder name path you cron.php file will also change.
You should update crontab entries created for HostBill to new location after folder name change.
This also affects pipe.php file location, used for piping emails into HostBill ticket system.
Restrict IP Access Application Level
HostBill has an admin access restriction feature that controls what IPs may access the administrative interface. To utilize this feature, do the following.
1. Navigate to Security Settings → Administrative Allowed IPs.
2. Allow your IPs first.
3. Deny all IPs next.
HostBill will always check the deny IPs first, and allow IPs next.
Restrict Access With .htaccess
The following is just an example. If you are using Apache as webserver, you may add it in your .htaccess file and configure as needed.
# Sets the IP deny / allow rule order.
# Denies IP access from all IPs.
deny from all
# Denies 184.108.40.206 - 220.127.116.11 : 512 IPs Blocked (Range)
deny from 18.104.22.168/23
# Denies 22.214.171.124 - 126.96.36.199 : 512 IPs Blocked (Subnet)
deny from 188.8.131.52/255.255.254.0
# Allows single IP address.
allow from 184.108.40.206
may vary depending on server software you're using
HostBill also offers various tools to help you in managing your installation security.
You can find this feature in the Security Settings of HostBill. You can enable / disable notifications for certain staff / administrators, which will send a notification to both of you, and the staff member when someone has logged into the account with the feature enabled.