Time for a re-think of DA’s install security defaults

The insecure e-mail access problem has triggered other thoughts about the security defaults within DA. Over the past few years, the workplace has moved from one's place of employment to wherever one happens to be. A company's "technical" support people often aren't that technical. They are on call to add e-mail accounts and check things in the control panel even while they are on vacation, traveling, or at training. The reason for the rapid rise in the number of web sites that use Drupal and WordPress is so that these people, and business owners themselves, can manage the content of their own sites. It's not at all uncommon for them to do this work while "on the road". Secure control panel access at install time has been the norm for other control panels for quite some time, and all modern web development environments and operating systems support secure options for web site maintenance.

The purpose of a control panel is to make servers easier to manage. When a change in the way people work means we have to implement something manually as a matter of course every time we set up a server, it is time for that something to become part of the core install. It is better to start out secure and have hosters loosen up specific areas than to start out loose and rely on hosters to remember, and to have the knowledge, to tighten them up. We routinely keep up with patches to guard against obscure security holes that require substantial technical knowledge to exploit. We should all the more go after the huge and obvious ones that require little technical knowledge to exploit, especially since they are the easiest ones to fix. We have recognized that the world has changed, and that we need to change with it.

In summary, I'm thankful for all of the features that DA has added and refined: Brute Force Monitor, daily e-mail limits per DirectAdmin user, RBL blocking, and on and on. I love it. However, this is an area where a kid who doesn't know much can download a packet sniffer and cause untold damage. I'm suggesting that we not make it quite that simple for people to compromise our servers' security.
