We use control panels and/or the command line interface as assistive tools to apply, among other things, security systems. There are pros and cons for each of these instruments.
Panels are favorable because their GUIs are user-friendly. Their point-click usability, however, is hampered by restricted options. We saw an example of this with cPanel's weak default of mod_auth_basic for password protection in Setup Apache's mod_auth to Password Protect Directories.
The terminal, CLI, shell, console or whatever else it's called today is favorable, on the other hand, because our options, not least those for security, are complete and, given a little practice, the command line is faster to use. The downside is that, for newbies, it's bewildering. Best advice: persevere. 🙂
Safe server access
In Lock Down WP Connections, wpCop looked at SSH and its cousin SSL, setting up the terminal with the former and advising about the importance of the latter for when we log into and browse a panel – so that's using https, not http. Both methods are secure, although there is always the concern of a brute-force password attack with the panel option.
If you use unmanaged hosting, allowing you full administrative rights, and so can toughen SSH as wpCop explains in Harden SSH, the Secure Shell for Safe Server Access, then the shell is rock solid. Fully toughened, the terminal is more secure than a panel, essentially, because brute forcing is thwarted.
Then again, for the rest of us, a super-tough control panel passphrase – and I'm talking 16bit alpha-num3ric camelCase plus $pecial character$ here – is exceptionally hard to crack. In reality many users use panels – not least of all the WordPress Dashboard – as well as the terminal, diminishing risks with a healthy mix of methods covered on this site.
Check for unauthorized logins
When logging into a server, make a habit of checking that it was you who last logged in, or else the support guy if you needed help. With the terminal and panels there's usually a “Last login from” notification with an IP address alongside, hopefully yours.
If you suspect a breach then change any associated passwords such as for your site, database, e-mail and any server panel logins, cover the salient steps in Disaster Recovery, and closely monitor the logs for your site and server. What fun.
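The "Last login from" check only shows the most recent session. As an added example, not part of the original article, the function below goes through the whole login history and prints every remote login from an address you don't recognise. It assumes the column layout of `last -i`; the name `unknown_logins`, the sample records and the addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): list remote logins whose
# source address is not on your own known-good list.

# Constructed sample in the column layout of `last -i`:
# user, terminal, source IP, login time. Addresses are documentation ranges.
sample_last() {
cat <<'EOF'
alice    pts/0        203.0.113.10     Mon Mar  4 09:12   still logged in
alice    pts/1        198.51.100.77    Sun Mar  3 23:41 - 23:58  (00:17)
support  pts/0        192.0.2.25       Sat Mar  2 14:05 - 14:30  (00:25)
reboot   system boot  0.0.0.0          Sat Mar  2 13:59   still running

wtmp begins Fri Mar  1 00:00:01 2024
EOF
}

# unknown_logins IP [IP ...]
# Reads `last -i` style records on stdin and prints "user ip login-time"
# for every remote login whose address is not among the arguments.
unknown_logins() {
    awk -v known=" $* " '
        NF < 4 || $1 == "reboot" || $1 == "wtmp" { next }  # not a login record
        $3 == "0.0.0.0" { next }                           # local console login
        index(known, " " $3 " ") == 0 { print $1, $3, $4, $5, $6, $7 }
    '
}

# Demo on the constructed sample; on a real server: last -i | unknown_logins <your IPs>
sample_last | unknown_logins 203.0.113.10 192.0.2.25
```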
Understanding the terminal
There are some core topics that you need to know to get the most from CLI use. For subjects that are not directly security-related there are tutorials at wpCop's sister site, vpsBible, a site dedicated to setting up and maintaining a darned decent web server.
The bashrc file allows us to swap complex commands with shortcut aliases, so we can execute a task with a few keystrokes. This file is super-handy and makes the terminal far more friendly:
Otherwise, check out the Linux links on the Server Security Resources page for some helpful sites.
Elevating to superuser permissions
If your hosting plan allows you privileged user access, then to execute many commands you will need to elevate your regular user rights to those of a superuser or the root user. This is rather like what happens in Windows Vista (and beyond) where one has to confirm a system-changing configuration.
To do this with Linux we prefix our commands with the sudo directive and, when prompted, provide the user password:
You can also assume root to execute privileged actions, for example like this:
Having given your password you can do anything, so be careful. You have assumed root and so need not now prefix commands with sudo. Revert back to normal as soon as possible:
From the terminal to a control panel
Cool beans. That's enough about the terminal, for now.
For those who've advanced beyond shared web hosting, let's install Webmin, a really decent and massively modular control panel that helps manage the server with a GUI alternative. And it costs absolutely diddly-squat. Hurrah.