Access Restrictions

306 bytes added, 9 years ago
==Dedicated/VPS Hosting==
<ol>
<li>
'''Password Management''' is the core of any security strategy. For dedicated and VPS hosting options, there are several modes of control that an administrator can apply.
<ol>
<li>
Enforce strong passwords - a strong password should contain upper and lower case characters, numbers and special characters, and should be long: greater than 20 characters. It is also possible to prevent the reuse of previous passwords. On Linux systems the following PAM line can be used to force complex passwords for users:
<pre>
password required pam_cracklib.so minlen=12 lcredit=1 ucredit=1 dcredit=2 ocredit=1
</pre>
Note that a positive credit value in pam_cracklib is only a maximum credit that characters of that class earn towards minlen; to require at least one character of a class, the value must be negative (for example ucredit=-1). For more detail, refer to the guide [http://www.linux-faqs.info/security/force-strong-passwords Force strong passwords].
</li>
<li>
Use password aging: the chage command on Linux servers allows checking of password age per user and setting of password aging parameters (see this [http://linoxide.com/linux-command/password-expire-chage-command/ tutorial on chage]).
</li>
<li>
Failed login attempts should result in the locking of the associated user account. On Linux systems, the faillog command can be used to check failures and to set failure limits. For more details see [http://www.cyberciti.biz/tips/rhel-centos-fedora-linux-log-failed-login.html Faillog].
</li>
<li>
Use password management software - a tool such as Keepass, or KeepassX for Linux and Mac, allows users to easily generate, store and manage complex, difficult-to-crack passwords. Refer to this guide for details on [https://securityinabox.org/en/keepass_main Keepass].
</li>
</ol>
</li>
<li>
Private keys should be used for SSH login access. The following guide gives details on generating and setting up public/private keys for SSH login: [http://support.suso.com/supki/SSH_Tutorial_for_Linux SSH tutorial].
</li>
<li>
File permissions should be restricted for critical files. Users should only be allowed access to files relevant to their work. Execution as root should be restricted. See this discussion of [http://www.linux.com/learn/tutorials/309527-understanding-linux-file-permissions Linux file permissions].
</li>
</ol>
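As an added example that is not part of the original page, the following shell script audits the password-aging fields that chage manages, reading /etc/shadow-style records and reporting accounts whose password never expires, is older than its maximum age, or is empty. The records, the policy limit of 90 days and the "today" value (day 16760 since 1970-01-01) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original wiki page: audit password aging using the
# /etc/shadow fields that chage reads and writes.
# Record layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is in days since 1970-01-01, the same unit chage -l converts to dates.

# Constructed sample records (not real accounts). A hash field starting with
# "!" or "*" marks a locked account; an empty hash field means no password at all.
SAMPLE_SHADOW='root:$6$examplehash:16400:0:99999:7:::
alice:$6$examplehash:16700:0:90:7:::
bob:$6$examplehash:16000:0:90:7:::
svc_backup:!:16300:0:99999:7:::
carol::16750:0:90:7:::'

# audit_shadow TODAY_IN_DAYS [POLICY_MAX_DAYS]
# Reads shadow records on stdin and prints "<user> <finding>" per problem:
#   EMPTY_PASSWORD   - account can log in with no password
#   NO_MAX_AGE       - max age unset or 99999, so the password never expires
#   MAX_AGE_TOO_LONG - max age set but longer than the policy allows (default 90)
#   EXPIRED          - password is older than its own max age
# Locked accounts are skipped: there is no password to age.
audit_shadow() {
    awk -F: -v today="$1" -v limit="${2:-90}" '
        $1 == "" { next }
        $2 ~ /^[!*]/ { next }
        $2 == "" { print $1, "EMPTY_PASSWORD"; next }
        $5 == "" || $5 + 0 >= 99999 { print $1, "NO_MAX_AGE"; next }
        $5 + 0 > limit + 0 { print $1, "MAX_AGE_TOO_LONG"; next }
        $3 != "" && today - $3 > $5 + 0 { print $1, "EXPIRED"; next }
    '
}

# Number of findings for the sample data on a given day, so the result can be
# checked rather than only read.
count_findings() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow "$1" | wc -l | tr -d ' '
}

# Sample run with a constructed "today" of day 16760: reports root, bob and carol.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 16760
```

On a live system the same function runs as root against the real file with `audit_shadow "$(( $(date +%s) / 86400 ))" < /etc/shadow`.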
 
==Shared Hosting==
<ol>
<li>
For shared hosting, password management is a core defence against attack. The administrator password should fit the criteria above for a strong password: long, with varied characters and containing no dictionary words.
As above, [https://securityinabox.org/en/keepass_main Keepass] can be used to generate and store a complex admin password. This has the secondary advantage of limiting access to the admin password to those who are trusted with the Keepass store.
</li>
<li>
'''Restrict IP addresses'''
Depending on what version of cPanel your provider offers, it is possible to lock down access via the [http://docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/DenyAccess Host Access Control] option. This allows you to limit access to very specific IP addresses.
</li>
</ol>