{"id":21347,"date":"2018-04-05T11:05:13","date_gmt":"2018-04-05T09:05:13","guid":{"rendered":"https:\/\/hetzner.co.za\/help-centre\/?p=21347"},"modified":"2026-05-28T14:08:54","modified_gmt":"2026-05-28T12:08:54","slug":"security-and-reliability","status":"publish","type":"post","link":"https:\/\/xneelo.co.za\/help-centre\/products-and-services\/security-and-reliability\/","title":{"rendered":"Security and Reliability"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Our motto of <strong>Trusted in Hosting<\/strong> drives all that we do at xneelo. Scrutinised and well-considered security processes are a critical part of delivering a successful product to our customers.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This document aims to provide information and reassurance regarding the appropriate technical and organisational measures we have in place to protect our customers\u2019 data and intellectual property<\/span> <span style=\"font-weight: 400;\">and should be read in conjunction with our <\/span><a href=\"https:\/\/xneelo.co.za\/legal\/terms-of-service\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">terms of service<\/span><\/a><span style=\"font-weight: 400;\"> and <\/span><a href=\"https:\/\/xneelo.co.za\/legal\/privacy-policy\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">privacy policy<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We don\u2019t provide individual audits or highly detailed information regarding security queries for our web hosting and dedicated server product range.\u00a0<\/span><\/p>\n<h2>Physical security<\/h2>\n<h3>Location<\/h3>\n<p><span style=\"font-weight: 400;\">We house servers in data centres across two locations: <strong>Samrand<\/strong> (Gauteng) and\u00a0<strong>Cape Town.<\/strong>\u00a0Colocation hosting is only offered in our Samrand 
facility.<\/span><\/p>\n<h3>Surveillance<\/h3>\n<p><span style=\"font-weight: 400;\">The Samrand Data Centre uses 45 internal and external surveillance cameras, as well as 10 perimeter cameras, which are strategically placed and monitored around the clock to ensure that all servers remain off-limits to anyone without security clearance. High-voltage security fences and a 24\/7 security presence help to deter any opportunistic crimes.<\/span><\/p>\n<h3>Access control<\/h3>\n<p><span style=\"font-weight: 400;\">Customers, employees and contractors have varying levels of authorised access to different areas of our facility, controlled by high-tech biometric scanning systems, with 20 devices and pin-coded keypads.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Colocation customers have 24\/7 <\/span><a href=\"https:\/\/xneelo.co.za\/help-centre\/products-and-services\/dc-access-colocation\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">unattended access<\/span><\/a><span style=\"font-weight: 400;\"> to their POD and a unique pin to each of their racks.<\/span><\/p>\n<h3>Fire prevention<\/h3>\n<p><span style=\"font-weight: 400;\">The facility is custom-designed for low fire risk, with a Very Early Smoke Detection Apparatus (VESDA) installed to trigger alarms at even the slightest hint of smoke particles. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">There are no flammable materials present in the \u2018white space\u2019 in the Data Centre and all cabling is fire-retardant. <\/span><\/p>\n<h3>Power outages<\/h3>\n<p><span style=\"font-weight: 400;\">An 11kV power supply from the municipal power utility energises a fault-tolerant, medium-voltage ring that powers two separate low-voltage 2MVA energy centres. These A- and B feeds power mission-critical infrastructure such as IT load, air conditioning, security systems and emergency lighting. 
They provide seamless electrical failover with their own emergency backup power systems in the event of a power failure.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We have on-site fuel storage sufficient to run our generators for 3 days continuously. Our UPSs provide always-on power, with battery standby time of 30 minutes.<\/span><\/p>\n<h3>Connectivity<\/h3>\n<p><span style=\"font-weight: 400;\">Our network is multi-homed with multiple uplinks per data centre via at least two Tier 1 upstream providers and peering partners. Should a network failure occur, traffic is automatically rerouted via alternate uplinks, significantly increasing our network resilience.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Connectivity is provided through diverse, redundant fibre routes connecting the facility to a 10Gbps fibre ring.<\/span><\/p>\n<h3>Network security<\/h3>\n<p><span style=\"font-weight: 400;\">Network level security consists of three main components:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">DDoS mitigation<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">VLAN reverse path forwarding protection<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Juniper firewall rules at the network edge and core<\/span><\/li>\n<\/ul>\n<h2>DDoS mitigation<\/h2>\n<p><span style=\"font-weight: 400;\">A DDoS detection and mitigation system is deployed in both the Cape Town and Samrand Data Centres. DDoS attack traffic is diverted to a filter\/scrubbing server that can distinguish between valid and malicious traffic. Malicious traffic is scrubbed off while valid traffic is re-injected into the network. The victim IP is not affected during the DDoS attack. 
DDoS detection and mitigation is fully automated and traffic diversion occurs automatically.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Small DDoS attacks are scrubbed locally in the data centre by the mitigation system. For larger attacks, traffic is diverted to an international DDoS mitigation provider which then sends the clear traffic on to South Africa.<\/span><\/p>\n<h2>VLAN Reverse path forwarding protection<\/h2>\n<p><span style=\"font-weight: 400;\">Reverse path forwarding protection is enabled for all VLANs in our data centres. This policy ensures that only the subnets allocated to a VLAN can generate traffic for that VLAN. This helps to mitigate two kinds of malicious traffic:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Source-spoofed traffic where a host is sending out traffic for subnets that do not belong to the VLAN.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Inter-VLAN subnet spoofing, where a host in one VLAN uses IP addresses from another VLAN using source-spoofing.<\/span><\/li>\n<\/ul>\n<h2>Juniper firewall rules<\/h2>\n<p><span style=\"font-weight: 400;\">Firewall rules on the data centre network edge and at the core are used to protect the network in a number of ways:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Rate-limiting of certain protocols to protect the network infrastructure.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Blocking of certain protocols and destination IP addresses to protect our operational systems.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Restricting access to certain hosts and protocols to defined lists of source addresses.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Blocking of abusive IP addresses and hosts.<\/span><\/li>\n<\/ul>\n<h2>Monitoring<\/h2>\n<p><span 
style=\"font-weight: 400;\">All servers managed by us are monitored 24\/7 for all critical services and hardware health. Our reactive system administrators react to monitoring alerts as they are identified and escalate issues to data centre staff or platform engineers.<\/span><\/p>\n<h3>Platform security<\/h3>\n<h4>Servers<\/h4>\n<p><span style=\"font-weight: 400;\">All servers used to provide our managed hosting service, both for shared web hosting and managed servers are <strong>physical servers exclusively provisioned and managed by us<\/strong>. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Our Self-Managed Servers are provisioned by us, while the software is maintained by the customer.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Servers are designed to provide <strong>redundancy and reliability<\/strong>, including multi-core, multi-CPU systems, ECC (Error-Correcting Code) memory modules to detect and correct data corruption in real-time and enterprise grade storage that includes hard disk and solid state drives.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">All data is stored on dedicated, robust RAID storage arrays providing data redundancy and integrity. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Additionally, our TruServ Commerce range of Self-Managed servers include a Battery Backup Unit (BBU) which protects and maintains the data on RAID cards.<\/span><\/p>\n<h4>Security response policy<\/h4>\n<p><span style=\"font-weight: 400;\">All relevant <strong>security advisories<\/strong> are evaluated weekly. 
We make use of <strong>Debian Linux<\/strong> and trust their <a href=\"https:\/\/www.debian.org\/security\/\" target=\"_blank\" rel=\"noopener noreferrer\">security response<\/a> <\/span><span style=\"font-weight: 400;\">to all <a href=\"https:\/\/cve.mitre.org\" target=\"_blank\" rel=\"noopener noreferrer\">CVEs<\/a><\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">Note: Debian is a slow moving distribution, which means that versioning misinterpretation regarding security vulnerabilities may occur when looking at the output of a typical automated security scan. Debian don&#8217;t upgrade major versions for any releases once they move into the stable release phase, but they do apply security patches. Therefore it may appear that the old stable release of Debian is running an insecure version of certain software packages e.g. OpenSSL (1.0.1t-1). However, once the Debian patch version is applied (1.0.1t-1+deb7u3), the vulnerability is addressed. This indicates the Debian maintainers&#8217; ongoing commitment to patching security-related issues on all supported versions of Debian.<\/span><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">We are committed to updating all software to the latest stable versions within 7 days of their release, and within 24 hours for critical software updates.<\/span><\/p>\n<h4>Remote access<\/h4>\n<p><span style=\"font-weight: 400;\">Access to managed servers is limited by means of Linux firewall software. All managed servers make use of the same incoming firewall rules and we do not allow any deviation from the standard rulesets.<\/span><\/p>\n<h4>Backups<\/h4>\n<p><span style=\"font-weight: 400;\">All our Managed Servers (i.e. Web hosting and Managed Servers) are automatically backed up in the early hours of the morning. 
The backup includes all critical data required for disaster recovery.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Backups are made of the user\u2019s home directory as well as databases. The user\u2019s home directory will include site content, web logs and any mail that was on the server at the time that backup was completed.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Customers can restore up to the previous 2 weeks of backup data via the control panel. Please note that we do not guarantee backups. If you have critical data that you cannot afford to lose in the event of a disaster, keep a copy of your data locally (or at an alternate location) as well.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Logs (such as FTP, web server and mail logs) are normally kept for 60 days.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Due to the large scale of our Web hosting and Managed server hosting environment, our backup and restore process is effectively tested on a daily basis.<\/span><\/p>\n<h3>Software development<\/h3>\n<p><span style=\"font-weight: 400;\"><strong>Stack<\/strong>: We have a strong focus on open source technologies and mainly use PHP and Ruby as our backend languages. Our frontend stack consists of HTML\/HTML5, CSS\/CSS3 and various JavaScript frameworks. We use varying database technologies including MySQL, MariaDB and Postgres <b>across different platform components<\/b>. To see what&#8217;s available on our Managed hosting offering refer to our article: <a href=\"https:\/\/xneelo.co.za\/help-centre\/products-and-services\/software\/\" target=\"_blank\" rel=\"noopener\">Software used on xneelo servers<\/a>.<\/span><\/p>\n<p><span style=\"font-weight: 400;\"><strong>Coding Practices<\/strong>: We follow an Agile development methodology and use best practices and industry-standard secure coding guidelines to ensure security is always top of mind. 
External penetration testing providers are used to validate that we are secure.<\/span><\/p>\n<h3>Antivirus<\/h3>\n<p><span style=\"font-weight: 400;\">All servers (which are Linux-based) run anti-malware software, which is updated as new virus definitions are released. Servers are scanned daily. <\/span><\/p>\n<h3>User passwords<\/h3>\n<p><span style=\"font-weight: 400;\">All customer passwords are stored in a one-way hashed format. We are not able to retrieve any passwords. Due to the broad technology implementation across our hosting software and platform, we employ a number of different password hashing algorithms, e.g. bcrypt and SHA-512. We implement industry-standard practices for mitigating various password cracking methods, e.g.:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Password salts to mitigate rainbow table attacks<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Multiple password hashing rounds (key stretching) to greatly slow down brute-force attacks<\/span><\/li>\n<\/ul>\n<h2>Mail security<\/h2>\n<p><span style=\"font-weight: 400;\">SSL is used for POP, IMAP and SMTP protocols for email, resulting in data encryption between our server and customers\u2019 mail programmes. 
<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The use of strong passwords is enforced when creating or editing mailboxes via the mail admin tool.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The following measures are used to mitigate spam and malware:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Anti-virus and anti-spam scanning occur on all inbound and outbound email.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Common malicious file extensions are blocked for both inbound and outbound email.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Known malicious IP addresses are blocked by our firewall for incoming email.<\/span><\/li>\n<\/ul>\n<h2>Fail2ban<\/h2>\n<p><a href=\"https:\/\/www.fail2ban.org\/wiki\/index.php\/Main_Page\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Fail2ban<\/span><\/a><span style=\"font-weight: 400;\"> is an intrusion prevention software that scans log files and blocks any IP addresses that have been identified as malicious. This is just one of the measures we take to help prevent Brute Force password attacks against mailboxes and Content Management Systems (CMS) like WordPress and Joomla.<\/span><\/p>\n<h3>Web Application Firewalls (WAF)<\/h3>\n<h4>ModSecurity<\/h4>\n<p><a href=\"https:\/\/xneelo.co.za\/insights\/modsecurity-helping-keep-your-site-safe-behind-the-scenes\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">ModSecurity<\/span><\/a><span style=\"font-weight: 400;\"> is active on all our Web Hosting packages and our Managed Dedicated Servers. 
It acts like a shield between your website and the internet, offering an additional layer of protection, which makes it harder for malicious attackers to gain unauthorised access to your website.\u00a0<\/span><\/p>\n<h4>Cloudbric WAF<\/h4>\n<p><a href=\"https:\/\/xneelo.co.za\/cloudbric\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Cloudbric WAF<\/span><\/a><span style=\"font-weight: 400;\">\u00a0is an advanced, enterprise-grade web application firewall that shields your website and website applications (like WordPress) against hackers. It guards against suspicious and malicious website traffic, which specifically looks for opportunities to exploit weaknesses in your website\u2019s code.<\/span><\/p>\n<h4>IP Reputation System<\/h4>\n<p><span style=\"font-weight: 400;\">Our IP Reputation System contains a list of known \u2018bad\u2019 IP addresses which is frequently updated. This list is regularly sent to all of the servers on our hosting platform, ensuring any traffic from these IP addresses is blocked by the server firewalls.\u00a0<\/span><\/p>\n<h4>Data protection<\/h4>\n<p><a href=\"https:\/\/xneelo.co.za\/legal\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Data protection<\/span><\/a><span style=\"font-weight: 400;\"> includes security and is a related topic.<\/span><\/p>\n<h4>Payment Data Security<\/h4>\n<p><span style=\"font-weight: 400;\">Credit\/debit card purchases for our services are processed by the third-party vendor, DPO.<\/span><span style=\"font-weight: 400;\">\u00a0No credit\/debit card information is submitted via our website or stored on any of our systems.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Banking details used for debit order instructions are secured by various authentication measures and system firewalls.<\/span><\/p>\n<h2>Other<\/h2>\n<h3>Incident response<\/h3>\n<p><span style=\"font-weight: 400;\">We have good incident response plans, procedures, and practices in place 
which means we respond to incidents or data breaches quickly and effectively. <\/span><\/p>\n<h3>Trust and Safety team<\/h3>\n<p><span style=\"font-weight: 400;\">Our dedicated team of Trust and Safety analysts monitor the hosting platform for any form of abuse such as compromised websites and mailboxes, network abuse and phishing attacks and take swift remedial steps. They also contribute towards adapting our systems to current trends in spam to ensure that our spam filtering service is effective.<\/span><\/p>\n<h3>Accreditation<\/h3>\n<p><span style=\"font-weight: 400;\">We have not undertaken the SOC 2 or ISO 27001 accreditation, though we fully support the Trust Service Principles (TSP) of security, availability, processing integrity, confidentiality, and privacy. We commit to security best business practices and continuous improvement.<\/span><\/p>\n<h2>Customer responsibilities<\/h2>\n<p><span style=\"font-weight: 400;\">While we care for the hosting infrastructure including the network and servers, it is our customers&#8217; responsibility to keep their data and hosting account secure. 
<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use secure passwords and store them safely<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Ensure sufficient security for your web applications<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Ensure that CMS\u2019 and plugins are always kept up-to-date<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Self-Managed customers need to administer and security patch their own OS and applications, firewalls, etc as we are responsible for the hardware and they are responsible for their software.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">We remain committed to providing a reliable hosting service to businesses that are serious about uptime, 24\/7 technical support,\u00a0and are looking to benefit from evolving technologies.<\/span><\/p>\n","protected":false,"plain":"<span >Our motto of <strong>Trusted in Hosting<\/strong> drives all that we do at xneelo. 
Scrutinised and well-considered security processes are a critical part of delivering a successful product to our customers.<\/span>\r\n\r\n<span >This document aims to provide information and reassurance regarding the appropriate technical and organisational measures we have in place to protect our customers\u2019 data and intellectual property<\/span> <span >and should be read in conjunction with our <\/span><a href=\"https:\/\/xneelo.co.za\/legal\/terms-of-service\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span >terms of service<\/span><\/a><span > and <\/span><a href=\"https:\/\/xneelo.co.za\/legal\/privacy-policy\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span >privacy policy<\/span><\/a><span >.<\/span>\r\n\r\n<span >We don\u2019t provide individual audits or highly detailed information regarding security queries for our web hosting and dedicated server product range.\u00a0<\/span>\r\n<h2>Physical security<\/h2>\r\n<h3>Location<\/h3>\r\n<span >We house servers in data centres across two locations: <strong>Samrand<\/strong> (Gauteng) and\u00a0<strong>Cape Town.<\/strong>\u00a0Colocation hosting is only offered in our Samrand facility.<\/span>\r\n<h3>Surveillance<\/h3>\r\n<span >The Samrand Data Centre uses 45 internal and external surveillance cameras, as well as 10 perimeter cameras, which are strategically placed and monitored around the clock to ensure that all servers remain off-limits to anyone without security clearance. 
High-voltage security fences and a 24\/7 security presence help to deter any opportunistic crimes.<\/span>\r\n<h3>Access control<\/h3>\r\n<span >Customers, employees and contractors have varying levels of authorised access to different areas of our facility, controlled by high-tech biometric scanning systems, with 20 devices and pin-coded keypads.<\/span>\r\n\r\n<span >Colocation customers have 24\/7 <\/span><a href=\"https:\/\/xneelo.co.za\/help-centre\/products-and-services\/dc-access-colocation\/\" target=\"_blank\" rel=\"noopener\"><span >unattended access<\/span><\/a><span > to their POD and a unique pin to each of their racks.<\/span>\r\n<h3>Fire prevention<\/h3>\r\n<span >The facility is custom-designed for low fire risk, with a Very Early Smoke Detection Apparatus (VESDA) installed to trigger alarms at even the slightest hint of smoke particles. <\/span>\r\n\r\n<span >There are no flammable materials present in the \u2018white space\u2019 in the Data Centre and all cabling is fire-retardant. <\/span>\r\n<h3>Power outages<\/h3>\r\n<span >An 11kV power supply from the municipal power utility energises a fault-tolerant, medium-voltage ring that powers two separate low-voltage 2MVA energy centres. These A- and B feeds power mission-critical infrastructure such as IT load, air conditioning, security systems and emergency lighting. They provide seamless electrical failover with their own emergency backup power systems in the event of a power failure.<\/span>\r\n\r\n<span >We have on-site fuel storage sufficient to run our generators for 3 days continuously. Our UPSs provide always-on power, with battery standby time of 30 minutes.<\/span>\r\n<h3>Connectivity<\/h3>\r\n<span >Our network is multi-homed with multiple uplinks per data centre via at least two Tier 1 upstream providers and peering partners. 
Should a network failure occur, traffic is automatically rerouted via alternate uplinks, significantly increasing our network resilience.<\/span>\r\n\r\n<span >Connectivity is provided through diverse, redundant fibre routes connecting the facility to a 10Gbps fibre ring.<\/span>\r\n<h3>Network security<\/h3>\r\n<span >Network level security consists of three main components:<\/span>\r\n<ul>\r\n \t<li ><span >DDoS mitigation<\/span><\/li>\r\n \t<li ><span >VLAN reverse path forwarding protection<\/span><\/li>\r\n \t<li ><span >Juniper firewall rules at the network edge and core<\/span><\/li>\r\n<\/ul>\r\n<h2>DDoS mitigation<\/h2>\r\n<span >A DDoS detection and mitigation system is deployed in both the Cape Town and Samrand Data Centres. DDoS attack traffic is diverted to a filter\/scrubbing server that can distinguish between valid and malicious traffic. Malicious traffic is scrubbed off while valid traffic is re-injected into the network. The victim IP is not affected during the DDoS attack. DDoS detection and mitigation is fully automated and traffic diversion occurs automatically.<\/span>\r\n\r\n<span >Small DDoS attacks are scrubbed locally in the data centre by the mitigation system. For larger attacks, traffic is diverted to an international DDoS mitigation provider which then sends the clear traffic on to South Africa.<\/span>\r\n<h2>VLAN Reverse path forwarding protection<\/h2>\r\n<span >Reverse path forwarding protection is enabled for all VLANs in our data centres. This policy ensures that only the subnets allocated to a VLAN can generate traffic for that VLAN. 
This helps to mitigate two kinds of malicious traffic:<\/span>\r\n<ul>\r\n \t<li ><span >Source-spoofed traffic where a host is sending out traffic for subnets that do not belong to the VLAN.<\/span><\/li>\r\n \t<li ><span >Inter-VLAN subnet spoofing, where a host in one VLAN uses IP addresses from another VLAN using source-spoofing.<\/span><\/li>\r\n<\/ul>\r\n<h2>Juniper firewall rules<\/h2>\r\n<span >Firewall rules on the data centre network edge and at the core are used to protect the network in a number of ways:<\/span>\r\n<ul>\r\n \t<li ><span >Rate-limiting of certain protocols to protect the network infrastructure.<\/span><\/li>\r\n \t<li ><span >Blocking of certain protocols and destination IP addresses to protect our operational systems.<\/span><\/li>\r\n \t<li ><span >Restricting access to certain hosts and protocols to defined lists of source addresses.<\/span><\/li>\r\n \t<li ><span >Blocking of abusive IP addresses and hosts.<\/span><\/li>\r\n<\/ul>\r\n<h2>Monitoring<\/h2>\r\n<span >All servers managed by us are monitored 24\/7 for all critical services and hardware health. Our reactive system administrators react to monitoring alerts as they are identified and escalate issues to data centre staff or platform engineers.<\/span>\r\n<h3>Platform security<\/h3>\r\n<h4>Servers<\/h4>\r\n<span >All servers used to provide our managed hosting service, both for shared web hosting and managed servers are <strong>physical servers exclusively provisioned and managed by us<\/strong>. 
<\/span>\r\n\r\n<span >Our Self-Managed Servers are provisioned by us, while the software is maintained by the customer.<\/span>\r\n\r\n<span >Servers are designed to provide <strong>redundancy and reliability<\/strong>, including multi-core, multi-CPU systems, ECC (Error-Correcting Code) memory modules to detect and correct data corruption in real-time and enterprise grade storage that includes hard disk and solid state drives.<\/span>\r\n\r\n<span >All data is stored on dedicated, robust RAID storage arrays providing data redundancy and integrity. <\/span>\r\n\r\n<span >Additionally, our TruServ Commerce range of Self-Managed servers include a Battery Backup Unit (BBU) which protects and maintains the data on RAID cards.<\/span>\r\n<h4>Security response policy<\/h4>\r\n<span >All relevant <strong>security advisories<\/strong> are evaluated weekly. We make use of <strong>Debian Linux<\/strong> and trust their <a href=\"https:\/\/www.debian.org\/security\/\" target=\"_blank\" rel=\"noopener noreferrer\">security response<\/a> <\/span><span >to all <a href=\"https:\/\/cve.mitre.org\" target=\"_blank\" rel=\"noopener noreferrer\">CVEs<\/a><\/span><span >.<\/span>\r\n<blockquote><span >Note: Debian is a slow moving distribution, which means that versioning misinterpretation regarding security vulnerabilities may occur when looking at the output of a typical automated security scan. Debian don't upgrade major versions for any releases once they move into the stable release phase, but they do apply security patches. Therefore it may appear that the old stable release of Debian is running an insecure version of certain software packages e.g. OpenSSL (1.0.1t-1). However, once the Debian patch version is applied (1.0.1t-1+deb7u3), the vulnerability is addressed. 
This indicates the Debian maintainers' ongoing commitment to patching security-related issues on all supported versions of Debian.<\/span><\/blockquote>\r\n<span >We are committed to updating all software to the latest stable versions within 7 days of their release, and within 24 hours for critical software updates.<\/span>\r\n<h4>Remote access<\/h4>\r\n<span >Access to managed servers is limited by means of Linux firewall software. All managed servers make use of the same incoming firewall rules and we do not allow any deviation from the standard rulesets.<\/span>\r\n<h4>Backups<\/h4>\r\n<span >All our Managed Servers (i.e. Web hosting and Managed Servers) are automatically backed up in the early hours of the morning. The backup includes all critical data required for disaster recovery.<\/span>\r\n\r\n<span >Backups are made of the user\u2019s home directory as well as databases. The user\u2019s home directory will include site content, web logs and any mail that was on the server at the time that backup was completed.<\/span>\r\n\r\n<span >Customers can restore up to the previous 2 weeks of backup data via the control panel. Please note that we do not guarantee backups. If you have critical data that you cannot afford to lose in the event of a disaster, keep a copy of your data locally (or at an alternate location) as well.<\/span>\r\n\r\n<span >Logs (such as FTP, web server and mail logs) are normally kept for 60 days.<\/span>\r\n\r\n<span >Due to the large scale of our Web hosting and Managed server hosting environment, our backup and restore process is effectively tested on a daily basis.<\/span>\r\n<h3>Software development<\/h3>\r\n<span ><strong>Stack<\/strong>: We have a strong focus on open source technologies and mainly use PHP and Ruby as our backend languages. Our frontend stack consists of HTML\/HTML5, CSS\/CSS3 and various JavaScript frameworks. 
We use varying database technologies including MySQL, MariaDB and Postgres <b>across different platform components<\/b>. To see what's available on our Managed hosting offering refer to our article: <a href=\"https:\/\/xneelo.co.za\/help-centre\/products-and-services\/software\/\" target=\"_blank\" rel=\"noopener\">Software used on xneelo servers<\/a>.<\/span>\r\n\r\n<span ><strong>Coding Practices<\/strong>: We follow an Agile development methodology and use best practices and industry-standard secure coding guidelines to ensure security is always top of mind. External penetration testing providers are used to validate that we are secure.<\/span>\r\n<h3>Antivirus<\/h3>\r\n<span >All servers (which are Linux-based) run anti-malware software, which is updated as new virus definitions are released. Servers are scanned daily. <\/span>\r\n<h3>User passwords<\/h3>\r\n<span >All customer passwords are stored in a one-way hashed format. We are not able to retrieve any passwords. Due to the broad technology implementation across our hosting software and platform, we employ a number of different password hashing algorithms, e.g. bcrypt and SHA-512. We implement industry-standard practices for mitigating various password cracking methods, e.g.:<\/span>\r\n<ul>\r\n \t<li ><span >Password salts to mitigate rainbow table attacks<\/span><\/li>\r\n \t<li ><span >Multiple password hashing rounds (key stretching) to greatly slow down brute-force attacks<\/span><\/li>\r\n<\/ul>\r\n<h2>Mail security<\/h2>\r\n<span >SSL is used for POP, IMAP and SMTP protocols for email, resulting in data encryption between our server and customers\u2019 mail programmes. 
<\/span>\r\n\r\n<span >The use of strong passwords is enforced when creating or editing mailboxes via the mail admin tool.<\/span>\r\n\r\n<span >The following measures are used to mitigate spam and malware:<\/span>\r\n<ul>\r\n \t<li ><span >Anti-virus and anti-spam scanning occur on all inbound and outbound email.<\/span><\/li>\r\n \t<li ><span >Common malicious file extensions are blocked for both inbound and outbound email.<\/span><\/li>\r\n \t<li ><span >Known malicious IP addresses are blocked by our firewall for incoming email.<\/span><\/li>\r\n<\/ul>\r\n<h2>Fail2ban<\/h2>\r\n<a href=\"https:\/\/www.fail2ban.org\/wiki\/index.php\/Main_Page\" target=\"_blank\" rel=\"noopener\"><span >Fail2ban<\/span><\/a><span > is an intrusion prevention software that scans log files and blocks any IP addresses that have been identified as malicious. This is just one of the measures we take to help prevent Brute Force password attacks against mailboxes and Content Management Systems (CMS) like WordPress and Joomla.<\/span>\r\n<h3>Web Application Firewalls (WAF)<\/h3>\r\n<h4>ModSecurity<\/h4>\r\n<a href=\"https:\/\/xneelo.co.za\/insights\/modsecurity-helping-keep-your-site-safe-behind-the-scenes\/\" target=\"_blank\" rel=\"noopener\"><span >ModSecurity<\/span><\/a><span > is active on all our Web Hosting packages and our Managed Dedicated Servers. It acts like a shield between your website and the internet, offering an additional layer of protection, which makes it harder for malicious attackers to gain unauthorised access to your website.\u00a0<\/span>\r\n<h4>Cloudbric WAF<\/h4>\r\n<a href=\"https:\/\/xneelo.co.za\/cloudbric\/\" target=\"_blank\" rel=\"noopener\"><span >Cloudbric WAF<\/span><\/a><span >\u00a0is an advanced, enterprise-grade web application firewall that shields your website and website applications (like WordPress) against hackers. 
It guards against suspicious and malicious website traffic, which specifically looks for opportunities to exploit weaknesses in your website\u2019s code.<\/span>\r\n<h4>IP Reputation System<\/h4>\r\n<span >Our IP Reputation System contains a list of known \u2018bad\u2019 IP addresses which is frequently updated. This list is regularly sent to all of the servers on our hosting platform, ensuring any traffic from these IP addresses is blocked by the server firewalls.\u00a0<\/span>\r\n<h4>Data protection<\/h4>\r\n<a href=\"https:\/\/xneelo.co.za\/legal\/\" target=\"_blank\" rel=\"noopener\"><span >Data protection<\/span><\/a><span > includes security and is a related topic.<\/span>\r\n<h4>Payment Data Security<\/h4>\r\n<span >Credit\/debit card purchases for our services are processed by the third-party vendor, DPO.<\/span><span >\u00a0No credit\/debit card information is submitted via our website or stored on any of our systems.<\/span>\r\n\r\n<span >Banking details used for debit order instructions are secured by various authentication measures and system firewalls.<\/span>\r\n<h2>Other<\/h2>\r\n<h3>Incident response<\/h3>\r\n<span >We have good incident response plans, procedures, and practices in place which means we respond to incidents or data breaches quickly and effectively. <\/span>\r\n<h3>Trust and Safety team<\/h3>\r\n<span >Our dedicated team of Trust and Safety analysts monitor the hosting platform for any form of abuse such as compromised websites and mailboxes, network abuse and phishing attacks and take swift remedial steps. They also contribute towards adapting our systems to current trends in spam to ensure that our spam filtering service is effective.<\/span>\r\n<h3>Accreditation<\/h3>\r\n<span >We have not undertaken the SOC 2 or ISO 27001 accreditation, though we fully support the Trust Service Principles (TSP) of security, availability, processing integrity, confidentiality, and privacy. 
We commit to security best business practices and continuous improvement.<\/span>\r\n<h2>Customer responsibilities<\/h2>\r\n<span >While we care for the hosting infrastructure including the network and servers, it is our customers' responsibility to keep their data and hosting account secure. <\/span>\r\n<ul>\r\n \t<li ><span >Use secure passwords and store them safely<\/span><\/li>\r\n \t<li ><span >Ensure sufficient security for your web applications<\/span><\/li>\r\n \t<li ><span >Ensure that CMSs and plugins are always kept up-to-date<\/span><\/li>\r\n \t<li ><span >Self-Managed customers need to administer and apply security patches to their own OS, applications, firewalls, etc., as we are responsible for the hardware and they are responsible for their software.<\/span><\/li>\r\n<\/ul>\r\n<span >We remain committed to providing a reliable hosting service to businesses that are serious about uptime, 24\/7 technical support,\u00a0and are looking to benefit from evolving technologies.<\/span>"},"excerpt":{"rendered":"<p>Information regarding the responsible security measures we have in place to protect our customers\u2019 data and intellectual 
property.<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"lsx_disable_title":"0","_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","footnotes":""},"categories":[205],"tags":[23846,20740,18933,335],"topics":[10413,10377,10393],"class_list":["post-21347","post","type-post","status-publish","format-standard","hentry","category-products-and-services","tag-security-and-reliability","tag-cloudbric-waf","tag-waf","tag-tech-specs","topics-mail-security","topics-website-security","topics-products"],"acf":[],"additional_meta":{"category_title":[{"term_id":205,"name":"Products and Services","slug":"products-and-services","term_group":0,"term_taxonomy_id":205,"taxonomy":"category","description":"Products and Services provided by xneelo","parent":0,"count":93,"filter":"raw","term_order":"98","cat_ID":205,"category_count":93,"category_description":"Products and Services provided by xneelo","cat_name":"Products and Services","category_nicename":"products-and-services","category_parent":0}],"tag_title":[{"term_id":23846,"name":"Security and Reliability","slug":"security-and-reliability","term_group":0,"term_taxonomy_id":23846,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw","term_order":"200"},{"term_id":20740,"name":"cloudbric 
waf","slug":"cloudbric-waf","term_group":0,"term_taxonomy_id":20740,"taxonomy":"post_tag","description":"","parent":0,"count":10,"filter":"raw","term_order":"1218"},{"term_id":18933,"name":"waf","slug":"waf","term_group":0,"term_taxonomy_id":18933,"taxonomy":"post_tag","description":"","parent":0,"count":10,"filter":"raw","term_order":"1817"},{"term_id":335,"name":"tech specs","slug":"tech-specs","term_group":0,"term_taxonomy_id":335,"taxonomy":"post_tag","description":"","parent":0,"count":2,"filter":"raw","term_order":"2981"}]},"featured_image_src":null,"author_info":{"display_name":"marketing","author_link":"https:\/\/xneelo.co.za\/help-centre\/author\/marketing\/","author_avatar":"https:\/\/secure.gravatar.com\/avatar\/a6ea315e112423b2b955cb020fbce2b0835956c6ad85ff0f13f1db298977eaaa?s=96&d=mm&r=g"},"_links":{"self":[{"href":"https:\/\/xneelo.co.za\/help-centre\/wp-json\/wp\/v2\/posts\/21347","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xneelo.co.za\/help-centre\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xneelo.co.za\/help-centre\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xneelo.co.za\/help-centre\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/xneelo.co.za\/help-centre\/wp-json\/wp\/v2\/comments?post=21347"}],"version-history":[{"count":0,"href":"https:\/\/xneelo.co.za\/help-centre\/wp-json\/wp\/v2\/posts\/21347\/revisions"}],"wp:attachment":[{"href":"https:\/\/xneelo.co.za\/help-centre\/wp-json\/wp\/v2\/media?parent=21347"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xneelo.co.za\/help-centre\/wp-json\/wp\/v2\/categories?post=21347"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xneelo.co.za\/help-centre\/wp-json\/wp\/v2\/tags?post=21347"},{"taxonomy":"topics","embeddable":true,"href":"https:\/\/xneelo.co.za\/help-centre\/wp-json\/wp\/v2\/topics?post=21347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","temp
lated":true}]}}