Security How-To Guides on Webscale Product Documentation

Password Guidance

Mon, 01 Jan 0001 00:00:00 +0000

The Webscale Control Panel requires that you change your password every 90 days. A password must be at least 8 characters, and must contain at least one digit, one uppercase character, and one lowercase character. Webscale recommends using generated passwords and storing them in a secure password manager to avoid easy-to-guess passwords. Ensure that you do not use your Control Panel password for any other services.

Webscale recommends using Multi-Factor Authentication to provide an additional layer of protection to your access.

Security Monitoring

Mon, 01 Jan 0001 00:00:00 +0000

Security Monitoring is an add-on feature that allows for continuous monitoring of cloud resources for malicious activity. Potential security concerns are published to the Webscale Event Log where they can be reviewed and monitored in the Event Log Viewer.

Configuring Security Monitoring

In order to configure security monitoring, your account must be granted access to the Security Monitoring plan. Please contact Webscale Support if you need this feature enabled for your account.

Editing the Blocklist

Mon, 01 Jan 0001 00:00:00 +0000

Add IP addresses to the blocklist to block known-bad IPs from accessing the backend of your application. It’s also possible to add User-Agents to the blocklist by defining a pattern to match. You should add known-good IP addresses to the allowlist to allow them to access your application. For more information on adding IP addresses to the allowlist, see Editing the Allowlist .

Note

To follow these instructions, log into Webscale Control Panel and click the three vertical dots menu of the application box.

Editing the Allowlist

Mon, 01 Jan 0001 00:00:00 +0000

Add your local IP address to the Allowlist to ensure you always have access to the backend of your application. You should also add some IP addresses to the Blocklist to prevent them from accessing your application. You can find those instructions on Editing the Blocklist .

To follow these instructions, log into Webscale Control Panel and click the three vertical dots menu of the application box.

On the menu that appears, click Edit.

How to Configure Multi-Factor Authentication

Mon, 01 Jan 0001 00:00:00 +0000

Multi-factor authentication (MFA) is a way to help increase security by requiring users to authenticate with a device in addition to the standard username and password combination. Some examples of multi-factor authentication include SMS codes and authentication applications such as Google Authenticator or Authy. Multi-factor authentication on Webscale uses authentication applications only.

Configure multi-factor authentication (MFA)


	1. To enable multi-factor authentication yourself while logged in, visit your User Profile and click the Enable MFA button. Otherwise, if the role a user belongs to requires multi-factor authentication, it must be configured when the user initially logs in to the control panel. When they login, the user sees a QR code. Use the authenticator application on the device to scan this QR code. Some examples of authenticator applications are Google Authenticator, Authy, OnePassword, etc. Please refer to the software installation instructions for your specific device.
	2. Once the user scans the QR code, the authenticator application on the user’s device will generate a 6-digit code, called a One-Time Password (OTP). Enter the generated OTP into the text field on the control panel, and click the Verify button. To ensure the enrollment was done correctly, the user must confirm by entering their current password in the box that appears after entering the OTP.
	3. Multi-factor authentication for the user is now enabled. For future logins, the user must use the authenticator application on their device to generate an OTP after they’ve successfully authenticated with their password. Note that checking the box for Remember this browser will set a cookie so the MFA code is not needed again if you login from the same browser. Users follow a similar process, starting at the User Profile, to change or reset their multi-factor authentication application. The user must be able to login using their existing multi-factor authentication device to make changes. If the user changes devices or applications and cannot login, please Contact Support .

Troubleshooting

If the MFA token being generated is not validating and allowing the user to login, it’s possible the time settings for the user’s mobile device and computer do not match. The specifics for resolving this issue differ depending on the mobile device OS and the computer OS in use. Here are some helpful resources:

How to Use Webscale Secure Access

Mon, 01 Jan 0001 00:00:00 +0000

User Roles can be used as an action in an optional web control, called Webscale Secure Access, to protect sections of your application from the general internet. This increases security by ensuring that only users who you’ve invited and assigned to a role can access these sections. As an example, you can require users to use Webscale’s login form before accessing your website’s login form, and can enforce multi-factor authentication (MFA) for these users as well.

Enabling Bot IP Shield

Mon, 01 Jan 0001 00:00:00 +0000

Bot IP Shield is an add-on feature from Webscale that allows you to protect your application from known attack sources. Webscale has partnered with Webroot’s BrightCloud® IP Reputation Service to maintain IP reputation data that is updated every 5 minutes to reflect the latest attack sources.

After enabling this feature, configure shielding for the application that you want to protect. Then, create Web Controls to handle traffic from sources that you consider a threat. For example, you could configure the Web Control to deny requests from a request IP if it is a known threat.

How to Block Countries from Accessing Your Site

Mon, 01 Jan 0001 00:00:00 +0000

It’s possible to use a Web Control to block countries from accessing your application. This is done by using the Country of origin is... condition for the Web Control.

To follow these instructions, log into Webscale Control Panel and click the three vertical dots menu of the application box.

On the menu that appears, click Edit.

Create the Web Control

Click Web Controls on the menu. Then, click the Add A Web Control button to go to the Edit Web Control panel.

Installing SSL Certificates

Mon, 01 Jan 0001 00:00:00 +0000

E-commerce sites require encrypted connections to remain PCI complaint and accept credit card data. Encryption ensures secure transmission of credit card details, which prevents bad actors from intercepting the information. To encrypt connections for your website, you must have an SSL (TLS) certificate installed for your site. (“SSL” and “TLS” are widely-used acronyms for “Secure Sockets Layer” and “Transport Layer Security.” SSL is now deprecated. TLS is the successor of SSL.)

Troubleshooting and Researching a Security Breach

Mon, 01 Jan 0001 00:00:00 +0000

One of the most stressful things that can happen to an ecommerce business is to discover that your site has been hacked or otherwise compromised. Webscale offers protection to known attacks right out of the box, but there are additional steps you can take to increase the security of your site and prevent future attacks. These are accomplished through the usage of Web Controls. There are also some common steps you can take to find out if the site has already been compromised.