Can I Feel Secure On A Shared Server

Apr 29, 2008

I have a small reseller account, but all the domains are managed by myself. Security has not been a problem because the sites are simple, but now I have a need to deliver and receive private files. I know how to keep the website itself secure (writing my own sessions, using explicit variables, storing sensitive data outside of the web directories and that sort of stuff), but it is my 'neighbors' that bother me. If one of them gets hacked, or I get a bad neighbor sharing the server, I do not want them to have access to my files and passwords.

A few years ago I wrote a browsing script that I found out had the ability to escape my own area and roam freely around every area on the server, with unlimited access to every file. When I complained about it, the server admin said that I had nothing to worry about. When I pressed the issue I was told that nobody could invade my files because it was against the rules to go into other people's accounts. It turned out most server administrators left things open to eliminate scripting problems for their users, and there was really no way to lock down a server without breaking a lot of scripts. At the time I moved to a more secure server, but they eventually opened things up because of too many complaints and help requests.

Have things changed? Have they worked out the issues with shared servers? Is there a way to tell if my host has implemented proper safeguards (if any viable ones exist)?

View 14 Replies
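An added example, not part of the original post or its replies, of the kind of check the question asks for. Run from your own shell account it does two things: it lists the other ordinary accounts on the box (UID 1000 and up is an assumption about the host) and reports whether their home directories are traversable or even listable by an unrelated user, and it walks your own home for files any other local user could read. A host that has done its job shows the neighbours' homes as closed and lets your config files live at 600.

```python
import os
import pwd
import stat


def other_bits(path):
    """Return the 'other' permission flags (a subset of {'r','w','x'}) on path."""
    mode = os.lstat(path).st_mode
    flags = set()
    if mode & stat.S_IROTH:
        flags.add("r")
    if mode & stat.S_IWOTH:
        flags.add("w")
    if mode & stat.S_IXOTH:
        flags.add("x")
    return flags


def home_exposure(path):
    """Classify a home directory by what an unrelated local user can do with it.
    'traversable' (x only, e.g. 711): files inside can be opened by name.
    'listable'   (r and x, e.g. 755): the directory can also be enumerated.
    'closed'     (no x for other, e.g. 700): what you want to see."""
    bits = other_bits(path)
    if "x" in bits and "r" in bits:
        return "listable"
    if "x" in bits:
        return "traversable"
    return "closed"


def neighbour_homes(min_uid=1000):
    """Home directories of the other ordinary accounts, from the passwd database.
    min_uid=1000 is an assumption about where this host starts customer UIDs."""
    me = os.getuid()
    return sorted((p.pw_name, p.pw_dir) for p in pwd.getpwall()
                  if p.pw_uid >= min_uid and p.pw_uid != me)


def world_readable_files(root):
    """Regular files under root with the 'other' read bit set. Symlinks are
    not followed, so a link to a file outside root is not reported."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                found.append(path)
    return sorted(found)


if __name__ == "__main__":
    for name, home in neighbour_homes():
        try:
            print(f"{name:16} {home:32} {home_exposure(home)}")
        except OSError as exc:
            # Cannot even stat the directory: the parent is locked down, which is the good case.
            print(f"{name:16} {home:32} closed ({exc.strerror})")
    mine = os.path.expanduser("~")
    leaks = world_readable_files(mine)
    print(f"\n{len(leaks)} world-readable files under {mine}")
    for path in leaks[:20]:
        print("  ", path)
```

If a neighbour's home shows as "traversable" you can open any 644 file inside it whose path you can guess (config files of common scripts are easy to guess), which is exactly the exposure the post describes. A "listable" home is worse: you do not even need to guess.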



How To Secure A Shared Hosting Server

Dec 18, 2007

How to secure a Windows and a Linux server used for shared hosting?

View 0 Replies View Related

Shared Hosting With Secure Ftp Or Pgp

Apr 10, 2008

A friend is looking for shared hosting with secure FTP, PGP encryption, or both. Do you know of any host that offers them? Would a VPS have these features?

View 5 Replies View Related

Secure Shared Hosting ... A Paradox

Nov 5, 2009

We have several VPSes reselling shared hosting, and as we grow our shared hosting operations I've realized how it's almost impossible to have every user, developer or whoever is accessing our shared accounts properly lock down their scripts, e.g. set proper permissions. But what I don't get is how larger shared hosting providers (which we plan on becoming) fully lock out homedir/User A from being able to access, view or write to homedir/User B's files, no matter if User A's executed scripts, processes or protocols are requesting User B's files.

In a shared environment you can't rely on your customers to lock down their stuff, and they are trusting you to take reasonable precautions to protect their stuff at the same time. This should be basic security, but it seems almost impossible to achieve in a shared environment.

Obviously there are VPSes with completely isolated layers, but in a shared environment it shouldn't be too big of a request to have one person's stuff not easily visible to another person, no matter if SSH is being used or a script of any kind. Bottom line: think of a hotel, a "shared environment". One guest can't just go into someone else's room easily. The hotel owner ensures that guests' rooms are not available for other guests to access; this is a reasonable policy, and the hotel owner would be in deep s**t if guests had access to other guests' rooms.

Here are the reasons why I think "secure shared hosting" is essentially a paradox...

1. False sense of security: SuPHP, suEXEC, open_basedir.

The problem is that even if you're using SuPHP or open_basedir or other security practices, someone on that server could still possibly "view" other users' files, which could include database config files and other files that you wouldn't want someone to read or access. These files could include xml, dat, txt etc., any other file that a user might not want another user in another homedir to access and that isn't protected by SuPHP or suEXEC.

2. People often say, well, it's your users' responsibility: "Rely on your end users to choose proper permissions for their files". This is like relying on your hotel guests to deadbolt their door instead of having an autolock on their door when they close it.

I'm sure your clients would expect you to "section off" their account reasonably from another user; however, this doesn't seem possible, at least with Apache, which requires "nobody" to have access to files. And the problem is you can't rely on your users. Besides, most open source scripts (WP, Joomla, Magento) and people here in this forum recommend 644/755 permissions as being the ideal permissions for most files/folders; however, if a user makes all of their files 644/755, other users can still possibly access those files. You would still be giving world-readable access. Many people still use PHP as an Apache DSO, so under normal circumstances where scripts are installed in pub_html a user is FORCED to use world-readable permissions on their config files for their apps to run. For instance, with our cPanel install, when we provision accounts in WHM it creates .htaccess files with 644 permissions. Well, why would it do this if .htaccess shouldn't be read by other users? The same goes for xml files or other non-php/cgi files outside or inside the pub_html directories of a user's homedir/ that shouldn't be viewable by world users.

Bottom line: until "world" readable/writable/executable permissions are completely ignored in a user's homedir/, not just for PHP/CGI but for any file, I think shared hosting security, no matter what patches you have added to Apache or your system (Suhosin, SuPHP etc.), is a paradox. It shouldn't even be possible in any home dir, no matter how responsible/irresponsible a user is, for one user to be able to view another user's stuff. The whole point and reason panels such as WHM or any panel use the /home dir is to separate that user's files/mail/etc. from another user's. So, logically, there's no reason why a script would need access to another's home dir/, knowing it's a shared environment, and on a shared hosting env it shouldn't be allowed to go outside of that user's /home/ dir.

POSSIBLE SOLUTION:

So I think a server admin should be able to enable a "mod_shared host", let's say in WHM or something, that will get rid of global permissions, e.g. there will only be 64, not 644, for any file in /home/<user>/. If someone chmods something to anything in Y (XXY), Y is completely ignored and set to 0.

If the server admin wants to override such settings there could be an override feature, but by default, just as PHP open_basedir restriction settings in WHM work for PHP, the same should go for all files/scripts that are part of a home dir (any extension): under normal shared hosting they shouldn't be accessible by any method (FTP, SSH, any Apache module/process, CGI, Java etc.) regardless of DSO, SuPHP...

Until then, how could large shared hosting providers sleep at night knowing that they are not protecting everything in their users' home directories? This should be a simple and reasonable request that a user would expect when signing up for shared hosting. Obviously there are other possible security leaks, and breaches can occur, but this should be basic security.

Shared hosting shouldn't be like open kindergarten cubbies with a curtain protecting the contents; instead, anyone signing up for shared hosting would expect their host to at least have a high school locker with a padlock.

Or am I missing something? Is there already a solution for this reasonable security practice of protecting users from each other, without referring them to a VPS or a dedicated server? How do the big shared hosting operations have large shared environments with hundreds of users on a box and NOT allow others to view/access other people's stuff?

I've asked people on the cPanel forums as well as our hosting provider; everyone has mixed responses and no real "answer", so I wanted to get your thoughts.

View 2 Replies View Related
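The "mod_shared host" policy the post proposes (the last digit of every mode under /home/<user> forced to 0, so 644 becomes 640 and 755 becomes 750) is simple enough to write down, so here it is as an added example; this is not code from the post, from cPanel or from any host. It walks a home directory, reports every entry whose "other" bits are set, and with `--apply` clears them. The directory layout and file names in the usage below are constructed for illustration.

```python
import os
import stat

WORLD_BITS = stat.S_IRWXO   # the last octal digit of a mode: the 4 in 644, the 5 in 755


def stripped_mode(mode):
    """Keep the owner and group bits, force the 'other' bits to 0:
    0o644 -> 0o640, 0o755 -> 0o750, 0o600 is unchanged."""
    return mode & ~WORLD_BITS


def strip_world_bits(home, apply=False):
    """Enforce the policy over a home directory tree (the home itself included).
    Symlinks are skipped: chmod follows links, so a link a user planted that
    points at a neighbour's or a system file must never be re-moded through it.
    Returns [(path, old_mode, new_mode)] for every entry that differs from policy;
    with apply=True the change is also made."""
    changes = []
    paths = [home]
    for dirpath, dirnames, filenames in os.walk(home):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in paths:
        try:
            st = os.lstat(path)
        except OSError:
            continue
        if stat.S_ISLNK(st.st_mode):
            continue
        old = stat.S_IMODE(st.st_mode)
        new = stripped_mode(old)
        if new != old:
            changes.append((path, old, new))
            if apply:
                os.chmod(path, new)
    return changes


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if a != "--apply"]
    target = args[0] if args else os.path.expanduser("~")   # e.g. /home/alice (constructed)
    for path, old, new in strip_world_bits(target, apply="--apply" in sys.argv):
        print(f"{old:04o} -> {new:04o}  {path}")
```

Run it without `--apply` first and read the report. The tension the post itself points out still applies: with PHP as an Apache DSO the web server runs as "nobody" and needs that "other" read bit to serve the file, so stripping it only works once scripts run as the account owner (SuPHP, suEXEC or, my suggestion, a per-user FastCGI pool) or once the web server is given access some other way, such as membership in the user's group. Without that, a blanket 640 takes the sites offline.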

Secure Mod_php On A Shared Hosting Environment

Jan 21, 2007

I'm running a shared hosting environment and I'd like to know if it's even possible to secure Apache while it's running mod_php. I know I could go suPHP with PHP-CGI, but that would drastically increase the server load.

So what should I do to best secure the server?

So far I did:

- Apache:
Installed mod_security and mod_evasive.

- PHP:
Set register_globals = Off
Set disable_functions = ini_restore, popen, exec, shell_exec, system, passthru, proc_open, proc_close
Set safe_mode = On
Set open_basedir to the user's directory on each virtualhost

Would that be a secure environment for my users?

View 2 Replies View Related
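The per-virtualhost open_basedir in the list above is the one setting that actually separates customers under mod_php, and how it is set matters. The fragment below is an added example, not from the post; the account name `alice` and paths are constructed. The points it makes: `php_admin_value` cannot be overridden from a customer's .htaccess or by `ini_set()`, whereas `php_value` can whenever AllowOverride permits it; open_basedir is a prefix match, so `/home/alice` without a trailing slash would also admit `/home/alice2`; and upload and session files belong in the customer's own tree rather than the shared /tmp, where every other account on the box can read them. `disable_functions` stays in php.ini, as in the post, since PHP does not accept it per virtualhost.

```apache
<VirtualHost *:80>
    ServerName example-customer.test
    DocumentRoot /home/alice/public_html

    # php_admin_value: not overridable from .htaccess or ini_set().
    # Trailing slashes matter: "/home/alice" would also match /home/alice2.
    php_admin_value open_basedir "/home/alice/"

    # Keep uploads and session files out of the shared /tmp.
    php_admin_value upload_tmp_dir "/home/alice/tmp/"
    php_admin_value session.save_path "/home/alice/tmp/"

    php_admin_flag register_globals Off

    <Directory /home/alice/public_html>
        # No Options or All here, otherwise a customer's .htaccess could
        # turn on ExecCGI or use php_value to loosen what is set above.
        AllowOverride AuthConfig FileInfo Indexes Limit
        # Serve a symlink only when it is owned by the same user as its target,
        # which blocks linking a neighbour's config into one's own docroot.
        Options -ExecCGI -Includes -FollowSymLinks +SymLinksIfOwnerMatch
    </Directory>
</VirtualHost>
```

Even with this, every customer's PHP still runs as the Apache user, so any file that user can read (which, under the 644 convention, is every customer's config file) is readable from any other customer's script. open_basedir narrows what PHP's own file functions will open; it is not a kernel boundary.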

Vbulletin With Discusware Look And Feel

Mar 10, 2007

I have a user who is looking into using vBulletin but he is currently using Discusware and wants to retain the look and feel of his forum. Is there any way this can be done?

View 0 Replies View Related

If I Use Uk2.net's Dedicated, Will My US Users Feel A Slower Connection

Dec 18, 2008

If I use uk2.net's dedicated, will my US users feel a slower connection?

If I host my site on uk2.net, will the site load slower for US visitors because the server is in the UK?

What about FDCservers and ServerPronto, any opinions on them?

uk2.net appeals because of the price.

View 4 Replies View Related

How To Secure DNS Server

Mar 25, 2009

I have a question about the security of our DNS server.

View 8 Replies View Related

Secure My Server ...

Apr 25, 2008

My server was hacked!

My server was hacked two times in less than one month (both times they were similar to each other), and my previous security company worked on my server after the previous hack, but the server was hacked again!

Can anybody work on my server? This is very URGENT because my server and all of our sites are down!

View 3 Replies View Related

Is Your Server Really Secure

Mar 14, 2008

So while we all obsess over hardening our servers against sophisticated hacking attempts, how many of us consider the security of our own host's control panel?

Just today I'd forgotten my login for my host's helpdesk. I couldn't find their password recovery form, so I opened their public support chat and asked support for a link to their password recovery form. Apparently they didn't have a password recovery form. Here is the chat transcript:

Support: Hello
Tom: Hi, where is your password recovery form for the helpdesk?
Support: How may i help you?
Tom: Did you see my message?
Support: Yes
Support: Let me know your email address
Tom: [REMOVED]
Support: Okay Let me check
Support: Your new password is [REMOVED]

So, the only thing really stopping someone from logging into my helpdesk and posting a server cancellation ticket is a little bit of research to find my email address and a traceroute to find my host.

View 4 Replies View Related

HOW TO SECURE YOUR SERVER

Nov 11, 2007

I see that one of the most important things nowadays is the security of our servers.

I would like to know from people here who are running big and small servers what they have done to secure their servers. What tips, what software they have used, which applications they are using that are more secure than others... generally everything that could help with the protection and security of our servers.

Even if you asked for help from a company doing that work, what changes did they make to your servers? Which options did they change?

I am making this thread so as to collect all the info we know in one place. One knows about one tip, another knows another tip; having all of them somewhere could make a tremendous difference.

Moderators, please don't move this thread to any software discussion or other forum, as this is one of the most active ones and also has a direct relation to the dedicated servers we buy.

View 11 Replies View Related

No Need To Secure Server

Dec 6, 2007

I have a friend who works in IT. He is about to start his own business, something in the line of network connections or something like that. I was telling him that I'm planning on getting my own dedicated server but that I have no idea how to secure the server. He told me that most Linux distributions come with their own built-in firewall and that I don't need to worry about security. He told me to just ask my dedicated server provider to make sure the firewall is enabled and that's it. When he told me that I thought to myself, either this guy has no idea what he's talking about, or those guys at WebHostingTalk have no idea what they are talking about!

View 14 Replies View Related

Which Is The Best Company To Secure My Web Server

May 23, 2008

Which is the best company to secure my web server?

View 8 Replies View Related

Secure Apache Server

Sep 8, 2007

Does anyone have an ebook or article about securing a Linux server and Apache?

I want to secure my own server and my VPS customers.

My Linux system: CentOS

Also I have the cPanel control panel.

View 3 Replies View Related

Secure Server From Scanner

Dec 4, 2008

I want to secure my server so that scanner tools cannot scan my site, because one of my sites is very important and I do not want its folders scanned.

My server OS: Linux CentOS 5

View 3 Replies View Related

How To Secure Harden The Server

Mar 27, 2007

I have an unmanaged server and I want to have it secured and hardened. How do I do it?

View 5 Replies View Related

How Do I Secure A Streaming Server

Jul 27, 2007

I would like to know if it's possible to secure a server used only for streaming.

Here is what I have on my server :

- Gentoo,
- FlashMedia Server,
- and the following services are enabled : ftp, ssh, named and web ssl

Is it possible, for instance, to install mod_security?

View 3 Replies View Related

How To Secure Your Plesk Based VPS Server

Mar 25, 2009

I came across this very detailed step-by-step tutorial on how to secure a Plesk based VPS. It's up-to-date and was just written so the info is accurate.

Here's the link to the full tutorial: ...

View 1 Replies View Related

How Can I Secure My Server Against Spam Attacks?

Mar 25, 2008

I have a cPanel dedicated server and have a lot of spam attacks on this server. It's getting so bad that our IP is being added to Yahoo & AOL blacklists and my emails are bouncing to these accounts.

Is there anyone on here who can do a thorough check on our server and install anything necessary to stop this kind of activity?

View 5 Replies View Related

How To Secure A FreeBSD Server For Shell?

Mar 13, 2007

For hosting IRC and shells I heard that the best choice of OS is FreeBSD.

I would like to know if there are any tutorials, or if someone can write one (or give some tips), on how I can secure a machine running FreeBSD and used for IRC + shells.

For example, how can I install a firewall, a rootkit etc.?

Also, what about putting users in a jail (not allowing them to see other dirs except theirs)? How can I do that?

Also, what about not allowing users to use some commands like dmesg, ping and traceroute, and how can I make it so that when they do ps -aux they only see their own processes (and are not able to see the processes of other users)?

View 3 Replies View Related
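Two of the questions above (hiding other users' processes from ps, and keeping dmesg away from users) are answered by FreeBSD kernel knobs rather than by a tutorial. The fragment below is an added example of an /etc/sysctl.conf for such a shell box; it is not from the thread.

```conf
# /etc/sysctl.conf on a FreeBSD shell host (added example)

# Each non-root user sees only processes with their own uid/gid in ps(1),
# top(1) and procfs; everything else simply does not appear.
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0

# Unprivileged users may not read the kernel message buffer, so dmesg(8)
# returns nothing useful to them.
security.bsd.unprivileged_read_msgbuf=0
```

Settings in /etc/sysctl.conf take effect at boot; to apply them to a running system run `sysctl security.bsd.see_other_uids=0` and so on. ping and traceroute are setuid-root binaries, which is why ordinary users can run them at all: `chmod u-s /sbin/ping /usr/sbin/traceroute` takes that away without deleting the tools. Confining users to their own directory tree is what jail(8) is for and is a larger job than a sysctl line.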

Secure Employees SSH Access To Server

Jul 6, 2009

I'm thinking about creating a limited platform for my employees to access my hosting servers.

I wish they could create certain types of directories for users, set permissions on some directories, list user accounts, etc.

But although I don't think they would want to abuse this kind of access, I not only like the Trust-No-One premise, but I also find it not very unlikely that the computer they're using gets compromised or something like that.

So I'd like to get technical ideas on how to develop this system, and to know if anyone is interested and would like to contribute to the code.

What I've considered so far is that I should either create a special user for that which would be in all users' groups, or give it "root" access... the latter seems more reasonable to me considering the implementation and compatibility between systems and control panels.

But with "root" access I mean "running MY INTERFACE for the employee as root"... this interface would have limited options like "create directory for user X", "list content of user X", etc. (taking a lot of care with input validation), and would enforce some limits to prevent abuse (for example, can't list the content of more than 10 users per hour, or something like that, and alert me).

My main doubt is how you think that should be implemented: as a special server or as a web service? With a web service I have the advantage of being capable of using SSL in a simple way and I don't need a special client (since any browser is a client).
Then that could be PHP or Perl... but running as UID 0 (I don't even know if Apache allows that, or if there's a workaround like SUID).

View 6 Replies View Related
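The privileged half of what the post describes, a fixed menu of actions with strict input validation and a per-employee quota, is small enough to show. This is an added example and not the poster's code; the account-name pattern, the whitelist of directory names, the /home layout and the quota numbers are assumptions. The part of the design that is mine rather than the post's: keep the web or SSH frontend unprivileged and let it invoke only this one script through a sudoers entry naming it, instead of running Apache or a PHP interpreter as UID 0.

```python
import re
import subprocess
import time
from collections import defaultdict, deque

# Assumptions: account names are short lowercase identifiers living under /home,
# and only these directory names may ever be created inside a customer's home.
USERNAME_RE = re.compile(r"[a-z][a-z0-9]{0,15}")
ALLOWED_DIRS = {"public_html", "mail", "tmp", "logs"}


def validate_user(user):
    """Accept a plain account name only: no '/', '..', spaces or shell metacharacters."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError(f"invalid username: {user!r}")
    return user


def validate_dir(name):
    """Directory names come from a fixed whitelist, never from free text."""
    if name not in ALLOWED_DIRS:
        raise ValueError(f"directory not in whitelist: {name!r}")
    return name


def build_command(action, user, arg=None):
    """Map an action plus validated inputs to an argv list. Every element is a
    literal or a value that passed validation, and no shell is involved, so
    there is nothing for an injected ';' or '$(...)' to act on."""
    user = validate_user(user)
    if action == "list":
        return ["ls", "-la", f"/home/{user}/public_html"]
    if action == "mkdir":
        name = validate_dir(arg)
        return ["install", "-d", "-o", user, "-g", user, "-m", "0750",
                f"/home/{user}/{name}"]
    raise ValueError(f"unknown action: {action!r}")


class RateLimit:
    """Sliding-window quota per (employee, action), e.g. 10 listings per hour.
    The clock is injectable so the behaviour can be tested without waiting."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        recent = self.events[key]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def run_action(employee, action, user, arg=None, limiter=None, runner=subprocess.run):
    """Privileged entry point: validate first, then spend quota, then execute.
    A rejected request never reaches the quota, so garbage cannot exhaust it."""
    argv = build_command(action, user, arg)
    if limiter is not None and not limiter.allow((employee, action)):
        # A real deployment would also alert the owner here, as the post wants.
        raise PermissionError(f"{employee}: quota exceeded for {action}")
    return runner(argv, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    quota = RateLimit(limit=10, window=3600)
    print(run_action("employee1", "list", "alice", limiter=quota).stdout)
```

The things worth copying are structural: the only free-form input is the account name, and it is matched against a whole-string pattern before it goes anywhere; everything else is chosen from fixed sets; the command is an argv list passed without a shell; and the quota is keyed on who is asking, so a stolen employee session hits the limit rather than dumping every customer's home.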

Secure FTP :: FTPS On CPanel Server

Jul 7, 2008

I'm going to use FTPS for one of my accounts on a cPanel server.

Should I assign a dedicated IP to that account, then install SSL on FTP.DOMAIN.COM?

View 6 Replies View Related

Most Secure Dedicated Web Server Setup

Mar 18, 2008

I am seeking a little input from others who use multi-CPU machines with large memory as web servers and mysql servers.

I will be more than happy to give additional information I might have overlooked if you need it. Just ask.

We are starting to run more and more dedicated hosts running joomla applications. I've been trying to find the very best settings for both performance and security that I can for the servers to function well specifically with their joomla applications.

Servers are not used for *anything* else at all.

The servers are strictly used to serve up web pages. No need for anything other than what apache/php, joomla requires and a few other things such as ffmpeg, etc.

I would like to remove all tools which aren't needed for such a server, leaving a bare minimum server which is less susceptible to hacking.

I've never messed with the root account, so I wonder if I can simply not allow any access as root other than at the terminal, perhaps not even su, by giving another account full root access, and of course while allowing the system to continue to function properly with the many things which must run as root.

I would like to do this on all of my public machines which are of course behind firewalls. I also have load balancers and cache devices in front of the web servers but at this time, they are not activated so aren't in the realm of this question.

Development is done in a separate environment and the data is pushed to the web server via private network to the web servers. This means no need for shared tools, FTP, or anything else which users would need in a shared environment.

The servers are 8-way IBM, running Linux and Apache, PHP/APC.
Servers have 32GB of memory and I can install up to 64GB.

Databases are run on separate machines which are also dedicated only to running mysql databases. Same machines as above.

Machines all run multiple network cards bonded as a single IP.

So, my questions are;

How can I best utilize my hardware to take advantage of its memory capacity?

For example, on the web servers, I'd like to find the best settings for httpd.conf which takes advantage of the machines resources.

On MySQL servers, I'd like to do the same as the above, taking the best advantage of the hardware/memory.

For web serving and for Joomla, I seek the very best security settings I can possibly get. I say best because, since they aren't used by users, there is no need to have a lot of tools and access on these machines, so it should not be a problem to tighten these machines up a great deal.

Any input from those who have such experiences would be very welcome as I've been finding no one place for help on this.

View 0 Replies View Related

How To Secure Windows Server 2003

Dec 23, 2007

What software do you use for securing your Windows server?

How can I secure my server from all DDoS attacks and all remote hacking?

What kind of software do you use to protect your Windows server?

View 14 Replies View Related

How Can I Secure Server Without Safe Mode

Jan 31, 2007

I have a VPS and I enabled safe_mode, but now I need to turn it off because I need to install an image uploader script and this script needs safe mode off to work.

So,

what can I do to secure my server while I turn off safe mode?

What can happen if I turn off safe mode?

What is the job of safe mode?

View 6 Replies View Related

How To Secure/optimise Windows Server

Mar 9, 2007

Where can we read tutorials on how to secure/optimise a Windows server?

View 5 Replies View Related

Secure Dedicated Server For Disaster Recovery

Oct 7, 2008

I'm trying to find a good hosting provider to host our company's website as our fallback option in case of disaster. One or two dedicated servers should do it, but it'll need the space/bandwidth to host a database of around 60-80 gigs, with the ability to rsync newer copies of the database on a regular basis. We also need to store a Tomcat website, which will take up much less space but also needs to be rsynced to be kept up to date on a regular basis, though less often than

Also, we probably need Red Hat Linux specifically, as opposed to other flavors of Linux.

Of course we need root access to install the other apps we'll need. My paramount concern is the security of our company's data, much of which not only has to be protected for our company's sake, but also for laws such as HIPAA, etc. Cost is a consideration, but security, dependability and flexibility (root access to our machine, ability to rsync between sites) are more important.

I was wondering if anyone's got suggestions for me, hosting providers they've liked for these purposes? I'm looking at Media Temple's dpv Nitro option right now ...

View 6 Replies View Related

Dedicated Secure Server For Academic Research Group

May 12, 2009

I'm working on a research study at the University of Toronto and we would like to set up a website and a dedicated secure server. I would like some recommendations on starter packages that would be appropriate, with prices. I'm hoping some could offer their own experiences.

View 14 Replies View Related

How To Secure And Harden CentOS Linux Server From Vulnerabilities & Threats, Attacks

Jul 28, 2009

How can I secure my server from vulnerabilities, threats and DDoS attacks? How can I find out whether my server is compromised or hacked?

Which ports should I check, what commands should I fire at the shell prompt? Which software would you recommend?

View 14 Replies View Related

Copyrights 2005-15 www.BigResource.com, All rights reserved