My information:
I have my photography site (sfxphoto.com) currently being hosted as my main site (site contents are located inside of the publichtml folder). I also have my photo retouching site (elite-retouch.com) being hosted as a sub-domain under the main site (which has its own folder inside of the publichtml folder). I'm being hosted through InfluxHost on a Linux server.
My Dilemma:
For the photo retouching site, I want to be able to give my clients their OWN FTP access to a designated portion of the server.
So, let's say my client upload directory is "publichtml/eliteretouch.com/client_ftp". I then want to be able to make a folder for (we'll call him) client_a inside of the "/client_ftp" folder. So the full directory to THAT client's specific folder will be: "publichtml/eliteretouch.com/client_ftp/client_a"
How can I:
1) ...set their specific FTP to open to their directory only?
2) ...ensure that they cannot navigate to other folders on my server?
3) ...make it so that the login information doesn't carry the MAIN site name, but the sub-domain site name instead?
My website, a free classified ads site, is hosted by XO, the hosting company. I'm introducing a feature where advertisers can, for free, post pictures of the things that they're advertising -- that is, where advertisers can upload a JPEG or a GIF. I understand that this can open my site up to the uploading of malicious code, and that I should put safeguards in place to make sure that only JPEGs and GIFs get uploaded. However, I'm wondering if XO doesn't include some built-in safeguards that would keep malicious code from getting executed. In other words, since a professional hosting company runs the servers -- not me -- do I need to be worried about security at all?
I was just working on some concepts for image upload security features and wanted some others' opinions. Would the below be worth doing to not have to deal with the 777 or even 775 phpsu issue(s)?
- What about loading the images into a db and logging the upload. Then having a cron or a daemon move the file to a location under the owner (user) and then delete the file out of the db.
Pros:
- Images would be loaded and displayed from under the user of the site making no 777 issues.
Con:
- Mass use of db could cause crashes?
- Would have to write front end to know if the file was in db or in the folder location
My server is Win2003 Standard with IIS 6. I'm using IIS6 to host websites but I have a need to run Subversion, which requires Apache. I'm wondering whether it would cause any problem with my current operation. Apache will run on a different port than the standard 80.
I just started using FileZilla Client, as a way of allowing business clients to upload to an ftp account at my website (the ftp account is a subdirectory of my public_html directory, and has its own username and password).
I noticed that, along with other information for each file listed at that subdirectory, FileZilla also posts info on "owner" and "group". It turns out that, for each of these fields, FileZilla displays the username of my entire site -- not the username specifically associated with the particular ftp account to which FileZilla had connected. Thankfully, it doesn't also display the password that goes along with it!
I'm wondering if anyone would know:
- does this constitute a significant security risk?
- is this because of actions on the part of my web host, or because of FileZilla's programming? (i.e., would the same thing occur in all ftp clients?)
- if this is a significant security risk, would there be any workaround?
I have several servers here at my home. I want to run them up on a really fast upload like 10 - 100 mbps. How would I get this in the UK at home? I heard that you can get multiple connections and blend them together. Is this right?
When I try to upload image files to the Linux-based shared hosting server application with Java and .jsp files
(using Apache Commons FileUpload) I am getting the following exception: java.security.AccessControlException: access denied (java.io.FilePermission /var/chroot/home/content/h/e/r/heritageameric/html/heritageshopping/abc.txt write)
The hosting people are suggesting that I need a .htaccess file to solve this and get write permission.
But I am completely new to this .htaccess file concept.
I am an application/systems developer looking for a VPS hosting provider that would allow me to upload a customized Xen image that I could use as a template for additional VPSs.
Does anyone know of a hosting provider that could do this type of thing?
I have a site to do for someone but I have just realized they do not have hosting set up.
Every time I have done sites, they already had hosting.
What shall I do? Because they expect me to organize their hosting so I am confused. All I know or can guess is, it is a media site so bandwidth will be high.
I am building a website for a client in Thailand. Normally I recommend all clients to Dreamhost but am not sure what to do for my Thai customer. Billing and customer support should be in Thai (even though they speak English well enough).
But I am having trouble finding a reputable company in Thailand. What should I do? Where should I turn?
I'm trying to make the best recommendation for a client who has some complicated needs.
They are a university that has opened a public policy and educational office in the national capital.
I do not foresee a substantial amount of traffic being generated on the site - something a simple hosting package from ICDSoft should be able to handle.
However, there are three issues that complicate matters:
1) They may actually have huge spikes in traffic. They anticipate occasional mention in the national TV/radio media and in these cases, they don't want their site to buckle.
2) They do some audio and four video podcasts a month. They have around 50 viewers of each right now (not too substantial) but if they become successful, that number could increase by a lot.
My initial thinking was to try to host these on an outside service - even a free one - like OurMedia.
3) They want to send out email newsletters. Right now they have 850 subscribers for the list for the new location, but as people visit the site, they will sign up more.
I presume they will want to have the emails originate from the same location that the @[url] is to prevent being marked as spam, right? So, if they were to use constantcontact, emails would be from @constantcontact. But if they wanted it to be from their @[url].edu, we would need to send them from the .edu's own SMTP server, right?
I have thought about the 'cloud computing' thing - does that scale up automatically or not?
I also want to know from ICDSoft how much concurrent bandwidth/connections I can get simultaneously (is that the right way to word the question to them?)
What is the best way to transfer the cost of webhosting to a client?
What I'm trying to establish is, for instance, if you design a website and offer to set up the hosting for them for, say, an initial 2-year period, how do you go about getting them to pay for the hosting after the 2 years have expired? The same obviously applies to a domain, right?
I want to get on my own ded server for free hosting and have it fully managed by the provider, e.g. they have the capability to look for spammers/hackers/phishers/etc. while I'll be on my merry way providing free hosting. Is there such a provider? Any recommendations?
I am conducting some research into potential risks that web hosts have to deal with on a daily basis. What potential security risks are there for web hosts? And how do they overcome these issues?
I have hosting - php/apache - with Orchard Hosting, and I've been with them for many years and there's never been a problem.
Then, a couple of days ago I realised from my logs a text file had been put in a directory in my webspace without me knowing anything about it. I emailed my host and they said it could have happened by either:
1. someone using ftp and getting into my account
2. someone injecting PHP through a form on the site.
I've added some code to my validation to look for <? and fwrite keywords but I think it's secure! But in the logs, there's no visits to the pages where the forms are (one of which is AJAX powered) - so I'm not sure it's injection.
Is someone using some kind of anonymous connection to my FTP (which shouldn't work!) the most viable reason why this has happened?
I have a server running Windows 2003 Enterprise as WEB HOSTING. It is not configured as a Domain Controller. Can anyone advise me what I should do if this server is attacked by a hacker or virus, or suffers an OS error or damage?
For some weeks I have been trying to get a secure install for my Debian. This server will be a shared hosting host, so it needs special security, but I don't know how to do this.
My requirements are:
- Apache
- PHP (mod, not cgi)
Actually, users can navigate into my server by using a phpshell script. And someone put lots of files into the /tmp directory, so I try to secure all of that but can't find a good tutorial for it; do you know where I can find some?
And what about PHP run from cron, so executed with php-cli: how do I secure it?
I'm a web designer trying to find a web host for a client. I've set up several clients, including the one in question, at IX and haven't had a problem until the other day, when my client's site was hacked. A redirect code was inserted, taking the user to a false site that installed a virus. The offending code was removed by IX but the client's experience with their tech support was less than satisfactory. I've seen similar stories on this forum and others.
I'm looking to find another host and have some questions about security on shared hosting plans. I understand that they're not completely secure but I'm wondering if certain hosts or certain servers are more susceptible to hacks than others? I see very little, if any, mention of security on sites of hosts offering low-cost, shared hosting plans.
Fewer low-cost hosts seem to be offering dedicated IP addresses. Is a shared IP address going to be less secure than a dedicated one?
My client's site is info only -- no ecommerce or user login -- so it doesn't have to be Fort Knox, but they shouldn't have to worry about it being hijacked either.
Lots of questions, I know. It's my first time posting on this forum, so be gentle.
I have read much helpful feedback regarding choosing a reliable web host. Most of the concerns are centered around costs. However, I am more particular about the relative security of my website in addition to other perks such as space, speed and bandwidth. I rate my concerns on a 1-10 scale:
- Security: 9/10
- Bandwidth: 7.5/10
- Disk space: 6/10
- E-mails, backups, etc.: 8/10
- Cost: 7/10
I have a server setup and running shared hosting perfectly. I duplicated one of the plans and just set it to DEDICATED IP. This is for users that will be requiring SSL.
I then went into my panel settings and added in all the additional IPs. It even says in the panel listing "6 dedicated ip's available".
Yet, when I try to re-run the task for provisioning it constantly fails with the message:
Unable to create hosting. Ip address does not exist in client's pool ....
I am in a shared hosting environment. Their php's setting does not have open_basedir set and safe_mode is off.
I was poking around their server and noticed that using some simple system() calls within a php script, I was able to access /etc/passwd and therefore access all their clients' public_html.
I am currently calling them to let them know of the vulnerability. But out of curiosity, is it normal that I can read all the other sites hosted? They do have config files with MySQL passwords in them.
I've been reading these forums for a while now... a lot of very interesting and useful stuff. However, I've always been happy with the hosting of my site until recently, and have never had a pressing reason for wanting to change.
However, I recently had a four day outage to my site. The hosting company (which shall remain nameless, for now) put this down to a security problem which meant they had to take down the shared Windows server and go through all the sites on the server looking for the site that had bad code which caused the security outage. I also had problems with malicious javascript being injected into my pages prior to this.
I quote from the hosting company "Unfortunately this is a shared hosting solution and by its very nature, it means that poor code affects all sites on that web server. .... The vulnerabilities of ASP, MS-SQL and .Net are well documented." They then proceeded to try to sell me a dedicated server (which I believe will likely be too expensive for my needs).
I'm no expert on hosting, but this doesn't sound right to me. Is all Windows shared hosting afflicted with these kinds of security problems? Or only when it's not set up right? I need reliability, but not absolute 100% bulletproof uptime if it comes with a dedicated server pricetag. I do need to avoid outages of a number of hours/days (!!), however.
Hopefully one of the experts here can put me right. I can't believe that Windows hosting security is that bad that no company can have a shared hosting product that avoids the aforementioned problems. What do you think?
MySQL 5.0 supports stored procedures -- but is it safe to allow shared hosting customers to have privileges to create them? If the procedures are global, does that mean that:
a) one customer could write a procedure which accessed another customer's data?
b) any customer could call a procedure created by a different customer?
c) any customer could override an existing mysql function in a way that would affect other customers?
d) any customer could write a function that bound to a system library and crash the entire server instance?
I normally hang out in the web design area, so if there is a related thread, please point me there.
I have been hosting a very small site with, what I thought, was a respectable local company. This morning I went to my home page and guess what - my friendly neighbourhood hacker paid me a visit. Gone (commented out) is my home page content, replaced with the following text:
I would like to report that your site is highly compromisable. Please review your hosts security settings. I would recommend changing though, they are a piece of ****. (I have not deleted anything. the original page is commented out but is still located in this file.)
This security message has been brought to you by Scorpian & AV.
How do I deal with this? If I get no response from my current hosting company on how someone got hold of my ftp password, I want to move my site, but how do I know the next company has better security measures? And what should these security measures include? Any tick lists out there for testing domain host's security?
Most scripts use PHP and the MySQL extension, so no problem at all until I came up with 1 little devil that requires PHP with PDO and pdo_mysql. My question is, is there any side effect on a production server if I recompile Apache with those extensions turned on?
Do they run in parallel to the way PHP and MySQL run now, or will it break all the scripts running and send the server to hell?
Basically what I mean is, I have the resources on the server to run it, but do they run in parallel or do they change/reconfigure the whole way PHP and MySQL work?