I'm starting to test out VPS panels and found vePortal 2. I purchased it and installed it. Now I'm checking some security, as we all know about the terrible result of HyperVM as everyone blindly used it because it was "pretty" but it was not secure.
Some serious concerns I'd like to share with vePortal 2.
1) It makes no backups of any of the files it modifies during install, or at least I haven't seen any, like httpd.conf. More of a pain than anything. There is no way to auto-uninstall it either.
2) vePortal gives full root access to the Apache user, letting apache run any root commands!
They add this to your /etc/sudoers:
apache ALL=(root) NOPASSWD:ALL
[root@nd11108 myadmin]# su -s /bin/sh apache -c "whoami"
apache
[root@nd11108 myadmin]# su -s /bin/sh apache -c "sudo whoami"
root
This is a root exploit waiting to happen. I asked them about this and got this response:
Quote:
It would be a security breach if a) apache was allowed SSHD access, or b) the server was running scripts that haven't been marked secure. We have a very comprehensive team of beta testers, including one of the largest providers around. They and their staff have not been able to break the security or integrity of the panel as of yet.
All panels in one way or another have root control over the system; for example, they wouldn't be able to have an SSH Console without it, as only specified commands would work. We do have a list of the commands required by vePortal if you wish to limit it, but the console and the Shell Commander functions would stop working.
Regards,
Gavin H.
Chief Information Officer
That's funny; I have been using the panel for a few minutes and have already found they've ignored the biggest security hole possible.
3) In 5 minutes I've found multiple XSS vulnerabilities in the admin area. For example, in search customers I was able to generate JavaScript alerts in multiple fields.
4) It stores the MySQL root password in clear text in a .php file... yeah, that's real secure. Why does it even operate under the MySQL root user? It's using a single database.
5) I forgot to add, it doesn't recognize ANY OpenVZ VPSs you've created manually. It has no idea they exist and you cannot view them at all.
I'm sure I could dig deeper into the source code and find more, but it's not worth it. Judging by what I found without actually trying to spend time on security, I completely removed the product.
The panel does look nice, but it sure gets a mark of insecure for me; I would advise others to seriously look into the security of this new panel if you're considering using it.
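As an added example (not code from the post, and not vePortal's), here is a small audit script that parses one-line sudoers rules like the `apache ALL=(root) NOPASSWD:ALL` grant above and flags blanket root grants to daemon accounts, while rating a command-restricted grant (the kind the vendor says it can supply) lower. The sample sudoers text, the service-account list and the severity labels are constructed assumptions.

```python
"""Audit /etc/sudoers for blanket root grants to service accounts.

Added example, not part of the original post and not vePortal's code. It
parses the simple one-line sudoers rule form used in the post
(user HOST=(runas) [TAG:] commands) and flags rules that give a daemon
account such as apache an unrestricted, passwordless root shell.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Non-interactive accounts that run network-facing services (assumed list).
# A blanket root grant to any of these turns every bug in the service into root.
SERVICE_ACCOUNTS = {"apache", "www-data", "httpd", "nginx", "nobody", "mysql"}

# Directive/alias lines that are not user rules and can be skipped.
SKIP_KEYWORDS = {"Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias"}

# user  host_list = (runas_spec)  TAG:  command_list
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


@dataclass
class Finding:
    line_no: int
    user: str
    severity: str   # "critical" or "review"
    reason: str


def runs_as_root(runas: Optional[str]) -> bool:
    """sudo runs commands as root when no runas is given, or for (root)/(ALL)."""
    if not runas:
        return True
    return runas.split(":")[0].strip() in ("root", "ALL")


def audit_sudoers(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.split()[0] in SKIP_KEYWORDS:
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        user = rule.group("user")
        account = user.lstrip("%+")          # %group and +netgroup spellings
        if account not in SERVICE_ACCOUNTS and user != "ALL":
            continue                         # interactive admins are out of scope here
        tags = {t.strip() for t in rule.group("tags").split(":") if t.strip()}
        cmds = rule.group("cmds").strip()
        if cmds == "ALL" and runs_as_root(rule.group("runas")):
            findings.append(Finding(line_no, user, "critical",
                "any command as root with no restriction: a web-app bug becomes a root shell"))
        elif "NOPASSWD" in tags:
            findings.append(Finding(line_no, user, "review",
                f"passwordless commands for a service account; check each for shell escapes: {cmds}"))
        else:
            findings.append(Finding(line_no, user, "review", f"service account grant: {cmds}"))
    return findings


def report(findings: List[Finding]) -> str:
    return "\n".join(f"line {f.line_no}: {f.severity.upper():8} {f.user}: {f.reason}"
                     for f in findings)


# Constructed sample: the grant quoted in the post plus two restricted alternatives.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults    env_reset
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) ALL
apache      ALL=(root) NOPASSWD:ALL
Cmnd_Alias  VZ_CMDS = /usr/sbin/vzctl, /usr/sbin/vzlist
www-data    ALL=(root) NOPASSWD: VZ_CMDS
nobody      ALL=(root) /usr/sbin/vzlist
"""

if __name__ == "__main__":
    print(report(audit_sudoers(SAMPLE_SUDOERS)))
```

Run it against a real sudoers file with `audit_sudoers(open("/etc/sudoers").read())`; "review" findings still need a human to confirm that none of the listed commands can spawn a shell.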
Unlike earlier versions of Microsoft Windows Server, the 2008 version gives you a default logon screen that is very similar to Vista. Instead of the interactive dialog box that prompts you for a username, password, and sometimes domain, users will find a “push button” screen displaying all users with login permissions. To log into an account, all the users will now need to know is the password. This makes things much easier for hackers, as the only thing they will now need to guess is the password.
There are a couple of ways to resolve this problem. First, the server administrator can set the local security policy to not display the last username and disable fast user switching. Second, in the System Remote Settings dialog, the remote desktop options can be set to allow computers with Remote Desktop that support Network Level Authentication.
Since the first method is covered in a few blogs, I’ll limit myself to discussing the second method. In the latest versions of Remote Desktop Connection client (version 2.0 for Mac and the version shipped with Windows Vista), Network Level Authentication is supported. This means users must send the username and password before Windows 2008 accepts the connection. Earlier versions of RDC (like the one found in many installations of Windows XP) don’t support NLA. So technically, users will only need to supply the IP or domain name of the remote Windows server, leave the username and password blank, and interact with the logon process that is provided at connection time. Windows 2008 servers that do not have the NLA option set for remote desktop connections are vulnerable since the interactive logon screen (post-connection) is displayed to users using earlier versions of RDC.
This last point may be of significance to service providers offering Windows 2008 dedicated servers. If the server is set up with default settings, the NLA option is disabled and new users will by default be made to change passwords on first logon. Users using new versions of RDC will not be able to logon because the initial password change sequence on first logon is not compatible with NLA. The server will return an incorrect password message to the RDC client even though the user has provided the correct username and password. The only way to establish first connection is thus to use a non-NLA supporting version of RDC so that the user can establish connections without supplying credentials and then going through the password change wizard during the initial login. But as mentioned, having NLA disabled on server side is not an ideal practice at this point.
So there are a couple of ways to do this. The service provider should disable the “change password on next logon” option during the user creation process and get the user to manually change the password after logon. Or alternatively, assist the client/user in changing passwords through the console internally.
I have just discovered a massive security hole in the CPANEL 10.9 software. This problem is in the BACKUP FEATURE. If you do a remote FTP backup onto the same account, it will put the file in the account home directory and it will have this type of stuff: accountname:ROOTPASSWORD@serverhostname.com
I am a web designer, and have been doing this for about 5 years now and have never encountered such a problem. I had a problem come up a few days ago where one of my clients got into an argument with the Mavrick Team web hosting and computer services company's owner regarding services. She has reported to me that he went into her email account, and has emailed her clients false information about her services after their heated discussion. She told him that she was going to press charges. He told her that he had harvested all of her clients' email addresses and will email them to her competitors if she does not back down. What can she do? I feel awkward as I am in the middle of it now. I was the one who referred her to Mavrick Team (aka as I host them) for web hosting services, and moved her site to their servers. This man has created such a big problem for this woman now. Her clients are doubting her services and he is blackmailing her. She does not owe him any monies. She has forwarded two of the emails that her clients forwarded to her, so I know she is not making this thing up. I advised her to move all of her emails to a personal email account, contact all of her clients to let them know that someone has access to their info, and I am helping her move her site. Who can she report them to?
I have nothing to do with it. Just passing it along.
What is veportal?
vePortal is a VPS Commanding total system control Web-Based system that utilizes PHP Hyper-Threading, resulting in major acceleration over competing products. As long as your server can meet the recommended system requirements, our control panel and your users will never wait for a page to load for longer than the average website.
I have some concerns with hosting an external URL. I have these two websites, www.benchmarkportal.com and www.bmponlinestore.com, and my question is: is it possible for www.bmponlinestore.com to launch if ever I click on the www.benchmarkportal.com/store/ URL with the URL name unchanged, meaning it won't change to www.bmponlinestore.com? Scenario:
step : when I click on www.benchmarkportal.com/store/
result: the contents of www.bmponlinestore.com shows up but without changing the url name(the url will still be www.benchmarkportal.com/store/)
I have been involved in the development of a complex PHP web application that does very large amounts of processing, includes several files with thousands of lines of code, does multiple and complex db queries etc. So far it has been running only on non-public development servers and has been surprisingly fast given what it does.
But I am concerned about what might happen when it is time for it to start running on a website with many users.
Is there a way to estimate in advance how serious that problem may be?
so let's get this all hashed out... it'll be interesting to see how people handle various situations.
Before responding, let's keep this thread signature free.
I recently came across an issue where a customer wanted to bring their own Microsoft products/licenses to the table. Got a few questions for the other providers out there... this really needs to be hashed out.
Microsoft is very strict when it comes to enforcing their license policies, we all know this much.
So... when a customer wants to install their own software, what do people do to help ensure that whatever agreement you have with your upstream provider or Microsoft isn't in violation by allowing someone to bring their own licenses?
What steps do you take to ensure validity of said licenses?
How do you define, much less enforce, these guidelines?
What role, if any, should a provider play in doing their part to help stem illicit license abuse?
I have just finished testing with my HP DL380 G3 server and I have been looking at different companies / facilities to ship it off to for co-location.
How do you ease your own concerns of hardware failures on the server (aside from HDD, which are easy to replace) when it is so far away?
I control a datacenter / networking environment for my company, so I have immediate access to any of our gear that breaks, but I will not be co-locating within our facility for obvious reasons.
Are most people using left over Dell / Compaq / HP stuff or custom builds? I went with HP because of the built-in iLO capability to lessen the need for so much remote hands in the event of a reboot etc.
I guess the biggest thing that is worrying me right now is a catastrophic hardware failure such as motherboard / CPU. All others can be quickly fixed (HDD, RAM, etc), but with a motherboard / CPU failure, the extended downtime can be long while spares are ordered / shipped.
I have been having a very hard time tracking down the source/cause of this surge in email. My server has been sending out thousands of spam emails under the nobody account. So far I have done the following:
Created a spam_log to monitor php/cgi mail scripts
Secured firewall and set up monitoring & automatic IP ban of dictionary attacks in exim
Secured the /tmp folder
Updated server to latest STABLE version of cPanel
Scanned server with rootcheck kit
Here is a sample email that is getting bounced back. I have nearly 60,000 bounced emails in the queue with similar messages.
156P Received: from mailnull by whm.mav-hosting.com with local (Exim 4.63) id 1Hndfh-0001A4-0G for nobody@whm.mav-hosting.com; Mon, 14 May 2007 11:45:17 -0500
039 X-Failed-Recipients: beyp@ttnet.net.tr
029 Auto-Submitted: auto-replied
063F From: Mail Delivery System <Mailer-Daemon@whm.mav-hosting.com>
031T To: nobody@whm.mav-hosting.com
059 Subject: Mail delivery failed: returning message to sender
052I Message-Id: <E1Hndfh-0001A4-0G@whm.mav-hosting.com>
038 Date: Mon, 14 May 2007 11:45:17 -0500

Data spool file 1Hndfh-0001A4-0G-D
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
beyp@ttnet.net.tr SMTP error from remote mail server after RCPT TO:<beyp@ttnet.net.tr>: host ttfarm.ttnet.net.tr [212.175.13.134]: 550 Invalid recipient: <beyp@ttnet.net.tr>
------ This is a copy of the message, including all the headers. ------
Return-path: <nobody@whm.mav-hosting.com>
Received: from nobody by whm.mav-hosting.com with local (Exim 4.63) (envelope-from <nobody@whm.mav-hosting.com>) id 1HnaLG-0007Jz-CX for beyp@ttnet.net.tr; Mon, 14 May 2007 08:11:58 -0500
To: beyp@ttnet.net.tr
Subject: Interaktif Bankacilik Hesabiniz
From: Ak Bank <acc@akbank.com.tr>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <E1HnaLG-0007Jz-CX@whm.mav-hosting.com>
Sender: Nobody <nobody@whm.mav-hosting.com>
Date: Mon, 14 May 2007 08:11:58 -0500
**CONTENT OF SPAM MESSAGE REMOVED**
I removed the content of spam so it's not posted on the forum
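As an added example (not code from the post), a triage script for a queue full of bounces like the one above: it strips the Exim spool header prefixes, pulls out the failed recipient, the local user that injected the original message, the spoofed From: and the injection time (to line up against a mail-script log such as the poster's spam_log), and tallies bounces per campaign. The sample bounces are constructed with example domains and placeholder queue ids.

```python
"""Triage Exim bounce messages to find which local account is sourcing spam.

Added example, not part of the original post. Input is the form pasted above:
"NNNX " spool prefixes on the bounce headers, then a body containing a copy of
the original message after the standard Exim marker line.
"""
import re
from collections import Counter
from email import message_from_string
from email.parser import HeaderParser
from email.utils import parseaddr
from typing import Dict, List, Optional

SPOOL_PREFIX = re.compile(r"^\d{3}[A-Z*]?\s")   # "156P ", "039 ", "063F " ...
COPY_MARKER = "------ This is a copy of the message, including all the headers. ------"
LOCAL_INJECT = re.compile(r"from (\S+) by (\S+) with local")   # locally injected mail
ENVELOPE_FROM = re.compile(r"envelope-from <([^>]+)>")


def strip_spool_prefixes(text: str) -> str:
    """Remove the length/flag prefix Exim prints in front of each header line."""
    return "\n".join(SPOOL_PREFIX.sub("", line) for line in text.splitlines())


def parse_bounce(text: str) -> Optional[Dict[str, str]]:
    """Extract the investigator-relevant facts from one bounce, or None."""
    outer, _, inner = strip_spool_prefixes(text).partition(COPY_MARKER)
    if not inner:
        return None                      # not an Exim bounce carrying the original
    bounce = HeaderParser().parsestr(outer.lstrip())
    original = message_from_string(inner.lstrip())
    received = original.get("Received", "")
    inject = LOCAL_INJECT.search(received)
    env = ENVELOPE_FROM.search(received)
    return {
        "failed_recipient": bounce.get("X-Failed-Recipients", "").strip(),
        "local_user": inject.group(1) if inject else "",
        "envelope_from": env.group(1) if env else original.get("Return-path", "").strip("<> "),
        "claimed_from": parseaddr(original.get("From", ""))[1],   # the spoofed sender
        "subject": original.get("Subject", "").strip(),
        "injected_at": original.get("Date", "").strip(),           # correlate with spam_log
    }


def triage(bounces: List[str]) -> Counter:
    """Count bounces per (local user, spoofed From, Subject) to expose campaigns."""
    tally: Counter = Counter()
    for b in bounces:
        info = parse_bounce(b)
        if info:
            tally[(info["local_user"], info["claimed_from"], info["subject"])] += 1
    return tally


# Constructed sample modelled on the bounce in the post (example domains, fake ids).
SAMPLE_BOUNCE = """\
156P Received: from mailnull by whm.example.com with local (Exim 4.63) id 1AAAAA-000001-AA for nobody@whm.example.com; Mon, 14 May 2007 11:45:17 -0500
039 X-Failed-Recipients: victim@example.net
029 Auto-Submitted: auto-replied
063F From: Mail Delivery System <Mailer-Daemon@whm.example.com>
031T To: nobody@whm.example.com
059 Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

------ This is a copy of the message, including all the headers. ------

Return-path: <nobody@whm.example.com>
Received: from nobody by whm.example.com with local (Exim 4.63) (envelope-from <nobody@whm.example.com>) id 1BBBBB-000002-BB for victim@example.net; Mon, 14 May 2007 08:11:58 -0500
To: victim@example.net
Subject: Interaktif Bankacilik Hesabiniz
From: Some Bank <acc@bank.example>
Sender: Nobody <nobody@whm.example.com>
Date: Mon, 14 May 2007 08:11:58 -0500

(phishing body removed)
"""
# Same campaign, different recipient (constructed).
SAMPLE_BOUNCE_2 = SAMPLE_BOUNCE.replace("victim@example.net", "other@example.org")

if __name__ == "__main__":
    for key, n in triage([SAMPLE_BOUNCE, SAMPLE_BOUNCE_2]).most_common():
        print(n, key)
```

With a real queue, feed it the output of `exim -Mvh`/`exim -Mvb` for each frozen bounce id; a single local user and a single spoofed From: across thousands of bounces points at one script under that user.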
Paypal started sending me notices that it was unable to connect to my IPN (I'm using modernbill v4) yet I used it without a problem for 3 years.
They sent this message in response to my support inquiry:
I have had the IPN logs checked and show that, on recent transactions, your Web server returned an HTTP 200 OK on some of the transactions. Transactions were pulled from:
Date: Fri, 04 Jan 2008 15:00:09 GMT and Date: Thu, 03 Jan 2008 22:20:48 GMT
The reason that you are receiving the E-mail in question is due to your server not responding with an HTTP 200 OK response. When this happens, the PayPal system attempts to resend the IPN POST for up to four days, at which time the E-mail in question is generated to inform the merchant of issues with the IPN script.
This issue is not a PayPal issue, but is rather caused by your server's response to IPN POSTs sent to the IPN Script.
Can anyone recommend a well-established VPS provider with facilities at a major EU connection point, preferably TheNetherlands? I need a small account for secondary DNS and MX, plus some caching experimentation. Might turn into an unmetered dedicated mega-server at the same location if things go as planned, so if you only have experience with dedi or colo at a certain host, feel free to chime in.
I'm already a colo-host and a cPanel distributor myself, so I don't need management or a control panel, just a minimal-install CentOS 5 VPS. (I'll be installing cPanel DNSonly) Here's the kicker though, like most USians, I only speak English (and some would say badly), so the host has to speak at least enough to get the account set up. (preferably has a site in English). The real deal-breaker is that they MUST have their own merchant account and accept credit cards for recurring billing. I will not use Paypal, Moneybookers, or any other 3rd-party processor that requires a registration or manual payments. That almost always indicates an amateur operation in someone's basement. Looking for something along the lines of ThePlanet, but in Amsterdam. (AmsterNet? PlanetDam? )
I'm having a serious problem with Apache 2.0.54. I'm running Debian Sarge (3.1) and I cannot upgrade Apache (easily) so I am stuck using 2.0.54 (2.2+ are not supported on Sarge). I have been trying everything with config changes and different tweaks but Apache is giving me lots of trouble. Whenever I run "apache2ctl restart" Apache will crash and will not start. But when I run "apache2ctl start" Apache will run and in the log, it simply puts "[warn] pid file /var/run/apache2.pid overwritten -- Unclean shutdown of previous Apache run?". I get nothing else before or after I run those commands. Running "apache2ctl graceful" starts messing with it giving me "apache2 <defunct>" errors and "apache2ctl configtest" gives me nothing except "Syntax OK."
Here is my "apache2.conf" file:
Code:
# Based upon the NCSA server configuration files originally by Rob McCool.
# Changed extensively for the Debian package by Daniel Stone <daniel@sfarc.net>
# and also by Thom May <thom@debian.org>.

# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>);
# you will save yourself a lot of trouble.
ServerRoot "/etc/apache2"

# The LockFile directive sets the path to the lockfile used when Apache
# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
# its default value. The main reason for changing it is if the logs
# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
# DISK. The PID of the main server process is automatically appended to
# the filename.
LockFile /var/lock/apache2/accept.lock

# PidFile: The file in which the server should record its process
# identification number when it starts.
PidFile /var/run/apache2.pid

# Timeout: The number of seconds before receives and sends time out.
Timeout 300

# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
KeepAlive On

# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
MaxKeepAliveRequests 100

# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.

# prefork MPM
# StartServers ......... number of server processes to start
# MinSpareServers ...... minimum number of server processes which are kept spare
# MaxSpareServers ...... maximum number of server processes which are kept spare
# MaxClients ........... maximum number of server processes allowed to start
# MaxRequestsPerChild .. maximum number of requests a server process serves
<IfModule prefork.c>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>

# pthread MPM
# StartServers ......... initial number of server processes to start
# MaxClients ........... maximum number of server processes allowed to start
# MinSpareThreads ...... minimum number of worker threads which are kept spare
# MaxSpareThreads ...... maximum number of worker threads which are kept spare
# ThreadsPerChild ...... constant number of worker threads in each server process
# MaxRequestsPerChild .. maximum number of requests a server process serves
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>

# perchild MPM
# NumServers ........... constant number of server processes
# StartThreads ......... initial number of worker threads in each server process
# MinSpareThreads ...... minimum number of worker threads which are kept spare
# MaxSpareThreads ...... maximum number of worker threads which are kept spare
# MaxThreadsPerChild ... maximum number of worker threads in each server process
# MaxRequestsPerChild .. maximum number of connections per server process (then it dies)
<IfModule perchild.c>
NumServers 5
StartThreads 5
MinSpareThreads 5
MaxSpareThreads 10
MaxThreadsPerChild 20
MaxRequestsPerChild 0
AcceptMutex fcntl
</IfModule>

User www-data
Group www-data

# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Global error log.
ErrorLog /var/log/apache2/error.log

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

# Include all the user configurations:
Include /etc/apache2/httpd.conf

# Include ports listing
Include /etc/apache2/ports.conf

# Include generic snippets of statements
Include /etc/apache2/conf.d/[^.#]*

#Let's have some Icons, shall we?
Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>

# Set up the default error docs.
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# Putting this all together, we can Internationalize error responses.
#
# We use Alias to redirect any /error/HTTP_<error>.html.var response to
# our collection of by-error message multi-language collections. We use
# includes to substitute the appropriate text.
#
# You can modify the messages' appearance without changing any of the
# default HTTP_<error>.html.var files by adding the line;
#
# Alias /error/include/ "/your/include/path/"
#
# which allows you to create your own set of files by starting with the
# /usr/local/apache2/error/include/ files and
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
Alias /error/ "/usr/share/apache2/error/"

<Directory "/usr/share/apache2/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
Order allow,deny
Allow from all
LanguagePriority en es de fr
ForceLanguagePriority Prefer Fallback
</Directory>

</IfModule>
</IfModule>

#
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully

# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your_domain.com" to match your domain to enable.
#
#<Location /server-status>
# SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from .your_domain.com
#</Location>

# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".your_domain.com" to match your domain to enable.
#
#<Location /server-info>
# SetHandler server-info
# Order deny,allow
# Deny from all
# Allow from .your_domain.com
#</Location>

# Include the virtual host configurations:
Include /etc/apache2/sites-available/[^.#]*

And here's my "httpd.conf" file:
Code:
# This is here for backwards compatibility reasons and to support
# installing 3rd party modules directly via apxs2, rather than
# through the /etc/apache2/mods-{available,enabled} mechanism.
#
#LoadModule mod_placeholder /usr/lib/apache2/modules/mod_placeholder.so
<VirtualHost 66.150.225.201:80>

# httpd dmn entry cgi support BEGIN.
# httpd dmn entry cgi support END.

# httpd dmn entry PHP2 support BEGIN.
php_admin_value open_basedir "/var/www/:/usr/share/php/:/tmp/"
# httpd dmn entry PHP2 support END.

<Directory /var/www>
# httpd dmn entry PHP support BEGIN.
# httpd dmn entry PHP support END.
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>

</VirtualHost>
I am on the end of my rope with Apache and feel like just formatting the server and reinstalling Apache. Which reminds me, I did try using apt-get to remove and install Apache again but nothing worked.
Anyone else notice the huge outage at Surpass? My sites went down as I was editing one, and checking the server status returns a very, very long list of downed servers. Since the Surmunity Forums appear to be down as well, I was wondering if anyone here had found out what was up via other means, and whether or not there is any estimate on when it might come back up.
I was a webhost a while ago leasing dedicated servers and eventually went to work for the datacenter where I had my colo. For a while now I've been working with a neat group of 5-6 other folks programming a new uptime monitor/geo-dispersed server load testing system/software. We were looking for possible partners to keep hosting costs down during the alpha stage of the project, but while we were drawing up the papers, we saw just too much opportunity for a conflict of interest to arise and realized we couldn't realistically associate ourselves with any single company to that degree. So after a little work and fundraising, we're finally in a position to either lease some servers or colo.
Since I've been out of the loop for a while, I just want to know who the major/reliable players are when it comes to leasing or colo machines in multiple areas (ideally East, Middle, West, Canada and Europe/Asia?). We would prefer to be with one company for ease of billing and have our network of monitoring stations spread out geographically. But we don't want all of our eggs in one basket, so if a provider goes belly-up or decides to hike our rates 30-40% with little notice, we won't have too much to worry about.
We're watching what we spend during the alpha stage very closely, but I've been insisting we can strike the right balance between cost and reliability (connectivity).
I have a fairly large web site that has a forum and a torrent tracker.
Currently the MySQL server is handling about 150 queries per second on average. Here is the server spec:
Core2Duo 2.66Ghz
4Gb RAM
320GB SATA 7200RPM (server provider does not have 1.5K RPM nor 1.0k RPM)
100Mbit connection (servers on the same switch and the switch does not have a 1Gbit port)
MySQL Version: 5.0.51a
I had Master-Master Replication set up with the forum running on one and the tracker running on the other. Although this had been working for a few days, we started seeing lags in the replication process. After a week, there is a major lag and the changes made on one of the servers take about 5 hours to appear on the other. So, this doesn't work.
What would be the other ways of splitting MySQL queries concerning the same database?
While I was researching, I read about MySQL Cluster with database storage engine being NDB.
But, let's say that there is a power failure on both the nodes at the same time; then I would lose the whole database as the database is stored in memory, correct? I would not like to take that chance either, but if this is faster than the replication method then maybe I will consider it.
I thought about editing the forum code to make all queries that concern the tracker go to, say, server B (with the forum's primary MySQL server being Server A), and make the tracker use server B as MySQL backend, but it seemed like heavy work so that will be the last choice.
It seems that all of the emails sent from clientexec to the major carriers (gmail, yahoo, msn etc.,) are being either blocked completely or marked as spam (msn).
When I send an email from Outlook on the same domain ClientExec is on, the email goes through fine.
I have added an SPF Record and my domain is not "blacklisted" for spam anywhere.
I recently switched over to SoftLayer for dedicated hosting and the servers are great. However, we've been getting hit on and off with massive (50-80%) packet loss, which has been crippling our performance and causing all sorts of problems.
I put in a support ticket and they linked me to the Internet Health Report website and said it was due to one of their bandwidth providers (I think Global Crossing) and not on their internal network, and to be patient as it could take time to resolve.
Are any other SoftLayer customers going through this? Is this an unusual occurrence? I feel like if it was really one of their partners that it would be affecting a lot of their customers and it would be a high priority issue right?
I'm kind of stuck on what to do; I just invested a lot of energy into moving content onto these new servers and am concerned about whether to wait it out or whether to start finding a new company. This kind of packet loss is really unacceptable...
I run a web hosting company and one of my servers is a LAMP server running CentOs 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTPs into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory, which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its sub directories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as opposed to 0755) than its parent, but if I do a top down user/group change on the folder it will change everything in that folder to 0755.
What seemed to be a good company quickly turned to nightmares. I purchased a couple of domains. All went well. Then PayPal emailed me saying they are high risk and wanted me to confirm I made the payment and service was given. So until I did, the payment was held. They blamed the hold on me and threatened me to release it or they would cancel my account.
So I finally gave them the money and all was well. Well, I did a stupid thing and decided to get a VPS from them; they have good deals so I thought, what's the worst that can happen. Well, shortly after, I got an email saying because your payments are unreliable, we are waiting a week to set up your VPS, which is complete utter crap.
So I just said screw it and said give me a refund then, and about 2 hours ago I tried logging into my client center and my account is gone.
I am hoping one of them sees this so we can get this worked out. In the meantime I opened disputes on all of the payments.
I have questions regarding hosting/designing my application. Users of my website upload highly sensitive files to the server. I'll use SSL, but will that be enough since the files are not encrypted on the server? I tried to encrypt the files but that is adding a huge overhead.
My first question is: is it a good idea to store the files on the server rather than in a database? My other question is regarding hosting; I'm thinking of building my own server and hosting it in a colo. Is colo more secure than dedicated hosting? Currently I'm still in the process of developing my app and my environment is Windows Server 2008/SQL Server 2005.
Are there any problems with having duplicate rules in different files? I have downloaded some rules and am going to make them all into one file to give me the best protection, but this is going to take time and I really need some sort of protection now.