By Thomas Reznor
Web hosting security can be a real nightmare, especially if you don’t know what goes wrong. What you don’t know about Web hosting can hurt your business. Hackers are constantly trying to find new ways into your server and are becoming more and more clever each day.
While web hosting companies are doing their best to keep up with the demand for improved security measures, it is still crucial that webmasters take precautions to make sure that the security of their sites and data are not inadvertently compromised.
Understanding the Risks
Shared hosting servers and VPS accounts can be vulnerable to attacks by hackers who carry out their work by uploading malware or otherwise malicious sites or code onto a server. Once the site is uploaded, it becomes an imminent danger to all customers whose data is hosted on that server, as it is either set up to activate automatically or it can be triggered inadvertently by an administrator in the course of routine server maintenance work.
These programs can also be introduced to a server through security vulnerabilities in a legitimate client’s site, and the malware is used for anything from stealing credit card data to launching a DDoS, or Distributed Denial of Service attack that then allows hackers to hijack an entire hosting server and use it for attacking other servers, either within the same network or on other networks.
Even misuse of a network for spamming is very detrimental to a hosting company and its clients. It can result when a spammer abuses the hosting company’s resources to the point that its DNS servers are blacklisted by one or more major E-mail providers. This means that customers will not be able to send even the most routine E-mails from their accounts, and for some customers this renders the account useless.
How Web Hosting Firms Should Protect Against Breaches in Security
First of all, every hosting company should know who its customers really are. An account registered from a location or IP address known for hacking and security breaches is often set up by a legitimate business that is purposely using a reliable hosting provider outside its own location so as to avoid security issues. Therefore, routinely rejecting accounts from such locations is not always the best policy. On the other hand, careful screening of all accounts, where proof of identity is requested and new clients are contacted by phone before accounts are actually activated, will deter hackers from registering accounts with a host that takes these precautions.
No responsible host should make available open access, cost-free hosting that is sponsored by advertisements if it also offers paid hosting packages on the same server network. Free hosting accounts are often used by hackers who entice users to visit their sites and download malicious programs that can be a danger to the entire network, or at the very least create problems for legitimate customers. A host that offers cost-free promotional hosting should do so only for known clients, and it should be kept on a separate network to prevent users from setting up malicious sites.
A reliable firewall is also a must. The firewall should block any threats to the server and sites hosted on it that may come from outside the network, and custom settings should allow for banning IP addresses, such as those of unsecured proxy servers, that are known to present security threats.
Specific software is now available that can be installed on servers to prevent DDoS attacks. All hosting companies should install such software on their server networks, and it should be a standard feature on co-located dedicated hosting servers as well.
Shared hosting providers also should limit the use of executable commands, especially in PHP (on Linux web hosting servers). These commands can be used by account holders to access files throughout the server, and even if this is done accidentally, which is often the case, the damage can be irreparable.
All sites on each server or network should be monitored to make sure that no malicious code has been uploaded to a site, even if the rest of the site is completely legitimate. In cases where a site has been compromised and presents a danger to other users, the site must be suspended and not allowed to function again until the owner has taken measures to remove the threat in question. Features are now available that allow automatic alerts from web hosting providers to let clients know that their site has had a hacking attempt made to it. This enables the client to take responsibility on his end to plug any security vulnerabilities that can affect use of all websites on the server.
At present, practically every reputable web hosting company backs up all data to a remote server on at least a daily basis. This is a must as it allows the host to restore data to its entire network or to a particular site should it be damaged by a breach in security or by any other type of technical difficulty.
A web hosting provider should offer its clients extended security protection, either as a standard feature or for an extra fee. Secure FTP (SFTP), which encrypts data being uploaded so that it cannot be compromised during the upload process, is a desired feature that protects both webmasters and the web host from uploading files that could be compromised. E-commerce sites should be able to obtain an SSL (Secure Socket Layer) certificate for encryption of all sensitive data, such as credit card information, that passes through the hosting server, and SSH (Secure Shell) access should be offered for secure communication between the hosting server and the computer that a client uses to access his web hosting account.
Both hosting companies and users of hosting accounts should periodically change all passwords used for access at whatever level they can access the server and files. Hosting companies should require employees to change passwords at certain intervals, and in the event of equipment or personnel change, all passwords used for server access should be changed.
Website account holders should change passwords in the event of any detected threat to their sites, or after they have made major changes, such as updating a CMS or uploading new software, that could pose a security threat. In the event a hosting company notifies a client of a thwarted attack, the company should advise the client to change all hosting access and site administrator passwords in the event these were compromised during the attempt at hacking the site.
Other User Precautions
In general, while web hosting companies do have a responsibility to maintain the highest level of security on behalf of their clients, clients should also take precautions to make sure they are not inadvertently misusing their accounts, especially where shared Linux hosting is concerned. As PHP, which is hosted on Linux, is the most easily abused programming language, webmasters and business owners should be aware of the source of any code or software they are installing on their accounts. When new code is uploaded, it should be tested or screened if possible, whether it was written by hired PHP programmers, purchased as a standard off-the-shelf solution, or obtained as a module or other extension for an open source CMS.
Web hosting providers should assist their clients in taking these security precautions by providing utilities to test code whenever possible, even though most harmful code will be stopped by properly deployed server-side security measures in any event. This is really a customer service function, in that educating clients on how to prevent disruptions will help them maintain full access to their websites at all times. Client security education can take the form of bulletins which provide reminders to screen code, as well as links to resources that help clients maintain the highest level of security at all times. Such bulletins are also a way to promote frequent changing of passwords, and to warn clients of known malware or hacker threats that could affect their hosted site.
Windows vs Linux
Most hosting companies offer both Windows hosting and Linux web hosting, and regardless of any security concerns, most clients are compelled to choose one or the other based on the technical needs of their websites and applications. Even though PHP, which is hosted on Linux servers, is easy to abuse or misuse, its convenience and availability compared to Windows hosted ASP and ASP.NET often outweighs security factors. Only Java can be run on either platform.
Therefore, even in the rather rare event that a new client is going to choose the language in which his site is written based on hosting security concerns, there really is no hard-and-fast answer as to whether the convenience of PHP outweighs its vulnerability to security issues. There is also no real answer as to whether Windows hosting or Linux web hosting is more secure, although each platform has its advantages:
Advantages of Windows Hosting
– Limited User Account Privileges
Windows Server users are automatically logged in as standard users and need to request permission and enter passwords to use their administrative privileges when these privileges are granted by the main administrator. This means that a malicious program that somehow gets user access would be theoretically thwarted before it can make any real changes to files. It also means that a new employee who has not been vetted or fully trained cannot gain access to any files that he could damage purposely or inadvertently.
– Professional Response to Security Flaws
In the event a security flaw is detected, it is handled only by the authorized Microsoft security team. This can mean that solutions to the flaws are more secure and more reliable, since experienced programmers who are employed by Microsoft are the only ones who can correct flaws that could be exploited by unscrupulous individuals.
Advantages to Linux Web Hosting
– Fewer Known Threats
Since Windows is so widely used as an operating system on stand-alone computers, it is a more frequent target of hacking and malware attacks, and many of these threats are of significance to Windows Server as well. Linux has fewer known instances of targeted malware, and reports indicate that few installations of Linux have ever really been threatened by malware. In addition, hosting services now have the ability to install programs that also prevent Windows malware from attacking sites hosted on Linux servers; this can happen when customers or webmasters access PHP sites hosted on Linux from Windows computers.
– Faster Response Time When Security Flaws Are Spotted
The open source community behind Linux is very responsive to issues that threaten its stability in any way. Therefore, when a threat is detected, patches are made available as soon as possible, even if a new full version that includes the patch is only released later.
It is truly very difficult to select a hosting platform based on security issues, especially when most clients are locked into one platform or the other because of the language used to create their websites. In any event, proper server hardening techniques can be used to ensure top-level security of either platform.
Server hardening is essential to make sure that improvements are made to the default configuration of any web server. This applies to dedicated servers as well as to shared hosting servers, and standard procedures are recommended for both Linux web hosting and Windows hosting servers. While server hardening also encompasses basic security techniques such as providing clients with secure access to their server accounts as well as frequent password changes, specific extensions and programs are recommended to ensure best practices in server hardening techniques.
Windows Server Hardening
Windows 2003 can be analyzed and upgraded for security issues with guidance from its Security Compliance Manager function, which allows administrators to determine the desired baseline level and type of security and to activate all features necessary to maintain it.
Windows 2008 and Windows 2008 RC 2 include updated and easier to use versions of the above function, which are referred to as the Security Configuration Wizard. Its features include easy disabling of unused ports and other features that are not being used but which could be exploited by hackers.
Windows IIS also suggests specific methods of server hardening; however, experts agree that taking the precautions necessary at the 2003 or 2008 operating system level are sufficient to guarantee that IIS will not pose security threats.
Linux Server Hardening
The main versions of Linux used for Linux web hosting, such as CentOS, include security extensions such as SELinux which provide functions similar to those offered by the Windows security management software. AppARMOR is an alternative which is also open-source and which is preferred by some specialists for hardening Linux web hosting servers at kernel level.
The Most Secure Choice
Clearly, the most secure choice for any web hosting application is a managed, dedicated server. This enables the client to ensure that his sites and applications cannot be affected by security threats which are uploaded by other users, and it affords the web hosting client access to professional management which handles all web security issues and server hardening on his behalf.
However, for many customers, such a server is not practical, and many web hosting companies rely on shared and VPS hosting for the bulk of their services. In order to provide the best level of security protection, all possible safeguards against threats, starting with customer identity checks and including careful monitoring as well as top-level server hardening techniques, are an absolute necessity. Such dedication to security helps web hosting providers retain their best customers and attract new ones. Considering that today’s small website can become tomorrow’s major success, web hosting providers who are attentive to the security concerns of their clients at the shared hosting level are the ones who will retain them when the time comes to upgrade to a managed, dedicated server. They will know that the web hosting provider will be even more attentive to their security concerns as their sites and server requirements continue to grow.