A reader alerted us today about yet another web server compromise, affecting a large number of domains. In this particular case, the server was hosted with iPowerWeb, a provider of low cost web space on shared servers.
Space on a shared server is ok for personal use. But you should think twice before using it for commercial, in particular business critical use. Your web sites security will depend on a few hundred other users on the same system doing the right thing. A bad php script on one virtual server could lead to a compromisse of all web sites hosted on the same system.
If you have to use a virtual host, try to follow these tips to make things "as secure as possible":
- Don't go with the lowest bidder. You still rely on the hosting company to maintain the server and there is not much maintenance that can be done for $1/month.
- Check references. Look at sites like zone-h.org for defacement history and netcraft.com for stats like uptime.
- Keep solid backups of your files on a local system!
- Avoid files and directories that are writeable by anybody but yourself. In particular, avoid files writable by the web server.
- Do not rely on any access control provided by php/perl/cgi scripts. Other users may bypass it with their own scripts.
If you are providing shared web space, try to follow these rules:
- know your customers. Avoid handing out accounts before billing details are validated. Try to verify credit card payments by phone.
- consider virtual systems (xen, vmware...). While not perfect, its a lot better then housing all users on the same system.
- chrooted user accounts can be almost as good as virtual hosts. But they can be hard to maintain, and they still use the same web server process which may cross over chrooted users.
- monitor user activity carefully.
- use a host based IDS to detect intrusions quickly.
- got backups?
I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022