Dedicated Server
For a Dedicated Hosting system, the user can either run their own physical hardware or rent this hardware from a provider. The former solution offers total control of the physical hardware, however, there are significant downsides to this approach and should be avoided; it is only recommend under special circumstances such as storing sensitive data. In the latter case, the hosting agent provides the hardware but the user has total control of the server via remote access. In this scenario, the provider is responsible for replacement of hardware parts that fail or malfunction - this support is generally done through a ticket system and relies on the user to report errors.
Benefits
- User has total control of the system's software
- User has total control of access rights
- User has control of physical network connection, allowing them to whitelist or block connection from allowed or spurious connections
- Financial cost of hardware malfunction is not an issue as the host is responsible for replacing/repairing failing hardware
- The host can be chosen to place the server in a different jurisdiction from that of the user to prevent seizure
Downsides
- The user does not have physical access to the server
- The host is not responsible for data loss or downtime if the physical server fails
- The time taken to repair a hardware malfunction depends on the provider chosen. See Choosing a hosting provider.
- The contract can be terminated by the host and access to the server can be terminated or suspended depending on the host's terms of use.
VPS
A Virtual Private Server(VPS) is an instance of a Virtual Operating System running on a much larger server. Typically multiple VPS will be run on a single server. In a VPS environment, you have a dedicated virtual private server but do not control the server on which it is hosted. Resources will be limited, you can not control or harden the outer server.
Benefits
- The cost of this type of server will typically be significantly cheaper than a dedicated server
- Depending on the host, the server will be capable of running most standard server software, up to a certain limit
- Hardware is managed by the hosting provider unless self hosting
- If self hosting, a single server can be used for multiple purposes and to provide multiple distinct servers
Downsides
- Processing power will be limited over a dedicated server but, depending on the hosting provider, should be capable of running small to medium capacity websites
- Bandwidth will also be restricted
- The user will not have access to the outer server and will thus not be able to harden it
Threats
- Social engineering attack
- Password Bruteforce
- Service interruption through Denial of Service attack
- System software exploits
- SSL spoofing
- Data loss or data theft
Mitigation
Password Management is the core of any security strategy. For Dedicated and VPS hosting options, there are several modes of control that administrator can apply.
-
Enforce strong password - a strong password should contain Upper and Lower case characters, Numbers and Special Characters and should be long; greater than 20 characters. It is also possible to restrict the use of previously used passwords. On Linux systems the following command can be used to force complex passwords for users:
password required pam_cracklib.so minlen=12 lcredit=1 ucredit=1 dcredit=2 ocredit=1
For more detail, refer to the guide Force strong passwords
-
Use password aging, the chaging command on Linux servers allows checking of password age by user and setting of password aging parameters link.
-
Failed login attempts should result in the locking of the associated user account. On Linux systems, the faillog command can be used to check failures and to set failure limits. For more details see Faillog
-
Use Password Management software - a tool such as Keepass, or KeepassX for Linux and Mac, allows users to easily generate, store and mange complex difficult to crack passwords. Refer to this guide for details on Keepass
User Management on Dedicated or VPS systems allow administrators fine grained control of user login and access permissions.
-
Root user login should be disabled by default
-
Secure Shell(SSH) login should be forced, telnet and ftp login access should be disabled by default. To upload files to the server securely user can use Secure FTP(SFTP) clients.
-
Private keys should be used for SSH login access. The following guide gives details on generating and setting up public/private keys for SSH login, SSH tutorial
-
File permissions should be restricted for critical files. User should only be allowed access to files relevant to their work. Execution as root should be restricted. Discussion of linux file permissions.
Software Management
-
System software must always be uptodate. Critical patches are released by software vendors and operating system providers on a regular basis. These handle potential exploits, if your system is not uptodate it may be vulnerable. The clearest example of this is the SSL bug [1].
-
Minimising installed software is an important step in reducing potential vulnerabilities. The system should have the bare minimum of packages and software installed to support its purpose.
System Management
-
Firewall, iptables
-
Check listening ports
-
Logging and Auditing
-
Anti-intrusion system,
-
SELinux
-
fail2ban
Apache
Database
Web app
brief desc for these three with link to web app guide
