Choose a hosting provider

Revision as of 15:33, 26 May 2014 by Bill (Talk | contribs)

Criteria

There are several aspects which should be considered when selecting a service host. Below is a general list, this document gives detailed information on each area. eQualit.ie has developed a review of existing providers based on experiences with our Deflect network.

  • Price - relative services offered
  • Reputation - are they well known, have they had security breaches or reports of poor support, do they adhere to certain principles inline with that of your organisation - such as data privacy or protection of human rights defenders.
  • Specialisation - do they work in the field of human rights, software applications or general hosting
  • Is mail provided
  • Hardware specifications
  • Operating systems offered
  • Supported provided
  • Readily discusses your security concerns and which security features and processes they offer with their hosting.
  • Provides the most recent stable versions of all server software.
  • Provides reliable methods for backup and recovery.
  • Provides encryption options for hosting of sites or mail

Features

It is quite important to consider the possibilities offered by your provider's control panel. If you need to write a support ticket everytime the server has to reboot, it wont be an efficient process, especially during a crises. Possible features to look out for include

  • Automated operating system installs
  • Server boot and reboot
  • Remote console (sometimes known as KVM)
  • Server and network statistics
  • Dynamic components (e.g. adding extra disk space, RAM without rebuilding the machine or having to order a new service)
  • Server access (varies between SSH, SFTP or web based)

Secure hosting setups

Depending on available skill level the following secure system setups are possible:

High Technical

Dedicated Server

For a Dedicated Hosting system, the user can either run their own physical hardware or rent this hardware from a provider. The former solution offers total control of the physical hardware, however, there are significant downsides to this approach and should be avoided; it is only recommend under special circumstances such as storing sensitive data. In the latter case, the hosting agent provides the hardware but the user has total control of the server via remote access. In this scenario, the provider is responsible for replacement of hardware parts that fail or malfunction - this support is generally done through a ticket system and relies on the user to report errors.

Examples

Benefits

  • User has total control of the system's software
  • User has total control of access rights
  • User has control of physical network connection, allowing them to whitelist or block connection from allowed or spurious connections
  • Financial cost of hardware malfunction is not an issue as the host is responsible for replacing/repairing failing hardware
  • The host can be chosen to place the server in a different jurisdiction from that of the user to prevent seizure

Downsides

  • The user does not have physical access to the server
  • The host is not responsible for data loss or downtime if the physical server fails
  • The user is responsible for detecting and reporting hardware faults on some providers
  • The time taken to repair a hardware malfunction depends on the provider chosen. See Choosing a hosting provider.
  • The contract can be terminated by the host and access to the server can be terminated or suspended depending on the host's terms of use.

VPS

A Virtual Private Server(VPS) is an instance of a Virtual Operating System running on a much larger server. Typically multiple VPS will be run on a single server. In a VPS environment, you have a dedicated virtual private server but do not control the server on which it is hosted. Resources will be limited, you can not control or harden the outer server.

Examples

Benefits

  • The cost of this type of server will typically be significantly cheaper than a dedicated server
  • Depending on the host, the server will be capable of running most standard server software, up to a certain limit
  • Hardware is managed by the hosting provider unless self hosting
  • If self hosting, a single server can be used for multiple purposes and to provide multiple distinct servers

Downsides

  • Processing power will be limited over a dedicated server but, depending on the hosting provider, should be capable of running small to medium capacity websites
  • Bandwidth will also be restricted
  • Potential risk of provider, law enforcement or other state forces accessing contents of virtual server without user's awareness.
  • The user will not have access to the outer server and will thus not be able to harden it

Threats

  • Social engineering attack
  • Password brute force
  • Service interruption through denial of service attack
  • System software exploits
  • SSL man-in-the-middle attacks
  • Data loss or data theft

Mitigation

Password management is the core of any security strategy. For the dedicated and VPS hosting options, there are several modes of control that administrator can apply.

  1. Enforce strong password - a strong password should contain Upper and Lower case characters, Numbers and Special Characters and should be long; greater than 20 characters. It is also possible to restrict the use of previously used passwords. On Linux systems the following command can be used to force complex passwords for users:
  2. password required pam_cracklib.so minlen=12 lcredit=1 ucredit=1 dcredit=2 ocredit=1
    

    For more detail, refer to the guide Force strong passwords

  3. Use password aging: the chaging command on Linux servers allows checking of password age by user and setting of password aging parameters link.
  4. In some cases it may be prudent to enabled account locking for accounts that have been under particularly concerted attacks. On Linux systems, the faillog command can be used to check failures and to set failure limits. For more details see Faillog. Great care should be taken when enabling user locking as an attacker can simply deny users access to their own services by intentionally locking an account. Generally it is better practice to ban the attacker before the need for account locking is encountered.
  5. Use Password Management software - a tool such as Keepass, or KeepassX for Linux and Mac, allows users to easily generate, store and mange complex difficult to crack passwords. Refer to this guide for details on Keepass

User Management on dedicated or VPS systems allow administrators fine grained control of user login and access permissions.

  1. Root user login should be disabled by default - the sudo package should be installed and all superuser actions should be run through it.
  2. Secure Shell(SSH) login should be forced, telnet and ftp login access should be disabled by default. To upload files to the server securely user can use Secure FTP(SFTP) clients.
  3. Private keys should be used for SSH login access. The following guide gives details on generating and setting up public/private keys for SSH login, SSH tutorial. Once SSH keys have been set up for all relevant users, disabling password-based logins should be considered.
  4. File permissions should be restricted for critical files. User should only be allowed access to files relevant to their work. Execution as root should be restricted. Discussion of linux file permissions.

Software Management

  1. System software must always be up to date. Critical patches are released by software vendors and operating system providers on a regular basis. Updates frequently contain fixes for potential vulnerabilities and bugs, if your system is not up to date it may be at risk. A recent example of this is the SSL bug HeartBleed.
  2. Minimising installed software is an important step in reducing potential vulnerabilities. The system should have the bare minimum of packages and software installed to support its purpose.

System Management

  1. Firewall can be enabled via iptables the guides here and here describe iptables configuration.
  2. To protect the server it is important to audit the open ports on the machine. To check listening ports you can run
    netstat -tulpn
  3. Logging and Auditing is a key aspect of server security. All hacking, brute force, DDoS or other attacks should be captured, monitored and analysed.
    This guide describes the location and purpose of common Linux log files.
    To ensure that information is not lost, overwritten or that the logs do not grow infinitely the tool Logrotate can be used.
    Installing a tool like Logwatch allows you to monitor and respond to suspicious activity. The following guide describes installing and configuring Logwatch.
  4. Security Enhanced Linux(SELinux) is a kernel level security control mechanism, which enforces a set of rules and procedures for the system. SELinux provides fine grained control for access rights and permissions.
    To check if it is enabled run
    sestatus
    To enable run
    setenforce enforcing
    To adjust the SELinux config is available at
    /etc/selinux/config
  5. Fail2ban is an excellent tool that can be used both to combat simple DDoS attacks but also to detect and block brute force login attempts.
    Apache hardening As well as considering the physical server and it's operating system users must thinking in terms of application security. Especially for those applications which either contain sensitive data or those that provide access routes to the machine for an attacker. Below is a set of guides for Apache webserver hardening.
  • 13 Apache Web Server Security and Hardening Tips
  • Apache 2.0 Hardening Guide

Intermediary Technical

Hosted platform

For organisation that wish to setup their own custom site based on an existing platform such as Wordpress.com, there are a setup of steps that should be taken to ensure a good level of security. The choosing a hosting provider guide should also be consulted.

Platform Security

  1. Limiting access - Making smart choices that reduce possible entry points available to a malicious person.
  2. Containment - Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised.
  3. Preparation and knowledge - Keeping backups and knowing the state of your WordPress installation at regular intervals. Having a plan to backup and recover your installation in the case of catastrophe can help you get back online faster in the case of a problem.
  4. Passwords
  5. File Permissions
  6. Admin user
  7. SSL
  8. SFTP client
  9. Platform updates

Hosting install of pre-built software platform, such as Wordpress,

Shared Hosting

In a Shared Hosting environment, your and other website owners shared one server. This includes sharing the physical server and the software applications within the server. Shared hosting services are affordable because the cost to operate the server is shared between you and these other owners. There are, however, a number of down sides, such as being slower.

Examples:

Threat Mitigation

Basic Technical

For a basic setup providing a content distribution platform such as a blog users have the option of using existing free services such as Wordpress, Journoportfolio or similar.


Threat Mitigation

  1. Strong Passwords are a core element of any system. The access password for the host should be restricted to those individuals with the organisation that work directly with the server. Safe password creation and storage procedures should be followed, as described [|here]
  2. Malware is core vulnerability for the devices used by those managing and logging into the hosted system. Malware, keyloggers and viruses provided a straightforward means of attack.
    The attacker does not need to hack or compromise the server, instead via infection through phishing emails or malicious websites the attacker can log and store the passwords and other critical information.
    To mitigate this threat all individuals who work with or have login access to the server must have anti-virus installed, a firewall and have an up to date system. For more information [|see]
  3. Two factor Authentication should be enabled where available as this will make compromising a system significantly more difficult.
  4. Wordpress Security is described in detail in the following guide.

Comparison Matrix

Dedicated Server Virtual Private Server Shared Hosting Cloud Service
High technical skill Requires Intermediary technical skill Intermediary/Basic Basic
Allows disk/data encryption Allows encryption within VPS Limited or no control of data encryption Depends on provider but usually not provided
SSH and private key login Enforce secure login for VPS Login via CPanel or Custom interface - some hosts offer 2 factor auth Depends
User access control and restriction User control Control via user accounts added through management software Control via management software
Allows SSL cert, must setup and provide own cert SSL cert, must setup and provide own cert Allows only shared SSL cert, most host provide shared cert Most host platforms will provide SSL support by default
Total control of applications and software Control of software within VM, limited access to hardware depending on type of VM Application control only via management interface Depends on cloud server - certain services with provide data access restrictions but this is a non-ideal scenario
Manually maintained and updated Server is patched but VPS remains responsibility of user Patches and updates provided by host - though may lag behind depending on quality of hosting Depending on scale of provider - patching and support will be provided to protect their reputation
Limited supported - hardware support and replacement depending on provider Similar to dedicated support Support is generally in terms of management software - hardware is automatically monitored by hosts Similar to shared though support is specific to the platform hosting
Anti-ddos and brute forcing via fail2ban, botnetdbp deployment Provider may or may not mitigate DDoS attacks DDoS attacks will receive some or limited mitigation depending on quality of host, generally they will not protect against large scale attacks and may force the website to be removed Depending on the provider if the attack crosses their threshold for protection they may shut down the website or ask it to leave


Back to front page