===Criteria===
There are several aspects which should be considered when selecting a service host. Below is a general list, this [https://pad.riseup.net/p/rh_ispq| document] gives detailed information on each area. eQualit.ie has developed a [https://wiki.deflect.ca/wiki/ISP_reviews review] of existing providers based on experiences with our Deflect network.
*Price - relative services offeredfor most groups the cost of the infrastructure will be a major determining factor. however, there are a large number of competitive offers and though this is an important factor it should be used as a boundary to decide what is available not as the sole reason to purchase a service.
*Reputation - are they well known, have they had security breaches or reports of poor support, do they adhere to certain principles inline with that of your organisation - such as data privacy or protection of human rights defenders.
*Specialisation - do they work in the field of human rights, software applications or general hosting
*Is mail provided- for many organisation it is not an option to run their own mail server, however, is they do not wish to sue a free service such as [https://riseup.net Riseup] or [https://gmail.com gmail], or if they wish to have domain specific email - such as info@mywebsite.org - then it is worth considering services that provide free email accounts.*Hardware specifications- does the server fits my needs? For most websites basic servers are enough but websites with high traffic can demand more stable or dedicated hardware.*Operating systems offered- different operating systems provide different functionality and integration with other applications. They also have different degrees of vulnerability and support.*Supported provided- this is an essential aspect when choosing a hosting company. It should also be considered in terms of language support, whether support is provided for software and/or hardware issues.
*Readily discusses your security concerns and which security features and processes they offer with their hosting.
*Provides the most recent stable versions of all server software.
It is quite important to consider the possibilities offered by your provider's control panel. If you need to write a support ticket everytime the server has to reboot, it wont be an efficient process, especially during a crises. Possible features to look out for include
* Automated operating system installs, this feature is hugely useful if it will be necessary to reinstall the operating system on your server. it avoids the need for dedicated time from one of your team members.* Server boot and reboot, when installing new applications or updating existing software components, or as a means to resolve an issue, the ability to remotely restart your server can be critical. This is dependent on the type of server you are using. * Remote console (sometimes known as KVM), this is invaluable in diagnosing issues with your server's physical hardware but equally is a necessity if you wish to perform full disk encryption as a password will have to be entered before the machine has full booted up.* Server and network statistics, this information helps you track your server and/or website giving you detailed information for debugging, tracking attacks or discovering who is visiting your site.
* Dynamic components (e.g. adding extra disk space, RAM without rebuilding the machine or having to order a new service)
* Server access (varies between is the means by which you can physically connect to your server. Options iclude SSH, SSH key, SFTP or web based)*
==Secure hosting setups==
===Mitigation===
'''Password management''' is the core of any security strategy. For the dedicated and VPS hosting options, there are several modes of control that administrator can apply.
<ol>
<li>
Enforce strong password - a strong password should contain Upper and Lower case characters, Numbers and Special Characters and should be long; greater than 20 characters. It is also possible to restrict the use of previously used passwords. On Linux systems the following command can be used to force complex passwords for users:
</li>
password required pam_cracklib.so minlen=12 lcredit=1 ucredit=1 dcredit=2 ocredit=1
For more detail, refer to the guide details [http://www.linux-faqs.info/security/force-strong-passwords| Force strong passwords]<li>Use password aging: the <tt>chaging</tt> command on Linux servers allows checking of password age by user and setting of password aging parameters [http://linoxide.com/linux-command/password-expire-chage-commandAccess_Restrictions#Dedicated/VPS_Hosting| link].</li><li>In some cases it may be prudent to enabled account locking for accounts that have been under particularly concerted attacks. On Linux systems, the faillog command can be used to check failures and to set failure limits. For more details see [http://www.cyberciti.biz/tips/rhel-centos-fedora-linux-log-failed-login.html| Faillog]. Great care should be taken when enabling user locking as an attacker can simply deny users access to their own services by intentionally locking an account. Generally it is better practice to ban the attacker before the need for account locking is encountered. </li><li>Use Password Management software - a tool such as Keepass, or KeepassX for Linux and Mac, allows users to easily generate, store and mange complex difficult to crack passwords. Refer to this guide for details on [https://securityinabox.org/en/keepass_main Keepass]</li></ol>
'''User Management''' on dedicated or VPS systems allow administrators fine grained control of user login and access permissions.
<ol>
<li>
Root user login should be disabled by default - the <tt>sudo</tt> package should be installed and all superuser actions should be run through it.
</li>
<li>
Secure Shell(SSH) login should be forced, telnet and ftp login access should be disabled by default. To upload files to the server securely user can use Secure FTP(SFTP) clients.
</li>
<li>
Private keys should be used for SSH login access. The following guide gives details on generating and setting up public/private keys for SSH login, [http://support.suso.com/supki/SSH_Tutorial_for_Linux| SSH tutorial]. Once SSH keys have been set up for all relevant users, disabling password-based logins should be considered.
</li>
<li>
File permissions should be restricted for critical files. User should only be allowed access to files relevant to their work. Execution as root should be restricted. Discussion of [http://www.linux.com/learn/tutorials/309527-understanding-linux-file-permissions| linux file permissions].
</li>
</ol>
'''Software Management'''
<ol>
<li>
System software must always be up to date. Critical patches are released by software vendors and operating system providers on a regular basis. Updates frequently contain fixes for potential vulnerabilities and bugs, if your system is not up to date it may be at risk. A recent example of this is the SSL bug [https://heartbleed.com HeartBleed].
</li>
<li>
Minimising installed software is an important step in reducing potential vulnerabilities. The system should have the bare minimum of packages and software installed to support its purpose.
</li>
</ol>
'''System Management'''
<ol>
<li>
Firewall can be enabled via [http://www.netfilter.org/projects/iptables/| iptables] the guides [http://www.tecmint.com/basic-guide-on-iptables-linux-firewall-tips-commands/| here] and [http://www.cyberciti.biz/faq/category/iptables/| here] describe iptables configuration.
</li>
<li>
To protect the server it is important to audit the open ports on the machine. To check listening ports you can run
netstat -tulpnFor more details see [[Access_Restrictions#Dedicated/VPS_HOSTING| see]]
'''System and Software Management''' is primarily concerned with ensuring that the physical system and its software is setup in the most mangeable, maintainable way and that attention is paid to keeping everything up to date to avoid potential vulnerabilities.
</li><li>Logging and Auditing</li><li>Anti-intrusion system,</li><li>For more details see [http://selinuxproject.org/page/Main_Page[System_Management| Security Enhanced Linux(SELinux)see]] is a kernel level security control mechanism, which enforces a set of rules and procedures for the system. SELinux provides fine grained control for access rights and permissions.
To check if it '''Webserver Setup''' is enabled runan important consideration when hosting a website. There are a variety of steps that can be taken to lock down a webserver and to make sure that no vulnerabilities or accidental leaks occur.
sestatus To enable run setenforce enforcing To adjust the SELinux config is available at /etc/selinux/config </li><li>For more details [http://www.fail2ban.org/wiki/index.php/Main_Page| Fail2ban] is an excellent tool that can be used both to combat simple DDoS attacks but also to detect and block brute force login attempts.</li></ol><ul>'''Apache hardening''' As well as considering the physical server and it's operating system users must thinking in terms of application security. Especially for those applications which either contain sensitive data or those that provide access routes to the machine for an attacker. Below is a set of guides for Apache webserver hardening.<li>[http://www.tecmint.com/apache-security-tips/Webserver_setup| 13 Apache Web Server Security and Hardening Tipssee]<li>[http://xianshield.org/guides/apache2.0guide.html| Apache 2.0 Hardening Guide]</li></ul><ul>'''Database hardening''' A key approach discussed elsewhere in protecting data, both at rest - on disk - and in use - in memory, is to encrypt these data stores either as part of full disk encryption or as individual restricted encrypted mount points. Below are further guides for specific hardening techniques for the MySQL database system.<li>[http://www.greensql.com/content/mysql-security-best-practices-hardening-mysql-tips| MySQL Security Best Practices]</li><li>[http://rochakchauhan.com/blog/2013/11/19/security-and-hardening-tips-for-mysql/| Security and Hardening Tips for MySQL]</li><li>[http://www.securethelock.com/2014/01/09/12-steps-for-hardening-mysql-from-attackers/| 12 steps for Hardening MySQL from Attackers]</li></ul>
</div>
===Hosted platform===
For organisation that wish to setup their own custom site based on an existing platform such as Wordpress.com, there are a setup of steps that should be taken to ensure a good level of security. The [[Choosing_A_Host | choosing a hosting provider]] guide should also be consulted.
'''Benefits'''
* Hardware is managed and maintained by the hosting provider
* There is no need to build custom software
* Using an install of an existing platform, such as Wordpress.com, means that software patching and bug fixing is handled by a dedicated group
* Once the solution is setup, secured and configured management is minimal
* The software platform will provide support for the core functionalities of managing a website such as user creation, content uploading and provide mechanisms for exporting/backup
'''Downsides'''
* The provider must be carefully chosen based on the information in this [https://pad.riseup.net/p/rh_ispq document]
* Software updates must be performed by the organisation
* Backup is the organisations responsibility
* No support is provided for configuring or managing the platform
'''Platform Security'''
<li>
Limiting access - Making smart choices that reduce possible entry points available to a malicious person.
For more details see [[Access_Restrictions#Dedicated/VPS_HOSTING| see]]
</li>
<li>Containment - Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised.
</li>
<li>
PasswordsPassword management - the core component of any digital security strategy is control and management of passwords. For more details [[Access_Restrictions#Dedicated/VPS_Hosting| see]]
</li>
<li>
File Permissions</li><li>Admin Software updates and system control - allows the userto lock down the system and restrict what applications are running.</li><li>SSL</li><li>SFTP client</li><li>Platform updatesFor more details see [[System_Management| see]]
</li>
</ol>
Hosting install of pre-built software platform, such as Wordpress,
===Shared Hosting===
* http://www.dreamhost.com/web-hosting/
* http://wpengine.com/ (wordpress only)
'''Benefits'''
* Host provided support for software and hardware
* Reduced technical needs for organisation
* Standardised software components
'''Downsides'''
* Heavily relies on the hosting providers technical and support abilities
* Danger that compromise to another unrelated site could compromise user's site.
* Your security is tied to that of others using the same system
* Limited or no control over security procedures - relies heavily on abilities of hosting provider
===Threat Mitigation===
==Basic Technical==
<div class="mw-collapsible-content">
For a basic setup providing a content distribution platform such as a blog user's users have the option of using existing free services such as Wordpress, Journoportfolio or similar. '''Examples:'''* [http://wordpress.com/ Wordpress]* [https://www.tumblr.com/ Tumblr]* [https://www.journoportfolio.com/ Journo Portfolio]* [http://www.joomla.org/ Joomla] '''Benefits'''* Host provided support for software and hardware* Very low technical needs for organisation* Easy setup and quick start '''Downsides'''* Heavily relies on the hosting providers technical and support abilities* No control over system software or hardware* Limited security options
===Threat Mitigation===
strong <ol><li>'''Strong Passwords''' are a core element of any system. The access password for the host should be restricted to those individuals with the organisation that work directly with the server. Safe password creation and storage procedures should be followed, as described [[Access_Restrictions#Dedicated/VPS_Hosting|here]]</li><li>'''Malware''' is core vulnerability for the devices used by those managing and logging into the hosted system. Malware, keyloggers and viruses provided a straightforward means of attack.<br>The attacker does not need to hack or compromise the server, instead via infection through phishing emails or malicious websites the attacker can log and store the passwordsand other critical information.<br>To mitigate this threat all individuals who work with or have login access to the server must have anti-virus installed, 2 a firewall and have an up to date system. For more information [|see]</li><li>'''Two factor auth,Authentication''' should be enabled where available as this will make compromising a system significantly more difficult.</li><li>'''Wordpress Security''' is described in detail in the following [http://codex.wordpress.org/Hardening_WordPress guide]. </li></divol>
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed" style="width:800px">
==Comparison Matrix==
<div class="mw-collapsible-content">