Aw, “semi-managed?” What does that mean? What do they manage and what do they leave to you?
As I’ve preached before, better to have the host manage the server (they don’t have to get in the way … and don’t unless you ask for help), better to have WHM/cPanel making regular updates (cPanel has been changing with new features as well as plugging security issues - which they tell you about as soon as they have a patch). YOUR job is to write good code recognizing that everything which visitors submit (intended or not - the last thread I answered questioned requests for /?q=node/add …) MUST be carefully matched to what the script expects to receive (including checking data types as well as values, e.g., look for [and replace] apostrophes in strings which will touch your database!).
Again, it’s a matter of letting the experts do their job and paying attention to the things which are your responsibility (and within your capability).
One further note, WebHostingBuzz is posting a notice upon login (to WHM) that mod_security had been added as an option (because it does require some user management - configuration and review of the prolific logs it generates). As a “user,” mod_security would be a good thing for you to look into.
password control (make them difficult and require changes);
manage FTP access to the server as well as individual accounts (I have clients who want to get into their website but will only allow that if I create a new account for them, i.e., jail them within their account so any back code will not affect other client websites … or the server);
same with telnet access (although that is more dangerous because of the powerful things that can be done from the shell);
keep WHM/cPanel up to date (security updates are the most important);
REQUIRE daily checks of canned apps (like WordPress as they are always under attack and do update their code frequently AND ensure that updates are IMMEDIATELY made - best, IMHO, to only use canned apps in their own account because attacks on them are so often successful that the whole server could be compromised);
keep master copies of your files as backups for reinstallation (attacks do happen and they are occasionally successful);
throttle your mail server (successful attacks are often by spammers who use your server to send SPAM - choke that off in your mail queue so you can delete the thousands of e-mails which can only get your server blacklisted);
learn some mod_rewrite code (http://dk.co.nz/seo) to help protect your scripts from malicious code (as with the /?q=node/add query string the other member was getting frustrated with; it’s also a VERY useful tool for webmasters!);
That should be enough to keep you off the streets nights for a while!
Sounds like they’re taking care of the server end of things … as they should.
I won’t use a host which does not provide WHM (Web Host Manager)/cPanel (the premier website control panel). That makes management of the websites and domains quite simple. While there are other control panels, the cPanel stack is clearly at the top of the heap.
Many hosts won’t include WHM/cPanel because it’s an additional license for them so “bare bones” hosts will often offer WHM/cPanel as an option but at an additional cost.
YOUR PHP sanitizes everything? (That statement scares me because I have a problem believing it.) Does that mean that your code examines all visitor input? That’s an extremely valuable skill so I hope you’ve learned all the ins and outs of that. IMHO, prepared statements should be an intermediary between the sanitized input and the database (as a further check).
Your host wants to be paid for a free Apache module? Horrors! Look it up - it’s an easy task for a webmaster to install mod_security. Keeping the rules up to date and reviewing the logs are where the effort comes in. Of course, there is a website dedicated to creating and testing mod_security rule sets so that’s neither difficult nor time consuming.
YOU should be able to access your account via Telnet but there should be NO public (or client) access.
Are you kidding? My WHM/cPanel is AUTOMATICALLY updated every day! I doubt your host needs to do anything to be sure it’s updated BUT, if you insist, you can visit cpanel.com every day (or week or hour or minute) to be sure.
Kudos to you for using ‘All “home-grown” code’! I do, too, but still worry about having overlooked something. At least “home-grown” code makes it difficult (hopefully) for hackers to get in and damage websites.
CSF? IMHO, throttling is important (to limit possible SPAM and protect from being added to blacklists).
Keep mod_rewrite at the top of your ToDo list and get on it ASAP. It’s an incredibly powerful tool for webmasters (and one of the things I insist on having available with any host (mod_rewrite is NOT enabled by default)).
There’s no rest for the wary - but BE WARY of all the attack vectors you can imagine (and understand that’ll be less than half of those hackers are using).
It means whether you send my website input through a $_POST or $_GET or Form or Upload or whatever, my code will carefully inspect it and smash it to pieces with a baseball bat if you so much as think of sending me bad or invalid code!!
Then I beat it up a second time with Prepared Statements and (some) constraints in MySQL.
I stand behind my code…
I think so, but I don’t know for sure. On my To-Do list.
[quote=“dklynn, post:4, topic:112320, full:true”]
YOU should be able to access your account via Telnet but there should be NO public (or client) access.[/quote]
I will have to research that.
I sleep well at night knowing I am running all original code. (Learning Linux and System Administration is what makes me sweat!!!)
Full Disk Encryption
CSF - ConfigServer Security & Firewall
CSF comes with Login Failure Daemon (LFD) and I think it addresses those types of things, but that is on my To-Do List as well!
I use it now minimally for preventing directory listings and for mod_rewrites. Will have to read up on its other capabilities.
My website is hacker safe, because it is offline! (I’m still trying to get my server safely configured.)
Whew! I’m relieved to read that you are very conscious (suspicious) of all user input (including 404 requests?). That’s your first line of defense (after mod_rewrite’s limited capabilities in this realm). Your prepared statements (for database access) are a great second line. As far as I’m concerned, your clients appear to be in very good hands.
Mod-security can help your host defend against DOS attacks as well as many others (I’m just getting into the rule creation and then I’ll be examining the OSR (?) rule sets to see which I want to enable). As I said, it’s a GREAT tool but it does have a considerable learning curve and requires monitoring of its log files (and deleting old logs as I’m sure they’re a storage hog).
Thanks for your definitions. FDE must certainly come with its key stored within your website AND uploads to your website will certainly have to be processed by the key (like a door key to the entrance hallway). I have the feeling that your entrance hallway is well protected, though, so I wouldn’t lose too much sleep. Just be aware that FDE (and mod_security, for that matter) require considerable additional processing before serving files to your site visitors. Ditto CSF, I’m sure. There is a price to pay for security (in cost as well as convenience) but it beats having to rebuild servers and reputation!
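
The two lines of defense discussed in this thread (matching visitor input to what the script expects, then prepared statements) can be sketched as below. This is an added example, not code from any poster in the thread. The `member` table, the `id` and `name` fields, the sample requests and the use of in-memory SQLite in place of MySQL are assumptions made so that it runs offline.

```php
<?php
declare(strict_types=1);

// Constructed request data standing in for $_GET / $_POST (not real traffic).
$requests = [
    ['id' => '42', 'name' => "O'Brien"],              // expected shape
    ['id' => '42 OR 1=1', 'name' => 'x'],             // id is not an integer
    ['q' => 'node/add', 'id' => '1', 'name' => 'x'],  // parameter the script never expects
];

/** First line: accept only the expected keys, data types and value ranges. */
function validate(array $in): ?array
{
    if (array_diff(array_keys($in), ['id', 'name'])) {
        return null;                                  // unexpected parameter present
    }
    $id = filter_var($in['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000000]]);
    $name = $in['name'] ?? null;
    if ($id === false || !is_string($name)
        || !preg_match('/^[\p{L} \'\-]{1,64}$/u', $name)) {
        return null;                                  // wrong type or value
    }
    return ['id' => $id, 'name' => $name];
}

// Hypothetical schema; SQLite in memory is an assumption standing in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Second line: values are bound as parameters, never concatenated into the SQL text.
$insert = $db->prepare('INSERT INTO member (id, name) VALUES (:id, :name)');

foreach ($requests as $i => $req) {
    $clean = validate($req);
    if ($clean === null) {
        echo "request $i: rejected\n";
        continue;
    }
    $insert->bindValue(':id', $clean['id'], PDO::PARAM_INT);
    $insert->bindValue(':name', $clean['name'], PDO::PARAM_STR);
    $insert->execute();
    echo "request $i: stored\n";
}
// The apostrophe in the bound value comes back as plain data.
echo $db->query('SELECT name FROM member WHERE id = 42')->fetchColumn(), "\n";
```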