
View Full Version : Checking out a host's Security
chrisb 08-24-2002, 02:49 AM How do you check out a potential host before signing up, to make sure that they
1) take security seriously, and
2) know what they are doing security-wise?
I've been reading the technical forum here for a while, and that has given me some insight as to which hosts may know about security, and which may not. (I also notice the hosts that never post in the technical forum.)
When I see a host stating that "SSH is dangerous and that is why they don't allow it for their customers", it tells me that they don't know much about security, and I would avoid them.
Any other suggestions for checking out the security and security knowledge for a potential host?
Akash 08-24-2002, 02:53 AM Originally posted by chrisb
When I see a host stating that "SSH is dangerous and that is why they don't allow it for their customers", it tells me that they don't know much about security, and I would avoid them.
You could be right, but this is a generalization - many hosts offer SSH after the client has passed a "screening" (i.e., photo ID or something of the sort).
IMO, SSH is perfectly OK to offer to clients, provided they have a valid reason to have it (not just, it's nice to have)... nowadays with these nifty control panels, you don't need SSH, which is probably the main reason it is not offered by many hosts...
as far as security goes, best way to find out is to ask specific questions
Servstra-Sales 08-24-2002, 02:59 AM I agree with akashd's comments. There are hosts like ourselves that do provide SSH access, it's just not set up by default. Those clients that do require it simply need to request it be enabled. This generally prevents newbies from doing any damage when they don't know what they're doing.
chrisb 08-24-2002, 02:59 AM Mike, that is not the crux of the thread. Debating SSH is another thread that's going on. I'd like to keep this thread about security... if that's possible. :)
MultiVol 08-24-2002, 03:02 AM Only need for SSH nowadays is just to import big databases with the mysql command after you FTP the database.
Don't think cPanel can do it with anything larger than a 1 MB database, if I'm not wrong.
It would be nice if, in phpMyAdmin, you could give the path of the MySQL database and have it import it instead of using the mysql command.
Is there anything else that needs SSH?
Edit: oops, sorry for getting off topic, couldn't help it.
chrisb 08-24-2002, 04:38 AM Originally posted by MultiVol
oops, sorry for getting off topic, couldn't help it.
And you should be... especially when you don't know what you are talking about. :)
I'd hate to send you guys support questions. Instead of addressing the issue, you'd go off on a tangent. *sigh*
MikeMc 08-24-2002, 07:31 AM Originally posted by chrisb
When I see a host stating that "SSH is dangerous and that is why they don't allow it for their customers", it tells me that they don't know much about security, and I would avoid them.
Chris, sorry but I will not agree with this. Often, not to say always, hosts use this type of phrase just to pass the message easily to every type of customer, beginner and/or advanced. That phrase means: NO SSH... and we give you a simple reason (no explanations), just to get across the general idea that SSH use isn't for everyone...
I would choose a host that uses that phrase instead of one that gives SSH access to everyone.
And in any case shared hosting isn't the most secure thing... it is always 'shared' hosting. So a dedicated server, well configured, is the solution for you if you need high security. I mean that looking for high security on shared hosting... isn't that realistic. Of course this is my poor opinion.
akashik 08-24-2002, 08:41 AM Security is always one of those fine-line issues between locking a server down tight, and still allowing people in a shared environment to do the things they need to do. As they say, the only truly secure server is one with its power cord yanked out of the wall.
Having said that, attention to notices is always a good idea, and upgrading software as applicable. A stroll through Netcraft shows a lot of servers around with old Apache and PHP versions even after the recent well-documented holes that sprang up. While the holes in both don't appear to have been something of direct concern as far as a 'hole' goes, they did allow for things to happen that an upgrade would prevent.
Security's not only what's on the server, but paying attention to what others are doing. Port scans, anon FTP, bad scripts... the list goes on. Recovery plans are important as well, of course, in the event you miss something and someone slips through a gap.
I think a major issue is keeping an eye on the ball. Like most things in life, the moment you relax is the moment someone sneaks up behind you and bops you over the head.
Greg Moore
sigma 08-24-2002, 09:43 AM Originally posted by chrisb
Any other suggestions for checking out the security and security knowledge for a potential host?
My first suggestion is to never bring up SSH on WebHostingTalk. The uninformed comments that invariably follow are hilarious but tiresome. I think you know that already.
Why not ask your host a few questions? Even if they have to get escalated, at least you'll find out what they have to say about following Bugtraq, hardening servers, monitoring users, etc. Shared hosting can in fact be quite secure; the security policy begins with not trusting the users.
On the more passive side of things, find out what software they're running and how often they seem to upgrade. Netcraft is usually helpful in that regard.
Kevin
bitserve 08-24-2002, 12:41 PM Originally posted by akashik
As they say, the only truly secure server is one with its power cord yanked out of the wall.
You forgot about physical security. You need it in a vault, too. :)
To see if a host has halfway good policies, here's what I would ask them.
1. What and when was the last security update that was done on your servers?
2. Do you notify your customers of OS and subsystem updates that are performed or scheduled?
3. How do you ensure that users are unable to access each other's files?
4. How do you deal with denial of service and similar attacks?
5. Are network/system security incidents reported to users if they affect their service?
6. Does your organization know of any outstanding issues that could compromise your system or network in any way?
Unfortunately, not just in the web hosting world, but everywhere, system/network administrators are generally very undertrained or underskilled. Most organizations have administrators by chance instead of by training.
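A host that answers question 3 well should be able to show how it verifies the claim. The following is an added example, not code from the thread or from any host mentioned in it: a POSIX shell audit that lists customer home directories whose mode grants any access to group or other, which is the usual starting point for cross-customer file reads on shared hosting. It assumes home directories live under one base path (given as the argument) and that `stat` is GNU or BSD.

```shell
#!/bin/sh
# Added example (not from the thread): audit home directories on a shared host
# for modes that let other customers read or traverse them.
# Assumptions: a POSIX sh, and stat from GNU coreutils or BSD (both handled).

# Print the octal mode of a path, trying GNU stat first, then BSD stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Report every directory directly under $1 whose group or other bits are
# non-zero. Prints "path mode" per offender. Returns 0 only when none are
# found, so the function can drive a cron job or a pre-provisioning check.
# Hosts that rely on suEXEC with a per-user group may accept group bits;
# this strict version flags them too, so the operator decides consciously.
audit_homes() {
    base=$1
    found=0
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        mode=$(mode_of "$home")
        # The last two octal digits are the group and other permission bits.
        rest=${mode#"${mode%??}"}
        if [ "$rest" != "00" ]; then
            printf '%s %s\n' "$home" "$mode"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Stand-alone usage: audit_homes /home
[ "${1:-}" ] && audit_homes "$1"
```

Run it as `sh audit_homes.sh /home`; a clean result exits 0, and each reported line names a directory that another customer's CGI or shell session could at least traverse.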
cactus 08-25-2002, 02:01 AM Well, you can simply tell when hosts advertise SSH very clearly in their hosting plans without fear, rather than undermining the customer's intelligence ("not recommended for beginners / only on request"). I believe that instills confidence in a prospective client that the host has the server well under control security-wise, in contrast to hosts that are very pessimistic about SSH when a prospective customer mentions it and live in fear of it.
There are many alternative routes to damage a server without using SSH, and SSH users are those you know (your hosting clients), whom you have details/records of and can always take appropriate action against if required.
cactus 08-25-2002, 02:21 AM Oh, I forgot to mention: should the host that you have found not mention anything about SSH, just fire off an email and confirm it.
If the reply is: Yes, SSH, SSI, FTP are enabled by default, then you can rest assured that the host is for you.
Regards
chrisb 08-25-2002, 02:49 AM Thanks cactus for your feedback. Yeah, I understand that SSH is a part of security as well as scripts, but I was hoping more to discuss "server security set-up", and that some hosts would voluntarily tell us how they set up their server to make it secure, such as Apache, suEXEC, etc.
bitserve 08-25-2002, 01:55 PM Originally posted by cactus
If the reply is: Yes, SSH, SSI, FTP are enabled by default, then you can rest assured that the host is for you.
Don't know why they would reply with SSI and FTP if you asked about SSH.
A good response from a security-knowledgeable host would be:
"Yes, SSH1 and SSH2 with 3DES and SHA-1 are both available." :)
I think we just list "shell access", and the ssh is assumed.
cactus 08-25-2002, 11:09 PM Thank you bitserve for correcting the error. From your experience, could you elaborate further, how do you secure SSH or audit it to remain secure at all times? Thanks
hitspot 08-26-2002, 12:18 PM Originally posted by chrisb
When I see a host stating that "SSH is dangerous and that is why they don't allow it for their customers", it tells me that they don't know much about security, and I would avoid them.
This isn't always true. I would say a good number, perhaps the majority, of hostile attacks do originate from shell access. Therefore, some hosts choose to take the risk and others do not. This does not indicate security knowledge, only the level of risk the host is willing to take. The only thing I see this indicating is that the host is not right for you, as you clearly want SSH access.
To test for security knowledge, you might want to ask what security software they utilize, such as intrusion detection, firewall, etc. (PortSentry, ipchains, iptables, etc.).
If they do not have much of a response, it would suggest they have not invested much time in the area of security.