Background:
I have been running a Linux web site hosting service for a few months now. I would like offer PHP, MySQL and possibly Perl to the more expensive hosting packages. There are too many people who ask me if we offer this to ignore it.

My partner says its irresponsible! Is this true? For some reason he is scared to death of getting hacked. He is scared because his friend’s httpcity.com got hacked and lost all their accounts information.

There is a difference between free hosting and paid hosting right?

Notes:
PHP would be run in safe mode.
PHP hosting would have it’s own dedicated server.
Every other, to every night backups.

Looking for:
I need something solid that will make him change his mind. Tell me you have 1000+ accounts using PHP and never had any major security problems. :(

As long as you keep your software packages updated and have a sound security policy, you should be fine :)

To add to what JonL said it sounds like your freind at httpcity.com did not have backups.. this is the #1 mistake.. without php, perl whatever you can still be compromised I would make that my top priority over everything else.

httpcity.com didn't have backups that was the messed up part.

I listed that we would have nightly backups or bi-nightly backups. It would be on it's own server away from the mail server. ... Worst case, we get hacked by a user who figured out how to use PHP to get to root access and they delete everything on the server.

We can just set it back up again within 48 hours and try to figure out what client did it right?

More feedback. I have a very stubborn partner.

My partners solution is to just offer the clients a lot of pre-written scripts for users to use from our control panel. It sounds pretty Mickey Mouse to me. :(

1. Backups
2. Keep everything patched and up-to-date
3. Don't let anyone know your root password
4. Don't give SSH access to anyone unless they obsolutely need it
5. Yes there is a difference between paid and free hsoting. You have the right not to accept customers if you think they are a potential threat to you and/or your other customers.
6. Brush up on what PHP etc is and what it can be used for, then brush up on security of these things and you (or your partner) will see he is leaning a little too heavily on the paranoid side. If you make sure everything is up-to-date and are careful about who you give what to. Caution is a good thing, paranoia is a little extreme :)

Get it right intially and you can minimise any potential risks that may or may not occur.

I find it a bit silly myself, but as your *partner* (meaning he does have a say) is paranoid you might want to try another approach.

I'd put together figures of how much more business ($) you could bring in, and how much it would cost to hire someone (part-time even) who has a sound knowledge of security. If the new incoming business supersedes the amount it would cost to hire this person, then go for it.

Then both of you can be happy ;)

PHP "safe mode" isn't. And neither is mod_perl.

If you do things properly -- with suexec -- then you'll be quite safe; otherwise, you're asking for trouble.

I'm inclined to say that "if you have to ask, don't do it".

Originally posted by cperciva
PHP "safe mode" isn't. And neither is mod_perl.

If you do things properly -- with suexec -- then you'll be quite safe; otherwise, you're asking for trouble.

I'm inclined to say that "if you have to ask, don't do it".
Ya, nothing is completely safe. I would like to offer the service and trust my users. I guess I should just have a good AUP and cross my fingers and be prepared?

I have heard about PHP's safe mode and have used it. It's un-useable for me and read that it isn't as safe but is more safe with the right settings.

Thanks for all the help this stuff is GOLD!

*Off topic*
Does anyone know anything about JSP and supporting it on a Linux server is a good idea?

The bottom line is to be prepared for anything. ASSUME the worst...

"You will get hacked and the server rm-rf'd every night."

Now, build your solution from there up. As for limiting the security threats, I would recommend that you do run all scripts on a seperate server. Give users access to "scriptserver.yourdomain.com/~username/" as their CGI-bin... Use cgiwrap to wrap all cgi scripts and php scripts (you have to use the php patch for that... Its been around a few years and works quite well, I think its in the current cvs of cgiwrap as well.) rlimit all users cpu time and memory usage as well. keep detailed logs. run php in safe mode but also read the php security docs... safe_mode alone doesn't do a lot - there are still functions that should be disabled (mail() for example... user could spam from your server if he wanted)

Again, plan for the worst and then you'll always be ok. We have a free php service for a sponsorship - we'll be booting the OS off a CD for them. This way any hacks just require a reboot, on rebooting manual intervention is required to recover user files from backup or not. Backup is done every night. When you boot the server you can say "recover files from backup server" or just leave it alone and it will not copy files from the backup server back to the servers hard disk (which is only used for user files and swap.)

If there are ever any updates to the os/etc we just burn a new OS cd and drop it in while playing frisbee with the old one. CD's cost a few cents. And no, we don't play frisbee with dead CD's in the DC... doubt security would like it.

Originally posted by jessep

*Off topic*
Does anyone know anything about JSP and supporting it on a Linux server is a good idea?

Maybe I'm missing the point of JSP (I'm sure I am as I haven't really looked too much into it, beyond the basics) but it seems to be you can do everything JSP can do in PHP or ASP if on windows. Personally I think JSP consumes too much processing power to be effective. Like I said you can do it all in PHP anyway.

Bare in mind this is purely personal opinion

Refcom,
If I paid someone for advice it wouldn’t have been as good as what you just gave me! I’m looking into everything you just said! I didn’t even think about users sending spam with the with mail() function.

Reseller,
I worked on 3 projects as a front end UI designer where the sites were coded in JSP and EJBs. None of the projects really gook off except for resourceadapters.com. I was just wondering if it would be helpful to add to the list of things a user can get when signing up. If it does consume too many resources I’m sure it wouldn’t be worth it because I have never heard of someone using it to make their little web site.

GOLD!!!