  1. How important is Security?

    Hello,

    How important is it to have good security such as firewalls? Are hackers that much of a threat to a web server that I may set up? I guess my main worry is, will it be worth it to invest in a heavy security system?

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Well, if you have, let's say, a vulnerable PHP script... they could possibly be able to use your server to launch attacks on other servers. In my opinion you should never be lax on security. If you are hosting clients, NEVER be lax. You must secure your server. If you do not secure your server, you are putting your business and clients at risk.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  3. #3
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,889
    Weigh up security, features and user-friendliness for yourself. Imagine you are in the middle of a triangle... each corner of the triangle represents security, features and user-friendliness respectively. So when you move more towards security, you trade off features and user-friendliness (moving further away from the other two corners of that triangle). Now if you move more towards features, again you trade off security and user-friendliness. So you need to find a good mix of those three (where you are in that triangle)...

    Each company will have different security policies and thus you need to think about what you are after... If you are going all out for security, your clients will be making a lot of noise due to lack of features etc... So in short, security is like adding layers or barriers to your important data/applications... How many security layers you want to add depends on your weightage on the three I mentioned. The more you add, the more your clients will encounter problems for their application...

    Just my thoughts
    Giam Teck Choon

  4. #4
    Join Date
    Mar 2006
    Location
    Katy, Texas
    Posts
    172
    You should never be lax, but you should never have complete lockdown as well. As the above poster said, there is a bit of a balance, but in a shared environment some things are just good form. I can't say anything exact, but picking up a good book (even just an introductory one so that you are familiar with things in case something happens) would probably help you out a bit. (I'm a big fan of "Hardening Linux" myself, really nice book though it is kind of technical.)

  5. #5
    Join Date
    Dec 2004
    Posts
    350
    Are you for real?!?

  6. #6
    Join Date
    Jul 2002
    Posts
    38
    Essentially, security is prevention - the amount of money that an organization would spend on security is variable. It's simply a play with figures and the risk of being compromised. Like we all know, putting a server on the internet has its risk - for some, attacks and hackers are a huge issue and they are willing to spend lots of money on it. For others, they will risk it - cross their fingers and hope for the best.

    IMO - basic securing of any internet server service is a necessity. There are just too many playful people around - poking around to spot an easy target. It's probably like a case of locking your car when you pop into a supermart. But do you want to arm your car with:
      • an alarm system?
      • an autosensor that detects motion within 3 feet of the car?
      • an anti-hijacking system that will stop the car if it isn't able to identify the driver's hands?
      • a GPS tracking system?
    I'm not sure if everyone is ready to arm their car with these gadgets - they do have their place in certain areas ... but it probably isn't mainstream. It's probably the same with server security: the basic securing of server services etc. is a necessity. Anything extra is essentially based on your own analysis - how important is uptime? Is there any data worth the trouble? etc. etc. etc.

  7. #7
    Things you can look forward to if you don't bother with server security are:

    1. Getting added to the RBLs because a spammer got ahold of your box

    2. Being used to DoS other hosts
    2A. Possibly getting DoSd yourself since your server DoSd someone else's

    3. Your CPU cycles getting wasted because someone is using your server to crack passwords or DoS someone

    4. Your bandwidth getting wasted because someone is using your server to DoS someone

    5. Your server being fork() bombed or something similar because someone thought it would be funny to do so (this can/will kill your box pretty much instantly)

    6. Getting rooted and rmd

    7. Getting rooted and someone mass defacing every site on your server

    8. Getting your host connected to an IRC network, where any number of people will be able to take control of your box for whatever reason they want

    9. Being used to submit fraud orders to other webhosts or whoever

    10. Being used to break into other hosts

    11. Getting "infected" with worms, which will chew up your bandwidth and CPU cycles, as well as infect other vulnerable hosts


    I'll stop there, but that list is by no means all-inclusive, since anyone who hacks your box can and will do whatever they feel like. This is a very small list of things you can look forward to if you don't bother with security. Furthermore, one could argue it's a responsibility to secure a server that you plan on connecting to the Internet. No one wants to receive spam and no one wants to be DoSd, especially if these things could have been mitigated by some basic preventive actions.

    My recommendation would be to do the following:

    Find a few people that do server security, and ask them for a quote on securing a server. Have them provide you with information detailing everything they plan on doing to harden your host. Shop around a bit, and be willing to pay a few bucks for someone to do this for you. You're going to need upkeep as well, but a one-time job is better than nothing. It could save you a lot of headache in the future.

    Take it from someone who's been in the business for a number of years. If you don't take control of your servers, someone else will. It's only a matter of time.
