Reseller Shared vs VPS from a Security Perspective
I was hoping I could get some feedback from some of the sys admins or linux gurus.
It's fairly difficult to understand the policies in use within a Managed Shared Reseller environment simply because nobody wants to reveal their security policies which to me could be a poor security public relations practice all around, however I am fairly certain due to the nature of remote call centres and the requirement to cater to a wider audience that it is simply just an inferior security policy all around. Whether that be admin access or hosting service access, I am unsure as to whether the admin or OS or Root access is actually whitelisted to the data center or if it's wide open for remote monitoring and servicing, While I am positive the hosting service or control panel access is certainly not whitelisted at all.
Now I understand a VPS is no guarantee for better security as it simply may not be hardened or limited properly. However in comparison to the Reseller accounts the opportunity to do so exists.
Does anyone have any insights regarding the security practices of Reseller Shared hosting set-ups? I mean does anyone have experience with Reseller Shared hosting accounts vs VPS or Dedicated hosting which has proven to them that one is superior or inferior to the other. I mean for most applications, either or will handle the workload, I am strictly concerned with security, and policies as a result of the audiences which must be catered to.
Additionally... I was wondering if anyone has any good resources regarding the innate security capabilities or track records of various linux OS.
Not to give a short answer, but this would all depend on the company one is dealing with. If they have poor security policies in a shared environment, I doubt very much they would be any different in a VPS/dedicated one.
A VPS/dedicated is simply an isolated environment that typically allows use of additional resources (not always in the case of a cheap VPS), and provides the ability to customize that environment with modules/settings that may not be available in a shared environment.
I am not a Linux Guru. If you are and if you have the time and security expertise required to keep a VPS or Dedicated box updated and as secure as possible, you can do what you want, with regard to server security. If not, leave it to a knowledgeable web hosting company (I use MDD and OLM, but there are many others out there) to keep it secure for you. With regard to a Linux Distro, I would suggest you use an Enterprise distro, such as Red Hat Enterprise Linux or CentOS, which is a rebuild of RHEL.
Well... That's the thing Lanny... up until now I was convinced that shared hosting was the way to go... I mean the focus on tightening up on security would seem rather simple if you ask me. Everyone together and protected in a herd. More man hours to focus on a single configuration.
As of recently I have witnessed what I think is an sql injection hijack an entire box. That's one of the brand name boxes which you have mentioned and those distributions are fed updates regularly to my knowledge.
That should never happen if you ask me... an SQL injection which gains privilege to other areas of the system I mean... especially on an enterprise class system.
I would suspect that having an SQL injection in any way shape or form hitting a machine over http would never in a million years be able to get into special priviledged areas of the system. IE... why should one persons database be a vulnerability to me?
I mean I am no expert with Linux either... but I do know a thing or two about the shadow password... and I am absolutely shocked having had an opportunity to play around with a few exploits which I do know of, that I have been able to actually get at the root password file through an HTTP call... I can only imagine what things were like with linux distributions which didn't make use of shadow...
I mean... I think the real question I'm asking... is shared hosting safe at all considering the exploits are coming in over http? Should that be the case, which I am pretty sure it is...
Last edited by MrKappaBeta; 09-25-2009 at 01:22 PM.
No root login - Moderators can you move to Technical & Security Issues
I understand your concerns. As I recall, one of the first things to do in hardening a VDS or dedicated box is to disable root log ins. The NSA has a manual you can download, free, in .pdf format, from nsa.gov about hardening RHEL 5 (or CentOS 5 since it is binary equivalant).
Moderators: Can you move this thread to the Technical & Security Issues area? I think he will get better responses there.