WebHostingTalk


Choosing between managed and unmanaged hosting

The service of Managed Hosting varies between providers, but usually involves the relief of not having to worry about manually taking care of kernel and software updates, system backups and things of that nature, therefore giving you the peace of mind to focus on things more important to you or your business.

However, these services, when bought as part of a Dedicated Server package, normally cost far more than equivalent or better service from a third-party security auditor. That's because the server providers rely on you choosing the easy way and going with their package rather than outsourcing it, despite outsourcing usually leading to far better security service at a lower price.

There are two parts to Managed Hosting; the initial setup of all components, followed by the ongoing monitoring, updating and (with very few hosts) security auditing.

The initial setup can either be performed by anyone with a sound technical background, or bought as a service for a one-time-fee from one of many third party firms, usually the very same firms that also sell you third-party security auditing.

This article will cover each step. The better your technical skills, the more you can do yourself. If your technical skills are lacking, you should absolutely pay a third-party firm to do the initial set-up as well.

With that out of the way, let's go through the major areas that a Managed Host will normally automate for you, and how to do it yourself and where you need the help of a third-party auditor:

Contents

Automatic Rebootless OS Updates (Kernel)

Kernel updates can be automated in a rebootless fashion with an industry-proven subscription service at Ksplice.com, currently priced at $9.95 per month for a full virtual machine host, or $3.95 per month for a server without virtualization. It's used by many major hosts and also provides bulk licensing if you have a large number of servers to manage. The price should be more than worth it to you, given the fact that you will be able to keep your server running 24/7 without having to reboot for kernel updates. It can notify you by email when it applies an update. Note that there are no alternatives to Ksplice, paid or otherwise. It is the only solution out there for installing Kernel patches without rebooting.

The free alternative is to do regular Kernel updates which require a server reboot. This might be acceptable to you, but usually any downtime is bad for your customers/visitors and might even cost you sales, so the minor cost of the Ksplice service is probably worth it to you.

Imagine the scenario of hosting critical game servers. You can either choose to perform regular free Kernel updates that force you to shut down all game sessions in progress and reboot the server, or instant updates without rebooting the machine thanks to Ksplice. Which do you think your customers prefer? That's not a question, the answer is obvious. Of course if you have regularly scheduled downtime, you can simply wait and perform the kernel update then - but then again, delaying security updates means you are open to attack for however long it is until your next maintenance cycle (which could be a whole week away if you have a normal weekly maintenance schedule). Imagine that a ridiculously dangerous Kernel bug is discovered and that you still have 6 days to your regularly scheduled maintenance. Now realize that some of your users will be malicious and have the intent of compromising your server. Now realize that they will most likely be aware of this exploit and try it against your server! With Ksplice your server keeps running and you perform the update immediately with zero downtime. It's your choice.

Automatic Software Updates (i.e. Apache, MySQL, etc)

The easiest (and wrong) way is to simply add a cron job to "apt-get update; apt-get upgrade" to keep software up to date automatically. This will install the latest patches for software without you having to do any work at all. However, in case there's a major new version of software (such as going from 1.x to 2.x), you often need to re-configure the config files since it's not uncommon that they'll have added or changed plenty of config entries.

To avoid such a nasty surprise, what you really should do is install one of many tools out there such as cron-apt or apticron, which will check for new software at regular intervals and notify you by email about available updates, so that you can read up on the changes done to the software. Doing so is recommended, as blindly running apt-get upgrade will mean that you have no idea what it's patching, why or when, and it might install major upgrades that require you to modify the configuration file, and so on. Therefore you should set up one of the aforementioned tools instead of a straight "apt-get upgrade" job.

Automatic Backups

This is easily automatable with a cron job and a tool such as rsync, which will take care of only backing up modified files, thereby saving you bandwidth and backup time. Set it up to back up any data you need (such as the web root, logs, config files and databases), and you're done.

It is suggested that you back up to an off-site location so that your data is in a physically separate location to your server, in case something happens to the hosting facility itself.

If possible, it's also worth setting it up in reverse fashion so that the backup location connects to your server and downloads the required data. The reason being that if you have your server connect to the backup location, and your server is compromised, the hacker might feel malicious and decide to connect to your backup storage and wipe it. They can't do that if you do the connection in reverse, as your server won't contain any info on how to connect to the backup storage; alternatively, set up the backup server so that all previous backups are protected from modification.

People with a good connection at home could also use their own computer as the backup storage, to avoid having to pay for storage space for backups elsewhere. However, it is strongly recommended that you have a RAID setup (mirroring or parity based) or other redundant backup system if you decide to go that route, as storing backups on a single disk at home will make your entire backup collection vulnerable to a disk crash. Keep that in mind. Either pay a storage provider, or do it yourself with a home RAID/redundant backups setup, or don't do it at all.

Initial Configuration (of all components such as Apache, etc)

This is the most difficult area mentioned so far, as you need to set up and secure all of your configuration files (for your services, such as Apache with mod_security, PHP, MySQL, Postfix, Virtualization, etc). There are scores upon scores of great, free, high quality guides on the optimal, most secure setup. If you decide to do it yourself, you should read multiple high quality guides on each component to make sure that you don't miss anything.

Additionally, please remember to obscure (anonymize) your server headers and response pages so that they don't divulge information useful to an attacker (such as the exact server version or versions of components such as PHP). Anonymizing will keep out a large portion of the more casual hackers, since they'll give up when they can't figure out what version of, say, Apache you are running, meaning they won't know what version you're at (and therefore won't know what exploits still work on your server).

Read plenty of high quality guides to make sure that your initial configuration is well secured.

GUI Management of Configuration Files

It is recommended that you install software configuration panels such as the most popular one, cPanel (although a license costs money), or one of its many alternatives. This will give you a graphical interface for your service configuration, allowing you to effortlessly configure most major tasks and only rarely having to delve into config files again.

Keeping Script Solutions Secure (i.e. Wordpress, forum software, and so on)

Managed Hosts usually provide you with one-click, autoupdated installations of common software such as Wordpress or whatever else you may require for your site.

When you choose to manage everything yourself, you don't get that advantage. Therefore you must read up on how to set up automatic or manual (with email notification if possible) updates for every script solution you use, so that you can stay up-to-date and plug the latest security holes.

You also need to be aware that custom-written scripts can easily contain serious security holes such as opportunities for SQL injection, so be very careful with what mods you install for your script solutions.

This is a whole field all of its own, and securing your scripts is just as important as having a secure server - perhaps even more important since it's definitely the easiest attack vector if an attacker discovers that you're running outdated scripts full of holes, as that will render all your other security measures moot.

Security Auditing

The flipside to managing the server on your own is that you really should hire a security auditing company to regularly investigate your server for signs of break-ins and to make sure that you're running a secure setup. No matter how good you are, they're pretty much guaranteed to be three steps ahead of you and it's well worth paying for audits if your servers' integrity matters to you.

How often to audit is up to you and your budget, and there are plenty of firms offering subscription based auditing with weekly checkups.

You need to be absolutely aware that you're likely to miss things if you decide to do this step manually. For instance, you might have had a break-in during the small time between a kernel exploit was discovered and before it was patched, and you might not even discover it on your own.

If you do insist on doing it yourself, it's suggested that you have a robust backup system in place so that you can do an OS reinstall and restore the data on any sign of a successful break-in, otherwise you might think you've removed all traces of the break-in but actually still be compromised; for instance the hacker may have installed some hidden software that leaves them with another way in even after you've plugged the hole. Security is as good as your wallet allows, and personal expertise doesn't go all the way. Sure, there are lots of tools and procedures you can use, but you won't be as thorough or experienced as a professional auditor.

There are however a few things that you should setup during your initial installation even though you pay for audits, as these tools help the auditors too, and those are:

  • Install a monitoring tool such as aide or tripwire (the latter is more popular) to monitor and notify you of changes to the integrity of system files.
  • Configure syslog to send the log files to a remote log server where they can't be tampered with.
  • Read the logs regularly and use tools like logcheck or logwatch to see the most critical information.
  • Monitor for new user accounts and weird processes, files and opened ports that shouldn't be there.
  • There are many more things to do, but leave that to the security auditor.

Conclusions and savings

That's that. Study the above and ask yourself if you really need a Managed Hosting provider. Many "managed" providers will really just do the aforementioned kernel/software update automation and automatic dispatching of secure config files, and won't even do security auditing, while still charging a very hefty fee. If you are technically proficient enough then you can easily do the initial server set-up on your own and rely on affordable third-party auditing for your security from then on, which will save yourself a lot of money since Managed Hosting usually adds anywhere from $50 for cheap hosts to (more often) hundreds of dollars per month for the higher quality ones. Even if you aren't proficient enough to do the initial setup on your own, you can simply pay a third-party firm to do the initial setup to your specifications and still save money compared to having your host manage the system.

These savings can then be redirected into finding a higher-service provider, with better infrastructure, better support, better peering, and better hardware, and to offset the minimal cost of the third-party security audits.

It's up to you if you want to pay the premium of Managed Hosting, or if you want a cheaper, and usually better secured system, by going for third-party security audits along with either a manual or third-party initial setup.

The cost of security audits obviously varies widely based on provider, but you can find monthly subscriptions with weekly checkups for prices that still put you far below the cost of paying for Managed Hosting, and you will get more thorough and personalized audits than you'd get from most hosting providers that only bake basic security into their Managed fee.

Good luck!

Web Hosting Wiki article text shared under a Creative Commons License.

Personal Tools

Toolbox