New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
How secure is data in shared hosting environments?
Lets say a basic WHMCS/Cpanel shared webhost platform. How secure is the data (and SQL databases) from your neighbors or their activities? For example could malware on neighbors platform sneak into yours and sniff all the data?
I'm well aware of how KVMs, OpenVZ, Docker, etc. solutions work but having never setup a shared hosting platform I'm oblivious to the security (or there lack of?) that might exist on modern shared hosting platforms.
Thanks, feel free to toss in any personal experiences you feel might be relevant.
Comments
I remember a long ago this shared hosting provider mixed up my web site's files with some maratha cyber army hacking group's domain, so if I typed their domain in google, my website's contents appear. so yeah shared hosts can be really dangerous if it's not a reliable service.
Sounds like they didn't set shared SSL.
It's as secure as the administrative staff is competent.
Back in the day (I haven't admin'd CPanel in years), you could build CPanel with user-execute-permission. It made it slower, but every site ran as it's own user. So, unless someone was stupid and set their umask 000, you generally had read-only access to other users, if even that. The FTP and web-based services effect a chroot, so you pretty much need to do it at the server level- or write a malicious script to poke around others stuff.
Of course, there are plenty of "We'll start a provider" programs out there with people who can't even spell Linux who are in charge. If you don't do it yourself, pay close attention to what people have to say about the service you are interested in, or you might end up with your shit stolen, or on a flakey EIG host.
Basically what @WSS said. In theory it's quite simple setup a server in a way that makes it impossible for users to view or even mess with other peoples stuff but it requires the person setting it up to at least have a basic understanding how permissions work and how to take the necesary steps to enforce them and thats where it gets scary. I've seen enough people running apache with modphp failing to realize how allowing every user to run programs (scripts) with the permissions of the webserver is just asking for trouble in a multiuser environment and similar basic things that i would inspect the used configuration very closely before putting any trust into it.
Thats what I'm particularly worried about, someone putting a malicious script on their setup and running a cron job on it which results in it copying data potentially even SQL databases.
Then go for KVM as a service rather than a shared webhost. It takes a lot more work than some script kiddie hitting WordPress just right. You could also get a NAT OpenVZ host and stick ClodFart in front of it, but that's rather ghetto.
The users should be isolated, but there is just a small layer between them, which keeps them isolated.
Someone with admin privileges could just dump your customer database.
Better get a KVM.
I would not host anything sensitive on OVZ or Shared Hosting.
Even if you get a KVM, the attacker can still make a snapshot and get the costumer database.
If you are total paranoid, get a Dedi but a KVM should be fine.
With Black Friday coming up in a few weeks, you should be able to pick up a hell of a lot of good for cheap. KVM and Dedi.
As secure as a condom.
What is this? Is it any kind of firewall?
Ya I believe that might be wise, I'm very familiar with managing a Linux server. Although I do appreciate how easy shared hosting makes things, especially with the advent of Let's Encrypt modules for Cpanel. For extremely low traffic web-apps it's pretty convenient.
What is everyone's thoughts on web based management modules like webmin, VestaCP, Kloxo-MR. I'm thinking I can keep the port closed and just Tunnel through SSH to access it. Is it much easier than managing a server via SSH? Seems like it might muck everything up via an update or something, thats a lot of power to give an app. But I could be wrong.
I always thought OVZ was as secure as KVM. Are KVMs that much more secure? What about AnyNode.com any decent experience with them?
Hmm I've never taken part in the back friday offerings here. Any decent offerings from the medium boys like Vultr, linode, etc. you think? This is just going to be a dedicated KVM for one non-WP dynamic site with very minimal traffic, doubt I need too much, just needs to be secure. Perhaps I can even get away with a 512mb or dare I say 256mb solution? Bare Centos 7 min. with Nginx and MariaDB? That can't take up too much ram right? idk.
Depends how your coding is done, 256MB could be fine or you could need more: you'd rather test before, or go for a bigger VPS as more RAM can't hurt and you'll have room for more cache.
Regarding the offers, I personally don't think that vultr/linode will have great recurring deals, betters deals are to be expected from smaller providers. Online might have a cheap dedi that nobody can order though.
WHMCS on a shared hosting is disastrous.
Can't wait to buy servers again i don't need
Yea I think I'm going to go with 512mb min with 768mb-1gb being the sweet spot. I was considering AnyNode and Virmach but Virmach's massive attention from chinese users has me a bit worried about their reliability. I suppose if I go with their Dallas node there will be less potentially sketchy overseas use cases. Or am I just worried about the wrong thing.
In any case it probably makes sense to wait till black friday/cyber monday and see if I can swoop up a decent 512-1gb ram host for about $12.50-$17.50 a year. I think it's doable.
Anynode is a good pick, @scaveny is a badass.
Francisco
Ya they are on the top of my list, but I'm tempted to see what comes down the pipe in terms of offers from them. I would imagine with their new hardware buildout they will need to fill it in a bit especially the Seattle node.
Additionally buyvm is also on the top of my list on account of the Storage Block coming out in a few months (you mentioned it in a different thread). But that would be for a different use case than this.
@francisco Any comments btw regarding the security of shared hosting? I would consider you to be definitely an experienced individual in that field. Feel free to ignore if it's too private since you provide Shared WebHosting services.
The big boys who don't need us will occasionally throw a bone, but I remember the debacle when Vultr pulled the $2.50 deals (set them all out of stock) a few months ago. Your best bet for saving money would be to get your usual CC or OVH reseller- with the problem being most CC resellers won't setup a deal with HE for a tunnel, so you don't get IPv6.
I'd say 512M would be more than enough, but CentOS is hungry. You'll be lucky to do much on CentOS 7 with 256MB. Don't forget to check out @eva2000's CentMinMod.
Vultr has the 512mb plan available at Miami and New York
True, and IPv6 is a whole checkbox down the line.
I would always take the view that shared hosting is like giving your data away.
I know this is blasphemous here but I would rather avoid re-sellers. Nothing wrong with Colocators but I feel those that just picked up a dedicated server to resell aren't as experienced in management and security as those that must build out a rack.
IPv6 isn't much of a concern for me on replacing this single site.
Considering the complete lack of any provider jumping in to discuss and defend shared hosting I have a feeling you may not be too far from the truth. With that said i still plan on keeping my shared hosting solution for sites that I don't care about their data being public (there's no login area the whole darn thing is public!).
But this thread has been an eye opener for me. I always assumed shared hosting was somewhere at least close to a docker level setup.. Seems I was incorrect, sites without login requirements = shared hosting. Sites that need logging in = VPS or dedicated server.. Good to know.
Well, then you're still limited in your options when money still comes into play. Just get a shitbox from WSI/NOCIX and be done with it. Note that they don't seem to have an adequate/existing UPS or network redundancy, so down means down.
Or, you know, just spin up a $2.50-$5 Vultr VPS which isn't dedi, but it's cheap and good enough for this case, or a $3 ARM shitbox with Scaleway.
Isn't a shared hosting account similar to a shell account of old, only more locked down, so less flexible?
This is really the answer you are looking for, so if you choose wisely the risks are within what I would call acceptable limits given the software being used. Although you will never know until it all goes south.
For too many hosts their idea of security is nothing more than installing cPanel and sitting back.
I remember years back I got a message to log into cPanel, the person said they were looking in the file manager and there were dozens of folders they did not recognise. Turns out he had access to all the home folders on the server and I could freely roam around them all. How the fuck was that even possible? The only answer was an incompetent host that had been tinkering and had no idea what they were doing or had done.
Now that is an extreme example. That said I always take the view that if your data could end up in the public domain and that would be an issue then always do it yourself and always go directly to a DC for your needs, no middlemen. That does not eliminate risk, just reduces it further and you become responsible, nobody else.
and always go directly to a DC for your needs, no middlemen.
That would be great, but sometimes the need just hasn't met cost yet. Shared Hosting has it's place, I love my host and won't be changing that. But your right, it's always best to have control over your own sensitive data if possible.
To be clear though, there are plenty providers that meet this and offer shared. When I say straight to DC I don't just mean the DC itself but also those that Colo and control the end hardware rather than resellers.
Oh I see yes of course I agree. Renting racks or even better yet a "suite" tends to definitely produce better options than someone just buying a dedicated server and putting in multiple kvms for sale.