Tag Archive 'firewall'

Hack-Proofing Your Dedicated Server

Having a dedicated server is one of the true signs that you have made it as a small to medium sized business owner.  Unfortunately, it also makes you a likely target of hacking and other security threats.  Securing any machine equipped with a web or application server is a huge challenge, one you may not be able to overcome alone.  You need to worry about everything from your email and FTP communications to OS and kernel patches.  And let’s not forget about those web technologies that can bring you so much functionality along with a lot of grief when not properly secured.  This web-based world we live in can be very hazardous to any business so if you want to protect your server, we suggest paying close attention to the contents of this article.

Must-Have Defenses

Securing a dedicated server begins with creating a two-layer bulletproof vest to deflect the attempts of the enemy. Two of the most effective weapons to carry into battle are firewall and intrusion protection technology. With a firewall, your server will be able to fight off common exploits such as DDoS (distributed denial of service) and brute force attacks. Usually originating from multiple unsecured, enslaved machines, the dreaded DDoS attack will slam your dedicated server with awful amounts of insignificant traffic, overwhelming critical resources and rendering the hardware inaccessible to legitimate users. A quality firewall with good configurations will enforce rules that filter access and block malicious traffic while allowing legitimate traffic to pass. This is all done in a way that reduces latency and slow-moving processes, so it all appears transparent to the end-user.

Though similar in nature, intrusion detection and prevention takes a more advanced approach towards server security. This technology blocks malicious traffic right at the source, locking compromised hosts in a quarantine area all while routing genuine user traffic in a quick and efficient manner. If a firewall represents your first line of defense, then intrusion protection serves as your behind-enemy-lines mechanism. This powerful combination allows you to shift security measures from reactive to proactive.

Don’t Stop There

While the implementation of firewalls and intrusion protection makes a good first step, one should keep in mind that this isn’t a set-it-and-forget-it type of deal. In order to stay ahead of the hackers, malware coders and corporate saboteurs, you must consistently employ vigilance as well as frequent updates of your patches, blacklists, filters and other vital elements. Purchasing and installing a few security devices and applications can be viewed as the easy part. Managing them with efficiency is an entirely different story.

Because properly securing a dedicated server is cost prohibitive for most small and medium sized organizations, you may want to consider a managed service to help keep the intruders away.   Managed hosting is the often overlooked aspect of a dedicated server that could spell the difference between running a successful business, or going down because of a major security breach.  If you are not sure where you stand on server security, consult your IT team or speak with a professional firm for guidance.

Category: Security Issues
Posted on Monday, Jul 20, 2009

The Need for PCI Compliant Hosting

More web hosting providers are offering services that provide customers with the help they need to achieve PCI (Payment Card Industry) compliance.  Achieving compliance requires the use of numerous security tools and policies to meet the standards that apply to any business that accepts, processes and stores credit card information.  Those who do not adhere to these requirements are subject to penalties and may eventually lose their privileges to accept credit card payments, which is the most common method of payment on the web.  If you sell products or services online, investing in a PCI compliant hosting solution may be worthy of your consideration.

Though PCI standards were introduced to protect consumer information and ensure integrity across various industries, they have also introduced a new level of frustration for the smaller business that needs to sell products or services online but doesn’t possess the resources to achieve compliance. There is a lot that goes into protecting sensitive card data and unfortunately, too many organizations are not equipped to provide this protection. Every day, companies are scrambling to gather the necessary resources to not only fend off attackers, but also keep the government out of their business. Difficulties aside, PCI compliance is needed as threats are growing rapidly in terms of numbers and sophistication.

PCI-Friendly Hosting Features

Achieving compliance requires a multitude of security components.  Some of the essentials include:

Malware Protection – Malicious software such as viruses, worms, Trojans and keyloggers pose a direct threat to card data stored on any computer or web server.  Businesses are strongly advised to keep their systems protected with reliable solutions capable of detecting and eradicating the latest malware programs.

Firewall - A firewall provides an organization with the ability to control inbound and outbound traffic going to and from the system.  With the right configurations, it can halt malicious traffic and also help to prevent basic hacking attacks.

Intrusion Detection – Though very effective, a firewall can only do so much.  An intrusion detection system enables PCI compliance by detecting the presence of malicious activities that pose a potential threat to card data resting on the system.

Network Monitoring – Even with all the right security mechanisms, card data can still be at risk due to a wide range of circumstances. This could be related to hardware failure or a problem with a backbone provider. Network monitoring allows companies to stay one step ahead of such issues by watching over the network and reporting its status to system administrators.

SSL Certificate System - SSL (Secure Sockets Layer) is a must-have security feature for any business that sells goods or services over the internet. Credit card data is in jeopardy whenever transactions are made on any website that isn’t protected. With an SSL certificate, businesses can ensure the protection of sensitive information as the protocol creates an encrypted tunnel for credit card details to travel through.

Not all hosting providers make the commitment to aid in PCI compliance but more are getting onboard with the concept.  Those who are should be commended for their efforts to aid in business-friendly solutions that take the stress out of meeting these demanding standards.

Category: Security Issues
Posted on Friday, May 29, 2009

Windows Hosting with DotNetPanel

The control panel is very important in the web hosting arena as it can offer benefits to both the end-user and web hosting provider. These programs are generally made to run on certain platforms and one of the best available for the Windows system is DotNetPanel. Created by SMB SAAS Systems Inc., DotNetPanel is a feature-rich control panel made to simplify management tasks in the Windows hosting environment. This control panel is robust, highly scalable and runs seamlessly without the bugs that commonly plague other applications. Ease of use, excellent support and a great price are making DotNetPanel a first choice for many businesses.

Web Host/End-User Features

Advanced File Manager – The DotNetPanel File Browser is both powerful and comprehensive, allowing you to manage your files without the use of FTP.  This utility includes a zip/unzip function along with standard file managing options such as copying and moving files, creating files and folders and more.  Such advanced functionality gives you the power to deploy applications faster and more efficiently than FTP.  The File Browser is a wonderful feature for end-users who are behind a firewall and may not be able to use File Transfer Protocol.  It is easy to use and doesn’t require any complex network configurations.

Virtual Directories – DotNetPanel offers the unique ability to manage websites and virtual directories with nearly every one of their essential properties.  This includes default documents, security settings, MIME types, custom errors and FrontPage extensions among several others.  You can also change the location of the root folder or virtual directory any time after creating it.

Comprehensive Database Backups – DotNetPanel has a wide range of features you will not find in other control panels. One of them is the database backup/restore utility. From the user-friendly interface you can easily back up and restore both MS SQL and MySQL databases.

Reseller Features

The DotNetPanel control panel is integrated with an arsenal of features designed to aid in the management of reseller hosting.  Some of the most notable features include:

Unlimited Hosting Accounts – With DotNetPanel, there is no limit to the number of standard or sub-reseller accounts you can set up.

Simple Resource Navigation - As an administrator, you can view all the websites, databases and user accounts of all the resellers and customers underneath you.  This can be done with ease from a centralized interface.

Account Activation and Suspension - DotNetPanel gives you the ability to activate reseller, sub-reseller and user accounts in separate packages. Once you suspend an account, all the resources of that particular hosting package are disabled entirely.

Audit Log – The audit log feature allows you to monitor and control every aspect of user accounts.  You can track user login credentials and also create, update and delete various activities.

DotNetPanel is a fully integrated control panel that covers nearly every angle of web hosting, a viable option for the shared hosting environment as well as dedicated and virtual private servers. Although it’s restricted to a specific platform, DotNetPanel is quickly becoming the preferred choice for Windows hosting operations.

Category: Control Panels
Posted on Thursday, Mar 12, 2009

Staggering Numbers on Website Vulnerabilities

According to a recent study by Scott + Scott, a law firm based in Connecticut, 85% of businesses in the U.S. have experienced some sort of data breach, a factor that places the personal information of millions of consumers at great risk. To no surprise, most of the companies involved in the study were exploited over the web with the leading cause being insecure servers and applications. These vulnerabilities are what result in the loss of bank account numbers, credit card details and Social Security numbers while putting billions of dollars in jeopardy. Although there are various security mechanisms available to limit these exploits, the typical components such as firewalls and intrusion detection systems simply aren’t enough.

Intruders are just as aware of the critical information that can be accessed through an application as the webmaster.  In many cases, their entrance and overall success is attributed to numerous factors.  Those conscious of the roaming threats typically monitor network perimeters with firewalls and intrusion detection systems.  However, these components actually encourage exploits as they are required to keep ports 80 and 443 open to support SSL and protect online transactions.  To an intruder, these ports are open doors that enable website attacks in a number of different ways.  Most network firewalls are configured to secure only the internal perimeter, leaving the company open to a wide range of attacks.  And while both intrusion prevention and detection systems are somewhat more effective, they don’t perform complete analysis of a packet’s contents.  Without an additional layer of security, a knowledgeable intruder can penetrate a web application with relative ease.

An organization dedicated to improving the security of web-based applications, the OWASP (Open Web Application Security Project) recently composed a list of 10 of the most common vulnerabilities in today’s applications.  The potential threats are associated with the following:

1. Cross site scripting

2. Server-side scripting errors

3. The execution of malicious code

4. Insecure direct object reference

5. Cross site request forgery

6. Improper error handling and data leakage

7. Penetration of authentication and session management

8. Vulnerable cryptographic storage

9. Insecure web communications

10. Failure to restrict write permissions and URL access

The Web Application Security Consortium (WASC) has validated the OWASP’s top five application vulnerabilities with the testing of 31,373 sites. Additionally, the Gartner Group reports that 97% of more than 300 sites studied in a survey were found to be vulnerable to application attacks. The same study also revealed that 75% of today’s web attacks occur at the application level.

The numbers indicate that most E-commerce sites are easy targets for an array of attacks. While proper coding is the key to prevention, one of the best methods of defense against application exploits is a web application scanner. This type of mechanism protects both applications and servers from intruders by crawling through the site and analyzing every piece of content. Such products conduct various tests along with simulated application attacks throughout the scanning process. If genuine security holes are detected, reports are generated that detail the severity of each vulnerability. Security experts recommend using a scanner that offers a technical, in-depth explanation of each vulnerability detected along with appropriate suggestions for eradicating them.

Category: Security Issues
Posted on Thursday, Nov 20, 2008

Shared Web Hosting vs. VPS Hosting, Part 1

We are often asked about VPS versus Shared Hosting. Most small and very small businesses will find shared hosting is a very good fit at a very reasonable price. There definitely does come a point when most businesses outgrow shared web hosting plans. Virtual Private Server (VPS) hosting can provide a solid “next step” for both medium-sized businesses and those smaller businesses that rely heavily on their site or email on a day-to-day basis.

In this first article we’ll outline a few of the key differences between shared web hosting and VPS hosting. Some of these apply only in the case of InMotion Hosting’s plans, but many of them are standard for VPS implementations.

Separate OS and Software

Virtual Private Servers have a completely autonomous Operating System specifically for that VPS. All of the software necessary to run a shared hosting server is present but set up just for the VPS to use. A VPS from InMotion Hosting is almost identical to having a dedicated server while having the convenience of a shared hosting account. It even has a full copy of cPanel included.

Private Email Server & IP Address

Shared web hosting solutions share not only the web server but also the email server. In many situations, shared mail servers will handle thousands if not tens of thousands of domains at a time. With a VPS Hosting solution, a company will have its own email server dedicated to handling its own email. In addition, the email will be coming from a unique IP address and this greatly helps ensure fast, accurate delivery. There are several other benefits but the above two are the biggest factors for small and medium sized businesses that rely on email for their daily operations.

Custom Security Policy

VPS Hosting platforms allow for a customized security policy. Your company can dictate how your VPS is accessed and when. For example, with shared web hosting, email (POP/SMTP/IMAP/Web Mail) must be accessible through both secure and standard connections. VPS Hosting allows the business to require that its employees access their email through a secure socket layer (SSL) connection. This helps ensure logins and passwords are encrypted and can help prevent hackers from obtaining that information while in transit.

On-Server Anti-Virus Scanning

VPS Hosting accounts will most often include the ability to scan all incoming email for potential virus threats through an on-server virus scanning process. This is a resource intensive process and shared hosting typically doesn’t include it because it can greatly degrade reliability of the shared hosting server.

Customizable Firewall

Shared web hosting usually (and really should if it doesn’t) includes some form of firewall protection to help prevent hackers from accessing the server. When the firewalls are set up for shared hosting, access must be allowed to everyone on that particular server to control panels, web mail, POP, SMTP, FTP, etc. With VPS hosting, because it’s a stand-alone environment, the firewall can be locked down to only allow access from specific locations to those important services. For example, a business may be concerned about who has access to update the web site and will want to only allow access from their office to FTP or the hosting control panel.
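As an added illustration (not part of the original post or InMotion Hosting's own configuration), the script below generates an `iptables-restore` ruleset that combines the two VPS policies described above: mail clients reach only the SSL/TLS ports, and FTP, SSH and the control panel are reachable only from the office network. The office range `203.0.113.0/24` is a documentation placeholder, and the control panel ports 2083/2087 (cPanel/WHM over TLS) are assumed defaults.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a VPS.
# gen_rules is a hypothetical helper name; the office network is a
# placeholder and the panel ports are assumed cPanel/WHM TLS defaults.

gen_rules() {
    office_net="$1"
    # Accept only a plain IPv4 CIDR, and never "everyone", so a typo
    # cannot silently turn the admin allowlist into a world-open rule.
    case "$office_net" in
        ""|*[!0-9./]*|0.0.0.0/0)
            echo "bad office network: $office_net" >&2; return 1 ;;
        */*) ;;
        *)  echo "expected CIDR notation: $office_net" >&2; return 1 ;;
    esac

    # Default-deny inbound; keep loopback and replies to our own traffic.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF

    # Public services: web, server-to-server SMTP (25), and the
    # SSL/TLS mail ports only (SMTPS 465, IMAPS 993, POP3S 995).
    # Plain POP3 (110) and IMAP (143) are never opened, so clients
    # cannot send their passwords in the clear.
    for port in 80 443 25 465 993 995; do
        echo "-A INPUT -p tcp --dport $port -j ACCEPT"
    done

    # Administrative services: FTP, SSH, cPanel and WHM, office only.
    for port in 21 22 2083 2087; do
        echo "-A INPUT -p tcp -s $office_net --dport $port -j ACCEPT"
    done

    echo "COMMIT"
}

# Print the ruleset for the placeholder office network.
gen_rules "203.0.113.0/24"
```

Check the output with `iptables-restore --test` before loading it, and keep console access available in case the office address is wrong. Passive-mode FTP additionally needs its data port range opened for the same source network.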

A follow-up is coming soon.

Please feel free to ask questions, technical or from a business standpoint, and I will try to answer them in our upcoming posts.

Category: About Web Hosting Web Hosting Types
Posted on Friday, Oct 31, 2008
