The internet contains over 1.7 billion websites, and every one of them is hosted by at least one web server. A web server can host hundreds of sites on one physical machine, but depending on the way it’s hosted, just one hacked website can be the downfall for all sites on the server. Security for web hosters is more important than ever as more customers depend on your cybersecurity best practices and monitoring to find ongoing attacks. Web servers usually host several business sites, which store customer data, so they are common targets for attackers. So, we've put together a list of hosting security best practices and tips essential for web hosting security. This articles covers the following hosting security topics:
Shared vs. Dedicated vs. Managed Hosting
Web hosts come in all different sizes, shapes, and flavors. The three most common are: shared, dedicated, and managed hosting. The way providers host sites also determines the impact after a compromise, but cybersecurity responsibility differs depending on the hosting subscription.
Shared hosting is the most affordable for customers, but every site on the web host adds risk to other sites on the same server. When customers choose shared hosting, they share the same pooled resources on the server, so an attacker who gains access to critical server services (e.g., gains a shell access on the server, remote code execution, buffer overflow attacks) could inject their own code into every site hosted on the server. Shared hosters should take care to ensure that their shared hosting servers have advanced security applications and hardened operating system configurations to stop these attacks.
Dedicated hosting model doesn’t have the risks from other websites, but it puts security in the hands of the customer. If the customer manages all aspects of the server’s settings, then vulnerabilities could be introduced by administrators, unfamiliar with cybersecurity best practices. For example, if the dedicated server gets hacked and the host’s SMTPl server is used to spam malicious emails, the SMTP server could be blacklisted and any messages originating from the server could be blocked by spam filters. Since multiple customers use the same SMTP server, their legitimate emails could also be blocked. This would affect host reputation and customer retention.
Managed hosting is the best option for hosts because it takes all responsibility away from customers who have little cybersecurity knowledge and puts it in the hands of the host provider’s staff. The hosting provider ensures that all aspects of the site and the server are safeguarded, so customers are free to upload content and share pictures without managing security. It reduces risk but creates overhead on the hosting provider’s staff.
Securing Web Hosting Servers
In any hosting environment, hosters must ensure that their servers are secure. Securing a web server not only protects hoster assets, but it also safeguards customer data from hackers. Businesses that use hosting providers for website services rely on the hoster to safeguard their corporate data and keep the business site running smoothly. Should the server suffer from a compromise, it could cause data loss, downtime, and affect customer revenue. These issues affect the hoster’s reputation and revenue, so applying a few of the following best practices will harden security on web servers and reduce risk of a compromise.
Install and Configure a Web Application Firewall
A Web Application Firewall (WAF) blocks many common attacks sent through web forms. It runs on layer 7 of the OSI model, so it works differently than a typical hardware firewall. It’s similar to a reverse proxy where all traffic must pass through the WAF before it reaches the webserver. The WAF analyzes HTTP traffic and blocks any suspicious traffic
Using a WAF, hosters can block cross-site forgeries (CSF), cross-site scripting (XSS), SQL injections, and more. For example, if an attacker sends a malformed SQL string using a website’s contact form, the WAF detects it and blocks it. A good WAF will display statistics and information about blocked attacks so that the web host can identify vulnerabilities on customer sites.
Distributed Denial-of-Service Attack Protection
Mitigating DDoS attacks is the most difficult task for web hosts. These attacks can come from multiple IPs across the globe. Web hosts can’t block legitimate traffic, because it affects customer sites. But determining legitimate from malicious web requests requires the right monitoring and tools. Installing monitoring tools that detect and mitigate DDoS attacks is a must.
Attackers will launch a DDoS without warning, so mitigating techniques require the right tools that can mitigate it before it causes performance degradation and downtime for all sites on the hoster service. Good tools will notify administrators, mitigate the attack, and protect from resource exhaustion and crashes.
Use SFTP Instead of FTP
File Transfer Protocol (FTP) transfers data in cleartext, leaving customers at risk of man-in-the-middle (MitM) attacks and data eavesdropping. Instead of hosting an FTP server for customers to upload and share files, use Secure FTP (SFTP) to transfer any files over an encrypted channel.
Back-Up Data on Servers
Site owners make mistakes sometimes, and they then need their sites restored to a specific
date. Web hosting customers rely on web hosts to have good backups and a reasonable retention policy (e.g., 30 days). Backups are a component in disaster recovery and can be used to recover data at request from customers or restore a server, should it become a target in a sophisticated attack. For example, a successful injection of ransomware on a shared hosting server could destroy data across all customer sites. Backups could be used to recover instead of experiencing a critical security incident that can’t be remediated quickly.
Use Whitelisting for Maintenance IPs
Web hosters know that several customer IPs will be used to access authorized areas of their account (e.g., cPanel.Learn more about cpanel security). Instead of allowing open access from any IP address, customers should be advised to whitelist IP addresses so that only approved IPs can access administration areas of their account. The same should be done for the server itself. Administrators should use whitelisting of maintenance IPs for remote access using SSH.
Every connection to the web host should be encrypted to protect users from man-in-the-middle attacks. Users who connect to sites from public Wi-Fi open themselves to data being intercepted and stolen. By forcing an encrypted connection to the server, using a cryptographically secure cipher, user data is safe from eavesdropping and account compromise.
Antivirus and Antimalware Protections
When you host hundreds of sites on one server, you allow site owners to upload any file to their hosting account. These files could contain malware either purposely or unknowingly. Malware stored on the hosting server could affect other sites on the server if an administrator accidentally executes the file, or if an attacker would obtain elevated privileges on the host and will execute the file. Using antivirus for linux server and antimalware applications, the host can detect malicious files immediately and either clean the file or block it from being uploaded.
Remove Unused Applications Not Used for Hosting
When the hosting application is installed on the Linux server (e.g., Apache), it’s usually configured with default settings, plugins, and possibly other third-party applications. Any additional application on the server opens risks of vulnerabilities either from errors in code or from allowing the application to run unpatched. Instead of leaving them installed on the server, it’s better to remove any application not necessary for hosting customer sites.
Force Password Changes
Users, especially those with high-level privileges, should change their passwords frequently. If users keep the same password indefinitely, an attacker with access to those credentials could have access to the account for years, potentially. By forcing password changes on accounts, the attack window is reduced. For example, forcing users to change their passwords every 30 days gives an attacker only 30 days maximum to compromise and use the account.
Configure the Host’s HTTP Strict Transport Security (HSTS) Header
SSL/TLS forces encryption on the hosted website, but it does not protect cookies or sites that still allow HTTP cleartext connections. Setting the HSTS header to Strict-Transport-Security will transfer users from an HTTP connection to HTTPS, and it will force browsers to send cookies only over encrypted channels, which will mitigate cookie hijacking. The setting is server specific and not site specific, so it will require administrators to configure it on the host.
Mitigating attacks on thousands of user websites is no easy task, but the right web host security settings and tools will stop many attacks that could affect thousands of customers. With these ten best practices, you can safeguard customer data and avoid a critical cybersecurity incident that could cause downtime and impact revenue.
Take your web hosting security to the next level with Imunify360 security suite. Imunify360 is a complete security suite with all components working together to keep your servers safe and running while you could focus on other business tasks. Imunify360 is a synergy of Antivirus, Firewall, WAF, PHP Security Layer, Patch Management, Domain Reputation with easy UI and advanced automation. Try Imunify360 free for 14 days and see results in just one week.