

Network design for web hosting with security in mind

Posted on 2012-04-09
Medium Priority
Last Modified: 2012-06-27
Hello there,

I've been having a lot of trouble with people who do not have anything useful to do with their time and go around disrupting other people's businesses by cowardly hacking and defacing small business websites.

It made me adopt a different position, trying to avoid as much as possible the invasions with the least cost/effort.

Most of the time, the issue was related to some weak security against SQL injection and writable folders and files on the accounts.

I only host websites that were designed with our framework, which has quite a few hands on the coding and might still have a few security holes. On top of that, I do not provide FTP access to the client, only me and my crew have access to the server. The panel is Plesk and no client has access to it, only me and a few guys from my crew.

Supposedly, I am in a very comfortable position, different from hosts that host applications done by third party, offer ftp access and panel access.

Based on that I am facing two issues:
1 - My network design must be rethought considering maximum security against hackers and the sort.

2 - I need a complete audit on the actual websites to learn of possible holes that can be patched.

Let's explore issue 2 first.
I was thinking of publishing the website on a shared hosting account at any host and post a project either on elance or rent a coder or else to have other people find out the security issues so I can patch them.

What is your take on how to proceed?

Regarding issue number 1, I was wondering if hosting all the website digital files (images mostly and files like pdf, doc, zip etc) on a separate server, maybe Amazon Cloud Drive and having no writable directories or files on the website itself would be a considerable move to prevent hackers from running scripts under the domain.
Additionally, backups would be a breeze for me if content from hundreds of websites were stored under one single account.

On top of that I'd make sure my websites are completely SQL injection free, if there's such a thing.

I'd really appreciate someone's view into that.


Question by:Ederwainer
LVL 51

Expert Comment

ID: 37826361
first the network should be done by your ISP due to a properly installed network firewall, while the system security is either your job or that of the ISP too depending on your type of contract
if this is done, your system (network ports, file permissions, etc.) is properly protected according to common standards
then you only have your web application with vulnerabilities which may be exploited to gain access to your data, your system or misuse your system
this means that you have to ensure that your application is properly coded by doing a good input validation of all data, encoding all output according to the destination system (HTML for output to the browser, proper escaping to avoid SQL injections when sent to the database, etc.) and, if appropriate, a good access control
most of this should be done by source code analyses or at least a source code review

If you're unsure where to start regarding threats, vulnerabilities and risks, I'd suggest to start with OWASP Top 10

Author Comment

ID: 37826955
When you say my ISP you mean the datacenter where I have servers, in this case Godaddy.
I run dedicated servers with pre-installed OS and control panel for web hosting. However, datacenters usually offer lots of service and I have to pick what is best for me and design it accordingly, or pay top dollars for third party to do so, but I'm not there yet as my revenue is still short.

Most of the problems took place due to write permission to folders, so I thought if I end the write permission, even if they get to the database they won't be able to delete/replace/add files.

The distance also plays a big role on this, as backing up data locally takes ages due to all the network nodes the connection goes through. So I thought of hiring S3 service from Amazon and have all the digital files to be stored and retrieved from their servers, as Amazon has servers in my country (Brazil)

I'm putting my framework to test by posting a project at elance so coders and technicians can find holes for me, as it is quite a large application.

Comments are much appreciated
LVL 51

Expert Comment

ID: 37826966
> Most of the problems took place due to write permission to folders, ..
hmm, setting more restrictive permissions is just a second line of defence, defence in depth, or name it ...
the problem is the code which writes, you need to identify and fix that code

when you have no resources for paid services, then you simply can set up your own network firewall; as you use linux for your servers, iptables is on board and will protect against all unwanted access if configured properly (e.g. you only need port 80 and 443 open for incoming requests and anything else closed)

Author Comment

ID: 37826981
That is very clear to me now, so I'll focus on securing the application.
Do you happen to know any online service that can scan/navigate the framework, locate input fields and test it for vulnerabilities?


LVL 51

Accepted Solution

ahoffmann earned 900 total points
ID: 37827013
there're various online services, but the quality depends (no further comment:)
for tools start here:
LVL 35

Assisted Solution

Slick812 earned 600 total points
ID: 37828666
Greetings Ederwainer. Web host settings and server security is a very very LARGE subject, and has several very different parts (like "Linux security", "Apache security", "php security", "mySQL security", "SQL injection vulnerability", "file upload vulnerability" and several others, along with those that have parts of several of these combined). My first suggestion would be for you to consider "Narrowing" your security questions down, by separating what you ask about, like asking two different questions about "file permission security" and "SQL injection vulnerability"; these two are (to me) widely different in their problems and solutions. Also, by separating your security concerns into different categories, you may be able to get better "Professional" help for your site's reviewers-consultants, as an "Apache security" consultant may not know very much about the "SQL injection vulnerabilities". And looking at your entire site for all of it (instead of ONE security aspect) would take too much time, and not have a good Focus.

- - - - - - - - - - - - -
You ask about security for - "write permission to folders", without saying much of your problems. Anyway, I will say that for file access for client-user uploaded files, I never have these in web-accessed folders; I store these in folders below the HTTP access level, and then I use a PHP access point to retrieve all of the "User" files as -
you can then check many things (logged in, file exists, security, etc.) with user.php and then get the correct file (image, zip, pdf) to send to the browser. Although I may have misunderstood your problem. But as already stated, changing the write permissions seems like a secondary effort, maybe not addressing the primary problem.

As to SQL injection, please consider using the more recent and secure "MySQL Improved" php API. mysqli was added in PHP ver 5, and is Improved in several ways; most important to me is the "Support for Prepared Statements", which uses TWO different input channels to the MySQL functioning, one for the actual SQL instructions (SQL statement string) and another data transfer channel for the Data blocks to use in that statement.

There are advantages to using a cloud file service like "Amazon Cloud Drive", but also some disadvantages. I tried the "Amazon Cloud Drive" as a test, but I did not use it in production. In my case it was way too time consuming to redesign my site and all database tables and access methods for the Cloud Drive with sign-in and access requests, but maybe if you started with a "New Fresh" web site you would not have to re-write a lot of your code. But my concerns for the Cloud Drive were NOT security, so that may be good for you?
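An added example, not code from the post above or from any participant in this thread: a sketch of the kind of `user.php` access point the answer describes, combining a login check, a mysqli prepared-statement lookup, and delivery of a file stored outside the web root. The storage path, the `user_files` table and its columns, the session key, and the database credentials are all assumptions made for illustration.

```php
<?php
// user.php (added example). Paths, table and column names are assumptions.
declare(strict_types=1);
session_start();

// Assumed upload directory outside the document root (canonical, no symlinks).
const STORAGE_DIR = '/var/www/private_uploads';

if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// Accept only an integer file id; anything else is rejected before the query.
$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($fileId === null || $fileId === false) {
    http_response_code(400);
    exit('Bad file id');
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_ro', getenv('DB_PASS') ?: '', 'site');

// The SQL text and the data travel separately: the id is bound, never concatenated.
$stmt = $db->prepare(
    'SELECT stored_name, mime_type FROM user_files WHERE id = ? AND owner_id = ?'
);
$ownerId = (int) $_SESSION['user_id'];
$stmt->bind_param('ii', $fileId, $ownerId);
$stmt->execute();
$stmt->bind_result($storedName, $mimeType);
if (!$stmt->fetch()) {
    http_response_code(404);
    exit('Not found');
}
$stmt->close();

// Resolve the path and confirm it is still inside the storage directory.
$path = realpath(STORAGE_DIR . '/' . basename($storedName));
if ($path === false || strpos($path, STORAGE_DIR . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// mime_type is assumed to have been set server-side from an allow-list at upload.
header('Content-Type: ' . $mimeType);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

The database account used here is assumed to have SELECT rights only, so the access point cannot modify data even if another part of the application is compromised.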
LVL 51

Expert Comment

ID: 37828868
> ... then I use a PHP access point to retrieve all of the "User" files as ..
hmm, why the risk of a script for simple read-only access?
you don't need any script or program on any server for just delivering static content, that's a core web server functionality
KISS - keep it stupid secure :-)
