Network design for web hosting with security in mind

Posted on 2012-04-09
Last Modified: 2012-06-27
Hello there,

I've been having a lot of trouble with people who do not have anything useful to do with their time and go around disrupting other people's businesses by cowardly hacking and defacing small business websites.

It made me adopt a different position, trying to avoid as much as possible the invasions with the least cost/effort.

Most of the time, the issue was related to some weak security against SQL injection and writable folders and files on the accounts.

I only host websites that were designed with our framework, which has quite a few hands on the coding and might still have a few security holes. On top of that, I do not provide FTP access to the client, only me and my crew have access to the server. The panel is Plesk and no client has access to it, only me and a few guys from my crew.

Supposedly, I am in a very comfortable position, different from hosts that host applications done by third party, offer ftp access and panel access.

Based on that I am facing two issues:
1 - My network design must be rethought considering maximum security against hackers and the sort.

2 - I need a complete audit on the actual websites to learn of possible holes that can be patched.

Let's explore issue 2 first.
I was thinking of publishing the website on a shared hosting account at any host and post a project either on elance or rent a coder or else to have other people find out the security issues so I can patch them.

What is your take on how to proceed?

Regarding issue number 1, I was wondering if hosting all the website digital files (images mostly and files like pdf, doc, zip etc) on a separate server, maybe Amazon Cloud Drive, and having no writable directories or files on the website itself would be a considerable move to prevent hackers from running scripts under the domain.
Additionally, backups would be a breeze for me if content from hundreds of websites were stored under one single account.

On top of that I'd make sure my websites are completely SQL injection free, if there's such a thing.

I'd really appreciate someone's view into that.


Question by:Ederwainer

Expert Comment

ID: 37826361
first the network should be done by your ISP due to a properly installed network firewall, while the system security is either your job or that of the ISP too depending on your type of contract
if this is done, your system (network ports, file permissions, etc.) is properly protected according to common standards
then you only have your web application with vulnerabilities which may be exploited to gain access to your data, your system or misuse your system
this means that you have to ensure that your application is properly coded, doing good input validation of all data, encoding all output according to the destination system (HTML for output to the browser, proper escaping to avoid SQL injections when sent to the database, etc.) and, if appropriate, good access control
most of this should be done by source code analysis or at least a source code review

If you're unsure where to start regarding threats, vulnerabilities and risks, I'd suggest starting with the OWASP Top 10

Author Comment

ID: 37826955
When you say my ISP you mean the datacenter where I have servers, in this case GoDaddy.
I run dedicated servers with pre-installed OS and control panel for web hosting. However, datacenters usually offer lots of services and I have to pick what is best for me and design it accordingly, or pay top dollar for a third party to do so, but I'm not there yet as my revenue is still short.

Most of the problems took place due to write permission to folders, so I thought if I end the write permission, even if they get to the database they won't be able to delete/replace/add files.

The distance also plays a big role in this, as backing up data locally takes ages due to all the network nodes the connection goes through. So I thought of hiring the S3 service from Amazon and having all the digital files stored on and retrieved from their servers, as Amazon has servers in my country (Brazil).

I'm putting my framework to the test by posting a project at elance so coders and technicians can find holes for me, as it is quite a large application.

Comments are much appreciated

Expert Comment

ID: 37826966
> Most of the problems took place due to write permission to folders, ..
hmm, setting more restrictive permissions is just a second line of defence, defence in depth, or name it ...
the problem is the code which writes, you need to identify and fix that code

when you have no resources for paid services, then you can simply set up your own network firewall; as you use Linux for your servers, iptables is on board and will protect against all unwanted access if configured properly (e.g. you only need ports 80 and 443 open for incoming requests and anything else closed)

Author Comment

ID: 37826981
That is very clear to me now, so I'll focus on securing the application.
Do you happen to know any online service that can scan/navigate the framework, locate input fields and test it for vulnerabilities?



Accepted Solution

ahoffmann earned 300 total points
ID: 37827013
there're various online services, but the quality depends (no further comment:)
for tools start here:

Assisted Solution

Slick812 earned 200 total points
ID: 37828666
Greetings Ederwainer, web host settings and server security is a very, very LARGE subject, and has several very different parts (like "Linux security", "Apache security", "PHP security", "MySQL security", "SQL injection vulnerability", "file upload vulnerability" and several others, along with those that have parts of several of these combined). My first suggestion would be for you to consider "Narrowing" your security questions down, by separating what you ask about, like asking two different questions about "file permission security" and "SQL injection vulnerability"; these two are (to me) widely different in their problems and solutions. Also, by separating your security concerns into different categories, you may be able to get better "Professional" help for your site's reviewers-consultants, as an "Apache security" consultant may not know very much about the "SQL injection vulnerabilities". And looking at your entire site for all of it (instead of ONE security aspect) would take too much time, and not have a good Focus.

- - - - - - - - - - - - -
You ask about security for "write permission to folders", without saying much about your problems. Anyway, I will say that for file access for client-user uploaded files, I never have these in web-accessed folders, I store these in folders below the HTTP access level, and then I use a PHP access point to retrieve all of the "User" files as -
you can then check many things (logged in, file exists, security, etc.) with user.php and then get the correct file (image, zip, pdf) to send to the browser. Although I may have misunderstood your problem. But as already stated, changing the write permissions seems like a secondary effort, maybe not addressing the primary problem.

As to SQL injection, please consider using the more recent and secure "MySQL Improved" PHP API; mysqli was added in PHP ver 5, and is improved in several ways, most important to me is the "Support for Prepared Statements" which uses TWO different input channels to the MySQL functioning, one for the actual SQL instructions (SQL statement string) and another data transfer channel for the Data blocks to use in that statement.

There are advantages to using a cloud file service like "Amazon Cloud Drive", but also some disadvantages. I tried the "Amazon Cloud Drive" as a test, but I did not use it in production. In my case it was way too time consuming to redesign my site and all database tables and access methods for the Cloud Drive with sign-in and access requests, but maybe if you started with a "New Fresh" web site you would not have to re-write a lot of your code. But my concerns for the Cloud Drive were NOT security, so that may be good for you?
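
The two techniques described in the answer above (a PHP access point for files kept outside the web-accessible folders, and mysqli prepared statements), combined in one sketch. This is an added example, not the poster's code; the storage directory, the `user_files` table and its columns, the `user_id` session key and the database credentials are all assumed names.

```php
<?php
// user.php: added example. Hypothetical names: /srv/userfiles, the
// user_files table and its columns, the 'user_id' session key, DB credentials.
session_start();

const STORAGE_DIR = '/srv/userfiles';   // outside the document root

function fail(int $status): void {
    http_response_code($status);
    exit;
}

// 1. Only logged-in users may fetch files.
if (!isset($_SESSION['user_id'])) {
    fail(403);
}
$ownerId = (int) $_SESSION['user_id'];

// 2. Accept only a numeric id, never a path supplied by the client.
$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($fileId)) {
    fail(400);
}

// 3. Prepared statement: the SQL text and the values are sent separately,
//    so the values cannot alter the structure of the statement.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_ro', getenv('DB_PASS') ?: '', 'hosting');
$stmt = $db->prepare(
    'SELECT stored_name, mime_type FROM user_files WHERE id = ? AND owner_id = ?'
);
$stmt->bind_param('ii', $fileId, $ownerId);
$stmt->execute();
$stmt->bind_result($storedName, $mimeType);
if (!$stmt->fetch()) {
    fail(404);   // no such file, or it belongs to another user
}

// 4. Resolve the path and confirm it is still inside STORAGE_DIR.
$path = realpath(STORAGE_DIR . '/' . basename($storedName));
if ($path === false || strpos($path, STORAGE_DIR . '/') !== 0) {
    fail(404);
}

// 5. Type taken from the database, no content sniffing, forced download.
header('Content-Type: ' . $mimeType);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment');
readfile($path);
```

The ownership check lives in the query's `owner_id = ?` condition, so a user who guesses another file's id gets the same 404 as for a missing file.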

Expert Comment

ID: 37828868
> ... then I use a PHP access point to retrieve all of the "User" files as ..
hmm, why the risk of a script for simple read-only access?
you don't need any script or program on any server for just delivering static content, that's a core web server functionality
KISS - keep it stupid secure :-)

Question has a verified solution.
