Network design for web hosting with security in mind

Hello there,

I've been having a lot of trouble with people who does not have anything useful to do with their time and go around disrupting other people's businesses by cowardly hacking and defacing small business websites.

It made me adopt a different position, trying to avoid as much as posible the invasions with the least cost/effort.

Most of the time, the issue was related to the fact that some weak security against sqlinjection and writable folders and files on the acoounts.

I only host websites that were designed with our framework, which has quite a few hands on the coding and might still have a few security holes. On top of that, I do not provide FTP access to the client, only me and my crew have access to the server. The panel is Plesk and no client has access to it, only me and a few guys from my crew.

Supposedly, I am in a very comfortable position, different from hosts that host applications done by third party, offer ftp access and panel access.

Based on that I am facing two issues:
1 - My network design must be rethought considering maximum security againg hackers and the sort.

2 - I need a complete audit on the actual websites to learn of possible holes that can be patched.

Lets explore issue 2 first.
I was thinking of publishing the website on a shared hosting account at any host and post a project either on elance or rent a coder or else to have other people find out the security issues so I can patch them.

What is your take on as how to proceed?

Regarding issue number 1, I was wondering if hosting all the website digital files (images mostly and files like pdf, doc, zip etc) on a separate server, maybe Amazon Cloud Drive and having no writable directories or files on the website itself would be a considerable move to prevent hackers from running scripts under the domain.
Aditionally, backups would be a breeze for me if content from hundreds of websites were stored under one single account.

On top of that I'd make sure my websites are completely sqlinjection free, if theres such a thing.

Id really appreciate someones view into that.

Thanks!

Eder
EderwainerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ahoffmannCommented:
first the network should be done by your ISP due to a proepr installed network firewall, while the system security is either your job or that of the ISP too depending on your type of contract
if this is done, your system (network ports, file permissions, etc.) is proper protected according common standards
then you only have your web application with vulnerabilities which may be exploited to gain access to your data, your system or missuse your system
this means that you have to ensure that your application is proper coded according doing a good input validation of all data, encoding all output according the destination system (HTML for output to the browser, proper escaping to avoid SQL injections when send to database, etc.) and, if appropriate, a good access control
most of this should be done by source code ananlyses or at least a source code review

If you're unsure where to start according threats, vulnerabilities and risks, I'd suggest to start with OWASP top 10
  https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
0
EderwainerAuthor Commented:
When you say my ISP you mean the datacenter where I have servers, in this case Godaddy.
I run dedicated servers with pre-installed OS and control panel for web hosting. However, datacenters usually offer lots of service and I have to pick what is best for me and design it accordingly, or pay top dollars for third party to do so, but I'm not there yet as my revenue is still short.

Most of the problems took place due to write permission to folders, so I thought If I end the write permission, even if they get to the database they wont be able to delete/replace/add files.

The distance also plays a big role on this, as backing up data locally takes ages due to all the network nodes the connection goes through. So I thought of hiring S3 service from Amazon and have all the digital files to be stored and retrieve from their servers, as amazon has servers in my country (Brazil)

Im putting my framework to test by posting a project at elance so coders and technicians can find holes for me, as it is quite large application.

Comments are much appreciated
0
ahoffmannCommented:
> Most of the problems took place due to write permission to folders, ..
hmm, setting more restrictive permissions is just a second line of defence, defence in depth, or name it ...
the problem is the code which writes, you need to identify and fix that code

when you you have no resources for paied services, then you simply can setup your own network firewall; as you use linux for your servers, iptables is on board and will protect yll unvanted access if configured proper (i.g. you only need port 80 and 443 open for incoming requests and anyting else closed)
0
The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

EderwainerAuthor Commented:
That is very clear to me now, so I'll focus on securing the application.
Do you happen to know any online service that can scan/navigate the framework, locate input fields and test it for vulnerabilities?

Thanks

Eder
0
ahoffmannCommented:
there're various online services, but the quality depends (no further comment:)
for tools start here:
https://www.owasp.org/index.php/Phoenix/Tools
http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Slick812Commented:
greetings  Ederwainer, , , Web host settings and server security is a very very LARGE subject, and has several very different parts (like "Linux security",  "Apache security", "php security", "mySQL security", "SQL injection vulnerability", "file upload vulnerability" and several others, along with those that have parts of several of these combined). My first suggestion would be for you to consider "Narrowing" your security questions down , by separating what you ask about, like ask two different questions about "file permission security" and  "SQL injection vulnerability", these two are (to me) widely different in their problems and solutions. Also by separating your security concerns in to different categories, you may be able to get better "Professional" help for your site's reviewers-consultants , , as an "Apache security" consultant, may not know very much about the "SQL injection vulnerabilities". And looking at your entire site for all of it (instead of ONE security aspect) would take too much time, and not have a good Focus.

- - - - - - - - - - - - -
You ask about security for - "write permission to folders", without saying much of your problems, Anyway, I will say that for file access for client-user uploaded file, I never have these in web-accessed folders, I store these in folders below the HTTP access level, and then I use a PHP access point to retrieve all of the "User" files as -
http://www.domain.com/user.php?log=123&file=fHj7Jk2Rz6Jl
you can then check many things (logged in, file exists, security, etc.) with user.php and then get the correct file (image, zip, pdf) to send to the browser . Although I may have misunderstood your problem. But as already stated, changing the write permissions seems like a secondary effort, maybe not addressing the primary problem.

AS to SQL injection, please consider using the more recent and secure "MySQL Improved" php API , , mysqli was added in PHP ver 5, and is Improved in several ways, most important to me is the "Support for Prepared Statements" which uses TWO different input channels to the MySQL functioning, one for the actual SQL instructions  (SQL statement string) and another data transfer channel for the Data blocks to use in that statement.


There are advantages to using a cloud file service like "Amazon Cloud Drive", but also some disavantages, I tried the "Amazon Cloud Drive" as a test, but I did not use it in production, In my case It was way too time consuming to to redesign my site and all database tables and access methods for the Cloud Drive with sign-in and access requests, but maybe if you started with a "New Fresh" web site you could not have to re-write alot of you code. But my concerns for the Cloud Drive was NOT security, so that may be good for you?
0
ahoffmannCommented:
> ... then I use a PHP access point to retrieve all of the "User" files as ..
hmm, why the risk of a script for simple read-only access?
you don't need any script or program on any server for just delivering static content, that's a core web server functionality
KISS - keep it stupid secure :-)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
MySQL Server

From novice to tech pro — start learning today.