Network design for web hosting with security in mind
Posted on 2012-04-09
I've been having a lot of trouble with people who do not have anything useful to do with their time and go around disrupting other people's businesses by cowardly hacking and defacing small business websites.
It made me adopt a different position, trying to avoid the invasions as much as possible with the least cost/effort.
Most of the time, the issue was related to weak security against SQL injection and to writable folders and files on the accounts.
I only host websites that were designed with our framework, which has had quite a few hands on the coding and might still have a few security holes. On top of that, I do not provide FTP access to the client; only me and my crew have access to the server. The panel is Plesk and no client has access to it, only me and a few guys from my crew.
Supposedly, I am in a very comfortable position, different from hosts that host applications done by third parties and offer FTP access and panel access.
Based on that I am facing two issues:
1 - My network design must be rethought considering maximum security against hackers and the sort.
2 - I need a complete audit on the actual websites to learn of possible holes that can be patched.
Let's explore issue 2 first.
I was thinking of publishing the website on a shared hosting account at any host and posting a project either on Elance or Rent A Coder or elsewhere to have other people find the security issues so I can patch them.
What is your take on how to proceed?
Regarding issue number 1, I was wondering if hosting all the website digital files (mostly images, and files like PDF, DOC, ZIP, etc.) on a separate server, maybe Amazon Cloud Drive, and having no writable directories or files on the website itself would be a considerable move to prevent hackers from running scripts under the domain.
Additionally, backups would be a breeze for me if content from hundreds of websites were stored under one single account.
On top of that I'd make sure my websites are completely SQL-injection free, if there's such a thing.
I'd really appreciate someone's view on that.
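The post's second concern is making the sites "completely SQL-injection free". The example below is added here and is not the poster's code or part of their framework; it uses an in-memory SQLite table with constructed sample rows to show the defect side by side with the fix. The only thing that makes a query injectable is building the SQL text out of user input; handing the value to the driver as a bound parameter removes the problem regardless of what the input contains. The `users` table, the sample rows and the `find_user_*` functions are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database: a tiny users table standing in for a hosted site's DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Defective pattern: the caller-supplied value is spliced into the SQL text,
    so a value containing quotes or operators changes the statement itself."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Hardened pattern: the value travels as a bound parameter. The statement is
    fixed at 'username = ?' and the driver never reinterprets the value as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def demo(username="' OR '1'='1"):
    """Run both lookups against the same input and return what each one leaks.
    The default input is the textbook tautology; with the vulnerable query it turns
    a lookup for one user into 'return every row'; with the safe query it simply
    matches no username, because no account is literally named that."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, username),
        "safe": find_user_safe(conn, username),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:10s} -> {result}")
```

Auditing a code base for this is mostly a search for string concatenation or formatting feeding an `execute()` call; every such site is converted to the bound-parameter form, and dynamic table or column names (which cannot be bound) are checked against an allow-list instead.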
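The post also asks whether removing every writable directory and file from the web root would stop attackers from dropping scripts under the domain. Whatever the final layout, the property has to be checked on disk rather than assumed, so here is an added example (not the poster's code, and not tied to Plesk or their framework) that walks a document root and lists everything the web server process could write to. It judges by mode bits, not `os.access()`, so it gives the same answer whether it is run as root or as an ordinary user. The sample tree it builds in a temporary directory, with its file names and modes, is constructed for the demonstration; `web_uid` and `web_gid` are assumptions for the account the web server runs as and may be left unset.

```python
import os
import shutil
import stat
import tempfile


def audit_webroot(root, web_uid=None, web_gid=None):
    """Return a sorted list of (relative_path, reason) for entries under root that the
    web server could write to. World-writable entries are always reported; group-writable
    ones when the group matches web_gid (or when web_gid is unknown); user-writable ones
    when the owner is web_uid. Symlinks are skipped: their mode bits are meaningless and
    their targets should be audited where they actually live."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            mode = st.st_mode
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif mode & stat.S_IWGRP and (web_gid is None or st.st_gid == web_gid):
                findings.append((rel, "group-writable"))
            elif web_uid is not None and st.st_uid == web_uid and mode & stat.S_IWUSR:
                findings.append((rel, "owned by web server user"))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample document root: two clean entries, one world-writable upload
    directory and one group-writable config file. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "css"))
    for rel in ("index.php", "config.php", "css/style.css"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    os.chmod(os.path.join(root, "uploads"), 0o777)    # the classic mistake
    os.chmod(os.path.join(root, "css"), 0o755)
    os.chmod(os.path.join(root, "index.php"), 0o644)
    os.chmod(os.path.join(root, "config.php"), 0o664)  # writable by the group
    os.chmod(os.path.join(root, "css", "style.css"), 0o644)
    return root


def cleanup(root):
    """Remove the sample tree created by build_sample_webroot()."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_webroot()
    try:
        for rel, reason in audit_webroot(sample):
            print(f"{reason:14s} {rel}")
    finally:
        cleanup(sample)
```

Run against a real document root with the web server's uid and gid filled in, a clean result is an empty list; anything reported is either a directory that should move to the separate file store the post proposes or a file whose mode needs tightening. Running it from cron and alerting on a non-empty result catches the permission drift that a one-off fix tends to lose within a few months.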