Cyber Security: Securing Web Servers

Bob Morse

Cyber security is a vast and complicated subject. Security breaches, hacks, and identity theft stories abound. In spite of the best efforts of some of the brightest minds in technology, cyber insecurity is only going to get worse before it gets better. There are many reasons for this, but basically it comes down to these main points:

1. All systems have vulnerabilities that can be exploited.
2. Many organizations do not follow good security practices.
3. Everyone fails at following good security protocols, mainly because it's very hard to do.

Not much can be done about the first one. Software is written by humans and humans are fallible. Someday, software may be written only by other software using artificial intelligence. But that brings up a host of new issues.

Our lives are now suffused with many layers of software systems. Anyone with initiative can examine these systems and discover potential exploits. While organizations and individuals are devoted to finding errors and improving these systems, as they evolve, new errors are often introduced.

Given the inevitability of fallible coders and fallible software, our best protection against exploits is to be defensive. Unfortunately, here the fallibility factor rears its head again. We are not good at knowing about vulnerabilities and certainly not good at following basic rules that would help keep us safe.

I'll be discussing website and other security issues in subsequent posts. This article deals specifically with what we do to try to keep the web servers we use for our hosting services as secure as possible.

As web hosts we are constantly on the alert for new bugs and looking for better ways to make our systems safer. All our servers run the Linux, Apache, MySQL, PHP stack (known as LAMP). With this system there are basically three levels we look at to keep secure, starting with the operating system at the center (Linux). The next layer of software is managed by a company called Cpanel that manages the Apache server software, the MySQL database server and the PHP scripting language. Finally, we manage and configure the outer layer of defensive software, such as a firewall, which keeps bad actors from penetrating into the other two circles.

The layers of concern as a web host, from the Operating System at the center, to the layer of protective software on the outer ring of defense.

Linux Core

If you manage your own PCs you know updating the operating system can be time consuming and disruptive to your normal workflow. In order to make sure the Linux OS stays current and secure, we have deployed a system called KernelCare from CloudLinux. KernelCare automatically updates the system in the background and without having to reboot the server. I honestly do not know how they manage this, but I am grateful for the magic.

Cpanel

Moving to the next level, Cpanel is a large and complex layer that manages and organizes software and how all users interact with their hosting accounts. Updates are made on a regular basis and those include any needed updates to Apache, MySQL and PHP along with other enhancements to the Cpanel system generally.

We’ve also integrated the CloudLinux system here, which provides “hardened” versions of PHP. This means that normally vulnerable older versions of PHP can be used because the vulnerabilities have been patched by the CloudLinux folks. This allows us to host websites needing long abandoned versions of PHP without security risks, providing a great amount of flexibility for our hosting clients.

Cpanel also now provides free https access for all websites. Using the https protocol offers another layer of security for site owners, particularly when forms are submitted through the website.

Firewall and Other Protective Software

Finally, we have added an extra layer of protection that guards against bad actors attempting to penetrate the system.

Primarily, our firewall blocks anyone (identified by their IP address) who tries and fails to log in to a server, either through a customer’s control panel or through the command line directly to the heart of the server. Thereafter, that IP address is blocked from the server. Hundreds of IP addresses are blocked every day.
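The blocking rule described above, as an added example that is not part of the original post or the host's actual firewall: a small Python routine that reads constructed sshd-style auth log lines and flags any IP address with five or more failed logins inside a ten-minute sliding window (the threshold, window and log lines are assumed values, not taken from the host's configuration).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of sshd entries in /var/log/auth.log.
# These are made-up addresses from documentation ranges, not real server data.
SAMPLE_LOG = """\
Mar 10 02:14:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:04 host sshd[2101]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:06 host sshd[2101]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 02:14:08 host sshd[2101]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 02:15:00 host sshd[2190]: Failed password for bob from 198.51.100.4 port 40010 ssh2
Mar 10 02:20:00 host sshd[2210]: Accepted publickey for bob from 198.51.100.4 port 40011 ssh2
Mar 10 03:00:00 host sshd[2300]: Failed password for bob from 198.51.100.4 port 40012 ssh2
"""

# Only "Failed password" lines count; accepted logins and other noise are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port"
)


def parse_ts(ts, year=2024):
    """syslog timestamps carry no year; an assumed year keeps them comparable."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def ips_to_block(log_text, max_failures=5, window_seconds=600):
    """Return the set of IPs with >= max_failures failures inside any window_seconds span."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    blocked = set()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(when)
        # Slide the window forward: drop failures older than window_seconds.
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures:
            blocked.add(ip)
    return blocked
```

The sliding window matters: a legitimate user who mistypes a password twice, forty-five minutes apart, is not blocked, while a scripted guesser that fails five times in seven seconds is.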

Of course, this system is most effective when people use strong passwords, so that the scripts deployed to break in are unable to guess passwords before being blocked. I’ll have more about using passwords properly to aid in security in a later post.

Additional software includes another firewall layer called ModSecurity. Also, our mail scanners not only try to detect and block spam, but also viruses that could be included in attachments. These are pernicious and can take over end user computers and even infect entire servers.

Summary

As you can see, we work hard at making our systems as secure as possible with minimum disruption and inconvenience. This post offers an overview of the various layers at work and interacting. I've left out a great many details in order to keep the techno-speak to a minimum. Still, nothing is foolproof. We periodically run security audits to be sure our servers have no malicious software running and look for ways to further bolster potential weaknesses.

In future posts we will be discussing account level security and ways that you, as an end user, can avoid becoming a victim of an attack.

- Many thanks to Damon Hart and Jimmy Frasche for help completing this post.