How to Get Secure Web Hosting

When looking for a hosting solution for an Internet project, the focus is unfortunately too often only on features such as storage space, the number of possible databases and the usable programming languages.
If you then decide based on the lowest price among the remaining candidates, most of the security of the hosting falls by the wayside. But what good is the supposedly fastest and most feature-rich hosting if it is not reachable, if the data is suddenly lost or if, in the worst case, a dubious website is delivered in its place (a defacement), ruining your own "good reputation"?

We want to share our experiences and ways to build secure hosting without spending huge sums of money.

The different levels of security in hosting

Security in hosting can be divided into 4 levels.
Security level 1
This is about the security of the data center where the hosting server is located. Admittedly, you have no influence on the security of the building, the fail-safe power supply and the obligatory air conditioning, but you can certainly do a lot right by choosing a provider that offers the corresponding safeguards. In case of doubt, the experience of other customers helps you find a provider with a good reputation.
Security level 2
Again, this is an area where you have no influence: the network in the data center. Here, the provider is required to use redundant devices (switches, routers, etc.) and a firewall. As before, you have to trust the hoster and, in case of doubt, rely on reviews.
Security level 3
This level is about the server itself: software updates, backups and monitoring of the important functions of the server. On the one hand, it is important to select hardware that matches the project and its requirements; on the other hand, the system should be redundant at the most important points (power supply, hard disk, network).
Security level 4
The project itself: all the functions offered by the Internet project should be secure. This can be ensured through security audits, but they are usually quite complex and therefore expensive. It is better to rely on the experience of the developers during implementation. So you should not necessarily entrust a junior developer with this task.

Conclusion
With a good choice of data center and its network, you can check off two security levels yourself. The security of levels 3 and 4 is in your own hands. In the following, however, only level 3 is considered more closely, since security level 4 does not necessarily allow a general approach.

Hardware Selection: The Security of Hosting

Hosting solutions come in different forms. The most commonly used is "shared hosting".
The influence you have over the security options of shared hosting is minimal, if such options exist at all.
Most options are available with a dedicated server. Cloud servers and vServers can at least still be secured well at the operating system level.
With cloud servers, however, the possibilities are limited again.
But there are also similarities: aspects of security that apply to all hosting variants.
These include regular backups, because they are the best way to prevent data loss or the total loss of the hosting.

The minimum of security - backup and restore

Creating regular backups definitely makes sense. Important files and directories should be backed up and, if you use them, you must not forget the databases!
But it must not stop at merely creating the backup, because what is the use of the best backup if it is not stored on an external disk and is lost together with the system hard drive when that drive dies?
The most widely used and easiest way to get a backup onto an external disk is to transfer it via FTP.
Providers often offer FTP backup storage, which can be used for little money.
There are many free tools that can create a backup and transfer it via FTP. Most rely on incremental backups. That means only what has changed is backed up. This saves a lot of storage space. But this saving has a catch at the moment you have to restore the backup.
A restore can take several hours or, as we have already experienced, even days. In our view, that is not a solution. After all, you want to be back online quickly in the event of a crash.
In most cases, the backup tools that make incremental backups can be configured so that they do not. That means you have a full backup.
In the best case, you have a single file that can be retrieved via FTP onto the target system and unpacked. This can usually be done in a manageable time, and you have a working server again.
If you now automate the creation of the backup and its transfer via FTP, a large part of the security is guaranteed.
You have to decide for yourself how often backups are made and how long they are kept. Our recommendation is to keep the backups for at least 7 days.
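
A full-backup routine along these lines, as an added Python example that is not code from the original article: it packs all sources into one archive, reads it back, uploads it and applies the 7-day retention. It assumes the provider's backup storage accepts explicit FTPS (plain FTP sends the login in cleartext) and that database dumps were already written to files by the database's own dump tool; the archive naming scheme `full-YYYYmmdd-HHMMSS.tar.gz` is hypothetical.

```python
import calendar
import ftplib
import re
import tarfile
import time
from pathlib import Path

RETENTION_DAYS = 7  # minimum retention recommended in the article
NAME_RE = re.compile(r"^full-(\d{8}-\d{6})\.tar\.gz$")  # hypothetical naming scheme


def create_full_backup(sources, dest_dir, now=None):
    """Pack every source (site directories, database dump files) into ONE archive."""
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
    archive = Path(dest_dir) / f"full-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for src in sources:
            tar.add(src, arcname=Path(src).name)
    return archive


def verify_backup(archive):
    """Read the archive back completely; returns the member names it contains."""
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers())


def expired(names, now, keep_days=RETENTION_DAYS):
    """Names of our own archives whose timestamp is older than the retention window."""
    cutoff = now - keep_days * 86400
    old = []
    for name in names:
        m = NAME_RE.match(name)
        if m and calendar.timegm(time.strptime(m.group(1), "%Y%m%d-%H%M%S")) < cutoff:
            old.append(name)
    return sorted(old)


def upload_and_prune(archive, host, user, password):
    """Upload over explicit FTPS, then delete remote archives past retention."""
    with ftplib.FTP_TLS(host) as ftp:
        ftp.login(user, password)
        ftp.prot_p()  # encrypt the data channel as well as the login
        with open(archive, "rb") as fh:
            ftp.storbinary(f"STOR {Path(archive).name}", fh)
        for name in expired(ftp.nlst(), time.time()):
            ftp.delete(name)
```

Only files matching the archive pattern are ever deleted, so other content on the backup storage is left alone.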

Of course, backups are just as important and just as possible with shared hosting. Sometimes the providers themselves offer functions to create backups and move them to external storage.
If you do not have this option, you have to make do with your own solutions. You can create the backups yourself by copying the data to your local machine with an FTP client, or by writing a small shell script that does this task automatically.

System updates

Regular updates of the operating system and of the software installed on the server are also important for the security of the server.
For almost every operating system there are mailing lists to which you can subscribe in order to receive notifications when updates and patches for the operating system are available.
With shared hosting you are again dependent on the provider, because only the provider can install updates. In general, the providers do so, but you should pay attention to how often this happens and on which days and at which times the updates are performed. It is nice to have an up-to-date system, but you should not pay for it with frequent and prolonged outages due to maintenance.

Redundancy through RAID disks

The hard drives of a server are usually its most stressed components. In addition to a high access speed and data rate of the hard disks, you should make sure that a RAID array is present. There are several different types of RAID: some, such as RAID0, are tuned for speed, and others, such as RAID1, are optimized for redundancy. There are also mixed modes that combine redundancy and speed, which however require more than 2 hard disks in the server.
In our view, RAID1 is the one to choose, provided that the server only has 2 hard disks.
Whether it is software or hardware RAID is rather secondary. Of course, hardware RAID has the disadvantage that the RAID controller can break down, in which case the redundancy of the hard disks is worthless.
Of course, if you have a redundant RAID in the server, you have to make sure that you are also notified in case of a problem so that you can take action.
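
One way to get that notification for Linux software RAID, as an added example rather than code from the article: parse the `/proc/mdstat` status text and build a mail that names the degraded array and the failed disk. The sample text, host name and mail addresses are constructed assumptions.

```python
import re
from email.message import EmailMessage

# Constructed sample in /proc/mdstat layout: md0 healthy, md1 lost member sdb2.
SAMPLE_MDSTAT = """\
Personalities : [raid1]
md0 : active raid1 sdb1[1] sda1[0]
      524224 blocks super 1.2 [2/2] [UU]

md1 : active raid1 sdb2[1](F) sda2[0]
      976105472 blocks super 1.2 [2/1] [U_]

unused devices: <none>
"""


def degraded_arrays(mdstat_text):
    """Map each degraded md array to its member counts and faulty devices."""
    found, name, faulty = {}, None, []
    for line in mdstat_text.splitlines():
        head = re.match(r"(md\d+) : (.*)", line)
        if head:  # array header line; members marked (F) have failed
            name = head.group(1)
            faulty = re.findall(r"(\w+)\[\d+\]\(F\)", head.group(2))
            continue
        state = re.search(r"\[(\d+)/(\d+)\] \[([U_]+)\]", line)
        if name and state and "_" in state.group(3):  # '_' marks a missing member
            found[name] = {"expected": int(state.group(1)),
                           "active": int(state.group(2)), "faulty": faulty}
    return found


def build_alert(host, degraded, sender="raid@example.org", rcpt="admin@example.org"):
    """Return a mail for the administrator, or None when every array is healthy."""
    if not degraded:
        return None
    msg = EmailMessage()
    msg["Subject"] = f"RAID degraded on {host}: {', '.join(sorted(degraded))}"
    msg["From"], msg["To"] = sender, rcpt
    msg.set_content("\n".join(
        f"{a}: {d['active']}/{d['expected']} members active, faulty: "
        f"{', '.join(d['faulty']) or 'unknown'}" for a, d in sorted(degraded.items())))
    return msg


if __name__ == "__main__":
    # On a real server, read /proc/mdstat from cron and send the mail via smtplib.
    print(build_alert("web1", degraded_arrays(SAMPLE_MDSTAT)))
```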

Hosting monitoring around the clock

Even with a current operating system and redundant server hardware, the service offered can fail. The reasons can be manifold, but in any case it is important to know that a service has failed, preferably before your own customers notify you.
This can be handled by a monitoring service that watches services, devices or connections 24/7 and sends out an email or SMS if one of them fails. For monitoring, you can rely on locally installed software such as Cacti or Munin, or you can use external providers, which are easy to find on Google under the term "monitoring service".
The use of such a flexible solution is of course only possible on dedicated servers, vServers or cloud servers. For all other hosting solutions you need the help of the provider. Hosting providers often offer their own monitoring solutions as well.

Hosting support and availability

Support plays an important role in hosting, also when it comes to security.
Even if the provider advertises 99.99% availability of the hosting, it is very important to have a contact person in the data center in case of emergency.
What use is monitoring that has detected and reported the failure of a hard drive, for example, if no one is there who can swap the disk and re-integrate it into the server?
This service, i.e. good support from the provider, cannot be taken for granted. This is where an SLA (Service Level Agreement) helps, which the provider either offers itself or which you negotiate with the provider. It regulates which services must be provided within what times and how high the costs are.
Hosting providers often advertise an availability figure. Usual figures are 99% or 99.99%. The difference seems marginal, but seen over a year, and that is what the figures refer to, the 0.99 percent is just over 3 days of acceptable downtime.
Whether you can live with that is something everyone has to decide for themselves. On the other hand, 100% availability can hardly be achieved, because the hosting provider also depends on external influences.
Cloud hosting is often described as 100 percent fail-safe. If you consider that several servers are combined into a network, a so-called cluster, this is theoretically possible. If one server of the cluster fails, all services still work. However, a network defect can paralyze this system as well.

System security

By choosing the best possible hosting solution, you lay the foundation for security.
If the hosting provider secures its internal network with a core firewall, DoS attacks and similar attacks on the hosting are likely to be fended off. A paralysis of the server's services is therefore unlikely.
However, this firewall does not stop targeted attacks on the server's services. Here it is up to you to secure the server itself.
For example, a port scan from the outside can already indicate that you will be attacked, either immediately or much later. If the attacker knows which services are running on the server, he will look for vulnerabilities in these services. Often these are known vulnerabilities that can largely be closed by system updates. Unknown vulnerabilities are more difficult to defend against, and the trying out of access credentials (brute force) against the services also has to be prevented by other means.
This is where an IDS (Intrusion Detection System) helps. It searches for patterns left by potential attackers and informs the administrator of the server.
An IPS (Intrusion Prevention System), which detects attacks such as brute-force attacks, goes further and blocks the attacker directly so that he cannot cause any damage. There are many helpful tools on the topic, and there are also external services that can help you identify such attacks and respond accordingly.
The Cloud-IPS, for example, is such a service. It detects attack patterns and blocks the uninvited guests. But the Cloud-IPS goes one step further.
It collects information about attacks on all connected systems. The Cloud-IPS can then decide whether other connected servers should be protected preventively. There are often recognizable attack patterns: if, for example, servers located in Germany are increasingly attacked from Asia over several hours, the cloud can decide to protect all servers in Germany from the IP network in question.
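
The detect-then-share idea described above, as an added Python example that is not the Cloud-IPS service's own code: each server flags sources of repeated failed SSH logins, and a shared step blocks a whole network once several servers report it. It generalizes the geographic example in the text to a plain network-level rule; the thresholds, the /24 grouping and the log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# Constructed sample: two servers are hit from the same /24, a third IP fails once.
SAMPLE = (
    [f"Aug 30 03:12:{s:02d} web1 sshd[811]: Failed password for root "
     f"from 203.0.113.7 port 40022 ssh2" for s in range(0, 12, 2)]
    + [f"Aug 30 03:15:{s:02d} web2 sshd[902]: Failed password for invalid user admin "
       f"from 203.0.113.99 port 51000 ssh2" for s in range(5)]
    + ["Aug 30 03:20:00 web1 sshd[811]: Failed password for alice "
       "from 198.51.100.4 port 50210 ssh2"]
)


def brute_force_sources(lines, threshold=5, window_s=60, year=2018):
    """Per-server step: IPs with >= threshold failed logins inside window_s seconds."""
    recent, offenders = defaultdict(deque), defaultdict(set)
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is assumed
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").timestamp()
        host, ip = m.group(2), m.group(3)
        q = recent[(host, ip)]
        q.append(ts)
        while ts - q[0] > window_s:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            offenders[host].add(ip)
    return offenders


def shared_blocklist(offenders, min_servers=2, prefix=24):
    """Shared step: block a network once min_servers different servers report it."""
    seen = defaultdict(set)
    for host, ips in offenders.items():
        for ip in ips:
            try:
                net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            except ValueError:  # malformed address in a log line
                continue
            seen[net].add(host)
    return sorted(str(n) for n, hosts in seen.items() if len(hosts) >= min_servers)
```

A single failed login, like the one from 198.51.100.4 in the sample, stays below the threshold and is never reported to the shared step.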

Conclusion: Safety is feasible

With the knowledge presented here, you should be able to select a suitable hosting solution for your project. If you also pay attention to the security aspects mentioned, to data protection and to security when setting up the hosting, chances are good that you will operate reliable and secure hosting.

Last update: 2018-08-30