Re: Security in a hosted facility

Date: Sat, 08 Jun 2002 08:43:44 -0400
From: Michele Jordan
To: Lists

Well, I work in that environment.

We do the system type security, upgrade software, apply patches, etc.,
etc. We monitor access to the server, and scan for blatantly *bad*
things that the customers might put on the server. (phpinfo and comes
to mind immediately). We use chroot'd ftp
environments to protect customers from each other. We don't allow
anonymous ftp access. We put the servers behind a firewall, and only
allow the necessary protocols through.

The customer is responsible for the security of his ftp password, any
programs to access databases he may implement, etc. If there is
something that is being exploited on the 'net, I will look and see if I
think we are vulnerable via a customer. I have gone in and disabled
scripts on customer sites before because they were insecure.

The squeeze is in offering services. If we offer php, we are inherently
insecure. If a customer wants to access his database from anywhere for
management, it opens it up to everyone else. And, I'm pushed between
management all the time to be "customer-friendly". We are in the
business to sell web hosting, and need to make sure that our customers
want to host at our site. Extremely tight security does not make for a
pleasant environment for the customers. We are implementing differing
security level hosting, for customers that care a bit more than the
others. But, if I drive all the customers away with my security
efforts, we go out of business.

So, it's a balance. I monitor logs, security lists, etc., and try to do my
best. I inform my customers they are in a shared environment, and hope
they *understand* what that means. Most won't, but most of our websites
are little mom/pop things, and won't be devastated if something happens
and we have to recover.


Lists wrote:

>I've been researching web defacement trends lately and realized that most (higher percentage) defacements appear to be performed on servers in a hosted facility (such as Interland, Iquest, OLM, Digex, etc.). Furthermore, as most of the sites appear to be related to small business, I assume they are on shared hosted boxes.
>Is there anyone on the list in the ISP/Hosting provider world that can answer who is responsible for security in this configuration?
>I realize that some hosting providers offer additional managed security services, but for those that don't and offer shared (multiple sites on 1 box) hosting, do they just secure the box and let their clients control their environment? Therefore leaving their customer in charge of their own security for their site?
>If indeed this is a bit of a gray area, are there any documented legal proceedings that have held the ISP liable for the lack of security on a hosted site?
>Thanks in advance for your assistance.