Thread: eUKHost Security Policies, etc
View Single Post
  #4 (permalink)  
Old 15-10-2009, 22:10
eUKhost.com's Avatar
eUKhost.com eUKhost.com is offline
Chief Marketing Officer
  
Join Date: Sep 2005
Posts: 5,922
Send a message via AIM to eUKhost.com Send a message via MSN to eUKhost.com Send a message via Skype™ to eUKhost.com
Default
Hi Artis,

Our System Administrators have full control of our Shared, Reseller and VPS Hosting Servers. There is no way we can restrict our access on our Shared Hosting Servers, Reseller Hosting Servers and VPS nodes. eUKhost is a reputed Web Hosting provider in the UK and We host at least 1 Million websites on our servers. Our staff recruitment procedure is highly complicated and only disciplined + honest staff members manage to make it through various aptitude, attitude and technical tests. New staff members always work with limited access for at least 1 year and all our System Administrators with full control of servers have served our organization for more than 2 years.

Some of our Dedicated Server customers have servers with us from last 3 - 4 years and they prefer to communicate only with their favorite staff members for any sort of technical problem. We have retained all these customers as well as staff members only because of proper internal as well as external policies.

Default Security Settings on Servers/VPS:-
We don't implement any sort of security settings on our servers without communicating with the customers. Those who host their custom applications or CMS would never like to see trouble with their applications if we install firewall and security softwares by default.

It is clearly mentioned on our website that we harden/secure servers only on demand. I will suggest you to recommend a Dedicated Server to your customer as we can guarantee 100% access restriction on a Dedicated Server. We will allow only your IP address to access the server and no one else would be able to connect to your server until and unless you whitelist their IP address from the server. We can sign a SLA / Contract with you or your customer which will mention all our access restriction policies and everything else you expect from us. Our Solicitor won't allow us to make any changes in the SLA or Privacy Policy, so there's nothing much we can do to change the information on our website.

Our Linux Server security solution / Server Hardening includes following tasks:-

Webserver security

* Installation of mod_security with our own custom ruleset. This module consists of many different rules.
* The ruleset that we use blocks dangerous attempts to hack the server. Add an additional rule or disabling one is possible for us whenever needed as it consists of many rules.
* Compiled PHP version 4, 5 or 6 as per the requirements of the client.
* Installation of mod_evasive to prevent DDoS Attacks.
* PHP Security (disabling few php functions which can be used for php backdoor:"exec,system,passthru,readfile,shell_exec ,escapeshellarg,escapeshellcmd,proc_close, proc_open,ini_alter,dl,popen,parse_ini_file, show_source,curl_exec")

Security Audit

* Installation of Rootkithunter and Configuring it to update and run itself on a daily basis - It will then send you a report if anything goes wrong.
* Repair or Re-installation of corrupt binaries.

SSH Security

* Installing and compiling the latest version of OpenSSL.
* Installing and compiling the latest version of OpenSSH and Configuring it with the latest version of OpenSSL.
* Disabling Root access and enabling key based access as per the client request.
* Changing default SSH port, disabling SSH1 protocol and enabling SSH 2 protocol.

Firewall configuration

* Installing CSF/APF firewall (latest version) and Configuring the firewall to accept only incoming/outgoing
connections on ports that are needed on a cPanel system.
* Disabling port 22 (default SSH port).
* Brute Force Detection setup and configuration with the firewall.
* Linux socket monitor setup - This will send you an alert whenever a new port is opened on the server.

Server Monitoring

* Installing System Integrity Monitor to monitor the following services
- Apache
- MySQL
- Email
- Server load
- SSH
- FTP
* The System will automatically try to fix any problems which may arise such as big log files that would automatically get recycled. If the system is not able to fix the problem itself it will send a notification to our support department.

Environmental security

* Mounting /tmp partition with noexec permissions so that no files on these partitions can be executed.
* Disabling compilers for all users but root.
* Sysctl.conf hardening to make it much harder to get attacked by syn floods.
* Open basedir protection setup.
* Installing chkrootkit and configuring it to send daily report to our support department.

Apache tweaking

* Installing Zend Optimizer.
* Tweak Apache configuration.
* Recompile Apache with commonly used Apache and PHP modules.

Securing Binaries

* Installing/updating Libsafe.

DNS recursion restriction
__________________
UK Web Hosting || Business Hosting || eUKhost Knowledgebase
Toll Free : 0808 262 0255 || Skype : mark_ducadi
A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
__________________________________________________

Please email cmo[at]eukhost.com if you have any questions or need my assistance
Reply With Quote