  eUKhost's Official Web Hosting Forum > Technical Support > System Security

  #1 (permalink)  
Old 15-10-2009, 12:18
Member
 
Join Date: Jul 2009
Location: Bedfordshire, UK
Posts: 43
eUKHost Security Policies, etc

Hi guys

This is more a question for administrators, but I would be also interested how others have approached issues of data security / protection in web hosting.


I have looked at your Ts&Cs, SLAs, and service descriptions, but I am unable to find an answer to my question. I wanted to find out if you have any specific security policies in place for the provision of your services. As I understand from the documentation I have seen on your website, while you can provide assistance with securing the servers, provide firewalls, backups, monitoring, etc., it is ultimately the responsibility of your customer to ensure the security of their service and data. As an administrator of my system I am happy with this.

However, do you have any internal policies / safeguards in terms of physical access to the systems? Having access to hardware or virtual platform management tools potentially gives you root access to my system hosted with you. I recognise that this is a necessary evil for you to be able to manage your systems efficiently and help me if I lock myself out of the system, etc., but what controls do you exercise to prevent unauthorised access to customers' data internally? What information non-disclosure principles do you apply?

I'm asking this as I am currently putting together a proposal for a hosted application for one of my customers. They are a registered data controller and will be storing certain customer details on the system, some of which might be sensitive, and under Data Protection legislation they must ensure that this data is stored securely. At this point I need to understand what the overall security of the system is and where the weak points are. Ideally I would like to see some sort of Information Security Policy document?

Also it would be useful to understand if there are any differences in security procedures you offer between your dedicated servers and virtual platforms. On these forums there are messages by your administrators saying that all your servers follow the same hardening / protection procedures, but on the Live Chat I was advised that only a dedicated server would offer me the ultimate security? I'm sure you want to promote sales of dedicated servers, but is the difference really that marked in terms of security management? Is it really easier to bring down or compromise a VPS container than a pure HW system if both are configured to follow the same security protocols? Of course for the virtual system there are additional entry points, but if these are properly secured there should be little difference?
  #2 (permalink)  
Old 15-10-2009, 19:47
DPS Computing's Avatar
Premium Member
 
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 6,348

Just to briefly go over your points from a customer's point of view.

Firstly, I am only aware of eUK staff going into your account / server for maintenance or at your request. In any case, I don't expect that they will do anything (read, copy or otherwise) with any data that you have on the server (unless of course you request a backup!).

Secondly, I would advise that sensitive data be encrypted so that no third party (whoever they may be) can get hold of your sensitive data.
__________________
David Smith
DPS Computing
http://www.dpscomputing.com (Computing, Reviews, News) - New site launched September 2009!
http://www.djdavid.co.uk - New domain and site!
http://davidsmith.dpscomputing.com (My Personal Website) - New Site (10/2009)
  #3 (permalink)  
Old 15-10-2009, 20:22
Member
 
Join Date: Jul 2009
Location: Bedfordshire, UK
Posts: 43

Thanks for your input.

I'm quite aware of technologies that can be used to maximise the security of the data both in terms of transit and storage. The point though is that having physical access to the device and/or root access to the system can render some of these methods pretty useless? I have all the confidence that eUKHost staff would not tamper with the data or disclose it to third parties and would only access the system on my request; however, any serious IT business has a formal written policy in place explaining what the procedures are, how they are implemented and monitored, and what happens if there is a breach of these policies.
  #4 (permalink)  
Old 15-10-2009, 21:10
eUKhost.com's Avatar
Chief Marketing Officer
 
Join Date: Sep 2005
Posts: 5,641

Hi Artis,

Our System Administrators have full control of our Shared, Reseller and VPS Hosting Servers. There is no way we can restrict our access on our Shared Hosting Servers, Reseller Hosting Servers and VPS nodes. eUKhost is a reputed Web Hosting provider in the UK and we host at least 1 Million websites on our servers. Our staff recruitment procedure is highly complicated and only disciplined and honest staff members manage to make it through various aptitude, attitude and technical tests. New staff members always work with limited access for at least 1 year, and all our System Administrators with full control of servers have served our organization for more than 2 years.

Some of our Dedicated Server customers have had servers with us for the last 3 - 4 years and they prefer to communicate only with their favourite staff members for any sort of technical problem. We have retained all these customers as well as staff members only because of proper internal as well as external policies.

Default Security Settings on Servers/VPS:
We don't implement any sort of security settings on our servers without communicating with the customers. Those who host their custom applications or CMS would never like to see trouble with their applications if we installed a firewall and security software by default.

It is clearly mentioned on our website that we harden/secure servers only on demand. I would suggest you recommend a Dedicated Server to your customer, as we can guarantee 100% access restriction on a Dedicated Server. We will allow only your IP address to access the server and no one else would be able to connect to your server unless you whitelist their IP address on the server. We can sign an SLA / Contract with you or your customer which will mention all our access restriction policies and everything else you expect from us. Our Solicitor won't allow us to make any changes in the SLA or Privacy Policy, so there's nothing much we can do to change the information on our website.

Our Linux Server security solution / Server Hardening includes the following tasks:

Webserver security

* Installation of mod_security with our own custom ruleset. This module consists of many different rules.
* The ruleset that we use blocks dangerous attempts to hack the server. Adding an additional rule or disabling one is possible for us whenever needed, as it consists of many rules.
* Compiled PHP version 4, 5 or 6 as per the requirements of the client.
* Installation of mod_evasive to prevent DDoS attacks.
* PHP Security (disabling a few PHP functions which can be used for a PHP backdoor: exec, system, passthru, readfile, shell_exec, escapeshellarg, escapeshellcmd, proc_close, proc_open, ini_alter, dl, popen, parse_ini_file, show_source, curl_exec).

Security Audit

* Installation of Rootkit Hunter and configuring it to update and run itself on a daily basis. It will then send you a report if anything goes wrong.
* Repair or re-installation of corrupt binaries.

SSH Security

* Installing and compiling the latest version of OpenSSL.
* Installing and compiling the latest version of OpenSSH and configuring it with the latest version of OpenSSL.
* Disabling root access and enabling key-based access as per the client's request.
* Changing the default SSH port, disabling the SSH1 protocol and enabling the SSH2 protocol.

Firewall configuration

* Installing the CSF/APF firewall (latest version) and configuring the firewall to accept only incoming/outgoing connections on ports that are needed on a cPanel system.
* Disabling port 22 (default SSH port).
* Brute Force Detection setup and configuration with the firewall.
* Linux socket monitor setup. This will send you an alert whenever a new port is opened on the server.

Server Monitoring

* Installing System Integrity Monitor to monitor the following services:
- Apache
- MySQL
- Email
- Server load
- SSH
- FTP
* The system will automatically try to fix any problems which may arise, such as big log files that would automatically get recycled. If the system is not able to fix the problem itself it will send a notification to our support department.

Environmental security

* Mounting the /tmp partition with noexec permissions so that no files on this partition can be executed.
* Disabling compilers for all users but root.
* sysctl.conf hardening to make it much harder to get attacked by SYN floods.
* open_basedir protection setup.
* Installing chkrootkit and configuring it to send a daily report to our support department.

Apache tweaking

* Installing Zend Optimizer.
* Tweaking the Apache configuration.
* Recompiling Apache with commonly used Apache and PHP modules.

Securing Binaries

* Installing/updating Libsafe.

DNS recursion restriction.
__________________
UK Web Hosting || Business Hosting || eUKhost Knowledgebase
Toll Free : 0808 262 0255 || MSN : mark @ eukhost.com || AIM : eukmark
A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
__________________________________________________

Great Opportunity :: Join our Affiliate Program for FREE and earn 20% commission on each referral.
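The hardening list in the reply above can be checked mechanically. The script below is an added example, not eUKhost's own tooling or any code posted in this thread. It assumes the usual config file locations (/etc/ssh/sshd_config, php.ini, /proc/mounts, /etc/sysctl.conf) are readable, and it ships with constructed sample files (names and contents are made up for the demo) so it runs offline: an untouched box beside a hardened one.

```shell
#!/bin/sh
# Added example (not eUKhost's tooling): audit a box against the hardening
# items listed in the post. Each audit_* function reads a config file given
# as $1, prints one "FAIL: ..." line per finding and returns 0 only if clean.
# File names and the sample contents at the bottom are constructed.

# Effective value of one sshd_config keyword (first match wins, as in sshd).
sshd_value() {  # $1=sshd_config  $2=keyword (case-insensitive)
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

audit_sshd() {
    f=$1; rc=0
    [ "$(sshd_value "$f" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin should be no"; rc=1; }
    [ "$(sshd_value "$f" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication should be no (key-based access only)"; rc=1; }
    # 'Protocol' existed on OpenSSH of the post's era; current releases dropped SSH1.
    [ "$(sshd_value "$f" Protocol)" = "2" ] ||
        { echo "FAIL: Protocol should be 2 (SSH1 disabled)"; rc=1; }
    p=$(sshd_value "$f" Port)
    [ -n "$p" ] && [ "$p" != "22" ] ||
        { echo "FAIL: Port should be moved off the default 22"; rc=1; }
    return $rc
}

# The functions the post lists under "PHP Security".
PHP_DISABLE="exec system passthru readfile shell_exec escapeshellarg escapeshellcmd \
proc_close proc_open ini_alter dl popen parse_ini_file show_source curl_exec"

audit_php() {  # $1=php.ini
    rc=0
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr -d ' ' | tr ',' '\n')
    for fn in $PHP_DISABLE; do
        echo "$disabled" | grep -qx "$fn" ||
            { echo "FAIL: PHP function $fn is not in disable_functions"; rc=1; }
    done
    return $rc
}

audit_tmp_mount() {  # $1=file in /proc/mounts format
    rc=0
    opts=$(awk '$2 == "/tmp" { print $4; exit }' "$1")
    [ -n "$opts" ] || { echo "FAIL: /tmp is not a separate mount"; return 1; }
    for o in noexec nosuid; do
        echo "$opts" | tr ',' '\n' | grep -qx "$o" ||
            { echo "FAIL: /tmp is mounted without $o"; rc=1; }
    done
    return $rc
}

audit_sysctl() {  # $1=sysctl.conf
    v=$(awk -F= '$1 ~ /^[[:space:]]*net\.ipv4\.tcp_syncookies[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1")
    [ "$v" = "1" ] && return 0
    echo "FAIL: net.ipv4.tcp_syncookies should be 1 (SYN flood protection)"; return 1
}

# Run all four checks on one set of files; returns the number of failed checks.
audit_all() {  # $1=sshd_config $2=php.ini $3=mounts $4=sysctl.conf
    n=0
    audit_sshd "$1"      || n=$((n + 1))
    audit_php "$2"       || n=$((n + 1))
    audit_tmp_mount "$3" || n=$((n + 1))
    audit_sysctl "$4"    || n=$((n + 1))
    return $n
}

# ---- constructed samples: an untouched box beside a hardened one ----
D=${TMPDIR:-/tmp}/hardening-audit.$$; mkdir -p "$D"
printf '%s\n' 'Port 22' 'Protocol 2,1' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' > "$D/sshd_weak"
printf '%s\n' 'Port 2222' 'Protocol 2' 'PermitRootLogin no' \
    'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$D/sshd_hard"
printf '%s\n' 'disable_functions =' > "$D/php_weak"
printf 'disable_functions = %s\n' "$(echo $PHP_DISABLE | tr ' ' ',')" > "$D/php_hard"
printf '%s\n' '/dev/sda1 / ext3 rw,errors=remount-ro 0 0' > "$D/mounts_weak"
printf '%s\n' '/dev/sda1 / ext3 rw,errors=remount-ro 0 0' \
    '/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0' > "$D/mounts_hard"
printf '%s\n' 'net.ipv4.tcp_syncookies = 0' > "$D/sysctl_weak"
printf '%s\n' 'net.ipv4.tcp_syncookies = 1' > "$D/sysctl_hard"

echo "== untouched sample =="
audit_all "$D/sshd_weak" "$D/php_weak" "$D/mounts_weak" "$D/sysctl_weak" ||
    echo "$? of 4 checks failed"
echo "== hardened sample =="
audit_all "$D/sshd_hard" "$D/php_hard" "$D/mounts_hard" "$D/sysctl_hard" &&
    echo "all checks passed"
```

Two caveats a practitioner should keep in mind. The checks read configuration, not running state: an sshd_config edited but never reloaded passes here while the old daemon still answers on port 22 with root logins allowed, so pair the config audit with a port scan from outside. And the disable_functions list is exactly the one from the post; readfile, parse_ini_file and show_source are used legitimately by plenty of CMS code, which is the reason the reply gives for hardening only on demand rather than by default.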
  #5 (permalink)  
Old 15-10-2009, 21:56
Member
 
Join Date: Jul 2009
Location: Bedfordshire, UK
Posts: 43

Many thanks for the reply. This does answer most of my concerns and will help me with my recommendation to my customer (the first couple of paragraphs were what I was really looking for).

I have been with your company for a few years now and have not had any issues in terms of data security (apart from it being too strict on my first shared account, but you even sorted that out), and all this insistent probing was just so that I can get a bit more information about your formal procedures and satisfy my customer that my technology provider can offer them a solution that will fit their needs.
  #6 (permalink)  
Old 15-10-2009, 22:02
eUKhost.com's Avatar
Chief Marketing Officer
 
Join Date: Sep 2005
Posts: 5,641

You are welcome, Artis.

We have absolutely no problem signing a Contract with you which will mention all the security-related questions you have asked.

Tags
data protection, non-disclosure, security, security policy

