This document describes some of the security systems and practices we have in place and use daily to help ensure the security of our systems and our clients’ information.
The details here are not meant to be exhaustive and are deliberately not overly detailed, but should help to give some perspective on the extensive measures we take to secure our systems.
Because of our use of custom installs and settings and the security background of our key system architects, in many ways we offer one of the most secure web hosting environments available, but always with the caveat that even the best system in the world won’t prevent a security breach caused by a bad application or out-of-date code with security vulnerabilities.
As such, despite all our attempts, clients should still be aware of their own responsibility to secure their own web sites and systems.
All software used should be regularly updated with the latest security fixes and patches and web sites should be maintained by skilled personnel who understand Internet security and can develop code to the appropriate standard.
Shared Hosting Systems
Our general shared hosting systems (i.e. those used to provide One Plan hosting) that are currently being loaded with new clients are secured in the following manner:
- Data centre managed edge firewalls and IDS (Intrusion Detection Systems)
- Local system firewalls on each server managed by Ecological Hosting
- Custom installation of the operating system in house to our own exacting standards
- Servers only run the minimum required services for the given purpose and management (e.g. database servers have no web services installed – they are pure database only systems)
- Management related services are locked out to specific IP addresses or otherwise protected using firewalls and similar measures to prevent unauthorised outside access
- File system level security: our default FTP permissions and the server setup are such that all Unix level world readable permissions can be off and web services will still function – this helps prevent users on the same shared system from accessing another user’s files directly via the filesystem
- Use of Red Hat Enterprise Linux on all shared hosting web servers, with SELinux mandatory security policies enabled and enforcing – this helps prevent system applications (such as the web service) operating in parts of the disk they should not be accessing
- The most dangerous PHP functions are disabled and PHP is limited to certain directories to prevent access to critical server files via scripts
- Suhosin Hardened PHP is used to further enhance PHP security
- PHP script operations are also limited by owner, user ID and location
- Enforced strong FTP passwords are created for all clients – this is not negotiable and FTP passwords can only be changed by Ecological Hosting to another equally cryptic and complex password – enforcing FTP passwords like this prevents clients selecting easily cracked passwords which could lead to compromise of the system via access to their web space
- Dedicated database servers remove the need for web servers to run database services – dedicated database management servers also move the scripts most commonly targeted by hackers away from the core hosting environment and away from the actual database servers
- Pro-active monitoring of servers: persistent bad behaviour from any given IP address will result in a permanent block on our firewalls
- Our main system and network architects have extensive security experience, including several years working on systems and Internet security for one of the main four high street banks and running data centre operations for large blue chip clients
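A client can check two of the measures above from their own side: that nothing in their web space is world accessible, and that a PHP configuration disables risky functions and sets open_basedir. The script below is an added example, not Ecological Hosting's own tooling; the function names, the sample data and the list of risky PHP functions are assumptions, since the host's actual list is not given here.

```bash
#!/usr/bin/env bash
# Assumed list of risky PHP functions; the host's actual list is not published.
RISKY_FUNCS="exec system shell_exec passthru proc_open popen"

# Print every file or directory under $1 that grants any permission to "other".
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Remove all "other" permission bits under $1 (owner and group bits unchanged).
strip_world() {
    chmod -R o-rwx "$1"
}

# Print the risky functions NOT listed in disable_functions of php.ini file $1.
missing_disabled() {
    local disabled f
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d ' "')
    for f in $RISKY_FUNCS; do
        case ",$disabled," in
            *",$f,"*) ;;
            *) echo "$f" ;;
        esac
    done
}

# Succeed only if open_basedir has a non-empty value in php.ini file $1.
has_open_basedir() {
    grep -Eq '^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*[^[:space:];]' "$1"
}

# Constructed sample: a temporary web root and php.ini, audited before and after.
demo() {
    local d; d=$(mktemp -d)
    mkdir "$d/site" && echo '<?php' > "$d/site/index.php"
    chmod 755 "$d/site"; chmod 644 "$d/site/index.php"
    printf 'disable_functions = exec, system\nopen_basedir =\n' > "$d/php.ini"
    echo "world-accessible before: $(world_accessible "$d/site" | wc -l)"
    strip_world "$d/site"
    echo "world-accessible after:  $(world_accessible "$d/site" | wc -l)"
    echo "not disabled: $(missing_disabled "$d/php.ini" | tr '\n' ' ')"
    has_open_basedir "$d/php.ini" || echo "open_basedir is not set"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument demo to audit the constructed sample, or call the functions against a real web root and php.ini.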
Linux vserver Systems
These are inherently very secure in respect of separation from other vserver users on the same host system. The security is provided at the kernel level and uses special file contexts to maintain complete separation of processes and environment.
We load our Linux vserver host machines lightly, with around 10 Linux vservers, carefully making sure the RAM provision can cope with the theoretical maximum load at any given moment.
Because vservers are totally configurable by the client and the client has full root access, the security of the Linux vserver itself (the system the client accesses) is, to a large extent, down to the client and the settings they are using.
We deliver vservers with initial settings to match the highest security we know how to provide given the client’s individual requirements.
As with Linux vservers, dedicated servers are fully configurable by the client.
Again, we will deliver a secure server or install to the client’s specification. If the client requests or changes settings that lower security, this is their prerogative, but because the system is dedicated, the single client should be the only one suffering any breach of security.
Anything that starts to affect other users on our networks (e.g. bandwidth saturation) will cause the given dedicated server creating the issue to be powered off or have other sanctions raised against it to ensure service reliability for all our clients.