What's your secure setup like?

Artashes

Administrator
Staff member
Watching the WebHostingTalk.com hacking fiasco unfold, this unfortunate event for the industry got me thinking about what kind of secure setup should be in place for a site like ours.

Obviously how WHT secures itself is their business (and they have techs who work on that), but I am very interested in hearing what type of reasonable (from a cost effective standpoint) and secure setup you'd recommend for HostingDiscussion.
 
Honestly - a CDP Backup solution would be ideal. Having multiple CDP backups is even better. If you want to work something out with me, drop me a note and we'll throw some size numbers around etc.

Basically, a backup should be secure from the general public for sure. I can't believe that they allowed such a breach to affect their backups as well. Pretty amazing stuff.

With a CDP (Continuous Data Protection) setup you can back up every hour if you wanted and be able to restore a MySQL table, a single file in the file system, the entire site, or even do a bare metal restore on a NEW server in just minutes.

For our customers, we run our own backups every hour (stored for 24 hours), every day (stored for 7 days) and every week (stored for 4 weeks). So at any point a user can go back in time up to 4 weeks and restore a database table or file right from their control panel.

Windows, Linux - doesn't matter ;) www.r1soft.com is who we work with to purchase the software, but we do backup solutions for other hosting companies at a fraction of the price, depending on disk space usage etc.

Would be willing to trade disk space for a banner ;) hehe
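The hourly/daily/weekly rotation described in the post, worked out as an added example (not R1Soft's code or the poster's): given a set of snapshot timestamps, decide which ones the policy retains and look up the newest restore point at or before a requested time. Daily and weekly picks use calendar buckets (date, ISO week) so the retained snapshot stays fixed once its day or week is over; the 30-day hourly history is constructed sample data.

```python
from datetime import datetime, timedelta

# Retention scheme from the post: hourly kept 24 h, one per day kept 7 days,
# one per week kept 4 weeks. Calendar buckets keep the daily/weekly pick
# stable; relative "N days ago" buckets would churn and leave gaps.
HOURLY_WINDOW = timedelta(hours=24)
DAILY_WINDOW = timedelta(days=7)
WEEKLY_WINDOW = timedelta(weeks=4)


def _newest_per_bucket(snapshots, window, now, bucket_of):
    """Newest snapshot in each calendar bucket, among those younger than window."""
    newest = {}
    for ts in snapshots:
        if timedelta(0) <= now - ts < window:
            key = bucket_of(ts)
            if key not in newest or ts > newest[key]:
                newest[key] = ts
    return set(newest.values())


def snapshots_to_keep(snapshots, now):
    """Sorted list of snapshot timestamps the policy retains; prune the rest."""
    keep = {ts for ts in snapshots if timedelta(0) <= now - ts < HOURLY_WINDOW}
    keep |= _newest_per_bucket(snapshots, DAILY_WINDOW, now, lambda ts: ts.date())
    keep |= _newest_per_bucket(snapshots, WEEKLY_WINDOW, now,
                               lambda ts: ts.isocalendar()[:2])  # (year, week)
    return sorted(keep)


def restore_point(kept, target):
    """Newest retained snapshot at or before target (the 'go back in time'
    lookup a control panel would do), or None if nothing that old survives."""
    candidates = [ts for ts in kept if ts <= target]
    return max(candidates) if candidates else None


def demo_retention():
    """Constructed sample: one snapshot per hour for the last 30 days.
    Returns (total, retained, restore point for 2009-03-10 09:00)."""
    now = datetime(2009, 3, 30, 12, 0)
    history = [now - timedelta(hours=h) for h in range(30 * 24)]
    kept = snapshots_to_keep(history, now)
    point = restore_point(kept, datetime(2009, 3, 10, 9, 0))
    return len(history), len(kept), point.isoformat(sep=" ")


if __name__ == "__main__":
    print(demo_retention())  # (720, 33, '2009-03-08 23:00:00')
```

Of 720 hourly snapshots, 33 survive: 24 hourly, 6 extra end-of-day copies and 3 extra end-of-week copies; a request for 10 March resolves to the Sunday 8 March weekly snapshot because the 9 March hourlies were pruned.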
 
Apart from any backup software the servers provide, it would be advisable for customers to keep downloading backups regularly to their PCs, at least weekly.
 

Thanks for that Conor, I will surely consider. :)

At this time I am just panicking and trying to figure out what we can do to help prevent an event like that. If a thing like that happens, I don't care about the content really, as long as nobody steals/harms any of our members' private information (emails, passwords, PMs, etc). I don't want you hurting because of my irresponsibility.

As an actual solution, does HD have to be in its own dedicated space, or would a VPS do the same justice?
 
Well, at a minimum off-site backups should be considered. Even better are off-GRID/NET backups. We do backups here of our own site and store those backups on DVDs. Even for our own business computers with designs, graphics, contracts, emails and tax info, a copy is stored at my location (Nebraska) and a copy is stored at my business partner's location (California). This was also necessary in order to follow our business plan and life insurance, so that if one person did die, the other could continue to operate the business.

There are a number of FTP programs out there that can schedule backups for you. I believe CuteFTP has a setting where it will log into a folder and you can download "X" on a schedule. You could easily have the database dump to a file, then download that file via FTP on a regular basis.

Granted, data such as the emails etc. would be a concern, but if they're going to hack and take your data, and you've already secured things as best as could be done, then that's about all you can do. Have a backup on hand, contact the users so they know what's going on, and then move forward.

I think contact is a big concern. I haven't received anything from WHT to say that their site was compromised. I KNEW it was, because I couldn't get on, but if I hadn't been checking, would I ever have known? Communication is key in every business, and an online forum is a business, like it or not!

VPS and Dedicated Servers are pretty much the same when it comes to the security level. The only two things shared are the Kernel and the Memory for the most part.

As long as your security checks are in place, and you're making regular backups, that's about all that anyone can ask for.
 
(Linux) Some standard things should already be in place, running periodic audits and monitoring: chkrootkit, rkhunter, AIDE, LFD, etc.

Do a basic user password audit with a utility such as John every month to rule out the possibility of weak passwords (the recent LxLabs incident is a case in point).

I never rely on a single point, meaning just one production and no DRs. DRs can be set up in such a way that they are a read-only snapshot for when prod is either down due to HW failure or cracked.

As always, I am surprised to see a lot of VPSs running without a firewall at all.
 
I would have to say yes, the whole backup stage is a good way to be able to save information in case of a tragedy, but to me I would be more worried about the security of the system itself.

If you're going to host people's websites and whatnot and start your own hosting business, what you need to think about is that the one and only main priority is security.

If a hosting company were ever to get hacked just one time, it can affect its reputation throughout the world dramatically.

Even though you may be able to provide a backup to the client, I'm sure the client would be worried about what if this were ever to happen again.

I'm a certified CEH (Certified Ethical Hacker), and throughout the years of learning hacking methodology I have been able to protect systems and block out hackers because I know how they hack. I've been doing this for over 10 years of my life now.

If you're wanting a general public quote for HostingDiscussion, you could send me a message about what all you are wanting to do and I'd be more than happy to find you a company or service that best suits your likings.
 