Once again I've been inspired by a stack overflow question, and it made me think about issues of a shared hosting platform. You know the ones; the "host your site for £2.99 a month" sites. There's nothing inherently wrong with it (I was using them for a long time until I decided I wanted my own server to play with, and still using one for a different project for the moment), but it brings its own risks. Some of those risks are to do with the infrastructure, others are with the people who are hosted on it.
From the infrastructure side of it, how do you know the following things:
- What version of which operating system is it running?
- When was the operating system last patched or updated?
- How often are patches and updates applied?
- Will you be notified about the maintenance time for these patches to be applied?
- How many others are hosted on the same platform?
- How much resource is on the platform, and what can I use?
And that's just the start.
Someone can spin up a cheap VPS (Virtual Private Server) for very little capital, say £5 a month. If they then sell on this resource, or part of it, for £2.99 a month, and get 10 people to pay that for the resource, that have a clear £25 a month profit, and you get rubbish hosting. For the record few hosts will be like this, but it's possible.
With the shared hosting, how do you know that I won't upload something dodgy to my hosting which allows me to access something on your section of the server? How do you even know whether the server will protect you from someone trying that on the platform? Lots of risk. For most it's worth it, and a reputable host will do everything they can to prevent this. However, if you've got the knowledge, inclination and are willing to put a little bit of effort in, you could get yourself that very same VPS, know exactly what resource is available to you, and know that you aren't sharing it with anyone. It's what I try to do! (actually, this site is on a dedicated server not a VPS, but that's not the point)
There's some things you'll need to consider first though:
- Firewall - is there a one provided with the service, or do you have to set one up yourself or even pay extra for it?
If it's something you need to do yourself, think hard about which ports you really need open, and close the rest (bad experiences!)
- Where possible, don't use 'root' to log in with.
If you have to use root (you really don't after the initial set up i.e. user creation) either make the password difficult to guess/remember (password managers!) or use an SSH key for authentication. Passwordless login, and more secure
- Only install software that you a) need and b) trust
Yes, that's like any computer.
- Set up regular backups
Again, like any machine/site
- Keep track of security updates for the operating system, and apply them when possible
Yup, like any other machine
There's loads of other things to consider, but just remember that a server is just like any other computer you own. It needs updating and looking after from time to time. It's quite fun to look after your own server and be able to configure things how you want them; and it's also a way of helping to protect yourself against the bad people out there who just want to ruin things for the rest of us. Just be careful whilst you're doing it. It's really not fun being locked out of your own server because you misconfigured a firewall, and even less fun having to check everything through on the server and set up a firewall once you've been blacklisted - it's a long road of required proof to get off those lists.
If security is a concern for you, or you've been bitten once or twice by rogue code on shared hosting, why not look into your own VPS or dedicated server? There would only be your code on there so you know where the blame would lie if anything went wrong, but also you've got far more control to limit access and tighten security to give yourself peace of mind.