I have some friends who are designing some webpages for some local political activists. They want to put these pages on a webserver which has extra heavy protection against hackers and other malicious intrusion …
While I realize that many webservers nowadays have normal levels of protection against these kinds of problems, still I am wondering if anyone who knows of some webservers which kinda specialize in offering top-flight service in terms of these types of protective measures and related things …
Here’s a friend from back home who’s setup a company just doing this sort of thing. Even if you didn’t go with him I’m suer he’d have some recommendations (if you call, be awareof the time different, -13 hours right now).
Don’t use Microsoft technologies, Hartzell. Unfortunately that would eliminate about 99% of all of Taiwan SW techies right there. There’s a handful of guys on Forumosa who could help your tech guys find the right hosting partner.
A couple of the guys I’m thinking of haven’t posted in this forum for awhile though…
Maybe there are hosting companies that can secure any administrative access via two-factor authentication like SecurID. I advocate the use of SecurID for any remote access. You’d be secure against everything except vulnerabilities in the web server.
At the lowest level, basic security in Apache web server is the responsibility of the web hosting service. Choose one that runs Linux or FreeBSD (which is about half the servers on the Internet, and they are also much cheaper than Windows servers). Servers running Sun Solaris or VMS are also very secure, but they cost more.
However, no matter how secure the server, web site designers often punch a big hole in security when they decide to use PHP, a programming language designed to give you “dynamic content”. Ditto for running Java apps on the site. There is nothing that web hosting companies can do to protect you if your site runs dynamic programming languages and is badly designed.
If you want real security, it’s best to be “boring”. That is, no PHP, Flash, Java, or even Javascript. Just plain old generic HTML and graphics, which for most people is all they really need. You only have to resort to the fancy programming languages when you get into stuff like online sales, automated response to messages, etc - this is what’s meant by “dynamic content”. Forumosa runs on phpBB, which unfortunately is also not secure.
It should also be mentioned that those users who will be uploading content to the site (probably using FTP) need to have secure passwords.
If the site is controversial, its probably better if its in another country anyway, harder to search, seize, or subpoena. IMHO there are lots of big cheap ISP’s in the USA that are plenty fast when accessed from Taiwan. I mean, Forumosa’s machine is in the USA isn’t it? Don’t go with the rock bottom cheapest though. I’ve heard good things about rackspace (the Texas one might be better than the UK one) . If its small scale they can use “shared hosting” but if its bigger they need “dedicated hosting”. They might need this anyway if they insist on a machine that is pared down in services rather than larded up with them like a “shared host” would be.
If they’re really that paranoid, the basic idea is: fewer services = fewer ports = fewer attack points. Though yes, DoS attacks are unavoidable. They could point their domain to send their mail to a yahoo account so they’re not even running mail on the machine. In theory they could get by with only ports 80 (http) and 23 (ssh) open.
DoS attacks take considerable resources, especially if the attacker intends to keep up the attack for any length of time. It’s not the sort of thing that rogue college kids do when they’re bored. The Russian mafia is the main culprit at this time, using DoS attacks to blackmail companies into paying up. Increasingly, many victims just weather the attacks, which eventually cease. You can also mirror the site, though that means you’ll have more than one domain name. For example, IBM.com could mirrored to IBM.com.tw.
[quote=“Toe Tag”]
If they’re really that paranoid, the basic idea is: fewer services = fewer ports = fewer attack points. Though yes, DoS attacks are unavoidable. They could point their domain to send their mail to a yahoo account so they’re not even running mail on the machine. In theory they could get by with only ports 80 (http) and 23 (ssh) open.[/quote]
Unless you’re running your own dedicated server, you won’t get to choose which ports are open and which are closed. Almost all web servers will have port 21 (ftp) open, but hopefully they will be running vsftpd (Very Secure FTP). That, however, will be beyond your control if you’re just a customer. As I mentioned in a previous post, server security is the responsibility of the hosting service.
Web masters need to be careful about offering dynamic content (ie php and Java) which offer convenient backdoors to hackers. As for DoS, I wouldn’t be too concerned, but if somebody does mount such an attack, there is little you can do about it except to have some mirrors for your site.
Oh don’t forget, try setting better passwords. Use at least 10 characters with a combination of numbers and letters. Please do not have it spell out a word, or someone’s address. Otherwise you’ll just get brute-forced.
