This week, ServInt was one of a dozen hosts to send a letter to the Senate Judiciary Committee to support updating the Electronic Communications Privacy Act, along with the i2Coalition which coordinated the hosting industry’s participation.
The government needs a warrant based on probable cause to search our mail or the documents in our homes. It’s one of our most fundamental rights, guaranteed in the 4th Amendment of the Bill of Rights. But because of this outdated law — the ECPA — which passed in 1986 before the commercial Internet even existed, law enforcement only need a subpoena (issued without a judge’s approval) to read emails that have been opened or are more than 180 days old. Under the ECPA, communications stored on a server over 180 days are said to be abandoned. This rationale has allowed the government to demand access to older electronic communications without a warrant issued by a judge.
That’s right… the government says it doesn’t need a warrant to search through your old email.
This year, Congress is finally considering updating ECPA. ServInt plans to directly engage in this much overdue process, offering its perspective and expertise in dealing with 18 years of serving customers online and dealing responsibly with law enforcement information requests.
We know that aiding law enforcement in responsible ways doesn’t need to come at the expense of our fundamental Constitutional rights. ServInt will be carrying that message, along with other i2Coalition members, up to Capitol Hill this year.
Stay tuned to the ServInt Source where we’ll keep you updated on the status of this and other important Internet legislation.Image by g4114is.
Since its passage in 2001, there has been a lot of media attention given to critics of the Patriot Act at home and abroad. Privacy and government accountability concerns have been raised over some of the provisions of the Act, and in recent years, these concerns have been co-opted by some European hosts who have twisted them into marketing propaganda. Basically, they claim that hosting in Europe is more “secure” than hosting in the US, which is complete and utter nonsense.
Part of the argument these groups make—captured succinctly here—is that not only do all customers of US hosts with data housed in US data centers fall under the Patriot Act, but those who house their data in foreign data centers operated by US companies fall under US law as well.
To be sure, some of this fear has come from statements made by American companies hosting data in Europe, including Microsoft, which — during its June 2011 launch of Office 365 in London — admitted that European data, stored or processed in Europe by Microsoft, would fall under the jurisdiction of the Patriot Act.
News of the reach of the Patriot Act has led many to believe that US companies — and their servers — are somehow inherently less secure than European hosts.
But those who cite this as reason to host with European providers, miss or ignore the facts of European law. Read more
One of the critical parts of administrating your server is being able to log into your server via SSH (or shell access) as root. By accessing your servers “on the command line,” you can roll up your proverbial sleeves and really dig in: installing software, changing system configurations, investigating problems, etc. But there is a server security concern when logging into a system with all that control when you’ve only got a single password protecting access. This is where key authentication comes in.
Instead of typing in a password, you can generate an encrypted key pair that is used to authenticate you when logging in. The server will look to see if you have this key file on your computer instead. There is a good little overview of the process from cPanel here.
Key authenticaion is a great server security measure to implement as it allows you to control which systems can access your server. You can also turn password authentication off and your server will be immune to SSH password attacks. This is major step in security hardening and is highly advised.
Harsh words, but it needs to be said. At ServInt, we work very hard to deliver servers to our customers that are as secure as they can be. But every customization of and installation on a server creates holes in that security. It is simply the nature of the Internet and networking. If you have data to share, you must find ways for users to access that data.
Server security is a balance. The most secure server is one that is powered down and not connected to the Internet. But obviously, this server is little more than an expensive brick. To be useful, clients need to customize their servers, installing various programs that serve data out to and receive data from users on the Internet. Read more
We’ve all logged onto websites with an https://… url. That little “s” in https designates that the connection is using TLS / SSL encryption, an added level of security when interacting with a website. The most common places to see this are on sites that collect personal information or payments, basically anything private that users wouldn’t want to escape into the world.
Secure Sockets Layer (SSL) and its cousin, Transport Layer Security (TLS), are open standards for providing secure www service (plus mail, FTP and telnet). Originally proposed by Netscape, SSL uses RSA public-key encryption for specific TCP/IP ports. SSL competes with Secure-HTTP (S-HTTP). Read more
Jailshell is a level of shell (SSH) access that limits a user to his or her specific directory structure. Under regular SSH when users log into their servers they are taken to their home directory and can execute commands within their directory structure.
Under SSH, that user can also travel to any directoy on the server and even use “ls” to get a directory listing, they just cannot open the files or interact with them. Jailshell, on the other hand, logs users into their directory structure and locks them in (much like a prison or jail cell), disallowing them from openly traversing the directory structure outside of their home.
In order for a site to run on PHP, the server must interpret the PHP code and generate a page when visitors access the website. It interprets the code based on which PHP library you are using, such as PHP 4 or PHP 5. A PHP handler is what actually loads the libraries so that they can be used for interpretation. PHP handlers determine how PHP is loaded on the server.
There are multiple handlers that can be used for loading PHP: CGI, DSO, suPHP, & FastCGI. Each handler delivers the libraries through different files and implementations. Each file and implementation impacts Apache’s performance, because it determines how Apache serves PHP.
It is essential for your server’s performance that you select the handler that fits your situation. Selecting the right handler is just as important as the PHP version itself. One handler is not necessarily better than another; it depends on your unique setup.
Note: In the event that your server runs multiple versions of PHP, you may assign different PHP handlers to each individual instance of PHP. For example, version 5 may be handled by CGI while PHP 4 is handled by DSO.
How to change the handler
Changing the handler on cPanel is very easy to do and takes only seconds. Log into WHM and navigate to: Main >> Service Configuration >> Configure PHP and SuExec
You simply select your PHP handler choice from the drop-down menu. Then hit “Save New Configuration”.
Note: If you do not see your desired choice in the drop-down menu, it may need to be compiled on the server first. You can do this via the EasyApache script of WHM.
List of PHP handlers
All competent webhosts should provide customers with hosting solutions that are secure out of the box. Managed hosting providers work hard to make sure that what we provided customers remains secure on an ongoing basis. But most people can’t make much use of a hosting solution without taking it and making it their own–adding what they need to make their business work. Unfortunately, start adding anything to the solution you’ve been provided and it changes the security profile of the box.
It is not always obvious when a server is hacked. A malicious piece of code may lie buried in a random directory for weeks or even months before it activates and begins doing harm to the server or to other machines.
Unfortunately, this means it is usually not possible to simply restore a customer server from backups. Though we keep a daily, weekly and monthly backup of every VPS customer server, there is no way of knowing if the corruption occurred before the earliest backup was made. All too often, this means a customer is left rebuilding his or her server from scratch. Thankfully, this is a rare occurrence. ServInt, as well as most reputable software providers take active steps to deter and prevent malicious attacks.
In the 1990s websites were largely static html pages. The bulk of the work was in designing the pages. Once they went live, they changed little and needed updating only as often as the owner wished to update the content. But two things have occurred over the last 15 years that have dramatically changed the way webmasters interact with their sites.
The first change has been the development and implementation of server-side software such as PHP, ASP, and even WordPress and Magento. Most websites are no longer simply pages of static text, they are highly interactive and highly customizable. These new software developments open up a world of new things you can do, but they also open up all kinds of security pitfalls that need to be carefully avoided.
The second change is that the hardware that hosts these sites has become far more powerful. Advances in technology have not only increased the processing power and memory of host machines, but they have brought the price of this technology down so far that these machines are available for even entry-level hosting packages.
The keys to the Ferrari.
What this all means in terms of customer experience is that where at one time signing up for a web hosting account meant getting to borrow a bicycle to ride down the block, now it means getting the keys to the Ferrari.
Over the past five years especially, this combination of increasingly complex software and more powerful hardware has led to a dramatic increase in hacked servers on the web. Good managed web hosts routinely monitor their clients’ servers looking for any suspicious spikes in usage that might indicate unauthorized access. Companies should—and many do—try to work with customers to ensure that their server is ‘hardened’ (a pretty loaded term) and when circumstances dictate, that they have firewalls in place. But even with these steps and many others—forgive me if I must be intentionally vague here—at some point there is little even the most proactive host can do to anticipate a hack.
This is where customers come in.
One of the single best ways to prevent hacked servers is to keep all server-side software up to date. Vendors are constantly learning about and correcting weaknesses in their software code, releasing free updates to their users.
It would be great if a hosting company could magically update all of the third-party software customers have installed on their servers, but with literally thousands of different pieces of software for web designers to choose from, this is impossible on a practical level. A managed host does its part by upgrading operating systems and kernels as needed, but without consulting each customer personally and maintaining extensive lists, there isn’t even a way to determine all the software that is running on a customer’s server, let alone individually updating each customer’s products.
So what can customers do to protect themselves? Here are a few steps:
First, only install the software you need. Each application installed on a server opens that server up to any security risks the software has. The fewer pieces of software running on your system, the lower the chance of our server security being compromised.
Second, keep track of your installed software so you know what you’ve set up. I can’t tell you how many times I have traced the source of a security compromise for a customer only to have them say, “I didn’t even know that was still on my server.”
Third, keep the software you are running on your server up to date. There are options you can enable in cPanel and some other control panels to inform you when any software you downloaded directly from your control panel has been updated. Also, many places such as The Symantec Security Focus Bugtraq list allow you to sign up for emails that will send you information on software updates.
For all other software, there should be a page on the designer’s site which lists current versions and where to download updates. Keeping a folder of bookmarks of these sites can be a real life saver. Simply surf to the pages you have marked a couple times a month and check for software updates.
Fourth, ensure that the computer you are accessing your website from is properly protected. Keeping your server locked down against attacks and completely up to date is only so helpful if a piece of malware on your desktop tracks your keystrokes and finds out your server’s password when you log in. Having your server’s root access compromised (getting “rooted”) makes for a very bad day.
Finally, it sounds simple, but it is very important. Change your password, and change it often.
A few simple steps can put the power of security in your hands and go a long way to ensuring your server doesn’t fall victim to attack. A good managed host will work tirelessly to make sure that your business always stays up. But if you keep a close eye on what you put on your server and keep it updated, it’ll go a long way in helping us help you.
Photo by jonworth-eu