secure web hosting

We’ve done both managed hosting and virtual hosting at AnyHosting, and there are many challenges to doing either securely. As Bruce Schneier is fond of saying, “Security is a process, not a product.” All of the techniques described in this post aim to limit the damage a successful attack can do; they must be part of an overall security strategy, which is beyond the scope of this post (but which I’ll say more about in the future).

There are many aspects to security; what I’m talking about today is compartmentalization, that is, physically or virtually separating customers from each other (into separate “compartments”), so that a break-in to one site does not turn into a break-in to all of them.

When you’re doing managed hosting on separate physical servers (or even virtual private servers), there’s generally a lot less to worry about: an attacker who gets into one customer’s server does not automatically get into every other customer’s, unless you’ve been lax with password or network security (e.g. not encrypting traffic inside your own network, reusing the same passwords everywhere, etc.).

Virtual hosting, however, is much harder to secure properly, because the whole point is to serve many sites from the same server instance. The primary problem is that on most operating systems the default Apache configuration (Apache being the most popular web server on the net right now) runs every site as the same user, typically www-data, apache or nobody. If you allow dynamic scripts (CGI, PHP, etc.), every customer’s scripts run with that one identity, so any script can read, and usually write, any other customer’s files that the web server can reach, including configuration files holding database passwords.

The halfway point between a VPS and plain virtual hosting is operating-system-level virtualization. You’ve got different choices depending on the OS: Solaris Containers, FreeBSD Jails and Linux-VServer are all popular choices. Each gives the customer a private filesystem and process list, while still letting the host limit resources like CPU, memory and I/O.

A solution of last resort is the Unix command “chroot”, which at least gives each user a separate view of the filesystem, but it does not let the host control resources, and care must be taken to prevent users from breaking out: a process running as root inside a chroot can escape it, so nothing inside the jail should run as root or be setuid root, and the jail should contain only the binaries and libraries the customer actually needs. Tools like jailkit can be helpful, if you decide that you need to go this route.
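The following script is added here as an illustration; it is not part of the original post and not jailkit’s own code. It does by hand what jailkit’s jk_init and jk_cp automate: it copies a few binaries and the shared libraries ldd reports for them into a jail directory, then audits the tree for the mistakes that make a chroot easy to escape (setuid/setgid binaries, device nodes, hard links that may alias files outside the tree, world-writable directories). The jail path and the binary list are assumptions; try it on a scratch directory first.

```shell
#!/bin/sh
# Added example, not from the post or from jailkit: build a minimal chroot
# tree for one hosting customer, then audit it. Paths are hypothetical.
set -eu

# Copy one binary plus every shared library ldd reports for it into the jail.
# ldd prints lines like "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)"
# and "/lib64/ld-linux-x86-64.so.2 (0x...)"; we keep every token that is a path.
copy_into_jail() {
    jail=$1
    bin=$2
    for f in "$bin" $(ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'); do
        mkdir -p "$jail$(dirname "$f")"
        [ -e "$jail$f" ] || cp -L "$f" "$jail$f"   # -L: copy the target, not the symlink
    done
}

# build_jail JAIL BIN...  -- create the tree with only what the customer needs.
build_jail() {
    jail=$1; shift
    mkdir -p "$jail/etc" "$jail/tmp"
    chmod 1777 "$jail/tmp"          # sticky bit, like a real /tmp
    for bin in "$@"; do copy_into_jail "$jail" "$bin"; done
    # The jail gets its own tiny passwd/group, never a copy of the host's.
    printf '%s:x:%s:%s::/:/bin/sh\n' "$(id -un)" "$(id -u)" "$(id -g)" > "$jail/etc/passwd"
    printf '%s:x:%s:\n' "$(id -gn)" "$(id -g)" > "$jail/etc/group"
}

# audit_jail JAIL -- return 1 if anything is found that makes escape easy.
# chroot is no boundary at all for uid 0; that rule cannot be checked here,
# but setuid binaries are the usual way a jailed user becomes uid 0.
audit_jail() {
    jail=$1
    bad=0
    if [ -n "$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \))" ]; then
        echo "audit: setuid/setgid binary in $jail" >&2; bad=1
    fi
    if [ -n "$(find "$jail" \( -type b -o -type c \))" ]; then
        echo "audit: device node in $jail (raw access to disks or memory)" >&2; bad=1
    fi
    if [ -n "$(find "$jail" -type f -links +1)" ]; then
        echo "audit: hard-linked file in $jail (may alias a file outside the tree)" >&2; bad=1
    fi
    if [ -n "$(find "$jail" -type d -perm -0002 ! -perm -1000)" ]; then
        echo "audit: world-writable directory without sticky bit in $jail" >&2; bad=1
    fi
    return $bad
}

# Usage (hypothetical path): sh jail.sh /srv/jails/customer1 /bin/sh /bin/ls
if [ "$#" -gt 1 ]; then
    JAIL=$1; shift
    build_jail "$JAIL" "$@"
    audit_jail "$JAIL"
    # Entering the jail needs root, but the shell inside must NOT be root:
    #   chroot --userspec=customer1:customer1 "$JAIL" /bin/sh
fi
```

Note what this does not give you: as the post says, chroot provides no CPU, memory or I/O limits, so those still need one of the OS-level virtualization options above, and the audit only catches the easy mistakes; the real rule remains that nothing inside the jail runs as root.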

The safest and easiest way to host separate sites is of course a separate physical server for each client; it’s also, of course, the most expensive. The cost/effort ratio continues in the same direction as you move through VPS, OS-level virtualization, chroot and finally no separation at all. The last is only acceptable if you either manage everything yourself and allow no user uploads, or allow no dynamic scripting of any kind; even then you still run the risk of a break-in to one site affecting all of your customers.

(EDIT: fixed jailkit link)

3 Responses to “secure web hosting”

  1. AnyHosting » Blog Archive » secure hosting using a proxy Says:

  2. AnyHosting » Blog Archive » web hosting with ubuntu server Says:

    [...] Apache is configured to proxy to chrooted installs which users have access to (as discussed previously). This is not as secure as having a real separate VM or better yet a separate machine for each web [...]

  3. Jeremy Says:

    Security is one of the never ending processes. Seems like once you get a handle on things something new comes up.