As Director of Network Compliance, one of my less enjoyable jobs is to explain to a customer whose server has just been hacked exactly what damage has been done and what data can and cannot be saved.
All competent webhosts should provide customers with hosting solutions that are secure out of the box. Managed hosting providers work hard to make sure that what we provide customers remains secure on an ongoing basis. But most people can’t make much use of a hosting solution without taking it and making it their own, adding what they need to make their business work. Unfortunately, as soon as you add anything to the solution you’ve been provided, you change the security profile of the box.
It is not always obvious when a server is hacked. A malicious piece of code may lie buried in a random directory for weeks or even months before it activates and begins doing harm to the server or to other machines.
Unfortunately, this means it is usually not possible to simply restore a customer server from backups. Though we keep a daily, weekly and monthly backup of every VPS customer server, there is no way of knowing if the corruption occurred before the earliest backup was made. All too often, this means a customer is left rebuilding his or her server from scratch. Thankfully, this is a rare occurrence. ServInt, as well as most reputable software providers, takes active steps to deter and prevent malicious attacks.
In the 1990s, websites were largely static HTML pages. The bulk of the work was in designing the pages. Once they went live, they changed little and needed updating only as often as the owner wished to update the content. But two things have occurred over the last 15 years that have dramatically changed the way webmasters interact with their sites.
The first change has been the development and implementation of server-side software such as PHP, ASP, and even WordPress and Magento. Most websites are no longer simply pages of static text; they are highly interactive and highly customizable. These new software developments open up a world of new things you can do, but they also open up all kinds of security pitfalls that need to be carefully avoided.
The second change is that the hardware that hosts these sites has become far more powerful. Advances in technology have not only increased the processing power and memory of host machines, but they have brought the price of this technology down so far that these machines are available for even entry-level hosting packages.
The keys to the Ferrari
What this all means in terms of customer experience is that where at one time signing up for a web hosting account meant getting to borrow a bicycle to ride down the block, now it means getting the keys to the Ferrari.
Over the past five years especially, this combination of increasingly complex software and more powerful hardware has led to a dramatic increase in hacked servers on the web. Good managed web hosts routinely monitor their clients’ servers looking for any suspicious spikes in usage that might indicate unauthorized access. Companies should—and many do—try to work with customers to ensure that their server is ‘hardened’ (a pretty loaded term) and when circumstances dictate, that they have firewalls in place. But even with these steps and many others—forgive me if I must be intentionally vague here—at some point there is little even the most proactive host can do to anticipate a hack.
This is where customers come in
One of the single best ways to prevent hacked servers is to keep all server-side software up to date. Vendors are constantly learning about and correcting weaknesses in their software code, releasing free updates to their users.
It would be great if a hosting company could magically update all of the third-party software customers have installed on their servers, but with literally thousands of different pieces of software for web designers to choose from, this is impossible on a practical level. A managed host does its part by upgrading operating systems and kernels as needed, but without consulting each customer personally and maintaining extensive lists, there isn’t even a way to determine all the software that is running on a customer’s server, let alone to individually update each customer’s products.
So what can customers do to protect themselves? Here are a few steps:
First, only install the software you need
Each application installed on a server opens that server up to any security risks the software has. The fewer pieces of software running on your system, the lower the chance of your server security being compromised.
Second, keep track of your installed software so you know what you’ve set up
I can’t tell you how many times I have traced the source of a security compromise for a customer only to have them say, “I didn’t even know that was still on my server.”
Third, keep the software you are running on your server up to date
There are options you can enable in cPanel and some other control panels to inform you when any software you downloaded directly from your control panel has been updated. Also, many places such as the Symantec Security Focus Bugtraq list allow you to sign up for emails that will send you information on software updates.
For all other software, there should be a page on the designer’s site which lists current versions and where to download updates. Keeping a folder of bookmarks of these sites can be a real life saver. Simply surf to the pages you have marked a couple times a month and check for software updates.
Fourth, ensure that the computer you are accessing your website from is properly protected
Keeping your server locked down against attacks and completely up to date is only so helpful if a piece of malware on your desktop tracks your keystrokes and finds out your server’s password when you log in. Having your server’s root access compromised (getting “rooted”) makes for a very bad day.
Finally, it sounds simple, but it is very important. Change your password, and change it often
A few simple steps can put the power of security in your hands and go a long way to ensuring your server doesn’t fall victim to attack. A good managed host will work tirelessly to make sure that your business always stays up. But if you keep a close eye on what you put on your server and keep it updated, it’ll go a long way in helping us help you.
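Steps two and three above, as an added example that is not part of the original article: a POSIX shell script that lists every WordPress tree under a web root with its version and reports any tree missing from your own inventory list. The function names, the inventory file (one install directory per line) and the sample tree are assumptions; WordPress is used because the article names it, and other applications need their own version marker.

```shell
#!/bin/sh
# Added example: list WordPress installs under a web root and flag the ones
# missing from your own inventory. Names and file layout here are assumptions.
TAB=$(printf '\t')

# Print "version<TAB>path" for every WordPress tree under $1. WordPress keeps
# its version in wp-includes/version.php as: $wp_version = 'x.y.z';
find_wp_installs() (
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null | sort |
    while IFS= read -r vfile; do
        ver=$(awk -F"'" '/^\$wp_version/ { print $2; exit }' "$vfile")
        printf '%s\t%s\n' "${ver:-unknown}" "${vfile%/wp-includes/version.php}"
    done
)

# Print installs under $1 whose path is not a line of inventory file $2
# (hypothetical format: one install directory per line).
unlisted_installs() (
    find_wp_installs "$1" |
    while IFS="$TAB" read -r ver dir; do
        grep -Fxq -- "$dir" "$2" || printf '%s\t%s\n' "$ver" "$dir"
    done
)

# Constructed sample: two WordPress trees, only one recorded in the inventory.
make_sample() (
    d=$(mktemp -d)
    mkdir -p "$d/public_html/blog/wp-includes" "$d/public_html/old/test/wp-includes"
    printf "<?php\n\$wp_version = '6.4.2';\n" > "$d/public_html/blog/wp-includes/version.php"
    printf "<?php\n\$wp_version = '3.5.1';\n" > "$d/public_html/old/test/wp-includes/version.php"
    printf '%s\n' "$d/public_html/blog" > "$d/inventory.txt"
    printf '%s\n' "$d"
)

# Usage: inventory.sh WEB_ROOT INVENTORY_FILE   (no arguments: run the sample)
if [ "$#" -eq 2 ]; then
    unlisted_installs "$1" "$2"
else
    sample=$(make_sample)
    unlisted_installs "$sample/public_html" "$sample/inventory.txt"
    rm -rf "$sample"
fi
```

Run from cron, an empty result means every install found is one you have on record; any line printed is a tree to update or remove.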
Photo by Jon Worth