Common security issues you face as Linux (web)hosting provider

The practice of giving user level access to anyone with a PayPal account or credit card is in and of itself insanity. I've been working in the hosting industry for the better part of the last six years and I still find it insane.

This is a list of what I do for most servers (shared or not) in no particular logical order:

• I almost never use the distro supplied kernel. I keep our own kernel tree which stays in step with Linux mainline ... as far as grsecurity permits. Its not just a security measure, its also an optimization measure. You won't find stuff like parallel / usb / audio support in our kernels (as web servers don't need them). The kernels are built to utilize only the stuff on the board that we need.
• 9/10 bad things are let in by buggy user scripts. Many customers know enough PHP to be dangerous. mod_security is one of my best friends, I pay for subscriptions to hardened rule sets and keep them updated almost weekly.
• Auditing is critical, I also recommend using OSSEC or something similar.
• All of my servers are attached to a maintenance LAN, which I am able to reach independently of the public network. When / if things do go bad and you find your server so busy sending junk packets all over the Internet, you'll appreciate having another way in. I also have IP KVM's installed on all servers, or IPMI depending on the hardware.
• Lately, I have been using Xen as a management layer for shared servers. I create a single guest which has 99% of the system's memory. This allows me to do things like file system repairs / snapshots / etc rather painlessly. It can really help in recovery if things go wrong (and handy to hide the LAN from the shared server).
• I maintain a very strict iptables based firewall that is especially strict when it comes to egress.
• I am very careful about who can access the system compiler and linking tools.
• I update system software religiously.
• I make periodic scans to ensure people aren't unwittingly running old and vulnerable versions of popular applications such as Wordpress, PHPBB, etc.
• I offer free installation of stuff that clients 'find on the Internet'. This really helps me to audit what's being hosted, while offering customers additional value. It also helps ensure that things are installed securely and correctly.
• Always, always, always harden PHP, make sure you use suexec for PHP as well. Nothing is worse than finding a bot in /tmp owned by 'nobody' :)

Finally, last but not least:

• I actually read the system log files. So many hosts come running to see what went wrong only after an issue is noticed. Even when using tools like OSSEC, its important to be proactive.

It looks like other people are going into lots of details, however the single biggest source of malicous activity has to be FTP.

Lock it down to certain IPs, disable it for accounts that don't need it. Even disable service unless it's requested.

I've had to deal with dozens of hacks after malicious code is uploaded into websites, either spamming the world or redirecting visitors with iframe injections. Rarely do they get root or shell access, instead they just cause a ton of manual housekeeping work of un-blacklisting servers and manually searching code.

The main source of the hack isn't the server itself, but infected end-user PCs which sniff FTP passwords and send them back to the mothership, to then be used later from a different machine to upload the code.

I worked for a web hosting company for a while and it is a nightmare to keep all users secure. Specially on a shared environment. Private servers are way easier to keep track, since security issues are isolated only to that system.

Some things to keep in mind on a shared hosting:

• A bug in one site can affect all others. So try to limit what each user can do and be restrictive on permissions. It includes ulimit, php limits, etc.
• Monitor the system and individual sites. A tool like OSSEC can be very handy to deal with all the information.
• The Linux kernel does not have a good track regarding local exploits. So make sure that it is always updated and use kernel security extensions (grsecurity, SELinux, etc).

For the private servers, you leave the security on your users hand, but make sure to install proper QOS, NIDS and anti-DOS tools on your network.