Earlier, we went through the types of hosting services and explained how to choose the right one for your project. Shared hosting (virtual hosting) is the most popular option: many clients' services are hosted on one physical server. This makes efficient use of server capacity and keeps prices affordable for any user. The performance of shared hosting is usually sufficient for small sites, although the range of plans is designed for both small projects and serious online stores.
With this hosting arrangement, a high level of security for each client is essential: isolation of clients' files from one another, anti-virus protection and backups.
How hosting security is organized
Any information security starts with physical security. Hosting servers are located in secure data centers, and only employees have physical access to them. In addition, the data centers are protected against power outages and equipment failure and have dedicated ventilation and fire suppression systems. All critical nodes are redundant: if one fails, a standby takes over.
Isolation of hosting services
One server can host many hosting services ordered by different clients, but each client has access only to their own files. This relies on the file permission mechanism provided by the Linux operating system.
Each file and directory in Linux can be configured for read and write access. Access is set separately for:
- the owner of the file;
- user groups to which the owner belongs;
- everyone else.
A separate operating system user is created for each client on the server. Access rights are set so that no client can read another client's files or write anything into them.
This permission mechanism is extremely flexible and allows access to be configured in systems of any scale.
User processes, including PHP handlers, are isolated: each user can manage only their own processes. Using memcached, available on VIP hosting plans, is safe because each user gets a dedicated instance listening on a separate port.
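The isolation described above depends on every client's home directory carrying no group or "everyone else" bits. As an added example (not REG.RU's own tooling), this Python script audits a directory of client homes for permissive modes and tightens the ones it finds; the two client directories and the `hosting-demo-` temp tree are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Permission bits that grant the group or "everyone else" any access at all.
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO


def exposed_entries(root):
    """Return (name, octal mode) for each entry directly under root whose
    mode lets the group or other users read, write or traverse it."""
    findings = []
    for name in sorted(os.listdir(root)):
        mode = stat.S_IMODE(os.lstat(os.path.join(root, name)).st_mode)
        if mode & NON_OWNER_BITS:
            findings.append((name, oct(mode)))
    return findings


def lock_down(root, name):
    """Strip all group/other bits but keep the owner's (e.g. 755 -> 700);
    returns the resulting mode as an octal string."""
    path = os.path.join(root, name)
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~NON_OWNER_BITS)
    return oct(stat.S_IMODE(os.lstat(path).st_mode))


def build_demo_tree():
    """Constructed sample: two client home directories, client_a isolated
    correctly (700) and client_b left world-readable (755) by mistake."""
    root = tempfile.mkdtemp(prefix="hosting-demo-")
    for client, mode in (("client_a", 0o700), ("client_b", 0o755)):
        home = os.path.join(root, client)
        os.mkdir(home)
        os.chmod(home, mode)  # explicit chmod, so the umask cannot interfere
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("exposed before:", exposed_entries(demo))  # [('client_b', '0o755')]
    for entry, _ in exposed_entries(demo):
        print("fixed", entry, "->", lock_down(demo, entry))
    print("exposed after:", exposed_entries(demo))  # []
```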
SSL certificate
An SSL certificate (Secure Sockets Layer) is required for HTTPS to work. Thanks to the certificate, the data exchanged between the client and the server is encrypted. SSL also confirms the authenticity of the site the user connects to, and today it is a mandatory element of every modern website.
For any website on hosting you can order and install an SSL certificate from the certification authority of your choice, including a free one from Let's Encrypt, or get a free one-year certificate from GlobalSign together with a domain.
Automatically generated passwords
Hosting automatically generates passwords for application services. These passwords contain special characters, digits, and upper- and lower-case letters. This produces a password that resists guessing and brute-force attacks without the user having to think about the principles of cryptography.
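Here is one way to generate such a password, as an added example that is not REG.RU's own generator: it draws from the system CSPRNG via `secrets`, guarantees at least one character from each class named above, and shuffles so the guaranteed characters do not sit at fixed positions. The special-character set `SYMBOLS` is an assumption of this example.

```python
import secrets
import string

# Assumed symbol set; a real service would pick one its applications accept.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
# Every generated password must contain at least one character from each class.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)


def generate_password(length=16):
    """Return a random password of the given length covering all four classes."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    # One guaranteed pick per class, then fill the rest from the whole alphabet.
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
    return "".join(chars)


def covers_all_classes(password):
    """True if the password has at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)
```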
Antivirus
As with any program code, a website's code may contain vulnerabilities through which it can be infected with malware. It is important to detect the infection in time and take action, and for that you need an antivirus.
In addition to scanning and notification, the antivirus can "cure" infected files: remove the malicious code from them and repair damaged areas. Despite these capabilities, there are situations in which files cannot be cured, and then the site has to be restored from a backup.
Google Safe Browsing
In addition to antivirus protection, the hosting system is configured to monitor sites blocked by Google Safe Browsing. Safe Browsing's purpose is to identify malicious web resources and show warnings in search results or in the browser to protect users.
If a client's site appears on the Google Safe Browsing list of unsafe sites, a message with recommendations on how to fix the problem is sent to the contact email address.
Backups
Automatic backups are available on shared hosting. Backups are stored on separate servers, independent of the hosting servers. A copy includes all site files and databases. Each backup is created at the beginning of the day, Moscow time, so all changes from the previous day are saved.
The user can restore the site from a backup or download the archive to their own computer. Each backup is kept for 30 days and is then irretrievably deleted.
Protection against DDoS attacks
A DDoS attack is a distributed attack on a server that results in denial of service: the site stops working or works intermittently. The most common motive for DDoS attacks is competition: unable to reach the desired site, the visitor goes to a competitor's site that is available, and the administrator of the affected resource loses money.
Since many sites share one physical hosting server, protection from DDoS is extremely important: an attack on one resource must not affect all the others.
A DDoS attack can take place at either a low or a high level of the OSI model. A low-level attack takes place at the network and transport layers (layers three and four), where the attacker exploits imperfections in network protocols. On REG.RU hosting, protection against low-level attacks is always on.
A high-level DDoS attack takes place at the session and application layers (layers five and seven). Such attacks usually look like a large number of requests from ordinary users, so protection has to be enabled separately for each site. If the attack is powerful and affects not only the site's availability but also server performance, the provider may restrict access to the site until the attack ends or until the client enables the protection.
Web Application Firewall
ModSecurity with paid rule sets from leading cybersecurity companies is used as the Web Application Firewall. It filters attacks on client sites that target vulnerabilities in popular CMSs (Joomla, WordPress, Bitrix, OpenCart and others).
Such attacks include, for example, SQL injection, which lets an attacker execute arbitrary SQL queries against the site's database. The consequences can be serious, from data theft and takeover of the site admin account to deletion of all data in the database.
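As an added illustration of the injection class those WAF rules cover for (not REG.RU's code), here is the vulnerable query pattern next to its parameterised fix, run against a constructed in-memory SQLite `users` table. The WAF is a second line of defence; the parameterised form is what removes the bug.

```python
import sqlite3


def make_db():
    """Constructed sample: a tiny users table standing in for a site's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password_hash TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "hash-a", "admin"), ("editor", "hash-e", "editor")],
    )
    return db


def lookup_vulnerable(db, name):
    """The pattern a WAF rule tries to catch: user input pasted into the SQL
    text, so a quote in the input changes the statement itself."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, name):
    """Parameterised query: the driver passes the value separately from the
    statement, so the input can only ever be compared, never executed."""
    return db.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()
```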
Fail2Ban
Fail2Ban is a software tool for preventing brute-force attacks. It is most often used to protect SSH and FTP, but it can be configured to protect other services as well. The way it works is simple: it scans the logs, and if it detects several login attempts with an incorrect username or password, it temporarily blocks access from the offending IP address.
Despite its simplicity, this protection is very effective: picking a password becomes much harder. Fail2Ban does have a side effect: if a user simply forgets the password and tries to recall it by trying possible variants, they too will be temporarily blocked.
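The log-scanning logic described above, as an added example that is not Fail2Ban's own code: it parses sshd "Failed password" lines and bans an IP once it reaches `maxretry` failures inside a sliding `findtime` window. The log lines use RFC 5737 test addresses and are constructed for this example; the year 2024 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd failure line as written to auth.log; the source IP is what we key on.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def find_bans(lines, maxretry=3, findtime=600):
    """Return [(ip, timestamp)] for each IP that reaches maxretry failed logins
    within a sliding window of findtime seconds. Fail2Ban's jail.conf ships
    maxretry = 5 and findtime = 10m; lowered here to keep the sample short."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    banned, already = [], set()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in already:
            continue  # not a failure line, or this IP is already blocked
        ip = m.group("ip")
        ts = datetime.strptime("2024 " + m.group("ts"), "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # failures older than findtime no longer count
        if len(q) >= maxretry:
            banned.append((ip, m.group("ts")))
            already.add(ip)
    return banned


# Constructed sample log. 203.0.113.5 fails three times in seconds;
# 198.51.100.7 mistypes twice and then logs in (the "forgot my password" case);
# 192.0.2.9 fails three times but 15 minutes apart, never three in one window.
SAMPLE_LOG = [
    "Jan 10 12:00:01 web1 sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2",
    "Jan 10 12:00:03 web1 sshd[4120]: Failed password for root from 203.0.113.5 port 51022 ssh2",
    "Jan 10 12:00:04 web1 sshd[4131]: Failed password for u1234 from 198.51.100.7 port 60001 ssh2",
    "Jan 10 12:00:05 web1 sshd[4120]: Failed password for root from 203.0.113.5 port 51022 ssh2",
    "Jan 10 12:00:08 web1 sshd[4131]: Failed password for u1234 from 198.51.100.7 port 60001 ssh2",
    "Jan 10 12:00:12 web1 sshd[4140]: Accepted password for u1234 from 198.51.100.7 port 60002 ssh2",
    "Jan 10 12:10:00 web1 sshd[4150]: Failed password for root from 192.0.2.9 port 40001 ssh2",
    "Jan 10 12:25:00 web1 sshd[4151]: Failed password for root from 192.0.2.9 port 40002 ssh2",
    "Jan 10 12:40:00 web1 sshd[4152]: Failed password for root from 192.0.2.9 port 40003 ssh2",
]
```

Widening `findtime` to an hour makes the slow 192.0.2.9 attempts fall into one window and bans that address too, which is exactly the trade-off between catching slow guessing and locking out a forgetful user.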
Why these tools may not be enough to protect websites
We have listed the tools we use to secure our clients' sites. But if the user does not follow basic security rules, the effectiveness of this protection is reduced. It is like a seat belt in a car: without it, you simply cannot keep yourself safe while traveling. So here are a few simple rules; by following them you will protect your site from hacking, and yourself from data loss, as much as possible.