Security - The Importance of Solid Audit Practices
Security across the Internet has become a growing concern from small to medium business to major corporations. Warding off threats from Internet Criminals has become an expensive and time consuming necessity of doing business across Communications Networks.
The cost of providing high level security for IT Infrastructers can easily surpass thousands of dollars monthly and depending on the type of business can be in the several millions annually.
We monitor our systems, whether leased or owned, constantly and take immediate action when security updates of any kind are needed. Our approach is proactive and not reactive.
Net Locations has also aligned itself with a few of the Internet's most professional security experts on the application level. Website owners need to be sure that their applications are hacker proof or risk losing data and having their sites compromised in variety of ways by unscrupulous Cyber Criminals.
On this page we provide a list of the many services we provide to keep our systems safe and to help keep your websites guarded from compromise. We also discuss some of your responsibilities with regards to securing your site. If you need a security audit for your server or wish to scan your critical apps for vulnerabilities, we have services available. More information is available on individual services pages throughout the site.
||An Apache module is a security layer in Apache that helps prevent exploitation of vulnerable web scripts. We install and configure the cPanel and HSphere mod_security module for Apache v1, v2 and LiteSpeed. We regularly update the software itself and the definitions. ModSecurity is a server script that we update and maintain on a regular basis. All LAMP Hosting Plans (LiteSpeed-cPanel and Hsphere) are protected by ModSecurity.
||Our VHS Cloud Plans offer hardware firewall solutions that offer a near enterprise level of security to help protect all sites hosted within the cloud. For small to medium business sites this offers a savings over having to manange or outsource a firewall. Similar firewalls protect each server in our clustered and other dedicated hosting plans. Microsofttm Medium Trust is used exclusively for Windows Hosting within the VHS Cloud Environment.
On The Cloud
|Preventiertm is the unique, proactive DDoS prevention program created by Rackspace to ensure unmatched network protection and performance for our customers. No other hosting provider has combined three such disparate technologies to create such an all-encompassing protection system for their network. From network-wide packet scanning through granular traffic analysis right down to server-level anomaly detection, Preventier's three layers of detection identify and filter hostile traffic 24x7x365.
The Hsphere Cluster employs similar DDoS protection systems. LiteSpeed-cPanel are protected at the Network Level and each server employs Port Flooding Detection - Per IP, per Port connection flooding detection and mitigation to help block DDoS attacks.
Top Layer appliances from Corero are used in some of our dedicated server colos.
|Server Hardening and Optimization
||All of our owned or leased systems and servers are subject to 'Best Practices' hardening and optimization. It isn't a matter of overly comprehensive; it's a matter of quality, not quantity. We do not over our servers (or yours for that matter) with useless and unproven software.
We start with proactive patch management. Keeping servers patched with the latest updates is critical from the network level to the application layer. Key services are listed below:
- Security Audits (also available on a per cost basis for hosted sites)
- Service Hardening
- Access Control Systems
- Firewall Configuraiton
- Service Isolation (Jailing)
- System Updates
- ModSecurity and Suhosin Installation
- Rootkit Checks
- Removal of Services not needed or that might be a Security Risk
- File System Audits
- Password Audits
- Intrusion Detection Systems (IDS)
- Network Security
- R1 Soft Backup Solutions
- Antivirus and Antispam
- SSL Encryption
- Securing of Email Systems
- Clam AV Installation
||We provide advanced monitoring for our servers and systems on a 24/7/365 basis with proactive response to any downed services. In addition we monitor server software - PHP, MySQL, MS SQL, MTA's and the like.
||mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.
Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:
This method has worked well in both single-server script attacks as well as distributed attacks, but just like other evasive tools, is only as useful to the point of bandwidth and processor consumption (e.g. the amount of bandwidth and processor required to receive/process/respond to invalid requests), which is why it's a good idea to integrate this with your firewalls and routers for maximum protection.
- Requesting the same page more than a few times per second
- Making more than 50 concurrent requests on the same child per second
- Making any requests while temporarily blacklisted (on a blocking list)
This module instantiates for each listener individually, and therefore has a built-in cleanup mechanism and scaling capabilities. Because of this per-child design, legitimate requests are never compromised (even from proxies and NAT addresses) but only scripted attacks. Even a user repeatedly clicking on 'reload' should not be affected unless they do it maliciously. mod_evasive is fully tweakable through the Apache configuration file, easy to incorporate into your web server, and easy to use.
Thanks to Jonathan Zdziarski for the above detailed explanation.
|What can you do to practice good security?
||Keeping your servers, sites and computer system secure is a comprehensive topic and is a book not a paragraph. However, below are some pointers that will serve you well:
This information above just barely scratches the surface but you may now be more aware than 15 minutes ago. It is your duty to protect yourself and your customers. While infallible security may be a pipe dream, making things difficult for the bad hackers to compromise your computers, sites and servers is highly recommended. Most hackers will move on to an easier victim and unfortunately there are millions of them out there. Too many people simply don't take security seriously until they are forced to, because they've had their indentity cloned, their PayPal account broken in to or all the private data on their servers compromised. Take the time to start practicing good security habits and stay informed and aware of security at all times.
- Use secure passwords for your servers, sites and personal/corporate computers. We at Net Locations never cease to be amazed at the weak passwords far too many users employ. A good password should be at least 12 characters and must be one that can't be guessed and should be very difficult for hackers to scan. Think of a password as the key to your house, once someone else has it, your house is now their's as well. A good password might look like this - R$y2T!Wt@-08*.
- The number one way hackers get into a site or server is through a compromised password. It may be impossible to make any password hacker proof, but it is possible to make it very difficult to crack. The longer it takes for a hacker to compromise your password, the more likely he is to move on and look for another victim.
- No matter how diffcult your password might be for a hacker to crack, it's irrelevant if your computer is not properly secured. So if you're going to store passwords on your PC make sure they are encrypted. There are plenty of free encryption software packages that will do the job. This is not a bad idea for any other sensitive documentation you might be storing on your computer.
- Use security software like AVG or Vipre to protect you against malware, trojans, worms, viruses, phishing scams, bad Websites and the like. In addition make sure that you keep defintions updated and the software itself as well. Use a password to access your computer.
- Always use safe email practices. Don't open attachments from anyone and that includes your best friend, unless you were expecting it and know the file name and sender. Don't click on links from spammers or other emails such as phishing scams. Visiting rogue Websites is one of the premier ways that hackers compromise your computer and attach it to a Bot Network.
- Flaws in Web-based software is another security risk that hackers love to exploit. Often applications are written by teams of coders and assembled later; there exists a very strong possibility that somewhere in this process somebody made an error and left a major security hole in the software. Hackers can exploit this type of software and gain access to the data behind it or even upload malware to the Website. Before putting any application software into use be sure to have it tested for security flaws and patched immediately; also keep all such software patched and up to date.
- If you are using your own servers (cloud, dedicated, VDS and the like), be sure to have it or them properly secured by professional security experts.