What are the best web hosting services for security?
#1
I've been looking into launching my own website, and from what I've seen, there are so many ways to "hack" a website. Considering I know very little about web security, I was wondering if there are any web hosting services that provide solid security?
Reply
#2
You're not looking for free webhosting, correct? Because that's pretty unreliable. I would recommend https://www.ovh.ie/; they also have decent DDoS protection. Although I prefer a VPS or dedicated server.
Reply
#3
(12-02-2015, 01:26 AM)Insider Wrote: You're not looking for free webhosting, correct? Because that's pretty unreliable. I would recommend https://www.ovh.ie/; they also have decent DDoS protection. Although I prefer a VPS or dedicated server.
Definitely not free web hosting, thanks for the recommendation, definitely going to look into it.
Reply
#4
I've used www.blazingfast.io for a few months. They have fast customer response times and are really friendly in helping you with your questions. They have good DDoS protection also, and are cheap imo: $5 a month.
Reply
#5
For the most part, security of web applications is separate from the security of the host. This is because it's code you supply that is running and is vulnerable. So if you're looking for something that will magically prevent the vulnerable code you upload from running, it will be hard to find, as that often breaks functionality, leading to bad reviews.

Anyway...there are three basic types of hosting you can get:

Shared Hosting - This is the 'entry' level; it used to be the cheapest, but VPSs have gotten pretty cheap over the years. As it sounds, you'll basically get some space and bandwidth on a server shared by many people. You won't get root, you probably won't be allowed to run many long-lasting processes, and you'll have limited ability to configure the server.

In exchange for only getting limited access you get all of that stuff managed for you. You don't need to worry about configuring your mail server, your HTTP server, DNS, etc. You'll probably get easy installs of common web-apps where the install is done automatically; sometimes they'll even update them for you. Basically, this is the easiest-to-use level of hosting.


Virtual Private Server (include cloud in here) - This is where you get an entire system all to yourself, except you're still sharing the physical hardware with other people (fewer than shared). You usually get root access and can do anything you want with your resources. The basic idea is you're given a virtual machine running on a dedicated server that runs several VMs for other people.

Dedicated Server - Exactly what it sounds like: you get some dedicated hardware and it's all yours to do whatever you want with.

---------------------------------------------------------------------

There are a couple other important terms:

Managed Hosting - Remember how shared hosting had everything set up for you? That's called managed hosting. It's when someone else manages the server for you. You can get a VPS or a Dedicated as managed hosting also, but it's quite expensive. With managed hosting, especially at the VPS or Dedicated level, you can specify the type of security you want them to set up, so you can have them set up a web-application firewall, intrusion detection/prevention systems, etc.

Unmanaged Hosting - For VPS and Dedi this is usually what you get, they will start the server for you, give you a control panel where you can reinstall an OS, reboot, shutdown, etc. Beyond that OS install, you are on your own and have to manage the server yourself.

---------------------------------------------------------------------

If you are wanting a host that provides a significant level of security at the web-app level, then you are going to want a managed provider. However this is also usually really expensive unless you go shared which may or may not offer web-app level support.

Let's talk briefly about server-level security. Dedicated hardware is going to be your most isolated level; if you've got a dedi then pretty much the only way you're going to find yourself owned is as a secondary attack (unless ofc you are the specific target).

A VPS gives you system isolation, but there have existed vulns that would allow one VPS to compromise the hypervisor, leading to a compromise of all the systems running on that box. The isolation is at the OS level though, which is better than shared hosting, which just basically gives you a /home directory.

So yea, shared hosting has the least isolation, usually just a directory under /home you can write to and your sites are served from. At any decent host you won't have access to read/write other users and there will be security at that level, but it's much easier to compromise other users on your server than other VMs on the server (VPS). The plus side is that going with a reputable shared host will get you reasonable security at this level, probably a better server setup than if you set it up with an unmanaged VPS/dedi, as they have people whose job is to take care of such issues.

---------------------------------------------------------------------

So, the above probably hasn't really answered your question; that's because the answer to your question really depends on your priorities. Given your inexperience I'd recommend a reputable shared host; this way your web service, your database, your domain name service, and your mail server will all be managed for you and you'll only have to worry about setting up your website securely.

Shared hosts are definitely hit and miss. So I recommend against godaddy, bluehost, and hostgator.

Godaddy I simply don't trust at a company level and advise people to stay away from them after their support for SOPA some years ago.

Bluehost, I've used them and it wasn't a bad host, but to get a shell account on the server you need to provide scans of your ID. Also, from personal experience knowing some of the staff, again I just don't trust the team...in security trust is a big deal.

Hostgator, I haven't personally used them but from friends they generally don't seem to care about security and are usually pretty vulnerable at the server level.

I have been using Dreamhost.com since 2006 for my shared hosting and have been fairly pleased with their shared hosting. I worked on a project that used one of their managed VPSs which was pretty decent but that only lasted a few months.

Why dreamhost? One of their early claims to fame was their support; it's dropped off a bit now, but generally I've been very pleased with their level of support even for shared hosting. On the security front, I had a friend running a website which had a SQL inject years ago; their support notified me of the issue, including the file and line number where the issue was. When I've hit CPU limits they've also suggested optimizations to code, so I've been pretty pleased with that type of service.

In addition to their support, they're pretty customizable for a shared host. Firstly, you get shell access so you can run your own scripts on the server, like say a python HttpServer; you don't get root so no privileged ports, but having shell access lets you do a lot. They support various versions of PHP and if you want you can run your own PHP instance with its own php.ini, no limits on that. They also support Ruby and Python websites.

And probably the biggest deal in terms of web-app security is their support for mod_security, which is a Web-Application Firewall (WAF) with solid default rules that will act as an obstacle when attempting a number of common attacks.

If you don't want to go shared, then I'd recommend Amazon AWS (cloud) hosting or really any cloud host. Cloud hosting provides a bit more client isolation; though technically it's VMs on hardware, you'll find that there is usually more isolation between hardware machines as they offer private networks and stuff like that which standard VMs don't offer.

tl;dr Frankly, if you want as much security handled for you as possible, I'd recommend dreamhost.com's shared hosting.
--------------------------------------------------

If you (or anyone reading this) do go with dreamhost you can google for coupons or ask me to make you a coupon (it's part of their referral/affiliate system).

Their coupons are actually really quite good as they allow me to give away up to $97 worth of discounts as:

A flat discount on the first year of up to $97
1-5 free as long as you're a customer domain registrations (com/net/org only) at $15 per domain
1-3 free as long as you're a customer static IPs at $30/ip

So if you want a coupon it can be any combination of the above totaling <= $97. I've created a couple that people might want:

GS97OFF - Does as it says, $97 off the first year of hosting.
GSDOMAINS for 5 free lifetime domain (com/net/org) registrations and $22 off for the first year. This is the best deal imo; I've been using a similar coupon for years and not paying registration really adds up over time.

For anyone worried, as I'm giving away the maximum discounts, I don't get anything from anyone using these coupons.
Reply
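Added example, not part of the original post: post #5 notes that shared hosting isolates customers only at the level of a directory under /home, so this Python audit walks a web root and reports world-writable paths and credential files that group/other can read. The file names, the sample tree and the assumption that your scripts run under your own account (so secrets can be mode 0600) are illustrative, not taken from any host named in the thread.

```python
import os
import stat
import tempfile

# Assumption: file names that usually hold credentials; adjust for your own app.
SENSITIVE_NAMES = {"wp-config.php", "config.php", ".env", ".htpasswd"}

def audit_tree(root):
    """Return sorted (relative_path, finding) pairs for permissions that let
    other accounts on the same server read secrets or modify content."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            exposed = mode & (stat.S_IRGRP | stat.S_IROTH)
            if stat.S_ISREG(st.st_mode) and name in SENSITIVE_NAMES and exposed:
                findings.append((rel, "secret readable by group/other"))
    return sorted(findings)

def build_sample_site(root):
    """Create a constructed sample tree (not from the thread) with mistakes."""
    layout = {
        "index.php": 0o644,            # ordinary page, fine
        "wp-config.php": 0o644,        # credentials readable by every account
        "uploads/cache.dat": 0o666,    # anyone on the box can rewrite it
        "private/.env": 0o600,         # correctly locked down
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o777)  # world-writable directory
    os.chmod(os.path.join(root, "private"), 0o700)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, finding in audit_tree(build_sample_site(tmp)):
            print(f"{finding:32} {rel}")
```

On a real account, call `audit_tree` on the directory your sites are served from; tightening a flagged secret is a `chmod 600` on that file.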
#6
(12-02-2015, 04:28 AM)dropzone Wrote: For the most part, security of web applications is separate from the security of the host. This is because it's code you supply that is running and is vulnerable. So if you're looking for something that will magically prevent the vulnerable code you upload from running, it will be hard to find, as that often breaks functionality, leading to bad reviews.
Thanks for the detailed answer, will be looking into your recommendations.
Reply
#7
(12-02-2015, 01:26 AM)Insider Wrote: You're not looking for free webhosting, correct? Because that's pretty unreliable. I would recommend https://www.ovh.ie/; they also have decent DDoS protection. Although I prefer a VPS or dedicated server.

Personally I would suggest avoiding OVH, as it is trivial to get servers hosted there ToS'd.
Reply
#8
(12-18-2015, 03:50 PM)MLT Wrote:
(12-02-2015, 01:26 AM)Insider Wrote: You're not looking for free webhosting, correct? Because that's pretty unreliable. I would recommend https://www.ovh.ie/; they also have decent DDoS protection. Although I prefer a VPS or dedicated server.

Personally I would suggest avoiding OVH, as it is trivial to get servers hosted there ToS'd.

I think it depends on the individual's threat model. Surely if he's not hosting any "shady" things my guess is that he'd be alright. But yeah, I can agree with you a bit; I'm personally trying to stay away from OVH myself because of their "Send me your ID/Passport and bank statements or utility bills for verification". You need to give up your anonymity and privacy.

In such cases a reseller might be a better option.
Reply
#9
Well so far the cheapest hosting that provides the best security would be: https://blazingfast.io/
Reply
#10
Based on your business niche, select the top hosting service where it is difficult to hack.
Reply