Web hosting clients are often their own worst enemy where security is concerned. Hosting industry professionals spend way too much time dealing with hacked accounts and content management systems, spam and malware-infected servers, and all manner of problems that could have been avoided with a modicum of caution.
But, as the saying goes, there’s not much you can do about unknown unknowns, and that’s what server and CMS vulnerabilities are to many hosting clients.
Security is big business on the modern web, and a hosting company that makes an effort to protect its clients has an edge on the competition. Of course, hosting providers can’t hand-hold clients through every possible security problem, but there are a few low-impact services they can offer to reduce the chances that an unsuspecting client will shoot themselves in the foot.
Proactive Security Updates
When news of the massive Equifax data leak hit the headlines, I placed a small bet with myself that the culprit would turn out to be outdated software. Naturally, I won my bet. A vulnerability in Apache Struts was the attackers’ entry point, a vulnerability that had been disclosed and patched a couple of months before the breach. If Equifax had updated, they could have avoided the pickle they find themselves in today.
Proactive security updates would massively reduce the number of hacked hosting accounts.
Regular Malware Scans
When a breach does occur, it’s good to know about it as soon as possible. Typically, hackers plant malware on the server, and with regular, easily scriptable malware checks, the majority of hacked accounts can be spotted and cleaned up quickly.
Certificate-Based SSH Access
Passwords are not a good authentication mechanism for critical infrastructure. Even server administrators and others who ought to know better have a tendency to choose easily guessed passwords.
If you allow SSH access to hosting accounts, they’ll be a lot safer if the only login method on offer is public key authentication.
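One way to verify that key authentication really is the only login method offered, as an added example that is not from the original article: a shell audit of sshd_config. It assumes OpenSSH semantics (the first occurrence of a keyword wins, keywords are case-insensitive, an absent keyword takes the daemon default, and anything after a `Match` line is conditional), and the default values it falls back on are those of current OpenSSH releases. The sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes OpenSSH keyword
# semantics; defaults listed in audit_sshd_config mirror current OpenSSH.

# Print the effective value of KEY in FILE, or DEFAULT when it is absent.
# Parsing stops at the first Match block, whose settings are conditional and
# need a separate review.
sshd_value() {
    file="$1"; key="$2"; default="$3"
    v=$(awk -v k="$key" '
        /^[[:space:]]*#/ { next }                      # comment line
        { sub(/=/, " ") }                               # allow Keyword=value form
        tolower($1) == "match" { exit }                 # conditional section starts
        tolower($1) == tolower(k) { print $2; exit }    # first occurrence wins
    ' "$file")
    [ -n "$v" ] && echo "$v" || echo "$default"
}

# Print one FINDING line per setting that still permits password or
# keyboard-interactive logins; prints nothing for a key-only configuration.
audit_sshd_config() {
    f="$1"
    [ "$(sshd_value "$f" PasswordAuthentication yes)" = no ] \
        || echo "FINDING PasswordAuthentication should be no"
    [ "$(sshd_value "$f" KbdInteractiveAuthentication yes)" = no ] \
        || echo "FINDING KbdInteractiveAuthentication should be no"
    [ "$(sshd_value "$f" ChallengeResponseAuthentication yes)" = no ] \
        || echo "FINDING ChallengeResponseAuthentication should be no"
    [ "$(sshd_value "$f" PubkeyAuthentication yes)" = yes ] \
        || echo "FINDING PubkeyAuthentication must stay yes"
    [ "$(sshd_value "$f" PermitRootLogin prohibit-password)" != yes ] \
        || echo "FINDING PermitRootLogin should not be yes"
}

# Stand-alone demonstration on two constructed configurations.
demo() {
    d=$(mktemp -d)
    printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$d/weak"
    cat > "$d/hardened" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
EOF
    echo "weak config:";     audit_sshd_config "$d/weak"
    echo "hardened config:"; audit_sshd_config "$d/hardened"
    rm -rf "$d"
}
demo
```

The hardened file in the demo is the fragment worth shipping to hosting nodes; run the audit against `/etc/ssh/sshd_config` from a configuration check before restarting sshd, and review any `Match` blocks by hand since the script deliberately stops at them.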
Installation Of Common Services
Configuration errors cause a huge number of security vulnerabilities. There are tens of thousands of insecure databases on the web because of configuration errors made when installing MongoDB. It’s insecure by default for testing purposes, and everyone who understands MongoDB knows this. Unfortunately, understanding software isn’t a prerequisite for installing it.
That problem could easily be avoided if hosting companies installed potentially dangerous services like databases and web servers for their clients.
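A check a hosting provider can run across its fleet to catch exactly the MongoDB mistake described above, as an added example that is not from the original article: a shell filter over `ss -ltn` output that flags database listeners bound to every interface. The port-to-service mapping and the sample listener table are constructed for the example; the fix it points at for MongoDB, setting `net.bindIp` to a loopback address and `security.authorization` to `enabled` in mongod.conf, uses real configuration keys.

```shell
#!/bin/sh
# Added example (not from the original article). Reads `ss -ltn` output from a
# file argument or stdin and prints "EXPOSED port service address" for each
# known database port whose local address is a wildcard. The port list is an
# assumption used for labelling; the sample table below is constructed.

exposed_db_listeners() {
    awk '
        BEGIN {
            name[27017] = "mongodb";    name[6379]  = "redis"
            name[3306]  = "mysql";      name[5432]  = "postgresql"
            name[9200]  = "elasticsearch"; name[11211] = "memcached"
        }
        $1 == "State" { next }                      # header line from ss -ltn
        {
            # Local Address:Port is the 4th column; the port follows the last colon,
            # which also handles IPv6 forms such as [::]:27017.
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port in name && (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::"))
                printf "EXPOSED %s %s %s\n", port, name[port], host
        }
    ' "$@"
}

# Constructed `ss -ltn` output: MySQL correctly on loopback, MongoDB and Redis
# reachable from anywhere, and a web server that is expected to be public.
sample_listeners() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:3306     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:27017      0.0.0.0:*
LISTEN 0      511    *:80               *:*
LISTEN 0      4096   [::]:6379          [::]:*
EOF
}

# Stand-alone demonstration on the constructed sample.
sample_listeners | exposed_db_listeners
# On a real node, run:  ss -ltn | exposed_db_listeners
# Remedy for a MongoDB hit: in mongod.conf set
#   net:
#     bindIp: 127.0.0.1
#   security:
#     authorization: enabled
# then restart mongod and re-run the check.
```

An empty result is the goal state; a hit on a shared hosting node usually means a client (or a provisioning script) installed a database with its vendor defaults, which is precisely the case for the provider to take over the installation.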
Finally, help clients out by offering them a pre-configured firewall with sensible defaults. I know this can create support problems, but an installation of CSF (ConfigServer Security & Firewall) can repel many types of attacks, reducing the potential support burden. For extra points, consider offering a Web Application Firewall that will protect users from attacks on their content management system or eCommerce store.
Many hosting providers take a “client beware” approach to security, but on today’s web, is that really a viable approach? Going the extra mile to keep clients safe can reduce support costs and provide a great marketing advantage over less scrupulous competitors.