Business web hosting security details

Security is often not given the attention it deserves; however, we believe it should be a very high priority. The last thing you or your business needs is for your website or email to become compromised, resulting in downtime or unauthorised changes.

Inbound and Outbound Firewalls

Firstly, all traffic is filtered externally to the machine providing the service. It may be common practice for other hosting providers to filter traffic at the end destination; however, this allows the possibility of firewall settings being modified should the machine become compromised. This is not the case at ayuda hosting. Our firewall rules are enforced independently of the machine providing the service, thus preventing the firewall from being modified from an internally compromised machine.

While most firewalls filter incoming connections only, we filter both incoming and outgoing connections. Experience has shown that filtering outbound connections is just as important as filtering inbound connections. All outbound connections to hosts are denied except for those to trusted hosts.

Role Based Access Control (RBAC)

Put simply, Role Based Access Control (RBAC) defines "who can do what and how". More technically, RBAC is used to control what files, sockets and resources a program has access to and what sort of access (e.g. read, write, execute, create, delete, etc.) is allowed. All our machines enforce tightly controlled RBAC policies to ensure all applications only access what they need to.

Least Privilege Memory Protection

In lay terms, least privilege memory protection enforces rules on the different memory regions of a program. By default, all memory can be modified and executed by a program. This can result in vulnerable applications having foreign executable code injected into them, causing undesirable, or destructive, behaviour. By making memory regions containing executable code read-only (that is, they cannot be modified) and making modifiable memory regions non-executable, the risk of applications being exploited in this manner is reduced.
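The rule described above (no memory region both modifiable and executable) can be audited on a running process. The following is an added example, not ayuda hosting's own code; it assumes a Linux host exposing the `/proc/<pid>/maps` format, and the sample mappings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in Linux /proc/<pid>/maps format, not from a real host. */
static const char SAMPLE_MAPS[] =
    "00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/example\n"
    "00651000-00652000 r--p 00051000 08:02 173521 /usr/bin/example\n"
    "00652000-00655000 rw-p 00052000 08:02 173521 /usr/bin/example\n"
    "7f2c10000000-7f2c10021000 rwxp 00000000 00:00 0 \n"
    "7ffd3a1e0000-7ffd3a201000 rw-p 00000000 00:00 0 [stack]\n";

/* Return the number of mappings whose permissions include both 'w' and 'x'. */
int count_wx_regions(const char *maps, int verbose)
{
    int violations = 0;
    while (*maps) {
        const char *nl = strchr(maps, '\n');
        size_t len = nl ? (size_t)(nl - maps) : strlen(maps);
        char line[512], perms[5] = "";
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;

        memcpy(line, maps, n);
        line[n] = '\0';
        /* Field 1 is the address range, field 2 the permissions (e.g. "r-xp"). */
        if (sscanf(line, "%*s %4s", perms) == 1 &&
            perms[1] == 'w' && perms[2] == 'x') {
            violations++;
            if (verbose)
                printf("writable+executable: %s\n", line);
        }
        maps += len + (nl ? 1 : 0);
    }
    return violations;
}

int main(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");  /* Linux only; empty elsewhere */
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("sample: %d W+X region(s)\n", count_wx_regions(SAMPLE_MAPS, 1));
    printf("self:   %d W+X region(s)\n", count_wx_regions(buf, 1));
    return 0;
}
```

A count of zero for a process means every mapping is either modifiable or executable, never both.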

Stack Smashing Protection (SSP)

Designed to complement the use of least privilege memory protection, stack smashing protection helps protect against buffer overflows in software. Stack buffer overflows occur when more data is copied into the buffer than there is space allocated. Once again, it can result in the injection of foreign executable code that modifies the intended behaviour of a program.

suEXEC

Whilst it is common, or easier, to set up your system to execute web applications as the Apache user (e.g. using mod_php to execute PHP code), this has the disadvantage, and risk, of different websites using the same user id (i.e. the Apache user id). Our hosting platform utilises suEXEC, which results in all web applications being executed by the user assigned to the hosting account. Each hosting account has its own user id so that no two hosting accounts share the same user.