I have a question from a security point of view; it might sound silly, but I'm very interested to know. If someone uploads his code to shared hosting (assuming some general US-based web hosting companies where it costs about $5 to $10 a month), is it secure there? Could the other users hosted on the same servers somehow access the code? (And of course the hosting administrators can access it?) In that case, is it really safe to host with shared hosting companies?
This depends on how the individual web hosting company has set up their systems.
You need to trust the company you are hosting with, but any half-decent hosting company should have it locked down so customers can't access each other's code. There is always a risk that someone with access to the same server could find it easier to access your data, but again this shouldn't be a massive issue with a trusted, well-known provider.
The best bet is to read company reviews and see what existing customers think about them.
If the company has properly configured the server, no -- other users on the same server will not be able to see your code. However, the administrator will be able to, and may state this in the contract agreement.
Review the contract when purchasing shared hosting to see what rights the administrator claims. Usually, they'll only access your data when there is a problem, such as any indication you are running a script that violates your contract agreement.
Additionally, regardless of the contract agreement, an administrator will likely be required to provide access to law enforcement if they have a warrant, based on the laws local to the country where you are hosting. They may or may not be allowed to notify you, again, based on local laws.
If you're concerned about intellectual property, just make sure you're using a reputable company for hosting. Chances are, stealing your code isn't worth the risk.
Well, the hosting administrator obviously has access to your code, but of course they should have some policy that prevents usage of your data.
Other users could not, "generally speaking", see your code, but this strongly depends on server configuration. For example, if some other webmaster hosts a web application on the same server and it is exploited, it is possible that your application is also affected.
Moreover, it could be easier for another user on the same server to access your data than it would be via a "normal" attack on a private server.
By the way, you would need to be a good sysadmin to protect a server better than the pros who do this all day long, so it basically depends on your system administration knowledge.
Since you posted this question, you're probably not that good at this kind of stuff, so you may consider shared hosting acceptably secure. (Of course, it also depends on what you want to host.)
More professional shared hosting providers use a mod_suphp/suexec setup. That provides a pretty reliable demarcation between users. And going from there you can often work reliably without conflicts from other users.
Of course you still have to live with the performance impacts of a shared server. And an exploit in the system libraries can still be taken advantage of from any of the other accounts.
There is no fully secure web hosting, even with a dedicated server. But in most cases, dedicated servers are much more secure than shared hosting. With a dedicated server you own a physical server, while with shared hosting you share a server with others and there are many factors you cannot control, such as neighbors.
Let's come back to shared hosting security. Though there is no fully secure shared hosting, you can find a more secure one. The security largely depends on what your web host does about security, though you can leverage it too. If your web host has a poor security configuration, it is more likely that hackers and even neighbors can access your account and data.
What you need to do is go for shared hosting with a higher security configuration, like an advanced firewall, if you can only afford shared hosting. Here you can check out http://tutorials.hostucan.net/what-to-consider-when-pick-up-a-secure-hosting to see how to select secure hosting.
If they use CloudLinux instead of CentOS, CSF production tools, SSL, and other security plugins and configurations, the shared hosting is secured.
If you purchase a dedicated server or VPS you have to purchase all the licences and security plugins for the same configuration; it's very expensive.
My recommendation: whether it's a shared or dedicated server, use CloudLinux, install paid CSF plugins, and add human verification (robots) to your site to make it secure; avoid free plugins and themes on your site.
Shared hosting means a single server is shared between multiple users. So, when it comes to security it depends on the hosting provider, as there are some techniques through which they isolate the environment of each individual user. But still, all users have the same server IP, which somehow puts them in danger of a security breach.
I always prefer a dedicated or separate setup for my websites and I used Cloudways. I have a dedicated server IP and my server resources aren't shared between multiple users. I'm feeling pretty secure with CW.
My office network provides internet access to my employees when they connect to it through the office's router. I want to make a web application which only computers connected to the internet through my office router can access, so that my employees have to be in my office area before they can log in to the PHP web application.
If they are connected to the internet, but not through my office network, they should not be able to log in to the application. (I know I could have deployed the PHP app on a local server set up in my office, but I want the app to be on a remote server on the internet for my personal reasons.)
What hardware do I need to set up my office network, and how do I make PHP detect the ID of the hardware of my network so PHP can determine that a request is coming from my network?
Some options to recognise your private office from a public website:
IP address
This will only work if you know what IP address is in use at any given time by your allowed clients. In case you use a NAT gateway, this has to be the outside address.
It becomes pretty easy to do this if you have static IP addresses for all your allowed clients; if they change, it quickly becomes a nightmare to keep them right at all times.
Security: since HTTP is based on TCP it's not trivial for others to get to use your IP address through spoofing, but it's by far not foolproof either. Consider it a poor man's solution at the very best.
Caveat: if any of your staff can get to their machine remotely, they can access it remotely (so e.g. a time registration system is going to get circumvented by this quickly).
VPN
VPN stands for Virtual Private Network.
This is the go-to solution from a security perspective. Essentially you build up tunnels between either individual clients or networks as a whole and the VPN server.
On the central end of those tunnel(s), your webserver answers to web requests (but not to the internet at large).
There is a whole range of VPN products out there. There are equally relatively easy-to-build solutions using free software (e.g. OpenVPN).
Things like how the client (network or computers) will authenticate to the server, what traffic is attracted to the VPN, and much more are all parameters you can set.
Security: it depends a bit on the choices made, but unless unproven or outdated solutions are picked, this can be done "top notch". It is however in skill level probably just above your typical IT shop around the corner (but you might be in luck).
Same remark as above: staff who can gain access to it might be tunnelling into their machine at work, or might use the credentials and settings of an office machine at home as well.
DNS
Reverse mapping of IP to names is far too easy to spoof; don't try this.
Login/Password
This is a relatively easy solution: allow access from anywhere, but give authorised users a login and password and let them have access after being logged in properly.
Security: It's non-trivial to get this fully secure, there's plenty of opportunity to make errors in how the application works so that it becomes a problem.
But if you have to have a zero footprint on the clients, this is your best option.
Add in 2 factor authentication to increase the password security and make passing on passwords a bit more difficult.
TL;DR
I'd set up an OpenVPN-based VPN; they are relatively easy to set up, the clients exist for most OSes (take care, not all: e.g. iOS: I don't know of one) and it'll give you more than average protection without you having to delve deeply into the details of encryption protocols and the like.
Still there's a learning curve, but there's plenty of tutorials out there that don't assume much prior knowledge either.
For your clients you setup a certificate-based authentication system using EasyRSA (included with OpenVPN). It's a bit of a habit you need to create, but once setup properly, adding and removing users becomes relatively painless.
On your server all you need to do is make sure the http server only binds to the IP address of the tunnel interface.
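The "IP address" option above, as an added example that is not part of the original answer: a PHP gate that compares the TCP peer address against an allowlist of CIDR ranges. The office gateway address (a TEST-NET-3 documentation address) and the tunnel subnet are placeholder values; the `isFromOffice()`/`ipInCidr()` helpers are this example's own, and it assumes a 64-bit PHP build. It reads only `REMOTE_ADDR`, because `X-Forwarded-For` and similar headers are client-supplied unless a reverse proxy you control sets them.

```php
<?php
// Added example (not from the original answer): restrict a PHP app to requests
// that arrive from the office's public (NAT) address or from the VPN tunnel.
declare(strict_types=1);

/** Allowed source ranges. Placeholder values; replace with your real office address. */
const OFFICE_ALLOWLIST = [
    '203.0.113.10/32',   // office NAT gateway (TEST-NET-3 documentation address)
    '10.8.0.0/24',       // OpenVPN tunnel subnet, if the app sits behind the VPN
];

/** Return true if $ip (IPv4 dotted quad) falls inside $cidr, e.g. "10.8.0.0/24". */
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false || !ctype_digit((string) $bits)) {
        return false;                       // malformed address or prefix
    }
    $bits = (int) $bits;
    if ($bits > 32) {
        return false;
    }
    // -1 << n keeps the top (32 - n) bits of the low 32 bits set; on a 64-bit
    // build ip2long() returns a non-negative int, so the high bits mask to 0.
    $mask = -1 << (32 - $bits);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** True if the client address is in any allowed range. */
function isFromOffice(string $clientIp, array $allowlist = OFFICE_ALLOWLIST): bool
{
    foreach ($allowlist as $cidr) {
        if (ipInCidr($clientIp, $cidr)) {
            return true;
        }
    }
    return false;
}

// Use the TCP peer address only. X-Forwarded-For and friends are attacker-controlled
// unless a reverse proxy you run overwrites them, so keying the allowlist on them
// is trivially bypassed.
$clientIp = $_SERVER['REMOTE_ADDR'] ?? '';

if (!isFromOffice($clientIp)) {
    http_response_code(403);
    exit('Access is limited to the office network.');
}
// ... continue with the normal login flow from here.
```

With the VPN variant, this check is a second layer: the answer's advice to bind the HTTP server only to the tunnel interface address is what keeps the app off the public internet in the first place, and the allowlist then rejects anything that reaches PHP from outside the tunnel subnet.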
Didn't really know what title to give this question, so I hope it's acceptable.
I am using a system which has an API. I don't have a lot of control over this system, but one thing I need for security reasons is for it to be locked down to my IP. This works, so now the system can only be accessed from my IP.
Now, I have built a custom app which uses the above API. This app is hosted on a server which is different from my IP address. Therefore, when I try to make the API call it fails due to it being restricted. I know this is the case, because if I run the app locally from my location, it works without any problems.
So, the question is: what's the best thing to do? I know I could add the IP address of the server which is hosting my app to the system's API. However, I think the server's IP is dynamic, which could cause problems. I have also used things like no-ip locally to control my dynamic IP, but I can't imagine I can install this on my web server.
Looking for thoughts as to how I can overcome this problem.
Thanks
I don't know if I can ask this here, but well.
I have created my software; it's developed in PHP 5.4, Laravel 4, XAMPP v3.2.1, and I run the software locally (localhost/public/something).
So my question is:
If I want to sell my software, how can I install it on the PC of a user?
I don't know about servers, but I think it's better to have the data on a free server, isn't it? Any recommended tutorial?
I don't want to install the XAMPP server for the client and all the developer stuff; just install the software and have it easy for the user.
Any help will be appreciated.
You can't sell PHP software with the expectation that a user installs it. This is functionally possible but involves so much setup that you'd never guarantee a user would be able to use it on even a small range of systems. They'd have to set up a web server, database server, all the various connections etc., or you'd have to write an installer which did all that for them.
You're also disclosing your entire code base to any user who buys your software, which means there are no mechanisms you could use to prevent both your software and code being shared freely - which is nice if you're writing open source, but not if you plan to make much money.
The best way to sell software in the form of a website is to provide a restricted user mechanism such that you can enable or disable a users' access via a website, and control this access based on a subscription or one time sale to the customer.
You're speaking of XAMPP, so it seems you have created a website/application. Hence you should not have to "install it on the PC of a user". A website is made to be available from any machine with a browser.
XAMPP is a local server on your computer. What you need is a server to make it available to people other than you.
You have a wide variety of possibilities to host your code and make it available:
Shared hosting
IaaS/PaaS hosting (http://www.tomsitpro.com/articles/paas-providers,1-1517.html)
You'll also need a domain name to make it reachable (ex: stackoverflow.com)
I have written apps that run on both iPhone and Android. They make calls (HTTP POST requests) to a PHP script on my Ubuntu server that retrieves queries from MySQL server there, etc.
Basically I want to encrypt these messages going back and forth. I have the additional constraint that I am on shared hosting and so do not have root (or sudoer) access on my server.
What is the best way to implement this? I don't want something where I have to pay verisign for a cert (I know very little about security). I am thinking it will somehow involve a public/private key scheme, but I am not sure what is the best method for this.
Any thoughts? Thanks.
If you are on a shared hosting server, it is likely a bit of a challenge (and, depending on the provider's setup, impossible) to secure your keys from other users. Plus, reinventing the encryption wheel is generally a bad idea. So I wouldn't go that route, especially if you aren't knowledgeable about security.
The easiest solution is to use SSL. If you really don't want to get a cert from Verisign (or Comodo or whomever), use your provider's default SSL cert. If they have things set up so that your SSL server will use a cert for https://www.YourHostingProvider.com/, then you should be able to make that work, perhaps with a bit of homework. (MediaTemple is set up that way, where you get their cert if you don't have your own. Not sure about other hosting providers.)
Do try to educate yourself about the elevated risks involved in doing this on the cheap. For example, depending on the setup, it's possible that anyone else on the shared hosting service could impersonate your site if they are sufficiently skilled and determined, since they may have access to the same SSL private key you're using.
If you're securing game high scores or something, that will probably be OK. If you're securing credit card numbers or people's personal health information, this is definitely not the way to go. You don't want to store that kind of information on a shared hosting service, and you definitely don't want to be so resource starved that you're reluctant to buy an SSL cert.
I know that on regular shared hosting, storing PHP sessions in the default location (/tmp) may present security issues. A VPS does not have this issue. Therefore, I assume VPS cloud hosting does not. But what about regular cloud hosting? Is that just shared hosting over multiple computers, meaning that PHP sessions would still be vulnerable to the prying eyes of other webhosting clients on that cloud? Or is there something different about (non-VPS) cloud hosting that protects from PHP session storage location vulnerabilities?
Shared hosting simply means that your web hosting provider places multiple web sites on a single server.
Cloud hosting uses the same concept and is in reality just another type of shared hosting, but with greater upwards and downwards scalability.
One issue with shared hosting is that within the context of a single server, there is a fixed amount of physical space. Although the hosting provider will provision their servers in such a way that you don’t run into capacity problems, the issue still remains. Cloud hosting removes that possibility by replacing the concept of the individual physical server, with that of a virtualized and highly scalable infrastructure.
But security is still a concern in cloud hosting. The only difference is that your files are stored on multiple servers. And you do not know or trust where the files are stored.
So for better session handling and security I will advise you to use a database to store and manage sessions, for the following reasons:
Only you have access to the session data. In shared hosting this can help you a lot.
Each server will have its own directory where these session files are maintained, so if you are employing load balancing across multiple servers there is no guarantee that a request for an existing session will be given to the server which is maintaining the state for that session.
It would be difficult for a site administrator to perform such queries as "how many sessions are currently active?" or "which users are currently logged in?". But if you are storing them in the database then you can track this.
The application needs to be able to run on multiple servers without server affinity.
Here is a great article about storing sessions in database by Chris Shiflett.
Hope it helps.
I could be wrong, but most "cloud hosting" services, as in not a "VPS" service, are just shared hosting on a cloud server that the host scales up as needed.
The only time I find storing sessions in, say for example, "/tmp" secure is when I'm the only person using the server.