is there security on shared hosting?

Post by jmut »

Hi,
I have to write a paper on PHP security as a whole, and am just interested in how stuff works on shared hosting, as I want to write on this topic as well.
I have always used dedicated servers where I have full control and am the only one on the PC.

I am interested in what the best practices are to set up a shared hosting environment - stuff like hardened PHP, suexec, open_basedir, just a couple of keywords that I actually cannot put together.

Are there interesting readings on this topic you could point me to... or maybe share some of your own experience.

As far as I know there is no ultimate security/isolation between users on a shared hosting environment.
Thanks.

Post by Ollie Saunders »

> Are there interesting readings on this topic you could point me to... or maybe share some of your own experience.

There is a chapter on this in Essential PHP Security by Chris Shiflett and also Apache Security by Ivan Ristic, both of which are excellent books. The general principles are:
  • Sharing of resources means one user can run things that slow down other users (DoS attacks)
  • You share the same file system (think databases, sessions and PHP sources)
  • Many users depend on the same environment, meaning it is harder to update without upsetting people; fewer updates == more vulnerabilities
The second point there is the major one; the other two are just footnotes really.

> As far as I know there is no ultimate security/isolation between users on a shared hosting environment.

Nope, there is. Server Virtualization.

> or maybe share some own experience.

Shared servers = don't go there. Virtual Private servers, very nice :)
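
The shared-file-system point and the open_basedir and suexec keywords from the thread can be checked from inside a single hosting account. The following is an added example, not code from either poster; the function name `audit_shared_hosting` and its `$docRoot` parameter are hypothetical, and it assumes a Unix host.

```php
<?php
// Added example (not from the thread): read-only self-audit for one account.
// $docRoot is a hypothetical parameter: the account's own web root.
function audit_shared_hosting(string $docRoot): array
{
    $findings = [];

    // open_basedir restricts which paths PHP's file functions may open.
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is unset: PHP file functions are not confined to this account';
    }

    // session.save_path may be "N;/path" or "N;MODE;/path"; keep the path part.
    $parts = explode(';', (string) session_save_path());
    $sessionDir = end($parts) ?: sys_get_temp_dir();
    $perms = @fileperms($sessionDir);
    if ($perms !== false && ($perms & 0007) !== 0) {
        $findings[] = "session directory $sessionDir grants access to other users";
    }

    // With suEXEC-style setups PHP runs as the account owner, not a shared user.
    if (function_exists('posix_geteuid') && posix_geteuid() !== fileowner($docRoot)) {
        $findings[] = 'PHP does not run as the owner of the web root (shared web server user)';
    }

    // World-readable sources can expose database credentials to neighbours.
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile() && ($file->getPerms() & 0004) !== 0) {
            $findings[] = 'world-readable: ' . $file->getPathname();
        }
    }
    return $findings;
}

// Print one finding per line for the directory this script lives in.
foreach (audit_shared_hosting(__DIR__) as $finding) {
    echo $finding, PHP_EOL;
}
```

The result reflects the SAPI the script runs under, so run it through the web server (behind authentication) to see what web requests see; the CLI usually runs as your shell user with a different php.ini.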