Question about ISP provided personal Webpage/space security

CityK

Storage Freak Apprentice
Joined
Sep 2, 2002
Messages
1,719
If your ISP provides servers to host customers' personal webpages/spaces, who handles website security - is it all up to the security features in place on the ISP's network or does the customer have to take security features into consideration while constructing their personal page?

Basic question, but I have no clue about webpage development etc.

CK
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN

AFAIK, it is not the programming (coding) of the webpage that is the problem. It is how the server handles either bad requests or bad input (in forms).

Even when using Perl or CGI, a sober admin will not give you rights to modify anything system-wide on purpose. These things usually happen when the server, which generally has to run with elevated rights, elevates the rights of the requests above that which the admin intended.
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
I'd say it's up to both parties. You obviously don't want to give users the ability to make drastic changes to the server or at least your portion of the server through the use of ASP, CGI, etc.

And the server admin shouldn't be giving you any more access than is necessary. System-wide configuration on the web and FTP servers is entirely up to the admins; however, there is usually a bit more locking down that you can do on your end in the case of Apache.
 

Will Rickards WT

Learning Storage Performance
Joined
Jun 19, 2002
Messages
433
Location
Pennsylvania, USA
Website
www.willrickards.net
I'm not sure what you mean by security.

An ISP or even a web host provides you with a directory in which to put all your stuff. The ISP configures their webserver how they want to. So they handle that type of general webserver/machine security.

But if you want to restrict access to a section of your website or even your whole site, that is generally up to you. It works with your webserver but in most cases you provide some sort of configuration file.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
Yeah CityK, did you mean password protecting certain webpages or sites you have designed, or did you mean application of security patches and other admin?
 

CityK

Storage Freak Apprentice
Joined
Sep 2, 2002
Messages
1,719
I guess I kind of meant a bit of both.

For example, here's a page from the ISP that invites users to showcase their webpages that they created on the provided space.

Choosing the top one (the message therapy one) and plugging its address into Netcraft shows that the server is running Apache on Compaq.

What I'm curious about is

1) how easy would it be for some outsider to come along and completely deface the website... I'm assuming that aspect mainly relies upon the ISP admin to keep Apache etc. completely patched and up-to-date.

2) similarly, say you don't utilize the webspace for a website, but instead use it for a holding ground so that you could store some files online. What exactly is keeping that space secure and preventing someone access to it and preventing them from deleting/altering said files etc.?

Like I said, I'm clueless to the website stuff.

CK
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
In order to deface a site...

If the hoster only offers FTP access (no shell accounts) and there is no ASP, CGI, etc. way to upload or modify pages, then it's only a matter of hacking the FTP server or guessing (brute forcing) the user/pass on FTP.

Of course, the admin of the FTP server should have an automatic lockout after so many failed login attempts so that brute forcing would not be an issue.

A lot of sites will have some web interface to update the site using CGI or some other language. The owner of the site as well as the admin should make sure any CGI uploading/managing utils are properly secured so that no unauthorized access can even get close to accessing these pages.


If you are hosting files on your site and want some of them secured, usually you'd put them in a passworded area of the site and prevent access to downloading of the files via permissions.

There's a couple of ways to implement passwords. One is via file system permissions and allowing users to log in using their own account. This may not be an option for you with your host, as a lot of hosters only offer 1 user and that is the administrator of your site, you. Another would be using .htaccess in Apache. I think something similar may exist for IIS. It's basically an ASCII text file that has information about users and permissions in the current folder and subfolders. Needless to say, you don't want people viewing your plain text file containing critical information, so typically access to view .htaccess and /htpass files (or all .xxx hidden files) has been blocked as a global rule in Apache. You could additionally set the file permissions so that only the server and you can read/write the file and not other users.
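
The .htaccess approach described in the post above, as an added example that is not part of the original thread. It assumes Apache 2.4 syntax; the directory, the realm name, the user name `alice` and the path `/home/example/.htpasswd` are placeholders.

```apache
# --- .htaccess, placed by the site owner in the directory to protect ---
# (placeholder location: public_html/private/)
# Takes effect only if the host's server config permits it for this
# directory (AllowOverride AuthConfig).
AuthType Basic
AuthName "Private files"

# Placeholder path. Keep the password file outside the web-served tree so
# it cannot be fetched by URL even if the global rule below is missing.
# Create it with:  htpasswd -c -B /home/example/.htpasswd alice
AuthUserFile /home/example/.htpasswd

# Any user listed in the password file may access this directory.
Require valid-user

# --- Server-wide rule, set by the admin in the main Apache config ---
# Refuses to serve any file whose name begins with ".ht", which covers
# .htaccess and .htpasswd in every customer directory.
<Files ".ht*">
    Require all denied
</Files>
```

Basic authentication sends the user name and password merely base64-encoded on every request, so this only protects the files in transit when the directory is served over HTTPS.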
 