Why not just get your own server.
-----Original Message-----
From: Russ Michaels [mailto:r...@michaels.me.uk]
Sent: Tuesday, February 12, 2013 5:54 AM
To: cf-talk
Subject: Re: New Round of Exploits going on

Byron,

That is partly true, if you make certain assumptions, but things are not quite that simple, considering the following.

Let's say you get your own server to host your own site. And that is it: you do not do any kind of lockdown, do not keep your patches and hotfixes up to date, do no monitoring whatsoever. Then yes, in such a scenario the shared server will be safer in general, because your server as a whole is not secure, so a vulnerability on the server is more likely. So getting a server with no idea what you're doing and no management or support would be pretty dumb. If you do not have the skills to manage it yourself and make sure it is secure, then you should be paying your host or someone else to do this for you.

However, if you are running a server with *ONLY* your own site on it, your chances of being attacked in the first place are much less than on a shared server. Consider that a shared server is going to have *AT LEAST* 200 other sites on it, probably more, and attackers generally target a list of domains/websites rather than the server itself when looking for vulnerabilities, so that is a 20,000% increase in your chances of being hacked due to the other websites already on the server.

Let's also consider that your own site is written in CF, and so CF is the only thing you would have installed on your own server. So you only have one "application layer" attack vector. But on a shared server you're also going to have ASP, .NET, Perl, PHP, Ruby and probably more, so that has just increased the possible attack vectors by at least another 500%.

On Tue, Feb 12, 2013 at 6:37 AM, Byron Mann <byronos...@gmail.com> wrote:
>
> (apologies for the length)
>
> Russ,
>
> I can tell by your comments that you either have dealt with a lot of
> hosts or have worked for or owned one. Well said.
>
> Having worked in the hosting space for more than 10 years now, I can
> safely say there is absolutely no 100% way to prevent these exploits
> on any platform.
>
> That is not to say there are not more secure options than shared
> hosting, but even at that you may need an above-average skill set. I
> can make an argument that shared CF hosting is probably more secure
> for half the people using ColdFusion out there.
>
> How and why?
>
> Well, most probably have no one actively monitoring their servers. Not
> only do we have ourselves and tools looking at the servers, but our
> customers, who make us instantly aware of an issue.
>
> Even a subpar host probably has a better lockdown on CF than many
> CF users whose servers are not host-managed.
>
> How many can say they don't have rootkits (or even know what that is)
> running on their server? Probably a lot on this list, but the average
> VPS, cloud or dedicated user out there, ummm, probably not.
>
> Example: there was a recent issue we had with hidden elements being
> injected into files on a shared server. This was actually a customer
> running WordPress. How many out there would have found that, and how
> quickly, say on a dedicated server with a site that only gets updated
> once a month?
>
> The best you can do is be vigilant, do your patching and homework, and
> when the next compromise comes, take it on the cheek, mitigate, and
> take what you learned and try to improve for the next go around.
>
> And if you are a hosting customer, it's up to you to be aware and
> educated on what a host should and shouldn't be doing (aka this list),
> and then decide if it's time to move on or acceptable to you.
>
> Of course I'm speaking in general terms, as this is the case with not
> only CF but all platforms. How many times a week do we hear about a
> Drupal or WordPress issue? Just about as often as CF, if not more.
>
> Quick fact: we have more dedicated, VPS and cloud (VM) revenue affected
> by compromises than shared customers.
>
> But let's not all forget the real problem here. It's not the fault of
> CF users, the host or Adobe. It's the dirtbags out there who make
> escalations happen that result in the 3 am phone calls.
>
> Byron Mann
> Lead Engineer & Architect
> HostMySite.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354530
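As an added example (not code from the thread, from Russ, or from HostMySite), this is the kind of check Byron's "hidden elements being injected into files" story calls for on a server nobody is watching: a baseline of file hashes taken at deploy time, compared against the live tree on every run, plus a few heuristics for visually hidden markup and obfuscated PHP loaders so the nature of a change is obvious at a glance. The site contents, the compromise, the example.invalid hostname, the pattern names and the helper names (build_baseline, scan, find_hidden_injections) are all assumptions constructed for the example; a real deployment would walk the web root on disk and keep the baseline somewhere the web server's user cannot write.

```python
"""Added example, not from the cf-talk thread: a minimal file-integrity and
injected-content check for a web root. All site contents below are constructed."""
import hashlib
import re

# Heuristics for content that is rendered invisible on purpose, the shape the
# "hidden elements injected into files" report describes. These are assumptions
# about what common injections look like, not a complete or authoritative list.
HIDDEN_PATTERNS = {
    "zero-size iframe": re.compile(
        r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I),
    "hidden container with iframe/script": re.compile(
        r"<(?:div|span)\b[^>]*style\s*=\s*[\"'][^\"']*"
        r"(?:display\s*:\s*none|visibility\s*:\s*hidden)[^\"']*[\"']"
        r"[^>]*>\s*<(?:iframe|script)\b", re.I),
    "off-screen positioned element": re.compile(
        r"style\s*=\s*[\"'][^\"']*position\s*:\s*absolute[^\"']*"
        r"(?:left|top)\s*:\s*-\d{3,}", re.I),
    "obfuscated PHP eval": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}

# Constructed snapshot of a small site at deploy time (the known-good state).
CLEAN_SITE = {
    "index.cfm": "<cfoutput><h1>Welcome</h1></cfoutput>\n",
    "wp-content/themes/site/footer.php":
        "<footer>&copy; 2013 Example Co.</footer>\n</body></html>\n",
    "wp-includes/functions.php":
        "<?php\nfunction site_version() { return '1.0'; }\n",
}

# The same tree after a constructed compromise: a hidden iframe appended to the
# theme footer, an obfuscated loader prepended to a core PHP file, and a new
# file dropped into the uploads directory.
INFECTED_SITE = dict(CLEAN_SITE)
INFECTED_SITE["wp-content/themes/site/footer.php"] += (
    '<div style="display:none"><iframe src="http://example.invalid/in.php"'
    ' width="0" height="0"></iframe></div>\n')
INFECTED_SITE["wp-includes/functions.php"] = (
    '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n'
    + CLEAN_SITE["wp-includes/functions.php"])
INFECTED_SITE["wp-content/uploads/.cache.php"] = "<?php /* constructed dropped file */ ?>\n"


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record a content hash for every file at a known-good point (deploy time)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def find_hidden_injections(content: str) -> list:
    """Return the names of every hidden-content heuristic that matches."""
    return [name for name, rx in HIDDEN_PATTERNS.items() if rx.search(content)]


def scan(baseline: dict, current: dict) -> dict:
    """Compare the live tree against the baseline and flag suspicious content.

    A hash mismatch on a file that should not change is the primary signal; the
    heuristic hits only explain what kind of change it probably was.
    """
    report = {"modified": [], "added": [], "removed": [], "suspicious": {}}
    for path, content in current.items():
        if path not in baseline:
            report["added"].append(path)
        elif sha256_hex(content) != baseline[path]:
            report["modified"].append(path)
        hits = find_hidden_injections(content)
        if hits:
            report["suspicious"][path] = hits
    report["removed"] = sorted(set(baseline) - set(current))
    report["modified"].sort()
    report["added"].sort()
    return report


def demo() -> dict:
    """Run the check over the constructed compromise and return the report."""
    return scan(build_baseline(CLEAN_SITE), INFECTED_SITE)


if __name__ == "__main__":
    rep = demo()
    for key in ("modified", "added", "removed"):
        for path in rep[key]:
            print(f"{key:8s} {path}")
    for path, hits in rep["suspicious"].items():
        print(f"SUSPECT  {path}: {', '.join(hits)}")
```

Run it from cron and alert on any non-empty modified, added or removed list, not only on heuristic hits: the heuristics catch the common hidden-iframe and eval(base64_decode()) shapes but an attacker can trivially vary them, whereas a hash mismatch on a file that is only supposed to change at deploy time is unambiguous. Keep the baseline outside the document root and owned by a user other than the one the web server and ColdFusion run as, otherwise the same write that injects the content can rewrite the baseline.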