On Fri, Jun 07, 2002 at 08:31:20AM -0400, Lists wrote:
> I've been researching web defacement trends lately and realized that most (higher
>percentage) defacements appear to be performed on servers in a hosted facility (such
>as Interland, Iquest, OLM, Digex etc) furthermore as most of the sites appear to be
>related to small business I assume they are on shared hosted boxes.
> Is there anyone on the list in the ISP/Hosting provider world that can answer who is
>responsible for security in this configuration?
In every case i've seen, this can be divided into 2 categories:
shared/dedicated (ISP Owned)
----------------------------
ISP/Hoster is responsible for security, and clients generally don't have
root, unless they're in some kind of virtual-machine architecture. End
users usually get a VirtualHost and a home directory containing cgi-bin
and htdocs directories. This is always messy, security-wise, in my
experience, especially when EUs are given shells, and not just FTP/HTTP
access. Keeping up on all the patches on a shared environment is a big
job, so locally exploitable holes available to shell users can abound.
In a perfect world, all shell servers would either have heavy kernel
patching done to minimize these risks, or the staff to stay on top of
these issues, but alas, this is not the case.
in cases where the ISP owns the box, but gives the customer root anyway,
many companies will make the customer responsible for security and
forego support contracts, as root access gives the EU the ability to do
something really silly.
Colocation (customer owned)
---------------------------
EU is almost always responsible for every facet of systems
administration and implementation. Any help on the part of the ISP or
hosting provider is either billed as professional services fees for an
hourly rate, or a support contract may be drawn up for x hours/month of
support. Unfortunately, many EUs who could make out just fine on a
dedicated machine with a shell and a home directory want root on their
machines just for the sake of having it, leaving their colocated machine
wide open, unpatched and unprotected, with the EU unaware that there are
patches to apply and holes to close.
> I realize that some hosting providers offer additional managed security services,
>but for those that don't and offer shared (multiple sites on 1 box) hosting do they
>just secure the box and let their clients control their environment? Therefore
>leaving their customer in charge of their own security for their site?
In shared environments, EUs are usually left to their own devices
regarding CGI and web security, or any facet of their own particular
environment, but ISPs will generally call reported or noticed security
problems in code or implementation to the EU's attention. Other pieces
of system security such as system directory permissions, privileged
daemons, etc. are under control of the hosting provider.
> If indeed this is a bit of a gray area, is there any documented legal proceedings
>that have held the ISP liable for the lack of security on a hosted site?
I don't know of any "legal" documentation other than the hosting
provider's AUP and any contractual agreements that may be drawn at the
time their service is turned up.
--
[ rich henning ] /"\
[ [EMAIL PROTECTED] ] \ /
X
support the ascii ribbon campaign against html e-mail / \
