web hosting security
I hope this is the right forum to post this query. We are a software development company. We plan to host some web solutions for our customers at our data center. I would like to know what security considerations (like regular Vul. assessment/Pen tests, patching systems etc) need to be taken into account before hosting any web applications at our data center. We are planning to have a policy for the same. Any web based resources could be useful.
disable_functions=exec, passthru, shell_exec, system, proc_open, popen, pcntl_exec, ftp_exec, fopen, fgets, curl_exec, curl_multi_exec, escapeshellarg, escapeshellcmd
This way people are allowed to upload, even use includes... but as far as web based shells go it's a moot point.
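Added example, not part of the original post: a small Python check that reads a php.ini and reports which functions from the list above are still enabled. The `audit` and `parse_disable_functions` names and the sample ini text are constructed for illustration; the script treats a later `disable_functions` line as replacing an earlier one.

```python
import sys

# Function list copied from the disable_functions line in the post above.
REQUIRED = {
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
    "pcntl_exec", "ftp_exec", "fopen", "fgets", "curl_exec",
    "curl_multi_exec", "escapeshellarg", "escapeshellcmd",
}

# Constructed sample, not taken from a real host.
SAMPLE_INI = """\
[PHP]
; disable_functions = exec   (commented out, must be ignored)
engine = On
disable_functions = exec, passthru, shell_exec, system, proc_open, popen ; partial
"""

def parse_disable_functions(ini_text):
    """Return the set of disabled functions, or None if the directive is absent."""
    value = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        # Skip blanks, ';' comments and [section] headers.
        if not line or line.startswith((";", "[")):
            continue
        name, sep, rest = line.partition("=")
        if not sep or name.strip() != "disable_functions":
            continue
        # Drop a trailing inline comment and optional surrounding quotes.
        value = rest.split(";", 1)[0].strip().strip('"')  # later line replaces earlier
    if value is None:
        return None
    return {f.strip() for f in value.split(",") if f.strip()}

def audit(ini_text, required=REQUIRED):
    """Return the sorted list of required functions that are NOT disabled."""
    disabled = parse_disable_functions(ini_text)
    if disabled is None:
        return sorted(required)
    return sorted(required - disabled)

if __name__ == "__main__":
    # Usage: python audit_php_ini.py /path/to/php.ini (falls back to the sample).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI
    missing = audit(text)
    print("still enabled:", ", ".join(missing) if missing else "none")
    sys.exit(1 if missing else 0)
```

The non-zero exit status on a gap lets the check run from cron or a deployment pipeline against each hosting server's php.ini.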
Did you try nerdyhost? It has some wonderful features
A lot depends on what you'll actually be hosting. For example:
For PHP stuff:
Read through the guides here: http://phpsec.org/projects/guide/
Also take a look at: http://www.hardened-php.net/suhosin/
For ASP/.NET stuff:
You'll have to google that yourself as I don't touch Microsoft stuff :)
I also recommend having an external 3rd party security and vulnerability scanner run regularly against your external IPs. There are several out there... I know McAfee offers some, there is also Security Metrics, or if you're doing it on the cheap side and have the manpower, set up your own Nessus scanner (http://tenable.com/products/nessus), which many of the 3rd party companies that offer external scanning end up using in some way or another themselves.
And obviously try to follow standard security policies like correct app tier separation with egress and ingress filtering etc... If you find yourself placing database servers in your web/external zone you're doing something wrong.
That's my 2c anyway.