How to keep a shared web hosting server secure?

What are the ways of keeping a shared hosting linux server secure, assuming SSH access is available for every user?

I am mainly thinking of securing the shared servers from the users themselves and between themselves together.

SSH access on a shared hosting server can be a bad thing...

We offer Jailed Shell for customers on certain plans, but certain commands are of course blocked.
More info on setting up Jailed Shell on cPanel here

Cloudlinux is a great product for helping isolate customers on a shared server.

Yes like RDO said, SSH shoud be limit as much as you can on a shared hosting, but there is also the chrooted solution to isolate each user.

But I haven't use in production yet as most of users doesn't know what is SSH..

I have to agree with SSH access on shared hosting is a bad idea. Most shared hosting customer don't even know what SSH is let alone want access to it. We have never been asked for shell access by any of our shared hosting clients.

As RDO stated CloudLinux is best for security and account isolation, jailed shells can work well but also require a lot of configuration.

RDO Servers said:

SSH access on a shared hosting server can be a bad thing...

We offer Jailed Shell for customers on certain plans, but certain commands are of course blocked.
More info on setting up Jailed Shell on cPanel here

Cloudlinux is a great product for helping isolate customers on a shared server.

Click to expand...

LJSHost said:

I have to agree with SSH access on shared hosting is a bad idea. Most shared hosting customer don't even know what SSH is let alone want access to it. We have never been asked for shell access by any of our shared hosting clients.

As RDO stated CloudLinux is best for security and account isolation, jailed shells can work well but also require a lot of configuration.

Click to expand...

I read some articles it is possible to do local hack on shared hosting if users have not set file permissions as well. Is this exact information?

CloudLinux can stop attacks from shared accounts on a same server?

the first steps ...

1) Install 1h or cloudlinux
2) Enable mod_userdir Protection
3) Enable php open_basedir Protection
4) enabled SSH Password Authorization Tweak
5) Disable or change port for shell.

Update kernell and all pache for OS.

Secure Shared Server

Hello,

Securing the shared server is an ongoing process.

- Set jailed shell for the users is the first option.
- CloudLinux with cagefs is one of the recommendation
- Change ssh port to a custom port
- Set password strength to a strong value
- Check for the applications in the server and make sure they are using the latest softwares, if not upgrade it to them
- Update kernel/softwares to the latest by adding the patches
- Most Important, Enable BACKUP, so even if it is hacked, we can restore the site.

Above are some of the recommendations only.

uniwebhosting said:

the first steps ...

1) Install 1h or cloudlinux
2) Enable mod_userdir Protection
5) Disable or change port for shell.

Click to expand...

Why do we need to enable mod_userdir and disable or change port for shell? and which ports would you suggest to change?

Nixtree said:

Hello,

Securing the shared server is an ongoing process.

- Set jailed shell for the users is the first option.
- CloudLinux with cagefs is one of the recommendation

Click to expand...

These I can apply for a VPS I am managing or it only work for a shared hosting?

If yes, how to find them or set up them?

Thanks in advance
Kaz

Hi

You can select the Jail shell for all users from whm and then give bash shell who is trustworthy or know what they will be doing.

Other steps you can do to secure is

Disable Password Authentication completely and force all shell users to use key and create proper documentation to setup and use Key based ssh auth on different flavors like Linux, windows putty, for both private and public key based auth.

Key based auth with custom ssh port is the best secure thing you can do with ssh access.

If you wish extra security , You can restrict Ip access as well by blocking ssh port for public. Only allow ssh for whitelisted one and provide a method to whitelist / block ip via whmcs, like the below one

http://www.whmcs.com/appstore/1354/WHMCS-CSF-Manager.html

Hope this will be the most secure way for providing ssh acccess for all users in a shared server.

Hope this helps

You can use this tutorial to compare it with your cPanel server.
Else it is wise to use CLoudlinux to separate user accounts as much as possible. If you prefer free tools, then you would need to do things step by step / follow tutorials and tweak server as time goes.