Shared-Hosting Perils
Shared hosting can be a cost-efficient solution for many Web sites, but you may end up paying a different sort of price. As always when sharing with strangers, there's a risk of the unknown. A well-designed and -managed operating system along with other system software may be able to protect applications and users from one another, but things do go wrong at times.
Consider what happens when an attacker goes after one of the other sites on your shared server. Vulnerabilities such as the MySQL Password Handler Buffer Overflow Vulnerability or the PHP wordwrap() Heap Corruption Vulnerability may be exploited there. If the attacker gains control of the server or the database, you're all just as vulnerable.
And the attacker may not even be an outsider—it could be another customer.
Mike Prettejohn of the Internet research firm Netcraft Ltd., which follows the hosting market carefully, said he thinks "strongly themed shared hosting—such as the Yahoo storefronts"—is the best type of shared hosting. Such services define a rigid but easy-to-use environment for the customer, limiting the damage the customer can do accidentally or otherwise, and they scale brilliantly for the hosting company. Such hosts usually focus on product and service sites because those have better potential for sharing facilities, such as a shopping cart program and tax and shipping calculation. In a sense these features may make those sites bigger targets, because there will be customer records with credit card and other valuable data. But good management by the hosting service and restrictions on the customers can limit the exposure.
Generic shared-hosting accounts, on the other hand—the ones with access to Perl, PHP, and (shudder!) shell accounts—are potential disasters. It's very easy for one customer to impact all of the others with a badly written program. And you know how Linux vulnerabilities are often described as not such a big deal because only local—not remote—users can exploit them? Those shell accounts make the users local! Again, good management can prevent those users from uploading and executing arbitrary and exploitative code, but good management isn't built into the operating system.
Moreover, DoS attacks against hosting services seem to be increasing. If your sites are in the wrong IP range, you get to suffer along with everyone else.
Mail servers aren't immune to death by association, either. If one of the major RBLs (Realtime Blackhole Lists), such as the Mail Abuse Prevention System, decides to block e-mail from the mail server you share because some other domain on the same server has been spamming, it won't be your fault, but you'll pay the price all the same.
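Because a listing hits every domain behind the shared IP, it is worth checking that address yourself rather than waiting for bounced mail. The following Python script is an added example, not from the original article or from any hosting provider: it performs the standard DNSBL lookup (the IPv4 octets reversed and prepended to the list's zone, with a 127.0.0.x answer meaning "listed" and NXDOMAIN meaning "not listed") against a list of zones you choose. The zone names, the sample address 192.0.2.1 and the `_fake_resolve` function are constructed so the script runs offline; the handling of answers in 127.255.255.0/24 as query errors follows the Spamhaus convention and is an assumption for other lists.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Constructed list of DNS blocklist zones to consult; substitute the lists
# your own mail peers are known to honour.
RBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

Resolver = Callable[[str], str]


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 addresses only")
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, zone: str, resolve: Resolver = socket.gethostbyname) -> Optional[str]:
    """Return the 127.0.0.x answer code if the address is listed, None if not.

    NXDOMAIN surfaces from socket.gethostbyname as socket.gaierror and means
    the address is not on the list.  Answers in 127.255.255.0/24 are the
    Spamhaus convention for "your query was refused" (e.g. sent via a public
    resolver) and must not be mistaken for a listing.
    """
    try:
        answer = resolve(rbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    if answer.startswith("127.255.255."):
        raise RuntimeError(f"{zone} refused the query ({answer}); retry via a non-public resolver")
    if answer.startswith("127."):
        return answer
    raise RuntimeError(f"unexpected answer {answer} from {zone}")


def check_shared_mail_server(ip: str, zones=RBL_ZONES,
                             resolve: Resolver = socket.gethostbyname) -> Dict[str, Optional[str]]:
    """Check one shared mail-server address against every zone.

    Each zone maps to its listing code, to None when not listed, or to an
    'error: ...' string when the lookup itself failed.
    """
    results: Dict[str, Optional[str]] = {}
    for zone in zones:
        try:
            results[zone] = is_listed(ip, zone, resolve)
        except RuntimeError as exc:
            results[zone] = f"error: {exc}"
    return results


def _fake_resolve(name: str) -> str:
    """Constructed offline resolver: 192.0.2.1 is 'listed' in one zone only."""
    if name == "1.2.0.192.zen.spamhaus.org":
        return "127.0.0.2"
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    # Offline demonstration; drop resolve=_fake_resolve to query real lists.
    for zone, status in check_shared_mail_server("192.0.2.1", resolve=_fake_resolve).items():
        print(f"{zone}: {'listed ' + status if status and not status.startswith('error') else status or 'not listed'}")
```

Run it against the IP your hosting company assigns to the shared mail server (the address in the `Received:` headers of mail it sends for you), and run it from a resolver you control, since several lists refuse queries relayed through public resolvers.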
In general, you should consider your site more vulnerable to attacks from other sites in the same data center than from outside. You know how in the movies the bank robbers rent the basement next door and break in at night? If you want to attack an Internet site, maybe even an Internet bank, rent a logically nearby server.
There's nothing nearer than another site on a shared server. A dedicated server is a good solution, but even if security is a real concern, you may not be able to afford one. Shop around before you sign up. Look for a shared-hosting service that has some malware protection, like antivirus. If you're keeping personal user information, you should also look for one that supports SSL for your site, not shared with everyone else on your server. This means you'll need your own IP address, so it may cost more. But it's better to pay a little more up front to be sure you're safe.