
How to isolate websites on same server?

jetchirag Member
edited February 2017 in General

Hi,
I have a quite common question. How to isolate two websites:

  • running on vestacp

  • running on easyengine

I'll be hosting several sites, like 2-3 WordPress sites per VPS, and need suggestions to prevent security threats.

Thank you


Comments

  • CloudLinux with LVE's or FreeBSD jails.

    Thanked by 2: jetchirag, Clouvider
  • @doughmanes said:
    CloudLinux with LVE's or FreeBSD jails.

    Since I'll have very few sites per server, CloudLinux is not an option and the OS shall be CentOS or Ubuntu.

  • @jetchirag said:

    @doughmanes said:
    CloudLinux with LVE's or FreeBSD jails.

    Since I'll have very few sites per server, CloudLinux is not an option and the OS shall be CentOS or Ubuntu.

    In that case, go YOLO!

    Thanked by 3: quick, netomx, jetchirag
  • @K4Y5 said:

    @jetchirag said:

    @doughmanes said:
    CloudLinux with LVE's or FreeBSD jails.

    Since I'll have very few sites per server, CloudLinux is not an option and the OS shall be CentOS or Ubuntu.

    In that case, go YOLO!

    xD
    Looking for some serious answers though, that one wasn't bad lol

  • There's always suExec for users having access to other user's files. However, if you want security assistance, you'll need to give up on WordPress immediately.

    Thanked by 1: jetchirag
  • Aah, no way giving up on WordPress. Assuming I am hosting clients' sites on multiple servers, what precautions can I take?

  • And any way to at least secure it to the point possible?

  • @WSS said:
    There's always suExec for users having access to other user's files. However, if you want security assistance, you'll need to give up on WordPress immediately.

    at least vestacp makes use of mod_ruid2 by default or can run with mpm-itk or use php-fcgid/suexec whatever you prefer. so it's pretty much all you can do to isolate on shared webhosting. of course use different users/customers per site and disable ssh access for those etc.

    if you want to really isolate use different VMs :-)

  • WordPress vulnerabilities mainly come from themes and plugins. The recent compromise of LEB was an exception with the flaw in the WP core. The popular cut and paste script kiddie code relied on Akismet being present, which it is by default, and which I delete since I don't enable comments on my sites.

  • @doughmanes said:
    WordPress vulnerabilities mainly come from themes and plugins. The recent compromise of LEB was an exception with the flaw in the WP core. The popular cut and paste script kiddie code relied on Akismet being present, which it is by default, and which I delete since I don't enable comments on my sites.

    The problem comes my way because these are not my sites but clients', and I cannot continuously monitor what they are installing. Also, I need to protect one site from being affected by the presence of a website from a bad customer.

  • @Falzo said:
    at least vestacp makes use of mod_ruid2 by default or can run with mpm-itk or use php-fcgid/suexec whatever you prefer. so it's pretty much all you can do to isolate on shared webhosting. of course use different users/customers per site and disable ssh access for those etc.

    Yeah, but then you have the problem of VistaCP using VistaCP builds, too. So, should VistaCP fall behind, you're not protected by your $DISTRO_OF_CHOICE releasing security updates for PHP, Apache, MySQL, Exim, et al.

    Basically, what we're saying is: Charge a $30/mo WordPress fee.

  • I know, I know, the crowd will hate me but: mod_blah plus php-derp plus, why not, maybe a php "security script" (biting carpet) does not add to security but to trouble.

    Kindly think: Not even openvz succeeds in really 100% user separation. So what are the chances that adding some piles of crap will do?

    As long as there is but one client on any given virtual or real machine, linux can be a nice online game to play. As soon, however, as there are multiple tenants, go BSD and be done.

  • WSS said: Yeah, but then you have the problem of VistaCP using VistaCP builds, too. So, should VistaCP fall behind, you're not protected by your $DISTRO_OF_CHOICE releasing security updates for PHP, Apache, MySQL, Exim, et al.

    that's not true. at least on debian it installs everything from official debian repos (depending on what you set in your sources.list ;-)), works with wheezy, jessie or even stretch if you dist-upgrade after installing vestacp first.

    only for nginx it adds the official nginx repo to use a newer version than delivered with e.g. jessie.

    for serving the control panel itself it uses an own/modified installation of nginx/php-fpm, that's true, but that's more likely further separation from the customer pages ;-)

    but I agree that may not be 'secure' after all compared to different servers. thousands of shared hosting providers are dealing with it one way or another.

  • JustAMacUser Member
    edited February 2017

    If you want better separation then use multiple, smaller VPSs instead of a single, larger one.

    That being said, FreeBSD jails are a good bet (or jails on Debian or CentOS, but FreeBSD just comes with them out of the box). You could also run with separate users whose only permissions are to their respective web site directories. With PHP-FPM you can run multiple processes as separate users (you can even chroot but this requires some technical know-how).

    For what it's worth, I also agree with what @doughmanes and @bsdguy said.

  • Thanks to all of ya. I decided to host one site per VM. Previous plan was to host 2-3 per Scaleway server. Any provider who can provide around 512 ram to 1gb at affordable prices like $1-1.5 and has a stable and good reputation? Except buyvm

  • Those VM providers with pooled resources?

  • @doughmanes said:
    Those VM providers with pooled resources?

    I'm not sure what you mean, but some providers with good rates that aren't out of stock all the time while maintaining good specs

  • Try @exception0x876, you can split the wishosting resources into multiple small NAT VPSes and run your own routing VPS alongside.

  • jetchirag said: I'm not sure what you mean

    Pool resource providers give you X amount of RAM, disk, IPs, transfer, etc. to allow you to setup your own VM with such resources

  • Just simple vps providers with quick deployment and small (512-1024)mb ram + ssd. Like Scaleway, digital ocean. Sorry for not being clear that time. Same service but lower prices. $1-2 and well established. @teamacc nah.

  • @jetchirag said:
    Just simple vps providers with quick deployment and small (512-1024)mb ram + ssd. Like Scaleway, digital ocean. Sorry for not being clear that time. Same service but lower prices. $1-2 and well established. @teamacc nah.

    You are aware that this means you can split a 4 usd/month vps into 4 chunks right?

  • I think that for 1$-2$ per month one should ask for more than just 1GB of RAM.

    As a bare minimum I'd expect 4GB RAM plus a Porsche incl. a beautiful pre-heated naked woman.

    Although I personally always suggest to pay 50 cents more to get 100GB raided ssd and the free trips to a fine Hotel in Nice.

  • @bsdguy said:
    I think that for 1$-2$ per month one should ask for more than just 1GB of RAM.

    As a bare minimum I'd expect 4GB RAM plus a Porsche incl. a beautiful pre-heated naked woman.

    Although I personally always suggest to pay 50 cents more to get 100GB raided ssd and the free trips to a fine Hotel in Nice.

    Okay. Calm down mate.
    Probably not a good budget to start with. I know.

  • IMO if you don't mind all sites sharing the same IP you'd rather use BSD jails, with pkg audit you'll be able to check your jails for security issues easily and it will be easier to keep everything secure / up to date; it also would be probably cheaper than x vpses.

    Thanked by 2: doughmanes, WSS
  • I just have one big dedicated server that is split up into a bunch of small OpenVZ VMs.

    It's pretty awesome being able to create a VM, completely trash it by mistake, delete it and pretend nothing happened.

    Thanked by 2: doughmanes, vimalware
  • bsdguy said: pre-heated

    why?

    bsdguy said: pay 50 cents more to get 100GB raided ssd and the free trips to a fine Hotel in Nice.

    I suggest the same. (If this option is available with the provider you end up choosing, I heard @Francisco can provide that with the so called 'slices')

  • @jetchirag said:
    Okay. Calm down mate.
    Probably not a good budget to start with. I know.

    I'm not your mate.

    When you asked a reasonable question re. a problem you got a reasonable and hopefully helpful answer.

    But for the 1$-2$ question ... well, about the friendliest answer would probably be "In case you didn't notice, this whole site is filled with cheap VPS offers. Just pick one".

    Moreover, how should anyone provide hints when all you give them is 512MB - 1GB RAM? I'm afraid most providers readiness to do the "find out what he wants for a dollar a month" dance is limited. Understandably.

    (BTW, I myself would probably have recommended some but based on RAM alone that seemed unreasonable)

  • @datanoise said:

    bsdguy said: pre-heated

    why?

    Because I want my first time to be a success and easy.

  • mehargags Member
    edited February 2017

    @jetchirag... for complete isolation the best way would be using different VM's as suggested by the members already.

    To isolate two websites:

    -running on vestacp

    VestaCP's latest version by default uses basedir in its template and restricts read/write for each website to its siteroot, typically /home/<vesta_user>/web/<domain>. So the sites are (kind of) isolated in a way that if one of your sites is hacked and a malicious shell is loaded, it won't be able to crawl to other sites.

    As a best practice for VestaCP:

    1. Do not host sites in the default admin user.

    2. Create Separate VestaCP users for each site, then host the domain + DB inside that VestaCP user.

    For WordPress, there are some good recommended file permission settings that you can google for and apply. Also you can use Sucuri, Wordfence and other security plugins.

    All that said, do not miss out on your server-level security and harden it as much as you can on multiple fronts. There are many useful posts at the VestaCP Forums.
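
The per-site user plus open_basedir setup described in the comment above, and the separate-user PHP-FPM pools JustAMacUser mentions earlier in the thread, can be checked mechanically. This is an added example, not code from the thread or from VestaCP: the pool names, users, paths, the `/home/<user>` layout and the finding labels are all constructed assumptions.

```python
import posixpath
from collections import Counter
# Constructed sample: four PHP-FPM pool definitions (hypothetical users and paths).
SAMPLE_POOLS = """
[shop]
user = shop
php_admin_value[open_basedir] = /home/shop/web/shop.example/:/home/shop/tmp/
[blog]
user = www-data
php_value[open_basedir] = /home/www-data/   ; php_value can be changed by ini_set()
[forum]
user = www-data
[wiki]
user = wiki
php_admin_value[open_basedir] = /home/wiki/web/wiki.example/:/home/
"""

def parse_pools(text):
    """Parse PHP-FPM pool sections into {pool_name: {directive: value}}."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()           # drop ';' comments
        if line.startswith("[") and line.endswith("]"):
            current = pools.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return pools

def audit(pools, home_root="/home"):
    """Return {pool_name: [findings]}; an empty list means nothing was flagged."""
    users, report = Counter(cfg.get("user") for cfg in pools.values()), {}
    for name, cfg in pools.items():
        user, issues = cfg.get("user"), []
        if users[user] > 1:                            # pools sharing a UID share file access
            issues.append("shared-user")
        basedir = cfg.get("php_admin_value[open_basedir]")
        if basedir is None:                            # absent, or only set via php_value
            issues.append("open_basedir-not-enforced")
        home = posixpath.join(home_root, str(user))
        for entry in filter(None, (basedir or "").split(":")):
            path = posixpath.normpath(entry)
            if path != home and not path.startswith(home + "/"):
                issues.append("open_basedir-outside-home:" + path)
        report[name] = issues
    return report

if __name__ == "__main__":
    print(audit(parse_pools(SAMPLE_POOLS)))
```

On a real server, feed `parse_pools` the concatenated contents of the pool files instead of the sample, and adjust `home_root` to the panel's layout.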

  • Kindly take notice already: A panel, no matter which one, is not a security measure nor an adequate way to reasonably setup/configure/tighten a server, no matter what their evangelists sputter.

    The very best to expect from a panel is to not utterly fuck up. And frankly, the above isn't even what panels are made for. They are made to keep people who would create havoc if they used a commandline, away from the commandline.

    Sorry for being frank.
