Well, I work in that environment. We do the system-type security: upgrade software, apply patches, etc. We monitor access to the server, and scan for blatantly *bad* things that the customers might put on the server (phpinfo and formmail.pl come to mind immediately). We use chroot'd ftp environments to protect customers from each other. We don't allow anonymous ftp access. We put the servers behind a firewall, and only allow the necessary protocols through.
The customer is responsible for the security of his ftp password, any programs to access databases he may implement, etc. If there is something that is being exploited on the 'net, I will look and see if I think we are vulnerable via a customer. I have gone in and disabled scripts on customer sites before because they were insecure. The squeeze is in offering services. If we offer php, we are inherently insecure. If a customer wants to access his database from anywhere for management, it opens it up to everyone else. And I'm pushed between management all the time to be "customer-friendly". We are in the business to sell web hosting, and need to make sure that our customers want to host at our site. Extremely tight security does not make for a pleasant environment for the customers. We are implementing differing security-level hosting, for customers that care a bit more than the others. But if I drive all the customers away with my security efforts, we go out of business. So, it's a balance. I monitor logs, security lists, etc., and try to do my best. I inform my customers they are in a shared environment, and hope they *understand* what that means. Most won't, but most of our websites are little mom/pop things, and won't be devastated if something happens and we have to recover.

-Michele

Lists wrote:

> I've been researching web defacement trends lately and realized that most (higher
> percentage) defacements appear to be performed on servers in a hosted facility (such
> as Interland, Iquest, OLM, Digex etc) furthermore as most of the sites appear to be
> related to small business I assume they are on shared hosted boxes.
>
> Is there anyone on the list in the ISP/Hosting provider world that can answer who is
> responsible for security in this configuration?
>
> I realize that some hosting providers offer additional managed security services, but
> for those that don't and offer shared (multiple sites on 1 box) hosting do they just
> secure the box and let their clients control their environment? Therefore leaving
> their customer in charge of their own security for their site?
>
> If indeed this is a bit of a gray area, is there any documented legal proceedings
> that have held the ISP liable for the lack of security on a hosted site?
>
> Thanks in advance for your assistance.
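The "scan for blatantly bad things" step Michele describes (phpinfo pages and formmail.pl left in customer webroots) can be scripted. The following is an added example, not code from the original post or from the hosting company; the directory layout (one directory per customer, each with a public_html tree) and the fixture files are constructed for the demo, and the match rules (any file named formmail.pl in any case, any .php file that calls phpinfo()) are an assumption about what a reviewer would want flagged.

```shell
#!/bin/sh
# Added example: report risky customer scripts under a shared-hosting base
# directory so the admin can review or disable them. Layout and match rules
# are assumptions for this demo, not the original poster's setup.

# Usage: find_risky_scripts <base_dir>
# Prints one matching path per line, sorted and de-duplicated.
find_risky_scripts() {
    base="$1"
    {
        # Classic formmail.pl drop-ins, matched by name in any case.
        find "$base" -type f -iname 'formmail.pl'
        # Any PHP file that calls phpinfo(), which leaks server configuration.
        # grep -l exits 1 when nothing matches; '|| true' keeps that from
        # being treated as a failure under 'set -e'.
        find "$base" -type f -iname '*.php' \
            -exec grep -il 'phpinfo[[:space:]]*(' {} + || true
    } | sort -u
}

# Usage: count_risky_scripts <base_dir>
# Prints the number of findings (trimmed, since some wc versions pad).
count_risky_scripts() {
    n=$(find_risky_scripts "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# Constructed fixture: two customers, one risky file each plus benign files.
# Prints the temporary base directory it created.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/public_html" "$d/bob/public_html/cgi-bin"
    printf '<?php phpinfo(); ?>\n'      > "$d/alice/public_html/info.php"
    printf '<?php echo "hello"; ?>\n'   > "$d/alice/public_html/index.php"
    printf '#!/usr/bin/perl\n# old formmail script\n' \
        > "$d/bob/public_html/cgi-bin/FormMail.pl"
    printf '<html>hello</html>\n'       > "$d/bob/public_html/index.html"
    echo "$d"
}

# When run with a directory argument, scan it; otherwise do nothing so the
# functions can be sourced or tested.
if [ -n "${1:-}" ]; then
    find_risky_scripts "$1"
fi
```

On a real box the base directory would be the hosting root (for example the parent of all customer home directories); each reported path is a candidate for the "go in and disable the script" step described above, not an automatic removal.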