8 Replies Latest reply on Apr 19, 2016 2:37 AM by innovativehosting

    Shared Hosting is not secure?

    worldcloud

      There is another (huge) thread running about Commercial FileMaker Hosting. In this thread I wanted to simply concentrate on how/if shared hosting is any more dangerous than dedicated hosting. I would like to keep this thread focused, so let's say the 'shared host' is running FileMaker Server 14 with only ports 80, 443, 5003, 5353, 1600-16004 accessible to the public.

       

      Each user/client is configured as an Admin Group and a separate backup is done for each client/folder, accessible with user-isolated FTPS.

       

      OPEN REMOTE

       

      One issue that often comes up is that User A sees User B's files when browsing the server. This does not mean he/she has access to the files, but the file names may be visible.

       

      option 1: the developer can choose to not make the files visible

      option 2: the provider can utilize the option 'show only the file I have access to', but some users will complain about a double log-in

      option 3: the provider can remove public access to port 5353, thus making these files invisible; thus requiring the user to know the exact file path or have a link.

      option 4: use a custom PHP controlled portal to launch FileMaker solutions

       

      SERVER SIDE plug-ins

       

      The short answer is that they are not permitted on a shared server. The reason is that many plug-ins allow features like copy, delete, FTP, etc., since we cannot authorize plug-ins at the admin group level.

       

      SSL

       

      We have found that many FMP users do not bother with SSL on FMS with FMP users. On a shared server, this is managed by the provider and is more likely to be set up. In the case where it is set up correctly, this is a draw.

       

      WEB Publishing

       

      Even on a shared server, IIS (or Apache) will allow multiple sites/domains to access the FM Web Publishing engine, so if you wish to host at database.mydomain.com, this is equally possible with a shared server or a dedicated server.

       

      BACKUPS

       

      Backups are available via FTPS and through the SAT tool. A user cannot access any files which do not belong to them.

       

      LOGS

       

      The FileMaker SAT tool shows database names and usernames, thus in a shared environment these users should not be given access to the FM server log via the SAT. It does not 'hack' access for a user, but it gives two of the three pieces of information required.

       

      RDP / ARA

       

      Most dedicated servers allow remote access via RDP or ARA (Mac). These ports are off on a shared server, but typically open on a dedicated server. Since these are 'common' ports there are hacking tools designed to locate and attack these services. This is one component where dedicated servers are more vulnerable; however without this access, developers could not update, install plug-ins, or make other customizations.

       

      QUOTAS

       

      No one client should be permitted to 'suck up' all the free drive space and thus shut down the server. Microsoft Windows has the ability to set folder quotas, so if user A tries to take too much space, his/her file will no longer allow changes.

       

      INSECURE SOLUTIONS

       

      FileMaker is big on weak passwords; however some solutions have 'public' data and their developers gladly accept guest users. If those users create bogus records, I fail to see how that is a security issue for other clients. If they allow default usernames for Admin access, then an outside user could create scripts, delete records, and/or suck up processor cycles; but I still fail to see how that compromises another client's data.

       

      ----

       

       

      Assuming the above criteria are met, can anyone describe to me specifically how a server with multiple clients is more secure than a dedicated server? There are some advantages to a dedicated server, but in this thread I'm particularly interested in why FMI is of the opinion that shared hosts are so dangerous.

       

      We have been hosting since FileMaker 5, and I could write a book about hosting FileMaker. There are a number of features/tweaks that I would love to see FileMaker develop, but the reality is that there are so few professional FileMaker hosting companies that our requests normally get outweighed by those who affect a larger number of users. There are risks to hosting any solution. FileMaker is inferring that shared hosting is less secure than dedicated servers and thus they may restrict these in the future. At this stage, I don't agree with this premise; but I certainly welcome discussion from the community.

       

      Our past experience shows that our clients have a higher risk with a dedicated server than with our shared services...

       

       

      Ideas... Comments... Experiences?

       

       

      thanks,

       

      joe

      CEO, Worldcloud, Inc.

        • 1. Re: Shared Hosting is not secure?
          taylorsharpe

          I disagree that a shared server provides more security.  What you are describing is that your company as the hosting company is properly implementing security.  But dedicated hosting is not different in configuring security.  You are basically just saying as a service you are willing to properly configure security for people in shared hosting.  Additionally, there are more security issues when you are on the same server even down to simple things out of your control like being a bigger target to denial-of-service attacks due to other high profile companies possibly on the same server.

           

          What I will agree with you is that a shared server with proper security is clearly better than someone who does not know what they are doing setting up their own server without proper knowledge or assistance.  Running a server is more than running an application on a local machine and server operating systems are fairly different than consumer operating systems. 

           

          FileMaker's easy entry into databases leads to lots of people trying things on their own without professional assistance and in some ways, that is very powerful that many people can accomplish making useful solutions on their own.  But many such solutions need help if they are going to become production data solutions for business critical processes. We need not to discourage this because this is the primary way I see new people coming to FileMaker.  But we need to be honest with people that while FileMaker may be easier than other databases, when it comes to running mission critical data, even a FileMaker solution is not simple and involves a lot of server and security knowledge in addition to user interface and schema.

          • 2. Re: Shared Hosting is not secure?
            monkeybreadsoftware

            With MBS Plugin you can limit plugin calls.

            Enable only the functions you need, allow them only for specific scripts or user accounts.

            • 3. Re: Shared Hosting is not secure?
              CICT

              Hi Joe

               

              As ever the World is being controlled by the lowest common denominator and no matter how good a job you, or we do, the decision has been made and we need to find a way forward that works for each of us.

               

              Lots of opinions given, but no evidence has been provided other than those hosting companies who have declared they have no experience of any security issues over the last 10 years or so of hosting.

               

              The power of encryption, alternative and disabled ports, security setup and backups pale into insignificance when put against corporate policy.

               

              It will be an interesting year!

               

              Andy

              • 4. Re: Shared Hosting is not secure?
                CICT

                Hi Taylor

                 

                Just wondered whether you've ever played 10-pin bowling? I've always found it harder to hit a single standing skittle than when there are lots of them? Sounds to me as if we're going to have a lot more IP addresses out there in the future!

                ;-)

                Kind regards

                Andy

                • 5. Re: Shared Hosting is not secure?
                  taylorsharpe

                  CICT wrote:

                   

                  Hi Taylor

                   

                  Just wondered whether you've ever played 10-pin bowling? I've always found it harder to hit a single standing skittle than when there are lots of them? Sounds to me as if we're going to have a lot more IP addresses out there in the future!

                  ;-)

                  Kind regards

                  Andy

                   

                   

                  Just hoping ISPs will get over charging for IPs now that they can hand out IPv6s like sand on the beach.  Very typical to charge $20 a month for a handful of IPs that really cost them nothing.  But, yes, each server will need its own IP.

                  • 6. Re: Shared Hosting is not secure?
                    worldcloud

                    I'm guessing that you haven't ever tried to get a new block of addresses from ARIN.

                     

                    They are requiring more and more justification, and they cannot simply 'create more IP addresses'.

                     

                    This is just one of the many issues with FileMaker's new policy. Go Google this topic on the MySQL forums and you will find that MySQL is used all the time in multi-tenant installations with practically no mention of security concerns.

                     

                    Sent from my iPad

                    • 7. Re: Shared Hosting is not secure?
                      taylorsharpe

                      No, I haven't had the experience of getting IPs from ARIN.  But it sounds like you are talking about IPv4 addresses.  IPv6 addresses should be very plentiful.

                       

                      And I agree with you that FileMaker is the only database company I know that has any mention of multi-tenant licensing restrictions on a database server.  There is a lot of licensing on size of databases, cores, connections, end users, etc., but FileMaker is the only one restricting a server to a single entity.  And that makes me feel a bit uncomfortable when they are marching to a different tune than the mainstream databases.  Granted, you don't always want to follow mainstream, but it is just something that is different and will probably end up costing users more money.  And even if it is not more money on FileMaker, having more servers clearly costs more in hardware or virtualization.  And not being able to maximize a server with multiple companies is not environmentally friendly either, especially in regards to power.

                       

                      I'm leery about the reasons for the EULA changes, but in general the direction FileMaker has taken my clients has been good and most are very happy with the tools and features FileMaker has provided so far.  So I am going to leave open my judgement on this EULA change to see how it works out. 

                      • 8. Re: Shared Hosting is not secure?
                        innovativehosting

                        There is nothing like Shared Hosting is not safe. If you are starting to develop a website, then Shared Hosting suits the best. Innovative Hosting Corporation is one of the best providers of Shared Hosting service. Although used to provide service quickly. So don't be late, let's grab 20% offers on hosting plan.

                         

                        https://www.innovativehostingcorp.com/