Shared Hosting is not secure?

Question asked by worldcloud on Feb 29, 2016
Latest reply on Apr 19, 2016 by innovativehosting

There is another (huge) thread running about Commercial FileMaker Hosting. In this thread I wanted to simply concentrate on how/if shared hosting is any more dangerous than dedicated hosting. I would like to keep this thread focused, so let's say the 'shared host' is running FileMaker Server 14 with only ports 80, 443, 5003, 5353, 1600-16004 accessible to the public.

Each user/client is configured as an Admin Group and a separate backup is done for each client/folder, accessible with user-isolated FTPS.

OPEN REMOTE

One issue that often comes up is that User A sees User B's files when browsing the server. This does not mean he/she has access to the files, but the file names may be visible.

Option 1: the developer can choose to not make the files visible

Option 2: the provider can utilize the option 'show only the file I have access to', but some users will complain about a double log-in

Option 3: the provider can remove public access to port 5353, thus making these files invisible and requiring the user to know the exact file path or have a link.

Option 4: use a custom PHP controlled portal to launch FileMaker solutions

SERVER SIDE plug-ins

The short answer is that they are not permitted on a shared server. The reason is that many plug-ins allow features like copy, delete, FTP, etc., since we cannot authorize plug-ins at the admin group level.

SSL

We have found that many FMP users do not bother with SSL on FMS with FMP users. On a shared server, this is managed by the provider and is more likely to be set up. In the case where it is set up correctly, this is a draw.

WEB Publishing

Even on a shared server, IIS (or Apache) will allow multiple sites/domains to access the FM Web Publishing engine, so if you wish to host at database.mydomain.com, this is equally possible with a shared server or a dedicated server.

BACKUPS

Backups are available via FTPS and through the SAT tool. A user cannot access any files which do not belong to them.

LOGS

The FileMaker SAT tool shows database names and usernames; thus, in a shared environment, these users should not be given access to the FM server log via the SAT. It does not 'hack' access for a user, but it gives two of the three pieces of information required.

RDP / ARA

Most dedicated servers allow remote access via RDP or ARA (Mac). These ports are off on a shared server, but typically open on a dedicated server. Since these are 'common' ports there are hacking tools designed to locate and attack these services. This is one component where dedicated servers are more vulnerable; however, without this access, developers could not update, install plug-ins, or make other customizations.

QUOTAS

No one client should be permitted to 'suck up' all the free drive space and thus shut down the server. Microsoft Windows has the ability to set folder quotas, so if User A tries to take too much space, his/her file will no longer allow changes.

INSECURE SOLUTIONS

FileMaker is big on weak passwords; however, some solutions have 'public' data and their developers gladly accept guest users. If those users create bogus records, I fail to see how that is a security issue for other clients. If they allow default usernames for Admin access, then an outside user could create scripts, delete records, and/or suck up processor cycles; but I still fail to see how that compromises another client's data.

----

Assuming the above criteria are met, can anyone describe to me specifically how a server with multiple clients is more secure than a dedicated server? There are some advantages to a dedicated server, but in this thread I'm particularly interested in why FMI is of the opinion that shared hosts are so dangerous.

We have been hosting since FileMaker 5, and I could write a book about hosting FileMaker. There are a number of features/tweaks that I would love to see FileMaker develop, but the reality is that there are so few professional FileMaker hosting companies that our requests normally get outweighed by those who affect a larger number of users. There are risks to hosting any solution. FileMaker is inferring that shared hosting is less secure than dedicated servers and thus they may restrict these in the future. At this stage, I don't agree with this premise; but I certainly welcome discussion from the community.

Our past experience shows that our clients have a higher risk with a dedicated server than with our shared services...

Ideas... Comments... Experiences?

Thanks,

joe

CEO, Worldcloud, Inc.
