Security > create separate user account for each website


#1

Hi there
I’m willing to start the new year by improving the security of my websites on DreamHost :wink:

Right now i have all my websites under my own user
I use the same FTP account to access all of them, and i guess it’s not a good security practice
I understand that in case one website gets hacked, all others are instantly in danger, right?

Ended up on the DH Wiki’s Security page (http://wiki.dreamhost.com/Security), especially the ‘File permissions’ paragraph

This seems to be my solution:
"A good practice is to create separate user account for each website"
But what does that exactly mean?

Guess i need to add new users (each for every website) from the control panel (‘Manage Users’ > ‘Add A New User’)
Then go to ‘Manage Domains’ > ‘Edit’ (for the website i want to assign the new user) > 'Run this domain under the user:'
And assign the newly created user, one for every domain/website
It also automatically creates a copy of the website under the new user…

Am i getting it right?
Or has that to do with creating a new DH ‘billing account’ for every website??

Thanks a lot
Alessio


#2

Yes, that’s right. I’m in the process of doing the same thing. I only have one site that is remotely popular, and a few other hobby projects. By putting each under its own user, you will minimise the risk created by a hacker compromising one of the sites.

The panel does a fairly good job of moving a site to a new user, although it didn’t work for me on one that had a lot of video files. The system I came up with is using the domain name as part of the username rather than something like bobocat1, bobocat2, bobocat3, etc as users.

The DH billing account is not related at all. Please see my summary of account types which might help make things clearer.


#3

Thanks mate
Great link you posted! Quite useful to clarify some mess i have
Well, seems i have some work to do :slight_smile:

Btw, let me ask a couple of other dummy questions

  1. Pretty sure this is the prototype of dummy question, anyway… when i shift a domain under another user, does that also influence any of the email settings associated with that domain? (whether it’s managed by DH or by Gmail)
    I mean, after i created the new user and assigned a domain to it, is there anything else i have to take care of (like email stuff) or am i done?

  2. What does that process of assigning a new user to a domain actually do?
    (does it create a brand new independent directory and copy the website inside, or is it just a path/redirection thing, so to say…?)
    And is it a definitive way of securing website one from another? Are then websites bulletproof from each other?

Finally, are there any internet resources about website security, the various types of attacks and how to prevent them, and similar stuff (always for dummies) you would suggest?
I’m definitely eager to learn more


#4

1: I don’t think so. I use GMail for my email, so I’m not 100% sure, but if you are using DH as your mail provider, the mail is still going to you@yourdomain.com which is completely unrelated to which which user the domain is running under.

2: It’s just a form of containment. There are hundreds, even thousands of other users on your machine, but unless they did something really stupid with their home directory permissions, you can’t access any of their files. So creating a user for each domain is the same thing. If one site is compromised, an adversary can’t touch your other sites. By itself, it won’t make any of your sites more secure, but it will help contain a breach if (when) one happens.

3: yeah, lots. there are too many actually. I wouldn’t even know where to start. just google it.


#5

Got it and thanks again

  1. yeah i’m surely aware of that, that’s why i was asking for some suggestions :wink:
    Ok then… Google here i come again[hr]
    Oh wait… forgot to ask about another CRUCIAL issue
    (Almost) everything is clear now about this websites/user accounts thing
    But on the other side, we also have databases…

Does the same work for databases too?

Are db’s under the same user vulnerable when one of them gets hacked?
Is it also a good practice to create a new user for every of your db’s?

(didn’t see any mention on that on the DH Wiki’s Security page… maybe db are just a whole different beast…?)


#6

You can put all your eggs in one basket, or you can give them each their own container. DBs are like golden eggs.


#7

Goggled a little and found this on the Wordpress website:

“Database Security
If you run multiple blogs on the same server, it is wise to consider keeping them in separate databases each managed by a different user.”
(http://codex.wordpress.org/Hardening_WordPress)

So i guess it’s also a good practice to create separate users for each database…

Any consideration on that?