The University’s Web Hosting Service offers a range of proactive security tools to help keep users’ sites safe and secure
The University’s Web Hosting Service is an internal service for members of the University community to host websites suited to their unique needs. The service provides an environment for users to develop and host websites for specific areas that may have functionality, formatting or branding requirements outside the scope of what is offered on the main University of Edinburgh site. The service hosts over 1,000 sites ranging from research projects and PhD pages to the Edinburgh Sports and Student Unions.
“We currently utilise the web hosting service to provide free web hosting to our student societies and groups. Societies and groups utilise this service to host websites with information about the groups and post event details. We have found most of the end users have used the built in application installer to setup CMS systems such as WordPress, which they are able to do without the need of IT as the process is very easy,” said Matthew Ashton-Jones, IT Support for Edinburgh University Students’ Association.
With the flexibility to configure self-service sites suited to personalised needs comes challenges related to ensuring users are protected from potential online malicious activity, and themselves. There is a large variety between users who diligently monitor their site and patch when new updates are released, and others who, for legitimate reasons, leave their sites relatively untouched and vulnerable to exploitation. As such, in recent years the University Web Hosting service has sought to incorporate automated security and technical tools to help assess and secure the servers, increasing the security of the sites hosted on the service while decreasing the burden to individual users.
“We have a very good working relationship with the [Web Hosting] team. Their communications are probably some of the best – both timely and informative – that I have come across from an ISG team. The team have always been approachable, friendly and customer focussed. And extremely knowledgeable about their domain – which has been a life-saver on more than one occasion,” said Euan Cameron, Digital Innovation Team Manager, College of Arts, Humanities & Social Sciences. “If I have received a system-event alert from the service (security or otherwise) that I have been unsure about, they have always been quick to explain the issue highlighted when contacted.”
Cloud Linux Operating System
The University Web Hosting Service adopted the Cloud Linux Operating System to help manage the multitude of sites it supports. The Cloud Linux operating system is designed specifically for hosting websites in a shared environment and specializes in isolation between websites. In this way, if one site is compromised the system prevents others from being accessed and limits cross-infection. The operating system also has a mechanism for limiting resources between individual users, so one site cannot bring down the entire server of sites if it crashes or experiences technical difficulties. This tool ensures continuity of operations and helps prevent against the chain reaction of negative impacts from denial of service (DDoS) attacks.
“We rely on the OS to be stable and secure and impact as little on our workloads as possible. By utilising the Web Hosting Service, we are more than happy to say that CloudLinux OS has met our requirements, and with the team’s support we hardly notice/concern ourselves about the OS in our day-to-day work,” said Euan.
Patchman is a vulnerability detection and patching tool created to simplify security for web hosting providers. The tool automatically scans all the sites hosted on the University server every night, identifies any known vulnerabilities, commonly via WordPress or Drupal, and patches them unobtrusively. The patching does not impact the platform itself or any settings, rather it changes the code to plug any security holes and then emails the site owners to notify of the patch execution and associated details. Site owners have the ability to roll back any patches in their Control Panel if they discover resulting issues. Additionally, system updates can override patches if necessary.
“With so many sites in our portfolio – including 40+ Drupal installations, and sites supported by external developers – having a tool that can automatically patch vulnerabilities when identified, and before a developer can get to it, has allowed me to sleep better at night,” said Euan.
The proactive tool helps address vulnerabilities before they become targets for spam, DDoS attacks and more. For instance, the Unix team notified ISG of an unknown WordPress issue that suggested exploitation. In exploring the issue further ISG discovered Patchman had already patched 60 sites that contained the vulnerable plug-in.
“Patchman has proven to be an incredibly useful tool, as we are a small team and having time to manually patch the large number of websites which we administer can prove to be difficult to arrange,” said Matthew. “With Patchman this is automatically taken care of and we are notified via email that the upgrades have been successful or have failed (requiring manual intervention).”
To round out its comprehensive package of security tools, the University also utilizes Immunify 360, a proactive defense against threats in the form of a web application firewall. The firewall detects any malicious traffic or attempts to hack into sites hosted through the University. The interactive dashboard provides statistics related to the security levels of sites hosted through the service and their web traffic including detections, blocked requests and black-listed and white-listed IP addresses. Immunify 360 also identifies grey-listed IP addresses that are presented with a CAPTCHA request when trying to access the site to prove their identity. The service’s malware scanner continually analyzes scripts and recognizes suspicious behavior in real-time, stopping malware from running on the servers and successfully restoring scripts from backup.
“Security incidents, to our knowledge, have been kept at an absolute minimum, while my team can focus on delivering and developing our own services unhindered by the resource burden of manually managing these ourselves, or resolving the incidents that would, most likely, be the outcome of not having these tools in place,” said Euan.
Because the University Web Hosting audience is largely internal, access to the tools is only available to those on the University network or via the University VPN. Further, the sites are integrated with University Single Sign On to provide additional secure options for users to access the sites.
“The web hosting service and the included security tools have enabled us to offer an easy and secure web hosting service to our groups which would not be possible without the assistance and service being provided by ISG,” said Matthew.