Best practice for securely hosting multiple websites?

[Joe Link]

We have one large site, and many smaller ones with little traffic. All are currently hosted on a dedicated system which is complete overkill. My goal is to reduce our costs while maintaining or improving security. My extensive research into various options has me over thinking the switch, and quite nervous about leaving the excellent support of Liquid Web. I've narrowed my choices for independent server management, and I believe I'll be going with Linode for hosting.

Basically I'm not sure if I should put all of the sites on the same Linode node, possibly using VM's or CloudLinux to separate them, or if I should separate the sites into separate nodes (giving the large site it's own). Using the same Linode would be cheaper, as I'd only need one license for cPanel and LiteSpeed (if I don't switch to NGINX). My main concern here is security, I don't want the compromise of one site to leave the others vulnerable (within reason). If I get separate nodes it'll double my licensing and management costs, but it might be worth it.

So, what do you guys do?

Right now I'm paying $401/month for this, including the LiteSpeed and CloudLinux licenses, and it's simply overkill for what I'm doing. I haven't done anything to optimize the installation, and I don't believe the load has ever been above .35

Single Intel Xeon E3-1270 V2 3.5GHZ Quad Core – Hyperthreaded
32GB DDR3 SDRAM
2 x SATA Software Raid 1 Drives (1TB 7200RPM SATA)
4 x SSD Hardware Raid 10 Drives (120GB Kingston Hyper-X SSD MLC)
1 x SATA Backup Drive (1TB 7200RPM SATA)

 

[m1ne]

You run run every site in its own chrooted directory, just like a web host would do. For example,

site1.com owned by user1:user1
site2.net owned by user2:user2

Neither one can access anything below their respective public_html.
That's overkill though, imo. I've ran all my sites under the same user for years and rely on 1: software being patched quickly and 2: my own security setup (firewall and etc).

 

[Mike Edge]

We run several few million post clients on the same server and over 150 communities across all our servers. All via shared hosting and in the 2 years we been in business, no one has ever been hacked.

 

[Joe Link]

There is a very good possibility I'm being paranoid here

 

[m1ne]

There is a very good possibility I'm being paranoid here

Mhmm.

 

[accyroy]

I was in the exact same situation a year or so ago... The large site is now on it's own VPS. The other much smaller sites get experimented on a bit more and I feel a lot more confident on that server knowing it cannot take out the main site if I or someone else does something wrong. You shouldn't need a cPanel license on the server with just the one site.
I'd definitely go the multi node route if I where to make that decision again today.

 

[TPerry]

There is a very good possibility I'm being paranoid here

No, they ARE out to get you!

 

[rdn]

Try Centmin Mod - Shell Menu based Nginx installer for CentOS servers
To save you a lot from Cpanel, LiteSpeed, Cloudlinux License.

 

[TPerry]

Why not grab SolusVM or ProxMox and - if the server is large enough - just roll out VPS's for each site. Set them up with KVM VPS type and they should be pretty insulated from each other.

 

[Joe Link]

I really appreciate everyone's replies so far!

I was in the exact same situation a year or so ago... The large site is now on it's own VPS. The other much smaller sites get experimented on a bit more and I feel a lot more confident on that server knowing it cannot take out the main site if I or someone else does something wrong. You shouldn't need a cPanel license on the server with just the one site.
I'd definitely go the multi node route if I where to make that decision again today.

Why not grab SolusVM or ProxMox and - if the server is large enough - just roll out VPS's for each site. Set them up with KVM VPS type and they should be pretty insulated from each other.

Good to hear, thanks for the feedback @accyroy.

These two replies pretty much sum up my dilemma. I could provision a larger node that would handle everything and setup my own KVM. If I'm thinking about this correctly it'd be similar to having separate nodes, with the exception of whatever the host has done to further harden the hypervisor (something I know nothing about).

Try Centmin Mod - Shell Menu based Nginx installer for CentOS servers
To save you a lot from Cpanel, LiteSpeed, Cloudlinux License.

This is also an option. The reason I was thinking of cPanel is because I'm familiar with it, so I wouldn't have to bother whoever I have doing the admin work as often. It does seem like a waste for only one site though. Another factor is that I usually have @MattW do my server work. When I told him I was considering not going with cPanel he said that would be fine, so long as I didn't need email (which I do, currently dovecot/exim). I really don't think I need LiteSpeed, it's just (again) what I'm familiar with.

No, they ARE out to get you!

 

[rdn]

need email

For email server, you can have a separate VPS with: Mail-in-a-Box

 

[Joe Link]

For email server, you can have a separate VPS with: Mail-in-a-Box

I think it'd be worth the $15/month to not have to setup another box

 

[Puntocom]

If you want security run independent servers and OpenBSD. I have saved ~50% billing after some tweaking getting much better performance. OpenBSD rocks! it also has LibreSSL and very good secyrity features enabled by default.

OpenBSD Security

Install only the mininum neccesary software.