
Security Overview

Security Philosophy

MDHosting takes a layered approach to security, recognising that no single measure is sufficient. Our security strategy encompasses prevention, detection, response, and recovery.

Core Principles:

  • Defence in Depth: Multiple layers of security controls
  • Least Privilege: Minimal necessary access for all services
  • Security by Default: Secure configurations from deployment
  • Continuous Monitoring: Proactive threat detection
  • Incident Response: Prepared procedures for security events
  • Compliance First: GDPR and UK regulations adherence

Current Security Posture

Strengths

Infrastructure Security:

  • SSH key authentication enforced
  • Non-standard SSH ports
  • Firewall (CSF) on all servers
  • Regular security updates
  • Geographic isolation (Germany/UK)

Application Security:

  • Let's Encrypt SSL/TLS on all sites
  • Multiple PHP versions with security updates
  • Regular software patching
  • Malware scanning (cPanel built-in)

Data Security:

  • Daily automated backups (encryption at rest planned for Q1 2026)
  • GDPR-compliant hosting location
  • Encrypted connections (SSH, HTTPS, IMAPS)

Operational Security:

  • 99.98% uptime demonstrates reliability
  • Proven incident response capability
  • Documented procedures

Identified Gaps

⚠️ Security Monitoring

  • Status: Incomplete
  • Impact: Limited visibility into security events
  • Risk Level: Medium-High
  • Action: Deploy Wazuh SIEM (in planning)

⚠️ Centralised Logging

  • Status: Logs distributed across servers
  • Impact: Difficult correlation and analysis
  • Risk Level: Medium
  • Action: Implement centralised log aggregation

⚠️ Intrusion Detection

  • Status: Basic firewall rules only
  • Impact: May miss sophisticated attacks
  • Risk Level: Medium
  • Action: Deploy Wazuh with IDS capabilities

⚠️ Security Incident Documentation

  • Status: Informal procedures only
  • Impact: Inconsistent incident response
  • Risk Level: Medium
  • Action: Document formal incident response plan

⚠️ Vulnerability Management

  • Status: Ad-hoc patching
  • Impact: Potential exposure to known vulnerabilities
  • Risk Level: Low-Medium
  • Action: Implement systematic vulnerability scanning

Security Architecture

Network Security

graph TB
    Internet[Internet]

    subgraph "DMZ - Public Services"
        FW1[Firewall Layer 1<br/>CSF/iptables]
        LB[Services]
    end

    subgraph "Protected Zone"
        WEB[Web Services<br/>Apache/nginx]
        MAIL[Email Services<br/>Exim/Dovecot]
        DB[Database<br/>MySQL/MariaDB]
    end

    subgraph "Management Zone"
        ADMIN[Admin Interfaces<br/>cPanel/SSH]
        BACKUP[Backup Systems]
    end

    subgraph "Monitoring Zone - Planned"
        WAZUH[Wazuh SIEM]
        LOGS[Log Aggregation]
    end

    Internet -->|Port 80/443| FW1
    FW1 --> LB
    LB --> WEB
    LB --> MAIL
    WEB --> DB

    Internet -.->|SSH Keys Only| ADMIN

    WEB -.->|Logs| WAZUH
    MAIL -.->|Logs| WAZUH
    DB -.->|Logs| WAZUH
    ADMIN -.->|Logs| WAZUH
    WAZUH --> LOGS

    classDef public fill:#f39c12,stroke:#2c3e50,stroke-width:2px,color:#fff
    classDef protected fill:#3498db,stroke:#2c3e50,stroke-width:2px,color:#fff
    classDef management fill:#8e44ad,stroke:#2c3e50,stroke-width:2px,color:#fff
    classDef monitoring fill:#27ae60,stroke:#2c3e50,stroke-width:2px,color:#fff

    class FW1,LB public
    class WEB,MAIL,DB protected
    class ADMIN,BACKUP management
    class WAZUH,LOGS monitoring

Access Control

SSH Access:

  • Key-based authentication only (passwords disabled)
  • Non-standard ports (>10000)
  • IP whitelisting where practical
  • Automatic ban for failed attempts (Fail2Ban)

Control Panel Access:

  • HTTPS only
  • Strong password requirements
  • IP whitelisting available
  • Session timeouts configured
  • Two-factor authentication (planned for ApisCP)

Database Access:

  • Local connections only (no remote access)
  • Application-specific users with minimal privileges
  • Regular credential rotation

DNS Management:

  • Restricted to admin access only
  • DNSSEC for enhanced security (planned)
  • Hidden master architecture (planned)

Application Security

Web Applications:

  • All sites served over HTTPS
  • HTTP to HTTPS redirection enforced
  • Secure headers configured (HSTS; CSP planned)
  • Regular WordPress core/plugin updates
  • File integrity monitoring (planned with Wazuh)

Email Security:

  • SPF records configured
  • DKIM signing enabled
  • DMARC policies (to be fully implemented)
  • SpamAssassin for incoming mail
  • TLS for mail transport
  • Authenticated SMTP required

Database Security:

  • Databases isolated per account
  • Minimal privilege principle
  • Regular backups (encrypted in transit; at-rest encryption planned)
  • No remote database access
  • SQL injection protection (application level)

Threat Model

Primary Threats

1. Unauthorised Access

  • Vector: SSH brute force, credential compromise
  • Impact: Critical - full server compromise
  • Mitigation: Key-based auth, Fail2Ban, non-standard ports
  • Status: Well-protected

2. DDoS Attacks

  • Vector: Volumetric attacks, application-layer attacks
  • Impact: High - service unavailability
  • Mitigation: Hetzner DDoS protection, rate limiting
  • Status: Basic protection, could be enhanced

3. Malware/Ransomware

  • Vector: Compromised WordPress plugins, email attachments
  • Impact: High - data loss, client site defacement
  • Mitigation: Regular backups, ClamAV scanning, updates
  • Status: Good backup strategy, monitoring needs improvement

4. Data Breach

  • Vector: Application vulnerability, SQL injection
  • Impact: Critical - GDPR breach, reputational damage
  • Mitigation: Regular updates, minimal data collection, encryption
  • Status: Good practices, formal incident response needed

5. Insider Threats

  • Vector: Accidental or malicious actions
  • Impact: Medium-High - configuration errors, data exposure
  • Mitigation: Audit logging, change management, backups
  • Status: Low risk (single operator), logging needs improvement

6. Supply Chain

  • Vector: Compromised software packages, dependencies
  • Impact: Medium - potential backdoors or vulnerabilities
  • Mitigation: Official repositories only, signature verification
  • Status: Standard practices, could be enhanced

Threat Prioritisation

| Threat              | Likelihood | Impact   | Priority | Status                        |
|---------------------|------------|----------|----------|-------------------------------|
| DDoS Attack         | Medium     | High     | High     | Basic protection              |
| Malware Infection   | Medium     | High     | High     | Good backups, need monitoring |
| Data Breach         | Low        | Critical | High     | Need incident response        |
| Unauthorised Access | Low        | Critical | High     | Well-protected                |
| Insider Threat      | Low        | Medium   | Medium   | Acceptable risk               |
| Supply Chain        | Low        | Medium   | Medium   | Standard practices            |

Security Monitoring (Planned)

Wazuh SIEM Deployment

Objectives:

  • Centralised security event monitoring
  • Real-time threat detection
  • Compliance reporting (GDPR, PCI DSS)
  • File integrity monitoring
  • Vulnerability detection
  • Incident response support

Architecture:

graph TB
    subgraph "Monitored Servers"
        EU1[eu1.cp<br/>Wazuh Agent]
        NS1[ns1<br/>Wazuh Agent]
        NS2[ns2<br/>Wazuh Agent]
    end

    subgraph "Wazuh Infrastructure"
        MANAGER[Wazuh Manager<br/>Log Processing]
        INDEXER[Wazuh Indexer<br/>Data Storage]
        DASHBOARD[Wazuh Dashboard<br/>Visualization]
    end

    EU1 -->|Logs & Events| MANAGER
    NS1 -->|Logs & Events| MANAGER
    NS2 -->|Logs & Events| MANAGER

    MANAGER --> INDEXER
    INDEXER --> DASHBOARD

    ADMIN[Administrator] --> DASHBOARD

    classDef servers fill:#3498db,stroke:#2c3e50,stroke-width:2px,color:#fff
    classDef wazuh fill:#27ae60,stroke:#2c3e50,stroke-width:2px,color:#fff
    classDef admin fill:#8e44ad,stroke:#2c3e50,stroke-width:2px,color:#fff

    class EU1,NS1,NS2 servers
    class MANAGER,INDEXER,DASHBOARD wazuh
    class ADMIN admin

Detection Capabilities:

  • Login attempts and authentication events
  • Root access and privilege escalation
  • File modifications in critical directories
  • New processes and services
  • Network connections and port scans
  • Web application attacks (SQLi, XSS)
  • Malware detection
  • Compliance violations
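The first detection capability above (login attempts and authentication events) and the Fail2Ban automatic ban listed under Access Control, as an added example that is not part of the original document: a Fail2Ban-style sliding window over sshd log lines that flags a source address after repeated failed logins, plus the per-address failure count the weekly report would carry. The host name, addresses, PIDs and the `maxretry`/`findtime` thresholds are assumptions; the log lines are constructed.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sshd syslog lines for illustration (not MDHosting's real logs);
# host, PIDs and addresses are placeholders. syslog omits the year, so it is assumed.
SAMPLE_LOG = """\
Jan 12 03:14:01 eu1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 12 03:14:03 eu1 sshd[2203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jan 12 03:14:06 eu1 sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2
Jan 12 03:14:09 eu1 sshd[2207]: Failed password for root from 203.0.113.7 port 51150 ssh2
Jan 12 03:14:10 eu1 sshd[2209]: Failed password for root from 203.0.113.7 port 51160 ssh2
Jan 12 03:20:44 eu1 sshd[2300]: Accepted publickey for deploy from 198.51.100.20 port 40001 ssh2: ED25519 SHA256:AAAA
Jan 12 04:05:00 eu1 sshd[2400]: Failed password for root from 192.0.2.9 port 33000 ssh2
Jan 12 04:30:00 eu1 sshd[2401]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""

# Matches the "Failed password" line sshd logs for both known and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(log_text, year=2026):
    """Yield (timestamp, user, source_ip) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def failures_per_ip(log_text, year=2026):
    """Total failed attempts per source address (the weekly report statistic)."""
    return dict(Counter(ip for _ts, _user, ip in parse_failures(log_text, year)))

def find_ban_candidates(log_text, maxretry=5, findtime=600, year=2026):
    """Fail2Ban-style sliding window: an address that fails maxretry times within
    findtime seconds becomes a ban candidate. Returns {ip: (ban_time, attempts)}."""
    recent = defaultdict(deque)
    bans = {}
    for ts, _user, ip in parse_failures(log_text, year):
        if ip in bans:
            continue  # already flagged; Fail2Ban would be dropping this traffic
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget attempts older than the window
        if len(window) >= maxretry:
            bans[ip] = (ts, len(window))
    return bans
```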

Alerting:

  • Real-time email alerts for critical events
  • Daily/weekly summary reports
  • Custom alert rules for specific threats
  • Integration with incident response procedures

See Wazuh Deployment Project for implementation details.

Vulnerability Management

Current Process

Patch Management:

  1. AlmaLinux security updates - automatic daily
  2. cPanel updates - manual monthly
  3. WordPress core - automatic minor, manual major
  4. WordPress plugins - manual weekly check
  5. PHP versions - manual quarterly review

Vulnerability Scanning:

  • cPanel's security centre (basic)
  • Manual review of security advisories
  • WordPress plugin vulnerability checks

Planned Improvements

  • Automated vulnerability scanning with Wazuh
  • Scheduled patch management windows
  • Testing environment for updates
  • Documented patch validation procedures
  • Regular penetration testing (annual)

Incident Response

Current Capability

Informal Procedures:

  • Immediate backup restoration if needed
  • Server isolation capabilities
  • Contact with Hetzner support
  • Client notification process

Response Time:

  • Critical incidents: <1 hour response
  • High priority: <4 hours response
  • Medium priority: <24 hours response

Required Improvements

Priority: High - Formal incident response plan needed

Planned Documentation:

  1. Incident Classification
     • Severity levels and criteria
     • Escalation procedures
     • Response time targets

  2. Response Procedures
     • Initial assessment steps
     • Containment procedures
     • Eradication procedures
     • Recovery procedures
     • Post-incident review

  3. Communication Plans
     • Internal communication
     • Client notifications
     • Regulatory reporting (GDPR)
     • Documentation requirements

  4. Contact Information
     • Emergency contacts
     • Vendor support details
     • Legal counsel (if required)
     • GDPR supervisory authority

See Incident Response for detailed procedures (to be completed).

Compliance & Standards

GDPR Compliance

Current Status: ⚠️ Requires documentation improvement

Strengths:

  • Servers located in Germany (EU)
  • Encrypted data in transit (HTTPS, SSH, TLS)
  • Data minimisation practised
  • Client data segregation

Gaps:

  • Incomplete data processing records
  • Informal data retention procedures
  • Limited data breach notification procedures
  • Insufficient privacy impact assessments

Action Required:

  • Complete GDPR compliance documentation
  • Formal data processing agreements
  • Document retention and deletion procedures
  • Enhanced incident notification procedures

See GDPR Compliance for detailed requirements (to be completed).

Industry Standards

Alignment with Standards:

  • CIS Benchmarks: Partial compliance (to be assessed)
  • NIST Cybersecurity Framework: Informal alignment
  • ISO 27001: Not certified, but following many practices
  • PCI DSS: Not required (no direct card processing)

Security Roadmap

Q1 2025 (Current Focus)

  • Document current security posture
  • Complete security gap analysis
  • Deploy Wazuh SIEM
  • Implement centralised logging
  • Document incident response procedures
  • Complete GDPR compliance documentation

Q2 2025

  • Implement file integrity monitoring
  • Deploy intrusion detection rules
  • Vulnerability scanning automation
  • Security awareness documentation
  • Penetration testing (external)
  • PowerDNS with enhanced DNS security

Q3 2025

  • Enhanced DDoS protection review
  • Web Application Firewall (WAF) evaluation
  • Security audit of ApisCP migration
  • Implement security metrics dashboard
  • Quarterly security review process

Q4 2025

  • Annual security assessment
  • Update threat model
  • Review and update all security procedures
  • Compliance audit preparation
  • Plan next year's security improvements

Security as a Service

Potential Revenue Opportunity

With Wazuh deployment and enhanced security practices, MDHosting can offer:

Security Monitoring Package:

  • 24/7 security monitoring
  • Monthly security reports
  • Incident notification
  • Compliance reporting
  • Estimated value: £10-15/month per client

GDPR Compliance Service:

  • GDPR documentation assistance
  • Data processing agreements
  • Privacy policy templates
  • Compliance audits
  • Estimated value: £25-50 setup + £10/month

Premium Backup Service:

  • Enhanced backup frequency
  • Off-site backup storage
  • Ransomware protection
  • Priority restoration
  • Estimated value: £15-25/month per client

Potential Additional Revenue:
30 clients × £35/month average = £1,050/month = £12,600/year

Security Metrics

Key Performance Indicators

To Be Implemented:

  • Mean Time to Detect (MTTD): Target <1 hour
  • Mean Time to Respond (MTTR): Target <4 hours
  • False Positive Rate: Target <5%
  • Patch Compliance: Target >95% within 7 days
  • Security Incidents: Track and trend
  • Uptime: Maintain 99.98%+

Reporting

Weekly:

  • Critical security alerts summary
  • Failed login attempt statistics
  • Malware detection reports

Monthly:

  • Security posture dashboard
  • Vulnerability assessment results
  • Patch compliance status
  • Incident summary

Quarterly:

  • Comprehensive security review
  • Threat landscape updates
  • Compliance status
  • Security roadmap progress

Resources & Training

Security Tools

Current:

  • CSF (ConfigServer Security & Firewall)
  • Fail2Ban
  • ClamAV (malware scanning)
  • Let's Encrypt (SSL/TLS)
  • cPanel Security Centre

Planned:

  • Wazuh SIEM
  • PowerDNS with DNSSEC
  • WAF (to be evaluated)
  • Enhanced backup verification tools

Knowledge Resources

  • Wazuh Documentation: https://documentation.wazuh.com
  • OWASP Guidelines: https://owasp.org
  • CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks
  • UK GDPR: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
  • NCSC Guidance: https://www.ncsc.gov.uk/collection/small-business-guide

Security is an ongoing journey, not a destination. This document will be continuously updated as our security posture evolves.

Document Status: Draft - Requires completion of gap remediation
Last Updated: January 2026
Next Review: End of Q1 2026