zeno_lee asks:
"How do people deal with situations like this? Recently, we were cracked because our ISP failed to patch known security holes. They now want us to pay for them to patch up the holes. We are a bunch of dedicated volunteers who run a community web site we are developing using Apache/PHP/MySQL. The volunteers have nothing to gain except the rewards of bringing a national community together. We were cracked twice within 1 week of going live on the site. We are getting service from CommuniTech, who rent us a Cobalt Raq3 server. Part of the reason to go with a dedicate server from an ISP is to outsource system administration. No one amongst us is a full time computer security officer." One would think that when you pay for system administration, that security would be part of the deal. Looking at their
FAQ, they give the impression that their servers are secure, so you'd think they would do something as simple as apply patches. Also, there is no mention of any extra charges for security on their pricing page, so does CommuniTech have any sensible reason for charging extra?
"We were cracked first within 5 days of our site going live. After paying communitech.net $62.50 for reinstalling the OS, it was cracked just 24 hours later. After speaking with Cobalt, they told us that our ISP, communitech.net, failed to patch up well publicized security holes on the Raq3. Acknowledging their failure, Communitech is not charging us for reinstalling the OS, but they are charging us $125 for someone to patch up the security hole. How blatantly unfair is that? I wanted the Slashdot community to be aware of the practices of such companies and see if others have had similar experiences and how they dealt with those situations.
We signed a 6 month contract, and we need options and strategies. What are the possible options we have? We just want a website running, we don't need to deal with all this bull."
In Cobalt's defense they have done a lot of work on their GUI management tools. They don't just throw a pile of hardware and open source software together and resell it. They do add a lot of value to their systems, and don't seriously overcharge for it.
Brad - the question is about RaQ 3 from Cobalt..
When did you hear last time that Cobalt is running on Windows? It's only running Linux and their new ones running on Solaris.
Of course - you can grab such a machine and slap Windows NT/2000 on it, but what's the point?
Hetz (Heunique)
From my experience - you'll find with Apache a MUCH more responsive answer, instructions for workaround - and in most of the times - a patch WITHIN few hours...
With MS stuff (and I had the "pleasure" to be in that situation) - first they argue with you that you are wrong, and it doesn't exist, then when they are convinced that there is something true in what you say - their workaround is ...funny ("disable Java on your clients"), and most of the time the patches come either after few days at minimum, and even when they issue a patch, they're not checking it well (service pack 6 on Win NT, anyone? or the latest security fix which won't apply on many machines...)
Sorry, but MS still doesn't "get it" on security in my book.
Hetz (Heunique)
A website is cracked.
A cipher is cryptanalyzed.
--
Xenu loves you!
From what I've seen of Rackspace from talking to sales and support, they are very concerned about being the best at what they do. But they don't do what you want them to do; you wanted someone else to do administration and security for you.
I would probably just go with Debian and a managed hosting solution (like Rackspace) and then ask someone who is very knowledgeable about security to lock down your site. You won't need new security administration until you upgrade to the next Debian version. Don't forget to subscribe to debian-security-announce, too.
I'm sorry, but it costs money to have someone maintain security. And this CT company ain't willing to give away what skills they have. Though it doesn't sound like they play a fair ball game.
Ciao!
The Doctor What (KF6VNC)
Since it seems like someone actually found this interesting, I thought I'd go ahead and post the actual link to the google service (AdWords.) Of course, clicking through, in their estimate of how much it would cost to attach your banner to the "communitech" keyword, it would appear that no one actually searches for communitech so maybe this isn't such a hot idea :) Still, especially if very few people search for communitech, this is a low-cost way to get your point across.
~luge
~luge
IAAL,BIANLY
buy one of those cheap ad banners on google and set it to come up every time someone searches "communitech." Have it link to a page where you've collected a list of your problems (and hopefully the problems of others, to give it more credibility.) Make it look very professional; avoid getting personal; etc., and pretty soon you'll have solutions.
IAAL,BIANLY
From http://www.communitech.net/hosting/virtual/plans/unix.cgi:
These people are obviously ignorant of Sun's own history. Sun caught on in the 1980s--not because it was the most stable, not because it was the most secure, but because Sun's software was the most open. Sun's success in the 1980s and early 1990s can be mainly attributed to the fact that they opened up the code for NFS, the code for the XV windowing toolkit, and the code for the RPC library.
NFS was, and still is a joke, compared to better systems like AFS. However, the popularity of PC-compatible hardware shows that it is not the best that wins in the computing marketplace, but the cheapest and most open.
The statistics prove this: Linux is gaining market share. Solaris is losing market share.
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
...is not due to Sun open sourcing their toolkits for NFS and XV and such; it's due to that fact that they all but give the OS away with their servers. And SUN servers, frankly, kick ass, which is why they sell so many of them.
This space for rent. Call 1-800-STEAK4U
When you lease a dedicated server, you're getting a box and the root password, on a network of some sort, plugged into some power.
As far as the rest, bail on the contract, tell your credit card company to stop payments to them, and go find someone else. Colocation services, really, are a dime a dozen, like dialup ISPs were a few years ago. Of course, that assumes you can move. You didn't set up your DNS so that they are responsible for your domain, too, did you?
This space for rent. Call 1-800-STEAK4U
Obviously you didn't read the last paragraph since "6 month contract" is pretty clear.
While I agree that they're a bunch of incompetent idiots for not including security updates as part of the base service, both for customer goodwill and for the numerous problems that can arise from having hosts on your network that are script-kiddie-bait, I have to point out that people also should be free to sign contracts with incompetent idiots if they choose, and businesses should be free to contract to provide piss-poor service.
It's the nature of a free country and a free economy; people have to be free to pay other people to do stupid things, as long as those stupid things are what was agreed to.
The host didn't say in their contract that they would keep up the patches, so the customer's legitimate bitch is pretty narrow.
Next time, they should make sure this is included in the contract, and not do business with anybody who won't.
On the other hand, you will *NOT* find a contract that assumes responsibility for keeping the systems secure; no company in their right mind would agree to that. What they will do is agree to keep up with the latest patches from the OS vendor in a timely manner. "In a timely manner" of course would be expected to be fought out in court after the fact.
Oh; and while I am a highly-paid information security professional with a Fortune 500 company, I am not now, nor have I ever been, an attorney.
-
I'm feeling generous today, so it's time to feed a lonely old troll...
What APACHE cracked? How come when an apache server is cracked, the slashdot crowd says "who were these idiots who can't apply patches!" but when an IIS server is cracked and people say "they haven't applied the patches, clueless admins!" those folks get either flamed or modded into oblivion? The double standard is really getting old and the reason I don't read /. very often anymore...
1. There is no "Slashdot crowd". We all disagree, many times vehemently, on just about every topic you can imagine. Closed vs. open source, Linux vs. xBSD, KDE vs. GNOME, Perl vs. python, mySQL vs. postgreSQL; you name it, at least half a dozen flamewars on /. have occurred over it.
2. You can't even come up with a compelling rant; where is the double standard here? Using your own words...
Apache: when an apache server is cracked, the slashdot crowd says "who were these idiots who can't apply patches!"
IIS: when an IIS server is cracked and people say "they haven't applied the patches, clueless admins!"
It seems to me that your rhetorical "Slashdot crowd" is saying that it's the admin's fault in both cases.
3. If /. is so painful for you to read, leave. You're only wasting your time and ours posting mindless gripes. But then again, that's the only thing a good troll does anymore...
Jay (=
yes, but how many people in the world actually check with the better business bureau prior to making a purchase? .01%? .1%?
They're basically a useless bunch of people, attempting to keep themselves in business through collecting dues... "well, if you don't pay us our dues, we can't say that you're a member and if anyone calls asking we'll say that you refused membership"... it's almost blackmail, given their reputation...
The problem with having your remote box doing apt-get updates via cron is you end up breaking shit all the time without realizing it. More than once the latest and greatest package has its own set of bugs you just unknowingly stuck on your box. Stick with an older heavily patched version of a daemon that is well documented. Switching to new code constantly is only going to open up security holes you don't know about.
I'm a loner Dottie, a Rebel.
Be that as it may, you also have to realize that this happened once before already. Is it so unreasonable for them to fix a security hole once the server has been hacked using it?
No, this sounds like a case of a business actually trying to screw the customer by double-charging--charging for reinstalling the OS and charging for applying a security patch, and one that really wouldn't take much time anyway.
But the main point is, even if they don't promise security or anything, I disagree with some of your statements. Maybe it is reasonable for them to reinstall the OS for a charge. But then on top of that demanding a charge to patch the security hole is absurd.
Call (816) 300-4678 and ask to speak to dedicated support. You'll get a sense of their hold times. Then ask them a few innocent questions about how secure their stuff is, and be reassured when they answer all is taken care of. Then stop and think, and then laugh like a maniac :)
Their quickserv pricing is a joke. Their overusage charge runs OVER $8 per GB. That is ridiculous frankly, we push a couple thousand GBs a month and would be quickly broke at that rate. A good place should hit $3/gb or $2/gb, they are FOUR TIMES more expensive.
Take a look at any place like rackspace.com or dellhost.com, or maxim.net.
Maxim.net charges $250 mbit == 320GB a month or 10GB a day. Let's say we push above 4mbits. At maxim that's gonna cost $1000.
At pair that 1200GB is gonna be much more expensive. Reduce it to 1000GB/month because of the 60GB a month they give you. Then you have an overage of 33GB a day which costs $8250!
For us, this decision is trivial. I'll take that $7,000 a month or $84,000 a year any day.
Now, the hardware they give you doesn't even come close to the hardware dellhost would give you for the same price, and if you ARE lower bandwidth dellhost includes a gig or two free every day as well.
Then ask whether you have full access to your box including easy 24x7 reboot in 5 minutes or less. Dell provides that at a much lower cost.
In fact, I can see almost NO price point and NO usage pattern that makes pair quickserves a good deal. That is surprising for any hosting company, and especially pathetic at pair because we were with them for a long time.
Finally, when you call them up to get some quickservers setup, you'll find that instead of next day provisioning you get at a place like dellhost.com, you'll get a who knows, especially for an order of more than one server (we run 4 dual CPUs and a quad xeon with 2g of ram plus a single PIII for admin.)
I'm surprised they have any business whatsoever, but I suspect most of the new .coms never do any business planning in the first place, so don't have a clue what costs should be.
I'll respectfully disagree with your very very cheap description. More like incredible ripoffs to idiots silly enough to fall for it.
Unlimited bandwidth = joke. Call them, tell them you'll be hosting a huge file archive and expect to push 1,000GB a month per server minimum, for that $200 monthly cost. Laugh while they root around and discover the magic document that turns unlimited into super limited and we can cut you off without notice just as you become popular.
Uptime promises = joke, even if they are in writing. Usually they claim it was an outside problem even if THEIR router failed, and the amount you get if they break their SLA is pathetic.
Security is a joke. Our current Top 5 dedicated hosting provider allows easy access to all customer accounts, and I mean easy, no hacking, no passwords, nothing. It's so easy it's not even newsworthy. I like it because I never have to logon, passwords are a pain. And they have yet to patch a security hole either.
Don't sign super long contracts. Rackspace charges an arm and a leg and are doing great. Why? One reason is they go month by month, they've got an incentive to keep you, and I suspect it makes a difference.
Anyone find a really good and cheap dedicated hosting provider? I'd love a place where we could buy our own set of 10 servers, and just pay for the space and the bandwidth, and have it be cheap. With a proper telephone remote-reboot, we could do everything else ourselves, which we already have to do because the emergency support are basically script readers in Kajikastan I think.
This is one for lawyers. It all boils down to the contract.
The best outcome would probably be for you to find out that they probably breached the contract by demanding more money for something that is part of 'administration' and simply get a pro-rated refund, and move your service elsewhere.
posting a very negative comment about them on Slashdot, where tons of sysadmins and web developers hang out? The negative publicity should more than make up for any profit they get from slacking off... Oh, wait...
Dump communitech and go with Rackspace.com. I was researching places like this awhile back for a little project I was working on, and I only heard good things about rackspace.com. Standard bandwidth is 10GB/mo, but for $120 more, you get 75GB/mo. Even their crappiest intel box is better than a Raq3 (they provide those also though).
Need Free Juniper/NetScreen Support? JuniperForum
Now, if you call the ISP and demand that they install a patch Immediately If Not Sooner, they probably charge you time & labor for this work which is essentially special attention to the box, as it breaks from the set patching schedule (which probably is part of your service agreement).
I dunno the Communitech patching and service scheme, but this seems a likely answer to the question, which is obviously coming from an upset and nervy customer.
--
Terrorists can attack freedom, but only Congress can destroy it.
Service levels come in three flavors.
:)
Managed server - Server is provided and maintained by the hosting company in question. You may or may not have root access.
Dedicated server - Server is provided, but the level of administration provided by the hosting company should be discussed. Unless requested, I would expect NO interference from the hosting company. You should always have root access.
Colocated server - Same as above, except the customer provides the server too.
Updates and patches are usually (maybe not usually? it's usual for where I work, Site5, at least) by the hosting company anyway, without a charge.
Some things are charged for, and should be - But just keeping a system up to date (which will also keep 90% of the script kiddies at bay - I'm not implying an up-to-date system is a secure system, however) should be standard practise at all hosting providers.
What happened with CommuniTech, under any other circumstances, I would put down to miscommunication - As in, the host thought that the client wanted to handle things themselves. But CommuniTech have what I wouldn't call the best reputation.
Search for CommuniTech at Webhosting talk, and you'll see what I mean.
I need a sig.
"That said, the security of your box is your responsibility. It doesn't matter where your box is located or whose pipes it's connected to. "
If there was an understanding that security was to be handled by the ISP then it's NOT your responsibility. You are paying them for a service and it's their responsibility. That's what service contracts are for so you can let someone else handle the problem.
War is necrophilia.
Debian plus psionic.com.
Go to psionic.com and download their free tools. logcheck is an official potato package but portsentry is not (it's in woody). Either way you can either download the tar file or the deb from debian and install them.
Then go to The Trinity document and do some reading.
After that you should be able to defend yourself from most attacks.
War is necrophilia.
Did the contract you signed make any statements about security upgrades? I read over their FAQ and it does not lead me to believe that they would do that. To the contrary, it basically says "we're as secure as any other unix platform but a determined cracker can get in".
I've been a victim of contract assumptions in the past. Never ever ever expect a contractual partner to do something that will cost him money (in material or labor) unless it's explicitly stated.
SuperID
Free Database Hosting
"Exclusions. Maintenance and support services shall not include services for problems arising out of (a) tampering...."
SuperID
Free Database Hosting
Managed Service = Looking after the server, including applying security patches.
They purchased a sysadmin package, so that the hosting provider supplies sysadmin for the box.
So:
:)
- power outage - don't they have a backup generator? Always find out about backup electricity when co-locating.
- $850 for 2 boxes per month co-location with unlimited bandwidth - even in the UK you can pay £3100 per year (under $500 per month) for unlimited bandwidth for a box (4U or under), with a reputable provider (clara.net) who know what they are doing.
Anyway, American in store service may be great, but America doesn't match many other countries for tech support. Anyway, in a few months time when the recession bites home in America, there will be plenty of high quality techs available, and service will improve.
Yeah, yeah. I saw that right after I posted it. I just had to bold it too :(
---
satire, n: 1) witty language used to convey insults or scorn; 2) a form of humor lost on most slashdot moderators.
Doesn't really suck when, even after proofing your message, you don't catch the mistake until after you post. And to do it in bold, no less :(
---
satire, n: 1) witty language used to convey insults or scorn; 2) a form of humor lost on most slashdot moderators.
Well, my previous post has an error too!
:o
Should be "Doesn't it suck.."
Oh, to correct your correction, it actually should have been "It is their responsibility..."
Its Beer Ti^H^H^H^H^H^H^HSaturday, what can I say?
---
satire, n: 1) witty language used to convey insults or scorn; 2) a form of humor lost on most slashdot moderators.
Well, they specifically said it is a dedicated server. That means that they have leased it, just like you would lease a car. Maintenance, upkeep and system administration is solely the lessors responsibility.
Visit Cobalt's website, subscribe to Cobalt's lists, especially the announce list.
Search the user list archives and discover the unholy number of folks that have been hacked through BIND because they didn't upgrade.
The fact is, they leased it. It is they're responsibility for the upkeep. It would be a different story if they leased web space, but they didn't.
Leasing a dedicated server does not absolve you of system administration, but exactly the opposite!
---
satire, n: 1) witty language used to convey insults or scorn; 2) a form of humor lost on most slashdot moderators.
I think he just did :)
Sigh... even more reasons that I hadn't heard yet that Communitech sucks. I never had a problem with ZIP files (and my sites use them extensively), so I'm guessing that they just had a grudge on you and that was the best excuse they could come up with. They do that a lot. BTW, there's absolutely no way you have to pay any of that extra money just because they want you to do so. Ask them to pay you $5000. Tell them the reason, "just because" - after all, that's the reason they're demanding money from you. The only power they have over you is a) the TOS and the agreement you signed, which most certainly doesn't mention anything about additional fees that were never agreed upon, and b) they can take down your website, which they had already done, so they relinquished that power. They have no right to request that money, and you have the right to sue them (well, at least threaten that) or report them to BBB, attorney generals, etc.
BTW, if you're serious about the site dedicated to "showing the truth" behind CT (or possibly, a general site to uncover dark secrets of other bad companies) then I'll definitely join you. My CT hell ended over a year ago, so my hatred for them has somewhat dampened, but I'm still enraged when I think of their company.
I used communitech for a little over a year, and my experience was awful. They kept on taking away services that were promised when I signed up, and refusing to refund anything. They suspended my accounts twice; their policy for suspension is to immediately take the site down and leave a "forbidden" page, then ask questions later. One of the times it was because I was using too much bandwidth - one of the primary reasons I used communitech was because of their promise of "unlimited bandwidth" (I believe they've since changed their policy, without notice of course). The second time it was because I alerted them of a security hole in their system. ALERTED them - I simply wanted it fixed, but they suspended my site. When I called soon after, they threatened to call the police. They guaranteed 99.5% uptime when I signed up, but never met that - later, when questioned, they said that they were working towards that goal, but it wasn't actually a guarantee (even though it was advertised on their front page). Customer support was horrendous - I'll leave it at that. When I finally canceled my accounts, they continued billing me. They wouldn't stop until I threatened to call the Attorney General of their state (after that, of course, they quite willingly stopped). I could keep going, but I'll leave it at that. Please, whatever you do, get away from Communitech. If you don't, I assure you that you'll regret it later.
I have had a dedicated server at Dialtone Internet for over a year, and have been pleased with their service. They have great connectivity, 24 hour monitoring, a ticketing system and reasonable pricing. They don't handle patches under my plan (I handle those via ssh) but I have dealt with their support department several times (reboots, and a hardware failure) and they have been very professional. I did have some difficulty once, straightening out some billing issues with their mostly Spanish-speaking staff in that department. It took two days of faxes and emails and a lot of patience on both sides before we were able to overcome the language barriers and get things in order.
Anyway, I would definitely recommend Dialtone to anyone looking for a dedicated server.
--
Wouldn't the best way of demonstrating your pissed-ness be to take your business elsewhere? Find another provider.
Also find a web-host review site or something, and tell the world how bad your current provider sucks.
--
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
Maybe you could actually READ my comment. I said that the same response is NOT given. People rant on M$ security, how it "sucks" and is "worthless", but say that the admins are clueless in the apache case... BTW, the fact that my response was modded "troll" -1, pretty much does nothing except back up my argument.
---
DO NOT DISTURB THE SE
It sounds like they're incompetent, which really doesn't surprise me at all. Most companies seem to feel you can train some monkeys to do sysadmin level work. That's not true of any OS, although some of the more "User Friendly" ones delude you into thinking you can, right up until the skript kiddies march in and take over. You have the correct level of expectation that security holes will be fixed as part of what you're paying them to host the site, so if they don't hold up their part of the contract, threaten to sue the crap out of them. Or at least demand that they release you from the contract since they're not upholding their end of the deal. IANAL but I play one on TV.
As a side note, a lot of these web hosting places are fly by night operations that disappear a couple of months after they open up. The fly-by-nights are much more likely to try to get by with trained monkeys on the sysadmin team. If the guy who sold you your service is also the system administrator, be wary. It's always a good idea to see how long a company's been in business and ideally get some references from other customers of that company before you decide to do business with them.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Please MOD this up!
Sig goes here
Very informative!
Sig goes here
We do give our customers root to their servers and we warn them that while one advantage to a dedicated server is that we will maintain the server and keep it running, when they do something boneheaded (like chmod -R bob /) we will bill them to fix it.
So far it hasn't been a problem and only one customer has actually done something to break the server (see the chmod example above).
-----
I think it can kiss its reputation goodbye the moment this story is on /.
You can check webhostingmenu.com to find better web hosting.
It lists plans from FirstWorld, AF Hosting, NYI.net, Hyper Hosting, Verio, Bitserve, ThinkHost, Interliant, and Dell Host. None of these will be as bad as CommuniTech. [/plug]
I've had a pair of boxes hosted at Maxim.net for quite a while. The prices are low -- for 2 boxes and 1 dedicated meg (which we can fill 100% all month long for the same price), we pay around $850. These are for boxes we built, so hardware is not included, but that's still pretty impressive. Although I've never remote-rebooted (both boxes up 185 days running linux since they had a power outage 6 mo ago), they have telephone reboot, as well as some services.
They just merged into a larger company, and they finally got a trouble ticketing system, but customer service is still pretty awful, so it's fortunate I rarely need it. They have a few very clued network guys, if you can get them.
Also, the cobalt raqs are very easy to patch. They have a GUI, a section to install software (Maintenance/Install Software). You can just paste the URL of the patch, and it installs it. The patches are here.
That said, communitech sucks. I've had problems with them in many other areas too. I can't recommend another ISP that will patch the servers for you, but I can say that communitech sucks.
--
--
Stay tuned for some shock and awe coming right up after this messages!
Cobalt makes their patches available for everyone to download and install. Sure, it takes them several weeks to make a patch available, and given that they use RedHat GNU/Linux security holes keep popping up, but there is no reason why your ISP should be more able than you to download and apply the patches.
Of course, I have to wonder why you're using a Raq anyway... I've never quite understood how $1000 of hardware plus lots of free software equals a $5000 server.
Tarsnap: Online backups for the truly paranoid
The long: A similar thing happened to one of our clients. I work for a web development company and we have over the last year tried to get away from hosting. It's annoying, we don't want to do admin work, etc. so we partnered with a well known hosting provider (with pretty much a similar contract). The box was running NT (not my choice) and the day before they had scheduled to install a patch for a very well known (and for a good amount of time) bug, a script kiddie hacked the site. The first thing the hosting provider did? Blame us AND demand more money to get the site back up. WTF? Anyway, while they scrambled around with their heads cut off, we brought the servers back to our office, brought in security experts we were negotiating a partnership with anyway, and locked down the site and brought it back up (all in 24 hours ;-) ourselves. Then, we had our new security partners go into the hosting provider's rack area (the hp let us into the wrong closet first.. *sigh*) and effectively make the provider their bitch. "This is wrong, this is wrong", etc. The client is very happy with us and 5 seconds away from dumping the provider. Since then, the provider has pretty much asked "how high" when we or the client has said jump.
psxndc
The emacs religion: to be saved, control excess.
I know that this is a random plug, but I get my service from toolshed51.com. The service they provide is excellent, they have the PHP, Apache & mySQL tools installed and they run FreeBSD that is constantly patched for security holes. You should contact them!
PS--I don't have any affiliation except that I'm a satisfied customer!
Doh!
...or do you think Solaris sunglasses provide all the light in the world?
You need apache, php, and mysql. Many, many hosting providers will have accounts set up around this configuration, allowing you to "just have a website up without all this bull" as you put it. They worry about server admin and security (on the host and network level anyway), all you have to do is write code and pay the bills.
As an example of a place that has the feature set you're looking for with very generous disk allocations for reasonable prices, see csoft.net. (I've never used them but I've heard good things about them, and when I emailed them some techie questions about their service they responded quickly and very professionally.) For example, the $25/mo. plan gives you unlimited disk. All plans include 1Gb/day of traffic ($6/Gb per Gb over 30 per month). Anyone here actually, directly used these guys that would like to comment?
--
News for geeks in Austin: www.geekaustin.org
News for Geeks in Austin, TX
Just caught this on their website:
The fact that dedicated server hosting is a port-based service as well as a non-shared hardware environment makes Quality of Service superior over virtual server solutions. Quality of Service on dedicated servers where CommuniTech.Net guarantees the hardware integrity is measured in two aspects. First, Quality of Service is measured at the switch port, ensuring bandwidth is quality and that there is no internal or external network congestion. Secondly, Quality of Service extends to the hardware used for the dedicated server, making sure there are no hardware performance issues. If such issues arise at anytime, it is our responsibility to resolve the hardware issues, which would have an adverse effect on Quality of Service.
The fact that it is possible (though difficult) to cause a hardware failure through remote software operation is of concern. First, to minimize such circumstances, it is quite important to use only quality hardware in all dedicated servers. Secondly, Quality of Service is exclusive of any software-related issues on the dedicated server, which is the responsibility of the client, not CommuniTech.Net. Therefore, the client, depending on his/her use of the dedicated server, has to carry out the Quality of Service control right down to the application layer.
They claim quality assurance on the link and the hardware, but not software. They state that is a client responsibility. That is a bit unusual, even asinine, but there you have it.
Derek
It seems to me that the BBB (Better Business Bureau) was set up to handle situations just like this -- a business doesn't provide services which it said it would. Although it usually doesn't have any official power AFAIK, the power of reputation in this case can be enormous.
That's it. I'm no longer part of Team Sanity.
What's the security-maintenance potential of Debian-based systems? I generally set up Red Hat-based servers at client sites, run a tight ipchains firewall and custom compile whatever daemons will be publicly available from the latest source; and then watch for security news, compiling updated daemons as necessary. So far, no problems, fingers crossed. But I've recently been playing with Debian, am coming to like .deb far better than .rpm, and wonder what the odds would be of a daily "apt-get dist-upgrade" in cron on servers keeping security relatively tight (and not sometimes mucking things up)? Some of y'all must be doing this?
"with their freedom lost all virtue lose" - Milton
There might be a reaction.
Check out the Vinny the Vampire comic strip
"It is a greater offense to steal men's labor, than their clothes"
You'd do well to read this guide, it's helped me out tremendously:
http://www.openna.com/resources/articles/v1.3-xml/coverpage.html
:)
(Securing and Optimizing Linux, by Gerhard Mourani)
First let me say that I'm a reseller for Communitech, virtual accounts only, though I don't believe that makes me biased toward them; if anything, my experiences have biased me against CT. I've had my own nightmares with them and I'm still wrapped up in being double-billed on one resold account for almost a year. Personally I think you're lucky they reinstalled the OS for free the second time around; be sure to double-check your credit card bill when it comes in... CT is one of those companies you love and hate at the same time and their customer service does suck - that's why they have a lot of resellers. We can provide the personal service and support that they aren't capable of.
That said, the security of your box is your responsibility. It doesn't matter where your box is located or whose pipes it's connected to.
Communitech isn't responsible for making sure your box is secure any more than RoadRunner is responsible for making sure my local linux machine is locked down. Their responsibility is to make sure that your machine is connected, powered up, and able to serve traffic. When you order a dedicated server from CT, they slap on an installation of your chosen OS, along with Apache and some development tools. They don't make any promises or guarantees that your system will be secure or that they'll be patching your box every time an exploit is found.
CT still uses Redhat 6, and it says that on their dedicated server config page (the RaQ page just says Linux 2.2, but the more general pages indicate they're using Redhat 6). If I were to take on a box with a fresh installation of RH6, the first thing I'd do is upgrade bind - shot in the dark, but I bet that's how you were owned.
In any case, the bottom line is this, and you're free to disagree: if no one in your group is prepared to spend time finding patches and securing the box, your group isn't ready to be running a dedicated server.
Good luck and make sure to check that URL. You've got a dedicated server for at least a few more months, someone on your team needs to read up and get to work.
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Here is the dedicated server contract from Communitech.
It seems that 7.1, 7.2 and 7.3 are covering the software maintenance. Although they are not very specific on it.
Woah - someone had a bad experience with Communitech? I'm surprised. Wait, just the opposite of that. Communitech (known as "Communistech" by the little online cliche I'm a part of) is a company which loves changing its TOS and being sneaky/deceitful about it just to make a quick buck. First, according to one of their abuse department guys, the 'president' of the company went through a friend's site, SimStuff.com. Without consulting the owner, he deleted the entire site (including several dozen hosted sites) because they had .ZIP files that MIGHT have been pirated software. The company also said that SimStuff.com had 'pornographic' content on it.
Er - since when is a site about SimCity 'pornographic'? And what site doesn't use .ZIP files, especially if it's a gaming site?
The company eventually changed its position to that of "the owner was inappropriately using his space" - by having .ZIP files available for download.
When I posted news about this incident on my Maxis-related site, I was harassed in my forums by an employee of the company (though I don't remember the specifics; they used a fake name to post it originally, but I was able to trace the IP back to the company.)
The site was killed because the company decided that .ZIP files are pirated files and then lied about the content of the site.
The company also refused to refund the owner of the site, despite the fact that they made a clear mistake and then lied about it (and then went as far as to harass supporters of the site).
The company didn't return phone calls from the webmaster and it took him several days to even get an answer as to why his site was simply deleted.
From what I recall, they also threatened to charge the webmaster a $500 "cleaning up" fee (I'm not sure about that number - but it was rather large) for deleting the site. I was harassed after proposing that members of the community donate money to pay for that fee in case they pressed it. And the reason they threatened to do it was because they felt the webmaster was 'harassing' them because I, and others, had posted the email addresses of various company officials for people to write them and ask them to reverse their decision. They also threatened to charge money for each of those emails sent in, as well as file abuse reports to our ISPs.
Not to mention the fact that they got rid of one of the guaranteed features, Ultraboard, in the middle of my hosting period; thus, when their server screwed up my config styles, I couldn't re-install the program and thus had to ditch my forums.
Communitech exists to make a quick buck. They lie about their features and twist their 'contract' and 'terms of service' around just to cheat people.
I'm more than willing to help out any site dedicated to reviewing Communitech's poor decisions and actions. I can probably even host the site on a server we rent from another company. Email me: adam@!nozone.net. (Remove the "!").
What is their justification for the $125 Charge? You say you rent the Raq3, do they mean to imply that this is something you could do yourself, and they will do it for you?
Just where does the boundary in your contract lie on that? If you are allowed to do the patch yourself, then there may be ~some~ justification for the charge (that doesn't make it right, mind you). However, if it's something they won't let you do, then they are exercising quite an unfair business practice. A bit of a Catch-22 where they won't let you fix it, it needs to be fixed, and they still want to charge you for it.
If the second option is true (You don't have access to patch the server), I'm sure if you call and complain enough, they'll work something out. Just remember to bug them A LOT!!! They'll buckle, especially if you're right, and they know it, and you can plant the seed in their heads that any court would know it too.
-----
You might want to check out cr0wbar's rant against Safe Audit when they screwed him over. The more you let people know about this kind of nonsense, the more likely it is said business will think twice about screwing you over.
We've seen this reaction all over the place. Any time people are treated unfairly in any situation, cry out publicly about it. This does change things.
This story CLEARLY indicates wrongdoing on their part. For example, anyone who has ever dealt with phone companies fixing their service knows that service providers are responsible for fixing problems with their own systems. When I got my second line installed, they had problems with line at a distro station. They didn't charge me to fix the problems there. If they had, I would have raised hell. But they didn't. They're responsible for it. End of story.
Why bother.