zeno_lee asks:
"How do people deal with situations like this? Recently, we were cracked because our ISP failed to patch known security holes. They now want us to pay for them to patch up the holes. We are a bunch of dedicated volunteers who run a community web site we are developing using Apache/PHP/MySQL. The volunteers have nothing to gain except the rewards of bringing a national community together. We were cracked twice within 1 week of going live on the site. We are getting service from CommuniTech, who rent us a Cobalt Raq3 server. Part of the reason to go with a dedicated server from an ISP is to outsource system administration. No one amongst us is a full time computer security officer."
One would think that when you pay for system administration, security would be part of the deal. Looking at their FAQ, they give the impression that their servers are secure, so you'd think they would do something as simple as apply patches. Also, there is no mention of any extra charges for security on their pricing page, so does CommuniTech have any sensible reason for charging extra?
"We were cracked first within 5 days of our site going live. After paying communitech.net $62.50 for reinstalling the OS, it was cracked just 24 hours later. After speaking with Cobalt, they told us that our ISP, communitech.net, failed to patch up well publicized security holes on the Raq3. Acknowledging their failure, Communitech is not charging us for reinstalling the OS, but they are charging us $125 for someone to patch up the security hole. How blatantly unfair is that? I wanted the Slashdot community to be aware of the practices of such companies and see if others have had similar experiences and how they dealt with those situations.
We signed a 6 month contract, and we need options and strategies. What are the possible options we have? We just want a website running, we don't need to deal with all this bull."
Buy one of those cheap ad banners on Google and set it to come up every time someone searches "communitech." Have it link to a page where you've collected a list of your problems (and hopefully the problems of others, to give it more credibility). Make it look very professional, avoid getting personal, etc., and pretty soon you'll have solutions.
IAAL,BIANLY
From http://www.communitech.net/hosting/virtual/plans/unix.cgi:
These people are obviously ignorant of Sun's own history. Sun caught on in the 1980s--not because it was the most stable, not because it was the most secure, but because Sun's software was the most open. Sun's success in the 1980s and early 1990s can be mainly attributed to the fact that they opened up the code for NFS, the code for the XV windowing toolkit, and the code for the RPC library.
NFS was, and still is, a joke compared to better systems like AFS. However, the popularity of PC-compatible hardware shows that it is not the best that wins in the computing marketplace, but the cheapest and most open.
The statistics prove this: Linux is gaining market share. Solaris is losing market share.
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
Unlimited bandwidth = joke. Call them, tell them you'll be hosting a huge file archive and expect to push 1,000GB a month per server minimum, for that $200 monthly cost. Laugh while they root around and discover the magic document that turns unlimited into super limited and we can cut you off without notice just as you become popular.
Uptime promises = joke, even if they are in writing. Usually they claim it was an outside problem even if THEIR router failed, and the amount you get if they break their SLA is pathetic.
Security is a joke. Our current Top 5 dedicated hosting provider allows easy access to all customer accounts, and I mean easy, no hacking, no passwords, nothing. It's so easy it's not even newsworthy. I like it because I never have to log on, passwords are a pain. And they have yet to patch a security hole either.
Don't sign super long contracts. Rackspace charges an arm and a leg and are doing great. Why? One reason is they go month by month, they've got an incentive to keep you, and I suspect it makes a difference.
Anyone find a really good and cheap dedicated hosting provider? I'd love a place where we could buy our own set of 10 servers, and just pay for the space and the bandwidth, and have it be cheap. With a proper telephone remote-reboot, we could do everything else ourselves, which we already have to do because the emergency support are basically script readers in Kajikastan I think.
Dump communitech and go with Rackspace.com. I was researching places like this a while back for a little project I was working on, and I only heard good things about rackspace.com. Standard bandwidth is 10GB/mo, but for $120 more, you get 75GB/mo. Even their crappiest Intel box is better than a Raq3 (they provide those also, though).
Need Free Juniper/NetScreen Support? JuniperForum
Well, they specifically said it is a dedicated server. That means that they have leased it, just like you would lease a car. Maintenance, upkeep and system administration are solely the lessor's responsibility.
Visit Cobalt's website, subscribe to Cobalt's lists, especially the announce list.
Search the user list archives and discover the unholy number of folks that have been hacked through BIND because they didn't upgrade.
The fact is, they leased it. It is their responsibility for the upkeep. It would be a different story if they leased web space, but they didn't.
Leasing a dedicated server does not absolve you of system administration, but exactly the opposite!
---
satire, n: 1) witty language used to convey insults or scorn; 2) a form of humor lost on most slashdot moderators.
I used communitech for a little over a year, and my experience was awful. They kept on taking away services that were promised when I signed up, and refusing to refund anything. They suspended my accounts twice; their policy for suspension is to immediately take the site down and leave a "forbidden" page, then ask questions later. One of the times it was because I was using too much bandwidth - one of the primary reasons I used communitech was because of their promise of "unlimited bandwidth" (I believe they've since changed their policy, without notice of course). The second time it was because I alerted them of a security hole in their system. ALERTED them - I simply wanted it fixed, but they suspended my site. When I called soon after, they threatened to call the police. They guaranteed 99.5% uptime when I signed up, but never met that - later, when questioned, they said that they were working towards that goal, but it wasn't actually a guarantee (even though it was advertised on their front page). Customer support was horrendous - I'll leave it at that. When I finally canceled my accounts, they continued billing me. They wouldn't stop until I threatened to call the Attorney General of their state (after that, of course, they quite willingly stopped). I could keep going, but I'll leave it at that. Please, whatever you do, get away from Communitech. If you don't, I assure you that you'll regret it later.
It sounds like they're incompetent, which really doesn't surprise me at all. Most companies seem to feel you can train some monkeys to do sysadmin level work. That's not true of any OS, although some of the more "User Friendly" ones delude you into thinking you can, right up until the skript kiddies march in and take over. You have the correct level of expectation that security holes will be fixed as part of what you're paying them to host the site, so if they don't hold up their part of the contract, threaten to sue the crap out of them. Or at least demand that they release you from the contract since they're not upholding their end of the deal. IANAL but I play one on TV.
As a side note, a lot of these web hosting places are fly by night operations that disappear a couple of months after they open up. The fly-by-nights are much more likely to try to get by with trained monkeys on the sysadmin team. If the guy who sold you your service is also the system administrator, be wary. It's always a good idea to see how long a company's been in business and ideally get some references from other customers of that company before you decide to do business with them.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Cobalt makes their patches available for everyone to download and install. Sure, it takes them several weeks to make a patch available, and given that they use RedHat GNU/Linux security holes keep popping up, but there is no reason why your ISP should be more able than you to download and apply the patches.
Of course, I have to wonder why you're using a Raq anyway... I've never quite understood how $1000 of hardware plus lots of free software equals a $5000 server.
Tarsnap: Online backups for the truly paranoid
It seems to me that the BBB (Better Business Bureau) was set up to handle situations just like this -- a business doesn't provide services which it said it would. Although it usually doesn't have any official power AFAIK, the power of reputation in this case can be enormous.
That's it. I'm no longer part of Team Sanity.
You'd do well to read this guide, it's helped me out tremendously:
http://www.openna.com/resources/articles/v1.3-xml/coverpage.html
(Securing and Optimizing Linux, by Gerhard Mourani)
:)
First let me say that I'm a reseller for Communitech, virtual accounts only, though I don't believe that makes me biased toward them; if anything, my experiences have biased me against CT. I've had my own nightmares with them and I'm still wrapped up in being double-billed on one resold account for almost a year. Personally I think you're lucky they reinstalled the OS for free the second time around; be sure to double-check your credit card bill when it comes in... CT is one of those companies you love and hate at the same time and their customer service does suck - that's why they have a lot of resellers. We can provide the personal service and support that they aren't capable of.
That said, the security of your box is your responsibility. It doesn't matter where your box is located or whose pipes it's connected to.
Communitech isn't responsible for making sure your box is secure any more than RoadRunner is responsible for making sure my local linux machine is locked down. Their responsibility is to make sure that your machine is connected, powered up, and able to serve traffic. When you order a dedicated server from CT, they slap on an installation of your chosen OS, along with Apache and some development tools. They don't make any promises or guarantees that your system will be secure or that they'll be patching your box every time an exploit is found.
CT still uses Redhat 6, and it says that on their dedicated server config page (the RaQ page just says Linux 2.2, but the more general pages indicate they're using Redhat 6). If I were to take on a box with a fresh installation of RH6, the first thing I'd do is upgrade bind - shot in the dark, but I bet that's how you were owned.
In any case, the bottom line is this, and you're free to disagree: if no one in your group is prepared to spend time finding patches and securing the box, your group isn't ready to be running a dedicated server.
Good luck and make sure to check that URL. You've got a dedicated server for at least a few more months; someone on your team needs to read up and get to work.
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Here is the dedicated server contract from Communitech.
It seems that 7.1, 7.2 and 7.3 are covering the software maintenance, although they are not very specific on it.
What is their justification for the $125 Charge? You say you rent the Raq3, do they mean to imply that this is something you could do yourself, and they will do it for you?
Just where does the boundary in your contract lie on that? If you are allowed to do the patch yourself, then there may be ~some~ justification for the charge (that doesn't make it right, mind you). However, if it's something they won't let you do, then they are exercising quite an unfair business practice. A bit of a Catch-22 where they won't let you fix it, it needs to be fixed, and they still want to charge you for it.
If the second option is true (you don't have access to patch the server), I'm sure if you call and complain enough, they'll work something out. Just remember to bug them A LOT!!! They'll buckle, especially if you're right, and they know it, and you can plant the seed in their heads that any court would know it too.
-----