Slashdot Mirror


Dealing With Bad Service From Dedicated Host Providers?

zeno_lee asks: "How do people deal with situations like this? Recently, we were cracked because our ISP failed to patch known security holes. They now want us to pay for them to patch up the holes. We are a bunch of dedicated volunteers who run a community web site we are developing using Apache/PHP/MySQL. The volunteers have nothing to gain except the rewards of bringing a national community together. We were cracked twice within 1 week of going live on the site. We are getting service from CommuniTech, who rent us a Cobalt Raq3 server. Part of the reason to go with a dedicated server from an ISP is to outsource system administration. No one amongst us is a full time computer security officer." One would think that when you pay for system administration, that security would be part of the deal. Looking at their FAQ, they give the impression that their servers are secure, so you'd think they would do something as simple as apply patches. Also, there is no mention of any extra charges for security on their pricing page, so does CommuniTech have any sensible reason for charging extra?

"We were cracked first within 5 days of our site going live. After paying communitech.net $62.50 for reinstalling the OS, it was cracked just 24 hours later. After speaking with Cobalt, they told us that our ISP, communitech.net, failed to patch up well publicized security holes on the Raq3. Acknowledging their failure, Communitech is not charging us for reinstalling the OS, but they are charging us $125 for someone to patch up the security hole. How blatantly unfair is that? I wanted the Slashdot community to be aware of the practices of such companies and see if others have had similar experiences and how they dealt with those situations.

We signed a 6 month contract, and we need options and strategies. What are the possible options we have? We just want a website running, we don't need to deal with all this bull."

3 of 196 comments

  1. If you really want to do something about it... by luge · Score: 5

    buy one of those cheap ad banners on google and set it to come up every time someone searches "communitech." Have it link to a page where you've collected a list of your problems (and hopefully the problems of others, to give it more credibility.) Make it look very professional; avoid getting personal; etc., and pretty soon you'll have solutions.

    --

    IAAL,BIANLY

  2. Communitech Hell by at0m · Score: 5

    I used communitech for a little over a year, and my experience was awful. They kept on taking away services that were promised when I signed up, and refusing to refund anything. They suspended my accounts twice; their policy for suspension is to immediately take the site down and leave a "forbidden" page, then ask questions later. One of the times it was because I was using too much bandwidth - one of the primary reasons I used communitech was because of their promise of "unlimited bandwidth" (I believe they've since changed their policy, without notice of course). The second time it was because I alerted them of a security hole in their system. ALERTED them - I simply wanted it fixed, but they suspended my site. When I called soon after, they threatened to call the police. They guaranteed 99.5% uptime when I signed up, but never met that - later, when questioned, they said that they were working towards that goal, but it wasn't actually a guarantee (even though it was advertised on their front page). Customer support was horrendous - I'll leave it at that. When I finally canceled my accounts, they continued billing me. They wouldn't stop until I threatened to call the Attorney General of their state (after that, of course, they quite willingly stopped). I could keep going, but I'll leave it at that. Please, whatever you do, get away from Communitech. If you don't, I assure you that you'll regret it later.

  3. A good security reference, and some comments by ShaunC · Score: 5

    You'd do well to read this guide, it's helped me out tremendously:

    http://www.openna.com/resources/articles/v1.3-xml/coverpage.html

    (Securing and Optimizing Linux, by Gerhard Mourani)

    First let me say that I'm a reseller for Communitech, virtual accounts only, though I don't believe that makes me biased toward them; if anything, my experiences have biased me against CT. I've had my own nightmares with them and I'm still wrapped up in being double-billed on one resold account for almost a year. Personally I think you're lucky they reinstalled the OS for free the second time around; be sure to double-check your credit card bill when it comes in... CT is one of those companies you love and hate at the same time and their customer service does suck - that's why they have a lot of resellers. We can provide the personal service and support that they aren't capable of.

    That said, the security of your box is your responsibility. It doesn't matter where your box is located or whose pipes it's connected to.

    Communitech isn't responsible for making sure your box is secure any more than RoadRunner is responsible for making sure my local linux machine is locked down. Their responsibility is to make sure that your machine is connected, powered up, and able to serve traffic. When you order a dedicated server from CT, they slap on an installation of your chosen OS, along with Apache and some development tools. They don't make any promises or guarantees that your system will be secure or that they'll be patching your box every time an exploit is found.

    CT still uses Redhat 6, and it says that on their dedicated server config page (the RaQ page just says Linux 2.2, but the more general pages indicate they're using Redhat 6). If I were to take on a box with a fresh installation of RH6, the first thing I'd do is upgrade bind - shot in the dark, but I bet that's how you were owned.

    In any case, the bottom line is this, and you're free to disagree: if no one in your group is prepared to spend time finding patches and securing the box, your group isn't ready to be running a dedicated server.

    Good luck and make sure to check that URL. You've got a dedicated server for at least a few more months, someone on your team needs to read up and get to work :)

    Shaun

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!