Supposen your machine DOES get compromised, do you think knowing any users which were using a shell at the time on the machine would help you with your investigation?
We also state in our TOS that while a user is on the system, we can monitor their actions.
It helps to know when users are actually logged on, if you want to do any active monitoring.
It adds to the picture of system usage. When grouped with resource usage, login frequency and duration, you can figure out patterns in user behaviour, which can also be helpful when trying to track down system compromise.
I just feel it's better to be prepared then to get caught with hot grits down your pants.:)
Plus, sometimes people will request a shell account when their domain name is very suspect - Recently, 'allripped-fxp.com' requested a shell.
It's nice to know when they're logged in, so I can actually take a look at what they're doing, and determine if the reason they requested shell access is truthful and doesn't violate TOS.
If someone has a legitamate need for shell access, they can contact us and say so, and we'll enable it for them.
I'm not saying shell access should *never* be granted, I'm saying shell access should be granted *after* some contact has been made with the client.
Sorry for being security concious. Oh. Wait. No. I'm not sorry.:)
I agree and disagree.
Leaving shell access available for everyone who signs up is just begging to be screwed with by the script kiddies of the world.
I'm a system administrator at site5.com (we're on the Cpanel3 development team) and we wrote a shell wrapper that denies access to the shell unless it's specified as an option in/var/cpanel/users/username. It also notifies us via ICQ pager whenever anyone signs into their shell account.
We're also thinking about modifying bash to make it do chroot()'ing to the users' home directory.
Blindly offering shell access to any customer that signs up, without any kind of administrator contact, is very shortsighted IMHO.
I'm Vince from Site5.
I'd just like to add a few things...
Site5.com are one of only 2 hosting companies in the world who have access to the Cpanel3 source code. (Our CEO is on the Cpanel3 development team). And to my knowledge, we're the only company outside of VDI.net's datacenter that can offer Cpanel3/WHM for free to our dedicated and colocated customers.
So if anyones looking for a Cpanel3 server, we can help you out.:)
Feel free to contact me (vince at site5.com) for more information.
Managed server - Server is provided and maintained by the hosting company in question. You may or may not have root access.
Dedicated server - Server is provided, but the level of administration provided by the hosting company should be discussed. Unless requested, I would expect NO interference from the hosting company. You should always have root access.
Colocated server - Same as above, except the customer provides the server too.
Updates and patches are usually (maybe not usually? it's usual for where I work, Site5, atleast) by the hosting company anyway, without a charge.
Some things are charged for, and should be - But just keeping a system up to date (which will also keep 90% of the script kiddies at bay - I'm not implying an uptodate system is a secure system, however) should be standard practise at all hosting providers.
What happened with CommuniTech, under any other circumstances, I would put down to miscomunication - As in, the host thought that the client wanted to handle things themselves. But CommuniTech have what I wouldn't call the best reputation.:)
Search for CommuniTech at Webhosting talk, and you'll see what I mean.
Not even - I'm writing this from a FreeBSD machine.
I don't care what came where in a poll. Debian is by far the best Linux distro, and regardless of what the GPL zealots say, I can run whatever software I choose on it.
The advantage is with the ease of use of.deb's, something which needs to get much more publicity, like *BSD's ports do.
RPM's just outright suck, and I would be happy for Debian, or one of the *BSD's, to take the spotlight away from RedHat and the rest of the RPM wannabe Linux distros.
That's because Mandrake sucks. RPM sucks.
FreeBSD is definately superior to Mandrake, Redhat, SusE - Any RPM based distro.
You should however try Debian. During the install, don't use the task system. You get a very raw install, and can then install exactly what apps you need using apt-get.
It's disapointing that people are turning away from Linux because of shitty distros like Mandrake.
They both look they come from a long line of derivation, if you ask me.
You also contradict yourself by stating that "FreeBSD is based on original BSD code" then stating that the original code had to be removed due to licensing issues.
It ends up with being horses for courses - Each to their own, etc etc. Neither is really "better" then the other, and unfortunately BSD is losing market share because of lack of publicity.
Hopefully it'll get the attention it deserves, because it is indeed a great OS - For it's purpose. Which IMHO is in the server environment.
Re:How about Annoyed enough
on
Is BSD Dying?
·
· Score: 2
Multiple distributions is a Good Thing (TM).
It's all about Freedom of Choice.
180+ also sounds like somewhat of an exaggeration, although, I'll admit I've done no research.
You must realise, however, there is still only one kernel. One "Linux".
As for BSD... I'm not really a fan. It's a great OS, but Debian sid + the 2.4.1 kernel smoke it.
Does BSD have anything similar to apt? Not ports.
Ports (AFAIK) are only for installing packages, not upgrading them.
For example... Say I install bind through ports. Then cvsup my ports, and the new ports contain an upgraded bind. I need to cd/usr/ports/net/bind;make install, to get the new bind. Right?
KDE is okay... Sorta... Maybe for Windows users... It'd be better if they fix those licencing issues. Any news on the QTL/GPL business Debian were going through with KDE/QT? Neurotic: Person who builds forts in the sky Psychotic: Person who lives in those forts
That wasn't the point, the point is that the Redhat installer makes you install all the X crap cause it's POSSIBLE for you to MAYBE use make xconfig. Such is Redhat. I remember a friend of mine getting really pissed cause he had to install X to install Apache during the Redhat install... That was 6.0... Hopefully they've improved the installer and dependacy issues by now. Neurotic: Person who builds forts in the sky Psychotic: Person who lives in those forts
Stupid racist fuck. A great man dies and you decide to blame black and Jewish people? Alcoholism is a disease that needs treatment and help. You don't mention all the white people also lined up outside those same pawn shops, liquer stores and check cashing joints. You disgust me. Neurotic: Person who builds forts in the sky Psychotic: Person who lives in those forts
Thats very true. What you're talking about is called steganography, which is the art of hiding data in other data. Which is a very good way of hiding your information... But would seem out of place in top level security places. I mean, where am I going to hide my really really secret data... Well... I could hide it in my really secret data, then put it all in my not-so-really secret data... Unless you have some meaningless data that seems completely irrelevant to what you're hiding, then it becomes a bit pointless. And with top secret data, you're not likly to store it next to something pointless.. Like oh say some pictures of Natalie Portman...:o)
Neurotic: Person who builds forts in the sky Psychotic: Person who lives in those forts
If it used cable or DSL, then it surely would have stated so... Its a "dial-up gateway"... You know... For dialing-up. Some areas just don't have cable or DSL yet. Some countries don't have cable or DSL yet. In England we're just now getting DSL... If I had to use dial-up, and knew my dial-up gateway was running OpenBSD as opposed to something like NT... I'd be happier, knowing I were using a secure ISP and probably have better connection speeds too!:o)
Its less usable at first. Once you actually start installing packages, its just another distro - Just more secure. Having the extra security isn't a bad thing... Unless you add NOTHING from the base install. Which is pretty useless anyway...
Slashdot Mirror
Supposen your machine DOES get compromised, do you think knowing any users which were using a shell at the time on the machine would help you with your investigation?
:)
We also state in our TOS that while a user is on the system, we can monitor their actions.
It helps to know when users are actually logged on, if you want to do any active monitoring.
It adds to the picture of system usage. When grouped with resource usage, login frequency and duration, you can figure out patterns in user behaviour, which can also be helpful when trying to track down system compromise.
I just feel it's better to be prepared then to get caught with hot grits down your pants.
Plus, sometimes people will request a shell account when their domain name is very suspect - Recently, 'allripped-fxp.com' requested a shell.
It's nice to know when they're logged in, so I can actually take a look at what they're doing, and determine if the reason they requested shell access is truthful and doesn't violate TOS.
And anyway, every little helps.
Regards,
Vince.
(vince at site5.com)
We have a decent amount - I'd say we're medium sized.
I'd say less then 10% of our users use the shell, and not many of them use it every day, so I'd estimate around 100 ICQ pages / day / 2000 users.
Quite managable.
Plus, we can make it alternate between members of staff, and distribute the pages evenly.
Regards,
Vince.
(vince at site5.com)
Well, when something like this is posted, and you have inside information and good contacts, it doesn't hurt to spread the word. :)
Regards,
Vince.
(vince at site5.com)
If someone has a legitamate need for shell access, they can contact us and say so, and we'll enable it for them. :)
I'm not saying shell access should *never* be granted, I'm saying shell access should be granted *after* some contact has been made with the client.
Sorry for being security concious. Oh. Wait. No. I'm not sorry.
Regards,
Vince.
(vince at site5.com)
I agree and disagree.
/var/cpanel/users/username. It also notifies us via ICQ pager whenever anyone signs into their shell account.
Leaving shell access available for everyone who signs up is just begging to be screwed with by the script kiddies of the world.
I'm a system administrator at site5.com (we're on the Cpanel3 development team) and we wrote a shell wrapper that denies access to the shell unless it's specified as an option in
We're also thinking about modifying bash to make it do chroot()'ing to the users' home directory.
Blindly offering shell access to any customer that signs up, without any kind of administrator contact, is very shortsighted IMHO.
Regards,
Vince.
(vince at site5.com)
HostRocket use Cpanel3, probably with a theme.
Regards,
Vince.
(vince at site5.com)
Hi
...
:)
I'm Vince from Site5.
I'd just like to add a few things
Site5.com are one of only 2 hosting companies in the world who have access to the Cpanel3 source code. (Our CEO is on the Cpanel3 development team). And to my knowledge, we're the only company outside of VDI.net's datacenter that can offer Cpanel3/WHM for free to our dedicated and colocated customers.
So if anyones looking for a Cpanel3 server, we can help you out.
Feel free to contact me (vince at site5.com) for more information.
Regards,
Vince.
Service levels come in three flavors.
:)
Managed server - Server is provided and maintained by the hosting company in question. You may or may not have root access.
Dedicated server - Server is provided, but the level of administration provided by the hosting company should be discussed. Unless requested, I would expect NO interference from the hosting company. You should always have root access.
Colocated server - Same as above, except the customer provides the server too.
Updates and patches are usually (maybe not usually? it's usual for where I work, Site5, atleast) by the hosting company anyway, without a charge.
Some things are charged for, and should be - But just keeping a system up to date (which will also keep 90% of the script kiddies at bay - I'm not implying an uptodate system is a secure system, however) should be standard practise at all hosting providers.
What happened with CommuniTech, under any other circumstances, I would put down to miscomunication - As in, the host thought that the client wanted to handle things themselves. But CommuniTech have what I wouldn't call the best reputation.
Search for CommuniTech at Webhosting talk, and you'll see what I mean.
Not even - I'm writing this from a FreeBSD machine.
.deb's, something which needs to get much more publicity, like *BSD's ports do.
I don't care what came where in a poll. Debian is by far the best Linux distro, and regardless of what the GPL zealots say, I can run whatever software I choose on it.
The advantage is with the ease of use of
RPM's just outright suck, and I would be happy for Debian, or one of the *BSD's, to take the spotlight away from RedHat and the rest of the RPM wannabe Linux distros.
FYI, I use Debian, FreeBSD and OpenBSD.
That's because Mandrake sucks. RPM sucks.
FreeBSD is definately superior to Mandrake, Redhat, SusE - Any RPM based distro.
You should however try Debian. During the install, don't use the task system. You get a very raw install, and can then install exactly what apps you need using apt-get.
It's disapointing that people are turning away from Linux because of shitty distros like Mandrake.
http://perso.wanadoo.fr/levenez/unix/history.html
They both look they come from a long line of derivation, if you ask me.
You also contradict yourself by stating that "FreeBSD is based on original BSD code" then stating that the original code had to be removed due to licensing issues.
It ends up with being horses for courses - Each to their own, etc etc. Neither is really "better" then the other, and unfortunately BSD is losing market share because of lack of publicity.
Hopefully it'll get the attention it deserves, because it is indeed a great OS - For it's purpose. Which IMHO is in the server environment.
NetBSD has experimental SMP code.
Multiple distributions is a Good Thing (TM).
/usr/ports/net/bind;make install, to get the new bind. Right?
It's all about Freedom of Choice.
180+ also sounds like somewhat of an exaggeration, although, I'll admit I've done no research.
You must realise, however, there is still only one kernel. One "Linux".
As for BSD... I'm not really a fan. It's a great OS, but Debian sid + the 2.4.1 kernel smoke it.
Does BSD have anything similar to apt? Not ports.
Ports (AFAIK) are only for installing packages, not upgrading them.
For example... Say I install bind through ports. Then cvsup my ports, and the new ports contain an upgraded bind. I need to cd
apt-get update; apt-get upgrade.
Each to their own, I guess.
You know, you're right. You can.
But I didn't.
vince@portal:~$ gcc -v /usr/lib/gcc-lib/i386-linux/2.95.2/specs
Reading specs from
gcc version 2.95.2 20000220 (Debian GNU/Linux)
vince@portal:~$ uname -a
Linux portal 2.4.0-test9 #2 Wed Oct 4 14:59:11 GMT 2000 i686 unknown
vince@portal:~$
2.95 not compatible with kernel 2.4... Riiiight...
I have a woody.
Or even dot-slashed.. ./'d... Get it?
KDE is okay... Sorta... Maybe for Windows users... It'd be better if they fix those licencing issues. Any news on the QTL/GPL business Debian were going through with KDE/QT?
Neurotic: Person who builds forts in the sky
Psychotic: Person who lives in those forts
That wasn't the point, the point is that the Redhat installer makes you install all the X crap cause it's POSSIBLE for you to MAYBE use make xconfig. Such is Redhat. I remember a friend of mine getting really pissed cause he had to install X to install Apache during the Redhat install... That was 6.0... Hopefully they've improved the installer and dependacy issues by now.
Neurotic: Person who builds forts in the sky
Psychotic: Person who lives in those forts
Stupid racist fuck.
A great man dies and you decide to blame black and Jewish people?
Alcoholism is a disease that needs treatment and help.
You don't mention all the white people also lined up outside those same pawn shops, liquer stores and check cashing joints.
You disgust me.
Neurotic: Person who builds forts in the sky
Psychotic: Person who lives in those forts
Thats very true. :o)
What you're talking about is called steganography, which is the art of hiding data in other data.
Which is a very good way of hiding your information... But would seem out of place in top level security places. I mean, where am I going to hide my really really secret data... Well... I could hide it in my really secret data, then put it all in my not-so-really secret data...
Unless you have some meaningless data that seems completely irrelevant to what you're hiding, then it becomes a bit pointless. And with top secret data, you're not likly to store it next to something pointless.. Like oh say some pictures of Natalie Portman...
Neurotic: Person who builds forts in the sky
Psychotic: Person who lives in those forts
If it used cable or DSL, then it surely would have stated so ... Its a "dial-up gateway" ... You know ... For dialing-up. ... ... I'd be happier, knowing I were using a secure ISP and probably have better connection speeds too! :o)
Some areas just don't have cable or DSL yet. Some countries don't have cable or DSL yet.
In England we're just now getting DSL
If I had to use dial-up, and knew my dial-up gateway was running OpenBSD as opposed to something like NT
Its less usable at first. ... Unless you add NOTHING from the base install. Which is pretty useless anyway ...
Once you actually start installing packages, its just another distro - Just more secure.
Having the extra security isn't a bad thing