
02-12-2008, 21:00
|
|
Junior Member
|
|
Join Date: Dec 2008
Posts: 10
|
|
Paranoid security
Hi,
I've been using Eukhost services for more than a year and I'm generally satisfied with the level of service and especially technical support.
However, in the past week I've wasted more than four hours hunting for obscure glitches in my scripts only to find that they were caused by security settings on the hosting servers.
The first case was a problem with mod_security and it was resolved quickly once I contacted tech support. However, I had spent two hours trying to identify the problem before asking for help (because in most cases the problem is my stupidity) and only after I eliminated everything else did I contact technical support.
The other problem which isn't solved yet is with the suhosin Extension (hardened PHP) which limits the number of elements in the _FILES superglobal to 25. It took me two hours to figure this out and I expect this will also be solved shortly.
I'm sure you guys realize that time is money and four hours of hunting for weird glitches is four hours I can't bill my clients for... so I would recommend and appreciate that you think a bit more thoroughly about potential problems before you decide to implement new security measures. I've been a web developer for 8 years and I've used a lot of hosting solutions and this is the first time I've encountered mod_security and suhosin.
|

02-12-2008, 21:11
|
|
Junior Member
|
|
Join Date: Dec 2008
Posts: 10
|
|
Yes, I almost forgot another incident where the FTP passwords were changed and after three unsuccessful login attempts by my FTP client my IP was locked out from even accessing the site 'for security reasons'. This was before I checked my e-mail to see a warning from Eukhost that my passwords were changed but it still took me most of the day to figure out that I can't access my site (HTTP or FTP) only from my IP.
|

02-12-2008, 21:20
|
 |
Premium Member
|
|
Join Date: Mar 2007
Location: 127.0.0.1
Posts: 1,646
|
|
Hi there,
I do appreciate that such security measures may be causing you problems, but these measures are in place for the greater good of yourself and all who are hosted on eUK servers.
I myself use both security measures as well as other methods to secure my servers so that they can't be accessed by hackers in any way.
At the end of the day, you are more likely to lose a larger amount of money if the server itself becomes compromised since this would cause you a long period of downtime.
|

02-12-2008, 21:30
|
 |
Premium Member
|
|
Join Date: Mar 2007
Location: 127.0.0.1
Posts: 1,646
|
|
I'd also like to add that the security measures in place are in line with what many web hosting providers use, and as I said, I also use them personally and know a number of other forum users who use such measures on their servers.
|

02-12-2008, 21:37
|
|
Junior Member
|
|
Join Date: Dec 2008
Posts: 10
|
|
Quote:
Originally Posted by flesso
I'd also like to add that the security measures in place are in line with what many web hosting providers use, and as I said, I also use them personally and know a number of other forum users who use such measures on their servers.
|
Well I'm not so sure about what other hosting providers use but I've never encountered these problems with any of them.
Also, I absolutely understand the need for security but when it takes me hours to realize what is a scripting error on my part and what is a security measure, then it gets a bit counter productive.
I suppose I could interpret any 'weirdness' that happens as a security measure and go whine to technical support just to save time but I respect their time and I expect them to respect my time as well.
|

02-12-2008, 21:43
|
|
Junior Member
|
|
Join Date: Dec 2008
Posts: 10
|
|
Now they tell me that they cannot change a setting that limits my scripts to only 25 upload files and suggest that I switch to VPS or dedicated hosting if this limitation bothers me.
I guess I'll have to cancel my account. Certainly cheaper than reworking my CMS.
Oh well...
|

02-12-2008, 21:54
|
 |
Premium Member
|
|
Join Date: Mar 2007
Location: 127.0.0.1
Posts: 1,646
|
|
Quote:
Originally Posted by vladimir
Now they tell me that they cannot change a setting that limits my scripts to only 25 upload files and suggest that I switch to VPS or dedicated hosting if this limitation bothers me.
I guess I'll have to cancel my account. Certainly cheaper than reworking my CMS.
Oh well...
|
Hi there,
Please wait for a while and I'll have Mark reply to this thread.
|

02-12-2008, 21:59
|
|
Junior Member
|
|
Join Date: Dec 2008
Posts: 10
|
|
Quote:
Originally Posted by flesso
Hi there,
Please wait for a while and I'll have Mark reply to this thread.
|
Ok, thanks. I wasn't really going to cancel like right now, you know.
The problematic setting is
suhosin.upload.max_uploads = 25
And I wouldn't whine about it but I've never encountered this limitation before (who uses suhosin anyway?) and it seems completely arbitrary and unnecessary plus I find it hard to believe that it cannot be changed locally as the tech support said.
|
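As an added example (not part of any post in this thread and not eUKhost's code), this is one way an upload handler can report a file-count cap such as `suhosin.upload.max_uploads` instead of failing silently. The `expected_files` form field and the function names are hypothetical, and the sample data is constructed.

```php
<?php
// Added example: explain a truncated multi-file upload instead of failing silently.

/** Count files PHP actually kept, including array fields such as photos[]. */
function count_received_files(array $files): int
{
    $n = 0;
    foreach ($files as $field) {
        $names = (array) $field['name'];
        array_walk_recursive($names, function ($name) use (&$n) {
            if ($name !== '') {
                $n++;
            }
        });
    }
    return $n;
}

/** Per-request file-count limits in force on this server. */
function active_upload_limits(): array
{
    $limits = [];
    // max_file_uploads is PHP's own limit (PHP 5.2.12 and later).
    foreach (['suhosin.upload.max_uploads', 'max_file_uploads'] as $key) {
        $value = ini_get($key); // false when the directive is not registered
        if ($value !== false && (int) $value > 0) {
            $limits[$key] = (int) $value;
        }
    }
    return $limits;
}

/** Return one message per limit that explains a shortfall. */
function diagnose_upload(int $expected, int $received, array $limits): array
{
    $messages = [];
    foreach ($limits as $key => $limit) {
        if ($received < $expected && $received <= $limit && $expected > $limit) {
            $messages[] = "$key = $limit: form sent $expected files, PHP kept $received";
        }
    }
    return $messages;
}

// Constructed sample: a gallery form that sent 40 photos to a server capped at 25.
$files  = ['photos' => ['name' => array_fill(0, 25, 'img.jpg')]];
$limits = ['suhosin.upload.max_uploads' => 25]; // real handler: active_upload_limits()
// Real handler: $files = $_FILES; $expected = (int) ($_POST['expected_files'] ?? 0);
foreach (diagnose_upload(40, count_received_files($files), $limits) as $msg) {
    echo $msg, PHP_EOL;
}
```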

02-12-2008, 22:03
|
 |
Linux Support Team(eUKhost.com)
|
|
Join Date: Aug 2007
Posts: 125
|
|
Hello,
Apologies for the inconvenience caused in this regard.
There are a few suhosin parameters whose values we won't be able to increase or vary in the server-side settings. But the suhosin.upload.max_uploads setting can be varied without causing any security problem.
However, I have increased it on the server to 100 as you requested in your support ticket. Please try uploading the files again. You won't face this problem now.
__________________
Regards,
Victor,
Support Team.
|

02-12-2008, 22:03
|
|
Junior Member
|
|
Join Date: Dec 2008
Posts: 10
|
|
Wow, you guys work fast. Problem solved!
Now let's forget my whining.
|

03-12-2008, 09:32
|
 |
Premium Member
|
|
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 6,348
|
|
Just to add that mod_security (and to my knowledge suhosin) have been implemented on all eUKhost's shared servers since I have been a customer here (which is over 2 years) and from other forum posts when I first joined, a long time before that.
mod_security especially is considered an absolute must by any reputable hosting company that I have ever heard of and the hardening of PHP is done to prevent malicious code being executed on the server which would at best damage your account and at worst destabilise the whole server.
Glad that you have got your problem sorted.
|

03-12-2008, 20:40
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 5,641
|
|
You can check some leading Webhosting Discussion forums as well as forums of the opensource CMS and portal makers. You will see many upset members on their forums complaining about vulnerability in the code of respective CMS and the makers of those CMS's are left clueless for all those hacking problems.
There's a similar thread on WHMCS forum where many customers got hacked and information was stolen from their WHMCS. Losing critical information of your customers can create big problems for you.
You can face similar problems in future if you leave all php functions open on your web server or keep mod_security disabled for your website. Try and get rid of the CMS in future as you should not stick to something which can't work with mod_security and disabled php functions which can result in hacking or injection of your website.
__________________
UK Web Hosting || Business Hosting || eUKhost Knowledgebase
Toll Free : 0808 262 0255 || MSN : mark @ eukhost.com || AIM : eukmark
A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
__________________________________________________
Great Opportunity :: Join our Affiliate Program for FREE and earn 20% commission on each referral.
|

03-12-2008, 21:20
|
|
Moderator
|
|
Join Date: May 2007
Location: Newport, Wales
Posts: 987
|
|
You'll find mod_security and Suhosin on a lot of web hosts' servers, it's certainly not uncommon. In fact, I run both of these on all of my servers, and I'd be extremely concerned if I didn't. If they're not enabled and configured properly, the web host is potentially putting its customers' websites and the server at risk.
|

04-12-2008, 10:31
|
 |
Premium Member
|
|
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 6,348
|
|
Overall, the general consensus is, it's not paranoid security, it's extremely poor software development.
Would you, as a business, buy the next version of Windows if they removed passwords, encryption, security centre, Windows Defender, all virus software etc just to satisfy every bit of poor software out there that can't run with such standard features?
|

04-12-2008, 14:35
|
|
Junior Member
|
|
Join Date: Dec 2008
Posts: 10
|
|
Quote:
Originally Posted by DPS Computing
Would you, as a business, buy the next version of Windows if they removed passwords, encryption, security centre, Windows Defender, all virus software etc just to satisfy every bit of poor software out there that can't run with such standard features?
|
mod_security and suhosin are standard features? Are you serious? Since when? And how come neither shows up in phpinfo() on any other hosting service that I have access to?
How is being able to simultaneously upload more than 25 files extremely poor software development? How many should be the maximum and why exactly that number? It's a photo gallery! And what is the risk in generating an error so I know what the problem is instead of wasting hours of my time?
And what is so incredible about allowing URLs to be sent via POST by default? No, I had to spend hours to figure out it's just mod_security restrictions.
Look, I don't mind the security and I was willing to forget hours of wasted time but what you're saying is I'm a newbie idiot because I don't know the default limitations of every esoteric webserver extension that's out there. Are you serious?! GD is standard, PCRE is standard, suhosin and mod_security are not.
To the moderator: if you're reading this, you'll be doing everyone a favour by deleting this thread.
|

04-12-2008, 15:27
|
 |
Premium Member
|
|
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 6,348
|
|
Quote:
Originally Posted by vladimir
mod_security and suhosin are standard features? Are you serious? Since when? And how come neither shows up in phpinfo() on any other hosting service that I have access to?
How is being able to simultaneously upload more than 25 files extremely poor software development? How many should be the maximum and why exactly that number? It's a photo gallery! And what is the risk in generating an error so I know what the problem is instead of wasting hours of my time?
And what is so incredible about allowing URLs to be sent via POST by default? No, I had to spend hours to figure out it's just mod_security restrictions.
Look, I don't mind the security and I was willing to forget hours of wasted time but what you're saying is I'm a newbie idiot because I don't know the default limitations of every esoteric webserver extension that's out there. Are you serious?! GD is standard, PCRE is standard, suhosin and mod_security are not.
|
I am. If you give me the names of these web hosts I will be happy to investigate this issue with them and report back to you. I believe that there will be some kind of security software equivalent to mod_sec if not mod_sec itself.
I'm not saying that specific thing is necessarily a security risk - I also cannot comment on every single restriction that mod_sec or suhosin has.
Well it is tough sometimes, I can understand that you find this frustrating. If you prefer I'm sure eUKhost will migrate you to their non-secure server where you will not run into such problems.
And I was in no way implying or saying that you were an idiot - all any of us ever try to do is merely explain things.
With such respected publishers and experts such as O'Reilly - Introducing mod_security | O'Reilly Media - recommending its use and stating that it is essential to have security, whether it be mod_security or an equivalent I would count it as essential.
My intentions are not to offend you, we are all trying to help.
|

04-12-2008, 16:07
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 5,641
|
|
Just take a look at WHMCS forum or check WHT for all threads with subject *hacked*. All those resellers hosted with different hosting companies got hacked as their hosts had no mod_security or disabled php functions.
Check our forum and let me know what was the date when someone reported a hacking problem?
We have expertise in security of servers and that's the only reason our shared and reseller hosting customers feel safe with us. We don't spare hackers when we see failed hacking attempts from the access logs on our servers.
We don't add these security modules to trouble you. All these security settings are done to prevent your websites from any possible injection or hacking attempt.
|

04-12-2008, 18:32
|
|
Junior Member
|
|
Join Date: Dec 2008
Posts: 10
|
|
Why not have your tech support make a note every time someone has a problem with certain security restrictions and then use the notes to compile a troubleshooting document that all new customers will be pointed to:
Note that our hosting servers use mod_security and suhosin extensions. Please familiarize yourself here and here with the security limitations these extensions enforce.
Then whiny customers like me wouldn't have anything to complain about. I always RTFM
Again, I have no problem with security if I'm aware of it.
|

04-12-2008, 20:14
|
 |
Chief Marketing Officer
|
|
Join Date: Sep 2005
Posts: 5,641
|
|
Quote:
Originally Posted by vladimir
Why not have your tech support make a note every time someone has a problem with certain security restrictions and then use the notes to compile a troubleshooting document that all new customers will be pointed to:
Note that our hosting servers use mod_security and suhosin extensions. Please familiarize yourself here and here with the security limitations these extensions enforce.
Then whiny customers like me wouldn't have anything to complain about. I always RTFM
Again, I have no problem with security if I'm aware of it.
|
Hi Vladimir,
I will talk to our CTO and see if his team members can assist us to make such a document for new customers. Customers use many different CMS's, portals, blogs, guestbooks and many different open source scripts which encounter different types of problems due to mod_security or disabled php functions.
Compiling a document for customers using all types of open source scripts will be a difficult task, but I will try to find out some solution as we will need to reduce support ticket and chats next year when signups will get accelerated.
Thanks for your valuable suggestion.
|

05-12-2008, 00:07
|
 |
Premium Member
|
|
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 6,348
|
|
I agree, that is a good suggestion Vladimir. That way if new customers feel comfortable enough to read it and get involved in that way they can and for customers who are not that technically gifted they can skip it.
I hope that you can understand that the security measures are only there to help you (& the rest of us).
|