cPanel WHM Fantastico Warnings

[Chris]

Does fantastico have a new version checking system active?

For the past week I have been receiving daily emails regarding multiple packages which are available for upgrade e.g. Nuke, Wordpress, Coppermine etc. Since I have several domains with these packages I receive multiple emails every day !

How important are these upgrades? Is there some way to acknowledge the emails so that I don't have to keep deleting them, or is upgrade of all these packages really mandatory??

regards
Chris.

[eUKhost.com]

Hello Chris,

Even I am getting many such notifications as it seems that cpanel has included this feature in cpanel 11 and it is recommended to keep your softwares updated to avoid any sort of security issues with the older version.

If you wish to disable this notifications then you will need to remove your email address from the contacts manager of your cpanel control panel.

[247h]

Quote:

Originally Posted by eukhost.com

...remove your email address from the contacts manager of your cpanel control panel.

I presume you mean WHM Contacts Manager? That seems to be too much of an extreme kludge for my liking — what about all the other notifications you might want to receive?

There seems to be no way to defeat or switch off these Fantastico notifications presently, so the solution I'm intending to adopt is to create and use one specific receipt address entered in every account's cPanel > Fantastico > Email Notifications option box — if you leave it empty the notifications get delivered to the accountname@domain address. Then it should be a matter of filtering them for deletion or whatever ...

[Chris]

Yes - that sounds more like it, thanks. I guess I should also do some research to find out whether any of the suggested upgrades are important ... but as your footer rightly says - its always a question of time ...

[DPS Computing]

You could always filter your emails using a simple rule as well - filter then to another folder or whatever from a certain email address (which the notifications are coming from) and then deal with them when you have the time or have the ones about the updates automatically discarded based on content.

Hope that helps .

[247h]

Quote:

Originally Posted by 247h

...There seems to be no way to defeat or switch off these Fantastico notifications presently, so the solution I'm intending to adopt is to create and use one specific receipt address entered in every account's cPanel > Fantastico > Email Notifications option box — if you leave it empty the notifications get delivered to the accountname@domain address. Then it should be a matter of filtering them for deletion or whatever ...

Well, having implemented my suggestion last night it made no difference to the resultant emails received this morning — they didn't get delivered to one chosen mailbox — maybe I should have restarted Exim or something ...

Anyway, upon further investigation I discovered that for those that have root access, using WHM > Add-ons > Fantastico De Luxe WHM Admin > Updates & Notifications, one can now add all User accountnames wishing to be exempt, in a list, or similarly, by domain names. I've chosen to turn off 'Outdated Installations Notification for the Users', globally, for the time being ...

So for those of you that are Resellers or on Shared Hosting, you will have to request these changes of eUKhost or your root administrator. I'll report back tomorrow if this doesn't work as anticipated ...

[eUKhost.com]

I wont prefer to get those disabled

Hopefully people will upgrade their installations after getting bugged daily

[247h]

Quote:

Originally Posted by eukhost.com

...Hopefully people will upgrade their installations after getting bugged daily

Upgrading immediately doesn't always suit everyone Mark — there are often times when users have customised their scripts and/or have plugins installed that they rely on which do not necessarily work with an upgrade. It can take weeks/months to overcome some of these hurdles, or it's too risky to just jump in and upgrade — having said that, the versions available in Fantastico have always lagged behind what's currently available.

Many of my scripts have been modded, or when I installed them were newer than the Fantastico version, so that now, Fantastico is unable to upgrade them automatically — BTW, this is another way to circumvent Upgrade Notifications, 'cos you don't always get them if the script isn't recognised!

[eUKhost.com]

some scripts like Nuke, Joomla or Mambo make major problems for the server if they are not updated on time. People manage to reduce expenses with this scripts but one cannot trust code of this scripts as they are not designed with security view.

Online marketing companies have become more aggressive this days and Millions of Dollars are spent by this people to find new ways of mass injections in websites. We have somehow managed to keep this groups away from our servers with a severe punishment for them but one cannot predict what other methods they will find to boost their business.

Last time we got their domain disabled from registry of ICANN but this time they used a different domain which was redirecting to another URL. They wont stop their Research work so we should not stop with 1 version of a open source script for long time. find a solution to automatically readd your mods back to the installation after you upgrade the backend scripts.

[247h]

Quote:

Originally Posted by eukhost.com

some scripts like Nuke, Joomla or Mambo

Would you care to be more specific about their weaknesses and, if necessary, not here in public if it's too sensitive?

I have no idea about Nuke but have read it's poor, security-wise. Similarly so has been phpBB (which I'm surprised you haven't mentioned), but am surprised about Mambo and Joomla as I've used both and have not found any issues — that's not to say there haven't been some, but I don't recall reading email alerts regarding these or from my occasional visits to their forums and websites.

However I have now downloaded Joomla Tools Suite and Mambo Security Check and am finding them very useful.

[DPS Computing]

Joomla! - No issues!?!?!?!?! - That has to be a first.

From what people are telling me as well as my own experience Joomla is the worst script in the world for security! - and always has been!

[247h]

Let's have less bluff'n'bluster and a few hard facts please? I'm perfectly willing to listen to reasoned argument and I'm sure that I've run (and am still running) Joomla and Mambo websites at least as long as you have but I've not encountered a single security issue. I concede I may have been unusually lucky, but that in itself is a rarity regarding my personal webhosting experiences ...

I'm equally bemused by the flak that is posted on the Joomla forum where the designers and people qualified to comment suggest in the vast majority of cases that it's not down to Joomla per se, but server settings, so who does one believe?

I didn't pay a huge amount of attention to all the debate on here a while ago in which at least one of eUKhost's servers was compromised, so I imagine from Mark's gripes in this thread that he's had some bitter experience and has chosen to remind us — the question is, were YOU affected in the same way ('cos you were on the same server)? I guess I'll satisfy my own curiosity now by trawling back through those threads ...

[eUKhost.com]

Most of the Content Management Systems need you to set 777 permission on certain directories to which they can write and when you make new pages from the CMS those are stored in those directories.

When you set 777 permission to a directory which is accessible from browser then any kid in the world can execute commands from browser to write to those directories. They can upload scripts on the server as well as in /tmp

You should not forget that /tmp has 777 server already set on it so if someone manages to upload in this directory then rest of the things are quite for them to continue. They can run DDoS scripts, spamming scripts, port scanning, ftp injections, Iframe Injections, Brute Force attack, Binaries and Libraries modifications, password decryption and many more things that you must have never heard so far.

You are lucky so far as they have not reached any of the websites hosted on your server. it would be late to install mod_security at that time and tweak php.ini as well as some other server side settings.

You submit many tickets for small small things but there has been no ticket ever from you for security of your server. our guys have expertise in that department so it takes no time to put a ticket and get certain things done from them. Its but obvious that some websites may face problems and those will be needed to be sorted but there's no need to Fume on those problems. Minor problems don't create any threat for your business while security flaws do so.

[247h]

Thanks for the further advice Mark — I see I will need to make some changes and I am already considering/actioning these. Nevertheless I feel that there's been a lot of bad experiences attributed to these scripts that wasn't justified.

We have rather strayed off-topic now so I'll leave it at that ...

[DPS Computing]

Quote:

Originally Posted by 247h

Thanks for the further advice Mark — I see I will need to make some changes and I am already considering/actioning these. Nevertheless I feel that there's been a lot of bad experiences attributed to these scripts that wasn't justified.

We have rather strayed off-topic now so I'll leave it at that ...

True - needless to say that obviously Joomla is the cause of its own security problems due to its own permission settings. So, yes of course I blame Joomla and not the server - it has been proven. As far as I understand it if you fully secure the server Joomla! has certain problems running. Maybe your websites haven't recieved that much attention yet, but when they do they will likely face problems (as many customers have found out in a bad way).

And of course Joomlas designers arn't going to admit that its Joomlas fault for the issues - they'll blame your host if it saves there own skin!!

Microsoft tell us every week that its "not Windows" but the "computer that your using to run it" - and how many of us believe that!?!

[eUKhost.com]

Quote:

Originally Posted by DPS Computing

True - needless to say that obviously Joomla is the cause of its own security problems due to its own permission settings. So, yes of course I blame Joomla and not the server - it has been proven. As far as I understand it if you fully secure the server Joomla! has certain problems running. Maybe your websites haven't recieved that much attention yet, but when they do they will likely face problems (as many customers have found out in a bad way).

And of course Joomlas designers arn't going to admit that its Joomlas fault for the issues - they'll blame your host if it saves there own skin!!

Microsoft tell us every week that its "not Windows" but the "computer that your using to run it" - and how many of us believe that!?!

I'll close this thread David

If Roger comes online and gets to this thread then things will be difficult for you