
SSH Disabled on all linux VPS's


  • SSH Disabled on all linux VPS's

    I was surprised to find out today that SSH had been disabled on all of our VPS's. No notification, and for the most ridiculous reason I can see possible.

    Apparently, eUKhost have disabled it on all of their customers' servers because a small minority of customers are negligent in their own security. For some reason, eUKhost feel the need to impact service for everyone due to a few customers.

    Disabling SSH actually broke the order form on our website, and as a result we have lost orders. Fortunately, I have been able to re-enable SSH myself to fix this issue, but I am extremely annoyed to find that eUKhost have made unauthorised changes to the servers.
    Last edited by WelshTom; 18-03-2012, 19:11.

  • #2
    SSH access restricted on Virtuozzo Virtual Private Servers

    Dear customers,

    For better security of our customers' servers, we have decided to restrict SSH access on all Virtuozzo Virtual Private Servers. We have relayed this via the eUK-Status website (which can also be seen via the eUKhost Client Area), but we're posting this here just to make sure customers are aware of this.

    If you have a static IP, you can request our support staff to add your IP to the server allow list. However, we understand this is more inconvenient for customers who have dynamic IPs, but we are concerned about the security of our customers' servers, which is why we have decided to implement this security change.

    You can also add your server via the Host Access Control section of Web Host Manager (WHM). Simply log in to your server's WHM interface, search for Host Access Control and add your IP address for sshd. Please note if you have a dynamic IP, you'll have to do this each time your IP changes - make sure to remove your old IP from the access list afterwards.



    We apologise for any inconvenience caused to our customers as a result of this change.

    Kind regards,
    Ben Stones.



    • #3
      Hi Thomas,

      I am really sorry for the inconvenience this has caused you. We had published a blog post stating why we have restricted SSH access on all Virtuozzo Virtual Private Servers, but I have to say we really should have notified customers about this beforehand (which I will be talking to the Managing Director about), and I sincerely apologise to any customers who have been affected by this as a result.

      I have just posted a thread on the forum for customers to be able to add their IP to their server's allow list without having to contact us.

      I apologise for the inconvenience caused to you Thomas.

      Kind regards,
      Ben.



      • #4
        This is absolutely bloody ridiculous! How the hell do you think you can disable the principal access to your clients' servers and not give them proper notice?!?!?!??!? Whichever moron came up with this idea should be sacked.

        We have lost business because of this change - something eUK doesn't seem to give a damn about. We've also had our clients complaining who can't access stuff. No bloody wonder.

        Posting something on your support site which relates to something which is so vital is NOT sufficient.

        Frankly, this kind of service is what I've come to expect from eUK. Completely incompetent doesn't even come close.

        eUK - sort this mess out. NOW. Or we'll be going elsewhere.
        Jonathan Crass
        Joint Partner in Checker Design
        Joint Partner in Jst Hosting





        • #5
          "The customer who has static ip address for internet connection can contact support department and request to add appropriate ip in the server’s allow list"

          So what about a significant number of your clients who will be connecting from:
          a) Multiple locations
          b) Dynamically assigned IP address (i.e. most of the ADSL connections in the UK, wireless devices using mobile networks)

          Neither have a static IP. So you're now saying they can't use the service they've bought?!??!?!
          Jonathan Crass
          Joint Partner in Checker Design
          Joint Partner in Jst Hosting





          • #6
            Originally posted by jc8654
            "The customer who has static ip address for internet connection can contact support department and request to add appropriate ip in the server's allow list"

            So what about a significant number of your clients who will be connecting from:
            a) Multiple locations
            b) Dynamically assigned IP address (i.e. most of the ADSL connections in the UK, wireless devices using mobile networks)

            Neither have a static IP. So you're now saying they can't use the service they've bought?!??!?!
            Hi Jonathan,

            I can understand your frustration Jonathan and I have to say I am not impressed technicians hadn't notified every Virtuozzo VPS customer in advance of this change. I have contacted John and Mark regarding this. I absolutely agree with you, most ADSL connections have dynamically assigned IP addresses which will cause a major inconvenience with customers having to have their IP added to the server allow list every time their dynamic IP changes.

            Customers do not need to contact us and wait for us to add their IP to their server allow list, they can do this via the Host Access Control section of WHM.

            I can't stress enough that I can fully understand that it is unacceptable for this change to have occurred without notifying in advance, and I am really sorry for the unacceptable inconvenience this has caused.

            Please understand this change was implemented because some of our customers' virtual private servers have been compromised and were running DDoS scripts, and so we had decided to implement this change for the security of our customers' servers.

            I will have John respond to this thread as soon as possible.



            • #7
              If there'd been notice Ben, there would have been no downtime. We already have our servers way more secure than this change makes them. If we'd known, we'd have gone "don't touch them, we've done it ourselves". Instead - we have to run around fixing a mess caused by eUK technicians.

              Annoyed doesn't even come close...
              Jonathan Crass
              Joint Partner in Checker Design
              Joint Partner in Jst Hosting





              • #8
                Originally posted by jc8654
                If there'd been notice Ben, there would have been no downtime. We already have our servers way more secure than this change makes them. If we'd known, we'd have gone "don't touch them, we've done it ourselves". Instead - we have to run around fixing a mess caused by eUK technicians.

                Annoyed doesn't even come close...
                Jonathan, I can understand what you're saying and I can understand it has affected your confidence with us. It was an urgent decision once we found DDoS scripts running on some of our customers' compromised VPS's.



                • #9
                  Originally posted by Ben
                  Customers do not need to contact us and wait for us to add their IP to their server allow list, they can do this via the Host Access Control section of WHM.
                  So what about those that don't have cPanel/WHM? It is an 'optional extra' after all. How do they access their servers so they can get the access back the eUK 'support' staff removed?

                  Jonathan Crass
                  Joint Partner in Checker Design
                  Joint Partner in Jst Hosting





                  • #10
                    If a client doesn't have cPanel/WHM then he will have to contact us to get his IP added. He can contact us via Live chat or Email or Phone support at any point of time and we will get that IP added for him, so that he can access his server via SSH using that particular IP.



                    • #11
                      Thankfully this doesn't affect me (yet?) but I can assure you that if my Virtuozzo VPS Clouds from my US-based supplier tried this 'trick', I'd move provider very quickly!

                      IMHO, you are going about this entirely the wrong way, to improve security:
                      • Clients sign up for (free) dynamic dns resolver service.
                      • Impose the use of CSF.
                      • Impose a change of SSH port
                      • Add client dDNS entries

                      This gets around the widespread use of ADSL and improves overall security on the servers, regardless of whether cPanel is in use or not. CSF has a GUI for a number of control panels, plus it can be relatively easily managed from a command prompt (assuming that you can 'shell in' in the 1st place!).

                      [Example: http://www.no-ip.com/services/manage...namic_dns.html - this is NOT an endorsement, just a site for someone to try, in case they are struggling to find a service.]

                      A sample script that might be used, along with dDNS hostname
                      Code:
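                      #!/bin/sh

                      # Resolve the dynamic DNS hostname to its current IPv4 address(es)
                      webclient=`host -t A my.hostname | awk '/has address/ {print $4}'`
                      for ip in $webclient; do
                        # Allow inbound SSH from each resolved client address
                        iptables -I INPUT -p tcp --dport ssh --source "$ip" -j ACCEPT
                      done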
                      Not to be used verbatim but as a basis for something automated - the iptables acceptance list would grow in time and would require pruning of past IP addresses.
                      Last edited by ejsolutions; 18-03-2012, 23:44. Reason: Sample idea
                      Managed osCmax hosting
                      (I'm not social )
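
Added example, not part of the post above and not eUKhost's configuration: one way to handle the pruning the post mentions is to keep the dDNS addresses in a dedicated chain that is flushed and rebuilt on each run. The chain name SSH_DDNS, the SSH_PORT variable and the --apply flag are assumptions of this example; DNS answers are validated before they reach a firewall command, and a failed lookup leaves the existing rules in place instead of locking the client out.

```shell
#!/bin/sh
# Added example: dDNS-driven SSH allow list kept in its own chain (assumed name SSH_DDNS).
# One-time setup as root (port 22 assumed; change it if sshd listens elsewhere):
#   iptables -N SSH_DDNS
#   iptables -I INPUT -p tcp --dport 22 -j SSH_DDNS
CHAIN=SSH_DDNS
SSH_PORT=${SSH_PORT:-22}

# Accept only dotted-quad IPv4 with octets 0-255; DNS answers are untrusted input.
is_ipv4() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  rest=$1 count=0
  while [ -n "$rest" ]; do
    octet=${rest%%.*}
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    count=$((count + 1))
    case "$rest" in *.*) rest=${rest#*.} ;; *) rest= ;; esac
  done
  [ "$count" -eq 4 ]
}

# Read candidate addresses on stdin and print the commands that rebuild the chain.
# Flushing first is what prunes addresses the hostname no longer resolves to.
build_rules() {
  valid=$(sort -u | while read -r addr; do
    if is_ipv4 "$addr"; then echo "$addr"; fi
  done)
  # Failed or empty lookup: print nothing so the existing rules stay in place.
  [ -n "$valid" ] || return 1
  echo "iptables -F $CHAIN"
  for addr in $valid; do
    echo "iptables -A $CHAIN -s $addr -p tcp --dport $SSH_PORT -j ACCEPT"
  done
}

# Usage (root, needs the `host` tool): script --apply my.hostname [other.hostname ...]
if [ "${1:-}" = "--apply" ]; then
  shift
  for name in "$@"; do host -t A "$name"; done |
    awk '/has address/ {print $4}' | build_rules | sh
fi
```

Run from cron, this keeps the chain equal to the hostname's current addresses; SSH traffic that matches no entry returns to INPUT, so a later rule there still has to reject it.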



                      • #12
                        Originally posted by Rossie
                        If a client doesn't have cPanel/WHM then he will have to contact us to get his IP added. He can contact us via Live chat or Email or Phone support at any point of time and we will get that IP added for him, so that he can access his server via SSH using that particular IP.
                        So basically you're saying that they have to waste five minutes while one of your support team goes and makes the changes on his server... A server they should be able to access how they want to begin with... It is what they are paying for!

                        Sounds like a brilliant bit of thinking there....
                        Jonathan Crass
                        Joint Partner in Checker Design
                        Joint Partner in Jst Hosting





                        • #13
                          And to be frank, surely by the fact that anyone can undo the changes you're doing themselves makes this whole process even more ridiculous!
                          Jonathan Crass
                          Joint Partner in Checker Design
                          Joint Partner in Jst Hosting





                          • #14
                            Originally posted by jc8654
                            ... to waste five minutes while one of your support team goes ...
                            Is that the part in Live Chat that starts "One moment please, I'm looking into this"? Twenty minutes might be a more average timescale to complete the update, from my experiences.

                            A very ill-conceived idea that will hopefully be remedied soon - with an unabridged apology for the inconvenience. One hopes.
                            Last edited by ejsolutions; 18-03-2012, 23:05. Reason: typo
                            sigpicManaged osCmax hosting
                            (I'm not social )



                            • #15
                              And if you find:
                              1. the lack of notice regarding this change unacceptable or
                              2. this restriction disrupts your service


                              see http://forums.eukhost.com/f29/ssh-di...diculous-16736.
                              Jonathan Crass
                              Joint Partner in Checker Design
                              Joint Partner in Jst Hosting


