GoFuckYourself.com - Adult Webmaster Forum


JFPdude 02-22-2005 06:02 AM

Adult Web Hosting Security - Are webmasters Hurting themselves? (long post)
 
By: JFPDude


Ever worry about your server being hacked? Ever hear of someone who was? What are the reasons behind such hacks? What steps can be taken to prevent these hacks?

I have seen more and more posts on the boards with topics like "Hosting need with cpanel" or "Need hosting with control panel". These posts concern me and should concern you if you are an adult webmaster. My purpose for writing this is to inform webmasters that they are hurting themselves.

Being an adult webmaster you're selling a product everybody wants. From the minute man found out about women there has been an unmistakable urge to see and fantasise more. Knowing this, as an adult webmaster the product that you're selling has to be secure. The public wants your product more than they want money. This is a proven fact: more adult web servers get hacked than financial institutions.


What are the causes of some of these hacks? Well, more than most it is these control panels that every webmaster wants. Why do webmasters want these control panels? Well, hosts drove them to this product. Between hosts that didn't respond to customer tickets for days or even weeks at a time, never answered their emails or phone calls, and were basically understaffed for the number of customers they had.

Adult webmasters work long hours and sometimes off the wall hours due to the products they are pushing. No webmaster wants to make any changes during the day due to the fact that they may lose a sale. Therefore they require more attention to their needs at night. This fact drove the industry towards these off the shelf control panels.

How secure are these control panels? Any software that controls the complete server is insecure. It's another break-in point. Beyond that, take for example you own xyz.com and someone else on your shared server owns zyx.com. Both of you have access to the control panel. Both of you have access to manipulate the way your site works in apache and bind (dns). Say webmaster A that owns xyz.com mistakenly adds his domain as zyx.com? What happens then? He takes control of your domain is what happens. He has just shut your domain down and taken control. He now controls the complete dns, mail, site, and all.

This is why most of the larger hosts and experienced hosts don't offer a control panel. They know the havoc it can cause. However webmasters are either unaware of this fact or misinformed as to what can really happen. This is why they offer support in the form of a ticket system. This is more secure for your domains than the control panel system. However it also raises the overhead for the hosting company. Sure, company A that's selling you an account with a control panel can sell to you much cheaper because 80% of the labor is being done by you and not some tech. While company B has to have full time techs on staff just to do domain adds and email changes.

Outside of that the control panel is another avenue for a hacker to get into your system. One more point of entry. Every point of entry to a system is another vulnerability for a hack. In a world where we demand 24 hour support 7 days a week many find it easier to just go with the control panel and not bother the host. But is this the best thing for your company and business?

Unfortunately it has come to the point where even experienced hosts have had to install control panels to meet customer needs. Because the webmasters demand them a lot of hosts swallow pride and give in to the vulnerabilities of the control panel in order to sell bandwidth and recurring accounts.

Being in the field of server security this is one of the first things I tell my customers not to look for in a host. I advise them to make sure their server has no control panel on it at all. Hopefully this article will enlighten you to the dangers of control panels and allow you to run a more secure business. If I keep one person from having their sites taken down due to another webmaster's mistake then I have done my job.

If this has been of interest to you or if you would like to make comments to me about it hit me up on ICQ at 44-33-144.

Thanks,
JFPDude

chemicaleyes 02-22-2005 06:29 AM

Nice post, a good read.. bump for others to read.

emthree 02-22-2005 06:31 AM

I've had something similar like that happen to me in the past ... But it was in the reverse.
I had control of someone's domain content through one of my domains held in a smaller account.

My site was new, and the other person's domain was a PR3, which led him to own all of my SE rankings to my fresh single digit pages. Luckily it was just a random bs page, and not something important. :helpme

JFPdude 02-22-2005 06:58 AM

Thanks for the comments.

darksoul 02-22-2005 07:20 AM

What you forgot to mention is that cpanel (cpanel.net) checks before adding
a domain and won't allow someone to add a domain if it's already added to
the server. So it's not so easy to hijack a domain.
Automation of things means smart work. Sure you could run the old way
where you have your staff add every e-mail or database or domain or whatever.
But as we all know computers/programs don't make mistakes, humans do.
And let's face it, even the hosts that don't offer a control panel have scripts
that do most of the configuration and not configure everything manually.
As for control panels being a security issue, mind you, but you should be aware
that to date most vulnerabilities are in the scripts people use and not in
control panels.
Every software is insecure. Windows being one of them. Do we stop using it?
No. There are many companies that use it for hosting their sites or other stuff
and have qualified staff that know how to secure it.
The hacks that happen these days are because of people that don't know
what the heck they're doing and not because of the software they're using.
And this is exactly what control panels try to do, make it easy for everyone.
Obviously there are cases where you don't need a control panel, shared
environments is not the case tho.
You being in the server security field makes me smile because,
how long has it been? 3-4 years ago? I was teaching you how to configure bind.
If it only takes that little to be in the server security field I bow to you.

Sure, your article is a good selling one but surely not more than that.
I may not be as good as you at using words but I sure know what the heck I'm talking about.
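
The xyz.com/zyx.com collision from the opening post and the "check before adding a domain" described in the reply above, as an added example that is not part of the thread and is not cPanel's code. The account names, function names and sample fragments are constructed for illustration, and the subdomain refusal goes beyond the exact-match check the reply describes.

```python
import re
from collections import defaultdict

DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$", re.I)
ZONE = re.compile(r'^\s*zone\s+"([^"]+)"', re.I)

# Constructed sample: each account's Apache and BIND fragments, concatenated.
# Account names are hypothetical; the domains are the ones used in the thread.
CLEAN = {
    "webmaster_a": """
<VirtualHost *:80>
    ServerName xyz.com
    ServerAlias www.xyz.com
</VirtualHost>
zone "xyz.com" { type master; file "db.xyz.com"; };
""",
    "webmaster_b": """
<VirtualHost *:80>
    ServerName zyx.com:80
    ServerAlias www.zyx.com
</VirtualHost>
zone "zyx.com" { type master; file "db.zyx.com"; };
""",
}
# Same server after webmaster_a's mistaken entry went in unchecked
# (the stray directive is appended to the fragment for brevity).
BROKEN = dict(CLEAN, webmaster_a=CLEAN["webmaster_a"] + "ServerAlias ZYX.com.\n")


def normalize(name):
    """Lower-case; drop scheme, port and trailing dot ('ZYX.com.:80' -> 'zyx.com')."""
    name = re.sub(r"^[a-z]+://", "", name.strip().lower())
    return name.split(":", 1)[0].rstrip(".")


def claimed_names(config_text):
    """Every hostname (ServerName/ServerAlias) or zone a fragment claims."""
    names = set()
    for line in config_text.splitlines():
        if line.lstrip().startswith(("#", "//")):
            continue  # skip Apache and named.conf comment lines
        m = DIRECTIVE.match(line)
        if m:
            names.update(normalize(n) for n in m.group(2).split())
            continue
        m = ZONE.match(line)
        if m:
            names.add(normalize(m.group(1)))
    names.discard("")  # e.g. the root hint zone "."
    return names


def find_conflicts(configs):
    """Audit: names claimed by more than one account -> sorted account list."""
    owners = defaultdict(set)
    for account, text in configs.items():
        for name in claimed_names(text):
            owners[name].add(account)
    return {n: sorted(a) for n, a in owners.items() if len(a) > 1}


def can_add(domain, account, configs):
    """Pre-add check: refuse a name, or a subdomain of one, owned by another account."""
    wanted = normalize(domain)
    for other, text in configs.items():
        if other == account:
            continue
        for name in claimed_names(text):
            if wanted == name or wanted.endswith("." + name):
                return False, other
    return True, None


if __name__ == "__main__":
    print(can_add("ZYX.com", "webmaster_a", CLEAN))  # refused before it is written
    print(find_conflicts(BROKEN))                    # audit after the fact
```

Comparing normalized names matters here: a raw string comparison would treat `ZYX.com.` and `zyx.com:80` as different domains and let the duplicate through.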

JFPdude 02-22-2005 07:25 AM

Quote:

Originally Posted by darksoul
What you forgot to mention is that cpanel (cpanel.net) checks before adding
a domain and won't allow someone to add a domain if it's already added to
the server. So it's not so easy to hijack a domain.
Automation of things means smart work. Sure you could run the old way
where you have your staff add every e-mail or database or domain or whatever.
But as we all know computers/programs don't make mistakes, humans do.
And let's face it, even the hosts that don't offer a control panel have scripts
that do most of the configuration and not configure everything manually.
As for control panels being a security issue, mind you, but you should be aware
that to date most vulnerabilities are in the scripts people use and not in
control panels.
Every software is insecure. Windows being one of them. Do we stop using it?
No. There are many companies that use it for hosting their sites or other stuff
and have qualified staff that know how to secure it.
The hacks that happen these days are because of people that don't know
what the heck they're doing and not because of the software they're using.
And this is exactly what control panels try to do, make it easy for everyone.
Obviously there are cases where you don't need a control panel, shared
environments is not the case tho.
You being in the server security field makes me smile because,
how long has it been? 3-4 years ago? I was teaching you how to configure bind.
If it only takes that little to be in the server security field I bow to you.

Sure, your article is a good selling one but surely not more than that.
I may not be as good as you at using words but I sure know what the heck I'm talking about.


Many good points I agree with. Now http://foundrynap.com as we have exposed is on a shared server with 150 other domains ... some of these domains were sold as dedicated boxes.

cpanel being secure and all and not doing what you claim ... how is it that the http://foundrynap.com page got changed?

darksoul 02-22-2005 07:28 AM

Quote:

Originally Posted by JFPdude
Many good points I agree with. Now http://foundrynap.com as we have exposed is on a shared server with 150 other domains ... some of these domains were sold as dedicated boxes.

cpanel being secure and all and not doing what you claim ... how is it that the http://foundrynap.com page got changed?

It's simple, it's because Magg had no fucking clue about running a server,
it's in no way related to cpanel, mind you there are close to a million servers
running cpanel. You don't see them hacked, do you?

JFPdude 02-22-2005 07:31 AM

Quote:

Originally Posted by darksoul
It's simple, it's because Magg had no fucking clue about running a server,
it's in no way related to cpanel, mind you there are close to a million servers
running cpanel. You don't see them hacked, do you?


No but out of those numbers you mentioned less than 0.01% is adult related and the rest are not really something people would want to break into.

darksoul 02-22-2005 07:42 AM

Quote:

Originally Posted by JFPdude
No but out of those numbers you mentioned less than 0.01% is adult related and the rest are not really something people would want to break into.


You'd be surprised how many adult sites run on cpanel.
AND I mentioned "shared environments" which usually means small sites.
Big sites obviously don't run cpanel. Also you're wrong again, adult is not the
most targeted industry. The most wanted things in adult are passwords
which are mostly cracked by brute force and not using vulnerabilities.
The second most wanted things from adult are e-mail lists and cc no,
but the ones that have those don't run on shared servers and I highly doubt they run cpanel.

JFPdude 02-22-2005 07:44 AM

Quote:

Originally Posted by darksoul
You'd be surprised how many adult sites run on cpanel.
AND I mentioned "shared environments" which usually means small sites.
Big sites obviously don't run cpanel. Also you're wrong again, adult is not the
most targeted industry. The most wanted things in adult are passwords
which are mostly cracked by brute force and not using vulnerabilities.
The second most wanted things from adult are e-mail lists and cc no,
but the ones that have those don't run on shared servers and I highly doubt they run cpanel.


So you're saying cpanel and plesk have no vulnerabilities? Or even just cpanel? I added plesk as it's another favorite.

JFPdude 02-22-2005 07:51 AM

Google is your friend...

Interesting reads search for:

plesk dns vulnerability
cpanel dns vulnerability
cpanel hacked
plesk hacked

I could go on and on but you get the idea.

darksoul 02-22-2005 08:09 AM

I do get the idea, you seem not to tho.
Sure they do have vulnerabilities, like any other software.
That doesn't mean we don't use it, it only means we patch it and we secure
the server properly.
If you actually read my post you'll notice I never said it's secure.
Bind and Sendmail are some of the buggiest software; you don't see everyone stop using it.
As an admin I don't recommend cpanel either especially on dedicated servers, but if
the customer really wants it, and that's what matters in the end, I do everything
to keep the server as secure as possible and not bash on control panels.

JFPdude 02-22-2005 08:13 AM

Quote:

Originally Posted by darksoul
I do get the idea, you seem not to tho.
Sure they do have vulnerabilities, like any other software.
That doesn't mean we don't use it, it only means we patch it and we secure
the server properly.
If you actually read my post you'll notice I never said it's secure.
Bind and Sendmail are some of the buggiest software; you don't see everyone stop using it.
As an admin I don't recommend cpanel either especially on dedicated servers, but if
the customer really wants it, and that's what matters in the end, I do everything
to keep the server as secure as possible and not bash on control panels.


I am not bashing control panels, I am making people aware of what they are opening their businesses up to.

If you're agreeing with what I said then it's a moot point to be arguing it, right?

TheSaint 02-22-2005 08:36 AM

I never use control panels - all my servers are hand rolled apache and sendmail. But I realize that is a real pain in the ass - with a couple domains per server maximum I can deal with it, but if I was hosting hundreds of domains per server a cp would start to look attractive.

Let's face it - 99% of adult sites don't have the resources to use non-cp hosting or pay someone else to do it. What really shocks me though is how many larger sites use a cp, that doesn't make much sense to me.

Completely agree with your post though - cp are for small sites and newbies, they have no place on large money making sites.

darksoul 02-22-2005 08:37 AM

"Ever worry about your server being hacked? Ever hear of someone who was?
What are the reasons behind such hacks? What steps can be taken to prevent these hacks?"

We're not talking about the same thing. Your post makes it look like cpanels are the fault,
I'm saying clueless people are at fault.

JFPdude 02-22-2005 08:42 AM

Quote:

Originally Posted by darksoul
"Ever worry about your server being hacked? Ever hear of someone who was?
What are the reasons behind such hacks? What steps can be taken to prevent these hacks?"

We're not talking about the same thing. Your post makes it look like cpanels are the fault,
I'm saying clueless people are at fault.

Hmm ... ok I forgot to put part 1 on that post.

because it's more than 1 part.

Thanks for pointing that out.

chemicaleyes 02-22-2005 08:46 AM

JFPdude you getting my icqs?
edit: never mind

JFPdude 02-22-2005 08:48 AM

Quote:

Originally Posted by TheSaint
Let's face it - 99% of adult sites don't have the resources to use non-cp hosting or pay someone else to do it.

I disagree with this as there are many adult hosts that will host you on a ticket system rather than a control panel affordably.


Some of these hosts have plans starting at $19.95 a month.

Fuckin Bill 02-22-2005 09:11 AM

At the least, with a control panel you know what you need to watch out for and how to secure it. If you're on a server where the host is doing everything by hand, there's a chance that host will make a mistake every single time he adds a domain, or a mysql database or an email address to the server. And if he's using his own scripts to do that stuff, you have no idea what might be going wrong in those scripts that you can't see.

As dynamic as things are right now, it's just not acceptable to have to call, or write to someone and wait every time you want to add a new domain to your account, change an email address or modify something else in your account.

Post a poll anywhere and ask how many people would prefer to submit a ticket and wait for their host to add domains for them, and how many prefer to click a button, type a name, and be on their way. I think you already know what kind of response you'll get.

TheSaint 02-22-2005 09:36 AM

Quote:

Originally Posted by JFPdude
I disagree with this as there are many adult hosts that will host you on a ticket system rather than a control panel affordably.


Some of these hosts have plans starting at $19.95 a month.

Agreed but I was talking about medium and larger sites that are invariably on dedicated servers. It takes me about 5 minutes to hand edit apache and domain files to add a domain manually, but not everyone has a Linux admin on call; hence the birth of cp.

I am always planning to put together some PHP tools that would be a cp of sorts to edit the mail, apache, and dns entries for sites - would give me most of the advantages with none of the risk.

JFPdude 02-22-2005 09:37 AM

Quote:

Originally Posted by Fuckin Bill
At the least, with a control panel you know what you need to watch out for and how to secure it. If you're on a server where the host is doing everything by hand, there's a chance that host will make a mistake every single time he adds a domain, or a mysql database or an email address to the server. And if he's using his own scripts to do that stuff, you have no idea what might be going wrong in those scripts that you can't see.

As dynamic as things are right now, it's just not acceptable to have to call, or write to someone and wait every time you want to add a new domain to your account, change an email address or modify something else in your account.

Post a poll anywhere and ask how many people would prefer to submit a ticket and wait for their host to add domains for them, and how many prefer to click a button, type a name, and be on their way. I think you already know what kind of response you'll get.


Bill please ... I don't know you personally. And I would agree many webmasters want things instant. However what about the big players? Do they do things that have to be done this second? No they have meetings and talk about strategies and all that.

Are you an expert on security Bill? Can I ask you a few questions?

What kind of router does High Country Hosting own?

What size pipe is allocated to High Country Hosting?

Do you have on site techs that are employees of High Country Hosting?

What's your spam policy? Is your server secure from spammers?

JFPdude 02-22-2005 09:38 AM

Quote:

Originally Posted by TheSaint
Agreed but I was talking about medium and larger sites that are invariably on dedicated servers. It takes me about 5 minutes to hand edit apache and domain files to add a domain manually, but not everyone has a Linux admin on call; hence the birth of cp.

I am always planning to put together some PHP tools that would be a cp of sorts to edit the mail, apache, and dns entries for sites - would give me most of the advantages with none of the risk.

ICQ me 44-33-144

JFPdude 02-22-2005 10:03 AM

No Response from Fuckin Bill at High Country Hosting ... maybe because:

He's an EV1 reseller that's running an open relay for spammers.

Test it out:

http://www.abuse.net/relay.html

for Address to test: (as host name or dotted quad) put in: mail.highcountryhosting.com

I did and the response I got was:

This host was recently tested with an anonymous test.
The host appeared to accept a test message for relay.

[Dan] 02-22-2005 10:12 AM

Gotta agree with JFPDude here, control panels are crap, open many security holes on your server and slow it down considerably. They compile all kinds of crappy modules in apache and put a bunch of weird rewriterules (needed by the panel in special cases only) that do nothing but eat memory and slow down the processing of requests.

Sounds like more and more people want a windows-like server, that is easy to manage at the expense of reliability, security and performance. Microsoft provides such products, maybe you'd be happier with them...

JFPdude 02-22-2005 10:21 AM

Quote:

Originally Posted by [Dan]
Gotta agree with JFPDude here, control panels are crap, open many security holes on your server and slow it down considerably. They compile all kinds of crappy modules in apache and put a bunch of weird rewriterules (needed by the panel in special cases only) that do nothing but eat memory and slow down the processing of requests.

Sounds like more and more people want a windows-like server, that is easy to manage at the expense of reliability, security and performance. Microsoft provides such products, maybe you'd be happier with them...


Exactly my point. Many webmasters have no clue what control panels do to their server as far as security and performance.

Thank you for putting into clearer words.

NetRodent 02-22-2005 10:23 AM

Quote:

Originally Posted by JFPdude
I would agree many webmasters want things instant. However what about the big players? Do they do things that have to be done this second? No they have meetings and talk about strategies and all that.

Some issues can be discussed to death. Other issues need to be addressed immediately. We've run our own servers since 1999 and there is absolutely no way we would go back to a ticket (or control panel) type of system.

JFPdude 02-22-2005 10:29 AM

Quote:

Originally Posted by NetRodent
Some issues can be discussed to death. Other issues need to be addressed immediately. We've run our own servers since 1999 and there is absolutely no way we would go back to a ticket (or control panel) type of system.

So you have an on staff tech?

You find that system more reliable for your business model?

Tipsy 02-22-2005 10:34 AM

Panels *can* have their uses and make life a little easier but it depends hugely on the panel. Horses for courses and all that.

For anyone insisting on buying a server with one keep clear of Ensim. It's evil shit that invades the system and makes updates to fix gaping security holes near impossible.

Personal view is that dismissing panels out of hand is daft for reasons people have pointed out already. But...unless they MUST be used try to avoid them.

NetRodent 02-22-2005 10:54 AM

Quote:

Originally Posted by JFPdude
So you have an on staff tech?

You find that system more reliable for your business model?

We have three people on staff who are competent to admin a server, although only one is tasked with that full time. We feel it's much more advantageous to control everything in house. A few advantages off the top of my head: work is done on our schedule; the techs not only understand what they have to do but also why; when planning new projects it's good to have people around with a very deep understanding of the hardware/software that it will be running on; lastly an internal tech has a much greater interest in using our resources most efficiently than one who works for a hosting company and would love to sell/lease us additional hardware.

JFPdude 02-22-2005 10:58 AM

Quote:

Originally Posted by NetRodent
We have three people on staff who are competent to admin a server, although only one is tasked with that full time. We feel it's much more advantageous to control everything in house. A few advantages off the top of my head: work is done on our schedule; the techs not only understand what they have to do but also why; when planning new projects it's good to have people around with a very deep understanding of the hardware/software that it will be running on; lastly an internal tech has a much greater interest in using our resources most efficiently than one who works for a hosting company and would love to sell/lease us additional hardware.


Very good points and I agree with you completely.

Some things that haven't been said that you touched on is the point of needing extra hardware and software. You're right, many hosting companies rather than optimizing or updating a server will just sell you another server. Sometimes these costs are totally avoidable and can be fixed with a few settings in some of the existing software.

:thumbsup

L0stMind 02-22-2005 11:08 AM

Personal dislike of control panels is all the extra shit they require to be installed on the one server.

I have to say though, my experience has shown me that the reason for 99% of hacks is due to webmasters not updating their scripts! If you install phpbb, keep it updated. If you install formmail, keep it updated! Seriously. I've seen everything from content management scripts to trading scripts get hacked all because of laziness.

Why else would someone upload and install a script and never update it? It's gotta be laziness.

As a webmaster, your job is to keep your site and software up to date. Your hosting company should keep your server secure. At least, if you are with a decent host, they will.

Oh, and ALWAYS ALWAYS ALWAYS back up your shit. CD burners are nearly free now... dvd burners are hella cheap. Buy one, use it. Daily if you are profitable and update your site often, weekly if you aren't or your sites are fairly static. Seriously, the number of webmasters who DO NOT KEEP BACKUPS scares me.

JFPdude 02-22-2005 11:16 AM

Official word from cpanel this is the software they support:

apache 1.3.33
php choice of 4.3.X
mysql choice of 4.0.X or 4.1.X
perl 5.8.4


This, folks, is a security risk; some of that software is over a year old.

So much for the security in cpanel ...

Do a test: send [email protected] an email with your server specs and have them email you what software they support. Or I can forward you what I asked them and the reply.

swedguy 02-22-2005 11:18 AM

Many good points in this thread.

Quote:

Originally Posted by darksoul
Sure they do have vulnerabilities, like any other software.
That doesn't mean we don't use it, it only means we patch it and we secure
the server properly.

Any honest company would do that and it's what is expected from a responsible host.
But there are hosting companies popping up like they were TGPs. There was a flood of them 6-12 months ago, it has slowed down a little bit now.
I looked into some of the small ones that were dirt cheap. They had bought themselves a rack or a single server at EV1 or some other cheap host and then resold them with Cpanel/Plesk. Do you think they are doing any kind of security work? Doubt it. If they would, the profit for that server would be gone.

A server and its software need maintenance. A responsible host will take care of that.
I don't consider a hosting company that is selling 10Mb/s for $100/mo to be a host that will take care of me when shit hits the fan; there's not enough room for them to spend hours on helping me.

So the problem isn't really Cpanel or Plesk, it's the host itself. But as a general rule, I see hosts that use Cpanel or Plesk in a different light than the hosts who don't.

My :2 cents:

JFPdude 02-22-2005 11:54 AM

Good post swedguy.

JFPdude 02-22-2005 05:22 PM

Bump for the night crew

