zeno_lee asks:
"How do people deal with situations like this? Recently, we were cracked because our ISP failed to patch known security holes. They now want us to pay for them to patch up the holes. We are a bunch of dedicated volunteers who run a community web site we are developing using Apache/PHP/MySQL. The volunteers have nothing to gain except the rewards of bringing a national community together. We were cracked twice within 1 week of going live on the site. We are getting service from CommuniTech, who rent us a Cobalt Raq3 server. Part of the reason to go with a dedicated server from an ISP is to outsource system administration. No one amongst us is a full-time computer security officer." One would think that when you pay for system administration, security would be part of the deal. Looking at their FAQ, they give the impression that their servers are secure, so you'd think they would do something as simple as apply patches.
Also, there is no mention of any extra charges for security on their pricing page, so does CommuniTech have any sensible reason for charging extra?
"We were cracked first within 5 days of our site going live. After paying communitech.net $62.50 for reinstalling the OS, it was cracked just 24 hours later. After speaking with Cobalt, they told us that our ISP, communitech.net, failed to patch up well-publicized security holes on the Raq3. Acknowledging their failure, Communitech is not charging us for reinstalling the OS, but they are charging us $125 for someone to patch up the security hole. How blatantly unfair is that? I wanted the Slashdot community to be aware of the practices of such companies and see if others have had similar experiences and how they dealt with those situations.
We signed a 6 month contract, and we need options and strategies. What are the possible options we have? We just want a website running, we don't need to deal with all this bull."
Bad admins (Score:1)
Communitech has a history of crappy service... (Score:1)
Another thing I may mention is their supposedly "private" reseller plan. When I was with them, they basically disclosed to all their resold accounts (i.e., accounts sold by their resellers without the end customer knowing it was through communitech) that their current "host" was just a reseller for communitech, and that they could get better prices dealing directly with communitech.
Unfortunately, most hosts I've dealt with have similar problems. I had a good experience with I-Interactive, but then one day they stopped responding to my technical requests, the server came down for a while, then came back up. Apparently they had sold their business and now it's a joke...
Dedicated Server vs Managed Server (Score:1)
$1k Hardware + free software = $5k (Score:2)
Re:I know this is a plug, but... (Score:2)
When did you last hear that Cobalt is running on Windows? It's only running Linux, and their new ones run on Solaris.
Of course, you can grab such a machine and slap Windows NT/2000 on it, but what's the point?
Re:cmon! (Score:2)
With MS stuff (and I had the "pleasure" to be in that situation) - first they argue with you that you are wrong, and it doesn't exist, then when they are convinced that there is something true in what you say - their workaround is
Sorry, but MS still doesn't "get it" on security in my book.
Cryptanalyzed (Score:2)
A cipher is cryptanalyzed.
--
Re:HACKING COBALT RAQ3 SERVERS (Score:1)
Re:Simple Solutions to Complex Problems... (Score:1)
kashani
Re:rackspace.com (Score:2)
From what I've seen of Rackspace from talking to sales and support, they are very concerned about being the best at what they do. But they don't do what you want them to do; you wanted someone else to do administration and security for you.
I would probably just go with Debian and a managed hosting solution (like Rackspace) and then ask someone who is very knowledgable about security to lock down your site. You won't need new security administration until you upgrade to the next Debian version. Don't forget to subscribe to debian-security-announce, too.
I'm sorry, but it costs money to have someone maintain security. And this CT company ain't willing to give away what skills they have. Though it doesn't sound like they play a fair ball game.
Ciao!
Re:rackspace.com (Score:1)
Disclaimer: I'm on Rackspace's payroll, I'm a Linux developer, and I really like it. I'm not speaking as a representative of Rackspace in anyway, shape, or form... just an employee who takes pride in his company.
Rackspace may be fine today, I don't know. But it wasn't that long ago that almost all of their servers were vulnerable to Bind NXT attacks.
I guess it's all relative, but I believe that was back in late January... and the bind NXT hole was eventually plugged up on every server where the customer allowed us to do the upgrade for him/her. Since this was a major remote exploit, we ended up with a bunch of folks working overtime to perform the upgrades. Any server you see vulnerable now (at least on the Linux side) has a customer that has been informed of the risks but chosen not to upgrade or let us upgrade for whatever reason.
I sent them email on it and got no response at all.
Where'd you send it? I'd be highly interested in finding out where the break down was... I certainly don't want us to get a rep for ignoring folks who are trying to be helpful.
Thanks for trying to give us a heads up, though.
Re:So, why the charge? (Score:1)
They really need to seek legal counsel and have them review the contract. Their obligations should be spelled out in there, although the ramifications of the specific legalese require a lawyer to interpret. (grumble)
Re:If you really want to do something about it... (Score:2)
~luge
If you really want to do something about it... (Score:5)
The people at communitech are idiots (Score:3)
From http://www.communitech.net/hosting/virtual/plans/unix.cgi [communitech.net]:
These people are obviously ignorant of Sun's own history. Sun caught on in the 1980s--not because it was the most stable, not because it was the most secure, but because Sun's software was the most open. Sun's success in the 1980s and early 1990s can be mainly attributed to the fact that they opened up the code for NFS, the code for the XV windowing toolkit, and the code for the RPC library.
NFS was, and still is a joke, compared to better systems like AFS. However, the popularity of PC-compatible hardware shows that it is not the best that wins in the computing marketplace, but the cheapest and most open.
The statistics prove this: Linux is gaining market share. Solaris is losing market share.
- Sam
Solaris' Popularity... (Score:2)
But you're leasing a dedicated server. (Score:2)
When you lease a dedicated server, you're getting a box and the root password, on a network of some sort, plugged into some power.
As far as the rest, bail on the contract, tell your credit card company to stop payments to them, and go find someone else. Colocation services, really, are a dime a dozen, like dialup ISP's were a few years ago. Of course, that assumes you can move. You didn't set up your DNS so that they are responsible for your domain, too, did you?
Contract (Score:1)
Re:Q - Debian? (Score:1)
First of all, NEVER cron apt-get dist-upgrade. Cron apt-get update, if you want, but that's kind of a waste of bandwidth if you're not updating every day. I've had things like SSH break totally because the SSH maintainer f**cked up the packages (this is not, in fact, uncommon; ssh breaks more than any other package I've ever installed) - cronning it will pretty much ensure that if ssh goes to hell, no one is logged in to fix it, and you will need to talk to tech support and get them to log in via console (assuming, of course, they can do so), since you won't have telnet installed (I hope I hope).
Secondly, don't assume that just because you run dist-upgrade, you're secure. Go to the Debian Documentation Project [debian.org] and read the Securing Debian Manual [debian.org]. While you're there, read the Debian System Administrator's Manual [debian.org] and the Debian Network Administrator's Manual [debian.org]. Debian may be awesome in most respects, but Potato (2.2) comes with a general setup, not a secure one (though it could certainly be worse).
Debian's pitfall is users assuming that all is well in all cases. This is not true. You need to be just as vigilant with Debian as with other distributions; the difference, however, is that when something needs to be done in Debian, it's usually easier and faster to do. You still need to be on guard; check conf files after debconf creates them, make sure and set passwords on things like mysql, and be wary of the unstable branch (use testing instead), and things should work out for you.
Debian saves you time, but never think it does everything, or you will be rooted faster than RH5.2 on a default install.
~Sentry21~
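The advice above (cron `apt-get update`, never cron `dist-upgrade`) leaves a gap: someone still has to notice when a security update is waiting. The script below is an added example, not code from the post or from Debian. It runs `apt-get -s dist-upgrade` in simulation mode, which changes nothing on the box, and prints only the packages whose candidate version comes from the Debian-Security archive, so a daily cron job mails you the list instead of blindly installing it. The `Inst <pkg> [<old>] (<new> <origin>:<suite> [<arch>])` line format, the `Debian-Security` origin label, the `--live` flag and the sample apt output are all my assumptions; the sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: report pending Debian security updates without applying them.
# Usage: pending-security.sh          -> runs on the constructed sample below
#        pending-security.sh --live   -> runs apt-get on this host (assumes Debian/apt)
# From cron, set MAILTO so the report reaches a human; nothing is installed here.
set -eu

# Reads `apt-get -s dist-upgrade` output on stdin and prints the names of packages
# whose candidate version comes from the Debian-Security archive, one per line.
# Assumed simulation line format (apt):
#   Inst <pkg> [<old-version>] (<new-version> <origin>:<suite> [<arch>])
pending_security_updates() {
    awk '$1 == "Inst" && index($0, "Debian-Security") > 0 { print $2 }'
}

# Number of pending security updates in the stdin simulation output.
count_security_updates() {
    pending_security_updates | wc -l | tr -d ' '
}

# Live mode: refresh the package indexes quietly, then simulate the upgrade.
# -s never modifies the system; the human decides what to install and when.
simulate_live() {
    apt-get -qq update
    apt-get -s dist-upgrade
}

# Constructed sample of `apt-get -s dist-upgrade` output (illustrative, not real versions).
SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
Calculating upgrade...
The following packages will be upgraded:
  bind9 libc6 openssh-server
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst bind9 [1:9.0-1] (1:9.0-2 Debian-Security:2.2/stable [i386])
Inst libc6 [2.1.3-1] (2.1.3-2 Debian:2.2/stable [i386])
Inst openssh-server [1:2.9-1] (1:2.9-2 Debian-Security:2.2/stable [i386])
Conf bind9 (1:9.0-2 Debian-Security:2.2/stable [i386])'

if [ "${1:-}" = "--live" ]; then
    report=$(simulate_live | pending_security_updates)
else
    report=$(printf '%s\n' "$SAMPLE_APT_OUTPUT" | pending_security_updates)
fi

if [ -n "$report" ]; then
    echo "Security updates pending (review them, then run apt-get dist-upgrade by hand):"
    echo "$report"
else
    echo "No security updates pending."
fi
```

On the sample the script lists `bind9` and `openssh-server` and leaves `libc6` alone, because that upgrade comes from the regular archive rather than security.debian.org. Pair it with the debian-security-announce list mentioned earlier: the mail tells you what the fix is, the report tells you whether your box has picked it up yet.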
Re:Switch (Score:2)
Re:Do what you'd do for anything else (Score:1)
Re:Sue them for Malpractice? (Score:2)
It's the nature of a free country and a free economy; people have to be free to pay other people to do stupid things, as long as those stupid things are what was agreed to.
The host didn't say in their contract that they would keep up the patches, so the customer's legitimate bitch is pretty narrow.
Next time, they should make sure this is included in the contract, and not do business with anybody who won't.
On the other hand, you will *NOT* find a contract that assumes responsibility for keeping the systems secure; no company in their right mind would agree to that. What they will do is agree to keep up with the latest patches from the OS vendor in a timely manner. "In a timely manner" of course would be expected to be fought out in court after the fact.
Oh; and while I am a highly-paid information security professional with a Fortune 500 company, I am not now, nor have I ever been, an attorney.
-
Re:cmon! (Score:2)
What APACHE cracked? How come when an apache server is cracked, the slashdot crowd says "who were these idiots who can't apply patches!" but when an IIS server is cracked and people say "they haven't applied the patches, clueless admins!" those folks get either flamed or modded into oblivion? The double standard is really getting old and the reason I don't read
1. There is no "Slashdot crowd". We all disagree, many times vehemently, on just about every topic you can imagine. Closed vs. open source, Linux vs. xBSD, KDE vs. GNOME, Perl vs. Python, MySQL vs. PostgreSQL; you name it, at least half a dozen flamewars on
2. You can't even come up with a compelling rant; where is the double standard here? Using your own words...
Apache: when an apache server is cracked, the slashdot crowd says "who were these idiots who can't apply patches!"
IIS: when an IIS server is cracked and people say "they haven't applied the patches, clueless admins!"
It seems to me that your rhetorical "Slashdot crowd" is saying that it's the admin's fault in both cases.
3. If
Jay (=
Re:Patch it yourself? (Score:1)
I've recently been doing a lot of sysadmin work on Raq 3's, and it is a completely different layout than I find on a RH box (still Unix, yes, but RH-like, you're really pushing it)
Re:Have you talked to your local BBB? (Score:2)
They're basically a useless bunch of people, attempting to keep themselves in business through collecting dues... "well, if you don't pay us our dues, we can't say that you're a member and if anyone calls asking we'll say that you refused membership"... it's almost blackmail, given their reputation...
Re:Q - Debian? (Score:2)
Not surprising... (Score:1)
The answer I have won't help if you're already stuck in a six-month contract - the contract needs to spell out who is responsible for applying patches, and what the timeline for applying those patches should be, among other things (turnaround time for a request to add an account to a server would be another sticky point for "managed hosting.")
If it's just a co-located box, you're SOL.
Re:I agree with the ISP (Score:2)
No, this sounds like a case of a business actually trying to screw the customer by double-charging--charging for reinstalling the OS and charging for applying a security patch, and one that really wouldn't take much time anyway.
But the main point is, even if they don't promise security or anything, I disagree with some of your statements. Maybe it is reasonable for them to reinstall the OS for a charge. But then on top of that demanding a charge to patch the security hole is absurd.
All I Know is... (Score:1)
They moved my site to Concentric Networks, which makes me log in to www.xo.com to service my space.
When I wanted to cancel it, I sent email to them (xo), then had to send it to cnchost.com, then to 9netave, who then told me to call a local number. They told me to email w3corp.com. This was a month ago.
As of today, it's still all up and running. Morons.
Pope
Freedom is Slavery! Ignorance is Strength! Monopolies offer Choice!
Phone for Fun (Score:1)
They've got some great music on their sales line. Ask a sales rep some hard questions :)
Recommendations (Score:1)
Re:Simple Solutions to Complex Problems... (Score:1)
Re:Communitech Hell (Score:2)
Re:Simple Solutions to Complex Problems... (Score:2)
Their quickserv pricing is a joke. Their overusage charge runs OVER $8 per GB. That is ridiculous frankly; we push a couple thousand GBs a month and would be quickly broke at that rate. A good place should hit $3/GB or $2/GB; they are FOUR TIMES more expensive.
Re:Simple Solutions to Complex Problems... (Score:2)
Maxim.net charges $250 per mbit == 320GB a month or 10GB a day. Let's say we push above 4mbits. At Maxim that's gonna cost $1000.
At pair that 1200GB is gonna be much more expensive. Reduce it to 1000GB/month because of the 60GB a month they give you. Then you have an overage of 33GB a day which costs $8250!
For us, this decision is trivial. I'll take that $7,000 a month or $84,000 a year any day.
Now, the hardware they give you doesn't even come close to the hardware dellhost would give you for the same price, and if you ARE lower bandwidth dellhost includes a gig or two free every day as well.
Then ask whether you have full access to your box including easy 24x7 reboot in 5 minutes or less. Dell provides that at a much lower cost.
In fact, I can see almost NO price point and NO usage pattern that makes pair quickserves a good deal. That is surprising for any hosting company, and especially pathetic at pair because we were with them for a long time.
Finally, when you call them up to get some quickservers set up, you'll find that instead of the next-day provisioning you get at a place like dellhost.com, you'll get a who-knows, especially for an order of more than one server (we run 4 dual-CPUs and a quad Xeon with 2GB of RAM plus a single PIII for admin.)
I'm surprised they have any business whatsoever, but I suspect most of the new
I'll respectfully disagree with your very very cheap description. More like incredible ripoffs to idiots silly enough to fall for it.
Simple Solutions to Complex Problems... (Score:4)
Unlimited bandwidth = joke. Call them, tell them you'll be hosting a huge file archive and expect to push 1,000GB a month per server minimum, for that $200 monthly cost. Laugh while they root around and discover the magic document that turns unlimited into super limited and we can cut you off without notice just as you become popular.
Uptime promises = joke, even if they are in writing. Usually they claim it was an outside problem even if THEIR router failed, and the amount you get if they break their SLA is pathetic.
Security is a joke. Our current Top 5 dedicated hosting provider allows easy access to all customer accounts, and I mean easy, no hacking, no passwords, nothing. It's so easy it's not even newsworthy. I like it because I never have to logon, passwords are a pain. And they have yet to patch a security hole either.
Don't sign super long contracts. Rackspace charges an arm and a leg and are doing great. Why? One reason is they go month by month, they've got an incentive to keep you, and I suspect it makes a difference.
Anyone find a really good and cheap dedicated hosting provider? I'd love a place where we could buy our own set of 10 servers, and just pay for the space and the bandwidth, and have it be cheap. With a proper telephone remote-reboot, we could do everything else ourselves, which we already have to do because the emergency support are basically script readers in Kajikastan I think.
Re:rackspace.com (Score:1)
I sent them email on it and got no response at all.
So basically, because of that I wouldn't be surprised if they really are just as clueless as Communitech, just bigger
Sadly.. (Score:2)
The best outcome would probably be for you to find out that they probably breached the contract by demanding more money for something that is part of 'administration', and simply get a pro-rated refund and move your service elsewhere.
Dealing with bad ISPs, have you considered (Score:2)
Rackspace giving similar service... (Score:1)
30-day unconditional cancellation guarantee (Score:1)
"CommuniTech.Net extends a 30-day unconditional cancellation guarantee to all dedicated server clients, regardless of the contract term length."
You didn't say how long you have currently been with them, but you seem to imply that you're fairly new with them, so I hope this helps!
In general (Score:2)
Now, if you call the ISP and demand that they install a patch Immediately If Not Sooner, they probably charge you time & labor for this work which is essentially special attention to the box, as it breaks from the set patching schedule (which probably is part of your service agreement).
I dunno the Communitech patching and service scheme, but this seems a likely answer to the question, which is obviously coming from an upset and nervy customer.
--
More Specific? (Score:1)
I'd absolutely expect a host to make sure whatever they provide is secure and to not charge extra to make sure their software is secure.
However if you install your own custom software onto the box, then it is your responsibility for any problems that software may cause.
That is unless the hosts somehow claimed something as stupid as "you install it, we support it!" in their contract. That is one hell of a lot of software to support.
Like many other people here I've been involved in colos for years with a few different providers. In every case that was how things worked.
-Steve Gibson
Service... (Score:2)
Managed server - Server is provided and maintained by the hosting company in question. You may or may not have root access.
Dedicated server - Server is provided, but the level of administration provided by the hosting company should be discussed. Unless requested, I would expect NO interference from the hosting company. You should always have root access.
Colocated server - Same as above, except the customer provides the server too.
Updates and patches are usually applied (maybe not usually? it's usual for where I work, Site5 [site5.com], at least) by the hosting company anyway, without a charge.
Some things are charged for, and should be - But just keeping a system up to date (which will also keep 90% of the script kiddies at bay - I'm not implying an up-to-date system is a secure system, however) should be standard practice at all hosting providers.
What happened with CommuniTech, under any other circumstances, I would put down to miscommunication - As in, the host thought that the client wanted to handle things themselves. But CommuniTech have what I wouldn't call the best reputation.
Search for CommuniTech at Webhosting talk [webhostingtalk.com], and you'll see what I mean.
Dealing With Bad Service From Dedicated Host Provi (Score:1)
When you said:
We were cracked twice within 1 week of going live on the site... and later One would think that when you pay for system administration, that security would be part of the deal.
Your provider has a duty of care. They demonstrate that this duty or obligation [under contract] is accepted by:
- limiting physical access to the servers
- requiring use of passwords, and
- validating your identity before disclosing personal information
I will assume that these three standards are already met. The duty of care can be applied to the network and server security in the same manner that you would reasonably expect physical security. When the provider demonstrates that they are concerned about physical security, a standard of care is established.
A breach of the duty of care is a serious issue.
When you said:
We were cracked first within 5 days of our site going live. After paying communitech.net $62.50 for reinstalling the OS, it was cracked just 24 hours later.
This establishes that you did advise the provider of the problem, and they do have a duty to resolve this issue. The second point is that the provider's action did not resolve the issue. If you were charged $62.50 and promised that this action would resolve the security issue, then demand your money back. Any reasonable hosting provider would be pro-active in the installation of OS patches, which leads to my second point: you get what you pay for.
Solutions
If you know/are a law student, then standard and duty of care are discussed in Donoghue v Stevenson, 1932 All ER Rep 1 (HL).
Re:A good security reference, and some comments (Score:2)
If there was an understanding that security was to be handled by the ISP then it's NOT your responsibility. You are paying them for a service and it's their responsibility. That's what service contracts are for so you can let someone else handle the problem.
Also.. (Score:2)
Go to psionic.com and download their free tools. logcheck is an official Potato package, but portsentry is not (it's in Woody). Either way, you can either download the tar file or the deb from Debian and install them.
Then go to The Trinity document [csuchico.edu] and do some reading.
After that you should be able to defend yourself from most attacks.
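logcheck's whole trick is a two-tier filter over syslog: lines matching a list of attack signatures are reported as security violations, everything else that matches no "known harmless" pattern is reported as an unusual event, and the rest is silently dropped. As an added example (not logcheck's own code, nor anything from the post above), the shell functions below reproduce that triage on a constructed sample of Potato-era syslog lines. The log lines, the ignore patterns, the attack patterns and the `raq3` hostname are all mine; on a real box the pattern files live under /etc/logcheck and the functions read /var/log/syslog instead of the temporary files created here.

```shell
#!/bin/sh
# Added example: minimal logcheck-style syslog triage (not logcheck's own code).
# Tier 1: lines matching ATTACK patterns are "Security Violations".
# Tier 2: remaining lines matching no IGNORE pattern are "Unusual System Events".
# Everything that matches an IGNORE pattern is dropped.
set -eu

# grep exits 1 when nothing matched; for a filter that is not an error.
grep_ok() { grep "$@" || [ $? -eq 1 ]; }

# Prints the stdin lines matching any extended regex in attack file $1.
security_violations() { grep_ok -E -f "$1"; }

# Prints the stdin lines matching neither a pattern in ignore file $1 nor one in
# attack file $2, so every line lands in at most one tier.
unusual_events() { grep_ok -E -v -f "$2" | grep_ok -E -v -f "$1"; }

# Full report for log file $1 with ignore file $2 and attack file $3.
logcheck_report() {
    log=$1; ignore=$2; attack=$3
    v=$(security_violations "$attack" < "$log")
    u=$(unusual_events "$ignore" "$attack" < "$log")
    [ -n "$v" ] && printf 'Security Violations\n===================\n%s\n\n' "$v"
    [ -n "$u" ] && printf 'Unusual System Events\n=====================\n%s\n' "$u"
    return 0
}

# Constructed sample data (not captured from a real host).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/syslog" <<'EOF'
Jun 10 03:14:01 raq3 /USR/SBIN/CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jun 10 03:15:22 raq3 sshd[1301]: Accepted password for webadmin from 192.0.2.10 port 40122 ssh2
Jun 10 03:16:05 raq3 sshd[1310]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 10 03:16:40 raq3 named[222]: unexpected RCODE (SERVFAIL) resolving 'www.example.net/A/IN'
Jun 10 03:17:02 raq3 portsentry[400]: attackalert: Connect from host: 203.0.113.7/203.0.113.7 to TCP port: 143
Jun 10 03:18:30 raq3 kernel: eth0: link down
EOF

# Ignore patterns are anchored and specific on purpose: a loose pattern such as
# "sshd.*Accepted" would also hide an attacker's successful login from elsewhere.
cat > "$WORK/ignore" <<'EOF'
CRON\[[0-9]+\]: \(root\) CMD \(run-parts /etc/cron\.[a-z]+\)$
sshd\[[0-9]+\]: Accepted password for [a-z]+ from 192\.0\.2\.[0-9]+ port [0-9]+ ssh2$
named\[[0-9]+\]: unexpected RCODE
EOF

cat > "$WORK/attack" <<'EOF'
attackalert
Failed password for root
EOF

logcheck_report "$WORK/syslog" "$WORK/ignore" "$WORK/attack"
```

Run stand-alone it reports the failed root login and the portsentry alert as violations and the `eth0: link down` line as an unusual event; the cron, the local `Accepted password` and the named SERVFAIL lines are swallowed. The point worth taking from the pattern file: every ignore regex is pinned to the process name, the PID bracket and, where it matters, the trusted source network, because the attacker chooses the text of many log lines and a sloppy pattern is an invitation to hide in the noise.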
Market share (Score:1)
One way to interpret this is that the Unix market is consolidating around Linux and Solaris.
They are still twonks (Score:1)
Of course some responsibility needs to fall on the buyer. If someone offers you a Porsche for $29.95, you shouldn't be surprised if it is not what you expected.
Xix.
Managed vs. Dedicated (Score:1)
Look at the contract! (Score:2)
I've been a victim of contract assumptions in the past. Never ever ever expect a contractual partner to do something that will cost him money (in material or labor) unless it's explicitly stated.
SuperID
Free Database Hosting [freesql.org]
Re:Communitech Dedicated Server Contract (Score:2)
"Exclusions. Maintenance and support services shall not include services for problems arising out of (a) tampering...."
SuperID
Free Database Hosting
Re:service is key (Score:2)
They purchased a sysadmin package, so that the hosting provider supplies sysadmin for the box.
Re:maxim.net (Score:2)
- power outage - don't they have a backup generator? Always find out about backup electricity when co-locating.
- $850 for 2 boxes per month co-location with unlimited bandwidth - even in the UK you can pay £3100 per year (under $500 per month) for unlimited bandwidth for a box (4U or under), with a reputable provider (clara.net) who know what they are doing.
Anyway, American in store service may be great, but America doesn't match many other countries for tech support. Anyway, in a few months time when the recession bites home in America, there will be plenty of high quality techs available, and service will improve.
Re:Simple Solutions to Complex Problems... (Score:1)
Provided your site doesn't exceed the bandwidth cap (which, at 2 GB/day, is quite high for 99.9% of the sites out there), the Quickserves are very very cheap with everything included (rented hardware, support and reliable power/connection).
Re:Simple Solutions to Complex Problems... (Score:2)
Go to www.quickserve.com (Pair Networks dedicated servers). For $249 you can rent a Duron box with 30 GB disk, 2 GB/day bandwidth and support. It's a FreeBSD-only company, and usually you don't have root access (that's the price to pay for free REAL & quality support).
They have a very high availability rate (well over 99.9%); they're the largest independent hosting company. I've been their customer for 3 years and never had the idea of going away!
service is key (Score:1)
Re:So, why the charge? (Score:2)
---
Re:So, why the charge? (Score:2)
---
Re:So, why the charge? (Score:2)
Should be "Doesn't it suck.."
Oh, to correct your correction, it actually should have been "It is their responsibility..."
Its Beer Ti^H^H^H^H^H^H^HSaturday, what can I say?
---
Re:So, why the charge? (Score:3)
Visit Cobalt's [cobalt.com] website, subscribe to Cobalt's lists [cobalt.com], especially the announce [cobalt.com] list.
Search the user list archives [cobalt.com] and discover the unholy number of folks that have been hacked through BIND because they didn't upgrade.
The fact is, they leased it. It is their responsibility for the upkeep. It would be a different story if they leased web space, but they didn't.
Leasing a dedicated server does not absolve you of system administration, but exactly the opposite!
---
Check your contract (Score:1)
It's fairly simple. Check your contract. Does it guarantee patches will be installed on build? If not, maybe it should. Escalate the issue to one of their managers; maybe you can convince them to change the policy, and once the policy is changed, you should not be charged.
I happen to work for a fairly large dedicated hosting company, and the majority of the clients that really loathe us simply don't understand the service they've signed up for.
Just because it's a dedicated server doesn't mean it's a managed server. Dedicated means it's yours; managed means they either fully manage or help to manage the server.
Personally, I think that the ISP is responsible for providing to you the RAQ3 in the most secure configuration available (ie, with all patches installed on delivery), but once it's delivered, it becomes your responsibility unless your contract says otherwise.
On a side note, ditch the RAQ3. Cobalt is notoriously bad about providing updates on a timely basis; they didn't release a RAQ3 patch for the recent BIND exploit until three weeks after it had been published on BUGTRAQ.
Slashdot effect (Score:1)
As for telling the world how much they suck (Score:2)
Re:Communitech Hell 2 ("Communistech") (Score:2)
BTW, if you're serious about the site dedicated to "showing the truth" behind CT (or possibly, a general site to uncover dark secrets of other bad companies) then I'll definitely join you. My CT hell ended over a year ago, so my hatred for them has somewhat dampened, but I'm still enraged when I think of their company.
Communitech Hell (Score:5)
Dialtone is pretty good (Score:2)
Anyway, I would definitely recommend Dialtone to anyone looking for a dedicated server.
--
Switch (Score:2)
Also find a web-host review site or something, and tell the world how bad your current provider sucks.
--
Re:cmon! (Score:2)
---
Sue them for Malpractice? (Score:3)
It sounds like they're incompetent, which really doesn't surprise me at all. Most companies seem to feel you can train some monkeys to do sysadmin-level work. That's not true of any OS, although some of the more "User Friendly" ones delude you into thinking you can, right up until the skript kiddies march in and take over. You have the correct level of expectation that security holes will be fixed as part of what you're paying them to host the site, so if they don't hold up their part of the contract, threaten to sue the crap out of them. Or at least demand that they release you from the contract since they're not upholding their end of the deal. IANAL but I play one on TV.
As a side note, a lot of these web hosting places are fly by night operations that disappear a couple of months after they open up. The fly-by-nights are much more likely to try to get by with trained monkeys on the sysadmin team. If the guy who sold you your service is also the system administrator, be wary. It's always a good idea to see how long a company's been in business and ideally get some references from other customers of that company before you decide to do business with them.
Re:Switch (Score:2)
Mind you, I am not a lawyer, although I play one on Television.
Re:Well - it is dedicated, not managed (Score:2)
MOD this up! (Score:2)
Dedicated provider responsibilities. (Score:2)
We do give our customers root to their servers and we warn them that while one advantage to a dedicated server is that we will maintain the server and keep it running, when they do something boneheaded (like chmod -R bob /) we will bill them to fix it.
So far it hasn't been a problem and only one customer has actually done something to break the server (see the chmod example above).
-----
Re:Have you talked to your local BBB? (Score:2)
switch... (Score:2)
It lists plans from FirstWorld, AF Hosting, NYI.net, Hyper Hosting, Verio, Bitserve, ThinkHost, Interliant, and Dell Host. None of these will be as bad as CommuniTech. [/plug]
maxim.net (Score:2)
They just merged into a larger company, and they finally got a trouble ticketing system, but customer service is still pretty awful, so its fortunate I rarely need it. They have a few very clued network guys, if you can get them.
Re:Patch it yourself? (Score:2)
Also, the Cobalt Raqs are very easy to patch. They have a GUI, with a section to install software (Maintenance/Install Software). You can just paste the URL of the patch, and it installs it. The patches are here [cobalt.com].
That said, communitech sucks. I've had problems with them in many other areas too. I can't recommend another ISP that will patch the servers for you, but I can say that communitech sucks.
--
Re:Simple Solutions to Complex Problems... (Score:2)
Sounds like you're looking to rent a rack from somewhere like above.net (or Exodus, or Level3, etc.). If you're looking for a tier 2 provider rather than one of the tier 1s, take a look at the discussions at www.webhostingtalk.com in the advertising forum; there are a few people there who are advertising colocation space.
Patch it yourself? (Score:3)
Of course, I have to wonder why you're using a Raq anyway... I've never quite understood how $1000 of hardware plus lots of free software equals a $5000 server.
Hmm... this sounds sooooo familiar (Score:2)
The long: A similar thing happened to one of our clients. I work for a web development company and we have over the last year tried to get away from hosting. It's annoying, we don't want to do admin work, etc., so we partnered with a well-known hosting provider (with pretty much a similar contract). The box was running NT (not my choice) and the day before they had scheduled to install a patch for a very well known (and for a good amount of time) bug, a script kiddie hacked the site. The first thing the hosting provider did? Blame us AND demand more money to get the site back up. WTF? Anyway, while they scrambled around with their heads cut off, we brought the servers back to our office, brought in security experts we were negotiating a partnership with anyway, and locked down the site and brought it back up (all in 24 hours ;-) ourselves. Then, we had our new security partners go into the hosting provider's rack area (the hp let us into the wrong closet first.. *sigh*) and effectively make the provider their bitch. "This is wrong, this is wrong", etc. The client is very happy with us and 5 seconds away from dumping the provider. Since then, the provider has pretty much asked "how high" when we or the client has said jump.
psxndc
I know this is a plug, but... (Score:2)
PS--I don't have any affiliation except that I'm a satisfied customer!
Do you ever look out the window? (Score:2)
do you really need a dedicated host? (Score:2)
You need apache, php, and mysql. Many, many hosting providers will have accounts set up around this configuration, allowing you to "just have a website up without all this bull" as you put it. They worry about server admin and security (on the host and network level anyway), all you have to do is write code and pay the bills.
As an example of a place that has the feature set you're looking for with very generous disk allocations for reasonable prices, see csoft.net [csoft.net]. (I've never used them but I've heard good things about them, and when I emailed them some techie questions about their service they responded quickly and very professionally.) For example, the $25/mo. plan gives you unlimited disk. All plans include 1Gb/day of traffic ($6/Gb per Gb over 30 per month). Anyone here actually, directly used these guys that would like to comment?
--
News for geeks in Austin: www.geekaustin.org [geekaustin.org]
Re:Well - it is dedicated, not managed (Score:2)
The fact that dedicated server hosting is a port-based service as well as a non-shared hardware environment makes Quality of Service superior over virtual server solutions. Quality of Service on dedicated servers where CommuniTech.Net guarantees the hardware integrity is measured in two aspects. First, Quality of Service is measured at the switch port, ensuring bandwidth is quality and that there is no internal or external network congestion. Secondly, Quality of Service extends to the hardware used for the dedicated server, making sure there are no hardware performance issues. If such issues arise at anytime, it is our responsibility to resolve the hardware issues, which would have an adverse effect on Quality of Service.
The fact that it is possible (though difficult) to cause a hardware failure through remote software operation is of concern. First, to minimize such circumstances, it is quite important to use only quality hardware in all dedicated servers. Secondly, Quality of Service is exclusive of any software-related issues on the dedicated server, which is the responsibility of the client, not CommuniTech.Net. Therefore, the client, depending on his/her use of the dedicated server, has to carry out the Quality of Service control right down to the application layer.
They claim quality assurance on the link and the hardware, but not software. They state that is a client responsibility. That is a bit unusual, even asinine, but there you have it.
Derek
Re:Dedicated provider responsibilities. (Score:2)
SealBeater
Re:$1k Hardware + free software = $5k (Score:2)
Have you talked to your local BBB? (Score:3)
Re:Communitech Hell (Score:2)
Re:The people at communitech are idiots (Score:2)
Yes, Linux is even gaining popularity over porn according to google:
(AdWord Keyword search)
Linux: ~4.5mil impressions/month
Porn: ~2.5mil impressions/month
Q - Debian? (Score:2)
Light of Public Attention (Score:2)
There might be a reaction.
Check out the Vinny the Vampire [eplugz.com] comic strip
A good security reference, and some comments (Score:5)
http://www.openna.com/resources/articles/v1.3-x
(Securing and Optimizing Linux, by Gerhard Mourani)
First let me say that I'm a reseller for Communitech, virtual accounts only, though I don't believe that makes me biased toward them; if anything, my experiences have biased me against CT. I've had my own nightmares with them and I'm still wrapped up in being double-billed on one resold account for almost a year. Personally I think you're lucky they reinstalled the OS for free the second time around; be sure to double-check your credit card bill when it comes in... CT is one of those companies you love and hate at the same time and their customer service does suck - that's why they have a lot of resellers. We can provide the personal service and support that they aren't capable of.
That said, the security of your box is your responsibility. It doesn't matter where your box is located or whose pipes it's connected to.
Communitech isn't responsible for making sure your box is secure any more than RoadRunner is responsible for making sure my local linux machine is locked down. Their responsibility is to make sure that your machine is connected, powered up, and able to serve traffic. When you order a dedicated server from CT, they slap on an installation of your chosen OS, along with Apache and some development tools. They don't make any promises or guarantees that your system will be secure or that they'll be patching your box every time an exploit is found.
CT still uses Redhat 6, and it says that on their dedicated server config page (the RaQ page just says Linux 2.2, but the more general pages indicate they're using Redhat 6). If I were to take on a box with a fresh installation of RH6, the first thing I'd do is upgrade bind - shot in the dark, but I bet that's how you were owned.
In any case, the bottom line is this, and you're free to disagree: if no one in your group is prepared to spend time finding patches and securing the box, your group isn't ready to be running a dedicated server.
Good luck and make sure to check that URL. You've got a dedicated server for at least a few more months; someone on your team needs to read up and get to work.
Shaun
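The post above says the first job on a freshly delivered box is to find out which packages are behind the versions that fix known holes. As an added example (my own, not Shaun's or Communitech's), here is a small POSIX shell audit that compares an installed-package listing against a list of minimum fixed versions and names what still needs patching. The package names and version numbers are constructed placeholders, not real advisory data; on an RPM box the installed list would come from `rpm -qa --qf '%{NAME} %{VERSION}\n'`, and the minimum list is the one you maintain yourself from the vendor's errata.

```shell
#!/bin/sh
# Added example: report packages whose installed version is older than the
# minimum version recorded as fixed. Versions and names below are CONSTRUCTED
# placeholders for illustration only.

# version_lt A B -> exit 0 (true) if dotted version A is older than B.
# Compares numeric components left to right; letters are ignored, so
# "2.6.0" vs "2.6.0a" compare equal (a known limitation, not an error).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=$(printf '%s' "${a%%.*}" | tr -cd '0-9')
        bx=$(printf '%s' "${b%%.*}" | tr -cd '0-9')
        : "${ax:=0}"; : "${bx:=0}"
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# check_patch_level INSTALLED MINIMUMS
#   Both arguments are multi-line strings of "name version" pairs.
#   Prints one line per package that is behind; returns 0 only if none are.
#   Packages in MINIMUMS that are not installed are skipped (nothing to patch).
check_patch_level() {
    installed="$1"; minimums="$2"; behind=0
    while read -r pkg minver; do
        [ -z "$pkg" ] && continue
        cur=$(printf '%s\n' "$installed" | awk -v p="$pkg" '$1==p {print $2; exit}')
        [ -z "$cur" ] && continue
        if version_lt "$cur" "$minver"; then
            echo "NEEDS PATCH: $pkg installed=$cur minimum=$minver"
            behind=$((behind + 1))
        fi
    done <<EOF
$minimums
EOF
    [ "$behind" -eq 0 ]
}

# Constructed sample data (placeholder versions, not real advisories).
SAMPLE_INSTALLED="bind 8.2.2
apache 1.3.9
wu-ftpd 2.6.0"

SAMPLE_MINIMUM="bind 8.2.3
apache 1.3.9
wu-ftpd 2.6.1
openssh 2.9"

if check_patch_level "$SAMPLE_INSTALLED" "$SAMPLE_MINIMUM"; then
    echo "all tracked packages at or above minimum"
else
    echo "one or more packages need patching"
fi
```

Run it as a cron job that mails the output and you have a cheap nag that does not depend on the hosting company remembering you exist; the real work is keeping the minimum-version list current from the vendor's advisories.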
Communitech Dedicated Server Contract (Score:4)
It seems that 7.1, 7.2 and 7.3 are covering the software maintenance. Although they are not very specific on it.
Re:If you really want to do something about it... (Score:3)
customer relations incidents, including duplicate billing, services retracted, and so forth. Then sue. Extensive written records will trump anything they say, and as long as you avoid acting like a child, you'll be believed by judge and jury.
C//
Re:rackspace.com (Score:2)
I'll second that. They're definitely more expensive than the bargain-basement hosting huts, but it's well worth the money. We've got a growing number of machines over there. The service has been trouble-free (not a single outage that I'm aware of) and they've been very responsive when we've needed someone to go kick the server in the middle of the night.
Communitech Hell 2 ("Communistech") (Score:2)
So, why the charge? (Score:3)
Just where does the boundary in your contract lie on that? If you are allowed to do the patch yourself, then there may be ~some~ justification for the charge (that doesn't make it right, mind you). However, if it's something they won't let you do, then they are exercising quite an unfair business practice. A bit of a Catch-22 where they won't let you fix it, it needs to be fixed, and they still want to charge you for it.
If the second option is true (you don't have access to patch the server), I'm sure if you call and complain enough, they'll work something out. Just remember to bug them A LOT!!! They'll buckle, especially if you're right, and they know it, and you can plant the seed in their heads that any court would know it too.
-----
Continue to publicize. Go just short of slander. (Score:2)
You might want to check out cr0wbar's rant against Safe Audit [detonate.net] when they screwed him over. The more you let people know about this kind of nonsense, the more likely it is said business will think twice about screwing you over.
We've seen this reaction all over the place. Any time people are treated unfairly in any situation, cry out publicly about it. This does change things.
This story CLEARLY indicates wrongdoing on their part. For example, anyone who has ever dealt with phone companies fixing their service knows that service providers are responsible for fixing problems with their own systems. When I got my second line installed, they had problems with the line at a distro station. They didn't charge me to fix the problems there. If they had, I would have raised hell. But they didn't. They're responsible for it. End of story.