This came out Wednesday night... I didn't see any other reference to it here so I though others might be interested. I know it will impact us since we only use it for DNS service.


This message is being sent to all 4WebSpace customers. Due to recent
events, we are changing the rules regarding DNS servers. We have always
strongly recommended against running DNS on the RaQ servers for a number
of reasons, but these warnings were not sufficient. Several 4WebSpace
servers have been compromised and BIND has mysteriously stopped working on
several others, resulting in an increased load on our technical support
department.

The solution is simple: all 4WebSpace customers will now be required to
use Tera-Byte's DNS servers instead of running DNS on their RaQ
servers. We will configure the servers so that you can use your own domain
name if you desire (eg. ns1.yourdomain.com and ns2.yourdomain.com instead
of ns1.tera-byte.com and ns2.tera-byte.com). With this co-branded DNS
service, there is no reason to run DNS on the RaQ.

To do this, you will need to do four things:

1) Request a Tera-Byte DNS control panel if you do not already have
one. Send an email with the subject line "DNS control panel account for
yourdomain.com" (substitute your actual domain name for yourdomain.com) to
support@4webspace.com as soon as possible. Be sure to use the same email
address that you used on the 4WebSpace order form. The DNS control panel
account is free.

2) If you want to use co-branded name servers, just say so on your DNS
control panel request. If you already have a DNS control panel account,
send an email with the subject line "co-branded name server request for
yourdomain.com" to support@4webspace.com as soon as possible. If you want
to use names other than ns1.yourdomain.com and ns2.yourdomain.com, be sure
to specify them in the body of the email. Once again, be sure to use the
same email address that you specified on your 4WebSpace order form. The
co-branding service is $10 per month.

3) Update the necessary domain information with your registrar.
a) If you are using co-branded name servers, you will have to create
entries for them with your registrar. The exact process depends on the
registrar, so please contact them if you need instructions.
b) If you are not using co-branded name servers, make sure all your
domains use the following DNS information:
primary: ns1.tera-byte.com 216.234.161.11
secondary: ns2.tera-byte.com 216.234.161.12

4) Add all your hosted domains to the Tera-Byte DNS control panel. The
procedure is straightforward, but we will be posting a walk-through on our
web site. Stay tuned to http://www.4webspace.com for details.

This will result in a more reliable, easier to use DNS setup for your
server. We will begin blocking all DNS requests to 4WebSpace servers on
February 21 (one week from today), so you must act quickly if you
are currently running DNS on the RaQ.

Sincerely,
4WebSpace Technical Support
Tera-Byte Network Operations

References:

ISC (creators of BIND) recommendation to upgrade to BIND 9, which is not
available in packaged form for the RaQ
http://www.isc.org/products/BIND/bind-security.html

CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND
http://www.cert.org/advisories/CA-2001-02.html


Why not just stop providing support for DNS issues if the customer runs their own DNS servers if you guys cannot handle it? Blocking DNS requests is a rather drastic step don't you thing?

ALL servers are vulnerable to the Bind attack, not just Raq's... Why are you just taking this step on the Raq servers?

<EDIT>
Though I would add before people start posting... Yes, it would be OK if we only providing DNS to a few domains on the DNS server. However, we are providing DNS services to over 3,000 domains on the Raq and have scripts to setup and update the zone files. We will not be able to do this on the Tera-Byte DNS server.

Also, there are other security problems with Qpopper and Sendmail... Why just bother with Bind? If you want to see all the updates to exploits that have been discovered you can look at:
http://www.cobalt.com/support/download/raq3.eng.html


[Edited by scottlaw on 02-17-2001 at 01:29 AM]

I think Steve mentioned something in a thread in the Cobalt forum about this. Search for username: keeg and you should be able to see his last post.

4webspace have made a good decision IMVHO. The bind vulnrability was highlighted ages ago and the patches for all ditributions released shortly thereafter.

If people do not upgrade then they not only have a very high risk of their own server getting cracked but this also has implications for the SL's of other servers on the Network.

4webspace have retained these clients rather than kicking the cracked servers off the network. If it was me I would cancel the accounts of the servers that didn't upgrade with a Zero refund.

You wouldnt have customers for very long, dave... We have to deal on a daily basis with a customers box getting hacked, if they dont come in through dns they will find another place to come in....

I agree with Charles !

I think its a sensible decision. Plus, they are not being totally irrational either. They are giving you the choice of having cobranded DNS. So how does it matter?? On the contrary, it reduces one head ache for the host.

I think that was a poooooooor move on their part.

Do they see any other dedicated server companies doing that? No. At least I haven't.

It's their (the client) server, they should be able to do what they want with it. If it gets cracked, it's their fault (since Tera-Byte doesn't..well didn't recommend using it). And if they can't fix it they should at least have to pay a technition to fix it if they went against their recommendations.

I agree. If I can't, or don't want, to update BIND, or any other problems that may arise in the future, they should charge a fee to do it. Otherwise charge me to fix the server when it's hacked. But don't force us to pay for something we used to have for free.

Well, I think (as Steve mentioned) that 4webspace is aimed at a certain market and for that market, they want people to use their DNS unless they can demonstrate ability. I won't argue that last point with anyone but point is that the price is inexpensive and they can't cover the support issues that arise from this. Yes, they could charge, but I think the average $99/mo server leaser doen't want to pay additional charges.

It seems they are open to work with you, but just realize the market they are aiming for with that offer and I think you'll understand the decision.

I signed up for a RaQ a few hours ago with 4webspace, I have just tried to go to their website and it seems to be down... http://www.4webspace.com - Is it just me ?

Thanks.

no it isnt just you some user took a bunch of already assigned ips and bound them to his server, this in turn caused one of the other users that was affected to take a bunch of new ips as well. the net affect of thise 2 users was 25 sites offline including my own. they have both been terminated.

Steve

I have been asking tera-byte to use their dns servers with my dedicated server as ns1.mydomain.com ns2.mydomain.com for many months.
I'm happy they finally do it.

Nope I just signed up for one as well a couple of hours ago and recently posted a quick question about setup time before the site went down. The site briefly had it's directory structure displayed and then showed the default RAQ page. The site is back up now but I have not heard about the account. I should mention I am not irritated with them I just need to have an idea of when the server will be ready so I can do some planning. Anybody else know what happened?

Ok y'all managed to post a reply while I was writing mine.

this was posted over at catalog.com's website about raq and bind... figured i'd repost it for everyone to see...

SECURITY ALERT:



We here at Cobalt wanted to assure you that we are doing everything
possible to get .pkg's out the door for the recent BIND exploit as
well as the recent ProFTPD response to several security holes.

More information about the BIND exploit can be found at http://www.isc.org/
and information about the proftp vulnerabilities can be found at
http://www.securityfocus.com/archive/1/160902

Several of our customers have already been compromised by the BIND
exploit and we expect that many more are still vulnerable. Therefore,
we stongly encourage you to install the following.

Just to recap recent announcements:

BIND:
pkg's for upgrading BIND are available on ftp://ftp.cobalt.com/ for
the RaQ4 and RaQ3

Locations:
ftp://ftp.cobalt.com/pub/packages/raq3/eng/RaQ3-All-Security-4.0.1-9353.pkg
ftp://ftp.cobalt.com/pub/packages/raq4/eng/RaQ4-All-Security-1.0.1-9353.pkg

We reccomend that you log onto your server and restat named by hand
to ensure that the upgrade takes effect. This can be done by logging
into your server as root and running /usr/sbin/ndc restart

If you wish to verify the version that is currently running, run
/usr/sbin/ndc status

Currently we only have RPMS available for all other products:

For Qube3 and XTR:
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/i386/bind-8.2.3-C1.i386.rpm
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/i386/bind-utils-8.2.3-C1.i386.rpm
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/i386/bind-devel-8.2.3-C1.i386.rpm

For RaQ2:
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/mips/raq2/bind-8.2.3-C2.mips.rpm
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/mips/raq2/bind-devel-8.2.3-C2.mips.rpm
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/mips/raq2/bind-utils-8.2.3-C2.mips.rpm

For Qube1, RaQ1, Qube2:
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/mips/bind-4.9.8-C1.mips.rpm
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/mips/bind-utils-4.9.8-C1.mips.rpm

For the above RPMS we reccomend that you log onto your server and
restat named by hand to ensure that the upgrade takes effect. This
can be done by logging into your server as root and running
/usr/sbin/ndc restart

Again, if you wish to verify the version of named that is currently
running, run /usr/sbin/ndc status

ProFTPD:

RPMS are avaiable at ftp://ftp.cobaltnet.com for all products:
i386: (Qube3, RaQ3, RaQ4, XTR, CacheRaQ4)
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/i386/proftpd-1.2.0rc3-C1.i386.rpm

mips w/ PAM: (RaQ2)
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/mips/proftpd-1.2.0rc3-C1.mips.rpm

mips w/o PAM: (RaQ1, Qube2)
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/mips/proftpd-1.2.0rc3-C1-NOPAM.mips.rpm

As always, the RPMS are experimental and upsupported until the
official pkg is release and posted.

If you have any questions about these upgrades, please contact me
at rhendrix@sun.com

Thanks

-Rene Hendrix

--
Rene Hendrix
Sun Microsystems
Server Appliance Business Unit
rhendrix@sun.com