Results 26 to 50 of 56
Thread: Insecure =/
-
07-11-2002, 11:24 AM #26Web Hosting Master
- Join Date
- Jan 2002
- Posts
- 574
And...
If you don't think your customers are a threat, think again.
Anyone want to set me up with a server in their data center and show you what can be done?
Don't think it doesn't happen either.
-
07-11-2002, 11:25 AM #27Web Hosting Master
- Join Date
- May 2001
- Posts
- 1,349
Yeeehaaa... I don't know how to install windoz yet but I host websites! I know lots about security. I lock my servers up in my closet real good.
Hehe good luck breaking into my SSH-1.99-OpenSSH_2.9p2. I run only telnet. And it's the 1993 version so there are no new hacks against it since nobody has it any mo'.
-
07-11-2002, 12:46 PM #28Web Hosting Master
- Join Date
- May 2001
- Location
- Dayton, Ohio
- Posts
- 4,977
Re: And...
Originally posted by clockwork
It's not an excuse, it's real life. (Welcome to it!)
Customers hate restrictions.
How many of you here don't offer normal FTP access, raise your hand. (As opposed to scp/sftp)
Ok, I was with you until your last comment about most attacks coming from apache... uhhh?
Elaborate on that for me..
Hate to tell you, I do live in real life...
Customers really don't mind restrictions, as long as you explain it to them; 98% are more than understanding, the other two usually just need a little bit of guidance...
On my apache comment, most people will upload a script and call it from the web, so it runs as nobody... Most attacks are major system compromises, they are deleting another user's files because they have the files CHMOD'd 777, or something along those lines...
Running the attacking script via Apache would make it a little harder to track the person down, if they did it via shell it would be simple....
Originally posted by clockwork
If you don't think your customers are a threat, think again.
Anyone want to set me up with a server in their data center and show you what can be done?
Don't think it doesn't happen either.
Of course they are threats, I never said they weren't....
I think you seriously need to check your attitude...
-
07-11-2002, 10:32 PM #29Web Hosting Master
- Join Date
- Dec 2001
- Posts
- 1,029
Many "hosting companies" here barely know how to use the control panel and don't really know how things work, and then they sell reseller accounts and even more "hosting companies" form that know even less about how things work. Some hosting companies have their own Linux servers and don't even know how to copy a file in Linux, much less upgrade software.
As for SSH-1.99-OpenSSH_3.1p1, it's possible they've turned off ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt like I have or have it patched, but then again...who knows.
-
07-11-2002, 10:47 PM #30Disabled
- Join Date
- Nov 2001
- Location
- Canada
- Posts
- 1,963
Originally posted by ToastyX
Many "hosting companies" here barely know how to use the control panel and don't really know how things work, and then they sell reseller accounts and even more "hosting companies" form that know even less about how things work. Some hosting companies have their own Linux servers and don't even know how to copy a file in Linux, much less upgrade software.
As for SSH-1.99-OpenSSH_3.1p1, it's possible they've turned off ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt like I have or have it patched, but then again...who knows.
-
07-11-2002, 10:58 PM #31Web Hosting Master
- Join Date
- Dec 2001
- Location
- Detroit, MI
- Posts
- 1,067
I think you guys may read too deeply into what you see. Just because someone is running versions of software that have vulnerabilities, it does not mean they are vulnerable. Not in the least.
SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202
I find it ironic that you are attacking hosts for being potentially insecure, when you really don't even understand the vulnerability points. That's scary.
Sorry to be so blunt.
-
07-11-2002, 11:13 PM #32Web Hosting Master
- Join Date
- Aug 2000
- Posts
- 1,167
Originally posted by DizixCom
I find it ironic that you are attacking hosts for being potentially insecure, when you really don't even understand the vulnerability points. That's scarey.
Sorry to be so blunt.
Don't apologize.
-
07-12-2002, 02:47 AM #33Web Hosting Master
- Join Date
- Apr 2001
- Location
- Paradise
- Posts
- 12,052
I don't know if you really care about it, but just to let you know, I upgraded SSH on that box a long time ago; for some reason it still shows the old version. To be honest, I don't know why.
Indeed, just to be sure, I did it again to 3.4p1, but it still shows 3.1p1.
And I will really appreciate it if you remove downtownhost.com from your first post; it makes us look bad when you don't really know about it.
Last edited by Jedito; 07-12-2002 at 03:35 AM.
█ Shared Web Hosting - Reseller Hosting - Semi-Dedicated Servers - SolusVM/XEN VPS
█ LiteSpeed Powered - R1Soft Continuous Data Protection - 24/7 Chat/Email/Helpdesk Support
█ Cpanel/WHM - Softaculous - R1soft Backup - Litespeed - Cloudlinux -Site Builder- SSH support - Account Migration
█ DowntownHost LLC - In Business since 2001- West/Center/East USA - Netherlands - Singapore
-
07-12-2002, 04:07 AM #34Web Hosting Master
- Join Date
- Apr 2001
- Location
- Paradise
- Posts
- 12,052
Originally posted by clocker1996
And the list goes on and on, i wont try to embarrass too many companies
-
07-12-2002, 07:13 AM #35Junior Guru Wannabe
- Join Date
- Apr 2002
- Posts
- 89
This thread title reminds me of Linkin Park,
Freelance designer, providing CHEAP and HIGH QUALITY designs.
EMail: webmaster[at]phatronic.com
Y! Messenger ID: phatronic - ICQ: 159396474
Portfolio: http://www.webhostingtalk.com/showthread.php?s=&threadid=75511
-
07-12-2002, 08:47 AM #36Web Hosting Master
- Join Date
- Jan 2002
- Posts
- 574
I don't think there's anything wrong with my attitude.
I've been working in web hosting for almost 4 years now (system administration).
I've tried to implement security policies, but it seems no one cares.
I have gotten people to use SUExec to get around the Apache security issues. Oh, it wasn't easy either.
You tell people it's good for security, but the bottom line is they need to make changes and they will encounter problems migrating from the "normal" way. They don't like that.
As for most attacks, as far as I have seen... typical servers that get "owned" don't suffer data loss, they are simply used for tools such as cracking other servers or tying them into a ring of DDoS boxes.
If you see a box get data wiped from it, you might want to start looking into who has a grudge with you or your users. Sure, there could be some random, malicious person who rm -rf /* a box, but I have come to know that is few and far between... usually some script kiddie who thinks someone is on to him and has no idea how to clean log files.
I've been following security for over 6 years.
I remember when bugtraq used to be good.
My attitude isn't meant to insult you, it's just one of little hope when looking at the security of 95% (random figure) of hosting companies.
-
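The problem described in posts #28 and #36 above (a script uploaded by one customer runs as the web server's user, and other customers' files are mode 777, so the script can edit or delete them) can at least be found and cleaned up mechanically. The following is an added example written for this page, not tooling from any host in the thread. It assumes customer home directories live under a path you pass in, and it builds its own small constructed tree so it can be tried without a real /home. Stripping the other-write bit is the quick fix; the durable fix is the one clockwork names, running customer CGI under suEXEC (or another per-user execution mechanism) so scripts run as the customer rather than as a shared uid.

```sh
#!/bin/sh
# Audit customer home directories for files anyone can write to (the
# "CHMOD'd 777" situation) and tighten them. Plain POSIX sh + find; this is
# an added example, not a hosting company's own script.

# Print every regular file or directory under $1 whose mode has the
# other-write bit set (-perm -002). Symlinks are not matched, so a target is
# reported once, under its real path.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 2>/dev/null | sort
}

# Number of world-writable entries under $1, as a bare integer.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remove only the other-write bit; owner and group bits stay as they were.
# A customer script that really must write under the web server's uid should
# instead run under suEXEC so it writes as that customer.
fix_world_writable() {
    find_world_writable "$1" | while IFS= read -r path; do
        chmod o-w "$path"
    done
}

# Constructed sample tree (assumed layout: /home/<user>/public_html) so the
# functions can be exercised offline. Prints the tree's path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/alice/public_html" "$root/bob/public_html"
    printf '<?php echo "hi"; ?>\n' > "$root/alice/public_html/index.php"
    printf 'secret\n' > "$root/alice/.htpasswd"
    chmod 755 "$root/alice" "$root/bob/public_html"
    chmod 777 "$root/alice/public_html"            # the classic mistake
    chmod 666 "$root/alice/public_html/index.php"  # any uid, incl. nobody, can edit
    chmod 700 "$root/bob"                          # bob did it right
    echo "$root"
}

# Usage: audit.sh /home        -> list world-writable entries under /home
#        audit.sh --demo       -> run against the constructed tree
case "${1:-}" in
    --demo)
        T=$(make_sample_tree)
        echo "world-writable before fix:"; find_world_writable "$T"
        fix_world_writable "$T"
        echo "world-writable after fix: $(count_world_writable "$T")"
        rm -rf "$T" ;;
    "") ;;                      # no argument: just define the functions
    *) find_world_writable "$1" ;;
esac
```

Run it as a cron job and mail the list to the admin; a non-empty result after the fix step means something is recreating the permissions (usually a customer's own install script), which is the point at which the suEXEC conversation with that customer starts.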
07-12-2002, 08:49 AM #37Web Hosting Master
- Join Date
- Jan 2002
- Posts
- 574
Also... I see no one replaced FTP with scp/sftp (obviously not everyone here read the thread, but no one so far).
Think of who your clients are/will be - Windows users who have CuteFTP, Frontpage (maybe DreamWeaver if you are lucky), etc.
Unless you plan to blow them all off, good luck!
-
07-12-2002, 12:55 PM #38Web Hosting Master
- Join Date
- Apr 2001
- Location
- Paradise
- Posts
- 12,052
Oh really? you don't see anything wrong with your attitude?
You exposed a possible security hole at more than 5 hosts in a public forum with more than 15,000 members, because you wanted to play "hey, I read securityfocus.com, I'm really smart, and those hosts do not upgrade their daemons, they are insecure, hehehe".
Again, I'll appreciate it if you remove downtownhost.com from your misinforming message, and I suggest you read more before posting a message like this; it really makes you look like a fool.
-
07-12-2002, 01:05 PM #39Web Hosting Master
- Join Date
- Apr 2001
- Location
- Paradise
- Posts
- 12,052
BTW, what part of
"I don't know if you really care about it, but just to let you know, I upgraded SSH on that box a long time ago; for some reason it still shows the old version. To be honest, I don't know why.
Indeed, just to be sure, I did it again to 3.4p1, but it still shows 3.1p1."
didn't you understand?
-
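Three things in the posts above turn on what an SSH banner does and does not tell you: ToastyX (#29) points out that a 3.1p1 banner can sit in front of a daemon with ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt turned off, DizixCom (#31) that a version string is not a vulnerability, and Jedito (#33, #39) that his box kept advertising 3.1p1 after an upgrade to 3.4p1. The script below is an added example written for this page, not code from any poster or from OpenSSH. It parses identification banners of the shape quoted in the thread, compares the OpenSSH version against a minimum, and reads an sshd_config fragment the way sshd does (keywords case-insensitive, first value wins). All sample banners and the config fragment are constructed; the threshold (3, 4) is just the version Jedito mentions. One assumption is marked in the code: PAMAuthenticationViaKbdInt is treated as on when unset, because its compile-time default varied between portable releases, so only an explicit "no" counts. A practical caveat for the #33/#39 situation: the banner is written by whichever sshd process is bound to the port, so a daemon that was never restarted after the upgrade, or a second sshd binary in another prefix that is the one actually listening, will keep advertising the old version; check the running process and the socket owner before drawing conclusions from a banner either way.

```python
"""Parse SSH identification banners and the sshd_config options discussed above.

Added example for this page; not OpenSSH code. Needs only the standard library.
"""
import re
import socket

# Constructed samples: the banners quoted in the thread plus a post-upgrade one.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_2.9p2",
    "SSH-1.99-OpenSSH_3.1p1",
    "SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202",
    "SSH-2.0-OpenSSH_3.4p1",
]

# Constructed sshd_config fragment in the spirit of ToastyX's description.
SAMPLE_SSHD_CONFIG = """\
# hardened by hand after the upgrade
Protocol 2
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no
ChallengeResponseAuthentication yes   # ignored: sshd keeps the first value it sees
"""

# Identification line layout: SSH-<protoversion>-<softwareversion> [SP comment]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_banner(line):
    """Split a banner into protocol, software, comment and an OpenSSH version tuple."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    info = {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comment": m.group("comment"),
        "openssh": None,  # (major, minor, patch, portable_release) or None
        # "1.99" is the compatibility value: the server will also speak SSH-1.
        "offers_ssh1": m.group("proto") != "2.0",
    }
    vm = OPENSSH_RE.match(info["software"])
    if vm:
        info["openssh"] = tuple(int(g or 0) for g in vm.groups())
    return info


def openssh_at_least(info, minimum):
    """True when the banner names OpenSSH and its (major, minor) is >= minimum."""
    v = info["openssh"] if info else None
    return v is not None and v[:2] >= tuple(minimum)


def parse_sshd_config(text):
    """Return {keyword.lower(): value}. Like sshd, the first value for a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def challenge_response_disabled(settings):
    """Both options ToastyX names must be explicitly 'no'.

    ChallengeResponseAuthentication defaults to yes in sshd_config(5).
    Assumption: PAMAuthenticationViaKbdInt is also treated as on when unset,
    since its compiled-in default differed between portable releases."""
    cra = settings.get("challengeresponseauthentication", "yes").lower() == "no"
    pam = settings.get("pamauthenticationviakbdint", "yes").lower() == "no"
    return cra and pam


def grab_banner(host, port=22, timeout=5.0):
    """Read the live server's identification line (needs network; not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = s.recv(1)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").strip()


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        info = parse_banner(b)
        print(f"{b!r}: OpenSSH={info['openssh']} ssh1_offered={info['offers_ssh1']} "
              f"at_least_3.4={openssh_at_least(info, (3, 4))}")
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("challenge-response fully disabled:", challenge_response_disabled(cfg))
```

The banner check tells you which hosts to look at; the config check tells you what a given daemon actually does, and only the second one can be read from the box itself, which is the distinction DizixCom is drawing.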
07-12-2002, 09:09 PM #40Web Hosting Master
- Join Date
- Apr 2000
- Location
- California
- Posts
- 3,051
Originally posted by clockwork
I don't think there's anything wrong with my attitude.
I've been working in web hosting for almost 4 years now (system administration).
I've tried to implement security policies, but it seems no one cares.
I have gotten people to use SUExec to get around the Apache security issues. Oh, it wasn't easy either.
You tell people it's good for security, but the bottom line is they need to make changes and they will encounter problems migrating from the "normal" way. They don't like that.
As for most attacks, as far as I have seen... typical servers that get "owned" don't suffer data loss, they are simply used for tools such as cracking other servers or tying them into a ring of DDoS boxes.
If you see a box get data wiped from it, you might want to start looking into who has a grudge with you or your users. Sure, there could be some random, malicious person who rm -rf /* a box, but I have come to know that is few and far between... usually some script kiddie who thinks someone is on to him and has no idea how to clean log files.
I've been following security for over 6 years.
I remember when bugtraq used to be good.
My attitude isn't meant to insult you, it's just one of little hope when looking at the security of 95% (random figure) of hosting companies.
-
07-12-2002, 09:30 PM #41Web Hosting Master
- Join Date
- Apr 2001
- Location
- Paradise
- Posts
- 12,052
Originally posted by Tim_Greer
I think he was talking about posting publicly saying he was incompetent basically, and was vulnerable. Wrong and he looks incompetent. Right and you just told 15,000 members and a few thousand random non-members viewing the forum that he's an open target.
He didn't see how I have configured sshd_config, or whether I have it patched or not; he doesn't have a clue how that box has been configured.
He was just misinforming with inaccurate information about a box that he never used, and even if it were true that the box is vulnerable, he showed a lack of common sense in posting a message like that in a public forum with 15000+ members.
I expect an apology from clocker, and downtownhost.com removed from this thread.
-
07-13-2002, 12:21 AM #42Web Hosting Master
- Join Date
- Jan 2002
- Posts
- 574
Originally posted by Jedito
Oh really? you don't see anything wrong with your attitude?
You exposed a possible security hole at more than 5 hosts in a public forum with more than 15,000 members, because you wanted to play "hey, I read securityfocus.com, I'm really smart, and those hosts do not upgrade their daemons, they are insecure, hehehe".
Again, I'll appreciate it if you remove downtownhost.com from your misinforming message, and I suggest you read more before posting a message like this; it really makes you look like a fool.
When did I post about any company being insecure?
That is, if you are referring to me, which it seems you are due to the "attitude" portion of your message.
-
07-13-2002, 12:24 AM #43Web Hosting Master
- Join Date
- Apr 2000
- Location
- California
- Posts
- 3,051
Last edited by Tim Greer; 07-13-2002 at 12:29 AM.
-
07-13-2002, 12:27 AM #44Web Hosting Master
- Join Date
- Jul 2002
- Posts
- 3,734
I think everyone's getting confused over usernames here.
clocker1996 was the one who started the thread, not Clockwork.
-
07-13-2002, 12:29 AM #45Web Hosting Master
- Join Date
- Apr 2000
- Location
- California
- Posts
- 3,051
Originally posted by lightnin
I think everyone's getting confused over usernames here.
clocker1996 was the one who started the thread, not Clockwork.
:)
-
07-13-2002, 12:36 AM #46Web Hosting Master
- Join Date
- Jan 2002
- Posts
- 574
Originally posted by Tim_Greer
Keeping programs up-to-date does not make one a system administration expert.
Keeping programs up to date is just common sense, even on your home computers.
Originally posted by Tim_Greer
What policies, to whom, and what do you mean?
And setting up rules for giving out information.
Have people follow a set number of rules when changing software (make sure it doesn't have holes).
And so on.
Originally posted by Tim_Greer
What Apache security issue and SuEXEC and what wasn't easy?
What's good for security and what changes and what problems are you talking about?
Changes would be moving away from how the other hosting companies do things, the vast majority.
I was with company A, and this is how they had things set up... and company B I was with did the same thing, but you, company C, want me to do it this way? It just doesn't make sense to them since they can't (most of them) comprehend that the changes are of benefit.
Do you follow at all?
Just take replacing FTP with scp. I'm sure a company only offering scp as a way to upload data isn't going to get many customers.
Originally posted by Tim_Greer
Keeping programs up-to-date does not make one a system administration (or security) expert.
I think he was talking about posting publicly saying he was incompetent basically, and was vulnerable. Wrong and he looks incompetent. Right and you just told 15,000 members and a few thousand random non-members viewing the forum that he's an open target.
Thanks Tim.
-
07-13-2002, 12:38 AM #47Web Hosting Master
- Join Date
- Jan 2002
- Posts
- 574
Why do I have a feeling you guys are confusing me with clocker1996 ?
-
07-13-2002, 12:51 AM #48Web Hosting Master
- Join Date
- Apr 2000
- Location
- California
- Posts
- 3,051
Originally posted by clockwork
Why do I have a feeling you guys are confusing me with clocker1996 ?
-
07-13-2002, 12:53 AM #49Web Hosting Master
- Join Date
- Mar 2001
- Location
- Downunder..
- Posts
- 2,612
lol Tim
-
07-13-2002, 01:50 AM #50Web Hosting Master
- Join Date
- May 2001
- Location
- Dayton, Ohio
- Posts
- 4,977
Originally posted by Tim_Greer
I did, sorry. I was wondering how he suddenly was doing system administration for 4 years and watching security lists for 6. My mistake.
*bookmarks post*
This is possibly one of Tim's shortest posts