WHMCS.com Hacked?



From what I'd read, it wasn't the hosting being insecure, it was an employee issue. They were convinced to reveal account details, which could potentially happen on *any* hosting platform.

Not so, I believe the properly paranoid sys admin should make it so the bad guys can't get in even if they HAVE the server's root password.

 

IP restrictions, two factor authentication, VPN access only are all super simple to implement and there are plenty more sophisticated techniques - not to mention not sharing the root password with the upstream provider in the first place (especially losers like Hostgator; that they were being used was the biggest shocker in this whole miserable affair). We should all be doing this stuff, to not do so is just poor management imo.


Unless you own the data centre, any support personnel at a DC with high enough privileges could walk over to your server and reset the root password.

 

The problem here was that the procedures in place at Hostgator/WHMCS simply were not good enough to prevent this happening.

 

To be honest though, this issue has been beaten to death now, we all know Hostgator are cack, we all know better security procedures should have been in place at WHMCS and we all know that things must change and improve which I have no doubt they will...


  • IP restrictions, two factor authentication, VPN access
  • not sharing the root password with the upstream provider
  • We should all be doing this stuff, to not do so is just poor management imo.

And these are all things you're implementing on your own services/servers? With what provider, please? I'd like to discuss that option with them.

  • Unless you own the data centre, any support personnel at a DC with high enough privileges could walk over to your server and reset the root password.
  • The problem here was that the procedures in place at Hostgator/WHMCS simply were not good enough to prevent this happening.
  • To be honest though, this issue has been beaten to death now

All valid points (especially that last one), and many have hindsightful commentary to add about what they would do to protect themselves "if it were them". I imagine that many don't actually implement that sort of security, and some are probably hosted with the same provider they're tearing up currently.

Happens all the time.

 

Of course, then you look at others affected by socially engineered attacks, like MyBB. Had nothing to do with their host, it would appear their registrar (Namecheap) mistakenly handed over the domain name. With that, quickly set up a catchall, and start requesting password resets.

Many ways in, and security takes effort...and isn't possible to achieve 100%, IMHO.


One thing I am not too happy with WHMCS is their new marketing idea, which winds up giving large hosting companies an unfair advantage over smaller ones, as I now see hosting companies giving away WHMCS with reseller accounts.

 

As this software falls into more hands for small fees the possibility of hackers will increase.

This allows them to have hands on access to try and find holes in it.

 

I believe it's a really bad idea - might be a good marketing scheme but long term it's not very good.

 

Just like any other business, WHMCS has to make money; if this means they lease large volumes of licenses to large hosting companies at a lower price, this makes viable financial sense for the long-term success of the business.

 

It does allow smaller companies to get into the business, resellers or not, this is good for the hosting industry, it brings about good competition, and it weeds out those that are no good because you can switch easily.

 

Being a major player in the industry doesn't mean you're the best, or cheapest, it means you advertised and campaigned well. Now keeping those clients, well that's a different matter, and this is where we come in as website hosts. If we can take just a small fraction of those unsatisfied customers we are taking a piece of their market share.

 

I am sure this screw up from Hostgator is not the first incident, I doubt it will be the last; I know they recently opened a new building in Dallas, so you can see they are doing something right there, but they are not the be all and end all of the hosting industry.

 

Now as for WHMCS having millions of copies out there, I should hope that they do, and I hope that it is being hacked all the time, not because I want to see WHMCS go under, but because I want to see WHMCS go from strength to strength so we can all have better, more secure systems; if an exploit is not known it cannot be plugged.

 

Personally, I think if my business was attracting the attention of so many hackers I would be proud of the fact my business is doing so well to be such a prominent focus point for their attentions. In my mind these hackers are validating the very core of what WHMCS stands for simply by trying to undermine it.

 

I started as a "reseller" with Hostgator; I have found their support intermittent at times, slow at others, but on the whole they have been good in support. This is only my standpoint on Hostgator, and I still to this day use their services for provisioning of clients but not for my WHMCS installation; I gave up their free WHMCS license about 3 months after I started and never looked back. In the end, the safety and security of my clients rests in my hands; it's my reputation on the line when things go wrong and not any third-party companies I use.

 

Resellers, co-locators and webhosts alike would all do well to remember that very fact. When the **** hits the fan, the buck stops with me.


I have said before, security is an ongoing, ever evolving state of mind. Security is not a goal to attain. As soon as one says to themselves "I'm there, my stuff is now secure" is the moment their attempt to be secure has failed and it's only a matter of time.


And these are all things you're implementing on your own services/servers? With what provider, please? I'd like to discuss that option with them.

 

Absolutely, Softlayer are a good example of that. Firewall off anything related to SSH, RDP, cPanel or whatever, use their VPN over the private network for sole administrative access, leverage their two factor authentication to keep the management portal locked down and don't keep the actual root passwords in that portal. We do much the same elsewhere with Cisco VPNs and also for hardware we have on site with IPSEC.

 

Nothing is completely bombproof, but the above would have totally stopped last week's fiasco in its tracks, no?


Absolutely, Softlayer are a good example of that. Firewall off anything related to SSH, RDP, cPanel or whatever

So your hosting customers are not allowed to use SFTP (apparently in favor of insecure FTP) or Cpanel, is that right? I can understand these restrictions on the server that houses your billing/support and so on (though one would then question why Cpanel on that), but on all servers to which you have root?

Or have I misunderstood?


@bear

 

I wouldn't trust anyone else on my billing server. One messed up cPanel security setting and BAM - big security hole. If cPanel updates can constantly break things, imagine the security holes possible. These website control panels are far too complex for their own good.

 

I don't run cPanel on my important websites, nor any other control panel. I set up Linux user permissions on a per-website basis manually. Not much can go wrong when you've double checked everything.


So your hosting customers are not allowed to use SFTP (apparently in favor of insecure FTP) or Cpanel, is that right? I can understand these restrictions on the server that houses your billing/support and so on (though one would then question why Cpanel on that), but on all servers to which you have root?

Or have I misunderstood?

The billing server is on a different network from hosting customers, in a different state, and does not have (or need) a control panel installed. All administration is done over VPN and private network; no vendors allowed in.

 

Hosting customers may not use SFTP, however they are encouraged to use FTPS over TLS/SSL which is secure. Plesk port is open but the panel is locked down to only user level accounts.


The billing server is on a different network from hosting customers, in a different state, and does not have (or need) a control panel installed. All administration is done over VPN and private network; no vendors allowed in.

 

Hosting customers may not use SFTP, however they are encouraged to use FTPS over TLS/SSL which is secure. Plesk port is open but the panel is locked down to only user level accounts.

 

 

Not sure if you are aware, but FTPS is not as secure as SFTP... FTPS is only encrypted during transmission of user name and password... while SFTP is encrypted for the entire session and public/private key pairs can also be utilized. Check out proftpd and its SFTP integration documentation if you have any further questions.


Answers to security questions such as, for example, mother's maiden name, name of favourite pet or the street you grew up on can be researched by a determined hacker who is targeting someone specific. This gets easier to research with the popularity of social networks such as Facebook where people tend to reveal too many personal details online. That's why I always register answers to these questions that cannot be researched, such as my mother's maiden name is "hamburger" and my favourite pet is "carburetor" or some other nonsense.

 

+1 I thought this was common practice, since the PCI requirements state the questions should only be known to the account holder.


And these are all things you're implementing on your own services/servers? With what provider, please? I'd like to discuss that option with them.

 

SoftLayer provides this with their portal and out of band management network which is only accessible over VPN... it is all free with every server


+1 I thought this was common practice, since the PCI requirements state the questions should only be known to the account holder.

 

I thought this was common practice? I have been doing this for about 15 years!! I find it strange that anybody would complete the question with an expected answer.

 

You're setting up security to allow you total override access should you forget your password; surely this is just common sense that you would use nonsense information.

 

 

For instance, first school: I watch CSI, you get the idea.


+1 I thought this was common practice, since the PCI requirements state the questions should only be known to the account holder.

 

I thought this was common practice? I have been doing this for about 15 years!! I find it strange that anybody would complete the question with an expected answer.

 

You're setting up a security override to allow you total access should you forget your password; surely this is just common sense that you would use nonsense information.

 

 

For instance, first school: I watch CSI, but I don't like hamburgers.

 

Another good practice I have seen in a few places: allow the user to write their own question and answer. Definitely something to request as a feature.

Edited by disgruntled

Hosting customers may not use SFTP

 

This is understandable; for anybody wanting to know why, create a hosting account that is allowed to use SFTP and just keep on going up a directory.

 

They can't change anything outside of their home directory, but they can see all sorts and download things you may not want them to.

Edited by disgruntled

I thought this was common practice? I have been doing this for about 15 years!! I find it strange that anybody would complete the question with an expected answer.

 

You're setting up a security override to allow you total access should you forget your password; surely this is just common sense that you would use nonsense information.

 

 

For instance, first school: I watch CSI, but I don't like hamburgers.

 

Another good practice I have seen in a few places: allow the user to write their own question and answer. Definitely something to request as a feature.

 

 

Not sure if you misunderstood me, or I am misunderstanding you... I was agreeing with them saying I thought it was common practice to provide answers that are not the given answer...

 

Example: What is your mothers maiden name? Answer: SanDiego345$


This is understandable; for anybody wanting to know why, create a hosting account that is allowed to use SFTP and just keep on going up a directory.

 

They can't change anything outside of their home directory, but they can see all sorts and download things you may not want them to.

 

 

This is not true... again, check out the proftpd mod_sftp documentation for more information.

 

The user is caged to their home directory and cannot view anything else on the system.


This is not true... again, check out the proftpd mod_sftp documentation for more information.

 

The user is caged to their home directory and cannot view anything else on the system.

 

OK, well I must have a setting wrong on my servers, because I tested and was able to go everywhere more or less; there were a few directories I couldn't see, for instance /home/account/ I could see, but none of the other user folders, but I was able to wander around, I even downloaded a file just to see if I could.

 

So, in this instance, I feel I have a security issue and shall most definitely be reading the documentation you posted to tighten up what appears to be a gaping great big **** me over sign in my server :(


OK, well I must have a setting wrong on my servers, because I tested and was able to go everywhere more or less; there were a few directories I couldn't see, for instance /home/account/ I could see, but none of the other user folders, but I was able to wander around, I even downloaded a file just to see if I could.

 

So, in this instance, I feel I have a security issue and shall most definitely be reading the documentation you posted to tighten up what appears to be a gaping great big **** me over sign in my server :(

 

I agree, the users should not be able to see beyond /home/their folder.

 

In fact for me it does not even indicate there are directories below it... "/home/user" is represented as "/" in the SFTP client.


I agree, the users should not be able to see beyond /home/their folder.

 

In fact for me it does not even indicate there are directories below it... "/home/user" is represented as "/" in the SFTP client.

 

 

Firstly, my servers are configured to use pure-ftpd, so this is probably the first issue; secondly, I now need to compile mod_sftp across my servers. The good news is the FTP server switchover is quick and painless; the compile, well, I think my administration just got its next priority work.


SFTP requires shell access.

 

To prevent a user from seeing others you need to have jail shell access set.

 

I don't allow shell access by any users, and to prevent all from having access - even at the data center.

 

Nope, not true... it all runs off the mod_sftp system built into proftpd... no need to give out shell access and definitely no need to use jail shell, since we are not talking about the OpenSSH SFTP subsystem.
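The exchange above comes down to two configuration points: an SFTP user who can "wander around" is one who has not been chrooted, and proftpd's mod_sftp speaks the SSH protocol itself, so it does not need a login shell or OpenSSH's jail. The following proftpd.conf excerpt is an added example, not configuration from the thread or from the ProFTPD project; the port, host key paths, key directory and the `sftponly` group name are assumptions to adapt to your own system. It shows the setting that produces the behaviour disgruntled reported next to the jailed configuration.

```apacheconf
# Added example proftpd.conf excerpt; not from the thread. Port, paths and the
# "sftponly" group are assumed values. Check syntax before reloading with:
#   proftpd -t -c /etc/proftpd/proftpd.conf

ServerName "Hosting SFTP"
ServerType standalone

# --- The setting to avoid -------------------------------------------------
# A virtual host like this one (commented out on purpose) has no DefaultRoot,
# so an authenticated SFTP user starts in /home/user but can "cd .." and list
# or download any world-readable file on the box. Do not deploy it.
#
# <VirtualHost 0.0.0.0>
#   <IfModule mod_sftp.c>
#     SFTPEngine on
#     Port 2222
#     SFTPHostKey /etc/ssh/ssh_host_rsa_key
#   </IfModule>
# </VirtualHost>

# --- Jailed SFTP endpoint -------------------------------------------------
<VirtualHost 0.0.0.0>
  <IfModule mod_sftp.c>
    SFTPEngine on
    Port 2222
    SFTPLog /var/log/proftpd/sftp.log

    # Host keys; proftpd can reuse the OpenSSH host keys (assumed paths).
    # mod_sftp refuses keys that are group- or world-readable.
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    SFTPHostKey /etc/ssh/ssh_host_ecdsa_key

    # Per-user public keys in RFC 4716 format, one file per user name.
    SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

    # Try public key first, then password. Drop "password" once every
    # account has a key on file.
    SFTPAuthMethods publickey password
  </IfModule>

  # Chroot each user into their own home: "/home/user" is presented as "/"
  # and nothing above it exists from the client's point of view.
  DefaultRoot ~

  # SFTP users get /sbin/nologin in /etc/passwd; proftpd will still accept
  # them because the SSH session is handled by mod_sftp, not by a shell.
  RequireValidShell off

  # Only members of the (assumed) sftponly group may log in on this port.
  <Limit LOGIN>
    AllowGroup sftponly
    DenyAll
  </Limit>
</VirtualHost>
```

After reloading, log in as a test account and run `cd ..` followed by `ls` in the SFTP client: with `DefaultRoot ~` in effect the listing stays inside the user's home, which is the quick check for the problem described above.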


For those who were freaking out because their data was just leaked, making claims of keys to the kingdom etc... honestly I've been doing some digging around on different underground sites and it seems that most of their scanners used Google to find the WHMCS installs... didn't matter if you pay unbranded or not... the scanners find it with a basic Google search:

 

inurl:submitticket.php

 

then their scanner loops through the result pages, checking each URL to be a match and whether it is exploitable

 

 

see for yourself: https://www.google.com/#hl=en&sclient=psy-ab&q=inurl:submitticket.php&oq=inurl:submitticket.php


Day before yesterday my card I had on file with WHMCS was used all over GB. The bank already reversed it.

 

I'm not sure if it's related, but it seems coincidental. A good idea to cancel any cards you may have had saved with WHMCS.

 

PS: one of the charges was Papa John's in GB.

Edited by BarrySDCA

This topic is now closed to further replies.