
Sorry I have to vent

Comments

7 comments

  • cPRex Jurassic Moderator

    Hey there!  I'm sorry to hear about your issues with the system.  In general, you shouldn't need to do anything to enable certificates on a machine as cPanel enables AutoSSL on all new servers right from the installation time.  Your hosting provider can disable those features if your license is purchased through them, so I'm wondering if that was the case here.  I haven't even thought about SSLs on my personal machine in years because AutoSSL just takes care of everything.

    cPanel should also be issuing hostname certificates even if AutoSSL is disabled, so you wouldn't need to manually do that in most cases.

    But yes, I agree that things have become complicated, and no matter how much automation we try and add to a system there's always something more that has to be done.

    Can you elaborate on how an unauthorized person could be getting into your server?

    0
  • DennisMidjord

    My server now has been without a firewall, without login protection, without host access protection, and ssh is alive and login is authorized for over 4 hours now while they work on a solution.  How can any host leave a server unprotected for that long, makes me so &^%$# mad.

    You shouldn't disable any of the above just because cPanel needs access to your server. They provide you with the IP addresses they will be connecting from.

    Hopefully you only allow access to SSH using keys, not passwords.

     

    1
  • durangod

    I really dislike AutoSSL, not that it's a bad feature; I know many that use it and love it.  But it's just not for me and I wanted another solution.  One of the main reasons I dislike AutoSSL is because it seems there are way too many "if this" or "unless this" options and I don't have the brain power for all that.

    Actually if I could I would just have a simple server with a free panel. However, I don't have the experience and forgot many of the skills I once had to be able to use a free panel, so cPanel fulfills my needs wonderfully. I do love many things about cPanel that I dislike with other paid panels.  I don't expect cPanel to be perfect, nothing ever is; it is what I am used to and what I like, and what serves my needs.

    But like anything else in the world, sales is done via fear; the insurance companies have that selling point perfected and the web world is no different.   To answer your request:

    Can you elaborate on how an unauthorized person could be getting into your server?

    I guess that is a hard question to answer because I'm not a hacker, don't know the first thing about it, don't understand what they do nor how they do it. My guess is that they either exploit a weakness of the site content itself, or they know what the actual server HTTP data streams look like and they use bits and binary level tricks to get into the system.  I have enough experience to know that a computer will only do what you tell it to do; as long as 1+1 = 2 the computer does not care if it's a hacker or not, and without any filters telling it otherwise, it says "ok great come on in".

    But I don't want to turn this post into a hacker101 deal, that is not the purpose.  The purpose of the previous paragraph was just to say we all take acceptable risk and we all know we have to have some kind of server protection.  That said, my server for almost 6 hours had no 2FA protection, no host access protection, no SSH protection, no firewall protection, no cPHulk protection and someone else (the tech or several techs) had my WHM root password, cPanel access, and full SSH access.   We used https://secureshare.support to pass that sensitive data but how do I know what happened after that?   As a novice I have no clue what specific logs to check other than what is told me by the cPanel docs; I know there are many other logs available.

    My point is that since the server was originally created and hardened there were 6 hours that almost any hacker worldwide probably could have accessed it easily; the server was at its weakest point to date.  The logs I did look at showed attempts from IPs from China and Russia one after another.  Now my novice eyes don't think they got in because access was denied, but they were making the attempt and my server was pretty much naked or close to it.

    Now I do understand that them being denied says a lot for cPanel protection, however I have no clue if someone got in and set up something that runs in the background; they are certainly not going to advertise they got access.  Maybe they just downloaded my unreleased proprietary software that I've been working on for 5+ years all by myself.  Or maybe I got lucky and none of that happened and everything is just fine.  I don't know any of that, so I was very worried and upset that all the things server professionals tell us we should have were disabled for that long.

    A lot of people don't understand that techs have shift changes just like any other job, and when the original tech working on the issue leaves their shift or passes it to someone else, that new tech has to educate themselves on the issue.  This could mean reading over tons of email replies, which takes time.  I understand that and accept that as a part of the business, but my feeling was, while you educate yourself on my issue, Mr. Tech, please turn my firewall back on and then read the emails.

    So it's not that I was upset that 100% someone was going to hack me.  My stress came from the fact that it could happen at that moment because it was at its weakest point.  And add in the added stress that I have no clue how to stop them or track their movements if it did happen. So being upset with myself played a big factor as well.

    I hope that explains my original post better.   :)

     

    0
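Added example, not part of any participant's post: one way to review an exposure window like the one described above is to list SSH logins that succeeded from addresses outside the ranges the support team said it would connect from. The log lines, addresses, time window and function names are constructed for illustration; on RHEL-family servers the real sshd entries are normally in `/var/log/secure`.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in OpenSSH's syslog format (documentation-range IPs).
SAMPLE_LOG = """\
Mar  3 09:58:02 host sshd[811]: Accepted publickey for root from 198.51.100.7 port 40112 ssh2
Mar  3 10:14:40 host sshd[902]: Failed password for root from 203.0.113.50 port 51810 ssh2
Mar  3 10:15:03 host sshd[910]: Failed password for invalid user admin from 203.0.113.50 port 51990 ssh2
Mar  3 11:02:19 host sshd[1204]: Accepted password for root from 192.0.2.10 port 60122 ssh2
Mar  3 13:47:55 host sshd[1733]: Accepted password for root from 203.0.113.77 port 44021 ssh2
Mar  3 17:30:00 host sshd[2250]: Accepted password for root from 203.0.113.77 port 44900 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def review_window(log_text, start, end, support_nets, year):
    """Return (unexpected_logins, failed_counts) for start <= time <= end.

    unexpected_logins: successful logins from outside support_nets.
    failed_counts: number of failed attempts per source address.
    """
    nets = [ip_network(n) for n in support_nets]
    unexpected, failed = [], {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an sshd authentication result line
        # Classic syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if not start <= ts <= end:
            continue
        ip = ip_address(m["ip"])
        if m["result"] == "Failed":
            failed[str(ip)] = failed.get(str(ip), 0) + 1
        elif not any(ip in n for n in nets):
            unexpected.append((ts.isoformat(), m["user"], m["method"], str(ip)))
    return unexpected, failed

if __name__ == "__main__":
    # Constructed six-hour window and support range.
    hits, fails = review_window(SAMPLE_LOG, datetime(2025, 3, 3, 10),
                                datetime(2025, 3, 3, 16), ["192.0.2.0/28"], 2025)
    print(hits, fails)
```

Denied attempts only show up in the failed counts; an entry in the first list is a login that succeeded from an address nobody vouched for and is the one to follow up on.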
  • cPRex Jurassic Moderator

    Was this ticket open with your hosting provider?  As DennisMidjord said, cPanel support never asks you to disable security tools except for the minimum required to get us access, such as allowing a port or IP address.

    0
  • durangod

    Yes it was, Namecheap. It took 2 full days and I don't know how many different techs to finally figure out the email issues; some was my fault because I did not know that a test Exim custom filter that was disabled had a code error in it and was blocking the email.  I did not know that a disabled filter would still try to execute.

    The other issue was the fact that I disabled AutoSSL and Exim was using a self-signed cert, as again I had no idea that I had to have a cert for the servername.

    I don't have a paid support plan so it cost me $15 to have them look into it. Which I am also not upset at the cost, I know that is very inexpensive.  Usually when I have an issue I ask them and they just give me some doc link or other resource link since I don't have a paid plan.

    I have to accept the fact that since I don't have a paid plan I have to assume some responsibility and handle things myself. It was not that which upset me; I was not even really upset at how long it took since I don't have a paid plan.  I was only upset at the fact they left my server so naked for so long, so it was how they did things, not how long it took.

    Does cPanel offer an affordable support plan?

     

    0
  • cPRex Jurassic Moderator

    We don't provide support outside of what is included with direct license holders - if you purchase your license through us that includes support.

    1
  • durangod

    Ok, I understand.   Thanks for your replies and also the reply from DennisMidjord. I'm just glad it's all over and I can put that experience behind me; learning some stuff in the end is good though.  :)

    0
