As I am writing this, I am running clam.av right through the server /home directory on the server. (One virus, old file. Expunged. Fixed.)
I have got a warning from the Webhost that there are bugs on the server, and I have spikes in traffic which do not seem to relate to the real business of the server. There is an article up about Ancient versions of Linux being at risk… but this is not the case at Casa Pukeko, where A2 hosting runs a very patched version of the 2.6.32 kernel… or in real life, where I keep all my machines fairly uptodate.
Because it takes five minutes once a week with Arch Linux. Firstly, you go to the web page and check for warnings on instability. If there are issues, you fix them. Then, which is usually the case, you use superuser and type
'pacman -Syu'
.
But there is a reason that my web site uses an old kernel.
Here’s the problem when it comes to updating infrastructure systems like these for system administrators:
It’s not a matter of security, it’s a matter of “If it ain’t broke, don’t you even dare try to fix it.”
If history as sysadmins has taught us nothing it’s that the constant cycle of updates, especially on mission-critical machines, puts our job security on the lines. Especially when a lot of these machines are running custom code with dependencies that end up being the very security liabilities that get patched.
I have used a2hosting for years, and had two problems: one when I moved servers, and one when the system got completely shot and we could not get the blog back at all. And I get about as much spam coming through these servers as I do at the university… so A2 do know what they are doing. Many do not.
The problems comes from hosting companies selling very cheap servers and VPS, this are so cheap that people that hire them are so newbie that once they receive the servers they never ever patch them because they don´t know how. The hosting company is so bad and does not enforce patches because their earnings are so low per server/customer that they don´t care either to even bother wasting their time informing customers or actually enforcing updates. A proper company WOULD enforce security updates on their customers machines at least if they don´t they should be unplugged from their network which they are responsible for, but this means they need to track them down, inform the customer or even give them support, which is going the extra mile they don´t want. This costs time and money and they hardly make a profit with this customers, so they honestly don´t care.
The other problem is what all those pre paid hosting packages as long as 3 years, most people don´t care about their server or website anymore before one year, but since they paid 3 years they have to be remained online, in this case the company has no idea either the server or even hosting account was abandoned long time ago. Anyone working in some company providing services maybe can confirm this but there probably are allot of abandoned services which users don´t use and don´t care about them either.
If we track down this servers its no wonder they mostly always come from the same network and companies, and this is exactly why. Crappy hosting providers that give terrible low cheap services, most of the spam, dos attacks and other malicious traffic comes from this budget providers.
Amazingly some of this are in Europe, actually allot of this massive budge providers are in Europe and I know some system administrators even blocked the whole networks from this providers since most traffic coming from them was garbage. The US has them as well, but they don´t seem that popular to have a real impact in terms of customers/servers, otherwise we would see the same trend.
Selling cheap is not the problem, the problem is when you give a Linux server to someone that does not know what a server or operating system is and then leave it plugged online 24/7.
I strongly recommend that all bloggers and people who have a website pay someone else to do this. Do not go to the lowest bidder: go to someone who can sort things out. I only have had to talk to A2hosting about three times, but they have sorted problems on that day, or thereabouts. For a low traffic site that makes them very little money. People who will go the extra mile do deserve our support, so… I will stay with A2 — unless or until the USA decides that pesky foreign entities are not welcome.
