
Dreamhost: poor security, over stressed servers
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jan 30, 2007, 10:53 AM
 
Web hosting providers with poor security

I'm sick of it. I'm sick of seeing web hosting providers that have no clue as to what they are doing. Some are big providers with thousands of accounts and very visible advertising. It is my goal here to expose their negligence so that people will avoid them.

To qualify for this page, you have to meet one of the following criteria:

* Customers' data should be readable or writable by other users when they claim that it is not.
* Log files exposing customers' data should be writable by other users.
* Password or other similar information is exposed.
* Anything else that shows severe negligence on the part of the system administrators, if they really have any.

2007

* Dreamhost.com - Where do I begin? These are the guys who say "Our servers are protected by ninjas" and swear up and down that they are really secure.
o Home directories are world executable, meaning you can pass through them and view users' web content.
o /var/log/xfer.log was world readable, meaning that you could figure out users' directory structure.
o Load averaged 6 to 10 and was seen as high as 324.
o Couldn't transfer to/from their server any faster than 2Mbit/sec. Tested a few times to be sure.

I've also heard that their storage is a series of hundreds of NFS mount points - yuck!

I would not recommend putting a business website on Dreamhost with this kind of security practice and overstressing of their servers to be able to boast the features they boast. Somebody has to pay for all these features somewhere, and there are always trade-offs. If you are picking out a host, don't just go for a host that offers a gazillion features (many which you will never use) at the cheapest price - this is a game the hosting providers seem to enjoy playing.

At best, DH might be good for hobbyist websites, but if you are looking for a serious hosting provider, it's probably worth doing some careful research.
     
Love Calm Quiet
Mac Elite
Join Date: Mar 2001
Location: CO
Status: Offline
Jan 30, 2007, 08:55 PM
 
Those are serious allegations.
Any possibility you could give a *source* for the quote instead of leaving it as a set of anonymous allegations?
TOMBSTONE: "He's trashed his last preferences"
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jan 30, 2007, 08:59 PM
 
Originally Posted by Love Calm Quiet:
Those are serious allegations.
Any possibility you could give a *source* for the quote instead of leaving it as a set of anonymous allegations?
Web hosting providers with poor security - SusoSight


Does Dreamhost give out SSH access? If so, this could be easily verified.

I happen to know this person who posted this article. He also wrote this to me:

$ w
19:17:09 up 52 days, 3:23, 4 users, load average: 328.28, 274.12, 166.21

$ df | wc -l
244

look at that crazy load average, and check out all of the partitions (240 of them!)
     
macintologist
Professional Poster
Join Date: Apr 2002
Location: Smallish town in Ohio
Status: Offline
Jan 30, 2007, 09:00 PM
 
Who hosts Youtube?
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jan 30, 2007, 09:03 PM
 
Originally Posted by macintologist:
Who hosts Youtube?

A few different people own the netblocks YouTube uses:

Netcraft - Search Web by Domain..
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Jan 30, 2007, 09:22 PM
 
I like how the article is supposedly about security, but half the points are just bitching about how the author doesn't like Dreamhost.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jan 30, 2007, 09:26 PM
 
Originally Posted by Chuckit:
I like how the article is supposedly about security, but half the points are just bitching about how the author doesn't like Dreamhost.

An obvious bias, but if this person sat at the command line and typed in those commands and got those responses, they speak for themselves.
     
registered_user
Dedicated MacNNer
Join Date: Nov 2001
Location: Are Eye
Status: Offline
Jan 30, 2007, 10:02 PM
 
I tried the same experiment.

$ w
19:00:14 up 22 days, 20:42, 4 users, load average: 3.97, 3.49, 3.92
$ df | wc -l
45

:/
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jan 30, 2007, 10:09 PM
 
Originally Posted by registered_user:
I tried the same experiment.

$ w
19:00:14 up 22 days, 20:42, 4 users, load average: 3.97, 3.49, 3.92
$ df | wc -l
45

:/

Well, obviously the load average will fluctuate, but even those numbers are pretty high. This could be a new machine they recently added to their pool, or they could have finally bought more servers and spread out the load. Most sys admins like to keep their load average under 3:

UNIX® Load Average Part 1: How It Works

And 41 partitions? That is still f-ing insane!

If these were SAN partitions, they could make each partition as long as they wanted and each server could share the same set of disks. If this was a RAID array, I believe that only one device node would be used to represent the disk. So, it is likely that there are 41 standard hard disks connected to their servers, and accounts are placed on each of these disks in a round-robin fashion.
( Last edited by besson3c; Jan 30, 2007 at 10:18 PM. )
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jan 30, 2007, 10:12 PM
 
Can you paste in a copy of the output of a "df"? How about a partial listing of "ls -l /home"? "ls /home | wc -l"?
     
skalie
Mac Elite
Join Date: Mar 2002
Location: Clogland
Status: Offline
Jan 31, 2007, 02:31 PM
 
As I noted on another section of the forum...

186 GB storage till Feb 1st, when it drops to 185.5 GB, $1/mo per extra 10mb.

... that's just being silly.
     
MaxPower
Dedicated MacNNer
Join Date: May 2001
Location: Ze goggles, zey do nothing
Status: Offline
Jan 31, 2007, 02:45 PM
 
SSH'd into my dreamhost account. I did 'ls /home | wc -l'

It returns 963


Snippet of output of 'ls -l /home':

Code:
lrwxrwxrwx 1 root staff   14 2005-10-05 16:33 xander -> .kalgan/xander
lrwxrwxrwx 1 root staff   14 2006-10-04 22:12 xenius -> .odelia/xenius
lrwxrwxrwx 1 root staff   13 2006-04-19 07:12 xixonia -> .nape/xixonia
lrwxrwxrwx 1 root staff   16 2005-10-05 16:33 xqdesign -> .odelia/xqdesign
lrwxrwxrwx 1 root staff   21 2007-01-22 05:39 yachtclub -> .ragmeister/yachtclub
drwxr-sr-x 3 root staff 4096 2007-01-22 05:39 yachtclub.wtf.30116
lrwxrwxrwx 1 root staff   15 2005-10-05 16:33 yeehaw -> .madeira/yeehaw
lrwxrwxrwx 1 root staff   22 2006-08-07 21:07 yiorgara -> /home/.balder/yiorgara
lrwxrwxrwx 1 root staff   25 2006-09-26 18:14 yogakendra -> /home/.tadpole/yogakendra
lrwxrwxrwx 1 root staff   18 2005-10-05 16:33 yourpeople -> .umpire/yourpeople

'tail /var/log/xferlog' returns

Code:
Wed Jan 31 11:30:29 2007 0 67.112.74.4 1277 /home/.madeira/sammamis/1913intel.com/wp-content/plugins/live0.4.1/menu.php a _ i r sammamis ftp 0 * c
Wed Jan 31 11:30:31 2007 3 67.112.74.4 5922 /home/.madeira/sammamis/1913intel.com/wp-content/plugins/live0.4.1/live.php a _ i r sammamis ftp 0 * c
Wed Jan 31 11:30:31 2007 2 67.112.74.4 10240 /home/.madeira/sammamis/1913intel.com/wp-content/plugins/live0.4.1/Thumbs.db b _ i r sammamis ftp 0 * c
Wed Jan 31 11:36:42 2007 0 216.215.65.2 6169 /home/.alastor/onjejank/justbaseballpodcast.com/feed/fb_jbfeed.xml b _ i r onjejank ftp 0 * c
Wed Jan 31 11:37:18 2007 0 68.126.189.248 1180 /home/.saffiare/espike/kevinhansen.com/pxc/project_template_v03.txt a _ i r espike ftp 0 * c
Wed Jan 31 11:38:07 2007 0 66.31.40.10 0 /home/.left/nrjw/Before.Sunrise.avi b _ o r nrjw ftp 0 * c
Wed Jan 31 11:48:12 2007 0 68.160.169.41 18805 /home/.tadpole/bostoneventguide/bostoneventguide.com/eguideimages/sc/1_07/2_1_1st_pic.jpg b _ i r bostoneventguide ftp 0 * c
Wed Jan 31 11:50:24 2007 0 68.160.169.41 16068 /home/.tadpole/bostoneventguide/bostoneventguide.com/begEmail/sc/soundcheck_2_1_07.htm a _ i r bostoneventguide ftp 0 * c
Wed Jan 31 11:56:33 2007 0 128.231.168.116 40121 /home/.gambler/sherkhan/sherkhan.dreamhost.com/ffarchive/caps/browse-search-hybrid-00.png b _ i r sherkhan ftp 0 * c
( Last edited by MaxPower; Jan 31, 2007 at 02:59 PM. Reason: typo)
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jan 31, 2007, 03:20 PM
 
Originally Posted by MaxPower:
SSH'd into my dreamhost account. I did 'ls /home | wc -l'

It returns 963


Snippet of output of 'ls -l /home':

Code:
lrwxrwxrwx 1 root staff   14 2005-10-05 16:33 xander -> .kalgan/xander
lrwxrwxrwx 1 root staff   14 2006-10-04 22:12 xenius -> .odelia/xenius
lrwxrwxrwx 1 root staff   13 2006-04-19 07:12 xixonia -> .nape/xixonia
lrwxrwxrwx 1 root staff   16 2005-10-05 16:33 xqdesign -> .odelia/xqdesign
lrwxrwxrwx 1 root staff   21 2007-01-22 05:39 yachtclub -> .ragmeister/yachtclub
drwxr-sr-x 3 root staff 4096 2007-01-22 05:39 yachtclub.wtf.30116
lrwxrwxrwx 1 root staff   15 2005-10-05 16:33 yeehaw -> .madeira/yeehaw
lrwxrwxrwx 1 root staff   22 2006-08-07 21:07 yiorgara -> /home/.balder/yiorgara
lrwxrwxrwx 1 root staff   25 2006-09-26 18:14 yogakendra -> /home/.tadpole/yogakendra
lrwxrwxrwx 1 root staff   18 2005-10-05 16:33 yourpeople -> .umpire/yourpeople

'tail /var/log/xferlog' returns

Code:
Wed Jan 31 11:30:29 2007 0 67.112.74.4 1277 /home/.madeira/sammamis/1913intel.com/wp-content/plugins/live0.4.1/menu.php a _ i r sammamis ftp 0 * c
Wed Jan 31 11:30:31 2007 3 67.112.74.4 5922 /home/.madeira/sammamis/1913intel.com/wp-content/plugins/live0.4.1/live.php a _ i r sammamis ftp 0 * c
Wed Jan 31 11:30:31 2007 2 67.112.74.4 10240 /home/.madeira/sammamis/1913intel.com/wp-content/plugins/live0.4.1/Thumbs.db b _ i r sammamis ftp 0 * c
Wed Jan 31 11:36:42 2007 0 216.215.65.2 6169 /home/.alastor/onjejank/justbaseballpodcast.com/feed/fb_jbfeed.xml b _ i r onjejank ftp 0 * c
Wed Jan 31 11:37:18 2007 0 68.126.189.248 1180 /home/.saffiare/espike/kevinhansen.com/pxc/project_template_v03.txt a _ i r espike ftp 0 * c
Wed Jan 31 11:38:07 2007 0 66.31.40.10 0 /home/.left/nrjw/Before.Sunrise.avi b _ o r nrjw ftp 0 * c
Wed Jan 31 11:48:12 2007 0 68.160.169.41 18805 /home/.tadpole/bostoneventguide/bostoneventguide.com/eguideimages/sc/1_07/2_1_1st_pic.jpg b _ i r bostoneventguide ftp 0 * c
Wed Jan 31 11:50:24 2007 0 68.160.169.41 16068 /home/.tadpole/bostoneventguide/bostoneventguide.com/begEmail/sc/soundcheck_2_1_07.htm a _ i r bostoneventguide ftp 0 * c
Wed Jan 31 11:56:33 2007 0 128.231.168.116 40121 /home/.gambler/sherkhan/sherkhan.dreamhost.com/ffarchive/caps/browse-search-hybrid-00.png b _ i r sherkhan ftp 0 * c

I was wondering how many accounts were on the server, but also whether these accounts are readable by you. Can you do a "ls /home/.kalgan/xander"? If so, you should be able to copy one of these files into your own home directory, and that would be very bad.

Also not cool that the logs are readable by you.
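The checks traded back and forth in this thread (home directories traversable by other users, a world-readable transfer log, and the df and load-average counts) collected into one read-only audit script. This is an added example, not code from the thread or from the hosting provider; it assumes only a POSIX shell with ls, df, awk and uptime, and defaults to the /home and /var/log/xferlog paths the thread names.

```shell
#!/bin/sh
# Added example (not the thread's or the host's code); defaults are the paths the thread names.

# "other" permission triple of a path; -L follows the symlinks that /home
# entries on the host discussed are (the link itself always reads lrwxrwxrwx).
other_bits() { ls -ldL "$1" | cut -c8-10; }

# 0 if other users may pass through DIR (o+x, or sticky plus x), else 1.
dir_traversable_by_others() {
    case "$(other_bits "$1")" in ??x|??t) return 0 ;; *) return 1 ;; esac
}

# 0 if other users may read FILE (the xfer.log complaint), else 1.
file_world_readable() {
    case "$(other_bits "$1")" in r??) return 0 ;; *) return 1 ;; esac
}

# Print "<traversable> <total>" for the non-hidden directories under BASE.
count_traversable_homes() {
    total=0; open=0
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        total=$((total + 1))
        dir_traversable_by_others "$d" && open=$((open + 1))
    done
    echo "$open $total"
}

# Mounted filesystems: -P keeps one line per mount; df's single header line
# is dropped rather than counted.
mount_count() { df -P | awk 'NR > 1' | wc -l | tr -d ' '; }

# Summary for the real paths; a missing log is skipped so this runs anywhere.
audit_report() {
    base=${1:-/home}; log=${2:-/var/log/xferlog}
    set -- $(count_traversable_homes "$base")
    echo "home dirs under $base traversable by others: $1 of $2"
    if [ -e "$log" ]; then
        file_world_readable "$log" && echo "$log is world-readable" \
                                   || echo "$log is not world-readable"
    fi
    echo "mounted filesystems: $(mount_count)"
    echo "load average: $(uptime | sed 's/.*load average[s]*: //')"
}

audit_report
```

A home directory that reports o+x lets any other account on the box resolve paths inside it, which is the condition the thread's first complaint describes; the fix on the admin side is mode 700 (or 710 with the web server's group) on each home.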
     
MaxPower
Dedicated MacNNer
Join Date: May 2001
Location: Ze goggles, zey do nothing
Status: Offline
Jan 31, 2007, 03:36 PM
 
I can CD into the home dirs, but no commands available to me work.
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jan 31, 2007, 04:37 PM
 
Originally Posted by MaxPower:
I can CD into the home dirs, but no commands available to me work.
What happens when you try an ls? Do you get no response at all, or an "operation not permitted" error?
     
registered_user
Dedicated MacNNer
Join Date: Nov 2001
Location: Are Eye
Status: Offline
Jan 31, 2007, 06:57 PM
 
I've been on the same server at DH for over a year.

Different accounts can't go snooping through other users' directories.

You might find fault with their hosting, that's ok. They're not perfect. But your guy there had a bad experience.

I've been through several hosts in the past, and here's what I truly believe: When you have a shared hosting plan, you're rolling the dice. It might be great, it might not. But whatever you get, there's someone else with the same host that has the opposite experience. That's just how it is. It depends a lot on which box you're installed on. They're shared, so some are better than others.

I have two bits of advice: Don't buy hosting from a reseller. Resellers get the same tech support as regular customers, and you're just making sure that your customer service will be inferior since it has to go through another step. If you have a problem, talk to the host. They'll generally try to help. DH, for example, will move your site to a different machine. No fuss. Your buddy would have been pleased. DH might have a problem they aren't aware of. If you tell them, they'll likely fix it.

Oh and one last thing: just because a web site with green text on a black background looks nerdy, it doesn't make it an authority on anything. Especially when they create a list of 4 items in which 3 are the same, and one is "other."
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jan 31, 2007, 07:48 PM
 
My post was not addressing the reliability/uptime of their service, but their security, the shortcuts they take to offer the service they do, and the negligence of their security model (or lack thereof).

I'm inclined to believe what this person has said, in part because I know him, but also because I believe that the hosting providers are caught up in the buzzwords and feature checklist/price game, and it is really damn hard to find an excellent sys admin.

Of course, there is no way to prove or disprove the data cited on this page since it was a snapshot from who knows when, but the advantage of going with a smaller hosting provider is that you often have a chance to talk to these people and find out how competent they really are, and because many of them go for the "Rolls Royce" approach to hosting meaning that they sacrifice having the cheapest prices and offering the most resources in favor of solid and personal service and attention.

Perhaps this can be said of all companies - it seems really hard to find large companies that provide an entirely satisfying customer experience.
     
brokenjago
Mac Elite
Join Date: Sep 2005
Location: Los Angeles, California
Status: Offline
Feb 1, 2007, 03:43 AM
 
I tried dreamhost once and I didn't like it at all. Looks like I made a good decision.

Been with Site5 ever since, although I'm not sure if they're any better as far as security goes.
Linkinus is king.
     
All contents of these forums © 1995-2017 MacNN. All rights reserved.