[HN Gopher] No support Linux hosting shutting down from hack
___________________________________________________________________
No support Linux hosting shutting down from hack
Author : ourmandave
Score : 329 points
Date : 2021-02-09 11:01 UTC (12 hours ago)
(HTM) web link (www.nosupportlinuxhosting.com)
(TXT) w3m dump (www.nosupportlinuxhosting.com)
| Reason077 wrote:
| This gives me a business idea. nosecuritylinuxhosting.com,
| anyone?
| rkalla wrote:
| LOL!
| zingplex wrote:
| With shared hosting still being a thing, I think that's a
| pretty saturated market.
| tyingq wrote:
| Looks like it was old school shared web hosting with things like
| WHMCS, Cpanel, Softaculous, Wordpress one-click installers, in-
| house written web admin, etc. Where each user was running in the
| same instance of Linux. Not, for example, a VM per user. That
| kind of setup has a really wide attack surface. Not surprising it
| was hacked. That kind of setup with deliberately narrow support
| was bound to get hit.
|
| Edit: Apparently their "sister company" sells virtual private
| servers, and appears to still be alive.
| http://nosupportvpshosting.com/index.php
| 0df8dkdf wrote:
| Yeah but it would be perfect for sysadmin who just want to host
| python, node type of server. Too bad they are shutting down.
| eznzt wrote:
| Most shared hostings work like that, they do not have a VM per
| user, and the professional ones don't get hacked often.
| dabockster wrote:
| Sounds like a Docker problem. Have the isolation without the
| VM overhead and associated network topology.
| _joel wrote:
| I used to manage a fleet of cPanel servers years back, they
| were a pain to manage as users would regularly get infected
| on their local machines and have HTML infected with malicious
| javascript. We used a bunch of tools like clamav/configserver
| etc to keep on top of it but it was definitely whack-a-mole.
| Even with inotify style job triggers to check the newly
| uploaded content.
| commandlinefan wrote:
| I set up a virtual guestbook for my daughter's birthday
| party last year on a cPanel-based hosting system. Couldn't
| for the life of me figure out why the damned thing wasn't
| working until I discovered that the admin had gone ahead
| and disabled my link "guestbook.cgi" since it was a common
| cPanel attack point. Apparently cPanel comes with a
| hackable default guest book of its own.
| tyingq wrote:
| I assume because they have more margin to keep up. If you
| work a system like this with $1/user minus the 30 cent Cpanel
| license, you have little to spend on security.
|
| The "no vm per user" means any privilege escalation bug lets
| a hacker wipe it all. And your unsupported customers are
| probably running all sorts of vulnerable stuff.
| kenniskrag wrote:
| How do they secure php? The php process can access nearly
| anything. Also they may have remote code execution vuln:
| https://www.trendmicro.com/vinfo/us/security/news/vulnerabil...
| enkrs wrote:
| They use php-fpm pools where each website gets its own
| uid:gid and the php process runs as that user. Then
| standard linux file permissions so you can only access your
| own uid files. To access web assets from nginx/apache, they
| add file permissions with standard Linux ACLs.
|
| Although not fancy, the security model is actually quite
| mature. Security problems in these servers come from
| misconfigured permissions and scripts, not the security
| stack.
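
An added example, not part of the thread: a small audit of php-fpm pool definitions for the misconfigurations that undermine the per-site uid model described in the comment above (pools sharing a uid, pools running as root, and listeners any local user can connect to). The pool names, accounts and socket paths are constructed sample data, and the script assumes php-fpm's documented default of 0660 for `listen.mode`.

```python
import re
from collections import defaultdict

# Constructed sample in php-fpm's INI syntax (not taken from any real host).
SAMPLE_POOLS = """\
[global]
error_log = /var/log/php-fpm.log

[alice_site]
user = alice
group = alice
listen = /run/php-fpm/alice.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660

[bob_blog]
user = bob
group = bob
listen = /run/php-fpm/bob.sock
listen.mode = 0666

[bob_shop]
; second site reusing bob's account
user = bob
group = bob
listen = /run/php-fpm/shop.sock

[legacy]
user = root
listen = 127.0.0.1:9000
"""


def parse_pools(text):
    """Return {pool_name: {directive: value}} for every section except [global]."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or php-fpm comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            name = header.group(1)
            current = None if name == "global" else pools.setdefault(name, {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return pools


def audit(pools):
    """Return a list of (pool, code, detail) findings."""
    findings = []
    by_user = defaultdict(list)
    for name, cfg in pools.items():
        user = cfg.get("user")
        if user is None:
            findings.append((name, "no-user", "pool has no user directive"))
        elif user in ("root", "0"):
            findings.append((name, "root-user", "PHP code in this pool runs as root"))
        else:
            by_user[user].append(name)

        listen = cfg.get("listen", "")
        if listen.startswith("/"):
            # Unix socket: connecting needs write permission on the socket file.
            mode = int(cfg.get("listen.mode", "0660"), 8)
            if mode & 0o002:
                findings.append((name, "open-socket",
                                 f"listen.mode {mode:04o} lets any local user connect"))
        elif listen:
            # TCP listener: file modes cannot restrict which local user connects.
            findings.append((name, "tcp-listen",
                             f"{listen} is reachable by every local account"))

    for user, names in by_user.items():
        if len(names) > 1:
            for name in names:
                findings.append((name, "shared-user",
                                 f"uid '{user}' is shared by {', '.join(names)}"))
    return findings


if __name__ == "__main__":
    for pool, code, detail in audit(parse_pools(SAMPLE_POOLS)):
        print(f"{pool:12} {code:12} {detail}")
```
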
| archi42 wrote:
| With the recent problem in sudo, I suspect this to be a
| likely cause. The typical shared hosting stack uses that
| somewhere, so servers will have it installed. A fast,
| malicious user (and a slow update process) is enough to
| get root on one machine and penetrate the rest of the net
| from there (can still be avoided, but requires some
| effort).
|
| Just a guess, of course.
| arp242 wrote:
| Supporting shared hosting well is probably a large reason
| for PHP's success.
| nkozyra wrote:
| Sure, but there's nothing inherent to the language that
| fueled that. They could have done that with Python, for
| example.
|
| Rather, it was popular software like bulletin boards and
| blogging platforms that built the demand. PHP used to
| have one of the lowest barriers to entry because you
| could get by with plain HTML and incrementally add
| business logic inline.
| icedchai wrote:
| Deployment?
|
| PHP made "deployment" very simple. On the other hand,
| Python is complicated to deploy even today.
| sneak wrote:
| Python webserver support doesn't support SSI-style open
| and closing code tags in HTML files to be executed per-
| request, last I checked.
|
| Is there anything like php or bml (bradfitz's equivalent
| for perl) for python, so that you can put code right in
| your html to be replaced at serving time with the code's
| output?
| shoeffner wrote:
| https://docs.python.org/3/library/cgi.html All your
| prints are essentially sent as response with CGI, but I
| think for Python WSGI is the standard you should use, and
| you can e.g. use jinja to render HTML with templates
| where you can use variables, certain functions, etc. Is
| that what you are looking for?
| tyingq wrote:
| PSP (python server pages) is pretty close to that. I
| don't think it is terribly popular. There's also Spyce.
| arp242 wrote:
| Not really; PHP had many features to make this easier;
| for example "safe_mode" and "open_basedir". These are not
| easily replicated in a stock Python by just "flicking a
| switch", even today (although the need for that today is
| a lot less than it was in 2000, and PHP even removed
| safe_mode). Not that these measures were perfect, but
| they were mostly "good enough".
|
| There was a reason that in ~2000-2005 you could find PHP
| shared hosts for $1/$2 month, and that Python/Perl/etc.
| shared hosts were much harder to find and more expensive.
| People started using PHP bulletin boards and blogging
| platforms because at the time it was easier and cheaper
| to run, but that's an effect and not a cause.
| 40four wrote:
| I've always found that very interesting about PHP. It can
| do both, be a standalone scripting language, and a
| templating engine.
|
| Not that I would ever recommend using as a templating
| language in 2021 :) but it's cool that it _can_ do that
| without any external library.
| ljm wrote:
| It's so cool that even though it's already a templating
| language, it's a templating language that hosts other
| templating languages too (Smarty, Twig).
| rob74 wrote:
| Sure, you could even argue that PHP was a success
| _despite_ the PHP language (which was, in the beginning,
| only a cobbled-together templating language, and then, to
| Rasmus Lerdorf's dismay, people started to implement
| their backend logic in the templating language), and
| Python _could_ have done it, but, well, they didn't...
| withinboredom wrote:
| now, you can even write actors in PHP:
| https://github.com/dapr/php-sdk#actors
| giantrobot wrote:
| > Sure, but there's nothing inherent to the language that
| fueled that. They could have done that with Python, for
| example.
|
| Not quite true. With shared hosting it was (is?) uncommon
| for a user directory to have ExecCGI enabled. If you
| wanted scripts to run they had to live in the cgi-bin
| directory. Additionally mod_rewrite could be expensive on
| low powered servers. This all meant doing anything
| dynamic meant "ugly" URLs and meta tag forwards if you
| were on such a shared host. It was also non-trivial
| amounts of effort to get some random CGI script working
| since you needed to know enough to get the shebang path
| correct for the server and set the right permissions.
|
| Contrast this to PHP where you dropped a .php file into
| your user directory and you've got some dynamic content.
| Platforms built on PHP _became_ popular because you could
| upload them to your user folder and they just sort of
| worked. There were no special executable paths, no
| shebangs, and no execute permissions to set.
|
| Perl was huge in the CGI space for a long time but the
| (consumer) content platforms built on it weren't nearly
| as successful because of the difficulty of mere mortals
| getting them running on their shared hosting plans.
| _joel wrote:
| Unix permissions and suexec I seem to recall, with other
| mitigations (chroot I think, but it's been a while since
| used it)
| bredren wrote:
| When I saw that customers needed to access cpanel and download
| their backups, I was wondering how this could be described as a
| place for experts.
| whitepaint wrote:
| If each of those services were running on different docker
| instances it wouldn't have happened (potentially)?
| eptcyka wrote:
| Docker containers are not security boundaries, unless ran on
| top of firecracker or gVisor.
| kenniskrag wrote:
| why not? I would argue, that they use linux namespacing,
| cgroup etc.
| CodesInChaos wrote:
| In theory it is a security boundary. But the attack
| surface is so big, and local privilege escalation bugs so
| common, that you should not rely on it to isolate
| different untrusted users.
| sneak wrote:
| You can say the same about VMs, to some extent.
|
| Containers absolutely _are_ intended to be a security
| boundary.
| beermonster wrote:
| No they are not
|
| https://info.aquasec.com/container-security-book
| cookiecaper wrote:
| Containers are _not_ intended to be a security boundary
| -- functionality along those lines has been gradually
| backported as maintainers realized that nobody was going
| to care when they said "don't use these as a security
| boundary".
|
| There's a world of difference between the amalgamation of
| hacks that comprise cgroups and something like BSD jails,
| which _are_ and afaik _always have been_ intended to be a
| security boundary, which implements real first-class
| kernel isolation for jailed processes, not just another
| subtree under proc that provides some direction to the
| kernel around resource consumption/priority and relies
| on UID/GID hacks to control access.
| CodesInChaos wrote:
| I agree that both are security boundaries in theory. But
| a minimal hypervisor is _much_ stronger than a cgroup
| container. Cgroup containers are a thin door made of
| wood, VMs a vault door made of steel. So people saying
| "containers are no security boundary" are exaggerating a
| bit, but not much.
|
| A minimal VM, like firecracker has a small attack
| surface, so I'm willing to trust that privilege
| escalation/VM escapes will be rare.
|
| A process restricted by cgroup/namespace/etc. still has
| access to the huge API surface exposed by the kernel, so
| privilege escalation is common, and I'm unwilling to
| trust this mechanism to isolate malicious code.
| sneak wrote:
| I agree that they're not very good ones, but a container
| escape would be treated by everyone the same way a VM
| escape would be: instant patching, coordinated/embargoed
| disclosure, AWS finding out before you do, etc.
|
| They didn't start out at the design phase that way, but
| they absolutely are today.
| jedberg wrote:
| They most certainly are not. That's a common misbelief.
| Containers are not designed as a security boundary, they
| just happen to function as one most of the time.
|
| VMs on the other hand actually are designed as a security
| boundary, but even then there are still attacks you can
| do against other VMs on the same box.
| tyingq wrote:
| I agree that containers are something of a security
| boundary, as is chroot(). Just not as robust a boundary
| as an actual VM.
| imtringued wrote:
| It's not good enough for multi tenant setups. A single
| malicious customer can potentially steal data from other
| customers. The docker team also considers security to be
| a pretty low priority.
| jamiesonbecker wrote:
| To say nothing of sidechannel attacks[0]
|
| People need to stop looking at containers as a cheap way
| to get security. They might be a more convenient way to
| get lots of apps running on a single machine, but they're
| not very secure.
|
| https://ieeexplore.ieee.org/document/7847002
| CodesInChaos wrote:
| 1. I expect people to move towards a VM per pod model,
| even in private setups. Firecracker claims a memory
| overhead of 5 MB, and a minimal QEMU setup shouldn't be
| too bad either.
|
| 2. It sounds like this paper is mainly about covert
| channels not side channels. Covert channels assume
| cooperation between both sides, so they're only relevant
| if one of the sides can't communicate trivially (e.g. via
| network)
| jamiesonbecker wrote:
| > vm per pod .. firecracker
|
| agreed. AWS gets a lot of flak, but open sourcing
| firecracker was really great. I'd really prefer to see us
| move toward vms instead of containers, even if we kept
| the same k8s abstractions.
|
| > .. covert ..
|
| thanks for the catch, should have taken more time. Here's
| a better paper:
|
| https://hal.inria.fr/hal-01591808/document
| CodesInChaos wrote:
| > I'd really prefer to see us move toward vms instead of
| containers, even if we kept the same k8s abstractions
|
| 1. For me containers are one of those abstractions,
| defined by exposing an application controlled userspace.
| Containers can be implemented by different isolation
| technologies, from simple chroot/cgroup/namespaces... to
| VMs.
|
| 2. I'd still use chroot&co to partially isolate
| containers within a pod, while using VMs to strongly
| isolate pods from each other. This enables features like
| shared block-devices, unix-domain-sockets and monitoring
| the processes in an application container from a separate
| diagnostics container.
| Spivak wrote:
| I think it's easier to say that namespacing is nearly
| orthogonal to security. Native containers (i.e.
| containers not running in a VM) are literally just
| processes running on the host and need to be secured with
| the same methods you would use on non-namespaced
| processes. Namespacing _does_ add another layer when used
| properly but it doesn't replace any of the existing
| ones.
| kazen44 wrote:
| in the olden days, VPS providers worth their salt ran freebsd
| and had each tenant inside a jail.
|
| This was back in the early 2000's, and still seems to work
| rather well for the basic webhosting.
| generalizations wrote:
| Why not use a 'proper' VM system like xen?
| alnorth wrote:
| Xen only hit v1 in 2004 and was relatively niche.
| tyingq wrote:
| Lower overhead, both from a system and an administrator
| perspective.
| hmsimha wrote:
| CVEs for breaking out of a docker container come along as
| well [1]. Usually you need root in the docker container, but
| if you combine it with an escalation from non-root to root..
| well, you can see how that's less secure than a VM
|
| [1] https://unit42.paloaltonetworks.com/breaking-docker-via-runc...
| faeyanpiraat wrote:
| http??
| tyingq wrote:
| Yeah. There is an https endpoint, but the page renders wrong
| for me, so I linked the http one. I didn't look to see if the
| client login/registration sends plaintext over http.
|
| Edit: It does login over http, plaintext passwords over the
| wire. Heh.
| TedDoesntTalk wrote:
| It is also possible they wanted to shut down this service
| and pretending a hacker caused damage is an easy way out.
| perryizgr8 wrote:
| Why would they shut down though?? Worst case they can wipe the
| servers and start afresh.
| TruthWillHurt wrote:
| Probably person who built the platform left long ago and
| they've been running on autopilot since.
| tyingq wrote:
| Perhaps it didn't make much money prior to the hack. And you
| would have to operate at a loss until enough new customers came
| in. With probably lots of bad reviews from the prior customers.
|
| My guess is that if it was worth starting fresh, they did so
| with a new brand that makes no mention of the old service.
| dspillett wrote:
| _> Perhaps it didn't make much money prior to the hack._
|
| There were significant changes to cPanel licensing not long
| ago which caused some consternation as it would result in
| some hosts needing to pay more. IIRC it moved from a per-
| server model to per-user, with a block of users included in
| the minimal fee so for small hosts the change had no effect,
| but for a host like this with many small accounts the extra
| cost there would make already small margins even more
| tenuous.
|
| Presumably the little profit still made was better than
| nothing if the maintenance needed was minimal, but not (for
| this reason and/or others) large enough to be worth the
| rebuilding effort after this attack.
| tyingq wrote:
| _"There were significant changes to cPanel licensing not
| long ago which caused some consternation as it would result
| in some hosts needing to pay more."_
|
| That's interesting. And it would have hit those providers
| that were grossly oversubscribing the hardest. Guessing
| this service was in that bucket.
| gvb wrote:
| It isn't worth the effort. Looking at their machine (CPU)
| specs, their equipment is pretty old. They likely have been
| running on autopilot for a few years.
|
| Rebuilding their clientele after an unmitigated disaster like
| this would probably take so much time that they would never get
| back in the black, especially since they are trying to do it on
| $12/year per customer. That requires a LOT of customers and
| they will have lost most of their existing ones before they
| would be able to rebuild.
|
| Add on that they probably have outdated software, probably a
| lot of it custom/customized, that have unknown security
| holes...
| mythrwy wrote:
| With services like Wix now you have even less potential
| customers.
|
| They probably have been slowly losing customers for years.
| dspillett wrote:
| And from the other side of their potential audience, the
| cheap VPS setups that are readily available these days will
| probably have been eating away users too.
|
| Heck, for $5/mo and a setup fee you can sometimes get a
| small dedicated server (only an Atom CPU, but 500Gb storage
| and half decent bandwidth) from Kimsufi and their ilk.
| darkwater wrote:
| > Add on that they probably have outdated software, probably
| a lot of it custom/customized, that have unknown security
| holes...
|
| Then advertising themselves as a hosting site for experienced
| people makes all this mess quite poetic.
| stone-monkey wrote:
| Really surprised to see this on hacker news, I would've thought
| it too piddly to warrant a thread here. Anyway, long time
| customer and was generally satisfied with the service. I just
| used it for my low maintenance low traffic wp blog. Got an email
| yesterday from them with the same message.
|
| Think I still had like 6 bucks in my account with them, but
| frankly, who gives a shit. The cheapness of the service was baked
| in such that eating a couple of bucks doesn't really matter. We
| had a good run of 4-5 years. Sad to see them go though.
| gogopuppygogo wrote:
| Long time customer as well and found out about this here on HN.
| I had $4 or $5 left as well but I guess it's gone. My site is
| still up for the moment so if I care to save it I'll move it.
|
| Might just be the end of the road for that site as I'm not
| about to spend more than $12/year to keep it going.
| jopsen wrote:
| I used wget to render my old MediaWiki setup into a static
| site, and then threw it on vercel.
|
| If you don't want to maintain a legacy app liable to be
| compromised, going static using wget + a few scripts is a
| lovely trick.
|
| No maintenance, no pain, and free hosting :)
|
| I personally doubt static websites will go out of fashion
| anytime soon.
| EricE wrote:
| Jekyll and Gatsby are pretty amazing. Got involved in a
| project at work that uses Gatsby underneath and once you
| get used to all the node.js/dependency BS it's actually
| fun.
| holstvoogd wrote:
| No Support hosting? So AWS basically? /s
|
| (For context, unless you pay 20% extra for AWS support, you
| basically get no support. There is a public forum for those that
| like to scream into the void.)
| blackoil wrote:
| I trust AWS over others primarily because of support. Over last
| three years we must have opened about a dozen support tickets,
| 100% of them were resolved to satisfaction.
| happymellon wrote:
| First line can be terrible, and I've had situations where I
| have tickets stuck in first line because someone in a
| timezone 12 hours different picked it up.
|
| They then are resolved several times without an actual
| resolution. The last time it happened I only found out in the
| end it was fixed was because I managed to speak to a member
| of the technical team for a different reason and enquired.
|
| It was the API Gateway dropping headers that contained
| underscores that happened for about 6 months last year if it
| impacted anyone else.
|
| In relative terms though, they are far and away better than
| the alternatives. At least I can get to speak to people quite
| easily, and I was able to even speak to folks on the team
| working on API Gateway and they even got my ticket.
| withinboredom wrote:
| I didn't even know it was possible to put underscores in
| headers. I would think many proxy servers would drop them.
| random5634 wrote:
| What a lie - flat out false.
|
| If you pay 29 or 100 per month you get very good support - it
| HAS to be a loss leader.
|
| If you need it you can pay more and get more
| gtsteve wrote:
| You need to buy support on a per-account basis and if you're
| doing something complex enough with AWS you'll end up with
| multiple accounts for each environment and for security
| segmentation etc.
|
| They'll give you general information from your account with
| the support plan but can't investigate any resources or logs
| without you owning a support plan on the other account and
| opening a ticket there.
|
| Also, many companies will have this set up on each account
| and hardly use it. I don't think it's a loss leader.
| whoknew1122 wrote:
| Work in AWS Premium Support. Given the sheer volume of
| accounts with support plans, I'm confident it doesn't lose
| money in aggregate. Premium Support isn't where you'll find
| AWS's giant money printer, but it's not losing money.
|
| That being said, I've definitely had cases where the
| engineering time to solve a case was worth more than that
| specific account was paying for support (at least for that
| month).
| dkyc wrote:
| Your numbers are wrong, you can get 'developer support' for
| $29/mo or 3% of AWS cost (whichever is higher), and 'business
| support' at $100/mo or 10% of AWS cost. In my experience, the
| support reps are qualified engineers that take your issues
| seriously, and it's something that we gladly pay for
| (particularly since it's opt-in, and you can change your mind
| at any time).
|
| Source: https://aws.amazon.com/de/premiumsupport/pricing/
| dubcanada wrote:
| Ya I am also not sure what OP is talking about, I've got
| nothing but great support from Amazon.
| Dylan16807 wrote:
| For free? Because even if they got the numbers wrong they
| were talking about the default level of support.
| tzs wrote:
| AWS without paying extra for support can still be fine for a
| lot of people. Where I work we use AWS, but not many AWS
| services other than basic virtual machines.
|
| As far as what we run on the machines goes (OS, applications)
| we are fine dealing with that ourselves. It's what we did back
| when our machines were machines we owned at a colocation
| facility, and it's not much different when it's on a VM at
| Amazon.
|
| When something goes wrong that affects us and requires AWS
| intervention, 99.9% of the time it is something that is going
| wrong for many other people too, some of those will have paid
| support and bring it to Amazon's attention if it isn't
| something Amazon notices on their own, and when Amazon fixes it
| that fix will fix it for all of us.
|
| I can only recall one time it didn't work that way. I was
| trying to track down a problem with our applications that
| involved something whose processing involved steps on three
| different systems. I needed to rely on the logs from those
| three systems to figure out the order things had happened in,
| and it was making no sense. I checked the clocks, and found
| that the three systems had wildly different notions of time.
|
| It turned out that the clocks on some of our instances were
| ticking at the wrong rate. They were ticking at steady rates,
| and normally the time code in Linux systems can figure out how
| far off the rate is and apply a correction, but some of the AWS
| instances had rates that were something like an order of
| magnitude more than the Linux code can deal with.
|
| We found some other people talking about this in the forums,
| but it apparently wasn't hitting anyone with paid support.
| Someone finally bought some paid support and reported it, and
| it got fixed. (It turned out that it had only affected one
| fairly small instance type, and only an older version of it
| that you were supposed to migrate away from over the next few
| months, which made it so that only a very small fraction of VMs
| were affected).
| Sebb767 wrote:
| Given that they shut down suddenly and you could not reach a
| human, it sounds more like Google Cloud ;)
| WrtCdEvrydy wrote:
| Here's a pretty dashboard that we use as marketing.
|
| When there's a thermonuclear strike, we'll mark down the
| services we think are dead as yellow.
| martin_a wrote:
| I don't think it can turn yellow because the servers
| responsible for turning it to yellow were fried. It will
| just stay on green.
| aljarry wrote:
| Not one of those big cloud offerings is human-friendly, until
| you pay $$$$$ and get proper account manager ;)
| markbnj wrote:
| > Given that they shut down suddenly and you could not reach
| a human, it sounds more like Google Cloud ;)
|
| On Google Cloud for over four years, with three kubernetes
| clusters and a few dozen VMs across three projects... and
| this thing you describe has never happened. Have you had a
| different experience with them?
| dlvktrsh wrote:
| https://gcemetery.co/
| Sebb767 wrote:
| This was a joke based on Google's tendency to suddenly shut
| down popular products ;) I had no negative experience with
| its Cloud so far.
| aspyct wrote:
| I don't pay anything for support at AWS, and I had <24h
| response every time I needed them, despite having a
| ridiculously low monthly invoice.
|
| That is in stark contrast to other providers to which I give a
| lot more money, and who can't be bothered to answer in a
| week... And when they do actually answer, it takes another full
| week to finally have a solution.
| amarant wrote:
| Dang, I never knew something like this existed! And now it
| doesn't..
|
| Anyone know of any similar services one might procure?
|
| Asking for a friend...
| dspillett wrote:
| There are many cheap shared hosts, though perhaps not that
| cheap if you want cPanel given their recent licensing change to
| per-account from per-server.
|
| If you are fine doing your own setup and have low resource
| needs, you can get a 1$/month VM from a number of places.
| Cheaper if your resource needs are _really_ low, or you don't
| need a dedicated IPv4 address.
|
| There are even search engines collating them,
| https://www.serverhunter.com/ for instance. Just do a little
| background research before picking the cheapest, if you care
| anything for what you host.
| thesuitonym wrote:
| You might be interested in the tildeverse[0] or sdf [1]. Both
| options offer basic Linux hosting and shell access on a shared
| machine, though they're more of a social network based on old
| Unix services than a real website host. Well, SDF is robust
| enough to use as a real host.
|
| [0] https://tildeverse.org/ [1] https://sdf.org/
| akx wrote:
| You can get a VPS from Hetzner starting at 3 EUR/mo, or one
| from Digital Ocean at $5/mo. I know it's 3 to 5 times more
| expensive than this, but...
| wccrawford wrote:
| I've been using Nearly Free Speech, and someone else here
| recommended it, too. I don't use it for anything important, but
| it's been pretty reliable.
| massysett wrote:
| NearlyFreeSpeech.net. It's probably not as cheap as this was
| but is close. I used to have a personal static website there.
| These days I use it only for my domain. It's been years and
| I've never had a problem with them. They have extensive support
| webpages and a custom-rolled web interface for management and
| they seem to know what they're doing.
| tyingq wrote:
| Another cheap Cpanel provider that's ~$1/month:
| https://hobohost.com/
|
| If you're okay without Cpanel, there's a bunch of providers
| advertising dirt cheap VPS instances on https://lowendbox.com.
|
| As this thread indicates, though, you get what you pay for.
| ollybee wrote:
| I never understood why their no support hosting seemed radical,
| but unmanaged VPS's became an industry standard.
| jart wrote:
| They were almost certainly impacted by the recent sudo bug,
| considering how they offered cPanel hosting:
| https://archive.is/PCZ99 I've been trying to make contact with
| virtual hosting providers over the last few weeks to bring the
| weakness to their attention, but I've been ignored. cPanel hasn't
| even issued an update. It's heartbreaking watching websites get
| destroyed by the bad guys.
| ollybee wrote:
| You have my attention, what is this recent sudo bug?
| samizdis wrote:
| I think it's this one, which came to light last month:
|
| https://www.linux-magazine.com/Online/News/Decade-Old-Sudo-F...
|
| Edited to add: Here's another article about it (you should be
| able to find quite a few more, too):
|
| https://www.theregister.com/2021/01/26/qualys_sudo_bug/
| float4 wrote:
| https://news.ycombinator.com/item?id=25919235
|
| As a tip for the future, in case you're interested: you can
| use hn.algolia.com, search "sudo", time window something like
| "past month", and you'd have found it.
| vntok wrote:
| It is much more efficient and future-proof to have someone
| put the exact link as a reply, that way people coming to
| the thread afterwards can simply click on.
| float4 wrote:
| I gave the full link, and _additionally_ gave a tip _for
| those who were interested_.
|
| hn.algolia.com is a great resource and I'm certain not
| everybody here knows about it.
| edoceo wrote:
| I appreciate when you give me the fish, and also show me
| how to fish (or even remind me where the fish are).
| jart wrote:
| Thanks for teaching these men to fish. I thought I was
| going to need to do all the explaining.
| xwdv wrote:
| Not every man _needs_ to fish, we live in a society with
| specialization. Some people can do the fishing and some
| can do other things.
| TedDoesntTalk wrote:
| How do you know they are men?
| rement wrote:
| duckduckgo has a !bang for hacker news `sudo !hn` redirects
| to hn.algolia.com with the thread at the top of the list
| float4 wrote:
| Oh cool, didn't know that!
| passthejoe wrote:
| https://www.beyondtrust.com/blog/entry/understanding-sudo-vu...
| tyingq wrote:
| Discussed here: https://news.ycombinator.com/item?id=25919235
|
| Though they would have had to also get into the admin server
| running (probably) WHMCS.
|
| The sudo bug would let a hacker take over a server where the
| customer code ran, but not the main admin server. They would
| have needed some other weakness to get that. Perhaps aided by
| owning one of the customer servers.
| cestith wrote:
| The sudo package is provided by CentOS and should update fine
| with yum update. CentOS patched that in late January.
|     * Wed Jan 20 2021 Radovan Sroka <rsroka@redhat.com> - 1.8.23-10.1
|     - RHEL 7.9.Z ERRATUM
|     - CVE-2021-3156
|     Resolves: rhbz#1917729
| DangerousPie wrote:
| Is this legal? Don't they have to notify authorities about
| getting personal data hacked? And don't they have contracts in
| place with customers that they can't simply abandon? Just because
| you're cheap and don't offer support doesn't mean you don't have
| to follow the law.
| stone-monkey wrote:
| Long time user of the site, don't think they stored any of my
| personal details - I just paid via paypal. Don't think you
| could pay directly using any other payment method.
| tyingq wrote:
| I imagine it's one of those things where enforcement is
| difficult. Who would you call that would do anything about it?
| Quanttek wrote:
| Similar hosting solution but with support:
| https://uberspace.de/en/
| Waterluvian wrote:
| Feels like there's something very serious they aren't telling
| their customers.
|
| Do hackers have a copy of all customer data?
| michaelmior wrote:
| Probably given that they say the hackers compromised the
| servers hosting their customer database. The notice is
| seriously lacking in details though.
| prepend wrote:
| Well they market as no support so this notice is more than
| they promised. I kind of expected just a dead site and the
| autocharges to stop n
| ajitgoel wrote:
| What would be a good "no support hosting" alternative be for this
| provider?
| circa wrote:
| damn this is so sad
| thesuitonym wrote:
| This is a good reminder of why DevOps is not necessarily a
| replacement for a security-minded systems administrator.
| johnlogic wrote:
| It looks like the message about shutting down was left by the
| hacker. I can't tell if NSLH is shutting down, though the breach
| doesn't instil confidence.
|
| Whether NSLH is shutting down or not, it's a good time to make
| backup copies.
| joeberon wrote:
| I imagine support@nosupportlinuxhosting.com is routed to
| /dev/null?
| zomg wrote:
| i thought the same thing! how ironic that there's a "support"
| email for "no support" linux hosting???
| yazboo wrote:
| I have (had, I guess) a Wordpress site on here. They sent an
| email about the hack but somebody had already changed my password
| and recovery email in cPanel. They haven't changed the Wordpress
| admin credentials though, so I'm exporting what I can.
| passthejoe wrote:
| I didn't realize cPanel was such an attack surface.
| majewsky wrote:
| It's a web interface that gives you full admin access to a
| website. That's exactly where I would look for
| vulnerabilities if I were an attacker.
|
| I know I'm going to get flak for victim blaming, but not
| putting something like cPanel behind a VPN or SSH reverse
| proxy is on the same level as not wearing a seatbelt. At this
| point we should all know better, and those who don't will
| have to suffer the consequences.
| x86_64Ubuntu wrote:
| If my users have to access the cPanel from wherever they
| may be, how does a VPN or SSH reverse proxy help? Not
| trolling, I'm genuinely ignorant of top level security
| practices.
| EricE wrote:
| Because instead of exploiting cpanel directly from any
| random IP on the Internet globally, attackers first have
| to compromise your VPN connection.
|
| It's a pretty significant barrier and dramatically
| reduces the amount of attack surfaces out there.
|
| Mobile/Desktop OS's have come a LONG way in VPN support,
| so requiring VPN access for critical access (and
| administrative access should always be considered
| critical!) is not near the barrier of entry it used to
| be. Heck anyone can set a VPN server up on a raspberry pi
| in minutes that can handle hundreds of megabits of
| traffic - piVPN with Wireguard is drop dead simple to
| configure and deploy (WAY easier than the mess that is
| OpenVPN); the amount of friction to implement a VPN these
| days is just about negligible. It's a harder problem for
| service providers like this one that have thousands of
| customers - but they certainly had some sort of user
| account management/provisioning system; it's way past time
| to expect those to be able to handle security certificate
| management too.
|
| It's far less effort than cleaning up messes like the one
| being profiled here! And if you have sensitive data? Once
| your system is compromised it's no longer sensitive. It's
| now public knowledge :p
| EricE wrote:
| >not putting something like cPanel behind a VPN or SSH
| reverse proxy is on the same level as not wearing a
| seatbelt
|
| Exactly. It's astonishing at the amount of crap that has
| absolutely no business being directly connected to the
| Internet but shouldn't be.
|
| Convenience or security - it's either/or not a yes/yes.
| mythrwy wrote:
| Wow that's too bad!
|
| NSH was my go to for years for quick unimportant sites. Like a
| decade ago. They actually were very helpful the once or twice I
| contacted them (trying to get bigger instances). And $1 a month!
| dspillett wrote:
| If your needs can live in 1/2GB RAM and a few GB of space, it
| is fairly easy to find $1/month VMs. Cheaper if you don't mind
| paying annually and/or can cope with 1/4GB RAM or other lower
| specs.
|
| Fine for simple static hosting, or a bit of low concurrency
| more-dynamic server-side stuff, or running simple services like
| DNS.
| [deleted]
| generalizations wrote:
| I looked once, but couldn't actually find VMs available for
| $1/month. Where did you find such things?
| dspillett wrote:
| https://www.serverhunter.com/ lists a few, and many for not
| a lot more, if your resource needs are low enough. Cheapest
| currently listed is $9.5/yr if you need an IPv4 address.
| You'll also see them offered in places like lowendbox /
| lowendtalk / webhostingtalk / similar.
| mshook wrote:
| That's literally the definition of "no support"...
|
| Aka you're on your own...
| mkl95 wrote:
| This is apparently not the first time they have had this kind of
| incident. They were hacked in 2011 as well, which prompted them
| to delete all customer sites:
| https://www.webhostingtalk.com/showthread.php?t=1089317
| BlueTemplar wrote:
| Detailed answer at the end of the 2nd page of that thread.
| sodimel wrote:
| Here's the direct link to the message: https://www.webhosting
| talk.com/showthread.php?t=1089317&page...
| mattmanser wrote:
| _A more accurate title for this thread might be "jbulluck
| wishes he had taken backups of his website."_
|
| Classic response :)
| thitcanh wrote:
| What the.
|
| How dare they simply delete everyone's content? That's on
| another level of stupidity and/or evil.
| pimlottc wrote:
| The title should be fixed to capitalize the company name "No
| Support Linux Hosting"; as it's currently written, it's not clear
| that it's a proper name.
| 1_player wrote:
| What an irresponsible business model.
|
| It's not the "no support" part that concerns me, it's that they've
| pocketed the customers' money until there was a major problem,
| then just shut down, customers be damned.
|
| Sounds like someone placed a server in their basement, added
| cPanel and a PayPal link and totally ignored whatever happened to
| that server.
|
| I guess you get what you pay for.
| woofie11 wrote:
| And as a high school student back in the day, I really would
| have appreciated the ability to pay for something like this!
|
| Really, not everything on the web needs to be mission-critical.
| fogihujy wrote:
| Yeah, the idea is sound (assuming it was properly marketed),
| but simply shutting everything down because of an issue like
| that does sound excessive. At the very minimum, they should
| have a basic backup that is enough to get the servers running
| again even if the customers' data got wiped.
| lub wrote:
| Sounds like the customers' data itself is still available?
|
| > All customers should immediately download backups of
| their websites and databases through cPanel.
| darkwater wrote:
| I noted that too and it's really weird. So, they do not
| have backup of their part of the data (or they don't
| want/are not able to restore it) but they still have the
| customers data?
| numpad0 wrote:
| Maybe they're compromised but data _seems_ intact, as in
| it'll be irresponsible to keep serving on the Internet
| but most of it are _probably_ not maliciously altered?
| fogihujy wrote:
| Yeah, it's pretty common for hackers to upload backdoors
| to random web sites when they can and exploit them at a
| later date. If we're talking about a full server
| compromise then I wouldn't use those downloaded data for
| anything except for analysis/archival purposes, unless
| it's been thoroughly cleaned first.
| sbarre wrote:
| Perhaps things were running in maintenance mode already,
| and there is no longer the desire to run this part of the
| business, so they took this unfortunate opportunity to
| wind things down.
| thesuitonym wrote:
| It sounds like they were just waiting for a reason to get
| out of the business. Sometimes you just keep something
| running because it handles itself, but isn't really
| bringing in any considerable amount of money. But once you
| hit a hiccup like this, it's not worth the time to fix it,
| because it wasn't really a revenue stream in the first
| place.
| danlugo92 wrote:
| > but isn't really bringing in any considerable amount of
| money
|
| Another poster pointed out they pocket around ~70k/year
| so I don't think it's that.
| thesuitonym wrote:
| 70k is a lot for a person, but not really a lot for a
| company. Someone mentioned they were one or two people,
| so that's not too bad, but if you get much beyond that,
| cutting that 70k may make it more trouble than it's
| worth.
| doublerabbit wrote:
| > Sounds like someone placed a server in their basement, added
| cPanel and a PayPal link and totally ignored whatever happened
| to that server.
|
| Welcome to 99% of shared web hosting businesses.
|
| WHM + cPanel is the combo you need to know if you ever want to
| run a webhosting company.
| jart wrote:
| It's not a business model. "No Support Linux Hosting" is a
| white labeled version of Shanje Inc. which is a small business
| from Iowa run by 1-2 people which was founded back in 1997, so
| they truly are a blast from the past. Shanje controls a Class C
| IPv4 block and they use it to host about 30,000 websites which
| nets them an estimated yearly revenue of ~$70k. Most of the
| sites that were impacted are ones you've never heard of like
| francisdiamonds.com and almuftahrentacar.com, but someone loved
| them enough to put them online, and now they've all been
| destroyed. Between hacking and COVID we've certainly seen a
| systematic decimation of the petit bourgeois. It's a tough time
| to be a small business owner.
| generalizations wrote:
| > controls a Class C IPv4 block
|
| That explains how they could so easily offer ipv4 addresses
| with their vps offerings on the sister site.
| carlivar wrote:
| This is only 254 useable addresses. Nice, but not that big.
| macintux wrote:
| It's certainly easy to see why small businesses are
| increasingly giving up on websites and just using Facebook.
|
| No cost, good discoverability, easy updates...just sucks for
| those of us who won't use the platform.
| tracker1 wrote:
| I'm not so sure on discoverability. Engaging with
| customers, sure. However, not the place I do searches for
| (mostly local) businesses.
| jrnichols wrote:
| That's what is especially frustrating to see. So much of the
| pre 2010 web is just gone, and I'm sure much of it gone
| because of something like this. hacks by ransomware garbage
| or script kids doing it "for the Lulz."
|
| internet vandalism saddens me.
| jart wrote:
| Don't mock lulz since that was the best part of the old
| web. When I think of lulz I remember stories like jobs and
| woz poking at&t in the eye blue boxing the pope. Today's
| guard rose to power on a billion laughs, but there's
| nothing funny about the criminality and extortion that
| flourishes under their watch as they focus their attention
| on banning people for vulgarity. OPM doomed us all.
| exporectomy wrote:
| The refund would be a fraction of a dollar that people would
| have paid for the incomplete part of their final month, no? So
| perhaps it's hardly worth refunding, or perhaps they did.
|
| A cheap low reliability non-spammy service is a pretty good
| niche for hobbyists. Who cares that it shut down. It did a job
| while it lasted.
| tinus_hn wrote:
| You can't charge one dollar monthly, the fees would eat
| almost all of your income
| stone-monkey wrote:
| Yeah, they charged in increments of 12 dollars iirc. It
| wasn't set up as a yearly sub though - it just worked as
| account credits, so if you had multiple sites it would
| deduct money from the same account pool.
| mshanu wrote:
| literally
| danielsamuels wrote:
| They don't help anyone, including themselves
| tomaszs wrote:
| You should put a warning before this comment. I have spilled
| some coffee :)
| geocrasher wrote:
| I've worked on the support side of the hosting industry for a
| Long Time. A few observations. 1) Hosting is hard. It doesn't
| seem like it should be, but it is. cPanel simplifies _and_
| complicates it because you're locked into doing things The
| cPanel Way whether you like it or not.
|
| 2) Hosting is getting more expensive because cPanel keeps jacking
| up prices, and I strongly suspect that this host threw in the
| towel due to the severity of the compromise but also the razor
| thin margins. Digging out from under it was likely more trouble
| than it was worth, especially if they didn't have insurance for
| this kind of thing.
|
| 3) KEEP YOUR OWN BACKUPS. For the love of all data that is
| important, keep your own backups. Did I mention that anyone with
| a website on any provider on any continent should keep their own
| backups? By all means, keep your own backups. Because if you
| don't keep your own backups, you'll wish you'd kept your own
| backups.
| dabockster wrote:
| Any competitors to cPanel out there? Both free and paid?
| ljm wrote:
| I'm actually surprised a no support host set you up with
| something like cPanel and didn't just give you an SFTP user or
| a restricted shell account.
| ceejayoz wrote:
| cPanel? Ooof.
| esamatti wrote:
| Interesting business model
|
| ----------
|
| Experts Host Sites Here for $1/month
|
| Do you like paying extra so other people can ask amateur
| questions? That's how it is at other hosting companies where
| beginners and experts pay the same price. Beginners drive up the
| cost by asking a lot of novice support questions while the
| experts don't contact support. That is great for amateurs, and
| unfair to the experts like you.
|
| No Support Linux Hosting has a completely different business
| model. We ignore the support questions, and pass the savings on
| to you! If you are an expert who does not want to pay extra for
| help with amateur support issues, then you can host with us and
| save big money.
|
| Experts like you can sign up now for free. We charge $1/month per
| website, and there is no limit to the number of websites you can
| host in your account. This is the best deal in the web hosting
| industry, as long as you are the type of person who can find his
| or her own answers.
|
| -----------
|
| From
| https://web.archive.org/web/20201109042643/https://www.nosup...
|
| I guess they took savings from security too.
| kall wrote:
| If that kind of thing is appealing to anyone, check out
| uberspace.de. It's the best possible version of shared hosting
| and it can even cost 1EUR too (you should pay more though).
|
| Unlike this thing they are both super friendly to all manner of
| linux nerd stuff yet provide excellent, gracious support where
| they teach you the stuff you don't know.
| abdullahkhalids wrote:
| What you get for $1/month
|
| > Each website in your account can use up to 1GB of disk space
| and 30GB of monthly bandwidth. These resource limits are enough
| for most normal websites. Each website can set up 3 databases
| and 25 email accounts.
|
| The server specs are here
|
| https://web.archive.org/web/20200618180933/http://www.nosupp...
| generationP wrote:
| > 30GB of monthly bandwidth. These resource limits are enough
| for most normal websites
|
| Unless you have a griefer with a broadband connection and
| half an hour of time I guess?
| PeterisP wrote:
| Well, to protect from that you need to pay more than $1 of
| hosting or put up a free CDN in front of it.
| Aachen wrote:
| Yes, but how often does that really happen? I've known of
| this possibility since I was a teen, and sometimes it
| happened on fairly popular sites back when unlimited
| bandwidth was very expensive, but it was rare back then and
| I haven't heard of this actually happening to any site in
| the last decade. I'm sure you can find examples online, but
| it's way more common to get a proper DDoS than to get this
| kind of attack.
| Jach wrote:
| You'd think it'd be more common given how many sites are
| on EC2 and how expensive Amazon's egress is, but
| nonetheless, I never hear billing horror stories from
| that vector.
| LinuxBender wrote:
| This was a common prank on mobile browsers using 30+GB
| favicon.ico files. I am not even sure that was ever truly
| fixed in all the browsers, might be a good thing to test.
| The browsers would continue to download the favicon in
| the background even if you left the page. People that
| were roaming would get their cellphone accounts
| suspended. Providers reacted by putting roaming limits in
| place, but it still caused grief for people.
| toast0 wrote:
| At my last job, we would get casually DDoSed from time to
| time. One of the ones I remember was a wordpress pingback
| reflection to a large file. Not too hard to handle
| (pingback is dumb and needs to die in a fire, but at
| least wordpress sets user-agent), but used a ton of
| bandwidth until sorted it out.
| spacemanmatt wrote:
| CDNs are the only sites that have ever saturated my
| broadband or fiber connections. Accessing 'mere mortal' web
| sites is way slower. Block out the whole day on your
| calendar.
| generationP wrote:
| OK, true -- I guess you can slow it down Zeno-style per
| IP if you set it up correctly.
| bluedino wrote:
| Reminds me of the old prgmr.com:
|
| _An easy to understand price schedule: $4/month per account,
| and $1/month for every 64MiB ram. Please note; this means all
| plans come with $4/month worth of support._
| alanpost wrote:
| Prgmr.com owner here.
|
| While that copy is old, and our pricing reflects the hardware
| we run on today, the quip has now been updated to: "You get
| $5/month of support," which is the price of the smallest
| package we offer.
|
| That wisecrack aside, the reality of the support we provide
| is more in-line with our byline: "We do not assume you are
| stupid." In practice, and with a hat tip to pera replying to
| you here, that means we provide what you might call peer
| support--we explain what's going on, what steps are necessary
| to correct it, and take responsibility when we caused the
| issue. And expect similar candor.
|
| As you might expect, most of the technical support we provide
| is routine--with sufficient information communicated to both
| parties the problem is typically straightforward to resolve.
| But we treat tickets on their merit and customer reports do
| come in that admit more substantive investigation and
| resolution:
|
| the LAN of 16 Million Hosts:
| https://prgmr.com/blog/2020/07/17/classful-networking.html
|
| Possible Data Corruption on Debian Buster:
| https://prgmr.com/blog/2020/07/15/debian-buster.html
|
| Debugging freebsd.org Resolution Failure:
| https://prgmr.com/blog/2020/04/23/debugging-freebsd-
| resoluti...
|
| The people you talk to when you write us have the authority
| to investigate and--if correctable on our end--resolve your
| problem.
| pera wrote:
| I know but I believe they should rephrase that: I have been
| using their VPSs for ten years and they have the best
| customers support I have ever dealt with :)
| abdullahkhalids wrote:
| NearlyFreeSpeech, where I have been hosting my static personal
| site for 9 years has a similar model. You pay for exactly the
| resources you use. I pay less than $20/year.
|
| If you need support, you pay $5/month extra.
|
| https://www.nearlyfreespeech.net/services/support
| pas wrote:
| How come support is not pay-as-you-go based on time?
| corty wrote:
| I guess for small shops, a steady stream of income to pay a
| support person's salary is more important than the benefits
| of hourly billing like fairness and possible higher income.
| smitop wrote:
| They tried that at one point, and it didn't work out very
| well for them: https://blog.nearlyfreespeech.net/2013/12/27
| /member_support_...
| l-lousy wrote:
| "Why did it take you so long to answer my question" , "I
| just wanted a quick answer why are you charging me for 20
| minutes of support". Human time spent on support is not as
| cut and dry as hosting resources used, so I imagine it's
| easier to not have that discussion. Also 5$ would be like
| 15 mins of any qualified persons time, so really you're not
| paying much.
| pronlover723 wrote:
| Just price it like Microsoft. $499 per incident.
| Zenst wrote:
| >Also 5$ would be like 15 mins of any qualified persons
| time, so really you're not paying much.
|
| Be less minutes than that I dare say. $20 an hour tech
| costs, then you have overheads and that's without a
| profit margin. I'd say 5 mins be more closer to the mark.
| Really gets down to how many support calls you have as if
| you have a couple admins who have to dip into a support
| queue, then their hourly rate would be higher. However if
| you have a nice frontline 1st line support pool with 2nd
| and 3rd for escalation model/scale then it will get
| cheaper.
|
| That all said you have to factor in how much support they
| use and maybe your average user will need one or two
| tickets a year and then at the other end you have the types
| who fail to read FAQ's and end up needing more support to
| use their computer, let alone the service and blur the
| lines contacting you for an issue that after some back
| and forth turns out to be the user's end. Those will be
| costly. So you balance things out - and go with the
| average and yet at the same time, dread some types of
| customers.
| UncleMeat wrote:
| I'd wager that qualified support staff would get paid
| well over $20/h. Plus there is all sorts of business
| overhead.
| kazen44 wrote:
| from experience, i can tell you high end support far
| exceeds $20/h (think 3rd level network and systems
| support). $20/h is more in the 1st line territory.
| h_anna_h wrote:
| I presume that you are all talking about SV, right?
| sjcoles wrote:
| Nope. Midwest, medium CoL, $18-20/hr to sit and reset
| passwords all day.
|
| Hell, I am just a sysadmin/developer with minimum
| experience (2yrs) and make ~$32/hr.
| h_anna_h wrote:
| Ah, so in the USA. Thanks, got it.
| ufmace wrote:
| Keep in mind also that there's probably 2x to 5x overhead
| between what the customer pays and the paycheck of the
| person doing the actual work.
| simple_phrases wrote:
| Tier 3 support makes as much, if not more, than software
| engineers even outside of tech hubs.
| tracker1 wrote:
| Not just SV, but almost anywhere in the US at this point
| I would imagine. I was working support in the Phoenix
| area back in the mid-90s' and it paid roughly 2-3x
| minimum wage at that time. While the ratio wouldn't be
| the same, a lot of places now have a minimum wage in the
| $9-12 range. Given that, $20/hr+ wouldn't be improbable
| for first line email/phone support.
| drewzero1 wrote:
| A couple of years ago I took a break from IT to work
| first-line support at a local (midwestern) software
| company. Hourly rate was just a little over that minimum
| wage range, nothing near $20hr though. I was glad to get
| it, glad for the experience, and glad to go back to IT
| when my time was up.
|
| In all fairness, support costs also include all of the
| techs' phones, computers, networking, software licenses
| for Teamviewer et al, and office overhead. So a $20/hr
| bill is pretty cheap for a minimum wage technician.
| udestoworkthere wrote:
| because that is a perverse incentive
| (https://en.wikipedia.org/wiki/Perverse_incentive)
| nfsn wrote:
| There are three main problems with pay-as-you-go support
| based on time. All three come down to support being
| provided by people:
|
| 1) Unlike software objects, it is not yet possible to
| instantiate qualified support personnel as needed.
|
| 2) Unlike virtual machines, people get _very_ cranky if you
| attempt to suspend them to disk or delete them to save
| resources when not in use.
|
| 3) Unlike physical hardware, uploading large volumes of
| data to people so they can produce useful output is
| _extremely_ time-consuming and resource-intensive.
|
| Here's a more serious answer:
|
| When you seek (qualified) support, you're not paying for
| the time it takes the person to _type_ the right answer;
| you're paying for them to _know_ the right answer. (See
| also: https://www.snopes.com/fact-check/know-where-man/)
|
| It took us quite a while to figure that out, and we tried
| pay-as-you-go support along the way, as someone linked
| below. l-lousy correctly guessed the outcome of that: more
| time spent arguing with people about how much we charged
| them for support than providing support.
|
| Worse, that's how the person providing support makes their
| (minimal) income: by nickels and dimes and on other
| people's schedules. So, if you're doing that job, you're
| making very little money and frequently dealing with angry
| people due to a system you have no control over.
|
| It's the tech support version of being an Amazon delivery
| driver. Amazon may be cool with treating people like that,
| but I'm not.
|
| One detail l-lousy did get wrong (as others observe) is the
| 15 minutes. $5 is 5 minutes or less of a qualified person's
| time.
|
| That does assume people want qualified support and not
| first-tier "I can't be bothered to search the FAQ, read me
| the right one!" interactions.
|
| Usually, but by no means always, that's a reasonable
| assumption for us. People looking for that level of hand-
| holding tend to be much more successful with other hosting
| services with multiple tiers of support and (usually) phone
| support.
| tyingq wrote:
| The Cpanel licenses would take 30 cents/month out of that $1
| too.
| fukmbas wrote:
| Honestly just sounds like a bullshit way to not provide support
| for your product.
| kstrauser wrote:
| I love that model when done well. Others have mentioned
| NearlyFreeSpeech.net web hosting.
|
| What they provide to me: a place to upload my static web
| pages to, period.
|
| What I ask from them: serve these web pages I've uploaded,
| period.
|
| I don't want or need support for any of that. If something
| breaks on my part, I can and will diagnose and fix it. If
| something breaks on their end and they need to fix it, then
| that's a bug report and not a support request.
|
| In exchange for that, their prices are dirt cheap and perfect
| for the things I need it for. I couldn't possibly host it
| myself for the prices they charge me. I think that's a good
| example of where the business model makes a huge amount of
| sense for all involved.
| achairapart wrote:
| Also, no one noticed how funny is that they actually used
| Microsoft servers/tech for their own website (At least I
| presume by seeing urls ending in .aspx[0]) while offering
| "Linux Hosting"?
|
| [0]:
| https://web.archive.org/web/20190608074736/https://www.nosup...
| intrasight wrote:
| These days it would be a presumption since .net is well-
| supported on Linux
| IgorPartola wrote:
| For those interested in this kind of thing, there are two fun
| resources I would recommend. First, LowEndBox
| (https://lowendbox.com/) which documents where you can get VPS
| hosting for as little as $1/month or even cheaper in some
| instances. Second, Super Dimensional Fortress (http://sdf.org/)
| where for a $1 you can get lifetime low level hosting and for
| $25 you can get access to a much beefier server. A community of
| old school *nix nerds comes as a bonus.
| dannyw wrote:
| Just watch out: lots of the low end box providers end up
| shutting down, and may take your servers and data with it.
|
| I now stick to reputable "value" providers like BuyVM. Having
| an operator I can discord and get frank answers, as well as a
| commitment to privacy (Tor exit nodes _welcomed_ ), is nice.
| klodolph wrote:
| This is one of the reasons why business negotiation books
| will remind you that when you're making a deal with a
| vendor, you want to make a deal that is profitable for the
| vendor and supports / sustains their business. If you
| don't, then you'll have to find a new vendor after they
| collapse (or get rid of you as a client).
|
| For personal hosting I think one of the problems that makes
| this more complicated is that even as a group, you're
| nobody's biggest customer. You're just a side business for
| someone selling hosting B2B, usually. I know that the local
| grocery store will make sure that they can still sell to
| local customers, because that's the core of their business;
| I'm not so sure that cloud providers care much about my
| dinky website.
| EricE wrote:
| >and may take your servers and data with it.
|
| Only if you let them.
|
| Do people seriously NOT perform backups via independent
| methods utterly independent of their primary cloud service
| provider?
|
| No one remembers Photobucket or the hundreds of other cloud
| services that went "poof" into the night?
|
| There is no cloud, just someone else's computer - always
| have backups of some other means. A different provider with
| a different account, alternate mechanisms (i.e. email
| addresses with different email providers, etc.) to get to
| that data and accounts...
|
| It's even easier now with VM's, snapshots, free open source
| backup software that understands all of that - fairly
| inexpensive commercial solutions like Veeam - there is zero
| excuse.
|
| My favorite was a small SAAS provider that had all their
| backup infrastructure on AWS under the same account as the
| test/dev and operations - and someone got in and deleted it
| all. Partitioning - yes, it's an essential thing. And not
| just for technical. Separation of duties. Requiring
| concurrence by more than one person for critical
| operations. Lessons that should have been learned from past
| experience.
|
| People's (especially developers') eyes glaze over with
| documents like NIST 800-53 - but all those controls exist
| from experience. The bigger/more critical your system is to
| your survival, the more of those controls you should have
| answers for!
| renewiltord wrote:
| Honestly, they generally _don't_ go poof. I remember I
| had a VPS for more than 10 years with Hetzner. No poofing
| till they had to get rid of that offering. I have the
| backups but I think now I prefer just running on GKE +
| RDS for funsies. Costs a bunch (like $50/mo) but I don't
| have to worry about anything.
|
| And fuck me if I'm ever writing a BIND zonefile ever
| again.
| devwastaken wrote:
| I remember their employees in their politics chat being
| angry conspiracy theorists and being entirely unreasonable
| similar to q conspirators. There's no problem with
| disagreement in politics but there's a line of general
| reasoning skills that bleeds into their actions. I don't
| trust those people having access to someone's server/data,
| especially if they are quote "liberal" or "progressive"
| mobilio wrote:
| It's better to get something even free like AwardSpace
| (https://www.awardspace.com)
| jcun4128 wrote:
| > SDF
|
| cool name (know the show)
|
| I'll have to check these out I've been using OVH all this
| time, also GitHub pages is pretty cool.
| lupire wrote:
| Also nearlyfreespeech.net is old and cheap and doesn't police
| legal content.
| jodrellblank wrote:
| > " _doesn't police legal content._"
|
| What does that mean - what would it mean to "police legal
| content"?
| [deleted]
| retrac wrote:
| From the context, I assume they mean kick you off the
| service for publishing something the hoster disagrees
| with.
| SkyBelow wrote:
| I think the claim is that anything clearly legal is
| allowed. The problem is how iffy 'clearly' legal is.
| First, which country's law are we using? Second, which
| court rulings are we applying? Anything controversial
| ceases to be clearly legal because the police can go
| after it. Even if a well funded defense will eventually
| win the case, it may be on appeals meaning that
| punishment for the content has already begun. Thus it
| becomes easy to justify anything controversial as not
| being fully legal.
|
| And that's assuming they'll actually try to stick to
| their claim. I find that isn't the case when it is really
| put to the test.
| newen wrote:
| Topical example is Parler getting shut down by AWS for
| whatever reason Amazon gave.
| seneca wrote:
| Knowingly breaking guidelines here, with apologies, but
| why in the world is this downvoted? It's an accurate and
| timely example.
| jfengel wrote:
| Saying "whatever reason Amazon gave" is a pretty good
| reason to downvote it. Amazon gave reasons. If you can
| cite them, then you can disagree with them. But to simply
| wave those reasons away as "whatever" is intended to
| convey "that was obviously legal content being shut down
| for purely ideological reasons", and that is simply not
| the case.
|
| The "reason Amazon gave" was "content that threatens the
| public safety, such as by inciting and planning the rape,
| torture, and assassination of named public officials and
| private citizens", with examples given in:
|
| https://www.courtlistener.com/recap/gov.uscourts.wawd.294
| 664...
|
| So it's a bad example of something being dismissed for
| ideological reasons, and a bad example of something whose
| reasons can be assumed when the answer was easily
| available.
|
| That's an excellent reason to downvote something. It's
| simply not accurate.
| boarnoah wrote:
| Definitely be careful with hosts off Lowendbox, as other
| commenters have mentioned providers go offline without
| warning all the time. Never pay more than a year in advance
| etc...
|
| Notorious for "Deadpooling", providers sell ultra cheap
| hosts. Run them on over-provisioned servers for a year or two
| and disappear overnight.
|
| ex: https://tech.slashdot.org/story/19/12/08/1549222/20-low-
| end-...
| jart wrote:
| I'm so glad Super Dimensional Fortress is still around. I
| learned how to use Unix thanks to them back in the 1990s.
| They're in a different league than the goofballs selling
| unlimited web hosting cheaper than Arizona iced tea.
| TedDoesntTalk wrote:
| This. sdf.org is awesome.
| cromka wrote:
| And their VPN service is a steal!
| zepatrik wrote:
| Just had a good 2h read on internet history.
| tacon wrote:
| lowendbox.com was great to start, but they got popular, and
| then profitable, and finally were bought by a low end hosting
| aggregator/rollup, and now almost all the different offers on
| lowendbox.com are coming from essentially the same company.
| The sister site, lowendtalk.com, seems to have picked up the
| mantle of open discussions, and they have offers, too. For
| example, recently I bought a 1GB KVM VPS for $14.83/yr. With
| KVM, I can use netboot.xyz and play to my heart's content with
| any Linux distro I want. I have NixOS running on it at the
| moment. On another, I'm playing with dokku, which takes over
| the whole VPS as a heroku clone.
|
| These companies are often unstable, so regular backups of
| anything you might be sad losing are vital. I recommend
| paying by the month, if that is available, and using this
| whitelist of low end providers who have been in business for
| a reasonable length of time[0].
|
| [0] https://lowendboxes.review/the-whitelist/
| richardfey wrote:
| If they appreciate what an "expert" is, they surely could hire
| one in security.
| beermonster wrote:
| I read the title too quickly. I thought this was going to be
| about a Linux-hating hosting provider... oops!
| Havoc wrote:
| That's the risk with smaller VPS operations. Good value but could
| shut down any time and leave you wondering what happened
| narcissismo wrote:
| Well that was concise.
|
| I'd love to know the types of sites they hosted. Anyone here have
| the skillz to find out?
|
| My bet is on slimming tablets and viagra sales.
| benlivengood wrote:
| host.io maps the associations. From another comment that
| francisdiamonds.com was hosted there we get
| https://host.io/ip/216.51.232.100
|
| Since they apparently had a class C one could look at each IP
| to find the rest of the sites.
| mythrwy wrote:
| I had some sites on there a long time ago.
|
| The model of course is shared IP so there are dozens, even
| hundreds of sites at the same IP address.
|
| I did some kind of lookup once to see who shared an IP with my
| site. It was stuff like churches, auto repair shops, high
| school kids experiments, plumbers. This was before Wix and
| friends. There was nothing scammy or spammy I saw on that
| particular IP anyway.
| sodality2 wrote:
| How exactly do you find other sites hosted on the same IP?
| narcissismo wrote:
| Nice work.
|
| It's also nice to know that a low price point doesn't
| automatically act as a bad-player magnet.
| sambe wrote:
| I guess you are also supposed to figure out for yourself what
| private information of yours has been compromised, since they
| can't be bothered to make it explicit.
| Triv888 wrote:
| You can get a VPS with your own IPv4 for the same price:
| http://www.lowendstock.com/ .
| jsmith99 wrote:
| There are superior VPS available for free in the 'always free'
| tier of GCP or Oracle Cloud. In the latter case you don't even
| need to set up a billing account, just provide a credit card
| for verification only, and you get 2 * VPS with a 1/8 of a
| physical EPYC core and 1GB RAM each, 100GB of block storage
| between them, and 10TB outbound data a month.
|
| Alternatively PaaS like Google's App Engine have 'always free'
| tiers sufficient for hobby sites.
| tyingq wrote:
| Different audience. As much as I loathe Cpanel, there's a bunch
| of customers that know nothing about Linux and want to
| point/click things into existence.
| dspillett wrote:
| _> know nothing about Linux_
|
| Given the name "nosupportlinuxhosting.com" I would expect
| many using the service to be capable of knowing/understanding
| "apt install nginx php-fpm" and so forth.
|
| Though obviously cPanel and its ilk still offer some time-
| saving convenience even if you could set up everything
| yourself.
___________________________________________________________________
(page generated 2021-02-09 23:01 UTC)