  1. #1

    More security changes today without notification

    The mod_security Apache module was installed on Sheffield today without any notification. This can break, and in some cases has broken, legitimate applications (such as scripts that are passed a URL as a GET param).

    I don't know about anyone else, but I'm getting a little tired of this now. A few weeks ago there was a knee-jerk change to FTP to prevent cPanel default account being used as an FTP login (which wasn't communicated to customers), and now this.

    The first technical support person I spoke to was called Victor and claimed there was nothing wrong (he's done this in the past too). After failing to get anywhere with him, I spoke with Cristiano who was a lot more helpful - told me what the issues were with the new Apache setup, and how to fix things. A job well done there, and I hope I get support like that again in future.

    Now, I fully understand that these changes are necessary in order to improve the integrity of the servers; but we are resellers, which means we manage multiple websites - often running quite disparate scripts. This means we need notification as soon as possible, even if this is immediately after the changes have been made. I'm finding this disregard of customer communication a bit unfair now, as it's now the second time this has happened in a short space of time. I'm sure I'm not the only reseller who is getting a bit fed up with wasting an entire afternoon/evening fire-fighting one of your security incendiary devices.

    If you can't warn us in advance of these changes, at least notify us afterwards, rather than leaving us wondering why people keep complaining that things aren't working with their sites. As a software engineer, I can honestly say that these kinds of destabilizing changes need advance warning, and Live shouldn't really be used as the test-bed!

  2. #2

    Hi there,

    Thanks for the feedback provided. We turned off default FTP access for main cPanel accounts on our shared servers because a sustained FTP brute force attack was targeting our shared servers. During a security audit our admins noticed that a number of malicious scripts had been uploaded via FTP to the server using legit cPanel login details, and the account owners were not even aware of such incidents.

    As per our chat yesterday, we had to make the changes on the server to tighten the server security (mod_security was already enabled on the server). I do understand your concern regarding updating the clients regarding the changes made, but it is not possible to notify each and every client beforehand.

    What we can do is update the changes made on the forums (eukhost Announcements OR Network Status)
    Cristiano
    Dedicated Server Hosting by eUKhost Ltd.
    r1soft backup plans by eUkhost Ltd.
    MSN :: cristiano @ eukhost.com
    Skype :: cristiano.dawson

  3. #3

    "If you can't warn us in advance of these changes, at least notify us afterwards, rather than leaving us wondering why people keep complaining that things aren't working with their sites."
    I second this. Although mod_security has always been installed on my shared hosting server, I was very frustrated when the FTP default logins were disabled. Again, I think that a simple email wouldn't go amiss.

    "I do understand your concern regarding updating the clients regarding the changes made, but it is not possible to notify each and every client beforehand."
    I don't understand how it should be any problem at all to email clients before/after making changes to their server. After all, you must have a system set up which will allow you to mass-email clients - no? If not - I suggest that one is set up. Even if it's an opt-in system - you can be sure that at least 2 people would appreciate it!
    “A computer without a Microsoft operating system is like a dog without bricks tied to its head.”

  4. #4

    Hi there,

    "I second this. Although mod_security has always been installed on my shared hosting server, I was very frustrated when the FTP default logins were disabled. Again, I think that a simple email wouldn't go amiss."
    "I don't understand how it should be any problem at all to email clients before/after making changes to their server. After all, you must have a system set up which will allow you to mass-email clients - no? If not - I suggest that one is set up. Even if it's an opt-in system - you can be sure that at least 2 people would appreciate it!"
    Yes, we are in the process of launching two mailing lists for our clients.
    In the Technical Notifications mailing list, emails will be sent regarding the changes on the server.

    1. General Notifications.
    2. Technical Notifications.

    Wherein the customers who wish to receive Technical Notifications will need to subscribe/register for the technical notification mailing list.

    I do not have an exact ETA as to when these mailing lists will be launched. But we are in the process of launching the mailing lists and will get this done asap.
    Cristiano
