All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
[Finalhosting] SSD VPS starting at €1,40/month | KVM | Anti-DDoS | Hosting in The Netherlands
jordynegen11
Member
Hello,
This is my first post as provider so I going to introduce myself al little.
My name is Jordy. I started Finalhosting in 2011 as a Minecraft hosting company. Now 8 years later we're focussing mainly on VPS hosting. Until recently we focused primarily on the Dutch market and now we're expanding.
Finalhosting has 3 employees. Myself, Melvin and Rob. Me and Melvin are the technical guys and Rob is the first line support/sales guy. With years of experience and troubleshooting, we know how to host a VPS. We are not a very big company with 100.000 servers, but we have 3 racks full of Dell blade servers.
Technical Features
- KVM Virtualisation
- Solid State Storage
- DDoS protection option
- Hosted in The Netherlands
- In-house development
- Free snapshot
Cloud Server Starter
- 512MB RAM
- 1 vCPU core
- 10GB SSD storage
- 250GB Bandwidth
- 50Mbit Uplink
- 1 IPv4 address
- Linux-only
Special sprice: €1,40 /month (€1,69 incl. VAT) discount code: LOWENDTALK
Normal price: €2,- /month (€2,42 incl. VAT)
Cloud Server Starter+
- 1024MB RAM
- 1 vCPU core
- 30GB SSD storage
- 500GB Bandwidth
- 100Mbit Uplink
- 1 IPv4 address
- Linux & Windows
Special sprice: €2,80 /month (€3,39 incl. VAT) discount code LOWENDTALK
Normal price: €4,- /month (€4,84 incl. VAT)
Cloud Server Trial
- 2048MB RAM
- 2 vCPU core
- 50GB SSD storage
- 150GB Bandwidth
- 50Mbit Uplink
- 1 IPv4 address
- Linux & Windows
Do you want to try our VPS servers first? No problem! You can test a VPS for free (3 days).
Order here
Please notice that we will check your order manually in this case.
Operation systems
DDoS protection
More info you can find HERE
Keep in mind that if you choose this option, the latency will be increased by 10-20ms. Depending on your location and ISP.
Managing your server
We were tired of using SolusVM, Virtualizor etc. Because none of them worked perfectly for us. So we build our own panel based on the Libvirt API. We call it: YourVM. Now we have a stable virtualisation panel that is built to our wishes.
For those who wonder: We're thinking about selling the panel under license in the future.
our admin panel:
Customer control panel
We didn't want a separate control panel for our customers. So we created a control panel inside WHMCS. Our customer VPS panel is clean and easy to use
Small FAQ
How far does your support go?
Our technical support is here to keep your VPS online. They will not install or configure your webserver or application. Those VPS servers are not managed.
Where are the servers located?
Our servers are located in the Global-E datacenter in Rijen, The Netherlands.
Do you allow spam or other illegal activity?
We do not! If we find out, we will suspend your server without refund.
Can I install via my own ISO?
Yes you can. Just create a support ticket with the link to the ISO file and we mount it on your VPS.
Do you offer livechat support?
Yes we do between local business hours.
Does the discount code (LOWENDTALK) works on every VPS package and is it recurring?
YES and YES
Payment methods
Local payment options
- iDeal
- ING Home'pay
- Bankcontact
- Belfius betaalknop
- KBC/CBC
- Pay by phone
- Achteraf betalen
Other payment options
- Paypal
- Paysafecard
- Mybank
- Przelewy24
- Bitcoin
- SEPA recurring
- SEPA transfer
- Sofort Banking
Business information
Website: https://finalhosting.nl
Customer panel: https://clients.finalhosting.nl
KvK number (Dutch business registration): 54033721
VAT number: NL226260471B01
Mail: [email protected]
Create a ticket: Here
Phone number: +31 85 10 52 790
Test IP: 185.211.51.1
Test IP (DDoS protected): 151.80.54.129
Comments
Props to you for telling people how many employees you have and the amount of equipment.
and
If you've written your own control panel you really should put in the ability for a user to install their own ISO.
Ordered a trial, interested in seeing this panel.
We are very open
We are working on a feature so that the customer can upload and mount their own ISO as we speak. It's already possible in the admin panel but not in the WHMCS module yet
Storing the root password of the customer and in plaintext? Pretty sure that this is a serious flaw in terms of GDPR
No, we have encryption for that. For security reasons I can't say how.
Your screenshot says "username: root" "password: ha-ha"
That's correct. Our system is decrypting it when loading the page. Why do you think the password is ha-ha?
So you are saying that you are saving the root password and not as hash but in a way that allows to decrypt it?
We have a way to decrypt the encrypted password. I want to tell you how but for security reasons, I can't.
Also if you don't trust, just change the password inside the VPS?
The password in the panel will only be updated when you reinstal he VM or change the password via the control panel. If your change the password via the OS, It will not be updated in the panel. We will not spy on your passwords my friend
I honestly don't care how you do it because I am aware that no sane person would handle customer passwords that way.
https://www.darkreading.com/safely-storing-user-passwords-hashing-vs-encrypting/a/d-id/1269374
Just one breach of your database and every (not changed) root password of your customers is known to the attacker leading to access to all customer data. We all know that most customers won't change the password due to laziness.
hmmmm ... such
secobscurity much wowanyway I can plainly see it is actually "hunter2" (ha-ha)
best to get your setup very carefully reviewed by someone experienced with teh securitahs
other than that seems like a pretty good vibe to me - so here's hoping you'll do well with it!
so little sense of security
They still have to break our encryption if that will happen. It's not the standard PHP encrypt( method
Only generated password by our panel will be saved in a encrypted way. I totally understand why you will not trust that if you don't know how we do that.
You can just change the password inside the OS. In that case the password will not be stored by the control panel.
But thanks @FR_Michael and @uptime for your feedback. I think we should inform our customers better about that.
@jordynegen11 - I'm of course referring to the (perhaps controversial, somewhat nuanced) questionable concept of "security by obscurity". I won't pretend to know any more about the nuts and bolts of a secure system than you do - but would urge you to consult someone with more established credentials and experience when security is an issue. (And, security is always an issue.)
@FR_Michael - I have a question for you - and with minor trepidation about blithely wading into this sales thread ... I will just go ahead and ask here anyway (as is LET tradition ... hopefully @jordynegen11 might enjoy seeing the thread bumped a bit without being totally derailed by the discussion
)
I recently noticed receiving root and VNC passwords in plaintext email upon fresh creation of a VPS from your (impressive, wonderful, in-house) system. (Also with clear instructions to change the password ASAP). I see this with many providers (and it bothers me a bit).
Can you explain how this is fundamentally different from what you're pointing out with this system? Maybe I'm missing something obvious here - not thinking too hard on this but curious to know more and would appreciate some insight if you care to share any.
If you have a way, someone else can find that way, and then you're screwed. If your panel can decrypt it, anyone can decrypt it. The easiest way to do so is by just looking at your code. Breaching the database is as easy as getting access to the (byte)code of the panel. Your first responsibility is making it hard for hackers to breach your database and code, but the second is minimizing the impact if they do.
The only exception would be if you store an encryption key in the browser and use that to decrypt the password. But that requires users to transfer keys between browsers to decrypt the password from anywhere, which is more of a hassle than actually remembering your password in the first place.
Other than that, looking good! All the best.
I see your point and believe me this is something we had a lot of headache with. But you need to die one death, one way or another. You need a way to transmit the initial password in the first place. We advice our customers to instantly change the password upon first login and if you distrust it you can change all of these passwords in a secure way (through f-com). In addition our Mailserver is using tls secured connections.
My problem on this is not the initial transfer of the password, my problem is that in case of a hacked control panel / database (this could happen to everyone, ask haendler.it about it) the attacker gets full access to every lazy customers vps and can access all files or do nasty things from their vps and no one will ever find out. Storing such passwords is a bad thing, storing them in a way that people with access can easily decrypt it makes things even worse.
@jordynegen11 don't get me wrong, it's good to see people / provider around that invested time and resources to create their own control panel and user experience and I wish you a good start here on LET.
this! There is nothing more to say, thank you for that!
We really thought about this. It's not like running a formula that decrypts the password. We had to give up some pageloading performance in order to do this.
If for some reason the database is leaked, a hacker needs physical access to our datacenter in order to decrypt the password. So good luck breaking in. Also you can't access the panel without a hardware key.
You're really talking about if, if, if ,if, if, if
And this is the last thing I gonna say about this. Because of your feedback we will choose to inform our customers betters about this. And if someone does not trust it, he or she can just change the password without storing it in the panel.
But thanks @solaire I got the message
@FR_Michael
My friend, you are another provider that is doing the same thing. Also your panel can be hacked.. Why are you try to teach me? It's not very nice to slander (my best english) another provider in their thread.
I suggest we stop this discussion. If you want to continue it, feel free to add me on discord: JordyNL#0001
For anyone who uses WHMCS and complains about root passwords, simply empty the DB password field ID in the tblcustomfieldsvalues table (and emails, but you should do it anyway) in an interval or write a hook/addon to do it with cron. Problem solved, now if your database gets hacked you'll be the only one who is dead and not your clients.
Just for the sake of it: we don't store any customer vps passwords in our control panel and customer login passwords are hashed with proven cryptographic libraries.
Good luck to you and your customers.
@jordynegen11 welcome to LET
... Discussion (at its best, unfortunately perhaps all too rarely) can be a good opportunity to learn and teach in a conversation with fellow travelers - that's really the main impression I get from what I'm seeing here.
I think you'll know for sure if some "competition" is dumping on your thread, that does happen.
But in this case I believe a friendly critic can be your best friend - especially when it inspires you to improve a crucial aspect of your offering - or at least to explain it better, as you now have.
You are right. I am totally open for critic and we have taken action because of your feedback. Tomorrow we will even discuss if we need to disable the encrypted password storage.
So it's not like we're doing nothing with you feedback. But I think this discussion has gone a little to far
Thanks @uptime
Good to hear - I think you'll find many hosts are here to help each other out.
Anyway, I hope you make some sales and get some good customers today.
I'm going to get back to my regularly scheduled programming (and shitposting elsewhere) now ...
I thought you asked to stop this discussion?
If you find such a security flaw I would highly appreciate it when you would point it out. It's not about feelings or critic, it's about customer data and security.
Finalhosting... Gonna order a plan and blow my brains out.
My friend, i strongly suggest you to not do the second part...
I don't think that's a security issue. Every provider has the 'see password' feature integrated on their panel, which is the generated password when re-installing. And it's up to the user to change the password in the terminal, unless I missed something.
@Janevski ... expressing appreciation for the final things in life
you can see the explanation why this is a bad idea earlier in this thread. I am not aware of any major provider doing it. But @jordynegen11 is right, everything is said and we should stop spamming his thread. If you want to discuss this or have any questions you can send me a pm, I will happily respond.
You shouldn't. You really fucking shouldn't