[Finalhosting] SSD VPS starting at €1,40/month | KVM | Anti-DDoS | Hosting in The Netherlands - Page 2
Comments

  • @texteditor said:

    @jordynegen11 said:
    We have a way to decrypt the encrypted password. I want to tell you how but for security reasons, I can't.

    You shouldn't. You really fucking shouldn't

    Please read back our discussion.

  • @jordynegen11 said:
    Please read back our discussion.

    You shouldn't encourage people to do this, because every post you made that gives more context makes you sound worse

    You imply several times you rolled your own encryption, which is like rule 0 on things you shouldn't do.

    Thanked by 2First-Root atErik
  • No gbit?

  • leang97 Member

    lel why do people keep getting triggered about the generated root password at the panel during the installation of VM OSes? He already did mention that you can change the password after the VMs finish setup. Just change it to whatever you want, disable the root account, generate a key or whatsoever after the VM finishes installation. I see many providers do show the root password after a fresh installation of new VMs; it is your responsibility to change the password afterwards.

    Btw, if you have a question about how YOUR PANEL ACCOUNT password is stored, I have no idea how they store it. Might be salted, might not be; it all depends on their own understanding of the panel that they built.

    Thanked by 1pepa65
  • @cybertech said:
    No gbit?

    It's an option

  • jordynegen11 Member
    edited May 2019

    Because of all the commotion yesterday we decided to disable the function that stores the encrypted generated password after a reinstall in the database.

    Even though we believe that it's safe enough and a lot of customers like it, we want everybody to feel safe hosting a VPS at Finalhosting. So that's why we disabled it.

    We want to make it an option to enable it per customer in the future, but only if the customer chooses to enable it.

    @FR_Michael
    @uptime
    @texteditor
    @solaire

  • solaire Member

    jordynegen11 said: Because of all the commotion yesterday we decided to disable the function that stores the encrypted generated password after a reinstall in the database.

    You definitely earned yourself some respect for listening to feedback! +1 for your company.

  • Hello there,

    Please accept my apologies in advance as I won't be as kind as the previous comments, but I think those kinds of "companies" should never exist.

    First of all, I am not a server provider, I am a French consultant in cloud, security, and more globally in systems and network administration. I do provide servers but only for the purpose of selling the management service on them, so please don't go the way of telling me I only want to promote myself. I don't really know how I came to this thread but now here I am, so I will take some time to give my opinion.

    Let's start with the most obvious: are you licensed with WHMCS? It appears you use their panel, and their license checker is denying your domain (the main one and the client panel one), so my guess is you are using a nulled WHMCS, potentially exposing all your "customers'" data to an unknown guy. If this is true, you can expect the WHMCS team to reach out to you really soon. My second guess is that you're using some kind of multidomain setup, therefore breaking WHMCS licensing rules.

    Now this password thing.... Check with ANY REAL PROVIDER, not Minecraft or whatever else, none of them will ever store any password except the one needed for login to the website, AND NONE OF THEM CAN DECRYPT STORED PASSWORDS. THIS IS A BASIC SECURITY RULE THAT MUST NEVER BE BROKEN, EVEN WITH CUSTOMER CONSENT/OPT-IN. Just send the password once and never store it; if the customer loses it then you/he can renew it. Just an example: will my car vendor agree to remove the seatbelt because I, as a customer, prefer my car without one? NO! This is YOUR (legal) responsibility to enforce security on your infrastructure, and the mere fact that you don't understand the most basic security rule regarding passwords makes you look like the kind of guys I often find on Discord saying "Please I want to run a company with nulled WHMCS, can somebody help, I have no knowledge at all, what is SSH?"

    Reading through this thread and your answers, I assume there must be multiple security breaches in your website/infrastructure, so please take this as advice: DO NOT KEEP GOING THAT WAY, hire or ask someone with some knowledge before trying to grow in a way where YOU are exposing customers to security breaches.

    Again, I'm not here to promote myself nor to disrespect your work, I do know how hard it is to build a project, but it is also my job to tell people when they are totally messing up, and trust me, there are some big companies out there that hire people like me to spotlight/fix basic things like that (ok, not that basic, but you get the idea).

  • jordynegen11 Member
    edited May 2019

    @Tourista

    Let's start with the most obvious, are you licensed with WHMCS ?

    Our invoice was overdue @whmcs 1 day ago, for some reason PayPal did not do its job.. :neutral:

    But no problem my friend no nulled WHMCS for us:

    Reading through this thread and your answers, I assume there must be multiple security breaches in your website/infrastructure

    I don't quite understand how my previous answers explain multiple security breaches in our infrastructure. Also please don't forget, I have been doing this for 8 years now. I'm not a kid that doesn't know what SSH is...

    Also please check my previous comment: https://www.lowendtalk.com/discussion/comment/2970371/#Comment_2970371

    But I appreciate your tips @Tourista

  • uptime Member
    edited May 2019

    Tough crowd.

    "For FinalHosting it was a rough ride and a prescription for Preparation H. For LET it was just another Monday."

    Hang in there @jordynegen11 ... it gets better. (And then it gets worse. Then it may seem to get better again for a brief while, just long enough to get one's hopes up. And finally one may come to truly understand the wisdom of @Janevski ...)

    In the meantime, it's important to maintain a reliable supply of superior potassium.

    And that's what LET is here for.

    We sort the potassium from the potatoe.

    Always strive to be the best potassium you can be!

  • Hello @jordynegen11 , I'm happy to hear that you didn't go the nulled WHMCS way :smile: .

    I don't quite understand how my previous answers explain multiple security breaches in our infrastructure.

    I am just assuming, as I won't run security tests on your infrastructure without your consent, it would be illegal, but your previous answers showed that you are lacking knowledge regarding security, and since you said you are the tech guy (with Melvin), there is good reason to assume that there may be other security breaches around. Again, not a criticism, I strongly encourage you to take some time to dig up all the possible breaches, and fix/avoid them or find a guy to do so.

    Also please check my previous comment

    I've read the entire thread, and my comment is telling you that disabling this "functionality" is indeed a good idea, but you can't leave this as a customer choice, see my car vendor example. I know everyone wants to satisfy the customer, but customers mainly don't think about security in the first place; this is your role as the tech guy. So what do I do when a customer comes to me with a password request? I kindly explain that we don't store any password, nor do we have the ability to read any encrypted password, therefore they must renew the password, which will be sent to them and never stored/read by our team, as simple as that. Always keep security as the first major concern for your team; your customers will thank you for that.

    Another example of that: in any enterprise network, managed by AD and so on, even the most privileged admin can't see users' passwords, and users are taught to NEVER tell their password to anyone, even the tech guys or whoever, even if they have full trust in him. All the admin can do is reset the password.

    I hope you will use all this feedback to enhance security on your end, because if you don't, one day or another you will have bad surprises, with 2 choices: closing your company or spending a lot of money once hacked to hire a guy like me to get things back online.

    I wish you good luck in this adventure and hope you will do it the good way, happy hosting :smile: .

    Thanked by 2uptime atErik
  • jordynegen11 Member
    edited May 2019

    @Tourista

    I've read the entire thread, and my comment is telling you that disabling this "functionality" is indeed a good idea, but you can't leave this as a customer choice, see my car vendor example.

    I understand. We will consider your tip also this is not live yet.

    I hope you will use all this feedback to enhance security on your end, because if you don't, one day or another you will have bad surprises, with 2 choices: closing your company or spending a lot of money once hacked to hire a guy like me to get things back online.

    We put a lot of time into security for our back-end. That's why we created our own custom encryption method in the first place to store the passwords (days of work just gone now :disappointed: ). There is always a consideration that you must make when you implement such a function, between the pros and cons. And we chose to do it this way. But after your feedback we see it differently now.

    I think our systems are pretty well secured. But you can never be 100% sure of course. No one can, unless you disconnect from the internet :wink:

    I wish you good luck in this adventure and hope you will do it the good way, happy hosting :smile: .

    Thanks!

    Thanked by 1atErik
  • I am jumping on this bandwagon thread. It's nice to see some new offers for one. I would just like to add my comments to the "issues" shown here.

    Constant complaining about the root password being available in the control panel.

    When you reinstall your VPS, as far as I can tell the password it auto-generates gets saved, which is not a problem at all. I assume everyone changes their root password when they first log in or at least uses SSH keys, so I see no issue with this feature in their panel at all. Also, as the host has said, if you change the root password on the VPS, that password does not change the one that is on the panel, rendering the "security concerns" useless. Also there are other hosts that do this, HostHatch for instance.

    Apologies for the rant😁. Good luck with your offers!

    Thanked by 2jordynegen11 pepa65
    Alright, permit me a last comment (yes, I don't have much work today), but I don't want to pollute your thread my friend @jordynegen11, so maybe we should discuss this somewhere else?

    This is not just about a password @TheRealDeal, this is revealing the security policy of his company, so I give him professional feedback, because this is my day-to-day job. When we speak about security, you should never use "I think" or "I assume"; security breaches are real and if you don't bother to find them, well, hackers do.

    When you are the tech guy, it is your role to ensure, not just think, that systems are secured in the best possible way, but indeed you will never reach a 100% secured system without disconnecting from the internet. That does not mean that you shouldn't be trying to reach that goal even if you know you can't; the more you do now when everything runs smoothly, the less you'll have to spend to fix things when it gets broken.

    Speaking of just the password thing, more than 50% of users won't change the password if you don't force them to do so. Plus, you could also request user input for the password when installing the VM instead of generating it, removing the need to send it even once.

    About encryption, unless you are working with an expert, I don't see the point of building your own encryption mechanism. There are industry standards for that, which are certainly better than your home-made encryption. And indeed, once encrypted, you won't be able to decrypt it; this is the ONLY goal of the encryption, there is no point in locking a door with 15 keys if you keep all the keys next to the door. This is why when you encrypt a password, you just compare the encrypted ones, you never decrypt, simply because you can't! If you were able to decrypt, then this encryption mechanism would fall among the compromised ones, as anybody could decrypt with this mechanism.

    Please don't let the "if" or the "I think" blow up your customers' data; make tests, write down results, and fix what needs to be fixed. You can't just say "hey, I rent a house to people, I leave all the doors without locks because I think there are no thieves around here, but it is my customer's responsibility if anything gets stolen, he could have brought a dog to keep the house!": no, you have to install locks on the doors.

    I hope that makes sense at least to you my friend the tech guy @jordynegen11. Oh and yes, I know you are not a kid with no knowledge of SSH, this was just to say that you make yourself look like that if you don't make security your first concern; it's up to you to look like a pro, and your last answers are better :wink:.

    Cheers :smile:

    Thanked by 2jordynegen11 atErik
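The contrast drawn in the two posts above, a password the panel can hand back versus one it can only verify, plus the "send it once, never store it" provisioning flow, as an added Python example that is not Finalhosting's code nor anything posted in this thread. The toy XOR "custom encryption", the PBKDF2 work factor and the record layout are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def generate_password(length: int = 20) -> str:
    """Random password from the CSPRNG-backed secrets module (not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class ReversibleStore:
    """Pattern A, the one the thread argues against: the panel keeps each
    password in a form it can reverse.  A toy XOR with a panel-held key
    stands in for any home-made 'custom encryption'; a strong cipher would
    not change the conclusion, because the key sits next to the data and
    the panel must call reveal() to draw the password on someone's screen.
    Whoever reaches that point (DB dump plus key, or the panel's own code
    path) recovers every customer's password at once."""

    def __init__(self, key: bytes):
        self._key = key
        self._rows = {}

    def _xor(self, data: bytes) -> bytes:
        return bytes(b ^ self._key[i % len(self._key)] for i, b in enumerate(data))

    def store(self, vm_id: str, password: str) -> None:
        self._rows[vm_id] = self._xor(password.encode())

    def reveal(self, vm_id: str) -> str:
        # The mere existence of this method is the problem.
        return self._xor(self._rows[vm_id]).decode()


class VerifyOnlyStore:
    """Pattern B, for passwords the panel genuinely has to check (its own
    logins): salted PBKDF2-HMAC-SHA256.  verify() answers 'is this the
    password?'; there is deliberately no reveal(), so a stolen table yields
    only salts and digests, and an operator cannot read a password either."""

    def __init__(self) -> None:
        self._rows = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def store(self, account: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # fresh salt per stored password
        self._rows[account] = (salt, self._derive(password, salt))

    def verify(self, account: str, candidate: str) -> bool:
        salt, digest = self._rows[account]
        # Constant-time comparison so timing does not leak partial matches.
        return hmac.compare_digest(self._derive(candidate, salt), digest)


def provision_vm(records: dict, vm_id: str) -> str:
    """Show-once flow for a generated VM root password: hand it back exactly
    once for display and keep only the fact that one was issued, never the
    value.  A lost password means reset_vm_password(), not a lookup."""
    password = generate_password()
    records[vm_id] = {"root_password_issued": True}  # assumed record layout
    return password


def reset_vm_password(records: dict, vm_id: str) -> str:
    """The only recovery path: issue a new one-time password."""
    return provision_vm(records, vm_id)


if __name__ == "__main__":
    bad = ReversibleStore(b"panel-key")
    bad.store("vm-1", "Secret123")
    print("pattern A can reveal:", bad.reveal("vm-1"))
    good = VerifyOnlyStore()
    good.store("alice", "hunter2x")
    print("pattern B verifies:", good.verify("alice", "hunter2x"), "| reveal: none")
    recs = {}
    pw = provision_vm(recs, "vm-1")
    print("shown once:", pw, "| stored:", recs["vm-1"])
```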
  • JackH Member
    edited May 2019

    I wanted to chime in on the whole password debacle last night but was too tired to construct a coherent message.

    Security by obscurity never works. Objectively. There are tried and tested encryption algorithms, designs and techniques out there that have had decades of research poured into their development, and decades of attempted attacks, vulnerability assessments and independent audits made against them.
    You developed this yourself. It only takes a bad actor who has a slightly bigger brain than your own to work out how you’ve encrypted your passwords, and that is that.

    Requiring physical access? I don’t buy it. At the end of the day the decrypted password is being drawn on someone’s screen somewhere. If your panel can do it, a bad actor can do it.

    These points aside, I congratulate you on disabling this mechanism and listening to the community response. You’ve also made a great looking panel and it’s nice to see a host that has taken the time to do so.

    I understand that this password is for the VM only and that it can be changed after logging in, but seeing how you handle this single password makes me question how you handle the rest of my personal details including any passwords used elsewhere.

    As a tip for success for the future, bullshitting about security or claiming your security is better than existing alternatives may encourage some customers, but it has done nothing but alienate me and I’m sure many others. For this reason (and this reason alone) you are on my list of providers that I personally will never be buying from.

    I hope that not too many others will see this thread, as if I were in your shoes I’d be very embarrassed by the claims you've made. Hopefully lessons have been learnt and you’ll be able to move forward to grow your host into a successful and thriving business. I wish you all the best, but I’m out.

    Thanked by 2First-Root Tourista
  • jordynegen11 Member
    edited May 2019

    @JackH said:
    I wanted to chime in on the whole password debacle last night but was too tired to construct a coherent message.

    Security by obscurity never works. Objectively. There are tried and tested encryption algorithms, designs and techniques out there that have had decades of research poured into their development, and decades of attempted attacks, vulnerability assessments and independent audits made against them.
    You developed this yourself. It only takes a bad actor who has a slightly bigger brain than your own to work out how you’ve encrypted your passwords, and that is that.

    Requiring physical access? I don’t buy it. At the end of the day the decrypted password is being drawn on someone’s screen somewhere. If your panel can do it, a bad actor can do it.

    These points aside, I congratulate you on disabling this mechanism and listening to the community response. You’ve also made a great looking panel and it’s nice to see a host that has taken the time to do so.

    I understand that this password is for the VM only and that it can be changed after logging in, but seeing how you handle this single password makes me question how you handle the rest of my personal details including any passwords used elsewhere.

    As a tip for success for the future, bullshitting about security or claiming your security is better than existing alternatives may encourage some customers, but it has done nothing but alienate me and I’m sure many others. For this reason (and this reason alone) you are on my list of providers that I personally will never be buying from.

    I hope that not too many others will see this thread, as if I were in your shoes I’d be very embarrassed by the claims you've made. Hopefully lessons have been learnt and you’ll be able to move forward to grow your host into a successful and thriving business. I wish you all the best, but I’m out.

    Well, what do I need to say about this? In the end it's your word against ours. We developed it this way (as explained in part on Discord yesterday). Just because we developed it on our own doesn't mean it's bullshit and not safe.

    Regarding your other personal data:
    Like 99% of all hosters here we use WHMCS and behind that we spend a lot of time securing our infrastructure. And we must. I don't know how that is in your country, but here in The Netherlands we can get very big fines when we don't manage the personal data of our customers the right way...

    And yes, we listened to the community and disabled it, because we care about the opinion of our (potential) customers. But I don't think it's right to make this thread one big mess if 1 guy has a good point.

    We don't need you to buy it, but please as I requested before, just put this behind us. It's done. Don't put more oil on the fire.

    It only takes a bad actor who has a slightly bigger brain than your own to work out how you’ve encrypted your passwords, and that is that.

    Just thinking out of the box: isn't that the case with all security? I can remember 15 years ago: MD5 is super safe!

  • JackH Member
    edited May 2019

    jordynegen11 said: Just because we developed it on our own, doesn't mean it's bullshit and not safe.

    Have you had it independently audited, tested or verified by security professionals/academics?

    jordynegen11 said: Just thinking out of the box: Isn't that with all security?

    Yes, but the difference is with existing solutions one person's brain would need to be bigger than the collective brain size of several thousand industry professionals. With your solution, it's any man's brain against your own.

  • JackH Member

    jordynegen11 said: But I don't think it's right to make this thread one big mess, if 1 guy has a good point.

    If you like we can split this into a new thread titled "Finalhosting's concerning security practices"? :smile:

    Thanked by 2bjo First-Root
  • jordynegen11 Member
    edited May 2019

    @JackH said:

    jordynegen11 said: Just because we developed it on our own, doesn't mean it's bullshit and not safe.

    Have you had it independently audited, tested or verified by security professionals/academics?

    For a fact, we "hired" (it's a good friend but independently) a cybersecurity expert who helped me with this. And yes, he is the real deal, working for big companies such as one of the biggest banks in the Netherlands. This security method using infrared connections is not new, but not very common.

    Also it has been approved by the personal data authority (Autoriteit Persoonsgegevens).

    We are still using it outside our company but not for the passwords anymore. Those infrared transmitters are not cheap...

    As I said I did not give you the full story and I never will, but do not blame us for that.

    If you like we can split this into a new thread titled "Finalhosting's concerning security practices"? :smile:

    NO

    Lets just stop now :smile:

    Thanked by 2pepa65 atErik
  • datanoise Member
    edited May 2019

    JackH said: the collective brain size of several thousand industry professionals.

    While that works for crypto implementation, that doesn't work for everything. And it's really nice that @jordynegen11 developed his own panel.

    A 10-year-old could become a "vps provider" by installing the right software. It doesn't mean that his node will be secure in any way, nor that his software will stay up to date. IMO building a custom control panel implies that the host knows a bit about what's going on on the machines, and that can't be a bad thing. Of course the end result can be pretty bad if security isn't the main concern when writing the code, but there is no way to tell if that's the case without looking at the code, and a similar issue could arise with stalion, the HostHatch panel or any other "self-made" panel.

    Regarding the "root password issue", is that such a big deal? Most serious users will change their password, and at worst it's those who didn't who will get pwned if the passwords end up in the hands of a "bad actor": the whole operation of @jordynegen11 (or HostHatch, for that matter!) wouldn't be compromised. Of course it's better not to save those passwords, or at least not in a way that can be easily decrypted to show them in the panel, but it's not what matters most: if the nodes are secure, well configured and if the host really knows what he's doing, the result can be way better (and more secure) than many "solusvm hosts"...

    tl;dr welcome on LET, @jordynegen11, nice to see another host who's running his own panel!

  • JackH Member

    @jordynegen11 I'd be interested to see the audit. Feel free to drop it to me however :-)

  • JackH Member

    datanoise said: that doesn't work for everything

    Agreed. I am not criticising his panel in the slightest and did commend him for it.

  • JackH Member

    datanoise said: Regarding the "root password issue", is that such a big deal?

    Yes. It shows a complete disregard for basic security practice.

  • donli Member

    @JackH said:

    datanoise said: Regarding the "root password issue", is that such a big deal?

    Yes. It shows a complete disregard for basic security practice.

    Kind of like when providers email people the root password when they provision the server?

    Thanked by 2datanoise pepa65
  • JackH Member

    @donli said:

    @JackH said:

    datanoise said: Regarding the "root password issue", is that such a big deal?

    Yes. It shows a complete disregard for basic security practice.

    Kind of like when providers email people the root password when they provision the server?

    They are not storing everyone's passwords together in one location. In an ideal scenario, the provider retains no email logs for server provisioning making the security of the storage of the unencrypted provisioning password the onus of the recipient.

    Thanked by 2First-Root Tourista
  • uptime Member
    edited May 2019

    JackH said: Yes. It shows a complete disregard for basic security practice.

    hmmm ... perhaps this general point would be a suitable subject for a separate thread not specifically about this particular host, but the many many hosts I've noticed doing the same or similar (as well as the few that don't - that short list which would now include FinalHosting).

    I'm all for raising the bar when it comes to security - for all the players who peddle their wares here (and for those that don't as well).

    LET's be fair here. Good for the geese, good for the gawkers, and that much more fun for the squawkers :)

  • @jordynegen11 said:
    @Tourista

    Let's start with the most obvious, are you licensed with WHMCS ?

    Our invoice was overdue @whmcs 1 day ago, for some reason paypal did not do his job.. :neutral:

    No one could have seen this coming

    @jordynegen11 said:
    But no problem my friend no nulled WHMCS for us:

    "no nulled WHMCS for us"? Does that imply you converted a nulled WHMCS to a non-nulled one?

    @donli said:
    Kind of like when providers email people the root password when they provision the server?

    Those aren't being stored, ever

    @JackH said:

    datanoise said: Regarding the "root password issue", is that such a big deal?

    Yes. It shows a complete disregard for basic security practice.

    Yeah, people who mess up the obvious mistakes (especially those that double-down on them) tend to miss the less obvious stuff too

    Thanked by 1Tourista
  • entrailz Member, Host Rep

    There is nothing I dislike more than a very egocentric person who isn't willing to accept that perhaps their security practices are wrong. When the host (or at least jordy, in this instance) isn't even able to secure their own WHMCS, I lose some hope with regards to anything else they claim.

    If need be, I can elaborate, but I wouldn't trust this host with anything more than fake details at this point.

  • SirFoxy Member

    @datanoise said:

    JackH said: the collective brain size of several thousand industry professionals.

    While that works for crypto implementation, that doesn't work for everything. And it's really nice that @jordynegen11 developed his own panel.

    A 10-year-old could become a "vps provider" by installing the right software. It doesn't mean that his node will be secure in any way, nor that his software will stay up to date. IMO building a custom control panel implies that the host knows a bit about what's going on on the machines, and that can't be a bad thing. Of course the end result can be pretty bad if security isn't the main concern when writing the code, but there is no way to tell if that's the case without looking at the code, and a similar issue could arise with stalion, the HostHatch panel or any other "self-made" panel.

    Regarding the "root password issue", is that such a big deal? Most serious users will change their password, and at worst it's those who didn't who will get pwned if the passwords end up in the hands of a "bad actor": the whole operation of @jordynegen11 (or HostHatch, for that matter!) wouldn't be compromised. Of course it's better not to save those passwords, or at least not in a way that can be easily decrypted to show them in the panel, but it's not what matters most: if the nodes are secure, well configured and if the host really knows what he's doing, the result can be way better (and more secure) than many "solusvm hosts"...

    tl;dr welcome on LET, @jordynegen11, nice to see another host who's running his own panel!

    HostHatch just reskinned SolusVM; it's not a custom panel.

    Thanked by 1datanoise
  • JackH Member

    @SirFoxy said:

    @datanoise said:

    JackH said: the collective brain size of several thousand industry professionals.

    While that works for crypto implementation, that doesn't work for everything. And it's really nice that @jordynegen11 developed his own panel.

    A 10-year-old could become a "vps provider" by installing the right software. It doesn't mean that his node will be secure in any way, nor that his software will stay up to date. IMO building a custom control panel implies that the host knows a bit about what's going on on the machines, and that can't be a bad thing. Of course the end result can be pretty bad if security isn't the main concern when writing the code, but there is no way to tell if that's the case without looking at the code, and a similar issue could arise with stalion, the HostHatch panel or any other "self-made" panel.

    Regarding the "root password issue", is that such a big deal? Most serious users will change their password, and at worst it's those who didn't who will get pwned if the passwords end up in the hands of a "bad actor": the whole operation of @jordynegen11 (or HostHatch, for that matter!) wouldn't be compromised. Of course it's better not to save those passwords, or at least not in a way that can be easily decrypted to show them in the panel, but it's not what matters most: if the nodes are secure, well configured and if the host really knows what he's doing, the result can be way better (and more secure) than many "solusvm hosts"...

    tl;dr welcome on LET, @jordynegen11, nice to see another host who's running his own panel!

    HostHatch just reskinned SolusVM; it's not a custom panel.

    I'd say that it is both a panel, and custom. If something that is both custom and a panel is not a custom panel, then what is a custom panel? :-P

    In all seriousness, I don't think reskinning Solus is necessarily a bad thing. It's refreshing at the very least. ;-)

    Thanked by 1SirFoxy