Extra Web Security to be enabled on all websites (Policy Change)


#1

Does this really mean that DH are going to make a web server config change, known to break some apps, on /every/ hosted web site, even those on dedicated servers?

Or have I misunderstood?

Chris

Extra Web Security to be enabled on all websites (Policy Change)

Posted: Mar 17th, 2005 - 01:18:42 PM PST (15 hours 0 mins ago)

We recently unveiled our Extra Web Security feature that acts as a sort of firewall for your
website, protecting it from many common hacker attacks. The feature is optional and has been
available for you to turn on yourself up to now. We are now going to take the next step and will
be enabling it on all of our hosted websites next week. You will still have the option to disable
it yourself but doing so will accept all responsibility for any unauthorized access to your
account resulting from a security hole in your website software. Please contact our support
team right away if you have any questions or concerns regarding this.


#2

They are making an effort to secure their servers. They have offered the option as an option for a while to let everybody check if it works for them or not. Notice that they’re now changing the default setting but everybody can still manually turn it off, per domain (even per subdomain).

I see your point but I find it good that

  1. DH is actively making an effort to secure their hosting services,
  2. DH is providing a backup for those where the setting is problematic,
  3. DH is offering a trial period (though they didn’t call it that),
  4. DH is informing you in advance and lets you test and choose what works best for you.

Isn’t that a friendly, open, good and responsible way of managing hosted security?

TorbenGB
Try out DreamHost with a free WebIDPrices, options


#3

[quote]They have offered the option as an option for a while
to let everybody check if it works for them or not.

[/quote]

Not according to any Announcement I can see.

[quote]4) DH is informing you in advance and lets you test and choose what works best for you.

[/quote]

Ditto.


#4

This was announced a while back; in an announcement or in the “newslettery”.

In any case, they’ve let you enable this per-domain through the control panel for a while, and there was some discussion in the forum at that time, too. Try searching for it; I don’t have the exact details here but you can find them as quickly as I can.

So if you’ve tried it with success, you know it works and you won’t mind this new default setting. If you’ve tried it and found it broke (insert your tool here), then you know it won’t work and you can ask DH to not turn it on for that particular (sub)domain, or disable it yourself if they do enable it.

Cheers,

TorbenGB


#5

As stated in the announcement, which apparently you haven’t read in its entirety, “You will still have the option to disable it yourself.”


MacManX.com
I don’t work here. I’m just your typical support forum volunteer.


#6

I wonder what makes you think I didn’t read that. Because it makes no difference to the fact that this web server config change could break people’s sites.

Unless you are suggesting the hapless site owner checks the config continuously all through the “next week” in which DH say at some point they are going to make the change, so he can immediately change it back before one of his users makes a page fetch that experiences the breakage.

If DH really do have to go live with such a cut-back, the responsible way to deploy it is to put the config option into a pending state, and then give an adequate notice period during which the site owners can uncheck it before the live date.

“Break first, fix after” is not the responsible way.


#7

[quote]This was announced a while back; in an announcement
[/quote]

As I said: nowhere I can see, and certainly not in

[quote]…> New “Extra Web Security” feature! (New Feature)
…> Posted: Jan 7th, 2005 - 11:08:16 AM PST (2 mons 9 days ago)

or in the “newslettery”.

[/quote]

Nowhere I can see there either. Nor in the rest of the KB. I think you are mistaken, Torben.

[quote]you can ask DH to not turn it on for that particular (sub)domain
[/quote]

… creating extra work for the staff

[quote]or disable it yourself if they do enable it.
[/quote]

… letting the site break first.

“Fail unsafe” is not a professional way to deploy such updates.


#8

DH has a right to make a change to the default set-up that WILL add a level of security that protects its servers from most hacking attempts and WILL NOT have a negative effect on 99% of the scripts running here. Folks have been testing it for two months here and for years at servers around the world. Mod_security is a great feature and I am glad DH has decided to enable it for users. I sleep better at night because my sites are more secure.

Anyone who can’t figure out how to override a default setting in their control panel probably shouldn’t be installing scripts at their sites anyway.

Think about it folks, with fewer hacks and holes to deal with, DH will have more time for user support. It’s a jungle out there and these servers are getting hit by potential hackers ALL the time.


#9

[quote]DH has a right to make a change to the default set-up that WILL add a level of security …

[/quote]

So what? Since DH has a right to make a change regardless.

[quote]I am glad DH has decided to enable it for users.

[/quote]

This announcement is about DH deciding to enable it for /itself/. DH’s enablement for users a while ago is a separate matter.

[quote]I sleep better at night because my sites are more secure.

[/quote]

You are definitely confusing the two.

[quote]Anyone who can’t figure out how to override a default setting in
their control panel probably shouldn’t be installing scripts at their sites anyway.

[/quote]

Pray tell us how one is supposed to override the setting /before/ it breaks a site?

[quote]Think about it folks, with fewer hacks and holes to deal with,
DH will have more time for user support.

[/quote]

Think about it folks,… disabling all CGI would do that even better.


#10

You’re over-reacting here. No site will be permanently broken. If your site is broken, and apparently there aren’t many that will be, you just disable the option to fix your site.

You are definitely confusing the two.


MacManX.com
I don’t work here. I’m just your typical support forum volunteer.


#11

You’re definitely blowing this way out of proportion. The reason why DH isn’t disabling CGI all together is because disabling CGI will break almost every DH-hosted site. Enabling mod_security will break very few, if any, DH-hosted sites. Think about it folks, with fewer hacks and holes to deal with, DH will have more time for user support.


MacManX.com
I don’t work here. I’m just your typical support forum volunteer.


#12

Hi Chris,
Don’t argue with me; argue with DH. Though I didn’t provide a reference to where it was announced, it was announced in some way or I wouldn’t have noticed. I’m just telling you what I know and hope it’s helpful. I have no problem with mod_security, so I didn’t worry further about it.

TorbenGB


#13

[quote]it was announced in some way or I wouldn’t have noticed.
I’m just telling you what I know and hope it’s helpful

[/quote]

If you could tell me where it was announced, that would indeed be helpful. But I think you’ll find it wasn’t, Torben. Thanks anyway.


#14

Thanks, I had checked that, but that’s hardly the :

[quote]They have offered the option as an option for a while
to let everybody check if it works for them or not.

[/quote]

that alerts users to the fact they /need/ to check if it works for them, because DH will later, out of the blue, announce “we are going to take the next step and will be enabling it on all of our hosted websites next week”.

It’s fine for DH to deploy updates that can enhance service on opt-out. It is not fine for DH to deploy updates that can degrade service on opt-out - such (this included) should be on opt-in.


#15

[quote]What’s the big deal?

[/quote]

The deal is you don’t have the option of existing service uninterrupted. This deal is big if your sites cannot afford service interruption.

As for

[/quote]

err… don’t we anyway?! :wink:

[quote]report it to Support and obviously they’ll take that into consideration.

[/quote]

Will do. Thanks for the advice, Bob.


#16

Well thanks for your trust, Chris. I’ve searched the forum and my mailbox and easily dug out these two items which I hope will be useful to you. Of course, not all software packages have been tested with this mod_security, so you should try to enable it for your domain and test it out, then revert it to off if you don’t think everything still works.

  1. You’ll find this post if you search the forums:
    http://discussion.dreamhost.com/showflat.pl?Cat=&Board=forum_troubleshooting&Number=14702&page=&view=&sb=&o=&vc=1
    It even states that they’re announcing it on 12/13/04. If you read the thread, then you’ll see that several folks noted that all of their stuff works even with the mod_security turned on.

  2. We indeed got an announcement, as it appears below:

[quote]
Subject: [Announcement] Extra Web Security
Date: Mon, 13 Dec 2004 18:13:44 -0800 (PST)
From: DreamHost Announcement Team support@dreamhost.com
To: Mr Torben Gundtofte-Bruun <@ removed>

We have added a new feature that can be enabled on any domain fully hosted with us. The
feature is called ‘Extra Web Security’ and can be selected when adding a new domain or added
to an existing domain by editing the domain’s Web service here:

https://panel.dreamhost.com/index.cgi?tree=domain.web&

Additional documentation about this feature can be found here:

https://panel.dreamhost.com/kbase/index.cgi?area=3040

This feature is known to be incompatible with at least a few server scripts that are being run by
some of our customers, though it works fine with the majority of all software. It is advised that
you test out this feature on a test sub-domain before enabling it on your live website.

Happy DreamHost Web Security Team


The preceding was a New Feature announcement, sent 2004-12-13 14:24:07.

You are receiving it via email because it is level 2 and
your account is set to get announcements of that level via email.
You can change that by visiting our web panel’s announcement
area at: https://panel.dreamhost.com/?tab=status&subtab=announce

Thank you for taking the time to read this announcement,
The Happy DreamHost Announcement Team
[/quote]

TorbenGB


#17

I did trust you Torben, or I wouldn’t have bothered to look. I did find the postings you cite, but in neither did I see:

[/quote]

with even the remotest suggestion we /needed/ to check because DH were about to turn it on regardless. OK, perhaps my mistake in interpretation, and everyone else did spot the urgent need. My apologies to you.

So onward… Consider those who did spot the need, did check, and finding it bust their sites, turned it OFF. Now DH are going to overwrite that critical setting and turn it ON, busting the sites again. That’s not good service and surely not up to DH’s usual standard.

[quote]…> Notice that they’re now changing the default setting
…> but everybody can still manually turn it off, per domain

[/quote]

Torben, this is not just “changing the default setting”. This is changing every site’s /live/ setting. Web site config is hard enough as it is without little faeries flitting in and undoing my panel changes.


#18

You’re over-reacting here. No site will be permanently broken. If your site is broken, and apparently there aren’t many that will be, you just disable the option to fix your site.


MacManX.com
I don’t work here. I’m just your typical support forum volunteer.


#19

Agreeing with MacMac here, let me put out a few points.

[quote]I did find the postings you cite, but in neither did I see [ … ]
because DH were about to turn it on regardless.
[/quote]

Granted, they did not at that time say that they were planning to turn it on globally. I’m almost certain that they did NOT plan that at the time. So you’re right: they did not at that time warn us or suggest that we check it out.

  • My point here is that it’s there, it’s a new feature, it’s about security, why not try it? Some people thought “let’s try this new thing and see if it works, at least it can’t harm to try” and found that it didn’t break the site, so it’s all fine. A few problems were reported, so these are known. Those who don’t try it don’t know whether it even works or breaks their sites.

[quote]Now DH are going to overwrite that critical setting and
turn it ON, busting the sites
[/quote]

Considering my past positive experiences with DH, I am certain that individual users that are concerned can write to DH and say please exclude my site from this new setting. Besides, if you’re really concerned, create a mirror site and test the mod_security there before you try it on a real live site. If your site is really that crucial, then I bet you have a pre-production environment as well … or do you do your implementations on the live code?

[quote]Web site config is hard enough as it is without little
faeries flitting in and undoing my panel changes.
[/quote]

First, I consider these faeries a service, not a disease. They actually help us to make our sites more secure and thereby save us the risks of break-ins, data loss, and whatnot. So I’m in favor of faeries, as long as we know in advance what they do and we get a chance to speak up – all of which is available to us.
I don’t feel that this change is all that disruptive. It’s not like they’re terminating PHP+MySQL and offering only ASP/Access instead, right? This is a teeny detail that works on almost everything and you can check if it also works for you; either in a low period on your live site or in your pre-production mirror site.

I get the impression that you operate a site that can’t afford downtime, so therefore I’m going to assume you’re also using a development and/or preproduction “staging area” where you try out your new stuff before you put them live. Why not treat this “faerie gift” the same way, see if it works, and have DH not enable it on your site if you prove it’s bad?

If DH won’t or can’t help you with that, then you’re rightfully complaining that they are forcing you to break your live site, and then we do agree that this is bad. But even then, you can ask to be informed of the exact time when they do turn it on, so you can turn it off again immediately afterwards. Anyway, if it does break your site, you’ll see it right away and it’s a one-minute task to fix it.

TorbenGB
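Both the announcement quoted in #16 (“test out this feature on a test sub-domain before enabling it on your live website”) and the staging-mirror advice in #19 come down to the same check: send the requests your site actually serves to a copy with the filter on, and see which ones it now rejects. The script below is an added example, not code from the thread or from DreamHost. It assumes the filter answers rejected requests with 403 or 406 (the statuses mod_security-style filters commonly returned; adjust `BLOCKED_STATUSES` if your host uses others), and the request list and the offline stub responses are constructed for illustration. Run it against a real baseline host and a real test subdomain by passing both base URLs on the command line.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the request filter rejects with one of these statuses.
# Anything else counts as "the request got through".
BLOCKED_STATUSES = {403, 406}

# Constructed sample of the requests a site's real users make.
# Replace with the pages and form posts your own scripts serve.
REQUESTS = [
    ("GET", "/", None),
    ("GET", "/blog/index.cgi?page=2", None),
    ("POST", "/guestbook.cgi",
     {"name": "Chris", "comment": "Please select a colour from the list"}),
    ("POST", "/login.cgi", {"user": "chris", "pass": "correct-horse"}),
]


def http_fetch(base_url):
    """Return a fetch(method, path, data) callable that talks to a live host."""
    def fetch(method, path, data=None):
        body = urllib.parse.urlencode(data).encode() if data else None
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     data=body, method=method)
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 403/406 and friends arrive as exceptions
    return fetch


def stub_fetch(overrides):
    """Offline stand-in for http_fetch: everything answers 200 unless overridden."""
    def fetch(method, path, data=None):
        return overrides.get((method, path), 200)
    return fetch


def run_suite(requests, fetch):
    """Send each request once and return {(method, path): status}."""
    return {(method, path): fetch(method, path, data)
            for method, path, data in requests}


def find_regressions(baseline, filtered, blocked=BLOCKED_STATUSES):
    """Requests that got through in the baseline run but are rejected with the filter on."""
    return sorted(key for key, status in filtered.items()
                  if status in blocked and baseline.get(key) not in blocked)


def report(regressions):
    """Human-readable summary lines for the regressions found."""
    if not regressions:
        return ["No requests newly rejected; the filter looks safe for this request set."]
    return (["Requests newly rejected with the filter enabled:"]
            + [f"  {method} {path}" for method, path in regressions])


# Constructed offline runs: the baseline answers everything with 200; with the
# filter on, the guestbook post (benign text that happens to contain the word
# "select") comes back 403, the classic keyword-rule false positive.
BASELINE_RUN = run_suite(REQUESTS, stub_fetch({}))
FILTERED_RUN = run_suite(REQUESTS, stub_fetch({("POST", "/guestbook.cgi"): 403}))

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python smoke.py http://www.example.com http://test.example.com
        baseline = run_suite(REQUESTS, http_fetch(sys.argv[1]))
        filtered = run_suite(REQUESTS, http_fetch(sys.argv[2]))
    else:
        baseline, filtered = BASELINE_RUN, FILTERED_RUN
    print("\n".join(report(find_regressions(baseline, filtered))))
```

The point of comparing two runs rather than just looking for 403s on the test subdomain is that a path which is already forbidden or broken on the live site is not a regression caused by the filter. The list of newly rejected requests is also exactly what you would hand to support when asking for a domain to be excluded, or use to decide which form fields need a workaround before the default changes.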


#20

[quote]it’s there, it’s a new feature, it’s about security,
why not try it?

[/quote]

No reason. My point is not that people shouldn’t try it (though there is good reason they’d not). My point is that having tried it, found it bust the site, and turned it off, one now gets an announcement from DH saying they are going to turn it on regardless.

[quote]… at least it can’t harm to try

[/quote]

Torben, you seem to be having a problem remembering the announcement that you yourself quoted:

“This feature is known to be incompatible with at least
a few server scripts that are being run by some of our customers”

Perhaps you’re not interested in uptime and data integrity. ITYF many others are.