So, we started malware scanning using Linux Malware Detector from R-FX Networks a few weeks ago, and what it’s been able to find is really astounding. Clients’ sites are getting exploited at a pretty fearsome rate, and these days it’s just kind of become “the way it is”. It’s just part of being on the Net, that you have to be aware and vigilant and be mindful of your security.
Ok, hosts know that. The memo never seemed to make it to a lot of the clients.
I’ve always been a bit of a security nut, and shared hosting is kind of a strange beast in a lot of ways. Common security protocol: lock the box down so only the people that are supposed to have access to it have access to it. Common shared hosting issue: all and sundry coming in from anywhere in the world have to be able to get to the box. Common security protocol: only install interactive things that you understand and secure. Common shared hosting issue: when you can install something with a button click, you really don’t have to understand a damn thing beyond clicking a button.
Years ago, you knew when someone was on your box – they tried to ram torrents of crap through it before you caught them making the load go through the roof so you knew unequivocally there was a problem. Now? They’re stealthy, and they don’t want you to catch them, so it’s quiet. Like a creeping death.
I got tired of being smacked in the face with directories full of crap while taking a stroll through the servers, so now I scan every day. I haven’t automated notifications, and I decided that as tempting as it was to flip on the automated “suspend it OMG NAO” option (oh, you have no idea how tempting it was) as soon as there was a hit, the simple fact is most people don’t bother to read anything whatsoever about site security before having a site and I know that they have no idea what’s going on. So I give them a chance to come up to speed on things.
So my mornings are spent cutting and pasting reports to the individual clients and hoping I get a response and don’t get backed into a corner where I have to kick them off. I know, I know, I should automate it. It’s on the to-do list. You know, the one that just keeps getting longer.
Luckily, LMD cleans a lot, so not hearing from them is concerning but not earth-shattering. The ones that come up day after day after day just make me want to cry. Ignoring me when you are serving crap to your visitors on my network will not make me care less that you are serving crap on my network. I’m continuously amazed at how many people get web sites and don’t realize that they are, in fact, an administrator.
Of course, in general it’s our industry’s fault for selling the false security. In our industry, we all market to people that don’t know anything and we do our best to present how easy it is, how flawless you can make it work, how you don’t need to know anything. And then in our TOS we remind them they damn well better know what they’re doing before they pull any fancy shit on our servers, damn it, or we reserve the right to TOS them right out on their butt whenever we gosh darn well please (usually said in a much more legalese way). Despite a river of security-minded blog posts on the company site, I’m no less guilty of that than anyone else.
I honestly wish I could afford to secure hacked sites for $4.58/m. Unfortunately, it’s just not cost-effective to do it, because between the securing and the conversation explaining how to stay secure, I’ve lost hours I can’t afford to lose, and I can’t have my staff losing hours, either. Sometimes, it’s frustrating when you want to do more, and you can’t.
Want to make your web host happy? (Me or anyone else.) Keep your site upgraded. Honestly. Don’t send me thank you cards, or brownies, or t-shirts, or flowers. Just keep your stuff patched.
I realize that this sounds very much like your Mom telling you when you were 10 that the best thing you could give her was just to keep your room clean and to do your chores…
Well, that’s because it’s exactly the same and, damn it, we both mean it.

