Reconsidering H-Sphere
I'm reconsidering H-Sphere, but have some questions about things that I disliked in the past.
1. Is there a way to bill for dedicated servers, or miscellaneous services?
2. In SiteStudio, I see now it has a WYSIWYG editor. Does that mean that you can create a site using SiteStudio and then customize it with this new editor? Can it save as HTML? Can SiteStudio sites now be moved to new server during migration?
3. Has any more effort been made for security? Such as chroot, suexec or openbasedir? H-Sphere is the only control panel I've been hacked on.
4. Is there a program like Fantastico for cPanel, to let the customers automatically install popular scripts?
5. Can resellers escalate tickets to top level?
6. Is there now a way to change a plan for a user that is not in a plan group? For example if I had a special plan that I don't want existing customers switching to, but don't mind if people on that plan switch to others, can I either prevent this or do it for them without having to create a temporary group?
7. When adjusting settings in H-Sphere, do customers still have to click that apply settings link that they always forget to click?
Thanks,
Neofree
dynamicnet
09-28-04, 10:52
Greetings NeoFree:
1. Is there a way to bill for dedicated servers, or miscellaneous services?
A. Yes, through custom jobs.
We are currently using H-Sphere to bill for all of our managed service and security work even though none of those customers host with us.
B. Positive Software is currently working on a dedicated server package; details are in the customer only area.
2. In SiteStudio, I see now it has a WYSIWYG editor. Does that mean that you can create a site using SiteStudio and then customize it with this new editor? Can it save as HTML? Can SiteStudio sites now be moved to new server during migration?
Yes, you can customize it. I am not sure about the other questions / answers.
3. Has any more effort been made for security? Such as chroot, suexec or openbasedir? H-Sphere is the only control panel I've been hacked on.
Per previous discussions, Positive Software creates an environment which allows security professionals to create a very secure environment.
Some systems tie the hands of such professionals; and allow for insecure environments to be created because you have to wait on the vendor for updates.
4. Is there a program like Fantastico for cPanel, to let the customers automatically install popular scripts?
Not that I am aware of, but with 2.4.x you can create your own.
5. Can resellers escalate tickets to top level?
Not that I am aware of.
6. Is there now a way to change a plan for a user that is not in a plan group? For example if I had a special plan that I don't want existing customers switching to, but don't mind if people on that plan switch to others, can I either prevent this or do it for them without having to create a temporary group?
On our wish list; not at present.
7. When adjusting settings in H-Sphere, do customers still have to click that apply settings link that they always forget to click?
Yes.
Thank you.
1. So I can add a custom job such as onsite support for some users, and a dedicated server through that? But don't they still need some sort of account, like e-mail only or something before I can use custom jobs? PSoft's upcoming feature looks like what we want. Surprised someone said it wasn't a high priority though, seems like one of the biggest issues since I started a couple years ago.
2. Anyone else know?
3. Are you saying that I could manually install suexec to *automatically* work for everyone? And chroot to *automatically* work for everyone?
Disappointing on the rest of the issues.
profitability
09-28-04, 12:18
Neofree,
You might have a look at a recent thread in which some components of security with HSphere were discussed: http://forum.psoft.net/showthread.php?t=9553
Andrew
dynamicnet
09-28-04, 13:06
Greetings Neo:
1. So I can add a custom job such as onsite support for some users, and a dedicated server through that?
Correct.
But don't they still need some sort of account
Correct. But zero services can be assigned to the account.
3. Are you saying that I could manually install suexec to *automatically* work for everyone? And chroot to *automatically* work for everyone?
Did I mention suexec, chroot, etc?
To recap what I stated:
"Per previous discussions, Positive Software creates an environment which allows security professionals to create a very secure environment.
Some systems tie the hands of such professionals; and allow for insecure environments to be created because you have to wait on the vendor for updates."
Thank you.
Disappointing on the rest of the issues.
Yes you stated that you can do your own security. So I asked, can I make that possible without breaking H-Sphere, in other words.
Not that I am aware of, but with 2.4.x you can create your own.
This was in response to Fantastico-style installs. Is there a doc page on this? (I can't seem to find it....)
Cheers,
Ray
dynamicnet
09-28-04, 15:36
Greetings Ray:
1. See the packaging area on http://www.psoft.net/HSdocumentation/customization/index.html
2. http://forum.psoft.net/showthread.php?t=9422&highlight=postini is an example of using packages to add a new feature to H-Sphere to work with Postini, courtesy of Igor.
===
Greetings NeoFree:
"Yes you stated that you can do your own security. So I asked, can I make that possible without breaking H-Sphere, in other words."
If you are a trained system admin, you can add a number of custom security features including suexec (PHP and otherwise).
Personally, I've not tried chrooting; jails can be broken.
There are how to documents on PHP SuExec by the way.
Thank you.
"Jails can be broken"
Windows can be broken to get into a car, does that mean we shouldn't have locks?
PSoft continues to have a bad attitude on security, I will continue to use cPanel.
Thanks,
Neofree
dynamicnet
09-28-04, 20:51
Greetings Neofree:
1. Please keep in mind our company is not Positive Software. So please don't judge Positive Software if I state anything you don't like to hear.
2. Positive Software, in my opinion, has the greatest attitude towards security:
A. They release updates as it relates to them promptly. In the past three years, all critical security issues have been dealt with in under 24 hours.
B. They do not bind the hands of security professionals like some other systems.
Thank you.
Greetings Neofree:
1. Please keep in mind our company is not Positive Software. So please don't judge Positive Software if I state anything you don't like to hear.
2. Positive Software, in my opinion, has the greatest attitude towards security:
A. They release updates as it relates to them promptly. In the past three years, all critical security issues have been dealt with in under 24 hours.
B. They do not bind the hands of security professionals like some other systems.
Thank you.
1. Doesn't matter. You are always here on this topic, they do not say otherwise and Igor has shown similar views in other threads.
2. A. Agree with you on A.
B. Disagree. I do not see how adding chroot support and suexec support (which already they provide instructions to do on a per user basis, why can they not make an option to make it do it automatically by default). I think maybe openbase dir can be done but even control panels as tight as Ensim this can be done. Also PHP5 I believe eliminates the need for suexec or openbasedir AFAIK. Most importantly, PSoft already developed chroot support and beta tested it, but never brought to production. Every other major panel has this support now. Even if it can be broken it still slows down people from getting at other parts of the filesystem that they never need to get to. It also allows you to limit what binaries they can run.
I may still need to use H-Sphere because it most fits my business plan and budget, but still find this extremely frustrating. Even Ensim now has taken steps to allow more flexibility but maintain higher state of security.
Thanks,
Neofree
PSoft continues to have a bad attitude on security, I will continue to use cPanel.
cPanel is tight on security? Man, that thing is the most hacked piece of software I've seen! I understand everyone has diff't business reqt's - if HSphere does or doesn't meet yours that's cool, but the security of HSphere is pretty tight in comparison. Lacking a chroot or jail system is pretty small in the grand scheme of 'most' web hosts. Few people I've seen around barely understand what it entails and the benefits or shortcomings of it in general. The fact they don't have it in publication doesn't mean they have a 'bad attitude' on security. If you're telling people cPanel is tight and HSPhere is not - you're off base.
If you're telling people cPanel is tight and HSPhere is not - you're off base.
I agree with you totally as I migrate pissed off users from "Secure Ha Ha" Cpanel to Hsphere .. What a pile of junk Cpanel is .. I am amazed anyone even considers point and click security admin is a good thing ..
That Rant over .. yah .. Cpanel makes my life less fun .. Hsphere mostly makes it easier .. Simple ..
Lady Linux :cool:
Ok ..
One last thing
At least post the Thread in the correct Forum .. Troubleshooting .. What does this have to do with that .. ??
You don't trust Peter .. Well ok .. You were not reconsidering anything ..
Lady Linux
cpanel, hsphere, or whatever is only partially dependent on the cp for security. The rest is left up to the administrator to secure the server. One of the reasons we see so many cpanel security problems is because there are a lot of new server administrators who just assume cpanel will handle all security and they don't bother doing anything else.
dynamicnet
09-29-04, 08:10
Greetings David:
Agreed.
Security for the operating system and applications should be left to the security team.
Thank you.
This is the exact bad attitude I speak of, that only seems to be present with H-Sphere folks.
Firstly, you say leave it to security team. Well I'm not sure that chroot can be done by myself, I think H-Sphere would have to support enabling the chroot.
Most importantly this feature needs to be added for customer satisfaction, just like any other business. Whether or not a few of you think it is needed doesn't mean that a lot of us think this would be important.
Also, whether or not the security can be broken is not very relevant. It still adds an additional layer, and if nothing else it at least provides a cleaner SSH by not allowing the customer to see things that are not their own. They could go off somewhere else in the file system and think they're in their space.
It just seems everyone here would rather argue against improving security than doing anything about it. Again, I don't think this can be done ourselves.
Thanks,
Neofree
dynamicnet
09-29-04, 11:12
Greetings Neofree:
Chroot does not make or break security.
Why don't we, with years of experience in security and server administration, offer SSH (jailed or otherwise)?
Because, a human being on payroll (or otherwise contracted for $) would have to monitor the server(s) where SSH is allowed 24x7x365 to ensure SSH was not abused.
Why offer an additional layer of security which requires 24x7x365 live management in order for it to be effective?
Neofree, a lot has been done about security in terms of documenting reasonable steps; and a security professional can go far above and beyond any documented steps.
For our RedHat and CentOS customers, we have a completely automated firewall system that automatically adjusts itself based on real time monitoring of log files.
That plus other, practical (key word), manageable layers are the key.
I will be among the 1st to speak that security must be done in layers; but the layers have to be practical and manageable.
In ending, I am sorry you believe Ensim and Cpanel are very secure (there are hack reports several times a week on both control panels at EV1Servers) compared to H-Sphere.
Thank you.
Getting tired of repeating myself. If nothing else it would provide a cleaner SSH environment. So the purpose of feature could be just making a simpler and easier interface than a security enhancement. Besides that, I think you're just flat wrong, chroot is a simple feature to install and does add an additional layer. By not being able to browse the file system the customers have a less understanding of the structure that is in place, because it can vary. Also by limiting the binaries available, the potential hacker will not have every networking tool available to them and other tools. Even w and top can aid a hacker, and they are not enabled in Ensim by default.
I do agree with you that system admins must not assume it's safe and must take additional steps, never disagreed there. But these things are simple things that need control panel support to work properly and should be done, IMHO.
Thanks,
Neofree
This is the exact bad attitude I speak of, that only seems to be present with H-Sphere folks.
Actually, we went from cpanel to h-sphere and have just recently migrated all of our accounts off of both of those and onto plesk servers, and all throughout each cp, security has been more than just the cp for us regardless of whether it's h-sphere or something else.
Firstly, you say leave it to security team. Well I'm not sure that chroot can be done by myself, I think H-Sphere would have to support enabling the chroot.
True, this is something that would probably be better handled by the cp, but is not something h-sphere offers yet. Personally, I still don't really trust anyone's 'secure' chrooted environment so we've always left this as a restricted feature anyway.
Also, cPanel, Plesk and Ensim have far more customers than H-Sphere. You will hear more complaints just because more customers exist. With providing support to other H-Sphere owners I can tell that many people don't do anything to secure their system with H-Sphere as well. So out of the box they are still more insecure than others. The only system I've been hacked on to date is H-Sphere. I'm actually very nervous to run it again, even though I *did* take many steps to secure my system separately than just installing it.
Hello,
If nothing else it would provide a cleaner SSH environment.
Shell is something only a qualified trusted system admin should have access to .. With Cpanel .. I have noticed Resellers having quite a bit of security control enabled in the system by default. This usually leads to some hacker/spammer/scumbug almost always buying Cpanel accounts to pretty much destroy the system.
Also by limiting the binaries available, the potential hacker will not have every networking tool available to them and other tools. Even w and top can aid a hacker, and they are not enabled in Ensim by default.
Limit them from what ??? Jailshells are hard to maintain .. Add extra holes into the system and restrict top level monitoring .. Personally If I only have a few places to look for vectors of attack its much better than scanning every user for what they did the day before.
Let me say one thing .. And this is my last word. I came from a hack free world .. The only reason the Internet is such a HUGE Mess is the proliferation of Easy to use Swiss Army style Operating Systems and programs running on top of them. I seriously doubt that most people counter pointing here are "Sage" enough to understand how to truly secure a system.
That would explain the frustration I see with point and click admin.
Giving in to that type of thing is exactly why The Top Administrators Of PSOFT .. who do work on these systems every day wish you would just find that other panel. Psoft becomes what you want .. I'm history and I'm sure the bulk of PSOFT's customers would be also.
Rant Over .. Final Word
Lady Linux
dynamicnet
09-29-04, 11:51
Greetings Neofree:
The only system I've been hacked on to date is H-Sphere. I'm actually very nervous to run it again, even though I *did* take many steps to secure my system separately than just installing it.
Did you contract with or otherwise hire a security professional?
How to documents are great, but they are not a replacement for someone who knows what they are doing; and how to apply that knowledge, experience, and wisdom to your particular system.
Besides that, I think you're just flat wrong, chroot is a simple feature to install and does add an additional layer.
Based on what security administration background are you making your observation?
Thank you.
profitability
09-29-04, 12:30
3. Are you saying that I could manually install suexec to *automatically* work for everyone?
Yes: http://forum.psoft.net/showthread.php?t=5504&highlight=suexec
And chroot to *automatically* work for everyone?
Maybe...there's been some work done on it, but I'm not sure it's 100% there yet. mrbeans could probably shed some more light on the subject: http://forum.psoft.net/showthread.php?t=6670&highlight=chroot
Andrew
As a company moving from cpanel to h-sphere I concur that overall I find h-sphere to be a better environment entirely, I mean how many times have you had cpanel break due to overnight upgrades? They've even overrode the "no automatic upgrades" settings on occasion.
I've been doing server admin for years and in that time have had only a few requests for SSH access, right now I think I have 2 clients (that I actually know personally) that have SSH access enabled. We use hosts.deny/allow to help lock down SSH to only known IPs for access.
No system is 100% secure online, if you want a secure computer then unplug it from the network and you will be close, of course you will have to trust those with local access not to figure out any local root exploits.
Basically do NOT offer SSH access by default, insist on proper identity methods for those who request it and insist on valid reasons for requiring it, "editing files with vi" is NOT a valid reason as far as I'm concerned. Anyone who feels they need shell access will likely have a home Linux system, they can edit/test on there, production servers are not testing grounds.
H-Sphere definitely requires an admin with more knowledge of the basic Linux/BSD system, there also seems to be a better or at least more knowledgeable support/user base surrounding it, just look at the Cpanel forums to see the mess support is there. I've tried several times to resolve nagging Exim issues and posting to the forums there is next to useless, meanwhile the same nagging issues exist with nobody able to offer an answer to fix them. So far every issue I've encountered with H-Sphere has been handled well by either Psoft or with a search of these forums.
The control panels should be considered a shell for your end users to better manage and use the hosting services you provide. The underlying OS is still something that requires a knowledgeable admin to manage.
If I were to offer any sort of shell access I would definitely be doing it via a VPS solution rather than trying to lump it in with my general hosting services, 95%+ of hosting clients have no need or desire for SSH.
ladylinux:
You can link many of the binaries and even prevent the user from adding more. Some find the chroot a benefit to be able to install additional bin's though, but you can keep from having to maintain all of them. You could lock them from writing to anywhere than their home directory, so no real change there.
dynamicnet:
Here's a good article: http://www.bpfh.net/simes/computing/chroot-break.html
Two things of interest:
1. To break out you need another root vulnerability. If you harden and patch consistently, you can greatly decrease this risk.
2. FreeBSD seems exempt from this. Does H-Sphere not support FreeBSD?
Dynanet:
I get asked almost daily if our plans include SSH access. I'm not too sure how I'd make enough sales if I was really strict here. Another note on security... FTP is not a secure protocol. I regularly use SCP to copy files to and from the server instead of FTP. But SCP requires SSH access.
profitability: Thanks for the links :)
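An added example, not part of any poster's message and not H-Sphere code: a small audit of a chroot tree for the points argued above (setuid/setgid binaries inside the jail, device nodes, and anything outside the users' home area that a non-root account can write or owns). The function names, the `home` layout and the sample tree are assumptions constructed for illustration.

```python
import os
import shutil
import stat
import tempfile


def audit_jail(jail_root, home_subdir="home", trusted_uid=0):
    """Return sorted (issue, relative_path) findings for a chroot tree."""
    jail_root = os.path.abspath(jail_root)
    home = os.path.join(jail_root, home_subdir)
    findings = []
    for dirpath, dirnames, filenames in os.walk(jail_root):
        in_home = dirpath == home or dirpath.startswith(home + os.sep)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            mode = st.st_mode
            rel = os.path.relpath(path, jail_root).replace(os.sep, "/")
            if stat.S_ISLNK(mode):
                continue
            # A setuid/setgid program is a route to other privileges in the jail.
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setid-binary", rel))
            # Device nodes expose disks and memory; a jail needs very few.
            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append(("device-node", rel))
            if in_home:
                continue  # customers are expected to write under home
            # Outside home, nothing should be customer-writable or customer-owned.
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(("writable-outside-home", rel))
            if st.st_uid != trusted_uid:
                findings.append(("unexpected-owner", rel))
    return sorted(findings)


def build_sample_jail():
    """Create a constructed sample tree (not a real jail) with two flaws."""
    root = tempfile.mkdtemp(prefix="jail-audit-")
    dirs = {"bin": 0o755, "tmp": 0o1777, "home": 0o755, "home/user": 0o755}
    for rel, mode in dirs.items():
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)
    files = {"bin/ls": 0o755, "bin/su": 0o4755, "home/user/index.html": 0o664}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    return root


def demo():
    """Audit the sample tree, apply the fixes, then audit again."""
    root = build_sample_jail()
    uid = os.getuid()  # sample files belong to the caller; a real jail uses 0
    before = audit_jail(root, trusted_uid=uid)
    os.chmod(os.path.join(root, "bin/su"), 0o755)  # drop the setuid bit
    os.chmod(os.path.join(root, "tmp"), 0o755)     # no shared writable directory
    after = audit_jail(root, trusted_uid=uid)
    shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

On a real jail, run `audit_jail` as root with the default `trusted_uid=0` so that customer-owned files outside the home area are reported as well.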
profitability
09-29-04, 14:20
I get asked almost daily if our plans include SSH access. I'm not too sure how I'd make enough sales if I was really strict here. Another note on security... FTP is not a secure protocol. I regularly use SCP to copy files to and from the server instead of FTP. But SCP requires SSH access.
I also do not give out SSH access except when need is very well justified. In my experience (which is what it is :)) most who want shell accounts are those who are script kiddies, want to try to install IRC bots or IRC bounce programs, etc. And I for one don't want that kind of account.
You might find the how-to for installing SFTP with HSphere interesting to get around the security issues with FTP: http://forum.psoft.net/showthread.php?t=3187&highlight=sftp
Andrew
Oh here's another question... Is the CC database in H-Sphere still *not* encrypted?
profitability: I've run across a few users who do that, but honestly more often I run across old school people that prefer vi, or people who access things like BBS's that require a special terminal to connect to, or may use SCP and what not. Personally I use SCP to upload files, SSH/vi to edit them. I love using command line to make directories and such... Just a preferred environment.
profitability
09-29-04, 14:45
profitability: I've run across a few users who do that, but honestly more often I run across old school people that prefer vi, or people who access things like BBS's that require a special terminal to connect to, or may use SCP and what not. Personally I use SCP to upload files, SSH/vi to edit them. I love using command line to make directories and such... Just a preferred environment.
No arguments there, I prefer the commandline myself, but I've found WebShell to be a decent substitute, and I've only had a handful of requests for shell access ever. It probably really depends on the market you serve -- we cater to higher-end corporate web hosting clients who work with professional development firms that typically don't require commandline access. I could definitely see SSH access being important to the do-it-yourselfers, though. (I know I'd want it! :))
Someone correct me if I'm wrong, but I thought encrypted CC numbers was added in 2.4?
On the whole HSphere vs. other CP's thing...you always have to balance features with security. To me, HSphere is truly a complete hosting automation package, allowing me to manage a large cluster of servers with shared resources and automated billing, and that functionality is worth the tradeoffs involved in running HSphere. Others are either one-server setups or still a bit half-baked in the multi-server arena. If you're looking for a one server type setup you may indeed be better off looking elsewhere.
I don't have much experience with the security setups of other CP's, but you are probably correct that others are more secure "out of the box." I think that by following the instructions kindly provided by several members of this community you can create a nicely secured system with HSphere. But, if chroot is a sticking point for you, you're probably best off looking elsewhere for now as I don't see that feature being available anytime soon.
Andrew
Someone correct me if I'm wrong, but I thought encrypted CC numbers was added in 2.4?
I'd like to know the answer to this the most. I really do like the upcoming dedicated server and nested reseller features, it seems like H-Sphere is the only one that fits our new business model. However, HSPcomplete seems to already have surpassed H-Sphere now, if used with Virtuozzo AND Plesk. But seems quite pricey and not in my budget.
Thanks,
Neofree
yes encrypted cc is old news - been there for a while now
http://www.psoft.net/HSdocumentation/admin/credit_card_encryption.html
Well guys, I've just placed order for server and licenses! Looks like I'm coming back to H-Sphere. Finding I miss the integration of billing and support more than I thought. :)
Thanks,
Neofree
Mr. Weberize
10-03-04, 21:47
Welcome back.
dynamicnet
10-04-04, 09:16
Greetings NeoFree:
Welcome back.
Thank you.