Hi,
Apologies up front that the subject line reads like some sort of
passive-aggressive dodge ("I Am Sorry If You Feel You Have Been
Abused By Us", or "I Could Tell You But Then You Would Have To Be
Destroyed By Me"¹), but I didn't want to use language like
THERE HAS BEEN A COMPROMISE OF YOUR DATA
…because at the heart of this is a miscommunication on my part, of a
situation that has existed forever. Essentially nothing has changed
but it is perhaps surprising to some that things were/are the way
they are.
== The issue ==
If you are logged in to BitFolk's Grafana² to look at the graphs of
your service, then you can look at the queries that the JavaScript
is sending, edit some of the placeholders, and look at graphs for
any other BitFolk customer.
This was known by me when I set up our Grafana last
October/November. The possibility of logged-in users sending
arbitrary queries was raised to me at the time by a couple of
people, and my response to that was to set some ACLs such that only
the specific queries that correspond to defined dashboards are
allowed. That is, the things that you can see can also be seen by
any logged in user if they make some trivial effort to do so.
I thought this was acceptable because with our previous solution
(Cacti), all users' graphs were visible by anyone on the Internet,
and that was the case from some time in 2007 up until late last
year. So in fact the current Grafana is more restrictive than Cacti
was.
I thought that this had been adequately communicated to you, the
customer base, including to the people who had raised concerns about
the Prometheus/Grafana security model.
I was wrong. Conrad Wood was one of the people who kindly advised me
when I was setting up Grafana/Prometheus; Conrad did warn me about
this issue as did a couple of other people, and I thought that I had
communicated what my solution was going to be (and that it was
actually stricter than Cacti was), but I might not have.
That suggests that there will be other customers who are unaware of
this, and unhappy about it.
== What we will do about it ==
I don't want customers to be unhappy, so what I will do is work on
tightening up the ACLs such that logged-in users can only use the
label/placeholder values that pertain to them.
I will work on this as a priority but I think it will still take a
couple of weeks to do.
In the meantime, if you are not comfortable with the situation that
any other user can craft a query to look at your CPU / bandwidth /
block IO stats, please drop an email to support(a)bitfolk.com and I
will block all non-admin access to your stats. That will include
your own access.
== Don't shoot the messenger ==
I appreciate that many of you probably will not care that other
customers could with some minor effort look at your graphs. The fact
that Conrad doesn't think it's acceptable, and repeatedly tried to
tell me that (but I failed to communicate and our wires initially
got crossed), probably means that there are some other customers for
whom this is news and who would be unhappy about it.
So I thank Conrad for bringing it to my attention again; I have
adjusted my viewpoint; I will restrict it; it would not be useful
for anyone to comment that they personally don't care. There will be
others who care, and this is for them.
(I did check with Conrad that they wanted to be named here and they
indicated that would be fine. If they'd said no then I'd just have
said, "a customer has brought to my attention…")
Thanks for reading, and I apologise for not making the situation
about visibility of stats clear throughout this long period of time.
Cheers,
Andy
¹ https://www.amazon.com/Could-Tell-Then-Would-Destroyed/dp/193555414X
² https://tools.bitfolk.com/grafana/
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
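The two ACL models Andy's announcement contrasts, shown side by side as an added example (this is not BitFolk's code, and the post does not say how their Grafana/Prometheus ACLs are actually implemented). It assumes a query-authorising layer between Grafana and Prometheus that knows the logged-in user; the ownership map, the dashboard templates and the metric names are constructed for the illustration. `shape_only_acl` is the current state described in the post: a query is allowed if it has the shape of a defined dashboard query, whatever value has been edited into the placeholder. `tenant_acl` is the tightened version: the same shape check, plus every `instance` label value must belong to the user making the query.

```python
import re

# Constructed ownership map (assumption): which instance labels each login may see.
OWNERSHIP = {
    "alice": {"vps-alice.example"},
    "bob": {"vps-bob.example", "vps-bob2.example"},
}

# Hypothetical dashboard queries; "$instance" is the placeholder Grafana fills in.
TEMPLATES = [
    'rate(node_cpu_seconds_total{instance="$instance",mode!="idle"}[5m])',
    'rate(node_network_receive_bytes_total{instance="$instance"}[5m])',
    'rate(node_disk_io_time_seconds_total{instance="$instance"}[5m])',
]

PLACEHOLDER = "$instance"


def template_pattern(template: str) -> "re.Pattern[str]":
    """Turn a dashboard template into a regex; each placeholder captures one exact label value."""
    literal_parts = [re.escape(part) for part in template.split(PLACEHOLDER)]
    return re.compile(r'([^"]+)'.join(literal_parts))


PATTERNS = [template_pattern(t) for t in TEMPLATES]


def instances_requested(query: str):
    """Return the set of instance values a query uses, or None if it is not a dashboard query.

    Anything that deviates from a template (a regex matcher such as instance=~".*",
    an extra label, a bare metric name) fails the shape check outright.
    """
    for pattern in PATTERNS:
        match = pattern.fullmatch(query)
        if match:
            return set(match.groups())
    return None


def shape_only_acl(query: str) -> bool:
    """The ACL described in the announcement: only dashboard-shaped queries pass,
    but any logged-in user may put any instance value into the placeholder."""
    return instances_requested(query) is not None


def tenant_acl(user: str, query: str, ownership=OWNERSHIP) -> bool:
    """The tightened ACL: the query must be dashboard-shaped AND every instance it
    names must belong to the user who is logged in."""
    requested = instances_requested(query)
    if requested is None:
        return False
    return requested <= ownership.get(user, set())


if __name__ == "__main__":
    bobs_cpu = 'rate(node_cpu_seconds_total{instance="vps-bob.example",mode!="idle"}[5m])'
    print("shape-only, alice asks for bob's CPU:", shape_only_acl(bobs_cpu))        # True
    print("tenant-bound, alice asks for bob's CPU:", tenant_acl("alice", bobs_cpu))  # False
    print("tenant-bound, bob asks for his own CPU:", tenant_acl("bob", bobs_cpu))    # True
```

The point of the shape check is that it stops arbitrary PromQL (`up`, `{__name__=~".+"}`), which is what the original ACL was built for; the label check is the part that was missing, and it only works if the enforcement point can bind the query to an authenticated identity rather than just to "someone who is logged in".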
Hello,
I know there's a few WordPress experts here. Can I pick your brains?
Say I have a WP site at https://dev.example.com/ and I now want to
copy it and put it live at https://example.com/. Having read:
https://wordpress.org/support/article/changing-the-site-url/
do I just…
- Copy the filesystem structure from one document root to another
- Dump the database and re-insert it into a new database
- Install wp-cli and run
$ wp search-replace 'dev.example.com' 'example.com' --skip-columns=guid
and then it's all switched?
Cheers,
Andy
Hi All,
I need some help. I am out of my depth.
All my WordPress sites have been infected by a virus that acts as
follows. Non-WordPress sites are not affected.
1) It permits the home page to partially show.
2) Then a pop-up requests authorization to continue (which I have not
clicked).
3) Then in the background the address line changes first to
create-space.com and then to adarath.com, before showing an advert for
gambling or porn, which depends upon your location and not your language
settings.
All Google hits claim this is a browser virus, but I don't think it is.
Every check of my system comes up clean. Almost positive it is on the
server.
It only appears on the first visit to the site. If I clear cookies and
cache, then it reappears. My browser does NOT show this virus for any WP
site that is not hosted on my VPS.
Unfortunately I am in Thailand, supposedly having a holiday and meeting
my in-laws' family, and I have no access to my usual tools or the site
backups.
Has anyone any ideas how best to proceed?
Regards
Ian
--
Ian Hobson
Tel (+351) 910 418 473
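A first triage step for the symptom Ian describes (page partly renders, then the browser is sent elsewhere, and only on a cookieless first visit), written as an added example rather than anything from Ian's thread: fetch the home page without cookies (for instance `curl -s https://your-site.example/ > page.html`, keeping the fetch separate so this script needs no network), then audit the saved HTML for `<script>` tags that load from hosts other than your own and for inline scripts that both read or set `document.cookie` and change `location`. That combination is what a cookie-gated redirect looks like in the served markup, and finding it in the HTML the server sends (not just in the browser) is what separates a server-side infection from a browser one. The sample HTML and the host names are constructed; `.invalid` is used so nothing resolves.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of each <script src=...>
        self.inline = []        # body text of each inline <script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attributes = dict(attrs)
            if attributes.get("src"):
                self.external.append(attributes["src"])
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


# Inline code that touches cookies and navigation is the pattern to look at first.
COOKIE_GATE = re.compile(r"document\.cookie")
NAVIGATION = re.compile(r"(window\.|document\.|top\.)?location(\.href|\.replace|\.assign)?\s*(=|\()")
OBFUSCATION = re.compile(r"\b(eval|unescape|atob|String\.fromCharCode)\s*\(")


def audit_page(html: str, own_host: str) -> dict:
    """Return foreign script hosts and inline scripts that look like a cookie-gated redirect."""
    collector = ScriptCollector()
    collector.feed(html)
    foreign_hosts = sorted({
        host for host in (urlsplit(src).hostname for src in collector.external)
        if host and host.lower() != own_host.lower()
    })
    suspicious = []
    for body in collector.inline:
        reasons = []
        if COOKIE_GATE.search(body) and NAVIGATION.search(body):
            reasons.append("cookie-gated navigation")
        if OBFUSCATION.search(body):
            reasons.append("obfuscation helper")
        if reasons:
            suspicious.append({"reasons": reasons, "snippet": body.strip()[:80]})
    return {"foreign_script_hosts": foreign_hosts, "suspicious_inline": suspicious}


# Constructed sample of what a served, tampered home page might contain.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.legit-analytics.invalid/tag.js"></script>
<script>if(!/seen=1/.test(document.cookie)){document.cookie="seen=1;path=/";location.href="https://redirect-host.invalid/";}</script>
</head><body><script>console.log("theme init");</script><p>Welcome</p></body></html>"""


if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, "your-site.example")
    print("scripts loaded from other hosts:", report["foreign_script_hosts"])
    for item in report["suspicious_inline"]:
        print("inline:", item["reasons"], "->", item["snippet"])
```

If the audit shows the redirect in the server's own output, the next step is to find where it is injected: on a WordPress install with wp-cli, `wp core verify-checksums` compares the core files against the official checksums and lists modified ones, and theme `header.php`/`footer.php`, `wp-config.php` and the database `wp_options` table (the `siteurl`/`home` rows and anything containing `<script`) are the usual places to read next. Restoring from a clean backup and rotating every credential the server held is the remediation; cleaning individual files tends to miss the persistence that reinfects them.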
Hi,
is there an API endpoint I can query for current & predicted traffic
usage?
I know of https://panel.bitfolk.com/xfer/ but rather not scrape ;)
Conrad
Hello,
I'm having some issues upgrading software on my Bitfolk-hosted Debian 10.2
server. I ran 'sudo apt --fix-broken install' after being told to do so to
fix unmet dependencies.
Running this gives the following error:
"This version of the GNU libc requires kernel version 3.2 or later. Please
upgrade your kernel before installing glibc."
Is there an easy answer to the obvious question of what kernel to upgrade to?
And would this even solve my issues? I currently appear to be running
2.6.32-5-686-bigmem.
I've had this server for years and I might have added one quick fix for a
specific problem too many over the years.
Here's the content of /etc/apt/sources.list:
deb http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable main contrib
deb-src http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable main contrib
deb http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable-updates main contrib
deb http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/ stable/updates main contrib
Thanks!
Martijn
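Two checks a practitioner would run on a box in Martijn's state, as an added example that is not from the thread: the glibc error is a hard kernel requirement (the message names 3.2 as the minimum), so compare the running kernel's version properly rather than by string, and the `sources.list` shown uses the `stable` alias rather than a release codename, which is the general apt behaviour that makes a machine silently follow each new Debian release at the next `apt upgrade` instead of staying on the release it was installed with. The script flags both. The `sources.list` text it is run on is the one from the post; the `uname -r` strings are examples.

```python
import re
import platform

# Suite names that are moving targets; codenames (buster, stretch, ...) are not.
ALIAS_SUITES = {"stable", "oldstable", "testing", "unstable"}

# Minimum kernel the glibc error message in the post asks for.
GLIBC_MIN_KERNEL = "3.2"


def kernel_version_tuple(release: str) -> tuple:
    """Parse '2.6.32-5-686-bigmem' or '4.19.0-6-amd64' into a comparable (major, minor, patch)."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not match:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return tuple(int(part or 0) for part in match.groups())


def kernel_meets(release: str, minimum: str = GLIBC_MIN_KERNEL) -> bool:
    """Numeric comparison: '10.0' is newer than '3.2' even though it sorts before it as text."""
    return kernel_version_tuple(release) >= kernel_version_tuple(minimum)


def alias_suite_lines(sources_list: str) -> list:
    """Return (suite, line) for every deb/deb-src line that tracks an alias instead of a codename."""
    findings = []
    for raw in sources_list.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] not in ("deb", "deb-src"):
            continue
        index = 1
        if fields[index].startswith("["):   # optional [arch=...] style options
            index += 1
        if len(fields) <= index + 1:
            continue
        suite = fields[index + 1]
        base = suite.split("/")[0].split("-")[0]   # stable/updates, stable-updates -> stable
        if base in ALIAS_SUITES:
            findings.append((suite, line))
    return findings


# The sources.list from the post.
POSTED_SOURCES_LIST = """\
deb http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable main contrib
deb-src http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable main contrib
deb http://apt-cacher.lon.bitfolk.com/debian/ftp.uk.debian.org/debian/ stable-updates main contrib
deb http://apt-cacher.lon.bitfolk.com/debian/security.debian.org/ stable/updates main contrib
"""


if __name__ == "__main__":
    running = platform.release()
    print(f"running kernel {running}: meets {GLIBC_MIN_KERNEL}? {kernel_meets(running)}")
    for suite, line in alias_suite_lines(POSTED_SOURCES_LIST):
        print(f"suite '{suite}' is an alias; pin to a codename instead:\n  {line}")
```

Once the suites are pinned to a codename, the release that actually matches the installed userland can be held until the kernel side is sorted out; on a hosted VPS the kernel may be supplied by the host's boot environment rather than by the guest's packages, so that part is a question for the provider before any more `apt` runs.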
Hello all,
This is more of a ramble than anything else so feel free to simply
ignore it.
I have been thinking about what to do with my machine recently. I run
some small websites, db and email server.
Currently this is all set up via puppet. Every now and again I get the
VPS reinstalled to a more recent LTS distribution and go about updating
puppet to use this and switch to a new VPS with the updated setup.
I have recently been thinking about whether or not it might be easier to
have a much more stripped down machine and use docker to run my services
on top of.
Not sure how I would do this with rails websites, I currently use
Phusion passenger to service them all.
Wondering if anyone has experience running docker on a VPS within
BitFolk. I'm not sure if there are any virtualisation limitations that
would stop this either.
I am going to be upgrading my machine to a more recent LTS version
soonish since my current distribution is going EOL this year.
So, yes, I will probably end up doing what I normally do but considering
dockerising my services and not even sure if it would work on a VPS or
whether it would just be more trouble than it's worth.
n
Hi,
I noticed that as of at least yesterday, BitFolk's DNS resolvers are
blocked from querying URIBL¹.
URIBL is a DNS-based blocklist of URIs mentioned in email spam. It
is used by default in SpamAssassin and other anti-spam products.
The usual reason for being blocked from querying URIBL is excessive
query volume. Their web site mentions a figure of 100k queries per
day.
I've had a look at the usage from BitFolk's SpamAssassin service²
and the cluster is only checking about 7k emails per day. Possibly
7k emails expands to over 100k URIs to query, or possibly other
customers are doing excessive DNS queries - anyone using BitFolk's
resolvers to query will add to the count. I have asked URIBL for
clarification of what the issue is.
If the issue is query load then we will pay for a feed.
Until that is sorted out you will unfortunately be unable to query
URIBL usefully. It returns a value that SpamAssassin recognises as
"query blocked".
Cheers,
Andy
¹ https://uribl.com/
² https://www.bitfolk.com/customer_information.html#toc_2_SpamAssassin
--
https://bitfolk.com/ -- No-nonsense VPS hosting
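How a URIBL answer is read, as an added example that is not part of Andy's announcement, so that the "query blocked" condition he describes can be told apart from a real listing: the lookup is a DNS A query for `<domain>.multi.uribl.com`, a listed domain answers in 127.0.0.0/8 with the list membership encoded as bits in the last octet (2 = black, 4 = grey, 8 = red, so 127.0.0.14 means all three), and 127.0.0.1 is the special value meaning the resolver has been refused, which is what SpamAssassin's URIBL_BLOCKED rule fires on. The decoder below does no network I/O; the answer strings are passed in (constructed here) exactly as a resolver would return them, so it can be dropped in front of any DNS client.

```python
from ipaddress import IPv4Address, IPv4Network

URIBL_ZONE = "multi.uribl.com"
QUERY_BLOCKED = IPv4Address("127.0.0.1")
DNSBL_RANGE = IPv4Network("127.0.0.0/8")

# List bits in the last octet of a multi.uribl.com answer.
LIST_BITS = {2: "black", 4: "grey", 8: "red"}

# Free-tier ceiling mentioned in the post; exceeding it is the usual reason for being refused.
FREE_QUERY_LIMIT_PER_DAY = 100_000


def uribl_query_name(domain: str) -> str:
    """Name to look up for a domain seen in a message body."""
    return f"{domain.strip('.').lower()}.{URIBL_ZONE}"


def interpret_uribl(answers) -> dict:
    """Classify the A records returned for a URIBL lookup.

    Returns one of: not_listed (NXDOMAIN / empty answer), query_blocked (127.0.0.1,
    the state the post describes), listed (with the decoded list names), or
    unexpected (an answer outside 127/8, e.g. a wildcard-hijacking resolver).
    """
    answers = list(answers)
    if not answers:
        return {"status": "not_listed", "lists": []}
    lists = set()
    for answer in answers:
        address = IPv4Address(answer)
        if address == QUERY_BLOCKED:
            return {"status": "query_blocked", "lists": []}
        if address not in DNSBL_RANGE:
            return {"status": "unexpected", "lists": [], "answer": str(address)}
        code = int(address) & 0xFF
        lists.update(name for bit, name in LIST_BITS.items() if code & bit)
    return {"status": "listed", "lists": sorted(lists)}


def estimated_daily_queries(messages_per_day: int, urls_per_message: float) -> dict:
    """Rough capacity check: does the expected lookup volume sit under the free limit?"""
    queries = int(messages_per_day * urls_per_message)
    return {"queries_per_day": queries, "over_free_limit": queries > FREE_QUERY_LIMIT_PER_DAY}


if __name__ == "__main__":
    print(uribl_query_name("example.com"))
    print(interpret_uribl(["127.0.0.1"]))    # the blocked state from the announcement
    print(interpret_uribl(["127.0.0.14"]))   # black + grey + red
    print(interpret_uribl([]))               # not listed
    # 7k mails/day from the post; URLs per message is a guess, which is the unknown Andy raises.
    print(estimated_daily_queries(7_000, 15))
```

The practical consequence of `query_blocked` is that every lookup returns the same answer, so a scoring rule that treated 127.0.0.1 as a listing would mark all mail as spam; decoding the special value explicitly is what keeps a refused resolver from turning into a false-positive storm.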