DrakNet Web Hosting


Posts Tagged ‘upgrades’

So, you want the good news or the bad news first?

Monday, November 10th, 2008

We have upgraded all servers to cPanel 11.24, or “cPanel Accelerated”, which should be a souped-up yet slimmer version of cPanel. You personally probably won’t see much of a difference, though resellers will see some added branding options.

The good news is that Accelerated bundles many security fixes that are already defaults in current out-of-the-box installations of the software cPanel packages, and it finally delivers cPanel’s woefully late response to PCI certification, something many of you merchants are clamoring to get before the deadline passes and the fines start.

(We know how you feel, we put it off as long as we could, too.)

More good news: all servers should now pass a PCI compliance scan, with some caveats. You’ll need to let us know your PCI compliance company’s IP range so that we can exempt them from the firewall on the Apache port only. PCI scans throw so many holes and exploits at the server that we inevitably wind up firewalling them, which is good for the security of your site, but not so good when the scanner needs to fully see how your web site responds to those attacks and where the holes are.

Please try to let us know beforehand when they’re coming so we can make sure they can do and see what they need to for you to pass. You’ll only need to do this the first time, as we’ll keep the range in there. If you want a company that we already work with, we can guarantee that you’ll pass the Security Metrics scan, as we did on the same servers, and we already have their IPs.

The bad news? Well, it’s not really bad, and this won’t affect the vast majority of you, but we have turned off the ability to include executables via SSI. The exec command runs a given shell command or CGI script, and as you can imagine, this is an incredibly exploitable aspect of a web site; we watch people hammer the server all day trying to shove commands in there. We swat most of them away with mod_security.

After years of running with no sites ever being exploited on these servers, though, we have seen a recent rash of exploits from poorly coded CGI scripts, and we’re not going to allow it anymore by default. If you see:

[Mon Nov 10 19:11:03 2008] [error] [client XX.XX.XX.XX] unable to include potential exec "/script/here.cgi" in parsed file "/another/file.html"

then you are trying to include an executable, and that is no longer allowed out of the box for anyone. You also need to turn on CGI scripts if you use them, just to be safe.

In geekspeak: IncludesNOEXEC is now the default. More specifically, mod_include allows execution of CGIs and external commands through Server Side Includes, and that capability is now disabled by default by the IncludesNOEXEC option in our Options line (shown below).
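To find out before your visitors do which pages the new default breaks, here is an added example (not from the original post) that parses error_log lines in the format shown above and scans a page’s source for the SSI directives IncludesNOEXEC refuses; the log lines, page source, paths and client addresses are all constructed.

```python
import re

# Constructed sample of mod_include error lines (the format shown above); not real log data.
SAMPLE_ERROR_LOG = """\
[Mon Nov 10 19:11:03 2008] [error] [client 192.0.2.10] unable to include potential exec "/cgi-bin/counter.cgi" in parsed file "/home/example/public_html/index.html"
[Mon Nov 10 19:11:05 2008] [error] [client 192.0.2.10] File does not exist: /home/example/public_html/favicon.ico
[Mon Nov 10 19:12:41 2008] [error] [client 198.51.100.7] unable to include potential exec "/cgi-bin/menu.pl" in parsed file "/home/example/public_html/about.html"
"""

# Constructed sample page source with SSI directives; not from the original post.
SAMPLE_HTML = """\
<!--#include virtual="/includes/header.html" -->
<!--#exec cmd="ls -l" -->
<!--#exec cgi="/cgi-bin/counter.cgi" -->
<!--#include virtual="/cgi-bin/menu.pl?section=about" -->
<!--#echo var="DATE_LOCAL" -->
"""

EXEC_ERROR_RE = re.compile(r'\[client (?P<client>[^\]]+)\] unable to include potential '
                           r'exec "(?P<target>[^"]+)" in parsed file "?(?P<page>[^"\s]+)"?')
SSI_RE = re.compile(r'<!--#(?P<cmd>exec|include)\s+(?P<attrs>.*?)\s*-->', re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
SCRIPT_SUFFIXES = ('.cgi', '.pl')

def parse_exec_errors(log_text):
    """(client, target, page) for every IncludesNOEXEC refusal found in the log."""
    hits = []
    for line in log_text.splitlines():
        m = EXEC_ERROR_RE.search(line)
        if m:
            hits.append((m.group('client'), m.group('target'), m.group('page')))
    return hits

def find_blocked_ssi(html):
    """SSI directives that IncludesNOEXEC refuses: any #exec, plus #include
    virtual of a CGI/script (that is the 'potential exec' case in the log)."""
    blocked = []
    for m in SSI_RE.finditer(html):
        attrs = dict(ATTR_RE.findall(m.group('attrs')))
        if m.group('cmd') == 'exec':
            blocked.append(m.group(0))
        elif 'virtual' in attrs:
            path = attrs['virtual'].split('?', 1)[0]
            if path.endswith(SCRIPT_SUFFIXES) or '/cgi-bin/' in path:
                blocked.append(m.group(0))
    return blocked

if __name__ == '__main__':
    for client, target, page in parse_exec_errors(SAMPLE_ERROR_LOG):
        print(f'{page}: blocked include of {target} (client {client})')
    for directive in find_blocked_ssi(SAMPLE_HTML):
        print('will be refused:', directive)
```

Run it against your own error_log and against each .shtml/.html file you serve to get the list of pages that need either recoding or the .htaccess override described below.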

Before you begin hyperventilating and wondering where you’ll get the time to recode your site: we do allow overrides, so you can take our security and turn it on its ear by creating an .htaccess file with the options you wish to have, and blow your site wide open if that’s what you feel like doing. :)

If you wish to use a .htaccess file to permit the execution of CGI programs in a particular directory, you will need to create an .htaccess file that adds the executable option to that directory.

Options +ExecCGI
AddHandler cgi-script .cgi .pl

If you wish to use a .htaccess file to permit both executing CGI programs and including their output via SSI in a particular directory, you will need to create an .htaccess file that adds “Includes” to the Options (overriding the IncludesNOEXEC that exists by default).

Options +Includes +ExecCGI
AddHandler cgi-script .cgi .pl

Our current settings are:

-ExecCGI -FollowSymLinks Includes IncludesNOEXEC -Indexes -MultiViews SymLinksIfOwnerMatch

any of which you may override.

Just please remember: if you deliberately turn off our security, don’t keep your scripts updated, or disable the things meant to protect you, and you wind up getting hacked, we’re going to suspend you outright. We can’t afford to do security consulting for $5 or $10 a month, and the most we’ll do is install an older backup and tell you to fix your stuff. You’ll need to convince us that if we turn you back on you’ll be able to secure your scripts, and if you can’t, we will terminate the account. So please understand that your responsibility to try your hardest to keep your site secured is considered sacrosanct here.

We take our job of securing your sites very seriously, and we expect you to do the same, both for our servers and out of respect for your neighbors.

Upgrades have taken place, dbs reset, and Ike’s shifted

Friday, September 12th, 2008

Over the past two days we’ve performed routine upgrades on the software firewall and MailScanner, and reset the Bayesian database after some complaints that MailScanner wasn’t catching quite as much spam as it used to. All software is now up to date across all servers and everything’s running swimmingly, with no catastrophes.

Ike

Speaking of catastrophes, Ike has shifted a bit and is no longer on a beeline for Austin, though this storm is so exceedingly big that we will likely see a bit of it even as far inland as we are, as it passes a few hundred miles to the east of us according to current projections (some projections still have it running right through the center of Austin, but those are not the most likely). We have a pretty large number of folks from Houston hosting here, and we’ll be keeping an eye on how big a disaster this winds up being for the Gulf Coast.

As we did with Katrina, should the national media’s panicky storm-of-the-century predictions not be hyperbole, and should the weather service’s “leave now or you face imminent death” warnings not turn out to be overzealous anticipation, we will not suspend or terminate anyone’s hosting account in the affected areas should your card suddenly not go through or you miss a payment. We’ll figure you’re rebuilding your house or paying a motel fee so you have a roof over your head, and we’ll give you time to contact us and let us know what’s going on and what you need from us.

Communicate with us and let us know what you need from us, and we’ll work with you in whatever way we can.
