After a fortnight of frustration with my host, HostPapa, I need to vent my irritation somewhere. A blog post seems the ideal solution!
HostPapa have served me excellently over the past couple of years: 'unlimited' space and bandwidth (presumably not truly unlimited, but certainly more than I currently need), and a relatively complete offer in terms of server functionality. There have of course been issues: their shared servers allow access to a shared /tmp directory, which caused me problems once, when someone else had previously installed a blog package, leaving detritus which prevented my install due to ownership issues.
Other than that it's been a good relationship. Until now.
All webhosts obviously need to offer a mechanism whereby users can upload their files reliably. And securely. HostPapa agree, which is why they recommend Secure FTP (FTPS), using Explicit SSL (sometimes known as FTPES). Good practice. No one wants the files they are uploading sent around the web in unencrypted, let alone their username and password, which gives full, unencumbered access to their cPanel account! Unfortunately, I don't own my own SSL certificate.
Never mind, HostPapa also offers SSH FTP (known as SFTP - and to be clear this is not FTP over SSH, but it uses the SSH protocol to encrypt the session). Excellent. Secure uploading, without certificates. I use it daily to synchronise my local files to this server.
So, when a number of hosts started finding a rather nasty rootkit on their servers, which seemed to be targeting port 22, the finger was understandably pointed at port SSHD. HostPapa blocked port 22. No more SFTP. No notification. No email. Nothing. Just a timeout on port 22. I contact HostPapa through their usually efficient 'ticket' system. After three messages, I (eventually) receive a couple of useful messages:
Whoa! 2003? That's an exploit that's been around for some time without a fix! Obviously the wrong link, but nevertheless, there is talk of SSHD being the attack vector. Except that cPanel has, by this time, announced that they were the cause of the breach, due to a compromised machine in their support department.
Oh well, I am told just use plain FTP (no thank you), or the cPanel web based file manager. On a side note, it is at this point that I discover that my host uses unencrypted HTTP on port 2082 for their default cPanel interface. There is a HTTPS port on 2083, but it's not advertised. Clearly, security is not a key consideration for HostPapa...
After a few more questions about securing my session, I am told that (contrary to what I had been told previously) FTPES works fine. OK, I'll give it a try. Starting with LFTP from the command line:
Weird. I try with FileZilla from a different client on a different network. Same response. I try with AndFTP from my phone. No dice. I resort to sticking my login details on a random ftp test website which promises to test the server. Couldn't get directory listing!
Meanwhile, HostPapa continue to tell me it is my problem:
So that's it. If I want to use my site, then I have to use unencrypted plain FTP. I can't believe it's just me with this problem. Maybe every one of my clients is misconfigured. Maybe infobyip is misconfigured. Maybe this guy is misconfigured. But I'd be surprised.
In fact, I have an idea for what might be going on. I've told HostPapa about it, but it's been ignored so far. I assume they have a firewall to keep nasty people out of their site. That is a problem for FTP servers which use a huge range of ports for their data transfer connections. So the solution I have heard of before is to inspect packets on port 21, and wait for the PASV command. This tells the client which port to connect on, and means the firewall knows which port to open up, for a specific source IP if necessary. Except that it doesn't work for SSL-encrypted packets, as the firewall has no way of knowing what the message says.
Hence, the login goes fine over port 21, but the line goes silent when I connect to the proposed data port. When using plain FTP, the port is opened and the connection is completed. Moreover, for HostPapa behind their firewall, the packet is not captured, so again the connection is successful. I have asked again, but they still assure me that my FTPS login "works for them".
It is this lack of service, and lack of useful communication that frustrates me with HostPapa. Other hosts (and here) have at least let their customers know. HostPapa just shut off a major access port and assume that they don't need to tell their customers. I can recommend the hosting at HostPapa; it's just the service that make it entirely unusable when things go wrong.
Please comment - I'd love to hear from anyone else who is having similar issues
I’ve had to deal with this problem too. It seems to be no secure way of uploading files to my domain at hostpapa.
Also, the server seems to take forever to load sometimes. I guess my “server” is actually one of a bunch of virtual machines stored in a piece of obsolete hardware…
Bad news is, they won’t refund me the money, so I am stuck with them until I finish my paid service time.
Form is loading...