
Should we do something about the abuse within the (free) hosting industry ??

krakjoe

Actually, I think we should, it wouldn't be that hard either, you know how everyone has a hundred accounts on their server that look like they will never be used, registered with some dodgy email address and a nonsense subdomain of your tld ..... well that's not really on, it pisses me off that people think it's alright to sign up for a hundred accounts and use one, there's nothing wrong with it per se, but how are the owners of the servers supposed to know when to stop selling or buy a new server when they have no idea if a load of the accounts will ever be used .....

WHM comes with some hooks, so then when an account is created or suspended or modified in some way these hooks are executed, like vbulletin and ipb's hooks for plugins and mods

http://www.cpanel.net/support/docs/hooks.htm said:
  • /scripts/postupcp - Runs after cPanel/WHM updates (/scripts/upcp)
  • /scripts/postcourierinstall - Runs after Courier updates (/scripts/courierup)
    • /scripts/postcourier-authlibup - Runs after courier-authlib package updates
    • /scripts/postcourier-imapup - runs after courier-imap package updates
  • /scripts/postexim4install - Runs after Exim updates (/scripts/eximup)
  • /scripts/postftpinstall - Runs after FTP server updates (/scripts/ftpup)
  • /scripts/postmysqlinstall - Runs after MySQL updates (/scripts/mysqlup)
  • /scripts/postkillacct - Runs after account creation (/scripts/wwwacct)
  • /scripts/postwwwacct - Runs after account creation (/scripts/wwwacct)
  • /scripts/postwwwacctuser - Runs after user creation
  • /scripts/postsuspendacct - Runs after an account is suspended (/scripts/suspendacct)
  • /scripts/postunsuspendacct - Runs after an account is unsuspended (/scripts/unsuspendacct)
  • /scripts/post${pkg}install - Runs within /scripts/bandminup or /scripts/courierup, specify a package name to be run after.
Most of those are useless for this purpose however some could be very very powerful tools in the fight against abuse .....

How about some of the programmers that are wasting their lives on these forums get together and write some snippets you can insert into some of those hooks so as to connect to a central database ( with publicly available data, or using keys whatever, I'll do that bit ) and pull information on new signups and insert information on suspensions etc ... second to that, we could write a signup system ( and a standalone one too, for hostees themselves to use on windows or browser or whatever ) that references the information in the database to decide whether to let a new client sign up or not, this could be very configurable indeed....

I could do all of that by myself, but I really don't want to, I'd like to get some help with it, and some ideas - ideas aren't my strong point really, so if you have input, or think it'll be a total waste of time even, then please do say so ...
 
Storing the MD5 values of subdomains/domains and emails would be good. It would keep the data private, but also at the same time allow searches, etc.
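
An added example of the digest index suggested in the post above (not code from the thread). It shows that lookups work on digests alone, and also that an unkeyed MD5 of an email address can be confirmed by anyone who holds the table and a list of candidate addresses, whereas a keyed digest cannot. The HMAC variant, the key and all addresses are constructed assumptions.

```python
import hashlib
import hmac

def normalise(identifier: str) -> str:
    # Case and stray whitespace must not change the digest, otherwise the
    # same address would be indexed under several different values.
    return identifier.strip().lower()

def md5_digest(identifier: str) -> str:
    # The scheme as proposed in the post: a plain MD5 of the value.
    return hashlib.md5(normalise(identifier).encode()).hexdigest()

def keyed_digest(identifier: str, key: bytes) -> str:
    # Assumed variant: HMAC-SHA-256 under a key held only by the central service.
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()

def confirm_candidates(stored: set, candidates: list, digest) -> list:
    # Which candidate values can be matched against a copy of the digest table?
    return [c for c in candidates if digest(c) in stored]

# Constructed sample data.
SERVICE_KEY = b"constructed-demo-key"
SIGNUPS = ["Alice@Example.org ", "bob@example.net"]
MD5_TABLE = {md5_digest(s) for s in SIGNUPS}
HMAC_TABLE = {keyed_digest(s, SERVICE_KEY) for s in SIGNUPS}
GUESSES = ["alice@example.org", "carol@example.com", "bob@example.net"]

def demo():
    # 1. Searching by digest works without storing the address itself.
    found = md5_digest("alice@example.org") in MD5_TABLE
    # 2. With an unkeyed digest, a candidate list is enough to confirm members.
    md5_confirmed = confirm_candidates(MD5_TABLE, GUESSES, md5_digest)
    # 3. With a keyed digest, the same list matches nothing without the key.
    without_key = lambda c: keyed_digest(c, b"not-the-service-key")
    hmac_confirmed = confirm_candidates(HMAC_TABLE, GUESSES, without_key)
    return found, md5_confirmed, hmac_confirmed

if __name__ == "__main__":
    print(demo())
```

With the keyed variant the hosts would send the plain value over an encrypted connection and the central service would compute the digest, since only it holds the key.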
 
Other than that, it would not be that hard to add to the /scripts/postwwwacct. Not really.
 
We could write an installer and uninstaller in a bash script, how does an xml backend sound ?? that way the data would be available to a wide range of other applications not just php ... js even ....

Here's some suggestions from me ....

/scripts/postwwwacct - should insert a new record into the records table, hashes of all information will be kept instead of plain text as Richard suggested ..
Information collected should be
  • whether the account is free or paid
  • the (sub)domain they are using
  • the email address they used
  • the address of the server that made the request
  • constant contact for manual record control ( eventual or not )
/scripts/postsuspendacct - should insert a record in the suspensions table identified by the (sub)domain and containing
  • the reason for the suspension, nonpayment, abuse, illegal activity, whatever ...
  • time of the suspension
  • constant contact for manual record blah blah

/scripts/postunsuspendacct - this should delete the record corresponding to that subdomain in the suspensions table

/scripts/postkillacct - should delete the record in the records table corresponding to that account ....

Just these quite basic things would enable signup scripts ( and or /scripts/postwwwacct ) to check several things and take several actions based on its findings, on account creation you could; check if that domain is hosted elsewhere, check how many servers that domain is hosted on, whether the other accounts are paid for or not, you can check if this user has ever been involved in illegal activity, you can see if the user has this domain in suspension on any other servers and why, all of the findings can enable you to make immediate contact and or suspend or terminate that account ..... I'm out ....

Richard, your thoughts ?? anyone else ??
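
An added sketch of the four hook actions and the signup check listed in the post above, run against an in-memory SQLite database (not code from the thread). The table columns, the function names, the per-server match on delete and the sample addresses are assumptions; digests are plain MD5 as proposed earlier in the thread.

```python
import hashlib
import sqlite3
import time

def h(value):
    # Digest of the normalised value; server and contact are stored as given.
    return hashlib.md5(value.strip().lower().encode()).hexdigest()

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE records(domain, email, server, contact);"
        "CREATE TABLE suspensions(domain, server, reason, at, contact);")
    return db

def check_signup(db, domain, email):
    # What a signup script could learn before accepting the account.
    d, e = h(domain), h(email)
    one = lambda sql, arg: db.execute(sql, (arg,)).fetchone()[0]
    reasons = [r[0] for r in db.execute(
        "SELECT reason FROM suspensions WHERE domain = ? ORDER BY at", (d,))]
    return {
        "servers_hosting_domain": one(
            "SELECT COUNT(DISTINCT server) FROM records WHERE domain = ?", d),
        "accounts_with_email": one(
            "SELECT COUNT(*) FROM records WHERE email = ?", e),
        "suspension_reasons": reasons,
    }

def post_wwwacct(db, server, domain, email, contact):
    findings = check_signup(db, domain, email)  # look up first, then record
    db.execute("INSERT INTO records VALUES (?, ?, ?, ?)",
               (h(domain), h(email), server, contact))
    return findings

def post_suspendacct(db, server, domain, reason, contact):
    db.execute("INSERT INTO suspensions VALUES (?, ?, ?, ?, ?)",
               (h(domain), server, reason, int(time.time()), contact))

def post_unsuspendacct(db, server, domain):
    # Remove only the reporting server's suspension for this (sub)domain.
    db.execute("DELETE FROM suspensions WHERE domain = ? AND server = ?",
               (h(domain), server))

def post_killacct(db, server, domain):
    db.execute("DELETE FROM records WHERE domain = ? AND server = ?",
               (h(domain), server))
```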
 
whether the account is free or paid

Quite hard to tell on an automatic system. You have to remember, without a large setup of packages (EG: custom adding of resellers packages as well as your own if they are free or paid), and then having to edit something each time you change a plan.

I think it should be stuck to free hosting.
 
good point, I haven't really thought out the practicalities of each suggestion just yet, but I suppose it won't really work that one ... so yeah free only then ....

So then Richard, if this information were available and the code to utilize it will you employ it on your server(s) ?
 
I sure would. I have 2 cPanel servers and 1 DirectAdmin server dedicated for free hosting, it would be a great plus to me.

One problem is - What actually happens if it detects a problem? Stopping the setup of the account could be a problem, but how about it sends an email to the admin/owner of the server with the information it collected from other servers? (EG: How many other accounts the user has)
 
Not a problem, you're already in the scripts directory and running as the correct user to execute /scripts/killacct along with all the account information, you can suspend or delete the account immediately, and or contact the server owner and or user with the action taken and reasons why .... you could have variable levels of "strict" too ....

EDIT : also, having thought about it a little more, hashes aren't really suitable because they are one way, so the data that gets to the server will be nonsense, and we'll need it to be plain text to take action, so instead, when a host signs up to get the api code, it will include an api key, sent with every request to authenticate them along with their username and password, and then the data they send will be deciphered xor with that key, a 128 bit key will do I reckon ..... so long as the key is kept private we should be okay and no plain text will be sent ..... I think that's better because then we can use the account information in actions/communications ...
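
An added example on the XOR-with-API-key idea in the post above (not code from the thread). It shows two properties of XOR with a repeating 128-bit key that matter for the design, and one other way to use the same key: sign each request with HMAC-SHA-256 and leave confidentiality to the transport (HTTPS is assumed). The key, messages and function names are constructed.

```python
import hashlib
import hmac

def xor_with_key(data: bytes, key: bytes) -> bytes:
    # The proposal: XOR the payload with the 128-bit API key, repeating the key.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def sign(payload: bytes, key: bytes) -> str:
    # Assumed alternative: the key authenticates the request instead of hiding it.
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify(payload: bytes, tag: str, key: bytes) -> bool:
    # Constant-time comparison of the expected and the received tag.
    return hmac.compare_digest(sign(payload, key), tag)

# Constructed sample data.
API_KEY = bytes(range(0x10, 0x20))  # 16 bytes = 128 bits
MSG_A = b"domain=one.example.org&email=a@example.org"
MSG_B = b"domain=two.example.org&email=b@example.org"

def demo():
    ct_a = xor_with_key(MSG_A, API_KEY)
    ct_b = xor_with_key(MSG_B, API_KEY)
    # 1. XOR of two ciphertexts equals XOR of the two plaintexts: the key
    #    drops out, so reuse across requests leaks plaintext structure.
    key_cancels = xor_bytes(ct_a, ct_b) == xor_bytes(MSG_A, MSG_B)
    # 2. One key-length run of known plaintext (fixed field names, a record
    #    the observer submitted) XORed with its ciphertext is the key itself.
    key_exposed = xor_bytes(ct_a[:16], MSG_A[:16]) == API_KEY
    # 3. An HMAC tag binds the request to the key holder and detects changes.
    tag = sign(MSG_A, API_KEY)
    return key_cancels, key_exposed, verify(MSG_A, tag, API_KEY), verify(MSG_B, tag, API_KEY)

if __name__ == "__main__":
    print(demo())
```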
 
Hey Joe - I can't help much with the programming but I do like the idea. If you want to make a project out of this script - then you can use freehostnet.info if you'd like (and if I can still remember my optinom password :p).
 
Thanks, but I registered "hostinquest.com" earlier today ....

Host - noun. A computer containing data or programs that another computer can access by means of a network or modem.
Inquest - noun. A seeking of knowledge, data, or the truth about something.

So I guess that gives the project a name, "Host Inquest" .... I'm gonna get on and write some of the basics for the site today, I do however need lots and lots of help, I don't have the time to start and finish entirely on my own, and I know lots of you out there can program and you really should, it's for a good cause .... if you think you'd like to work with me on this then please get in touch or post here and I'll send you some stuff to do ....
 
Joe... I went and got my laptop powercord... let me know what needs to be done.. I ran out of vodka and need something to do with the rest of the night... I downed 3 mtn dews.
 
frontend. I don't have access to a cPanel server ATM, but I do have a reseller account and I am going to be CoLoing a server soon.
Chris
 
I'm not sure if kurt was offering to do a design or not ....

We need a basic interface for hosters to sign up and get an api key, the signup bit is done already, we need a design and a form in that design that will collect just a first and last name and an email address ( and whatever captcha you want to use ), the email address will be verified with a random 32bit string and then the user will be emailed their api key ( I've not done the last bit yet ) .....

So that's how far I got, it would be lovely for the website to catch up ..... anyone who is working on it and needs ftp access drop me a pm and an email address I can send a login to ....
 
Don't forget the admin-approve. This is not optional... (This would be me being an --- when I need to be) Spammers could easily add as many IPs to the DB as they want to (and make the project useless).
So here's what I got for the signup info:
Site (domain):
Server IP (key works only for this server):
Key (Random):
Password (host gets to choose this one):
eMail address (eg (not legit php) <? echo rand() . '@requestingdomain.com'; ?>). This makes sure that the admin has catch-all enabled and the admin owns the domain. We could also require a file upload to the domain.
First Name (not much goes here)
Last Name (could be checked against whois, if needed)

Give me what you think about the above.
Chris
PS Joe, please email me ftp info <? echo rand() . '@lewisoft.net'; ?>
 
Wait, what would spammers have to gain from registering their email address ??

In the interest of keeping the database as small as possible, I don't want to restrict a key to a server, once you have verified a user enough to give them a key, there's no point going through the same process again, not to mention storing the data for that process, even for a temporary amount of time ...

Because I'm not going to restrict the api key, there's no point in collecting a domain from the hoster on registration ....

The email address has to be real; that's it, because this will be used for all communication, not just sending an api key, but everything, also, I don't want to overload people with an api key and a password, it's unnecessary, there won't be an "interface" for the end user on the website, there's no need for one and it will waste resources on what could become a very used system, all communication will be done automatically, between the server that sends the request and the server(s) hosting the application, I won't be making the information publicly available in any way ....

I imagine the website and signup form to be very light on resources, with the absolute minimum of everything - an index page explaining what is going on, a get code page ( and or installer download ), where we explain how the end user's server will be set up and why ( or they can download the installer and learn as they go, eventually ) and a statistics page, but not personal data, just numbers, how many sites monitored etc, a howto page where we explain how to optimally set up the various checks you can make, and lastly a support page to ask questions ...

@Kurt
Look at my last paragraph of the last for the sort of thing that's in me head ...
 