Aldryic C'boas

You're all doing it wrong.

26 posts in this topic

Hello,

 

Well, I must say that your well-written article just revived me from the desperation I see from all these 1$/mo VPS providers.

Thank you so much for this valuable info.

 

Highest Regards

Mohammed H

1 person likes this


Great insight and helpful. Thanks.

1 person likes this


Your words flow like beautiful water down a stream.

tldr: sexy

3 people like this


Waiting to respond is a great piece of advice. I have learned to do that over time. I write out what I want to say initially, work on something else for a while, come back, and strip out all the potentially unprofessional bits. Assume that whatever you tell a client in a ticket will end up on WHT, and you'll keep an even keel.

1 person likes this


I smiled at this post :)  Good one.

 

My rule continues to be, anyone who calls himself / herself / itself an expert needs a serious timeout. Expert status is something given by the public at large over time, long after you are good at what you do. Expert isn't some sales enhancer. Quite the contrary. That term strikes seasoned business folks as ego bloat, lies or simply deception. Who truly wants to work with an expert?

 

I regularly see the term EXPERT thrown about.  Way more than I recall in decades past.

 

There are some talented folks out there in VPS and hosting land.  Some genuine bad ass ninja skill types.  Magicians behind the scenes.  But experts even there?  Only if they need to hawk some containers on ego push credit in their busted homemade marketing.

 

Pricing part hits home with me.  Price is a custom thing based on what your spend is, on what your staff costs and on what end of accounting you find acceptable to live off of.   

 

Too many, meh, almost every lowend company peeks at the competition's pricing matrix and self adjusts, barely. This approach is a very bad one. Work on justifying the right price with actual features, benefits, real resources. This is to say your pricing should be built backwards from the end profit goal.

 

Software and development, yes big big hole in most shops.  They are left to buy prebuilt modules for everything.  It gets ugly and code insecurity and non-familiarity with things is high risk.  Development costs money and time cycles.  So it's pay someone to come on board, develop the skills yourself or continue to run blindly.

 

Solid reference piece from Ald though.   Time to convert it into a checklist :)

1 person likes this


Very well written as always. :)

 

Just one point to add with Fraud and Abuse. There is much you can do in this area, never just accept loss. Try and think outside the box, you can often find patterns or methods to mitigate risk. Unfortunately this is a bit of a 'closed' strategy (only effective if others don't know what you are doing) but it can be very effective if you can afford the time to come up with an effective solution. Don't just do a standard WHMCS + Maxmind, or similar solution, you can trust people out there know the weaknesses of such solutions. Think it through based on the abuse you have seen in the past, and work out how to mitigate the risk (e.g. as Aldryic said manual review, requirements for client details to be residential address).

 

"It's not easy to create in-house platforms (as an increasing number of people are finding out - the hard way)"

 

At X4B our billing & management systems are entirely in-house. Our primary motivation for this was security & secondarily flexibility (PAYG/Cloud style billing in WHMCS is a mess). Whenever I see a newish provider stating they have their own in-house billing system, or in-house VPS control panel I immediately cringe as the result (unless they are a large / established company they probably can't afford it). I know I am the pot calling the kettle black, but it's a huge cost / risk - I would know.

 

Developing such a system is not for the weak of heart. While I don't regret the approach we took (rarely even for a moment), I certainly have a lot more respect for what WHMCS does than what I did to begin with. For example, one of our biggest upgrades has been worked on for what is now 3 months. The upgrade is to implement an invoicing system (which WHMCS provides). That is the separation of service, from billing. Even invoicing is deceptively simple, there are many edge cases (upgrades, cancellations, overdue, payment when overdue).

 

Any company who undertakes this while selling $4/1G VPS's is setting themselves up for a world of hurt. Software development is definitely a big cost (especially if you don't have the expertise / cheap labour to do it in-house).

 

Note for those curious - the code is complete; testing is currently being performed with the intention of rolling out the (complete) system for the start of the financial year. Bits and pieces may be seen before then.


 

It's not easy to create in-house platforms (as an increasing number of people are finding out - the hard way)

 

I wouldn't say it's hard. More time consuming than anything else, at least in my experience. It requires skill obviously, it's going to take an extremely long time to finish complete in-house solutions. Especially if you're small and don't have an army of developers behind you. Most people don't have that kind of time and/or money. A few years ago I made a lightweight WHMCS clone out of ASP.NET in a span of a month because I had a lot of time on my hands. That was when I was just discovering programming. So the task in itself isn't really difficult. Just out of reach for most due to lack of time or money, or both.

1 person likes this


The problem with in-house platforms is vulnerabilities which would require a lot of security testing.

Panels like Solus and Virtualizor also faced this when they were launched after security tests which was most probably more than what you can do on in-house platforms.

Even if you are coding everything right, most likely there will be a few of them, so I prefer to stick with third party apps with modifications to be on the safe side.

 

Nice thread by the way.

1 person likes this


Very well written. I completely agree with writing every response as if it were to be posted on WHT or other forums. Professionalism is becoming harder to come by these days!


The problem with in-house platforms is vulnerabilities which would require a lot of security testing.

Panels like Solus and Virtualizor also faced this when they were launched after security tests which was most probably more than what you can do on in-house platforms.

Even if you are coding everything right, most likely there will be a few of them, so I prefer to stick with third party apps with modifications to be on the safe side.

 

Nice thread by the way.

 

No idea about Virtualizor, but the code quality of SolusVM is absolutely atrocious - easily some of the worst PHP I've ever seen. The issues with SolusVM largely stem from poor developer habits.

 

If you use a reasonable platform (not PHP), abstract things correctly, are aware of the different (applicable) types of vulnerabilities, and follow strict code quality/cleanliness guidelines, there's no reason why your code would contain any of the usual types of vulnerabilities. See also defensive programming.

1 person likes this


The problem with in-house platforms is vulnerabilities which would require a lot of security testing.

Panels like Solus and Virtualizor also faced this when they were launched after security tests which was most probably more than what you can do on in-house platforms.

Even if you are coding everything right, most likely there will be a few of them, so I prefer to stick with third party apps with modifications to be on the safe side.

 

Nice thread by the way.

Well, I will have to disagree with you. Sticking with 3rd party apps is dangerous too since its source code is available (even if it's encrypted, it can be decrypted). And when the source code is available 0days will be too, while in-house platforms with good programming habits are more secure (at least when its source code is not disclosed).

What happened with me and a lot of providers out there due to WHMCS exploits in the past years was all because of this sticking 3rd party sh*** encrypted apps (even though I still use them) but eventually I will develop my own.

 

Highest Regards

Mohammed H

1 person likes this


Even with in-house developers you always have rogue employees or developers that can cause issues with security. The best way to lock down the system is with the network: you know what IPs need to access what data, all else should be denied, and the issue is resolved. Admin areas, billing portals, servers in general: if you lock down the network (i.e. transparent filters, firewall, ACL), software programs that try to communicate will not be able to unless allowed. One security issue is resolved with this method.

 

Having developers add your own skins or portal on top of WHMCS or another control panel using an API is what some companies do to save money on developer cost and PCI compliance licenses; if you are attempting to build your own billing portal from the ground up this can get very expensive. Everyone is becoming a VPS host, LOL. I love some of the tickets and responses I see from shared hosting providers also. Best piece of advice I can give to anyone wanting to become a host, regardless of whether it's VPS hosting or some other kind of hosting: learn the systems from the ground up. Break the system as many ways as you can before making it live so you know what will happen. Always create backups of anything you want to keep. If your drive crashes or your site is hacked and you didn't set up backups, guess what? Must not have been important. Always create a backup of a file or system before making changes, and most important of all, if you're not sure, use Google or another search engine and do some research on it and keep documentation on it before committing to the changes you are attempting.

 

Besides that the article is well written and I wish the best to any and all hosts.

1 person likes this


PCI-DSS can be quite an issue.

I've done about 8 audits and they are quite picky about every single requirement.

But a lot of payment providers do handle payments PCI-DSS compliant - so as long as you do not store credit card information but tokens or uids you are fine.

But still a good example about things you easily forget when building your own stuff.


Well, I will have to disagree with you. Sticking with 3rd party apps is dangerous too since its source code is available (even if it's encrypted, it can be decrypted). And when the source code is available 0days will be too, while in-house platforms with good programming habits are more secure (at least when its source code is not disclosed).

What happened with me and a lot of providers out there due to WHMCS exploits in the past years was all because of this sticking 3rd party sh*** encrypted apps (even though I still use them) but eventually I will develop my own.

 

Highest Regards

Mohammed H

 

No, that's not how it works. That's a perfect example of security through obscurity, which isn't actually security.

 

Your code should be secure from a purely technical point of view. If you need to hide your code to keep it 'secure', there is almost certainly something wrong with your code, and somebody will eventually find it, whether you're aware of that or not.

1 person likes this


Thanks for pointing things out that I have never considered.

 

Overall it was very well written and everything was stated correctly.

 

Thank you


This is a very informative thread. Thank you for the contribution!


Very good read, feels good to let it off your chest, doesn't it?
