LimestoneNetwork: Regarding Their TOS
Aug 10, 2008
Moderator update: By request of the thread starter this is being modified to show as resolved and that there was a communication breakdown. Please see: [url]
I posted a thread in the LimestoneNetwork forum; it was deleted by LSN's staff. So I'm reposting here:
Quote:
Originally Posted by intel352
[EDIT]TO PREFACE: The server in question is an x64 CentOS 5 install, and in short, the server was set up on a Saturday, and compromised by the following Thursday[/EDIT]
I referred a client to Limestone, based on my own personal experience with my server from Limestone.
He promptly ordered a server, and today (Saturday) would mark 1 week from the date his server was activated (8/2).
The server activation email stated that the firewall had been activated for his security. WHM/cPanel was installed on the server as well.
My client immediately set up his own domain, and the domain of a client of *his* on the box. I then proceeded to assist with setting up a new website for the latter domain, and attempted to help troubleshoot errors resulting from a bad named.conf file, as well as trying to get the hostname sorted out.
Before we could proceed further, on 8/7, my client reported issues with his POP email on the new server, quoting an error message regarding MTA, and then later notified me that he had been sent an email notification regarding SPAM occurring from one of his IP addresses.
Now, I have no clue what happened, as he reported this issue to Limestone, and immediately his server was apparently seized, locked down, wiped, and his account was terminated. He tried to contact Limestone on multiple occasions to find out what was going on, and met silence, until around 1pm on 8/9 (today). That was when he was notified that his hard drive had been wiped, which of course prevents us from finding out who/what penetrated the box, any history of what or how anything occurred, the ability to restore any data lost, etc.
While the Terms of Service state that a client is responsible for all actions on his own server, including spam, etc., I would have thought Limestone would at least have presented an interest in finding out how/why the server was compromised, in addition to keeping an active communication with the customer, in addition to at least providing the customer the *ability* to retrieve files from the hard drive before erasure.
[DIGRESSION]
This apparent policy by Limestone has me VERY concerned that if I were to host clients on my OWN server, what happens if it becomes compromised, and Limestone proceeds to wipe my CLIENTS' data without notification, without attempting to let me retrieve my data, etc.? Quite likely that would result in a lawsuit against me, which I would then promptly pass upwards in a lawsuit against Limestone. But that's speaking hypothetically. I mention this point specifically, as I'm hoping Limestone will review their policy for future clients, to at least take a server offline for security, but *preserve the data*.
[/DIGRESSION]
Back to the topic, I am now wondering how secure a server is that Limestone provides to their client?
My client was by no means a Linux guru, so granted, he likely should not have been managing his own server. But I personally would expect that the server by default is *up to date* when provided, and the firewall is provided in a secure state (otherwise, what's the point of activating the firewall) by default.
Since I know my client wasn't technically savvy enough to have disabled any part of the firewall, then my ultimate question to Limestone is, how [in]secure is a server that is put online by Limestone? What if a lack of effort towards base security (which at least would be expected, as then when you hold the client liable for all actions of his server, you at least know LSN has no blame to bear, due to providing a properly secured server from the start), is actually to blame for this compromised server?
This incident has shaken my faith in Limestone, and reflects poorly on me, as I'm the sap that referred my client to Limestone in the first place.
I patiently await Limestone's response.
Sincerely
Jon Langevin
current client of LSN, left feeling shaky and insecure...
Follow-up post:
Quote:
Originally Posted by intel352
It appears Limestone didn't follow their own policy regarding handling of spam and/or a compromised server...
Quote:
Originally Posted by Limestone TOS
Spam/Bulk Email Policy
SPAM complaint procedure:
* Identify the server the spam was initially sent from (via IP)
* Create a comprehensive list of the spam complaints associated with the server in question.
* An instance of a spam complaint is defined as one marketing E-mail.
* An Abuse Notification may, and typically will be, comprised of numerous spam complaints.
First Spam Abuse Notification (Limestone -> Client):
* Provide the Abuse Notification to the client, and assess a $25 fine. Failure to pay the fine within 24 hours may result in service interruption, due to suspension.
* After three Abuse Notifications are issued service may be subject to termination, as well as ineligibility to order any future servers.
* If an IP range or IP address has been black-listed as a result of a spam complaint, Limestone Networks will issue a fine of $200 and may terminate the service.
* Upon receiving complaints, Limestone Networks will notify the client by issuing an abuse notification.
  o On the first notification, Limestone Networks will warn the client, as well as issue a $25 fine.
  o On the second notification, Limestone Networks will issue a fine of $25.00 per complaint received, with a maximum of 5.
  o On the third complaint, Limestone Networks will terminate service as well as issue a fine of $25.00 per additional complaint received, with a maximum of 10.
* Compromised Servers Issued Spam Notifications: If Limestone Networks suspects that a client's server has been infiltrated in an effort to send Spam/Bulk e-mail, Limestone Networks will offer the following options:
  o Offer a free Operating System reinstallation, setting the configuration back to the original state it was provisioned in.
  o If Operating System reinstallation is not accepted as an option, Limestone Networks may offer to manually retrieve/repair the files on the server, at a fee to be assessed and paid prior to any work being done.
  o On the second instance of server compromise Limestone Networks reserves the right to terminate the client's services.
If any Spam complaints are disputed, and fines wish to be disregarded, full logs, as well as any requested information must be provided within 24 hours of the initial Abuse Notification. Failure to dispute, or provide required information within the 24 hour time period is acceptance of the notification, and all fees associated with it.
I just heard from my client; he said Limestone won't tell him how the server was hacked, they say they suspended his account due to spam (again, against their TOS).
So now he's going to issue a chargeback, and get a server elsewhere...
Limestone has REALLY done a poor job handling this situation...
