Readers know that I’ve been a longtime supporter and have given high praise to my (now former) web host, NearlyFreeSpeech.Net. I’ve supported them because they do fair usage-based-billing in a market of “unlimited” that’s really limited, because I’m a big fan of their stand against SOPA, on content neutrality, and other matters of libertarian ethics, and because they have legitimately smart engineers running their T1 support.
During this time, I’ve overlooked a couple of bad policies, not the least of which is running PHP in Safe Mode (which even according to the PHP people is “highly discouraged”), which has notably made me a lot less secure due to the bad workarounds I’ve had to implement.
To understand the rest of this story, you have to remember four things:
With that background established, picture the scene: another busy day of programming. Out of the blue, I got an e-mail:
We have been forced to remove your ssh keys due to abusive levels of unattended access. Please review our ssh policies to make sure your usage is permissible.
At this point I am thinking I am under attack or something. I respond with some general information about the fact that I use SSH to deploy and ask for a link to the policy.
Here is the full content of the policy:
What can I do if I want a script to run every so often on my site (like cron)?
There is a web service that many of our members have been able to use successfully, www.webcron.org, that will enable you to set up periodic requests for a page on your site. By making that page a script, you can achieve the same effect. Note that this service now charges a few dollars per year as of October 2008.
We do not presently support this feature ourselves, because our shared hosting environment is highly dynamic, meaning that when no one is looking at your site, it “isn’t there.” This means that there is nowhere for cron to run. We do plan to add a similar feature in the future, but until we do, we are very grateful to webcron.org for offering this free service.
While we allow limited usage of this nature, please remember that our service is not designed for continuous automated access, and we take a dim view of excessive resource usage. Please exercise good judgment in your use of this type of automation.
As of October 2008, we are aware that webcron is no longer offering their free service to new users. We are working on an alternative and will post more information on our blog as soon as it is available.
I read this to mean “We actually encourage finding some way to do this! Just don’t bug support about it and don’t use a lot.”
The problem is that what constitutes a lot is subjective. In case somebody is googling for this and is wondering what the soft limit is, a one-second session every five minutes is too much.
The engineer went on to say:
We do not allow automated processes of any sort. Our Terms & Conditions of Service also prohibit disruptive activities, and this certainly qualifies.
This isn’t at all true–they encourage automated processes! They’re building this very feature into their panel. They just “take a dim view of excessive resource usage.” Whatever that means.
And it’s a perfectly fine thing to decide that they don’t want all of my SSH traffic, even if it’s out of the blue. That is entirely their decision to make. But what I would expect in this situation is:
Hey, we just realized you are hammering our SSH server. I know you’ve been doing this for a while, and it seemed OK, but please stop. You can either tone it down to X or migrate to another host over the weekend.
That’s a perfectly reasonable reaction and it gives me enough time to plan a sane migration. But it’s not what they said. When I apologized and offered to move in a few days:
You’re right, [my SSH use] does seem pretty excessive… I’m in the process of migrating everything to a dedicated box so that I’m out of your hair. I totally understand why you took action, but I would have appreciated a 48-hour “heads up” on this so that this wasn’t out of nowhere for me and I could have planned the migration properly.
Here is what they had to say:
The question is not one of “usage” it is of abuse. You were doing something that is not allowed at all, and you did it to such an extent that you were literally over half of all ssh activity this past week. I’m sorry, we’re not in a position to give someone 48 hours of notice when we discover abuse of that scale. We did take the mildest possible action (removing the keys) to stop it, and naturally we notified you immediately. We stand behind our actions in this matter.
“Not allowed at all” is pretty strong language for something that I can find neither in their ToS nor their FAQ (it is a big FAQ, I could be missing it…) And “abuse” is a strong word for something that has gone undetected for over a quarter, and that their engineers have actively participated in rotating my SSH keys multiple times to enable.
And that, I’m afraid, is the end of that relationship. As much as I’d really like to like them, you can’t run any kind of business when your web host is in “reactive, kill first ask questions later” mode rather than pro-active “This seems like a lot of usage to me, let’s send an e-mail” mode. (Not to mention that their PHP config is an enormous bag of hurt that has cost me many hours.)
For about the same amount of money (perhaps even cheaper, it’s hard to compare) I’m now running on Linode, where the pages load faster, where I get dedicated CPU time, and where safe mode is disabled. If it can handle superfeedr (which has some kind of counter on their site that goes up to 13 billion), patio11, Mono, pixlr, lowendbox, and a metasploit author, I’m pretty sure that some guy and his five-minute cronjob are not going to constitute half of their traffic.