Readers know that I’ve been a longtime supporter and have given high praise to my (now former) web host, NearlyFreeSpeech.Net. I’ve supported them because they do fair usage-based-billing in a market of “unlimited” that’s really limited, because I’m a big fan of their stand against SOPA, on content neutrality, and other matters of libertarian ethics, and because they have legitimately smart engineers running their T1 support.
During this time, I’ve overlooked a couple of bad policies, not the least of which is running PHP in Safe Mode (which even according to the PHP people is “highly discouraged“), which has notably made me a lot less secure due to the bad workarounds I’ve had to implement.
To understand the rest of this story, you have to remember four things:
- I maintain this site from a git repository over SSH. See this post for the nitty gritty details.
- I maintain an open-source build server that watches my repositories for changes, including my websites. This script would try and open an SSH connection about once every 5 minutes for a session that lasts about 1 second.
- This setup has remained essentially unchanged in all aspects of traffic and request throughput for at least the last three months, if not longer.
- During the time I’ve been doing this, their engineers have been rotating my SSH keys at my request on a regular basis, and presumably at any one of those numerous times would have notified me if there was a problem.
With that background established, picture the scene: another busy day of programming. Out of the blue, I got an e-mail:
We have been forced to remove your ssh keys due to abusive levels of unattended access. Please review our ssh policies to make sure your usage is permissible.
At this point I am thinking I am under attack or something. I respond with some general information about the fact that I use SSH to deploy and ask for a link to the policy.
Here is the full content of the policy:
What can I do if I want a script to run every so often on my site (like cron)?
There is a web service that many of our members have been able to use successfully, www.webcron.org, that will enable you to set up periodic requests for a page on your site. By making that page a script, you can achieve the same effect. Note that this service now charges a few dollars per year as of October 2008.
We do not presently support this feature ourselves, because our shared hosting environment is highly dynamic, meaning that when no one is looking at your site, it “isn’t there.” This means that there is nowhere for cron to run. We do plan to add a similar feature in the future, but until we do, we are very grateful to webcron.org for offering this free service.
While we allow limited usage of this nature, please remember that our service is not designed for continuous automated access, and we take a dim view of excessive resource usage. Please exercise good judgment in your use of this type of automation.
As of October 2008, we are aware that webcron is no longer offering their free service to new users. We are working on an alternative and will post more information on our blog as soon as it is available.
I read this to mean “We actually encourage finding some way to do this! Just don’t bug support about it and don’t use a lot.”
The problem is that what constitues a lot is subjective. In case somebody is googling for this and is wondering what the soft limit is, a one-second session every five minutes is too much.
The engineer went on to say:
We do not allow automated processes of any sort. Our Terms & Conditions of Service also prohibit disruptive activities, and this certainly qualifies.
This isn’t at all true–they encourage automated processes! They’re building this very feature into their panel. They just “take a dim view of excessive resource usage.” Whatever that means.
And it’s a perfectly fine thing to decide that they don’t want all of my SSH traffic, even if it’s out of the blue. That is entirely their decision to make. But what I would expect in this situation is:
Hey, we just realized you are hammering our SSH server. I know you’ve been doing this for awhile, and it seemed OK, but please stop. You can either tone it down to X or migrate to another host over the weekend.
That’s a perfectly reasonable reaction and it gives me enough time to plan a sane migration. But it’s not what they said. When I apoligized and offered to move in a few days:
You’re right, [my SSH use] does seem pretty excessive… I’m in the process of migrating everything to a dedicated box so that I’m out of your hair. I totally understand why you took action, but I would have appreciated a 48-hour “heads up” on this so that this wasn’t out of nowhere for me and I could have planned the migration properly.
Here is what they had to say:
The question is not one of “usage” it is of abuse. You were doing something that is not allowed at all, and you did it to such an extent that you were literally over half of all ssh activity this past week. I’m sorry, we’re not in a position to give someone 48 hours of notice when we discover abuse of that scale. We did take the mildest possible action (removing the keys) to stop it, and naturally we notified you immediately. We stand behind our actions in this matter.
“Not allowed at all” is pretty strong language for something that I can find neither in their ToS or their FAQ (it is a big FAQ, I could be missing it…) And “abuse” is a strong word for something that has gone undetected for over a quarter, and that their engineers have actively participated in rotating my SSH keys multiple times to enable.
And that, I’m afraid, is the end of that relationship. As much as I’d really like to like them, you can’t run any kind of business when your web host is in “reactive, kill first ask questions later” mode rather than pro-active “This seems like a lot of usage to me, let’s send an e-mail” mode. (Not to mention that their PHP config is an enormous bag of hurt that has cost me many hours.)
For about the same amount of money (perhaps even cheaper, it’s hard to compare) I’m now running on Linode, where the pages load faster, where I get dedicated CPU time, and where safe mode is disabled. If it can handle superfeedr (which has some kind of counter on their site that goes up to 13 billion), patio11, Mono, pixlr, lowendbox, and a metasploit author, I’m pretty sure that some guy and his five-minute cronjob are not going to constitute half of their traffic.
Want me to build your app / consult for your company / speak at your event? Good news! I'm an iOS developer for hire.
Like this post? Contribute to the coffee fund so I can write more like it.
Comments
Comments are closed.
Tags 
- Subscribe via e-mail
Have you looked into Amazon’s EC2?
Also, “reactive, kill first ask questions later” seems to nail down the recent US foreign policy pretty well.
cite. I don’t scale in any meaningful capacity. A well-tuned lighttpd server with 256MB of RAM can easily sustain traffic the likes of the HN front page. You have to be serving a lot more expensive pages than I do to need that kind of power.
You were more than reasonable. One ssh session every five minutes might be unusual among their customers, but it does not represent any significant use of computing resources.
They are being ridiculous and technically absurd. Do they also rate limit your websites to one request per minute, or one per five minutes for SSL?
I always run my own servers, but I’ve heard good things about linode. Honestly though, I am pretty sure no other hosting co that offers shell access would give you any static about such a trivial thing.
I just have to chime in on this. I still use NFS.N for some stuff, but only because they happen to fill most of my important criteria where many others have failed and, frankly, because I can’t afford a dedicated server at the moment. Their web interface is a dream to work with, but the staff, while certainly in the know, are, for lack of a better word, downright bitchy if you happen to wrong them even slightly. Which isn’t at all a hard thing to do.