Apache upgrades, No more Telnet, no more Frontpage Extensions!

Posted (August 13th, 2008 at 4:03 pm PST) by Patrick

The winds of change are blowing! Starting next week, we will begin to phase out telnet and Frontpage, as well as upgrade Apache services to Apache 2.2 (from Apache 1 and Apache 2).

If you are still using telnet to connect to a shell, you should immediately switch to SSH. For information on SSH and how to use it with DreamHost, see this wiki article.

As we posted back in June, Microsoft has discontinued Frontpage, which means we have no way to support its extensions in Apache 2.2.

- Whatever extensions you have will stop working.
- You will no longer be able to upload your site within Frontpage using Frontpage Extensions. You will need to use an FTP client instead. You can find information on FTP clients here. Note that Frontpage does have a built-in FTP client that you can use as well. Instructions on using Frontpage as an FTP client can be found here.

If you have any questions or concerns, please contact support.

This entry was posted on Wednesday, August 13th, 2008 at 4:03 pm and is filed under General Outages. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

37 Responses to “Apache upgrades, No more Telnet, no more Frontpage Extensions!”

W00t! No more scummy FrontPlague! Also Telnet has become a double-plus ungood - SSH muchly more betterer!

Disabling telnet is a problem for those of us who occasionally reside behind firewalls that block SSH (SSH prohibited by security policy).

I feel sorry for anyone who might be relying on it, but I’m ultimately glad they’re taking out the trash regarding frontpage. Garbage like that creates HTML coding nightmares.

@Marty - blocking ssh for security policy makes about as much sense as making people walk around naked to make sure that they aren’t hiding anything. Whoever instituted that policy is remarkably stupid. Either that, or you’re working somewhere where you probably shouldn’t be working on your blog while you’re at work.

The biggest question is WHY ARE YOU LEAVING FTP ENABLED IF YOU ARE DISABLING TELNET?! There are plenty of free SFTP programs out there, and if you are disabling telnet for security reasons, why on earth would you leave FTP open, when it has the exact same security issues?!

SFTP is much slower than FTP .. I have benchmarks to prove it

If I do not have my own trusted computer, then I would not use SSH/SFTP, because on a public computer, one is exposed to MIM attacks. So, for situations like this, I set up a thoroughly limited FTP account, for a very specific and limited use, and would not want DreamHost to disable http://FTP.

In my opinion, security best practices should be taught to all users, and users of worse practices should be warned that they should know what they are doing, rather than limiting all users only to the “good” practices with no education to support the move.

A step in the right direction nonetheless, we can’t fault them for getting part of the way. Besides end users shouldn’t need DreamHost to force good security on them, they should already be practicing it, and shame on them if they fall prey. DreamHost making additional security improvements to help users is a pleasant addition.

I agree that removing FTP technically would be a good idea, but practically, lots of embedded devices and normal peoples’ software doesn’t support SFTP, so best to leave it.

Apache 2.2? Does this mean large file support?

I haven’t had a reason to distribute large files yet, so I wouldn’t know if there’s some patch for Apache 2.0 allowing large files which DH has applied…

Congrats on removing FrontPage extensions. People relying on FrontPage to publish web pages really shouldn’t be publishing web pages considering that it contributes to the huge amount of horrible code out there to begin with.

@Bootstrike - Speed isn’t as important as security (especially for shell access, rather than the end-user’s Web experience).

@TjL - I completely agree. FTP should be dropped, as well.

@Tom J Nowell - Yes, users should know better than to use telnet/FTP. However, in a shared environment, any poorly secured account increases risk for us all. Security is only as strong as the weakest link. That said, most security holes are probably via front-end Web services people have installed, not the back-end login. Hopefully DreamHost has configured the servers to isolate user accounts as well as possible.

I first thought that FTP should be dropped as well, but FTP can also be used to transfer files as guest and that alone puts FTP in a whole different category than Telnet and SFTP.

@Henrique Rodrigues - I’m interested in the feature you’ve mentioned. I’m not familiar with “guest” http://FTP. How is FTP used by “guest”? What is “guest”? Why can’t “guest” use sFTP?

@Nyhm - You can not use Anonymous FTP with SFTP or SCP. So FTP is a requirement for some individuals who are paying for said services. And with FTP having less overhead than HTTP you generally have increased speeds via http://FTP. Thus FTP is nice for those who are using the FTP to distribute files.

Telnet should in no way ever be used unless you are absolutely positively sure about the security of said server. Plaintext passwords within an FTP account are just as bad, however there’s no way around this unless you introduce FTP with TLS support. (Which few (good&free) clients for Windows exist. Linux & Mac are another story though :)

@Zach - Thanks for the explanation; now I see what H.R. was referring to. I can certainly see where Anonymous FTP would be important for sites distributing large files. Also, the security problems of FTPing to a shell account do not apply to Anonymous FTP, because the connection doesn’t have to be strongly authenticated or kept private.

I’m glad DH is taking positive steps toward providing a more secure service in general.

@Thomas: No, DH doesn’t support large (2+ GB) files at this time. I know this ’cause I uploaded a 3.79 GB file and it failed lol, so this 2.2 upgrade is GREAT for me! :D

(no I’m not THAT Josh)

Well, not failed, but failed to be served heh

my site is down

And I’m sure, it is because of this post, about stuff that will happen during the week! >.<

@Amir: SSH _prevents_ MiM attacks. Unless you ignore server certificates or your client is compromised (which can happen on an untrusted computer).

I tested the FPE this morning just to see if it was indeed no longer working. It isn’t. I then went ahead and used my FileZilla FTP client using the main administrative FTP account and connected to the site and - nothing. No files were visible except an old archive folder from a few years ago. That was pretty interesting. Why can’t I see the files using FTP? I could see them using FPE last Friday night (but not using FTP). So the “wait and see” attitude that was suggested to me has only confirmed my suspicion that waiting would not change anything. Someone on the DreamHost staff has got to check off the right permissions in the file attributes for us to see our files or we effectively have no rights to our own site.

While I’m sure security is vastly important for many types of financial, governmental and scientific/military type sites, if I’m posting pages they’re meant to be seen and read. Hundreds of millions of sites out there simply FTP their billions of pages up to their sites to be read. Personally, I back up all my sites every day in three places. This high security risk stuff is a bit too cloak and daggerish for me. The real security issue most often boils down to people using passwords like “maggie” and “stormy” and all sorts of other basic names and dictionary words that no amount of encrypted security measures are going to be able to address. The biggest security threat out there is called “User”… in Linux L-User or as one of my network engineering instructors used to like to say “Users are Lusers”.

I don’t like frontpage.

Frankly I don’t like Front Page either except as an editor to high-light certain code in a hurry from a view-source page I’ll save so I can copy/paste and modify it if need be for use somewhere else.

My problem is how come no FTP view file access rights on the domain my people expect me to work on? I keep trying using FTP and all I see is an old archive directory and its file contents - but all of the other directories that hold the actual files are showing up as empty, e.g. the files are there but none of the files are visible.

I KNOW that they’re there though because they were there Friday when I looked with Front Page - so why is it that they STILL don’t show up using FTP??? Don’t tell me DreamHost makes us pay EXTRA for the “privilege” of using http://FTP.

BTW - if you type in FTP as the last word in a sentence followed by a period, it translates as http://FTP (adds the http://)

Yeah, well what if your employer has a telnet gateway and no ssh gateway? Then how am I supposed to get a shell session from work? I was using pine for email from work so I don’t have to use the slow web email interface. And Motorola is not going to change their entire global network for one person. So I think it sucks. Is there a way maybe one machine can be left with telnet access and it only accept connections from known IP addresses?

Jeff- Try tunneling. My old ISP used to block SSH traffic (why, I dunno, it was stupid), so I had to do that. SSH is great about being able to get around blocks.

As far as the people wanting to ditch FTP, well, look at the number of people who use FTP compared to those who use telnet? Way more people. Also, telnet allows a bit more access to things (such as executing scripts and apps), whereas FTP is file maintenance only.

LOL and FTP is soooo secure. DUH.

Security is a good thing, and it’s great that DreamHost is moving in that direction. But on a shared server for as low as $6.00 / month, I don’t personally expect a hosting provider to push for huge leaps in behavioral / cultural change. FTP has been the layman’s de facto protocol for quite a while. Drop that, and you inconvenience a large part of your market share until awareness shifts. Even with FTP gone, there’s nothing to prevent a user from using a script with security holes. Protecting users from themselves is always a double-edged sword, and the only way to protect users from each other is limiting access to each other’s accounts and rationing resource usage.

@Bootstrike - Opening a locked door takes longer than opening an unlocked door. I can provide benchmarks.

Any reason why this font looks so horrible for me? Does everyone have problems reading this page? Or is FF3 screwing with it O_o

@L4: I use FF3 and it looks just fine. Maybe you don’t have a compatible font? What OS are you using?

@All: I do think this is a good step in the right direction. FPE has been a long target for server exploitation. Telnet is overall insecure. I used it in some extreme circumstances but as it stands I have an SSH server running here at home that I can route through now if I have to. In addition the Apache upgrade is welcome.

I just tried using telnet and can still log in. Why is that?

@LinkCannels: Can you still log in today? I just tried and it is blocking my connection as expected.

Who in their right mind would use telnet? Security breach waiting to happen.

 