Welcome to the JaguarPC Community

This is a discussion on Just a thought... in the Open Discussion & Chit-chat forum

  1. #1
    JPC Member
    Join Date
    May 2003
    Posts
    28

    Post Just a thought...

    I think it would be more useful to put the network status monitor on a non-protected / restricted page, just like it was a few months ago.

    It is a little annoying to type a username and password when you only want to see if the server is having any problem.

    What do you think?

  2. #2
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Personally, I like it the way it is. Typing a username and password is a small price to pay for this modicum of security. I judge it to be a fair trade-off...
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  3. #3
    JPC Member
    Join Date
    May 2003
    Posts
    28

    But at least...

    ...it could be implemented with an option to use cookies to store information (user and password), with the user being the one who decides whether to use this option (use cookies or not).

    This interest is because I check the server status so often (mine is Neutron) to make sure all services are O.K., and it is quite annoying to enter the username and password 5 times a day.

    On the other hand, I do not think that viewing the server status can cause any security issues, because you are only viewing an On / Off option, not server / services configuration or any other information.

  4. #4
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    Actually, having open access to the server status is a security risk because you are advertising the names of the servers to the world. In order for a hacker to get to a server, he (or she, but most are males) has to know where to look. He also has to have some idea about what's running on the server. There are a number of brute-force approaches he can take to get this such as trying random domain names or random IP addresses, but chances are that this approach will be futile. Think about all of the IPs out there--most will connect to routers, servers that run things the hacker isn't looking for, and users' PCs (home or office). Anything connected to the 'net runs the risk of being hacked, but the risk can be lessened by not advertising it.

    JPC lists a lot of info about their servers on various places on their site. They do this to attract customers. As a "power user" I want to know exactly what I'm getting before I sign up for hosting. If a host didn't disclose the OS, HTTP server, and other tools (such as PHP version, MySQL, etc) they were running, I wouldn't give them a second look. When they make the server name list available as well they are giving hackers a free ticket into the server. "Server xyz is running Apache, PHP 4, MySQL--come and get it..."

    Granted, this isn't the only way a hacker can get in. In many cases it's possible to do it through our very public domain names (we don't want to hide them because they bring us business, but they can also bring hackers). Again, anything that's connected to the Internet is vulnerable to hacking, but there are many precautions that can be taken to limit the risk, and not publishing the list of server names to the general public is one of those precautions.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  5. #5
    JPC Member
    Join Date
    May 2003
    Posts
    28
    O.K. Jason. I understand the security risks that the public information can cause.

    But, how about using cookies? This can meet the two targets:

    1. Server names and services status are in a protected area
    2. Users do not have to type the same username/password again and again

    Technology is out there to solve these little points. This way, machines and users are both happy.
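
One way to meet both goals listed in post #5 without placing the username and password themselves in the cookie, shown as an added example that is not part of the thread and not JaguarPC's code: a random, single-use "remember me" token whose hash is kept server-side and which is rotated on every use. The `RememberMeStore` class, the `remember` cookie name and the 30-day lifetime are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 30 * 24 * 3600  # assumed lifetime: 30 days, in seconds


class RememberMeStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self):
        self._rows = {}  # selector -> (username, sha256(validator), expiry)

    def issue(self, username, now=None):
        """Create a cookie value after a successful password login."""
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(9)    # lookup key, not secret
        validator = secrets.token_urlsafe(32)  # secret, only its hash is stored
        digest = hashlib.sha256(validator.encode()).digest()
        self._rows[selector] = (username, digest, now + TOKEN_TTL)
        return f"{selector}:{validator}"

    def redeem(self, cookie, now=None):
        """Return (username, new_cookie), or (None, None) if the cookie is invalid."""
        now = time.time() if now is None else now
        selector, sep, validator = cookie.partition(":")
        # pop() makes every token single-use; a failed attempt also revokes it.
        row = self._rows.pop(selector, None) if sep else None
        if row is None:
            return None, None
        username, digest, expiry = row
        presented = hashlib.sha256(validator.encode()).digest()
        if now > expiry or not hmac.compare_digest(digest, presented):
            return None, None
        return username, self.issue(username, now)  # rotate on each use


def set_cookie_header(value):
    """Cookie attributes that keep the token off plain HTTP and away from scripts."""
    return ("Set-Cookie: remember=%s; Max-Age=%d; Path=/; "
            "Secure; HttpOnly; SameSite=Lax" % (value, TOKEN_TTL))
```

The cookie carries no password, so a stolen cookie or a leaked token table does not reveal the account credentials, and deleting the server-side row revokes the saved login.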

