How do you stay up-to-date on vulnerabilities, monitoring, etc.

Live Free

Has the definition of fully managed changed over the last few years in the hosting industry?

I’ve been with my current provider for maybe 7-8 years. I would assume I’d be getting what I signed up for... which back then explicitly included security patches, basic configuration and optimization, making sure your core software was up to date and you weren’t running an obsolete version of PHP...

I guess I’ve been asleep for ten years, because today it looks like fully managed means if you have a specific request and need help updating something basic like php, sure, give us a call...

I don’t really want help upgrading basic software I can do myself upon request or automatic upgrading of CentOS that requires zero of their time/resources.

What I want is a hosting provider who upgrades essential components when they’ve reached their EOL, who will patch known vulnerabilities automatically, and who won’t let me continue to lease slow, obsolete hardware they no longer even offer at the same price I could get twice the horsepower...

Sorry for the rant.

1. Fully managed, in today’s market, means OS Upgrades and automated processes, support upon request only.

2. Are there providers who will handle things like known vulnerabilities and PHP/Apache EOL updates without request?

3. In today’s complex environment, particularly with the growing frequency of vulnerabilities and exploits, how does a non-sys admin stay up-to-date on patches, let alone find the time?

My host announces vulnerabilities and provides instructions to patch major vulnerabilities in their blog. Who checks their web host’s blog every day? Sometimes they post bulletins for critical updates to their infrastructure, but they expect customers paying for their highest level management plan to keep up with and update patches themselves.

Yes, I’m aware they’d probably do it if you ask them each and every time. But that’s not the point.

/End Rant.

What I’d really like to get out of this thread: how do you stay up-to-date with every major known vulnerability and necessary server updates as a tech-interested but non-sys admin user, on a managed hosting plan.

Do I really have to spend 20-30% of my project time on these issues?
 
> how do you stay up-to-date with every major known vulnerability and necessary server updates
Using WHM / cPanel, with automatic updates turned on. This means that every night, the server will auto update to the latest versions of everything. For MySQL, it auto updates to the latest minor version within your branch (e.g. MariaDB 10.2 or MySQL 5.6). For PHP, it's the same.

If there's a major news story (Heartbleed), and even just once every now and again, I manually run yum update on the server just in case there's a kernel update that wasn't auto applied, and I log in to WHM every now and again in case a kernel update necessitates a reboot or there are new WHM / cPanel features I need to configure.

> on a managed hosting plan.
I don't use a managed hosting plan, because if you're comfortable with using the CLI (even if it's just comfortable following instructions written by others) it's a waste of money.


Fillip
 
You have pretty much a wrong definition of "managed" - or I just never experienced what you expect from "managed". Never seen a host who would take the responsibility for my custom code.
> 2. Are there providers who will handle things like known vulnerabilities and PHP/Apache EOL updates without request?
I hope not, because it would be stupid and in a lot of cases, if not even in most cases, a breaking change. This needs to be communicated. Probably no host will include upgrading your custom software you have installed (e.g. XF). That's what maintenance services are for.
> 3. In today’s complex environment, particularly with the growing frequency of vulnerabilities and exploits, how does a non-sys admin stay up-to-date on patches, let alone find the time?
Get a specialized service for that. Yes, that costs a lot more than a "managed" server, but you are asking for way more as well.
Or get a shared hoster. Or even a webhosting. At the end of the day, it just matters how much you are willing to pay.
You could even ask your managed hoster if he could install minor and patch releases without you asking for that. Some will do that, some will do that on a monthly basis, some just won't.
 
There are 2 forms of managed hosting

1. proactive
2. reactive

The problem you mention with managed hosting is that the majority are reactive based and hence much cheaper than proactive managed hosting. Though even a lot of proactive managed hosts don't go as far for some aspects.

It's why for my own Centmin Mod LEMP stack users on official community forum/social media followers, I also keep them informed of more critical security updates for linux/kernel, centos, nginx, php and mariadb mysql via dedicated forums at https://community.centminmod.com/categories/software-news.17/ :D

i.e.
End result is I am pretty much on top of everything relevant to my needs/Centmin Mod and I do pass the most critical update news onto my Centmin Mod LEMP stack users. For past 16+ years I have used unmanaged hosts - currently use around 30+ web hosts for various servers 95% are Centmin Mod LEMP based (past 7+ yrs) and 5% cpanel/WHM :) Though I am a control freak, so letting other folks do what I can do better myself is a difficult task :LOL:

As the saying goes, if you want something done right either do it yourself or pay the right someone to do it for you :D But a certain amount of self reading/upkeep is probably necessary as how else would you know if the person you paid is doing it right?

No one has ever been at a disadvantage in reading and learning more in terms of knowledge :)

I suggest you set up your own custom Slack channels and start importing RSS feeds for software/news you want to track. Very useful :)
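
The RSS-into-Slack suggestion above, sketched as an added example that is not from any poster in this thread: it filters a feed down to the software you actually run, flags security items, and builds the JSON body a Slack incoming webhook accepts. The feed content, keyword lists and function names are constructed assumptions; fetching the feed and POSTing to your webhook URL are left to the caller.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample feed (not real advisories), standing in for a fetched RSS document.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed software news</title>
<item><title>PHP 7.x security release</title><link>https://example.invalid/php</link><guid>a1</guid></item>
<item><title>Forum theme contest winners</title><link>https://example.invalid/theme</link><guid>a2</guid></item>
<item><title>Nginx stable update fixes a vulnerability</title><link>https://example.invalid/nginx</link><guid>a3</guid></item>
<item><title>MariaDB maintenance release</title><link>https://example.invalid/mariadb</link><guid>a4</guid></item>
</channel></rss>"""

TRACKED = ("kernel", "centos", "nginx", "php", "mariadb", "mysql")  # assumed: software you run
URGENT = ("security", "vulnerab", "cve", "critical")  # assumed: words marking an urgent patch


def parse_items(rss_text):
    """Return [{'guid', 'title', 'link'}, ...] from an RSS 2.0 document."""
    # Feeds are untrusted input: refuse DTDs so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in rss_text or "<!ENTITY" in rss_text:
        raise ValueError("feed contains a DTD; refusing to parse")
    items = []
    for item in ET.fromstring(rss_text).iter("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        guid = (item.findtext("guid") or link).strip()
        items.append({"guid": guid, "title": title, "link": link})
    return items


def new_alerts(items, seen):
    """Keep unseen items that name tracked software; flag urgent ones. Updates `seen`."""
    alerts = []
    for it in items:
        low = it["title"].lower()
        if it["guid"] in seen or not any(t in low for t in TRACKED):
            continue
        seen.add(it["guid"])
        alerts.append(dict(it, urgent=any(u in low for u in URGENT)))
    return alerts


def slack_payload(alerts):
    """JSON body for a Slack incoming webhook (sent as application/json)."""
    lines = [("[URGENT] " if a["urgent"] else "") + a["title"] + " " + a["link"] for a in alerts]
    return json.dumps({"text": "\n".join(lines)})


if __name__ == "__main__":
    seen = set()  # persist between runs (e.g. a small file) so items are not re-posted
    print(slack_payload(new_alerts(parse_items(SAMPLE_RSS), seen)))
```

Run it from cron against each feed you follow, and keep the `seen` set on disk so a nightly run only posts what is new.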
 