User Software
Policies and Recommendations
Web Applications: Security Vulnerabilities

This concerns all users of CGI/PHP scripts. The exploitation of security problems in web applications is usually automated and rarely targeted at high-profile sites. Attackers use databases of known vulnerabilities to compromise websites indiscriminately and steal server resources. It is your responsibility to apply security updates to your third-party web applications.

Web Applications: Sending Mail

Web applications which permit a remote user to set an arbitrary recipient allow spammers to send junk mail on your behalf. Spammers have automated methods to detect and exploit such applications. It is easy for us to track down accounts that have been used to relay spam even through web applications, since our mail system will record the user ID of programs that have sent mail. We provide a supported mailer application, mail.fcgi. As with other csoft-cgi applications, it supports different layouts and languages. It uses an internal table to avoid revealing recipient addresses.

Web Applications: Hit Counters

CGI scripts whose sole purpose is to count page hits are not allowed. FastCGI applications are okay, as long as they do not establish any kind of network connection (e.g., a database connection) at every invocation. Counters like these are inaccurate, they slow down the loading of web pages, and they are unnecessary given Apache logs. Apache logs are fully accurate and do not waste resources.

In any case, always assume that your website will have to handle several hits per second. Even if it is low-profile, search engines can generate a flurry of hits at any time.

Web Applications: HTTP Error Handlers

We do not allow CGI or PHP applications for handling HTTP errors (such as 403 or 404). FastCGI applications are okay, again, as long as they do not establish network/database connections at every hit. HTTP errors are already logged to your ErrorLog file (which you have to enable from csoftadm).

Experimental Software

Whenever possible, we recommend that you test and debug experimental software on another system before deploying it on the master server. In some cases, it can be convenient to use a backup server to test experimental software. Since we provide redundant servers, you always have access to one or more backup servers containing a mirror of your files.

A wealth of tools are available to help with debugging and testing, such as top, ps/pstree, gdb and valgrind. For C and C++ applications, use of the -g flag is recommended even for production binaries (the debugging info is not loaded into memory; it only uses disk space).

Polling Applications

Any type of user application that runs persistently on the server should use some sort of synchronous I/O multiplexing such that the application does not use CPU unnecessarily when it is idle. Programming interfaces that allow synchronous I/O multiplexing include:

  • The select(2) and poll(2) interfaces.
  • The kqueue(2) interface (*BSD servers only).
  • The libevent library.
  • The Perl POE framework (select() and poll() are also usable from Perl).
  • The liboop library.
  • GLib's main event loop.
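As an added illustration (not code from this page or from the hosting provider), here is the shape of a persistent daemon loop built on poll(2): the process sleeps in the kernel until a descriptor becomes readable or a timeout elapses, so an idle daemon consumes no CPU. The WAIT_* codes and the wait_and_read() helper are this example's own names.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

#define WAIT_TIMEOUT  0     /* nothing arrived within timeout_ms */
#define WAIT_ERROR   -1     /* poll() or read() failed, or fd is invalid */
#define WAIT_EOF     -2     /* peer closed the descriptor */

/* Sleep in the kernel until fd is readable or timeout_ms elapses, then read
 * at most len bytes into buf. Returns the byte count (>0) or one of the
 * codes above. While blocked in poll(), the process uses no CPU at all. */
int wait_and_read(int fd, char *buf, size_t len, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc;
    ssize_t n;
    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc < 0 && errno == EINTR);     /* restart if a signal interrupted us */
    if (rc < 0)
        return WAIT_ERROR;
    if (rc == 0)
        return WAIT_TIMEOUT;
    if (!(pfd.revents & (POLLIN | POLLHUP)))
        return WAIT_ERROR;                  /* POLLERR or POLLNVAL */
    n = read(fd, buf, len);
    if (n < 0)
        return WAIT_ERROR;
    if (n == 0)
        return WAIT_EOF;                    /* POLLHUP with no buffered data */
    return (int)n;
}

int main(void)
{
    char buf[128];
    int n;
    /* A daemon loop: wake only when stdin has data, or every 30 s for housekeeping. */
    for (;;) {
        n = wait_and_read(STDIN_FILENO, buf, sizeof buf, 30000);
        if (n == WAIT_TIMEOUT)
            continue;                       /* idle tick: do periodic work here */
        if (n == WAIT_EOF || n == WAIT_ERROR)
            break;
        fwrite(buf, 1, (size_t)n, stdout);  /* handle the input */
    }
    return 0;
}
```

The same structure extends to several descriptors by passing an array of struct pollfd; kqueue(2) or libevent replace poll() where the number of descriptors is large.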

Server-side software is our speciality, so don't hesitate to contact our technical support department if you need assistance.

IRC Bots

IRC bots such as eggdrop are not allowed on the main server arrays. However, we do have servers that are available for this purpose at no extra cost. If you would like to use a bot, please send a request to our technical support department and we will provide you with shell access on such a server.

Web-based IRC Interfaces

We allow web-based IRC clients such as CGI:IRC under our IP-based packages (Budget and up), but the list of allowed channels must be restricted. The user must not be permitted to join arbitrary channels. Your script must also bind to your own v-host IP address. In CGI:IRC, we would therefore require the following settings in cgiirc.config:

vhost = your-vhost-ip
allow_non_default = 0

Proxy Servers

Users are not allowed to run any type of server-side daemon which forwards connections to arbitrary remote hosts, without explicit approval from us. We are constantly monitoring connections made from our servers to remote locations, and this allows us to detect proxy activity very quickly. We will immediately suspend accounts which are found to run proxy software without our permission.

Unsolicited Mail

We have very quick and efficient methods of detecting spam originating from accounts on our servers. Our policy is to immediately suspend accounts responsible for spamming, unless the spam is the result of a security breach in some user application (for example, a third-party PHP script) and we can easily disable the specific application and contact the owner about it.

Denial-Of-Service, Security Vulnerability Exploitation

It is needless to mention the following, but the execution of Denial-of-Service type attacks on the servers will always result in immediate account suspension and possible termination.

Network scanners such as nmap, scanners for security vulnerabilities or exploits are proscribed on all of our servers, regardless of whether their intended purpose was legal or not. If you want to use our servers to perform very specific security audits against your own equipment, please contact us about it first.
