Archive for the ‘Server Administration’ Category

100% uptime

Monday, September 8th, 2008

It's a pretty common question in hosting, whether it be shared, reseller, VPS or dedicated hosting: is 100% uptime possible? Why do all hosts offer 99.8% or 99.99% uptime and not 100%? In this blog I will discuss this, and give some suggestions on how it is possible.

Is 100% uptime Possible?

Well, the simple answer is no, and that is what most people will say. I mean, at the end of the day, how can you offer 100% uptime if your upstream providers (datacenters, network providers, hardware etc.) cannot offer a 100% uptime guarantee? Then of course there is the fact that servers should be rebooted every now and then when there are important updates. So the question should be: is 100% uptime possible when you don't include scheduled downtime?

Well, let's take a look at the numbers:

Uptime %    Downtime per Month    Downtime per Year
100         0                     0
99.99       4.32 mins             52.56 mins
99.9        43.2 mins             525.6 mins
99.8        86.4 mins             1051.2 mins

OK, so at first look 43.2 mins downtime (the average that datacenters offer) is a lot, but when you look at it in a yearly perspective it seems much better. But anyway, that's diverting from the main topic; I meant to show these numbers just to give an idea of what you are dealing with in terms of guarantees.

What can you do to maximise uptime?

There are quite a few things that you can do to stop downtime and to make sure that you offer the best uptime possible. I am going to split this into two: there are some very easy things you can do that are mainly common sense and won't cost you anything (but time), and then there are the more costly options that will squeeze out that last few percent so you can truly achieve 100% uptime.

So let's start with the easier and cheaper method:

  • Monitoring – This is probably the easiest way to minimise your downtime. Monitor your servers so that if they go down you can get to them quickly and fix them. This can save hours of downtime.
  • Checking Logs – It may sound very time consuming, but once you get an eye for it you can scan the needed logs (messages, httpd error etc.) quickly and look out for certain lines which warn you about certain things.
    A simple command like grep fail /var/log/messages
  • Constant Security – Securing your server properly can help keep your server up. I shouldn't need to state why. This security includes updates to software on the server and to site software (e.g. blog software).
  • Optimization – Make sure your server is running as well as possible. Doing this will make sure that any small spikes in traffic will not harm you.
  • Monitoring Load – Make sure you log in during peak time to check the load, memory and general performance of the server. Do not overfill the server, and take heed when you may need to upgrade.

Okay, so that was the cheap and easy option. It's pretty simple really, and it is generally a good idea to do all the above just to keep your server running well.

So now onto the more expensive solutions for the people who require that extra 0.0001%. I would not recommend this unless every minute of downtime costs you, as these options are by no means cheap and are not easy to do.

I want to keep away from a bullet pointed list on this, as there is no “set” list of things you do to keep the server up 100% of the time. It can range from small things like installing a more efficient web server such as lighttpd to creating a dedicated database server. This really should be customized on a site-to-site basis: you need to analyse where the server weaknesses are and fix them. That is the basic way of doing it.

However, if you want 100% uptime guaranteed, well, that's the interesting bit, isn't it? You then need to account for all the different types of downtime, including network downtime. For this sort of solution you are looking at geoloadbalancing, that is, servers that are based in multiple locations around the world. To make this option viable you are looking at having to spend a lot of money, and having to custom code syncing solutions so that the website and databases are as up to date as possible. As for the geoloadbalancing, there are multiple ways of doing it, and the best is getting a “portable” IP which allows you to “move” it between locations. That's pretty complicated and they are hard to get, so the other way is round-robin DNS. I will let you google that, and maybe I will explain it later in a blog… but right now I think I have blogged too much and you're probably falling asleep. So yeah, if you have any questions go ahead and ask :D

Server Hardware & What to choose

Monday, August 11th, 2008

Well here I was thinking about the topic I should blog about. I was so desperate for a topic I even asked a few clients and thankfully Moris gave me an idea. He wanted me to write an article for AMD vs Intel, however in my opinion that is hardware related and is something more related to a hardware website. Not to mention the fact that I don’t actually think I would be able to write that much on that topic…. Well anyway it got me thinking about hardware and that is how I got to this topic.

We get a lot of requests each week asking for advice on server hardware and what the server hardware should be. So that is the topic of this article and I hope that you find it useful.

Main Considerations

When thinking about a new server, the main thing that you should be thinking about is the type of site you run and what resources it uses the most of. That is, whether it's database intensive, has a lot of visitors, or it's a shared host.

CPU

In this part of this blog I could go into the differences between AMD and Intel; however, I will try to keep away from that argument and just give you what I personally think and what many people in the industry think. That is that Intel currently have the edge over AMD on higher end processors, and because of this in most cases I recommend that you go for an Intel processor. Now the question is what clock speed and how many cores should it have? Well, that deeply depends on the type of task you want it to complete. For a VPS you will want more cores and processors as you will be sharing these out, and for a shared hosting site you will want a reasonable amount. You should concentrate on clock speed if you are planning to have a large number of processes, which is common on application servers or on some database servers.

It is obviously hard to give you an exact guide on which CPU you need however hopefully I can give you a few things to think about. If you have any questions or want some help with exact specifications please feel free to drop sales an email for a free consult.

As a quick summary below are the rough specifications that you will need for certain types of servers:
Shared/Reseller Hosting: Single/Dual Woodcrest 2GHz
VPS Hosting: Dual Clovertown/Harpertown
Database: Single Clovertown

RAM

RAM is always an interesting issue, as how much you need depends on the server configuration and the type of sites/applications running on the server. So this is one thing that you will need to keep an eye on; however, in this day and age 2GB RAM is the minimum I would advise for a server. You need to keep checking on your free memory and make sure you have at least a couple of hundred MB of memory free.

I will again write a semi-summary of what I believe is needed:
Shared/Reseller Hosting: 4GB minimum
VPS Hosting: 8GB minimum
Database Hosting: 4GB minimum

Hard drive

Now this is the interesting part and there are so many possibilities. In most cases you will be fine with a normal 7500rpm hard drive, however if you are expecting to do a lot of reads then a faster hard drive may be better.

In general for database servers you will want a much faster hard drive, normally I would advise the SA-SCSI hard drives for database servers. This will offer much better performance and will speed up the server more than a faster CPU and RAM will do.

Then you come on to RAID and all the different types. I just thought I would give a quick summary of the main types of RAID and what they do.

Raid 0 – This is a striped disk array and will provide an I/O improvement. It requires at least 2 drives and the result is that the hard drives appear to be joined. We recommend this for gaming servers and high volume websites.

Raid 1 – This is a mirroring array and provides high performance, as it's able to perform 2 separate reads or writes per mirrored pair. This is a full redundancy array and we would recommend it for any website that requires on the fly backup. However, I would not suggest that you use this as your only backup.

Raid 5 – This requires a minimum of 3 drives. A Raid 5 array offers highest data transaction Read rate, medium data transaction Write rate and good cumulative transfer rate. I would recommend this for high volume MySQL based sites.

Raid 10 – Raid 10 includes high Reliability and performance embedded in a single RAID controller. The minimum requirement to form a RAID level 10 controller is 4 data disks. This solution is good for all sites, as the increased reliability

Picking a server can be a daunting task for anyone and I hope this guide has made it easier for you. I wish I could give a personalized guide to you but I believe that I have given a rough guide that should cover most bases. Feel free to ask any questions that you come up with and hope you enjoyed the blog :D

Security, Security, Security

Sunday, March 2nd, 2008

With the growth of the internet also came the growth of hacking. It has increased so much that, according to Zone-H, there are over 2,500 recorded hacks each day. Some people may be surprised by this figure, others won't be. In my opinion that is not the surprising fact; the shocking fact is that the number of reported hacks is growing by 40% each year! Are the hackers getting smarter?

Generally the hackers will get in due to one of three reasons:

  1. Out of date scripts – Everything from kernels to Apache has updates, and a lot of these updates are to fix security bugs. So if you are running out of date scripts with known security holes, a lot of hackers will take advantage of these holes and gain root access to your server.
  2. Insecure Scripts – Most of the hack attempts that we have to deal with at Seeksadmin are due to insecure scripts such as phpBB, vBulletin or many other common scripts. If these are not kept up to date they are very dangerous, allowing a hacker to gain root access.
  3. Insecure Passwords – Not much explanation is needed: if you have a short or weak password it is easier to guess and it can easily be brute forced.

So what can you do? Well, keep everything up to date, and use a decent password. It won't ensure that you are 100% secure; however, it will go a long way to stopping you being hacked.

At the moment Seeksadmin is concentrating on security and we are trying to raise awareness of security and how to keep your system secure. In accordance with this we are offering a FREE remote scan and a $5 local scan. After these scans you will receive a list of the security holes in your system and we will recommend a few things you can do to help secure your system. We also have free security consultation, so if you have any questions please contact us at sales[@]seeksadmin[dot]com

Basic SSH Security

Thursday, June 28th, 2007

There are a few ways to sort server security, but one of the major ways to harden your server is to secure SSH. On a default machine you log in as root directly, on the default port. This means you are susceptible to brute force and all other sorts of attacks. What I am going to write is a short and simple guide on how to secure your SSH and what this does. You don't have to do all of these, although I would deeply recommend doing the steps below.

1. Changing SSH Protocol

I guess a good place to start would be the differences between the two SSH protocols (1 and 2), as not many people know this. You don't need to know, but I think that you should know the reasons you are doing this. I will try to cut the crap out of it and keep it simple. Basically SSH2 uses separate protocols for transport, authentication and connections, splitting all your data up and making it just that little bit more secure. It also has stronger cryptographic integrity checks and better encryption. Basically what I am trying to say (but in tech talk) is that this is one change you should always make. Now let's get on to making the change.

Step 1) Use nano, pico or vi (your favourite text editor) to open up /etc/ssh/sshd_config for editing

Step 2) Find the Line #Protocol 2,1

Step 3) Uncomment the line and change it to

Protocol 2

2. Changing the SSH port

This is what we like to call security by obscurity: it is one extra thing the hacker has to guess before he can get in, although practically a port scan would be able to find the port. However, I have found that changing the port does stop a lot of brute force attacks from occurring.

NOTE: Make sure you add the port you want to use to the firewall AND/or add yourself to the allow list, so you can connect to the port and don't lock yourself out.

Step 1) Again open up /etc/ssh/sshd_config with your favourite editor

Step 2) Find the line #Port 22

Step 3) Uncomment the line and replace with the following (where port 2777 is a random, unused port)

Port 2777

NB: To find out if the port is being used, use the command lsof -i:portnumber, e.g. lsof -i:2777

3. Disable Direct Root Login

Unlike the other steps, this requires a bit more than editing the config file, but it's not hard so don't worry about it. Again this is a little bit of security by obscurity, adding an extra layer the hacker/cracker has to get through if he wants access to your machine, making it that bit harder.

A lot of other guides you will see will tell you to add a cPanel account etc., but let's just make it easier, shall we.

Step 1) Type the following in SSH replacing username with a random username eg sekadmin

adduser sekadmin

Step 2) Now lets give sekadmin a password

passwd sekadmin

You will now be given a password prompt twice. Make sure the password is not a dictionary word; I would recommend looking at my password article for the best password.

Step 3) Now we need to give sekadmin the correct privileges so he can su - to root.

Step 4) Open up /etc/group with your favourite text editor. Find the line that starts with “wheel” and add your username on at the end of the line. Then save and close the file.

Step 5) Now you will need to test that the login works, so create a NEW ssh session and try to connect using the username that you just created. Once logged in, type “su -” and then the root password to see if that works. If it works, everything went OK and you can continue on to the next step.

Step 6) Once again open up our favourite file /etc/ssh/sshd_config in your text editor

Step 7) Find the line #PermitRootLogin yes, uncomment it and change it to no.

Other Methods

There are also some other methods that you can use. One of the other methods I like to use is binding SSH to an IP. If you do this, the best thing to do is use a spare IP that is not being used by a website. This will offer the most security.

Another great thing to do is to disable password logins totally and use an ssh key. I will not write anything about that here, because it can be a blog post on its own for a rainy day ;)

AFTER all changes

Just before I forget, to make all your changes take effect you will have to restart ssh

service sshd restart
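
To check the result of sections 1 to 3 before restarting, here is an added example (not part of the original post) that reads an sshd_config and reports which of the three settings are still at their stock values. The function names and the sample configs are made up for illustration; on current OpenSSH releases, which no longer support protocol 1, the Protocol finding can be ignored.

```sh
# Added example (not from the original post): audit an sshd_config for the
# three settings in sections 1 to 3. The sample configs below are constructed.

# global_values FILE KEYWORD: print every value KEYWORD has outside Match
# blocks. Keywords are case-insensitive and lines starting with "#" are
# comments, so the stock "#Protocol 2,1" line sets nothing.
global_values() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            sub(/[ \t]*=[ \t]*/, " ")      # accept the "Keyword=value" form
            key = tolower($1)
            if (key == "match") exit       # the rest of the file is conditional
            if (key == want) { $1 = ""; sub(/^[ \t]+/, ""); print }
        }' "$1"
}

# audit_sshd_config FILE: print findings, return 1 if there are any.
audit_sshd_config() {
    a_rc=0
    # sshd keeps the first value it reads for a keyword, so a corrected line
    # appended below an older one has no effect.
    a_proto=$(global_values "$1" Protocol | head -n 1)
    a_root=$(global_values "$1" PermitRootLogin | head -n 1)
    a_ports=$(global_values "$1" Port | tr '\n' ' ')   # Port may be repeated

    # Section 1: only "Protocol 2" rules out protocol 1 where it still exists.
    if [ "$a_proto" != "2" ]; then
        echo "FAIL Protocol: '${a_proto:-unset}' (want 2)"; a_rc=1
    fi
    # Section 2: no Port line means 22, and any listed 22 keeps it open.
    case " ${a_ports:-22 }" in
        *" 22 "*) echo "FAIL Port: sshd still listens on 22"; a_rc=1 ;;
    esac
    # Section 3: the guide wants "no"; every other value allows some root login.
    if [ "$a_root" != "no" ]; then
        echo "FAIL PermitRootLogin: '${a_root:-unset}' (want no)"; a_rc=1
    fi
    [ "$a_rc" -eq 0 ] && echo "OK: matches the guide"
    return "$a_rc"
}

# Constructed samples: the stock file as the post describes it, a file edited
# as in the guide, and one where "no" was appended below an older "yes".
demo_dir=$(mktemp -d)
cat > "$demo_dir/stock" <<'EOF'
#Port 22
#Protocol 2,1
#PermitRootLogin yes
EOF
cat > "$demo_dir/hardened" <<'EOF'
Port 2777
Protocol 2
PermitRootLogin no
EOF
cat > "$demo_dir/appended" <<'EOF'
Port 2777
Protocol 2
PermitRootLogin yes
permitrootlogin no
EOF
for f in stock hardened appended; do
    echo "== $f"; audit_sshd_config "$demo_dir/$f" || true
done
```

Running sshd -t before the restart also checks the edited file for syntax errors, which helps avoid locking yourself out with a broken config.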

Passwords

Tuesday, January 30th, 2007

A common problem for many people is remembering their passwords and at the same time making them cryptic enough. I thought I would share my password “remembering” techniques with you, which will help you keep things secure. There are three main methods you can use and I will describe them below.

Rhythm/Pattern

Now it may sound weird to have rhythm in your password, but when you think about it, it isn't too strange. It is all about memory, and you are more likely to remember a password when it has some rhythm to it. For example, remembering a password such as

sardines0012a

is not going to be easy. (At least I don't think so.) Whereas if you have a password with rhythm/a pattern

sand00handx

it's much easier to remember.

Words

Another method that can also be very easy to use is to remember a word and then add your birth date on the end. An example of this is

Seeksadmin1980

This is very effective and very easy to remember as it's 2 very memorable facts. It is also pretty hard to guess unless you know what word I had used and what number (it doesn't have to be a birth date, it could be the date you ordered the server).

Pattern

Now this is my favourite and preferred method. This is also different to the pattern/rhythm method I described above. So what is it about? Well, that's pretty simple: you make a pattern on your keyboard. Here is an example

!"£$%67890

If you are very clever you will have noticed that this is holding the shift key, pressing 1 to 5, and then letting go of shift and pressing the rest of the numbers. It is very easy to remember as it's just a pattern on the keyboard. It does not really require you to remember each number/letter, just the pattern. The last example I'll give is

zaqwsx.;[]'/

Which is z -> q, w -> x, . -> [, ] -> /. This type of password is pretty much impossible to guess, and yet in my opinion is one of the easiest to remember.

Other Tips

Vary the methods you use for remembering your passwords and of course vary the passwords you use. Whether it's something simple such as changing 1 digit for each server or adding the server name on the end of the password, it is important that the servers have different passwords. If you have a secure password, this is one less way a hacker can gain access to your system.

Simple Server Security

Tuesday, December 26th, 2006

I am sure many of you will be thinking that it is our job to secure your servers, and you are right, but much of this you need to know and it will do no harm for you to know it. So if you don't feel like you can do anything here, just open a ticket and we will do it for you. Everything here is pretty simple, and this will be good for anyone who wants to learn and be slightly more independent.

This guide is mainly for WHM and cPanel, as things are made much easier with cPanel and WHM; however, we can do them even if you don't have it.

1. Shell Limits

You should enable shell resource limits to prevent users from consuming all the server resources. DDOS exploits typically do this. A quick way to set this, for people using WHM, is to go to Shell Fork Bomb Protection in the root WHM login.

2. Background Process Killer (People using WHM)

In WHM enable each item in WHM -> Background Process Killer, to remove any IRCs or other malicious bots

3. Apache

In Apache RLimitCPU and RLimitMEM should be set to stop any spammers or DDOSers using all the processes on your server. You can do this in WHM in the Modify Apache Memory Usage page.

You should also make sure that mod_userdir is disabled apart from one main domain, or just make sure it's disabled totally, otherwise hackers may use it to try and hide their activities.

You should also enable SUEXEC to reduce the risk of hackers accessing all your sites if the server is compromised.

4. PHP

In the php.ini (you can find the location via a php info file) you should change enable_dl to Off. This prevents users from loading php modules that affect everyone on the server. Note: If you use dynamic libs like ioncube you will have to load them directly from the php.ini

You should also change the disable functions to
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
Some webscripts break with these so you may have to remove a few, but these scripts are dangerous

You need to make sure PHP open_basedir is enabled. In WHM you can do this via WHM -> Tweak Security -> php open_basedir tweak. This prevents PHP scripts from straying outside of their account.

PHPSuExec can reduce the risk of hackers accessing all the sites on the server via a compromised PHP web script. There are some side effects of this, but this is a much safer method. If your server is full I would not recommend it, but on brand new servers this is the best thing to do as it's safer.
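
A check for the enable_dl and disable_functions settings above, as an added example that is not part of the original post. The function names and both sample files are made up for illustration, and it assumes a plain php.ini without ";" inside quoted values.

```sh
# Added example (not from the original post): check a php.ini against the
# enable_dl and disable_functions settings above. Sample files are constructed.

# ini_value FILE KEY: print the value PHP would use for KEY. Lines starting
# with ";" are comments; when a key is set twice the later line wins.
ini_value() {
    awk -v want="$2" '
        function trim(s) { sub(/^[ \t"]+/, "", s); sub(/[ \t"\r]+$/, "", s); return s }
        /^[ \t]*;/ || /^[ \t]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next                  # section header such as [PHP]
            val = substr($0, eq + 1)
            sub(/[ \t]*;.*$/, "", val)         # drop a trailing comment
            if (trim(substr($0, 1, eq - 1)) == want) last = trim(val)
        }
        END { print last }' "$1"
}

# The functions the post lists for disable_functions.
WANTED="show_source system shell_exec passthru exec phpinfo popen proc_open"

# still_enabled FILE: print the listed functions FILE leaves callable. Whole
# names are compared, so "shell_exec" in the list does not cover "exec".
still_enabled() {
    se_list=",$(ini_value "$1" disable_functions | tr -d ' \t'),"
    for se_fn in $WANTED; do
        case "$se_list" in
            *",$se_fn,"*) ;;
            *) printf '%s\n' "$se_fn" ;;
        esac
    done
}

# dl_enabled FILE: succeed if dl() is still allowed (unset counts as allowed).
dl_enabled() {
    case "$(ini_value "$1" enable_dl | tr '[:upper:]' '[:lower:]')" in
        off|0|false|no|none) return 1 ;;
        *) return 0 ;;
    esac
}

# audit_php_ini FILE: print findings, return 1 if there are any.
audit_php_ini() {
    ap_rc=0; ap_missing=$(still_enabled "$1" | tr '\n' ' ')
    if dl_enabled "$1"; then echo "FAIL enable_dl is not Off"; ap_rc=1; fi
    [ -z "$ap_missing" ] || { echo "FAIL still callable: $ap_missing"; ap_rc=1; }
    return "$ap_rc"
}

# Constructed samples: a partly edited file and one that follows the post.
php_dir=$(mktemp -d)
cat > "$php_dir/partial.ini" <<'EOF'
[PHP]
; enable_dl = Off
disable_functions = shell_exec, passthru
disable_functions = "show_source,system,shell_exec,passthru,phpinfo,popen,proc_open"
EOF
cat > "$php_dir/hardened.ini" <<'EOF'
enable_dl = Off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
EOF
for f in partial hardened; do audit_php_ini "$php_dir/$f.ini" || true; done
```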

5. Control Panel

Make sure your control panel is updated to the latest stable version regularly.

Make sure that SSL login is forced, i.e. the secure ports. In WHM you can do this via WHM -> Tweak Settings -> Always Redirect users to the ssl/tls ports when visiting /cpanel, /webmail etc

Make sure boxtrapper is DISABLED. The reason for this is that if it's enabled you can easily be listed in an RBL, and it usually has the effect of increasing overall spam load, not reducing it.

Make sure you have some sort of limit on emails sent per hour.

Make sure users CAN NOT reset passwords via email