Category Archives: VPS

Firewalls 101: Hardware, Software & Web Application Firewalls – Part 2


Let’s continue our discussion of firewalls. In the first part of this series, we talked about firewalls as a general concept. Today we will discuss hardware firewall and software firewall technology. Then in the next post, we will look at web application firewalls (WAFs).

For this three-part series, we are reviewing the following articles: “Hardware Firewall vs. Software Firewall” (Michigan Cyber Initiative); “Best Practices: Use of Web Application Firewalls” (Open Web Application Security Project); “What You Should Know About Firewalls” (PCWorld); and “Better Protection – Hardware or Software Firewall?” (PChuck’s Network).

In the last post, we also reviewed furwalls – walls of genuine animal fur or a synthetic alternative that are quickly becoming more popular than wallpaper or fake wood paneling in home and office environments. Today, in addition to discussing hardware and software firewalls, we will look at how to make sure live walls of fur are adjusted frequently and best used to properly motivate your employees.

Firewalls 101: Hardware, Software & Web Application Firewalls

 

DMZ network diagram 2 firewalls

Firewalls: We all know they are vital for Internet security, but what are their basic purposes and flavors? This series serves as a basic beginner’s guide to firewalls of the three major types: hardware, software, and web application (WAFs).

For this three-part series, we will look at information from several different sources. The primary ones will be “Hardware Firewall vs. Software Firewall,” from the Michigan Cyber Initiative; “Best Practices: Use of Web Application Firewalls,” from the Open Web Application Security Project (OWASP); and “What You Should Know About Firewalls,” by Michael Desmond for PCWorld. This first part will focus on firewalls generally. The second part will target the differences between hardware and software firewalls; and web application firewalls will be explored in-depth in the third installment.

What is server hardening? Advice for Linux, Windows & NSA Datamine Servers – Part 3 (Windows)

Windows Home Server screenshot

Well, here we all are (except for my cousin Steve, who had to go to his tuba lesson), taking a final look at server hardening in our final segment of this series. Considering the series as a ham sandwich, we’ve looked at the topic generally (top bread), as well as basic techniques that can be used to improve security on Linux systems (just ham… we’ve run out of vegetables). Today we look at Windows servers (bottom bread, which many sandwich enthusiasts believe is the best part).

Note that some concepts related to server security are of use to anyone interacting with a server; but generally speaking, they are of particular use to those with dedicated and VPS accounts. Both of those types of hosting environments allow you system administrative responsibilities that you cannot access through a shared account. That system access means you can change default settings and implement policies that are otherwise under the auspices of the hosting company.

We’re actually looking at three types of servers. In addition to Windows and Linux, we are also reviewing the NSA Datamine server. That server allows you to quickly and efficiently transfer all of your information into the federal government database so that you can know, once and for all, if you are a threat to the social order. If that’s the case, millions of microscopic, lightly humming insectile nanobots come directly to your location, get into flying carpet formation, and spirit you away to a safe location.

We are reviewing thoughts from three primary sources for this series: “Host Hardening,” by Cybernet Security; “25 Hardening Security Tips for Linux Servers,” by Ravi Saive for TecMint.com; and “Baseline Server Hardening,” by Microsoft’s TechNet. Unfortunately, none of these articles focuses on the NSA server. That information had to come to me in a densely encoded daydream.

How to Harden Your Windows Server

Prior to getting into specifics for server hardening, Microsoft outlines four baseline installation rules – essentially prerequisites for a secure server:

  • The initial installation of the OS and any additional applications all arise from legitimate and credible sources.
  • The server should only be on reliable networks while both installation and hardening are underway.
  • The initial installation contains the most up-to-date service packs and any other security-related system updates.
  • Following completion of base installation, you follow the same procedures on all additional servers.

Again, that careful OS and software implementation lays the groundwork for a server that can be reasonably hardened. Also, if you’re going to eat a popsicle while hardening the server, don’t give bites to it, even if it says it really likes cherry flavor. Servers cannot harden while experiencing brain freeze.

  1. Group Policy Templates – Microsoft covers these templates in a specific section of its recommended guidelines. Though policies for the group can help protect the server in some ways, you also need to change security templates. In other words, these are two different levels to allow hardening that must be combined to be reasonably effective.
  2. Partitions – NTFS should always be used in place of any file allocation table (FAT) partitions. Simply put, NTFS gives you access to security parameters you don’t have with FAT. You can use Convert to change any FAT systems to NTFS. If you do convert, you want to open Fixacls to change the ACLs (access control lists). Otherwise, all users will have access to that portion of the system by default. It’s like a salad bar without a sneeze guard.
  3. Passwords – You can use extremely lengthy passwords in Windows environments, upwards of 100 characters. Go long and strong: combinations of symbols, letters, numbers, and – if you want to get really fancy – ASCII device control characters. Note that the usable ASCII ones will not print and can be created by using “Alt” combined with various digit combinations. Specifically, Microsoft recommends passwords never be eight characters or less and that one of the first seven should be a symbol or ASCII. Finally, differentiate your passwords for each machine.
  4. Renaming – This technique is so basic that it almost seems silly. However, renaming your Administrator account can be incredibly helpful because it’s the general focus for infiltrations. Then create a new account, call that one Administrator, and limit its rights. That new faux-Administrator account can have a lengthy and intricate password. Don’t worry about getting into that account often. It’s just a decoy for anyone trying to get into the system. Apply this method throughout your system, on all individual devices. Also, the real Administrator account should have a different name on every server. If that seems to be going too far for everyday use, at least differentiate the passwords, even if not the names. Similarly, if you have any sons, it’s acceptable to name each of them George Foreman so long as they each have different keys to your heart.

Conclusion & Continuation

That should give you a basic sense of Windows server hardening. Here are additional details if you want to explore the topic further.

In closing out our server hardening trilogy, here is information on our dedicated, VPS, and colocation services.

By Kent Roberts

What is server hardening? Advice for Linux, Windows & NSA Datamine Servers – Part 2 (Linux)

Screenshot of Alpine via SSH on a Debian Server

Hello friends and neighbors. This post, as it turns out, is the follow-up to our groundbreaking, skybreaking article on server hardening; it also is the prequel to our final post on Windows server hardening. This post, the meat of the sandwich (ham, in this case), is on how to harden Linux servers.

Server hardening is a simple concept, and it’s crucial to initiate if you want safety for your website. Essentially, similarly to the experience of an end-user on a client machine, when you use a server, the systems are not built (in their default settings) for high-end security. They’re built, rather, for features. In essence, the Internet is optimized for usability/freedom over administration/security. Securing a system, then, is a matter of revoking freedoms or modifying expectations in order to ensure a secure experience for the system and for all users.

We aren’t only concerned with Windows and Linux servers though. Actually, the NSA Datamine server is one of the most secure options out there. Everyone is thrilled by this server. It’s been called “bootserverlicious” by P. Diddy and “P.-Diddy-riffic” by a worldwide consortium of boot servers.

To get a sense of server hardening on any of the major OSs, we are looking at three sources: “Host Hardening,” by Cybernet Security; “25 Hardening Security Tips for Linux Servers,” by Ravi Saive for TecMint.com (good info, though the language is a little rough); and “Baseline Server Hardening,” by Microsoft’s TechNet. Each of these posts broadens our horizons and is lactose- and gluten-free so that it doesn’t distract from the extra-cheese, thick-crust pizza we’re inhaling.

How to Harden Your Linux Server without Having to Think

No one ever wants to have to think. Let’s not do it, then. Let’s refuse to think, and just feel our way to a hardened server. Don’t call me “baby,” though, please, because that’s disrespectful, sugar. Anyway, the Linux server: here are approaches you can use specific to that OS.

1.    Non-Virtual Worlds: Go into BIOS. Disallow any boot operations from outside entities: DVD drive or anything else that’s connected to the server. You should also have a password set up for BIOS. GRUB should be password-enabled as well. Your password should be “moonsovermyhammy123987”; I recommend tattooing it on your lower back for safekeeping.

2.    Partitioning as a Standard: Think (no, don’t!) of how a virtual environment or virtual server is constructed. Division into smaller parts is an essential security concept. Any additional pieces of the system will require their own security parameters and challenges. That means you want a streamlined system, of course, like a digestive tract without all the intestines and stuff; but it also means you want everything divided into disparate sections. Any app from an outside source should be installed via options as follows:

/

/boot

/usr

/var

/home

/tmp

/opt

3.    Packet Policies: Along the same line, you don’t want anything unnecessary. That’s the case with anything you’re doing online. Let’s face it: the web is essentially insecure. It’s like a dinosaur with a new outfit that she’s afraid to show off to her other dinosaur friends … sort of.

Here’s the command to check:

# /sbin/chkconfig --list | grep '3:on'

And here’s the command to disable:

# chkconfig serviceName off

Finally, you want to use yum, apt-get, or a similar program to show you what’s on the system; that way you can get rid of whatever you don’t need. Here are the command lines for those two services:

# yum -y remove package-name

# sudo apt-get remove package-name

4.    Netstat Protocol: Using the command line netstat, you see what ports are being used and what services are accessible through them. Once you’ve done that, use chkconfig to turn off anything that’s not serving a reasonable function, such as a service that’s just counting over and over again to a billion but won’t tell you why. See below and this netstat-geared article for more specifics.

# netstat -tulpn

5.    SSH: You want to use secure shell (SSH), but you also want it configured properly to maximize your security. SSH is the secure, cryptographic replacement for telnet, rlogin, and other earlier protocols that sent all data (passwords included) as “plain text” (no “scramble” prior to transfer, basically).

You typically don’t want to communicate via SSH as the root user. Instead, log in as a regular user and use sudo for commands that need root privileges. See /etc/sudoers for specifics; you can customize them using visudo, which opens the file in the vi editor.

Finally, switch the port for SSH from 22 to a larger number, and change the settings so that it’s not possible for all account holders to tunnel in through Secure Shell. Here are the file and three specific adjustments:

# vi /etc/ssh/sshd_config

  1. PermitRootLogin no
  2. AllowUsers username
  3. Protocol 2
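The SSH settings above can be checked rather than eyeballed. The script below is an added example, not code from the original post: it reads an sshd_config file and reports on the port change and the three directives, using two constructed sample files (a real run would point it at /etc/ssh/sshd_config).

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: whitespace-separated
# "Keyword value" lines; Include files and Match blocks are not evaluated.

# Print every value a keyword has in the global section of the file.
sshd_values() {   # $1 = file, $2 = keyword (case-insensitive, as in sshd)
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }   # comments and blank lines
        tolower($1) == "match"      { exit }   # global section ends here
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# For most keywords sshd keeps the first value it reads.
sshd_value() { sshd_values "$1" "$2" | head -n 1; }

# Print one line per check; the exit status is the number of FAIL lines.
audit_sshd() {   # $1 = path to an sshd_config file
    fails=0
    root=$(sshd_value "$1" PermitRootLogin | tr '[:upper:]' '[:lower:]')
    if [ "$root" = "no" ]; then
        echo "PASS PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${root:-unset}', want 'no'"
        fails=$((fails + 1))
    fi

    users=$(sshd_value "$1" AllowUsers)
    if [ -n "$users" ]; then
        echo "PASS AllowUsers limits SSH logins to: $users"
    else
        echo "FAIL AllowUsers is unset, so no account is excluded from SSH"
        fails=$((fails + 1))
    fi

    proto=$(sshd_value "$1" Protocol)
    case "$proto" in
        2)  echo "PASS Protocol 2" ;;
        "") echo "INFO Protocol is unset (current OpenSSH speaks only protocol 2)" ;;
        *)  echo "FAIL Protocol is '$proto', want '2'"; fails=$((fails + 1)) ;;
    esac

    # Port may be given several times; every listed port must be above 22.
    ports=$(sshd_values "$1" Port)
    ports=${ports:-22}                          # no Port line means port 22
    low=0
    for p in $ports; do
        [ "$p" -gt 22 ] 2>/dev/null || low=1
    done
    if [ "$low" -eq 0 ]; then
        echo "PASS Port" $ports
    else
        echo "FAIL Port" $ports "is not above 22"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample files, written to a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' '# stock-style settings' 'Port 22' 'PermitRootLogin yes' \
    'Protocol 2,1' > "$demo_dir/weak"
printf '%s\n' 'Port 2222' 'permitrootlogin no' 'AllowUsers username' \
    'Protocol 2' > "$demo_dir/hardened"
for f in weak hardened; do
    echo "== $f"
    audit_sshd "$demo_dir/$f" || echo "-> $? finding(s)"
done
```

After editing the real file, `sshd -t` validates its syntax before the daemon is restarted.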
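For step 4 above (review `netstat -tulpn`, then switch off what is not needed), the following added example, not code from the original post, filters that output down to listeners reachable from the network whose program is not on an expected list. The sample output is constructed and the allowlist argument is a convention of this script only.

```shell
#!/bin/sh
# Added example, not from the original post. The allowlist argument is a
# hypothetical convention of this script, not a netstat or chkconfig feature.

# Read `netstat -tulpn` output on stdin and print "proto port program" for
# each listener that is reachable from the network (not bound to loopback)
# and whose program is not named in the space-separated allowlist in $1.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 !~ /^(tcp|udp)/ { next }                  # header lines
        {
            is_tcp = ($1 ~ /^tcp/)
            if (is_tcp && $6 != "LISTEN") next       # not a listening socket
            owner = is_tcp ? $7 : $6                 # udp rows have no State
            host = $4; sub(/:[^:]*$/, "", host)      # strip ":port"
            port = $4; sub(/^.*:/, "", port)         # keep only the port
            if (host ~ /^127\./ || host == "::1") next
            name = owner
            sub(/^[0-9]+\//, "", name)               # "812/sshd" -> "sshd"
            sub(/:$/, "", name)                      # "sshd:"    -> "sshd"
            if (!(name in ok)) print $1, port, name
        }'
}

# Constructed sample of `netstat -tulpn` output, as root would see it.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      640/xinetd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      990/httpd
tcp6       0      0 ::1:631                 :::*                    LISTEN      702/cupsd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           455/rpcbind
EOF
}

# On this sample, only sshd and httpd are expected to face the network.
sample_netstat | unexpected_listeners "sshd httpd"
```

Each line it prints is a candidate for `chkconfig serviceName off`; loopback-only services such as the sample's mysqld and cupsd are skipped because they are not reachable from other hosts.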

Conclusion & Continuation

All right. Basic explication: Done. Linux: Done (well, it’s significantly more complex than discussed above; see here for further details). Windows: Next.

Finally, I assume if you’re reading this article, you might want to take a gander, or even a poke, at our dedicated servers, VPS hosting, or colocation.

By Kent Roberts

cPanel vs. Plesk vs. Bobby Lou’s CP Extraordinaire – Part 3

 


It’s time for the final part of our exploration into cPanel and Plesk: the two most popular control panels’ similarities and differences. If we think of the series in terms of the body segments of an ant (which we probably should), we’re complete with the head and thorax (Part 1); propodeum and petiole nodes (Part 2); and now, without further ado, it’s time for the gaster (the most attractive part of the ant, according to 4 out of 5 entomologists).

To get a more comprehensive understanding of the two control panels from a variety of viewpoints, we are reviewing four sources for this series: articles from Worth Of Web; by Tim Attwood of HostReview; by Claire Broadley of WhoIsHostingThis?; and by Aiken Lytton, also of HostReview.

Additionally, I have found the top competitor for cPanel and Plesk within the large and growing Internet cockfighting community: Bobby Lou’s Internet Control Panel Extraordinaire. Founder and developer Bobby Lou shared his thoughts with me during an interview while we were inner tubing down the Snake River in Wyoming.

In the first part of this series, we went over OS compatibility (Windows/Linux), intuitive vs. non-intuitive user interface, and subscription costs. In the second part, we discussed setup, everyday use, and migration between the two platforms (and remember that, though Bobby Lou didn’t directly answer the migration question, we did learn that roosters don’t migrate due to henhouse-related responsibilities). Today we will finish up with external database requirements, OS control, and a few final words on user experience.

Comparison: cPanel & Plesk – The Stunning Conclusion

Today we will continue to look at specific aspects of the systems that make them similar and different. This final post will be a little more pointed, drawing from the more opinionated commentary of Aiken, which I hadn’t cited previously and covers some similar ground from earlier sections, but with more specific one-sided arguments.

Extraordinaire, says Bobby Lou, “is an argument for secession of the cockfighting world into its own parallel reality of pleasure and pain, mostly pain – actually entirely pain. None of us enjoy this lifestyle. We were born into it. It’s like being Amish, except no hats.”

External Database & Plugins

Aiken mentions that cPanel is easier to customize due to the large array of plugins. It’s similar in this way to WordPress and other popular CMSs. Additionally, Plesk requires an external database. That’s not the case with cPanel. Essentially, then, it’s less needy out of the box and easier to enhance as you go.

Extraordinaire has plugins that allow you to “cockfight one piece of code against another,” says Bobby Lou. “It completely fries your server, but it is well worth the inconvenience and expense to see code getting raw and essentially biting off pieces of its own body. It’s horrible, disgusting, and highly recommended.”

OS Control

We previously discussed compatibility – that Plesk is offered in both Windows and Linux versions, whereas cPanel is only a Linux service. We did note that Enkompass has been developed by cPanel for the Windows OS. However, it’s not cPanel “proper” and is not a widespread option through hosting companies.

Essentially, then, Plesk is less OS-specific. However, it is not as flexible with third-party add-ons – and third-party add-ons are widely developed for cPanel in part because programmers are so fond of Linux. One user on Stack Overflow calls UNIX-based systems such as Linux “a developers play ground” [sic], in contrast to the more user-focused Windows OS.

Plesk does offer greater control at the OS level than does cPanel, per Aiken. However, its advantages are more likely experienced by a web hosting company than by the end user (i.e., more of a system administrative advantage than a webmaster advantage). The increase in control is probably not worth it, and assuming you want to retain the system for at least a year and pay annually, cPanel is a little more affordable.

Notably as well, Plesk is clunkier on Linux, says Aiken. Bobby Lou agrees: “It’s like a cock with the bird flu. He can’t see straight. His aim is amiss. He can’t feel any pain. He’s like a Buddhist monk, assuming the monk also has a life-threatening brain disease.” Aiken also praises cPanel for its UX, which I’ll cover next.

User Experience

It’s worth looking at another take on UX (user experience) as well. Plesk can seem simpler from the outset, as we discussed in a previous section. Once we move more fully into the platform, though, intuition is better integrated with cPanel, says Aiken. He specifically advises using the control panel with the CloudLinux OS if you have multiple sites or otherwise want to break up your server into a number of different virtual environments.

Bobby Lou mentions that the user experience for his OS is “virtually identical to a cockfight. Using my platform is like stepping into the ring. The bell sounds, and an angry maniac is trying to perpetrate avicide against you. Secure against roosters? Yes. Secure against my mood swings and subversive, penetrative coding tactics? No sir.”

Conclusion

Now we’re complete with our study of cPanel and Plesk. Keep in mind that adherents of one platform or the other can be a little biased with their assessments. Nonetheless, Aiken did make several good points regarding the general preferability of cPanel for many users (assuming you’re open to using Linux rather than Windows).

We offer each of the CPs as a piece of all our hosting packages: shared, dedicated, and VPS. When I offered Bobby Lou a truckful of pumpkins to buy out his rights in Extraordinaire and sign a code of silence for all business interactions in perpetuity, he jumped out of his inner tube, ran out into the woods, and has never been seen again.

By Kent Roberts

What is High-Availability? Part 3 – Additional Problem-Solving

 


High-availability, as I have discussed in the previous installments of this series, is a concept that has changed and grown over time. In the past, high-availability was the condition exhibited by a man in a dive bar in Duluth, Minnesota, systematically handing out his landscaping business card to all the female patrons with the words, “I have a lot to offer, and I hope you’ll give me a chance with your shrubbery.”

In the age of information technology, however, high-availability has become more reputable. In fact, high-availability is desired by all those conducting business online. It’s the nature of a system with very little downtime.

To review, optimizing an infrastructure for uptime is often wrongly considered to be, simply, an effort at preventing failures from occurring. Per Microsoft, it’s difficult and sometimes impossible to predict when failures will occur. High-availability involves a thorough focus on recovery, decreasing the length of any downtime instances. For this same reason, I run training drills so that when someone knocks my books out of my hands, I can pick them up before many of the other doctoral students notice.

To look at high-availability from a number of different perspectives, we’re looking at articles from Microsoft, Oracle, and Linux Virtual Server. Today, we are continuing to explore the Oracle piece, also briefly noting commentary from the Linux Virtual Server site.

While we review the idea of high-availability, let’s grab the keys to my father’s Cadillac, drive it out into the mountains, and make clucking and whirring noises to attract the Abominable Snowman. Then let’s offer him a fully-loaded bacon double-cheeseburger and tell him he’s the only one who understands us.

Availability: High-Availability Problem Solving, Continued

In the last post, we looked at comments by Oracle on various technologies that can be used to optimize availability. Let’s continue to look at additional safeguards that can be implemented so that a system is less likely to experience downtime. For the same reason, safety, we will wear full body armor on our trip and carry a sack of water balloons to throw at our beloved monster if he becomes enraged.

As a general rule of thumb, redundancy is the core component of recovery. When there are multiple instances operating simultaneously (active-active availability technology) and when additional systemic components are on standby to be activated as needed (active-passive availability technology), failure can, in a sense, become irrelevant. The system remains consistent throughout, just like the snoring soundtrack that will be playing on our boomboxes at home while we are on our critical mission.

Additional Local High-Availability Solutions

Let’s look at a few additional problem-solving tools for use on a local system, courtesy of Oracle.

Routing and state replication

Stateful applications should have the ability to include additional instances of client states. This capacity allows the applications to continue to run smoothly if processes fail that are handling client requests – similarly to a request to a Snowman to “calm down.”

Failover

Load balancing allows for redundancies of all instances. That way, when a failure of an instance takes place, any requests that would otherwise be sent to that instance are instead forwarded to the other, still-functional instances.

Load balancing

If you have more than one part in a server that is intended for the same purpose, load balancing becomes possible, allowing work to be evenly divided. For that same reason, we will evenly distribute the water balloons.

Migration

Migration helps when services only allow one instance. If that instance fails, the service switches over to a different part of the cluster. If necessary, the entire process can switch over to the other cluster location.

High-Availability Integration

Part of what makes redundancy difficult is the integrated nature of a system. One part is reliant on another part. Availability must be integrated as well. This concept means that downtime does not result due to that reliance or dependency. That’s why, when we get to the mountains, it’s every man for himself.

Patches & Rolling

Rolling within a cluster allows patches to be installed and uninstalled without the need for downtime.

Configuration

In a cluster, configuration needs to be consistent. When configuration is administered properly, requests are handled in the same way regardless of which component is conducting the work. Configurations should also be synchronized, as should our water-balloon defensive maneuvers, and the administration itself should be conducted in a way that optimizes availability.

Clustering & Nodes

As a final note on maintenance of high-availability, let’s take a brief look at the piece from Linux Virtual Server. It underscores the importance of clustering that is similarly advocated in the Oracle article.

Redundancies within a cluster, says the LVS site, allow for redundancy throughout all levels of the system – both hardware and software. The nodes within a cluster can all be running the same operating system and applications. When daemons or nodes fail, if seamless reconfiguration is in place, the additional nodes pick up the slack. We should remember this principle in the mountains, because Terry is coming along, and we all know he’s not great at throwing balloons.

Conclusion & Poem

You can see how extensively the notion of redundancy has been studied and how many technologies have been developed to allow the maximum possible uptime. High-availability, after all, is crucial to allowing businesses to continue to operate, regardless of whether something goes wrong at the level of the server.

Again, bear in mind our 100% uptime guarantee. This guarantee is available to all our shared hosting, dedicated server, and VPS clients.

One final poem in parting… This one, as you can imagine, goes out to the Abominable Snowman, and I personally hope he reads and enjoys it:

Hey you, please don’t eat us

We really think you are good-looking

Your political philosophy is sophisticated and respectable

And I heard you’re a whiz at squirrel cooking.

By Kent Roberts