Tag Archives: Virtual Private Server

Xen vs. OpenVZ & Shoelaces vs. Velcro, Part 2

 

Xen Topology
Xen Topology (Photo credit: lindztrom)

At Superb Internet, we have virtual private servers (VPSs) as an alternative to dedicated or shared hosting. As you may be aware, the VPS solution lies between dedicated and shared. Essentially, it allows you a plot of server soil to call your own while not causing you to have to bear the upfront cost and maintenance expenses of an entire independent server.

In this article, we are looking at two potential platforms you can use to establish and run a VPS: Xen and OpenVZ. The comments of Scott Yang (HostingFu), VPS6.net (via HostingDiscussion.com), and Steven (The Linux Fix) all bolster our sense of the subject and provide a well-rounded picture. Note that our company works specifically with OpenVZ – and the reasoning for that is briefly provided at the conclusion of this three-part series.
Continue reading Xen vs. OpenVZ & Shoelaces vs. Velcro, Part 2

Xen vs. OpenVZ & Shoelaces vs. Velcro

OpenVZ

One of the types of hosting we offer is the virtualized private server, or VPS. This three-part series will look at how two different virtualization systems, OpenVZ and Xen, compare. Note that we use OpenVZ for a number of different reasons, which we will cover briefly in the conclusion to the series, but our general assessment will look at the two platforms from various angles.

We will draw primarily from discussion by Scott Yang of HostingFu, VPS6.net via HostingDiscussion.com, and Steven from The Linux Fix. Citing general advice sources will allow us to talk openly about the subject so you can determine what virtual environment makes the most sense for you.

Shoelaces and Velcro create a similar conundrum for business people, so I’ll also cover that debate. Shoelaces, as we all know, are a terrible idea. They are constantly coming untied. Tying your shoe involves making these two loops and twisting them around each other, whether they want to be twisted or not. It’s aggressive, forceful, and complicated – very similar to punk square dancing. Velcro, though, is seen by many key influencers as a more efficient and sophisticated way to tighten your shoes.
Continue reading Xen vs. OpenVZ & Shoelaces vs. Velcro

Choosing Colocation vs. Leasing Dedicated Servers

 

Amsterdam servercluster in its own rack

With many products and services, we have the choice to go between owning and renting. For some reason that is not true of paperclips or underwear; but it is true of houses, cars, and other large items. Servers are no exception. Because hosting can be expensive, there is a wide range of possibilities for website owners. These possibilities range from power and quality of equipment to financial relationships with equipment.

Two options for servers are colocating one or leasing one from a hosting company. The two options are more similar than they are different. In both cases, you have your own dedicated server. In both cases, you can take advantage of the datacenter expertise of the hosting service’s personnel and physical parameters (climate control, disaster recovery plans, etc.).

Deciding between these two options can be a little confusing, so let’s look at their differences to see what option might be best for you. We will look at three perspectives, from Webhostingfreaks.net, ITworld, and About Colocation. Keep in mind, a couple of these perspectives are very colocation-friendly. Colocation, though, is more complicated to set up and manage, simply because you are the owner of the equipment. You must pick out what to buy, and it is more of an investment.
Continue reading Choosing Colocation vs. Leasing Dedicated Servers

How to improve your ecommerce server security & love yourself

 

SSL

Server security is one of the first things we should consider when we get ready to go into online business, and it’s a factor of the market that should be regularly reviewed. PCI compliance is one thing, but it’s a little obtuse and complicated when we’re taking initial steps to “harden” (enhance the protections of) the server.

Also we must love ourselves. Sometimes everything looks bright and sunny. Sometimes, it looks blue (that’s not a happy color). Sometimes it looks dreary and gray. When we start seeing colors that make us want to cry, we must grab all of our stuffed animals, line them up in a row, and have them sing the Hallelujah Chorus to us (don’t worry, all stuffed animals know it by heart).

We’ll look at a number of different issues in this series: SSL, perimeter security such as firewalls, passwords, site backups, policies, authorizations, etc.. Our general overview will cover the first two parts, and then the final part will focus specifically on passwords – the simplest form of protection but also the simplest, in some ways, to penetrate.
Continue reading How to improve your ecommerce server security & love yourself

What is server hardening? Advice for Linux, Windows & NSA Datamine Servers – Part 2 (Linux)

English: Screenshot of Alpine via SSH on a Deb...
Screenshot of Alpine via SSH on a Debian Server

Hello friends and neighbors. This post, as it turns out, is the follow-up to our groundbreaking, skybreaking article on server hardening; it also is the prequel to our final post on Windows server hardening. This post, the meat of the sandwich (ham, in this case), is on how to harden Linux servers.

Server hardening is a simple concept, and it’s crucial to initiate if you want safety for your website. Essentially, simiarly to the experience of an end-user on a client machine, when you use a server, the systems are not built (their default settings) for high-end security. They’re built, rather, for features. In essence, the Internet is optimized for usability/freedom over administration/security. Securing a system, then, is a matter of revoking freedoms or modifying expectations in order to ensure a secure experience for the system and for all users.

We aren’t only concerned with Windows and Linux servers though. Actually, the NSA Datamine server is one of the most secure options out there. Everyone is thrilled by this server. It’s been called “bootserverlicious” by P. Diddy and “P.-Diddy-riffic” by a worldwide consortium of boot servers.

To get a sense of server hardening on any of the major OSs, we are looking at three sources: “Host Hardening,” by Cybernet Security; “25 Hardening Security Tips for Linux Servers,” by Ravi Saive for TecMint.com (good info, though the language is a little rough); and “Baseline Server Hardening,” by Microsoft’s TechNet. Each of these posts broadens our horizons and is lactose- and gluten-free so that it doesn’t distract from the extra-cheese, thick-crust pizza we’re inhaling.

How to Harden Your Linux Server without Having to Think

No one ever wants to have to think. Let’s not do it, then. Let’s refuse to think, and just feel our way to a hardened server. Don’t call me “baby,” though, please, because that’s disrespectful, sugar. Anyway, the Linux server: here are approaches you can use specific to that OS.

1.    Non-Virtual Worlds: Go into BIOS. Disallow any boot operations from outside entitites: DVD drive or anything else that’s connected to the server. You should also have a password set up for BIOS. GRUB should be password-enabled as well. Your password should be “moonsovermyhammy123987”; I recommend tattooing it on your lower back for safekeeping.

2.    Partitioning as a Standard: Think (no, don’t!) of how a virtual environment or virtual server is constructed. Division into smaller parts is an essential security concept. Any additional pieces of the system will require their own security parameters and challenges. That means you want a streamlined system, of course, like a digestive tract without all the intestines and stuff; but it also means you want everything divided into disparate sections. Any app from an outside source should be installed via options as follows:

/

/boot

/usr

/var

/home

/tmp

/opt

3.    Packet Policies: Along the same line, you don’t want anything unnecessary. That’s the case with anything you’re doing online. Let’s face it: the web is essentially insecure. It’s like a dinosaur with a new outfit that she’s afraid to show off to her other dinosaur friends … sort of.

Here’s the command to check:

# /sbin/chkconfig –list |grep ‘3:on’

And here’s the command to disable:

# chkconfig serviceName off

Finally, you want to use yum, apt-get, or a similar program to show you what’s on the system; that way you can get rid of whatever you don’t need. Here are the command lines for those two services:

# yum -y remove package-name

# sudo apt-get remove package-name

4.    Netstat Protocol: Using the command line netstat, you see what ports are being used and what services are accessible through them. Once you’ve done that, use chkconfig to turn off anything that’s not serving a reasonable function, such as a service that’s just counting over and over again to a billion but won’t tell you why. See below and this netstat-geared article for more specifics.

# netstat -tulpn

5.    SSH: You want to use secure shell (SSH), but you also want it configured properly to maximize your security. SSH is the secure, cryptographic replacement for telnet, rlogin, and other earlier protocols that sent all data (passwords included) as “plain text” (no “scramble” prior to transfer, basically).

You typically don’t want to communicate via SSH as the root user. Sudo allows you to use SSH. See /etc/sudoers for specifics; you can customize them using visudo, available via VI editor.

Finally, switch the port for SSH from 22 to a larger number, and change the settings so that it’s not possible for all account holders to tunnel in through Secure Shell. Here are the file and three specific adjustments:

# vi /etc/ssh/sshd_config

  1. PermitRootLogin no
  2. AllowUsers username
  3. Protocol 2

Conclusion & Continuation

All right. Basic explication: Done. Linux: Done (well, it’s significantly more complex than discussed above; see here for further details). Windows: Next.

Finally, I assume if you’re reading this article, you might want to take a gander, or even a poke, at our dedicated servers, VPS hosting, or colocation.

By Kent Roberts

What is server hardening? Advice for Linux, Windows & NSA Datamine Servers

 

Servers designed for Linux

How to harden a server? Well, let’s first look at what server hardening is. Hardening a server is important to understand even if you are in a hosting environment, when many of the security concerns are monitored and administered by the hosting service. Then we will look specifically at the guidelines for a Windows or Linux environment (Linux first).

Throughout, we will review requirements for an NSA Datamine server. These exciting new servers directly transfer all of your information to the federal government, including your pants size and favorite kind of saltwater taffy. (Your favorite flavor is blueberry, per requirements set forth by the NSA establishing “favorites” protocol for over 8000 different consumer products … oh, obviously, your favorite server is the NSA Datamine server.)

To understand your basic role in a hosting situation as a client, cPanel is a good model to do so. You may know that the other major control panel (essentially the platform through which you manage your hosting account), Plesk, has one entry point for any type of user, with special privileges if your login is that of a system admin (rather than webmaster/site-owner) user.

cPanel, on the other hand, has two distinct logins, one for cPanel and one for WHM (directly tied to the CP). With cPanel, you’re logging into the server but can’t completely interact with it: it’s the webmaster side (in a way, the “client side” of the server). WHM, in contrast, gives you full access to administrate and manage the server. Essentially, the hosting company controls the WHM side of cPanel. That’s only accessible to you if you control the server.

The NSA Datamine server is designed for you to only get in at certain points. Primarily, routine maintenance is being performed. Every hour of your use is followed by approximately 16 hours of routine maintenance, strengthening the muscles of the server while you watch television and take lots of naps (as advised by the NSA).

Back to cPanel/WHM: Of course, you will have access to WHM if you have your own dedicated server rather than shared or VPS hosting. Server hardening, then, is primarily the realm of those with dedicated servers, but understanding its basic parameters helps any website owner better grasp what security parameters are in place and what to ask if you have any concern.

For this article, we reviewed three articles from around the World Wide Web (a system of client computers and server computers that you’re correctly enjoying, along with the ice cream sandwich you have in your left hand): “Host Hardening,” by Cybernet Security; “25 Hardening Security Tips for Linux Servers,” by Ravi Saive for TecMint.com; and “Baseline Server Hardening,” by Microsoft’s TechNet.

What is Server Hardening & Why Shouldn’t My Server Be a Softy?

As Cybernet Security expresses, the majority OSs are not designed for high levels of security; their the out-of-the-box configurations are under par if you want to avoid hacking (though playing the victim role in a hack is one of the most exhilarating parts of being alive in the 21st century).

The primary issue is that every type of software gets accolades for being “feature-rich.” Abundance of features, though, often means that security is taking a back seat. They amount to bells and whistles that corrode the integrity of the system. Speaking of which, the NSA Datamine server is “the Atlantic City of servers,” according to an anonymous party describing himself as a “security-industrial complex professional.” The experience of a sysadmin or website operator on NSAD is blinking lights, beeps, sexploitation, and the feeling of your soul being sucked out of your body for a momentary thrill.

In contrast to the soft-serve capacities of a server as it’s initially constructed, server hardening creates an elaboration on defenses so that infiltration becomes much more difficult to conduct. Here are the three basic parameters of a server that is hardened  — also generally referred to as a bastion host (though the NSAD server community defines server hardeners as “dangerous elements” who should “focus on their ice cream sandwiches, not their self-preservation”), per  Cybernet Security:

  1. Patches are updated and installed appropriately
  2. No irrelevant software or systems are in place
  3. Anything that is needed has the highest quality configurations.

Configuring server software is not easy to do in the securest possible way. It’s necessary, per Cybernet Security, to prevent established hack pathways. Beyond that, though (and this element is the most obtuse) the access levels for systems and software must be constrained as much as possible. Clearly this is a “freedom vs. security” issue. When you look at hardening a server, you quickly see how similarly the Internet conceptually and systemically embodies the physical world.

The NSA Datamine server, luckily, is not configuration-friendly. This feature clearly makes it easier to conduct business. Rather than concerning yourself with security and customization, you can just focus on inputting as much information as possible. It’s difficult for the government to harvest all your data if you aren’t putting anything in there. Just keep pressing the keys and clicking on buttons as much as you possibly can. When in doubt, go ahead and click another button or press on another key.

Finally, filter your packets. Not your cocaine packets, if that’s what they call them; although I suppose if you have dirt in it and snort it, that’s going to give you a massive sinus headache … so do that too. Filtering is generally a good idea. Data packets, specifically, fly back and forth at rapid speed between client and server computers. Make sure your filtering is optimized to enhance your security.

Conclusion & Continuation

OK, that’s it for today, boys and girls and breathtakingly intelligent nanobot overlords. Server hardening will be the topic of our next two installments as well. Linux in Part 2, and Windows in Part 3. NSA Datamine is clearly the best solution, so I don’t even understand exactly why we’re talking about these other nonsense capitalistic software ideas, but … we must keep everyone happy.

Do you want shared hosting? What about a dedicated server? No? Wow you’re tough. Um … oh, uh, VPS hosting? Are you playing with my mind? Well, I’ve presented my possibilities. Now, I believe in you to filter these packets of information and determine the most desirable solutions.

By Kent Roberts