64-bit Linux: important security vulnerability identified

Published on September 19, 2010 at 3:32 pm by iWeb Technologies in: Web Hosting Articles, iWeb Articles

Last Friday, a security vulnerability affecting 64-bit Linux operating systems was identified (see: http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3081 and http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3301).

This vulnerability is potentially very harmful because it allows a malicious attacker to take over a web server and gain full root access through a backdoor.

Install Guide: Setting Up A New Dedicated Server

Published on March 3, 2009 at 9:45 am by heri in: Web Hosting Articles

So there you are, with a new dedicated server, with plans on deploying new websites and new web services. Most likely, you already have a working, tested, and locally developed website, on a development machine, or provided by a third-party service provider who has done the programming for you.

If you are an experienced sysadmin, the following might not be interesting for you, but for web developers and those new to web hosting, this article can be a welcome guide to the first steps. The checklist should also be viewed differently depending on which technology stack you are running.

One of the first steps upon getting a dedicated server is security hardening. (Note: a checklist for ongoing maintenance was also published on the iWeb blog recently.) On a Linux server, here are the first steps:

  • change the SSH port, and create another account for your daily use. Disallow root logins. You can also bind sshd to a single IP address, different from the server's main IP
  • disable telnet
  • disable identification output for Apache (to prevent attackers from learning your version of Apache)
  • set a new username & password for the MySQL server (if relevant)
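
As an added example (not part of the original post), the script below audits an sshd_config and an Apache configuration file for the SSH and Apache items in this checklist. The function names and the sample file contents are constructed for illustration; Port, PermitRootLogin, ListenAddress, ServerTokens and ServerSignature are the directives involved.

```shell
#!/bin/sh
# Added example: audits config files for the hardening checklist above.
# sshd uses the FIRST occurrence of a keyword; Apache uses the LAST.
# Match blocks and Include files are not followed (simplifying assumption).
sshd_value() {   # $1=file $2=keyword
  awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1"
}
apache_value() { # $1=file $2=directive
  awk -v k="$2" 'tolower($1)==tolower(k) {v=$2} END {print v}' "$1"
}
audit_sshd() {   # prints one finding per line, nothing if all checks pass
  port=$(sshd_value "$1" Port)
  root=$(sshd_value "$1" PermitRootLogin | tr A-Z a-z)
  listen=$(sshd_value "$1" ListenAddress)
  [ "${port:-22}" = 22 ] && echo "ssh: listening on default port 22"
  [ "$root" = no ] || echo "ssh: PermitRootLogin is '${root:-unset}', expected 'no'"
  [ -n "$listen" ] || echo "ssh: no ListenAddress, sshd binds to every address"
  return 0
}
audit_apache() { # prints one finding per line, nothing if all checks pass
  tokens=$(apache_value "$1" ServerTokens | tr A-Z a-z)
  sig=$(apache_value "$1" ServerSignature | tr A-Z a-z)
  case "$tokens" in
    prod|productonly) ;;
    *) echo "apache: ServerTokens is '${tokens:-unset}', Server header discloses version" ;;
  esac
  case "$sig" in
    on|email) echo "apache: ServerSignature is '$sig', error pages disclose version" ;;
  esac
  return 0
}
# Constructed sample configs (not from a real server).
d=$(mktemp -d)
printf '%s\n' '#Port 22' 'PermitRootLogin yes' >"$d/sshd_weak"
printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'ListenAddress 192.0.2.10' >"$d/sshd_hard"
printf '%s\n' 'ServerTokens OS' 'ServerSignature On' >"$d/httpd_weak"
printf '%s\n' 'ServerTokens Prod' 'ServerSignature Off' >"$d/httpd_hard"
for f in weak hard; do
  echo "== $f =="
  audit_sshd "$d/sshd_$f"
  audit_apache "$d/httpd_$f"
done
```

On a real server, point the two audit functions at the actual configuration files; their locations vary by distribution.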

For those who are on CentOS, here’s an old but exhaustive guide on security.

The next step you would want to look into is optimizing your server. Optimization goes beyond the scope of one blog post, but here are pointers:

  • Update and install required software and servers
  • Optimizing MySQL, such as buffer size, table cache, query cache setup, number of connections etc. Warning: if you do not really understand what a variable in the my.cnf file does, do not try to change it. Prefer to work on low-hanging fruit, such as using EXPLAIN to speed up queries. Here’s a good blog post about MySQL optimization, or you can go directly to the reference manual
  • Optimizing Apache, with the SpareServers, Timeout, MaxClients etc. variables in the httpd.conf file. You can use ab or httperf afterwards to test performance, and also keep an eye on RAM consumption ( ps -aux | grep httpd )

Optimization can take a huge amount of time, so you should set aside a fixed amount of time for it in advance, and then come back to optimization when “real” server problems occur (long query serving, memory swaps, dying processes etc.)

The third step is now to install your website:

  • uploading the code by using a source control tool such as svn or git, or rsync (or by traditional tools like ftp, depending on the project)
  • enabling the web application, and doing various housekeeping tasks such as setting directories for assets serving, setting up the cache directory, and preparing the configuration files to connect to the database
  • sending login credentials to authorized users

Setting up DNS is straightforward, and you can do it anytime during deployment, although it might be preferable to do it once the server has been properly secured and optimized:

  • change settings at your domain name provider to point to the IP address of your new dedicated server
  • assess whether you want to set up name servers or not
  • if you use a third-party service for your web infrastructure (such as Google Apps, Zimbra or any other), you also need to set up DNS entries to point to those services
  • if you plan to send emails, in the case of a web application where users can sign up and receive email notifications, you’d need to spend a fair amount of time setting up the MX settings. Hotmail and AOL are especially known to be very demanding and flag pretty much every web-generated email as spam, so you need to set up proper SPF records. You can use this SPF setup wizard.

The next step is monitoring and scaling, and depends on the planned load for your server, such as if you’re setting up a new website, or if your business is already expanding:

  • Setting up third-party services to monitor the status of your website. You can also use professional services which will send a text message to your cell phone as soon as a service is down
  • Install tools for services logging and monitoring (munin, monit, or nagios)
  • Setting up software proxies or load-balancers (such as haproxy, pound, mod_proxy_balancer or mod_jk)

By following those steps, you should be ready by now to get the first wave of new visitors, and hand off the work to marketing :)

Again, as stated previously, this is by no means an advanced and exhaustive guide, but rather a quick checklist that will help you set up a new dedicated server.

If you are interested, here are other guides:

Mirroring Debian, Ubuntu, MySQL and many other major software at iWeb

Published on November 7, 2008 at 9:34 am by heri in: Web Hosting Articles, iWeb Articles

iWeb is now mirroring major open source and Free Software such as Debian, CentOS, Ubuntu, Fedora, the Linux kernel, and MySQL at mirror.iweb.com


These mirrors are updated in real-time, so any update to any of this software will be available in the mirror. For iWeb customers, it means installing new software or updating existing software will be significantly faster, especially if you are running dedicated servers, as these are now configured to fetch software from the iWeb mirror first. The mirror is also public, so you can see it as one of iWeb’s contributions to the open source community.

We will also be putting in other major software repositories, and any updates to the mirror will be announced on the blog as well.