syamsul's domain

Thanks to the excellent tutorials over at Slicehost, I got an idea of some the things you need to do to secure your brand new virtual private server (VPS) straight away.  To me, the main takeaways with regard to security would be:

1. create a privileged user with Sudo access

2. disable the root account login

3. use strong passwords e.g. a combination of letters in upper and lower case, numbers and other characters

4. setup iptables firewalls

I had no idea how well these steps were working though in preventing unauthorised access and I don’t really have the time to access the the system logs every day. Wouldn’t it be great if there were a way you could just receive a daily email summarising significant security-related server activities?

Well there is! You just need to setup Logwatch by following the steps in this tutorial

You won’t get any emails set to you however if your VPS hasn’t already been configured properly to send email. This excellent tutorial explains how to setup Exim4 to send emails from your VPS.

One thing I noticed about this method though is that you may not receive emails sent to your email account; apparently some email providers automatically discard emails sent from servers without proper reverse DNS records. So if you find yourself not getting emails from logwatch, you will need to set up reverse DNS on your VPS (which you usually can do in your VPS control panel – or ask your provider to help you). Alternatively, you can set your VPS to send emails via the Gmail SMTP server – which practically guarantees that sent emails reach your inbox.

The first times I received my Logwatch reports via email, I have to admit to being shocked at just how many intrusion attempts my VPS receives on a daily basis! Several thousand a day (why do so many people have so much free time?) I found out that you can tweak your iptables to limit the number of intrusion attempts. In my example below, any IP address that has more than 3 SSH login attempts over 10 minutes gets blocked for 10 minutes.

-N SSH_CHECK
-A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
-A SSH_CHECK -m recent --set --name SSH
-A SSH_CHECK -m recent --update --seconds 600 --hitcount 4 --name SSH -j DROP
-A SSH_CHECK -j ACCEPT

Note that this isn’t the most comprehensive guide to security on a VPS, but it’s a start!

It really irks me that even the latest-and-greatest Windows 7 64-bit Home Premium can’t get some simple functions right. Case in point: my amazing stubborn un-removable printers!

Yep, there are 3 instances of FX DocuPrint here because the first two  (which no longer work as the networked printer has since gone local) won’t disappear no matter how many times I remove them as Administrator!

Most people suggest using Print Management in the Microsoft Management Console; alas, the former isn’t even listed as a snap-on in my version of Windows that came with this free Lenovo Nettop. And it seems like I’m not the only one facing this annoyance.

At least it doesn’t actually impair performance or printing though; for now, it’s a cosmetic anomaly which won’t usually bug me as I usually work on my iMac.

There are quite a number of tutorials available on backing up to Amazon S3, which is popular due to its redundancy and low cost (15cents per gigabyte). I prefer Rackspace Cloud Files though due to its lower upload fees (8cents vs 10cents per gigabyte of bandwidth).  We will use duplicity to create the backups because it is bandwidth efficient and also allows us to encrypt our backups.

We will also be setting up the cloudcity script to make it easier to automate the backup and restore process.

First set up build essential so that you can do necessary compiling later.

apt-get install build-essential

Install duplicity

Debian Lenny and Ubuntu < 10.04 come with older versions of Duplicity. We need to add additional repositories to install a newer version of duplicity from.

On Debian Lenny

nano /etc/apt/sources.list

add this line

deb http://www.backports.org/debian lenny-backports main contrib non-free

Next run the following commands in succession

apt-get update
apt-get install debian-backports-keyring
apt-get -t lenny-backports install duplicity

On Ubuntu 9.10 and earlier

sudo add-apt-repository ppa:duplicity-team/ppa

On older (pre 9.10) Ubuntu systems:

sudo nano /etc/apt/sources.list

Add the relevant Duplicity source; for Ubuntu 8.04 it would be:

deb http://ppa.launchpad.net/duplicity-team/ppa/ubuntu hardy main

deb-src http://ppa.launchpad.net/duplicity-team/ppa/ubuntu hardy main

Next run these commands

sudo apt-key adv –keyserver keyserver.ubuntu.com –recv-keys 7A86F4A2

sudo apt-get update

sudo apt-get install duplicity

Check that the installed version is > 0.5

duplicity –version

Setup your GPG keys for encryption of your backups

gpg –gen-key

You’ll be walked through a few options for your key, select the following:

Key type – DSA and Elgamal (Default)
Key size – 2048 bits (Again, the default)
Expiration – Do not expire
Name, Comment and Email – You can enter whatever you like here
Password – Make sure you remember whatever you type, there’s no way to get it back if you forget!

When it talks about “generating entropy” to make the key, it means that the server needs to be in use in order for it to get some random numbers. Just go refresh a webpage on the server a few times, or run some commands in another terminal window.

IMPORTANT

Create backups of your keys by following the steps here:

https://help.ubuntu.com/community/GnuPrivacyGuardHowto#Backing%20up%20and%20restoring%20your%20key%20pair

Copy the backups to a safe and secure location – OFF this computer.

Install python-cloudfiles

Browse to http://github.com/rackspace/python-cloudfiles/downloads

Download and extract the tgz of the latest release. Then install it.
e.g.

wget http://github.com/rackspace/python-cloudfiles/tarball/1.7.2

tar xzvf rackspace-python-cloudfiles-48dd7c8.tar.gz

cd rackspace-python-cloudfiles-48dd7c8

python setup.py install

Setup cloudcity

Browse to http://github.com/jspringman/cloudcity/blob/master/cloudcity
Copy the text of the cloudcity script and edit the following lines at minimum:

# Cloud Files information you can get from https://manage.rackspacecloud.com/
export CLOUDFILES_USERNAME=your_username
export CLOUDFILES_APIKEY=your_api_key

#This is the password you typed in when creating your GPG keys earlier
export PASSPHRASE=your_gpg_passphrase

# Specify the name of the container/directory in your Cloud Files account where the backup files are to be stored
TARGET=”cf+http://cloudfiles_container_name”

# List ONLY the directories that you want to backup, for instance
INCLUDE_LIST=( “/home” “/root” “/var/www”)

Edit the other parameters as desired.

Create a file for the script
e.g.

nano cloudcity.sh

and paste the edited script contents discussed above.

Next give it permissions to run

chmod +x cloudcity.sh

Ok you’re ready to backup!

./cloudcity.sh

When completed, you will see

“Backup complete”.

You may wish to setup a cron job to call this script every night.

To view restore options

./cloudcity.sh –help

Be sure to keep a copy of cloudcity.sh!

Restoring on another computer

In the event of a catastrophic crash, the computer you are restoring your backups to will need to be set up the same way as above but with ONE difference; do not create GPG keys again, but restore your keys (that you’d backed up earlier) following the steps here

https://help.ubuntu.com/community/GnuPrivacyGuardHowto#Restoring%20your%20keys

Now use cloudcity.sh to restore your backed up files!

Note: Here is a similar tutorial on backing up your MySQL databases to Rackspace Cloud Files

http://blog.jtclark.ca/2010/02/backup-mysql-to-rackspace-cloud-files-with-duplicity/

A couple of months ago I wrote about how I’d migrated this blog to a Virtual Private Server (VPS)  from a shared hosting provider. Well, since then I’ve moved back to a shared hosting provider.

Why the switch back? At the time, I was learning how to manage a VPS for work-related purposes so it was exciting to apply what I’d learnt to my own personal blog. But it only took a few months for a few things to sink in:

1. Managing a VPS takes quite a bit more time than a shared hosting account – not just the setup, but also the maintenance of security patches etc
2. A VPS with enough resources to take the same traffic as shared hosting service costs more than the latter
3. A VPS with managed services (so that you don’t have to deal with the maintenance) costs US$30 upwards
4. My blog doesn’t really get so much traffic that it needs the resources of a VPS (a little ego-shattering but true)
5. I run a standard install of WordPress (plus a few plugins) which are well supported by just about every shared hosting service

Ultimately, a VPS gives you a great deal of flexibility and power – but if you’re only going to be hosting a simple low-traffic blog on it, then it’s overkill in terms of cost and effort (i.e time). Perhaps some day when I have more need for the resources will I switch back to a VPS.

Right now I’m on a US-based shared hosting provider by the name of powerMonster.

Don’t be put off by the odd sounding name – the cost is low, speeds are fast (I’m on their Litespeed/DirectAdmin server in Los Angeles) and they have excellent technical support – responding to my support tickets in 15 minutes or less! I’d greatly recommend anyone looking for a fast webhost with good service to check them out!

I’ve just been with Sparkstation for slightly more than a day on their Linux VPS ( and not, it’s not necessarily the same VPS this blog is presently on!)  I thought I’d share some initial impressions, seeing that there is nary a review of their VPS hosting services to be found anywhere!

I chose their cheapest VPS plan (VPS Value) without any control panel because I’m comfortable with managing my VPS without Cpanel or Plesk etc. Also, I wasn’t sure how this experience would turn out, as I was more familiar with (cheaper) VPS hosting in the United States.

I got my welcome emails for my VPS barely minutes after I made the payment via Paypal- very refreshing indeed! I logged in by SSH and checked that the processor was indeed an Intel(R) Xeon(R) CPU E5420 @ 2.50GHz (8 cores), as claimed.

At first I felt rather let down when I tested the connection speeds – it felt no more responsive than a VPS in the USA! I submitted a trouble ticket on Sat evening, and that very evening they diagnosed that it was an upstream issue, offered to move me to a different IP and did so shortly after I confirmed that I’d like this to be so. Very professional and quick resolution!

I’d ordered a VPS with Debian 4 thinking I would upgrade it to Debian 5 myself, but doing so proved to be troublesome and also broke the capabilities of Plesk Power Panel. Unlike with most OpenVZ hosting solutions, the user isn’t given the ability to rebuild his VM and switch Linux distributions on the fly (e.g. switch from Debian –> Ubuntu -> Fedora etc). This is probably a limitation of Parallels Virtuozzo? Anyhow, since CentOS 5 is the most updated Linux distro offered, I submitted a ticket to technical support on Sunday morning requesting for a complete rebuilding of my VM to one based on CentOS 5. Before Sunday noon, I got an email saying this was completed

Now, these 2 support incidents showed that Sparkstation support is indeed available over the weekend! They may not have 15 minutes response times, but then again they do not claim to provide it. For both incidents, they responded to my tickets in about 2 hours which I find to be decent.

I was initially worried about 256MB RAM not being enough at all for even small sites because with the OpenVZ VPSes I have been on, I quickly end up creeping into the (unreliable) “burst RAM” with a LAMP stack and a simple Joomla site. But it seemed that I needn’t worry after all – the SLM system that Sparkstation has chosen to implement in its Virtuozzo VPSes are noticeably more efficient in memory utilisation. I also like how this means that should a flood of visitors hit my site, it won’t shut down and require manual “rebooting” (as is wont to be the case on an OpenVZ VPS in my experience).

Finally, I find the pricing to be very reasonable, comparable to say renowned US-based Knownhost’s VPS when ordered without a Control Panel? The comparison doesn’t quite work with a control panel though – it seems like the likes of Knownhost or Media Temple are able to offer steep discounts on control panels, probably due to their sheer size? And they bundle managed services too…. Regardless, Sparkstation does appear to offer the best pricing among Singapore based hosting providers offering unmanaged, control panel-less Virtuozzo-based linux VPS.

Will post an update after I’ve spent some more time with this VPS.

And  I should probably post about the other VPSes I’ve been with too!

It has been 2.5 years now since I changed hosting providers for this blog.

As you (probably don’t) recall, this blog began its life on Blogger. Not satisfied with the limitations of Blogger (which has since joined the Google family), I was excited to discover WordPress which I then found the super affordable Focushub to host on. A year or 2 later, I needed a little more and went on to hosting by Oryon Networks (by the way, Oryon Networks is an EXCELLENT webhosting – the hosting is incredibly speedy and any emails and support tickets I sent to them were responded to in about an hour or less – even on weekends!)

Today, I’ve finally made the next step, from a hosted solution (Blogger) to a shared hosting (Focushub & Oryon Networks), and now a Virtual Private Server (VPS).

Now what is a VPS you ask? Basically it works almost like a dedicated server, only that it’s much cheap since you’re paying for a virtualised instance of a dedicated server, utilising a fraction of its resources (CPU, RAM and hard drive). The advantage of using a VPS is really root access – you can install ANYTHING, compared to a shared hosting environment. You also have more RAM available to you, where in a shared hosting environment this will be shared with all the other websites on the same server (probably up to 150 or so – or even more, if the hosting provider engages in overselling!).

So why isn’t everyone on a VPS? Even though the prices of VPSes have fallen rather dramatically especially recently, you do need to be a little more adept technically as you have to essentially become a system administrator for a (virtualised) server. Asking for easy-to-use control panels like cPanel, or even getting the hosting company to manage the VPS for you will incur additional (and sometimes, substantial) costs.

For me, I’ve come to a stage where I’m willing to learn how to manage my own (virtual) server. Of course, it doesn’t hurt that my hosting provider also offers semi-managed services for free i.e. hand holding for times I mess up bad