fuf posted: Thanks that's interesting stuff

Have you looked into a managed solution? Someone more versed in the UK market can chime in, but it looks like webhosting.com.uk provides a managed Plesk VPS. If (when) your instance spontaneously catches on fire, it's always good to have someone on speed dial. Of course support's always great until you actually have to use it!

SP isn't multi-tenant, so don't expect these clients to have access to a panel, nor does it provide an integrated email suite. In such situations you can set your users up with Zoho or Google Apps. Email is a beast to keep clean; even I find myself rotating IP addresses in from my subnet on occasion when a server blows up from a compromised account. Unless you've got access to more than one IP address on the server, it's best not to host email yourself.
# ? Jan 1, 2018 20:46

Yeah, IMHO farm out email services to g-suite and just charge a markup rate for management.
# ? Jan 2, 2018 21:30

nem posted: EIG wrecked the industry, VPS is becoming oversimplified, and in due time a dedicated security researcher is going to turn the landscape into a hellscape by unearthing a serious bug.

I'm not always right, but when I am I wish I hadn't been right. This bug would allow an attacker to peek around filesystem caches as well as anything in resident memory, including any private server keys/passwords...

quote: A vulnerability found by security researchers in Intel processors manufactured over the last ten years is poised to wreak havoc on the world of computing. And the fix? Well, it might not be pretty.

https://twitter.com/misc0110/status/948706387491786752
# ? Jan 4, 2018 09:27

Would it make a difference if a host is running multiple virtual machines versus “shared hosting” that doesn’t involve virtualization?
# ? Jan 4, 2018 20:58

Nope. Very roughly put: these bugs basically allow anyone to read any physical memory on a machine, i.e. JavaScript running on VM "A" can read VM "B"'s memory. (Which is why cloud providers are shitting a brick and doing mass patches and reboots.)
# ? Jan 4, 2018 21:03

Yeah I was just thinking about that. “Hey if I can read memory anywhere arbitrarily it doesn’t matter if there is virtualization or not!”
# ? Jan 4, 2018 21:27

Hi, just wondering if Digital Ocean is still one of the new cool hosts? I have been using them for a while, and recently got hacked, and was told to destroy my droplet and create a new one to fix the problem. (It was about a year and a half old, with no problems until I installed Redis last week; Google searching finds that may have been why my server was hacked, which was my fault, not theirs.) I don't blame them for the hack, or dislike their service, but since I have to set up my server again, reinstall the OS, reinstall WHM/cPanel, and set up a dozen or so domains and their websites again (the hack was a malware one of the kind that downloads, encrypts, and deletes all of my data and will resell it back to me for some bitcoins; I have some of the data backed up but not all), I figure I may as well see if there is any new cool service around.
# ? Jan 9, 2018 00:54

BJA posted: Hi,

What security measures & practices did you have in place when you got hacked (firewall, fail2ban, key based auth, etc etc)? Can you tell us a bit more about what led you to believe Redis was the culprit?

With a VM there's much more burden on you rather than on the host for keeping it secure. Of course the host can screw you over by allowing social engineering, not staying up to date on patching their host machines, etc.
# ? Jan 9, 2018 01:06

BJA posted: Hi,

DigitalOcean has a ton of new cool poo poo coming soon. I used to work there until last month. Stick with them. Trust me. I'm still under NDA but it's really cool poo poo.
# ? Jan 9, 2018 01:19

BJA posted: Hi,

Did you have Redis exposed to the internet? That's a common way to get owned.

When you're rebuilding it might be worth looking at using config management like Ansible, because using tooling like that makes rebuilds a lot less painful.
# ? Jan 9, 2018 01:29

fletcher posted: What security measures & practices did you have in place when you got hacked (firewall, fail2ban, key based auth, etc etc)? Can you tell us a bit more about what led you to believe Redis was the culprit?

None of the things I needed, I am sure, which is why I said it was my fault, not theirs. I'd be interested in some articles on the things you mentioned, but should I consider a managed VPS or something?
# ? Jan 9, 2018 01:32

BJA posted: None of the things I needed I am sure, which is why I said it was my fault, not theirs I'd be interested in some articles on the things you mentioned, but should I consider a managed vps or something?

You know DigitalOcean has free firewalls now too. Just keep your web app updated. Use the DigitalOcean firewall to block off all unnecessary ports. No need to learn iptables.

E: it's dope too. It's at the hypervisor so traffic never even touches your droplet.
# ? Jan 9, 2018 01:37

BJA posted: None of the things I needed I am sure, which is why I said it was my fault, not theirs I'd be interested in some articles on the things you mentioned, but should I consider a managed vps or something?

The Digital Ocean documentation is actually a decent place to start: https://www.digitalocean.com/community/tutorials/7-security-measures-to-protect-your-servers

They have a lot more specific articles depending on what exactly you are looking to do: https://www.digitalocean.com/community/tags/security/tutorials

Any publicly addressable machine on the internet will be getting hit by automated attacks 24/7 within seconds of being booted up. So for your Redis example, one of the layers of security that could have saved you was a firewall set up to allow only ports 22 (ssh) and 443 (https); then your unprotected Redis service wouldn't be accessible to any joe schmoe on the internet.
# ? Jan 9, 2018 01:48

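The default-deny layer the post above describes, written out as an added example; this is not code from the thread or from DigitalOcean's documentation. It is a POSIX shell script that emits a host-side nftables ruleset allowing only loopback, replies to connections the box opened, ICMP and the listed TCP ports (22 and 443 unless told otherwise), plus a check that a given port is not opened, which is the question the Redis incident turns on. Assumed, and not something the thread specifies: nftables is installed on the droplet, and the chain names and the ICMP/loopback exceptions are my choices. The DigitalOcean hypervisor firewall recommended in the thread does the same job one layer out; this is the belt to that set of braces, and the only option on a host without such a thing.

```shell
#!/bin/sh
# Added example: host-side default-deny firewall for a single VPS.
# Not from the thread or DigitalOcean's docs. Assumes nftables is installed;
# the port list, chain names and the ICMP/loopback exceptions are my choices.

# fw_ruleset [PORTS]: print an nftables ruleset that drops all inbound
# traffic except loopback, replies to connections we opened, ICMP, and the
# listed TCP ports. PORTS is a space-separated list (default "22 443").
fw_ruleset() {
  ports=${1:-22 443}
  set -- $ports
  allow=$(printf '%s, ' "$@")
  allow=${allow%, }
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    tcp dport { $allow } accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# fw_port_closed RULESET PORT: succeed (return 0) when PORT appears in no
# "tcp dport" accept rule, i.e. a service that happens to listen on that
# port (Redis on 6379, say) stays unreachable from the internet even if it
# binds 0.0.0.0. Returns 1 when the port is allowed.
fw_port_closed() {
  printf '%s\n' "$1" | grep 'tcp dport' | grep -Eq "(\{ |, )$2( |,)" && return 1
  return 0
}

# Usage (from the provider console rather than over SSH, so a typo in the
# ruleset cannot lock you out):
#   fw_ruleset > /etc/nftables.conf && nft -f /etc/nftables.conf
#   fw_ruleset "22 443 8443" > /etc/nftables.conf    # extra port
#   fw_port_closed "$(cat /etc/nftables.conf)" 6379 && echo "redis not exposed"
```

The ruleset is written to a file and loaded with `nft -f`, so it survives a reboot once the distribution's nftables service is enabled; `fw_port_closed` is the kind of check worth running from a deploy script before a new service goes live, so that "I installed it and left it as is" cannot silently mean "it is listening to the whole internet".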
BJA posted: Hi,

Unlikely that Redis was the cause, unless you installed a really old release from "Jim Bob's Repo Emporium" that hasn't been updated since 2011. I see a 2015 CVE that allows remote code execution via Lua. Installing from EPEL would obviate it, as it would have been patched and a new Redis released on EPEL.

What else are you running on there? Wordpress sites? User accounts besides "root"? Those are the most common vectors that I see that, once compromised, allow an attacker to do whatever in the hell she chooses with impunity.

Edit: as root, public key authentication is the only means by which you should be permitted to access your server. No keyboard-interactive/saved passwords. Got fail2ban running as a deterrent to brute-force attempts? If your site in any way leaks your email address and it's on haveibeenpwned.com, or you use the same password elsewhere, or a top 10 million password...

nem fucked around with this message at 11:02 on Jan 9, 2018
# ? Jan 9, 2018 10:55

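The key-only SSH setup nem's edit calls for (public key authentication only, no keyboard-interactive or password logins), as an added example rather than anything posted in the thread: a POSIX shell script that rewrites an sshd_config into a hardened one and audits a config for the password and keyboard-interactive paths. It disables root login outright and restricts logins to a named sudo user, the arrangement Alpha Mayo describes later in the thread, rather than root-with-a-key; the user name `admin` and `MaxAuthTries 3` are my assumptions. The one sshd detail the script is built around is that sshd honours the first value it reads for a keyword, so the hardened lines go first and any earlier copies are stripped from the remainder.

```shell
#!/bin/sh
# Added example (not from the thread): emit a key-only sshd_config and audit
# one for the password/keyboard-interactive paths nem says should be off.
# The admin user name ("admin") and the MaxAuthTries value are my assumptions.

# harden_sshd_conf [USER...]: read sshd_config on stdin, write a hardened
# copy on stdout. sshd uses the FIRST value it sees for each keyword, so the
# hardened lines go first and existing copies are stripped from the rest.
harden_sshd_conf() {
  users="$*"
  [ -n "$users" ] || users=admin
  cat <<EOF
# --- hardened settings (must stay above any Match block) ---
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
AllowUsers $users
EOF
  grep -Eiv '^[[:space:]]*(PermitRootLogin|PubkeyAuthentication|PasswordAuthentication|KbdInteractiveAuthentication|ChallengeResponseAuthentication|MaxAuthTries|AllowUsers)([[:space:]]|$)' || :
}

# sshd_audit: read sshd_config on stdin, print one line per weak setting,
# return the number of findings (0 = clean). Unset keywords are judged by
# sshd's defaults (PasswordAuthentication yes, KbdInteractiveAuthentication
# yes, PermitRootLogin prohibit-password). Only the global section is read;
# Match blocks are not evaluated.
sshd_audit() {
  conf=$(cat)
  n=0
  # first value of a keyword (case-insensitive), stopping at the first Match
  first() {
    printf '%s\n' "$conf" | awk 'tolower($1) == "match" { exit } { print }' \
      | grep -Ei "^[[:space:]]*$1([[:space:]]|$)" | head -n 1 \
      | awk '{ $1 = ""; sub(/^ +/, ""); print tolower($0) }'
  }
  v=$(first PasswordAuthentication); [ -n "$v" ] || v=yes
  [ "$v" = no ] || { echo "password logins allowed (PasswordAuthentication $v)"; n=$((n + 1)); }
  v=$(first KbdInteractiveAuthentication)
  [ -n "$v" ] || v=$(first ChallengeResponseAuthentication)
  [ -n "$v" ] || v=yes
  [ "$v" = no ] || { echo "keyboard-interactive logins allowed"; n=$((n + 1)); }
  v=$(first PermitRootLogin); [ -n "$v" ] || v=prohibit-password
  [ "$v" != yes ] || { echo "root may log in with a password (PermitRootLogin yes)"; n=$((n + 1)); }
  return "$n"
}

# Usage (keep the current session open until a second key-based login works):
#   harden_sshd_conf admin < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
#   sshd_audit < /etc/ssh/sshd_config.new && sshd -t -f /etc/ssh/sshd_config.new \
#     && mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config && systemctl reload sshd
```

`sshd -t -f FILE` is sshd's own syntax check and belongs in the pipeline above before the file is swapped in. fail2ban, which nem also mentions, is the complement to this rather than a replacement: with passwords off it mostly cuts log noise, and its sshd jail is enabled by a `[sshd]` section with `enabled = true` in `jail.local`.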
nem posted: Unlikely that Redis was the cause, unless you installed a really old release from "Jim Bob's Repo Emporium" that hasn't been updated since 2011. I see a 2015 CVE that allows remote code execution via Lua. Installing from EPEL would obviate it as it would have been patched and a new Redis released on EPEL.

The only reason I assumed this was because, googling around, some people said they had been hacked shortly after installing it (within a few days) like I did; it was the only thing I had recently changed, and I probably did what jre said, since I pretty much installed it and left it as is: "Did you have redis exposed to the internet ? That's a common way to get owned"
# ? Jan 9, 2018 11:34

BJA posted: The only reason I assumed this was because googling around some people said they had been hacked shortly after installing it (within a few days) like I did, it was the only thing I had recently changed, and I probably did what jre said since I pretty much installed it, and left it as is:

Found the possible exploit. That's clever. Put Redis under its own account and disable its shell: chsh -s /sbin/nologin redisuser. Also run Redis under a socket. Unix domain sockets are ~25% faster than TCP if memory serves me correctly, and you're not opening it up to the world.

Always keep your users separated and give them the least privilege necessary to carry out a function. Database server just performs database routines. Web server just performs serving web requests, etc. You'll end up with several accounts and it's for the better, as you can isolate whenever a breach should occur.
# ? Jan 9, 2018 12:01

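nem's two mitigations (a dedicated no-shell account for Redis, and a unix socket instead of a TCP port) plus the "don't expose it in the first place" point from earlier in the thread, as an added example that is not code from the thread: a POSIX shell script that rewrites a redis.conf into a hardened copy and audits a config for the settings that leave an instance reachable. It also disables the CONFIG, DEBUG and FLUSHALL commands for clients, which is my addition, not something the thread asked for; the socket path, the account name and that command list are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): lock Redis down the way nem describes:
# dedicated no-shell account, unix socket instead of TCP, and no client access
# to CONFIG. Socket path, account name and the disabled-command list are my
# assumptions, not settings the thread specified.

# harden_redis_conf [SOCKET]: read a redis.conf on stdin, write a hardened
# copy on stdout. Existing lines for the directives we control are dropped
# so the appended values are the only ones left.
harden_redis_conf() {
  sock=${1:-/run/redis/redis.sock}
  grep -Ev '^[[:space:]]*(bind|port|protected-mode|unixsocket|unixsocketperm|rename-command)([[:space:]]|$)' || :
  cat <<EOF
# --- hardened settings ---
bind 127.0.0.1
protected-mode yes
port 0
unixsocket $sock
unixsocketperm 660
rename-command CONFIG ""
rename-command DEBUG ""
rename-command FLUSHALL ""
EOF
}

# redis_audit: read a redis.conf on stdin, print one line per weak setting,
# return the number of findings (0 = clean). Missing directives are judged
# by Redis defaults (port 6379, all interfaces, protected-mode yes).
redis_audit() {
  conf=$(cat)
  n=0
  # last occurrence of a directive, value only
  val() {
    printf '%s\n' "$conf" | grep -E "^[[:space:]]*$1([[:space:]]|$)" \
      | tail -n 1 | awk '{ $1 = ""; sub(/^ +/, ""); print }'
  }
  port=$(val port); [ -n "$port" ] || port=6379
  if [ "$port" != 0 ]; then
    bind=$(val bind); exposed=0
    [ -n "$bind" ] || exposed=1            # no bind line = every interface
    for a in $bind; do
      case $a in 127.0.0.1|::1|-::1|localhost) ;; *) exposed=1 ;; esac
    done
    [ "$exposed" -eq 0 ] || { echo "TCP port $port reachable beyond loopback (bind: ${bind:-all})"; n=$((n + 1)); }
  fi
  [ "$(val protected-mode)" != no ] || { echo "protected-mode is off"; n=$((n + 1)); }
  [ -n "$(val unixsocket)" ] || { echo "no unix socket configured"; n=$((n + 1)); }
  printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]' \
    || { echo "CONFIG command still reachable by clients"; n=$((n + 1)); }
  return "$n"
}

# Usage:
#   useradd -r -M -s /sbin/nologin redis            # own account, no shell
#   harden_redis_conf < /etc/redis.conf > /etc/redis.conf.new
#   redis_audit < /etc/redis.conf.new && mv /etc/redis.conf.new /etc/redis.conf
#   (run redis-server as that user, e.g. User=redis in its systemd unit, and
#    put the web app's user in the redis group; then: redis-cli -s /run/redis/redis.sock)
```

`port 0` turns the TCP listener off entirely, so the `bind 127.0.0.1` line is only there in case someone re-enables a port later; `unixsocketperm 660` means a client must be in the socket's group, which is the least-privilege split nem describes between the database account and the web account. `rename-command` is the older mechanism; on Redis 6 and later, per-user ACLs are the nicer way to take CONFIG away from the application user.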
nem posted: Found the possible exploit. That's

Don't expose databases / keystores to the internet. Redis and mongo are particularly awful in terms of their security posture and have been heavily targeted in the last 18 months.
# ? Jan 9, 2018 20:45

Too bad about the MailChannels price increases. I've had a package through Lithium Hosting for over a year as a little extra layer of anti-spam protection, and the price has doubled (through no fault of their own).
# ? Jan 24, 2018 14:07

fuf posted: Too bad about the MailChannels price increases.

Lots of people / companies are dropping them completely as a result of their sudden price hikes. Some companies are paying 4x more per month for the same exact service. It's a terrible business practice to force existing customers to pay more for the same service. This is our 12th year as a hosting provider and we have NEVER forced customers to pay more for their plan, only ever created new plans for new customers.

They also modified their reseller / partner program, which we were one of the first to test and participate in. Now, to be a reseller and utilize their billing system modules, you have to commit to 4M messages per month at over $1000 / month. This means any other MailChannels reseller/partner has also had to jack up their pricing or look for an alternative service. We're still able to sell their service for less than buying from them directly, but our margins are seriously reduced. We no longer sell to new customers but are keeping the service active for existing customers. We'll also continue to provide MailChannels email protection to our Shared Hosting customers free of charge.
# ? Jan 24, 2018 14:49

DarkLotus posted: This is our 12th year as a hosting provider and have NEVER forced customers to pay more for their plan

I greatly appreciate you doing that. Kept me on Lithium for 8 years now and I even feel guilty when I pay my bill.
# ? Jan 25, 2018 01:25

I don't even know how to get started with web development these days. Do I want XAMPP, Git, a GitHub subscription, and Digital Ocean? Like, I want to be able to develop on my desktop, push a button, and have it uploaded to the web. Shared hosting is not a proper solution for the web app I want to build.
# ? Jan 25, 2018 04:11

Alpha Mayo posted: do I want XAMPP,

Are we to assume from this that you are going to be writing your web app in PHP and using MySQL/MariaDB as a database?
# ? Jan 25, 2018 04:21

Yeah unless that's fallen out of favor. It's the only web language I'm familiar with but I am open to other ideas.
# ? Jan 25, 2018 04:42

Try heroku?
# ? Jan 25, 2018 04:51

Alpha Mayo posted: Yeah unless that's fallen out of favor. It's the only web language I'm familiar with but I am open to other ideas.

The Web development thread in CoC is where you should ask about this. (PHP will not be recommended because it's bad... but maybe it's not worth learning something else if you're just trying to get something out the door.)
# ? Jan 25, 2018 07:54

Thermopyle posted: Web development thread in CoC is where you should ask about this. ( PHP will not be recommended because it's bad...but maybe it's not worth learning something else if you're just trying to get something out the door. )

Yeah, I am aware that PHP is bad. This is more of an educational project, though I know the long-term goal of what I want to make, so learning a new language is fine with me. Didn't mean to derail; forgot where the web development thread is. Also I forgot about using Vagrant instead of XAMPP (I hate running a bunch of servers on my desktop). I'll just rent a droplet for $5/month and see where it takes me.
# ? Jan 25, 2018 09:42

Thermopyle posted: PHP will not be recommended because it's bad

Alpha Mayo posted: Yeah I am aware that PHP is bad.

Stick with PHP 7, enable strict type checks, use Laravel/Lumen, and have a blast not having to nuke your npm repo every other update, which has the footprint of a black hole. All the retarded programmers flocked to Node, and moreover npm is an absolute political quagmire. But, on the other hand, if you can see the forest through the trees, async programming is pretty sweet. Most of the PHP hate is seated in old logic that because it's accessible it yields bad programming. That much is true. Snag a good framework and don't write poo poo code.
# ? Jan 25, 2018 14:52

Yes, the only choices are node and PHP.
# ? Jan 25, 2018 14:56

Thermopyle posted: Yes, the only choices are node and PHP.

Cool. Time to throw Ruby and Python into the wood chipper on that note. On global usage numbers alone I'd agree. Use the right tool for the job and call it a day. Sometimes it's Node. Sometimes it's PHP. Sometimes it's Python. Sometimes it's Haskell. Once upon a time it was Ruby. And back when humans learned to walk upright it was Perl.
# ? Jan 25, 2018 15:11

I didn't know PHP 7 made some progress with typing, which was my biggest problem with PHP. Weak typing feels so sloppy and gave me so many headaches before. My other problem was that it felt like a procedural language with objects later bolted on, though that isn't as much of an issue with modern frameworks. Before, I had to program around how PHP behaved, instead of telling PHP how to behave.
# ? Jan 25, 2018 15:16

Anyone know a half decent plesk shared host for cheap? <500mb disk, <1gb bw, php7+ (7.2 ideal), ssh required.
# ? Jan 29, 2018 22:33

Signed up for a Droplet last night, didn't get to logging in to it for the first time with ssh until now. Just a no-name IP address.

quote: You are required to change your password immediately (root enforced)
# ? Feb 10, 2018 17:37

Alpha Mayo posted: Signed up for a Droplet last night, didn't get to logging in to it for first time with ssh until now. just a no-name IP address.

fail2ban. Hackers keep ARIN ranges for DO, Linode, AWS in a hot list to continuously try. Sometimes the box changes hands and "root:Password" works. And if you run Apache, a sieve for mod_evasive is good insurance.
# ? Feb 10, 2018 18:57

Alpha Mayo posted: Signed up for a Droplet last night, didn't get to logging in to it for first time with ssh until now. just a no-name IP address.

Do yourself a favor and use ssh keys so you don't even have a password for the box and it's not sent via email.
# ? Feb 11, 2018 01:01

Yeah, I set up fail2ban and ssh keys, made a regular sudo wheel user for admin, and disabled root login and ssh password login. That guy who got hacked through Redis got me worried about how I handle everything.

I'm not really sure if I'm supposed to run my own firewall? The site has firewall rules that you set and it says everything is blocked if not allowed there, but some of the guides mention a need for a firewall. I installed UFW and it ended up fucking up iptables, which was a mess it left behind after uninstall too. I had to nuke that box and start over anyway (something unrelated, involving permission issues and me typing sudo chmod -R 777 on the wrong parent directory).

My ultimate goal is to have Vagrant running on my home PC as a mirrored dev environment with the ability to push the changes over to the droplet using something like Git.
# ? Feb 11, 2018 01:38

Alpha Mayo posted: Yeah I set up fail2ban and ssh keys and made a regular sudo wheel user for admin and disabled root login and ssh password login. That guy who got hacked through redis got me worried about how I handle everything.

Nah, just use the DigitalOcean firewall. I mean, you can set up iptables, but the DigitalOcean firewall is at the hypervisor layer so traffic never reaches your droplet.
# ? Feb 11, 2018 02:23

Looks like there is a new ispmail guide for Debian stretch. There goes a few hours this weekend
# ? Feb 16, 2018 17:44

Anyone got any recommendations for a VPS with at least 4 cores, SSD and gigabit throughput? Not sure who the preferred providers are these days.
# ? Feb 21, 2018 04:43

Do you actually honestly need gigabit? If not, DigitalOcean can do about 300mbps.

edit: actually ~530mbps for me

Rufus Ping fucked around with this message at 06:22 on Feb 21, 2018
# ? Feb 21, 2018 06:16

Rufus Ping posted: do you actually honestly need gigabit?

I'm assuming most providers are going to provide at least gigabit, but I just want to guarantee that we're not going to be limited to 100mbps or something stupid like that. I considered the large VPS/cloud providers like Digital Ocean, but their pricing kinda sucks. I was hoping someone would have a suggestion for something goon run that isn't oversubscribed garbage but also isn't going to cost me over 100/month. Also I forgot to say, but I'm looking for 16+GB of RAM.

ElCondemn fucked around with this message at 09:12 on Feb 21, 2018
# ? Feb 21, 2018 09:08