Don’t Forget To Do A Spring Clean On Your Server

Over time some of us tend to get a collection of scripts on our servers that we don’t use. It may be a script that you were testing, something you wanted to check out but didn’t use or an old script that was replaced with something else.

I had two incidents this week that related to old scripts. One was a phpBB2 forum. The owner had set this up some time ago (approx. 1 year) but it hadn’t really taken off. He had emailed me that he was continually receiving high cpu load email alerts from his server. When I checked, it was MySQL that was causing the high load. I then had a look with phpMyAdmin and saw that this phpBB database had over 240,000 records in the posts and topics tables and over 1 million records in the ‘words’ database. phpBB has a cron job that builds a database of words and phrases to improve search speed. Because there were so many posts this cron job was taking a long time to run and stressing the CPU a little. The posts were all from automated porn posting ‘bots’ that were just continually adding random pornography related posts. Given that the forum wasn’t getting any real use we simply removed it. It’s not the first time I’ve seen this issue though – forums are a target for automated posters of porn and general spam. If you have set up any forums in the past but didn’t get around to using them, now might be a good time to remove them – they may be causing unnecessary server load.

The second incident was a script that creates online forms. The whole thing was written in PHP and could create a form on-the-fly. The owner started to get hundreds of notifications from this form and didn’t know where the notifications were coming from. A quick text search on the server revealed a directory that had this form script in it. Additionally, there was no default page in that directory (i.e. index.php, index.html) and directory listing was turned on. What that means is that the list of files was there for anyone who discovered the directory. This is a common technique for hackers. If, for example, I know that by default a script that I can exploit is usually installed in /nastyscript/ I could easily set up a spider to check domains for that directory. So there are 3 tips in this instance:

  1. Remove your old scripts.
  2. Always have a default file or turn off directory indexing on your server.
  3. Don’t install to the standard directory for a script. In the example above it would have been better to install to something like /nastyscript_131/ or something similarly random.
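A quick way to act on tips 1 and 2 is to audit the document root for directories that have no default page and switch indexing off where you find one. This is an added example, not a script from the original post; the document root path and the index file names it looks for are assumptions, and the .htaccess line uses Apache syntax.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web document root for
# directories that have no default page, i.e. the ones Apache would list if
# directory indexing is on. Index file names and paths are assumptions.

# find_unindexed_dirs DOCROOT : prints every directory under DOCROOT that
# contains none of index.html, index.htm or index.php.
find_unindexed_dirs() {
    docroot="$1"
    find "$docroot" -type d | while IFS= read -r dir; do
        if [ ! -e "$dir/index.html" ] && [ ! -e "$dir/index.htm" ] \
           && [ ! -e "$dir/index.php" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# disable_indexing DIR : adds "Options -Indexes" to DIR/.htaccess (Apache),
# appending only if the line is not already there so repeat runs are safe.
disable_indexing() {
    dir="$1"
    if [ -e "$dir/.htaccess" ] && grep -q 'Options -Indexes' "$dir/.htaccess"; then
        return 0
    fi
    printf 'Options -Indexes\n' >> "$dir/.htaccess"
}
```

The .htaccess line only takes effect if the vhost allows it (AllowOverride Options or All); otherwise put Options -Indexes in the server configuration itself.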

WHM – Exclude specific accounts from backup

I had a situation recently where a hard drive filled up because of the daily/weekly/monthly backup. It was a 1 Terabyte drive in a server that was used for hosting so it was a bit unusual, given that there were only 30 or 40 hosting accounts on there. It turns out that there were some old accounts from an application that is no longer used. That particular application had a large amount of database (MySQL) data and when the cPanel account was compressed the size of the backup file was around 217GB. Multiply that by 3 for daily, weekly and monthly and you can see that it was using up an awful lot of hard drive space.

The customer wanted to keep the data for now, but it wasn’t important enough that it should be backed up. The solution is to go into the WHM backup configuration and scroll to the bottom and click on the ‘Select>>’ button. This allows you to de-select the accounts that you don’t want backed up. Alternatively, if you are a bit of a unix head or want to disable backup of accounts with your own script, all you need to do is add the accounts that you don’t want backed up to /etc/cpbackup-userskip.conf. Just add the account username, one per line.
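If you go the script route, it pays to make the addition idempotent so a cron job or a second run doesn’t leave duplicate lines. This is an added example, not from the original post; the file path is the one named above, and the simple lowercase username check is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): add cPanel accounts to the backup
# skip list without duplicating entries. The file path comes from the post;
# the lowercase/digit/underscore username pattern is an assumption.
SKIP_FILE="${SKIP_FILE:-/etc/cpbackup-userskip.conf}"

# skip_backup USER... : appends each username (one per line) if it is not
# already listed. Returns 1 if any name fails the simple username check.
skip_backup() {
    rc=0
    for user in "$@"; do
        case "$user" in
            ""|*[!a-z0-9_]*) echo "invalid username: $user" >&2; rc=1; continue ;;
        esac
        touch "$SKIP_FILE"
        if grep -qx "$user" "$SKIP_FILE"; then
            echo "$user already in $SKIP_FILE"
        else
            printf '%s\n' "$user" >> "$SKIP_FILE"
            echo "$user added to $SKIP_FILE"
        fi
    done
    return $rc
}
```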


Dedicated Server Google Knol


I’m in the process of writing a Google Knol about dedicated servers. Over time it will become a guide for people who are getting started with their first dedicated server. I’ll be adding some of the tips and information from here as well as some additional information about choosing hosts, server specifications etc. The knol is right HERE.


What is a Brute Force Attack?


This is a term that you will often see if you are browsing around internet security related sites. A brute force attack is usually carried out with some sort of automated script. The attacker will often use a list of common usernames and passwords, but could also have the script written in such a way that it simply goes through all the letters of the alphabet, numbers and other characters in order to get the correct password which will allow them into the site they are attacking.

A good analogy would be if you had a combination lock that had three numbers. If you tried all of the numbers from 000 to 999 you would undoubtedly ‘crack’ the combination. That’s a fairly slow way of doing it of course – scripts can generate numbers and letters much faster than you could turn the tumblers on a combination lock!

Knowing how a brute force attack works should make it very easy to understand that the longer your password is, and the more punctuation and other non alpha-numeric characters you have … the harder it is to ‘crack’.
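On a server, the automated guessing described above shows up in the auth log as a run of failed logins from one address. As an added example (not from the original post), here is a small awk check that counts those failures per source address; the log lines are constructed samples, not from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): spot a brute force run in SSH
# auth log lines by counting failed logins per source address. The log lines
# below are constructed samples using documentation IP ranges.
SAMPLE_LOG='Mar  3 10:01:02 www sshd[2201]: Failed password for root from 203.0.113.9 port 4410 ssh2
Mar  3 10:01:03 www sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 4411 ssh2
Mar  3 10:01:03 www sshd[2203]: Failed password for invalid user test from 203.0.113.9 port 4412 ssh2
Mar  3 10:01:04 www sshd[2205]: Failed password for root from 203.0.113.9 port 4413 ssh2
Mar  3 10:02:10 www sshd[2210]: Failed password for joe from 198.51.100.7 port 5001 ssh2
Mar  3 10:02:30 www sshd[2212]: Accepted password for joe from 198.51.100.7 port 5002 ssh2'

# brute_force_sources THRESHOLD : reads log lines on stdin and prints
# "<ip> <failures>" for every address with at least THRESHOLD failed logins.
# A single typo from a real user stays below the threshold; a script does not.
brute_force_sources() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }'
}
```

On a live server feed it with the real file, e.g. brute_force_sources 5 < /var/log/secure on RedHat/CentOS.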


Getting To Know SSH and The Unix Shell

If you don’t have an IT background, then working on your server is a bit like working on a car for the first time. There’s a lot of stuff under the hood but it all looks like a whole lot of hoses, wires and thingamajigs. That can be scary and it’s true to say that just as you can disable your car if you move the wrong wire, you can do damage to your server if you use the wrong commands.

The best way is to ease into it. Become comfortable with some of the simple commands before you try anything fancy. In this article I’m going to look at some basic commands that will provide you some information about your server.

The first thing to remember is that most flavours of Unix (e.g. RedHat, CentOS etc) are case sensitive and most commands should be entered in lower case. So, the command DF will yield a ‘command not found’ error, whereas df will tell you how much disk space you have free.

In order to run these commands you will need to use a SSH client program. SSH or ‘Secure Shell’ has, for the most part, replaced the old and somewhat insecure Telnet program. They both do much the same thing except that Telnet is in clear text and SSH is an encrypted link. If you are using Windows then you should download PuTTY which is a free SSH client. There is a setup guide at http://gears.aset.psu.edu/hpc/guides/putty/. Just ignore the part about enabling X11 Forwarding – we don’t need that.

Once you have installed PuTTY and successfully connected to your server you will see a prompt that looks something like this:

[joe@www admin]#

This is what we refer to as the ‘command prompt’ as it is the place where you enter any commands that you want the server to run.

So…what commands can you run without causing any problems? Thousands … literally … but we will look at just a handful here to get you started.

df – This command will tell you how much hard disk space your server is using (think of it as ‘disk free’). Let’s look at the output. Type df at the command prompt and press your ‘Enter’ key.

The output will look something like this:

[joe@www admin]#df

Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00   74718304   6661240  64200272  10% /
/dev/hda1               101086     11731     84136  13% /boot
tmpfs                   225228         0    225228   0% /dev/shm
/dev/hdc2            145739192    465284 137870756   1% /mnt/disk2
/dev/hdd1            240362656  66950244 161202612  30% /mnt/disk3

The important column is the second last column – the one with the percentage figure. That number tells you how much of the disk is in use. For example, the /boot filesystem in that list is using 13% of its total space and the last one is using 30% of its total space. If you would like to know more about the other numbers in that output, there’s a good primer at http://www.oracle.com/technology/pub/articles/calish_filesys.html.

free – this command will tell you how much total and free RAM your server has. Type free at the command prompt and press your ‘Enter’ key. The output looks something like this:

[joe@www admin]#free

             total       used       free     shared    buffers     cached
Mem:       2055416    1631192     424224          0     180224    1061592
-/+ buffers/cache:     389376    1666040
Swap:      2040244        208    2040036

From the above we can see that this server has 2GB of RAM (total) and that it is currently using approximately 1.6GB of that RAM. That doesn’t mean that the applications on the server are using most of the RAM though. Note the two columns ‘buffers’ and ‘cached’. The operating system uses buffers and cache internally to manage its own operations and optimize performance. In reality, the applications on the server are using around 389MB of RAM and the operating system is utilizing much of the remaining RAM. The ‘Swap’ figures show how much ‘swap space’ the server has and how much it is using. Swap space is similar to Windows ‘virtual memory’. If the server uses up all of the physical RAM it will start to swap idle programs out to disk. Generally speaking you should ensure the server has enough physical RAM that it doesn’t need to swap to disk. Disk based memory is much slower than your ‘real’ RAM.
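Once you can read df and free by eye, the same two outputs are easy to check by script, which is how you catch a filling disk (like the backup incident above) before the alerts start. This is an added example, not from the original post; it embeds the df and free output shown above as sample text so you can try the functions without a server, and the threshold values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): turn the df and free output
# explained above into two quick checks. The sample output is the post's own,
# embedded here as text so the functions can be run without a server.
DF_SAMPLE='Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00   74718304   6661240  64200272  10% /
/dev/hda1               101086     11731     84136  13% /boot
tmpfs                   225228         0    225228   0% /dev/shm
/dev/hdc2            145739192    465284 137870756   1% /mnt/disk2
/dev/hdd1            240362656  66950244 161202612  30% /mnt/disk3'

FREE_SAMPLE='             total       used       free     shared    buffers     cached
Mem:       2055416    1631192     424224          0     180224    1061592
-/+ buffers/cache:     389376    1666040
Swap:      2040244        208    2040036'

# full_filesystems LIMIT : reads df output on stdin and prints "<mount> <use%>"
# for every filesystem at or above LIMIT percent (Use% is the second last column).
full_filesystems() {
    awk -v limit="$1" 'NR > 1 { pct = $(NF-1); sub(/%/, "", pct)
                        if (pct + 0 >= limit) print $NF, pct }'
}

# app_memory_mb : reads free output on stdin and prints the RAM actually held
# by applications, i.e. used minus buffers minus cached, in whole megabytes.
app_memory_mb() {
    awk '$1 == "Mem:" { printf "%d\n", ($3 - $6 - $7) / 1024 }'
}

# swap_used_kb : reads free output on stdin and prints the swap in use (KB).
swap_used_kb() {
    awk '$1 == "Swap:" { print $3 }'
}
```

On a real server pipe in df -P (the -P keeps long device names on one line) and free; 389376 KB from the sample works out to 380 MB, which is the same figure the ‘-/+ buffers/cache’ line reports.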

Now that we’ve covered a couple of the simple commands, there’s a good list of some other commands at http://www.reallylinux.com/docs/basic.shtml.

Just be careful if you use the passwd command. It will change your password instantly. Oh, and don’t go changing your password to anything simple. Remember, security starts with a strong password!