For this reason, we urge our users to ensure that any WordPress user accounts, especially those with admin/editor/contributor access have their passwords reset to one that meets or exceeds the recommendations shown on the WordPress website. A good password should be a  non-repeating string at least 8 characters long that includes upper and lower case letters, numbers and special characters.

While we are taking steps to mitigate the attacks at the network level, there is only so much we can do. If your installation has a weak password, it will remain at risk.

There is little information regarding the precise nature of the WordPress exploit that intend to use, so again, it is important that you ensure your WordPress installation, theme and plugin files are all up to date.

As we hear more, we will post it here.

In the short term, we recommend this plugin (although we cannot accept any liability for any problems it may cause):

http://wordpress.org/extend/plugins/limit-login-attempts/

This will refuse login attempts from any IP address that fails to login correctly more than a handful of times.

You can also restrict access to your WordPress login screen by adding an extra layer of security using the webserver’s built in password protection facility. This is described in our support website here:

https://support.krystal.co.uk/entries/23594403-How-to-password-protect-WordPress-wp-login-php

Back in the day when I started using email – when CompuServe was just starting to get into the UK market (yes, my beard is grey) nobody really worried about having their email account hacked. We were more concerned with master boot record viruses on floppy disks (remember those?) and getting more than 28kbit/s down our phone line.

All hackers should try bending spoons instead

These days, the story is different. The high speed internet has become a playground for misenthropes and malcontents who will exploit every opportunity to peddle porn, spam, or just disrupt your daily business for their own entertainment. The romanticised view of hackers depicted in The Matrix are somewhat departed from the reality. Attacks are becoming more commonplace and more severe, and as a hosting company we have to continually modify our tactics in an attempt to mitigate the worst effects.

Most recently we found a handful of email accounts on one of our servers sending out relatively low volumes of spam. It took us a few hours to track down the last of them, but by that time the server had been listed on SpamCop and other realtime black list providers.

Why did we not detect the unauthorised use of these accounts until it was too late? Because they were being accessed using the correct login username and password. And how did that happen, you may ask – well, that’s a good question, so let me explain.

Inherently insecure

Internet e-mail relies on a few protocols including (but not limited to) SMTP, POP3, IMAP. The problem with these protocols, like so many that were originally created decades ago, is that they are inherently insecure. That is to say, the information that go back and forth between your computer and the server is not encrypted. In tech-speak it’s called being sent “in the clear”. It’s a bit like sending all of your letters in the mail in a clear envelope – anyone can read it. Not only is the content of your email sent in the clear, but your username and passwords are also up for grabs (although we’re not discussing it here, your password is a strong one, isn’t it?).

You might have been using non-SSL email for years at home or in the office without any problem. This is because there is little opportunity for anyone to listen in on your wired connection, and most wireless internet hubs/routers supplied by ISPs to their customers are encrypted also, so between your computer and your phone line, you are reasonably safe. It’s also testament to the IT industry than nobody who works for the large telecoms providers has been arrested for stealing your account information by snooping your data at one of the large switching centres – but they could – quite easily. So how do your account details get leaked?

Dirty Wifi, dirty, dirty WiFi

Google Camera Car

Enter stage left, WiFi. Wireless networking is great isn’t it? I mean, you can go and enjoy a pie and chips at your local and still look like your working hard on answering support tickets… but I digress. The problem with Wifi is that it comes in many flavours, and some are more secure than others – and some are completely open. It’s now well known that Google, when it collected public WiFi information using it’s camera cars, it also collected countless usernames and password of email accounts.

Always be sure you know which WiFi network you are joining connecting to, and always make sure it asks for a connection password otherwise you may be open to snooping. I could go and setup a mobile WiFi network from my car and sit outside a Starbucks, and within an hour I could probably lure dozens of people to connect and capture their email account details. When was the last time you checked with the owner of the premises what their WiFi network was called?

When you go on holiday, and you connect to your friendly beach bar’s WiFi you might think you are secure because you had to enter a password. Sadly there are weak WiFi encryption systems (WEP was compromised long ago) out there that make it relatively trivial for someone else connected to the network to eavesdrop on your session. If you connect to an untrusted WiFi network (i.e. one that is not owned by you), then check the SSID (the name that comes up on your computing device) with the owner and also make sure you have to enter a password.

Super duper SSL to the resue

So, how do we protect against this invasion of our privacy?

SSL (Secure Sockets Layer) is a method by which your normal “in the clear” information is wrapped up inside an encrypted envelope. SSL is employed on the Web to secure ecommerce and baking websites, and it does much the same for your e-mail. The conversation between your email software and our email server is virtually uncrackable by people listening in. Even if you connected via a rogue WiFi network, your email connection would be safe as long as you were using SSL for both your incoming and outgoing connections.

The Post Mortem

In every case of a hacked email account on our systems, when we enquire with our customer regarding their email practices, they invariably reveal that they use mobile devices or laptops. Further, they admit to connecting to the internet from untrusted locations, WiFi hotspots and the like. They also invariably have not enabled SSL on those devices.

Not only does this cause massive inconvenience to us in tidying up the aftermath, but it can also mean that the customer concerned has to seriously consider the impact the attack has had on their personal security.

The hackers will also go back through all the email on the account, and may have found emails from banks, online retailers, medical/personal information etc, that might allow them to exploit the target’s personal identity in other ways, so really, if you do one thing this week – enable SSL on your incoming and outgoing email.

Your SSL settings are always available for your email account via your cPanel. Just follow these instructions to obtain them:

https://support.krystal.co.uk/entries/23114231-What-are-my-email-configuration-settings

Further reading

http://www.securityweek.com/e-mail-hacks-bigger-problem-you-think

Open Source Search Server

We’ve had a number of requests recently from our clients who want to run Sphinx on their cPanel accounts, so here is a quick tutorial on how to get Sphinx installed on cPanel in a non intrusive and safe way. Although this is unsupported, we are able to install this for our clients on our business hosting plans.

Sphinx on cPanel

Before we start, this is how to install Sphinx on a per user basis, so your cPanel account will need shell access and compiler access. This can be set in [WHM »Security Center »Compiler Access] and [WHM »Account Functions »Manage Shell Access] respectively.

As the cpanel user, in shell, first let’s setup the folders and download and then install Sphinx. You can find the latest version here: http://sphinxsearch.com/downloads/release/. We are going to use version 2.0.6-release.

cd ~/
mkdir local
mkdir src
cd src
wget http://sphinxsearch.com/files/sphinx-2.0.6-release.tar.gz
tar zxvf sphinx-2.0.6-release.tar.gz
cd sphinx-2.0.6-release
./configure --prefix=$HOME/local/ --exec-prefix=$HOME/local/
make
install

Assuming you’ve encountered no errors, we need to add the binaries to your path. So open up  your favourite editor (we’ll use nano here) and add $HOME/local/bin to your path by adding :$HOME/local/bin to the end of your current path as defined in ~/.bash_profile

nano ~/.bash_profile

Your PATH variable will look something like this :

PATH=$PATH:$HOME/bin:$HOME/local/bin

Make sure you reload your profile:

source ~/.bash_profile

Sphinx should now be installed and ready to run. Make sure when editing your sphinx.conf file you keep everything local to your userspace. I like to use ~/local/sphinx/ as the store.

Keeping everything ticking

To make sure Sphinx is always running you can setup a cron job inside cPanel to run the searchd periodically:

/home/[USERNAME]/local/bin/searchd --config /home/[USERNAME]/local/sphinx/sphinx.conf

This will attempt to start up searchd every time it’s run – and if it’s already running it won’t do anything.

Things that might go wrong

1) If you are getting permission errors you need to make sure that your sphinx.conf file is only using files in your home space, for example:

searchd
{
	port				= 3312
	log				= /home/[USERNAME]/local/sphinx/searchd.log
	query_log			= /home/[USERNAME]/local/sphinx/query.log
	pid_file			= /home/[USERNAME]/local/sphinx/searchd.pid
}

2) If other users are using sphinx on the server, then you may need to change the port from 3312 to something else.
3) If you are getting ./configure or make errors, then you need to make sure compiler access is enabled, and that you have full shell, not just jailshell.

I’ve had a few hobbies in my life that could potentially kill me if done badly. My mom, ever the pessimist, would say, “always put on clean underwear, just in case”. I think it’s because her generation is more worried about turning up in the emergency room with dirty unmentionables than whether they were going to survive any injuries – I digress. The point is, when it hits the fan you want to be prepared.

Most Content Management System packages, forums and e-commerce software packages these days offer their administrators quick and painless built-in upgrade functionality. On one hand, this is great, because keeping your website software up to date and plugging security holes is essential to any good security strategy.

However, from the point of view of a tech support department, I regard the days when vendors release upgrades with a degree of world weary resignation, and this is why. For a myriad different reasons, automated upgrades can and do go pear-shaped, and the results are often a broken website, a support request, and possible delays and loss of business while we work to straighten it out.

Sadly, we still see a rush of such requests every time new major versions of popular packages are released. So, when you come to upgrade anything on your website, and I mean ANYTHING, then the first thought that should enter your mind is to BACKUP YOUR DATA!

By taking a few minutes to create home directory and a database backups you can upgrade with confidence, knowing that any problems can be quickly and easily corrected. It really is simple to do, and only takes a few minutes.

How many backups are too many?

No amount of backups are too many backups! Why would I say this? After all, Krystal backs up your cPanel account, so why would you want to take your own backups? We might have a 100 Terrabyte plus behemoth taking regular snapshots of your websites, but we only retain these backups for a few days.

If your website gets hacked then cleaning it up can be a complex affair. There is also no guarantee once you have restored any files using our automated backups, that the hackers won’t have left covert modifications that may not show up for days or weeks, by which time any clean backups have been rotated out of our systems.

If you earn a living from your website then it makes sense to take your own backup of your files and databases at least once a month and retain them for at least six months. That way, if our backups don’t go back far enough, you still have an extra safety net. Storage these days is less than 50p per Gb, so there is really no excuse for not archiving your backups.

Most websites that are CMS based maintain separation between the CMS software itself and the data/images that drive them. Recovering a CMS driven site (Joomla!, WordPress, Drupal etc) from a hack is usually as simple as replacing the CMS software’s core directories with backups (leaving your uploaded content and configuration files intact). So, as long as you have backups, restoring your site should take no longer than a few minutes.

A quick preview of us getting our hands on all the new gear:

Software

Before we get into all of the shiny hardware, a quick word about software!

The integrity and resiliency of our data are the most important things when it comes to our backups. When it comes to file systems that provide integrity and resiliency it’s almost impossible to look past ZFS and this is what we have decided to go for. This will provide us with a solid base to host multiple instances of R1Soft server backup for our cPanel clients to use!

Hardware

This machine is a bit of a beast, it requires 4 power supplies to keep it running! Here are the brief specifications:

CPU: 16 Cores at 2.6GHz each (2 x E5-2670 Intel Xeon)
Mem: 192GB ( 24 x 8GB )
Network: 2 x 10Gb cards

Disks:
Boot drives:
2 x 256GB SSD drives from different manufactures in Raid 1

Backup storage:
3 x LSI SATA controllers with 16 channels
48 x 3TB SATA drives in ZFS RAIDZ2 with
4 x 256GB SSD drives as read cache

This will give us roughly 108 TB of usable space with 1TB of SSD caching.

To put this into perspective, our current backup server that services most of our shared servers uses around 20TB !

Pictures

SSD Drives:

Motherboard with 192GB of ram and both CPUs:

1 box of 3 – 3TB SATA drives in caddies waiting to go:

A lot of memory:

For every friend you refer who enters with your unique code, you get 10 more entries in to the draw! So if you refer 10 friends, thats 100 more entries!

Remember you can share your code anywhere – twitter, facebook, email….

Good luck and Merry Krystmas!

Simply visit http://krystal.co.uk/krystmas to find out more! Once you have entered the prize draw,  share and for each friend you refer you will get 10 MORE ENTRIES!!

Merry Krystmas one and all!

No purchase necessary.

Today’s update – Speed!

Speed Matters
Google now factor speed in their algorithm for ranking websites (Source: http://googlewebmastercentral.blogspot.com/2010/04/using-site-speed-in-web-search-ranking.html) and numerous reports indicate that visitors to websites become frustrated if a page takes even more than 1 second to load, often browsing away to another site.

The pursuit of speed and fast loading websites has always been important to Krystal and so I wanted to let you know about a number of steps we’ve taken to make your web hosting the fastest it can be.

Firstly, we’ve installed a faster web server, called nginx (pronounced “engine-x”) in front of your website. Nginx proxies requests and operates a lighter framework than Apache (the standard web server) speeding up page response times. You and your clients should already be able to notice a decrease in page load times.

Secondly, we’ve REDUCED the number of sites we put per server. We’ve purchased additional servers and spread accounts and load out across our fleet. This means each server has less work to do and therefore more time per site, which translates in to less waiting around. I believe that we now put the LEAST number of sites per server of any shared host in the UK! We make less money per server but we hope that we’ll gain fanatical clients who’ll tell others how good we are. 

Finally, we’ve sped up our premium web hosting. Our “Sapphire” and “Diamond” web hosting plans now have DOUBLE and QUADRUPLE the server resources they had before  (CPU and RAM). With no more than 60 sites per server these accounts have a lions share of the server. For those of you who are after the very best in load speeds, or want a dedicated server like experience but at a fraction of the cost these are an excellent option.

But we haven’t just stopped there. In order to offer the fastest UK web hosting we’ve also added the option of Solid State Disks (SSD).

Solid State Disks will certainly be the future de-facto standard for computer hard drives as the performance they offer is unrivalled. They differ from normal hard drives in that they don’t have spinning platters, acting more like computer memory (RAM), instead. Because there’s no moving parts they’re in the region of 20 times faster. Combined with the new premium CPU and RAM limits we’ve introduced we think we’ve got a strong contender for the fastest web hosting available in the UK! As a result of the expense and smaller size of SSDs, these plans do offer less disk space and cost more but will give you the very fastest performance available. Krystal also offer the most amount of SSD space of any hosting company in the UK with 5GB on the Sapphire plan and 10GB on the Diamond.

All of our premium web hosting plans include more frequent backups, out of hours emergency phone support, a free SSL certificate and domain name for life and PCI-DSS compliance making them ideal for the most demanding businesses and power users. If you’re thinking that your website or company could benefit from Krystal’s premium hosting then please take a look at https://krystal.co.uk/web-hosting-uk/, contact us or ring 03333 44 1337.