I have been involved in the development of a complex PHP web application that does very large amounts of processing, includes several files with thousands of lines of code, does multiple and complex db queries etc. So far it has been running only on non-public development servers and has been surprisingly fast given what it does.
But I am concerned about what might happen when it is time for it to start running on a website with many users.
Is there a way to estimate in advance how serious that problem may be?
I have some concerns with hosting an external URL. I have these two websites www.benchmarkportal.com and www.bmponlinestore.com and my question is, is it possible for www.bmponlinestore.com to launch if ever I click on www.benchmarkportal.com/store/ url with the url name unchanged meaning it won't change to www.bmponlinestore.com? scenario:
step : when I click on www.benchmarkportal.com/store/
result: the contents of www.bmponlinestore.com show up but without changing the url name (the url will still be www.benchmarkportal.com/store/)
so let's get this all hashed out... it'll be interesting to see how people handle various situations.
Before responding, let's keep this thread signature free.
I recently came across an issue where a customer wanted to bring their own Microsoft products/licenses to the table. Got a few questions for the other providers out there... this really needs to be hashed out.
Microsoft is very strict when it comes to enforcing their license policies, we all know this much.
So... when a customer wants to install their own software, what do people do to help ensure that whatever agreement you have with your upstream provider or Microsoft isn't in violation by allowing someone to bring their own licenses?
What steps do you take to ensure validity of said licenses?
How do you define, much less enforce, these guidelines?
What role, if any, should a provider play in doing their part to help stem illicit license abuse?
I'm starting to test out VPS panels and found vePortal 2. I purchased it and installed it. Now I'm checking some security, as we all know about the terrible result of HyperVM as everyone blindly used it because it was "pretty" but it was not secure.
Some serious concerns I'd like to share with vePortal 2.
1) It makes no backups of any of the files it modifies during install, or so I haven't seen any, like httpd.conf.... more of a pain than anything. There is no way to auto uninstall it either..
2) vePortal gives full root access to the Apache user, letting apache run any root commands! They add this to your /etc/sudoers:

    apache ALL=(root) NOPASSWD:ALL

    [root@nd11108 myadmin]# su -s /bin/sh apache -c "whoami"
    apache
    [root@nd11108 myadmin]# su -s /bin/sh apache -c "sudo whoami"
    root
This is a root exploit waiting to happen. I asked them about this and got the response.
Quote:
It would be a security breach if a) apache was allowed SSHD Access, or b) the server was running scripts that haven't been marked secure. We have a very comprehensive team of beta testers including one of the largest providers around. They and their staff have not been able to break the security or integrity of the panel as of yet.
All panels in one way or another have root control over the system, for example they wouldn't be able to have a SSH Console without it, as only specified commands would work. We do have a list of the commands required by vePortal if you wish to limit it, but the console and the Shell Commander functions would stop working.
Regards, Gavin H. Chief Information Officer
That's funny I have been using the panel a few minutes and already found they've ignored the biggest security hole possible..
3) In 5 minutes I've found multiple XSS vulnerabilities in the admin area... Like search customers, I was able to generate JavaScript alerts in multiple fields....
4) It stores the MySQL root password in clear text in a .php file... yeah that's real secure. Why does it even operate under the MySQL root user, it's using a single database....
5) I forgot to add, it doesn't recognize ANY OpenVZ Vps's you've created manually. It has no idea they exist and you cannot view them at all.
I'm sure I could dig deeper into the source code and find more but it's not worth it. Judging by what I found without actually trying to spend time on security I completely removed the product.
The panel does look nice but it sure gets a mark of insecure for me, I would advise others seriously look into the security of this new panel if you're considering using it.
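An added example, not part of the original post or of vePortal's code: a short Python audit that flags sudoers rules like the one quoted in point 2, where a web-server account may run every command as root. The account list and the restricted rule in the sample are assumptions made for illustration.

```python
import re

# Accounts that run network-facing daemons (assumed list; extend per host).
SERVICE_ACCOUNTS = {"apache", "www-data", "nginx", "httpd", "nobody"}
# who  host = (runas) [TAG:] cmd, cmd ...
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

def logical_lines(text):
    """Join backslash-continued lines; drop blanks and '#' lines.
    (#include directives are skipped too: audit included files separately.)"""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit(text):
    """Return (severity, account, rule) for service accounts allowed to run
    every command as root; 'critical' when no password is required."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("Defaults") or re.match(r"\w+_Alias\b", line):
            continue
        m = SPEC.match(line)
        if not m or m["who"].lstrip("%") not in SERVICE_ACCOUNTS:
            continue
        tags, cmds = set(), []
        for cmd in m["rest"].split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):   # strip NOPASSWD:, SETENV:, ...
                tags.add(t[1])
                cmd = cmd[t.end():]
            cmds.append(cmd)
        runas = (m["runas"] or "root").split(":")[0]
        as_root = {"root", "ALL"} & {u.strip() for u in runas.split(",")}
        if as_root and "ALL" in cmds:
            sev = "critical" if "NOPASSWD" in tags else "high"
            findings.append((sev, m["who"], line))
    return findings

# Constructed sample: the rule quoted in the post next to a restricted one.
SAMPLE = """\
Defaults env_reset
root     ALL=(ALL) ALL
apache   ALL=(root) NOPASSWD:ALL
www-data ALL=(root) NOPASSWD: /usr/sbin/vzlist -a, \\
                              /usr/sbin/vzctl status 101
"""

if __name__ == "__main__":
    for sev, who, rule in audit(SAMPLE):
        print(f"[{sev}] {who}: {rule}")
```

Only the apache rule is reported; the www-data rule passes because it names specific commands, which is the kind of limited list the vendor's reply mentions.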
I have just finished testing with my HP DL380 G3 server and I have been looking at different companies / facilities to ship it off to for co-location.
How do you ease your own concerns of hardware failures on the server (aside from HDD which are easy to replace) when it is so far away?
I control a datacenter / networking environment for my company, so I have immediate access to any of our gear that breaks, but I will not be co-locating within our facility for obvious reasons.
Are most people using left over Dell / Compaq / HP stuff or custom builds? I went with HP because of the built-in iLO capability to lessen the need for so much remote hands in the event of a reboot etc.
I guess the biggest thing that is worrying me right now is a catastrophic hardware failure such as motherboard / cpu. All others can be quickly fixed (HDD, RAM, etc), but with a motherboard / cpu failure, the extended downtime can be long while spares are ordered / shipped.
Unlike earlier versions of Microsoft Windows Server, the 2008 version gives you a default logon screen that is very similar to Vista. Instead of the interactive dialog box that prompts you for a username, password, and sometimes domain, users will find a “push button” screen displaying all users with login permissions. To log into an account, all the users will now need to know is the password. This makes things much easier for hackers as the only thing they will now need to guess is the password.
There are a couple of ways to resolve this problem. First, the server administrator can set the local security policy to not display the last username and disable fast user switching. Second, in the System Remote Settings dialog, the remote desktop options can be set to allow computers with Remote Desktop that support Network Level Authentication.
Since the first method is covered in a few blogs, I’ll limit myself to discussing the second method. In the latest versions of Remote Desktop Connection client (version 2.0 for Mac and the version shipped with Windows Vista), Network Level Authentication is supported. This means users must send the username and password before Windows 2008 accepts the connection. Earlier versions of RDC (like the one found in many installations of Windows XP) don’t support NLA. So technically, users will only need to supply the IP or domain name of the remote Windows server, leave the username and password blank, and interact with the logon process that is provided at connection time. Windows 2008 servers that do not have the NLA option set for remote desktop connections are vulnerable since the interactive logon screen (post-connection) is displayed to users using earlier versions of RDC.
This last point may be of significance to service providers offering Windows 2008 dedicated servers. If the server is set up with default settings, the NLA option is disabled and new users will by default be made to change passwords on first logon. Users using new versions of RDC will not be able to log on because the initial password change sequence on first logon is not compatible with NLA. The server will return an incorrect password message to the RDC client even though the user has provided the correct username and password. The only way to establish the first connection is thus to use a non-NLA supporting version of RDC, so that the user can connect without supplying credentials and then go through the password change wizard during the initial login. But as mentioned, having NLA disabled on the server side is not an ideal practice at this point.
So there are a couple of ways to do this. The service provider should disable the “change password on next logon” option during the user creation process and get the user to manually change the password after logon. Or alternatively, assist the client/user in changing passwords through the console internally.
I've been having trouble with my VPS for a while now. In the QoS alerts page in Virtuozzo it seems to be a problem with numtcpsock and tcprcvbuf, mainly numtcpsock.
Copy these into the browser: i18.photobucket.com/albums/b106/gnatfish/qosnumtcpsock2.jpg
Anyone know of some good server load testers ( commercial )?
I'm not looking for application based load testing, I need real web server load testing... need to see how much traffic this one site can take before it cries.
I'm having the oddest issue. For some reason, some of the websites on my server load fine, and some take a really long time to load (2 minutes).
Now, the server load is fine, and the size of the sites aren't the issue either. I've restarted Apache and a couple more services, and still the same sites seem to load very slow.
What could be causing this since it's only affecting certain websites?
I would like to know how to check load via ssh and check files causing load?
I want the ssh codes for 2 different set of control panels, one with cpanel+whm and other with kloxo+hypervm
and I would also know how to check the files causing the load, such as some files could have been interrupted while processing, so they could be causing load some times, so I want to stop such processes if any are running on the vps on my friends accounts
I just got a futurehosting VPS recently and something is puzzling me. Is it normal that an idle CPanel virtuozzo VPS that has no sites on it should display "top" loads of between 1 and 4 regularly? I've been watching the load for a bit now and it keeps jumping between 0-4. When it goes 1 or above, the WHM panel becomes really slow, timing out... They seem to use a beast 8 core machine, so it would take some activity to cause even a 1 load..
I do not have much knowledge about VPS hosting, on a dedicated I would expect the loads to stay 0-0.2 at this point... Is the 1-4 load showing the result of heavy usage by other VPS users on the node? There is absolutely nothing that could cause a load in my vps as far as I see... Is this perfectly normal on any VPS?
I'm on LON03 server and I received yesterday from Future Hosting this advice about high load.
I got then 1 month ago, and the solution was *JUST* to remove a phpBB website with 80+ users. I do not believe that the VPS could get this kind of loads.
Funny is that the VPS was "monitored" by them at the same time. They say the load spikes out from time to time in a matter of seconds.
This load is taken from the Parallels Infrastructure Panel or even the Node Panel, not from the VPS itself. Even when I'm logged in.
I've been a client for 6 months, and 2 of the last 3 constantly getting CPU high usage. Strange is, that I come from a 512mb/25gb PowerVPS server to a 1GB/30GB server, with the *SAME* sites.
Anyway, the purpose of this topic is to:
- check if anyone had this problem (problem is: being sure that this load is IMPOSSIBLE to be created from your service)
- recommend a decent VPS provider besides Future Hosting and PowerVPS.
It has been running fine for almost six months now and now from past few days it's all gone in black zone?
PID   USER   PR NI %CPU TIME+   %MEM VIRT RES SHR  S COMMAND
32084 nobody 16 0  73   2:00.34 0.9  162m 75m 8260 R /usr/local/apache/bin/httpd -DSSL
13857 nobody 16 0  50   1:13.53 0.7  147m 59m 7900 R /usr/local/apache/bin/httpd -DSSL
32114 nobody 15 0  36   1:46.67 0.4  117m 30m 8600 S /usr/local/apache/bin/httpd -DSSL
I get equal share from CPU plus it has got 384MB of memory? Why load is so high when I check in VPP......it is going in black and yellow zone in resources all the time?
The load on my server is VERY HIGH and it needs to be upgraded fast.
I really have no clue as to what to do... and I do not know any expert other than you people here - to help me out and put me on the right track.
I was thinking of
1) Getting a server with better CPU and more RAM
2) Load Balancing
However I know nothing of load balancing (other than how to spell it correctly )
1) Which of the above two options should I choose?
2) What are the extra costs in load balancing?
3) What should I know about load balancing before deciding?
4) How does load balancing work? I know there are two servers - like one for database and one as webserver... but how does this work together?
5) What config should I be looking at in the two servers?
I'll stop here else I can go on and on and on...
I am giving the details of my server and service below, in case you guys need it.
We host a large number of small websites and are looking for high-availability and the ability to do maintenance on our application servers, so I'm looking for a load balancing solution. At this point, I'm considering Zeus ZXTM LB software, the Coyote Point e350si, and potentially an F5 1500 LTM.
The F5 solution is a total budget buster, and the Coyote Point UI is rough around the edges, but I've used them and they are reliable. Zeus looks like a winner with a great UI, but I haven't heard much about their reliability.
Bandwidth requirements are low at this point, so this is mostly about reliability and ease of configuration of a moderately complex set of services.
Any opinions on these vendors, or alternates I should consider?
I run a GSP (Game Server Provider) and I just bought 2 new octi xeon servers (Intel 5320)
I am having a problem with the load balancing, it doesn't balance the CPU usage on all cores but only on one, and it gets at about 80-85% and 3% CPU usage on the other one.
I'm just curious, how many around here use load balancers in front of their webservers, and what kind of traffic do you push with them? (What kind of load balancer as well) Any other specifics would be nice as well.
My VPS holds about 80 domains and low-use accounts.
Every night, from around 1.30am, the load suddenly skyrockets and will usually be around 5 to 10 for a few hours. Occasionally it'll spike to 30+ for a few minutes.
I had some antispam software running, and a couple of other packages (mail queues, mail manage etc), so I disabled all of that and removed all the crontab entries etc.
It's not really made any difference.
I can see the load stats going back 8 hours, as part of the ASSP spam package (I've just left the ASSP server load cron running just so I can continue monitoring it!)
Can the apparent load on my VPS be caused by other VPS's on the same node?? So in reality, my load is fine but is being affected by other people's VPS's?
I hope that makes sense. I'm 99% sure that my VPS is 'clean' (in so far as cron entries)
I'm asking the question because I took a second VPS on the same node and that one too has high loads overnight when there's nothing running on it (ie, no add-on software, no Cpanel accounts added)