Suhosin Extension for PHP

Suhosin is a security patch/extension for PHP. It comes in two parts: a patch to the PHP core (engine-level hardening) and a standalone extension (runtime protections); the extension can be loaded without the core patch.

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.

Here is a recent SecurityFocus interview with the author of this package, which goes into the details of the project and what is ahead…
PHP Security From The Inside

While this patch [or extension] is simple to set up under Linux, the Windows side is harder: no binaries are provided, so you have to build PHP with the extension from source…

And anyone that’s ever tried to build win32 PHP knows what a headache that can be. What PHP.net provides in source is about 20% of what’s needed, and contains extension libs that date from 2000.

_Though I will say_ that some extensions/DLLs CAN be built: the ones that do not depend on anything else.
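
Once the build is done, the thing to confirm is that the SAPI actually serving requests loaded the extension and that the directives you care about are in effect, since the CLI and Apache may read different php.ini files. The following is an added check script, not part of this page or of the Suhosin project; the directive names are taken from the Suhosin 0.9.x documentation and are an assumption about the version you built, so trim the list to what your build reports:

```php
<?php
// check-suhosin.php: confirm that this SAPI has Suhosin loaded and that the hardening
// directives we rely on are in effect. Run it from the CLI (php check-suhosin.php) AND
// through Apache, since each SAPI may read a different php.ini.

/**
 * Returns ['loaded' => bool, 'version' => ?string, 'problems' => string[]].
 * $expected maps directive => desired boolean.
 */
function suhosin_report(array $expected): array
{
    $report = ['loaded' => extension_loaded('suhosin'), 'version' => null, 'problems' => []];
    if (!$report['loaded']) {
        $report['problems'][] = 'suhosin extension is not loaded in this SAPI (' . PHP_SAPI . ')';
        return $report;
    }
    $report['version'] = phpversion('suhosin') ?: null;

    foreach ($expected as $directive => $want) {
        $raw = ini_get($directive);
        if ($raw === false) {                       // directive unknown to this build
            $report['problems'][] = "$directive: not a known directive in this Suhosin build";
            continue;
        }
        // php.ini stores On/Off as "1"/""; filter_var understands both that and literal on/off.
        $have = filter_var($raw, FILTER_VALIDATE_BOOLEAN);
        if ($have !== $want) {
            $report['problems'][] = sprintf('%s: is %s, expected %s', $directive,
                $have ? 'On' : 'Off', $want ? 'On' : 'Off');
        }
    }
    return $report;
}

// Assumed directive names (Suhosin 0.9.x); adjust to your version.
$expected = [
    'suhosin.executor.disable_eval' => true,   // refuse eval() outright
    'suhosin.session.encrypt'       => true,   // session data stored encrypted
    'suhosin.cookie.encrypt'        => true,   // cookie values encrypted
    'suhosin.simulation'            => false,  // simulation mode only logs, it blocks nothing
];

$r = suhosin_report($expected);
printf("Suhosin %s in SAPI %s\n",
    $r['loaded'] ? 'loaded, version ' . ($r['version'] ?? '?') : 'NOT loaded', PHP_SAPI);
foreach ($r['problems'] as $p) {
    echo "  ! $p\n";
}
exit($r['problems'] ? 1 : 0);
```

The non-zero exit code makes it usable from a deployment script; the one gotcha worth remembering is suhosin.simulation, which leaves every check in place but turns them into log lines, so a server that reports "loaded" can still be enforcing nothing.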

Securing Your Server and Web Applications

There is no shortage of bad, incomplete, and outdated information on the Internet and in print. And if that was not bad enough, there is also the problem of information overload.

Here are a few resources that can get you up to speed…

  • Chapter 3: PHP from book “Apache Security”, by Ivan Ristic [of mod_security fame].
    A good overview of some security issues with PHP. Most of the measures described are most useful in a hosting environment.
  • Center for Internet Security (CIS) Benchmarks for the Apache Web Server.

    CIS is the only distributor of consensus best practice standards for security configuration. The Benchmarks are widely accepted by U.S. government agencies for FISMA compliance, and by auditors for compliance with the ISO standard as well as GLB, SOx, HIPAA, FERPA and the other regulatory requirements for information security.

    I recommend CIS Level-1 security for the Apache Web-Server. A number of the steps are OS-independent, and have been implemented under the Web-Developer Server Suite.

  • The OWASP Guide to Building Secure Web Applications

    The Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure web applications.

  • Web Application Security Consortium
  • SANS Information and Computer Security Resources [with emphasis on the Reading Room]

Googlebot Likes 404s

I’ve been playing around with the Google Webmaster Tools and have noticed one thing in the site verification process that is not present on the Diagnostics/Crawl Errors tab…

Last attempt [date]: We’ve detected that your 404 (file not found) error page returns a status of 200 (Success) in the header.

Google will be unable to verify your site [for this service] if it is set up so that all URLs that do not exist redirect back to the main page. But more importantly, from the look of things, this also seems to result in a penalty and/or keep your site out of the Google index.

DynamicSide.NET was like that, and Enotarize.com was even worse, not redirecting back, but rather just displaying the main page on any and all URLs [what can I say, it’s a very simple site, pre-beta].

And I was wondering why I have not been seeing much traffic on those two from Google search.

With DynamicSide.NET, there seemed to be some type of a penalty [nothing under the webmaster tools, but I have a feeling something is going on]. And with Enotarize.com, it looked like it was not being indexed at all, for some time. I’m sure that also had/has an effect on DeveloperSide.NET, as I’m linking back to both sites.

On another note, content that did exist on your site at one point but has since been removed should return HTTP status 410 (Gone) rather than 404 (Not Found). A 404 says only that nothing is there right now; a 410 tells the crawler the removal is permanent, so it can drop the URL instead of retrying it.

And what about a situation where content has moved URLs, yet there is no simple way for you to redirect… A good example of this situation is under our Forums, with the switch from phpBB to SMF. They have incompatible ways of associating URLs with posts and topics. Right now I’m just redirecting everything that hits the old phpBB ‘viewtopic.php’ URLs to the main forum URL. Perhaps I should be using a ‘303’ “see-other” code…

Status Code Definitions
Webmaster Guidelines
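
Here is what a replacement for the old phpBB viewtopic.php could look like, as an added example (not the site’s actual code, and not part of phpBB or SMF): a 301 to the new SMF topic when a mapping exists, a 410 for topics that were removed on purpose, and a real 404 for everything else. The topic-id mapping, the gone list and the SMF base URL are constructed sample values; a real migration would load the mapping from the converter’s output:

```php
<?php
// viewtopic.php: stand-in for the old phpBB script after the move to SMF.
// 301 for topics with a known new URL, 410 for topics deliberately removed,
// and a real 404 (status line and all) for anything else, never a 200 with the home page.

// Constructed sample mapping: old phpBB topic id => new SMF topic id.
$topic_map = [
    17  => 42,
    23  => 58,
    101 => 7,
];
// Old topic ids that were deleted on purpose (constructed sample).
$gone = [5 => true, 99 => true];

// Assumed SMF location; SMF addresses topics as index.php?topic=<id>.<start>.
$smf_base = 'https://www.example.com/forums/index.php?topic=';

/** Decide the response without sending anything, so the logic can be exercised in isolation. */
function resolve(array $params, array $topic_map, array $gone, string $smf_base): array
{
    // phpBB used ?t=<topic id>; reject anything that is not a positive integer.
    $t = filter_var($params['t'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($t === false) {
        return [404, null];
    }
    if (isset($topic_map[$t])) {
        return [301, $smf_base . $topic_map[$t] . '.0'];
    }
    if (isset($gone[$t])) {
        return [410, null];
    }
    return [404, null];
}

function send_status(int $code, string $reason): void
{
    $proto = $_SERVER['SERVER_PROTOCOL'] ?? 'HTTP/1.0';
    header("$proto $code $reason", true, $code);   // must go out before any body
}

[$status, $location] = resolve($_GET, $topic_map, $gone, $smf_base);
switch ($status) {
    case 301:
        send_status(301, 'Moved Permanently');
        header('Location: ' . $location);          // absolute URL to the new, fixed address
        exit;
    case 410:
        send_status(410, 'Gone');
        echo 'This topic has been removed.';
        exit;
    default:
        send_status(404, 'Not Found');
        echo 'No such topic.';
        exit;
}
```

The status line is sent with header() before any output, which is exactly the part a "200 with the home page" setup gets wrong. For content that has a fixed new address, 301 is the code crawlers treat as "replace the old URL with this one"; 303 is defined for sending a client on to another URL with GET (typically after a POST) and carries no "permanent" meaning, so a search engine has no reason to update its index from it. Old post links (?p=) would need a second mapping of the same shape.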

Let’s Start a VPS/VDS WAMP Hosting Service

I’ve got an idea: let’s start a VPS/VDS WAMP [Windows, Apache, MySQL, PHP] Hosting Service, using Windows Server 2003 as the guest OS.

First, we will need a dual-CPU setup with the Intel VT or AMD-V architecture extensions, lots of RAM, and SCSI drives under RAID, as you really do need two CPUs to run these solutions.

The top two choices for a Virtualization Solution (aside from VMware) that supports Windows as a guest OS are…

  • Virtuozzo
    A true VPS solution with operating-system-level virtualization. Provides multiple Virtual Environments (VEs) that share one kernel. Lowest-overhead, fastest-performing solution. Can probably manage 100 Linux-based VE/VPS instances on a server, three times the number other solutions handle.

    Cost is an issue… $1000 per socket [physical CPU]

    You will need to license their management tools. Good luck trying to figure out what you do need, and the difference between these two [I think the latter is a web-based interface to the former?]…

    Management Console VZMC (GUI based)
    Single Server License $200 per seat.
    Unlimited server license $1000 per seat

    Control Center VZCC (web-based management)
    Single Server License $300 per seat

    Support will also run you $400+.

    The end-user will need the Virtuozzo Power Panel (VZPP).

  • XenServer
    A paravirtualization solution that has the industry’s support and backing. The guest OS is modified [or the CPU extensions mentioned above are used] so that it cooperates in the virtualization process.

    Cost, for 2 sockets, per year…
    XenServer $99 [licensed to run 8 virtual machines on each system]
    XenEnterprise $488 [has no limit, maybe could handle 30 linux-based VPS instances]

    A number of third-party tools are available.

Let’s note that the above products can handle only a half to a third as many Windows-based instances [just a guess on my part].

Let’s look into the licensing costs/issues of a setup like this…

Virtual Machine Technology FAQ

Each copy of Microsoft Windows Server, whether used as the OS for a virtual machine (“guest OS”) or as the OS for the server (“host OS”), must be separately licensed. For example, if a user is running Windows Server 2003 Enterprise Edition as a host OS on a server and creates two virtual machines, each with its own copy of Windows 2000 Server (each a guest OS), the user would require one Windows Server 2003 Enterprise Edition license and two Windows 2000 Server licenses.

Licensing does not depend on which virtualization technology is used. With a license for Windows Server 2003 R2, Enterprise Edition, you can run one instance of the software in a physical operating system environment and up to four instances in virtual operating system environments.

The MSRP on Windows Server 2003 R2 is $999 for the Standard Edition, and $3999 for the Enterprise Edition. So for 1 host and 40 max win32 guests, that would cost us $25,000 (~60% of retail). There is one problem with this… Microsoft can’t make up its mind on whether the License ties into the device or the end-user, and who exactly the licensee is. In this VH context, this might break a few clauses.

Luckily, Microsoft does have the Service Provider License Agreement (SPLA), which would allow us to lease the OS on a month-to-month basis for hosting. It’s pay as you go, so if we only have 1 customer, we are paying for 1 license and for 1 month. While I cannot locate a pricing list, it is my understanding that the cost is usually about 3% of the perpetual price (retail, or average?).

Lets add another $5000 for the cost of renting the server and another $5000 that Virtuozzo will extort in licensing fees (for 40 users) [both for one year].

At this point, assuming 12 months and 40 accounts, we are in for $25,000. To break even, we would have to charge $50 per month, which is still about $20 more than what you could charge for a Linux VPS. And at those prices we would be working for free. For one person to do this and make a living, well, you would need lots of paying customers and a farm of servers. Hosting is a cutthroat business.

More info on the subject…

There are also other noteworthy solutions like VMware (full virtualization) and Virtual Iron (based on Xen, except with Native Virtualization).

VMware has some really great things going for it, like ease of use, and their appliance initiative.

Spry seems to offer a dedicated server with Virtuozzo already setup, with 100 VE/VPS licenses — Linux as host/guest OS.

DynamicSide.NET Now Accepting DNS Records

Dynamic DNS at DynamicSide.NET

I’ve put up a working Dynamic DNS solution. Record update is immediate, though your ISP’s, system’s or browser’s DNS cache might make you wait 10-15 minutes [a cache keeps the old record until its TTL expires].

Mail and Web-Forwarding functionality have been temporarily disabled. But the dynamic dns part is good to go…

Create an account, and try it out.

*.dynside.net sub-domains are out for the time being — as I deal with our new DNS situation… but if you have a registered domain name, and can point it with your registrar to nameservers ns1.dynside.net and ns2.dynside.net, you are good to go.

I’m going to have to lose the host’s nameserver entries for dynside.net, and just do my own authoritative DNS entirely. Not the best situation, but it’s the only way I can give away sub-domains without entering a wildcard record with Linode DNS and delegating all unknown hosts back to me [their system will not accept a ‘*’ type of record].

I think I can get that up tomorrow.

Update 01/28/07
DNS for dynside.net sub-domains has been enabled.

Serious DNS Issues With Linode

Today, when I got out of bed, and started up my system, zero of our hosted domains at Linode were resolving.

Tracking down the problem, I realized that while I could resolve the Linode.com nameservers [ns1.linode.com and ns2.linode.com] and ping their IPs, I could not get an answer to any record queries… Everything was dead in the water… Same effect as pulling the plug on the server.

I filled out a support ticket, and went to the Linode IRC channel. I showed that ‘dig @ns1.linode.com devside.net’ was not returning anything, while the NS server IP’s were reachable. Pretty quickly someone was working on it, and got it resolved.

I left the house for a few hours, only to come back to the same exact issue. Again, went to the IRC channel, notifying whoever was listening that the Linode nameservers were not responding to queries…

A very odd experience was about to follow that moment, a defining moment, a moment that separates your life into before, and after that moment…

No one seemed to know that the nameservers were freaking out, not answering queries for hours, maybe days at a time, for god only knows how long, maybe for the last two months? Hosted domains were not being resolved, nor did the users seem to care about that fact.

I asked something about the DNS issue, I don’t remember what. Suddenly, the users on the channel turned on me like a pack of hungry wolves. To them I was crazy, that I was demanding a solid DNS service, that no one provides authoritative DNS servers, and I must have been born with a silver spoon in my mouth for demanding some type of a $1200/month Rackspace managed account service. They informed me that I should just go get a ZoneEdit account and run DeveloperSide.NET off it. That the DNS service from Linode.com is beta and I should be grateful it even exists [never did I notice any beta labels]. I thought to myself, what’s next, when will I wake up from this dream? Could the provided server IPs also be dynamic? Have I just moved DeveloperSide.NET to someone’s garage?

At that point, it really hit the fan; they started to come out of the woodwork from every direction. I was informed that there is no difference between an ISP/host’s NS servers and something you run yourself locally. I told them that many differences exist, the simplest one being the ping time to the server’s IP. Here is an example…
ping ns1.linode.com Average = 34ms
ping ns1.dynside.net Average = 247ms
[ns1.dynside.net is at 90ms this time around — still 3 times the wait with all the uncertainty]
I was told that I have a serious misunderstanding of how DNS works. You can’t ping a nameserver, it does not answer to ICMP resource record queries.
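
The check that settles the ping-versus-query argument is to send each nameserver an actual DNS query and see whether it answers. Below is an added PHP probe (not the author’s tooling, and nothing from Linode): it builds a minimal A query by hand, sends it over UDP with a timeout, and inspects only the reply header. A matching ID with the QR bit set means the resolver process answered; the AA flag and RCODE then show whether that server actually has the zone loaded, which is the second failure described further down. The nameserver names and the zone are the ones mentioned in this post; the two-second timeout is an assumption:

```php
<?php
// nsprobe.php: ask each nameserver a real question instead of pinging it.
// An ICMP echo only proves the host is up; a DNS reply carrying our ID with QR=1
// proves the nameserver is answering, and AA/RCODE show whether it serves the zone.

function build_query(string $name, int $id, int $qtype = 1 /* A */): string
{
    $header = pack('nnnnnn', $id, 0x0100, 1, 0, 0, 0); // flags: RD; QDCOUNT=1
    $qname  = '';
    foreach (explode('.', rtrim($name, '.')) as $label) {
        if ($label === '' || strlen($label) > 63) {
            throw new InvalidArgumentException("bad label in $name");
        }
        $qname .= chr(strlen($label)) . $label;
    }
    return $header . $qname . "\0" . pack('nn', $qtype, 1 /* IN */);
}

function parse_header(string $resp): ?array
{
    if (strlen($resp) < 12) {
        return null;
    }
    $h = unpack('nid/nflags/nqd/nan/nns/nar', $resp);
    return [
        'id'      => $h['id'],
        'qr'      => ($h['flags'] >> 15) & 1,
        'aa'      => ($h['flags'] >> 10) & 1,
        'rcode'   => $h['flags'] & 0x0F,
        'answers' => $h['an'],
    ];
}

function probe(string $ns_ip, string $name, float $timeout = 2.0): array
{
    $id    = random_int(0, 0xFFFF);
    $start = microtime(true);
    $sock  = @stream_socket_client("udp://$ns_ip:53", $errno, $errstr, $timeout);
    if ($sock === false) {
        return ['ok' => false, 'why' => "socket: $errstr"];
    }
    $sec = (int) floor($timeout);
    stream_set_timeout($sock, $sec, (int) (($timeout - $sec) * 1000000));
    fwrite($sock, build_query($name, $id));
    $resp = fread($sock, 512);          // classic UDP DNS size; plenty for the header
    fclose($sock);
    $ms = (int) round((microtime(true) - $start) * 1000);

    if ($resp === false || $resp === '') {
        return ['ok' => false, 'why' => "no reply within {$timeout}s", 'ms' => $ms];
    }
    $h = parse_header($resp);
    if ($h === null || $h['id'] !== $id || $h['qr'] !== 1) {
        return ['ok' => false, 'why' => 'reply malformed or ID mismatch', 'ms' => $ms];
    }
    return ['ok' => true, 'ms' => $ms] + $h;
}

$rcodes      = [0 => 'NOERROR', 1 => 'FORMERR', 2 => 'SERVFAIL', 3 => 'NXDOMAIN', 5 => 'REFUSED'];
$zone        = 'devside.net';
$nameservers = ['ns1.linode.com', 'ns2.linode.com', 'ns1.dynside.net', 'ns2.dynside.net'];

foreach ($nameservers as $ns) {
    $ip = gethostbyname($ns);           // system resolver is fine here; the NS names did resolve
    if ($ip === $ns) {
        echo "$ns: cannot resolve nameserver name\n";
        continue;
    }
    $r = probe($ip, $zone);
    if (!$r['ok']) {
        printf("%-16s %-15s DEAD     %s\n", $ns, $ip, $r['why']);
    } else {
        printf("%-16s %-15s %-8s aa=%d answers=%d %dms\n", $ns, $ip,
            $rcodes[$r['rcode']] ?? "RCODE{$r['rcode']}", $r['aa'], $r['answers'], $r['ms']);
    }
}
```

Read the output as three cases: DEAD is what this post’s outage looked like (host pings, nameserver silent); NOERROR with aa=1 is healthy; NOERROR with aa=0, REFUSED or SERVFAIL means the server is alive but does not have the zone, which is the "zone would not get loaded" failure.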

Battling the mob, I managed to get through to someone at Linode who went to work on the problem, again. It was fixed [something to do with Nagios taking up too many resources and the ‘oom killer’], but not before another problem occurred. This time, the devside.net zone would not get loaded to the nameservers. Some type of timing issue. Resolved after some time.

Not being able to rely on a host’s nameservers (with that notion being ludicrous IMHO), I’ve updated the list of nameservers with my domain registrar and have added ns1/ns2.dynside.net to the list. I have no idea how long DeveloperSide.NET has been down.

On top of all that, I’m still getting old cached dns data from some nameservers that still have it at ev1server.net. What a mess.

All in all, I cannot recommend Linode.com as a VPS provider at this time. As it turns out, their nameserver service _is_ beta and has only been implemented for a few months. To me, that just makes no sense whatsoever, for a VPS provider that has been in business for a while. I’m going to stick around, see what happens. But any more problems like this, and I’m gone.

Update:

It has been 4 months since the original post. Linode has been good ever since. A few hiccups here and there, but overall I have not had any major issues. Not bad for $20/month. And I was pleasantly surprised, when checking my account a few days ago, that it has been upgraded from 128MB to 256MB… Though I will need to backup and reboot before I get to allocate the extra ram.