Archive for the ‘Work’ Category

Cool Web-based Software- eXtplorer

Tuesday, February 22nd, 2011

Your server has fast Internet access and hundreds of gigabytes of free storage. Why not use that storage and high-speed connection to store files, and share them with other users?

If you need to share files with other users on the Internet, or to access files remotely with ease, eXtplorer is a good piece of web-based software for the purpose. Featuring modern JavaScript-based menus and a sleek PHP backend, eXtplorer is fast becoming my favorite way to access files remotely. Sure, I could use SFTP to store files on a server, but what happens when you need to access files on your server from someone else’s computer? You could always download a standalone SFTP client, but that’s such a hassle, and eXtplorer is easily accessed from any web browser.

This weekend, I was doing some research into a way to offer offsite Linux server backup solutions to my clients. While doing my research, I stumbled upon eXtplorer. At first, I was skeptical. I’ve looked at easily a dozen Open Source file managers. After using eXtplorer over the course of several weeks, I found that the software was sleek, functional, and easy to use. Needless to say, I was impressed.

eXtplorer File List

eXtplorer's list of files in the current directory

As you can see, eXtplorer features a clean user interface, with friendly graphics. It’s intuitive to use, and has very few disadvantages.

eXtplorer Right Click Menu

eXtplorer's Sleek Right Click Menu

I was also impressed by eXtplorer’s sleek right-click menu, which works in Opera, Firefox, and Internet Explorer. The menu is JavaScript-based, and seemed to be bug-free.

Viewing file contents, with eXtplorer

eXtplorer's "View File Contents" feature can even display images.

If you need to, you can even view the contents of a file, via the “View File Contents” feature. This feature supports images, as well as text documents.

One disadvantage of eXtplorer is that it requires a few modifications before it can be used securely in a multi-user environment. In its default configuration, eXtplorer allows the creation of symlinks, which can point outside the location a user’s profile is confined to. This means that a user can view files outside his or her path, which would normally be considered an information disclosure vulnerability. In addition, an “About…” dialog lets a user view the output of PHP’s phpinfo() function, which tells a possible malicious user a lot about the system! eXtplorer also supports connecting to remote FTP sites, which could also present a security risk. However, all of these features are easy enough to disable.

eXtplorer Disable Symlinks and About

eXtplorer with symlinks disabled

As you can see, both the “New file” feature and the “About…” feature have been disabled. This is necessary to prevent the creation of symlinks, and the disclosure of system settings via the “About…” page.

In summary, eXtplorer is definitely worth looking into if you need a way to share or host files over the Internet. If you don’t want to use FTP, and are in search of a web-based file manager, eXtplorer is easily the best choice among Open Source web-based file managers. Its few security issues are easily fixed, and readily documented. In my next blog post, I will specify the exact changes necessary to disable symlinks, disable the About page, and disable remote FTP access.

Benchmarking Nginx and Apache Performance

Tuesday, February 15th, 2011

Last week, I covered basic Apache and Nginx performance details, and my general observations. Without any further delay, I will now cover the technical details of the benchmark, and the exact benchmark numbers.

The test server used in this benchmark was running Debian GNU/Linux 5.0.8. The version of Apache used was 2.2.9, and the version of Nginx was 0.6.32. The server is equipped with a RAID-0 array benchmarking at 118 MB/sec, and 1.5 GB of RAM. The processor used in the benchmark was a dual-core Pentium 4 at 3.0 GHz.

The main benchmarking software used was Siege, version 2.66. Testing was done over a gigabit LAN connection. PmWiki was the PHP application used as the benchmark page, and MySQL support was disabled (to strictly test PHP web application performance). In addition, all non-essential Apache modules were disabled (mod_ssl, mod_security, etc.).

The benchmark was performed a total of 3 times for each amount of concurrent users. As the server’s CPU temperature reached abnormal levels, testing was temporarily paused. Once CPU temperatures reached normal operating levels, testing resumed.

The raw benchmark data is available here: Nginx/Apache Benchmark Data.

The benchmark data presents one conclusion: that Nginx handles high traffic conditions better than Apache, and continues to handle high server loads as the loads increase. Apache’s failed transactions increase exponentially with the number of concurrent users, whereas Nginx’s failed transactions increase linearly with the number of concurrent users. In addition, Apache failed to respond several times during the benchmark, and required a manual restart of the Apache service. Nginx recovered from high traffic loads gracefully, and did not require a restart of the Nginx service after benchmarking.

One reason that Nginx handles high server loads better than Apache is that its PHP support is handled through php-fpm. There are rumors of Nginx supporting PHP in future builds (perhaps similarly to the way that Apache does, via a module). If those rumors are true, Nginx may behave similarly to Apache in regards to PHP performance. Currently, php-fpm runs PHP as a dedicated service, as opposed to Apache’s way of invoking PHP at every request.

In any event, this benchmark shouldn’t be taken as a recommendation of Nginx over Apache. Each web server software solution has its advantages and disadvantages, and those should be carefully considered before the selection of a web server. However, if performance under high amounts of traffic is what you need, look no further than Nginx!

Apache vs. Nginx Web Server Performance

Monday, February 7th, 2011

Running a web server isn’t necessarily as easy as it used to be. With more and more high speed users requesting resources from our web servers, web server performance is becoming an important focus with web entrepreneurs. With resources such as social networks, unexpected high server loads can be generated by a single user sharing a link to your web server. DoS attacks can also play a large role in bringing your server down from a high volume of requests, often without warning. If you’ve never had a high volume traffic spike before, it is only a matter of time before you do.

With today’s dynamic websites, web server performance plays a large role in handling an unexpected traffic spike. Although dynamic pages don’t seem to take longer to load on a web server than a static page, heavy server loads (more than 20 concurrent users) result in exponentially long delays in a web server’s response time.

Nginx (pronounced ENGINE-X) is a relatively new web server that is highly praised for its performance under high server loads. Although competitor web server software such as Apache offers more features, Nginx is designed primarily with web server performance in mind. Nginx currently has a 6.62% market share in the busiest sites on the Internet, as referenced by Netcraft’s December 2010 Web Server Survey. Nginx’s market share might seem small, but in the highest traffic sites, changes in server software don’t happen overnight.

http://news.netcraft.com/archives/2010/12/01/december-2010-web-server-survey.html

With Nginx’s rising market share, we have to wonder what the performance advantage of switching to Nginx over Apache is. The only real way to show Nginx’s performance advantage is to compare it with a popular web server software solution, such as Apache. According to Netcraft, Apache currently holds the highest market share of web servers.

Pmwiki was used to benchmark Apache and Nginx performance

When I recently benchmarked Apache and Nginx performance, there were several trends that I noticed. Rather than post the hits/second, CPU load, and page render times, I’ve decided instead to post the trends that I noticed while performing this benchmark.  Next week, I will post the exact benchmark scores of each server application, as well as my conclusion.  Here were my observations on the way Nginx and Apache responded to a high amount of concurrent users:

  • Apache and Nginx begin to show noticeable performance loss at around 25-35 concurrent users, averaging around 420 transactions per minute. These are, by far, not normal traffic loads. Bear these numbers in mind when comparing Apache and Nginx performance: under the conditions of the test that I performed, traffic was non-typical.
  • Once failed transactions begin to occur (Apache’s failure point was at around 55-60 concurrent users, Nginx at 180 concurrent users), Apache’s failure rate at higher concurrent users was exponentially higher, whereas Nginx’s failure rate was linearly higher. When Apache was tested with 200 concurrent users, the failure rate was 24%. When Apache was then tested with 220 users, the failure rate grew to 48%. When Nginx was tested with 200 users, the failure rate was 5%. Nginx’s failure rate finally reached 20% at 280 concurrent users.
  • At a high number of concurrent users (200), transactions per second were at 7 for Nginx, and 4 for Apache. At 280 concurrent users, Apache’s transactions per second dropped to a mere 1.66 transactions per second. What this means is that Apache took longer to successfully complete a transaction, at an exponentially larger rate. Nginx’s transactions per second was still at 7.18 transactions per second, at 280 concurrent users.
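
As an added example that is not part of the original posts, the following Python parses the summary block Siege prints after each run and compares how each server's failure rate grows with concurrency, which is the trend these two posts describe. The summary blocks below are constructed to echo the figures quoted in the posts (not the linked raw data), and the "accelerating" test is a plain slope comparison of my own, not something Siege reports.

```python
"""Parse Siege summary blocks and compare failure-rate growth across concurrency levels."""
import re
from typing import Dict, List, Tuple

# Constructed Siege 2.x summary blocks keyed by (server, concurrent users).
# The numbers echo the figures quoted in the posts; they are not the raw data file.
SAMPLE_RUNS: Dict[Tuple[str, int], str] = {
    ("apache", 57): """\
Transactions:                    2000 hits
Availability:                  100.00 %
Transaction rate:               23.00 trans/sec
Successful transactions:        2000
Failed transactions:               0
""",
    ("apache", 200): """\
Transactions:                    1520 hits
Availability:                   76.00 %
Transaction rate:                4.00 trans/sec
Successful transactions:        1520
Failed transactions:             480
""",
    ("apache", 220): """\
Transactions:                    1040 hits
Availability:                   52.00 %
Transaction rate:                2.60 trans/sec
Successful transactions:        1040
Failed transactions:             960
""",
    ("nginx", 180): """\
Transactions:                    2000 hits
Availability:                  100.00 %
Transaction rate:                7.50 trans/sec
Successful transactions:        2000
Failed transactions:               0
""",
    ("nginx", 200): """\
Transactions:                    1900 hits
Availability:                   95.00 %
Transaction rate:                7.00 trans/sec
Successful transactions:        1900
Failed transactions:             100
""",
    ("nginx", 280): """\
Transactions:                    1600 hits
Availability:                   80.00 %
Transaction rate:                7.18 trans/sec
Successful transactions:        1600
Failed transactions:             400
""",
}

# One "Name:   value unit" line of the summary; the unit (hits, %, trans/sec) is optional.
_METRIC = re.compile(r"^(?P<name>[A-Za-z ]+):\s+(?P<value>\d+(?:\.\d+)?)\s*\S*\s*$", re.M)


def parse_siege_summary(text: str) -> Dict[str, float]:
    """Turn a Siege summary block into {"transactions": 2000.0, "availability": 100.0, ...}."""
    metrics = {m.group("name").strip().lower(): float(m.group("value"))
               for m in _METRIC.finditer(text)}
    if "successful transactions" not in metrics or "failed transactions" not in metrics:
        raise ValueError("not a Siege summary: transaction counts missing")
    return metrics


def failure_rate(metrics: Dict[str, float]) -> float:
    """Share of attempted transactions that failed (0.0 .. 1.0)."""
    total = metrics["successful transactions"] + metrics["failed transactions"]
    return metrics["failed transactions"] / total if total else 0.0


def failure_curve(server: str, runs=SAMPLE_RUNS) -> List[Tuple[int, float]]:
    """(concurrent users, failure rate) points for one server, sorted by load."""
    return sorted((users, failure_rate(parse_siege_summary(block)))
                  for (name, users), block in runs.items() if name == server)


def classify_growth(points: List[Tuple[int, float]]) -> str:
    """'accelerating' if every interval's failures-per-added-user exceeds the previous
    interval's by more than 10 % (convex, Apache-like); otherwise 'linear-or-flattening'."""
    if len(points) < 3:
        raise ValueError("need at least three concurrency levels")
    slopes = [(r2 - r1) / (u2 - u1) for (u1, r1), (u2, r2) in zip(points, points[1:])]
    if all(later > earlier * 1.1 for earlier, later in zip(slopes, slopes[1:])):
        return "accelerating"
    return "linear-or-flattening"


if __name__ == "__main__":
    for server in ("apache", "nginx"):
        curve = failure_curve(server)
        print(f"{server}: {classify_growth(curve)}")
        for users, rate in curve:
            print(f"  {users:>4} users -> {rate:6.1%} failed")
```

To apply it to your own runs, capture Siege's stderr summary per concurrency level into the dictionary in place of the constructed blocks.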

Next week, I will post the exact benchmark numbers, test conditions, and my conclusion on the test.

Top 10 Technology Tips for Web Entrepreneurs- Tips 6-10

Monday, August 16th, 2010

This post is a continuation of my previous blog post, Top 10 Technology Tips for Web Entrepreneurs.  In this last section, I will cover mainly tips useful for web entrepreneurs doing project management work.

6.) If you outsource technology staff, hire competent workers, and retain them.

The most expensive part (in terms of both time and money) of outsourcing a part of your technology infrastructure is the process of finding and selecting a talented professional. Once you have selected the professional that will be working on your technology infrastructure (be it your server, or your website), make sure that you retain that individual. If you select a new coder every time your web application needs a bug fix or feature added, for instance, the underlying code will have become so cobbled together that it will take increasing amounts of time for a coder to understand how it works. Even the most talented coders all write code a little differently. These differences (without a dedicated code cleanup project) tend to add up over time, and can result in unexpected bugs. If budget is an issue, you can save quite a bit of money by working with the coder directly (outside of a freelance bidding website), although you should only do this for coders that you trust.

7.) Never pre-pay, or release funds on a project early, unless you absolutely trust the freelancer.

I’m surprised how much I’ve seen this situation come up: a client will pre-pay for some coding work, and never hear from the coder again. Another situation that I’ve seen happen frequently is that a coder will get 50% of a website or software application completed, get paid 50% of the project budget, and then will never complete the software application! This is simple: before you pay a freelancer, make sure that the project is 100% completed to your specifications. Don’t forget the documentation, either!

8.) Don’t rush a deadline, or deploy a software application too early.

We’ve all been tempted to rush a deadline on a project. Let’s face it- sometimes projects get delayed for reasons outside of our control. Sometimes, we’d like to go ahead and deploy a software application or website early, and “fix the bugs later”. This causes two main issues- first that your clients and users will see these bugs (and then might go to your competition in disgust, or at the very least have a negative experience with that application), and secondly that “later” may not ever come. As you have other projects down the road, you may forget to fix the bugs or issues that were present in the first place! Simply put, it’s best for your image and brand name that you wait until applications or features are 100% ready before deployment. Your clients will thank you!

9.) Don’t spend 90% of a software application’s budget on the user interface; concentrate on core software features at first.

It’s surprising how many times I see beautiful user interfaces that don’t actually accomplish anything. Your users and clients won’t care if your graphics came from 1990, as long as the interface is intuitive, and serves a purpose. Concentrate on function over form, for the initial application. After you have developed core features (that are genuinely useful to your clients and users), then you can work on the user interface.

10.) Never underestimate the potential for SEO to increase your business dramatically.

Most of us are aware of the amount of business and traffic that search engines can bring your website. What not everyone is aware of is how much business you can gain from a well organized SEO campaign. I would estimate that, with my Linux consulting business, I gain approximately 2-3 clients per month from SEO. This may not seem like much to some people, but bear in mind that most (if not all) of my clients are “repeat customers”. This is from my limited SEO work, which I would estimate at 1 hour/month invested. Not too bad, if you ask me. The best part about SEO is that it isn’t industry specific (with regard to results), and practically every industry can greatly benefit from a well targeted SEO campaign.

I hope that these technology tips may have helped someone prevent a costly mistake, and that these blog posts have been a valuable resource for any web entrepreneurs looking for some additional tips and guidance.  If you have any further questions about outsourcing,  server maintenance, or choosing a web host, feel free to contact me.

Top 10 Technology Tips for Web Entrepreneurs

Monday, August 9th, 2010

As a freelance Linux consultant, I’ve worked with many clients who have both succeeded and struggled with their online business ideas. In doing so, I’ve noticed several trends that clients have when they struggle with their business ideas (related to technology, anyway). I’ve written this series of blog posts so that others may learn from these mistakes, and avoid making them. Here are 5 of the top 10 technology tips for web entrepreneurs:

1.) Choose your domain carefully, and make sure that it’s easy for others to remember, and type.

Your domain is the most crucial part of your online marketplace- make sure that others can easily remember and type it into their browser’s address bar. Picking a domain with excessive repeating characters (like waatches.com) is a recipe for disaster. Instead, if your first choice for a domain is already chosen, think of a creative way to get around the problem that others will remember (like discountwatches.com).

2.) Once you have your domain, change your business email address to match that domain.

Too many times, I’ve also seen business cards that had a Gmail, Hotmail, or Yahoo email address. This is not only unprofessional, but it makes clients doubt your dedication to your business. After all, email setup is cheap. If you must have a Gmail account, at least forward all mail from your domain to your Gmail account, and then set up Gmail to send mail using your domain.

3.) Take your time, and select a good web hosting provider.

As I mentioned in a related article, Choosing a Web Host, it is absolutely critical that your website is hosted on a reliable provider. Servers can be upgraded over time, but changing hosting providers is a long and expensive process (in downtime, lost sales due to poor network performance, and the costs of switching everything over to a new server). Sometimes the difference between a reputable and stable provider, and a poor one is a tiny difference in money. Make a wise decision the first time, and choose a good web hosting provider.

4.) Always have excellent documentation on your server, and the software that runs on it.

One of the most expensive and frustrating challenges can be if the coder designing software for your website doesn’t leave any documentation. This is not only limited to coders, but can also include Linux consultants, as well. Simply put, ask for documentation before you pay your coder or administrator. Don’t be rude about it, but instead just politely ask for documentation for the project that was completed. A professional freelancer will understand completely, and have no problem leaving you documentation. The documentation doesn’t have to be too detailed (for instance, a step-by-step explanation of all commands entered on your server would be excessive unless the freelancer was compensated extra), but your documentation should convey how the software solution operates, and where any configuration files are located.

5.) Invest in your technology infrastructure.

One of the biggest issues that I’ve seen is clients who treat their technology infrastructure as a one time expense. Instead, you should think of your technology infrastructure as a business investment. Common repeated expenses include server maintenance, as well as software updates and upgrades. Neglecting the maintenance of either your server, or the web applications running on it, is a certain recipe for disaster. For instance, a typical server maintenance program from a talented Linux consultant can cost as little as $40 per month, but it can help prevent much more costly issues (as well as prevent costly downtime).

Next week I will post the remaining tips that I have for web entrepreneurs, the conclusion of this two-part series.

The Importance of a Linux Server Security Audit

Tuesday, May 4th, 2010

A security audit is probably one of the least requested services that I perform, and for a good reason.  Truth be told, most of my clients don’t think about security when it comes to their Linux server.  After all, Linux is an extremely stable and secure Operating System.  Assuming that some sort of basic Linux server maintenance is being performed, the server should be safe from most types of root compromises.  However, server maintenance usually won’t protect your server from the more popular web application attacks.

A good security audit will test your server for:

  • XSS vulnerabilities
  • Operating System vulnerabilities
  • Weak user names and passwords
  • SQL Injection vulnerabilities
  • Server application vulnerabilities
  • Insecure configurations
  • Information disclosure vulnerabilities

Using advanced scanning tools, you can test for all of these potential vulnerabilities on your server. Tools such as nmap allow for advanced port scanning, and test the ability of an attacker to detect possibly sensitive information about your server. Tools such as Nikto scan a server for web application vulnerabilities, and reveal information disclosure vulnerabilities.

If you hire someone to run a security audit on your server, ask questions beforehand, such as what scanning suites will be used,  and ask for references.  Any professional should have quite a few references, and should be able to identify the scanners that will be used against your Linux server.  In addition, ask them if after hours scanning is available, so that your business is not adversely affected by these scans.

If you have any further questions about security audits for your Linux servers, please feel free to contact me.

New Article: Web Application Protection- Ways to Protect a Web Application from Hackers

Saturday, February 20th, 2010

I wrote a new article this weekend, titled Web Application Protection- Ways to Protect a Web Application from Hackers.  I wrote this article to help some of my clients, who have asked about the different methods available to prevent an attacker from successfully compromising a web application.  The methods recommended include setting up SSL to encrypt traffic, using mod_security, and using iptables to block netblocks or domains that would never use the web application (for instance .cn, .af, .lt, .ru, etc).  However, there are a few methods that I didn’t talk about:

Use .htaccess to further restrict requests to web directories

Using .htaccess files can be a great way to restrict access to a web application, or add a password authentication feature where such a feature does not exist (for instance, to protect a private wiki).  A nice benefit that .htaccess authentication gives us is the ability to authenticate against a MySQL or LDAP database.  Combined with SSLv3 encryption, .htaccess authentication can be very secure.

Snort-Inline

Although I did mention mod_security can be used to firewall the web application (if you are running Apache), another solution is to use Snort-Inline to secure your web application.  Although not for the faint of heart (it’s fairly easy to make a mistake when installing Snort-Inline, and lock yourself out of the server), Snort-Inline goes above and beyond what mod_security offers.  Acting as a Network Intrusion Prevention system, Snort-Inline doesn’t stop at just filtering web application attacks, but can also be extended to monitor practically every major server software solution.

Hopefully, these tips will have helped out both clients and readers alike- in today’s world of automated bot scans and worms, it is far too common that web applications are exploited.  Some of these measures will mean the difference between a successful compromise, and a harmless attempt.

Here is the article:
http://linuxconsultant.info/tutorials/web-application-protection-protect-a-web-application-from-hackers.html

The Importance of Linux Server Maintenance

Sunday, December 20th, 2009

We have all heard the saying, “an ounce of prevention is worth a pound of cure”. This is especially true when the topic of server maintenance comes up.

All too often, I have worked on Linux servers that were woefully out of date, or that didn’t have a backup plan in place. Sometimes a client’s initial problem could have been fixed more easily and cheaply just by following some routine maintenance tasks. At a minimum, here is a list of things that should be done monthly to maintain a Linux server:

  • Installation of Operating System updates
  • Examine all available system and daemon logs for irregularities
  • Confirm backup integrity
  • Check available system resources (and make plans to upgrade resources, when necessary)

These simple maintenance tasks can help prevent ugly surprises (no one likes those), and increase server uptime. In addition, the installation of Operating System updates helps keep your server secure (the second most common compromise method is through insecure software). Most of us know the security impacts of not installing security updates on our workstations, so why not carry over that mentality to your server?

Also, it wouldn’t hurt to occasionally check for updates on software which might not come from your Linux distributor (such as WordPress, phpBB, etc.). Too often, my clients will think that their site is secure, only to be surprised when an old exploit is used against their blogging or forum software.

The best part about regular server maintenance is that it isn’t really expensive when compared to the cost of fixing an out of date server. My own Linux server maintenance services start at just $25. The nice thing about the way that I have organized this offering is that it gives my clients choices as to the level of maintenance that is performed on their server monthly. Some of my clients prefer little more than Operating System updates, while others sleep better at night knowing that their server’s security has not been compromised. In addition, I also email my clients monthly reports, which let my clients know exactly what is going on with their servers. I have example reports available for the Basic, Advanced, and Premium maintenance plans.

Which plan you decide is best for your server is entirely your choice, but I’m a big fan of the advanced maintenance plan. It combines the most common (and important) maintenance tasks together, in a package price that’s easy to afford. The important thing to remember is that no matter who works on your server, it is maintained in a sensible and responsible manner. Nothing is worse than a disaster that could have been avoided with routine maintenance!

When Not to Outsource

Tuesday, October 13th, 2009

This weekend, I spent all day Saturday posting articles to websites, and getting backlinks for a client. The client wanted a fairly easy goal: 100 backlinks. However, the client didn’t want to pay an arm and a leg for these backlinks (honestly, who would). I admit that I briefly thought about outsourcing the work, and saving myself the time and effort of getting backlinks for this client’s website. After all, who wants to spend their Saturday in front of a computer, posting content to a website?

When I came up with this SEO plan for this client, I realized that it would be less effort and stress NOT to outsource the work. Yes, I would essentially be working for less than what I normally charge (I didn’t even want to think about what this paid per hour). Yes, this work is less than glamorous (really, who enjoys building backlinks?). However, if I would have outsourced this particular task, I would have spent many days going back and forth with the freelancer building backlinks (differences in time zones, and all of that). Plus, the client would have paid more money in the end (the amount that I quoted the client was the average outsourced price; I could have cut maybe 20% off of that by haggling, and then add in the costs for me to supervise and double-check the work of the freelancer).

Don’t get me wrong here, I’m not against outsourcing. Heck, a part of my business depends on it. When your budget isn’t too tight (here, the amount that I quoted the client was quite low), you can find freelancers that will be able to follow the specifications on work without much supervision. However, link building campaigns are horrible campaigns for finding talent (if you want it done cheap). As an example, I once had a freelancer who, upon “completion” of the SEO backlinking campaign, I discovered had linked his own blog instead of my client’s website (the freelancer was instructed to use three links per article, and the freelancer used 2 of those three links to promote the freelancer’s own blog). As another example, I had a freelancer work on a similar campaign a while back, and the freelancer did great work. Minimal supervision (always good) was required, and the individual understood the work to be done. The difference between these two outsourced projects was the price. The project that had a bad freelancer was a short and cheap project. Conversely, the project that had a higher budget and a longer deadline had the better freelancer.

The way that I see it, if I can get a particular task done in less than a day, sometimes it’s best not to outsource. I’m paying that price right now, where I’m waiting on a Perl programmer to email me a fix to his script (it’s been 5 days now). Outsourcing has its place, just not with the small and cheap projects.

For those who are wondering (this isn’t a service I advertise), I do often manage projects involving outside coders or freelancers. I’ve been involved with projects ranging from 30 line scripts, to large software deployments. My experience has told me that sometimes, it’s best not to outsource a particular project. Instead, roll up your sleeves, and get the job done yourself. It might not be fun, but neither is the hassle of outsourcing work!

Easy Alternatives to CAPTCHA

Tuesday, September 29th, 2009

If it’s one thing that I hate worse than spam, it’s CAPTCHA. We’ve all seen CAPTCHA images before; they look like a three year old scribbled some random letters on a piece of paper, and then spilled a can of paint in the middle of that paper. Somehow, we are supposed to be able to read these letters, and insert the correct characters in order to submit a form. Most of the time, the CAPTCHA level of noise, or amount of ink splotches and other material added to distort the letters, is so high that I can’t even tell if a character is even a member of the same alphabet that I use.

Perhaps the most damaging part of CAPTCHA is the assumption that you are up to no good. A website is placing an undue amount of stress upon you, for what? To enter a comment on a blog? To register for an email address? To send someone a message? I wonder how many potential customers and clients alike have been turned away from a website or vendor because of their CAPTCHA implementation. Personally, I’m afraid of it as well (on my contact form); that’s why I haven’t implemented it yet on that form.

However, alternatives to CAPTCHA are gaining ground. Acceptable alternatives, in my opinion, involve the least troublesome challenges to your website visitors or clients. Examples include:

  • Simple math questions (What is four plus three?)
  • Logic questions (when you freeze water, is it cold or hot?)
  • Requiring the user to select pictures of familiar animals (click on the kittens)

The problem that most opponents have with CAPTCHA alternatives is that they can be easily spoofed, if the script creator doesn’t add enough random challenges into the mix. Admittedly, if your form only contained the challenge, “Is ice cold or hot?”, you would be in some trouble shortly. However, you can always combine challenges, and with a set greater than 20 challenges, have a very formidable defense against spam bots, especially when you combine images with text. Consider the following challenge:

Is ice hot or cold? ________

Now, this challenge isn’t particularly difficult for most spam bots; you just need to rewrite some code. You could even allow it to guess, by inputting as the answers “is”, “ice”, “hot”, “or”, and “cold”, until you finally got the right answer. However, let’s take it a step further. Let’s do this:

CAPTCHA Alternatives (the same question, rendered as an image) _______

Now, we’ve got the same question, just inserted into our site as an image. Assuming that the image is randomly named, this is an excellent way of combining different CAPTCHA workarounds. Now, in order to defeat our form script, a bot writer will have to implement OCR technology into his script, and also implement a routine that submits every word in the challenge sentence, in order to try and fool our form script.

Now, let’s make things interesting. In our form script, let’s have a set of, say, 20 questions. These 20 questions are selected from a database (to make it a bit easier to add or remove questions), and we randomly pick our question from that database. We can go further than “Is ice hot or cold”, to include such questions as “What is the name of the planet that you live on?”. In this last example, the correct answer, earth, is not located anywhere in that question. Now, the person writing a bot to spam our form has to hand write each and every answer to every question.
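
As an added example (not code from the original post), the following Python implements the scheme described above: a server-side bank of plain-language questions, one picked at random per form render, an HMAC-signed token so the form carries neither the answer nor a forgeable question id, and a check that flags bank entries whose answer appears in their own wording, which is the word-by-word guessing the post describes. The question bank, its answers, and the token format are constructed for this example.

```python
"""Question-bank form challenge: random plain-language question, answer verified server-side."""
import hashlib
import hmac
import os
import secrets
import time
import unicodedata
from typing import List, Optional, Set, Tuple

# Per-process key for the challenge token (constructed for the example). A real
# deployment loads one shared secret from configuration so every worker verifies the same tokens.
SERVER_SECRET = os.urandom(32)

# Constructed question bank: (question shown to the visitor, accepted normalized answers).
QUESTION_BANK: List[Tuple[str, Set[str]]] = [
    ("Is ice hot or cold?", {"cold"}),
    ("What is the name of the planet that you live on?", {"earth"}),
    ("What is four plus three?", {"7", "seven"}),
    ("When you freeze water, is it hot or cold?", {"cold"}),
    ("How many legs does a dog have?", {"4", "four"}),
]


def normalize(answer: str) -> str:
    """Fold case, Unicode form, surrounding space and trailing punctuation
    so 'Earth.' and ' earth ' both compare equal to the stored answer."""
    text = unicodedata.normalize("NFKC", answer).casefold().strip()
    return " ".join(text.rstrip(".!?").split())


def _mac(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_challenge(index: Optional[int] = None, now: Optional[float] = None,
                    ttl: int = 600) -> Tuple[str, str]:
    """Pick a question and return (question text, opaque token for a hidden form field).

    The token carries only the bank index and an expiry, authenticated with an
    HMAC, so the form never contains the answer and the index cannot be altered.
    """
    if index is None:
        index = secrets.randbelow(len(QUESTION_BANK))
    expiry = int(time.time() if now is None else now) + ttl
    payload = f"{index}:{expiry}"
    return QUESTION_BANK[index][0], f"{payload}:{_mac(payload)}"


def verify_answer(token: str, answer: str, now: Optional[float] = None) -> bool:
    """True only for an untampered, unexpired token and an accepted answer."""
    try:
        index_s, expiry_s, mac = token.split(":")
        index, expiry = int(index_s), int(expiry_s)
        authentic = hmac.compare_digest(mac, _mac(f"{index}:{expiry}"))
    except (ValueError, TypeError):  # malformed token or non-ASCII tag
        return False
    if not authentic:
        return False
    if (time.time() if now is None else now) > expiry:
        return False
    if not 0 <= index < len(QUESTION_BANK):
        return False
    return normalize(answer) in QUESTION_BANK[index][1]


def answer_appears_in_question(question: str, answers: Set[str]) -> bool:
    """The post's weak case: a bot that submits every word of the question in
    turn would hit an accepted answer ('Is ice hot or cold?' -> 'cold')."""
    words = {normalize(word) for word in question.split()}
    return any(answer in words for answer in answers)


def weak_entries(bank=QUESTION_BANK) -> List[str]:
    """Questions in the bank whose answer can be read off their own wording."""
    return [question for question, answers in bank if answer_appears_in_question(question, answers)]


if __name__ == "__main__":
    question, token = issue_challenge()
    print("Form shows:", question, "| hidden token:", token)
    print("Entries a word-guessing bot could beat:", weak_entries())
```

Rendering the question as an image, as the post suggests, only changes how the question text is shown; the token and verification stay the same.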

We can stop this game at any time, but the bottom line is that with the proper amount of preparation, our form script can be harder to beat than CAPTCHA. Most importantly, it will not cost us ANY visitors, clients, or customers. The humans can still easily submit information to us using our form, and all of the spam bots won’t know what to do with our web form.

Now, the tricky part is just getting everyone else to switch over from CAPTCHA to one of these alternatives. Perhaps over time, these alternatives to CAPTCHA will gain in popularity. Only then will I finally be able to create an account on a website without pulling my hair out at a mixture of something from Picasso’s works and the modern alphabet.