Tag Archives: servers

What You Need to Know About the Heartbleed Bug

If you haven’t already heard, a major vulnerability in OpenSSL was disclosed recently. The Heartbleed Bug, which is as scary as it sounds, allows an attacker to read potentially sensitive information from a server’s memory by exploiting a flaw in OpenSSL’s implementation of the TLS heartbeat extension.

How it Works

SSL/TLS, the encryption protocol commonly used for securing traffic between web browsers and servers, has a feature called a “heartbeat.” Every now and then, an exchange like this happens between the client and the server:

Client: You still there? If so, send back “ALIVE,” which is five characters.

Server: ALIVE

If the heartbeat succeeds, the connection stays open. This keeps happening, over and over, with a different value being passed each time.

Now here’s what happens if someone exploits the Heartbleed bug:

Client: You still there? If so, send back “KITTEN,” which is 300 characters.

Server: KITTEN, and here’s a block of random memory from RAM!

In this manner, an attacker can get up to 64KB of data from the server’s memory every time a heartbeat is sent, thanks to a lack of validation of the length parameter: the server copies as many bytes as the client claims to have sent, not as many as it actually received. (So an attacker can just repeatedly make attempts.) Eventually, they’d get lucky and find something interesting, such as the private key behind the SSL certificate, or users’ passwords and data.
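To make the length problem concrete, here is an added example that is not from the original post and not OpenSSL’s code (which is C). It models a heartbeat record the way the TLS heartbeat extension lays it out: one type byte, a two-byte payload length, the payload, and at least 16 bytes of padding. The “memory” buffer, the placeholder secret placed next to the record, and both handler functions are constructed for illustration. The unchecked handler copies as many bytes as the client claimed; the checked handler applies the comparison the fix introduced and discards any message whose claimed size exceeds what actually arrived.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16   # a heartbeat message carries at least 16 bytes of padding after the payload


def build_heartbeat_request(payload: bytes, claimed_len: int) -> bytes:
    """Build a record: type(1) | payload_length(2, big-endian) | payload | padding.

    claimed_len is what the sender *says* the payload length is; an honest client
    passes len(payload)."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * MIN_PADDING)


def parse_response(resp: bytes):
    """Return (payload_length, payload) from a heartbeat response record."""
    (n,) = struct.unpack("!H", resp[1:3])
    return n, resp[3:3 + n]


def respond_unchecked(memory: bytes, rec_start: int, rec_len: int) -> bytes:
    """The vulnerable logic: read payload_length from the message and copy that many
    bytes, never comparing it with rec_len (the number of bytes actually received)."""
    p = rec_start
    (payload_len,) = struct.unpack("!H", memory[p + 1:p + 3])
    payload = memory[p + 3:p + 3 + payload_len]   # runs past the record into neighbouring memory
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len)
            + payload + b"\x00" * MIN_PADDING)


def respond_checked(memory: bytes, rec_start: int, rec_len: int):
    """The fix: silently discard the message if type + length + payload + padding
    would exceed the length of the record that was actually received."""
    p = rec_start
    if rec_len < 1 + 2 + MIN_PADDING:        # too short to hold even the header and padding
        return None
    (payload_len,) = struct.unpack("!H", memory[p + 1:p + 3])
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return None                           # claimed length does not fit in what arrived
    payload = memory[p + 3:p + 3 + payload_len]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len)
            + payload + b"\x00" * MIN_PADDING)


# Constructed stand-in for process memory: the received record sits right next to other data.
SECRET = b"-----BEGIN RSA PRIVATE KEY----- (constructed placeholder, not a real key)"


def simulate(payload: bytes, claimed_len: int):
    """Run both handlers over the same constructed memory layout and return their outputs."""
    record = build_heartbeat_request(payload, claimed_len)
    memory = record + SECRET + b"\x00" * 512
    return (respond_unchecked(memory, 0, len(record)),
            respond_checked(memory, 0, len(record)))


if __name__ == "__main__":
    leak, rejected = simulate(b"KITTEN", 300)
    n, data = parse_response(leak)
    print("unchecked handler returned", n, "bytes; secret leaked:", SECRET in data)
    print("checked handler returned", rejected)
```

With an honest request (“ALIVE”, claimed length 5) both handlers answer identically; with “KITTEN” and a claimed length of 300, the unchecked handler’s reply carries the placeholder secret that sat beyond the record, while the checked handler returns nothing at all, which is exactly the behaviour of the patched library.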

Exploiting this bug is trivial. (There were people posting scripts to test for the vulnerability minutes after it was announced. Just imagine how quickly malicious types got to work implementing exploits for the bug!) It’s also possible that someone knew about it months or even a couple of years ago, and has been exploiting it ever since. Bloomberg even suggests that the NSA has known about it for two years, and has been exploiting it rather than disclosing the problem.

Is it Fixed?

Yes! Your Linux distro should already have patched builds in its package repositories, so it’s just a simple matter of running a couple of commands to update your openssl and libssl1.0.0 packages, then restarting any services that depend on SSL, since a running process keeps using the old library until it is restarted. (Or just do a full reboot if you’re paranoid.) In the case of Ubuntu, you’d just do something like this to update the packages:

sudo apt-get update
sudo apt-get dist-upgrade

You should now revoke your SSL certificates and issue new ones with freshly generated private keys, in case the old keys were leaked through the bug. Do this only after patching; a key generated on a still-vulnerable server can be leaked just the same.

What Should I Do, as a User?

Change your passwords! For anything important—email, banking, etc.—you should consider picking a new password, once the site in question has patched its servers. A new password sent to a still-vulnerable server can be captured just like the old one.

Deploy GitHub Repositories with GoHub

One popular way to deploy a web application, or even a set of static HTML files in the case of Jekyll blogs, is to add a bare repository on your server with a post-receive hook that catches the files when they’re pushed and copies them into the right place. But that’s a little inconvenient. To deploy you have to grab your computer, pull down the latest changes and then push to your second remote. What if you want to do it from your phone, reviewing pull requests and merging them on the go? What if you want to edit your Jekyll blog’s repository on Prose and have the changes immediately take effect?

That’s the problem GoHub attempts to solve. It’s a tiny webserver (written in the Go language) that listens on a port for messages from GitHub’s WebHook API. Any time a commit is pushed to GitHub, GitHub sends a JSON notification to your GoHub listener, which runs the shell script of your choice when the specified branch (usually “master”) changes.

The original GoHub script was created by adevan, but I made my own fork that includes some extra goodies. It includes a magical setup script that sets everything up for you, as well as an Upstart script. (Configurations and logs are also under /etc/gohub in the fork.) So if your Linux distro is still using System V init instead of Upstart, you probably want to use the original instead of the fork. (At least until I get around to writing a System V init script and amending the setup…) If you’re on Ubuntu, you’re good.

Assuming you already have Go installed, it’s a simple matter of cloning the repository and running the setup script.
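Because a listener like this runs a shell script in response to an HTTP request from the internet, it has to be sure the request really came from GitHub before it acts. The following is an added example, written in Python rather than GoHub’s Go and not GoHub’s own code: it verifies GitHub’s X-Hub-Signature-256 header (an HMAC-SHA256 of the raw request body under the secret you configure on the hook) with a constant-time comparison before it looks at the payload, deploys only for the configured branch, and only ever runs one fixed script, never anything taken from the payload. The secret, port and script path are assumptions.

```python
import hashlib
import hmac
import json
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer

WEBHOOK_SECRET = b"constructed-example-secret"   # assumption: the secret entered on the GitHub hook
DEPLOY_BRANCH = "master"
DEPLOY_SCRIPT = "/etc/gohub/deploy.sh"          # hypothetical path, not GoHub's real layout


def sign(secret: bytes, body: bytes) -> str:
    """Produce the header value GitHub would send for this body: 'sha256=' + hex HMAC-SHA256."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    """Check X-Hub-Signature-256 against the raw body. Rejects a missing or malformed header."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # constant-time compare, so response timing gives no help in guessing the value
    return hmac.compare_digest(expected, header_value[len("sha256="):])


def pushed_branch(body: bytes):
    """Return the branch from a push event's 'ref' field ('refs/heads/<name>'), or None."""
    try:
        ref = json.loads(body).get("ref", "")
    except (ValueError, AttributeError):
        return None
    prefix = "refs/heads/"
    if isinstance(ref, str) and ref.startswith(prefix):
        return ref[len(prefix):]
    return None


def should_deploy(secret: bytes, body: bytes, header_value: str, branch: str = DEPLOY_BRANCH) -> bool:
    """Signature must verify first; only then does the payload get parsed at all."""
    return verify_signature(secret, body, header_value) and pushed_branch(body) == branch


class HookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        sig = self.headers.get("X-Hub-Signature-256", "")
        if not verify_signature(WEBHOOK_SECRET, body, sig):
            self.send_response(403)
            self.end_headers()
            return
        if pushed_branch(body) == DEPLOY_BRANCH:
            # fixed script, fixed interpreter: nothing from the request reaches the command line
            subprocess.Popen(["/bin/sh", DEPLOY_SCRIPT])
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), HookHandler).serve_forever()   # port is an assumption
```

Note that the signature is computed over the exact bytes received; parsing the JSON and re-serialising it before hashing would break verification on the first whitespace difference.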

Continue reading →

ServerBear: Performance Benchmarking For Linux Servers

The popular options for VPS hosting for the past few years have been the venerable Linode, VPS.net (my provider of choice since 2009), the late SliceHost, Rackspace and Amazon EC2. A new name has been cropping up more and more lately, though: DigitalOcean. After seeing it mentioned yet again recently, I decided to check out their web site and see what all the fuss was about. Apparently, they’re very competitively priced, charging about one quarter of Linode’s price for a comparable offering. There are pros and cons for each (Linode offers more CPU cores, DigitalOcean has SSDs, for instance) but the price is very attractive. Heck, shared hosting from reputable providers tends to cost around that.

Fast-forwarding a bit to spare you the gritty details, I went looking for benchmarks to see how DigitalOcean stacks up against the major competitors. In doing so, I found a new Interesting Thing.

ServerBear provides “a no hassle all-in-one UnixBench, IO, IOPS & Network performance test for Linux Servers,” and compiles an index of benchmarks for the different price points offered by dozens of web hosts. You can look up a service, such as DigitalOcean in this case, and view benchmarks for each plan purveyed by the host.

Continue reading →

Fixing Slow Hosts File Lookups in OS X Mountain Lion

Mac users with custom entries in their /etc/hosts files may have noticed that, under Mountain Lion at least, lookup times for local resources are incredibly slow. I routinely set up names that point to virtual hosts on my laptop so I can give projects their own local domain instead of having http://localhost/projects/something/index.php or somesuch. Typing something.dev is much easier. I noticed that, since upgrading from Snow Leopard to Mountain Lion, Firefox would spend several seconds trying to look up those names before consulting the hosts file and loading the page.

While I don’t know why it’s happening, exactly, I do have a fix. The wait goes away if you put the local entries on one line.

Instead of having something like this:

#virtual hosts
127.0.0.1 myproject.dev
127.0.0.1 wordpress.dev
127.0.0.1 somesuch.dev

You need to have this:

#virtual hosts
127.0.0.1 myproject.dev wordpress.dev somesuch.dev

Leave the lines that say “localhost” alone, of course. Messing with those could cause all manner of Bad Things.
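If you have a long list of such entries, here is an added example (not from the original post) that applies the fix mechanically: it reads hosts-file text, merges custom entries that share an address onto one line, and leaves comments, blank lines and anything naming localhost or broadcasthost exactly where they were. The sample input is constructed from the entries shown above plus the standard lines an OS X hosts file starts with.

```python
import ipaddress

# Lines naming these are left untouched, as the post advises.
LOCAL_NAMES = {"localhost", "broadcasthost"}


def consolidate_hosts(text: str) -> str:
    """Merge custom entries that share an IP onto a single line.

    Comments, blank lines, unparseable lines and any line that names localhost or
    broadcasthost are kept verbatim in their original positions. A trailing comment on
    a merged entry is dropped."""
    out = []
    merged = {}   # ip -> index in `out` of the line collecting that address's names
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            out.append(raw)
            continue
        fields = line.split("#", 1)[0].split()   # ignore a trailing comment
        if len(fields) < 2:
            out.append(raw)
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            out.append(raw)                      # not an address we understand; leave it alone
            continue
        if any(n in LOCAL_NAMES for n in names):
            out.append(raw)                      # never touch the localhost lines
            continue
        if ip in merged:
            existing = out[merged[ip]].split()
            new_names = [n for n in names if n not in existing[1:]]
            out[merged[ip]] = " ".join(existing + new_names)
        else:
            merged[ip] = len(out)
            out.append(f"{ip} {' '.join(names)}")
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample: the default OS X entries followed by the post's virtual hosts.
SAMPLE_HOSTS = (
    "##\n"
    "127.0.0.1 localhost\n"
    "255.255.255.255 broadcasthost\n"
    "::1 localhost\n"
    "#virtual hosts\n"
    "127.0.0.1 myproject.dev\n"
    "127.0.0.1 wordpress.dev\n"
    "127.0.0.1 somesuch.dev\n"
)

if __name__ == "__main__":
    print(consolidate_hosts(SAMPLE_HOSTS), end="")
```

Run it against a copy of /etc/hosts and review the output before replacing the real file; the function never writes anything itself.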

Load Test Your Server with Blitz.io

Want to test how your server performs under load? If you’re in the process of optimizing a server, or have just installed a caching solution, it’s good to see the effect your changes have had.

Blitz is a configurable service that will pound your site with page requests, allowing you to specify the concurrency, timeout, and duration of the onslaught. As it goes about this, it builds statistics and plots them along timelines. You can watch response times, errors and timeouts as it slowly ramps up the number of concurrent users until it reaches the maximum. At the end, it even projects how many hits per day your setup can handle at that rate.

The service has a generous free tier, though they offer paid upgrades for higher concurrency and duration. The free tier offers 250 concurrent users over a one minute rush. (Though if you sign up with this invite link, they will add additional concurrencies to your account.)

I found Blitz very useful when I was trying to squeeze faster response times out of my WordPress setup, tweaking my caching system options and adjusting Nginx and PHP configurations. Since they use the connections at their datacenter, you get more real-world results than if you simply ran Apache Bench locally on the server, or from your residential internet connection. Both tools have their uses, of course, and Blitz is a good one to have in your arsenal.

Checking the Status of a Minecraft Server with PHP

Have you ever needed to have a script check whether a Minecraft server was online, or retrieve its listing information, like the “Message of the Day” (server description) or the number of active players? Maybe you run your own server, and want to display the status on a community website. Or perhaps you have something more ambitious in mind.

After reading up on the protocol Minecraft uses for the in-game listing of your favorite servers, I put together a simple PHP class that makes it easy. Here’s a fancy demo that makes use of it.

The library, which you can download on GitHub, along with the aforementioned demo page, looks like this:

Continue reading →

Proxying Web APIs with NGINX

Here’s a cool thing I bet you didn’t know could be done with the NGINX server: proxying APIs from web services. Why would you want to do that? Well, for starters, you can avoid running into cross-domain scripting issues.

Your client-side JavaScript can query an API that doesn’t offer JSON-P support, by having the request pass through your server first. You can even cache the results for a while, so you don’t run into rate limit issues. And if JSON-P is a necessity, you can transform the API response from vanilla JSON to JSON-P by echoing some additional content around the response body.

You can read how to do all this in an informative blog post by the founder of DuckDuckGo. It’s pretty much a matter of adding a location block that uses the proxy_pass directive to pass the request along.

nginx JSON hacks [Gabriel Weinberg]
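As an added example (not from the original post and not from Gabriel Weinberg’s), here is what such a location block can look like, with a short cache in front of the upstream. The hostnames, paths and cache sizes are assumptions. The point worth keeping in mind is that the upstream is fixed in the configuration: a block that built the proxy_pass target from something in the request would turn the server into an open proxy, and a JSON-P callback name taken straight from the query string would be reflected into the response unvalidated, which is why the wrapper below uses a fixed function name.

```nginx
# Added example, not the original post's configuration. Names and paths are assumptions.
proxy_cache_path /var/cache/nginx/api levels=1:2 keys_zone=api_cache:10m
                 max_size=100m inactive=10m;

server {
    listen 80;
    server_name example.com;   # assumption

    # Only this path is proxied, and only to one fixed upstream: the client cannot choose the host.
    location /api/weather/ {
        proxy_pass https://api.example.org/v1/weather/;   # assumed upstream API
        proxy_set_header Host api.example.org;
        proxy_ssl_server_name on;

        # Cache successful answers briefly so bursts of browser traffic stay under the API's rate limit.
        proxy_cache api_cache;
        proxy_cache_valid 200 5m;
        proxy_cache_key "$scheme$proxy_host$uri$is_args$args";
        proxy_ignore_headers Cache-Control Expires;
        add_header X-Cache-Status $upstream_cache_status;

        # JSON-P wrapping, if the page really needs it. These two directives come from the
        # third-party echo module (assumed to be compiled in); the callback name is fixed on
        # purpose rather than copied from $arg_callback.
        # echo_before_body 'weatherCallback(';
        # echo_after_body ');';
    }
}
```

With the echo lines left commented out, the block is a plain caching proxy and the browser receives ordinary JSON from your own origin, which is all that is needed to avoid the cross-domain restriction the post mentions.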

What to Do After You Install Ubuntu Server in VMware Fusion

I recently installed a fresh copy of Ubuntu Server in a VMware Fusion virtual machine, so I could test some things out locally. (It’s a great way to set up a local development server with a similar configuration to your production server.) The initial setup was painless, but I had an amusing problem afterwards. The default keyboard mapping didn’t match up with my MacBook’s keyboard, so pressing the arrow keys would lead to unexpected behavior. Obviously this is problematic when the only way you have to interact with the OS is text-based…

Fortunately, the solution is simple.

You just need to run sudo dpkg-reconfigure console-setup and follow the on-screen prompts. You would usually use the arrow keys to traverse the menus, but that isn’t exactly possible, is it? Pressing the first letter of the option you’re looking for until it cycles up and is selected works fine, though. (Apple Laptop, USA-style layout, etc.) The full instructions on what you should pick for MacBooks are available here.

Now, moving in and out of the VM window is a little bit annoying, so I installed an SSH server.

Continue reading →

What are Some Good Places to Find Linux Server Tutorials?

Are you planning on moving from shared hosting to a more robust hosting platform, such as a VPS? It’s easy enough to find a provider, such as VPS.net, Linode or Slicehost. But that’s just the beginning. You have to learn how to set up and maintain your new server.

Here are a few resources to help you figure things out:

  • HowtoForge — All sorts of Linux tutorials. They have guides to setting up server configurations on the various Linux flavors, as well as basic introductions to Linux.
  • Slicehost Article Repository — Even if you aren’t a Slicehost customer, you will find some invaluable guides and tutorials here.
  • Linode Library — Much like Slicehost, Linode maintains a collection of useful tutorials.
  • Official Ubuntu Documentation — Select your version of Ubuntu and look for the “Server Guide” link.
  • Google! — Search engines are your friend. If you don’t know what something means or you want to learn how to do something, search for a tutorial. The chances are good that someone else has already written something on the subject.

If you really get stuck, try leaving your question on your host’s forum or on Server Fault.

PHP 5.3.3 Adds PHP-FPM

If you run alternative server software like NGINX or Lighttpd instead of Apache, you know very well that you need to run PHP as a standalone FastCGI daemon. (This is because there is no equivalent to Apache’s mod_php.) If you have the faintest idea what I’m talking about, you may be interested in something new in PHP 5.3.3.

The latest PHP release includes PHP-FPM, the PHP process manager.

I’ve managed to find one decent guide to compiling and setting it up so far. It looks fairly simple. I might have to give it a try sometime, as my current setup (which doesn’t use PHP-FPM) tends to hang occasionally.