Welcome to Vastspace, providing reliable web hosting since 2014


Blog

Google Authenticator

 

To protect your SSH server with two-factor authentication, you can use the Google Authenticator PAM module. Once the module is installed and enabled, every SSH login also requires the current one-time code shown by the Google Authenticator app on your smartphone, in addition to the account password.

On Red Hat, CentOS and Fedora systems, install the pam-devel package together with the build tools needed to compile the module:

# yum install pam-devel make gcc-c++

Install wget as well if it is not already present.

TOTP (time-based one-time password) tokens are time sensitive: the server and the phone must agree on the time to within the module's tolerance window, otherwise valid codes are rejected. Make sure ntpd is running and configured to start at boot:

# service ntpd start
# chkconfig ntpd on

Download, build and install the Google Authenticator PAM module. The commands below are run as root from /tmp. make install copies the module to /lib/security; on 64-bit systems PAM loads modules from /lib64/security, so the two cp commands at the end put the module and the google-authenticator setup helper where they will be found. (The googlecode.com download URL dates from 2015 and no longer resolves, since Google Code has shut down; the module is now maintained at https://github.com/google/google-authenticator-libpam and built with autotools.)

# cd /tmp
# wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
# bunzip2 libpam-google-authenticator-1.0-source.tar.bz2
# tar xf libpam-google-authenticator-1.0-source.tar
# cd libpam-google-authenticator-1.0
# make
# make install
# cp pam_google_authenticator.so /lib64/security
# cp google-authenticator /usr/local/bin

Before configuring SSH, set up Google Authenticator for the account. Run google-authenticator as the user you wish to log in with via SSH (not as root, unless root is that user). It asks a few questions and writes the secret, the options chosen and the emergency scratch codes to ~/.google_authenticator, readable only by that user. Keep the file that way, since the secret in it is all that is needed to generate codes, and store the scratch codes somewhere safe: each works once and lets you log in if you lose the phone.

Do you want me to update your "~/.google_authenticator" file (y/n) y
 
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DABCD12E3FGHIJKLMN
Your new secret key is: ABCD12E3FGHIJKLMN
Your verification code is 98765432
Your emergency scratch codes are:
  01444567
  32123245
  33330123
  23328901
  54444489
 
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
 
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
 
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Next, enable the module for SSH in /etc/pam.d/sshd by adding the line “auth required pam_google_authenticator.so” above the existing auth lines. This requires all users to use Google Authenticator for SSH authentication. To require it only for users who have configured it (the ~/.google_authenticator file exists), enter “auth required pam_google_authenticator.so nullok” instead. Be aware that with nullok, any account without the file keeps password-only login.

The order of the lines in this file matters. With the module line placed first, you will be prompted for your Google Authenticator verification code and then for your system account password when you SSH into the system.

Modify /etc/ssh/sshd_config and verify these settings:

PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

Then restart sshd:

# service sshd restart

ChallengeResponseAuthentication is what makes sshd run the PAM conversation (keyboard-interactive) that asks for the code, and UsePAM must be on or the module is never consulted. Note that public key authentication does not go through the PAM auth stack: a user with a key in ~/.ssh/authorized_keys logs in without being asked for a code. The OpenSSH 5.3 shipped with CentOS 6 has no way to require both; OpenSSH 6.2 and later can enforce key plus code with “AuthenticationMethods publickey,keyboard-interactive”.

When you SSH into the system as a user configured for Google Authenticator, you will be asked first for the verification code displayed in your Google Authenticator app and then for your system password at the next prompt:

login as: root
Verification code: 01234567
Password: *******
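To make concrete what the PAM module is checking when it asks for the verification code, here is a small TOTP implementation in Python (RFC 6238: HMAC-SHA1, 6 digits, 30-second steps). It is an added example, not code from the original post or from the google-authenticator project, and it uses a constructed secret (the RFC 6238 test key in base32), not a real account's secret. The verify function mirrors the two setup options above: the time-skew window (one step on each side by default, the 1:30 min mentioned in the prompt) and the refusal to accept a code for a time step that has already authenticated once.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

STEP = 30     # seconds per code, the module's default
DIGITS = 6    # the module emits 6-digit codes


def decode_secret(b32: str) -> bytes:
    """Decode the base32 secret printed by google-authenticator
    (and stored in ~/.google_authenticator). The tool prints it unpadded."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then modulo 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1,
           used_steps: Optional[Set[int]] = None) -> Optional[int]:
    """Check a submitted code the way the PAM module does.

    window is the number of steps accepted on each side of the current one:
    window=1 accepts three codes, the 1:30 min quoted in the setup prompt.
    If used_steps is given, a step that already authenticated once is
    rejected, which is the "disallow multiple uses" option.
    Returns the matching time step, or None if the code is rejected.
    """
    current = unix_time // STEP
    for step in range(current - window, current + window + 1):
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, step), code):
            if used_steps is not None:
                if step in used_steps:
                    return None
                used_steps.add(step)
            return step
    return None


# Constructed example secret: the RFC 6238 test key "12345678901234567890"
# in base32. Not a real account's secret.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = decode_secret(EXAMPLE_SECRET_B32)
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code)
    used = set()
    print("first use accepted at step", verify(key, code, now, used_steps=used))
    print("replay of the same code rejected:", verify(key, code, now, used_steps=used))
```

The replay check is why the setup prompt says enabling it "restricts you to one login about every 30s": the module remembers the time step that last authenticated, so a second session within the same step, or an attacker who captured the code in transit, is refused until the next step produces a new code.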

‘SEO by Yoast’ Vulnerable To Hackers

Yoast, a popular SEO plugin for WordPress, has been found in version 1.7.3.3 and below to be affected by two authenticated (admin, editor or author user) blind SQL injection vulnerabilities. They are in the ‘admin/class-bulk-editor-list-table.php’ file: the orderby and order GET parameters are not sufficiently sanitized before being used within a SQL query.
Customers are advised to take immediate action and upgrade to the latest release, 1.7.4, or 1.5.3 for the Premium version.
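The defect class here, untrusted orderby and order values pasted into a query, is common because ORDER BY takes identifiers, which prepared-statement placeholders cannot bind. The following Python/sqlite3 example is added here and is not Yoast's code; the schema, data and probe string are constructed for illustration. It shows the vulnerable pattern next to the allowlist fix, and why such an injection is "blind": the attacker's expression changes the sort order depending on a condition about data the page never displays, so the row order leaks one bit per request.

```python
import sqlite3
from typing import List

# Allowlists: the only sort columns and directions the application means to offer.
# Keys are what the request may say; values are what the code itself writes into SQL.
ALLOWED_ORDERBY = {"id": "id", "title": "title", "date": "created"}
ALLOWED_ORDER = {"asc": "ASC", "desc": "DESC"}


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a posts table the listing sorts,
    and a table the attacker wants to read but is never displayed."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, created TEXT);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO posts VALUES (1, 'alpha', '2015-01-01'),
                                 (2, 'beta',  '2015-02-01'),
                                 (3, 'gamma', '2015-03-01');
        INSERT INTO secrets VALUES (1, 'xyz');
    """)
    return con


def list_posts_vulnerable(con: sqlite3.Connection, orderby: str, order: str) -> List[int]:
    # Identifiers cannot be bound with '?' placeholders, so the tempting shortcut
    # is to paste the GET parameters straight into the statement. Whatever the
    # caller supplies becomes SQL.
    sql = "SELECT id FROM posts ORDER BY %s %s" % (orderby, order)
    return [row[0] for row in con.execute(sql)]


def list_posts_fixed(con: sqlite3.Connection, orderby: str, order: str) -> List[int]:
    # Map the untrusted strings onto a fixed set of identifiers. Only a value
    # this code wrote itself ever reaches the query text; anything else is refused.
    column = ALLOWED_ORDERBY.get(orderby.lower())
    direction = ALLOWED_ORDER.get(order.lower())
    if column is None or direction is None:
        raise ValueError("unsupported sort parameter")
    sql = "SELECT id FROM posts ORDER BY %s %s" % (column, direction)
    return [row[0] for row in con.execute(sql)]


def blind_probe(guess: str) -> str:
    # Generic blind oracle for an ORDER BY injection point (constructed, not a
    # payload for any real product): the sort key is id if the guessed first
    # character of the hidden token is right, and -id otherwise, so the
    # response's row order reveals whether the guess was correct.
    return ("(CASE WHEN (SELECT substr(token, 1, 1) FROM secrets WHERE id = 1) = '%s' "
            "THEN id ELSE -id END)" % guess)


if __name__ == "__main__":
    con = make_db()
    print("honest request:      ", list_posts_vulnerable(con, "created", "DESC"))
    print("wrong guess 'a':     ", list_posts_vulnerable(con, blind_probe("a"), "ASC"))
    print("right guess 'x':     ", list_posts_vulnerable(con, blind_probe("x"), "ASC"))
    try:
        list_posts_fixed(con, blind_probe("x"), "ASC")
    except ValueError as exc:
        print("fixed version refuses:", exc)
```

Repeating the probe for each position and each candidate character recovers the hidden value one character at a time, which is exactly what makes a "blind" injection exploitable even though no query result is ever echoed. The fix does not try to escape or strip the input; it never lets the input become SQL at all.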

Cisco IPv6 Denial of Service Vulnerability

Cisco has identified a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. The vulnerability is due to improper processing of malformed IPv6 packets carrying extension headers. Cisco Network Convergence System 6000 (NCS 6000) and Cisco Carrier Routing System X (CRS-X) running an affected version of Cisco IOS XR Software are affected by this vulnerability.

Users and administrators are encouraged to review the Cisco advisory and apply the necessary updates:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150220-ipv6

What is IP Reputation Protection?

DNSBLs (DNS-based blackhole lists, also called RBLs) are used on mail servers to reject or flag messages sent from IP addresses that have been blacklisted. If your mail server's IP address is added to a DNSBL, the mail it sends is likely to be rejected or marked as spam by receiving servers.

Our IP Reputation Protection System queries the major DNS-based blackhole lists and SenderBase, one of the world's largest email and web traffic monitoring networks, and processes the results into alerts to our support team for immediate action. We help the customer identify the root cause, contact the DNSBL operators to request delisting, and mitigate the impact of mail returned to sender because of the listing.

In the event your mail server is blacklisted, with IP Reputation Protection we usually restore mail delivery in under an hour.
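For readers who want to check their own IP against a DNSBL rather than wait for an alert, here is how the lookup works, as an added Python example (not part of the original post or of Vastspace's system). A DNSBL is queried as an A record for the IP's octets in reverse order under the list's zone; an answer inside 127.0.0.0/8 means listed (the last octet encodes the reason), and NXDOMAIN means not listed. The zone names and the stub resolver's answers are assumptions constructed for illustration; for a real check, pass the default system resolver.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# Zones assumed for illustration; substitute the lists your recipients actually use.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
# Spamhaus answers malformed queries and queries arriving via public resolvers
# with 127.255.255.x codes meaning "query refused"; these are not listings.
REFUSED = ipaddress.IPv4Network("127.255.255.0/24")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Resolve name to an IPv4 string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_listing(ip: str, zones: Iterable[str] = DNSBL_ZONES,
                  resolve: Callable[[str], Optional[str]] = system_resolver) -> Dict[str, str]:
    """Return {zone: return_code} for each zone that lists ip.

    Only answers inside 127.0.0.0/8 count, and the refused-query codes are
    excluded, so a misconfigured resolver cannot masquerade as a listing.
    """
    listed = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        addr = ipaddress.IPv4Address(answer)
        if addr in LOOPBACK and addr not in REFUSED:
            listed[zone] = answer
    return listed


# Constructed answers standing in for DNS, so the example runs offline.
STUB_ANSWERS = {
    "1.2.0.192.zen.spamhaus.org": "127.0.0.2",          # listed; 127.0.0.2 is the SBL code
    "7.100.51.198.zen.spamhaus.org": "127.255.255.254", # query refused, not a listing
}


def stub_resolver(name: str) -> Optional[str]:
    return STUB_ANSWERS.get(name)


if __name__ == "__main__":
    print(check_listing("192.0.2.1", resolve=stub_resolver))
    print(check_listing("198.51.100.7", resolve=stub_resolver))
    print(check_listing("203.0.113.9", resolve=stub_resolver))
```

Run this from the mail server itself with its own caching resolver: most lists rate-limit or refuse queries relayed through large public resolvers, which is why the refused codes are filtered rather than treated as a hit.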

For SmarterMail user, upgrade to Version 13.3

If you are running an older copy of SmarterMail, in particular one affected by the two XSS vulnerabilities fixed in this release (see the SECURITY items in the notes below), I suggest getting the latest build and moving up to 13.3.5535. You can download it from here: http://smartertools.com/smartermail/mail-server-download.aspx.

Just in case you have forgotten how to “properly” upgrade SmarterMail, the steps are below. Make sure you have a backup before you proceed.

  1. Stop the IIS World Wide Web Publishing Service or the SmarterMail web service.
  2. Uninstall SmarterMail without removing the existing folders or files.
  3. Install the latest copy of SmarterMail.
  4. Once the install completes, start the SmarterMail web service or the IIS World Wide Web Publishing Service.

 

Wait a minute or so, then sign in to the admin portal to make sure everything is working. Startup can take longer on a slower server or with many mailboxes, so be patient and do not restart the SmarterMail service unless it has actually stopped.

 

  • ADDED: Updated administrative logging to include the friendly name of the event that was fired in addition to its id number.
  • FIXED: A temporary disk error when reading an account’s userConfig.xml file will no longer result in the user’s settings being reset to the defaults, including a blank password.
  • FIXED: A user with read-only control of a shared calendar can no longer delete instances of a recurring event.
  • FIXED: A zero byte fileStore.xml file will no longer prevent SmarterMail from starting properly.
  • FIXED: Adding a calendar event using Android’s default calendar app with Exchange ActiveSync now syncs correctly.
  • FIXED: Adding a recurring event that occurs on a specific week of each month now syncs correctly using Exchange ActiveSync.
  • FIXED: Adding a task using Outlook 2013 with Exchange ActiveSync now syncs correctly.
  • FIXED: Adding duplicate entries to trusted senders is no longer allowed.
  • FIXED: Availability conflicts are now calculated correctly when adding or editing a new calendar event in webmail.
  • FIXED: Birth dates set on iOS devices using Exchange ActiveSync now sync correctly.
  • FIXED: Changing an event’s start time that includes a domain resource now properly updates the availability of that domain resource.
  • FIXED: Contacts imported from a CSV file that include only white space in certain imported fields are now saved properly, such that they can be successfully synced with Exchange ActiveSync.
  • FIXED: Creating a calendar and immediately deleting an event using the Mac OSX calendar app with Exchange Web Services now syncs correctly.
  • FIXED: Declude spam weights now save correctly.
  • FIXED: Domain resource availability is now calculated properly when determining scheduling conflicts.
  • FIXED: Editing a password brute force or denial of service abuse detection rule for XMPP now correctly sets the service field to XMPP.
  • FIXED: Email folders that contain special characters are now sorted correctly in webmail.
  • FIXED: Exchange ActiveSync responses will no longer send an empty Exceptions tag, which would cause Outlook 2013 to crash.
  • FIXED: Folders with special characters in their name now sync correctly using Exchange ActiveSync.
  • FIXED: Made changes to how folder renaming is handled to prevent a scenario that could cause mailbox corruption.
  • FIXED: Renaming a folder that contains special characters using Exchange ActiveSync no longer causes an error in webmail when trying to view that folder.
  • FIXED: Setting a contact’s birth date on a client synced using CardDAV will no longer save as one day off for users in time zones with positive offsets from GMT.
  • FIXED: Temporary files created during Exchange ActiveSync SmartForward, SmartReply and other email attachment operations are now immediately cleaned up when no longer needed.
  • FIXED: The number of items sent back per Exchange ActiveSync response is now correctly determined using the WindowSize specified by the client.
  • SECURITY: Resolved an XSS vulnerability related to replying to an email.
  • SECURITY: Resolved an XSS vulnerability related to viewing email.

Speed Up WordPress with Cloudflare

One weakness of WordPress is that it is usually very slow. Vastspace's website is built on WordPress with many plugins, each pulling in its own jQuery files and CSS style sheets, and these hurt the loading time. The result was poor performance grades in test tools such as the Pingdom website speed test and Google PageSpeed Insights.

The outcome is a sluggish site that is not only a hassle for repeat visitors but also loses subscribers and customers, because web users are impatient. And customers visit from many different geographical locations, so distance to the server adds to the delay.

Think about it: someone has just given you a good reference with a link, and you do both of you a disservice with a slow-loading site that nobody wants to wait for. If your site takes longer than 10 seconds to load, most people leave before you have had a chance to convince them to stay and give the site a glance.

On top of that, many SEO experts say that site speed affects search engine rankings. A slow site loses visitors to impatience and loses more of them through reduced rankings.

On WordPress we tried caching plugins such as WP Super Cache and W3 Total Cache. Load time improved, but the result was still unsatisfactory: we barely passed 50/100 in both the Pingdom website speed test and Google PageSpeed Insights. Much of the remaining load time came from distance, since the Vastspace server is in a Singapore data center, far from the test locations.

Cloudflare makes your site faster

Unlike a traditional CDN, CloudFlare combines a web application firewall, a distributed reverse proxy and a content delivery network. It sits between visitors and your server, optimizing delivery and helping protect your website against DDoS attacks.

Unlike many CDN services, CloudFlare does not charge for bandwidth, on the basis that if your site suddenly gets popular or comes under attack you should not have to dread the bandwidth bill. According to CloudFlare, a website using its CDN on average loads twice as fast, uses 60 per cent less bandwidth, serves 65 per cent fewer requests from the origin, and is more secure thanks to the web application firewall. At the time of writing CloudFlare operates 28 data centers around the world and uses Anycast routing to send each visitor to the nearest one.

Most importantly, Cloudflare has a free plan (https://www.cloudflare.com/plans). Vastspace uses Cloudflare Pro for real-time statistics and additional page rules.

With Cloudflare, Vastspace's website scores 85/100 in the speed test from 6 different locations and 87/100 in Google PageSpeed Insights. The remaining load time is caused by the Revolution Slider plugin on the front page; even so, we are very happy with the result.

 

 

Cloud Server with SSD vs spinning drives

We have talked a lot about our new SSD Cloud Server and its performance. Today we compare and benchmark cloud servers with spinning drives against those with SSDs.

Vastspace SSD Cloud Server nodes use only enterprise SSDs, which give fast and consistent command response times and protect against data loss and corruption.

We previously ran read and write tests comparing our Cloud SSD VPS with a popular competitor's SSD VPS. Today we test two otherwise identical Cloud Servers, one on SSDs and one on RAID 10 15,000 rpm SAS drives.
Each test Cloud Server has 2 CPU cores, 2 GB of memory and 20 GB of disk space.

Both test servers are installed with CentOS 6.5 x64 and hosted in Vastspace Singapore Data Center.

The result is clear: the SSD Cloud Server beats the spinning-drive Cloud Server hands down. Even in RAID 10, the 15K rpm SAS array is still slower in write speed than the solid state drives.