“BGP” also known as the Border Gateway Protocol is the hidden beast behind any service provider, providing highly available routes and remedying failed links to upstream providers on the fly. BGP is often overlooked and not understood, yet chugs away making sure that end users get the fastest route possible. My goal here is to try and explain the basics of this protocol and explain how SingleHop uses it to provide light speed (no pun intended) service to our customers!

BGP was created to replace EGP (Exterior Gateway Protocol) in the early 90’s due to the explosive response that the internet recieved. EGP was not scalable enough to handle the growth, and with it’s backbone-centered tree and the newly announced IPv4, it didnt have a chance. BGP is still the most used large network routing protocol used today.

BGP peers are established between an upstream provider and the customer network manually in order to establish the intial relationship. The customer then configures their router to send certain traffic (via ASN) through the newly configured peer in a multihomed network configuration. You can view any providers peering arrangements using a variety of tools. My personal favorite is Fixed Orbit. Check out SingleHop peering arrangements here:

http://fixedorbit.com/AS/32/AS32475.htm

Not a lot, right? But that’s certainly not the case. Since SingleHop peers with these providers, we in turn have access to their peers once traffic is handed off to them. To see a good example, click the AboveNet peer in the above URL:

http://fixedorbit.com/AS/6/AS6461.htm

Much better

BGP works by registering a table of IP prefixes which signify network reliability among ASN’s (Autonomous System Number). It then makes routing decisions based on path, network policies or other rule sets configured in the router itself.

Once BGP is up and running, the BGP peers converse update messages about destinations to which the “speaker” offers connectivity. This is how BGP “learns” routes and provides the fastest path (depending on the network topology) to the source IPs destination. In fact, to show you how rapid changes BGP propogates, i’ve provided a SingleHop BGP view from the beginning of my blog post, and the end (see figure 1 2 and 3).

In the above pictures, the red dot signifies the SingleHop Network and our 3 upstream providers (peers). As you can see, Cogent Communications (http://fixedorbit.com/AS/0/AS174.htm) has made a couple changes! They stopped advertising “AS2497” and AboveNet picked it up immediately — all on the fly, and it most likely required no human intervention. Talk about team work!

SingleHop utilizes BGP to control our own destiny. It allows us to advertise our own address space, control how our multiple providers hear it, and influence how they route their traffic based on those advertisements. BGP also allows SingleHop multiple paths to the same provider in the event of an upstream outage — and even redirecting traffic automatically to other provider links in the event of a carrier failure. SingleHop houses redundant network hardware, but think of BGP as redundant software, running on redundant hardware — An extra layer! All of those attributes combined and the result will be a rock-solid, self healing network

E2200 versus the E6320, which is better?

Which processor is better depends a lot on your definition of better.

The E2200 is clocked at 2.2GHz and slightly outperforms the E6320 which is clocked at 1.86GHZ. This slight performance boost does come at a price though. The E220 runs hotter than the E6320 and as such, there is a greater risk of it overheating. For those of you of the “green” persuasion, since the E6320 runs cooler, it is more power efficient and reduces carbon emmissions. Obviously there are benefits to be had from both processors, so it just comes down to which metric is most important to you.

Some people ask me whether they should use PHP 4 or PHP 5. I always recommend PHP 5. I do this because I am big in keeping up to date. I usually update my servers at least once a week, more if I get the time. PHP 4 is not going to be patched, under any circumstances, by the makers of PHP after 2008-08-08. They announced this when they released PHP 4.4.8, the latest version of PHP 4 at the time of this writing. I do not just update the services I run on my computers; I update the libraries and the kernel as well. This is what our Kernel and OS updates handle, just the kernel and the other packages on your system that may only be locally accessible. I also make a personal note to not use any operating systems that have reached EOL (End Of Life). It also helps me with troubleshooting other issues that may arise, such as installation of an application.
If you decide to use PHP 4, you should work towards converting everything to be PHP 5 compliant. This will ensure that your application is secure and stable for years to come. Updating your scripts is equally important as it can allow an attacker to compromise your system. From there, they can take any sensitive information on your server or use it to attack other servers. This could lead to downtime on your site. You may have to completely take it down to resolve the security problems. There could also be other stability problems with your site. PHP 4 could have memory leaks and remote DOS vulnerabilities. Both of these situations can lead to downtime for your site.

My personal advice is to stay on top of the software you use. This usually just means subscribing to their mailing lists. This keeps you in the loop as far as new versions or security issues. If you update regularly you can prevent major problems from occurring. And on a final note, when you migrate to a new server, it is always wise to use that as an excuse to run newer versions of everything. It gives you a period of time where you can test your application and ensure it will run for years to come!

There are two different firewall options included with Windows, and with your Windows Dedicated Server, the one you are most likely aware of is the standard Windows Firewall, and then there is the basic firewall that is located in Routing and Remote Access. Since most of you won’t have a need to enable RRAS, I will cover getting the Windows firewall setup to cover your needs. I will cover RRAS at a later time, since it can also be sued for setting up an easy VPN, or even make a Windows machine act as a full blown router.

The previous two posts in this blog were about securing your server (Securing your cPanel Dedicated Server). It is impossible to overstate the importance of this topic. Phishing is now one of the biggest threats in terms of cyber-crime, or even just global crime in general, with organized bands of hackers now working in concert to invade your server.

Control panels make administering your server very simple and give you the ability to increase your dedicated server’s security in a just a few clicks of the mouse. I’m going to show you just a few of the many security options the WHM/cPanel has built in to protect your cPanel dedicated server.

In order to defend your server you need to protect the ways someone might try to gain unauthorized access to your server. Two of the most popular ways to gain access on a WHM/cPanel server are through the root password and through the Apache web server. So here are a few things to protect your dedicated server.

Enable cPHulk – Bruteforce Blocker
The best way to secure your server is to not offer a connection to a service, but in most cases that isn’t possible. In most scenarios you might need multiple people to have the capability to login from any location. That’s where cPHulk comes in.
When cPHulk detects a brute force attack, it responds by disabling authentication to your vital services: cPanel, WHM, SSH, FTP, IMAP, and POP3 from further attacks by that IP address.

cPHulk is unnoticeable to the attacker, authentication attempts will appear normal, even when disabled. Thus, you get more information about attacks. The easy to use user interface. You can even customize authentication thresholds and lock out times!

To access the cPHulk Brute Force Protection feature, click on Security, on the main screen of your WHM interface, then click on Security Center. When the page opens click on cPHulk Brute Force Protection. Click on the Enable button to enable cPHulk Brute Force Protection. Here you can customize cPHulk to meet your needs and protect the server.

JailShell
If someone does gain access to your server through a shell account, you can limit the damage they can do by using jailshell as the default shell for all new accounts and modified accounts. Jailshell is a very limited shell that allows clients to logon to your server via SSH. It limits them to their home directories, keeping the rest of your files on your server from being viewed.

You can enable jailshell as the default shell for new and modified accounts by going to Tweak Settings under Server Setup on the WHM main page. Scroll down to “System” and check the box next to ” Use jailshell as the default shell for all new accounts and modified accounts”.

Enable Mod_Security
You could keep your entire server up to date with the latest patches and updates, but it won’t do you any good if you have insecure code running on your webserver. Today remote buffer overflows have been replaced with sql injections and php script exploits
Mod_Security is an open source intrusion detection and prevention engine to protect web applications from known and unknown attacks.

To install mod_security you need to compile it into apache using easyapache. Once that is done you can view attempted attacks on your apache server by going to WHM, click on Add-ons in the main screen of your WebHost Manager interface, Click on Mod_Security and the list of security violations will be shown.

While we don’t guarantee these steps will make your server fully secure from attacks, it will greatly reduce your chances of compromise. If you need help in setting up any of these security features please submit a ticket at https://control.singlehop.com
For more information please check out these pages

http://www.cpanel.net/security

http://www.modsecurity.org

It seems common that people that are into video games or computers in general will at one point in their life attempt to build their own computer. After you have purchased and received all your parts you’ll notice the most common things. A mother board, the processor, fans, graphics cards and so on. Eventually everyone comes across a tiny little packet of white goo and thinks “Goo?! What is goo supposed to do in my computer?” Well that my friend is what is known as thermal grease.

Thermal grease is a substance that is used to transfer the heat from your processor to the heat-sink more efficiently than not having anything on the processor. There are different kinds of thermal grease such as ceramic-based, metal –based, carbon-based and liquid-metal based. The most common form of thermal grease these days is ceramic-based which is included with every retail AMD and Intel processor you buy. If you look on the bottom of the heat-sink fan you will see a black pad. That is the thermal grease. When you have a setup like this you do not have to apply any thermal grease to the processor as it will bind from the heat-sink. Ceramic-based is also white due to the kind of materials they use to create the grease. The most efficient form of thermal grease is metal-based grease which is similar to ceramic-based but includes metal particles to increase the heat conductivity of the grease. The most popular form of metal-based grease in the hobbyist community is Arctic Silver.

Applying thermal grease to a processor is quite easy but often misconceived. First you need some isopropyl alcohol wipes to clean off both the heat-sink and the processor. Seat the processor in the socket on your mother board and grab your tube of thermal grease. You only need to apply a tiny bit no larger than a dime to the middle of the processor. Once that is completed take out a business card you don’t care about and use it to spread the thermal paste across the metal die of the processor. You only want it on the metal portion of the processor and not on any other part as thermal grease is conductive and will fry your processor should it make contact. The object when spreading the grease is to make a paper-thin layer of the grease to make a flush contact between the processor and the heat-sink. Now I know you’re thinking “Well that doesn’t seem like much grease wouldn’t more be better?” And the answer is a sound No. This is because the more thermal grease you have will make less heat transfer to the heat-sink. The heat will become trapped in the grease cooking it to a hard crusty substance and then the heat transfer will be degraded even more.

I hope this helps a few people out there when building or repairing their computers as this is quite a common misconception regarding thermal grease and processors. I know when I first built a computer when I was 12 I made the mistake of applying pounds of thermal grease to it and ended up with an exploded processor. This was also before computers had temperature monitors and would shut off before the processor exploded.

-Sam

So you just got this brand new dedicated server and you want to make sure that it is protected enough so that criminals will not easily access your private information and hopefully move on to another target.

First things first. Realize that a server that connected to the internet will be attacked, the machine is vulnerable and EVERYTHING on the server is vulnerable to theft, (Credit card numbers, software, trade secrets, resources, etc)

These are the basic action steps you must make sure you have done on every computer you use, server, desktop, laptop, whatever.

STEP #1 - Use a Secure Password
You will hear this over and over again, “Use Strong passwords to protect your computer and services.
Don’t use the same password to protect your server.” And this is true you need to make sure you use a secure
password and make sure that you update your web hosting company whenever you change your password.
But, for many people the problem is remembering all those different passwords. Here are some tips you can
use to create secure long passwords that are also memorable.

Use passphrases come up with sentences that you know you will always remember. For example
“I have two brothers and one sister, they were born in New York” you can convert that to a
password/passphrase like this.

Ih2b&1s,twbiNY

if you check this password out at http://www.microsoft.com/protect/you…d/checker.mspx it will return a STRONG rating. If you want to have it become a BEST rating check out my next tip.

Create a two factor password. A two factor password is just a technique of creating a unique password for
each and every site or server you login to but still be able to remember each password.
So you already have your password that you created in the previous step. This is your key. The next step is
the hash. You can generate a hash, for example, by going to the website for which you are creating the password.
Use something unique to that website that captures your interest and you will be sure to notice the next time
you come back.

Lets say you are Logging into singlehop.com You might choose one
of the following

singlehop
SHC = SingleHop.Com
Poindexter
Frog

then choose a symbol to be used in all your passwords to separate the hash from the key, so it
might look something like this:

SHC#Ih2b&1s,twbiNY

Now you have a unique password for that site that you can easily remember. Check it out at
http://www.microsoft.com/protect/you…d/checker.mspx and you get a BEST rating.

Remember this isn’t the BEST way to secure your server, just the most basic.

STEP 2: Limit Access to Users,Services & Locations
Computers are capable of many actions and can offer multitude of services to your clients and
employees that they can access from anywhere in the world. But of course unless you protect yourself you
are also providing those things to those who want to use your server for their own purposes.

Ports are how these services communicate to the world. But not all the services you have need to be open
to the entire world. Attackers will scan machines in search for open ports to exploit. To protect yourself,
you need to make sure that you are only running services that you need to have running on a server in order
to keep your website up and be able to access it remotely.

If there are some services that you need to have running on your server but you don’t want to talk to the
rest of the world, definitely use a firewall. A firewall will block/allow ports access to and from the internet.

Once you have stopped running unneeded services, you have narrowed down the attack vectors someone
can come in through. Now you can better monitor those few openings rather than all 65353 ports on a server.

Also if there are services that not everyone should have access to, decide whether you want to limit those services
to only a few IP addresses. Your firewall can be set to only allow the IPs you choose to access those services.

There are also ways to better secure your server, by monitoring any attempts to break in and automatically blocking
attackers.

STEP 3: Always Get the Latest Updates & Patches for Your Server

As long as technology keeps changing there will always be holes and vulnerabilities and people looking to exploit them. Attackers are always changing the rules. So your operating system must always be on top of the latest changes. The other reason why you need to always perform the updates as an example, Microsoft has whats known as Patch Tuesday, the first tuesday of every month they release security updates and patches. Aside from protecting your computer from vulnerabilities, it shows attackers the holes and vulnerabilities they never knew about.

So attackers will grab the patches and reverse engineer those patches and create exploits they can use against servers that have been too lazy to update.

Linux Operating Systems are no different, they to always have updates and patches coming out but these are more frequent and unscheduled. The other added advantage of using a Linux based operating system versus a Windows Operating system (from a security standpoint) is , when you update a Windows server only the Microsoft operating system and a few key applications are updated and patched because they are maintained by Microsoft. Any third party apps you need to make sure they are patched and secure.

On the other hand though, when you update a Linux server all of the applications that got installed using the built in package manager will be updated. This makes things a lot easier.

So no matter what Operating system you choose to use the 3 basics you need to remember are

1. Use Secure Passwords/Passphrases
2. Limit Access to Services, Users & Locations.
3. Always Get the Latest Updates & Patches for Your Server

If you need any help setting these up, please contact Singlehop Support

Luis Arauz
Data Center Manager
Singlehop Services INC

SingleHop has the distinguished pleasure of being able to provide each and every one of our customers an extended network uptime guarantee. What does this mean to our very intelligent and informed customer base, you ask? It means that we’ll make sure to keep connectivity maximized for each and every point, within, to and from our network, to minimize interruptions to ongoing service. You can read more about our network hierarchy here:

http://www.singlehop.com/why_singlehop/network_hardware.php