Hashemian Blog
Web, Finance, Technology, Running

Migrating To Cloud, Digital Ocean, Cloudflare

by @ 4:14 pm
Filed under: computers,email,internet,technology,web

When I started this site decades ago, I followed the usual path at that time for launching sites: shared hosting. There were many vendors to choose from, but nothing like the quantity and diversity of what’s available today. I registered the domain, settled on a small vendor for $5/month, got my cPanel and terminal login, and off I went.

My server didn’t have much processing juice, storage, or bandwidth compared to today’s levels, but it had plenty to host my website, email, and other services within the same account. Things were running smoothly, but as you’d guess, the account eventually started to push the envelope of the hosting limitations, and over the next few years I migrated from vendor to vendor in the perpetual quest for more resources and better prices.

Still, all this time I was a slave to the hosting companies and their rules. If my services were abused by outsiders, my account was suspended. If my site was spamvertized, my account was suspended. They’d change prices, modify account agreements, deprecate services, migrate servers, upgrade products, get merged or acquired, and I had to go with the flow.

So a few years ago I finally decided to give self-hosting a try. I signed up for Comcast Business with static IP addresses, got a decent used computer and migrated all the services to a corner of my home. I was paying more for business Internet at home but I was saving on hosting costs.

Self-hosting Server at Home

This arrangement worked fine for many years, but there were downsides too, and with the passage of time those downsides became more prominent. To cite a few:

  • Being in a residential zone, power outages are inevitable and my puny UPS couldn’t handle long blackouts, such as those arising from intense storms.
  • Computers and equipment crash or power may be cut because of workers or a tripped breaker. If there’s no one at home to power up the equipment, services would remain offline.
  • The ambient temperature must be kept at a reasonable level. That means running the A/C on hot days even if no one is at home.
  • Hardware failures would mean outages until parts could be replaced and of course a good backup strategy is a must.
  • Software updates are necessary to support the latest or minimum required protocols or to patch vulnerabilities. For example, making sure that TLS 1.2 or IPv6 are supported, or patching the Shellshock or Heartbleed bugs.
  • Monitoring and battling abusers and hackers becomes a stressful daily job.
  • With the static IP, it becomes impossible to be even slightly anonymous while surfing, unless one pays for a separate internet service.

In short, self-hosting became way too onerous and the cloud had finally reached a robust point where migrating back to providers could be a prudent move once again.

The first service to be migrated was email. I have covered the email migration to Google Workspaces in a previous post and have not looked back. The stress relief was almost immediate.

A few months later it was time to migrate the web services. For hosting I chose Digital Ocean. I had used Digital Ocean before for my day job and was impressed with their facilities and prices. Unlike the bigger players in the cloud space such as AWS or Azure, which can inundate users with options, Digital Ocean has simple and straightforward options and pricing to choose from. I quickly set up a droplet (their parlance for a virtual server), transferred the files over, tested the web services, fixed the errors and incompatibilities, and finally put the server into production. (My referral link: Get $100 credit with Digital Ocean.)

Shutting down the home server for the last time was a bittersweet moment, but there was no turning back, and there was a tremendous feeling of relief.

The final piece of this project came with the addition of Cloudflare. Essentially, Cloudflare is a web acceleration and SSL/TLS termination service, and they have a lot of free services for small operators. A few noteworthy advantages of Cloudflare are:

  • IPv6 reach. If a website is only available on IPv4, suddenly it’ll be accessible to all IPv6 clients as well.
  • Powerful and flexible firewalling and security capabilities, including DDoS handling.
  • Latest TLS and HTTP protocols.
  • Powerful web caching and acceleration features with automatic CDN.
  • Reliable and fast DNS hosting.
  • Web analytics.

A few months have now passed since I moved my server to the cloud, and perhaps the only regret is not doing it sooner. I am saving money by using less power at home, terminating the static IPs, and downgrading to a lower internet speed. But more importantly, I am saving my sanity by drastically reducing the stress of maintaining my own server.

Also, with the static IPs gone, I can now replace the Comcast-assigned cable modem with my own modem and hopefully save even more money every month. But that’s another project and maybe another post.

What The Linux Ghost Bug Teaches

by @ 6:07 pm
Filed under: computers,hacking

A couple of weeks ago it was revealed that a known Linux bug, Ghost (short-ish for the gethostbyname() function in older glibc library versions), is riskier than previously thought. So the internet became abuzz with warnings to those who might not have updated their Linux distros.

I have several versions of Fedora running on various machines and updating them was simply not an option. Unfortunately they are also too old and patches are no longer available. But here comes the beauty of Linux, the open source code model. Combine that with a virtual server like Hyper-V and you have all the tools you need to create the patch yourself.

This is what I did to create patches for one of my platforms:

  • Created a guest virtual machine on the virtual server.
  • Downloaded the needed version of Fedora from this archive.
  • Installed the OS on the guest machine.
  • Downloaded the appropriate source code version of glibc. rpmfind.net is a good place to find many source code packages.
  • After installing all tools and libraries necessary to compile and build glibc, I used this StackExchange post as a guide to patch the C files based on the documented modifications and built the rpm package.
  • After installing and testing the newly built glibc library on the guest machine, I copied the rpm files to the production machine and installed them.
  • After a reboot, the bug was patched.

C code

Now many would object to running an older and unsupported version of Linux in production, but I am not so sure that jumping to every new version as soon as it is released contributes to additional safety. Staying with older versions does make the job of patching these sorts of bugs more cumbersome, but there's something to be said for the educational value of patching these bugs at a more basic level than just running the yum or apt-get commands. I, for one, learned quite a bit from this exercise.


PHP - echo'ing String Fragments Using Periods Vs. Commas

by @ 10:18 pm
Filed under: computers

One of the mysteries of PHP's echo function is the supposed equal treatment of multiple strings separated by periods (.) vs. those separated by commas (,). Actually echo is a language construct, but I digress. In both cases echo appears to concatenate the string fragments and output the resulting string.

In actuality, the period is the real concatenation operator in PHP. The comma on the other hand signifies echo's ability to accept variable-length arguments. Judging by Google search, most people just accept the fact that they can use either periods or commas with the echo function to get the job done.

But there's a subtle difference that's mostly overlooked because it rarely mucks up the results. Take a look at the two code lines below. You might expect to see 12 for both cases, but that is not so.

php echo

The reason is that with periods, some or all expressions are evaluated first and the results are concatenated; only then does echo output the fully concatenated string. With commas, echo walks the argument list, evaluating each expression and spitting out its result as it goes along.

Klaatu-Barada-Nikto, The Original Ctrl-Alt-Del

by @ 2:58 pm
Filed under: computers,microsoft,space

I was watching the classic 1951 movie, The Day the Earth Stood Still, and found it amusing that the command Klaatu-Barada-Nikto, given to the robot Gort by actress Patricia Neal, almost had the same effect as Ctrl-Alt-Del has on many computers today.

In that scene, the robot was on the verge of rampaging and destroying Earth when the actress was able to reset it by giving it the voice command, Klaatu-Barada-Nikto.

I wonder if the Microsoft guys had seen that movie when they came up with the Ctrl-Alt-Del keyboard combination to reboot a computer.

Strangely, I had never heard of this movie nor the voice command which seems to have a high degree of cult fame, nor the actress Patricia Neal whom I found to be particularly beautiful.


Linux Shellshock Bash Bug Workaround

by @ 12:55 pm
Filed under: computers,hacking,internet

The warnings about the shellshock bash bug are ominous and not unfounded. This is perhaps a greater risk than Heartbleed. Here are the gory details of this bug.

To test your system for this bug run the following command from the shell:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see the word 'vulnerable' anywhere in the output, like below, you have the bug.

shellshock bash bug

Because bash is such a fundamental part of Linux/Unix, used in so many ways and so prevalent, it wouldn't be that difficult for malicious hackers to use this bug to penetrate a machine and do all kinds of bad things, including completely taking over the machine. Web sites would be the most obvious target of such attacks.
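Since web servers pass request headers to CGI programs as environment variables, the marker a vulnerable bash looked for (a value beginning with "() {") is something a defender can look for in incoming requests. Here is an added C example, not from the post or from Red Hat, that checks constructed header lines for that marker; the header samples and function names are my own, and the probe string is the same harmless one used in the test command above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Marker bash looked for when importing a function definition from an
 * environment variable: the value had to begin with exactly "() {". */
static const char FUNC_DEF_MARKER[] = "() {";

/* Returns 1 when a header value carries the Shellshock marker, else 0.
 * CGI exports headers such as User-Agent and Cookie into the environment,
 * so a value starting this way is exactly what a vulnerable bash parsed. */
int has_function_def_marker(const char *value) {
    return strncmp(value, FUNC_DEF_MARKER, strlen(FUNC_DEF_MARKER)) == 0;
}

/* Splits a "Name: value" request header line and tests the value part.
 * Lines without a colon are not headers and are ignored. */
int header_line_is_suspicious(const char *line) {
    const char *sep = strchr(line, ':');
    if (sep == NULL)
        return 0;
    sep++;
    while (*sep == ' ' || *sep == '\t')   /* skip whitespace after ':' */
        sep++;
    return has_function_def_marker(sep);
}

/* Counts suspicious header lines in one request. */
size_t count_suspicious_headers(const char *const *lines, size_t n) {
    size_t hits = 0, i;
    for (i = 0; i < n; i++)
        hits += header_line_is_suspicious(lines[i]) ? 1 : 0;
    return hits;
}

/* Constructed sample request: two benign headers and one carrying the
 * probe string from the bash test command. */
const char *const SAMPLE_HEADERS[] = {
    "Host: example.com",
    "User-Agent: () { :;}; echo vulnerable",
    "Accept: text/html",
};
const size_t SAMPLE_HEADER_COUNT = sizeof SAMPLE_HEADERS / sizeof SAMPLE_HEADERS[0];

int main(void) {
    size_t i;
    for (i = 0; i < SAMPLE_HEADER_COUNT; i++)
        printf("%-10s %s\n", header_line_is_suspicious(SAMPLE_HEADERS[i]) ? "SUSPICIOUS" : "ok",
               SAMPLE_HEADERS[i]);
    printf("%zu suspicious header(s)\n", count_suspicious_headers(SAMPLE_HEADERS, SAMPLE_HEADER_COUNT));
    return 0;
}
```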

Now how to fix this. New bash versions with the bug patched have become available so users can update bash and be done. But this is not as easy to do for everyone. Some people may have older, obsolete versions of Linux, so they may not find the new patched bash version. They would need to get the source code and the patches, and then build and install it themselves. Yes, I know everyone should be on the latest version of everything, and I am guilty as charged, but let's dispense with the tarring and feathering for now.

Red Hat however, in its haste and panic, had released a workaround on this page with a small block of C code that, once installed, would disable function definitions and therefore mitigate this risk. They called it dangerous because one must assume this workaround would disable a legitimate feature of bash and possibly cause system failure if it were being used. Unfortunately, a while later this workaround vanished (Update: actually here is the Red Hat page for LD_PRELOAD mitigation. I don't know, maybe the page never vanished at all. Just use the steps on that page then), but not before I had availed myself of it. For me, the ease and speed of its deployment made it worth a try. And here are the steps.

1- Put the following C code in a new file, bash_ld_preload.c.

#include <sys/types.h>
#include <stdlib.h>
#include <string.h>

/* Marked as a constructor so it runs when the library is loaded via
 * /etc/ld.so.preload, before the program's main() and therefore before
 * bash gets a chance to import functions from the environment. */
static void __attribute__ ((constructor)) strip_env(void);
extern char **environ;

static void strip_env(void) {
  char *c;
  int i;

  /* Walk every "NAME=value" entry of the environment. */
  for (i = 0; environ[i] != NULL; i++) {
    /* A value starting with "() {" is what bash treats as an exported
     * function definition. Terminate the string right after "=(" so the
     * value no longer looks like a function and bash ignores it. */
    c = strstr(environ[i], "=() {");
    if (c != NULL) {
      *(c+2) = '\0';
    }
  }
}

2- Compile bash_ld_preload.c to get bash_ld_preload.so using the following command.

$ gcc bash_ld_preload.c -fPIC -shared -Wl,-soname,bash_ld_preload.so.1 -o bash_ld_preload.so

3- Copy bash_ld_preload.so to the /lib/ directory like so:

$ cp bash_ld_preload.so /lib/

4- Add the following to the file /etc/ld.so.preload on a line by itself:

/lib/bash_ld_preload.so

5- Restart all relevant services or just reboot the system to be sure.


There you have it. I deployed this on several machines that run various applications. It killed the bug and there were no adverse effects. That means that those machines were not using the function definition feature of bash. Of course at some point we may write code or install applications that need to use this feature and if we have forgotten about this workaround, there will be a lot of head-scratching.

So, use the above workaround at your own risk. It will probably work for you, but the best approach as always is to update your platform and of course your version of bash.

Apple Hitting Lows

by @ 12:36 pm
Filed under: business,computers,technology

Apple shares hit a 52-week low today, nearing $400/share, even below some of the price points from when Steve Jobs was alive. The news surrounding Apple isn't very rosy. iPhone continues to lose market share to Google's Android, iTunes is losing market share to Amazon, and the PC/laptop markets are shrinking in general, dragging Apple down along the way. Analysts aren't predicting a good quarterly report next week.

Now I admit to not being an Apple fan but the one force that was keeping the company firing on all cylinders was Steve Jobs and that is undeniable. When he was there the first time, the company was doing exceptionally well, when he was forced out Apple became a dud, then he returned and Apple came roaring back.

Now Jobs is gone once again and Apple continues on the momentum that he brought with him but that momentum is naturally wearing off. Jobs was a genius and a visionary and it is because of him that Apple has continued to do well much longer than I had anticipated. But eventually the vacuum of vision and innovation must show its effects.

I do wish the company well, but companies don't thrive on well wishes. Jobs was the secret sauce behind the resurgence of Apple, and without him the inevitable must now happen. Apple will no doubt survive, but thriving doesn't seem to be in the cards.

Man outsources coding to China

by @ 5:16 pm
Filed under: business,computers

Love this story. Software developers are certainly infamous for being lazy. Most of us are, and that drives us to write code to automate things or write utilities to give to others to perform certain tasks. It's all about finding clever ways to make things easier for us and our employers.

But one guy took it one step further and secretly outsourced his coding responsibilities to a Chinese firm paying them a fraction of his salary and spending his own days having fun. His employer was oblivious to this for years until they ran an audit and discovered the scheme.

The blog post below is really about this coder's exploits and a cautionary tale for others to keep tabs on their networks. Still a part of me wants to high-five him for his cleverness right up to the point he was caught.

Verizon Business Security Blog » Blog Archive » Case Study: Pro-active Log Review Might Be A Good Idea.

Year 2038 problem

by @ 9:11 pm
Filed under: computers

25 years from now we could be dealing with an issue similar to the Y2K issue: the year 2038 problem.

This problem was brought to my attention by user 'Ken' commenting on the countdown tool page on this site. Basically, *nix systems keep time as a 32-bit integer counting seconds since Jan. 1, 1970. On Jan. 19, 2038 the 32-bit integer will overflow, resetting to 0, and many systems may interpret that as year 1901.

Certainly a vexing issue, but one with some time remaining to resolve. Even better, some of us will either be retired or simply no longer around to worry about it at all.

A number of fixes and workarounds have been proposed, chief among them using a 64-bit integer to keep time. That will do quite nicely, and we won't have to worry about the rollover issue for some 292 billion years 🙂
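To make the rollover concrete, here is an added C example (my own, not part of the original post) that emulates a signed 32-bit time_t next to the host's 64-bit one and prints the exact second the 32-bit clock runs out, what it reads one second later, and how long 64 bits last. It assumes a 64-bit time_t on the host (as on 64-bit Linux) and uses the average Gregorian year of 31556952 seconds for the headroom figure.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Emulate what a signed 32-bit time_t does with a 64-bit second count:
 * keep only the low 32 bits and reinterpret them as two's complement. */
int64_t wrap_time32(int64_t secs) {
    uint32_t low = (uint32_t)secs;                 /* well-defined modulo 2^32 */
    return low >= 0x80000000u ? (int64_t)low - 0x100000000LL : (int64_t)low;
}

/* UTC calendar year of a second count using the host's time_t.
 * Assumes time_t is 64 bits; returns -1 if gmtime() cannot convert it. */
int utc_year(int64_t secs) {
    time_t t = (time_t)secs;
    struct tm *tm = gmtime(&t);
    return tm ? tm->tm_year + 1900 : -1;
}

/* Format a second count as "YYYY-MM-DD HH:MM:SS" UTC into buf. */
const char *utc_string(int64_t secs, char *buf, size_t len) {
    time_t t = (time_t)secs;
    struct tm *tm = gmtime(&t);
    if (!tm || strftime(buf, len, "%Y-%m-%d %H:%M:%S", tm) == 0)
        return "(unrepresentable)";
    return buf;
}

/* Years a 64-bit time_t can count, at 31556952 seconds per average year. */
int64_t time64_headroom_years(void) {
    return INT64_MAX / 31556952LL;
}

int main(void) {
    char buf[32];
    int64_t last = INT32_MAX;   /* last second a signed 32-bit time_t can hold */
    int64_t next = last + 1;    /* one second later, counted in 64 bits */

    printf("32-bit time_t runs out at        %s UTC\n", utc_string(last, buf, sizeof buf));
    printf("one second later 64-bit reads    %s UTC\n", utc_string(next, buf, sizeof buf));
    printf("one second later 32-bit reads    %s UTC\n",
           utc_string(wrap_time32(next), buf, sizeof buf));
    printf("64-bit time_t lasts about %" PRId64 " years\n", time64_headroom_years());
    return 0;
}
```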

Disabling SELinux

by @ 6:16 pm
Filed under: computers,hacking

I know it's sacrilegious for some to disable a security feature on a platform, but SELinux (an enhanced Linux security feature) has left me no choice but to do exactly that on Linux.

SELinux was added to Linux to give it additional security measures beyond what it inherited from Unix. By default, many Linux distros such as Fedora have SELinux built into their kernels and enabled upon install.

The issue is that SELinux can be so restricting and obsessive about curbing malicious activity that it also hinders normal operations, leading to server stress or errors. Having been bitten by SELinux multiple times, I have vowed to deactivate it every time I install Linux on a host. The one time I forgot to disable it, the Varnish server I had set up for my company nearly died, taking the company's web site along for the ride. Looking inside the messages file, this arcane message is what I saw in prodigious numbers:

setroubleshoot: SELinux is preventing irqbalance from mmap_zero access on the memprotect Unknown. For complete SELinux messages. run sealert -l efce…

I know the security sticklers would accuse me of not setting up SELinux correctly, and for the record SELinux is very configurable. But my favorite setting for SELinux is disabling it in the /etc/selinux/config file by setting SELINUX=disabled.

I have neither the time nor the inclination to learn every minutia of SELinux, which may or may not protect my hosts completely anyway. The old-fashioned file permissions, file ownership, suexec, sudo, suid, running daemons with least privilege, and a good dose of firewalling are good enough for me. Feel free to disagree.

Apple Discrimination

by @ 5:14 pm
Filed under: computers,politics

A few weeks ago my children dragged me, kicking and screaming, into the local mall's Apple store, where I bought them each a Macbook, a cheap Linux knock-off in a shiny skin.

I am a devout Apple-hater and have been so since 1988 when I had to write a LISP program on a Macintosh desktop. Nothing this company does or produces has ever looked remotely exciting or interesting to me and let's not even get started with the ridiculous prices. I personally own nothing from this company and am proud of that fact.

I could have bought my children very nice Windows laptops at a third of the price, but that wasn't an option. Apple seems to have plenty of people under its spell. They can sell them street garbage stamped with the bitten-apple image like it's some magical product from Venus.

Since Apple has the policy of not selling to Iranian-Americans, I just wonder where the Apple police were on the day I wasted my hard-earned money on their junk.

Apple sucks. Always has, and probably always will.

© 2001-2021 Robert Hashemian   Powered by Hashemian.com