Current state of vpsBoard 02/04/2017
Dear vpsBoard members and guests:
Over the last year or two vpsBoard activity and traffic have dwindled. I have had a change of career and interests, and as such am no longer an active member of the web hosting industry.
Due to time constraints and new interests I no longer wish to continue to maintain vpsBoard. The web site will remain only as an archive to preserve and showcase some of the great material, guides, and industry news that has been generated by members, some of whom I remain in contact with to this very day and now regard as personal friends.
I want to thank all of our members who helped make vpsBoard the fastest growing industry forum. In its prime it was an active and ripe source of activity, news, guides and just general off-topic banter and fun.
I wish all members and guests the very best, whether it be with your business or your personal projects.
I have multiple web sites (and a few other processes) I want to run in an environment that is flexible and as low maintenance as possible. This includes my sites and customer sites, production and development. Most share a common platform (Python, Django, Postgres, Linux (mostly Debian)). I need to be able to give
At the moment they are all running in separate VPSs, and some on shared hosting. The problem with multiple unmanaged VPSs is that it is a lot of stuff to manage.
I have been experimenting with running the sites on a single VPS with multiple users. It is a "cloud" one so can be scaled up as needed, and there is only one OS and shared libraries to upgrade. The problem is relying on permissions to separate sites from each other, and to give users access to sites is quite fiddly, particularly as I am paranoid enough to run app servers as a different user from the code they execute. I have not ruled it out as a solution, but it is not as straightforward as expected.
I thought of running my own VPSs on a dedi, which is cost effective, but adds one more component to manage. It gives me a lot of isolation.
I think some sort of container or jail solution will give me the best of both worlds, but I am not familiar enough with it to pick suggestions? I am willing to consider using any *nix OS, although Debian Linux is what I am most familiar with.
Resource isolation is not an issue: it will not be running anything I expect to cause problems. Easy admin and security are.
Article Link: http://krebsonsecurity.com/2016/08/the-reincarnation-of-a-bulletproof-hoster/
@HostSailor, any comments? Curious as to what the purpose of this all is.
httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:
- RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
- HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now. Here’s how.
httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.
What can happen if my web application is vulnerable?
If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:
- Proxy the outgoing HTTP requests made by the web application
- Direct the server to open outgoing connections to an address and port of their choosing
- Tie up server resources by forcing the vulnerable software to use a malicious proxy
httpoxy is extremely easy to exploit in basic form.
See here: https://httpoxy.org/
The assigned CVEs so far:
- CVE-2016-5385: PHP
- CVE-2016-5386: Go
- CVE-2016-5387: Apache HTTP Server
- CVE-2016-5388: Apache Tomcat
- CVE-2016-1000109: HHVM
- CVE-2016-1000110: Python
CloudFlare sites protected from httpoxy: https://blog.cloudflare.com/cloudflare-sites-protected-from-httpoxy/
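The namespace conflict described above, together with two mitigations (dropping the Proxy header at the server, and ignoring HTTP_PROXY under CGI in the client), as an added Python example that is not part of the original post or of httpoxy.org. The function names, header values and proxy URLs are constructed for illustration, and the two lookup functions are simplified models of client behaviour, not any library's actual code.

```python
"""Added illustration of the httpoxy namespace conflict (not from httpoxy.org)."""

# Constructed sample request: every value here is made up for the demo.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("User-Agent", "demo-client/1.0"),
    ("Proxy", "http://proxy.invalid:8080"),   # the header httpoxy abuses
]
# Proxy the operator really configured (lower-case name, set at deploy time).
OPERATOR_ENV = {"http_proxy": "http://egress.internal.example:3128"}


def cgi_environ(headers, base_env=None, strip_proxy=False):
    """Model an RFC 3875 gateway: header 'Foo-Bar' becomes HTTP_FOO_BAR.

    strip_proxy=True models the server-side mitigation of dropping the
    Proxy header before the application environment is built.
    """
    env = dict(base_env or {})
    env["REQUEST_METHOD"] = "GET"
    for name, value in headers:
        if strip_proxy and name.strip().lower() == "proxy":
            continue
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value
    return env


def naive_proxy_lookup(env):
    """Unpatched client behaviour: trust HTTP_PROXY wherever it came from."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def cgi_aware_proxy_lookup(env):
    """Client-side mitigation: under CGI (REQUEST_METHOD is set), ignore the
    upper-case HTTP_PROXY, which a request header can populate, and honour
    only lower-case http_proxy, which the gateway never generates."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


if __name__ == "__main__":
    exposed = cgi_environ(SAMPLE_HEADERS, OPERATOR_ENV)
    hardened = cgi_environ(SAMPLE_HEADERS, OPERATOR_ENV, strip_proxy=True)
    print("exposed, naive client    :", naive_proxy_lookup(exposed))
    print("exposed, CGI-aware client:", cgi_aware_proxy_lookup(exposed))
    print("hardened, naive client   :", naive_proxy_lookup(hardened))
```

Stripping the header at the web server protects every client library behind it, which is why the page recommends blocking it there first.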
So maybe you live under a rock and avoid news sites, congrats on being a rare creature and happy day to enjoy that quiet by the stream.
Rest of us have been snorting as the Panama Papers hack job matures and controlled media IV drips bits and pieces (even though they've had the data for a year or three). Terabytes of data on Panamanian offshore / money laundering operations all formed by one incorporator Mossack Fonseca, a Panamanian law firm. Now one site has called out Mossack Fonseca's website security, namely really old versions of open source software. Most notably, drumroll: Wordpress. (But Wordpress is soooooooo secure) :)
Drupal and Wordpress are implicated and both were way way old and insecure versions.
... found that the firm’s WordPress-powered site is currently running on version 4.1 (released in December 2014), based on its version of autosave.js, which is identical to the autosave.js file shipped in 4.1. Since that time WordPress has had numerous critical security updates. The main site is also loading a number of outdated scripts and plugins. Its active theme is a three-year-old version of Twenty Eleven (1.5), which oddly resides in a directory labeled for /twentyten/.
source: http://wptavern.com/outdated-and-vulnerable-wordpress-and-drupal-versions-may-have-contributed-to-the-panama-papers-breach
Do we have any resident cobblers / DIY types who are using Linux for CCTV / security related? I mean legit Linux DIY not premade embedded systems.
I am fussing with some China dump wifi cameras (read cheap). Quite interesting little units for the price (bound to be more like them). ~ $15 a camera delivered.
RTSP streaming from these and seems to be a really common software stack they are loading into lots of these China cams from many many brands.
Do we have people using the Open Source Zoneminder DVR / CCTV software? Considering trying to get Zoneminder running on one of my unused ARM boards (yes it exists for ARM also).