Blogs detailing technical administration tasks related to cloud-hosted virtual private servers with Linux or Windows operating systems

How To Disable TLS 1.0 & TLS 1.1 on a Windows Server, VPS or Cloud VM

We have talked extensively about Google's, Microsoft's and PCI's push to create a more secure internet: from supporting an open-source SSL certificate initiative like Let’s Encrypt to showing a “Not Secure” warning when visiting any HTTP site through Chrome, IE and Mozilla. Those of you who are running an e-commerce site are familiar with PCI and already know that PCI has deprecated TLS 1.0 and TLS 1.1, so the minimum requirement is TLS 1.2 and the gold standard is TLS 1.3. For those of you who are not familiar with PCI, you can find out more here.

Transport Layer Security (TLS) is a critical part of a secure online transaction between two systems, as it secures communications by authenticating one or both systems. Serious vulnerabilities prompted PCI to deprecate SSL/early TLS on 30 June 2018. So if you are using a Windows server, Windows VPS or Windows cloud VM, you can do your part and be an agent of change by disabling TLS 1.0 and TLS 1.1 on your server. Doing so not only secures your server but also forces others who are still using SSL/early TLS to make the switch to a more secure encryption technology.

Here are the step-by-step instructions for disabling TLS 1.0 and TLS 1.1 on a Windows server:

  1. Open Registry Editor: click the Start button, type Regedit, and press Enter. Because we are editing the registry, we strongly suggest backing up its current state first; a mistaken registry edit can have detrimental effects on your system. (In Regedit, highlight Computer >> File >> Export >> save the file to a location of your choice.)
  2. In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server (or TLS 1.1)

  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK.

Note: if this value is already present, double-click it to edit its current value.

  6. Type 00000000 in the Binary Editor to set the value of the new entry to 0.
  7. Click OK, then restart the server.
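The same change expressed as a script, added here as an example and not part of the original post: it plans the SCHANNEL registry values, writes them with Python's standard winreg module when run on Windows from an elevated prompt, and reads them back to report any drift. It goes beyond the steps above in two ways that follow Microsoft's SCHANNEL documentation: it also sets DisabledByDefault to 1 alongside Enabled = 0, and it covers the Client subkey as well as Server, so the machine neither accepts nor offers TLS 1.0/1.1. The function names and the drift-report format are this example's own. On a non-Windows host it only prints the planned entries.

```python
"""Plan, apply and audit the SCHANNEL registry values that disable TLS 1.0 and
TLS 1.1 on Windows.  Added example, not from the original post.  Beyond the
post's Enabled=0 step it also sets DisabledByDefault=1 and covers the Client
subkey, as Microsoft's SCHANNEL documentation recommends."""
import sys

SCHANNEL = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
LEGACY_PROTOCOLS = ("TLS 1.0", "TLS 1.1")
ROLES = ("Server", "Client")


def plan_registry_changes(protocols=LEGACY_PROTOCOLS, roles=ROLES):
    """Return (subkey under HKLM, value name, DWORD value) triples to write."""
    changes = []
    for proto in protocols:
        for role in roles:
            subkey = "\\".join((SCHANNEL, proto, role))
            changes.append((subkey, "Enabled", 0))            # the post's step
            changes.append((subkey, "DisabledByDefault", 1))  # extra: never chosen by default
    return changes


def apply_plan(changes):
    """Write the values.  Windows only; run from an elevated prompt."""
    import winreg  # standard library, but only present on Windows
    for subkey, name, value in changes:
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_WRITE) as key:
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, value)


def audit_plan(changes):
    """Return (subkey, name, current, expected) for entries missing or different."""
    import winreg
    drift = []
    for subkey, name, expected in changes:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_READ) as key:
                current, _ = winreg.QueryValueEx(key, name)
        except FileNotFoundError:          # key or value does not exist yet
            current = None
        if current != expected:
            drift.append((subkey, name, current, expected))
    return drift


if __name__ == "__main__":
    plan = plan_registry_changes()
    if sys.platform != "win32":
        for subkey, name, value in plan:   # dry run: just show what would be written
            print("HKLM\\" + subkey, name, "=", value)
    else:
        apply_plan(plan)
        print("drift after apply:", audit_plan(plan))
        print("a reboot is required for SCHANNEL to pick up the change")
```

Run audit_plan on its own to check a server you did not configure yourself; an empty list means every entry matches. Before applying the Client entries, confirm that software on the server that acts as a TLS client (for example older .NET applications, which can default to TLS 1.0) is able to use TLS 1.2, or those outbound connections will start failing after the reboot.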

How To Configure Remote Desktop On Linux VPS / VM

A desktop environment is a bundle of programs that provides a graphical user interface (GUI). It gives end-users a user-friendly and intuitive way to interact with computers. When it comes to virtual private servers (VPS) or Cloud Servers, if you need a remote desktop environment you typically go with a Windows VPS, where you can simply use predefined applications and services to RDP to the Windows server. With a Linux VPS you are typically given SSH access to manage and configure your server; most Linux system administrators are comfortable managing their VPS over SSH, but sometimes a desktop environment is required during an application installation.

Unlike Windows and Mac, on Linux you have many different desktop environments to choose from, such as GNOME, Cinnamon, KDE, MATE and XFCE. More often than not (depending on the desktop environment) you need console access to complete the desktop environment installation and setup on your VPS or hosted server. Here at Cirrus Hosting every Cloud VPS/VM comes with console access free of charge.

XFCE is a light, fast and stable desktop environment, and in this blog we will cover how to set up XFCE on Debian 10.3 and remote desktop to your Linux VPS.

It’s a fairly simple and straightforward process: first SSH to your server and type:

# apt install xfce4

The apt package manager will download and install all the required packages. Once the installation is complete we need to set up VNC server software. In this example we are going to use tightvncserver:

# apt-get install tightvncserver

After the installation completes, run the server; the first time you do, you will be asked to create a password for access to your desktop.

# vncserver

To connect remotely to your desktop environment you can use VNC Viewer. Type your server's IP address and the password you created earlier to access your desktop.

Colocation Data Center with Cirrus Hosting – In the Age of COVID-19 Pandemic

IT professionals constantly perform risk assessments to identify and adjust their security and operational strategy. However, a pandemic like COVID-19 presents a different set of challenges, as non-essential businesses are urged to close and employees are directed to work from home. This pandemic poses a range of serious challenges in terms of managing, monitoring, security and business continuity, specifically for on-premise server setups: your IT team might not be able to go to the site to physically access the servers, you might not have enough bandwidth to support remote access as more people are instructed to stay home and work remotely, or you might not be able to upgrade your gear and increase your pipeline.

In this post, I would like to highlight some of the features of colocation with Cirrus Hosting, at our prime downtown location.

  • Reduced downtime: Here at Cirrus Hosting we have significantly improved our capacity and peak throughput by upgrading our core routers and networking gear. We have also increased our pipeline almost tenfold. We utilize multiple major upstream providers to ensure continuous Internet connectivity, greater route diversity and ultimately enhanced internet performance. In terms of electricity, our data center has two feeders from a substation, multiple backup generators (with separate generators supporting the cooling infrastructure) and automatic transfer switches.
  • Security: The downtown facility is SSAE 16 SOC 1 Type 2 audited. There are multiple layers of security in place to protect your assets, such as a 24/7 on-site security guard, a tailgate-proof mantrap, key card and biometric access, and CCTV. You also have the option to work with our network security team to implement firewalls and intrusion detection and prevention solutions.
  • Flexibility: You do not need to worry about a lack of expansion capacity; we have ample space for your future needs with 20k sq ft of space. You can add cabinets, power circuits and bandwidth as your business needs grow. This flexibility enables you to make long-term plans without requiring a substantial upfront cost.

As you know, in many regions co-location facilities are deemed essential services and their staff are exempt. You can take advantage of our remote hands services and extend your team by adding on-site expert technicians who are ready to assist you at the datacenter, with services like swapping removable media, racking and stacking equipment, and visual verification for remote troubleshooting.

To find out more about our colocation plans please visit here or call 1.877.624.7787

About Cirrus Hosting

Cirrus Tech Ltd. has been a leader in providing affordable, dependable cloud hosting as well as website hosting services in Canada since 1999. They have hosted and supported hundreds of thousands of websites and applications for Canadian businesses and clients around the world. As a BBB member with an A+ rating, Cirrus Hosting is a top-notch Canadian web hosting company with professional support, rigorous reliability and easily upgradable VPS solutions that grow right alongside your business.

Payment Card Industry – PCI Compliance

If you are running an e-commerce business, chances are you have heard about PCI compliance. The goal of PCI is to set security standards for safer online payments. The Payment Card Industry Security Standards Council developed a security standard called the Payment Card Industry Data Security Standard (PCI DSS) to be incorporated into the data security compliance programs of credit card issuers like MasterCard, Visa, American Express and many more.

If you accept online payments, that is, collect, process and store credit card information, you are required to adhere to the set of standards set by the PCI Standards Council. Failure to adhere to PCI compliance might result in fines and penalties, legal costs, loss of customer confidence and loss of revenue.

PCI compliance is a continuous process: as a business owner you need to continually Assess your online payment process and analyze server vulnerabilities, Remediate the vulnerabilities by applying security patches, and Report by submitting a quarterly scan report to your acquiring financial institution. Most of the PCI compliance requirements are common-sense security measures such as:

  • Configure and manage your firewall
  • Install an SSL certificate
  • Control and monitor the server/data access
  • Update the OS and Antivirus regularly
  • Regularly test the servers and apply security patches as soon as they become available

To become PCI compliant you are required to go through an audit process; many approved scanning vendors in the market conduct the external vulnerability scanning service that validates that you meet the standards set by the PCI DSS.

At Cirrus Hosting we offer a wide range of services, including dedicated servers and public and private cloud, so you can customize a solution based on your requirements to host your sensitive financial information. Our data center in downtown Toronto is PCI compliant, and our knowledgeable technicians can help you through the challenging process of passing a vulnerability scan.

Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attack

As our dependence on computers and network connectivity grows, so do the vulnerabilities and the risk of falling victim to a costly cyber-attack. We tend to forget that most computer systems and their underlying technologies are susceptible to cyber-attacks. According to Kaspersky researchers, Denial of Service (DoS) and Distributed Denial of Service (DDoS) were the most prevalent type of cyber-attack in 2019. But what is a Denial of Service attack? A DoS attack is a malicious attempt to slow down a website or computer, or render it unavailable, by flooding a server or network with a large number of simultaneous requests. When the network and computer resources are exhausted, the victim’s system is unable to fulfill legitimate requests and the victim’s website or computer becomes inaccessible. A DDoS attack is more sophisticated, as it uses hundreds or even millions of compromised devices to launch a Denial of Service attack.

Here is a list of the most common DoS attacks:

  • SYN Flood: A SYN flood targets the TCP layer. To establish a connection in a TCP/IP network a three-way handshake is used, in which the client and server exchange SYNchronize and ACKnowledge packets (SYN, SYN-ACK, ACK). Attackers hit the server with a series of SYN requests; the server responds to each with a SYN-ACK and keeps a half-open connection waiting for the client's final ACK. In other words, attackers create many half-open connections with the server in an attempt to exhaust system resources to the point that the system becomes unresponsive to legitimate traffic.
  • UDP Flood: It targets the User Datagram Protocol (UDP). Unlike TCP, UDP does not require a three-way handshake; however, when the server receives a UDP packet on a specific port, it first looks for an application listening on that port, and if no application is receiving packets there, the server responds with an Internet Control Message Protocol (ICMP) message notifying the client that the destination was unreachable. When attackers launch their attack by sending a series of UDP packets to random ports, the server has to go through the above-mentioned process for each one; as a result the system is forced to send many ICMP packets, to the point that the server becomes unreachable to legitimate clients.
  • HTTP Flood: This is an application-layer attack. Normally an HTTP client (a web browser) sends an HTTP GET or POST request to the application or web server. In an HTTP GET flood, attackers use multiple bots to send GET requests that retrieve large images, documents or files from the server. In an HTTP POST attack they try to trigger a complex and resource-intensive process like a database search. In both cases the web server is overwhelmed and unable to service legitimate requests.

According to Kaspersky, in 2019 84% of DoS attacks were SYN floods, 8.9% UDP floods and 3.3% HTTP floods. Due to the nature of these attacks no organization is 100% immune. One of the most high-profile DDoS attacks in 2018 was the one against GitHub: attackers launched a first wave that peaked at 1.35 Tbps, followed by a 400 Gbps secondary attack that brought down the host. In a separate incident, in September 2016, OVH was under a DDoS attack peaking at over 600 Gbps, which affected their operations.

The reality is that, due to the nature of DDoS attacks, no one is 100% immune; however, there are various DDoS mitigation and resilience options available to reduce their impact.

  • Over-provisioning: increasing bandwidth capacity improves resilience against low- to mid-volume DoS attacks and buys much-needed extra time to take action to mitigate the attack. At the server level, extra resources combined with solutions like mod_evasive are a good place to start.
  • Cloud DDoS mitigation services, whereby the incoming traffic goes through a third-party network that has much bigger bandwidth, which means it absorbs the attack before it reaches your server. These providers specialize in early DoS attack detection and mitigation.
  • A hybrid solution: for an enterprise organization, a hybrid solution combining cloud and on-premise DDoS mitigation strikes a balance between security and flexibility.
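As an added example that is not part of the original post and is not mod_evasive's own code, the following Python script shows the kind of per-client rate check that mod_evasive performs in-process, run over a few constructed Apache access-log lines. It serves both the HTTP flood description above and the mod_evasive recommendation in the mitigation list: a client that exceeds a per-page or per-site request count inside a short sliding window is flagged, while the well-behaved client passes. The IP addresses, log lines, thresholds and reason labels are all constructed for the example; the threshold names echo mod_evasive's DOSPageCount/DOSPageInterval and DOSSiteCount/DOSSiteInterval settings but the defaults here are the script's own.

```python
"""Per-client request-rate detector for HTTP floods, run over constructed
Apache access-log lines.  Added example, not from the original post and not
mod_evasive's code; it mirrors the page/site thresholds mod_evasive applies."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_floods(lines, page_count=10, page_interval=1.0, site_count=50, site_interval=1.0):
    """Sliding-window rate check per client, in log (chronological) order.

    page: more than `page_count` hits on the same path within `page_interval` seconds
    site: more than `site_count` hits on any path within `site_interval` seconds
    Returns {ip: set of reasons} for clients that crossed a threshold.
    """
    per_site = defaultdict(deque)   # ip -> timestamps inside the window
    per_page = defaultdict(deque)   # (ip, path) -> timestamps inside the window
    flagged = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # unparsable lines are skipped, not counted
        ts, ip, path = rec["ts"], rec["ip"], rec["path"]
        for key, window, limit, reason, store in (
            (ip, site_interval, site_count, "site", per_site),
            ((ip, path), page_interval, page_count, "page:" + path, per_page),
        ):
            dq = store[key]
            dq.append(ts)
            while (ts - dq[0]).total_seconds() > window:   # drop hits older than the window
                dq.popleft()
            if len(dq) > limit:
                flagged[ip].add(reason)
    return dict(flagged)


def make_sample_log():
    """Constructed sample: one well-behaved client and one flooding client."""
    lines = []
    for sec in range(0, 30, 3):      # 203.0.113.7: a request every 3 seconds
        lines.append(
            f'203.0.113.7 - - [10/Mar/2020:12:00:{sec:02d} +0000] '
            '"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
        )
        if sec == 3:                 # 198.51.100.9: 60 POSTs inside one second
            lines.extend(
                '198.51.100.9 - - [10/Mar/2020:12:00:05 +0000] '
                '"POST /search HTTP/1.1" 200 30 "-" "curl/7.64.0"'
                for _ in range(60)
            )
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for ip, reasons in detect_floods(make_sample_log()).items():
        print(ip, sorted(reasons))
```

Only the HTTP flood is visible this way: SYN and UDP floods never reach the web server's access log, so they have to be spotted from network or kernel-level counters and absorbed upstream, which is where the cloud and hybrid options above come in.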

Here at Cirrus Tech. we continuously monitor and improve our infrastructure. In order to increase our resilience against DDoS attacks, we have significantly improved our capacity and peak throughput by upgrading our core routers and networking gear. We are on track to increase our pipeline almost tenfold by the end of 2019. We recommend that our web hosting clients scan their website, application and plugins and eliminate any vulnerability from their website, and keep their PHP, WordPress and plugins up-to-date. We also suggest that our Linux VPS and Cloud VM clients configure mod_evasive; if you lack the expertise, you can contact our support team for assistance and recommendations.

New Vulnerability in Exim Mail Server, CVE-2019-16928, cPanel & WHM Patch Is Out

National Vulnerability Database (NVD) posted a warning on 27/09/2019 about a new vulnerability affecting Exim versions 4.92 to 4.92.2; to read more please click here. For those of you who are not familiar with Exim, Exim is an open-source message transfer system whose main task is to accept messages from a source and deliver them to their final destinations (a remote host or a program). Since cPanel & WHM uses Exim, this vulnerability could affect any server running cPanel & WHM or any Linux server running the Exim mail server. We advise you to upgrade your cPanel & WHM by taking the following steps in the WebHost Manager interface:

WHM >> Home >> cPanel >> Upgrade to Latest Version

If you have subscribed to our Management plan III or IV, we will be scheduling a management task to update your cPanel & WHM.

What Is a Web Server?

A web server is software running on a dedicated, virtual or embedded server that is capable of delivering data requested over the web. Typically the web server's task is to process and deliver requested information (website contents and data) that is stored on the server. Thanks to the uptick in Internet of Things (IoT) adoption, web servers are now embedded in smart devices such as wireless security cameras, fridges and thermostats so that you can manage and monitor your devices over your network.

Some of the well-known web servers are Apache, NGINX and IIS; the most common communication protocol used between the browser and the web server is the Hypertext Transfer Protocol (HTTP). Once the web server receives your request it fetches the requested data (document, image or files) and sends it back to the browser.

Vulnerability in Exim mail server, CVE-2019-10149, cPanel & WHM patch is out

National Vulnerability Database (NVD) posted a warning on 06/05/2019 about a flaw found in Exim versions 4.87 to 4.91; to read more please click here. For those of you who are not familiar with Exim, Exim is an open-source message transfer system whose main task is to accept messages from a source and deliver them to their final destinations (a remote host or a program). Since cPanel & WHM uses Exim, this exploit could affect any server running cPanel & WHM below v78.0.27. We advise you to upgrade your cPanel & WHM by taking the following steps in the WebHost Manager interface:

WHM >> Home >> cPanel >> Upgrade to Latest Version

Individual Linux distros also released their patches, for more information please refer to Debian, OpenSuse, and Red Hat.

How to update my VPS and how to upgrade my Control panel

The most important task of every server administrator or web admin is to keep the OS (Windows or Linux), applications and control panel up-to-date. This not only makes your infrastructure more secure but also lets you take advantage of new features. Microsoft and other software companies are constantly releasing patches to fix vulnerabilities; applying them in a timely manner increases your server's security significantly and saves you the time and money of restoring your server from backup. If you are using a control panel to manage your website and emails, then you should keep Plesk or cPanel up-to-date, not only to keep your site secure but also to take advantage of the latest applications and tools offered by Plesk and cPanel. In this blog I cover how to update the OS and Plesk / cPanel.

  • Updating Windows 2012/2016 VPS: As you know, Microsoft Windows can download and install OS updates automatically; however, as a server or web admin you will prefer to manage server load and have a say in how and when updates are downloaded and installed and when the server is rebooted.
    1. RDP to your VPS as Administrator, or with your own username and password if you have administrative privileges
    2. Click on Start, or point your mouse to the lower-right corner of the screen and click on Search
    3. Type “Windows Update” and click on “Windows Update”
    4. Click on Check for updates; Windows looks for the latest updates available.
    5. You have the option to review the available updates: you can either install all of them or select those you would like to install at this time. Click on Update and install.
  • Updating Linux VPS: A Linux update is simple and straightforward
    1. Launch a terminal emulator like PuTTY and SSH in to your Linux VPS
    2. To update the server, type the following:
       RHEL / CentOS:  # yum -y update
       Ubuntu:         # apt-get update && apt-get upgrade
  • Upgrading Plesk to the next release: Upgrading the control panel is a bit tricky. To be safe, I suggest that you take a backup of your entire website on your local computer and, to avoid any surprises/glitches, wait a few days after the new release before upgrading your control panel. Please check that the new Plesk version is compatible with your VPS OS version. If you are using Plesk 10 or 11, please consider migrating to a new setup rather than upgrading Plesk. During the upgrade process your websites will be down and your Plesk panel will be unavailable.
    1. Log in to your Plesk panel
    2. Click on “Updates and Upgrades” under “Tools & Settings”
    3. Click on “Install or Upgrade Product”
    4. Choose a Plesk version from the drop-down list and click Continue.
  • Upgrading cPanel / WHM: I suggest that you take a backup of your entire website on your local computer and, to avoid any surprises/glitches, wait a few days after the new release before upgrading your control panel.
    1. Log in to WHM
    2. Type “Upgrade” in the search bar and click on “Upgrade to Latest Version”
    3. Click on “Click to Upgrade”

Different types of RAID and RAID levels, advantages and disadvantages

One of the challenging tasks of every system administrator is to strike a balance between reliability and performance when choosing a dedicated server. Some might say choosing the right Redundant Array of Independent Disks (RAID) option and level is critical, but what is RAID and why is it so important?

Wikipedia defines RAID as “data storage virtualization technology that combines multiple physical disk drive components into one or more logical units for the purposes of data redundancy, performance improvement, or both.” RAID should be considered part of a business continuity plan: it improves reliability by replicating data across one or more disks, and it improves performance by spreading reads and writes across multiple drives. There are two main components in every RAID setup: the RAID level and the RAID controller.

The table below shows some of the most common RAID levels.

Level    Minimum # disks  Redundancy     Disk space utilization  Read speed  Write speed  Ideal application
RAID 0   2                None           100%                    Fast        Fast         Image & video editing
RAID 1   2                Yes – 1 disk   50%                     Fast        Moderate     DB & critical data
RAID 5   3                Yes – 1 disk   ~80%                    Moderate    Slow         Archiving
RAID 6   4                Yes – 2 disks  ~70%                    Moderate    Slow         App server
RAID 10  4                Yes – 1 disk   50%                     Fast        Moderate     Critical data
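The utilization and redundancy columns of the table are functions of the disk count, which the table's approximate figures hide: RAID 5 yields (n-1)/n, so ~80% corresponds to 5 disks, and RAID 6 yields (n-2)/n, so ~70% corresponds to about 7. The following Python script, added here as an example and not part of the original post, computes usable capacity and the number of simultaneous disk failures each level is guaranteed to survive for any disk count, and refuses configurations below the level's minimum or an odd disk count for RAID 10. The function names and output keys are this example's own; the formulas are the standard ones for each level.

```python
"""Usable capacity and guaranteed failure tolerance for the RAID levels in the
table above, computed from the disk count.  Added example, not from the post."""

# Per level: minimum disks, usable fraction of raw capacity as a function of
# disk count n, and the number of simultaneous failures the array always survives.
RAID_LEVELS = {
    "RAID 0":  (2, lambda n: 1.0,         lambda n: 0),
    "RAID 1":  (2, lambda n: 1.0 / n,     lambda n: n - 1),
    "RAID 5":  (3, lambda n: (n - 1) / n, lambda n: 1),
    "RAID 6":  (4, lambda n: (n - 2) / n, lambda n: 2),
    "RAID 10": (4, lambda n: 0.5,         lambda n: 1),  # worst case: both disks of one mirror
}


def fits(level, disks):
    """True if `disks` drives can form a valid array at `level`."""
    if level not in RAID_LEVELS or disks < RAID_LEVELS[level][0]:
        return False
    if level == "RAID 10" and disks % 2:   # mirrors come in pairs
        return False
    return True


def plan_array(level, disks, disk_tb):
    """Capacity and tolerance figures for `disks` drives of `disk_tb` TB each."""
    if not fits(level, disks):
        raise ValueError(f"{level} cannot be built from {disks} disk(s)")
    _, usable_fraction, tolerates = RAID_LEVELS[level]
    fraction = usable_fraction(disks)
    return {
        "level": level,
        "disks": disks,
        "raw_tb": disks * disk_tb,
        "usable_tb": round(disks * disk_tb * fraction, 2),
        "utilization_pct": round(fraction * 100, 1),
        "guaranteed_failures": tolerates(disks),
    }


def compare(disks, disk_tb):
    """Every level that fits the disk count, highest utilization first."""
    rows = [plan_array(level, disks, disk_tb) for level in RAID_LEVELS if fits(level, disks)]
    return sorted(rows, key=lambda r: -r["utilization_pct"])


if __name__ == "__main__":
    for row in compare(6, 4):   # six 4 TB drives, a common dedicated-server order
        print(f"{row['level']:<8} usable {row['usable_tb']:>6} TB "
              f"({row['utilization_pct']}%), survives {row['guaranteed_failures']} failure(s)")
```

Guaranteed tolerance is the conservative number: a RAID 10 array may survive more than one failure if the failed disks sit in different mirrors, but the table's "1 disk" is the only figure you can plan around.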

In a nutshell, the RAID controller's task is to control the RAID array, making sure the drives work as one logical unit and that the computer recognizes them as such. There are two main types of RAID controller: software and hardware. Software RAID relies on the computer's CPU to control the read/write process; although server CPUs are super fast these days, this still creates computation overhead and utilises server resources, depending on the RAID level. A hardware RAID controller, on the other hand, is equipped with an internal processor like an ARM or ASIC to control the array.

The comparison table below shows some of the advantages and disadvantages of the different RAID controller types.

RAID controller        Advantages                                         Disadvantages
Software               Low cost; easier to reconfigure the array          Slow; replacing a failed drive is not easy; not suitable for RAID 5 & 6
Hardware card          Faster read/write; replacing a failed disk is easy Requires additional hardware
Hardware card + cache  Improves I/O performance                           Cost; susceptible to data loss in case of power failure