Categories

Tech Advice

November 10, 2009

Migrate to a Faster Database Server in Minutes

Earlier this year, we deployed another MySQL database server (db2.modwest.com) for our shared hosting customers. It's a beast of a machine, and still has lots of horsepower to spare. In fact, compared to db.modwest.com, it's roughly 4x more powerful and currently doing a lot less work.

In addition to having lots of power to spare, db2 is also running MySQL 5, rather than MySQL 4.1. Version 4.1 will be "end of life" at the end of this year, meaning that MySQL will no longer provide bug or security fixes for it. MySQL 5 has some cool new features, as well, and so we encourage everyone with databases hosted on db.modwest.com to switch them over.

Most modern applications (such as Joomla, Wordpress, or Drupal) should be perfectly happy with MySQL 5; though if you have a custom application, you should probably ask your webmaster to read through MySQL's guide to upgrading from 4.1 to 5.

To make one step in the migration process easier, we've recently whipped up a web tool to copy a database from one server to another. It's here:


We hope you'll enjoy the increased performance of db2, and the increased features and security of MySQL 5, and let us know of any trouble along the way.

Posted at 09:47 AM in Operations, Tech Advice, Web Design and Development, Web/Tech | | Comments (0) | TrackBack (0)

July 31, 2009

Escalating War on Spam

Herbal Vi@gra, no-prescription pills, bodily-enhancement miracles, mortgage scams, cable descramblers, non-existent lonely women fishing for a date with absolutely anyone, fake bank login reminders, designer watches and handbags and various junk you don't want. Sound familiar?

These past few weeks, we've noted a dramatic increase in spam delivered to customer and staff mailboxes on our shared hosting system. Our Support Team has heard from many customers recently who reasonably assumed our spam filtering technology was simply turned off. It was a problem, and it got noticed.

So, we began an incremental process of increasing the sensitivity of some of the tests which help determine whether an individual email is spam or not. Each test assigns points, and the total points represents a confidence level that the message is indeed spam. For more on how this works, see this post.

It's important to make changes gradually, because dramatic changes to the scoring system can result in "false positives", or legitimate email that gets flagged as spam, which we try to avoid for obvious reasons.

To measure the effects of our changes, we worked this month to track statistics on the amount of mail being handled, the percentage of it which was flagged as spam, and the level of "spamminess" of messages delivered. The overall dataset we examined was over four million deliveries from July 2009.

Spam Surge

The first thing we've learned is that while the amount of low-scoring spam certainly increased, it wasn't just a failure of the filtering software. There was a generalized surge in overall messages received -- probably due to the avalanche of new spam! Here's a visualization of this phenomenon that Erik made for us today:


Spam-timeline

There's one bar per day in July, and taller bars represent a higher volume of incoming mail. The darker inner bar represents the proportion of overall mail that day which was flagged as spam. July 31st is shorter because we pulled the stats about halfway through the day, but you can see that there was as much spam detected in the first half of the day than all mail combined from some days earlier in the month.

You can also see that the overall volume of mail increased dramatically, and the amount flagged as spam has increased near the end of the month.

How Spammy?

We wanted to not only know that more mail was being flagged as spam, we also wanted to know just how "spammy" it was. Here are two graphs that present that data.

First, a daily graph of average spam scores. For reference, a score of 8 or above is almost certainly spam.

Avg-daily-spam-scores

The humps earlier in the month are weekends -- days on which there's a lot less legitimate email, so spam constitutes a higher ratio of deliveries.

Next, here's a representation of the distribution of spam scores at several points in the month. The first pie chart represents the 12th through 17th of July. The second represents the 26th through 31st of July, and the final pie chart is just for July 31st. We made our most recent filtering improvements on July 30th.

Spam

You can see that a few weeks ago, spam scoring 8 points or higher constituted about one third of all messages. Today, that proportion is roughly two thirds. That means that a lot of previously low-scoring spam is now being scored higher.

How You Can Help

Spam apparently isn't going away; in fact, it is increasing. We believe that mailbox owners should have as much control as feasible over deliveries to their mailbox, and that's why we built the OnSite Spam Protection tool.

In our previous review of spam stats, we came to the realization that a lot of our customers have the default "Moderate" setting for spam filtering enabled. Turning that up to "High" or even "Very High" is a safe bet for most people. This and other strategies are discussed in our spam FAQ.

We think the changes we made this month have improved the spam situation quite a bit. Do you agree? Please, let us know here or here.

-JM

Posted at 03:31 PM in Email, Tech Advice | | Comments (0) | TrackBack (0)

July 13, 2009

Alternatives to FTP

We're not quite ready to say "R.I.P. FTP", but it's true that FTP has an inherent security flaw: your username and password are passed in clear text from your computer to the server. This means that  malicious software on your computer could trivially capture your FTP credentials the next time you update your site.

We were alerted recently when a customer reported that some files in their website had been modified to include a strange looking IFRAME tag, which apparently loaded malicious code from a server in Russia every time a visitor arrived at the page. This prompted Google to temporarily list the customer's site as "Dangerous" in search results.

A quick check of the logs indicated the customer's account had been logged into via FTP from many IP addresses around the world, some of which uploaded the various malicious changes to the site. Our customer was able to securely upload a clean backup, and changed of course their password immediately.

We're not sure how the bad guys got ahold of this customer's FTP credentials, but if this was a case of spyware on the customer's PC capturing his cleartext username and password during a site update, then using an alternative to FTP could have helped avoid this painful event.

Two of the simplest alternatives are SFTP and SCP. Both protocols encrypt the connection from beginning to end, so cleartext "sniffers" can't read the traffic. SFTP support is often built in to FTP clients such as FileZilla, Cyberduck, and the built-in client of Dreamweaver, but may not be enabled by default. Check the help files for your favorite file upload program to learn how to enable SFTP.

WinSCP provides SCP and SFTP support, and a familiar Windows Explorer style interface, too.

There are no important differences between SFTP and SCP (both encrypt authentication and file transfers), so use whichever one your program supports. If your file upload program only supports old-fashioned FTP, it is time to upgrade.

Posted at 04:56 PM in Tech Advice, Web Design and Development | | Comments (0) | TrackBack (0)

May 31, 2009

New Database Server Deployed

We've just deployed another MySQL database server for customers on the shared system. It goes by the name of "db2.modwest.com", and it's running MySQL 5. It's a powerful, brand new server and we encourage anyone using the older database servers to switch.

Adding a new database on the new server is easy. Just log into OnSite and click Add or Drop Database. Right now, the migration process is manual, but we'll be glad to assist upon request. One caveat: if you're running an older PHP application and currently using "db.modwest.com" (which runs MySQL 4.1), double check that your application is compatibile with MySQL 5, because there are some differences, such as new reserved words.

Enjoy!


Posted at 11:33 AM in Operations, Tech Advice, Web Design and Development | | Comments (1) | TrackBack (0)

May 15, 2009

PHP upgraded... and everything else

We have known for quite a while that we needed to upgrade PHP. In fact, it was a top requested answer to the question "What else can Modwest do to help our clients succeed?". We're listening! The answer is is now marked as "Done"!  =)

We gave a brief introduction to the new environment for shared hosting accounts last month, and thanks to great feedback from some intrepid customer beta testers, we have now made the new environment the official environment for all new shared hosting accounts at Modwest.

The cool thing is that anyone who signed up before May 2009 can be switched over to the new setup easily.  Yesterday, we added a new FAQ for people ready to switch:

 Modwest FAQ: What do I need to know about the new environment?


So, if you're an existing customer and trying to install the latest version of Wordpress, Joomla, or Interspire products, you've got a modern version of PHP to work with.

Enjoy!

-JM

Posted at 10:12 AM in FAQs, Operations, Tech Advice, Web/Tech | | Comments (0) | TrackBack (0)

March 13, 2009

When You Need a Boost

A common challenge in running shared hosting servers is how to ensure everyone gets a fair portion of the shared resources, and prevent any one misbehaving or resource-intensive script from affecting the performance and stability of the server for everyone else. One of those shared resources is memory (or RAM).

A site needs memory, and the server needs to provision it, at the instant a visitor arrives at a website, and during every successive page load. Simple HTML websites need very little memory; complex sites, based on robust content management systems like Joomla or Drupal, can use quite a bit.

Where memory really gets eaten up fast though is during on-the-fly image resizing, a feature common to many content management systems, image gallery applications, and banner ad management software.  Even if an image is only three or four megabytes on your hard drive, resizing it on a webserver can take ten times that much memory!

The actual formula is something like (pixel height * pixel width * color depth), plus some overhead for data storage. To illustrate, I just built a quick image resizing memory requirement estimator tool. Resizing images on your computer prior to upload is an easy way to reduce your server memory requirements.


To manage shared memory and preserve service quality on the Modwest shared hosting system,  we maintain generous resource limits, and today we have some new flexibility to announce.

When memory limits are exceeded, the page will fail to load, display a dreaded Internal Server Error and usually throw a line in your error log similar to:

FATAL:  emalloc():  Unable to allocate 11306785 bytes


If resizing images prior to upload is not an option, or if you're exceeding memory limits for reasons other than image resizing, there is a solution:

We can now increase memory limits on a site-by-site basis.

We're calling it a "Memory Boost". It's not advertised on our website yet, but it is available now.

Each Memory Boost makes an additional 32 Megabytes of memory available to your scripts running on the Modwest shared system.  Up to two may be added to a site at $5/month each.

Memory Boost won't make a slow site run faster, but may come in handy for memory-hungry sites on our shared system that are bumping up against those service-quality resource limits from time to time.

Need a 'Boost? Just contact us.



Posted at 08:18 AM in FAQs, Tech Advice, Web/Tech | | Comments (3) | TrackBack (0)

February 13, 2009

Bad Guys Want Your Password

It might be tempting to assume that since you're a good person and have nothing to hide, strong passwords are unnecessary. Here's why that's not true:

Every day, Bad Guys try to break in to every computer on the internet. This is an automated process conducted by a network of criminal-controlled "bots", continuously trying usernames and passwords that might be valid.

Last month we experienced two painful reminders of this fact; both involved customer passwords being guessed and their accounts used without their consent. Both events caused brief service interruptions.

Too early on a Sunday morning in January, our operations team received alerts that the number of outbound email messages being refused by remote servers had suddenly increased. Upon investigation, we discovered that a single authenticated user was sending tens of thousands of messages through one of our mail servers. The messages were coming from multiple sources (in China, Indonesia, and Romania) and contained various advance fee scams (where a wealthy heiress offers you 10% of her 38.5 million dollar fortune, just for helping out).

We immediately terminated the connections, deleted the outbound mails, and changed the customer's password.

Also in January, we experienced several network disruptions caused by brief but massive floods of data emanating from our SSH shell server. It turned out that one customer's account was being used by people in multiple countries as a launch point for probing thousands of other servers, for the purpose of identifying additional easy-to-guess passwords! (And the cycle continues...)


While we have further work to do on the matter, we've recently made changes to OnSite to require stronger passwords.  For a super-strong password, you should use eight or more upper and lower case letters, numbers, and special characters (like #, @, %). For assistance, Microsoft offers a password strength checker and pwgen.net will generate random strong passwords for you.

We're also talking about password strength in the Feedback Community, so please drop by and let us know what you think.


The Bad Guys show no indication of slowing their continuous assault, so we hope everyone will take this opportunity to review and update their passwords. Even if you have nothing to hide.


-JM



Posted at 08:05 AM in Tech Advice | | Comments (0) | TrackBack (0)

January 13, 2009

Clearing Up the MD5-Signed Certificate Issue

We have had some questions recently about the news that Berlin researchers had "broken SSL" by exploiting weaknesses in the "MD5" algorithm. Some of the news reports were alarming, and seemed to imply that worldwide electronic commerce was in grave danger as a result of their discovery.

While the weakness of MD5 has been known for a long time, the big news from Berlin was about how the team of security researchers and a room full of 200 Playstation 3 units managed to use those weaknesses to generate a counterfeit SSL certificate.

In theory, the researchers could have set up a fake https://www.paypal.com, and if they subsequently directed visitors to it (via DNS Poisoning or some other redirection exploit), their fake site would be indistiguishable from the real thing.

But here's what the news doesn't mean.

  • It doesn't mean that MD5-signed certificates already in use are "vulnerable" to something.   There is no new exploit expressly designed to hack into sites utilizing MD5-signed certificates, for example.
  • It also doesn't mean that the encrypted communication between site visitors and web servers with MD5-signed certificates is any less secure.


If your Modwest purchased-and-hosted certificate is MD5-signed, we will be happy to reissue and reinstall it upon request. Although your certificate is still secure, if you'd prefer a re-issued (non-MD5) certificate, just contact support and we'll take care of it.

To identify whether your SSL certificate is MD5-signed, you could use the SSL Blacklist Firefox plugin (despite its alarming warnings). Or visit your site securely (HTTPS-mode), double-click the SSL padlock, and look in the Details section for the 'Certificate Signature Algorithm'.

For more information, see this FAQ from RapidSSL or Verisign's Blog for even more details and debate.


-JM













Posted at 03:47 PM in Current Affairs, E-Commerce, Tech Advice, Web/Tech | | Comments (0) | TrackBack (0)

January 09, 2009

Feedback Community Launched!

Since our open beta announced in October, we've had some really helpful input by a handful of Feedback Community members, fixed a few things, and improved a few things. So it's time to draw back the curtain and invite all Modwest customers to participate.Feedback Community Screenshot

Marianne is our Community Manager and as she said in an email invitation this morning:

It's not a survey. It's not really a forum, either. It's probably like nothing you've seen before, and if you visit the site you'll see what I mean.

  • Share your ideas and feedback
  • Discuss web hosting (and other web topics) with us and other customers
  • Win prizes for participating in contests
  • Let's get to know each other and hear what everyone has to say!


We also have some contests with real prizes planned, so we hope you'll check it out.

You can log in to the Feedback Community with any valid OnSite username, so feel free to forward your invitation to all your mailbox owners too!

See you in the "MFC"!

-JM


Posted at 12:00 PM in FAQs, Modwest Team, Tech Advice, Web Design and Development | | Comments (0) | TrackBack (0)

July 03, 2007

MySQL 5: Smarter, Faster, Better

As we recently announced, Modwest now offers a choice of either MySQL 4.1 or MySQL 5.0 on our shared hosting system. We're now encouraging anyone looking for a database performance boost to migrate their existing 4.1 databases over to the fast new 5.0 server, which is handling about 80% less traffic currently. (Just be sure to watch out for the new reserved words and remember there are many possible reasons for a site to seem slow.)

In addition to advanced database features such as stored procedures and views, MySQL 5.0 implements a new "greedy optimizer" which they say can increase performance on complex multi-table JOIN statements by a factor of 1000.  So besides running on a server with a ton of horsepower to spare, MySQL 5.0 should be inherently faster as well. 

For more about MySQL 5.0 features, bug fixes, and performance enhancements, check out their "What's New" page. If you're ready to migrate, our FAQ has all the details.

Posted at 03:56 PM in Tech Advice | | Comments (0) | TrackBack (0)

November 2009

Sun Mon Tue Wed Thu Fri Sat
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30          

Archives


Subscribe to this blog's feed
Modwest.com >>
Modwest System Status >>