Virtual Private Servers (VPS) and the term virtualization have created a lot of buzz. At the same time, it is still not very clear what virtualization really is and what it entails. In this blog post, I’ll be covering the basics of what Server Virtualization is, its types, and the pros and cons of each, to help you get the best out of it.
Before we move on to Server Virtualization, let’s have a look at what Virtualization in general means.
Virtualization refers to the act of creating a virtual version of something, including virtual computer hardware platforms, storage devices, and computer network resources. In simple words, it refers to running more than one Operating System on a single piece of physical hardware. An easy example is partitioning a single hard drive into two: this way there are ‘virtually’ two hard drives, but in reality there is only one.
What is Server Virtualization
Server Virtualization, as the name suggests, involves ‘servers’. A physical server is partitioned into several smaller virtual servers, enabling the server to utilize its resources to the maximum. The resources of each virtual server are isolated (hidden) from the other users in the virtual environment. These virtual environments are known as Virtual Private Servers or Virtual Machines, and each acts like an exclusive physical device. The software used to partition the server is known as a Hypervisor.
Why use Server Virtualization
Virtualization is an ideal solution for small to mid resource usage applications. Some of the reasons to use server virtualization are:
- Virtualization helps in preserving space, as several resources share the same physical space owing to the partition. This also helps in effective resource management.
- Virtual Servers offer users the privileges of a dedicated server but at a lower price. This is helpful for small and medium-sized businesses that do not require a whole dedicated infrastructure and its resources.
- Backing up data is simple, which helps prevent data loss.
Although there are several reasons to choose Server Virtualization, choosing the right technology too is equally important. There are two widely used types namely, KVM (Kernel-based Virtual Machine) and Virtuozzo.
KVM stands for Kernel-based Virtual Machine. It is a Virtual Private Server technology primarily for Linux, though it does support Windows, BSD and Solaris as guests. KVM is virtualization in the true sense, as each VPS operates as its own server, not dependent on the host node. It is open source and hardware-based virtualization.
Virtuozzo, on the other hand, is not a free and open source software program. Virtuozzo is container-based and comes with a proprietary Kernel Service Abstraction Layer (KSAL) that manages access to the kernel and prevents any single VPS from bringing the entire physical server down. Also, it addresses virtualization by running a single OS kernel as its core.
Pros and Cons of KVM and Virtuozzo
Even though both KVM and Virtuozzo are popular virtualization software, each has its set of Pros and Cons that end up being the deciding factor. Here is a list of the Pros and Cons of each:
Pros of KVM:
- Being open source, KVM is priced relatively lower.
- As the base of KVM is Linux, the security is enhanced.
Cons of KVM:
- One of the major disadvantages of using KVM is the complexity of the setup, and it requires adequate networking knowledge.
- KVM virtualization is available only on certain processors and lacks manageability features.
Pros of Virtuozzo:
- Server resources are utilized efficiently.
- Has a web-based GUI panel. Also, it is an independent platform and can be used with both Linux and Windows.
Cons of Virtuozzo:
- As RAM is shared, there is always a shortage of RAM. This may lead to a process being killed to compensate for the lack of RAM.
- Sharing of resources isn’t that great.
Server Virtualization is growing and will continue to grow with the advances in technology. If you want full control over your server, then KVM should be your choice. On the other hand, if you have no major requirements, then Virtuozzo is far more affordable than KVM. Eventually, what you as a user choose to invest in is your own choice, depending on your usage.
If you have any more points based on your experience, we would love to hear them in the comments below.
The Internet has given us the power to buy goods, make payments etc. instantly from the comfort of our own homes. However, along with these benefits, there is an underlying cyber security threat at hand. It was recently revealed that more than 360 million stolen credit card accounts were up for sale on the cyber black market. With several similar incidents coming to the fore in the past, it is essential to keep critical information about your customers secure and save yourself millions of dollars in consumer lawsuits.
We at ResellerBytes have put together a little guide to help you reduce the risk of your LAMP based VPS and Dedicated servers getting hacked. LAMP is one of the most popular application stacks. It stands for Linux, Apache, MySQL and PHP.
Mitigate the risks of your LAMP based VPS and dedicated servers being attacked!
The Apache Web Server is one of the most commonly used Web Servers. However, like most other software, it requires appropriate settings, monitoring, and maintenance to guard against vulnerabilities. In this post, we will cover both General guidelines that you can follow to secure your server, as well as certain specific steps that you should address to mitigate the damage caused by such attacks.
General LAMP Server Security Best Practices:
- Sign up for updates and announcements from the Web Server Mailing List.
- Upgrade to the latest version whenever there is an update.
- Install only the modules you require and disable unnecessary ones.
- Make sure you log all admin level accesses with date, time and username.
- Do not display your server version or OS version in error messages.
For Servers with Apache:
1. Hide the Apache Version number, and other sensitive information
It is essential to hide the Apache Version Number your server is running, as well as other sensitive information. You can do this by following the simple steps listed below.
Add or Edit the following two directives in your httpd.conf file
- ServerSignature Off
- ServerTokens Prod
The ServerSignature appears on the bottom of pages generated by Apache such as 404 pages, directory listings, etc.
The ServerTokens directive determines what Apache puts in the Server HTTP response header. Setting it to Prod reduces the header to:
- Server: Apache
2. Make sure apache is running under its own user account and group
When Apache is installed, the default user is set as “nobody”. However, if there are other applications that also run as the user nobody on your system, then a compromise of Apache can also compromise those installations. It is best to add a separate user “apache” and then modify the following directives in httpd.conf to run Apache as its own user.
- User apache
- Group apache
3. Ensure that files outside the web root directory are not accessed.
It is always good practice to restrict access to files outside the web root directory to maintain security and ensure that these files are only accessed by people who need to access them.
    <Directory />
        Order Deny,Allow
        Deny from all
        Options None
        AllowOverride None
    </Directory>
    <Directory /html>
        Order Allow,Deny
        Allow from all
    </Directory>
Note that because we set “Options None” and “AllowOverride None “this will turn off all options and overrides for the server. You now have to add them explicitly for each directory that requires an Option or Override.
4. Turn off directory browsing, following of symbolic links and CGI execution
You can do this with an Options directive inside a Directory tag.
If you want to turn off all Options simply use:
- Options None
If you only want to turn off some, separate each option with a space in your Options directive:
- Options -ExecCGI -FollowSymLinks -Indexes
5. Install ModSecurity
ModSecurity is an Apache add-on module that can detect and block HTTP attacks. It comes in really handy for blocking SQL injection in case your developers forget to add input validation, and for identifying and blocking information disclosure issues such as leaked detailed error messages, Social Security Numbers or credit card numbers. Follow these steps to install mod_security:
- On CentOS: yum install mod_security
- On Ubuntu: apt-get install libapache2-mod-security2
- service httpd restart (the service is called apache2 on Ubuntu)
6. Disable any unnecessary modules
There are several modules enabled on your Apache Web Server that you may not need. To list the modules that are loaded, run:
- grep LoadModule httpd.conf
Some of the modules that are typically enabled are often not needed. To disable a module, add a # sign in front of its LoadModule line.
You can also go through the Apache module documentation and disable or enable any that you need.
7. Lower the Timeout value
The default Timeout directive is set to 300 seconds. Decreasing this value helps mitigate the potential effects of a denial of service attack.
- Timeout 45
8. Limit large requests
In order to mitigate the effects of a denial of service attack, limit the size of the body that can be sent in an HTTP request. If you do not accept large uploads, you can limit this to 1 MB via the directive below.
- LimitRequestBody 1048576
Application and Database Security
SQL injection is another common way of extracting data from poorly coded websites. Here is how you can prevent it and other such attacks.
- Ensure your applications like Joomla, WordPress, Drupal etc. are up to date.
- Subscribe to Bug updates and Vulnerability reports.
- Try to avoid world-writable (777) permissions on your files or folders.
- Regularly check for viruses or infections by scanning your web package.
- If you are using MySQL or MariaDB, run the mysql_secure_installation script.
- If your application requires you to store confidential information like username, passwords, credit card data etc. then ensure that all communication is encrypted by using a Digital Certificate.
For servers with PHP:
1. Run PHP as a separate User
It is recommended to install PHP as a separate user rather than as an Apache module. If you install PHP as an Apache module, PHP runs with the Apache user’s permissions, and any compromise of a vulnerable PHP script can lead to a server-wide compromise.
A better way to install PHP is with php-fpm, a FastCGI process manager which lets you run and manage PHP scripts as a separate user.
2. Use the POST method to pass important parameters like credit card information
Many developers already know this. PHP has two methods to pass variable information via a form: the GET method and the POST method. The most important difference between them is that with GET the information you pass is visible to everyone in the URL, while with POST it is not. Hence sensitive information like usernames and passwords should always be passed via the POST method.
3. Always Validate Form and Text Input
Cross-site scripting and SQL injection can both be prevented if form or file input is validated.
Cross-site scripting allows a hacker to run malicious code on your server by simply uploading a file with malicious code in it to be run on the server, and SQL injection allows a hacker to get access to your database by injecting malicious queries through your form to obtain database information like table names. A simple way to validate PHP form input can be found at http://www.w3schools.com/php/php_form_validation.asp
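The two points above (passing sensitive parameters only via POST, and validating input so that neither SQL injection nor script injection gets through) as one worked request handler. This is an added example written in Python as a stand-in for the PHP handler the post describes, not code from the post; the SQLite database, its users table and the two rows in it are constructed sample data, and the concatenating lookup is kept only to show the contrast with the bound-parameter version.

```python
"""Form handling with POST-only parameters, whitelist input validation,
parameterised SQL and HTML output escaping. Added example in Python as a
stand-in for the PHP handler the post describes; the in-memory SQLite
database and its two user rows are constructed sample data."""
import html
import re
import sqlite3

# Whitelist: 3-32 characters of letters, digits, dot, underscore or hyphen.
# Quotes, spaces and angle brackets never pass, so neither SQL nor HTML
# metacharacters reach the layers below.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def setup_db():
    """Constructed sample database standing in for the application's MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Alice"), ("bob", "Bob <Admin>")])
    return conn


def lookup_vulnerable(conn, username):
    """The pattern the post warns about: user input spliced into the SQL text,
    so a quote in the input changes the meaning of the query."""
    sql = f"SELECT display_name FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Parameter binding: the driver sends the value as data, so it is never
    parsed as SQL regardless of what it contains."""
    rows = conn.execute("SELECT display_name FROM users WHERE username = ?",
                        (username,))
    return [row[0] for row in rows]


def handle_request(conn, method, form):
    """Return (status, body) for a login-style request.

    Rejects anything but POST, validates the username against the whitelist,
    queries with a bound parameter and escapes the value before it is placed
    into the HTML response, so stored data such as 'Bob <Admin>' cannot
    inject markup or script into the page."""
    if method != "POST":
        return 405, "Method Not Allowed"
    username = form.get("username", "")
    if not USERNAME_RE.match(username):
        return 400, "Invalid username"
    rows = lookup_safe(conn, username)
    if not rows:
        return 404, "No such user"
    return 200, f"<p>Welcome, {html.escape(rows[0])}</p>"


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"  # textbook tautology, shown only for the contrast
    print("concatenated query returns:", lookup_vulnerable(db, payload))  # every row
    print("bound parameter returns:   ", lookup_safe(db, payload))        # []
    print(handle_request(db, "GET", {"username": "alice"}))               # 405
    print(handle_request(db, "POST", {"username": payload}))              # 400
    print(handle_request(db, "POST", {"username": "bob"}))                # escaped name
```

In PHP the bound parameter corresponds to a prepared statement (PDO::prepare with bindValue, or mysqli_prepare), and html.escape corresponds to htmlspecialchars on every value echoed into a page; the method check corresponds to reading $_POST rather than $_REQUEST or $_GET.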
4. Hide the PHP version
- Open php.ini and add the following:
- vim /etc/php.ini
- expose_php = Off
5. Log all PHP errors to a file and not on the website
- display_errors = Off
- log_errors = On
- error_log = /var/log/httpd/php_error.log
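As a way to check that the Apache directives from steps 1 to 4, 7 and 8 above and the php.ini settings from steps 4 and 5 are actually in place, here is an added audit script. It is not from the post; both sample configurations it runs on are constructed, and the thresholds of 45 seconds and 1048576 bytes are the values used above.

```python
"""Audit an httpd.conf and a php.ini fragment against the hardening directives
this post lists. Added example, not from the post; both sample configurations
below are constructed."""

# Constructed sample: a default-looking configuration before hardening.
WEAK_HTTPD_CONF = """\
ServerTokens Full
ServerSignature On
User nobody
Group nobody
Timeout 300
<Directory "/var/www/html">
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride All
</Directory>
"""

# Constructed sample: the same file after applying steps 1-4, 7 and 8.
HARDENED_HTTPD_CONF = """\
ServerTokens Prod
ServerSignature Off
User apache
Group apache
Timeout 45
LimitRequestBody 1048576
<Directory "/var/www/html">
    Options -ExecCGI -FollowSymLinks -Indexes
    AllowOverride None
</Directory>
"""

WEAK_PHP_INI = "expose_php = On\ndisplay_errors = On\nlog_errors = Off\n"
HARDENED_PHP_INI = ("expose_php = Off\ndisplay_errors = Off\nlog_errors = On\n"
                    "error_log = /var/log/httpd/php_error.log\n")

def parse_directives(text):
    """(name, value) pairs from an Apache config. Comments and the section
    tags (<Directory>, </Directory>) are skipped; names are lower-cased
    because Apache matches directive names case-insensitively."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            pairs.append((name.lower(), value.strip()))
    return pairs

def parse_ini(text):
    # key -> value from php.ini style lines; ';' starts a comment
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings

def audit_httpd(text, max_timeout=45, max_body=1048576):
    """Return a list of findings; an empty list means every check passed."""
    directives = parse_directives(text)
    values = dict(directives)  # last occurrence of a directive wins
    findings = []
    if values.get("servertokens", "full").lower() != "prod":
        findings.append("ServerTokens is not Prod: version leaks in the Server header")
    if values.get("serversignature", "on").lower() != "off":
        findings.append("ServerSignature is not Off: version shown on error pages")
    for key in ("user", "group"):
        if values.get(key, "nobody").lower() in ("", "nobody"):
            findings.append(f"{key.capitalize()} is not a dedicated apache account")
    if int(values.get("timeout", "300")) > max_timeout:
        findings.append(f"Timeout exceeds {max_timeout} seconds")
    body = int(values.get("limitrequestbody", "0"))  # 0 is Apache's default: unlimited
    if body == 0 or body > max_body:
        findings.append(f"LimitRequestBody unset or above {max_body} bytes")
    for name, value in directives:
        if name == "options":
            # an option listed without a leading '-' is enabled
            enabled = {opt for opt in value.split() if not opt.startswith("-")}
            risky = enabled & {"All", "Indexes", "FollowSymLinks", "ExecCGI"}
            if risky:
                findings.append("Options enables " + ", ".join(sorted(risky)))
        elif name == "allowoverride" and value.lower() != "none":
            findings.append("AllowOverride is not None: .htaccess can re-enable options")
    return findings

def audit_php_ini(text):
    """Findings for the php.ini settings in steps 4 and 5 of the PHP section."""
    s = parse_ini(text)
    findings = []
    if s.get("expose_php", "on").lower() != "off":
        findings.append("expose_php is On: X-Powered-By header reveals the PHP version")
    if s.get("display_errors", "on").lower() != "off":
        findings.append("display_errors is On: errors are rendered into pages")
    if s.get("log_errors", "off").lower() != "on":
        findings.append("log_errors is Off")
    if not s.get("error_log"):
        findings.append("error_log is not set")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_HTTPD_CONF), ("hardened", HARDENED_HTTPD_CONF)):
        print(f"httpd.conf ({label}):", audit_httpd(conf) or "all checks passed")
    for label, ini in (("weak", WEAK_PHP_INI), ("hardened", HARDENED_PHP_INI)):
        print(f"php.ini ({label}):", audit_php_ini(ini) or "all checks passed")
```

To run it against a live server, pass the contents of the real files, for example audit_httpd(open("/etc/httpd/conf/httpd.conf").read()). The parser is deliberately flat: it does not follow Include directives or track which Directory block an Options line belongs to, so on a real installation concatenate the included files first and treat an Options finding as something to look at in context rather than as a verdict.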
For servers with MySQL or MariaDB:
1. Run MySQL Secure Install
After installing MySQL run the mysql_secure_installation script.
- sudo /usr/bin/mysql_secure_installation
This script will prompt you to add a mysql root password, lock root access to localhost and remove any unwanted databases like the test database.
2. Secure MySQL users and Database
Log into your MySQL Server and ensure that all MySQL users have a password and delete any unwanted user. Grant access to only those databases that the respective users would use.
By following the steps detailed above, you can go a long way towards ensuring that your customers’ data remains secure. In the next article I will add detailed steps on Linux OS and firewall security.
Let us know if these techniques were helpful for securing your LAMP servers by leaving a comment below!
Since the addition of VPS on our platform, we’ve only been providing one type of virtualization, Virtuozzo. A month ago, we introduced KVM virtual private servers on our platform. That must have got you thinking, “What’s the difference between the two?” This blog post covers the distinguishing features of KVM and Virtuozzo. Virtualization has changed the way we compute. We use less hardware, save energy and costs, and run various applications and operating systems on the same server.
Why do we need virtualization?
Apart from saving time, money and energy, it:
- Helps you to manage your resources efficiently
- Provides secure remote access and thus increases productivity
- Helps prevent data loss
What makes virtualization possible is software known as a hypervisor or virtualization manager. The hypervisor sits between the hardware and the operating systems and allocates how much access applications and operating systems have to the processor and other hardware resources.
Choosing the right technology for virtualization is essential. The two main choices when it comes to virtualization are Virtuozzo and KVM. Depending on your needs, either of these could suit your requirements. Here are the pros and cons of both Virtuozzo and KVM.
Virtuozzo at a glance
With Virtuozzo, the resources of your server are efficiently split. However, it’s not free and it’s not an open source program (unlike OpenVZ). It doesn’t use the normal hardware abstraction layer construction. Instead, Virtuozzo comes with a proprietary Kernel Service Abstraction Layer (KSAL) that manages access to the kernel and basically prevents any single VPS from bringing the entire physical server down. It approaches virtualization by running a single OS kernel as its core. The core is then exported to various partitions on the host and each partition becomes an independent entity better known as a virtual private server (VPS).
KVM at a glance
Kernel-based Virtual Machine (KVM) is a virtualization infrastructure for the Linux kernel that turns it into a hypervisor. The host must run Linux, but Windows, BSD and Solaris are supported as guests.
Virtuozzo is container-based, while KVM is hardware-based virtualization. KVM runs on x86 and x86-64 systems with virtualization extensions. It is an open source choice and consists of a loadable kernel module that provides the core virtualization infrastructure, plus a processor-specific module.
Pros and Cons of Using Virtuozzo
Pros of using Virtuozzo
- Independent Platform – You can use Virtuozzo with Windows or Linux without any hassle
- Web-based GUI panel – The Virtuozzo Power Panel is a GUI based web powered panel, which enables you to handle servers on their own over the web
- Easy Restoration – Restoring is easy and comes with full root access. You’re also able to restore an individual file or the entire VPS
Cons of using Virtuozzo
- RAM is shared – If the server doesn’t have enough RAM, Virtuozzo struggles and usually will fail since the system depends on virtual RAM. Ultimately, it will kill processes when it runs out of RAM
- Lack of device support – In some cases, Virtuozzo won’t allow custom devices. For example, VPNs
- Resource sharing isn’t great – The resource sharing of Virtuozzo isn’t that great. If one user is using resources heavily, it can slow things down.
Pros and Cons of Using KVM
I’m sure you already know that KVM is one of the top open source choices for virtualization. Then again,
Pros of using KVM
- Excellent Security – Since the base of KVM is Linux, it can use the SELinux advanced security system. This helps ensure that the security of the virtual machines meets a very high level. KVM has also received awards for meeting government security standards.
- Available for Anybody to Use – The open environment of KVM means anybody can use it and customize the system to fit specific requirements.
Cons of Using KVM
- Complex Setup – One of the main disadvantages of using KVM is the complex setup process. It’s actually more complex than other systems
- Limited Processors – Keep in mind that the system doesn’t work with all processors
- May Require Built-in CPU Virtualization Support – In some cases, KVM may require built-in CPU virtualization support to ensure the best possible performance
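A quick way to check the “limited processors” and “CPU virtualization support” points before building or ordering a KVM host is to read the CPU flags. The script below is an added example, not from the post; it assumes the Linux /proc/cpuinfo format (Intel VT-x shows up as the vmx flag, AMD-V as svm) and the two cpuinfo excerpts it parses are constructed.

```python
"""Check whether a CPU advertises the hardware virtualization extensions KVM
relies on. Added example (not from the post); the two cpuinfo excerpts at
the bottom are constructed samples."""
import os


def parse_cpuinfo(text):
    """Return one {field: value} dict per processor block; blocks are
    separated by blank lines in /proc/cpuinfo."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def kvm_capability(text):
    """Summarise what the flags say about running KVM on this machine.

    'extension' is the virtualization flag found (None if absent).
    'is_guest' is True when the 'hypervisor' flag shows the kernel is already
    running inside a VM; in that case the extensions are only visible if the
    host exposes nested virtualization, which many VPS hosts do not."""
    cpus = parse_cpuinfo(text)
    flags = set()
    for cpu in cpus:
        flags.update(cpu.get("flags", "").split())
    extension = "vmx" if "vmx" in flags else "svm" if "svm" in flags else None
    return {
        "cpus": len(cpus),
        "extension": extension,
        "is_guest": "hypervisor" in flags,
        "kvm_possible": extension is not None,
    }


def host_report(path="/proc/cpuinfo", kvm_device="/dev/kvm"):
    """Run the check against the live system and also report whether the kvm
    kernel module has created /dev/kvm, which the hypervisor needs."""
    with open(path) as fh:
        result = kvm_capability(fh.read())
    result["kvm_device_present"] = os.path.exists(kvm_device)
    return result


# Constructed sample: a bare-metal Intel host with VT-x.
SAMPLE_BARE_METAL = """\
processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce sep mtrr pge mca sse sse2 ht vmx smx

processor\t: 1
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce sep mtrr pge mca sse sse2 ht vmx smx
"""

# Constructed sample: the CPU as seen from inside a VPS whose host does not
# pass the extensions through.
SAMPLE_GUEST = """\
processor\t: 0
vendor_id\t: AuthenticAMD
flags\t\t: fpu de pse tsc msr pae mce cx8 sse sse2 ht hypervisor
"""

if __name__ == "__main__":
    print("bare metal:", kvm_capability(SAMPLE_BARE_METAL))
    print("guest:     ", kvm_capability(SAMPLE_GUEST))
```

The flag only says the silicon can do it; firmware can still leave the extension disabled, which is why host_report also looks for /dev/kvm after the kvm module has been loaded.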
Overall, using KVM can be beneficial, and for some users the advantages outweigh the disadvantages. But then again, it depends on the use case. Here are a few highlights you can have a look at:
| Virtuozzo | KVM |
| --- | --- |
| Can only host Linux operating systems | Can host Linux, Windows and custom OS options |
| Most Virtuozzo hosts are oversold | Is better isolated even though it can be oversold |
| More affordable, provides users with speed and scalability | Offers private virtualized hardware and is more customizable |
| Easier to set up | Requires more networking knowledge |
If you’re looking for full control over your server, KVM is your go-to. On the other hand, Virtuozzo is a great choice if you don’t have any special requirements and is more affordable than KVM. Then again, it’s vital to crosscheck and look at the benefits and how they apply to your situation. If your choice of virtualization boils down to the two of these, make sure you weigh your options before making a decision. What do you prefer using for your customers? Do let us know any other parameters of comparison that you found useful to evaluate.