Archive for the ‘Networking’ Category

Response to WebHostingTalk’s Security Breach

March 26th, 2009

I heard about WebHostingTalk’s security breach recently and after reading the comments on Slashdot, I became a bit concerned people were missing the issue. People discussed offsite backups and offline backups, but while that might have mitigated the issue, it’s not what’s at fault.

What’s at fault is the fact that their database servers could be connected to from their backup servers. A backup server should only accept connections from the boxes it is backing up; those boxes send their data to it, rather than the backup server pulling the data down itself.

My ssh/rsync scripts run from the box I’m backing up, and the backup box has no way to connect back to the box it’s backing up data from. If that’s the way WebHostingTalk’s servers were set up, there would have been no hack. Yes, they might have been able to delete the backups, but they would not have been able to connect to the database servers and wipe the tables on them.
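The push-only layout the post argues for, as an added example (mine, not the post’s own ssh/rsync scripts): the source box runs rsync over ssh toward the backup server; the backup server’s authorized_keys pins that key to one source address and to rsync’s rrsync wrapper in one directory, with no shell, pty or forwarding; and the backup server’s own firewall refuses to open new connections into the production network, so a compromise there cannot be turned around against the database hosts. Every host name, address, path, key file and the rrsync install path is assumed. Because the source still writes into the backup directory (--delete included), a compromised source can trash what it pushed, which is exactly the residual risk the post concedes; the backup server should therefore rotate its own snapshots of that directory out of the source’s reach.

```shell
#!/bin/sh
# Added example, not the post's own ssh/rsync scripts. Every host name,
# address, path and key file below is assumed for illustration.
BACKUP_HOST="backup.example.internal"      # assumed backup server
BACKUP_DIR="/srv/backups/db1"              # assumed directory rrsync confines the key to
SRC_IP="10.0.0.5"                          # assumed address of the box being backed up
SRC_DIR="/var/backups/mysql/"              # assumed dump directory on that box
PROD_NET="10.0.0.0/24"                     # assumed production network (db hosts live here)
PUSH_KEY="/root/.ssh/backup_push_ed25519"  # assumed dedicated key, used for nothing else
RRSYNC="/usr/bin/rrsync"                   # assumed install path of rsync's restricted wrapper

# Cron line for the SOURCE box: it initiates the connection; the backup
# server never does. rrsync chdirs into BACKUP_DIR and strips the leading
# slash from the remote path, so the client simply pushes to ":/".
push_backup_cmd() {
    printf 'rsync -az --delete -e "ssh -i %s" %s backup@%s:/\n' \
        "$PUSH_KEY" "$SRC_DIR" "$BACKUP_HOST"
}

# authorized_keys line for the BACKUP server: the key works only from the
# source address, can only run rrsync into BACKUP_DIR, and gets no pty,
# port forwarding or agent forwarding, so it is useless for a shell.
authorized_keys_entry() {
    pubkey="$1"
    printf 'from="%s",command="%s %s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$SRC_IP" "$RRSYNC" "$BACKUP_DIR" "$pubkey"
}

# Egress rules for the BACKUP server: replies to inbound sessions are fine,
# but it may not open new connections toward the production network. A
# default-DROP OUTPUT policy is stronger still, at the cost of listing
# DNS, NTP and the package mirror explicitly.
backup_server_egress_rules() {
    cat <<EOF
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d $PROD_NET -m state --state NEW -j DROP
EOF
}

# Audit helper: 0 if an authorized_keys line carries a from= restriction,
# a forced command and all the no-* options, 1 otherwise.
check_key_restrictions() {
    line="$1"
    for opt in 'from="' 'command="' no-port-forwarding no-agent-forwarding no-pty; do
        case "$line" in *"$opt"*) ;; *) return 1 ;; esac
    done
    return 0
}
```

Put the output of push_backup_cmd in the source box’s cron, the authorized_keys_entry line in ~backup/.ssh/authorized_keys on the backup server, and run the egress rules on the backup server. Afterwards an ssh or mysql attempt from the backup server toward the production network should simply time out, and check_key_restrictions is a cheap thing to run over every authorized_keys file on the backup host so an unrestricted key cannot creep in later.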

Ryan, Networking

Rebuilding My Virtual Empire

December 8th, 2008

I’ve been using virtualized systems for years now and finally began using Xen. Xen, like VMware ESX, is a bare-metal hypervisor, but instead of a proprietary management OS its privileged control domain (Dom0) runs a Linux kernel. Most of the common Linux distros like Debian/Ubuntu, RHEL/Fedora/CentOS, etc. provide support for Xen out of the box. I’m used to Linux and have used it for years, so it just made sense.

Previously I had used VMware Workstation for creating test servers, etc., but that required a full host operating system. For a while I had used Windows, then Linux, but it was still clunky: I had to manually start machines after a reboot, and if I upgraded the kernel on the host I had to re-run some perl script to configure VMware. After a while I realized it was time to let go and do things the smart way, the Xen way. However, I do still use Parallels Desktop on my Mac just to have something available when I travel.

I have a custom server in my basement that I built a few years back and have modified over time. It has a 2TB RAID 5 array that I use for my network storage. It also has a dual-core AMD processor that I might swap out for a quad-core Phenom early next year. Just before rebuilding it as a Xen box, I upgraded the RAM to the maximum 8GB. Oh, and I added a 640GB drive to store my Xen machines.

I got the Xen Dom0 built the other week and have it running just enough to basically boot and allow me SSH access. This was really just a matter of doing a base install plus the Xen kernel and booting to the Xen kernel post-install. I kept the services to a minimum for security purposes and will run what’s needed off one of the DomU machines. Before I rebuilt this box with Xen, the host OS also doubled as the file and print server. This will be moved over to the first Xen DomU I create.

CentOS 5.2 comes with Xen 3.0 and, unfortunately, none of the default repos carry anything newer than 3.0. Xen 3.0 is fairly outdated and I was looking to move to a more recent version to take advantage of the new features. The only options were to upgrade/install from source or to use the wonderful Gitco repo, which has a few Xen versions built for EL5-based operating systems.

I’m now the proud owner of a Xen box! I’ve learned quite a bit so far and have gotten my first DomU created. I’ll detail that more in a later post. I’m also looking at setting up Puppet to deploy and manage my machines. That’ll probably be the second DomU that I create.

Ryan, Networking

Gigabit Routers are Crazy Fast!

November 28th, 2008

I’ve finally made the transition to my new routers at home. I don’t have anything wireless-N yet, but I bought two new Linksys WRT600Ns just for the Gigabit switches built in. I wanted the speed for when I transfer large files, and since all my laptops have Gigabit NICs I can just plug in for a few minutes if I need to transfer something. The main reason for this is that my office is upstairs and my server is located in the basement where it’s nice and cool.

I’ve been a DD-WRT fan for many years, and had been a hardcore user of the Linksys WRT54G (and later WRT54GL after Linksys cut the memory in the WRT54G). I’ve had my eyes on the new N routers, especially one with a Gigabit switch, and finally pulled the trigger the other month. I’m running a v24 pre-SP2 build (svn 10431 to be precise) and it seems to be working fine. I have my main router set up to handle DHCP and the second router forwards requests to the main one. Wireless is set up on both so no matter where I am in the house I have coverage.

I also set up a second BSSID, or virtual wireless access point to allow visitors internet access. The SSID doesn’t broadcast, but it’s open for up to 5 users if you know the name. It’s cut off from the rest of my network for security. I just got tired of dealing with people visiting and having them connect directly to my network and having to give them credentials to connect. Not cool. This was a feature of DD-WRT v24, if your router supported it. Cliff Pennock has an awesome tutorial on how to set this up.
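The isolation the guest SSID depends on, as an added example (mine, not the post’s configuration or Cliff Pennock’s tutorial): DD-WRT firewall-script rules that let the guest bridge reach only DHCP and DNS on the router and the WAN, never the LAN bridge or the LAN subnet, plus a check for the one mistake that silently breaks such scripts, emitting the catch-all DROP after its exceptions (iptables -I prepends, so the last line written is evaluated first and the exceptions never match). Bridge names, subnets and the use of the wan_ifname nvram variable are assumed.

```shell
#!/bin/sh
# Added example, not the post's setup or Cliff Pennock's tutorial. Assumed
# (hypothetical) DD-WRT layout: wired LAN and main SSID on br0 = 192.168.1.0/24,
# guest virtual AP wl0.1 on its own bridge br1 = 192.168.2.1/24 with its own
# DHCP scope, WAN interface taken from nvram at run time.
LAN_BR="br0"
LAN_NET="192.168.1.0/24"
GUEST_BR="br1"
GUEST_NET="192.168.2.0/24"

# Emit the firewall-script lines (Administration -> Commands -> Save Firewall).
# iptables -I prepends, so the LAST line emitted is evaluated FIRST: the br1
# catch-all INPUT DROP has to be emitted before its DHCP/DNS exceptions.
guest_isolation_rules() {
    cat <<EOF
# guest -> internet only
iptables -I FORWARD -i $GUEST_BR -o \$(nvram get wan_ifname) -j ACCEPT
iptables -t nat -I POSTROUTING -s $GUEST_NET -o \$(nvram get wan_ifname) -j MASQUERADE
# guest <-> LAN: dropped in both directions, by interface and by address
iptables -I FORWARD -i $GUEST_BR -o $LAN_BR -j DROP
iptables -I FORWARD -i $GUEST_BR -d $LAN_NET -j DROP
iptables -I FORWARD -i $LAN_BR -o $GUEST_BR -j DROP
# guest -> router itself: only DHCP and DNS (no web UI, ssh or telnet)
iptables -I INPUT -i $GUEST_BR -j DROP
iptables -I INPUT -i $GUEST_BR -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_BR -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_BR -p tcp --dport 53 -j ACCEPT
EOF
}

# Check a script for the ordering mistake: returns 1 if any br1 INPUT ACCEPT
# is emitted before (and so evaluated after) the br1 catch-all DROP, 2 if the
# guest->LAN FORWARD drop is missing, 0 otherwise.
check_rule_order() {
    script="$1"
    drop_line=$(printf '%s\n' "$script" | grep -n -- "-I INPUT -i $GUEST_BR -j DROP" | head -n 1 | cut -d: -f1)
    [ -n "$drop_line" ] || return 1
    for n in $(printf '%s\n' "$script" | grep -n -- "-I INPUT -i $GUEST_BR .*-j ACCEPT" | cut -d: -f1); do
        [ "$n" -gt "$drop_line" ] || return 1
    done
    printf '%s\n' "$script" | grep -q -- "-I FORWARD -i $GUEST_BR -o $LAN_BR -j DROP" || return 2
    return 0
}
```

Run check_rule_order over the script before saving it to the router; from a guest client, a ping or browser request to 192.168.1.x and to the router’s own web UI should then fail while DNS and the internet keep working. Note that the LAN-side drop also has to be by address (-d), not only by output bridge, so that a guest cannot reach a LAN host through any other path the router happens to have.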

I’m quite content now that I have everything working as expected and my network is blazing fast. Now I can get back to working on my Xen server and building virtual machines!

Ryan, Networking