Nexcess Blog

Posts by: Brad

A computer scientist deeply involved in Unix/Linux systems, networking, and electronics.

Four Ways to Win at PCI Compliance

October 5, 2017

If you’re an online merchant and your store accepts credit cards as payment, then you’ve probably already heard the term PCI compliance. If you haven’t, then start here, and then come back to this post.

The Payment Card Industry Data Security Standard (PCI DSS) was created by banks and credit card companies to protect their cardholders. Failing compliance can result in fines ranging from $5,000 to $500,000. Add to that the probable loss of consumer confidence, civil litigation, and suspension of credit services, and the cost of ignoring PCI compliance far outweighs the inconvenience of maintaining it.


Posted in: eCommerce, Security

SSLv3 Support to be Disabled due to CVE-2014-3566 (POODLE)

October 29, 2014

We have been following the recently discovered vulnerability known as CVE-2014-3566 (popularly referred to as POODLE). This vulnerability affects the SSLv3 protocol, which is supported by most Nexcess servers. SSLv3 (also known as SSL 3.0) is an old and outdated Internet cryptographic protocol that was designed to secure connections for various services, including HTTPS. While more modern protocols such as Transport Layer Security (TLS) have generally replaced it, SSLv3 has remained available on most systems to allow fallback compatibility with older legacy software.

POODLE itself is a man-in-the-middle type of attack. This type of attack is difficult to exploit, and we have seen no cases or evidence of it affecting any of our systems. Regardless, we have chosen to disable SSLv3 on all of our systems within the coming few weeks. Unfortunately, this necessary step may cause compatibility problems for users of old browsers (specifically Internet Explorer 6 on Windows XP). Any clients using IE6 who attempt to connect to a site with SSLv3 disabled will not be able to do so.


Posted in: Nexcess

CVE-2014-0160 (Heartbleed) Patched on Nexcess Systems

April 8, 2014

As of 1:45 AM EDT on April 8, 2014, all Nexcess managed systems vulnerable to CVE-2014-0160 (Heartbleed) were patched. This security vulnerability is widespread, affecting multiple operating systems globally, and is not a Nexcess-specific issue.

CentOS released an official OpenSSL patch removing the recently discovered vulnerabilities, and OpenSSL was upgraded seamlessly. However, all services linked against the older vulnerable version of OpenSSL had to be restarted to pick up the newly patched OpenSSL library. These services include Apache, PHP-FPM, InterWorx and mail services (imap4-ssl, pop3-ssl, smtp, smpt2), and there was a very brief service interruption as these services were restarted.

The online Heartbleed testers such as http://possible.lv/tools/hb/ simply connect to the server and check whether the heartbeat feature is enabled. The CentOS patch installed on our systems (https://bugzilla.redhat.com/attachment.cgi?id=883475) actually fixed the bounds-check issue rather than simply disabling the heartbeat feature altogether. This means that, while the system is indeed patched, the online checkers will still report the system as vulnerable: they cannot tell whether you are running the patched version or not, since there is no known PoC to test against.

Posted in: Linux, Nexcess, Security

Accuracy, Resolution, and Precision

April 24, 2013

Accuracy, resolution, and precision are easily confused parameters used to describe the performance a system is capable of. While working on a recent temperature monitoring network using digital temperature sensors made by Texas Instruments, I had several choices on how much accuracy I wanted the system to have. Upon further reading, I realized that I could control the accuracy of the system to some extent; it was resolution that was out of my control. Resolution and accuracy seemed synonymous at first glance, but they are actually very different things.

Resolution is simply the smallest change that can be measured. In the case of my temperature sensors, their resolution is the smallest increment of temperature change that the sensor can detect. When choosing a temperature sensor for an application, the needed resolution must be considered when selecting the actual component. For simple ambient air temperature monitoring, ±0.5°C would be more than adequate, but most modern sensors can far exceed this specification.

Posted in: General, Nexcess

Troubleshooting Tips For a Failed Site-To-Site VPN Tunnel

February 7, 2013

Troubleshooting a site-to-site VPN tunnel that is not working can be a difficult task. Luckily, most VPN appliances provide ample debugging information for you to diagnose the issue. When viewing this debugging information, a good set of steps can be followed to isolate the exact problem without wasting time. These steps are listed here and can help streamline the troubleshooting process for you.

We use Juniper VPN hardware on our side here at Nexcess and have successfully created tunnels to just about everything, including Cisco ASA and PIX, Checkpoint, Sonicwall, Netgear, and Zyxel, to name a few. From a troubleshooting standpoint, it doesn’t really matter what device you are using at each end of the tunnel as long as there are no known interoperability issues between the two. While setting up these tunnels, issues have come up, and as a general guideline there are basically three things that you should look for when a tunnel fails to work as expected:

Posted in: General

Possible APC Vulnerability Fixed on Shared Servers

September 12, 2012

An issue was identified on newer shared servers (including shared SIP and shared OBP servers) that use PHP-FPM along with APC as an opcode cache. This issue had the potential to let clients see other users’ private data within the APC user cache, if and only if a user had chosen to use the APC user cache within their application and was storing data there. The only case where a user would have been using the APC user cache is if they had manually set it up themselves. We have never recommended using APC as a user data cache; Memcached is a better and more secure solution for users’ applications.

Posted in: Nexcess, Security

PCI, Magento, and Storing Credit Card Information

March 30, 2012

The question of whether you can store credit card information within Magento comes up a lot here at Nexcess. The answer is unfortunately not very clear when looking elsewhere, including on the Magento website. To clarify the answer, a few things need to be understood, including the difference between PCI-DSS and PA-DSS compliance.

PCI-DSS is the compliance of your entire online environment, which includes your systems, practices, software, etc. This is the standard that is required to be able to process on-site payments. Magento IS PCI-DSS compliant when the rules of PCI-DSS are followed, which include:

– Build and Maintain a Secure Network
– Protect Cardholder Data
– Maintain a Vulnerability Management Program
– Implement Strong Access Control Measures
– Regularly Monitor and Test Networks
– Maintain an Information Security Policy

Posted in: Magento, Security

Choosing a Load Balancing Solution

January 13, 2012

When a website reaches the point where a single web server can no longer handle the amount of traffic to the content or services it provides, you must find a way to reliably distribute its load over two or more individual web servers. This type of service is called load balancing: a specific device or service accepts connections, processes them using a balancing algorithm, then directs each incoming request to an available server out of many to handle it. To perform load balancing, there are a few options you can choose from. DNS load balancing is possible, but not widely used. Software-based load balancing, where software on a Linux server performs the balancing of requests, is a powerful and reliable method of distributing load. Hardware load balancing, where a dedicated hardware device handles the load balancing, can be used for advanced applications and needs.

Posted in: Nexcess

Testing Network Performance and Throughput with Iperf

November 4, 2011

Scenario 1: You have two servers located a large geographical distance apart, say one in the US and the other in the UK. You are copying a large file between these two locations via scp, but you are only averaging 200Kbps. You know it should be faster and want to increase the TCP window scaling size according to the bandwidth-delay product, but you want a reliable way to test the changes easily to see whether there is any improvement.

Scenario 2: You have a local two-server gigabit network where each server has a good GigE network card connected via a good gigabit switch. You want higher transfer speeds between the servers and are considering enabling jumbo frames on the servers and network switch, but you need a way to verify that the changes have actually increased throughput.

Scenario 3: You use VoIP for your phone system and have a remote office that has terrible call quality to your Asterisk server. You think the network connection is to blame but need a way to measure the amount of jitter and packet loss.

Posted in: Linux

Monitoring Linux Bandwidth Utilization with IPTraf and Iftop

October 4, 2011
I often find myself needing a simple tool to diagnose TCP and UDP connection issues in real time. While tcpdump is an excellent tool for debugging issues at the packet level, a higher level tool is often better to diagnose network flow and bandwidth utilization. There are two that I have found that work very well for this type of debugging.

The first is IPTraf, an IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, and IP checksum errors. IPTraf is part of the CentOS distribution and can be installed on any CentOS 5 server via yum:

Posted in: Linux