New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/why-sites-hosted-outside-of-chinahong-kong-will-never-succeed-based-on-accessibility-alone/

Why sites hosted outside of China/Hong Kong will never succeed based on accessibility alone.

We’ve seen this many times and will add one more vector that some are not aware of and this is also in general for overseas users and websites but especially pertaining to the internet in China.  One thing about China whether you are talking about China Unicom, Telecom, Mobile etc… the experience, speed and international connection will be different in all areas of China.  This is a big risk in a sense, we’ve had clients say “from our office in Guangzhou our USA website loads fine”, but how about other areas and cities of China?

We’ve had clients come to us puzzled saying they receive reports that their site hosted outside of China is loading slow or not at all.  This does not mean it is blocked by the GFW by default, in most cases it is simply a routing and bandwidth issue and this varies by Province and City.

Now imagine the same issue for us here in North America, imagine if eBay was always loading slow or not at all ?  You wouldn’t use it even if you had a good impression.  The feedback from China on not being able to load a site properly is that they perceive it to be an issue with the company since all of the other sites they use in China load fine ,they don’t realize this.  If your site doesn’t load fast in China your chances of attaining clients from China are virtually 0 as they would just move on to another site that does load properly.  Just like many Chinese companies do not realize their site hosted in China may not load well for the rest of the world.  It’s a huge issue that costs business that even some in IT are not aware of until they travel in China.

The Google Factor That Is Often Overlooked We always advise to try to keep everything loading from your own server and not third parties.  A good example of this is that a site may not load properly just because of issues connecting to Google.  A good example is using Google Font APIs, this has caused sites not to load until the connection times out (often several minutes).

The solution is to download the CSS code to your own server.

And most importantly if you have an audience inside and outside of China, it is worth hosting directly inside China.  When not possible due to ICP or other issues, we recommend Hong Kong.  It is the only location directly connected by land to Mainland China and the ping can be as low as 10ms to Shenzhen, China.  But beware to choose a provider with “direct peering and routing into China” as many companies in Hong Kong actually do not have direct connectivity to China and end up routing through the USA (which defeats the purpose of Hong Kong).  When hosting in Hong Kong on a server that has a direct route to China, this can solve virtually all of the issues.

The above is simply a must if you are targeting users in China.

The Creative Solution

A quick and easy solution we’ve implemented many times is simply to move the DNS to Hong Kong and user a caching proxy as a sort of CDN and this essentially gives most users in China the same experience as if your site were hosted in China.  The beauty of this solution is that no real migration aside from DNS is necessary, your backend data and site can still remain in the USA or where it is really hosted, and you could still use alternate hosts or direct IP access for direct access to the real backend server.

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/what-now-my-hosting-company-is-not-an-it-company/

What Now? My Hosting Company is not an IT Company?

There is a huge difference between just a “Hosting Company” and an “IT Company that provides in-house Hosting”.   The most common time to learn this is ironically when things go wrong and your site is down and your business is sustaining losses.

This is not something they teach you in Business 101, but is something that would probably be apt.  Perhaps the best way to explain the difference is to mention some real life examples.

Client ABC is with XYZ Hosting Company and their business runs off their services.  Client ABC brings us concerns about their Hosting with XYZ company due to various performance issues and perceived downtime that is impacting their business.

Client ABC contracts our company to get to the bottom of the issues.  Half of the time we find that the Host is not at fault, but the Client is simply a victim of their own success (eg. an overloaded server) and they are on a package that simply cannot sustain their business needs and amount of usage.  Often upgrading is not the answer but sometimes it is.  If we see for example high CPU usage, we may recommend more RAM or more CPU cores depending on the situation and analysis from our test lab.   From there we make recommendations and advise their best course of action depending on their budget and situation.  The most frequent approach often means creating a comprehensive IT business plan and implementing it, whether that be separating their database from their web server and other functions, to redesign, performance tuning, overhauling their code etc…  An IT provider is like a Digital Contractor for your online business.

The real question is why would a client of another Hosting company come to us?  There are many reasons, but primarily a lot of businesses don’t understand the difference.  In fact most Hosting companies are simply that, a hosting company, they are not there to redesign your database, troubleshoot your scripts, or interpret your business requirements.  They are essentially your virtual landlord, they provide what you pay for, if what you pay for is being provided properly and you have issues with your server or site, this is where you need to have an IT team of your own or outsource for consulting help.  A Hosting company is not going to have the foresight or expertise to advise you of your overall IT situation or even try to prevent pitfalls in your online site because it is not their line of business and not what you are paying for.

That’s where a full-IT company that provides Hosting can offer you a lot of assistance.  Being familiar with, IT business and hosting is a must for any serious consulting company who offers service to online businesses.  However, finding a company which does it all and from in-house is often why we are sought out.  Even if you do not go with our service, we constantly advise that you need a full-time IT time whether in your company or outsourced to another provider.  It does make a lot of sense if your IT provider can also provide hosting services.

One benefit is simply having to deal with one firm and having no delay in the IT side accessing your hosting/infrastructure to correct issues.  Imagine if company ABC has Hosting with one company and outsources IT with another.  Or more often, no IT provider and their local IT staff is away and they have a serious issues with their online IT infrastructure.  This often means even if the business finds an IT provider, the provider cannot even begin to help or investigate until a certain staff member has come back from vacation or leave.

The take away from this is to be aware what your business is paying for and make sure you have an IT behind you.  If you separate your IT from your Hosting make sure the two can get in touch or have express permission to gain access to do their job, or make sure the staff member has left information and details with someone in your management, especially in case of an emergency.

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/the-number-one-question-to-ask-your-cloud-vps-hosting-provider/

The Number One Question To Ask Your Cloud VPS Hosting Provider

This is a question that is rarely asked or considered and has both huge operational, performance and security implications.  Some providers acknowledge the issues behind them but largely have not resolved or them or found any workable solution.

This one question is one that will make most network and sysadmins cringe.

Do you use Shared Storage?

The nature of Cloud generally makes this a “Yes” but there are many ways of implementing this with completely different security, reliability and performance implications.

This is referring to the most common Cloud VPS architecture today, the basis is shared-central storage, also known as a SAN (Storage Area Network). Typically companies get a “storage node” or server, it will be connected in various ways and have a large amount of hard drives.  Sometimes 10gbit ethernet or fiber channel.

However, this introduces many issues in the delivery, reliability and security of such Cloud based products.

On a practical and performance note it naturally leads to the next question you should ask.

How many people are sharing the same storage?

In all fairness, some providers or especially sales may not know but this is definitely not a good thing.

If you aren’t getting firm stats, it is fair to say the Shared Storage Node is probably overloaded.  In practice we are aware of a typical node sharing anywhere between dozens, hundreds of even thousands of users.  Even the best, fastest ,most expensive storage nodes can keep up with the bandwidth requirements if all Cloud servers are very busy or active on the Disk IO front.  There are other issues too, sometimes a single Cloud Node (the server you share with others) will overwhelm it’s bandwidth even if the Storage Node is fast enough.

Make no mistake, an expensive Storage Node even with SSDs will not produce good performance when overloaded.

How reliable is Shared Storage?

Shared storage is only as reliable, as the architecture, planning and competence of the administration behind it.  But with all things being equal there are a few significant risks present that cannot be accounted for.

What if the shared storage node goes offline?  If this happens all Cloud servers running off it instantly go down and their underlying businesses grind to a halt.

What could cause the node to go offline?  Many issues, whether as simple as power supply failure (even with dual), memory failure (even a single bad stick of RAM could cause this), user error, hacking, a failed switch or network card etc..

What can be done to protect against this?  Some companies will have redundant storage nodes, so it may be possible to bring the other back online but it often does not happen or does not come back for whatever reason.

What Other Issues Should be Noted?

Redundancy cannot do much if the node is hacked or is data is damaged or deleted for any reason.  In fact we’ve seen some peers shut down over this, how do you recover if all of your clients servers go down?   The answer is often not.  In another case we were told in confidence, a peer company had a junior admin make a mistake and deleted the entire storage nodes content.  That is not the only risk, we’ve heard a story of a junior admin simply setting a default weak password on the node, it was hacked and all data was lost.  More times than company’s realize, these Storage Nodes are left exposed to the public internet with little or no security.

Are We Going Back In Time?

Some have noted that with some Cloud, it may actually be worse than the Shared Hosting that a lot of people moved off of.  We are no advocate of Shared Hosting, but Cloud done wrong or overloaded could be even worse than the old, traditional shared hosting.

How About Security Issues?

Aside from other issues we’ve discussed there are some company’s who distribute your server to multiple datacenters without your permission.  What if your data or content is legal in one country but not another, or what if putting it in a certain country puts your business at risk for espionage?

This cannot be ruled out, especially among those who have physical access to the storage node and/or remote access.  To make things even worse a lot of Cloud Providers are not really providers at all, but simply resell so they actually have no idea or control over their client data.

It should also be noted that in many countries, you should expect that the provider has given a third party, government entity backdoor access to the shared storage.  This could not only be an issue for your company but client’s who are using your service.

This is just a quick note that in the IT industry, we should all rethink the implications behind Cloud and know there is a lot happening behind the scenes which could be a huge risk to your business.

It all comes down to knowing your provider, asking the right questions and being satisfied that your risk is remote and mitigated.

What is compevo’s Approach?

Our approach is that we do it all in-house so we can guarantee the security of our client’s data.  In terms of our Cloud implementation, we were the first provider to do it differently.  We do not use Shared Storage Nodes, due to the performance and security issues that arise from it, however our Cloud still has all the benefits intended with our proprietary in-house solution.

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/vps-down-who-pulled-the-plug/

VPS Down! Who Pulled The Plug?

This is something we have never seen but nevertheless interesting and something all admins and anyone on a Linux/Unix based machine must be careful and aware of.

We got a ticket from a client worried that something was wrong with their server, they were installing something when it suddenly went down.  We checked and their hostnode(s) and Cluster were up without any issue, but indeed the server was powered off for some reason.

We checked the logs from their server and will share this interesting excerpt:

mc root bin daemon adm lp sync shutdown halt mail news uucp operator games nobody

The above were literal commands being typed.  Our guess is somehow a script on the client end gone wrong that iterated through /etc/passwd and accidentally executed those names as commands.

The only problem command at the end of the day was “halt”, enter that command and your VPS/Server will indeed power off and this is what happened.

It is a good reminder that often it is the strangest but most basic answer when things like this happen.

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/reality-of-data-storage-management-in-it-and-server-hosting-environments/

Reality of Data Storage Management in IT and Server Hosting Environments

Things have changed a bit over the years, with the advent of large and cheap storage, many businesses of all sizes have simply increased the burden and challenge of managing so much data.  In fact, it is and can practically be a full time job for some IT staff who are overstretched with daily tasks and projects, creates a recipe for disaster.  Yes, backups that don’t happen or don’t work are still commonplace and we often hear about it from our clients after they discover through either a mistake, bug and/or set of strange and unexpected circumstances that for whatever reason their backups were not being performed properly.

What Types of Data and Backups Are Critical?

This depends on your business type, but for starters we usually tell our clients in general to look at the following issues.

E-mails, e-mails, e-mails (and often that becomes a new project where we have to migrate them off an insecure e-mail or free-mail system they’ve been using simply because it was convenient).  E-mails need to be archived and backed up for not only legal reasons, but practical ones.  Often times valuable information such as who helped with X task or project or may have critical information that no one else knows is hidden in the archive of company e-mails, whether or not the employee is still current (and we have seen employees tracked down and rehired in these cases).  There are also other issues the business may have with regulators or clients and a dispute occurs, this is all the more reason to have that archive as it can often settle disputes and misunderstandings very quickly.

Accounting data is an absolute must, everything from receipts, full ledgers etc should be archived for legal reasons should the need for an audit be required.  Many companies often think of the government first, but often times there is forensic analysis done and fraud or other corporate crime is uncovered and often the financials/accounting will provide valuable and crucial information.  There are also more practical reasons with things as simple as a client needing all receipts for various reasons such as insurance etc.

General Data would be any files, documents, pictures, spreadsheets etc.. that are a part of your business.  The tricky part becomes ensuring all data is stored in a central location or at least in a uniform way, such as on certain workstations or other devices that push the data to a backup server (or a pull) as long as there is some accounting done to make sure it is happening.  The most simple solution is a corporate VPN and fileserver to all work is performed there, and if not possible all the time, there should be a standard protocol and backup application that synchronizes all work to a central backup location.

Where should data be stored?

This is an issue often overlooked and it can render backups useless or as good as never having any.  We recently had a client who had full, complete and working backups but lost everything.  Due to a natural disaster their backups were all lost which is not so unlikely especially for hard disks (they are extremely vulnerable to shock and other elements).  It wasn’t a bad idea to have local hard disk backups on a fileserver, but unfortunately their management thought “off-site backups are unnecessary and too pricey”.  Of course this is hindsight to the decision makers, but what is the cost of backing up all data remotely vs losing precious operational data and the resulting downtime?  Also consider that remote backups should be on another continent to rule out a single and large disaster taking both your location and your backup location down.

How should data be stored?

As we alluded to above you should not only think of where your data is stored but how it is stored.  At this time SSD is quite not affordable enough for large scale data hosting, except to those with an extremely large budget.  One thing we often suggest is to use BD-R (Blu-Ray discs) as they can last extremely long and as long as they are not physically damaged the data will be preserved.  In fact some of our staff and clients have CD-Rs from 1999 that still work fine to this day, it all comes down to the quality of the media and perhaps just as important, how they are stored.  Even better, BD-Rs cannot be erased so there can be no accidental deletion.

First Steps In Securing Your Data

Your IT team should ensure they have identified the issues above and accounted for backups, and fill in any holes that have been left open.  The most important thing is to have remote backups with another provider in different continents and to be sure of what is actually being backed up on a regular basis.

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/what-are-the-best-locations-for-vps-and-dedicated-server-hosting-in-asia/

What are the best locations for VPS and Dedicated Server Hosting in Asia?

We get this question nearly every day with people facing the tough question of where in Asia to host.  The simple answer is that it depends on your budget and what market you are primarily intending to reach.

It is important to remember that virtually everywhere in Asia, there are significant differences in the type and quality of bandwidth, with bandwidth traditionally being local and higher prices are commanded for the very expensive overseas bandwidth.  In Asia you get what you pay for so it’s important to make the right choice.

Hosting in China

The majority of enquiries we get are about hosting something in China.  If you are hosting web content you need an ICP license which is not hard if you have a contact in China but otherwise Hong Kong makes more sense.

However, even direct connectivity to Hong Kong can be almost as good as being in China, in some conditions it is still not as good so try hard to get into China if you can.

China arguably has better pricing on international bandwidth and perhaps more diverse peering, but also suffers from more congestion than some other areas of Asia.

Hosting in Hong Kong

Hong Kong is a great alternative to China and perhaps one of the best areas in all of Asia to host.  If not for one reason, some Hong Kong providers (including us) have direct China peering, it is a huge plus.  On top of that if you pick a good provider you can get access to great international bandwidth to China and the rest of the world but do your research careful.  We have seen many types of setups in Hong Kong, everything from local to Hong Kong, to routing to China via the US (much cheaper but much slower of course!).  Then there are some foreign providers that have connectivity there, however almost everything goes through Tokyo which is again bad for most of the rest of Asia.

Hosting in Singapore

Singapore is a very hot market with strong demand and is similar in many ways to Hong Kong.  It is not at all a bad place to host, but unless it has direct routing to Hong Kong or China, it may not be as ideal. The final answer depends on your audience and how important the HK/China market are you to your strategy.

Hosting in Korea

Korea is another great place but further out in Asia and has great international routing and bandwidth.

In some scenarios it has good speed and ping to China, especially if you are on Korea Telecom, however most providers do not use it and this means your route may not be direct to China.

Security

When it comes to security we would rank China and Hong Kong #1 and #2, respectively, your data is extremely safe and secure there from the hands of foreign entities and governments.

Conclusion

We hope this gives you some background on the pros and cons of different parts of Asia.  Stick with what makes sense most for your business, goals and targeted audience.

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/60million-bitcoin-heist-from-bitfinex-exchange/

$60Million Bitcoin Heist from Bitfinex Exchange

Security is paramount in the financial world and Bitcoin is no exception, although banks get robbed and defrauded each day as well, there is a lot more attention surrounding virtual currency.  However, these stories are captivating because Bitcoin has no centralized management and is still attractive to this day for users and businesses.

The first thing we will point out is that there are some in the security community mentioning that many dubious heists in the past have been suspected or confirmed insider jobs.  Bitfinex is facing the same scrutiny by some in the industry.  It would honestly be hard to pull off a job like that without some intimate and detailed knowledge of the system.

There are only two possibilities to consider in these situations which is if there is insider information was it through hacking/social engineering or did someone inside give them enough information whether knowingly or unknowingly?

Should it be a true and if it was a security compromise due to a compromised staff member, this is a hard lesson learned throughout the world that it is difficult to maintain control when so many people have access to certain information or the ability to perform transactions.

There are many ways to mitigate the physical and virtual hacking risk but it’s too soon to say what did or didn’t go wrong until more facts about what happened are revealed.

This also highlights one problem with Bitcoin, which is that with the blockchain being so large (at least 80GB at writing), it is impractical for many users to manage their own wallet.  When you use online services or exchanges to hold your wallet there is always the chance that your Bitcoins could be stolen in a heist like this because it’s an attractive target and with less risk than physically robbing a bank.

Of course it’s possible you could have your coins stolen in your personal wallet at home or hosted privately, but thieves will always strike large and attractive targets such as exchanges.

Perhaps one day there will be a central exchange or a number of trusted exchanges (similar to the idea of root DNS) that can all be queried to check the legitimacy of a transaction without the user having to have all of the data on them (eg. all 80+ GB and growing).

Whatever the outcome we don’t expect Virtual Currencies to go away and suspect some sort of centralized authorization or verification system will be used in the future.  Even, so like with physical currency there will always be theft and fraud, and users will have to constantly keep on top of security issues just as you would for your physical wallet.

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/vps-and-dedicated-server-hosting-comparison-by-downtime-experience/

VPS and Dedicated Server Hosting Comparison by Downtime Experience

We felt compelled to make this blog post about a recent client experience we had, where they left a very well-known hosting company because the host truly had no expertise to help them.  When things go right everyone is happy, but when things go wrong this is where you learn how much or little your host and/or IT company can really do for you.  It’s when our clients truly learn the value of a full-fledged IT services provider, vs a provider that is not able to do troubleshooting or any out-of-box troubleshooting.

Our client’s experience with the other host went well enough at first, but when it came time to migrate a Dedicated Server running their own OpenVZ instances to newer hardware and a different architecture, that’s when things went wrong.  In some ways we do not blame the host, but our way of handling client tasks is much more hands-on and planning based.  However, if you are with most other hosts, they simply often don’t have the time or resources, or knowledge to focus on your task (and in all honesty some would rather have a client leave if their issue is too complex).

This is where marketing in the hosting industry can do a disservice to the client, who may have a false sense of security or comfort in features such as “live migration” or terms like “redundancy”, making people believe they have the integrity of a Clustered Service when they do not.  According to our clients coming from other hosts, the most common issue with downtime and dataloss comes from hardware failure in centralized Cloud storage or a non-Clustered node.  Unless you have a Clustered service any issue with your hostnode will cause downtime and possibly dataloss, however our customers using our Clustered Service have never experienced this.

Online Live Migration often works well in OpenVZ, but this depends on a few factors.  First of all the architectures must be the same x86 vs x64, and the kernel’s on OpenVZ must be a match, if not you will get a HZ error or swappages error and the live migration will fail.  Even if those factors aren’t an issue, how do you live migrate a constantly changing VPS Container whether this be log files changing, web access, database etc..  The answer is that you can’t really, it almost always fails.

The client who came to us found this out after several hours of downtime a day while their host attempted to migrate offline.  There is a bit of trick in OpenVZ you can do but this is not a built-in features, it takes experienced system administrators to oversee it.  Essentially yes you will be doing an offline migration in some cases but how can you minimize downtime?  You can rsync the private directory several times and in the final run (preferably a time of night or morning when their is minimal user activity), you shut down the source node, do a final rsync (remembering to copy the relevant .conf files) and then restart on the new node (keeping in mind to script in any different settings or parameters that the new node will need).

As you can see above Live Migration is not quite what the industry would have you believe, there are limitations and it takes some planning, skill and experience to pull things off smoothly.

How does compevo handle migrations?

We would handle things the most practical way as mentioned above, but there is still a better alternative for our clients who have Dedicated Servers with us in a Clustered Configuration (essentially a Private Cluster).  Our Clustered VPS and Clustered Dedicated service is setup in a node for node configuration.  The idea is that there is never centralized share storage and if anything happens to a server in the cluster, there is no downtime or data loss.

This feature becomes more invaluable in the case of migrations and wanting to upgrade your hardware, rather than migrating this becomes much easier (although some planning is still necessary).

Our Clusters can migrate all of your VPS’ on the node to the standby node (which always has an identical copy of your data).  It is not really migrating in this case by telling the other cluster to takeover operations without downtime.   You can then quickly take down the server that is not active, upgrade the hardware and it will automatically join the Cluster.

One of our clients said they wished they knew about our Dedicated Clustered service as their company has spent a small fortune doing frustrating migrations with downtime, user and client complaints dealing with another host.

This is another example of why where our clients feel we excel because we are full-fledged IT provider, and we can troubleshoot and find creative solutions that most of our competitors in the hosting industry cannot.

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/switching-your-site-to-ssl-read-this-first-before-breaking-your-site/

Switching your site to SSL? Read This First Before Breaking Your Site

Switching your site to SSL sounds like a no brainer but we’ve helped a lot of clients solve unforseen issues with it.  Here are the top issues we commonly see that are service impacting.

1.) Images and/or video not displaying because it is not being called through SSL.  Your browser will not usually explicitly tell you they have been blocked but will let you know some secure items have been.  Unfortunately we wish the browser would show a place holder you can click letting you know an image or video is there but is not secure.  Even that is not ideal.

2.) Important Post Back application such as merchant API calls, PayPal, shopping cart is being passed back by non-SSL.  Most webmasters just redirect all requests for non-SSL to SSL, no problem right?  No, big problem because a post to an important URL will no be preserved and will break whatever important function is behind it.  To fix this, it will involve auditing all of your current on-site and off-site scripts that interact with the URL/domain you want to convert.

3.) The customer does not have a dedicated IP address to actually support their SSL certificate.

4.) Issues with WWW and non-WWW SSL requests not being secure and prompting a warning from the browser.  You can’t redirect SSL properly if your certificate is not a wildcard or does not have “Certificate Subject Alt Names” or SAN.  Our SSL certificates support www and non-www by default for no extra cost which is important if you receive requests to both hostnames.

5.) The customer is not sure how to install the SSL certificate and requires assistance.  With our service we do provide free install to most major control panels and for all of our customers.

https://compevo.com/SSL_Certificate_Providers_Review_Comparison_and_Installation-157-articles

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/wordpress-hosting-performance-issues/

Wordpress Hosting Performance Issues

WordPress is by far one of the most popular blogging platforms but also one of the most complex in terms of protecting from attacks.

One example was a client who kept upgrading his package with another provider until switching to us.  He paid us to consult and look into why his site was slow and not responding properly.

The answer was surprisingly simple, the XML RPC script “xmlrpc.php” was being exploited with thousands of requests per second.  It actually caused the client’s VPS to slow and eventually crash with running out of memory. No amount of memory would ever be enough, and would just buy time.

We advised the customer of the issue and that we don’t fault their previous host as the service itself was stable, but their server wasn’t able to handle the load due to the attacks.

This is one thing that we try to educate our clients with when it comes to issues that are often not a provider’s fault but may appear to be if you aren’t technically savvy.  We’ve had clients on our end who had to keep upgrading simply due to how much RAM their WordPress blog consumes, a lot of them cited no changes on their end but the issue of course is that all the server cares about is if it has enough resources to operate as required.  In many cases, it does not take much traffic to overwhelm or overrun a VPS server’s memory.  For this reason we’ve actually converted some clients away from WordPress if they just wanted a basic CMS system and don’t need some of the plugins.

The main thing that makes WordPress in our opinion is the fact it is so versatile with so many plugins and features, but it is also a hindrance when some of them lead to higher RAM requirements.

We consult on similar issues with clients hosting with us and elsewhere on a regular basis and we can’t stress enough to reach out to your provider for assistance if you are having issues with performance, the answer may surprise you or you may find your blog has been under attack.  At the end of the day proper consultation will save you money and time.

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/edac-ramdimm-server-ecc-codes-guide/

EDAC RAM/DIMM Server ECC Codes Guide

There are many results on the net about this but not many comprehensive guides about how to deal with EDAC errors, what they mean, how bad they are and most importantly how to find which RAM/DIMM chip is responsible for the error (very important in a high availability and mission critical environment).

This is the benefit of ECC RAM over the old style or non-ECC Desktop RAM, errors can be corrected without causing a crash and they usually give you a good warning or heads up when a stick of RAM is going bad.

Examples of EDAC errors on a Centos 6 Linux Server

Apr 10 13:10:35 evodal11 kernel: [2067900.686028] [Hardware Error]: MC4 Error (node 1): DRAM ECC error detected on the NB. Apr 10 13:10:35 evodal11 kernel: [2067900.686141] EDAC amd64 MC1: CE ERROR_ADDRESS= 0xbd7198020 Apr 10 13:10:35 evodal11 kernel: [2067900.686212] EDAC MC1: CE page 0xbd7198, offset 0x20, grain 0, syndrome 0xbf41, row 6, channel 1, label “”: amd64_edac Apr 10 13:10:35 evodal11 kernel: [2067900.686218] [Hardware Error]: Error Status: Corrected error, no action required. Apr 10 13:10:35 evodal11 kernel: [2067900.686322] [Hardware Error]: CPU:6 (10:8:0) MC4_STATUS[Over|CE|MiscV|-|AddrV|CECC]: 0xdc20c000bf080a13 Apr 10 13:10:35 evodal11 kernel: [2067900.686436] [Hardware Error]: MC4_ADDR: 0x0000000bd7198020 Apr 10 13:10:35 evodal11 kernel: [2067900.686493] [Hardware Error]: cache level: L3/GEN, mem/io: MEM, mem-tx: RD, part-proc: RES (no timeout)

In plain English the above is saying there has been a hardware error “CE” (Correctable Error) and that “no action required” since it was corrected.  However our policy is that if these are numerous or flooding your console the DIMM is about to die and must be replaced.  If it happens a few times a day it is likely nothing to worry about, however if it happens with increasing frequency then the DIMM should be replaced.  This is where EDAC CE errors are useful to know, as they are a prediction of how healthy your DIMM is and usually most fatal UE (Uncorrectable Errors) that crash your server can be avoided by taking quick action when you see these errors.

As you can see above it doesn’t say anything about the channel or csrow but in the case of Centos the CPU:6 and the MC1 part indicates the error is with the second memory bank (as MC0 is the first bank).

CPU:6 in this case can be interchanged as csrow6 means, memory bank#2 and slot#7 (since CPU sockets, RAM slots, memory controllers etc.. start counting at 0 the csrow6 means slot#7).

A very important tool edac-utils

It is available under Centos as “edac-utils”.

Here is an example of running edac-utils to identify which DIMM is causing the errors and an explanation:

[root@evodal11 ~]# edac-util mc1: csrow6: ch1: 11 Corrected Errors

mc1 is Memory Controller 1 (or in this case literally the #2 second memory controller).

csrow6 in this particular server would be slot #7 on memory controller/bank#2 (usually associated with the respective CPU or in this case it is tied to CPU#2).

mc0 would have been the first Memory Controller.

BIOS and bad DIMMS

Often your BIOS will warn you about this and even disable the bad DIMM at some point due to “multi-bit ECC” errors.  If this is the case NEVER re-enable the DIMM or clear the list of bad DIMMS because your server will not post, and even worse unless you recall which DIMM was bad you will have to remove each DIMM until the server posts in order to find which one was bad.

Conversely if you have replaced a bad DIMM you will need to clear the list of bad DIMMs for it to be recognized.

Conclusion

Dealing with EDAC/CE errors is easy as long as you have the right tools and know how to read the errors, you can prevent fatal RAM failures by replacing problematic DIMMs before they fail, while saving time and money on your dedicated server maintenance and operations.

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/domain-registrar-renewal-hijack-scam-warning/

Domain Registrar Renewal Hijack Scam Warning

Domain Registration renewal hijacking is nothing new, and it is dangerous because you could end up accidentally transferring your domain to a third party or provide your information to hackers/phishers.

We have seen numerous examples of this over the years with increasing frequency and we have been receiving reports from our customers and even other third parties asking us for assistance in deciphering if these e-mails are legitimate (which they are not).

For people who regularly deal with hosting or manage domains this is fairly easy to see that it is not legitimate and is not a renewal message from your registrar.  However, it appears the senders bank on the fact that many non-technical people will receive this kind of message and will probably not know it is not authentic.  The fact that the e-mails continue is likely proof that this is an effective method that is deceiving people and that they are either being scammed or transferring their domain to another party (or at least to new expensive registrar located overseas).

Known Domains Used (they use multiple domains and will likely continue registering and using new domains):

megservdom.com

filesaser.com

In all cases these domains seem to be registered in China.

A copy of the e-mail in question with the subject line “compevo.com” (or “yourdomain.com”):

  ATTENTION: IMPORTANT NOTICE

Domain Registration Service SEO Company Notice#: 543167 Date: 03/11/2016

EXPIRATION NOTICE

DOMAIN: compevo.com Notification Purchase Proposal

EXPIRATION PROPOSAL DATE: 03/19/2016

To: DOMAIN ADMINISTRATOR, COMPEVO 555 WEST HASTINGS ST VANCOUVER BC, V6B 5G3, CANADA

Domain Name: Registration SEO Period: Price: Term: compevo.com 04/02/2016 to 04/02/2017 $61.00 1 Year

SECURE ONLINE PAYMENT

Domain Name: compevo.com Attn: DOMAIN ADMINISTRATOR

This important expiration notification proposal notifies you about the expiration notice of your domain registration for compevo.com  search engine optimization submission. The information in this expiration notification proposal may contain confidential and/or legally privileged information from the notification processing department to purchase our search engine traffic generator. We do not register or renew domain names. We are selling traffic generator software tools. This information is intended only for the use of the individual(s) named above. If you fail to complete your domain name registration compevo.com  search engine optimization service by the expiration date, may result in the cancellation of this search engine optimization domain name notification proposal notice.

PLEASE CLICK ONSECURE ONLINE PAYMENT

TO COMPLETE YOUR PAYMENT.

Failure to complete your seo domain name registration compevo.com  search engine optimization service process may make it difficult for customers to find you on the web.

CLICK UNDERNEATH FOR IMMEDIATE PAYMENT

PROCESS PAYMENT FOR compevo.com SECURE ONLINE PAYMENT

ACT IMMEDIATELY

This domain seo registration for compevo.com  search engine service optimization notification proposal will expire 03/19/2016.

Instructions and Unsubscribe Instructions: You have received this message because you elected to receive special notification proposal. If you no longer wish to receive our notifications, please unsubscribe here or mail us a written request to US Main Office: Domain Registration Service SEO Company, Los Angeles, CA 90036 or Asia Main Office: Domain Registration Service SEO Company, Shenzhen Futian. If you have multiple accounts with us, you must opt out for each one individually in order to stop receiving notifications notices. We are a search engine optimization company. We do not directly register or renew domain names. We are selling traffic generator software tools. This message is CAN-SPAM compliant. THIS IS NOT A BILL. THIS IS A NOTIFICATION PROPOSAL. YOU ARE UNDER NO OBLIGATION TO PAY THE AMOUNT STATED UNLESS YOU ACCEPT THIS NOTIFICATION PROPOSAL. This message, which contains promotional material strictly along the guidelines of the CAN-SPAM act of 2003. We have clearly mentioned the source mail-id of this email, also clearly mentioned our subject lines and they are in no way misleading. Please do not reply to this email, as we are not able to respond to messages sent to this address.

What it looks like when you try to pay:

Note that the domain itself contains no valid contact information (no phone number or other contact details other than an e-mail form).

The company who is registered to the domain that asks you to make payment to is from China “JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD”

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

Domain Name: MEGSERVDOM.COM Registrar: JIANGSU BANGNING SCIENCE & TECHNOLOGY CO. LTD Sponsoring Registrar IANA ID: 1469 Whois Server: whois.55hl.com Referral URL: http://www.55hl.com Name Server: F1G1NS1.DNSPOD.NET Name Server: F1G1NS2.DNSPOD.NET Status: ok https://www.icann.org/epp#OK Updated Date: 05-mar-2016 Creation Date: 05-mar-2016 Expiration Date: 05-mar-2017

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/how-to-configure-postfix-private-e-mail-server-in-linux-to-reduce-spam-through-rbls/

How To Configure Postfix Private E-mail Server in Linux to Reduce SPAM through RBLs

One of the greatest headaches for any sysadmin is running private e-mail servers, the great thing is that your messages are much more secure than hosting on a free, public e-mail service, but it can be a full time job fending off the inevitable throngs of SPAM that will hit your mail servers and clutter up your inboxes.

The following sections in Postfix’s main.cf does wonders, and especially adding the two RBLs SORBS, and spamhaus reduced over 90% of SPAM instantly:

setup these sections in postfix’s main.cf like this

# sender restrictions smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_invalid_hostname, # I don’t below because if you send from sendmail with say email@host it will be blocked #warn_if_reject reject_non_fqdn_hostname, warn_if_reject reject_non_fqdn_sender, warn_if_reject reject_non_fqdn_recipient, warn_if_reject reject_unknown_sender_domain, warn_if_reject reject_unknown_recipient_domain, reject_unauth_destination,     reject_rbl_client zen.spamhaus.org,     reject_rbl_client dnsbl.sorbs.net, #reject_rbl_client dnsbl-1.uceprotect.net, permit

# recipient restriction smtpd_recipient_restrictions = reject_unauth_pipelining, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_non_fqdn_recipient, #reject #permit

The Results

Our honeypot tests showed a reduction of more than 90% of SPAM just from those two RBLs, if necessary we recommend the manual implementation of uceprotect because the few messages that slipped through were from IPs in the UCEprotect RBL list.

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/dedicated-server-vs-cloud-debate-advice-and-best-practices/

Dedicated Server vs Cloud Debate, Advice and Best Practices

This is a topic that could possibly span a whole book to cover correctly and is something many of our customers ask us about on a frequent basis.  To properly and honestly answer this question we ask the a series of questions in response so we can advise whether a Cloud VPS Server makes sense over a Dedicated Server.

What are your goals for this project?

How much bandwidth, IO and CPU does your application use?

Do you plan to host it on a single Cloud VPS or Dedicated Server?

What is your budget?

The above is the simplified version of how we approach the situation, we cannot simply give a blanket answer to a situation we do not fully know.  It would be a disservice to the client to be advised to go Dedicated or Cloud VPS without properly understanding their needs.

“Our Cloud VPS”

All clouds are not equal in value, performance or reliability.  In our Cloud we have a 1 to 1 redundancy on all nodes and we do not rely on shared storage.  Based on 9 years of production and 0 dataloss and downtime for our customers we believe this is the way.  We have acquired many customers from other providers who faced dataloss and massive downtime due to central storage failures or hacking.

We also admit that we’re the only provider we know who uses the 1 to 1 redundancy, where two physical servers make up the node with independent, live mirrored storage.  We also don’t have any IO bottlenecks because we do not use shared storage, all storage is local, while at the same time being live mirrored to the stand-by server in a way that it does not degrade production performance.

“Other Cloud VPS”

Most other providers use some sort of shared storage, or in other words have a central point of failure.  Besides being more prone to failure due to hardware faults and even hacking, centralized storage on the average tends to be much slower.  VPS by nature is already shared, traditionally by servers on the same node, and many will note even on local shared storage, performance can be degraded based on the other containers sharing the node.  Imagine the same thing, only with several nodes sharing the same storage.  Even if we assume the IO of the storage array is sufficient (which often is not the case), another common bottleneck often rears its head at the network level (with the network link between the node and storage becoming saturated).

Dedicated Server, Private, Dedicated Cloud/Clustered Hybrid

The great thing about a Dedicated Server is that you get all of the resources to yourself, for 100% exclusive use, it is why they are still popular today.  There is no risk that another user can crash your server or slow you down when you are not sharing any of the hardware whatsoever.

If you must go with a single dedicated, we always recommend RAID 1 or RAID 10, for performance and reliability.

However we recommend you get at least 2 identical servers and have us configure your own Dedicated, Private Cloud service.  This way you get the best of both worlds, the benefits of dedicated and the benefits our our redundant Cloud technology.

The Difference Between A Dedicated Server and Cloud Server

Some of the industry marketing is so misleading that we find ourselves explaining to customers that a Cloud Server is still on shared infrastructure, and Dedicated is a physical server allocated so you can use 100% of the resources without sharing anything.

When it comes to the cost between Cloud and Physical, there reaches a plateau with Cloud that it becomes more expensive as you increase your RAM and HDD space.  At that point it makes financial sense, aside from the great benefits of 100% resource allocation, to switch to a Dedicated Server.  However, we always advise to get at least 2 servers and create your own Private Cloud VPS on them.

Conclusion

We hope this explains some of the pros and cons, we recommend forgetting the Cloud if the storage is shared and if your budget allows, make your own Private, Dedicated Cloud.

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/buy-and-install-your-ssl-certificate/

Buy and Install Your SSL Certificate

1.) Buy your SSL Certificate from an online provider.

*This information still applies even if you have not bought from us. 2.) From the shell of your webserver:

Create Private Key: =============================== openssl genrsa -out ssl-private.key 4096 Generating RSA private key, 4096 bit long modulus …………………++ ………………………………..++ e is 65537 (0x10001)

Create the CSR (Certificate Signing Request): =============================== *Note that under “Commom Name” you must enter the exact host name the SSL certificate will be used for. eg. Only one host such as compevo.com or www.compevo.com can be secured  (note that it is either or unless you have purchased a SAN or wildcard certificate)

openssl req -new -key ssl-private.key -out ssl-request.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank. —– Country Name (2 letter code) [GB]:CA State or Province Name (full name) [Berkshire]:BC Locality Name (eg, city) [Newbury]:Vancouver Organization Name (eg, company) [My Company Ltd]:compevo communications Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server’s hostname) []:www.compevo.com Email Address []@compevo.com

Please enter the following ‘extra’ attributes to be sent with your certificate request A challenge password []: An optional company name []:compevo communications

Copy the contents of “ssl-request.csr” ================================================= Enter it into the Management area for your SSL certificate. Then click “Submit Certificate”

Choose an e-mail associated with the domain you are securing that you have access to. Then click “Submit Certificate”

Check your e-mail for the approval request (subject: SSL Certificate Request Confirmation)  and approve it as long it is as you expect (eg. remember when you did the CSR and we said to use the correct hostname, make sure it is what you expect otherwise cancel or don’t approve it and make a new CSR).

  Follow the approval link in the e-mail.

==================================

Order Approval Please review the information below and either approve or reject this certificate request. If you have any questions about this certificate request, you may contact one of the individuals listed below, or RapidSSL.com Support.

Order Information Order ID     639 Validity (months)     24 Server count     1 Web server Special instructions     none

Certificate Information Subject Alt Names     www.compevo.com compevo.com Common Name     www.compevo.com Organization: Org. Unit Org. Unit UID Country:

Contacts Role     Name     Phone     E-mail     Title Technical:     Domain Administrator     +1.6044849873     @compevo.com     compevo Domain Administration Administrative:     Domain Administrator     +1.6044849873    @compevo.com     compevo Domain Administration Domain Approver:               @compevo.com Please select one of the options below. If you approve this request, the certificate will be immediately generated, the credit card will be charged (if applicable), and the certificate will be emailed to the intended recipients. Please press the button below only once as this process may take a few seconds. ====================================

Receive Your Certificate by e-mail:

“www.compevo.com SSL Order: 29 Complete”

Install The Certificate (included in the e-mail body): ========================= We saved the contents as ssl-cert.crt Add the following to your vhost.conf

*Substitute hostname with the name of your domain. #begin enable SSL SSLEngine on SSLVerifyClient none #download and save the SSL cert with the filename below SSLCertificateFile $path/$hostname-ssl-cert.crt SSLCertificateKeyFile $path/$hostname-ssl-private.key #Chain Cert Intermediary file if needed/specified (download and save as filename below) SSLCACertificateFile $path/$hostname-ChainCert.pem

Conclusion & Summary

All the steps above can be achieved with this simple bash script:

#!/bin/bash

hostname=$1

if [ -z $hostname ]; then echo “Usage $0 hostname” exit 1 fi

path=`pwd` echo “Creating Private Key $hostname-ssl-private.key” openssl genrsa -out $hostname-ssl-private.key 4096

echo “Creating CSR $hostname-ssl-request.csr” openssl req -new -key $hostname-ssl-private.key -out $hostname-ssl-request.csr touch $path/$hostname-ssl-cert.crt

echo “========================================” echo “Add the following to your vhost: #begin enable SSL SSLEngine on SSLVerifyClient none #download and save the SSL cert with the filename below SSLCertificateFile $path/$hostname-ssl-cert.crt SSLCertificateKeyFile $path/$hostname-ssl-private.key #Chain Cert Intermediary file if needed/specified (download and save as filename below) SSLCACertificateFile $path/$hostname-ChainCert.pem #begin stop SSL ” For Cpanel:

Source: http://realtechtalk.com/cPanel_How_to_set_SSL_and_Dedicated_IP_in_cPanel-1596-articles

Account Functions -> Change Site’s IP Address Choose the domain and then click “Change” Choose the new IP

1.) Setup SSL Certificate in cPanel Click on “SSL/TLS Manager” under the “Security” section. 2.) Under ” Private Keys (KEY)” Click “Generate, view, upload, or delete your private keys.” Choose “Key Size: 4096 bits” Click “Generate” button. 3.) Under “Certificate Signing Requests (CSR)” Click “Generate, view, or delete SSL certificate signing requests.” Choose your Key (private key created in Step 2-it should be chosen for you by default). Fill out the rest of the form especially for “domains” and then click “Generate”

4.)Go to your SSL Provider and upload or paste the generated CSR code from Step#3

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/vpn-blocking-by-netflix-sets-a-dangerous-precedent/

VPN Blocking by Netflix Sets a Dangerous Precedent

It could very well be that the issue of Netflix blocking VPN Account providers may be the defining moment for net neutrality and concern about internet privacy and freedom.

Just as soon as Netflix announced the block and people reported their favorite VPN was unable to access Netflix, it was reported that solutions from most VPN providers came out, while some were never affected.  To be fair and to be sure, you can bet Netflix does not want this publicity nor do they want to upset their customers.  Most analysts believe it is a result of the content providers themselves putting pressure on Netflix.

This is reminiscent of the Napster situation back in the early 2000s but possibly more dangerous because legitimate, paying customers of IPTV services feel they are under attack or getting the short end of things.  Shutting down Napster and similar services only caused copyright infringement to grow and become more popular and accessible.  Then along came the distributed BitTorrent protocol and it has made the situation far worse for copyright holders.

But in this case we feel there is more at stake and whether Netflix likes it or not, it has become a symbol of anti-neutrality in its attempts and apparent advice to customers to “stop using your VPN service” even if the VPN is in their service zone (eg. Canadians using a VPN in Canada being denied access to the Canadian Netflix for using a VPN).

What may happen?

There are many other similar services such as Hulu that others can use and if the paid content providers really do end up permanently blocking all VPNs it will just encourage people to stop using such services.  While we do not agree with the ramifications of Netflix blocking VPN services, it has to be said that they are in a tough position.  Netflix surely must know that it risks alienating its customer base or pushing itself out of the market.  It is a dangerous business move because people may stop using Netflix and similar services, the same market would then consider their local telco provider, or go back to purchasing physical media and/or downloading from elsewhere.

What is the future?

Ultimately we think there will be concessions from the content providers and services like Netflix, however if this does not happen then there are a few possible outcomes.  First of all Netflix will likely not last long and will lose a large chunk of its customer base, and secondly there may be other providers that popup from overseas that would offer similar services.  There are many websites that people use, reportedly hosted overseas that offer similar content and blocking VPN access would likely just make people find one of many methods, possibly free or cheaper to get the same content.

We believe somewhere in the future that the restrictions will be eased, just like Napster forced the music industry to start offering online downloads of music.  If there is no way to access this content on a service like Netflix, then people will always find an alternative and it is likely to be one that does not benefit Netflix or related services.

New Post has been published on compevo communications

New Post has been published on https://compevo.com/blog/ipv6-slow-adoption-due-to-complexity-and-lack-of-training-compared-to-ipv4-addresses/

IPV6 Slow Adoption Due to Complexity and Lack of Training compared to IPV4 Addresses

IPV6 is slowly gaining steam with more ISPs offering it but it is still very much voodoo for many in the industry from what we hear.  From our side we are slowly hearing more VPS and Dedicated Server customers request IPV6 which we have no problem providing since we have shortage of IPV6.

We would be the first to admit that things like subnetting such a massive amount of IPs is daunting and a bit of a pain but the slow implementation mainly comes from the end user side and ISPs.  For example think of this as a comparison:

/32 IPV4 =  1 single IP

/32 IPV6 = 79,228,162,514,264,337,593,543,950,336

*Does anyone even know how to read a number as big as the above?

So IPV6 presents technical issues for both end users, developers, and IT staff to be quite frank for many reasons, one of them is partially how do you deal with such a large amount of IPs and how do you track them?  It is a daunting task compared to IPV4, not that there aren’t solutions, there are common practices of subnetting etc… into multiple /48s and then /64s but this all takes time, retraining and ensuring both sides are ready for IPV6 when much of the internet is still not using IPV6.  Don’t get us wrong, IPV6 is the future and transition must take place but the above are some of the key hurdles in implementation.

The one saving grace that has helped many of our customers is that having a non-intelligent switch that has no layer-3 features means IPV6 works without the need for software updates or hardware replacements, however some companies (especially smaller to mid-size companies) are using legacy equipment where they may not have time, skill or expertise to replace or upgrade their equipment (or want the hassle of testing, installing and potential downtime on their corporate networks).

Then there is the software side, for years many have disabled IPV6 on their computers or other devices because it has caused problems and many developers and distro managers recommended it.  Those days are largely over but to top it off the configuration of IPV6 IPs is different in many OS’s, this means once again updating scripts and other tools.

Is any of this the end of the world?  Definitely not, it is all doable but we think it needs to be said in a practical manner that there can be a lot of challenges in terms of time, resources, training and upgrades or at the very least thorough testing.

With that said IPV4 in our opinion will always be used, will always be important but with the IPV4 shortage, as new hardware, and applications are deployed they will be done so with IPV6 in mind so things will gradually transition in our opinion but it is far less slower adoption than many predicted.