September 2007 Newsletter

Hi,

Some of you may have noticed you haven’t heard from me in a while, and quite a few of you are unlikely to have seen these newsletters before; you can review the back issues here. Newsletters at one time were very regular, but it became clear that many users preferred to hear from us only when important changes were coming. Personally I’d like to see a combination of the two, so expect to see this new newsletter “semi-regularly”!

BetterWebSpace
BetterWebSpace has continued to grow, with this week marking BetterWebSpace’s 5th Birthday! We’ve slowly built a strong subscriber base of very loyal customers; this continued growth has slowed some of the changes to the business that I anticipated making by now (don’t get me wrong, I’m not complaining at all!). The promised new support system has been put on the back burner until it’s compatible with some of our other systems.

Reminders & Notices

Firstly, I’d like to remind users that the changes we put in place for PHP Nobody Email and PHPSuExec are both still in place and will continue to be so; we will be auditing the server for those sending from nobody again soon and contacting those that need to upgrade their settings/code.

Secondly, over the next couple of weeks and months an awful lot is going on, so please read this newsletter (and notices in the near future) cover to cover!

SPAM

Outbound Spam

It has come to our attention that a lot of users are either running insecure/vulnerable scripts or have incorrect permissions on their directory structure, allowing non-customers to upload files to their webspace; such uploaded files are capable of generating several thousand spam messages an hour.

This is a friendly reminder that spam will not be tolerated on the BetterWebSpace network (that includes customers of our resellers as well!), and that we reserve the right to suspend or withdraw services from customers whose accounts have been allowed to send out spam, and that we may charge a fine to cover the cost of the cleanup operation after such an attack has occurred.

Things to check:

  1. Your password is secure and not easily guessed.
  2. Your installed scripts are current and are not open to any security vulnerabilities (regularly check your script vendors website to be sure).
  3. Your directory structure has the correct permissions to prevent such files being uploaded or run.

Inbound SPAM

We do everything we can to minimise the spam you actually receive, but we can’t do it without your help!

If you don’t use the email addresses on your domain, set your default address to :fail: No such user here to prevent mail building up on the queue and allow us to identify dictionary attack users.


Server Upgrades & Maintenance

Major Email Upgrade

cPanel are trying to improve some of the file locking and CPU issues we’ve seen in recent releases of cPanel, one part of this will involve changing the format in which your email is stored on our servers. This in itself is a big job and should be a one-off upgrade, but should allow us to get better email performance on our servers. The old format will no longer work when cPanel 12 is released.

What do you need to Know?

  1. The Neomail webmail client will no longer work; it is incompatible and the writers of Neomail are not converting it to the new format. Your Neomail address book will also no longer work (it may be found in your home directory under /home/<username>/.neomail/user/addressbook). A conversion script may convert this, but you should make a note of all of your addresses.
  2. Root mailboxes: users who are used to logging into their webmail with their cPanel username and being able to view email for all of their email accounts will find this may no longer work. It was a security bug before and has been closed up. However, the Horde webmail client is adding it into later releases of their software, so this “feature” should be back soon.

When Will This Happen?

This needs to happen as soon as possible; as such we are giving less than one week’s notice that upgrades will begin in the week commencing Monday 1st October, from 20:00 BST daily. MAKE YOUR BACKUPS BEFORE THIS TIME.

Please note users on harry.securesitex3.com (69.56.232.42) are already upgraded and using this system.

MySQL 4.1

Several of you have asked recently about MySQL being upgraded from 4.0 to 4.1 on the cPanel servers. For a long while this was considered unstable, largely because customers’ installed scripts (coded by customers themselves, installed from Fantastico or purchased/downloaded from another source) were incompatible with the new security systems in MySQL 4.1. We now consider there has been enough time for the vast majority of scripts to have been upgraded to support the new systems, and will be announcing maintenance windows for this upgrade shortly.

It is your responsibility to make sure you are running the most current (and hopefully more secure) version of any scripts you install in your account (where fixes/upgrades are available you should apply these ASAP). This includes making sure that any PHP scripts you have coded yourself are secure. Remember, if your account is compromised in any way, you are accountable.

If you are unsure about doing your upgrades, contact us. Often we are happy to quote you for a custom job for these.

PHP5

This is another common question! PHP5 is coming, so watch this space!

Until next time!

Keiron
BetterWebSpace
Where hosting just got better…

November 2006 Newsletter

Hi,

This is a newsletter that you really need to read cover to cover! There are some big changes coming on the servers in the coming month – that may affect your site! Failure to make the necessary changes may make your site unavailable to users.

Support
You may have noticed we are no longer supporting the Joint Support Forum; this is a decision we made recently (and new users haven’t been added in a long while). For the moment the tutorials page and email are the first points of contact; the new support desk will be launched in the new year once some minor issues with it are fixed by the developers.

cPanel Manuals!
I’ve lost track of the number of people over the years who’ve asked where they can find more information on cPanel, our tutorials and Google are often the first place people look. However I was recently alerted to a new book on Amazon entitled CPanel User Guide and Tutorial, it may be worth a look for those of you wanting something you can scribble notes in as well! (scribbling on the screen for online tutorials makes such a mess!)

Server Upgrade & Maintenance

Several of our servers are long overdue for a full security audit and kernel upgrade, we plan to schedule these for the coming week.

As such I’d like to schedule a maintenance window nightly during this week (16th – 20th October 0200-0400 GMT / 0300-0500 BST), short outages will be possible. Each server will be rebooted during this time and is only expected to be offline for 20 to 30 minutes, and not the entire duration.

Email from Nobody?

Every day we see hundreds of emails being returned which have been sent out from the user “nobody”. The user “nobody” sends out emails from PHP software when it hasn’t been configured correctly to give a correct return address. We’d like to stop this for two reasons:

  • It clogs up the mail server as the mailbox “nobody” often gets filled up very quickly and mail sits on the queue.
  • You don’t get your return emails to tell you whether an email address is invalid, often this results in the user being allowed to continue using your forum, or you emailing them in a mailing list when they aren’t a valid email address.

There are a few major culprits as far as software goes at the moment and these are:

  • phpBB – Consider applying the following modification or asking us for a quote to get it done for you. phpBB Modification.
  • Niche Portal Builder – We see many from this, We’re not sure if this one is incorrect configuration or a problem with the script. Please check with the vendor if you are using this software.
  • Custom Scripts – If you are using the php mail() function please ensure you are setting a valid from address in the headers.

This is something we’ll be checking up on in the coming months. Please make sure your website is in order today!

Your Responsibility!

It is your responsibility to ensure that all the software on your website is kept updated to the necessary version(s). Where security fixes/upgrades are available you should apply these ASAP. It is often worth visiting the writers of your software and signing up to their mailing lists. Remember, if your account is compromised in any way, you are accountable.

If you are unsure about doing your upgrades, contact us. Often we are happy to perform them for you as a custom job.

Member Spotlight

I’d like to get back to spotlights on our members in newsletters as well as necessary information, so if you’d like to tell us a bit about your website and services, and what you do – get in touch!

Until next time!

Keiron
BetterWebSpace
Where hosting just got better…

PHPSUEXEC – Urgent Update

Dear Customers,

We’d like to announce that we have installed PHPSUEXEC on a few of our existing servers.

This change was made URGENTLY yesterday on one server, due to the exploits of several users dragging the server down. A few changes are needed to ensure your website runs smoothly; until they are made you MAY experience errors viewing your site. We apologise for the inconvenience this may be causing, but it became a close call last night between doing this and switching the server off completely!

A few changes might be needed on your website’s configuration files (.htaccess) (do not panic!).

All the php_flags in your .htaccess will have to be moved to php.ini, which you will have to create in your public_html directory.

Example:
.htaccess → php_flag register_globals on
php.ini → register_globals=on

The file php.ini will handle all the extra settings you need to set in php.
So, basically you will have to move every command on .htaccess that starts with php_flag.
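The move from .htaccess to php.ini described above is mechanical, so it can be scripted. The following POSIX shell script is an added example and is not BetterWebSpace’s own code: it reads a constructed sample .htaccess, prints the php.ini lines that correspond to each php_flag directive, and prints what remains of the .htaccess once those lines are removed (leaving a php_flag behind is what produces the Internal Server Error under phpsuexec). As an extension beyond the notice, it also converts php_value lines, which are the same mod_php mechanism for non-boolean settings. It assumes only sh, awk and mktemp.

```shell
#!/bin/sh
# Added example, not the hosting provider's code. Converts php_flag/php_value
# lines from an .htaccess file into php.ini syntax. The sample .htaccess is
# constructed below and is not from any real customer account.

# htaccess_to_ini FILE -> prints one "name=value" line per php_flag/php_value
htaccess_to_ini() {
    awk '
        # skip comment and blank lines
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "php_flag" || tolower($1) == "php_value" {
            # $2 is the setting name; everything after it is the value
            value = $3
            for (i = 4; i <= NF; i++) value = value " " $i
            # Apache accepts quoted values; php.ini does not need the quotes
            gsub(/^"|"$/, "", value)
            printf "%s=%s\n", $2, value
        }
    ' "$1"
}

# htaccess_leftover FILE -> prints the .htaccess with the php_* lines removed,
# i.e. the directives that may stay (mod_rewrite rules, handlers, ...)
htaccess_leftover() {
    awk 'tolower($1) != "php_flag" && tolower($1) != "php_value"' "$1"
}

# Demo on a constructed sample (hypothetical settings, not a real site).
demo=$(mktemp -d)
cat > "$demo/.htaccess" <<'EOF'
# constructed sample .htaccess
php_flag register_globals on
php_flag display_errors off
php_value upload_max_filesize "8M"
RewriteEngine On
RewriteRule ^blog/(.*)$ index.php?p=$1 [L]
EOF
echo "== lines for public_html/php.ini"
htaccess_to_ini "$demo/.htaccess"
echo "== what stays in .htaccess"
htaccess_leftover "$demo/.htaccess"
rm -rf "$demo"
```

Moving a flag does not change what it does: register_globals=on is carried over exactly as the notice’s example shows, so the migration is a good moment to review whether each setting is still wanted before it lands in php.ini.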

Differences between phpsuexec and “regular php”:
When using the common PHP installation on a webserver, php runs as the user nobody and it doesn’t require the execute flag to be enabled.

The problem with this is that if mod_openbasedir is not installed (we have this at BetterWebSpace), every user will be able to read your php files because everyone is virtually sharing the same username (nobody).

As most of you already know, PHP Files are not meant to be read, but parsed, and that is where the problem resides. PHP Files have to be parsed, otherwise everyone who is able to read your php file will see settings that you would probably want to keep private, such as your MySQL username and password.

PHPSUEXEC fixes all this because it requires php to be run as the file owner’s username. (for example: andre)

This is not everything it fixes though. PHPSUEXEC is also here to fix file ownership problems. This has been a common issue on a few Content Management Systems such as Joomla and also on the popular blog software: WordPress.

It also adds security to your files as you can use permissions such as 600 or 700 in your files and your visitors will still be able to view them (parsed) in their browsers.

PHPSUEXEC will also refuse to serve any pages that are at security risk, for example with 777 as permissions. (will generate an Internal Server Error)

Troubleshooting Internal Server Errors (Error 500):
Every time an internal server error occurs, it will be added to your Error Log in cPanel (cPanel → Error Log). This will usually give you a clue as to where the error resides. In most cases it will be either a permission error or a bad command in your .htaccess file (remember that all php values have to go in your php.ini file).

Directories that need to be written to will no longer require 777 permissions, and phpsuexec will refuse to write to or read from directories exposed with such permissions. You will have to chmod them to 755 always.

To simplify it, just remember that you should never have a file or folder with world-writeable permissions, because you no longer need to.

MIMETypes:
If you added a Mimetype to the system in order to run html files as php scripts (AddType as .htaccess command), you will have to remove it and add an ApacheHandler instead. This is easy to do though. Just log into your control panel, then click on Apache Handlers and add the following:

Extension: html (or htm)
Handler: application/x-httpd-php

QuickStart for impatient users:

Technically, PHPSUEXEC will make sure your scripts and directories abide by the following security rules:

  • User executing the wrapper must be a valid user on the server.
  • The command that the request wishes to execute must not contain a /.
  • The command being executed must reside under the user’s web document root (public_html).
  • The current working directory must be a directory.
  • The current working directory must not be writeable by group or other.
  • The command being executed cannot be a symbolic link.
  • The command being executed cannot be writeable by group or other.
  • The command being executed cannot be a setuid or setgid program.
  • The target UID and GID must be a valid user and group on the system.
  • The target UID and GID to execute as, must match the UID and GID of the directory.
  • The target execution UID and GID must not be the privileged ID 0.
  • Group access list is set to NOGROUP and the command is executed.
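Most of the rules above are properties of the file system and can be audited before a script is ever requested, which is also how to act on item 3 of “Things to check” in the September 2007 issue (directory permissions that let uploaded files run). The following POSIX shell script is an added example, not BetterWebSpace’s code and not Apache suexec itself: it checks one script against the rules that can be read from the file system (symlink, group/other write bits on the file and its directory, setuid/setgid, location under the document root, owner matching the directory owner, owner not UID 0). The rules about the request command name containing no “/” and the NOGROUP access list are enforced inside the wrapper at request time and are not reproduced. It assumes ls -ldn, cut, awk and mktemp; the public_html layout in the demo is constructed.

```shell
#!/bin/sh
# Added example, not the provider's or suexec's code: a read-only audit of one
# PHP script against the file-system rules a suexec wrapper applies.

# mode_str PATH -> the 10-character ls mode string, e.g. -rw-r--r--
mode_str() {
    ls -ld "$1" | cut -c1-10
}

# owner_uid PATH -> numeric owner uid (ls -n prints uids instead of names)
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# phys_dir DIR -> physical, symlink-resolved absolute path of DIR
phys_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# suexec_check SCRIPT DOCROOT -> prints one line per violated rule, nothing if
# the script passes. Always returns 0 so it is safe to call under set -e.
suexec_check() {
    script=$1
    docroot=$2
    dir=$(dirname "$script")

    [ -e "$script" ] || [ -L "$script" ] || { echo "missing: $script"; return 0; }
    [ -d "$docroot" ] || echo "docroot missing: $docroot"
    # Rule: the command being executed cannot be a symbolic link.
    [ -L "$script" ] && echo "symlink: $script"
    # Rule: the current working directory must be a directory.
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 0; }

    fmode=$(mode_str "$script")
    dmode=$(mode_str "$dir")

    # Rule: command not writeable by group or other (ls columns 6 and 9).
    case $fmode in ?????w*) echo "group-writable file: $script" ;; esac
    case $fmode in ????????w*) echo "world-writable file: $script" ;; esac
    # Rule: current working directory not writeable by group or other.
    case $dmode in ?????w*) echo "group-writable dir: $dir" ;; esac
    case $dmode in ????????w*) echo "world-writable dir: $dir" ;; esac
    # Rule: command cannot be setuid or setgid (ls columns 4 and 7).
    case $fmode in ???[sS]*) echo "setuid file: $script" ;; esac
    case $fmode in ??????[sS]*) echo "setgid file: $script" ;; esac

    # Rule: command must reside under the user's web document root.
    case "$(phys_dir "$dir")/" in
        "$(phys_dir "$docroot")"/*) ;;
        *) echo "outside docroot: $script" ;;
    esac

    # Rule: target UID must match the directory's owner and must not be 0.
    fuid=$(owner_uid "$script")
    duid=$(owner_uid "$dir")
    [ "$fuid" = "$duid" ] || echo "owner mismatch: file uid $fuid, dir uid $duid"
    [ "$fuid" = 0 ] && echo "privileged owner: UID 0"
    return 0
}

# Demo on a constructed account layout: one correct script and one sitting in
# a 777 upload directory, the situation the notices above warn about.
demo=$(mktemp -d)
mkdir "$demo/public_html" "$demo/public_html/uploads"
chmod 755 "$demo/public_html"
chmod 777 "$demo/public_html/uploads"
printf '<?php echo 1; ?>\n' > "$demo/public_html/index.php"
printf '<?php echo 2; ?>\n' > "$demo/public_html/uploads/x.php"
chmod 644 "$demo/public_html/index.php"
chmod 666 "$demo/public_html/uploads/x.php"
for f in "$demo/public_html/index.php" "$demo/public_html/uploads/x.php"; do
    echo "== $f"
    out=$(suexec_check "$f" "$demo/public_html")
    if [ -z "$out" ]; then echo "OK"; else echo "$out"; fi
done
rm -rf "$demo"
```

Run it over every .php file under public_html (for example with find and a loop) to get the same verdicts the wrapper would give as 500 errors, but before visitors see them; the fix for each reported line is the chmod 755 / 644 advice given above.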

Protecting your php.ini file:

To protect your php.ini you should set its permissions to 600. Additionally you can add the following line to your .htaccess file:

Code:
<Files *.ini>
Order deny,allow
Deny from All
</Files>

WordPress Bloggers:
If you encounter any problems with your .htaccess file (mod_rewrite instructions), you can fix this by downloading the following:
http://boren.nu/archives/2005/03/07/…ewrite-plugin/

We have updated WordPress in Fantastico so it is configured for phpsuexec from the start. So if you are desperate you can always reinstall WordPress from Fantastico. (Just remember to download a database backup first!). After it’s installed, just change your MySQL configuration settings in WordPress.

Drupal and other Content Management Systems:
You might experience a few errors, such as “Call to undefined function: user_access()”. Add the following code to php.ini to fix it:

Code:
session.save_handler = files
session.cache_limiter = nocache

That’s it. I know it may look complicated, but it should be technically easy.

Thanks!

BetterWebSpace
Where hosting just got better…