Hello all,
Some of you know that once in a while, I perform some major maintenance that requires the website to be down for a little while. Well, tonight it is that time again.
Downtime Start: Appx. 8 PM PST
Downtime End: Appx 11 PM PST (hopefully much sooner)
Results:
- BeardedDragon.org will be running on a more stable server environment
- A fix to the database has been applied to stop the Unicode errors!!!
- You should otherwise not notice a difference other than it continues to work!
Issues:
- Please reply here or email me at beardie at bearded dragon dot org if you experience any issues on the site. I'm trying to catch everything, but over the years, little details don't get tracked as well as I would have liked and may get missed.
For those wanting to know the details...
I've been working on building out a new server for the site. While our old one still works just fine and is powerful enough for the load we have, it is aging a little. Being a physical server with only a single hard drive, there is the risk that the hard drive may fail. In addition, we're pretty overdue on updating the operating system and major server software components (mail server, etc.). I've applied all the minor updates, but not the major upgrades to the software or OS. And for the operating system, it's very difficult (if not impossible) to actually perform a major version upgrade on a remote server.
Sooo... the solution... we're going CLOUD! For many, this is a buzz-word that has been done to death. I've actually never liked the term. But ... well... it's the truth. I've opted to migrate to a virtual server in the Amazon EC2 cloud.
This gives me a few key benefits (among others):
- Ability to upgrade or downgrade (cost savings) the basic resources as needed (CPU, memory, storage)
- Self-service changes (nice to be able to easily set things up without a huge order processing process)
- Better resource monitoring
At this point, I've already prepared the server and migrated the email server, and all of my other websites (personal sites mainly). BeardedDragon.org is the last because it is the biggest and the most complicated setup.
For those wanting the REAL details...
I'm running the new server with:
- CentOS 7 (latest updates)
- Apache 2.4
- MariaDB (replacing MySQL)
In addition, I'm part of the beta group for the Let's Encrypt effort. Some of you know that I switched the website over to use SSL encryption a little while back (two years, I think now?). SSL certificates can cost money (not a lot, but some) and have typically involved an overly complicated process. Let's Encrypt is a significant effort heavily supported by the EFF (Electronic Frontier Foundation, whom I support) as an initiative to get ALL websites using encryption. Doing so helps reduce compromised passwords and other disclosures that people don't realize happen all the time when using a non-SSL website. Let's Encrypt provides SSL certificates free of charge! And they make it such that the certificates can be obtained immediately, and renewed in an automatic fashion while maintaining a secure practice.
So, with Let's Encrypt, I'm able to use proper TLS certs for BeardedDragon.org and every one of my websites (before only had it for BD.org). I also can now have properly encrypted connections for all email sent/received.
Along those lines, and with the much newer Apache version, I'm supporting HSTS. This tells your web browser that if you just type "beardeddragon.org" into your web browser, without specifying "https://", your browser should assume https by default for it. That way, it never tries to use "http" (unless you explicitly tell it to). There is a minor security risk in http while redirecting to https, and HSTS helps remove that risk and is generally a safer practice if your site is all encrypted.
I'm also taking measures to ensure the forum data is safe from a catastrophic failure. Data is backed up nightly to another cloud service, using CrashPlan (by Code42).
Along the security line of thinking, I'm installing Snort. This is an intrusion detection system. It will monitor all network activity on the server and look for various patterns of potential compromise or communications with known bad systems. I can then take action to block access or otherwise resolve the concern.
Similarly, I'm installing ModSecurity, which is like Snort, but more focused on web server traffic and identifying attacks against the website itself. I've used ModSecurity on the current site for some time, and it does help block attempts to compromise the server.
There are numerous other pieces of tech that go into the behind-the-scenes... I'll just list some names for those who care... firewalld (with rules to block all outbound traffic except as specifically allowed), Splunk (for log monitoring and centralization), Greylisting (reduces the spam I get so I see your support emails).
As you may guess (if you didn't already know), I'm a security guy. Really... it's my day job. So, when implementing the server for BeardedDragon.org I want to try and be as secure as I can with it.
The BD.org forum software still will need to be updated, but I will handle that later.
Cheers,
-Alex
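The HSTS behaviour Alex describes above (the browser remembering to use https after seeing the header once) lives entirely on the client side. The following is an added example, not code from the post or from BeardedDragon.org, that models how a browser keeps an HSTS cache per RFC 6797: it parses the Strict-Transport-Security header, ignores the header when the response did not arrive over TLS, honours max-age expiry and includeSubDomains, and rewrites http:// URLs for known hosts to https://. All sample responses and hostnames other than beardeddragon.org are constructed for the example.

```python
"""Minimal HSTS policy cache modelled on RFC 6797 (added example, not the site's code)."""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample responses; not captured from any real server.
# Each entry: (scheme the response arrived over, host, Strict-Transport-Security value)
SAMPLE_RESPONSES = [
    ("https", "beardeddragon.org", "max-age=31536000; includeSubDomains"),
    ("http",  "example.net",       "max-age=31536000"),  # arrived over plain http: must be ignored
    ("https", "example.org",       "max-age=0"),         # max-age=0 clears any stored policy
]


def parse_sts(header):
    """Return (max_age, include_subdomains) or None if the header is malformed.

    Directives are ';'-separated and case-insensitive; max-age is mandatory.
    """
    max_age = None
    include_sub = False
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.policies = {}          # host -> (expires_at, include_subdomains)

    def observe(self, scheme, host, header):
        """Record a policy from a response. A browser ignores the header unless the
        response came over TLS; otherwise an on-path attacker could plant or clear it."""
        if scheme != "https":
            return False
        parsed = parse_sts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)
        else:
            self.policies[host] = (self.clock() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent domain that set includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        now = self.clock()
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= now:
                continue  # expired policy: treat as absent
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when its host is a known HSTS host.
        An explicit port other than 80 is preserved; port 80 is dropped."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host):
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Feed the constructed responses into a cache and show which URLs get upgraded."""
    cache = HstsCache()
    for scheme, host, header in SAMPLE_RESPONSES:
        cache.observe(scheme, host, header)
    return {
        "bd_root": cache.rewrite("http://beardeddragon.org/forum/"),
        "bd_sub": cache.rewrite("http://www.BeardedDragon.org/"),
        "ignored_http": cache.rewrite("http://example.net/login"),
        "cleared": cache.rewrite("http://example.org/"),
    }


if __name__ == "__main__":
    for name, url in demo().items():
        print(f"{name}: {url}")
```

The important edge case is in observe(): the header is only trusted over https, which is exactly why the first plain-http visit (before any policy is cached) remains the window Alex calls a "minor security risk"; preloading, which the post does not mention, is the usual way to close it.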