On the http://rimuhosting.com/cp/vps/kernel.jsp page you can now select the 4.0 kernel for your VM. Includes: OverlayFS, carries on with support required for Docker and SELinux, lots of new nf/eb table options, openvswitch, nfs4 support and too many other new kernel tweaks to mention. Plus newer, fresher kernel code with lots of fixes to bugs (which likely are not affecting you).
We have only produced a 64 bit kernel this time around. That should be fine even for 32 bit distros.
If you like being on the latest and greatest then this experimental kernel is for you. If it doesn't work out, restart your VM with our very stable and tested 3.12 kernel. (Also: let us know if you needed a kernel option we do not have enabled. Also: we have a pv-grub option should you need to have full control over every module in the kernel.)
If your server is running well and you are happy with things, feel free to leave your kernel as-is.
Our new networking cage (prior to being filled with Cisco gear)
Dallas is our busiest location. We have many, many cabinets there filled with wonderfully shiny servers (all black, as befits our Kiwi origins). That setup has grown somewhat organically since 2005. Our core networking wiring was starting to be a little scary. And network capacity (ports and bandwidth) was starting to be an issue.
So for our 10th year in Dallas we opted to rebuild our network from scratch. Get new, faster networking gear; tidily re-cable everything with fiber; simplify things as much as possible; and increase our uplink capacity.
Back in February we added a new core/distribution layer using Cisco Nexus 7 equipment. This gear lets us use lots (and lots) of 10G and 40G connections. And it does a pretty decent job at moving network packets around, too. The switchover from the old core to the new core went smoothly (thank you to those networking guys involved there!)
The new core gear has allowed us to increase our data center uplink capacity. (And we have plans to triple the capacity in the next few weeks).
We will also be switching from gigabit links between cabinets and our core networking to 10 gigabit fibre links. We have already done this for most of our cabinets, and the remainder should be done in the next few weeks (as the switches and cabling we ordered arrive). A number of cabinets have also had their switches upgraded (from non-fiber friendly models to newer models).
Since even 10G is not fast enough for everyone, in some cabinets we are installing 40G switches. With 10G access ports to each server. This gives us a few options for network attached storage and for some of our enterprise customers with particular private networking requirements.
The new Dallas networking setup should future proof us for a few more years.
Like all good network setups we hope you never have to pay it another thought!
We have implemented some brute force SSH attack protection on VMs.
Your servers should start to receive fewer connections from bots trying to bruteforce crack passwords on your server user accounts.
Behind the scenes we have set up honey trap servers. Botnets with no good reason to connect to these servers attempt to connect to them and brute force passwords there. We monitor these failed attempts, and then block those IPs on our VM host firewalls. You do not need to configure anything on your VM.
The upshot should be fewer SSH brute force attacks on servers, improving your server security and lowering load on hosts.
On a not unrelated note: please use good strong passwords. Particularly on important accounts. $commonword with a number on the end is no longer sufficient.
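The honey trap approach described above, sketched as an added example (this is not RimuHosting's own code): it turns a honeypot's sshd log into a list of addresses to block. The threshold, the allowlisted range and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in OpenSSH syslog format (documentation addresses only).
SAMPLE_LOG = """\
Mar  3 02:11:07 trap1 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 02:11:15 trap1 sshd[815]: Failed password for invalid user x from 198.51.100.23 port 1 ssh2 from 203.0.113.7 port 40188 ssh2
Mar  3 02:12:41 trap1 sshd[820]: Failed password for invalid user test from 198.51.100.23 port 5022 ssh2
Mar  3 02:13:02 trap1 sshd[831]: Failed password for invalid user oracle from 2001:db8::bad port 6001 ssh2
Mar  3 02:13:03 trap1 sshd[831]: Failed password for invalid user oracle from 2001:db8::bad port 6001 ssh2
Mar  3 02:14:00 trap1 sshd[840]: Failed password for root from 192.0.2.10 port 2200 ssh2
Mar  3 02:14:01 trap1 sshd[840]: Failed password for root from 192.0.2.10 port 2200 ssh2
Mar  3 02:15:00 trap1 sshd[850]: Accepted publickey for ops from 192.0.2.10 port 2201 ssh2
"""

# Anchor on the END of the line: the user name is text supplied by the remote
# side and may itself contain "from <ip> port <n> ssh2", so only the last
# occurrence (written by sshd) is trusted as the real source address.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2\s*$")


def build_blocklist(log_text, threshold=2, allow=("192.0.2.0/24",)):
    """Return sorted source addresses with >= threshold failed logins."""
    allow_nets = [ipaddress.ip_network(net) for net in allow]
    hits = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue  # accepted logins and unrelated lines are ignored
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # not an IP literal: never hand it to the firewall
        if any(addr.version == net.version and addr in net for net in allow_nets):
            continue  # own monitoring/admin ranges are never blocked
        hits[str(addr)] += 1
    return sorted(ip for ip, count in hits.items() if count >= threshold)


if __name__ == "__main__":
    print(build_blocklist(SAMPLE_LOG))
```

The second sample line carries a user name that embeds another address; the end-anchored pattern counts it against the real source, so 198.51.100.23 stays below the threshold.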
Apache is probably the most common web service our customers use. It is an amazingly powerful and mature tool for serving all your website needs. And it is very easy to get up and running with.
Our team is often asked to tune Apache to run more smoothly, more quickly, and more reliably. With a few simple server side tweaks you can easily polish your server till it is ready for 'production' use of your website.
As part of our mission to wipe the 'ghost' vulnerability (CVE-2015-0235) from our customers' servers we have created 'deghost'.
Deghost is a cross-distro script to determine the vulnerability of a libc library on a server and then patch that where possible.
In most cases this is as simple as apt-get install libc6 or yum upgrade glibc. But like most things there are a lot of corner cases. This script tackles things like switching from squeeze to squeeze-lts repositories, and changing to old-releases repositories for unsupported Ubuntu distros. It also offers a (non-default) option to --break-eggs and do a dist-upgrade to the latest Debian/Ubuntu release.
We are excited to announce that we now offer servers in Frankfurt, Germany. This will be great for users wanting a server central to the EU, and complements the plans we already offer in London.
You can see more information about the data center at http://rimuhosting.com/datacenters.jsp
We are using new generation Haswell-EP based servers there, with ECC registered DDR4 memory and large, fast Intel enterprise SSDs.
If you are interested in setting up a server, check out our plans.
If you are interested in dedicated server options there, also pop in a query so we can talk through the options.
Intel have just released their next generation dual proc Haswell-EP-based servers. We ordered a batch from our trusty systems integrator. And this morning the servers arrived at our Dallas data center loading dock! Those same servers are now available on our dedicated server ordering page.
Pricing is from USD 409/m with a base config of 32GB of memory and 2x1TB hard drives.
The Haswell-EP follows on from the older Nehalem-EP, Westmere-EP, and Sandy Bridge-EP systems.
We are currently offering two of the Haswell-EP CPUs. The 6 core E5-2620v3 (2.4GHz) and the 8 core E5-2630v3 (2.4GHz).
Benchmarks show the Haswell-EP systems outperforming similar clock speed previous gen CPUs by about 20% overall.
The new CPUs come with a new socket so there is a new main board with lots of important performance improvements:
- RimuHosting are currently using the SuperMicro X10DRI mainboard.
- This mainboard is based on Intel's C612 chipset.
- All SATA ports are SSD-loving SATA III 6Gbps. Previously only 2 ports were SATA III and the remainder were SATA II.
- Memory slots are DDR4. DDR4 runs at a faster speed than DDR3 (we are currently using DDR4-2133). Throughput can be increased by up to 50%. On these servers the memory is ECC registered. DDR4 power consumption is a bit lower leading to cool, reliable systems.
As usual we have options with redundant power supplies on A+B power. We also offer Intel SSD storage; hardware RAID; memory up to 256GB; and private networking.
If you wanted a Haswell-EP server in a location other than Dallas, just email us and we can quote for that in one of our other data centers.
Recent browser versions (e.g. Firefox 33) refuse to work with older Webmin installs.
They give a sec_error_invalid_key error, offer a 'Try again' button, but do not offer an option to add an exception.
Firefox 33 no longer supports certificates with private keys smaller than 1024 bits.
You can replace your webmin certificate with a new one by running this command:
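file=/etc/webmin/miniserv.pem   # Webmin's usual key file; confirm with keyfile= in /etc/webmin/miniserv.conf
openssl req -x509 -newkey rsa:2048 -keyout "$file" -out "$file" \
-days 3650 -nodes -subj \
"/CN=server.example.com"   # placeholder subject: replace with your server's hostname
# append a certificate request made from the same key and certificate
openssl x509 -x509toreq -in "$file" -signkey "$file" >> "$file"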
This command will create a 'pem' file with both the private key and self-signed certificate in the same file. -nodes will let you create the file without a passphrase. The -subj option saves you having to manually enter certificate details.
Or you can do it by setting ssl=0 in /etc/webmin/miniserv.conf; restarting webmin with "/etc/init.d/webmin restart" then using the web interface to make the certificate change at
Webmin -> Webmin Configuration -> SSL Encryption -> Self Signed Certificate
A quick new feature: You can now view CPU graphs for your VMs in the RimuHosting control panel.
If you are using SSL in your web server, you probably want to read this.
Google recently published details about an attack that targets SSLv3.
The exploit first allows attackers to initiate a “downgrade dance” that tells the client that the server doesn’t support the more secure TLS (Transport Layer Security) protocol and forces it to connect via SSL 3.0. From there a man-in-the-middle attack can decrypt secure HTTP cookies. Google calls this the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. [...] In other words, your data is no longer encrypted.
The default configuration for most web servers still allows SSLv3 and often also SSLv2, and other potentially weak ciphers. However, it is easy to fix.
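To check whether a given configuration still allows SSLv3 or SSLv2, here is an added example (not from the original post) that audits Apache SSLProtocol and nginx ssl_protocols lines. The sample configuration is constructed, and treating Apache's "all" as every protocol in the table is an assumption, since what it expands to depends on the Apache and OpenSSL build.

```python
import re

# Protocol names the two directives accept, keyed case-insensitively.
KNOWN = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1",
         "tlsv1.1": "TLSv1.1", "tlsv1.2": "TLSv1.2", "tlsv1.3": "TLSv1.3"}
WEAK = {"SSLv2", "SSLv3"}
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^#;]+)", re.I)

# Constructed sample: two Apache lines, a commented-out line, two nginx lines.
SAMPLE = """\
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
# SSLProtocol all
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
"""


def enabled_protocols(directive, args):
    """Return the set of protocols one directive line leaves enabled."""
    enabled = set()
    for word in args.split():
        action = word[0] if word[0] in "+-" else ""
        name = word.lstrip("+-").lower()
        if name == "all":
            chosen = set(KNOWN.values())   # assumption: "all" = every known one
        elif name in KNOWN:
            chosen = {KNOWN[name]}
        else:
            continue                       # unknown token: nothing to toggle
        if directive.lower() == "ssl_protocols":
            enabled |= chosen              # nginx: a plain list of what is on
        elif action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen               # Apache: a bare word replaces the set
    return enabled


def audit(config_text):
    """Return (line number, directive, weak protocols still enabled)."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)      # commented-out lines do not match
        if match:
            weak = enabled_protocols(match.group(1), match.group(2)) & WEAK
            if weak:
                findings.append((number, match.group(1), sorted(weak)))
    return findings
```

On the sample, audit(SAMPLE) flags line 1 (SSLv2 removed but SSLv3 left on) and line 4 (SSLv3 listed explicitly); a server with no such directive at all runs on its built-in default and needs checking separately.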