Spectre and Meltdown article roundup

Our team is working on the best approach to secure our customers' systems against the recently reported Spectre and Meltdown vulnerabilities.  Our first step is to understand the problem and its mitigations.  This post provides a roundup of discussions and work on the topic with a focus on mitigation for the Xen hypervisor.

The vulnerabilities

Spectre (aka “Branch target injection”) includes:

SP1) speculative execution to perform bounds-check bypass (CVE-2017-5753)

SP2) utilizing branch target injection (CVE-2017-5715) to cause kernel code at an address under attacker control to execute speculatively

SP3) third variant (CVE-2017-5754), rogue data cache load.  Relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block.  Subsequent memory accesses may cause an allocation into the L1 data cache even when they reference otherwise inaccessible memory locations. As a result, an unprivileged local attacker could read privileged (kernel space) memory (including arbitrary physical memory locations on a host) by conducting targeted cache side-channel attacks.


Kernel 4.14 LTS released

We have added the latest 4.14 kernel to our list of stable kernels for 64bit VPS servers.

The 4.14 kernel includes a large number of performance enhancements, including ...

  • filesystem io
  • block_mq scheduler improvements
  • new selectable scheduler options for disk io
  • improved cryptographic performance
  • cgroup2 support merged


Letsencrypt with Zonomi and Rimuhosting name servers using hooks

SSL is good, you should use it everywhere!

Letsencrypt is a project that lets you obtain signed certificates for free (you should consider donating, though) to secure your website. Big efforts have been made to make this accessible to anyone.

In order to issue SSL certificates, Certificate Authorities check that you control the domain, by either 1) sending validation emails to specific addresses within the domain, 2) requesting special files from the website for the domain, or 3) having you set up special DNS records that are checked during certificate issuance; Letsencrypt particularly favours the latter two. These special files or DNS records are normally called challenges, and if you host DNS zones with Rimuhosting or Zonomi name servers there is now an easy way for you to issue Letsencrypt certificates.


Virtualmin Changes binding from ip:80 to *:80 and breaks older configs … FIX

We have found that some virtualmin installs will sometimes change the format of new virtualhosts from ip:80 to *:80, which breaks virtualhosts because the *:80 overrides the ip:80.
This can result in websites showing another website's content, and it usually shows up right after you add a new domain in virtualmin.


Reboot-less Xen patching

Recently there have been two sets of Xen vulnerabilities: one was disclosed in September, the other earlier today.  Historically we have had to organize host updates, which required downtime to reboot VMs.

For these last sets of vulnerabilities we have been able to use a recently introduced live patching feature in Xen to mitigate the vulnerabilities for most of our hosts.  Live patching swaps out an exploitable function for a patched function, and it can do this without restarting the host or the VM.

Live patching will work for most (but not all) vulnerabilities, resulting in fewer VM restarts and less client disruption, and taking a little more hassle out of your hosting.


DKIM and subaddressing added to 25mail.st

We have added a couple of features to the 25mail.st service.

First, we now support DKIM email signing. This lets our email servers sign outgoing messages so that recipients can verify that the email was sent from an authorized server. You will need to add a DNS entry for each email domain whose emails you want signed. Adding a 25mail.st DKIM key will not affect other email servers you may be using. To get it set up see: https://25mail.st/faq.jsp?is_require_login=Y#dns

We have also added subaddressing, so you can invent subaddresses on the fly (e.g. peter+work@example.com or peter+tag@example.com) and by default they will all arrive in that user's mailbox. For more details see https://25mail.st/faq.jsp?is_require_login=Y#subaddressing


Whitelist your own computer in fail2ban

Fail2ban is a great "dynamic" firewall for servers that is installed by default on many of our VPSs, and we can install it on your VPSs at your request. It protects against brute-force attacks, where an attacker is trying to guess a password or exploit certain classes of vulnerabilities on servers.

One potential problem with fail2ban and similar tools is false positives, that is, banning yourself from your own VPS, particularly if you don't always get your password right. In this post, I'll explain how to fix that problem using fail2ban's whitelist feature.

Lets Encrypt with Virtualmin

Virtualmin now supports Let's Encrypt, which means you can easily get multiple SSL certificates for free if needed.

Here is how you can set that up.

Step 1: Log in to your virtualmin and select the domain from the drop down in the top left.

Step 2: Click 'Edit Virtual Server'; under 'Enabled Features' you will see 'SSL Website Enabled'. Check the checkbox and save.

Step 3: Expand the left menu, and under Server Configuration click on Manage SSL Certificate. At the top far right there should be a tab named 'Let's Encrypt', which you can click on.

Step 4: Change the 'Months between automatic renewal' from Manual to every 2 months or similar and save.

Step 5: Test that the domain works with https and you are done.

Notes: You will need apache 2.4 to allow multiple SSL certificates on a single IP.


ClamAV: mpool_malloc and disk space

ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats. The most common use we see is to check emails for bad content.

Some of our users have recently been seeing errors from "freshclam" processes that look like the entry below. These occur rapidly and will often cause log files to grow very fast, to the point where your server may run out of disk space.

Tue Nov  1 00:17:18 2016 -> WARNING: [LibClamAV] mpool_malloc(): Attempt to allocate 8388608 bytes. Please report to http://bugs.clamav.net


Using Fail2ban on wordpress wp-login.php and xmlrpc.php

A fair few customers of ours use wordpress and occasionally notice that there are people hammering on a few URLs.

This can cause high load, slow websites and a number of other issues, especially when you have more than a single IP hammering away at them.

The solution is simple, and it involves using fail2ban. Here are some simple fail2ban recipes that will stop most of that in its tracks.

Create a file /etc/fail2ban/filter.d/wordpress.conf with the following contents

[Definition]
failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php
ignoreregex =

You can add as many regexes in there as you want on new lines, but these will cover that for now. It pays to check the apache logs to make sure this regex is going to work on your server, and to check the fail2ban logs after applying it to make sure it's banning them.

Create the file /etc/fail2ban/jail.d/wordpress.conf and add the following rules to it

[wordpress]
enabled = true
port = http,https
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/httpd/access_log
maxretry = 10
findtime = 600

The log paths I have used here cover a few places; you will likely need to remove the ones you don't need or have. The first log path is redhat/centos based, the next is debian, and the third is for those with virtualmin.
Other potential log paths may be something like the following:
Plesk: /var/www/vhost//statistics/logs/log or /var/www/vhost//system/logs/log
CPanel: /home//log/log

Make sure you keep an eye on the fail2ban log, and check that the bans are actually happening. It should look like this:

2016-11-01 18:40:50,672 fail2ban.actions[958]: WARNING [wordpress] Unban
2016-11-01 19:47:53,081 fail2ban.actions[958]: WARNING [wordpress] Ban
2016-11-01 19:54:56,550 fail2ban.actions[958]: WARNING [wordpress] Ban
2016-11-01 19:57:53,747 fail2ban.actions[958]: WARNING [wordpress] Unban
2016-11-01 20:04:57,198 fail2ban.actions[958]: WARNING [wordpress] Unban
2016-11-01 20:33:35,094 fail2ban.actions[958]: WARNING [wordpress] Ban
2016-11-01 20:43:35,755 fail2ban.actions[958]: WARNING [wordpress] Unban
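To check that the filter and jail above behave as intended before relying on them, and to show what the ignoreip whitelist from the "Whitelist your own computer in fail2ban" post does, here is an added Python simulation that is not from the original post and not fail2ban's own code. It replays constructed Apache access-log lines through the two failregex lines and the maxretry/findtime window, skipping whitelisted addresses. The `<HOST>` expansion, the `IGNOREIP` values, and every IP address and timestamp are assumptions or constructed sample data; fail2ban's real `<HOST>` pattern and ban bookkeeping are richer than this.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Jail settings mirroring jail.d/wordpress.conf above.
MAXRETRY = 10
FINDTIME = 600  # seconds
# Assumed whitelist (fail2ban's ignoreip option); the post does not give one.
IGNOREIP = ["127.0.0.1/8", "203.0.113.10"]

# The failregex lines from filter.d/wordpress.conf above.
FAILREGEX = [
    r'^<HOST> .* "POST .*wp-login.php',
    r'^<HOST> .* "POST .*xmlrpc.php',
]

TS_RE = re.compile(r"\[([^\]]+)\]")


def compile_failregex(patterns):
    """Turn fail2ban-style patterns into Python regexes.
    fail2ban replaces <HOST> with a sub-pattern for an IP or hostname;
    this simplification accepts any non-blank token (assumption)."""
    return [re.compile(p.replace("<HOST>", r"(?P<host>\S+)")) for p in patterns]


def parse_timestamp(line):
    """Extract the Apache combined-log timestamp, e.g. [01/Nov/2016:18:40:50 +1300]."""
    return datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def is_ignored(host, ignoreip=IGNOREIP):
    """True if host falls inside any whitelisted address or network."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return any(addr in ip_network(net, strict=False) for net in ignoreip)


def simulate_jail(lines, patterns=FAILREGEX, maxretry=MAXRETRY,
                  findtime=FINDTIME, ignoreip=IGNOREIP):
    """Replay chronologically ordered log lines through the filter and
    return [(host, iso_timestamp_of_ban)] for each ban the jail would issue."""
    regexes = compile_failregex(patterns)
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)
    bans = []
    for line in lines:
        match = None
        for rx in regexes:
            match = rx.match(line)
            if match:
                break
        if not match:
            continue  # not a failure according to the filter
        host = match.group("host")
        if is_ignored(host, ignoreip):
            continue  # whitelisted: never counted, never banned
        ts = parse_timestamp(line)
        q = failures[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # only failures inside the last findtime seconds count
        if len(q) >= maxretry:
            bans.append((host, ts.isoformat()))
            q.clear()  # counter starts over after a ban, as after an unban
    return bans


def make_line(host, when, request, status=200):
    """Build a constructed Apache combined-format line (sample data, not real traffic)."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{host} - - [{stamp}] "{request} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


BASE = datetime(2016, 11, 1, 19, 40, 0, tzinfo=timezone(timedelta(hours=13)))


def sample_log():
    """Constructed access log: one fast brute force, one slow prober,
    one whitelisted host hammering xmlrpc.php, and an ordinary visitor."""
    lines = []
    for i in range(12):  # 20 s apart: the 10th POST lands inside one 600 s window
        lines.append(make_line("198.51.100.7", BASE + timedelta(seconds=20 * i), "POST /wp-login.php"))
    for i in range(10):  # 120 s apart: never 10 failures inside 600 s, so no ban
        lines.append(make_line("198.51.100.8", BASE + timedelta(seconds=120 * i), "POST /xmlrpc.php"))
    for i in range(15):  # whitelisted (e.g. your own office IP syncing via xmlrpc.php)
        lines.append(make_line("203.0.113.10", BASE + timedelta(seconds=10 * i), "POST /xmlrpc.php"))
    for i in range(20):  # GETs never match the POST-only failregex
        lines.append(make_line("192.0.2.5", BASE + timedelta(seconds=5 * i), "GET /index.php"))
    lines.sort(key=parse_timestamp)
    return lines


if __name__ == "__main__":
    for host, when in simulate_jail(sample_log()):
        print(f"Ban {host} at {when}")
```

Running it bans only 198.51.100.7; the slow prober shows why findtime matters, and dropping the whitelist (`ignoreip=[]`) would also ban the office address, which is exactly the self-lockout the whitelist post warns about. On the server itself, fail2ban ships `fail2ban-regex <logfile> <filterfile>` for testing a filter against the live log.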