sales

June 5, 2014

Sysadmin Tips and Tricks - Understanding the 'Default Deny' Server Security Principle

In the desktop world, people tend to feel good about their system’s security when they have the latest anti-virus and anti-spyware installed and keep their applications up-to-date. Those of us who compute for a living know that this is nothing close to resembling a “secure” state. But it’s the best option for non-technical people at this time.

Servers, on the other hand, exist in a more hostile environment than desktop machines, which is why keeping them secure requires skilled professionals. This means not only doing things like keeping applications patched and up-to-date, but also grasping the underlying principles of system security. Doing that allows us to make informed and skillful decisions for our unique systems—because no one knows our servers as well as we do.

One very powerful concept is “Default Deny” (as in Deny by Default), by which means that "Everything, not explicitly permitted, is forbidden." What does this mean, and why is it important?

Let’s look at a simple example using file permissions. Let’s say you installed a CGI (Common Gateway Interface) application, such as some blog software, and you’re having trouble getting it to work. You’ve decided the problem is the permissions on the configuration file. In this case, user “rasto” is the owner of the file. You try chmodding it 755 and it works like this:

-rwxr-xr-x 1 rasto rasto 216 May 27 16:11 configuration.ini

Now that it works, you’re ready to move to your next project. But there’s a possible security problem here. As you can see, you have left the configuration file Readable and Executable by Other. There is almost certainly no reason for that because CGI scripts are typically run as the owner of the file. There is potentially no reason for users of the same group (or other random users of the system) to be able to Read this configuration file. After all, some configuration files contain database passwords. If I have access to another user on this system, I could simply “cat” the configuration file and get trivial access to your data!

So the trick is to find the least permissions required to run this script. With a little work, you may discover that it runs just fine with 700:

-rwx------ 1 rasto rasto 216 May 27 16:11 configuration.ini

By taking a little extra time, you have made your system much more secure. “Default Deny” means deny everything that is not explicitly required. The beautiful thing about this policy is that you can remove vulnerabilities that you neither comprehend nor even know about. Instead of making a list of “bad” things you essentially make a list of “good” things, and allow only those things to happen. You don’t even have to realize that someone could read the file because you’ve made it a policy to always allow the least amount of access possible to all things.

Another example might be to prune your php.ini to get rid of any expanded capabilities not required by PHP scripts running on your system. If a zero-day vulnerability arises in PHP that affects one of the things you’ve disallowed, it simply won’t affect you because you’ve disabled it by default.

Another scenario might be to remove packages from your system that are not being used. If someone tries to inject some Ruby code into your system, it won’t run without Ruby present. If you’re not using it, get rid of it, and it can’t be used against you.

Note: It’s very easy to be wrong about what is not being used on your system—you can definitely break things this way—I suggest a go-slow approach, particularly in regards to built-in packages.

The important thing is the concept. I hope you can see now why a Default Deny policy is a powerful tool to help keep your system more secure.

-Lee

June 3, 2014

My 5 Favorite Sublime Text 2 Plugins

I can’t believe that is was only a mere year ago since I learned of Sublime Text 2. I know, I know … where have I been? What kind of developer was I that I didn’t even know of Sublime Text? I’ll take the criticism, as I can honestly say it has been the best text editor I have ever used.

It’s extremely fast. I rarely wait for saves, uploads, or syntax highlighting, it keeps up with everything I do and allows me to develop directly from the keyboard. I hardly ever reach for my mouse!

It looks awesome. It has kind of retro-look for those developers who remember coding purely from the terminal or DOS. It really brings back memories.

It can be extended. Need some extra functionality that doesn’t come out-of-the-box? Sublime Text 2 has a range of available plugins that you can install to enhance your capabilities with this awesome text editor. In this blog, I’ll cover my top five favorite plugins of all time, what they do, and why they’re great!

1. BracketHighlighter

Many people believe that bracket highlighting should be a ready-made helper for developers of all languages. I agree on this point, however, at least Sublime Text 2 provides a plugin for this. It’s a very simple addition; it allows you to see if your opening brackets have an accompanying closing bracket. Many developers will tell you stories of these large and complex programs that consumed much of their time as they searched for one simple error … only to find that it was just a missing closing bracket.

In addition, it highlights opening and closing tags and quotes, for those of you who do a lot of HTML/XHTML, both bracket and tag settings are customizable.

For more details on the plugin check out the BracketHighlighter GitHub page.

2. DocBlockr

This is a neat plugin that speeds up and simplifies documentation. It supports PHP, Javascript, Java, Action Script, Objective C, C, C++, and Coffee Script.

By typing this:

/** (Press Enter)

The plugin automatically returns this:

/**
*
*/

Boom, the quickest way to document that I’ve ever seen.

In order to document your functions, just put it in your comment:

/** (Press Enter)
function myFunction(var1, var2) { }

And, it'll become:

/**
*[myFunction description]
* @param {[type]} var1 [description]
* @param {[type]} var2 [description]
* @param {[type]}
*/

function myFunction (var1, var2) { }

When you want to do variable documentation, the structure is similar:

/** (Press Enter)
myVar = 10

The plugin will fill out the documentation block like this:

/**
*[myVar description]
* @type {Number}
*/

Tell me that this isn’t nifty! If you want to try it out or just get a closer look at this plugin, head here.

3. Emmet (previously known as Zen Coding)

Unfortunately, I encountered some oddities when I tried to install Emmet with SublimeLinter, so I decided to disable the Linter in favor of Emmet to give it a spin. I absolutely love Emmet.

It provides a much more efficient way to code by providing what they call “abbreviations.” For example, if I want to create a div with an unordered list and one bullet point in it, Emmet lets me save myself a lot of time ... I can type this into Sublime:

div>ul>li

And press Control+E, and my code automatically turns into this:

<div>
    <ul>
        <li></li>
    </ul>
</div>

If I need to add multiple <li> tags, I can easily replicate them with a small addition:

div>ul>li*3

When I hit Control+E, voila! The unordered list structure is quickly generated:

<div>
    <ul>
        <li></li> 
        <li></li>
        <li></li>
    </ul>
</div>

That's just the tip of the iceberg when it comes to Emmet's functionality, and if you’re as impressed as I am, you should check out their site: http://docs.emmet.io/

4. SFTP

I think the title of the plugin says it all. It allows you to directly connect to your server and sync projects and files just by saving. You will never have to edit a file in a text editor, open your FTP client and upload the file again. Now, you can do it directly from Sublime Text 2.

When used in conjunction with Projects, you’ll find that you can easily save hours of time spent on remote uploading. By far, SFTP for Sublime Projects is one of the most essential plugins you’ll need for any project!

5. SideBarEnhancements

This is a small plugin that makes minor adjustments to the Files and Folders sidebar, providing a more intuitive interface. Though this doesn’t add much functionality, it can definitely speed things up. Take a look at the plugin on the SideBarEnhancements GitHub page

I hope this list of Sublime Text 2 plugins will enhance your capabilities and ease up your processes, as it has done for me. Give them a try and let me know what you think. Also, if you have a different favorite plugin, I’d love to hear about it.

-Cassandra

May 29, 2014

Startups and BBQ – The New Memphis

BB King. Elvis. Graceland. Jerry Lee Lewis. Beale Street. Cotton. Shipping. Martin Luther King. Civil Rights on the national stage. All of these things come to mind when you think of Memphis, Tennessee. You can now add one more to that list: Startups.

Yep. That’s right. Startups.

Memphis has a long history of economic success. From the early days of its settlement, it was a shipping and trading hub for the early United States thanks to the Mississippi River. It progressed into one of the world’s largest cotton producers, even having a cotton exchange similar to the stock exchange on Wall Street. As our country grew, so did Memphis’ value because of geographic location. Today, more than 60 percent of the U.S. population is within a one-day drive of Memphis. It has grown into a logistics hub and houses several North American railway companies, as well as FedEx.

What’s awesome to see on my second stop of our 2014 small-market tour, is that there is an undercurrent happening in Memphis that is shifting the landscape of the economic success of the region to technology. And it’s happening through the leadership of folks like Eric Mathews and Patrick Woods. Mathews heads up StartCo, a regional accelerator with 20 startups, all of which have come to Memphis to develop their companies. Woods is in charge of a very unique program, started by A>M Ventures that helps early stage companies get the right message out about their products, who they are, and where they are going.

Our team met Woods at SXSW in 2013. Over the past year, we have worked together to help Woods’ outreach efforts by building a bridge from Memphis to Silicon Valley and through other early stage startup communities. We connected with Mathews at SXSW this year through one of our strongest partners, the Global Accelerator Network. Mathews was very convincing. He not only showed me a startup community that was thriving, but he also fed me world-class BBQ at the same time.

Did somebody say BBQ? You don’t really have to ask @KelleyHilborn or me twice. Our Pavlovian response kicked in and we had our flights booked before you could flip a coin.

Last week marked the annual celebration of Memphis’ BBQ Fest – one of the largest festivals of its kind in the world. It also marked the first week for the StartCo teams, and we were there to welcome them with some SoftLayer Catalyst goodness (as a side to that BBQ).

We met with all of the teams and were greeted by folks from all over the world. Teams from NYC, Europe, Silicon Valley, and even local Memphis were made up of entrepreneurs who were eager to hear about Catalyst and how we could connect them to our community. From big data companies, to analytics companies and even a company that manufactures a chip for your dog, these teams definitely have the smarts and character to disrupt and succeed.

Our office and mentor hours provided us a strong foundation to connect with the startups one-on-one. BBQ Fest and events with A>M Ventures, StartCo, and our friends from Keen.io gave us an opportunity to spend two full days with the entrepreneurs, getting a higher sense of where they hoped to take their businesses.

The teams in Memphis are just as hungry, innovative, capable, and smart as any we work with in our startup ecosystems around the world. What we loved most about our time in Memphis was how welcoming the local leaders were, and further how open-minded they are to making a positive impact on this world. The leadership that is building this tech ecosystem from the ground up is doing so in an open, communal, and giving way, which all tech ecosystems need to be built upon.

Because of this philosophy, they are ensuring their success. They’re creating a community based on collaboration and mutual success. It reminds me of cities like Boulder and Portland. These cities were built on the same principles, and they enjoy greater success than many other larger markets.

And SoftLayer was there at the beginning. We’re excited to watch this ecosystem grow, and to continue collaborating to help support people like Mathews, Woods and many others in Memphis who see the forest through the trees.

Next stop on the small market express…Kelowna, British Columbia. Our very own @gkdog will be delivering a keynote and sitting on a panel, instilling our community and strategic philosophies on his home Canadian turf.

-@JoshuaKrammes

May 20, 2014

The Next Next

Last month in Europe, I had a chance to participate is some interesting discussions at The Next Web (TNW) Europe and NEXT Berlin conferences. The discussions centered around where we are on the curve of technology development, what the scene looks like now, and what the future holds. TNW Europe inspired me to share my thoughts here on the topic of inevitable market evolution, in particular which aspects will be instrumental in this progress and the empowering phenomenon of embracing the possibility to fail and change.

Attending NEXT Berlin boosted my confidence about those conclusions and motivated me to write a few words of a follow up. Connected cars, or “new mobility,” Internet of Things, smart houses, e-health, and digitalized personal medicine, application of cloud and big data in various industries from automotive, to home appliances, to army, and to FMCG, all are proof that the world is changing at a stunning pace. And all that is fueled by the evolution of organizations and how they set up their IT, hosting strategies and environments.

The most invigorating talk, in my opinion, at NEXT Berlin was given by Peter Hinssen. His keynote on The New Normal gave the audience a couple solid “ah” and “ha” moments. Here are some of the highlights I took away from the talk:

  • Technology is not only relevant to (almost) every aspect of our lives; it is in fact obvious, if not commoditized. Digital is present everywhere, from grocery shopping, to stopping at traffic lights, to visiting a dentist office, to jogging, to going to the movies, to sharing holidays greetings with our friends, to drinking fresh water from our taps, and so on. Technology we use privately usually surpasses what we use at work. The moment we receive access to something new, we immediately expect that to be working seamlessly and we get irritated if it doesn’t (think: national coverage of LTE, Wi-Fi available on board of aircrafts, streamed HD on-demand television, battery life of smart devices). We take technology for granted, not because we’re arrogant, but because it is omnipresent.
  • Information and technology are becoming equally available to all, leveling the landscape and helping organizations stay ahead and constantly re-invent themselves. Access to data and new tools is no longer a privilege and luxury that only the biggest fish can afford. Nowadays, thanks to an expansive spectrum of as-a-service offerings, every organization can get an insight of their buyers’ attitudes and behaviors and change accordingly to gain competitive advantage. Those who resist to constantly remodel the way they operate and serve the market, will be quickly outrun by dozens of those who understand the value of being agile.
  • Organizations and markets run on two different clocks: one is internal, the other is external, and very often they are unsynchronized. The bigger the gap between the clocks, the less chance for that organizations survival. People learn new technologies very fast and become their users faster in private than professional space. Legacy processes, miscommunication, misperception, and sometimes ignorance overshadow the reality that the progress is on a slower lane when it comes to business. The development is unstoppable and it keeps on becoming more complex and more intense. Not to fall behind, organization need to become ‘fluid’ to respond real-time to those flux conditions.
  • Society and markets are operating as networks. In order to serve them efficiently, businesses need to reorganize their structures to operate as networks. With the dominance of social, the typical organizational hierarchy is detached from buyer’s mentality. In our private lives, we trust more of our peers, we give more credibility to influencers who have solid network of followers, and best ideas are fueled by different, unrelated sources. Applying the same principles to professional environments, restructuring the organizational chart from top-down reporting lines to more of a network topography, hence going beyond traditional divisions, silos, and clusters, will boost the internal creativity and innovation.
  • Information is not a pool with a fixed option to “read” and “write “anymore. It is actually fluid and should be seen more as a river with infinite number of branches and customers sitting at the heart of each cluster. It is not an organization who decides what and when is being said and known. The discretion belongs to users and buyers, who share widely their insights, reviews, likes, and opinions and whose recommendations—either coming from an individual or in an aggregated form—are much more powerful. At the same time that set of information is not static, but dynamic. Organizations should respect, embrace, and adapt actively to that flow.

Peter claims we’re probably not even half way down the S curve of that transformation. Being part of it, seeing those disruptive organizations grow on our platform, having a chance to talk to so many smart people from all over the world who shape the nowadays societies and redefine businesses, is one of the most thrilling aspects of working for SoftLayer. Even if my grandma still associates cloud with weather conditions, I know my kids will be all “no way” once I tell them a story of how we were changing the world.

Wondering what will be the age test for them…

- Michalina

May 8, 2014

SoftLayer Security: Questions and Answers

When I talk to IBM Business Partners about SoftLayer, one of the most important topics of discussion is security. We ask businesses to trust SoftLayer with their business-critical data, so it’s important that SoftLayer’s physical and network security is as transparent and understandable as possible.

After going through the notes I’ve taken in many of these client meetings, I pulled out the ten most frequently asked questions about security, and I’ve compiled answers.

Q1: How is SoftLayer secured? What security measures does SoftLayer have in place to ensure my workloads are safe?

A: This “big picture” question is the most common security-related question I’ve heard. SoftLayer’s approach to security involves several distinct layers, so it’s tough to generalize every aspect in a single response. Here are some of the highlights:

  • SoftLayer’s security management is aligned with U.S. government standards based on NIST 800-53 framework, a catalog of security and privacy controls defined for U.S. federal government information systems. SoftLayer maintains SOC 2 Type II reporting compliance for every data center. SOC 2 reports are audits against controls covering security, availability, and process integrity. SoftLayer’s data centers are also monitored 24x7 for both network and on-site security.
  • Security is maintained through automation (less likely for human error) and audit controls. Server room access is limited to authorized employees only, and every location is protected against physical intrusion.
  • Customers can create a multi-layer security architecture to suit their needs. SoftLayer offers several on-demand server and network security devices, such as firewalls and gateway appliances.
  • SoftLayer integrates three distinct network topologies for each physical or virtual server and offers security solutions for systems, applications, and data as well. Each customer has one or many VLANs in each data center facility, and only users and servers the customer authorizes can access servers in those VLANs.
  • SoftLayer offers single-tenant resources, so customers have complete control and transparency into their servers.

Q2: Does SoftLayer destroy my data when I’ve de-provisioned a compute resource?

A: Yes. When a customer cancels any physical or virtual server, all data is erased using Department of Defense (DoD) 5220.22-m standards.

Q3: How does SoftLayer protect my servers against distributed denial of service (DDoS) attacks?

A: A SoftLayer Network Operations Center (NOC) team monitors network performance and security 24x7. Automated DDoS mitigation controls are in place should a DDoS attack occur.

It’s important to clarify here that the primary objective of this DDoS mitigation is to maintain performance integrity of the overall cloud infrastructure. With that in mind, SoftLayer can’t stop a customer from being attacked, but it can shield the customer (and any other customers in the same network) from the effects of the attack. If necessary, SoftLayer will remove the target from the public network for periods of time and null-routes incoming connections. Because of SoftLayer’s three-tiered network architecture, a customer would still have access to the targeted system via the private network.

Q4: How is communication segmented from other tenants using SoftLayer?

A: SoftLayer utilizes industry standard VLANs and switch access control lists (ACLs) to segment customer environments. Customers have the ability to add and manage their own VLANs, providing additional security even inside their own accounts. ACLs are configured to permit or deny any specified network packet (data) to be directed along a switch.

Q5: How is my data kept private? How can I confirm that SoftLayer can’t read my confidential data?

A: This question is common customers who deal with sensitive workloads such as HIPAA-protected documentation, employee records, case files, and so on.

SoftLayer customers are encouraged to deploy a gateway device (e.g. Vyatta appliance) on which they can configure encryption protocols. Because the gateway device is the first hop into SoftLayer’s network, it provides an encrypted tunnel to traverse the VLANs that reside on SoftLayer. When securing compute and storage resources, customers can deploy single tenant dedicated storage devices to establish isolated workloads, and they can even encrypt their hard drives from the OS level to protect data at rest. Encrypting the hard drive helps safeguard data even if SoftLayer were to replace a drive or something similar.

Q6: Does SoftLayer track and log customer environments?

A: Yes. SoftLayer audits and tracks all user activity in our customer portal. Some examples of what is tracked include:

  • User access, both failed and authenticated attempts (destination IP is shown on a report)
  • Compute resources users deploy or cancel
  • APIs for each call (who called the API, the API call and function, etc.)
  • Intrusion Protection and Detection services that observe traffic to customer hosts
  • Additionally, customers have root access to operating systems on their servers, so they can implement additional logging of their own.

Q7: Can I disable access to some of my users through the customer portal?

A: Yes. SoftLayer has very granular ACLs. User entitlements are segmented into different categories, including Support, Security, and Hardware. SoftLayer also gives customers the ability to limit access to public and private networks. Customers can even limit user access to specific bare metal or virtual server.

Q8: Does SoftLayer patch my operating system?

A: For unmanaged cloud servers, no. Once the updated operating system is deployed on a customer’s server, SoftLayer doesn’t touch it.

If you want help with that hands-on server administration, SoftLayer offers managed hosting. In a managed hosting environment, Technical Account Managers (TAMs) are assigned as focal points for customer requests and issues. TAMs help with reports and trending data that provide recommendations to mitigate potential issues (including OS patching).

Q9: Is SoftLayer suited to run HIPAA workloads?

A: Yes. SoftLayer has a number of customers running HIPAA workloads on both bare metal and single-tenant virtual servers. A Business Associate Agreement (BAA), signed by SoftLayer and the customers, clearly define the shared responsibilities for data security: SoftLayer is solely responsible for the security of the physical data center, along with the SoftLayer-provided infrastructure.

Q10: Can SoftLayer run government workloads? Does SoftLayer use the FISMA standards?

A: The Federal Information Security Management Act (FISMA) defines a framework for managing information security that must be followed for all federal information systems. Some state institutions don’t require FISMA, but look to cloud hosting companies to be aligned to the FIMSA guidelines.

Today, two SoftLayer data centers are audited to the FISMA standards – Dallas (DAL05) and Washington, D.C. (WDC01). Customers looking for the FISMA standard can deploy their workloads in those data centers. Future plans include having data centers that comply with more stringent FedRAMP requests.

For additional information, I highly recommend the on-demand SoftLayer Fundamentals session, “Keep safe – securing your SoftLayer virtual instance.” Also, check out Allan Tate’s Thoughts on Cloud blog, “HIPAA and cloud computing: What you need to know” for more on how SoftLayer handles HIPPA-related workloads.

-Darrel Haswell

Darrel Haswell is a Worldwide Channel Solutions Architect for SoftLayer, an IBM Company.

May 2, 2014

Keyboard Shortcuts in the SoftLayer Customer Portal

I’m excited to introduce a new feature in the SoftLayer customer portal: Keyboard shortcuts!

Keyboard shortcuts give you quick access to the most commonly used features by simply typing a few characters. For those who prefer never having to reach for the mouse to navigate an application, you should find these handy additions quite helpful.

After you log into the Customer Portal, type “?” (shift + forward slash) on any page, and you'll see a full list of available keyboard shortcuts:

Keyboard Shortcuts

On the Keyboard Shortcuts help page, you have the option to enable or disable the functionality based on your preference. Keyboard shortcuts are enabled by default. Disabling this feature will turn off all keyboard shortcuts except the “?” shortcut so that you can access the enable/disable feature preference in the future if you change your mind. This preference is stored in a cookie in your browser, so changing computers or deleting your cookie will re-enable the feature.

The shortcuts are grouped into three sets: Global, Tabs, and Grids.

Keyboard Shortcuts

Global Navigation

You have the ability to navigate to any page in our application by typing in the respective position number in the menu combined with dashes (-). For example, typing 1-5-2 will open Support (1) > Help (5) > Portal Tour (2).

Use the “go to” key combinations to jump to a new location from anywhere in the portal. For example, type (g) and (d) to visit the Device List. Typing (g) and (u) allows you to access the list of portal users, and (g) and (t) takes you to view tickets. If you want to add a new ticket from anywhere in the portal, type (+) and (t). It’s that simple.

Keyboard Shortcuts

Tabs

Many of the pages within the portal have tabs that appear just above the main content of the page. These tabs often allow content to be filtered, or provide access to additional features related to the page topic. Each tab can be accessed by using a simple two-keystroke combination, such as (t) then (f) to reveal the Filter tab on the page.

Keyboard Shortcuts

Grids

Whenever a page contains a grid — a tabular listing — you can now perform common operations from the keyboard. Jump quickly from page to page (first/last or next/previous) or refresh the grid contents with a single keystroke.

Keyboard Shortcuts

Please give this new feature a try for yourself! We welcome your feedback. Please let us know if you would like to have us implement any other keyboard shortcuts in the future.

-Daniel

May 1, 2014

New App Release: SoftLayer Mobile for Windows 8.1

Today, the SoftLayer development team is launching a new platform accessibility tool for SoftLayer customers who want to easily manage their infrastructure from Windows. We've gotten a great response from the users of SoftLayer Mobile app for Windows Phone, so we turned our attention to creating an app for customers on Windows 8.1: SoftLayer Mobile for Windows 8.1.

With a growing number of users adopting and embracing Windows 8.1 on their PCs, and the Windows Store is becoming a vibrant community of useful apps for those customers. There are more than 145,000 apps on the Windows Store, and that number is expected to increase exponentially following Microsoft’s recent introduction of "Universal Apps for Windows Phone 8.1 and Windows 8.1.” With all that goodness and an expanding market, it was imperative for our mobile development team to build an app for customers using Windows 8.1 as their default OS or carrying Windows RT tablets.

Why Windows 8.1?

Our team wants to provide simple, efficient ways for customers to connect to SoftLayer infrastructure and perform any necessary management tasks while on-the-go. Our team is inspired by the power of connected devices in Windows ecosystem. By developing an app for Windows 8.1, we will slowly bring the phone, tablet and PC onto one streamlined platform — a concept many smart devices are adopting quickly.

What’s Fresh?

New Dashboard

The SoftLayer Mobile app for Windows 8.1 is a fresh new approach to its Windows Phone sibling. The app provides a dashboard view after authentication that provides a snapshot of some of the most commonly used information and controls in the portal.

Currently, the dashboard supports four different panels: Tickets, devices, accounting and bandwidth. All display an overview of relevant information for you and your environment. The dashboard also allows you to quickly add a ticket or make a one-time payment on your account.

SoftLayer Mobile for Windows 8.1

In-line Ticket Updates

In the new tickets module, you can update tickets without ever leaving the page. This functionality is similar to what you see on many social websites, and it's integrated to be seamless.

SoftLayer Mobile for Windows 8.1

Search Everywhere!

One of the coolest additions to the new app is the introduction of search functionality in each module. Now, you can search a ticket, a device, or an invoice by just typing into the search box! The search capability lets you spend less time scrolling and more time working.

SoftLayer Mobile for Windows 8.1

Bandwidth Display

Smart phones have apps that measure and report how much data you are using, and your infrastructure should be similarly transparent Bandwidth usage is an important aspect of server management, so we built the bandwidth module to show your infrastructure's public and private traffic for current and previous billing cycles. This view also helps you see when a server is about to reach its limits so that you can plan accordingly.

SoftLayer Mobile for Windows 8.1

The module provides two ways to look at the data:

  • In a tabular form by clicking the “Show/Hide Traffic Details” button.
  • In a graphic representation by clicking the “View Graph” button.

SoftLayer Mobile for Windows 8.1

Same Functionality. Better Experience.

Sometimes change is not always needed for a nicely crafted feature. The new app keeps the same feature richness of the Windows Phone app and arranges it in a user-friendly way. For example, in the devices module, you can navigate to between different tabs to get the information you need, from password lists and attached tickets to a specific device or monitoring alarms.

The “Remote Control” section on the module allows you to perform actions such as rebooting, power cycles, restarts and pinging servers. In addition, you can view hardware and software installed on the device along with the hardware and network components attached. In the current phone version, you can only see the root password for the device, but in the Windows 8.1 app, you see all passwords for the server.

SoftLayer Mobile for Windows 8.1

What's Next?

During the development of this app, the team's goal was to test to adopt a framework that would be ideal for scaling. More and more developers are adopting a Model-View-Model (MVVM) approach to mobile and web app development, so our goal was to use that approach for this project. The significant challenge we faced when adopting this approach was finding a well-supported framework that met our application's needs. We weren't able to find suitable frameworks that committed regular updates in SDKs or in APIs, so we ended up using the same MVVM principles without any underlying framework. In the end, the project allowed us to create our own framework for future projects!

There are many exciting features that are lined up for the Windows 8.1 app. Download it now: SoftLayer Mobile for Windows 8.1

After you try it out, please submit your feedback ... We want to keep improving the app by providing the features and functionality that matter most to you.

-Imran

April 29, 2014

The Media Industry is Making the Move to Cloud

Rumor has it that at the entire rendering of James Cameron’s “Avatar” using 3DFusion required more than 1 petabyte of storage space. This is equivalent to 500 hard drives of 2 terabytes each, or a 32 year-long MP3 file! The computing power behind this would consist of about 34 racks, each with 4 chassis containing 32 machines. All of that adds up to roughly 40,000 processors and 104 terabytes of RAM.

High-res, long-form media files that can reach hundreds of gigabytes of storage are regular phenomena in the media industry. Whether it’s making the next “Avatar” or creating the next big, viral ad campaign, technology is fundamental to the media industry. But, the investment required to set these up is enough to boggle the mind and dissuade even the high risk-takers. So, why buy when you can rent?

Cloud allows you to rent, own, use, and return the infrastructure with no capex. That gives users access to unlimited compute power, including servers, network, storage, firewalls, and ancillary services, all available on demand, with pay-as-you-go billing offered hourly or monthly.

Cloud services are an increasingly viable avenue for the industry to leverage and support the performance needs of online media storage, as well as collaboration environment. The benefits of a customizable approach to the cloud include: digital archives, production support, broadcast facility resiliency, high-intensity processing, and derivatives manufacturing for transcoding and encrypting. An on-demand, scalable infrastructure is the next step toward reducing production and operations costs, simplifying data access, and delivering content faster to the end user.

This year at ad:tech asean, SoftLayer will present on how the media industry is utilizing cloud infrastructure. So, I thought this would be a good opportunity to share some interesting customer stories about media companies at the top of their games and successfully growing their businesses on the cloud. Here are two of those stories.

The Loft Group, an Australian creative digital agency, specializes in creating e-learning campaigns for global brands. The company won a contract with cosmetics giant L’Oreal but realized that in order to go big with their platform, they needed technology that provided their support team with the necessary analytics. The Loft Group selected SoftLayer as the cloud platform for its digital e-learning campaigns. Moving their services to the cloud helped the company achieve global scale, consistent performance across multiple countries and grow at a pace which slashed a 3- to 5-year transformation timeline down to just months.

According to eMarketer’s forecast, global e-commerce sales will top $1.2 trillion by 2016. That growth is projected to continue by 20 percent every year. Ad personalization is playing a larger part in maximizing e-commerce business. To keep up with the demands of real-time ad personalization, companies like Struq, an ad personalization platform, require an infrastructure that can process high volumes at high speeds.

Struq offers highly targeted ad campaigns across a range of promotional platforms. The company often handles more than 2 terabytes of raw event data every day, processing more than 95 percent of requests in fewer than 30 milliseconds. And when the company’s growing European customer base demanded immediate server allocation, Struq turned to SoftLayer for scalability. We were able to offer on-demand provisioning as well as the low latency their customers required. A detailed story of how Struq achieved the requisite scalability and success with SoftLayer is available here.

More stories to come, so stay tuned! In the meantime, you can hear more customer stories during the first leg of ad:tech asean, a prelim roadshow in Jakarta, Kuala Lumpur and Bangkok.

-@namrata_kapur

April 23, 2014

Security: 10 Tips for Hardening a Linux Server

In light of all the complex and specialized attacks on Internet-facing servers, it’s very important to protect your cloud assets from malicious assailants whose sole purpose is to leach, alter, expose, siphon sensitive data, or even to shut you down. From someone who does a lot of Linux deployments, I like to have handy a Linux template with some extra security policies configured.

Securing your environment starts during the ordering process when you are deploying server resources. Sometimes you want to deploy a quick server without putting it behind an extra hardware firewall layer or deploying it with an APF (Advance Policy Firewall). Here are a couple of security hardening tips I have set on my Linux template to have a solid base level of security when I deploy a Linux system.

Note: The following instructions assume that you are using CentOS or Red Hat Enterprise Linux.

1. Change the Root Password
Log in to your server and change the root password if you didn’t use a SSH key to gain access to your Linux system.

  • passwd - Make sure it’s strong.
  • Don't intend on using root.

2. Create a New User
The root user is the only user created on a new Linux install. You should add a new user for your own access and use of the server.

  • useradd <username>
  • passwd <username> (Make sure this is a strong password that’s different from your root password.)

3. Change the Password Age Requirements
Change the password age so you’ll be forced to change your password in a given period of time:

  • chage –M 60 –m 7 –w 7 <username>
    • M: Minimum of days required between password changes
    • m: Maximum days the password is valid
    • w: The number of days before password will warn of expiration

4. Disable Root Login
As Lee suggested in the last blog, you should Stop Using Root!

  • When you need super-user permissions, use sudo instead of su. Sudo is more secure than using su: When a user uses sudo to execute root-level commands, all commands are tracked by default in /var/log/secure. Furthermore, users will have to authenticate themselves to run sudo commands for a short period of time.

5. Use Secure Shell (SSH)
rlogin and telnet protocols don’t use an encrypted format, just plain text. I recommend using SSH protocol for remote log in and file transfers. SSH allows you to use encryption technology while communicating with your sever. SSH is still open to many different types of attacks, though. I suggest using the following to lock SSH down a little bit more:

  • Remove the ability to SSH as root:
    1. vi /etc/ssh/sshd_config.
    2. Find #PermitRootLogin yes and change to PermitRootLogin no.
    3. Run service sshd restart.
  • Change the default SSH 22 port. You can even utilize RSA keys instead of passwords for extra protection.

6. Update Kernel and Software
Ensure your kernel and software patches are up to date. I like to make sure my Linux kernel and software are always up to date because patches are constantly being released with corrected security flaws and exploits. Remember you have access to SoftLayer’s private network for updates and patches, so you don’t have to expose your server to the public network to get updates. Run this with sudo to get updates in RedHat or CentOS: yum update.

7. Strip Your System
Clean your system of unwanted packages. I strip my system to avoid installing unnecessary software to avoid vulnerabilities. This is called “reducing the attack surface.” Packages like NFS, Samba, even the X Windows desktops (i.e., Gnome or KDE) contain vulnerabilities. Here’s how reduce the attack surface:

  • List what is installed: yum list installed
  • List the package name: yum list <package-name>
  • Remove the package: yum remove <package-name>

8. Use Security Extensions
Use a security extension such as SELinux on RHEL or CentOS when you’re able. SELinux provides a flexible Mandatory Access Control (MAC); running a MAC kernel protects the system from malicious or flawed applications that can damage or destroy the system. You’ll have to explore the official Red Hat documentation, which explains SELinux configuration. To check if SELinux is running, run sestatus.

9. Add a Welcome/Warning
Add a welcome or warning display for when users remote into your system. The message can be created using MOTD (message of the day). MOTD’s sole purpose is to display messages on console or SSH session logins. I like for my MOTDs to read “Welcome to <hostname>. All connections are being monitored and recorded.”

  • I recommend vi /etc/motd

10. Monitor Your Logs
Monitor logs whenever you can. Some example logs that you can audit:

  • System boot log: /var/log/boot.log
  • Authentication log: /var/log/secure
  • Log in records file: /var/log/utmp or /var/log/wtmp:
  • Where whole system logs or current activity are available: /var/log/message
  • Authentication logs: /var/log/auth.log
  • Kernel logs: /var/log/kern.log
  • Crond logs (cron job): /var/log/cron.log
  • Mail server logs: /var/log/maillog

You can even move these logs to a bare metal server to prevent intruders from easily modifying them.

This is just the tip of the iceberg when securing your Linux server. While not the most secure system, it gives you breathing room if you have to deploy quick servers for short duration tests, and so on. You can build more security into your server later for longer, more permanent-type servers.

- Darrel Haswell

Darrel Haswell is an advisory SoftLayer Business Partner Solution Architect.

Categories: 
April 23, 2014

Sysadmin Tips and Tricks - Stop Using Root!

A common mistake newer Linux system administrators make is the overuse of root. It seems so easy! Everything is so much simpler! But in the end, it’s not—and it’s only a matter of time before you wish you had not been so free and easy with your super-user, use. Let me try to convince you.

Let’s start with a little history. The antecedents of Linux go all the way back to the early 1970s, when computers cost tens of thousands of dollars (at least). With that kind of expense, you as a user would hardly have a computer sitting on your desk (not to mention they were at least refrigerator-sized), and you would also not have the use of it dedicated to your needs. What was obviously needed was an operating system that would allow multiple users to use the machine at once, via terminals, in order to make the most use of the computing resources available.

If you think about it, it’s clear that the operating system had to be very good at keeping users from being able to stomp on each other’s files and processes. So the early UNIX™ variants were multi-user systems from the get-go. In the ensuing forty years, these systems have only gotten better at keeping the various users and processes from harming each other. And this is the technology that you’re paying for when you use Linux or other modern variants.

Now, you may think, “That doesn’t apply to me—I’m the only user on my server!” But are you, really?

You probably run Apache, which is generally run as the user httpd or apache. Why not root? Because if you run Apache as root, then anyone on the outside who manages to get Apache to execute arbitrary code, would then have that code running as root! Next thing you know, they can execute "rm –rf /," or worse, invade your system altogether and steal proprietary information. By running as a non-root user, even if the attacker gets total access to that user, they are limited to what that user can touch. Thus, user httpd is compromised, but not the entire server.

The same thing is true for mail servers, FTP servers, and so on. They all rely on the Linux permissions system in order to give the programs access to as little as possible—ideally, only exactly what they need to do their jobs.

So, think of yourself as another process on the system. When you log in as your regular user, you are limited in what you can do. But this is not intended to harm you or irritate you—indeed; the system is designed to keep you from accidentally doing damage to your server.

For example, consider if you wanted to completely remove a directory called ‘home’ within your home directory. Note the ever so slight difference between the first command:

rm –R home

And the second command:

rm –R /home

The first command removes a directory called ‘home’ from wherever you happen to be sitting on the file system. The second removes all users’ home directories from the system. One little slash makes all the difference in the world. This is probably why it has been said that Linux gives you enough rope to hang yourself with. Executing the second command as root looks like this:

server:# rm –R /home 
server.com#

And it’s just gone! Whereas if you accidentally put that slash in there while logged in as your user, you would get:

server:# rm –R /home 
server:# rm: cannot remove `home’: Permission denied

This will annoy you, until you realize that if you’d done it as root you would have wiped out all your customers home directories.

In short, just like the processes that run on your machine, you would be well served to use only the permissions you need. This is why many Linux distributions today encourage the use of sudo—you don’t even become root, but just execute things as root when needed. It’s a good policy, and makes the best use of four decades of expertise that have gone into the system you are using.

- Lee

P.S. This is also why you pretty much never want to chmod 777 anything!

Pages

Subscribe to sales