19 Jul 2017

Analysing log files in Windows and Linux

Everyone knows the scenario: you want to analyse an issue on your server or local computer, but where are all those log files?

In the following tutorial we are going to analyze specific log files in Linux and logs in the Windows Event Viewer. An additional chapter will go through the log analysis via Systemd.

Linux log files

Unfortunately, which information ends up in which log file differs from distribution to distribution. In the following we will look at the log file structure of Debian 8 and CentOS 7.2. The first place to look for log files is always /var/log/. Depending on their configuration, Apache, Nginx and similar applications write their log files to this directory too. Which messages the system logger sends to which file is defined in /etc/rsyslog.conf (and the snippets in /etc/rsyslog.d/).

Debian 8:

  • /var/log/auth.log

Successful and failed authentications to your system are logged in this file, as is every command a user invokes via sudo. It is therefore the first place to look for brute-force attempts against SSH and for unexpected privilege escalation.

  • /var/log/messages

This file contains general system information; among other things, you will find the messages from the boot process here.

  • /var/log/dmesg or dmesg

The kernel ring buffer can be read with dmesg. It contains messages from the boot process, from kernel modules loaded at runtime and many more messages about the hardware and drivers of your system. By default, dmesg shows the full ring buffer; the output can be narrowed with its parameters (for example by facility or log level), see the manual page (man dmesg). Note that the ring buffer does not survive a reboot and is overwritten once full, so /var/log/dmesg (where the distribution saves a copy at boot) or journalctl -k on systemd hosts is where to look for older kernel messages.

  • /var/log/syslog

This is one of the most important log files in general. Any process can write to it through the syslog interface. It also contains the messages from the boot process and the executed cron jobs.

CentOS 7.2:

As the log file structure is quite similar to the one of Debian 8, we will just mention the differences.

  • /var/log/secure

This log file is the equivalent of /var/log/auth.log on Debian systems. All kinds of authentication events, including sudo invocations, are logged here.

  • /var/log/messages

There is no separation of /var/log/messages and /var/log/syslog on CentOS: everything that processes send via the syslog interface ends up here, except for the authentication, mail and cron messages, which have files of their own.

  • /var/log/cron

Cron messages are not mixed into the general log as on Debian; they are written to this file.
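A first triage over these files, as an added Python example (not code from the original post): it counts failed SSH logins per source address, flags addresses that eventually logged in after failing, and lists every command run through sudo. The log lines are constructed samples in the format sshd and sudo write on both Debian and CentOS; the threshold of three failures and the file name triage.py used below are arbitrary choices.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in the format rsyslog writes to /var/log/auth.log
# (Debian) and /var/log/secure (CentOS); not taken from a real server. The
# classic syslog timestamp carries no year, so rely on file order, not dates.
SAMPLE_AUTH_LOG = """\
Nov  2 20:01:11 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Nov  2 20:01:13 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Nov  2 20:01:15 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51020 ssh2
Nov  2 20:01:16 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51020 ssh2
Nov  2 20:01:17 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51020 ssh2
Nov  2 20:05:40 web1 sshd[2250]: Accepted publickey for alice from 198.51.100.23 port 40122 ssh2: RSA SHA256:abc
Nov  2 20:06:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Nov  2 20:07:45 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Nov  2 20:09:00 web1 sshd[2301]: Failed password for bob from 198.51.100.23 port 40130 ssh2
Nov  2 20:09:05 web1 sshd[2301]: Accepted password for bob from 198.51.100.23 port 40130 ssh2
"""

# sshd and sudo message formats; "invalid user" is added when the name does not exist
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
SUDO = re.compile(r"sudo:\s+(\S+) : TTY=\S+ ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.*)$")


def summarize_auth_log(text, threshold=3):
    """Walk the log once and collect what a first triage needs."""
    failed_by_ip = Counter()
    accepted, sudo_cmds, failed_then_accepted = [], [], []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failed_by_ip[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((user, method, ip))
            # a successful login from an address that failed earlier deserves a look
            if ip in failed_by_ip and ip not in failed_then_accepted:
                failed_then_accepted.append(ip)
            continue
        m = SUDO.search(line)
        if m:
            sudo_cmds.append(m.groups())     # (invoking user, target user, command)
    return {
        "failed_by_ip": failed_by_ip,
        "brute_force_ips": sorted(ip for ip, n in failed_by_ip.items() if n >= threshold),
        "accepted": accepted,
        "sudo": sudo_cmds,
        "failed_then_accepted": failed_then_accepted,
    }


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUTH_LOG
    result = summarize_auth_log(text)
    for ip in result["brute_force_ips"]:
        print(f"possible brute force from {ip}: {result['failed_by_ip'][ip]} failed logins")
    for ip in result["failed_then_accepted"]:
        print(f"successful login from {ip} after earlier failures")
    for user, target, cmd in result["sudo"]:
        print(f"sudo: {user} ran as {target}: {cmd}")
```

Run it against a real file with `python3 triage.py < /var/log/auth.log` (Debian) or `< /var/log/secure` (CentOS); on a systemd host, `journalctl -u ssh -o short` (`-u sshd` on CentOS) produces the same line format and can be piped in the same way.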

 

Log analysis via Systemd

Systemd is the standard init system of nearly all major Linux distributions today. Since April 2015 at the latest, when Debian 8 and Ubuntu 15.04 switched to systemd, every Linux administrator or user has been in touch with it. As systemd is a large system, we will only look at the log analysis functionality it provides. Everything systemd manages (services, mounts, timers, sockets) is a unit; the SSH daemon, for example, is the unit ssh.service on Debian and sshd.service on CentOS. All active units can be shown via the following command:

systemctl list-units

When appending the parameter --all, this command also shows all inactive units.

Logs collected by systemd are managed in the so-called journal, which is read with the journalctl binary. If journalctl is called without any parameter, it prints everything the journal holds. Note that the journal only survives a reboot when persistent storage is enabled, i.e. the directory /var/log/journal exists; otherwise it lives in /run/log/journal and starts empty after every boot. It is also possible to output the log entries of specific units only. In the following example, we are going to analyze the log entries of the Apache web server (unit httpd on CentOS; on Debian the unit is called apache2).

journalctl -u httpd

It is also possible to restrict the output with the parameters --since and --until.

journalctl -u httpd --since "2016-11-01 20:00:00" --until "2016-11-03 20:00:00"

The above command will output the Apache log entries between 2016-11-01 20:00:00 and 2016-11-03 20:00:00. It is also possible to use keywords like "today" or "yesterday".

You can also output the log files of more than one unit at the same time. In the following example we will output all Apache and Nginx log entries which have been logged since yesterday.

journalctl -u httpd -u nginx --since yesterday

If the parameter -f is used, journalctl keeps running and shows new entries as they arrive, like tail -f on a log file.

The above was only a slight view into the possibilities of journalctl, there are several other useful features which are described on the manual page (man journalctl).

 

Log analysis via Windows Event Viewer

Windows Event Viewer Overview

In the left navigation of the Event Viewer you can see the entry "Windows Logs". The following entries are the most important ones.

  • Application

This entry will show the events of locally installed applications.

  • Security

Here you can see successful and failed logon attempts (event ID 4624 for a successful logon, 4625 for a failed one), provided logon auditing is enabled in the local or group audit policy. Event ID 1102 is written when someone clears this log, which is worth an alert on its own.

  • System

This entry logs operating system internal events and errors.

Via the entry "Custom Views" -> "Server Roles" -> "Remote Desktop Services" you can see RDP related events and errors.

Potential hardware issues can be identified via "Application and Service Logs" -> "Hardware Events".

Useful for error analysis can also be the overview which can be seen via "Overview and Summary" -> "Summary of Administrative Events", it provides a summarized overview of the system status in general.

29 Jun 2017

Plesk Onyx basics: The first steps

Plesk is a commercial web hosting platform developed by Parallels. It is available for Linux and Windows based operating systems and therefore for any operating systems offered by us.

Together with our partner Plesk, we are currently offering you Plesk Onyx one month for free. Simply select one of the below listed editions of Plesk Onyx and try it, before you buy and pay for it! Only available in combination with our VPS. Further information can be found in our news section: Plesk Onyx now one month for free.

The current version of Plesk is version 17 (Onyx) which we offer in three different editions:

  • Web Admin Edition: This edition is targeted at users who only want to administrate their own websites. Unnecessary features such as customer/reseller management are not included in this edition.
  • Web Pro Edition: With this edition, you can host up to 30 different domains. Also, all features apart from the reseller management are available in this edition.
  • Web Host Edition: With this edition, you can host an unlimited number of domains. There are no restrictions on the part of Plesk. The Web Host Edition is the most extensive of all Plesk editions. It includes every feature, from reseller management through the security core features to automatic outbound spam protection.

This tutorial, however, is restricted to the basics you need to know. We will show you how to add domains, FTP accounts, databases and e-mail accounts.

At first, we log in at our Plesk webinterface. In order to do so, we use the browser and type in our IP address and port 8443 (e.g. https://198.51.100.3:8443).

We login with the login credentials we received via e-mail...

... and land directly on the main page of the Plesk webinterface. In our case there is already a domain added, in your webinterface the main page might look a little different.

Add a domain:

We click on "Add domain" on the main page and land on the following page:

We fill in all the text boxes. In the box "Domain name", we fill in our domain (without "www"). Our example domain is "example.com". As location for our new website we choose "Create a new webspace".

When choosing IPv4/IPv6 addresses, we choose the IP addresses which we want to use for our newly created domain. Choosing the username and the password are, of course, completely up to you.

The first step is already done now. After clicking on "OK", the new domain is added on our server.

Now we can upload the data for our homepage to the server. Usually, this is done via FTP. Luckily, Plesk already created an FTP account for us when creating the new domain. So all we have to do is open an FTP client of our choice (e.g. FileZilla) and connect with the login credentials we just set for our new domain. Prefer an encrypted connection (FTPS, or SFTP if shell access is enabled for the account): plain FTP sends the password in clear text over the Internet.

What is missing now is a database for our website. By clicking on "Databases" and "Add database", we can create a new database:

Again, we fill in all text boxes. In order to connect to that database, we have to create a new database user. Please note down its username and password, you will need it for your website later! When asked about access control, we choose "Allow local connections only".

After we created the database, the following screen will pop up:

Here, we could also import a dump of an already existing database. However, this tutorial is limited to the basics only.

Create an e-mail account:

What we need now is an e-mail account for our domain we just added. Plesk offers a comfortable way to do so as well. We click on "Mail" on the left side of the main menu and then choose "Create Email address":

After we filled in all the text boxes we click on "OK" in order to create the new mail account. Please remember to note down the access data, you will need them later!
Once the mail account is created, we can login on our mail webinterface on "webmail.example.com" for sending and receiving e-mails.

Sounds good to you? Great 🙂

If you are ready to try Plesk Onyx now, we would like to mention our current campaign with Plesk Onyx one more time. Get Plesk Onyx one month for free, in combination with one of our VPS. Select the model of your choice in our VPS overview and opt for your preferred Plesk Onyx edition during the configuration process.

Posted by: Florian
14 Jun 2017

The SSL certificate

Some of you might wonder in which situations an SSL certificate should be used. This tutorial will help you to find an answer whether or not you should upgrade your website or anything else by adding encryption.

A certificate contains the server's public key together with its name and the signature of a certificate authority; the matching private key is a separate file that is never part of the certificate. The following describes what happens when a client tries to establish an encrypted connection to a web server.

First the client contacts the server and offers the encryption types (cipher suites) it supports; server and client agree on one to use.
The web server then sends its certificate, which contains the public key. The client uses this public key to verify that it is talking to the right server and to protect the key exchange; the actual traffic is afterwards encrypted with symmetric session keys derived from that exchange, because public key operations are far too slow for bulk data. Whoever holds the private key can impersonate the server and, with RSA key exchange, decrypt recorded traffic as well. That is why you should never hand out your private key to any third party.

To show you the advantage of using encryption, we created an HTML page containing a simple form which can be found on many websites. In the textfields we entered a username and password.

The username we chose: test@contabo.de

The password we entered: "unencryptedpassword"

To show the difference between encrypted and unencrypted messages, we captured some packets with a packet sniffer.

Without any encryption we could easily extract the username and password used, we could also see which sites we visit.


With encryption enabled we could find neither username nor password.
The capture shows only a packet of encrypted application data; without the session keys (or, for cipher suites without forward secrecy, the server's private key) we cannot determine which data was actually sent.

If you are running a website, an email server or just an FTP server, it is always up to you to offer encryption or not. Offering encryption to your customers is the best way to act professionally.

There are many types of encryption; this post only covers certificates. If you are going to tune your server, you will of course also have to think about which protocol versions and cipher suites to allow.

 


The real meaning of those connection warnings:

If you are running a web interface (cPanel, Plesk, Webmin etc.) you have probably encountered a warning like "The connection is not private".

When you see it, you should think twice before proceeding. One possibility is that a server has been hijacked and you were redirected to the wrong website; the warning then appears because the certificate is not valid for the domain you entered. On a web interface you get a similar warning when it uses a so-called "self-signed certificate". Your browser ships with a list of certificate authorities it trusts; a certificate signed by one of them (directly or through an intermediate certificate) does not trigger the warning, as long as it is valid for the name in the address bar and has not expired.

It can be really unwanted if that warning is showing to all of your customers, sometimes this warning is misinterpreted and the website will be left.

There is only one way to remove this warning, you need to get a certificate signed by some official authority.

Some official authorities, such as "Let's Encrypt", sign your certificate for free. These certificates are domain validated and trusted by browsers like any other, but they are valid for only 90 days and therefore need automated renewal. Paid domain validated or wildcard certificates, which are what is usually used in production environments, are typically valid for 365 days (1 year).

There are some differences between single domain, multi domain and wildcard certificates. Usually you would want a certificate for "yourdomain.tld" or "www.yourdomain.tld". A single domain certificate is valid for only one of those names; a multi domain certificate, also called UCC (Unified Communications Certificate), is valid for all names listed in it. In case you want "www.yourdomain.tld", "yourdomain.tld" and "subdomain.yourdomain.tld" within a single certificate, a UCC should fit your needs. A wildcard certificate for "*.yourdomain.tld" covers any name one label below the domain, but not "yourdomain.tld" itself.

There is also extended validation (EV), which some bigger companies use (e.g. PayPal). At this point I want to mention that the validation level changes only what the authority checks before signing: your key pair and the encryption stay the same, the certificate just gets signed.

Right after you got your certificate signed by an official authority, everyone will be able to access your encrypted website without any warning.

Important:
Encryption is important: all services (email server, FTP server, web server, etc.) running on your server should offer a way to establish an encrypted connection. There is no strict need to install a signed certificate on each service; a self-signed certificate still prevents passive eavesdropping. Keep in mind, though, that a client cannot distinguish a self-signed certificate from one presented by an attacker in the middle unless it pins the certificate's fingerprint, so for services your customers connect to with ordinary clients (mail, for example) a signed certificate is the better choice.

 

Posted by: Gianni-Donato
1 Jun 2017

Using your nameservers in cPanel and Plesk

To use your domain in the Internet, you need to configure nameservers. The nameservers are needed to resolve the domain names into IP addresses. We recommend to use our nameservers (ns1.contabo.net, ns2.contabo.net, ns3.contabo.net) for your domains. We provide redundant servers in different data centers and you can easily manage your DNS zones over the customer control panel. But for several reasons it can be necessary to use your own nameservers.

This tutorial gives short instructions on how to run your own nameservers with cPanel and Plesk. For most top-level domains (TLDs) the registry requires at least two nameservers on two different IP addresses.

In this tutorial we are going to use the domain "yourdomain.com" and want to use the nameservers "ns1.yourdomain.com" and "ns2.yourdomain.com" with the IP addresses "1.1.1.1" and "2.2.2.2".

cPanel

To use an additional IP address for a second nameserver, you will need to add the IP address in WHM at "IP Functions" - "Add a New IP Address". The DNS server will be accessible on all configured IP addresses on your server. You can use different IP addresses for the nameservers than for your website.

To use the nameservers with your domains, you will need to add them in WHM at "Server Configuration" - "Basic Webhost Manager® Setup". At the end of the page you can enter the nameserver you would like to use. After you entered the nameserver, you need to select "Configure Address Records". Please enter the IP address you want to use for this nameserver and press "Configure Address Record". After this is finished you can close the windows using "Close". Please note, that in some conditions -- for example if the nameservers are currently configured on a different server -- the entries for the nameserver will not be updated immediately. After you have finished, please press "Save changes".

Now you can "Create a New Account" with your domain at WHM - "Account functions". The configured nameserver will be used in the configuration of your new account and the DNS zone will be created with default values. You can see all DNS entries at WHM - "Edit DNS Zone".

On this page you can manage all DNS entries of your domain. Most entries are for internal usage and should not be changed. To manage user defined values, we recommend to use the "Zone Editor" at "Domains" in the cPanel account.

At last, you will need to configure your domain settings at your domain registrar. You need to change the nameserver entries. If you want to use subdomains of your domain, for example "ns1.yourdomain.com" for your domain "yourdomain.com", you will need to configure so called "Glue Records". This means, the domain registrar does not only save the name of your nameservers, but also the IP address. In some cases it is required to configure the new IP addresses for the nameservers at the current DNS zone of your domain.

After you have finished the configuration, it can take up to 24 hours until the new settings are propagated correctly. To test your nameservers and the name resolution for your domain, you can use tools like intoDNS. This tool will test the settings at your DNS provider and of your nameservers.

Plesk

At first you will need to create your domain in Plesk. At "Websites & Domains" you can see an overview of your domains.

To use a second IP address for your nameservers, the IP address needs to be configured at "Tools & Settings" - "Tools & Resources" - "IP Addresses". The DNS server responds to all configured IPv4 and IPv6 addresses. You can use different IP addresses for your nameservers than for your websites.

All DNS zones in Plesk will be configured based on a DNS template. You can find the settings at "Tools & Settings" - "General Settings" - "DNS Template". In the DNS template you can configure all entries you need for all domains on your server. Beside some default entries and entries for internal services like webmail, the settings for the nameservers can be found here. By default Plesk creates two nameserver entries "ns1.yourdomain.com" and "ns2.yourdomain.com", but with the IP address of your domain. If you want to use the same nameservers for all your domains, we recommend to change the NS entries and the IP addresses of your nameservers in the template. If you want to use different nameservers, you can also change these settings later in the DNS zone of your domain. After you have finished the configuration of the DNS template, you will need to apply the DNS template to all domains.

Now you can see the new settings also in the DNS zone of your domain. You can manage the DNS zone at "Websites & Domains" - "yourdomain.com" - "DNS Settings". There you can add, edit and delete DNS entries.

At last, you will need to configure your domain settings at your domain registrar. You need to change the nameserver entries. If you want to use subdomains of your domain, for example "ns1.yourdomain.com" for your domain "yourdomain.com" as your nameservers, you will need to configure so called "Glue Records". This means, the domain registrar does not only save the name of your nameservers, but also the IP address. In some cases it is required to configure the new IP addresses at your current DNS zone of your domain.

After you have finished the configuration, it can take up to 24 hours until the new settings are propagated correctly. To test your nameservers and the name resolution for your domain, you can use tools like intoDNS. This tool will test the settings at your DNS provider and your nameservers.
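The checks from both sections above (two nameservers on two different addresses, glue records for nameservers that live inside their own zone, and the A records the zone itself needs), as an added Python example that is not part of the original post. The domain is the one from the post; the IP addresses are placeholders from the RFC 5737 documentation ranges, not addresses to use.

```python
def in_bailiwick(name, zone):
    """True if `name` is the zone apex or lies below it. The comparison respects
    label boundaries, so ns1.notyourdomain.com is NOT inside yourdomain.com."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def check_delegation(zone, nameservers):
    """nameservers: {hostname: ip}. Returns the problems a registry or a checker
    such as intoDNS would flag, and the nameserver names that need glue records
    at the registrar (those that are inside the zone they serve)."""
    issues = []
    if len(nameservers) < 2:
        issues.append("at least two nameservers are required")
    if len(set(nameservers.values())) < 2:
        issues.append("nameservers must use at least two different IP addresses")
    glue = sorted(ns for ns in nameservers if in_bailiwick(ns, zone))
    return {"issues": issues, "glue_required": glue}


def zone_records(zone, nameservers):
    """The NS records for the zone apex plus the A records every in-bailiwick
    nameserver needs inside the zone itself. The same name/IP pairs are what
    you enter as glue at the registrar."""
    apex = zone.rstrip(".") + "."
    records = [(apex, "NS", ns.rstrip(".") + ".") for ns in sorted(nameservers)]
    for ns in sorted(nameservers):
        if in_bailiwick(ns, zone):
            records.append((ns.rstrip(".") + ".", "A", nameservers[ns]))
    return records


# Constructed example: the post's domain with two in-bailiwick nameservers.
# The addresses are RFC 5737 documentation addresses, i.e. placeholders.
EXAMPLE_ZONE = "yourdomain.com"
EXAMPLE_NS = {"ns1.yourdomain.com": "192.0.2.53", "ns2.yourdomain.com": "198.51.100.53"}

if __name__ == "__main__":
    result = check_delegation(EXAMPLE_ZONE, EXAMPLE_NS)
    for problem in result["issues"]:
        print("problem:", problem)
    for ns in result["glue_required"]:
        print(f"glue record needed at the registrar: {ns} -> {EXAMPLE_NS[ns]}")
    for owner, rtype, value in zone_records(EXAMPLE_ZONE, EXAMPLE_NS):
        print(f"{owner:24} IN {rtype:3} {value}")
```

Once the registrar has applied the change, `dig +norecurse NS yourdomain.com @a.gtld-servers.net` (for a .com domain) shows the delegation as the TLD servers see it, with the glue addresses in the additional section; if a name from `glue_required` is missing there, resolvers have no way to reach your nameservers.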

Posted by: Torsten
13 Apr 2017

Installing Windows Hyper-V 2016 on a dedicated server

Welcome to our tutorial about installing Hyper-V on your Dedicated Server with Windows Server 2016.

Step 1

Installing Hyper-V

After receiving the login information to your dedicated server you might want to find out how Hyper-V can be installed. Hyper-V is an additional Server-Role for Windows which can be added within the Server manager.

On the upper right side you will find the option "Add Roles and Features"

 

After clicking on that option a new window will pop up.

Navigate to "Server Roles" and select Hyper-V

Now select the checkbox and click on next.
You will be asked if the install manager is allowed to automatically reboot your server.


At least one reboot is required!

The installation can take up to one hour, depending on the rented dedicated server model and the storage configuration it might be completed within several minutes.

 

 

Step 2

Configuring Hyper-V

For configuration we are going to use the Hyper-V Manager, you can access this tool by clicking on "Tools" on the upper right side within your Server-Manager window.

Before creating a virtual machine, we have to configure the network interface. Open the "virtual Switch Manager" to perform the necessary steps.

Now we are going to create a new external switch:

Enter a name and description (notes) of your choice.

Select the external network and make sure that the checkbox "allow management operating system to share this network adapter" was selected. If it was not selected your server might be inaccessible afterwards.

Step 3

Configuration of the Network

On the taskbar at the very right side you will see the network icon.
Perform a rightclick to open the following dialogue:

Another window will open, navigate to your network devices:

Now rightclick on the recently created network device and select "Properties":

Select "Internet Protocol Version 4" and once more select "Properties"

Insert your Server's IP-Configuration.

Please double check the information you are setting up, otherwise your server will be inaccessible.

Step 4

Creating a virtual machine

For now we are almost done, the next step shows you how to create a virtual machine.

Within the Hyper-V Manager select "New" to create a new VM:

Configure the VM with your preferences:

Tip: Select "Generation 2" for 64-bit Windows 8 / Windows Server 2012 guests and later. Generation 2 VMs boot via UEFI without the emulated legacy devices of Generation 1, which improves performance, and they support Secure Boot for the guest.

As network device you should select the Hyper-V Switch we have created before.

Select the .ISO you want to install and start the installation.

After the installation was completed you need to set up a public IP within the VM.
If you do not have any additional public IPs assigned to your account, please contact us at support@contabo.com to order additional IPs.

After a public IP was set up, your VM will be able to establish connections.

2 Mar 2017

Changing the Windows Administrator password – The easy way

Today we are going to show you how to change your Windows Administrator password the easy way.
This tutorial works with almost all Windows versions starting from Windows XP/NT (Windows Server 2003).
On Windows 10 or Windows Server 2016 you should make sure that you are using local user accounts - not any online accounts.

Start cmd.exe with administrator privileges: for example press Windows key + R, type cmd.exe and confirm with Ctrl+Shift+Enter to run it elevated, or right-click "Command Prompt" in the Start menu and choose "Run as administrator".

The CMD.exe application should now pop up soon, the syntax for changing the password is very simple:

net user <username of the account you want to change the password> <new password>

Example :

net user administrator SomesecurePW2016

Of course you should never use this as a password, nor should you ever use it only for "testing" purpose.

Another option is to use "*" instead of the password; net user then prompts for it and the password is typed without being shown. Prefer this form: a password given on the command line is visible on screen, in the console history and in the command line of the process. On a desktop Windows operating system like Windows 10, you could also remove the password by entering an empty value at that prompt. Never do this on a server: anyone who reaches the console or a remote management interface could then log on without credentials.

Posted by: Gianni-Donato
9 Feb 2017

Advantages of ZFS

ZFS is a filesystem with built-in volume management and offers various advantages over conventional filesystems like ext3, ext4 and NTFS. We have summarized the most noticeable ones as follows:

The main benefit of using a ZFS filesystem is guaranteed data integrity

ZFS protects your data by combining volume management with the filesystem, which makes "Copy on Write" (CoW) possible. A conventional filesystem overwrites a block in place; if the system crashes or loses power halfway through, that block is left half old and half new and the data is lost or damaged. ZFS never overwrites live data: the changed block is written to a new location, and only once that write has completed is the metadata switched over to point at it, so a crash leaves either the old or the new version intact, never a torn one. Every block is also stored with a checksum that is verified on every read. Silent corruption (bit rot) is therefore detected, and wherever the pool has redundancy (mirror or RAID-Z) ZFS repairs the bad copy from a good one automatically. On top of CoW, ZFS offers more redundancy than standard RAID levels: RAID-Z3 survives three simultaneous disk failures per vdev, where regular RAID 6 survives two. ZFS can also build a mirror with more than two members (an n-way mirror). Usual RAID mirrors consist of one disk and its copy; with a multi-disk mirror you can have several copies, which adds a level of data integrity not found in typical RAID setups and is great for read speeds.

Highly Scalable

ZFS is designed for sizes that regular filesystems will hit limits on soon: a single file can be 16 EiB (2^64 bytes), which corresponds to roughly 3,000,000 6 TB HDDs, and the pool size limit is far beyond that. A configured ZFS pool can easily be grown to accommodate a growing need for storage, either by adding devices or by replacing its disks one by one with larger ones (set autoexpand=on on the pool so that it grows once the last disk of a vdev has been swapped), without reformatting or complicated procedures. Hard disks can even be connected to different physical ports or in a different order in a new computer system: export the pool, move the disks, import it again, and your data is usable as soon as the import completes, as long as the ZFS version on the target system is the same or newer.

Improved Performance

Because ZFS manages the individual disks itself instead of sitting on top of an opaque RAID volume, it stripes writes across all top-level vdevs of a pool, which speeds up write performance. When a disk in a mirror or RAID-Z is replaced, the resilver copies only the allocated blocks, not the empty disk space, so a rebuild after a disk swap is much quicker than a block-by-block RAID rebuild. ZFS keeps your most recently used and most frequently used data in the fastest storage available: in RAM through its adaptive replacement cache (ARC) and optionally on SSDs through an L2ARC read cache and a separate log device (SLOG) for synchronous writes. Spinning disks are known to be slow and SSD drives come at a high price compared to regular disks; a small flash-based SLOG and L2ARC in front of a large pool of spinning disks can speed up performance by up to 20% at low cost. Other great features of ZFS are the intelligently designed snapshot, clone and replication functions. Thanks to copy-on-write a snapshot costs almost nothing, and an incremental zfs send/receive transfers only the blocks changed since the previous snapshot. This makes clone and replication tasks far less time consuming compared to traditional replication technology.

Easy to administer

Creating a new ZFS pool is fairly simple. The available storage devices can be listed with "lsblk" on Linux ("rmformat" on Solaris), and a pool is created with the "zpool create -m /mountpoint Contabo1 DEVICE" command. The new filesystem is mounted automatically and immediately accessible; there is no need to format the new pool. If additional storage space is needed, you can easily add a new device with the "zpool add Contabo1 DEVICE" command. This is comparable to a classical RAID 0: the data is distributed across all devices, and the failure of any single device loses the whole pool.
In general a setup with redundancy is much more advisable. With the "zpool create Contabo1 mirror DEVICE DEVICE" command you easily create a pool with mirrored disks, comparable to a classical RAID 1. For parity-based redundancy across more disks, use RAID-Z, for example with the "zpool create Contabo1 raidz DEVICE DEVICE DEVICE DEVICE" command. This creates a pool with four disks, of which one may fail without data loss. When using the raidz2 option instead of raidz, two disks can fail at a time, with raidz3 three.

There is also the option to add hot spares to a pool in order to have a replacement disk ready at all times. If a live disk fails, the hot spare is used automatically to start a rebuild and take the place of the failed disk (on Linux this automatic replacement is handled by the ZFS event daemon zed, which therefore has to be running). This is done with the "zpool add Contabo1 spare DEVICE" command, which adds DEVICE to the pool as a hot spare.
With "zpool list" you can review all existing ZFS-Pools with size, usage and health status.
With “man zfs” and “man zpool” you can review the commands that will give you full control over your ZFS-Pools.

A short overview of the most used commands:

- Creating a RAID-Z pool
zpool create NAME raidz DEVICE DEVICE DEVICE
- Creating a mirrored pool
zpool create NAME mirror DEVICE DEVICE
- Listing of available pools
zpool list
- Show I/O for all pools, refreshed every second
zpool iostat 1
- Show the state of every device in every pool
zpool status
- Add a device to a pool as a new stripe (to add a member to an existing mirror use "zpool attach NAME EXISTING_DEVICE NEW_DEVICE" instead)
zpool add NAME DEVICE
- Delete a pool
zpool destroy NAME
- Creating a filesystem (dataset) inside a pool; it is mounted automatically at /POOL/NAME
zfs create POOL/NAME
- List the filesystems of all pools
zfs list
- Creating a filesystem on a non-default mountpoint
zfs create -o mountpoint=/MOUNTPOINT POOL/NAME
- Create a snapshot of a filesystem
zfs snapshot POOL/FILESYSTEM@SNAPSHOTNAME
- Mount a filesystem (at the location set in its mountpoint property)
zfs mount POOL/FILESYSTEM
- Delete a filesystem (dataset)
zfs destroy POOL/NAME

Which operating systems are compatible with ZFS?

ZFS was initially designed for Solaris, but can be used today on FreeBSD, FreeNAS, Proxmox and most Linux distributions (through the OpenZFS / ZFS on Linux port).

Posted by: Philipp
13 Jan 2017

Manage Windows Updates in Windows 2016

In Windows Server 2016, the administration of the (automatic) Windows Updates has changed slightly. The following tutorial will show you how to check and manage the Windows updates for your Windows Server 2016 system.

1. Please connect to your server using RDP and open the Settings App via the Start menu.

Afterwards you can click on "Update & Security" which will forward you to the following screen.

Everything regarding updates can be done via this screen.

You have the option to "Check for updates", which will check for the latest updates and automatically download and install them. If some updates require a reboot, Windows will schedule it accordingly.  It is possible to set "active hours" from the link "Change active hours" where a time frame can be given in which Windows shall not reboot the device automatically.

It is further possible to set a custom day and time for the reboot via the link "Restart options".

The link "Update history" provides an overview about recent updates where it is possible to uninstall recent updates and to check further recovery options.

The link "Advanced options" provides you with the option to also update other Microsoft products through Windows Update and to "Defer feature updates", which is described by Microsoft as follows: "When you defer upgrades, new Windows features won't be downloaded or installed for several months. Deferring upgrades doesn't affect security updates. Note that deferring upgrades will prevent you from getting the latest Windows features as soon as they're available".

The link "Privacy settings" will forward you to the general privacy settings of Windows.

Posted by: Dirk
17 Nov 2016

Let’s Encrypt!

In times when data security is an important topic, encryption is a vital part of it. Unfortunately, in most cases it is a complex task which many users are not able to handle properly due to a lack of expert knowledge in this field. To secure a website via Secure Sockets Layer (SSL) or its successor Transport Layer Security (TLS), so that it can be accessed via Hypertext Transfer Protocol Secure (HTTPS), a certificate is needed.

Encrypted connections are based on certificates: when a user accesses a website via HTTPS, an encrypted connection is established. Before that connection can be established successfully, the client verifies whether the certificate presented by the accessed server can be trusted. This verification of trust is basically done as follows:

  1. Signature verification of the certificate based on the chain of trust
  2. Verification that the domain being accessed matches the domain(s) for which the certificate is valid

What is this chain of trust all about?

In general, every operating system, and browsers such as Firefox or Google Chrome as well, come with a pre-installed set of certificates from trusted certificate authorities (CAs). These certificates remain trusted unless they are revoked in the meantime. The chain of trust verification checks whether the signature on the certificate in question was made by one of these pre-installed CA certificates, or by a certificate that is itself signed by one of them. It is called a chain of trust because it is, for example, possible that the signing certificate of Let's Encrypt is not trusted on your system, while the certificate used to sign it belongs to a third certificate authority which is trusted on your system. Let's Encrypt then guarantees that your certificate can be trusted, and the third certificate authority, which your system trusts, guarantees that Let's Encrypt can be trusted as well.
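The two verification steps above, carried out with openssl against a small chain built for the purpose. This is an added example and not code from the original post or from Let's Encrypt; the names "Example Root CA", "Example Intermediate CA" and "www.example.com" are constructed for the demo, and nothing is added to the system trust store.

```sh
#!/bin/sh
# Added example, not from the original post: build a three-link chain with
# openssl and verify it the way a browser does. "Example Root CA",
# "Example Intermediate CA" and "www.example.com" are constructed names.
# Needs OpenSSL 1.1.0 or newer (for -verify_hostname).

# build_chain DIR: writes root.pem, int.pem and srv.pem (plus keys) into DIR.
# The body runs in a subshell so the cd does not leak to the caller.
build_chain() (
  mkdir -p "$1" && cd "$1" || exit 1
  # Extensions that make a certificate a CA; without CA:TRUE a client
  # rejects everything the intermediate signs.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # Link 1: self-signed root. Stands in for a CA pre-installed on the client.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
    -keyout root.key -out root.csr >/dev/null 2>&1 || exit 1
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
    -extfile ca.ext -out root.pem >/dev/null 2>&1 || exit 1
  # Link 2: intermediate CA signed by the root (the role Let's Encrypt's
  # issuing certificate plays relative to the root that vouches for it).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
    -keyout int.key -out int.csr >/dev/null 2>&1 || exit 1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile ca.ext -out int.pem >/dev/null 2>&1 || exit 1
  # Link 3: the server certificate, signed by the intermediate. The hostname
  # is in subjectAltName, which is what step 2 of the check compares.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > srv.ext
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.com" \
    -keyout srv.key -out srv.csr >/dev/null 2>&1 || exit 1
  openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 90 -sha256 -extfile srv.ext -out srv.pem >/dev/null 2>&1 || exit 1
)

# Step 1 (signature chain): only root.pem is trusted. int.pem is passed as
# "untrusted", exactly as a server sends its intermediate next to its own cert.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/srv.pem" >/dev/null 2>&1
}

# Same leaf, but the intermediate link is missing: the client cannot connect
# srv.pem to a trusted root and rejects it ("unable to get local issuer").
verify_leaf_alone() {
  openssl verify -CAfile "$1/root.pem" "$1/srv.pem" >/dev/null 2>&1
}

# Step 2 (hostname): the name the user typed must match the certificate.
verify_host() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
    -verify_hostname "$2" "$1/srv.pem" >/dev/null 2>&1
}

# Stand-alone demo.
demo() {
  d=$(mktemp -d)
  build_chain "$d" || { echo "building the demo chain failed"; return 1; }
  if verify_chain "$d"; then echo "full chain: OK"; else echo "full chain: rejected"; fi
  if verify_leaf_alone "$d"; then echo "leaf without intermediate: OK"; else echo "leaf without intermediate: rejected, as expected"; fi
  if verify_host "$d" www.example.com; then echo "hostname www.example.com: OK"; fi
  if verify_host "$d" other.example.net; then echo "hostname other.example.net: OK"; else echo "hostname other.example.net: rejected, as expected"; fi
}
demo
```

The "leaf alone" case is the one operators hit most often: the certificate is perfectly valid, but the server is not sending the intermediate, so the client cannot complete the chain and shows a trust warning.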

How does the Let's Encrypt project differ to other certificate authorities?

As establishing and running a trusted certificate authority is expensive, normally a fee has to be paid in order to have your certificate signed by a trusted certificate authority. Let's Encrypt established a trusted certificate authority which signs certificates free of charge and aims to improve and automate the process of certificate creation and installation in general. The main idea behind this project is to create a more secure and privacy-respecting web.

Free certificates with our Webspace Packages

As we already informed you with the post Webspace: Free SSL certificates available now!, domains added via our Webspace Packages are already equipped with a Let's Encrypt signed certificate. Even the renewal of the certificates is handled completely automatically.

Let's Encrypt via AutoSSL in cPanel

Since cPanel & WHM version 58.0.17, Let's Encrypt is officially supported by cPanel. Currently it is necessary to integrate it via the shell by invoking the installation script located at /scripts/install_lets_encrypt_autossl_provider as the root user. After successful installation it is possible to choose Let's Encrypt as the default certificate provider via Home >> SSL/TLS >> Manage AutoSSL.
[screenshot: autossl_lets_encrypt]

Specific user settings can be made via the "Manage Users" tab.

Let's Encrypt via extension in Plesk

Plesk 12.5 and later also supports Let's Encrypt via an extension. The installation and configuration steps in this tutorial work for both Linux and Windows installations.

To install the extension, please go in Plesk to:

"Tools & Settings" >> in the area "Plesk" >> "Updates & Upgrades"

A new tab opens. You may have to accept a self-signed certificate for this site in your browser. On that page, please choose "Add/Remove Components".

[screenshot: plugin]

Please mark the extension for installation as in the picture above and start the installation with "Continue". The installation finishes with the message "All operations with products and components have been successfully completed.". With a click on "OK" you return to the main menu and can close the browser tab.
Now you have to request the certificate and activate it for the domain. To do so, change to "Websites & Domains" and choose "Show more" to expand the list of options for your domain. As you can see, there is now an additional option for Let's Encrypt.

[screenshot: letsencrypt]

Please open this link and check the e-mail address. Consider whether the site should also be available under www and, if so, tick "include www.yourdomain.com as an alternative domain name.". With a click on "OK", you start the request for the certificate. When the process has finished, your site should already be reachable over https. To be on the safe side, you can now go to the "Hosting Settings" of your domain and, in the area "Security", check the option "Permanent SEO-safe 301 redirect from HTTP to HTTPS". This prevents unencrypted connections to your website. In the option below, you can manually choose the just ordered certificate for your site if it has not been selected automatically.

If there was an error shown during the certificate request, please check if the A record of your domain is pointing to the IP address of your server. This also applies to the subdomain with www.

Let's Encrypt usage without an Administration Panel (Debian 8)

Certbot is the recommended client for Let's Encrypt. We use the Apache webserver and the operating system Debian 8 for our example.

In order to install Certbot together with all dependencies, the following commands have to be executed as root user:

# Activate Debian Jessie backports repository
echo "deb http://ftp.debian.org/debian jessie-backports main" >> /etc/apt/sources.list && apt-get update

# Installation of Certbot
apt-get install python-certbot-apache -t jessie-backports

After the installation it is possible to automatically generate signed certificates for your domains via Certbot. The certificates will be configured automatically within your Apache webserver too. The following command invokes a configuration dialogue which is asking for information like domain name(s) and your e-mail address. After submitting the required information and agreeing to the terms of service of Let's Encrypt, your signed certificate(s) will be created and configured within Apache. It is also possible to decide whether your domain shall be accessible via HTTP and HTTPS or if HTTPS connections shall be forced.

# Starting the automated configuration dialogue

certbot --apache

If you desire to configure your certificate(s) on your own, the following command can be used for creating the signed certificate(s) only.

# Creation of certificate(s) only

certbot --apache certonly

Certbot does not only support Apache on Debian 8; several combinations of webservers and operating systems are possible, which can be seen via the following link: Certbot.

Let's Encrypt installation without Administration Panel (CentOS 7.2)

As the usage of Certbot on CentOS does not differ from the usage on Debian 8, we just take a short look at the installation of Certbot on CentOS. As the default Apache/httpd package on CentOS (yum install httpd) does not include the SSL module, you need to make sure this module is installed before installing Certbot.

# Installation of the Extra Packages for Enterprise Linux (EPEL) repository and mod_ssl
yum install epel-release mod_ssl

# Installation of Certbot
yum install python-certbot-apache

Configuration of an automated certificate renewal

Since Let's Encrypt certificates are only valid for three months, it is vital to configure an automated renewal.

As the Certbot package of Debian 8 already configures a cron-job for the certificate renewal, we show here how the cron-job can be configured on a standard CentOS installation.

# /etc/cron.d/certbot

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew

This cron-job runs every 12 hours and triggers the renewal of all your certificates that will expire in less than 30 days. It is recommended to keep this schedule of twice a day, as it also helps to notice that a certificate has been revoked.
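The renewal decision the cron job delegates to certbot, reproduced here with openssl so that a certificate file can be checked from a monitoring script. This is an added example, not Certbot's code and not part of the original post; the 30-day window matches what the paragraph states, and the certificate paths are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original post, not Certbot's own code): the
# "renew when fewer than 30 days remain" decision, plus a days-left figure,
# computed with openssl so a certificate file can be monitored independently
# of the cron job. Certificate paths below are constructed for the demo.
RENEW_BEFORE_DAYS=30

# days_left CERT: whole days until notAfter, found by bisection over
# "openssl x509 -checkend" (exit 0 = still valid after that many seconds).
# Avoids date(1), whose syntax differs between GNU and BSD systems.
days_left() {
  lo=0
  hi=36500
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo 0   # already expired (or unreadable)
    return 0
  fi
  while [ $((hi - lo)) -gt 1 ]; do
    mid=$(((lo + hi) / 2))
    if openssl x509 -in "$1" -noout -checkend $((mid * 86400)) >/dev/null 2>&1; then
      lo=$mid
    else
      hi=$mid
    fi
  done
  echo "$lo"
}

# renewal_due CERT: true (exit 0) when the certificate expires within
# RENEW_BEFORE_DAYS days, i.e. when "certbot renew" would act on it.
renewal_due() {
  ! openssl x509 -in "$1" -noout -checkend $((RENEW_BEFORE_DAYS * 86400)) >/dev/null 2>&1
}

# make_test_cert FILE DAYS: constructed self-signed certificate for the demo.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -subj "/CN=demo.example.com" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# check_cert CERT: one-line status report, as a monitoring script would print.
check_cert() {
  n=$(days_left "$1")
  if renewal_due "$1"; then
    echo "$1: $n day(s) left, renewal due"
  else
    echo "$1: $n day(s) left"
  fi
}

# Stand-alone demo with two constructed certificates: a fresh 90-day one
# (Let's Encrypt's lifetime) and one that has only 10 days left.
d=$(mktemp -d)
make_test_cert "$d/fresh.pem" 90
make_test_cert "$d/old.pem" 10
check_cert "$d/fresh.pem"
check_cert "$d/old.pem"
```

Pointing check_cert at the certificate Apache actually serves, from a separate cron entry that alerts when renewal is due but the file has not changed, catches the case where the renewal job itself is silently failing.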

Posted by: Dirk
27Oct/16

Data loss and how to avoid it

A typical situation: You have been on vacation and have taken a lot of great photos which you want to upload to your server in order to share them with your friends and family, especially the photo where you were diving with the great white shark. So you uploaded them to your server and afterwards deleted the photos from the SD card because you need free space for the next trip. Then, working on an update to your website in a hurry, a quick "rm -rf" in the wrong directory and the photo gallery is gone. Annoying!

This is a situation that can occur but the data does not have to be lost. In general, the customer is responsible for a backup and we want to show you how to approach the perfect backup system.

But what is a backup?

With a backup you are creating a copy of your data to be stored on an external storage device. This storage device should be independent of your server, so it could be a hard disk on your local computer, a USB stick or our FTP backup storage.

Different backup types

  1. Full Backup: As the name indicates, a full backup is a complete copy of your data. The advantage is that the backup is self-contained, but it needs a lot of disk space. If you only perform full backups, the free space on your backup storage will shrink very fast.
  2. Differential Backup: A differential backup requires a previous full backup, as it contains only the data that has changed or been newly created since that full backup. It is therefore faster than a full backup, but every differential backup again contains the data already saved in previous differential backups, because it always saves everything that differs from the last full backup.
  3. Incremental Backup: Like the differential backup, it starts from a full backup. But instead of always saving all changes since the latest full backup, only the data changed since the previous incremental backup gets backed up. The only disadvantage is that to restore the data you need the last full backup and all incremental backups after it in order to reach the latest state.

Where to save the backup files

We offer an FTP backup storage, available with various storage space options. If you are interested in this offer, please contact us: support@contabo.com
You can access the backup storage via FTP and FTPS. With support for these protocols it is perfect for file storage. The way to access our backup space is already described here: https://contabo.com/?show=tutorials&tutorial=backup-space.

"I do not need a backup, my server is secured by a RAID system."

CAUTION! A RAID does not replace the creation of backups! A RAID provides redundancy, nothing more. If more than one drive fails at the same time, or your data is deleted because of an attack from outside or a similar event, a RAID will not save the situation. We have read the sentence above numerous times, and from our experience we can say that customers who think their data is safe because they have a RAID system are very disappointed when a situation as described occurs. A RAID is very effective at avoiding downtime caused by a defective HDD and at preventing the need for laborious data restoration.

Nevertheless the mentioned redundancy is not the same as a backup.

"I have an SSD VPS. Because of the snapshot feature I do not have to worry about backups."

Since we have been offering our VPS SSD products with the snapshot feature we have heard this sentence very often. But it is the same as with a RAID. Snapshots are not backups!

What are snapshots good for?

A snapshot freezes the current state of the file system which still points to the same "physical" storage. Snapshots are perfect for "Let's do it and see what happens..." type of situations. If the change does not work you can go back to the state before you have started your work.
So is it a backup? No! Snapshots depend on the VPS and on the host server system the VPS is located on. As already described before, the backup has to be saved to an external location, e.g. our FTP backup storage.

How to create a backup?

All important data has to be saved. Normally you know where this data is located. To store all necessary data an automatic backup routine is the perfect choice.

On a Linux based OS we recommend creating a script which creates a tar.gz file of the data that should be saved, then automatically transfers it to the backup storage and deletes older backups. As this should be done periodically, you can run it from a cron job. On Windows, a PowerShell script can perform the same steps.
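A minimal version of the routine described in the paragraph above, which also makes the full/incremental distinction from the backup types section concrete. This is an added example, not a script from the original post: it uses GNU tar's --listed-incremental snapshot file, restores a set to verify it, and prunes old sets. Directory names, labels and the retention count are assumptions for the demo; copying the finished archives to the external backup storage is left to the caller.

```sh
#!/bin/sh
# Added example (not from the original post). Requires GNU tar.
# A backup "set" is ROOT/LABEL/ holding one full archive, its incrementals and
# the snapshot file that records what the last archive of the set contained.
# All names and the retention count are assumptions for the demo.

# full_backup ROOT SRC LABEL: starts a new set with a level-0 (full) archive.
full_backup() {
  root=$1; src=$2; label=$3
  set_dir="$root/$label"
  mkdir -p "$set_dir" || return 1
  rm -f "$set_dir/snapshot.snar"
  tar -czf "$set_dir/full.tar.gz" --listed-incremental="$set_dir/snapshot.snar" -C "$src" .
}

# incremental_backup ROOT SRC LABEL N: archives only what changed since the
# previous archive of the set (full or incremental); deletions are recorded too.
incremental_backup() {
  root=$1; src=$2; label=$3; n=$4
  set_dir="$root/$label"
  [ -f "$set_dir/snapshot.snar" ] || { echo "no full backup in set $label" >&2; return 1; }
  tar -czf "$set_dir/inc-$n.tar.gz" --listed-incremental="$set_dir/snapshot.snar" -C "$src" .
}

# list_members ARCHIVE: prints the paths stored in an archive.
list_members() {
  tar -tzf "$1"
}

# restore_set ROOT LABEL TARGET: the restore order the post describes, full
# archive first and then every incremental in sequence. /dev/null as snapshot
# tells tar to apply the recorded deletions without writing a new snapshot.
restore_set() {
  root=$1; label=$2; target=$3
  set_dir="$root/$label"
  mkdir -p "$target" || return 1
  tar -xzf "$set_dir/full.tar.gz" --listed-incremental=/dev/null -C "$target" || return 1
  i=1
  while [ -f "$set_dir/inc-$i.tar.gz" ]; do
    tar -xzf "$set_dir/inc-$i.tar.gz" --listed-incremental=/dev/null -C "$target" || return 1
    i=$((i + 1))
  done
}

# prune_sets ROOT KEEP: deletes the oldest sets (labels sort chronologically
# when they are date stamps) until only KEEP sets remain. Whole sets are
# removed, never single incrementals, so every remaining set stays restorable.
prune_sets() {
  root=$1; keep=$2
  sets=$(ls -1d "$root"/*/ 2>/dev/null | sort)
  [ -n "$sets" ] || return 0
  count=$(printf '%s\n' "$sets" | wc -l)
  excess=$((count - keep))
  [ "$excess" -gt 0 ] || return 0
  printf '%s\n' "$sets" | head -n "$excess" | while read -r old; do
    rm -rf "$old"
  done
}

# Stand-alone demo with a constructed source directory.
demo() {
  t=$(mktemp -d); label=$(date +%Y%m%d)
  mkdir -p "$t/src"
  echo "photo 1" > "$t/src/img1.jpg"
  echo "photo 2" > "$t/src/img2.jpg"
  full_backup "$t/backups" "$t/src" "$label"
  sleep 1                      # make sure later changes carry newer timestamps
  echo "photo 3" > "$t/src/img3.jpg"
  rm "$t/src/img1.jpg"
  incremental_backup "$t/backups" "$t/src" "$label" 1
  echo "incremental archive holds:"; list_members "$t/backups/$label/inc-1.tar.gz"
  restore_set "$t/backups" "$label" "$t/restore"
  echo "restored:"; ls "$t/restore"
  prune_sets "$t/backups" 7
}
demo
```

In a real cron job the label would be the date, the call after full_backup would be a transfer of the new archive to the external storage, and prune_sets would run against the copy there as well.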

Please note that it does not matter if you use Linux or Windows. You have to know what you are doing as the backup is the only way to restore your data if you are facing an issue with your server.

Of course we always try to support you if you have any questions regarding your backup solution: support@contabo.com.

The last step: Securing your backup

Security of private data gets more and more important. Encryption of the backup files is therefore recommended.

Using a Linux OS you can use tools like gpg to do so. Please find a very good tutorial below:
http://www.cyberciti.biz/tips/linux-how-to-encrypt-and-decrypt-files-with-a-password.html

If you are a windows user we recommend using Veracrypt:
https://veracrypt.codeplex.com/wikipage?title=Beginner%27s%20Tutorial

Posted by: Matthias