CFObjective Notes: 6 ways to secure, tune & fail-proof your VPS in a snap! - Jon Cavanaugh

May 16, 2013

6 ways to secure, tune & fail-proof your VPS in a snap! - Jon Cavanaugh (Hostek)

How to shape up your VPS
Every environment is different
key is to do what can be done now

What intrusion is acceptable?
None. No kind of hacking into the server is acceptable
but lots of customers just let things go, e.g. let WordPress updates lag behind

Ports at Risk
lots of times developers want to leave ports open, but a port left open is open to EVERYone, not just the dev team
restrict by source: what IP address are you coming from? allow only that address
ideally, 443 and 80 are the only ports open on the server
in the real world, we have to connect to the machines, so that's not always doable
pick a "window" for development
-- open a port for a season (3 - 4 months), have the dev team use that, then shut it down and pick a different one next time.

You may have the strongest password ever, but if you have a port open, people ARE trying to break in through that port
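Added example, not from the talk or these notes: a small audit of what is actually listening on a box versus the "only 80 and 443, plus a time-boxed dev port from a known source" policy above, and the iptables lines that would enforce it. The `ss -ltn` output is constructed, the DEV_WINDOWS registry and the 203.0.113.0/24 source network are hypothetical, and the rules are returned as strings rather than executed.

```python
"""Audit listening ports against a small allowlist with time-boxed developer
exceptions, and emit the matching iptables rules. Added example; the socket
listing below is constructed to look like `ss -ltn` output, not captured
from a real host, and the dev-window registry is hypothetical."""
from datetime import date
import re

TALK_DATE = date(2013, 5, 16)

# Ports the talk says should be the only ones open on a web VPS.
BASELINE_PORTS = {80, 443}

# Hypothetical "development window" registry: port, the source network
# allowed to reach it, and the day the window closes.
DEV_WINDOWS = [
    {"port": 2222, "source": "203.0.113.0/24", "expires": date(2013, 8, 31)},
    {"port": 8500, "source": "203.0.113.0/24", "expires": date(2013, 3, 31)},
]

# Constructed sample of `ss -ltn` output: header line, then one socket per line.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:80                 *:*
LISTEN     0      128    *:443                *:*
LISTEN     0      128    *:2222               *:*
LISTEN     0      128    *:8500               *:*
LISTEN     0      128    *:1433               *:*
LISTEN     0      128    127.0.0.1:3306       *:*
"""

_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def parse_listening(ss_output):
    """Return (bind_address, port) for every LISTEN line."""
    sockets = []
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            sockets.append((m.group(1), int(m.group(2))))
    return sockets

def audit(ss_output, windows=DEV_WINDOWS, today=None):
    """Classify each externally reachable listener as 'baseline', 'dev-window',
    'expired-window' or 'unexpected'. Loopback-only binds are skipped: they are
    not reachable from outside, which is where a local-only database belongs."""
    today = today or date.today()
    by_port = {w["port"]: w for w in windows}
    findings = {}
    for addr, port in parse_listening(ss_output):
        if addr.startswith("127.") or addr == "::1":
            continue
        if port in BASELINE_PORTS:
            findings[port] = "baseline"
        elif port in by_port:
            open_until = by_port[port]["expires"]
            findings[port] = "dev-window" if today <= open_until else "expired-window"
        else:
            findings[port] = "unexpected"
    return findings

def iptables_rules(windows=DEV_WINDOWS, today=None):
    """Rules implementing the policy: baseline ports open to all, each
    *unexpired* dev window open only to its source network, everything else
    dropped. Returned as strings; nothing is executed here."""
    today = today or date.today()
    rules = ["iptables -P INPUT DROP",
             "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
             "iptables -A INPUT -i lo -j ACCEPT"]
    for p in sorted(BASELINE_PORTS):
        rules.append(f"iptables -A INPUT -p tcp --dport {p} -j ACCEPT")
    for w in windows:
        if today <= w["expires"]:
            rules.append(f"iptables -A INPUT -p tcp -s {w['source']} --dport {w['port']} -j ACCEPT")
    return rules

if __name__ == "__main__":
    for port, status in sorted(audit(SAMPLE_SS_OUTPUT, today=TALK_DATE).items()):
        print(f"{port:>5}  {status}")
    print("\n".join(iptables_rules(today=TALK_DATE)))
```

Run against the constructed listing on the talk date, 1433 shows up as "unexpected" (SQL Server on a public interface, exactly the case the separate-server tip avoids) and 8500 as "expired-window" (a season that was never closed). The rule generator drops an expired window automatically, so the "pick a different port next season" step becomes editing one registry entry.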

Recommend - have a separate server for your SQL server, don't put it all on 1 box

Traffic between the WWW server and the SQL server can go over a private connection, so the database port is never exposed to the public internet

Tip 1 - review security now and turn it on
is a hardware firewall an option?
software firewall an option?
stay informed
-- Charlie Arehart and Pete Freitag both write great blogs on this topic
am I losing CPU/memory resources because I'm not blocking bogus traffic?
stop bogus requests from hitting the server. that also improves performance for "real" users on the site

http://wiki.hostek.com/ColdFusion_Security_Threats

If we don't have someone scheduled to think about security updates, we can get behind.

"It's not that bad"...yes it is. don't "leave stuff alone".
If you can patch something, do it.

Tip 2 - Plan for updates
OS updates should be automated
-- debatable. some OS updates can cause issues.
-- do the updates on a Saturday, test on Sunday, so the site is working before Monday's traffic, etc.
Application updates should be automated
-- also debatable for the same reasons, but still overall a good practice
-- though they need to be monitored. don't just blindly do an update and not watch to see if it broke anything

Better stability can be expected
keep the OS updated
keep the app server updated
backup first
monitor your site

create a page that queries the database w/ the production DSN
have that page monitored (don't give out the URL)
then you know your app server and SQL server are running, at a minimum

Performance
Review your hardware (ask)
-- if you host w/ a 3rd party, ask what kind of hardware you're on
-- especially if it's virtual.
-- don't want to get stuck on an old box that eventually dies because it wasn't well maintained
-- it's good to be curious and ask your host: "am I on the latest server/app/OS?"
-- how does the host tell me when stuff is down? email? RSS feed? find out my options

Avoiding Surprises
-- if you live in certain neighborhoods you lock your doors
-- lock up your stuff, on the web too

Tip 3 - Do App Safety
protect from injection (parameterize every query; never build SQL by concatenating user input)
don't save clear text CC numbers in a database!
if you use a CMS, update it frequently!
Using IIS (isolate users)
-- create an individual user and app pool for each website on the server
Using Linux (we recommend cPanel)
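Added example, not from the talk or these notes: the injection the "protect from injection" line is about, shown as a string-built query beside its parameterized fix, run against a constructed SQLite users table. The ColdFusion form of the fix is <cfqueryparam> with the right cfsqltype; the Python below is the same idea with the sqlite3 module.

```python
"""String-built SQL (injectable) beside the parameterized fix, against an
in-memory SQLite table. Added example, not from the talk or these notes;
the users table is constructed. <cfqueryparam> is the ColdFusion form of
the fix shown here."""
import sqlite3

def make_db():
    """Constructed users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def find_user_vulnerable(conn, username):
    """VULNERABLE: user input is pasted into the SQL text.
    username = "' OR '1'='1" turns the WHERE clause into a tautology."""
    sql = "SELECT username FROM users WHERE username = '%s' ORDER BY id" % username
    return [r[0] for r in conn.execute(sql).fetchall()]

def find_user_hardened(conn, username):
    """FIXED: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [r[0] for r in conn.execute(sql, (username,)).fetchall()]

def lookup_by_id_vulnerable(conn, raw_id):
    """VULNERABLE: numeric input concatenated in; "1 OR 1=1" returns every row."""
    sql = "SELECT username FROM users WHERE id = %s ORDER BY id" % raw_id
    return [r[0] for r in conn.execute(sql).fetchall()]

def lookup_by_id_hardened(conn, raw_id):
    """FIXED: coerce to the expected type first (what cfsqltype="cf_sql_integer"
    does on <cfqueryparam>), then bind. Non-integers are rejected, not queried."""
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, payload))    # both users leak
    print("hardened:  ", find_user_hardened(conn, payload))      # nothing matches
    print("vulnerable:", lookup_by_id_vulnerable(conn, "1 OR 1=1"))
    print("hardened:  ", lookup_by_id_hardened(conn, "1 OR 1=1"))
```

The two "hardened" functions differ on purpose: binding alone is enough for a text column, but for a numeric column the type check in front of the bind is what stops `1 OR 1=1` ever reaching the database, which is the same job cfsqltype does.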

Monitoring
Get SeeFusion. it's 199 bucks

The Performance Trifecta
- Great Infrastructure
- Redundancy is key (uplinks, switches, firewalls, storage, electricity, etc)
* Consider SSDs if you do "dependency injection, or something like that that's hitting the file system a lot"
-- huh!? is this for real? and specific to DI frameworks? Hmmm...

The JVM
Eden - where new objects are allocated. Things created in onApplicationStart (e.g. application.name) live for the lifespan of the app, so they don't stay in Eden; they end up in the tenured space

Minor vs full garbage collections

objects that survive a minor garbage collection are copied into one of the 2 "survivor spaces"
after surviving enough minor collections they get moved ("tenured") into the "tenured space"
when the tenured space fills up the "world stops": java says "I'm not doing anything except a FULL garbage collection" now
...and separately from those heap generations, class metadata lives in the "permanent generation" (PermGen).

that's great, but how do i tune it?

Start w/ a 64-bit JVM
- set the heap fairly high to start
- it also helps to have an idea of the application's memory footprint

If your app supports Java 1.7, update to it so you get all the latest security fixes (CF10 does support this)

Also be sure to "pin" the heap
(set -Xmx and -Xms values the same)
-- DON'T set a small -Xms and a big -Xmx. set them the same, so the JVM never has to grow or shrink the heap, which minimizes the number of full garbage collections that run

Twitter, for example
the "eden" space would be pretty high
lots of requests, lots of minor garbage collections
with that many minor GCs, objects survive enough collections to get tenured prematurely, so the tenured space fills up faster than it should

Pin NewSize values
- (set -XX:NewSize and -XX:MaxNewSize the same)
- the Eden space needs to be large enough to handle incoming requests but still leave enough room for the application footprint in the tenured space

Specify a Survivor Ratio
- larger survivor spaces (a lower -XX:SurvivorRatio, which is the Eden:survivor size ratio) help prevent premature tenuring of objects

Pin your Permanent Generation
(set -XX:PermSize and -XX:MaxPermSize values the same)

keep an eye on PermGen
-- if 256m was good, but now you're having to restart every few days, maybe bump up PermGen
-- want PermGen about 70% occupied

Mike Brunt's blog for more info on this

Use VisualVM to look at things

Another tip:
Set PermGen to 1/4 of your heap size (or maybe half), then use VisualVM about a week later to see how performance has been w/ that setting
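Added example, not from the talk or these notes: a checker that reads the memory flags out of a jvm.config java.args line and reports where it departs from the advice above (heap, new generation and PermGen pinned; PermGen between 1/4 and 1/2 of heap; a SurvivorRatio set), plus a generator for a pinned line at a given heap size. The sample UNPINNED_ARGS line is constructed; the flag names are the standard HotSpot ones for Java 6/7 (the PermGen flags go away in Java 8), and the fractions in recommended_java_args are starting points to re-check in VisualVM, not measured values.

```python
"""Check a ColdFusion jvm.config java.args line against the tuning advice
(pinned heap, new generation and PermGen; PermGen around 1/4 of heap;
SurvivorRatio set) and generate a pinned line for a given heap size.
Added example, not from the talk or these notes; UNPINNED_ARGS is a
constructed sample. HotSpot Java 6/7 flag names."""
import re

_UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

def parse_size(text):
    """'512m' -> 536870912 bytes; a bare number is bytes, as HotSpot reads it."""
    m = re.fullmatch(r"(\d+)([kmgKMG]?)", text)
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * _UNITS.get(m.group(2).lower(), 1)

def parse_java_args(java_args):
    """Extract the memory flags from a java.args string into {flag: value}.
    Sizes come back in bytes; SurvivorRatio as a plain integer."""
    found = {}
    for tok in java_args.split():
        m = re.fullmatch(r"-(Xmx|Xms|Xmn)(\w+)", tok)
        if m:
            found[m.group(1)] = parse_size(m.group(2))
            continue
        m = re.fullmatch(r"-XX:(NewSize|MaxNewSize|PermSize|MaxPermSize|SurvivorRatio)=(\w+)", tok)
        if m:
            name, val = m.groups()
            found[name] = int(val) if name == "SurvivorRatio" else parse_size(val)
    return found

def check_java_args(java_args):
    """Return a list of findings; an empty list means the line follows the advice."""
    f = parse_java_args(java_args)
    findings = []
    for lo, hi, label in [("Xms", "Xmx", "heap"),
                          ("NewSize", "MaxNewSize", "new generation"),
                          ("PermSize", "MaxPermSize", "PermGen")]:
        if lo not in f or hi not in f:
            findings.append(f"{label} not pinned: set both {lo} and {hi}")
        elif f[lo] != f[hi]:
            findings.append(f"{label} not pinned: {lo} and {hi} differ")
    if "Xmx" in f and "MaxNewSize" in f and f["MaxNewSize"] * 2 >= f["Xmx"]:
        findings.append("new generation is half the heap or more; leave room for tenured")
    if "Xmx" in f and "MaxPermSize" in f:
        ratio = f["MaxPermSize"] / f["Xmx"]
        if not 0.25 <= ratio <= 0.5:
            findings.append(f"PermGen is {ratio:.0%} of heap; aim for 1/4 to 1/2, then watch it in VisualVM")
    if "SurvivorRatio" not in f:
        findings.append("no SurvivorRatio; default survivor spaces are small and tenure objects early")
    return findings

def recommended_java_args(heap_mb, new_fraction=0.25, perm_fraction=0.25, survivor_ratio=4):
    """A pinned java.args fragment for a 64-bit JVM with heap_mb MB of heap.
    The fractions are starting points (assumed, not measured); re-check a week later."""
    new_mb = int(heap_mb * new_fraction)
    perm_mb = int(heap_mb * perm_fraction)
    return (f"-server -Xms{heap_mb}m -Xmx{heap_mb}m "
            f"-XX:NewSize={new_mb}m -XX:MaxNewSize={new_mb}m "
            f"-XX:SurvivorRatio={survivor_ratio} "
            f"-XX:PermSize={perm_mb}m -XX:MaxPermSize={perm_mb}m")

# Constructed sample of the kind of line a default jvm.config starts with.
UNPINNED_ARGS = "-server -Xms256m -Xmx1024m -XX:MaxPermSize=128m"

if __name__ == "__main__":
    for finding in check_java_args(UNPINNED_ARGS):
        print("-", finding)
    print(recommended_java_args(1024))
```

Note the last check in check_java_args: PermGen is sized relative to -Xmx for the "1/4 of heap" rule of thumb, but it is allocated in addition to the heap, so the box needs RAM for both.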

Optimizing the database
-Index the database tables
-anything with a "where" clause needs an index on some variant of that/those columns
-Enable connection pooling on DSNs
-- set an appropriate timeout (between 10 and 20 is probably good; the CF Administrator DSN timeout is in minutes)
-- short timeouts can be counter-productive, so make sure it's not TOO short (so it doesn't time out in the middle of a long query)

MS SQL Server -- set each database to the latest compatibility level

Cache your queries whenever possible
-- improves performance
-- helps keep site online if DB server becomes temporarily unresponsive
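Added example, not from the talk or these notes, covering two of the database tips above plus the "page that queries the production DSN" monitoring tip: (1) EXPLAIN QUERY PLAN before and after adding an index on the WHERE column, (2) a query cache that serves its last good rows when the database stops answering, and (3) the one-query health check a monitor would hit. The orders table is constructed and SQLite stands in for the MS SQL Server the talk assumes; in ColdFusion the cache is what cachedwithin on <cfquery> gives you.

```python
"""Database tips from the talk, run against an in-memory SQLite copy.
Added example, not from the talk or these notes; the orders table is
constructed, SQLite stands in for MS SQL Server, and health_check mirrors
the "page that queries the production DSN" monitoring tip."""
import sqlite3
import time

def make_db(rows=5000):
    """Constructed orders table: 5000 orders spread over 100 customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL)")
    conn.executemany("INSERT INTO orders (customer_id, total) VALUES (?, ?)",
                     [(i % 100, i * 1.5) for i in range(rows)])
    conn.commit()
    return conn

# The WHERE column is customer_id, so that is the column that needs an index.
QUERY = "SELECT id, total FROM orders WHERE customer_id = ?"

def query_plan(conn, sql, params):
    """SQLite's EXPLAIN QUERY PLAN detail text for one statement."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return " | ".join(str(r[-1]) for r in rows)

def uses_index(conn, sql, params):
    """True when the planner searches an index instead of scanning the table."""
    return "USING INDEX" in query_plan(conn, sql, params)

def add_where_index(conn):
    """Index the column used in QUERY's WHERE clause."""
    conn.execute("CREATE INDEX IF NOT EXISTS ix_orders_customer ON orders (customer_id)")

def health_check(conn):
    """What the monitored page should do: one cheap query through the real
    connection. Returns (http_status, message) for the monitoring service."""
    try:
        conn.execute("SELECT 1").fetchone()
        return 200, "ok: app server and database answering"
    except sqlite3.Error as e:
        return 503, f"database error: {e}"

class CachedQuery:
    """Cache a query's rows for ttl seconds. If the database errors once the
    cache is stale, hand back the stale rows (flagged) instead of failing, so
    the site keeps serving while the DB server is temporarily unresponsive."""
    def __init__(self, conn, sql, ttl=60, clock=time.monotonic):
        self.conn, self.sql, self.ttl, self.clock = conn, sql, ttl, clock
        self._cache = {}  # params tuple -> (rows, fetched_at)

    def run(self, params):
        now = self.clock()
        hit = self._cache.get(params)
        if hit and now - hit[1] < self.ttl:
            return hit[0], "cached"
        try:
            rows = self.conn.execute(self.sql, params).fetchall()
        except sqlite3.Error:
            if hit:
                return hit[0], "stale"   # DB is down, but we still have an answer
            raise
        self._cache[params] = (rows, now)
        return rows, "fresh"

if __name__ == "__main__":
    conn = make_db()
    print("before index:", query_plan(conn, QUERY, (7,)))
    add_where_index(conn)
    print("after index: ", query_plan(conn, QUERY, (7,)))
    clock = [0.0]                      # injected clock so the demo can age the cache
    cq = CachedQuery(conn, QUERY, ttl=60, clock=lambda: clock[0])
    print(cq.run((7,))[1], cq.run((7,))[1])
    print(health_check(conn))
    conn.close()                       # simulate the DB server going away
    print(health_check(conn))
    clock[0] = 120.0
    print(cq.run((7,))[1])             # stale rows served instead of an error
```

The plan text changes from a table scan to a search using ix_orders_customer; that is the difference the "anything with a where clause needs an index" line is about. The stale-on-error branch is the availability half of query caching: the page stays up, and the "stale" flag lets the app decide whether to show the data or a maintenance notice. Only cache reads whose data can be a little old; never cache a query whose rows are used for authorization.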

Don't use MS Access to power a web server (in other news, water is wet)

More info:
https://wiki.hostek.com/ColdFusion_Performance