How will CentOS 5 end of life affect me?

On 31st March 2017, CentOS 5 reaches end of life.
We recommend that you update to CentOS 7.

Over time technology and security evolve, new bugs are fixed and new threats prevented, so in order to maintain a secure infrastructure it is important to keep all software and systems up to date.

Operating systems are key to security, providing the libraries and technologies behind NGINX, Apache and anything else running your application. Old operating systems don’t support the latest technologies which new releases of software depend on, leading to compatibility issues.

Leaving old CentOS 5 systems running past March 2017 leaves you at risk of:

  • Security vulnerabilities of the system in question
  • Making your network more vulnerable as a whole
  • Software incompatibility
  • Compliance issues (PCI)
  • Poor performance and reliability

CentOS End of life dates:

  • CentOS 5 : 31st March 2017
  • CentOS 6 : 30th November 2020
  • CentOS 7 : 30th June 2024

Faster:

Just picking up your files and moving them from CentOS 5 to CentOS 7 will speed up your site due to the newer software.

  • Apache 2.2.3 -> Apache 2.4.6
  • PHP 5.1 -> PHP 5.4
  • MySQL 5.0 -> MariaDB 5.5

Are you still using an old operating system?

Want to upgrade?

Not sure if this affects you?

Drop us a line and see what we can do for you!

Feature image by See1,Do1,Teach1 licensed CC BY 2.0.

Adding Google Analytics tracking to WordPress via a plugin

Before we start you will need a Google Analytics account. See our other guide for setting up a Google Analytics account.

There are many plugins that add Google Analytics to a WordPress site. Some will add Google Analytics reports into your WordPress site admin interface and others will just push your site’s data to Google Analytics, meaning you have to view it on the Google Analytics website.

For this post we are installing Google Analytics Dashboard for WP. As with any plugin you need to consider security. Look for plugins that have had lots of downloads and good reviews, and that have been updated within the last 6 months. Plugins are made by anyone with programming skills and, like most things, people lose interest or run out of time to keep their plugin secure and updated. An insecure plugin could be the way attackers get into your website and cause issues.

To install Google Analytics Dashboard for WordPress:

  1. Log into your WordPress site (www.example.co.uk/wp-admin)
  2. On the left hand side go to Plugins and click Add New.
  3. Search Plugins in the right hand corner of the page for ‘Google Analytics Dashboard for WP’ and click Install Now.
  4. On the install page click Activate Plugin – you will now see Google Analytics on your left hand menu
  5. Select Google Analytics – General Settings and click Authorise Plugin
  6. Click the red link (Get Access Code) on this page to generate and get your access code. A new window will pop-up asking you to allow specific data from your Google Analytics account to be used by Google Analytics Dashboard for WP. After agreement, an access code will be provided.
  7. Copy the code, paste it in the field called Access Code and save it by pressing the Save Access Code button.
  8. Once set up, please be aware it may take up to 24 hours for data to appear in your reports.

You are now set to explore and set up Google Analytics Dashboard for WP as you wish. For more information and a more in depth video on how it works please visit the Google Analytics Dashboard for WP Documentation, Tutorials and FAQ page.

How to set up Google Analytics for your website

There are three parts to setting up Google Analytics to start collecting basic data from your website.

  1. Create a Google account or activate (access) Google Analytics on your existing Google account
  2. Set up a property in your Google account.
  3. Follow the instructions to set up web tracking

Only you, as the website owner, can set this up as it comes under your personal Google account, so your web host or developer will not be able to do it for you. However, it is very easy to do and a simple guide is below:

Create a Google account or activate (access) Google Analytics on your existing Google account

First you will need to create a Google Analytics account. To do this, visit Google Analytics Signup Page.

If you already have a Gmail/Google account, then use that to sign-in with. If you do not have a Gmail/Google account, then you will have to create an account for yourself.

If during the sign in/up process you end up on the wrong page, just visit https://analytics.google.com/ to get back on the right page.

Set up a property in your Google account

Once signed into Google Analytics, go to the ADMIN tab along the top of the page.

In the ACCOUNT column, use the dropdown menu to select the account to which you want to add the property.
In the PROPERTY column, select Create new property from the dropdown menu and select website.

Tips for completing the form

Website Name: you can simply use your URL if you wish.

Website URL: just type in your website address! Select the protocol standard (http:// or https://). Enter the domain name, without any characters following the name, including a trailing slash (www.example.com, not www.example.com/).

Industry Category: this is optional and can be left blank if you struggle to find an appropriate category for your business.

Reporting Time Zone: Pick your time zone. This is key for making sure the way Google Analytics counts days lines up with your own business day.

Data Sharing Settings (if shown): completely optional. Select and deselect as you feel comfortable.

Click the blue Get Tracking ID button. Your property is created after you click this button, but you must set up the tracking code to collect data.

Follow the instructions to set up web tracking

There are several ways to collect data in Analytics, depending on what you want to track. This Set up Analytics tracking guide gives you the instruction on the best installation method for what you wish to track.

If you are using WordPress please refer to our Google Analytics for WordPress post.

Whatever method you use to set up Google Analytics, please be aware it may take up to 24 hours for data to appear in your reports.

HashGate: An intrusion detection tool

HashGate is a simple intrusion detection tool we wrote for use internally and in customer environments to monitor files and alert us on any unauthorised changes to them.

We try very hard not to re-invent the wheel and are already big users of tools such as Tripwire and Rootkit Hunter, but we wanted something lightweight for monitoring site files, not system files.

HashGate is written in Python using only core modules and aims to work on all platforms that can run Python 2.7, not just Linux!

Our main use for HashGate is monitoring files on WordPress & Magento installations, which are more commonly exposed to vulnerabilities that allow attackers to modify files. HashGate records the hashsum of all files in the specified directory and stores them for periodic checking; we run our checks hourly via cron.

Below is a basic example of the output where a file has been modified:

alex@dogsbody-alex:~$ ./hashgate.py -ca /tmp/files.cache -f /home/alex/Documents/Junk/ -t check
The following files were modified:
/home/alex/Documents/Junk/wordpress/index.php
----------------------------------

Other features of HashGate include whitelisting, which allows us to ignore files that frequently change and don’t need to be monitored such as WordPress’ cache files or Magento’s sessions directory.
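The record/check cycle and the whitelisting described above, as an added example written for this post rather than HashGate's own code: hashes of a site tree are stored in a JSON cache, a later check classifies files as modified, added or deleted, and glob patterns (constructed here for WordPress cache and Magento session files) exclude files that change constantly.

```python
import fnmatch
import hashlib
import json
import os

# Constructed whitelist: glob patterns matched against the path relative to the
# monitored root, for files that change constantly and should never alert,
# e.g. WordPress cache files or Magento's session directory.
DEFAULT_WHITELIST = ["*wp-content/cache/*", "*var/session/*"]


def sha256_of(path):
    """Stream the file through SHA-256 so large uploads need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_whitelisted(rel_path, whitelist):
    return any(fnmatch.fnmatch(rel_path, pattern) for pattern in whitelist)


def hash_tree(root, whitelist=DEFAULT_WHITELIST):
    """Map every non-whitelisted file below root (relative path) to its hash."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not is_whitelisted(rel, whitelist):
                hashes[rel] = sha256_of(full)
    return hashes


def update_cache(root, cache_path, whitelist=DEFAULT_WHITELIST):
    """The 'update' run: record the current hashes as the trusted baseline."""
    hashes = hash_tree(root, whitelist)
    with open(cache_path, "w") as fh:
        json.dump(hashes, fh, indent=1, sort_keys=True)
    return hashes


def check(root, cache_path, whitelist=DEFAULT_WHITELIST):
    """The 'check' run: compare the tree against the baseline and return the diff."""
    with open(cache_path) as fh:
        old = json.load(fh)
    new = hash_tree(root, whitelist)
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "deleted": sorted(p for p in old if p not in new),
    }


def report(diff):
    """Render the diff in the same shape as the example output above."""
    lines = []
    for kind in ("modified", "added", "deleted"):
        if diff[kind]:
            lines.append("The following files were %s:" % kind)
            lines.extend(diff[kind])
            lines.append("-" * 34)
    return "\n".join(lines)
```

Take the baseline with update_cache only after a known-good deploy and keep the cache outside the monitored tree; a baseline recorded after a compromise would treat the injected files as normal.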

There is also VirusTotal checking: HashGate checks the hashes of flagged files against VirusTotal’s database of malicious files to determine whether the change was malicious. Due to the nature of VirusTotal’s API we are only able to make 4 requests per minute, so if lots of files are flagged it will add some extra time to hash checks.

We have recently open sourced this tool and you can find more information, a list of the full features and usage in the GitHub repo. If you feel something can be written better or there’s a feature you’d like to add, we invite you to contribute and help us build a better tool. We make use of tools like HashGate in some of our server monitoring packages, so be sure to check them out and get in contact if they could be of use.

PHP 5.5 support will stop on the 10 July 2016

Quick Public Safety Announcement, PHP 5.5 is end of life on the 10 July 2016.

Anything not running PHP version 5.6 or newer exposes your site to significant security vulnerabilities.

We have ensured that all our customers are safe and ready. Unsure if you are affected? Want a hand upgrading? Get in touch!

[Image: composer PHP usage chart, January 2016]

I am a big fan of graphs, and Jordi Boggiano has provided this great overview of the PHP versions out there in the wild!

We are very happy to see a big drop in PHP 5.3 and 5.4 since they have long passed end of life and a surprisingly quick rise in the brand new PHP 7.0. :)

 

Feature image by See1,Do1,Teach1 licensed CC BY 2.0.

Pushover Alerts

Alerts & Webhooks with AWS Lambda

Here at Dogsbody Technology we monitor servers and services for hundreds of clients; you may have read our previous blog post talking about our Warboard and how we make use of it. This blog post covers the other tools we use for responding to incidents and issues in real time: our Dogsbody Technology Webhooks.

The main thing we use the webhooks for is Pingdom, New Relic & Sirportly alerts. When an incident is triggered in Pingdom or New Relic they make an API call to our webhook with the relevant information we require to investigate the incident; the webhook then determines the priority of the incident and sends an alert to our Pushover user accounts so we are alerted and can respond.

High priority alerts, such as site outages, also trigger a rotating blue police-style light, accompanied by a siren sound from the office speaker.

[Image: the Dogsbody Technology office siren]

We also use the webhooks to notify a user when certain interactions happen in our ticketing system Sirportly, such as being assigned a new ticket or when one of their existing tickets is replied to.

To ensure our webhooks would have near 100% uptime and we wouldn’t miss an alert, we decided the best place to host them would be AWS Lambda & AWS API Gateway. These two services combined allow us to run the webhooks on Amazon’s high availability infrastructure while only paying small amounts on a per request/alert basis, which is the perfect model for this service.

To put into perspective how cost effective AWS’ pricing model is for our alerts: last month (June 2016) we received 25,282 alerts across all of our endpoints combined. This worked out at a total monthly cost of … $0.10! AWS actually provides a free amount of Lambda execution time per month which we haven’t even reached yet; we’re only being charged that 10 cents for the API Gateway.

Let us know if you find any of the services and technologies mentioned above interesting and we can write some more in-depth blog posts on those subjects, and even some guides on using them. The alerts talked about in this blog post come with the majority of our server monitoring packages, so be sure to get in contact if you need any of our services.

Let’s Encrypt: Security Everywhere

Let’s Encrypt is a new Certificate Authority (CA) that is making waves in the web community. They have lowered the access barrier for SSL certificates significantly and are pushing their competition to improve, fast.

“A Certificate Authority is an entity that validates other digital certificates… …Creating a Chain of Trust between a website and the browser.”

Read more about Certificate Authorities or how to trust over the Internet.

Why Let’s Encrypt is revolutionary:

  • Let’s Encrypt removes the pay wall for SSL certificates, making them free for everyone.
  • It’s quick. Seemingly instant certificate authentication and provisioning.
  • Open client options for many different programming languages and environments.
  • Certbot (the official client, developed by the Electronic Frontier Foundation (EFF)) is incredibly simple to set up and can have HTTPS running in seconds. See for yourself.
  • Automated SSL renewal. A new certificate is issued just as the old one expires.
  • Raising the standards for CA security checks. Let’s Encrypt have implemented new security checks which ensure that you are the domain’s owner and that it’s safe to issue you the certificate. Read more.
  • Short validity periods. Let’s Encrypt certificates are only valid for three months, which is shorter than other CA-signed certificates. You may think this is bad, since a long validity period means less maintenance work. But should the next Heartbleed vulnerability come along and your certificate’s key be leaked to the public, the perpetrator has less than three months to use it before it is no longer valid.
  • Supported: as of last year Let’s Encrypt is trusted in most browsers. Test it for yourself. Read more.

It’s free, easy and simple to do so there is no reason not to get started straight away.

Quick (nearly instant) certificate provisioning is our favourite benefit. We often have new customers come to us who have been caught out by expiring SSL certificates, not having left enough time for the renewal to take place, which with Extended Validation certificates can be weeks! Let’s Encrypt is our first port of call to mitigate the missing certificate, giving us a temporary solution while their other certificate is renewed.

At Dogsbody Technology we love SSL and have already started implementing Let’s Encrypt when we can. If you want to see the benefit of SSL drop us a line.

Feature image made by Got Credit licensed CC BY 2.0.

IPv6 Day 2016

Today is IPv6 day. IPv6 day aims to evaluate and promote public IPv6 deployment as it was designed to eventually completely replace IPv4.

We embrace IPv6 technology at Dogsbody Technology and want to help promote it, so we thought we’d write a blog post telling you why we think it’s great.

But first, what is IPv6?

IPv6 was invented to address the issue of IPv4 exhaustion. It allows for a much larger number of IP (Internet Protocol) addresses, which is what computers use to identify and communicate with one another over the internet. Once all of these addresses are taken, no new device can connect to the internet. There are around 3.7 billion public IPv4 addresses, which are now virtually exhausted due to the ever growing number of computers and people connected to the web. Compare this with the roughly 340 undecillion (340 trillion, trillion, trillion) addresses you get with IPv6.

With IPv6 every human on the planet could use billions of addresses a second and we’d still not run out.

An IPv6 address is written differently and so needs different DNS records. If you do a DNS query on www.dogsbodytechnology.com you will see two responses: a traditional A record that includes the IPv4 address and a new AAAA record that shows the IPv6 address:

www.dogsbodytechnology.com. 900 IN A 139.162.200.233
www.dogsbodytechnology.com. 900 IN AAAA 2a01:7e00::31:9003

IPv4 Addresses are in the format “ddd.ddd.ddd.ddd” where each “ddd” ranges from 0-255.

IPv6 addresses are in the format “hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh” where each “h” is the value 0-15 written in hexadecimal.

IPv6 addresses can also be shortened: leading zeroes within a group can be removed (like IPv4) and one run of consecutive 0000 blocks can be replaced by a double colon (::), e.g.

2a01:7e00:0000:0000:0000:0000:0031:9003
2a01:7e00:0:0:0:0:31:9003
2a01:7e00::31:9003

There are lots of fantastic guides explaining how computers understand and use these addresses that will do a much better job of explaining than we could hope for in a small blog post.

Advantages:

  • Won’t run out.
  • Routing is more efficient.
  • Makes address allocation and network management simpler.
  • Improved end-to-end connection, helping things such as file sharing and online gaming.

Disadvantages:

  • Makes addresses harder to remember for humans.
  • Can make it easier to track an individual’s use of the internet.
  • New hardware may need to be purchased.
  • It’s going to take a long time to transition fully.

Some of the above disadvantages are lessened and/or avoided with the use of a dual stack (running IPv4 and IPv6 side-by-side).

Regardless of the downsides, we’re big fans of IPv6, and all of our servers use it where possible.

There is even a chance that you’re using it right now to view this website. Contact Us if you want to make sure future visitors can access your site over IPv6.

Certificate Authorities or how to trust over the internet

A common misconception we see all the time is that HTTPS is only useful for scrambling (encrypting) connections between you and a website, but this is only half of its potential.

So how do we know we are connected to Facebook’s servers when we access www.facebook.com?

HTTPS ensures this, by making two important aspects of security possible: encryption and authentication. It does this by sending additional data (SSL certificates) before each connection. This certificate tells the client how to encrypt their connection and which Certificate Authority will authenticate who they are.

A Certificate Authority is an entity that validates other digital certificates. They do this by “signing” certificates (with each other’s keys), creating a Chain of Trust between a website and the browser.

This is the chain of trust for https://www.dogsbodytechnology.com (feel free to check this yourself in your browser now).

[Image: certificate hierarchy for www.dogsbodytechnology.com]

  1. *.dogsbodytechnology.com
    The first certificate your browser receives is the site certificate. This certificate details all of the domains that it is applicable for, in this case any domain ending dogsbodytechnology.com. As well as an “Issued By” field which details the certificate that signed it, giving your browser the information to verify it.
    When setting up a secure website (HTTPS) one of the first steps is to get a certificate authority to sign your certificate. Their signature connects you to a root certificate which browsers and software knows it can trust.
    Comodo signed our certificate so our “Issued By” field points to them.
  2. COMODO RSA Domain Validation Secure Server CA
    This is one of Comodo’s many intermediate certificates. There can be multiple intermediate certificates in the certificate hierarchy however each extra hop reduces trust.
    This certificate is not known by the browser so the webserver should send this certificate (and all intermediate certs) with the site certificate. This is sometimes known as the certificate bundle.
    This certificate’s “Issued By” field links to the root certificate giving us the next link in the chain to verify this certificate.
  3. COMODO RSA Certification Authority
    This is a root certificate, it is stored locally on your operating system (OS) with other root certificates your OS trusts. These are the master certificates of certificate authorities who have been thoroughly authenticated so your browser can trust them definitively.
    Some products, such as Firefox for example, provide their own selection of root certificates which is used instead of the operating system’s.
    While each certificate stores the field “Issued By” to verify it, root certificates are Issued By themselves, so no further checking is possible or necessary, they are trusted absolutely. This is a Trust Anchor, the end of the verification process.

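The chain walk in steps 1 to 3 above, as an added example written for this post (not the original's code): it models only the name linking through the “Issued By” field, with signature checks deliberately left out, and reports the step 2 failure where the webserver did not send the intermediate. The certificate names are the ones from the hierarchy above; the cert and build_chain helpers are constructed.

```python
# Constructed model of the certificate hierarchy above. A certificate is reduced
# to the two fields the chain walk uses: its subject and the "Issued By" (issuer)
# subject. Signatures are NOT checked here; a real client also verifies each
# link with the issuer's public key, not just by following the names.
def cert(subject, issuer=None):
    """A root certificate is issued by itself, so issuer defaults to subject."""
    return {"subject": subject, "issuer": issuer if issuer is not None else subject}


ROOT = cert("COMODO RSA Certification Authority")  # trust anchor, lives in the OS store
INTERMEDIATE = cert("COMODO RSA Domain Validation Secure Server CA", ROOT["subject"])
SITE = cert("*.dogsbodytechnology.com", INTERMEDIATE["subject"])  # the site certificate


def build_chain(site, bundle, trust_store, max_hops=5):
    """Follow 'Issued By' from the site certificate up to a self-issued root.

    bundle: what the webserver sent (site certificate plus intermediates).
    trust_store: the roots the OS or browser already trusts.
    Returns (chain, error); error is None when the chain reaches a trust anchor.
    """
    by_subject = {c["subject"]: c for c in bundle}
    trusted = {c["subject"]: c for c in trust_store}
    chain = [site]
    current = site
    for _ in range(max_hops):
        issuer = current["issuer"]
        if issuer in trusted:
            root = trusted[issuer]
            if root["issuer"] != root["subject"]:
                return chain, "trust anchor %r is not self-issued" % issuer
            chain.append(root)
            return chain, None  # reached the Trust Anchor
        if issuer == current["subject"]:
            return chain, "self-signed certificate %r is not in the trust store" % issuer
        nxt = by_subject.get(issuer)
        if nxt is None:
            return chain, "issuer %r was not sent by the server (missing intermediate?)" % issuer
        chain.append(nxt)
        current = nxt
    return chain, "chain longer than %d hops" % max_hops


def describe(chain):
    return " -> ".join(c["subject"] for c in chain)
```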
Now that the browser can link your certificate with a root certificate it knows it is talking to authorized servers for the site and the rest of the connection can continue.

We secure websites every week contact us today and see how we can help you.

The Warboard

The Dogsbody Technology Warboard sits on the wall in our office and allows us to see a detailed overview of the infrastructure we monitor in real time. This has proved itself invaluable for spotting potential problems and remedying them before they ever become an issue.

We’re responsible for monitoring and maintaining hundreds of servers on a daily basis. Checking the status of this infrastructure manually would be virtually impossible. To make this job easier we use tools such as Pingdom and New Relic; however, we still felt the need for a high level overview of all servers.

When a service fails on a server, or the health of a server deteriorates, Pingdom and New Relic alert us in real time via custom webhooks we have written. These are great for reacting to an issue when it happens, but they don’t give us a clear overview of the infrastructure we monitor before an issue occurs. This is why we created the Warboard.

The Warboard is displayed in such a way that we only see the metrics we need to. Services in the Pingdom column are ordered by highest response rate, and servers in the New Relic column are ordered by the highest metric for each server (if CPU utilisation was a higher percentage than memory, disk usage and disk IO, it would be used). We display the Warboard on a wall mounted TV for the whole team to see.

[Image: example screenshot of the Warboard]

In the Pingdom column, red checks are currently down, blue checks are paused and green checks are up. In the New Relic column, red checks are servers that have hit the high threshold on their policy, amber checks have hit their warning threshold, blue checks are servers that are no longer reporting and green checks are servers that have not reached a threshold.

We also have a column for Sirportly, our ticketing system. This shows how many tickets each team member has. Below this is an overview of events in our Google Calendar where we can see upcoming events and scheduled maintenance.

The Warboard backend is all written in Python and the frontend is Python (Flask) using the Jinja2 templating engine. We’ve made the Warboard public on GitHub, so feel free to contribute, modify it and use it in your own environment if you please.

If you’d like us to monitor your infrastructure be sure to take a look at our maintenance packages and get in contact.