Windows Web Hosting, Web Technologies, etc
Posts tagged Windows Administration
Smartermail, Spamassassin, Virtuozzo VPSs
Jan 17th
A follow up to Smartertools answers the cry on the fight against spam with smartermail 4.0.
A lot of clients have been asking about how we’re handling spamassassin with Smartermail 4.0. It’s no secret that spamassassin on a windows server runs horribly slow. If more than a handful of domains are involved I have no doubt that spamassassin would cripple the server if not fail completely. However, I also believe that greylisting is the more effective component in the smartertools anti-spam arsenal and will reduce spam to a fraction of what it would be with just spamassassin alone.
So there’s a ton of interest in farming out spamassassin to a Linux vps. Why, you ask? Well, quite simply, spamassassin runs like a mad cow on steroids on a Linux server. Okay maybe I’m exaggerating but it’s a ton faster. Plus, as hard as it is to admit it, being a die hard windows geek, it was developed on Linux and the community support for it is still very much linux so it just runs better. Fortunately, smartertools (under the leadership of Tim Uzzanti, formerly of Crystaltech and my two superhero-style developer home-boys Grady W and Bryon G) saw ahead and knew this could be a problem. What did they do? They devised smartermail to support not only a remote spamassassin processing server on linux but if need be a farm of spamassassin processing servers. By going with a linux install of spamassassin you’ll gain the added support of the spamassassin community (also linux geeks er um developers .. ehh linux developer, geek … same thing).
What’s so great about Spamassassin on Linux?
Out of the box spamassassin isn’t very effective. Okay, it’s good but not nearly as good as it should be. To really take advantage of spamassassin you’ll want to add a few functions:
- DCC is the Distributed Checksum Clearinghouse. Basically your server creates a checksum from each message you receive, compares this checksum to a distributed database of checksums to decide if the message is spam or not, and then scores it accordingly. In effect you and a bunch of other mail server operators are teaming together to create a distributed, constantly updated database of spam and non-spam messages. Very cool.
- Vipul’s Razor is similar to DCC but uses the Cloudmark Spamnet network (my understanding is it’s the same database that backs their commercial services).
- Pyzor is similar to Razor, but it is a completely free database and client written in .. you guessed it .. python. It was developed out of fear that the Razor database, being commercial, may be ripped away from the opensource community at some point.
Now, these three tools will slow down your message processing (around 2-10 seconds generally and you should set a timeout so that they don’t hold up email too long) but they really add some power behind Spamassassin.
You have now evolved from the rules-only processing of spamassassin into a rules processing system combined with a series of independent distributed message clearinghouses. I should note that if you have any volume whatsoever DCC is going to want you to set up your own DCCD (which we have set up currently but are still beta testing smartermail 4.0 before rolling out completely).
Why Rules? Don’t the Spammers Know These Rules too?
So now you have the default rules (around 91 I believe) and the clearinghouses. But what good are the rules, right? I mean after all, if I have them the spammers have them too. Now enter the SpamAssassin Rules Emporium (SARE), a series of frequently updated rules that you can download at various times, updating your rules using a tool like sa-update. This means your rules are constantly evolving just like the spammers are. Now we got kerosene on the fire. We have a set of consistently changing rules (which you’ll want to pick from carefully; remember these could be touchy and some rules may flag good mail as bad) and a series of independent distributed message clearinghouses.
A note about rules from SARE: There are different levels of rules: some that, when tested against a mail test database, picked up only spam messages but not all of the spam messages; some that picked up more spam messages but flagged a few good emails as spam too; and finally some that picked up all the spam messages but flagged more ham as spam. It’s really up to you to decide what’s safe and what’s not.
Which rules do you deploy? Our own testing has shown that greylisting filters 90% of the spam and that spamassassin does a good job of flagging almost all of those that get through greylisting with just the safe level of rules employed. We have about 501 tests we run each message through currently and it takes between 1.2 and 5 seconds without the distributed database checks, with the database checks it takes 1.2 seconds to 20 seconds. Now our system hasn’t been fully optimized and tweaked yet but it’s getting there.
Rules and DCC what else does Spamassassin Give me?
So now we have a constantly updating database of rules, a way to compare our messages to a distributed database of email signatures to see if others have flagged them as spam and… here’s the coolest part. You know those annoying image emails you get selling viagra or stocks? The ones you can’t for the life of you figure out how to filter? Well, spamassassin has OCR (optical character recognition) plugins available that will read these messages and then review the text to see if it’s truly spam. This is VERY cool! But as the cat and mouse game goes, have you noticed that your image spam is becoming colorful now? Strange backgrounds? Multi-colored text? You know all those tricks we perform with CAPTCHA to keep bots from registering on our forms? Yeah, the spammers are using those techniques in spam messages now (the rat bast*rds).
The Spam Fighting Duo becomes a powerful Dynamic Trio!
Spamassassin is very cool and Smartermail has gotten even cooler. Now enters the final member of our Team of Superhero Techno-tools, SWSoft’s Virtuozzo. Virtuozzo is an OS virtualization VPS engine. What’s this mean? Hardware virtualization systems like Microsoft Virtual Server and VMWare have an overhead (reported on the order of 20%) due to virtualizing the hardware. This means 4 VPSs on a single server will only deliver the processing power of the single box at 80%. With hardware virtualization you gain a great deal of flexibility in being able to run mixed guest operating systems on a host system (i.e., running Linux and Windows VPSs on a Windows host machine) but you pay for that with a performance loss (most argue with today’s processing power it’s an acceptable loss but you decide for yourself).
With OS virtualization you are still very much virtualized but you run the same Guest OS as the Host OS so you can’t run Linux on windows. But guess what? You aren’t getting bottlenecked as you are in HW virtualization. Now Virtuozzo gets even cooler. You get all the raw power, plus now that you’re using the same OS at the Host and across all of your guest OSs they can actually share common memory and diskspace. So the 2GB of diskspace you’d normally lose in a 10GB VPS partition isn’t lost at all. You only give up diskspace for files that differ from the host machine’s version (for instance, if you created your own bind binary, it and its necessary libraries would be unique to your VPS and use the diskspace and memory allotment of your VPS). I believe this is around 100 to 200MB on average.
Next you get something called Virtuozzo templates. These are ready made application, operating system and in some cases full VPS machine templates that are shared across multiple VPS virtual engines (VEs or VPSs if you will). So now you can have a series of very similar VEs (VPSs) running on a single hardware node all sharing resources. This means that although your apps and virtual machine are very much separated and secure, you’re not running all of the overhead of the guest operating system on your virtual machine and you’ll gain performance over a HW virtualized system. Our own informal testing showed this to be a great benefit and very much worth the tradeoffs between HW and OS virtualization for a hosted application and webhosting platform.
So why Virtuozzo for our spamassassin VEs?
- The performance difference between HW virtualization and OS virtualization. HW virtualization is great, adds a lot of functionality that you may or may not need and will get the job done, but OS virtualization is the only way to go in a production hosting environment that demands maximum performance, reliability and scalability.
- Shared OS resources reducing the need for redundant processes and diskspace waste. Allowing for more VPSs per HW node and thus lower cost.
- The ability to create templates of a working VPS design and then replicate it across hundreds of VPS’s within a matter of minutes (I didn’t really get into that but it’s extremely cool)
- The ability to patch a single VPS and then create a template for this patch and replicate it automatically across all VPSes.
- The ability to move a VPS from one HW node to another HW node with near zero downtime (again extremely cool)
- Finally, it’s a platform we’ve already adopted and have been using for about 3 years now and are extremely familiar with it and find it quite popular in the hosting industry.
I know there’s already been a ton of work on a VMWare image in the smartertools community and this is without question a trail blazing effort. For many servers the ready built solution is a clear winner. I mean after all, how many admins are going to have a Virtuozzo Linux HW node sitting around? Please don’t think I’m downplaying this solution or the great benefit this donation to the community has been; it’s a very very clever solution. But I honestly believe the more practical solution is a dedicated Linux VPS. Under high loads any mail server is going to slow down and require maximum disk I/O. Dedicating some of this disk I/O to a VPS engine on the same machine (using HW virtualization no less) is going to come at a cost and potentially not provide the performance required.
Side Note: Early on our shared mail servers were using SATA raid arrays. SATA drive I/O is known to burst to SCSI levels but won’t sustain those levels. As a result we had no choice but to move from SATA to SCSI and that was the only difference between the two configurations. Disk I/O is king in a mail server and fast drives and plenty of them in a RAID array is the only way to go for a mail server. Giving up some of this disk I/O to a collocated VPS scares me in our own environment. Your environment is probably much different and may or may not have the same issue but that’s for you to decide.
We’re creating these VPS engines so that we can offer not only a farm of Spamassassin servers for our shared hosting mail servers that we’re able to dynamically add additional nodes to quickly, but provide dedicated managed Spamassassin VPSs to our dedicated hosting clients and potentially mailserver admins worldwide regardless of where their mail servers reside.
Think about it, a plug and play spam fighting solution. This may not be an original Applied Innovations “Innovation” (that distinction goes to: someone_else) but it’s definitely one we’ve taken to the next level and that, my friend, is just why our company is named Applied Innovations. It’s not just a name, it’s what we do.
The Applied Innovations Spamassassin VPS solution is currently available in beta mode. It will be fully available following the completion of our beta testing. If you’re an Applied Innovations dedicated hosting client and need a spamassassin managed VPS online today, let us know and we’ll quote you a price.
Smartertools answers the cry for help in the war on spam with SmarterMail 4.0
Jan 9th
A few months ago we were invited by the smartertools team to become a beta tester for Smartermail 4.0. The biggest change in Smartermail 4.0 for us is the improved spam fighting techniques. With the earlier versions of Smartermail, RBL checks and bayesian filtering were released; unfortunately spammers were already aware of bayesian filtering and had already found ways to corrupt its effectiveness. RBLs are just hit or miss and not really effective for the most part (they tend to throw the baby out with the bath water). One of our comments at that time was “hey look at spamassassin” but unfortunately the bits had been set in stone and it couldn’t be implemented. Apparently we weren’t the only ones commenting on this, because today we have spamassassin integration, and it’s integrated far better than I could have expected.
Enter the ninja.. Spamassassin
Spamassassin is a widely used anti-spam tool mainly used on linux. It uses a set of rules that are constantly being updated, revised and added to, but also supports using 3rd party resources like razor, DCC, and pyzor, which are distributed spam databases if you will.
Smartertools really researched spamassassin and realized that a windows platform would simply not run it as effectively as on unix. So they not only integrated spamassassin but set it up such that you can run a farm of linux based spamassassin servers to filter mail through. Very cool! That there is smart planning!
Daddy don’t want your mail unless you really want to get it to him.
Next is the addition of greylisting. Greylisting is an extremely simple idea. It basically rejects a message on the first attempt and then accepts it on the second attempt. Legitimate mail servers will send a message and, if it doesn’t go through the first time, will re-attempt to send the message a few minutes later and will continue to re-attempt for a set period of time until it finally times out, at which point it’s bounced. The thought is that spammers are hit-and-run mailers. They have so many email addresses to attempt to deliver to that they simply attempt a send, and if it doesn’t go through immediately they move on to the next address and abandon the previous one. Now Grady (from Smartertools) said greylisting would probably be the biggest help in the fight on spam and I didn’t believe him. Boy was I wrong. Greylisting by itself has almost completely eliminated spam on our beta test domains. I’d say less than 10% of the spam quantity is making it past greylisting and that’s a high ballpark estimate.
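The reject-then-accept-on-retry logic described above, as an added Python example (not SmarterMail's implementation and not code from this post). Keying on the (client IP, sender, recipient) triplet, the 2-minute minimum delay, the 4-hour retry window, the 36-day pass lifetime and the reply strings are assumptions; the addresses and IPs are constructed documentation values.

```python
"""Greylisting decision logic replayed over constructed SMTP attempts."""
from dataclasses import dataclass, field

MIN_DELAY = 120             # assumed: a retry must come at least 2 minutes later
RETRY_WINDOW = 4 * 3600     # assumed: a first-seen record expires after 4 hours
PASS_TTL = 36 * 24 * 3600   # assumed: a proven triplet stays accepted for 36 days

TEMPFAIL = "451 4.7.1 Greylisted, please retry later"   # temporary failure
ACCEPT = "250 OK"


@dataclass
class Greylister:
    opt_out_domains: set = field(default_factory=set)  # domains that opted out
    pending: dict = field(default_factory=dict)        # triplet -> first-seen time
    passed: dict = field(default_factory=dict)         # triplet -> last-accepted time

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        domain = rcpt_to.rsplit("@", 1)[-1].lower()
        if domain in self.opt_out_domains:
            return ACCEPT                      # recipient domain skips greylisting
        key = (client_ip, mail_from.lower(), rcpt_to.lower())

        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= PASS_TTL:
            self.passed[key] = now             # known-good sender: no delay
            return ACCEPT

        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > RETRY_WINDOW:
            self.pending[key] = now            # first attempt (or stale record)
            return TEMPFAIL
        if now - first_seen < MIN_DELAY:
            return TEMPFAIL                    # retried too quickly, clock keeps running
        del self.pending[key]                  # a real retry: remember and accept
        self.passed[key] = now
        return ACCEPT


def replay(events, opt_out=()):
    """Feed (time, ip, sender, recipient) events through one Greylister.

    Returns the three-digit reply code for each event, in order.
    """
    g = Greylister(opt_out_domains=set(opt_out))
    return [g.check(ip, s, r, t).split()[0] for (t, ip, s, r) in events]


# Constructed sample traffic, not captured from a real server.
LEGIT = ("192.0.2.10", "alice@example.org", "bob@example.com")
SAMPLE_TRAFFIC = [
    (0, *LEGIT),                                                    # first try
    (0, "198.51.100.7", "promo@example.net", "bob@example.com"),    # hit-and-run
    (30, *LEGIT),                                                   # retry too soon
    (300, *LEGIT),                                                  # proper retry
    (900, *LEGIT),                                                  # later mail
    (900, "203.0.113.5", "x@example.net", "carol@optout.example"),  # opted out
]

if __name__ == "__main__":
    for event, code in zip(SAMPLE_TRAFFIC,
                           replay(SAMPLE_TRAFFIC, {"optout.example"})):
        print(event, "->", code)
```

The hit-and-run sender never comes back, so its message is never accepted, while the legitimate server is delayed once and then passes without delay on later mail.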
What’s the trade-off for all this?
Well there’s no such thing as a free-lunch. Greylisting does delay your messages for a couple minutes and I personally have found it to not be a problem. However if it does cause a problem for you, Smartermail allows you to opt out of greylisting on your domain if you wish.
Any messages that make it through greylisting are then fed to spamassassin’s rules, dcc, razor, pyzor and of course the RBLs, and only then is a message delivered. Now you’re probably wondering: won’t all of those post-greylisting tests delay my email from being immediate? Well, we’re seeing between 1 and 10 seconds per message for processing through spamassassin and based on the accuracy it’s a very acceptable trade-off, and this is running on a standard linux VPS account.
Why is all this necessary?
Spam has reached epidemic proportions and has simply grown out of control. 2/3rds of all email I used to receive on my personal domains was spam. Think about that 2/3rds of every email I’d have to wade through was spam. This means only 30% of the time I spent working in outlook was spent doing anything productive. For us as a hosting company spam represents a major part of our support requests each day and as a result costs us a great deal in time, resources and manpower. Not to mention the lost revenue, time and manpower it costs our clients each day. Not to mention the cost in server hardware necessary to deal with the increased message processing (thanks to spam!). Spam is simply out of control and needs to be stopped. By implementing systems like SmarterMail 4 we may not be able to stop spam but we can definitely lessen the impact it has on us and our customers.
Uninstalling Windows OneCare in Vista RC2
Oct 14th
I upgraded my home PC to Vista today from XP Mediacenter edition and earlier this week I had an email that the new OneCare 1.5 beta was released and “NOW WORKS WITH VISTA”. So I figured I’d install the new version of OneCare.
First, you have to uninstall OneCare before installing a new version. The problem is that when trying to uninstall OneCare I kept getting an error ‘0x2’. DOH!
So here’s the trick to uninstalling OneCare (courtesy of this link).
1. Download the Windows Installer Cleanup Utility: msicuu2.exe
2. Run this program. If it doesn’t run/install, right click on it and select “Run as Administrator”. That solved this step for me.
3. After it’s installed, run this utility by going to: Start -> All Programs -> Windows Installer Cleanup.
4. ‘Cleanup’ all of these apps. If you don’t see them all don’t worry, I only had 3 or 4 of them:
   - Dr Watson for Microsoft Windows OneCare Live
   - Microsoft Windows OneCare Live
   - Microsoft Protection Service
   - PX Engine
   - Microsoft Malware Protection Engine Files
   - Microsoft Malware Protection On Access Scanner
5. Try to uninstall OneCare and if it fails then proceed to step 6.
6. Download the Windows Live OneCare uninstall program: 48034
7. Run the uninstall program you just downloaded, right-clicking and running it as admin if it fails. Now the first time I ran this my box bluescreened (yeah they still exist, go figure!) but when it rebooted and I ran it again, it ran without a problem and uninstalled the app without a problem.
That’s it that’s how I managed to uninstall OneCare from within Vista RC2 (Build 5744)
PHP is not secure on Windows!
Sep 19th
Today I was told “PHP is not secure on Windows” and “if you ran PHP on a windows server your server would get hacked”. To add insult to injury, it was then implied that running PHP on your server would steal resources on your server that would otherwise be available to your ASP or ASP.net applications and that if you wanted to operate a serious website you would never run PHP on a windows server.
This article will hopefully provide you details on how to better configure your IIS6 shared hosting servers so that your server isn’t as vulnerable to being attacked and can run not only PHP but also ASP, ASP.net, PERL and any other scripting language you want while remaining secure, stable and fast! At Applied Innovations we’ve supported ASP & PERL on windows since our inception in 1998, PHP on windows since 1999 and ASP.net since the early pre 1.0 betas. We’ve watched these technologies all mature and develop and we’re proud to say that not only can you run these all on a windows based server but you can do it while remaining secure, stable and offering best in class reliability when run on Windows 2003 and IIS6.
The biggest problem with IIS6 is that everyone believes the Microsoft marketing (after all, if Microsoft says it, it must be true) that “IIS6 is secure out of the box”. They then proceed to create their websites all sharing a single application pool and all running as “Network Service”, the default identity for the default application pool. This IIS6 configuration may be secure for a single site on a single server out of the box and is without question more secure than its predecessors. However, for shared hosting, where hundreds of websites share (read: compete for) a single physical machine’s resources, this base configuration needs a little work. Fortunately, Microsoft is committed to seeing its hosting partners excel in the hosting marketplace and provides us with the information on just how to do this.
Creating a secure shared hosting environment in IIS6
1. Application Isolation on Windows 2003 & IIS6. IIS6 allows you to run each site in a separate application pool. By running each site in a unique application pool you’re able to isolate one site’s executing code from another. The advantage here is that if each site is in a unique pool and something happens on one site that causes that pool to fail, only that pool is affected and meanwhile the rest of the sites on the server continue to run as if nothing ever happened. An outstanding paper by Microsoft is available on this topic here: Configuring Application Isolation using Windows Server 2003 and IIS 6.0. This paper also explains how to take advantage of the new reliability and resource control features built into IIS6, such as rapid fail protection, memory limitations, automatic application shutdown and recycling, etc. You should read this paper before continuing. Did you finish reading it? Good, now go back and read it again. There’s a lot of information there.
2. User Permission Isolation to Secure Applications. The second step to securing IIS is to not use the default application pool identity “Network Service” and instead create a unique user for each application pool. You’ll find that it’s still very common for most hosts to run IIS using the “Network Service” account. In fact, still today almost every ASP.net developer, when requesting that you adjust file permissions, asks you to grant permissions to ASPNET (the user ASP.net runs under in Windows 2000 by default) or “Network Service”, the Windows 2003 default user. The correct instructions should be “grant permissions to the user your Application Pool executes as”. The secure way to isolate your applications/sites is to create a unique user for each application pool and execute the pool as that user. This user will ONLY be used for executing this application pool and will not be used for anything else. You would then grant that user access controls (or ACLs) to only the files, directories and resources on the server that this user absolutely requires access to. The easiest way to do this is to assign the users as members of the IIS_WPG group and grant or deny permissions to the IIS_WPG group on the server resource. By tightening ACLs, should one of your application pools be compromised and a hacker use it to attack the file system on your server, they would be sandboxed and only allowed access to those areas of the server that the user that application pool runs as has access to. The key is limiting the area exposed to being compromised. Additionally, by running each website as a unique user and only granting access to the website files for that particular website, should that one pool be compromised they would not be able to access the files of the other websites on that server. NOTE: you should never grant IIS_WPG access to a website’s wwwroot and instead grant it on a per user basis.
Details on how to properly configure ACLs and what steps need to be taken can be found here: Using Isolation to Secure Applications (IIS 6.0).
If you followed the two steps above you’ll have isolated every website into its own application pool and you’ll have each site running as a unique user that only has access to its own files and minimum system resources, effectively sandboxing every website. You now have your server configured so that no one website can access the files or resources of any other website on your server. Should any one website become hacked and a hacker execute code, that code would not be able to affect any other site on the server and not be able to further compromise your server. This is a secure, sandboxed, hosting environment and anything less than this is not secure for shared hosting. Once you have a secure hosting environment you can then safely allow ASP, ASP.net, PHP, Perl or any other scripting engine you want (provided you properly configure it). The key is that you’ll want these applications to run within the isolated application pool as the isolated application user for that site so that they remain sandboxed.
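One way to check a server against the two steps above, as an added Python example (not from the original post or from Microsoft's papers). The inventory layout, the site, pool and account names (WEB01\pool_a and so on) and the finding codes are assumptions for illustration; the sample data is constructed rather than exported from a real IIS metabase.

```python
"""Audit a shared-hosting inventory against the two isolation rules."""
from collections import defaultdict

# Built-in service identities that sites end up sharing when defaults are kept.
BUILTIN_IDENTITIES = {
    "nt authority\\network service",
    "nt authority\\local service",
    "nt authority\\system",
}
SHARED_GROUP = "iis_wpg"   # per the NOTE above: never on a site's wwwroot ACL


def audit(sites):
    """Return a sorted list of (site, finding) tuples for the given inventory."""
    sites_in_pool = defaultdict(set)
    pools_for_identity = defaultdict(set)
    for s in sites:
        sites_in_pool[s["pool"]].add(s["site"])
        pools_for_identity[s["identity"].lower()].add(s["pool"])

    findings = set()
    for s in sites:
        site, ident = s["site"], s["identity"].lower()
        # Step 1: every site runs in its own application pool.
        if len(sites_in_pool[s["pool"]]) > 1:
            findings.add((site, "SHARED_POOL"))
        # Step 2: the pool executes as a user created only for that pool.
        if ident in BUILTIN_IDENTITIES:
            findings.add((site, "DEFAULT_IDENTITY"))
        elif len(pools_for_identity[ident]) > 1:
            findings.add((site, "SHARED_IDENTITY"))
        # wwwroot ACL: the site's own pool user only, never the shared group
        # and never an identity that another pool (or the default) runs as.
        for principal in s["wwwroot_acl"]:
            p = principal.lower()
            if p.split("\\")[-1] == SHARED_GROUP:
                findings.add((site, "GROUP_ACL_ON_WWWROOT"))
            elif p != ident and (p in pools_for_identity
                                 or p in BUILTIN_IDENTITIES):
                findings.add((site, "FOREIGN_IDENTITY_ACL"))
    return sorted(findings)


ADMINS = "BUILTIN\\Administrators"
NETSVC = "NT AUTHORITY\\NETWORK SERVICE"

# Constructed inventory: site-a is configured as described, the rest are not.
SAMPLE_INVENTORY = [
    {"site": "site-a", "pool": "pool-a", "identity": "WEB01\\pool_a",
     "wwwroot_acl": [ADMINS, "WEB01\\pool_a"]},
    {"site": "site-b", "pool": "DefaultAppPool", "identity": NETSVC,
     "wwwroot_acl": [ADMINS, NETSVC]},
    {"site": "site-c", "pool": "DefaultAppPool", "identity": NETSVC,
     "wwwroot_acl": [ADMINS, "WEB01\\IIS_WPG"]},
    {"site": "site-d", "pool": "pool-d", "identity": "WEB01\\pool_d",
     "wwwroot_acl": [ADMINS, "WEB01\\pool_d", "WEB01\\pool_a"]},
    {"site": "site-e", "pool": "pool-e", "identity": "WEB01\\pool_d",
     "wwwroot_acl": [ADMINS, "WEB01\\pool_d"]},
]

if __name__ == "__main__":
    for site, finding in audit(SAMPLE_INVENTORY):
        print(f"{site}: {finding}")
```

Any finding means a compromise of one site's worker process would reach beyond that site's own files.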
Unfortunately doing all of this will not make you invulnerable to getting hacked but will help to reduce the number of attack vectors that could result in your hosted websites getting hacked. Additionally, should a site get hacked you have now limited the impact on your server, regardless of what scripting language your web applications run under.
You’re also probably wondering what this has to do with running PHP under Windows securely? You see, it’s not the PHP programming language that gives PHP a bad name, it’s not Microsoft trying to slander PHP either, it’s the web developers that use PHP to write insecure web applications that are then executed on insecure web servers. It’s these insecure scripts on insecure servers that make people say PHP is not secure on Windows. If a website running a PHP application is hacked and the user that this site runs as has full access to all the other sites on that server, then you don’t have one compromised website but dozens of compromised websites!! This also isn’t a Windows only issue. These hackers know that web developers are lazy and like to grant world writeable to all folders and all files instead of specific pages or subfolders (Linux guys take note: CHMOD 777 -R is not a good thing!). Thus, I wrote this article because it’s widely assumed that PHP is not secure on windows hosting, when the truth is nothing is secure on windows hosting (even ASP and ASP.net) unless the hosting is secured first.
So is it the system administrator, the webmaster, the application developer, the language developers, the OS developers or the hacker squirreled away in the basement in his mommy’s house that’s at fault?
It’s everyone’s fault!
- the system administrator needs to secure his server and audit it regularly, keeping the scripting languages, OS, etc all patched and up to date.
- the webmaster needs to use secure passwords, maintain secure file permissions, keep his scripts and applications up to date.
- the application developer needs to keep his scripts secure and not vulnerable to common issues like SQL injection and cross site scripting attacks.
- the language developers need to always stay ahead of hackers, paying attention to hacking trends and not only fixing bugs and security holes but finding them and trying to compromise their own platforms before the hackers do.
- the hacker, well not much we can do with him but if we all do our part then these guys aren’t going to have sites to hack and eventually they’ll leave that basement and go find something useful to do with their time. World peace could be a start!
I’d love to hear what others have to say and welcome any and all feedback. My next article will address just why a windows web server running PHP and ASP.net is not just for hobbyists and can be done in a production web environment reliably, securely and still remain extremely stable. In the meantime if you’re looking for proof of this concept and want a stable, reliable windows hosting platform that allows you to run PHP4, PHP5, PERL, ASP, ASP.net 1.1 and ASP.net 2.0, please visit Applied Innovations at www.appliedi.net.
Connecting To Server Console In Terminal Services
Aug 18th
This was pointed out to me by my colleague Carlos. If you want to connect to the server console of a Windows 2003 server through terminal services (if you don't know what this means, it's the same as if you connected a keyboard, mouse and monitor to the server and logged in directly from in front of the box) you can execute the following:
If you want to connect to a terminal server via the command prompt you can do so by typing the following: “mstsc -v:servername /F -console”. ‘mstsc’ is the remote desktop connection executable file, -v specifies which server to connect to, /F is for full screen mode, and -console indicates that you want to connect to the console.
That's a pretty handy little trick as some applications will only run from the console and many popup messages only display on the console.
If that doesn’t work try: mstsc -v:servername -console