OpenSSL vulnerability – Heartbleed Bug statement

You might think the Heartbleed bug is already history, but in recent days some of our customers have requested a public announcement due to the unprecedented media profile of this particular security vulnerability.

Whilst the media are (rightly, to an extent) making a lot of noise about this bug and its significance to the Internet population at large, the truth is we as sysadmins haven’t treated this security threat any differently to any other.

There are lots of important security vulnerabilities uncovered which have the potential to give an attacker full access to your server (arguably more serious than this case) – so we patch and work around security vulnerabilities on an almost daily basis as part of our fully managed service. There is simply no reason or benefit to announce each and every one of these – our customers use our service to stay focused on their business rather than technical details like these.

Our expert technical team are always there in the background, performing server tune-ups to ensure that the configuration is optimal and secure at all times, so that you don’t have to.

If you somehow managed to miss the media coverage and the myriad of announcements and emails in your inbox about the Heartbleed bug, you can find more details regarding this vulnerability alert issued by the OpenSSL group on April 7, 2014: http://heartbleed.com/

Some of the services that we provide were using software vulnerable to this bug and therefore we have taken the necessary steps to address this:

Managed VPS, Cloud VPS, and Dedicated servers

These servers are based on CentOS Enterprise Linux, which uses Red Hat Enterprise Linux as its upstream. The vulnerability was introduced to Red Hat / CentOS in version 6.5, released in December 2013. Consequently, new servers provisioned after this date were vulnerable to Heartbleed.

Our engineering team installed a number of critical security updates and regular updates (including RHSA-2014:0376-1, CVE-2014-0160) on all affected servers during an emergency maintenance window at the beginning of last week.

The emergency maintenance was completed successfully without incident.
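As an added example (not Layershift's maintenance tooling), here are two checks an administrator can run on a CentOS / RHEL 6 host to confirm that the fix shipped in RHSA-2014:0376 for CVE-2014-0160 is both installed and actually in use. The live-host helpers assume `rpm` and `lsof` are available; the changelog parser works on any text, and the sample changelog below is constructed in rpm's layout (its version numbers are illustrative, not copied from the real package).

```shell
#!/bin/sh
# Added example, not Layershift's code: verify the Heartbleed fix on a
# CentOS / RHEL 6 host.  Assumes rpm and lsof for the live-host helpers.

# Print the package version from the first changelog entry that mentions the
# given CVE, reading "rpm -q --changelog" style text on stdin.  rpm prints one
# header line per entry ("* <date> <author> <version>") followed by "-" bullet
# lines, and Red Hat records backported fixes by CVE id, so the version string
# alone (1.0.1e on both vulnerable and fixed builds) proves nothing.
changelog_fix_version() {
    awk -v cve="$1" '
        /^\* / { version = $NF }                       # remember the entry header
        index($0, cve) && version != "" { print version; exit }
    '
}

# Returns 0 when the installed openssl package carries the CVE-2014-0160 fix.
openssl_fix_installed() {
    v=$(rpm -q --changelog openssl | changelog_fix_version CVE-2014-0160)
    [ -n "$v" ]
}

# Updating the package is not enough: daemons started before the update keep
# the old, vulnerable libssl/libcrypto mapped until they are restarted.  lsof
# marks such mappings DEL (the file on disk has been replaced); print the PIDs
# so those services can be restarted.
processes_with_stale_openssl() {
    lsof -n 2>/dev/null | grep DEL | grep -E 'lib(ssl|crypto)' | awk '{ print $2 }' | sort -u
}

# Constructed sample changelog in rpm's layout (versions are illustrative).
SAMPLE_CHANGELOG='* Mon Apr 07 2014 Example Maintainer <maint@example.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Fri Jan 10 2014 Example Maintainer <maint@example.com> 1.0.1e-16.4
- earlier, unrelated fix (placeholder entry)'

# Usage: printf "%s\n" "$SAMPLE_CHANGELOG" | changelog_fix_version CVE-2014-0160
```

On a real host, run `openssl_fix_installed && echo patched` and then `processes_with_stale_openssl`; any PID it prints belongs to a service that still has the vulnerable library loaded and needs a restart (or a reboot if the list is long).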

Jelastic PaaS

Jelastic servers are based on CentOS 5, which was not affected by Heartbleed. CentOS 5 has long-term support for an older version of OpenSSL (0.9.8e), with selected and carefully tested fixes backported from newer versions of OpenSSL, and those backports did not include the vulnerable code.

SSL certificates

If your services were affected by this bug, we recommend reissuing your SSL certificates using a new private key. If your SSL certificate was purchased via Layershift, we will be happy to assist you with this process; please contact us via www.layershift.com/support
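The re-keying step above, as an added example that is not Layershift's procedure: generate a brand-new private key and CSR with the `openssl` command-line tool, then check that the new key really differs from the old one and that the CSR you send to the CA belongs to the new key. File paths and the subject `/CN=www.example.com` are placeholders.

```shell
#!/bin/sh
# Added example, not Layershift's code: re-key a TLS certificate after
# Heartbleed.  Assumes the openssl CLI and sha256sum; paths are placeholders.

# Generate a fresh 2048-bit RSA key and a CSR for it.
# $1 = output prefix (writes $1.key and $1.csr), $2 = subject, e.g. "/CN=www.example.com".
reissue_keypair() {
    prefix=$1; subject=$2
    # Never reuse the old key: a leaked private key is the whole reason to reissue.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$prefix.key" 2>/dev/null
    chmod 600 "$prefix.key"
    openssl req -new -key "$prefix.key" -subj "$subject" -out "$prefix.csr" 2>/dev/null
}

# SHA-256 of a private key's public half (DER), so two keys can be compared.
pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Returns 0 when the two private keys have different public halves.
keys_differ() {
    [ "$(pubkey_digest "$1")" != "$(pubkey_digest "$2")" ]
}

# Returns 0 when the CSR's public key matches the given private key, i.e. the
# CSR really was made from the new key and not from the old one by mistake.
csr_matches_key() {
    csr_digest=$(openssl req -in "$1" -pubkey -noout 2>/dev/null \
                 | openssl pkey -pubin -outform DER 2>/dev/null \
                 | sha256sum | cut -d' ' -f1)
    [ -n "$csr_digest" ] && [ "$csr_digest" = "$(pubkey_digest "$2")" ]
}

# Usage:
#   reissue_keypair /etc/pki/tls/private/www-new "/CN=www.example.com"
#   keys_differ /etc/pki/tls/private/www-old.key /etc/pki/tls/private/www-new.key && echo "new key"
#   csr_matches_key /etc/pki/tls/private/www-new.csr /etc/pki/tls/private/www-new.key && echo "CSR ok"
```

Two things the script cannot do for you: ask the CA to revoke the old certificate (a reissue alone leaves the leaked key's certificate valid until it expires), and restart every service after installing the new certificate so the new key is actually loaded.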

Generating Jelastic SSH keys with PuTTYgen

We’ve just added key-based SSH access to our Jelastic PaaS, and with many of our Windows users using PuTTY as their preferred SSH client it seems a good moment to give a brief PuTTYgen walkthrough. Here’s how to generate SSH keys using PuTTYgen.

1. Download and open puttygen.exe (included with putty-version-installer.exe, or standalone)

2. Enter the following parameters (the defaults are fine):

[Screenshot: PuTTYgen key parameters, including type of key]

3. Note the OpenSSH-compatible output at the top of the window. This is what you’ll need to copy/paste into the Jelastic dashboard. You can always access this again later using the ‘Load an existing private key file’ option.

4. Enter a ‘Key comment’ to help you to identify this key later. For example, something describing where you use this key. We’re just using rsa-key-jelastic since we’ll use this key with our Jelastic PaaS.

5. Your key is saved encrypted on disk, and the ‘key passphrase’ will be used to unlock it when you want to use it. In other words, this protects your key from malicious use, so treat it like any other password – use something long and strong!

6. Save the private key part to your computer before exiting PuTTYgen (note: you can save the public key file too if you wish, but it’s not saved in OpenSSH format so it’s not useful here).

Don’t forget to copy/paste the public key (in OpenSSH format) from step #3 into your Jelastic dashboard. See our Jelastic SSH Access KB article for more details.

Configure PuTTY to use your SSH key

1. Add the private key to PuTTY, under Connection > SSH > Auth. Just browse for your .ppk file (private key saved from PuTTYgen). The other settings on this screen can be left as the defaults.


2. (optional) Configure your username, under Connection > Data so that you don’t have to enter it manually every time you connect. Your Jelastic SSH user ID is located in the SSH Access settings section of your Jelastic dashboard. We’re using user 3072 in our example. Make sure to replace this with your specific user ID.

3. Finally, configure the host name (gate.j.layershift.co.uk) and SSH port (3022) for the connection. We recommend that you save the session profile so that you can connect again easily in future.

4. Then just hit ‘Open’ to establish your SSH connection. Enter your SSH key passphrase, and you’re connected. Take a moment to verify the SSH fingerprint presented during the authentication phase matches the one published in our KB article.

Next time you can just ‘Load’ the saved session and ‘Open’.

Now you can use PuTTY to connect to your Jelastic PaaS servers via SSH using key-based authentication.

Not using Jelastic yet? Try it now absolutely free.

New: Jelastic SSH Access

Ever wanted to combine the awesome power of our Jelastic PaaS with command line utilities of the latest generation PHP frameworks, Composer package management, or just enjoy the simple elegance of vim for some on-the-fly last minute edits?

Guess what – now you can! We’ve added an SSH gateway to our platform, so now you can log in to any of your Jelastic nodes and configure key-based authentication for your git repositories, run artisan, and validate your httpd.conf before restarting Apache!

GlassFish users can now use asadmin to start the local Derby (JavaDB) database engine if it’s needed by their project (stopped by default to save resources), whilst MySQL, MariaDB, PostgreSQL and MongoDB users can run their respective CLI utilities directly on the server to perform import/exports and other administrative functions.

This new functionality is available to all Layershift Jelastic PaaS customers right now. Check out our Jelastic SSH Access KB article for details. Give it a try and let us know what you think!

Missing out? Try our Jelastic PaaS free. No credit card details needed.

How to Tune the Garbage Collector in Tomcat

The guys at PayPal recently switched away from Java, citing (perhaps questionable) performance gains. One important, but easily overlooked, way to keep your Java app performing at its best is to make sure that the JVM is well tuned to your needs – that includes taming the Garbage Collector.

If Java had true garbage collection, most programs would delete themselves upon execution.

- Robert Sewell

Java’s Garbage Collector does an important job, and if you tune it properly, you can prevent memory-intensive programs from freezing your system. It’s easy to assume that if you know how to develop large programs and applications, you already know how the Garbage Collection process works, and that choosing the right Garbage Collector algorithm shows you fully understand the characteristics of the program you have developed.

If you’re not quite sure how the whole process works, we’ll try to summarise the most important aspects for you.

Meet the Garbage Collector, it will save your day!

You’ve just developed a large application, and you couldn’t be more excited! But, as this application runs, it creates objects; as it continues to run, many of these objects are no longer required and they cause your program to run out of memory for no apparent reason.


Hosting the Christmas Holiday @Layershift

The Christmas holiday season is already kicking into gear, with people travelling across the country, and even around the world, to spend precious time with their loved ones. For many, hosting servers and services are already far from their minds – but of course when you open up that website to spend a Christmas gift voucher, or play that new online game, you still expect it to work flawlessly.

Layershift Christmas opening times

Just like you, we try to give our hard working teams a nice relaxing Christmas so that they can spend quality time with their families and loved ones.

We all know that the internet never sleeps, and certainly server problems are not so kind as to respect any holiday season – so be assured that even though we will be running with a skeleton staff (to give our team as much of a well deserved break as possible) over the Christmas period, we remain ready to handle any issue and provide assistance 24×7: even on Christmas Day itself.

