Stoned-IT

The datacenter that houses the german VPS servers has upgraded the Ams-IX connection from 1-gbit to 10gbit. This should resolve most bandwidth limits for traffic towards the Netherlands.

The VPS servers hosted in Germany (ip range 188.40.173.x) now have access to native IPv6 connectivity. The IPv6 connectivity used to be a tunnel to SixXS, but is now native. At this time we only have a single /64 for all vps servers combined, but that should be sufficient. If you want v6 adresses, please let us know, or just use autoconfiguration.

On another note, the vps servers in Rotterdam (range: 193.200.132.x) will notice some network-downtime tonight, due to network-maintenance at the upstream network provider. There will also be some on-site maintenance on the cooling-system, but we do not expect any server-downtime.

The network downtime in Rotterdam will be between 00:00 and 05:00 on July 3rd 2010, CEST.

Some good news for users of the KVM virtual machines. Traffic limits have been increased by at least 100%. The fee for extra traffic will also be lowered in the coming days. The product page has been changed to reflect the new traffic limits.
The prices of various KVM-based virtual machines have also been lowered significantly.

We have recently upgraded the servers that run the VPS’s. New VPS’s will be created on the newer servers, which run quad-core Intel i7 CPU’s. These servers are also housed in a bigger and better-connected datacenter with a largely redundant network and better cooling and power system.

Existing VPS systems can and will be migrated to new systems in the coming weeks, after this has been communicated with the users.

The new datacenter and servers use KVM as a virtualisation platform, which allows us to have virtual machines running other operating systems then Linux, as well as having more flexibility in how virtual machines are configured. We can also use a lot more data-traffic in the new facility, so network traffic limits have been increased significantly for these systems.

If you want your system migrated to the new infrastructure, do not hesitate to contact us at order <at> stoned-it <dot> com

One of the virtual machines from a customer experienced a hack this week. Nothing too serious, but a script kiddie managed to break into a user-account and used this access to install more exploit scanners on our hardware.

I was called by my friendly network-admin to tell me that we were saturating the network-connection, and he kindly told me which machine was the culprit. It then didn’t take too long to find out what the problem was, which was quickly resolved by closing that user-account and killing the attacking processes.

Looking into the files left behind by the attacker gives some nice insight into the typical script-kiddie way of doing business. I’ll try to give a short peek behind the scenes.

First the machine was being scanned by a ssh password scanner. After a while a succesful login was found, and our attacker logged in. This was on May 2nd, and our attacked hung around for about 15 minutes, installing and downloading various attack programs.

He logged in a few more times during the next 2-3 days, but probably had his tools doing their job already, reporting their findings without him having to log-on to check.

The tools installed included:

• A shoutcast server
• Port-scanners
• SSH password scanners
• A list of more then 400000 username/password combinations
• A VNC authentication scanner
• Trojan.Linux.RST.b

I’ve reconfigured the configuration of memory for the guests. You should (if you reboot your system) now see double the amount of memory as you would before. Half of this amount is guaranteed, and is what you are actually paying for. The other half of the memory can be used if it’s available.

So if you have a 512MB machine, you should see about 1GB of memory, of which 512M is guaranteed and reserved for your system. You can use the remaining capacity when it’s available, but this space isn’t guaranteed and your processes using it could be killed by the out-of-memory system.

If you need more guaranteed memory for longer periods, please upgrade your account. If you don’t want to see and be able to use the extra capacity, let me know and I’ll present you with your guaranteed amount permanently.

If you ever used the https sites at stoned-it you might have noticed that the certificate was signed by a Certificate Authority that isn’t included in most browsers (yet). I used to use a CACert.org certificate, which works very well, as long as your browser includes it’s CA certificate.

I now found another Certificate Authority that could provide me with a free server-certificate, and which _IS_ included in the default browser-set (at least with firefox, seems to not be included in IE8). So you should now be presented with a StartSSL signed certificate and no longer be greeted with a certificate warning if you don’t have the CACert.org certificate installed.

The Stoned-IT.com zone, and zones connected to the VPS’s have been moved from ns1.maniac.nl/ns1.nerdnet.nl to the nameservers of openprovider. This should guarantee a better reachability of the DNS records.

Stoned-IT can now also handle domain registrations and ssl-certificate requests.

There is now also a RoundCube installation which you can use as webmail client for any IMAP server. You can find the link under the Links header, or by going to https://vps.stoned-it.com/roundcube/

VPS.Stoned-IT.com uses OpenVZ virtualisation to provide it’s users with Virtual Linux Environments. In this article I will try to describe how OpenVZ works, why we use OpenVZ, and what the advantages and disadvantages of using OpenVZ are.

OpenVZ

OpenVZ is a virtualisation technology that was developed by Parallels, and is the basis for their Virtuozzo platform. OpenVZ consists of the open sourced parts of Virtuozzo.

OpenVZ works somewhat like Solaris Zones or FreeBSD jails, in the aspect that it utilizes a single operating system kernel and creates various user-environments within the single operating system space. The various user-environments are called Virtual Environments, of VE.

Users in a VE will have their own view on the available resources in the system. They are only able to see and interact with processes running in the same VE, they only have access to files and diskspace assigned to the VE and can only see network-traffic destined to the IP address assigned to the VE.

Advantages and disadvantages

Due to the fact that OpenVZ uses a single operating system kernel to provide various Virtual Environments the overhead of OpenVZ is very low. No memory is wasted by loading copies of the kernel for every VE, no translation is needed for I/O going to the storage or network.

This allows for very lightweight VE’s, with some environments taking less then 8MB of memory and only a few megabytes of diskspace.

Another advantage of OpenVZ is that it doesn’t require any hardware-assisted virtualisation on the system and it doesn’t need to ‘emulate’ any cpu or I/O instructions, which would put a large strain on the resources.

A disadvantage of the OpenVZ VE’s is that only Linux environments are possible, since the kernel is shared between all environments it’s not possible for a VE to make modifications to the kernel. It’s also not allowed for the VE’s to change their IP-configuration, to act as NFS servers or to mount filesystems, as this would have an impact on the host’s security system.

Your files and processes are visible on the host-system, but hidden from other users of the system. Only the root-user on the host can access your resources. This access is also used to make backups of all your files, so we can help you with a restore in case you accidentally erase some files.

It is possible to mount iso images and use sshfs systems using fuse, but kernel-mode mounting is not available.

Why OpenVZ

For VPS.Stoned-IT.com we decided to use OpenVZ, since it allowed us to use available hardware (without hardware assisted virtualisation) and provide cheap and fast Virtual Environments. The low memory usage and high throughput allows us to provide the users with more memory and I/O speed than would be possible using other techniques.

The VPS hosts at Stoned-IT.com are now IPv6 enabled, and all hosts have been given a IPv6 address.
More addresses are available on request. If you can’t reach the outside world, you need to create a default-route in your VPS to the venet0 interface:

ip -6 route add default dev venet0