Neverside

Not quite sure about IRC security, but if it's a problem putting it on your server, I say we just relocate to another public irc server and make our own channel. Like Lucifel and Rider suggested.

___________________

Portfolio | Myspace | Last.fm | Virbº

Shawn suggested getting a shell, which I'd rather do. They're pretty inexpensive.

___________________

Free-Speed Nation

Why does this site cost $450/mo to run? There are about ten posts per day.

Edit: And with this kind of traffic, is there a huge threat that someone will try hard enough to compromise it?

Edit 2: I just read the actual news post saying it's going from $250 to $150. Even so, it looks like you could run this site off of a $30/mo shared host at the moment.

Last edited by Rad, April 12th, 2007 04:29 AM (Edited 2 times)

Heh the hosting situation is a tangled mess of pain and suffering :P

When Neverside was released (from TF), we upgraded to a large server at ThePlanet for $249/mo, with the expectations of needing the full resources of that system in the near future. Initially that server was split between Shawn and myself, so the expense wasn't too extreme between the two of us. After Shawn moved on from his position at NS, the full amount was for me to pay. The way NS was developed has tied it, to a degree, to the particular combination of server software that it runs on (Apache 2, PHP4, and MySQL 4 - though in my tests it works with MySQL 5 as well... NS + PHP5 crashes the server though haha), as well as a specific custom file/directory structure on the server. It also does not get along with any of the typical hosting panels (cpanel, plesk, etc - we even had trouble with directadmin). A number of months ago I made an "attempt" at migrating NS over to a different server that I had then agreed to split with Wilfried (Nphase), not knowing about the tight software requirements at the time. I migrated all of my other sites there, and then found it impossible to get NS working in that environment (which runs cpanel). I was committed to that new hosting agreement for a time, so I have had to maintain both for the time being. I decided to eat the cost of the NS server for a short while until the new NS was complete since moving it is such a hassle/distraction, but didn't expect my development to take as long as it has. This new server is meant to replace the inefficient situation, condensing both servers down to a single less expensive one, which is powerful enough for both absolutecross.com's needs, and the next stages of growth projected for NS after the new release, given new promotion and advertising plans.

Regarding NS and the dedicated server use - that's correct, in terms of resources it could easily work on a virtual host level right now. However unfortunately its technical requirements prevent that. The site that "does" require a dedicated server is absolutecross.com, which receives substantially more traffic than NS - its requirements are more on a bandwidth and disk i/o level, and not so much on a processor level, since AC is still a static html based site. I considered moving over to a grid-based setup from MediaTemple or Mosso, but after researching and talking with their reps, found the setups to rigid to work with the current NS configuration. So hence the dedicated server with SoftLayer.

So far as security/risk of being compromised... it's not really an issue usually of how popular the site is (though of course that increases the risk of malicious types of attacks) - automated scanners looking for vulnerabilities will take advantage of anything they find, whether the hosted sites are big or small - they are not necessarily interested in damaging or defacing a website, but more at gaining control over more servers to use for their own purposes.

Anyhow, hope this helps clarify the situation

___________________

-- Dave
Neverside Admin

absolutecross.com

Last edited by AbsoluteCross, April 12th, 2007 05:50 AM (Edited 1 times)

Just out of curiousity, what prevents Neverside from running on a virtual server?

To name a few (I believe there are others, though I've of course not tested NS in reality on virtual hosting)...

- As stated above, NS doesn't play well with hosting control panels - almost all virtual hosting environments have these and are not optional.
- As mentioned, NS is tied down to PHP4 and Apache 2, a combination that is uncommon with virtual hosts (e.g. cpanel has Apache 1 and PHP5). PHP5 + NS crashes the server. Apache 1.x breaks NS's subdomain user profiles among other things where mod_rewrite is concerned.
- NS requires a wildcard DNS entry that interacts with mod_rewrite to produce the automatic user subdomain profiles (etc). Every host I've asked has said they won't do this.
- NS has many "real" subdomains as well, many of which have custom httpd.conf files.
- Though many hosts "claim" to offer immense amounts of disk space, the reality becomes quite different when you actually "do" reach multiple GB of data. NS's files, attachments, images/thumbnails, and the mysql database itself are in the 3GB range currently, not including NS's custom per-section log files (which are quite a bit more). Speaking of mysql, many hosts in my experience put limits on mysql database site.

As mentioned before, whether NS currently needs a dedicated server or not, absolutecross.com does - and NS would be hosted along with that of course. The new version of NS requires a dedicated server as well, as we need custom libraries that will be processing audio and video files, not commonly available on virtual hosts (not to mention the processing required would get us kicked off immediately).

Hope this clarifies.

___________________

-- Dave
Neverside Admin

absolutecross.com

I'm not sure if absolutecross.com or any of your other sites have eCommerce or other such important information on them, but if they do, as it seems they do from your desire for security, I would definitely block IRC. In fact, I would block everything except your run of the mill web ports, 80, 443, 21 for ftp, and if you do video streaming the ones required for that. If for some god awful reason you are using tomcat, you need port 8080 open as well, though I've seen worms propogate across port 8080. Then again, tomcat is consider worse than a worm by some...

I do network security for a living, and I know when my internal sites set up a web server, it gets port 80 and 443 only, sometimes just 80 depending what type of server it is. I'll laugh at them if they request IRC, unless they're yknow, my boss or something. ftp from inside the network, but since you're not a LAN you need that from outside as well.

The boys are right, just use efnet or something, and just advertise where you are. That way when you guys piss off the world, you won't get the NS server attacked anyway.

Again, I do network security, not server, so I'm not sure how to harden your server as far as disabling services go, but if you have the option to control what network ports are open to you, I could do the work down for you.

___________________

:: pop ::

Wouldnt it be cheaper for you to buy a server and colocate it in a data centre. That would save you a fortune.

Thanks for the tips and feedback Nykoelle - very much appreciated

I'll talk to Shawn sometime this weekend about IRC shell accounts and see if that's a route I want to take, or if we'll go with #neverside on another network. As no one has spoken up in favor of keeping IRC on the server with links/research for me to study on why, we'll be going with one of the 2 above routes.

So far a colocation... I'm definitely considering that for a future option, though there are various catches that prevent it for now. For one, I don't have the up-front capital available for a server-class system (which are a lot more than the average home PC). The current finances coming in from the sites are not stable enough to take out a loan on either. Also my understanding is that colocation often tends to be mostly do-it-yourself (probably not always the case of course), and a lot more "if it's broke, you come down here and fix it yourself". There's also the usual aspect of outgrowing hardware and/or hardware becoming obsolete - so eventually you have to buy yet another server (whereas dedicated you can just switch to a new plan... add a second server if needed that same day for $1xx or so, versus another $xxxx+ investment). Also with dedicated at so much higher quality and such lower prices these days, the price difference between dedicated and colo (as colo still costs for the rack space, the bandwidth, etc) is getting smaller. In the long term, when the finances are there for the initial investment, scaling to multiple servers becomes a real concern, and the ability to fully support any technical problems are in place, then colocation may well be the better option for us.

___________________

-- Dave
Neverside Admin

absolutecross.com

I love Rad, and that is for the record.

When we went to ThePlanet it was the same server specs as what TF, AC and all of that was on at EV1Servers. So it was pretty common to do that then.

Jeremie has a voodoo config that doesn't play nice with control panels or anything of the sort and since I have left and the traffic here has dramatically dropped it's only common to drop down to a lower price per month (which really, Dave's getting a bit more powerful server or just as powerful anyways with the same bandwidth at a very big reduced cost).

Because of certain things Dave also went over to Wilfried (nphase to you all) for AbsoluteCross.com and split that server in half so that is where the $250 + $130 or something a month for $380/mo in server expenses that were unnecessary. Given Dave's limited knowledge of the setup here it's safe to say he just went with the simple route to avoid any issues and problems.

I talked with Dave a few weeks ago about getting off of this setup as it is unnecessary and to just simply reduce all of it's costs so he could save that up and pass it off to a designer or contract developers to help him with the forthcoming version of this "site".

So in the end, Dave is reducing costs by about $200/mo which can be put forth with more important things. Running on a VPS is fine for personal projects, development and so forth but overall a VPS is not meant for the likes of a site like AC, so he's looking at killing two with one stone and since the bandwidth of AC is pretty large, VPS usually don't match in bandwidth allowances, and those who do are majorly overselling or limiting in the hardware allowances.

As for IRC, I was never comfortable with it running on the same server as the website anyways, not so much for the 'security' risks as only a moron who can't keep software upto date would suffer from almost all ircd exploits, but for the DDoS attacks which is caused by connections and bots, not by 'security issues'.

An IRCd shell provider would be ideal, most are located at say gigenet.com or staminus.net which both have ideal and great filtering for all that kinds of stuff, shells are offered cheap and the maximum allowed users for the basic plan far exceeds who uses it anyways.

So in the end, Dave is making this change so he can throw money at more worthwhile resources for getting this place where he wants it to be. If he did this almost a year ago he would have saved almost $2,400... not bad eh? So the sooner it's done the better, regardless of '10 posts per day'.

Peaces and reeses

___________________

The Audoptic Weblog. It's where the magic happens.