ServePath Blog

On November 13, 2008, ServePath’s new Customer Portal (v2.1), located at https://my.servepath.com,  will be live for all current and new ServePath customers. In case you missed my previous post about some of the changes, I encourage you to look here. Once the cutover is complete, you will no longer be able to access the old customer portal. All of the functionality and features that existed in the old portal will be present in the new one (but potentially in different areas) along with plenty of new or enhanced ones.

We have compiled a list of 10 FAQs in order to help you along:

FAQ: My.ServePath 2.0

1.    How can I be alerted to ServePath maintenances and outages proactively?

You can subscribe to the ServePath Network Status RSS feed by clicking on the RSS icon next to “Network Status” on the home page. This will notify you via your RSS feed reader whenever we update the status on the website. If you’re interested in subscribing to the ServePath blog, you can do that from my.servepath.com as well by clicking on the RSS link next to “News” from the home page.

2.    How can I order new products and services through my.servepath.com?

Our current lineup of products, services and upgrades can be ordered through the my.servepath.com customer portal by clicking on the “Services and Hardware Upgrades” banner on the home page. You can select new hardware upgrades for your existing server, services such as our Unified Security and Backup package or our Proactive Monitoring Suite, or choose from a wide variety of other services and tools we can provide you with.

3.    Where can I find my Account Team’s contact information?

The members of your account team are listed on every page of the new my.servepath.com customer portal. Contact information for our Billing, Support and Sales departments are all readily available so that you can contact us anytime.

4.    How can I Remote Power Cycle or run a Security Scan on my server?

Remote Power Cycle and Server Security Scan tools are now located on the “Servers” page. From there, you can power cycle your machine or run a Nessus scan to check for open ports that may pose potential security risks on your servers.

5.    When I create a case, I see some Knowledge Base articles. How does this work?

Our case creation system will search our Knowledge Base for any articles that may relate to the case description you enter. You case is created as normal, but we will provide you with any articles that may pertain to the issue to that you are submitting. You then have the option to help yourself and close your case if you choose to. Once you select an article, you can let us know whether or not the article resolved your case by clicking on the “Yes” button. If it did help, you then have the option to close your case. If not, our Support team will still investigate the case as normal. Our Knowledge Base can also be searched from the Support tool without entering a case, so you have 24×7 access to our library of thousands of support articles.

6.    Where do I go to manage my passwords?

You can manage your passwords through the “Manage Passwords” tab from the Support menu. You can easily add system or service passwords to share with our Support teams so that we can login to your systems and help you troubleshoot the issue you are experiencing. This is a tool for you to share passwords with our Support team or keep a log of passwords to share with your server administrators. Please note that changing passwords here does change the passwords on your servers.

7.    Where can I go to give feedback to ServePath?

We have a number of ways for our customers to provide us with feedback regarding our portal, website, products and anything else you wish to share. To send us a feedback message, you can click on the “Feedback” link located at the top-right of the screen. You can also provide us with feedback under the Support menu by clicking on the “Customer Survey” tab or by clicking on the “Take our Survey” link from the home page under “Quick Links”.

8.    Where can I access my Network Statistics?

Network statistics, which many of our customers utilize on a daily basis, have been moved to the main navigation for easy access. You can also click on “Network Statistics” under the “Quick Links” section of the home page. This will take you to the Network Statistics tool where you can view bandwidth and transfer utilization graphs for any time period you specify by server and by VLAN.

9.    Where can I access my billing information?

Billing and account information is located under the “My Account” page. You can also cancel your account or services from this page.

10.    How do I reach a Support Representative immediately?

We have 24×7 Support representatives available via chat for any time you need them. There is a Live Chat link on every page in the new my.servepath.com portal for you to get quick access to any of our Support Representatives.

If you have any questions, comments or suggestions for improvements or new features, be sure to fill out the new Feedback form within the Portal. Also, you can always create a Support ticket using the Support tool for anything that is not immediately obvious.

We hope you like it!

ServePath engineers have been working hard on providing a newly redesigned, more efficient and effective Customer Portal. The new portal was quietly released to all ServePath customers recently so I wanted to take a bit of time to point out a few of the notable changes that can be found there.

First, both portals are currently available (old here and new here), but this won’t be true forever. Once the new portal is finalized, the old one will be gone…forever! There is also a direct link to the new portal on the old login page currently.

Once you log in to the new Customer Portal, you will immediately see a redesigned interface with new sections. Note, your login information works on both portals. For posterity’s sake, I will be including screenshots of both versions.

New ServePath Customer Portal:

Old ServePath Customer Portal:

For starters, the Dashboard has been drastically redesigned to group pertinent information together, namely:

• Products/Services - Call-outs at the top of the page to critical or new product or service offerings (e.g., Services & Hardware upgrades and the ProActive Management Suite)
• Support information – who your account manager is, phone numbers for support and billing and a Live Chat button
• Quick Links – these are links that many of our customers frequent, carefully compiled to streamline the experience
• Network Status – current RSS feeds from the ServePath Status blog
• ServePath Blog feed – quickly scan recent ServePath blog entries
• Survey – answer a few questions and be entered in a monthly drawing for Amazon gift cards (HINT: it takes about 30 seconds to fill out the survey!)

Also live with the new portal is a revamped Support Section. With the new Portal, you can choose the “Create a Case” Quick Link and within one click, be able to enter a support ticket immediately:

Most notable is that you can, on the same screen, drill down to the exact server(s) or other hardware that you need help with. Once you select a particular server or set of servers, for example, you will also be able to select their associated IP addresses as well.

Also, when a Case is entered, after the form is submitted and the Case is created, the user is presented with a list of Knowledge Base (KB) articles that may be relevant to the Case. Users can potentially resolve their issues based on the suggested articles, however, if the solution is not present, the user’s Case is already in the system. If a particular KB article solved the issue, the user can attach that article to the Case and close the Case themselves.

On the old portal, the process of entering a ticket took a bit longer and did not offer the user the ability to resolve their own case. An example of the same type of ticket entry as shown in the previous image is listed below:

There are other numerous changes in the new ServePath portal. If you are a current ServePath customer, I encourage you to compare the different versions. We are currently working on the next revision to the new portal as well, so if you have suggestions, comments or, gasp, criticism, feel free to leave a comment on this post and I will share it with the Engineering team. We will also have a feedback form within the new portal as well soon.

Hope you like the changes! We certainly do.

Note: this post has been updated slightly to correct some minor errors. Also, commands may have been improperly formated due to WordPress’s treatment as such. Converted now to “code” formating.

1. Software Firewall - For security purposes, the software-based firewall that is included in all freshly deployed dedicated server operating system has been enabled and configured to allow on the minimal amount of connectivity required for you to access and configure your server. For Linux/UNIX users, this means that port 22 is permitting SSH connections. Port 80 (HTTP/Web) and port 443 (HTTPS/SSL Web) have been opened to allow all standard web traffic. In addition, the required ports for control panel access have been opened if you have ordered a control panel from ServePath. Finally, ICMP Ping has been permitted to allow our monitoring services the necessary access to aid in managing out network.

2. File Permission - There are certain files whose presence in the Linux file system can present a security risk and should be remedied as soon as possible. When the SUID (set user ID) or SGID (set group ID) bits are set on an executable, that program executes with the UID or GID of owner of the file as opposed to the user executing it. This means that all executables with SUID bit set and are owned by root are executed with the UID of root. This situation is a security risk and should be minimized unless the program is designed for this risk. To find all files on your file system that have the SUID or SGID bit set, execute the command:

# find / -path /proc –prune –o –type f –perm +6000 –ls

It is good practice to generate a list of SUID or SGID files on your server as soon as possible and re-run the above command on a regular basis to ensure new binaries with unsafe permissions are not being added to your server. World-writable files are a security risk as well. World-writable files and directories are dangerous since it allows anyone to modify them. World-writable directories allow anyone to add or delete files. To find all world-writable files and directories, execute the command:

# find / -path /proc –prune –o –perm -2 ! –type 1 –ls
 # find / -path /proc –prune –o –perm -2 ! –type l –ls

Another file permission issue is when files are not owned by any user or group. While this is not technically a security vulnerability, an audited system should not contain any unowned files. This is to prevent the situation where a new user is assigned a previous user’s UID so that the previous owner’s files, if any, are all owned by the new user. To find all files that are not owned by any user or group, execute the command:

# find / -path /proc –prune –o –nouser –o –nogroup\
 # find / -path /proc –prune –o –nouser –o –nogroup

3. Listening Ports - It is very important to ensure that all listening ports on your server are limited to only those that are necessary for you’re your server and its applications. To get a list of listening network ports, run the following command:

# netstat –tulp

Disable any ports that are not necessary. To do so, kill the PID (process ID) shown by netstat. The only port that your server must be listening on is SSH (port 22/tcp). Other ports that will need to be listening depend upon the specific purpose of your dedicated server. Note that by killing the PID of the process you are not preventing your server from starting the same service again on bootup. In order to see what programs your server is launching on startup, execute the following command:

# chkconfig –list |grep on (Red Hat systems)
 # chkconfig –list | grep on (Red Hat systems)

# ls -l /etc/rc2.d/S* | cut -d/ -f6 (Debian systems)

This command will show you which programs are to be executed in which run levels. In Red Hat, full multi-user mode is 3. To disable a service permanently, issue the following command:

# chkconfig <service_name> off where <service_name> equals the name of your service, such as httpd

To disable any service in Debian, simply execute the following command:

# rm –f /etc/rc2.d/S*<service_name>

Please note that the above commands do not actually disable the service, they simply prevent the service from being executed on startup.

4. Unlocked User Accounts - The first thing you should take stock of on a new server are the users with unlocked accounts. Users with unlocked accounts are allowed to login if assigned a valid shell, and should be kept to a minimum. To get a list of unlocked users, execute the following command:

# egrep –v ‘.*:\*|:!' /etc/shadow|awk -F: '{print $1}'
 # egrep –v '.*:\* | :!' /etc/shadow | awk -F: '{print $1}'

If you do not recognize any user returned by the above command, check to see if that user owns any files by executing the command:

# find / -path /proc -prune -o -user <user_name> -ls where <username> is the name of the user you do not recognize, such as jdoe

If the user does not own any files, or files that will not hinder the stability of your server, delete the user by executing the command:

# userdel –r <user_name>

5. Enable/Disable Features - All of the following lines and values should be added to the file /etc/sysctl.conf if you want to enable or disable the feature mentioned. You will need to restart your system for these changes to take effect:

6. Basic Access Control - One of the most important things you can do to protect your server is to implement very basic access control. Access control can eliminate a majority of the risk involved in running out of date services on the Internet. In order to implement an effective access control policy on your dedicated server, you will need the following pieces of information: The IP address or addresses of your Internet connection. For some, this may be one static address, while for others it is a pool of addresses. If you have more than one Internet connection, please be sure to get ALL the IP addresses you could be assigned at any time. You may need to contact your Internet Service Provider for this information.

7. Restrict SSH Connections - While we do not recommend anybody running outdated software, especially something as crucial as SSH, a not insignificant portion of the risks involved in running an outdated SSH server can be mitigated by only allowing certain IP networks to access your SSH server via iptables. Execute the following command to only allow SSH connections from certain IP address:

# $IPTABLES –A INPUT –p tcp –dport 22 –s <X.X.X.X/NN> –j ACCEPT

The above line will allow TCP packets destined for port 22 to be accepted if and only if the source of the packets are within the network denoted in <X.X.X.X/NN>. If you have more than one Internet connection, or have multiple networks, simply add another line, replacing <X.X.X.X/NN> with the proper values.

8. Access Control on Control Panel - If your server is running a control panel, you can also improve your security by implementing an access control policy on the control panel administrative port.

Plesk:

$IPTABLES –A INPUT –p tcp –dport 8443 –s X.X.X.X/NN –j ACCEPT

Ensim:

$IPTABLES –A INPUT –p tcp –dport 19638 –s X.X.X.X/NN –j ACCEPT

Cpanel:

$IPTABLES –A INPUT –p tcp –dport 2082 –s X.X.X.X/NN –j ACCEPT

9. Access Control on FTP - Another service you may want to implement an access control policy on is FTP. If you or a small handful of people are the only allowed users to FTP into your dedicated server, then you will certainly benefit from employing some iptables rules by entering the commands:

$IPTABLES –A INPUT –p tcp –s X.X.X.X/NN –dport 20 –syn –j ACCEPT
 $IPTABLES –A INPUT –p tcp –s X.X.X.X/NN –dport 21 –syn –j ACCEPT

Note that both of the above lines must be executed for each source network.

10. Enable IPTABLES - Lastly, if you do not have a hardware firewall you will want to enable iptables, the software firewall in Linux systems. For a detailed iptables tutorial from ServePath, please visit our Support Center pages at: http://www.servepath.com/support/iptables.htm.

Hope that helps you get your Linux Server get even more secured! For other helpful tips like this, be sure to visit the ServePath Knowledge Base.

Have you ever simply forgotten your password to your server or had someone change a login without you knowing it? Passwords seem to be the bane of my existence. I seem to have passwords of varying levels of complexity, based on the sites or machines that I am managing and my brain is not growing any younger. I simply cannot remember them all. So, if you are in that situation, we can now help (assuming you are a ServePath customer, that is).

The Professional Services Team at ServePath has been hard at work trying to better your experience as a customer (or potential customer). Professional Services can help with a wide variety of challenges, including:

• Web Server Configurations
• Custom Backup/Recovery Solutions
• Emergency Data Recovery for Downed or Compromised Servers
• Consultative Services

One of these items is that of Password Recovery. In the past, this type of Professional Services request incurred a minimum charge (typically starting around $150 and billed hourly thereafter). Now it is being offered for FREE! But before you try getting “unlocks” on all of your servers, here is some important information about this service:

• You MUST open a standard Support Case or Professional Services Case to start the process — this should be done through your My.ServePath.com Customer Portal
• Previously $150/hr, the INITIAL attempt using a variety of tools and procedures, is now considered a “value-added” service and is FREE — this initial attempt works without “undue complexity or time being spent”
• Should the initial attempt fail or have additional complexities, you can still proceed down a recovery path. However, this process is considered “paid consultation” and will incur hourly charges from Professional Services.
  • If successful, you are billed the amount of time spent to recover your password
  • If unsuccessful, you are only billed the minimum 1 hour charge of $150

The Professional Services Team’s toolsets and experience now allow for password recovery or resets on just about any Operating System that ServePath offers, and typically within minutes of attempting. Just be sure that you initiate the process with a Support or Professional Services Case in order to authorize the procedure.

So don’t fret…let ServePath’s Professional Services Team save the day!