Turning Websites Off???

July 25, 2008 – 10:52 am

Can I just say, what an awful practice this is. Yes, some web hosts actually do enforce bandwidth restrictions with military precision.

At Leading Edge Hosting, we make a policy of not switching customers’ websites off the minute they exceed their bandwidth allowance; we’d much rather just say look, you’ve gone over your limits, you need to upgrade.

I just don’t understand these hosts that take customers’ websites down so quickly; it’s hardly “helping your customer to succeed” now, is it?

Anyway, rant over, thanks for listening.


We Have a New Backup Architecture!

July 24, 2008 – 1:14 pm

Wow, after around 6 months of work we have finally implemented a nice shiny new backup architecture for pretty much every server we’re running! And we’re rather pleased with it.

I don’t want to go into too much detail, but we bought a pretty decent Dell server with RAID purely for storing backups. After a huge amount of (very much appreciated) hard work from our server administrator James, we’ve now got all our servers automatically backing up onto this new dedicated backup server.

Not only that, but our dedicated servers are having a month’s worth of complete disk images stored (in addition to the standard web files etc), meaning we can restore entire servers in the blink of an eye! God forbid we ever have to though!!

points to us, just for being good at what we do.


PHP6 and magic quotes

July 23, 2008 – 8:36 am

A little advance warning here: PHP 6 is in development and the developers of PHP have decided to remove magic_quotes().

For those of you who don’t speak fluent PHP, magic_quotes() is a feature built into PHP, designed primarily to protect websites from SQL injection techniques. Unfortunately, lots of developers have used the magic_quotes functionality as their main protection mechanism for their code. This is highly discouraged by the developers of PHP.

At this stage, web companies / developers should (must) re-visit any legacy code running on their websites to add additional protection prior to upgrading their servers to PHP6.

We will also be notifying our customers of this important information via email.


Anti-spam

July 23, 2008 – 8:26 am

Several of our customers have been in touch over the past few months wondering why they can’t send email through our systems.

In literally 95% of these cases, it’s because they have somehow been allocated an IP address that is tagged as belonging to a spammer.

Leading Edge Hosting use what’s called a DNSBL, which is a blocklist (blacklist) of IP addresses, shared over the Internet. There are several blocklists, maintained by different companies, but we use the blocklist provided by www.spamhaus.org.

If you find that you cannot send email through our servers, it’s worth checking that your IP address has not been blacklisted. To do this, first find your IP address then visit this link and type in your IP address. If your IP address is listed you are probably being blocked by our server.

If you need to absolutely confirm that our servers are blocking your IP address, an alternative method is to open a Windows command prompt, type: telnet and press enter. The command prompt should change, now open a telnet connection to our servers from your PC by typing: o 123.123.123.123 25

But replace 123.123.123.123 with your IP address (find it using the link above). If the server reports a message that mentions Spamhaus, consider yourself blocked.

So what should you do if you are blocked? Well, spamhaus.org provide facilities to request a de-listing of your IP address, so follow their on-screen instructions, but be careful. Most of the time, when an IP address is blocked, it is because it has been detected sending spam emails. 9 times out of 10 I would imagine that this is because your PC(s) have been, or are, infected with a trojan or virus that is sending spam on your behalf.

We highly recommend using the FREE online virus scanner provided by ActiveScan: http://www.pandasecurity.com/homeusers/solutions/activescan/
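The DNSBL check described in this post can also be done as a plain DNS query, which shows which Spamhaus list an address is on. This is an added example, not part of the original post: the zone name zen.spamhaus.org, the function names and the sample address 203.0.113.7 are assumptions, and the live lookup assumes `dig` is installed.

```sh
#!/bin/sh
# Added example. ZONE is an assumption: the page names only spamhaus.org;
# zen.spamhaus.org is Spamhaus's combined blocklist zone.
ZONE="zen.spamhaus.org"

# Build the DNS name to query: octets reversed, zone appended.
# 203.0.113.7 -> 7.113.0.203.zen.spamhaus.org
dnsbl_name() {
    case $1 in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # digits and single dots only
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$ZONE"
}

# Map the A record returned by the blocklist to a meaning.
# SBL: known spam sources. XBL: exploited or infected hosts (the trojan case
# the post describes). PBL: end-user ranges not expected to send mail directly.
# 127.255.255.x: the query itself was refused, e.g. via a large public resolver.
dnsbl_meaning() {
    case $1 in
        "")                    echo "not listed" ;;
        127.255.255.*)         echo "query error, not a listing" ;;
        127.0.0.2|127.0.0.3)   echo "listed: SBL" ;;
        127.0.0.[4-7])         echo "listed: XBL" ;;
        127.0.0.10|127.0.0.11) echo "listed: PBL" ;;
        *)                     echo "unrecognised answer" ;;
    esac
}

# Live lookup (needs network and dig); uses the first A record returned.
dnsbl_check() {
    name=$(dnsbl_name "$1") || { echo "not an IPv4 address" >&2; return 2; }
    dnsbl_meaning "$(dig +short A "$name" | head -n 1)"
}

# Offline demonstration on constructed values (203.0.113.7 is a documentation address).
dnsbl_name 203.0.113.7
for answer in "" 127.0.0.4 127.0.0.11 127.255.255.254; do
    dnsbl_meaning "$answer"
done
```

Run `dnsbl_check` with your own public address from a machine that uses your ISP's resolver; an error answer means the lookup was refused, not that the address is clean.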


Choosing the right web host

July 1, 2008 – 11:16 am

Ok, so I know there are loads of posts out there about this kind of thing, but I still wanted to add my 2 cents.

So we’re a web host, and yes we know, there is loads, loads, of competition out there, but to be honest, we don’t really consider most of the smaller web hosts a threat to our business at this stage; our service is good and we believe in it. We also read so many horror stories about startup web hosts who don’t know the first thing about server administration, and who get hacked… quickly!

Which leads me nicely into this post; what should you look for when selecting a web hosting partner?

Well, let’s start with the obvious things:

1. You need a web host who performs regular security updates to their servers (Windows or Linux), don’t be afraid to ask about their security policy. Don’t expect exact details about what they do, but do expect them to be able to give you an idea of how they manage security. For example, do they regularly update their servers, are they running a firewall, do they have intrusion detection, do they have rootkit detection software. Those are all questions you should expect to have yes answers to, but don’t expect anyone to tell you what software they’re using.

2. Are the servers physically located in your country? It’s reasonably common knowledge that Google ranks websites more highly if the server they are on is physically based in the same country as the searcher. So if you’re based in the UK and you’re targeting UK customers, ideally your server ought to be located in the UK too. Perhaps more importantly, the nearer your server is to you and your target audience, the faster it ought to respond.

3. Do they have server monitoring software? A good host should, and they should be able to tell you what their uptime record is.

4. Are they a re-seller? I guess some people might not be overly honest about this, but in my opinion you don’t really want to choose a re-seller. Why? Because they rarely have any control over their servers. For example one of our contacts is a reseller for one of the big UK web hosts, if they have a problem with a server, they literally have to get on the phone and wait for their web host to sort things out. This is a poor service compared to a web host who can take the call, get onto the server immediately and sort things out.

5. Do they allow CRON jobs / Scheduled tasks? If your website needs any processes to run automatically you need this facility. Many of the bigger web hosts don’t allow you to use CRON jobs, I have no idea why! The only thing I can think of is that they’re worried the server could be overloaded with badly run scripts. But, we’re able to prevent out of control scripts wreaking havoc, so why can’t they?

6. Do they allow you to use server directives in an .htaccess file? Vital for search engine optimisation! You need to be able to set up things like 301 redirects, otherwise when you change domains, how will Google know?

7. Are they able to tell you what hardware they’re using? We can, why can’t they? (FYI we’ve just bought a lovely Quad Core Intel Xeon server for our shared hosting platform, nice :-))

8. Do they offer backups? Do they have RAID? If they don’t have either, what are they going to do when their hard drive fails? If it dies, all your data dies with it.

I guess that’ll do for now, I’m sure I’ve got many more things to add to this list, but I hope someone finds it useful.


Email Newsletters, save our servers!

June 23, 2008 – 9:32 am

Ok, so you’ve got a hot new product, or some exciting news about your company that all your clients are going to love to read about. I know, why not send a newsletter?

Well, it seems email newsletters are becoming ubiquitous, and why not! They are a great way to communicate with your clients and prospects alike and can really help raise awareness about your business.

You might be thinking from the title of this post that we’re against sending email newsletters, well actually we’re not, we love them, but only when they’re executed properly.

I’m sure we’re not the first web host to have seen this situation arise, and we won’t be the last. But we’ve had several clients just stepping into the world of email marketing who decide that the best way to reach 10,000 people is by creating an email in Outlook, sticking 10,000 email addresses in the bcc field and sending it off.

The problem with this approach is that it creates a massive strain on a server that can literally shut it down (yes that means your website will go down right at the critical moment!), and when you’re on shared hosting it’s just not fair on everyone else.

From our point of view as a web host, this situation puts us in an uncomfortable position, let me explain why:

As a good, diligent web host, we have taken the time to install anti-spam and anti-virus software on our shared servers, we don’t want our clients having to suffer mailboxes full of viagra adverts and software that can destroy their computers. This software runs every time an email is received on our servers, it literally reads each and every email that comes onto our servers looking for emails you won’t want to receive.

When an email to 10,000 people reaches its destinations, many of the recipients will be out of the office, or will no longer have the email address you have, or will simply be unreachable, resulting in ‘bounces’. A bounce is a message that gets returned to you when someone’s email address is unreachable.

If just 10% of 10,000 emails bounce back, that’s 1000 emails that land back on our servers in one go! That’s a lot of email by anyone’s standards! But that’s not even the end of it, each one of those 1000 emails then gets checked for viruses and spam before it’s delivered back to your mailbox, and it’s that which can bring down a server.

So what’s the solution? Well, it’s actually surprisingly simple: instead of using Outlook to send your 10,000 emails, use a dedicated email software provider such as Campaign Monitor to send your email, and, most importantly, do not put your real email address in the reply-to or from fields! Put something like no-reply@yourdomain.com so when the flood of emails bounce back, they can be discarded immediately by your lovely web host, saving your server and preventing your website from going down at the critical moment.


How to generate a Certificate Signing Request (CSR)

June 23, 2008 – 9:07 am

Ok, I can never remember how to do these off the top of my head, so what better way to keep track of how to do it than to drop it into our blog.

This only applies to Linux servers.

This won’t mean much to anyone who isn’t a server administrator, so you can stop reading now, but this is how to generate a CSR.

As root:

Change to your home directory ~/

Then mkdir (domain name) and cd into the new folder. Inside your new folder, issue the following commands:

openssl genrsa -des3 -out domainname.co.uk.key 1024

openssl req -new -key domainname.co.uk.key -out domainname.co.uk.csr

That’s it.
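Before sending the CSR to a certificate authority it is worth checking that it verifies, that it was made from the key you intend to keep, and that the key is large enough; CAs now require at least 2048-bit RSA keys, so this version uses 2048 rather than 1024. This is an added example, not the original post's commands: the function names, the subject fields in -subj and the unencrypted key (chosen so it runs without prompts) are assumptions.

```sh
#!/bin/sh
# Added example: key size, subject fields and file layout are assumptions.

# Create <dir>/<domain>.key and <dir>/<domain>.csr without prompts.
make_csr() {
    domain=$1 dir=$2
    # umask 077 in a subshell: the private key is created owner-readable only.
    ( umask 077 && openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/$domain.key" \
        -subj "/C=GB/O=Example Ltd/CN=$domain" -out "$dir/$domain.csr"
}

# Print the public key size in bits recorded in a CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed only if the CSR's self-signature verifies, its public key matches
# the given private key, and the key is at least 2048 bits.
check_csr() {
    csr=$1 key=$2
    # Match on the message: older openssl builds exit 0 even when -verify fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    csr_mod=$(openssl req -in "$csr" -noout -modulus) || return 1
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) || return 1
    [ "$csr_mod" = "$key_mod" ] || return 1
    [ "$(csr_key_bits "$csr")" -ge 2048 ]
}

# Demonstration in a throwaway directory, using the post's placeholder domain.
work=$(mktemp -d)
make_csr domainname.co.uk "$work" &&
    check_csr "$work/domainname.co.uk.csr" "$work/domainname.co.uk.key" &&
    echo "CSR ok: $(csr_key_bits "$work/domainname.co.uk.csr") bit key"
rm -rf "$work"
```

To keep the key passphrase-protected as the post's -des3 does, pass a cipher option such as -aes256 to genrsa and expect a prompt whenever the key is read.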


Scary PHP Functions you should disable…

June 17, 2008 – 10:15 pm

We have just completed a security update on one of our main servers and whilst we were performing the update we realised that there is a distinct lack of information out there concerning the security of PHP functions, and no good lists of functions that should be banned or switched off.

When you install PHP, it doesn’t make a huge amount of recommendations about which functions you should ban on your servers. Although it basically does come out of the box in safe mode, which is great, as a web host trying to offer the best service possible, we like to offer our customers the choice of using PHP’s safe mode or not. We know that as a developer it’s a real pain to be forced to deal with things like magic quotes when you already have tight methods of blocking SQL injection, XSS attacks etc.

So, since we want to leave things as flexible as possible for developers, it’s critical for us to know that our customers can’t write PHP code that could lead to our server being left wide open to attack.

So, being diligent web hosts we searched high and low for a decent list of PHP functions that we ought to ban, and surprisingly couldn’t really find any decent lists.

So, for anyone wondering what functions to ban, here is our list of PHP functions you should definitely not allow your customers to use!

exec, system, passthru, readfile, shell_exec, escapeshellarg, proc_close, proc_open, ini_alter, dl, parse_ini_file, show_source, popen, pclose, pcntl_exec, proc_get_status, proc_nice, proc_terminate, pfsockopen, posix_kill, posix_mkfifo, openlog, syslog, escapeshellcmd, apache_child_terminate, apache_get_env, apache_set_env, apache_note, virtual, error_log, openlog, syslog, readlink, symlink, link, highlight_file, closelog, ftp_exec, posix_setpgid, posix_setuid, posix_setsid, posix_setegid, posix_seteuid, posix_getpwnam, posix_ctermid, posix_uname, posix_getegid, posix_geteuid, posix_getpid, posix_getppid, posix_getpwuid

I’m not going to go into details here, but if you’re in for a fright, look these functions up (especially the posix ones) on the www.php.net website, you’ll be very scared!
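A list like this is only useful if the server's php.ini really carries it, so here is a small audit that reports which functions a given php.ini leaves enabled. This is an added example, not the host's own tooling: it assumes the list is applied through PHP's disable_functions directive, and the sample php.ini text and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example. disable_functions is PHP's php.ini directive for switching
# functions off; SAMPLE_INI below is constructed, not a real server's config.

# Command-execution subset of the post's list; add the rest the same way.
WANTED="exec system passthru shell_exec proc_open popen pcntl_exec dl"

SAMPLE_INI='[PHP]
;disable_functions = exec,system,dl
disable_functions = shell_exec, system , passthru,popen
'

# Read php.ini text on stdin and print the disabled functions, one per line.
# Lines commented out with ";" are ignored; if the directive appears more than
# once, only the last assignment in the file is used.
disabled_in_ini() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' |
        tail -n 1 | tr -d '" \t' | tr ',' '\n' | sed '/^$/d'
}

# Read php.ini text on stdin and print every WANTED function it leaves enabled.
missing_from_ini() {
    disabled=$(disabled_in_ini)
    for fn in $WANTED; do
        # -x -F: whole-line literal match, so "shell_exec" being disabled
        # does not count as "exec" being disabled.
        printf '%s\n' "$disabled" | grep -qxF "$fn" || printf '%s\n' "$fn"
    done
}

echo "Still enabled in the sample php.ini:"
printf '%s' "$SAMPLE_INI" | missing_from_ini
```

Point it at a real file with `missing_from_ini < /path/to/php.ini`; an empty result means every function in WANTED is disabled in that file.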
