<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Features &#8211; Web Hosting Talk</title>
	<atom:link href="https://www.webhostingtalk.com/blog/category/features/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.webhostingtalk.com/blog</link>
	<description>Web hosting industry discussion and news</description>
	<lastBuildDate>
	Mon, 29 Nov 2021 02:10:01 +0000	</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.1.4</generator>
	<item>
		<title>Server Load &#8211; The Basics</title>
		<link>https://www.webhostingtalk.com/blog/server-load/</link>
				<comments>https://www.webhostingtalk.com/blog/server-load/#respond</comments>
				<pubDate>Fri, 28 Mar 2008 15:23:46 +0000</pubDate>
		<dc:creator><![CDATA[snaip]]></dc:creator>
				<category><![CDATA[Features]]></category>

		<guid isPermaLink="false">http://www.webhostingtalk.com/news/server-load/</guid>
				<description><![CDATA[<p class="entry-content">Load, in computing, is a measure of the amount of processing a computer system is currently performing, usually in the form of a scalar and as some variation on a percentage. <a class="moretag" href="https://www.webhostingtalk.com/blog/server-load/">Read More</a></p>]]></description>
								<content:encoded><![CDATA[<p>By Sangeetha Naik</p>
<p>Load, in computing, is a measure of the amount of processing a computer system is currently performing, usually in the form of a scalar and as some variation on a percentage.</p>
<p>On a *nix variant, server load can be read with the uptime, top or w command:</p>
<pre>[root@localhost ~]# uptime
15:33:18 up 1:33, 3 users, load average: 0.01, 0.05, 0.09</pre>
<p>The last three values show the server load for 1, 5 and 15 minutes, in that order. This means that 1 minute back, the server load was 0.01, 5 minutes back it was 0.05 and 15 minutes back it was 0.09.</p>
<p><strong>How much server load is OK?</strong></p>
<p>What people usually call server load, or simply load, is basically CPU load. This value shows how well the CPU is coping with the tasks it needs to do. Server load is, however, a poor measure of a server&#8217;s performance, yet it can give the administrator an indication that things are going wrong somewhere.</p>
<p>The ideal load for a single-processor server is 1. A server load of 1 means that the CPU is doing all the tasks one after the other in a well-oiled manner, with no queue of waiting processes.</p>
<p>As the server load goes higher, processes get queued. That doesn&#8217;t mean that the moment the server load goes over 1, services will start failing. A server load under 10 will result in sluggishness but may not result in failure. A double-digit server load may result in failure, especially if it is sustained for a long time.</p>
<p><strong>Multiple processors and server load.</strong></p>
<p>For servers with multiple processors, the effective load is calculated by dividing the reported load by the number of processors.</p>
<p>Actual load = Total load (as shown in uptime) / no. of CPUs</p>
<p>When there are multiple processors, the load gets evenly distributed among the CPUs. If one processor is busy, a task can be scheduled on another processor.</p>
<p><strong>High load &#8211; How does this happen</strong></p>
<p>In Internet servers, High loads are caused by diverse reasons, each requiring a different approach for correction.</p>
<p><strong>Power users</strong></p>
<p>In a virtual hosting environment, there are many users who use the servers for maintaining websites. Some websites are simple, and some are processor-hungry, bandwidth-hungry eCommerce applications. If you or your clients have big eCommerce sites with a lot of visitors, your load may shoot up.</p>
<p>Many users have database-driven sites. When such sites have a lot of visitors, the number of database connections increases and results in high load.</p>
<p>Ideally an Internet server shouldn&#8217;t host more than 300-400 small to medium websites. If any of these users turn out to be power hungry, they could destabilise all the other users&#8217; operations by hogging all the resources.</p>
<p><strong>Script kiddies and attacks</strong></p>
<p>Many times high loads are caused because the server wasn&#8217;t secure enough and got cracked. The cracker then started running IRC scripts or eggdrops. Sometimes spamming could be the reason.</p>
<p>In some cases, a valid user turns into a monster and starts illegally abusing the system by spamming or running insecure scripts.</p>
<p>The first indication of a problem is high load. That should give the server administrator enough of a hint that something is wrong somewhere.</p>
<p>Run &#8220;top&#8221; on *nix systems to see which processes are causing the load. Kill such processes and check where they originated from. You may discover that something is up. Be suspicious about anything you see that is causing load.</p>
<p><strong>Running backup on the server, daily stats, server tasks </strong></p>
<p>Sometimes high load is caused by valid maintenance tasks such as daily backups, daily stats updates and cron schedulers. It is normal that the server load shoots up during these times. There is nothing to worry about, provided that the high load doesn&#8217;t last for long. Therefore schedule such tasks outside business hours, when usage is lowest and users are therefore less likely to be affected.</p>
<p><strong>Overselling</strong></p>
<p>Irresponsible overselling by web hosts is a major reason why web hosts have server load problems. In overselling, the web host sells more resources (like space, bandwidth) than are present. The web host assumes that not all users are going to use the space or bandwidth they purchased. For example, the government builds roads thinking that all the people aren&#8217;t going to use them at the same time. If the entire population were to step out of their houses, the roads would be totally inadequate.</p>
<p>Overselling is not all that bad, provided the Web Host is responsible in checking server load and acting upon it. Even if a Web host decides to oversell, the load has to be constantly monitored 24/7. If it reaches 2 or 3 fairly regularly, maybe it is time to move some websites to new servers.</p>
<p><strong>About the Author</strong></p>
<p>Sangeetha Naik heads <a href="http://www.bobcares.com">Bobcares.com</a>. She is the co-founder of Poornam Info Vision Ltd., Software and IT services company specializing in Linux based solutions for Webhosts and ISPs. Poornam Info Vision is an ISO 9001:2000 certified company with a team of over 140 engineers.</p>
]]></content:encoded>
							<wfw:commentRss>https://www.webhostingtalk.com/blog/server-load/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
							</item>
		<item>
		<title>Customer Service Solutions: An Alternative Way</title>
		<link>https://www.webhostingtalk.com/blog/alternative-customer-service/</link>
				<comments>https://www.webhostingtalk.com/blog/alternative-customer-service/#respond</comments>
				<pubDate>Fri, 28 Mar 2008 15:22:18 +0000</pubDate>
		<dc:creator><![CDATA[snaip]]></dc:creator>
				<category><![CDATA[Features]]></category>

		<guid isPermaLink="false">http://www.webhostingtalk.com/news/alternative-customer-service/</guid>
				<description><![CDATA[<p class="entry-content">This article explains that one of the most challenging facets of starting a new web hosting business, or even maintaining an existing one, is keeping your clients happy. Here are some tips to help make your customers feel satisfied that won&#8217;t break the bank. <a class="moretag" href="https://www.webhostingtalk.com/blog/alternative-customer-service/">Read More</a></p>]]></description>
								<content:encoded><![CDATA[<p>by Paul Harbeck</p>
<p>This article explains that one of the most challenging facets of starting a new web hosting business, or even maintaining an existing one, is keeping your clients happy. Here are some tips to help make your customers feel satisfied that won&#8217;t break the bank.</p>
<p>To attract potential customers and also to keep them, it is important that your business tries to satisfy them as much as possible with fast, reliable and efficient customer service techniques. There are important, and also cost-effective, ways to maintain your customers&#8217; levels of satisfaction.</p>
<p>It is important to remember that starting, or maintaining, a working web hosting company does not mean that you need to break the bank to keep your clientele satisfied.</p>
<p><strong>24 Hour Support/Live Chat:</strong></p>
<p>Standards in web hosting have changed in the last couple of years. One of the major changes is 24 hour support. To attract serious clients as of late, it is important to offer a level of support that is at parity with the best.</p>
<p>This might seem an expensive option to provide, however, it does not need to be, especially if you are just starting up a small company. Today there are plenty of web hosting forums and administration forums that allow you to advertise your services for free. Many of these forums always have freelance operators requesting work. It is possible to find the right person for the job at a very low cost.</p>
<p>However, it is always important to vet who you are hiring to help out with your business. Always remember that these people represent you and your business.</p>
<p><strong>Email Support:</strong></p>
<p>If it is not possible to offer 24 hour support, the luxury of getting a timely response for the client should always be there. There are always talented individuals willing to help out on web hosting forums and can usually be hired for small amounts of money, or, some will generally just work for free to pass the time.</p>
<p>A Service Level Agreement (SLA) should always be advertised to ensure your customers are aware of the timeframe for a response. And if your business is running behind on that SLA, an auto-reply to your inbox explaining the temporary delay might save any angry emails if your deadline is not met.</p>
<p><strong>Knowledge Base/Wiki:</strong></p>
<p>Another option to help solve a client&#8217;s issue is a detailed knowledge base or wiki. Most good web hosting companies today have these available to paid clients. As a customer, I always found that a knowledge base was useful to find out information, especially if a customer service representative was not available.</p>
<p>Information for your knowledge base can be found from a variety of places if you know where to look. For example, web hosting forums are full of free knowledge if you are patient enough to search for questions and answers. Search engines such as <a href="http://www.google.com" target="_blank">www.google.com</a>, <a href="http://www.snap.com" target="_blank">www.snap.com</a> are just two good ways to find information for a knowledge base.</p>
<p>Another great option that has taken off as the Internet&#8217;s unofficial encyclopedia is <a href="http://www.wikipedia.org" target="_blank">www.wikipedia.org</a>. There are developing web hosting wikis on the Internet that could also help you develop your own knowledge base or wiki.</p>
<p>A great example of a knowledge base is <a href="http://support.lypha.com/kb/" target="_blank">http://support.lypha.com/kb/</a>.</p>
<p><strong>Web Forum/Bulletin Board:</strong></p>
<p>If you do not like 24 hour support/live chat or emails, or if you want another alternative for your customers, then you could try implementing a forum into your web hosting support repertoire. The advantage of a forum is this enables new and existing customers to interact with each other.</p>
<p>A web host with a good support network is always a popular selling tool. If it is there to see for potential customers they can see upfront what sort of customers you have, and how they interact. If you have a support or technical-minded customer base, implementing a forum can take some of the support workload off you or your business for no extra cost.</p>
<p><strong>Phone Support:</strong></p>
<p>Over the past couple of years phone support is an area of customer support that has expanded to become a more popular solution. A large majority of companies that offer phone support offer it as a free service to the customer. Larger companies see this as a means to keep a personal touch with their clients.</p>
<p>If you are a small hosting company, offering phone support is not always a cost-effective solution. However, if you target your sales to a local geographical area, it is possible for customers to call you directly for the cost of a local call. Limiting your geographical area lets customers understand that the nature of your business is to maintain a healthy customer relationship.</p>
<p>In Australia, it is simple to setup a pre-paid phone number that you could use as a support line that customers could contact you locally. If you were a large company this option would seem highly unprofessional, although for a small company having a personal number to call adds a local feel to your business.</p>
<p>In Australia, generally calling a 1300 number is the cost of a local call. For example, <a href="http://www.cheap-1300-numbers.com.au" target="_blank">http://www.cheap-1300-numbers.com.au</a>.</p>
<p>Web hosting companies with a solid customer service base will always have a much better chance at succeeding than ones that do not. At the end of the day the customer is the most important asset that any business can have, as they generate your revenue. If you look after your customers, then theory has it, they should look after you.</p>
<p><strong>About the Author</strong></p>
<p>Paul Harbeck is located in Melbourne, Australia. He has over seven years experience as a webmaster/admin with several successful websites. The current project he is working on is to launch his own personal website.</p>
]]></content:encoded>
							<wfw:commentRss>https://www.webhostingtalk.com/blog/alternative-customer-service/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
							</item>
		<item>
		<title>IDS (Intrusion Detection System)</title>
		<link>https://www.webhostingtalk.com/blog/ids-intrusion-detection-system/</link>
				<comments>https://www.webhostingtalk.com/blog/ids-intrusion-detection-system/#respond</comments>
				<pubDate>Tue, 29 May 2007 09:27:38 +0000</pubDate>
		<dc:creator><![CDATA[snaip]]></dc:creator>
				<category><![CDATA[Features]]></category>

		<guid isPermaLink="false">http://www.webhostingtalk.com/news/ids-intrusion-detection-system/</guid>
				<description><![CDATA[<p class="entry-content">Intrusions into your corporate network can be blocked by an Intrusion Detection System (IDS) that constantly monitors the corporate network for all types of attacks and vulnerabilities. <a class="moretag" href="https://www.webhostingtalk.com/blog/ids-intrusion-detection-system/">Read More</a></p>]]></description>
								<content:encoded><![CDATA[<p><strong><font face="Verdana" size="2">By Shyam P. K</font></strong></p>
<p><font face="Verdana" size="2">Has your data been stolen? Did you even notice it? Prevention is better than cure. A good intrusion detection system that detects stealthy movements will help you.</font></p>
<p><font face="Verdana" size="2">Intrusions into your corporate network can be blocked by the implementation of an IDS. It can be very powerful if it is implemented the right way. An Intrusion Detection System (IDS) is a system that constantly monitors the corporate network for all types of attacks and vulnerabilities. The IDS looks for attack signatures, which are specific patterns that usually indicate a malicious or suspicious event.</font></p>
<p><font face="Verdana" size="2"><strong> Different types of IDS</strong></font></p>
<p><font face="Verdana" size="2">There are two different types of IDS system. Software IDS which is specific for  different operating systems and Hardware IDS which has dedicated real type  operating system of its own and it works independently with any type of  operating system. The hardware IDS is much more reliable than the software IDS.  It can identify about 1500 attack and info signatures. What is a attack and  information signature? Attack signatures are those which can pose a threat to  the networks, while information signature need not necessarily be a harmful one.  In case of software firewall there are chances that we cannot cover all the loop  holes of an operating system i.e. we have different flavors of Linux and there  are chances that all the pitfalls of different flavors might not be identified.  An important point that has to be noted, is that an IDS alarms you of the  possible attacks but in order to prevent attacks we need some other devices like  firewall. It is better to go for a hardware IDS. If finances do not allow, then  go for a software IDS that best suites your operating system.</font></p>
<p><font face="Verdana" size="2">IDS is at its best when placed at the gateway of the network that is at the  point where the corporate network is connected to the outside world. It is the  most ideal place where an IDS has to be kept. We have three types of IDS.</font></p>
<ul>
<li><font face="Verdana" size="2">Network Based IDS</font></li>
<li><font face="Verdana" size="2">Host Based IDS</font></li>
<li><font face="Verdana" size="2">Stack-based IDS</font></li>
</ul>
<p><font face="Verdana" size="2"><strong>Network Based IDS:</strong></font></p>
<p><font face="Verdana" size="2">This type of IDS typically uses a network adapter in promiscuous mode that will  analyze the network traffic in real time. Now let us define what a promiscuous  mode is? Promiscuous mode, in computing, refers to a configuration of a network  card wherein a setting is enabled so that the card passes all traffic it  receives to the CPU rather than just packets addressed to it, a feature normally  used for packet sniffing. Many operating systems require superuser privileges to  enable promiscuous mode.</font></p>
<p><font face="Verdana" size="2"><strong>Host Based IDS:</strong></font></p>
<p><font face="Verdana" size="2">This type of IDS can be used to monitor the system specific logs. While in most  flavors like Unix they use sys log and OS specific files. As soon as there is a  change detected the host based IDS compares it with the security policies that  has been defined and then responds to the change accordingly.</font></p>
<p><font face="Verdana" size="2"><strong>Stack Based IDS:</strong></font></p>
<p><font face="Verdana" size="2">This is the newest IDS technology and varies dramatically from vendor to vendor.  Stack-Based IDS works by integrating closely with the TCP/IP stack, allowing  packets to be watched as they traverse their way up the OSI Layers. Watching the  packets in this way allows the IDS to pull the packets from the stack before the  OS or the Application have a chance to process the packets.</font></p>
<p><font face="Verdana" size="2"><strong><em>Software IDS (snort-2.6.1.2 installed in Fedora Linux)</em></strong></font></p>
<p><font face="Verdana" size="2">First of all we will be dealing with the software IDS. The software which I am  about to describe is SNORT which I feel is one of the best IDS software for  Linux operating systems.</font></p>
<p><font face="Verdana" size="2">Snort is very useful intrusion detecting system distributed under the GNU GPL  license by the author Martin Roesch. Snort is a lightweight network IDS, capable  of performing real-time traffic analysis and packet logging on IP networks. It  can perform protocol analysis, content searching/matching. It can be used to  detect a variety of attacks and probes. Snort has real-time alerting capability  as well, incorporating alerting mechanisms for Syslog, user- specified files, a  UNIX socket, or WinPopup messages to Windows clients using Samba&#8217;s smbclient.  Snort has three primary uses. It can be used as a straight packet sniffer like  tcpdump or as a packet logger that is useful for network traffic debugging. It  can also be used as a full blown network intrusion detection system.</font></p>
<p><font face="Verdana" size="2">Snort logs packets in either tcpdump binary format or in Snort&#8217;s decoded ASCII  format to logging directories that are named based on the IP address of the  foreign host.</font></p>
<p><font face="Verdana" size="2">The installation of the SNORT is pretty simple. I have tested this on the Fedora  machine.<br />
</font></p>
<pre><font face="Verdana" size="2">wget http://www.snort.org/dl/current/snort-2.6.1.2.tar.gz
tar -xvzf snort-2.6.1.2.tar.gz
cd snort-2.6.1.2
./configure
make
make install

</font></pre>
<p><font face="Verdana" size="2">This will set up Snort for you in the system. Snort can be configured in three  modes.</font></p>
<p><font face="Verdana" size="2"><strong>1) Sniffer mode:</strong></font></p>
<p><font face="Verdana" size="2">To print out the TCP/IP packet headers to the screen which is also known as  sniffer mode. You can just go to the location where the binary files are located  and then execute it</font></p>
<pre><font face="Verdana" size="2">cd snort-2.6.1.2
cd src
./snort -v

</font></pre>
<p><font face="Verdana" size="2">Below is part of the output of this command<br />
</font></p>
<pre><font face="Verdana" size="2">12/26-01:53:01.528869 192.168.1.37:22 -&gt; 192.168.1.78:49614
TCP TTL:64 TOS:0x10 ID:43000 IpLen:20 DgmLen:100 DF
***AP*** Seq: 0x6EBF4676 Ack: 0xF56DCB77 Win: 0xAA8 TcpLen: 32
TCP Options (3) =&gt; NOP NOP TS: 95144702 596697068</font></pre>
<pre><font face="Verdana" size="2">=+=+=+=+=+=+=+=+=+=+=+=+=+=+=</font><font face="Verdana" size="2">
</font><font face="Verdana" size="2">*** Caught Int-Signal</font>

<font><font face="Verdana" size="2">=============================
</font></font><font face="Verdana" size="2">Snort received 4459 packets
Analyzed: 1972(44.225%)
Dropped: 2420(54.272%)
Outstanding: 67(1.503%)
</font><font><font face="Verdana" size="2">=============================</font></font>

<font face="Verdana" size="2">
</font><font face="Verdana" size="2">Breakdown by protocol:
TCP: 1968 (99.797%)
UDP: 2 (0.101%)
ICMP: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
FRAG: 0 (0.000%)
OTHER: 2 (0.101%)
DISCARD: 0 (0.000%)</font>

<font face="Verdana" size="2">=============================</font><font face="Verdana" size="2">
</font><font face="Verdana" size="2">Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0</font></pre>
<p><font face="Verdana" size="2">At the top see how a TCP segment has been tracked by snort. It actually  specifies all the TCP segment fields like TTL, Sequence number, Windowing size,  Acknowledgment bit, TCP length etc.</font></p>
<p><font face="Verdana" size="2"><strong>2) Packet Logger Mode:</strong></font></p>
<p><font face="Verdana" size="2">If you want to record the packets to the disk, you need to specify a logging  directory and Snort will automatically know to go into packet logger mode:<br />
</font></p>
<pre><font face="Verdana" size="2">./snort -dev -l ./log -h 192.168.1.0/24</font></pre>
<p><font face="Verdana" size="2">This command will work only if there is a log folder created in this path. So  create a folder called log and then use this command. This rule tells Snort that  you want to print out the data link and TCP/IP headers as well as application  data into the directory log, and you want to log the packets relative to the  192.168.1.0 class C network. In my system it is logged in a file like this<br />
snort.log.1166824939.</font></p>
<p><font face="Verdana" size="2">Now the packets have been logged in a binary format and is not readable. We can  make it readable by issuing the command</font></p>
<pre><font face="Verdana" size="2">./snort -dv -r log/snort.log.1166824939</font></pre>
<p><font face="Verdana" size="2"><strong>3) Network Intrusion Detection System Mode:</strong></font></p>
<p><font face="Verdana" size="2">To enable NIDS mode so that you don&#8217;t record every single packet sent down the  wire you can use this command. ./snort -dev -l ./log -h 192.168.1.0/24 -c /etc/snort.conf</font></p>
<p><font face="Verdana" size="2">where /etc/snort.conf is the name of your rules file. This will apply the rules  configured in the snort.conf file to each packet to decide if an action based  upon the rule type in the file should be taken. If you don&#8217;t specify an output  directory for the program, it will default to /var/log/snort. For any specific  alerts this Will logged in a file called alerts.Now the file /etc/snort.conf  wont be there when you install the snort. We have to create one. I have created  a basic file which looks very simple. This is what I have set for my local  machine.</font></p>
<pre><font face="Verdana" size="2">##

# Define our network and other network</font><font face="Verdana" size="2">#

var INSIDE 192.168.1.0/24
var OUTSIDE !$INSIDE
var NIDSHOST 192.168.1.38
var PORTS 10
var SECS 3</font>

##<font face="Verdana" size="2"># Log rules</font>

##<font face="Verdana" size="2">log tcp $OUTSIDE any -&gt; $INSIDE 23
log tcp $OUTSIDE any -&gt; $INSIDE 21
log tcp $OUTSIDE any -&gt; $INSIDE 79</font>

##<font face="Verdana" size="2"># Alert Rules</font>

##<font face="Verdana" size="2">
alet udp any any -&gt; $INSIDE 53
alert tcp any any -&gt; $INSIDE 53
alert tcp any any -&gt; $INSIDE 80</font>

##<font face="Verdana" size="2"># Load portscan pre-processor for portscan alerts</font>

##<font face="Verdana" size="2">preprocessor sfportscan: proto { all } scan_type { all } sense_level { low }</font>

##<font face="Verdana" size="2"># Pass Rules (Ignore)</font>

##<font face="Verdana" size="2">
pass tcp $INSIDE any -&gt; $OUTSIDE 80
pass udp any 1024: &lt;&gt; any 1024:
pass tcp any 22 -&gt; $NIDSHOST 22
"/etc/snort.conf" 32L, 727C 24,1 Top</font></pre>
<p><font face="Verdana" size="2">This is just a basic configuration file. You can create your own rules basing on  the needs of your network. Here in this configuration file I have specified my  local network, the host IP and also the outside networks. The next step is to  log the data. There are alerts which will work when something unusual is found  against normal process. Also I have enabled a preprocessor that will check for  any port scanning in the local machine and last one of course mentions about  those that can be ignored.</font></p>
<p><font face="Verdana" size="2"><strong>4) Inline mode:</strong></font></p>
<p><font face="Verdana" size="2">It obtains packets from iptables instead of from libpcap and then causes  iptables to drop or pass packets based on Snort rules that use inline-specific  rule types.</font></p>
<p><font face="Verdana" size="2">You can verify if your snort is working properly or not by using this command</font></p>
<pre><font face="Verdana" size="2">./snort -dev -l /var/log/snort/ -h 192.168.1.0/24 -c /etc/snort.conf -T</font></pre>
<p><font face="Verdana" size="2">The output should be some thing like this.<br />
</font></p>
<pre><font face="Verdana" size="2">Rule application order: -&gt;activation-&gt;dynamic-&gt;pass-&gt;drop-&gt;alert-&gt;log
Log directory = /var/log/snort/
Verifying Preprocessor Configurations!
0 out of 512 flowbits in use.
Decoding LoopBack on interface NULL
Data link layer header parsing for this network type isn't implemented yet</font><font face="Verdana" size="2">
--== Initialization Complete ==--
,,_ Snort!
o" )~ Version 2.6.1.2 (Build 34)
'''' By Martin Roesch &amp; The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2006 Sourcefire Inc., et al.</font>

<font face="Verdana" size="2">Snort sucessfully loaded all rules and checked all rule chains!
Snort exiting</font></pre>
<p><font face="Verdana" size="2">For more details of the rules you can download the rules from  <a href="http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_os/snortrules-snapshot-CURRENT.tar.gz">http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_os/snortrules-snapshot-CURRENT.tar.gz</a></font></p>
<p><font face="Verdana" size="2">Also if you are planning for a customized configuration I bet you would surely  like to go through the doc files available along with the software. They are  pretty good and easy to read as many options has been explained in the doc file  that will secure your network from different types of attacks.</font></p>
<p><font face="Verdana" size="2"><strong>Hardware IDS (Implementing the Secure IDS in Cisco PIX Hardware Firewall 501  series)</strong></font></p>
<p><font face="Verdana" size="2">Now here comes my favourite, hardware IDS. Basically there are many dedicated  IDS systems that are right now available in the market. But what Iam going to  tell you is an implementation of IDS in PIX hardware firewall. Even though you  cannot call it as an dedicated hardware but still I prefer it because we can set  to take action when an attack is identified. Here I will be mentioning the  details of IDS configuration in the PIX 501 series. PIX 501 series is a firewall  which is used in SOHO and the ROBO scenarios. It is the smallest of the hardware  firewall in the Cisco series.</font></p>
<p><font face="Verdana" size="2">Also the commands that I specify here is related to Finesse operating system 6.x  version . Of course there won&#8217;t be much difference in the later versions. One of  the advantage of the this firewall is you can implement IDS as well use the  firewall to drop the attack but the disadvantage is that the Cisco Pix 501  series firewall can only support from 50 to 70 signatures which is very less  when compared to the 1500 signatures supported by the Cisco IDS.Also there are  no options to built the customized IDS signatures.</font></p>
<p><font face="Verdana" size="2">The Cisco Secure IDS features provide the following:</font></p>
<ul>
<li><font face="Verdana" size="2">Traffic auditing. Application-level signatures will only be audited as part of an active session.</font></li>
<li><font face="Verdana" size="2">Apply the audit to an interface.</font></li>
<li><font face="Verdana" size="2">Support different audit policies. Traffic matching a signature triggers a range of configurable actions.</font></li>
<li><font face="Verdana" size="2">Disable the signature audit.</font></li>
<li><font face="Verdana" size="2">Enable IDS and still disable actions of a signature class (informational, attack). PIX Firewall supports both inbound and outbound auditing.</font></li>
</ul>
<p><font face="Verdana" size="2">Also we need to log the messages. One is you can enable logging in the firewall  itself and the next thing is you can use a third party software to log the  messages. I would prefer using a third party software because it will not eat up  the memory of the firewall. One good syslog software is Kiwi syslog which is  free to download and easy to configure.<br />
Let us just take a look at the commands that will enable the IDS in the hardware  firewall. &#8220;ip audit&#8221; is the command that is used to enable the IDS in the  firewall.</font></p>
<p><font face="Verdana" size="2">As I have already mentioned that there are two types of signatures. One is  attack and the other one is Info. Each signature is identified by a number.  Below is just is a few list of the IDS signatures supported by PIX.</font></p>
<p><font face="Verdana" size="2">PIX Firewall lists some of the following single-packet IDS signature messages:  1000-1006, 1100, 1102, 1103, 2000-2012, 2150, 2151, 2154, 3040-3042, 4050-4052,  6050-6053, 6100-6103, 6150-6155, 6175, 6180, and 6190<br />
You can disable a signature using this command<br />
</font></p>
<pre><font face="Verdana" size="2">ip audit signature 4050 disable</font></pre>
<p><font face="Verdana" size="2">This will disable this particular signature from auditing. Now let us see how we  can define the info signatures and the attack signatures<br />
</font></p>
<pre><font face="Verdana" size="2">ip audit name attack1 info
ip audit name attack2 attack</font></pre>
<p><font face="Verdana" size="2">I have defined a policy named attack1 which audit the info signatures and  attack2 which will audit the attack signatures. In addition, we can set  different actions to be taken when an signature is tracked or identified.<br />
</font></p>
<pre><font face="Verdana" size="2">ip audit name attack2 attack action drop</font></pre>
<p><font face="Verdana" size="2">This command will drop a connection if it finds a attack signature that has been  found matching by the device.</font></p>
<p><font face="Verdana" size="2">Now after we have defined the attack and the info signatures the next thing we  have to do is to apply to a particular interface. Either you can apply it to the  inbound interface or outbound. The commands that is shown below help in setting  a policy to an interface<br />
</font></p>
<pre><font face="Verdana" size="2">ip audit interface outside attack1
ip audit interface inside attack2</font></pre>
<p><font face="Verdana" size="2">You can foil the attempts of many a hackers if carefully taken considerations of  the follwing things.</font></p>
<ul>  <font face="Verdana" size="2"></p>
<li>Network traffic</li>
<li>Failed login attempts;</li>
<li>Modifications made to the file system;</li>
<li>Applications and services currently running;</li>
<p></font></ul>
<p><font face="Verdana" size="2">There are lots of vulnerabilities that appear on a regular basis. Engineers are  working round the clock to patch the loop holes. Some may be very simple like  dictionary attack while others may be one that can bring the whole network  down. The best way to stop them is to think like them and always be one step  ahead. What I have mentioned here is just basics of implementing network  security using both software and hardware IDS. IDS along with strong firewalls  can provide great security to the Corporate networks.</font></p>
<p><font face="Verdana" size="2"><strong>Reference:<br />
</strong><br />
<a href="http://www.snort.org/docs/snort_htmanuals/htmanual_261/">http://www.snort.org/docs/snort_htmanuals/htmanual_261/</a><br />
<a href="http://www.snort.org/docs/iss-placement.pdf">http://www.snort.org/docs/iss-placement.pdf</a><br />
<a href="http://www.cisco.com/">http://www.cisco.com/</a><br />
<a href="http://www.freeos.com/articles/3496/">http://www.freeos.com/articles/3496/</a><br />
<a href="http://en.wikipedia.org/wiki/Intrusion-detection_system">http://en.wikipedia.org/wiki/Intrusion-detection_system</a><br />
<a href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemint.htm">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemint.htm</a> </font></p>
<p><font face="Verdana" size="2"><strong>About the Author</strong></font></p>
<p><font face="Verdana" size="2">Shyam P. K works as engineer in <a href="http://www.bobcares.com/">Bobcares</a>. He primarily works on  administering cPanel and Linux servers.<br />
</font></p>
]]></content:encoded>
							<wfw:commentRss>https://www.webhostingtalk.com/blog/ids-intrusion-detection-system/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
							</item>
	</channel>
</rss>
