Always Get Better

Posts Tagged ‘programming’

5 Ways to Keep Your Web Server Secure

Tuesday, September 19th, 2017

Equifax recently revealed that they were hacked and exposed the personal information of over 143 million people. You may not be sitting on such identity-theft rich material, but keeping your server secure is absolutely a must for any business. Fortunately it really isn’t very hard to achieve and maintain a decent level of protection.

1. Hire a Competent Developer

Cloud computing makes web servers super accessible to everyone; unfortunately that means it’s really easy  to get a website running and get a false sense of security thinking everything is right when it’s not. A lot of developers claim they can do it all for you when all the really know is how to install Apache but not how to lock it down.

A good giveaway is: If your developer can’t get by without using a gui tool or web interface to set up and administer the website, they don’t have any business on your server. These are great tools for setting up local development environment but they take shortcuts to make things more convenient for the user – not to improve security.

So if your guy doesn’t have deep command line knowledge and the ability to work without these tools, fine. He’s still a great developer, he can build  you a secure website following all the security best practices. He just doesn’t have any business touching your web server; have someone else set up the “live” environment.

2. Lock Down Ports

When you’re setting up a web server, lots of supporting programs get started that don’t directly affect your website. Things like email, ICMP, DNS, time and DHCP are important to keep the system running but have no business leaving the local network. Everything that you don’t absolutely need to access should be locked down. No access except from inside the server.

Web services like Apache and nginx are specifically designed to prevent people from using them as attack vectors to control your system, and they get compromised routinely. MySQL has no chance at all – don’t open it to the outside world… ever.

3. Separate Database Servers

It’s super common to find database servers improperly configured so they become a major security hole. On MySQL, most people don’t know to add users better than “GRANT ALL PRIVILEGES ON x.* TO y@z;”. Since the SQL server itself is often running with elevated system access, it only takes a single unsecured query to let people create files wherever they want on your server.

The easiest way to prevent this from affecting your websites is to move SQL to another server. Not only do you get the bonus of having a machine configured exclusively for web work and another exclusively for DB work, but bad things happening on one won’t mean bad things happening on the other.

4. Keep Up With Software Patches

If you want to keep your server secure, keep it updated right away when vendors release updates for their software.

In a world full of zero-day exploits, any software with a security update is definitely a risk. Maybe even part of a malware package being sold in some dark corner of the Internet.

Don’t be a victim, keep your server secure by keeping it up to date.

5. Enforce User Permissions

One of the most compelling reasons to use Linux traditionally has been the strong separation between services using user permissions. Even Windows Server supports it these days.

If you’re using PHP, don’t use Apache’s modphp, use php-fpm. Set up your pools to give each website its own user. Again it’s all about compartmentalization. Bad things will happen and a good sysadmin makes sure the damage done by those bad things gets contained to a small area.

BONUS #6: Keep Your Server Secure by Never Logging In

Never allow yourself or anyone else to log into the web server.

There’s no reason for it. If you need to deploy a website update, use a CI tool like Jenkins. If you got rooted, trash the server and launch a new one.

People make mistakes, people forget about config changes, people can’t be trusted. You don’t need to worry about password scheme, RSA keys, iptables goofs or any of a million common problems if you just acknowledge the human risk factor and remove it from the equation.

When we move to programmed servers, we make it easier to bring new people on board, faster to verify and test new software versions, more repeatable in the case of a data failure, and more secure across our entire network. Don’t make humans do the work of computers, automate all the things!

How to Win at Work

Sunday, April 17th, 2011

It isn’t really hard to do well in a job; you just have to apply yourself and put the work first. Just like during the interview, your boss or employer’s motivation is not to give you a hard time or to make your life difficult; all they really want is to get the work done and make money.

A lot of employees seem to approach their job the same way they approached high school: as an institution with fixed rules and authority figures. In this mindset, the best way to succeed is by doing what the teacher (boss) dictates to the minimum acceptable level. Over time, it is possible to rise to the top on the merits of “years of good service”.

Let’s be honest with ourselves: there is surely a more fulfilling way to spend the majority of our day.

Fail Fast
If we look at the best, most successful entrepreneurs, we’ll find a list of failed companies leading up to their home run enterprise. Good entrepreneurs know that there is no secret to success – it is necessary to keep trying and learning from failures until we finally reach our goals. The best thing we can learn is to fail fast so we can move on to success faster.

This flies in the face of the ordinary way of thinking which is to avoid failure. Failure hurts, but if we can learn to accept it, we can open the way to more resounding success.

Do It On Your Own Time
Your boss does not care about your personal growth. As a programmer, the company is not obligated to teach you the newest programming technology. The company is interested in turning a profit, and in order to afford to pay an employee, they need to earn several times the cost of that employee in order to maintain profitability.

So how do you get new skills and remain relevant in a changing work environment? You need to study and learn, especially during your free time. Not sure what you should be studying? Read job boards – you will get a feeling for what is trending and what skills are in demand. You don’t have to be job seeking, but having a polished resume and portfolio will keep your mind sharp and improve the quality of work you already deliver.

Make the Boss Look Good
While you’re busy learning all your new languages and technologies, the boss is responsible for making sure work gets done and that profits are earned for their boss. So what’s the best way to get bumped up in line for that next promotion? Make your boss look good.

If you are pulling your weight plus more, your boss will look more effective, which will raise everybody’s boat. The best way to get noticed is by being responsible for everyone’s success. But wait – didn’t we say to embrace failure? By failing early and fast, we set ourselves up for our greatest successes. Don’t settle for status quo – always get better.

Memcache as MySQL’s Hero

Sunday, April 10th, 2011

It’s hard not to love memcache. As soon as you manage a web site that has more than a few concurrent visitors, the performance benefit of caching becomes immediately obvious. MySQL is a fast database and can outperform a lot of its competitors, but no matter how quickly it can pull results it can never outperform the retrieval speed of the server’s RAM.

The basic premise is: instead of pulling a model out of the database, see if it has already been loaded into memory by checking a key-value diction (for example: User5677). If the user has not been read from the database yet, the key-value store will be empty and we can fetch the record. Next time we need that data we check the key-value again and avoid querying the database.

This really saves us whenever we have data that changes infrequently. Take, for example, an ecommerce website: since the products and categories on the site will change very rarely, it makes a lot of sense to store them in memory for fast recovery. Even more volatile information (like user data) can be stored in the cache, as long as the application knows to empty that cache key when the data gets changed.

Memcache is an ideal tool for managing these kinds of caches, and provides a lot of flexibility for growth.

History Lesson
Earlier this week I promised to go deeper into memcache’s origins. Memcache was originally developed at Danga as a way to reduce the database load and improve the speed of LiveJournal.

Rather than developing a standalone server application, Danga’s engineers designed memcache to sit on lower-end hardware and on web servers where it would use a small amount of the overal memory. Memcache instances don’t talk to each other: the client machines are aware of all the memcache instances and attempt to write their information evenly to each. This allows memcache to scale almost limitlessly without adding significant overhead to the caching process.

When to Use
Quite simply: if you’re building an application for the LAMP stack, build in memcache support. When treated as a necessary component from the beginning, caching support adds almost zero overhead to development; however it will always pay off as soon as real world traffic is coming to your site.

Display Class Objects in CheckedListBox

Sunday, March 28th, 2010

If you want to use anything more complex than a list of strings in a ListBox, you’re in luck because the control accepts all types of objects.

Custom Objects (Blog Posts) Displayed in a CheckListBox

Custom Objects (Blog Posts) Displayed in a CheckListBox

In this case, I want to display a list of posts found in a blog. Blog is a class which contains Posts, an array of Post classes. To start, I created the CheckedListBox in the form designer, and I add the posts to it like this:


If I do nothing else, the ListBox will call the Post’s ToString() method and will display as:


We have two options for displaying this correctly:

1. Override the ToString() method. I don’t recommend doing this because ToString() is much more appropriately used in a debugging context.

2. Add a string converter: This will automatically convert each post object to a usable string when called by an object like a ListBox. ListBox uses Convert.ToString() – this uses that converter more appropriately. ToString() should only be used as a fallback.

// Use System for the Type object
using System;
// Use ComponentModel for the TypeConvert base class
using System.ComponentModel;

namespace SiteAssistant.Blog
    /// <summary>
    /// Converts a post into a list-friendly string, for checkbox lists
    /// </summary>
    class PostConverter : TypeConverter
        /// <summary>
        /// Indicates whether the Post can be converted to a destination type
        /// </summary>
        /// <remarks>
        /// We only support conversions to STRING at present
        /// </remarks>
        /// <param name="context"></param>
        /// <param name="destinationType"></param>
        /// <returns></returns>
        public override bool CanConvertTo(ITypeDescriptorContext context,
            Type destinationType)
            if (destinationType == typeof(string))
                return true;
                return base.CanConvertTo(context, destinationType);

        /// <summary>
        /// Converts the post to the destination type. If the destination
        /// type is not supported, the base Conversion is applied.
        /// </summary>
        /// <remarks>
        /// We only support converting posts to strings at present.
        /// </remarks>
        /// <param name="context"></param>
        /// <param name="culture"></param>
        /// <param name="value"></param>
        /// <param name="destinationType"></param>
        /// <returns></returns>
        public override object ConvertTo(ITypeDescriptorContext context,
            System.Globalization.CultureInfo culture, object value,
            Type destinationType)
            if (destinationType == typeof(string))
                string text = "";
                Post p = value as Post;
                // Ensure that the Post is not null, avoid errors
                if (null != p)
                    text = p.Title;
                return text;
                return base.ConvertTo(context, culture, value, destinationType);

The code we write in .NET is like the meat inside a sandwich. The framework is the bread that wraps around our logic and keeps our application together. Our new Posts string converter will be called by the application without us needing to override the Convert function.

It doesn’t happen by magic of course. The final change we have to make is to add information about our conversion function to the posts class:

    public class Post
        // Rest of the code goes here

That’s all there is to it! Now we can pass a list of Posts to the CheckedListBox and manipulate each item directly. In this application, I will be using this technique to provide the Post object to the text editor with a double-click.

Google Launches Its Own Programming Language

Thursday, November 12th, 2009

Google has taken another step toward world domination with the launch of an experimental new programming languages aptly named “Go”. Go promises to pick up where C and Python left off, providing programmers with a new garbage-collecting low level languages suited to efficient server programming.

I spent the better part of last night looking for a way to get Go‘s tool chain to run under Windows using Cygwin. Unfortunately the tools can’t be created; even if they could, they would produce binary files which would be unusable within Cygwin/Windows due to their low-level nature.

If you are a Windows programmer hoping to give Go a try, your best bet is to download the andLinux distribution – this is a native Linux distribution that runs similar to a virtual machine under Windows. Once you have set it up, go to the Installing Go page for instructions on getting started with the new language.

Speeding up Report Calculations

Saturday, October 10th, 2009
Get Yourself Out of Debt
Creative Commons License photo credit: faungg

When creating reports that are calculation-heavy, it’s tempting to create functions like ‘calculatePercent()’ or ‘calculatedMedian()’ so the correct numbers are available on demand.

Sounds good and convenient, but what happens when you have 100 different calculations to make across 50,000 data records? Each report will take 5 million passes to generate. That could take a long time especially if there are multiple reports being generated.

DRY – Don’t Repeat Yourself

Fortunately, the solution is straightforward. Rather than passing through those 50,000 records 100 times (once for each percentage needed), create an array for your values and calculate ALL of them in one shot. Then, just have calculatePercent() and calculateMedian() call from that array. Sounds simple, and it is as the pseudocode below shows:

for each record:
for each value:
valueList[value].append( record[value] )

Looking Out My Back Door 2008

Wednesday, December 31st, 2008

Good-bye 2008, you have been good to me. Over the course of the past 12 months I have learned a great deal about who I am and what I can accomplish, leaving me in fine form to hit the ground running in 2009.

Thank you for taking the time to visit my little piece of cyberspace and commenting on some of what I wrote. The discussions were always respectful and informative; there are a lot of smart people riding the intertubes.

I’d like to take a moment now to stop and reflect on the last 12 months before starting the New Year.

I started this blog early in January, and skipped all formalities by jumping into a discussion about difficulties I had been experiencing with Google. I still think that was a good choice – I want to avoid making a big deal about this blog (except for occasional posts like this one, obviously) and starting off with the solution to a problem I had been facing was the perfect way to start splashing in the blogosphere. For the remainder of the month I discussed solutions in ASP.NET and the joys of working from home, both subjects which I had a great deal of experience with being simultaneously a full-time student and a full-time programmer.

My studies shifted to bizarre Java tricks and database connection tips in February, yielding one of my more popular articles about correctly using the memory management capabilities in C# to properly control database connections in ASP.NET. I am particularly proud of that article because it represented a step forward for me in the way I am able to communicate my ideas, not to mention it solved some of the more frustrating programming problems I had been having at the time.

In March my writing took a bit of an ironic tone, starting with my discovery of Google’s “bad page” warning. My writing suffered as I was unfortunately busy with everything from moving into a new home, to end-of-year college projects, to a massive assignment at work, and launching a second blog. As a result Always Get Better stagnated slightly, however the traffic continued to grow.

April saw a return to writing about useful tech tips and obscure programming knowledge. I also wrote the blog’s most popular article to date about methods for closing forms in C#; it still generates confusion and misunderstanding so I may revisit the concept in a more detailed article in the New Year. SQL tricks and platform differences were a big deal as well and will continue to be moving forward since I absolutely love SQL.

I realized that perfection was not a destination but rather a road to be followed halfway through the year and as a consequence started to take myself less seriously. My biggest time waster in May was in finding solutions to simple ASP.NET problems so I made more effort to publish those as I went along.

June was another bad month for blog posts. I only ended up posting a single token snippet referencing parse optimization in SQL on the final day of the month. Lame.

July was an incredibly busy month at work but I managed to post while I went through the pain of switching to Vista

The stress of July led me to reminisce about the time I once wasted playing MUDs. August was a month of ASP.NET issues, Internet Explorer oddities, and a positive change in my thinking about the future of this blog.

In September I had a paradigm shift in my perception of Flash as a programming platform with the discovery of Flex Builder 3. I have learned so much about this tool since those early days and am eager to share some of the knowledge I gained in a series of upcoming posts.

The lights went out on Always Get Better in October. This was a dark month for a number of reasons but I can’t make any excuses for not posting at all. One thing I did realize during this month was the need to back off some of my other projects and focus more energy on my writing online. By this time next year I hope to be earning enough from my blogs that I can afford to spend a greater portion of my time working with them.

November was a month of Flex, Adobe woes, a change in providers, Drupal databases, Drupal layout, and Drupal administration. I launched a second blog – this time politically-related – with help from my brother which has taken off at an alarming rate.

This month was the real eye-opener for me. With so many feeds and connections opened up to me, I feel as though I am watching the recession unfold in slow motion; but I don’t necessarily feel any more informed. Blogs often feel like the same news regurgitated and wrapped in commentary which is a great way to form opinions on issues but not necessarily a great way to understand the complexities of those issues. In my own work, I hope to teach as much as to give opinion – I leave the real journalism to the journalists and pillars of media like the New York Times. Although they claim to have a leaky boat I think they will weather these rocky waters just fine and be prouder for it.

2009 and Beyond
I am endlessly optimistic about the new year and experiences it will bring. I will do my best to make this blog better and will continue the network-building activities I have started this year. My greatest failure in 2008 was not promoting this site very much – in the New Year I will get the word out. Hopefully the items I write will be of use to someone out there. With any luck they might even pop a note in the comments to let me know I was able to do a decent job.

Thank you for sticking with me through this year, and I look forward to an interesting New Year!