There are too many misunderstandings about VPS systems.
They are definently not more secure than many shared environments and are also just as suseptable to bottlenecking of some system resources and bandwidth.
Security
The client is responsible for securing their VPS server. Yes, most providers advertise “MANAGED” or “FULLY MANAGED” vps servers but that is very misleading and it’s important everyone understands this before they get in over their head.
When you obtain a managed VPS (from nearly any provider), your server will be provisioned from one of the default templates they have previously created. This template will include the OS/control panel/web and other servers/firewall and sometimes other security features like mod_security or suhosin. All of these will be set to basic or default configurations (unless requested otherwise) so they will be compatible with most site types. This is not a fault of the provider because they have no idea what every client will need and every client will have different needs so, these templates must be universal. Some providers like Wiredtree will also slightly tweak the Apache, PHP and MySQL configuration to add a little better general performance but it is still very universal and will not be optimal for every client. It is then up to the client to further optimize, monitor and better secure the server to their own personal needs. Most clients now obtaining VPS systems are not Linux administrators (most of which have no Linux experience) and this is where trouble starts, especially with security.
Clients new to a VPS or dedicated server often think that they are ready to go at this point and will only notice a problem if they see an error on their web site. There is much more that should be done on a new VPS for security and performance improvements.
Back to the basic/default configurations above…
Your firewall will have many options that can be enabled or adjusted and it’s important that you at least know what these options are. Check also that it is running and not still set to config or testing mode!!
mod_security (if installed) has no rules applied by default. You must either enable the default ruleset or add your own custom rules.
Suhosin (if installed) should probably be disabled unless you want to learn its confusing config options.
PHP, MySQL and Apache should all be optimized further to better support your store but these will require knowledge. Most of you already know that default PHP settings do not work with CS-Cart but, there are also MySQL and Apache adjustments that can greatly improve performance.
Check to be sure if any other additional options have been installed that will need additional configurations.
Change the SSH port!!!
The default port 22 is scanned for by every automated bot and you will have 1,000s of brute force attempts daily if not changed. You should also consider disabling root logins and setup a wheel user.
Disable any unused services…
8 ) Make sure you have some sort of automated account backup system…
Many VPS hosts will take daily snapshots of your system but these don’t help you much if you need to restore a single account, file or database. A snapshot will restore an entire VPS and you don’t really want that just to replace a single file you deleted by accident…
There are many other things that should also be done to improve server security but guys like me need need to have something to do. The above will at least get you started out on the right track with a new server.
Everyone using a VPS should also monitor their system and logs very often. The host (if managed) will likely provide service monitoring and restart them if they fail but that is about it. They will not log in to check your logs or research unless you notify them of a problem so, you should be proactive and do this yourself daily if possible. This can help to resolve problems before they become serious.
Another thing normally done by ‘managed’ providers is, they set most services and software to automatically update as needed and this can cause big problems. Very often, new releases (of anything) will have new or different configuration options that you should be aware of prior to adding them to your system. The update may also contain bugs and could break your system until a fix is applied. These updates are normally set to run in the middle of the night so it could take awhile before you even notice a problem. You should run updates manually yourself so you have an opportunity to see what has changed and test the results.
Ok, enough of that stuff
Bottlenecking
Everyone understands that sharing cpu, memory and storage on a single server can be a problem even in a VPS environment especially if the provider is over-selling so I won’t beat that to death.
If the provider is honest you should be getting the cpu and memory resources purchased but you may still encounter bottlenecks with drive read/writes and also throughput. This is because, many VPS clients have a VPS because they’ve outgrown a shared environment and require more bandwidth and other resources. You put 5, 10 or more of these high traffic containers on a single server and their traffic will be fighting over the drive array and single network card they share on occasion. Shared uplinks can also influence bandwidth and is common with most web servers (VPS, Dedicated and Shared).Not only does all traffic on a server share a single NIC but, the uplink itself is also shared with many other servers on the rack/shelf. This is very common because, a dedicated uplink costs MUCH more money monthly. A rack full of average dedicated servers will normally consume much less throughput than a rack full of loaded shared servers sharing an uplink but, a rack full of loaded VPS systems can get even worse.
Another major security concern with VPS systems is if a vulnerability is found within the virtualization system used and also the hosts ability to enforce strong passwords with their staff. It is possible to destroy every virtual server operated by a company if access is gained to the master system that controls them. This has been well proven in the last few years and the worst of which has been the famous Vaserv hacking that took out over 100,000 sites [URL]http://www.theregister.co.uk/2009/06/08/webhost_attack/[/URL]
There have been other similar attacks like with santrex last year but nothing nearly that extreme yet.
Sorry for writing another book here but it is important that some of you (who are not Linux Gurus) understand that a VPS is not a ready to go out of the box solution like your old shared hosting was.
In our opinion the reason hosting has become such an important issue for CS-Cart users is that CS-Cart has become bloatware and excessively resource intensive. As we’ve stated we’re currently with HostGator.com who are among the top hosts in the US.
With CS-Cart 1.3.x not 1 single time did we ever get suspended for resource over-usage. Within 1 week of upgrading to 2.1.4 we were temporarily suspended. We run several 2.1.4 stores and all have been suspended multiple times due to resource over-usage in our current shared environment.
This is why we need to increase the resources allocated to our sites and thereby reduce the temporary suspensions caused by CS-Cart 2.1.x. Unfortunately it’s looking like a dedicated server is the only way to go if we’re to continue using CS-Cart.
I have moved many clients from Hostgator for that same reason but to be fair, some of those stores should not have been on a shared server at all. We have actually migrated more from Siteground and Godaddy than anywhere else so this is definitely not a slam on HG
CS-Cart is very heavy and many budget hosts won’t put up with it because it limits how many clients can be packed on a server.
Define safety. If you mean security or the potential for other sites on a shared system getting hacked and that having an impact on your site. Possibly. But I don’t know of any malware environments that work at the level of the a Linux server versus a site. But I’m sure they exist. And if they exist at the Linux OS level, no reason they couldn’t exist at the VPS controller level too.
Raid implementation is a function of the underlying VPS manager/controller software. It could be that a VPS’s disk configuration is associated with a Raid controller and another’s is not. Not sure. Make sure your host is providing you hardware RAID and not software RAID if you expect disk performance (/etc/mount will tell you).
But if you have Raid requirements and that degree of fail-over protection, I’m surprised you’d use anything but a dedicated server that you could fully control and tune appropriately.
Also, many hosts assume that if you want a VPS that you are qualified to administer an operating system in addition to Apache, PHP, etc.
Not trying to disuade anyone, just want folks to be aware that the issue lies more in the integrity of the hosting provider than in the technology used.
… but to be fair: don’t search for a provider with 99.9% uptime and don’t switch over the the web hosting offers and “thoughts” just because your site is going down. Everyone will get a downtime - now or later… There isn’t a 100% uptime even for clouds…
[quote name=‘S-Combs’]I have moved many clients from Hostgator for that same reason but to be fair, some of those stores should not have been on a shared server at all. We have actually migrated more from Siteground and Godaddy than anywhere else so this is definitely not a slam on HG
CS-Cart is very heavy and many budget hosts won’t put up with it because it limits how many clients can be packed on a server.[/quote]
Martfox has moved more then 50 CS-Cart customers to their servers as well, but the reason wasn’t the “heavy” coding - just they were not able to configure their servers to work with CS-Cart.
[quote name=‘colortone’]indy0077, the cscart demo linked in your credits, took 7.7s to load in pingdom. Is this on USA shared server?[/quote]
“My Pingdom” test says 3.4 s. Probably the results depend on how busy the ping server is at the moment and on the current netwok queries. It’s on a UK server.
Here you can see 3 tests within 10 minutes: two from Pingdom and one, from another multiple pings over the world (see the screenshots).
[QUOTE]In our opinion the reason hosting has become such an important issue for CS-Cart users is that CS-Cart has become bloatware and excessively resource intensive. As we’ve stated we’re currently with HostGator.com who are among the top hosts in the US.
With CS-Cart 1.3.x not 1 single time did we ever get suspended for resource over-usage. Within 1 week of upgrading to 2.1.4 we were temporarily suspended. We run several 2.1.4 stores and all have been suspended multiple times due to resource over-usage in our current shared environment.
This is why we need to increase the resources allocated to our sites and thereby reduce the temporary suspensions caused by CS-Cart 2.1.x. Unfortunately it’s looking like a dedicated server is the only way to go if we’re to continue using CS-Cart.[/QUOTE]
Hello Paul,
We have been running a Hostgator Level 3 VPS with CS-Cart for nearly two years now and they have been nearly flawless, no complaints whatsover & our site speed is consistently as fast as 98% of any CS-Cart sites I have ever visited.
However, let’s face it, CS-Cart is a very feature rich platform and will never run well on an overloaded shared hosting environment, nor would I ever expect it to. Nothing wrong with Hostgator, you just may need to bump up your hosting plan a notch.
We have been running a Hostgator Level 3 VPS with CS-Cart for nearly two years now and they have been nearly flawless, no complaints whatsover & our site speed is consistently as fast as 98% of any CS-Cart sites I have ever visited.
However, let’s face it, CS-Cart is a very feature rich platform and will never run well on an overloaded shared hosting environment, nor would I ever expect it to. Nothing wrong with Hostgator, you just may need to bump up your hosting plan a notch. ;)[/QUOTE]
Thanks that’s good to know. How many CS-Cart 2.1.x sites are you running on Level 3? The reason is we have 4-5 CS-Cart 2.1.4 sites and they’re suggesting we should go with Level 4 or 5.
Wow, this has turned out to be a very educational thread! I love it!!
It is an interesting thought. To VPS or not to VPS? We actually use shared and VPS but it depends on the site/traffic. We have tried the sites with more traffic on shared servers but have not had very good results. Even on optimized servers intended for CS-Cart we saw issues. Likewise, we have ran in to issues on the VPS packages. So bottom line is it requires time, whether you are on a shared, VPS or even a dedicated server.
As long as you are purchasing a slice of someone else’s machine, you are succeptable to their decisions on how to load the machine. It is their system and you are buying a piece of it (whether it’s a shared virtual server or a VPS). Hence, other sites on the server can always impact the performance of your site (I.e. out of your control). That’s just the way it is.
So again, it’s more about the integrity of the host than anything else.
If you’re not happy about the performance of your store at your site, first contact your provider, express your concerns, back it up with data and give them a chance to respond. It is always easier to keep a customer than find a new one.
[quote name=‘mayanetwork’]Thanks that’s good to know. How many CS-Cart 2.1.x sites are you running on Level 3? The reason is we have 4-5 CS-Cart 2.1.4 sites and they’re suggesting we should go with Level 4 or 5.[/QUOTE]
Hello Paul,
Only running one site at this time. Hostgator makes it very easy to switch between their VPS plans, so if you are on a somewhat tight budget, you could start with a Level 3 or 4 and run your sites for a period of time to check actual performance, if you are not satisfied, then bump it up another notch. It just depends how big your sites are and many visitors they are getting. Personally, I will not try to run our site on low resources in an attempt to save 10-20 dollars a month, simply not worth it for us & I want extreme performance, always, or I will quickly make the necessary changes to get it.
Only running one site at this time. Hostgator makes it very easy to switch between their VPS plans, so if you are on a somewhat tight budget, you could start with a Level 3 or 4 and run your sites for a period of time to check actual performance, if you are not satisfied, then bump it up another notch. It just depends how big your sites are and many visitors they are getting. Personally, I will not try to run our site on low resources in an attempt to save 10-20 dollars a month, simply not worth it for us & I want extreme performance, always, or I will quickly make the necessary changes to get it. ;)[/QUOTE]
I agree that making a hosting decision for a $10-$20 savings is not our goal. Our #1 goal is to stop our CS-Cart 2.1.4 sites being suspended caused by CS-Cart’s resource over usage; even with SmartOptimizer I might add.
Google penalizes sites that go down often and therefore our rankings decrease and consequently our sales and most importantly if our site is down we’re obviously not making any sales.
Secondly we would like an increase in performance that the VPS allocated resources give us such as a Level 4 or Level 5 VPS. The other issue that’s not really been brought up here is that most VPS servers are managed by the host. Many replies here imply that you require a certain level of server knowledge if you want a VPS plan.
HostGator’s VPS plans are all managed by them but you do get all the root access and other server control items mentioned here but I just wanted to clarify you don’t have to use root access or adjust your server settings if you don’t have the server knowledge or desire to do so, at least to my knowledge. Feel free to correct me if I’m wrong.
HostGator’s VPS plans are all managed by them but you do get all the root access and other server control items mentioned here but I just wanted to clarify you don’t have to use root access or adjust your server settings if you don’t have the server knowledge or desire to do so, at least to my knowledge. Feel free to correct me if I’m wrong.
[/quote]
Suggest you re-read S-Combs excellent description of where the host provider leaves off and the responsibility of the site owner comes in.
If you want a secure site that is optimized, then yes, you need intimate knowledge about Linux, Apache, PHP, Firewalls, etc. If you want a clone of a common “container” with standard port access and all the other “general configuration options” then by all means, just purchase a container and keep buying bigger and bigger ones as time goes on. If you reduce the common attacks like SSH, FTP, SMTP, etc. then you will have more resources availabe for delivering your content rather than responding to bogus requests.
[quote name=‘tbirnseth’]Suggest you re-read S-Combs excellent description of where the host provider leaves off and the responsibility of the site owner comes in.
If you want a secure site that is optimized, then yes, you need intimate knowledge about Linux, Apache, PHP, Firewalls, etc. If you want a clone of a common “container” with standard port access and all the other “general configuration options” then by all means, just purchase a container and keep buying bigger and bigger ones as time goes on. If you reduce the common attacks like SSH, FTP, SMTP, etc. then you will have more resources availabe for delivering your content rather than responding to bogus requests.[/QUOTE]
Here’s what HG describes as “Managed”:
“What does Fully Managed mean?
For our clients that decide to add a control panel (cPanel) to their Virtual Private Servers we offer fully managed support. Fully managed support means that we will handle just about any issue or configuration request you may have with your server outside of custom software/script installations (ex: ffmpeg+mplayer+mencoder). Some examples of things covered by our fully managed support may include but are not limited to:
Security audits.
Load problems or sluggishness.
Network related issues.
Failure of server to boot.
Hardware failures
Package installations via package manager (yum,rpm).
And here’s what they’re offering in terms of specs and pricing: [url]http://www.hostgator.com/vps-hosting/[/url] . Forget for a moment whether or not it’s a good idea to go with VPS, does there VPS setup look good and competitive to other well known host’s VPS plans?
we will handle just about any issue or configuration request you may have
[/quote]
Yep, so you need to know enough to know what to ask for. My comments are not specific to any hosting provider so there’s no hammering of any one. If you don’t know enough to ask for what you need then you will get what you get out of the box.
