A Collective Blog of Commenters

Agreed. This is one of the huge benefits of hacker spaces.

Could you recommend good writing about servers with a ratio of maybe 25% “recipes” and mostly concepts?

I really picked up just about all I know in that realm through doing. Having projects I wanted to accomplish, and then ferreting out the information I needed to make them happen.

If you were looking for security, low level network protocol, or possibly specific programming languages, I could make “dead tree” reading recommendations.

3 Likes

Thank you.

No mentor or group of buddies to help after you’d gotten the theory?

I can find a lot of examples. It’s harder to find something readable for the background. I need the history and background.

Without a context, none of it sticks for me.

I think you have some misconceptions about what’s involved in sysadminning that are going to make things a lot harder for you. When you’re running a server, you’re running some sort of server (Linux/Win/Solaris/etc). Assuming you want to run a Linux server, that’s still really generic. If you know what services you want to learn (httpd, some RDBMS, some app/lang. runtime, etc.) then you’ll have things narrowed to the point that it’d be easier to point you in a better direction.

I’d really suggest at least 75% hands-on time, 25% study that’s not hands-on, though, with that focused on security hardening, best practices, configuration, profiling, optimization, and troubleshooting/diagnostics for whatever services you’re learning. There’s really not that much to the theory, but there really is a giant heap of details you’ll only learn with a lot of hands-on time. Understanding the UNIX philosophy’s cool, but it isn’t going to get your broken httpd redirect working, tune a database, or help you do much of anything. It’s like learning to play a musical instrument or paint: reading about theory is valuable, but you need most of your time to be hands-on practice if you really want to learn.

4 Likes

Oh yeah, this, a thousand times this. Constant vigilance is necessary, and learning on the job isn’t really an option for a live system.

I consider myself fairly expert at maintaining web sites (I maintain and admin several sites, including a large one that gets attacked a lot) and I got nailed good this weekend on a new site that I hadn’t totally secured because it wasn’t live yet and I was still messing around with it. Fortunately the folks at Dreamhost were on top of it:

We have recently scanned one or more users on your DreamHost account for potential security threats. Unfortunately, we found some potential indications that your website(s) *may* be compromised.

We understand that this may not be the best news you can get. This notification is intended to help you through the process and serve as a starting point to assist you in getting your account cleaned and secured.

While we won’t be able to complete these processes for you, if you have any questions about the items that follow please don’t hesitate to reply to this email and we will be happy to clarify any points or offer any further guidance to help you through getting your account back to normal.

We have identified attacker-added malicious content, which may include malware such as backdoor shells, adware, botnet, and spammer scripts. The following file(s) specifically have been identified as attacker-added malware. These files have been DISABLED by setting their permissions to 200 (Owner write-only). These files should be audited and either replaced with known good versions or, if not legitimate site components, removed altogether.

The problem turned out to be a zero-day via a compromised WordPress theme.

5 Likes
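The host’s email above describes a manual procedure: identify attacker-added files, disable them with mode 200 (owner write-only), then audit and replace with known-good versions. As an added example that is not part of this thread or of DreamHost’s tooling, here is a small Python script that does the same thing against your own baseline: build a SHA-256 manifest of a clean copy of the site, diff a live tree against it, flag added or changed PHP files that carry common webshell markers, and quarantine them with the same 0200 mode. The file names, directory layout, and the “backdoor” planted in `demo()` are constructed for the example; the marker list is a heuristic, not a malware signature.

```python
import hashlib
import shutil
import stat
import tempfile
from pathlib import Path

# Same mode the hosting provider used to disable files: owner write-only.
QUARANTINE_MODE = 0o200

# Heuristic byte patterns common in PHP webshells (assumption: a hit is a signal, not proof).
SUSPICIOUS_MARKERS = (
    b"eval(base64_decode(",
    b"eval(gzinflate(",
    b'preg_replace("/.*/e"',
)


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads don't get read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256; run this on a known-good copy."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def audit(root: Path, manifest: dict) -> dict:
    """Diff a live tree against the manifest: files added, modified, or missing."""
    live = build_manifest(root)
    added = sorted(set(live) - set(manifest))
    missing = sorted(set(manifest) - set(live))
    modified = sorted(p for p in live if p in manifest and live[p] != manifest[p])
    return {"added": added, "modified": modified, "missing": missing}


def looks_like_webshell(path: Path) -> bool:
    """Cheap content check to prioritise what to look at first; read before quarantining."""
    data = path.read_bytes()
    return any(marker in data for marker in SUSPICIOUS_MARKERS)


def quarantine(root: Path, rel_paths) -> list:
    """Disable files the way the host did: chmod 200 so the web server can no longer read them."""
    disabled = []
    for rel in rel_paths:
        (root / rel).chmod(QUARANTINE_MODE)
        disabled.append(rel)
    return disabled


def mode_of(path: Path) -> int:
    return stat.S_IMODE(path.stat().st_mode)


def demo() -> dict:
    """Constructed scenario: a clean install, then a live copy with a planted backdoor and a tampered theme file."""
    work = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    clean, live = work / "clean", work / "live"
    theme = Path("wp-content") / "themes" / "example"
    (clean / theme).mkdir(parents=True)
    (clean / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (clean / theme / "functions.php").write_text("<?php // theme functions\n")
    manifest = build_manifest(clean)  # baseline taken from the known-good tree

    shutil.copytree(clean, live)
    # Attacker-added file (constructed sample for the example, not real malware).
    backdoor = live / theme / "wp-cache.php"
    backdoor.write_bytes(b"<?php eval(base64_decode($_POST['c'])); ?>\n")
    # Legitimate file tampered with: hash changes, no marker hit.
    (live / theme / "functions.php").write_text("<?php // theme functions\n@include '/tmp/.x';\n")

    result = audit(live, manifest)
    suspects = result["added"] + result["modified"]
    result["webshell_hits"] = [p for p in suspects if looks_like_webshell(live / p)]
    result["disabled"] = quarantine(live, suspects)
    result["disabled_mode"] = mode_of(backdoor)
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

In practice the manifest should come from a fresh copy of the same WordPress, theme and plugin versions (or the backup you would restore from), not from the live tree, and “modified” hits in files you never edit (core, theme templates) deserve the same suspicion as added files even without a marker hit.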

That’s why I think having a project oriented approach can be helpful. Having a system to set up (virtual or physical) and goals in doing so, are going to cement things in your head far quicker than reading theory. You’ll wind up doing quite a bit of the reading along the way, while you’re trying to solve problems.

Don’t get me started on WordPress. 🙂

4 Likes

Why, what’s your issue with it? What do you prefer and why? I like WordPress; it’s hugely popular, easy to use, completely configurable, and works great for high-volume sites. It’s easy to install and there’s tons of help available online. Most hosting companies are extremely familiar with it. There hasn’t been a serious attack on WP itself in quite some time.

In my case above, I deliberately and knowingly installed a sketchy theme that wouldn’t have survived past go-live, and I didn’t secure it. Entirely my fault. I was stupid and lazy, and I know better. It was not at all a complicated fix. I nuked the site (overkill, but you know the saying about the only way to be sure), restored from my backup, and was back in business in an hour, and that included half an hour of watching to make sure the bad guys didn’t get back in.

1 Like

If you’re talking about hosting with WordPress themselves, then yes.

Why, what’s your issue with it?

I’m a security guy, most people implement it poorly or don’t patch frequently enough, and there’s at least one new vuln every week.

I wasn’t making the comment from the standpoint of someone who runs software of that nature, so much as from the perspective of someone who is constantly having to tell people why their s*** is broken.

4 Likes

Ah, ok, gotcha. I’d agree that it’s a victim of its own success. Popularity both breeds attacks, and amateurs writing plugins. Dreamhost obviously deals with it often enough that they have scripts and email templates already prepared! 😄

What do you think is a more secure blogging platform to use with commercial hosting?

3 Likes

You guys, while I’d be pleased to carry on pointing out issues with WP, pointing out resources for some kinds of sysadminning, and related, maybe @hello_friends would like to split this to a separate topic, since this thread already has a lot going on with planning, and adding this tangent might start overloading it a bit more than it needs to be.

5 Likes

Sorry, I’ve gone a little off-topic here, but I’d prefer to stay in this thread. Among the things I’m working on is becoming expert in Discourse so we can plug it into whatever platform we end up with. I’ll shut up now. 😉

3 Likes

What did I tell you? 😉

4 Likes

Thanks to you, @tropo and @RatMan for your generous comments! 😺 I agree that pausing discussion of this question in this thread is appropriate. Blog, onward!

3 Likes

#Blogward, ho!

So when do we want to do a realtime netmeet-type-conference-ish discussion thing?

@waetherman?

7 Likes

Holy crap, you mean all you other guys are real people? That’ll be awesome and weird.

5 Likes

Whoa-ho-hoooo! Hold on there! That’s not what I said or implied. I was expecting hand puppets.

8 Likes

I’m all for having a “meeting” whatever that looks like. Given the nature of this conversation and the people involved, I’d say we should do a slack session. I’d be happy to moderate. I think a realtime discussion of the general items we’ve outlined above would be more useful than this back-and-forth asynchronous conversation at this point, though I think this brainstorming has been very valuable.

The biggest issue that I see is that I think there’s still wide disagreement about the format: some here think that this is going to be a site for them to air their long-form articles, while others are advocating for more short-form blog. The centrality of the commentary, the whole raison d’être IMO, seems in limbo. We’re going to have to resolve this, I think. For this to be a site that is in any way cohesive, it can’t be all things to all people. I’d rather see us pick one format and do it well than be a random assortment of content and styles all thrown together. If that means that I’m not part of this project, I’m fine with that.

But until that decision is made, I’ll keep on convenin’. I think a weekend session makes the most sense, because some people have day-jobs and might not otherwise be able to participate, but I’m open to a weekday session as well. No time is going to make everyone happy, but let’s pick something that will work for most.

If people want to participate, send me via DM the following:

  1. email address
  2. time zone
  3. time available; can you do weekday during “working hours” or are you only available late/weekend

I’ll take everyone’s info and try to come up with a live meeting time that makes sense. If anyone has a preference for something other than Slack, tell me what and why.

4 Likes

I actually envisioned a hybrid model, but I feel like this format isn’t conducive to decision making, so I’m happy to move to slack with these things undetermined.

3 Likes

Agreed.

Plus those are options that don’t have to be finalized until we’ve experimented a little, and we don’t even have to choose between them necessarily. We could do sub-blogs, multiple entry points with different aggregations, and so on. The suite of options is kind of huge.

Heck, I’m not even sure if I formed a strong opinion on the subject I wouldn’t change my own personal preference when I saw things in action.

I wouldn’t discount this idea out of hand at all. I look at Seed Magazine’s ScienceBlogs as a great model for multiple blogger crosstalk before the Great Science Blog Crisis of ~2009. But that site had good cross-pollination.

1 Like

Returning the favor of the sysadminning advice I received from @nemomen, @RatMan and @tropo, I’ll pass along this thought about setting a meeting with busy people who live and work far away from each other.

Once there’s an email address (or suitable contact info), use a method that works like Doodle Poll to set the meeting instead of asking everyone to send their available times.

With all the hacker mutants here, a FOSS tool would be nice. I also wonder if the boingboing polling feature here couldn’t be adapted to do what Doodle Poll and similar apps do. Maybe even VoIP or group chat with a transcript for the meeting too?

Maybe that was already the plan or slack can do that stuff. If so, never mind. 🙂

2 Likes