CleanTalk anti-spam WordPress Plug-in Review

I’ve been running this blog for a number of years (since 2009), and one thing that really irks me is the amount of spam comments my blog gets. I use comment moderation (sorry for sometimes being way behind in moderation, BTW), so my blog isn’t full of spammy comments. Spammy contact-form emails happen as well. But the spam can obscure real comments that I need to moderate. For example, over the last few years my blog has received over 9,500 spam comments:

Needless to say, I’m not manually reviewing/deleting 9,638 comments! I’m starting up a parallel photography site on WordPress, and thought it was about time to find a new anti-spam solution. I had previously been using Akismet, which clearly was not doing a good job. In fact, I would call it a poor to very sucky job. After some research, I found CleanTalk. Reviewers said it was much better than Akismet, which was music to my ears.

I disabled Akismet and installed CleanTalk. I gave it approximately a week, to see how well it did. It’s vastly better, and blocked more than 4,600 spam attempts. Only 4 got through and that was before I enabled the SpamFirewall option.

Since enabling the SpamFireWall options, I haven’t had any slip through! Yippee! While I don’t expect any solution to work 100%, CleanTalk is a most significant upgrade and well worth the small fee. Speaking of fees, yes, it’s not a free service. Depending on the number of sites, number of years, and their add-on packages, it still is quite the value. For example, I did 3 web sites for 3 years and it was a whopping total of $38.

They do have a mobile phone app as well, but frankly, don’t bother. While I appreciate their attempt at adding a mobile dashboard, it’s pretty pathetic. And, it’s not like you need to routinely access the service. So for me, it’s just a set it and forget it service and ditch the mobile app.

If you run a WordPress site and are tired of spam, give CleanTalk a try. It has a free trial period, which proved to me that it works as advertised and lives up to the positive reviews.

Enabling HTTP Strict Transport Security (HSTS) For WordPress

If you are a WordPress site administrator, one of the things you can do to improve SEO results and security is secure your site with SSL. Yes, even if you aren’t doing transactions like ecommerce, PayPal, etc., using SSL is still recommended. Depending on your WordPress hosting company, they may even have free SSL certificates for you to use. But there are different flavors and configurations of SSL that can improve or detract from your security posture. One feature that was recently brought to my attention is HTTP Strict Transport Security, or HSTS.

HSTS, in short, is a response header (Strict-Transport-Security) that tells your browser you only want it to use (and enforce) SSL connections to your site; attempts to downgrade to unencrypted communication are refused. It is a setting that you configure on your WordPress site, and it is not enabled by default (that I’m aware of). Since SSL configuration can be tricky, and you can end up with mixed content, I recommend a WordPress plug-in called Really Simple SSL.

As the plugin name implies, this makes configuring SSL (with HSTS) super easy and all from the GUI. It also scans your WordPress site for potential mixed content issues and brings them to your attention. My site had a couple of flagged issues that I fixed. The free version of the plug-in doesn’t configure/test HSTS for you, but their premium version does (and makes it 1-click easy).

However, it may still take a bit of configuration tweaking to fully enable HSTS. First, after you enable HSTS in the plugin, go to hstspreload.org and check your results. In my case, I had two errors. My site is currently error free, so I’m using aol.com as an example of what you may see.

First, ignore the “no HSTS header” error. It is most likely a side effect of the second (redirection) error and does not mean Really Simple SSL didn’t do its HSTS configuration. I use WP Engine as my provider, so I contacted their help desk and gave them a copy of the error. They did some back-end redirection magic and fixed the redirection issue in about 15 minutes. My redirection issue was slightly different from AOL’s, but caused the same red failure message. After your redirection issue is fixed, re-run the scan. In my case, it came back with a green screen showing everything is good. Next, you can submit your site for inclusion in the global HSTS preload list, which I also did. Browsers like Chrome and Firefox ship the preload list built in, so they enforce HTTPS for a listed site even on the very first visit.

And just to make sure my SSL is in top-notch shape, I went over to SSL Labs and ran a test. And yes, my site is now rated A+, which is exceptionally good. It even picks up the fact that I’m successfully using HSTS.
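To make the hstspreload.org checks concrete, here is a small offline checker I’ve added to this post (it is not part of Really Simple SSL or hstspreload.org). It applies the preload rules to a header value and to a redirect chain: max-age of at least one year, includeSubDomains and preload directives present, the plain-HTTP request redirecting straight to HTTPS on the same host, and every HTTPS response in the chain (including intermediate redirects) carrying the header. The example.com chains at the bottom are constructed sample data, not captured from a real site, and the first-redirect rule is what trips the “redirects to www first” error described above.

```python
"""Offline HSTS preload-eligibility checker (example code added to this post,
not the plugin's or hstspreload.org's own code).  The sample chains below are
constructed, not captured from a real site."""

from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the preload list requires max-age of at least one year
REDIRECT_STATUSES = (301, 302, 307, 308)


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive; a bare directive maps to None."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def check_hsts_value(header_value):
    """Return the list of preload problems with one header value ([] = OK)."""
    if header_value is None:
        return ["no Strict-Transport-Security header"]
    problems = []
    d = parse_hsts(header_value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(max_age) < ONE_YEAR:
        problems.append("max-age %s is below one year (%d)" % (max_age, ONE_YEAR))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def check_redirect_chain(hops):
    """hops: list of (url, status, hsts_header_or_None) in the order a client
    sees them, starting with the plain-HTTP request for the site.  Checks that
    the first hop redirects to HTTPS on the same host and that every HTTPS
    response (intermediate redirects included) carries a valid HSTS header."""
    if not hops:
        return ["no responses to check"]
    problems = []
    first_url, first_status, _ = hops[0]
    first = urlsplit(first_url)
    if first.scheme == "http":
        if first_status not in REDIRECT_STATUSES or len(hops) < 2:
            problems.append("HTTP request did not redirect")
        else:
            nxt = urlsplit(hops[1][0])
            if nxt.scheme != "https":
                problems.append("first redirect is not to HTTPS: " + hops[1][0])
            elif nxt.hostname != first.hostname:
                problems.append("first redirect changes host to %s; redirect to "
                                "https on the same host first" % nxt.hostname)
    for url, _status, hsts in hops:
        if urlsplit(url).scheme == "https":
            for p in check_hsts_value(hsts):
                problems.append("%s: %s" % (url, p))
    return problems


# Constructed sample chains (not real captures).
GOOD_CHAIN = [
    ("http://example.com/", 301, None),
    ("https://example.com/", 200, "max-age=31536000; includeSubDomains; preload"),
]
WWW_FIRST_CHAIN = [  # the classic preload failure: HTTP hops to www before HTTPS on the bare host
    ("http://example.com/", 301, None),
    ("https://www.example.com/", 200, "max-age=31536000; includeSubDomains; preload"),
]
WEAK_CHAIN = [  # intermediate HTTPS redirect without the header, final page with a short max-age
    ("http://example.com/", 301, None),
    ("https://example.com/", 301, None),
    ("https://example.com/blog/", 200, "max-age=300"),
]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("www-first", WWW_FIRST_CHAIN), ("weak", WEAK_CHAIN)):
        print(name, check_redirect_chain(chain) or "OK")
```

Feed it the hops you observe from your own site (curl -I on the HTTP and HTTPS URLs, following each Location header by hand) and it will name the same problems the hstspreload.org scan reports.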

And there you go! A simple, but not totally free, way to deploy and check HSTS on your WordPress site. Given the plug-in is just a few dollars, and helps fix up a variety of SSL issues besides HSTS, I think it’s money well spent.

Perl.exe 0xc0000142 Failure Solution

The other day I was trying to use Jeffrey’s “Metadata Wrangler” plugin for Lightroom. However, it was failing with a perl.exe 0xc0000142 error. I had just updated my computer to the Windows 10 Fall Creators Update (1709), so it crossed my mind that maybe that was the cause. I had also increased the security settings, but hadn’t experienced any issues thus far. After some digging, I found the issue with Perl and the solution.

In the Windows 10 Fall Creators Update, Microsoft has added new security options that were previously in Microsoft EMET. They call this Windows Defender Exploit Guard. You can find these new settings at: Windows Defender Security Center > App & Browser Control > Exploit protection. Typically everything is on by default except Mandatory ASLR. I had turned it on a few days ago, as I’m kind of a security nut.

Mandatory ASLR

I tried the failing perl.exe on another Windows 10 Fall Creators Update machine without mandatory ASLR enforced and it ran. Bingo! So I turned off mandatory ASLR, rebooted, and now perl.exe works fine. This solved the problem with Metadata Wrangler, and it now works as advertised. The Exploit Protection center does allow you to add specific program exceptions, as well. So you could add perl.exe and turn off mandatory ASLR for it alone, but leave it on for the rest of the system. I suspected I might run into other compatibility issues, so I just turned it off system wide.

VMworld 2017: What’s new in storage

Session: SER1317BU

Faster storage needs faster networks
-10/25/40 NICs are now the norm
-Protocol stack needs to be upgraded with new storage protocols
-Performance of all-flash arrays (AFA) depends on a low-latency network connection
-32Gbps FC is shipping, 64Gbps is coming

NVMe – A logical device interface to NVM devices
-PCIe is the physical interface and NVMe is the protocol
-up to 64K queues and 64K queue depth
-All major OSes support NVMe

NVMe over Fabrics (NVMe-oF)
-Allows a large number of NVMe drives to be pooled in external storage
-Aims for no more than 10 microseconds latency overhead compared to local NVMe

vSphere 6.5 Features
-VMFS 6.0
*metadata is 4K aligned
*supports 64-bit addressing
*NO in-place upgrade from VMFS 5.0. See KB 2147824

Automatic Unmap in 6.5
-Automatic unmap support when VM is deleted/migrated
-Space reclamation requests from a guest OS which supports UNMAP
-Only automatic unmap on arrays with UNMAP granularity LESS than 1MB
-Background impact is minimal: set to 25MB/sec max
-Future: Possibly throttle/accelerate UNMAP rate based on array load

High Capacity Drives in 6.5
-Support 512e drives
-Requires VMFS 6
-vSphere 6.0 supports physical mode RDMs mapped to 512e drives
-FAQ: KB2091600

New Scale Limits
-512 LUNs & 2048 paths
-If using 8 paths per LUN, you can now have 256 LUNs

NFS 4.1 Plug-in and strong crypto & HW acceleration support
-NFS 4.1 supported since 6.0
-HW acceleration (VAAI) now supported
-Stronger crypto with AES
-Supports IPv6
-Better security with NFS 4.1

Virtual NVMe in 6.5
-NVMe 1.0 device emulation
-Hot add/remove
-Multi-Q support – 16 queues with 4K depth

VMworld 2017: Advanced ESXi troubleshooting

Session: SER2965BU

Note: This session had a number of log examples and what to look for. Review the session slides for all the details. EXCELLENT session!

Goal: 7 log files, 7 ESXi commands, 7 config files for enhanced troubleshooting

7 Important Log Files

-Host abruptly rebooted – vmksummary.log
-Slow boot issues – /var/log/boot.gz. You can also enable serial logging (Shift + O at boot)
-ESXi not responding – hostd.log & hostd-probe.log
-VM issues – vmware.log
-Storage issues – vmkernel.log
-Network and storage issues – vobd.log
-HA issues – fdm.log (to read the host list: /opt/vmware/fdm/prettyprint.sh hostlist | less)

7 ESXi Commands
-Monitor & configure ESXi – esxcli
-VMkernel sysinfo shell command – vsish (e.g. get /bios; /hardwareinfo)
-Manage ESXi & VM config – vim-cmd
-VMFS volumes & virtual disks – vmkfstools
-Detailed memory stats – memstats
-network packet capture – pktcap-uw
-monitoring – esxtop

7 Configuration Files
-/etc/vmware/esx.conf – storage, networking, HW info
-/etc/vmware/hostd/vminventory.xml – VM inventory
-/etc/vmware/hostd/authorization.xml – vCenter to ESXi host connection
-/etc/vmware/vpxa/vpxa.cfg – vCenter and ESXi connectivity
-/etc/vmware/vmkiscsid/iscsi.conf – iSCSI configuration
-/etc/vmware/fdm – HA config
-/etc/vmware/license.cfg – license configuration

VMworld 2017: DR with VMware on AWS

Session: MMC2455BU, GS Khalsa

Legacy (physical) DR solutions are not adequate – Long RTOs, lots of surprises, unreliable
vSphere is an enabler for DR – consolidation, hardware independence, encapsulation (VM is a file)

Long distance DR solutions with async replication
-Active/passive
-Active/Active
-bi-directional failover
-Shared site recovery

Metro DR Solutions with sync replication
-Availability – Zero RPO/RTO
-Mobility – active/active datacenters
-Disaster avoidance

DR to the cloud with AWS
-Co-located DR costs are high
-DR to the cloud is less expensive

VMware Cloud on AWS
-Managed SDDC stack running on AWS
-Consistent operational model enables hybrid cloud
-Leverage cloud economics
-Goals of DR: Deliver as a service, build on VMware (SRM, vSphere replication, etc.)
-Working on flexible SRM pairing – Decouple on-site upgrade from VMC/AWS
-Loosening version dependencies across vCenter, SRM & vSphere Replication releases
-Working on major UI improvements – HTML5 and “clarity” UI standard
NEW: SRM Appliance based on Photon OS

GS then shows a number of video demos showing the full SRM configuration, setup, and failover process. Anyone familiar with SRM will be accustomed to the same workflow, but with a nice new coat of paint on the GUI.

VMworld: PowerCLI What’s New

Session: SER2529BU Alan Renouf

PowerCLI Overview
-623 cmdlets and counting
-PowerCLI is 10 years old
-Name change – VMware PowerCLI
-Move-VM now includes cross vCenter vMotion
-Automate everything with VSAN
-Independent disk management cmdlets – New-VDisk, Get-VDisk, Copy-VDisk, Move-VDisk
-VVOL replication cmdlets
-New Horizon View module
-SPBM cmdlets
-More inventory parameters
-DRS cluster groups and VM/host rule cmdlets

Install: install-module VMware.PowerCLI

Release Frequency
-Less features, but more often
-Less wait on bug fixes
-Focused on your input

PowerCLI 6.5.2
-New ‘InventoryLocation’ parameter – Move-VM, Import-VApp, New-VApp
-Mount a content library ISO with New-CDDrive
-Fixes and enhancements

Multiplatform Fling
-Photon OS, Mac OS, Linux, Docker

VMware Cloud on AWS?
-Works exactly the same as on-site vCenter

Endless Possibilities
-Content library – more cmdlets to come
-Parameter auto-complete
-vSphere REST API high-level cmdlets
-Powershell DSC (desired state config) – Chef, Puppet, Ansible, Saltstack
-New vSphere Client and Rest API support for Onyx (automated code generator)
-PowerCLI multiplatform 6.0

Community Projects
(FREE) OpBot – Connects vCenter to slack. Download: http://try.opvizor.com/opbot
(NEW!!) PowerCLI Feature request page: https://vmwa.re/powercli

VMworld 2017: Architecting Horizon 7 & Apps

Session: ADV1588BU

Note: This session had a multitude of complex architecture diagrams which I did not capture. See the session slide deck, after VMworld, for all the details.

-Why? – Business objectives/drivers
-How? – Meet requirements
-What? – Design and build
-Deliver – Build and integrate
-Validate – Met requirements?

Design Steps

  1. Business drivers & use case definition
  2. Services definition
  3. Architecture principles and concept
  4. Horizon 7 component design
  5. vSphere 6 design
  6. Physical environment design
  7. Services integration
  8. User experience design

Use a repeatable model when scaling up (diagram not captured).

Physical Environment Considerations
-AD
-GPO
-DHCP
-Licensing

Identity Management

Profiles and User Data
-Folder redirection
-Mandatory profile
-User environment manager

AppVolumes
-AppStack replication
-Single site or multiple site
-Use writeable volumes very sparingly

VMware Horizon Apps

The speaker goes over a highly detailed reference architecture with lots of complex slides, and also covers the Login VSI setup, both hardware and software.

VMworld 2017: vSphere 6.5 Upgrade Customer Perspective

Session: SER2508BU

Note: The session slides have a lot more details, KB links, etc., so grab the slides if you want more details.

High Level Plan
-Enablement
-Workshop
-Test Environment
-Design
-Migration

Enablement

-Product landing page and KBs
-Product documentation
-Whitepapers (e.g. What’s New)
-Check the readme for bugs/issues
-Check blogs (Emad Younis)
-Hands-on labs

Workshop

-Migration timeline
-Stakeholder involvement/support
-Scope for the deployment features
-Scope for the migration environment
-Ask: Greenfield or brownfield?

Test Environment (Lab)

-Learn new features
-Test/validate features
-Determine deployment considerations
-Document your design
-Physical, nested, or home lab options
-Test plan – PSC HA, vCenter HA, VM encryption, etc.
-Determine features to implement, feature configuration, runbook

Design

-Topology – PSC – embedded or external?
-Hardware – EVC mode, VMFS version, networking
-Document features – Predictive DRS, etc.
-Migration plan – The what, who and when (maintenance windows, etc.)
-Output: Design docs, run books, migration plan

Migration

-Use GSS – Basic, production, business critical, mission critical
-Consider VMware Professional services
-Output: Complete environment, updated design doc, updated run books, stakeholder sign-off

VMworld 2017: vSphere 6.5 Host Resources Deep Dive Pt. 2

Session: SER1872BU Frank Denneman, Niels Hagoort

Note: This was a highly technical session with lots of diagrams. Best bet is to get Frank and Niels’s book for all the details.

Compute Architecture: Shows a picture of a two-NUMA-node server. Prior to Skylake processors, two DIMMs per memory channel were optimal. Skylake processors increased the number of memory channels and have a maximum of 2 DIMMs per channel.

QPI memory performance: 75ns local latency, but 132ns latency to the other NUMA node

Quad channel local memory access: 76GB/s. Remote access will be noticeably slower.

vNUMA exposes the physical NUMA architecture to a VM. vNUMA ‘kicks in’ when a VM has more than 8 vCPUs and its core count exceeds that of a physical CPU package. ESXi will then evenly split the vCPUs across the two physical CPU packages.

If you use virtual sockets, mimic the physical CPU package layout as much as possible. This allows the guest OS to optimally manage memory and the cache.
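To restate the vNUMA rule and the virtual-socket advice in code, here is a small model I’ve added to these notes. It is not VMware’s scheduler: the 8-vCPU threshold, the package-size test and the even split come from the session, while the two-package default, the function names and the layout messages are my own assumptions, and the real NUMA scheduler has more inputs (the numa.vcpu.* advanced settings, for one) than this model.

```python
"""Toy model of the vNUMA sizing rule from the session notes (example code
added to the notes, not VMware's scheduler).  Assumptions: a host with
packages_per_host CPU packages (default 2), vNUMA exposed only when the VM
has more than 8 vCPUs AND more vCPUs than one package has cores."""

import math

VNUMA_VCPU_THRESHOLD = 8  # "more than 8 vCPUs", per the session


def vnuma_nodes(vcpus, cores_per_package, packages_per_host=2):
    """Number of virtual NUMA nodes the VM would see (1 means no vNUMA)."""
    if vcpus <= VNUMA_VCPU_THRESHOLD or vcpus <= cores_per_package:
        return 1
    # Spread over as many packages as the vCPUs need, never more than the host has.
    return min(packages_per_host, math.ceil(vcpus / cores_per_package))


def vcpus_per_node(vcpus, nodes):
    """Even split across nodes; any remainder lands on the first nodes."""
    base, extra = divmod(vcpus, nodes)
    return [base + (1 if i < extra else 0) for i in range(nodes)]


def socket_layout_advice(vcpus, virtual_sockets, cores_per_package, packages_per_host=2):
    """Check a 'virtual sockets x cores per socket' choice against the advice to
    mimic the physical package layout.  Returns (ok, message)."""
    if vcpus % virtual_sockets:
        return False, "%d vCPUs do not divide evenly into %d virtual sockets" % (vcpus, virtual_sockets)
    cores_per_virtual_socket = vcpus // virtual_sockets
    nodes = vnuma_nodes(vcpus, cores_per_package, packages_per_host)
    if cores_per_virtual_socket > cores_per_package:
        return False, ("%d cores per virtual socket exceeds the %d physical cores per package"
                       % (cores_per_virtual_socket, cores_per_package))
    if nodes > 1 and virtual_sockets != nodes:
        return False, ("VM spans %d NUMA nodes but presents %d virtual sockets; use %d sockets x %d cores"
                       % (nodes, virtual_sockets, nodes, vcpus // nodes))
    return True, "%d sockets x %d cores matches the physical layout" % (virtual_sockets, cores_per_virtual_socket)


if __name__ == "__main__":
    # Constructed example: 12-vCPU VM on a 2-socket host with 10 cores per package.
    for sockets in (1, 2, 12):
        print(sockets, "virtual socket(s):", socket_layout_advice(12, sockets, 10))
    print("vCPUs per vNUMA node:", vcpus_per_node(12, vnuma_nodes(12, 10)))
```

Run it with your own vCPU count and the host’s cores-per-package figure; the message tells you whether the socket layout you picked in the VM settings lines up with what the guest will actually see.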

“PreferHT” can be useful, see KB 2003582. This forces the NUMA scheduler to count hyperthreads as cores. Use this setting when a VM is more memory intensive vs. CPU intensive.

What if the vCPUs can fit in a socket, but VM memory cannot? numa.consolidate=FALSE can be useful.

One AHCI storage I/O needs 27K CPU cycles. If you want a VM to do 1M IOPS, you need 27GHz of CPU power.

One NVMe I/O needs 9.1K CPU cycles, which is vastly less than AHCI storage.

3D XPoint reaches its maximum I/O performance at a very low queue depth. This makes it quite useful as a caching tier in vSAN.

CPU Utilization vs. Latency

Is the workload latency sensitive? If not, tune the CPU for power savings. If so, tune for lowest latency. SAP HANA, for example, could benefit from low latency.

Interrupt coalescing is enabled by default on all modern NICs. This can increase packet latency. You can increase the ring buffers (see KB2039495), which can help with dropped packets.

Polling vs. interrupts

Poll-mode drivers (DPDK) can optimize network I/O performance.

Low CPU utilization = higher latency
Higher CPU utilization = lower latency

vSphere 6.5 has vRDMA, which can significantly boost network throughput.