Two months ago, Unihost moved all KVM VPS to SSD. The old HDD-based structure was outdated and didn’t fit the demands of our clients. The results were quite good: VPS became much faster and our users supported the initiative.
Now, our OpenVZ VPS line-up is about to make the same leap. So we decided to do a little postmortem on our KVM VPS transfer.
Reason to act
Both Unihost and our clients liked our old KVM VPS line-up on HDD. The hardware wasn’t new, but it worked reliably and offered a lot of storage. And if someone wanted a faster server, we could always point to our dedicated line-up.
And then we went worldwide. It turned out that KVM VPS on HDD is literally past-gen. At least two years ago, VPS on SSD became the one true king of the market due to their sheer speed.
As we looked at the situation, we found more problems. Ever since we started supporting international payment systems, we’ve had an avalanche of financial fraud and online criminals who wanted to host fraudulent and malicious websites on our servers, build botnets and distribute spam.
To deal with this, we had to disable instant VPS activation. It was replaced by a complicated verification procedure that included a detailed ID check, a phone call and other similarly paranoid measures.
This saved us from the online criminals, but the verification took its toll on our legitimate clients too. Since our VPS structure was already outdated, we had a perfect chance to upgrade all of it at once.
We held a meeting, brainstormed ideas and tried some fashionable problem-solving methods. As a result, we had a list of tasks:
- Create a competitive, modern VPS solution;
- Make the transfer for current clients as painless as possible;
- Improve VPS-related verification;
- Improve safety on the VPS;
- Solve issues with IP blocking due to spam and other abuses.
Introducing the new structure
We decided to start by replacing the servers for the VPS. We already had some ideas and proposals for it, so we quickly found a solution that everyone liked.
Component | Old servers | New servers |
CPU | Xeon® E3-1231 v3 | 2x Xeon® E5-2630v3 |
RAM | 32 GB DDR3 1600 MHz | 128GB DDR4 ECC 2133 MHz |
Storage | SATA 6 Gb/s Hitachi HDD in RAID 1 | 4x800GB Samsung SSD in MegaRaid |
If this doesn’t tell you anything, just know that everything became a lot faster:
- Quad-core CPUs were replaced by a pair of more modern octa-core CPUs;
- The amount of RAM quadrupled;
- HDDs were replaced by faster SSD storage units.
Here’s a comparison between our old smallest plan, KVM-384, and our current smallest plan, KVM-1.
SPECS | ||
Type | KVM-384 | KVM-1 |
CPU | 1×3.4 GHz | 2×2.4 GHz |
RAM | 768 MB DDR3 | 1500 MB DDR4 ECC |
Storage | 30 GB HDD | 15 GB SSD |
CPU TEST (the more, the better) | ||
Type | KVM-384 | KVM-1 |
Dhrystone 2 using register variables | 3681,5 | 6501,6 |
Double-Precision Whetstone | 700,1 | 1690,2 |
Execl Throughput | 1326,5 | 2203,4 |
Pipe Throughput | 2561,2 | 4191,4 |
Pipe-based Context Switching | 913,2 | 1538,3 |
Process Creation | 1082,2 | 1932,2 |
Shell Scripts (1 concurrent) | 2432,5 | 4649,4 |
Shell Scripts (8 concurrent) | 2250,6 | 4335,2 |
System Benchmarks Index Score | 2076,9 | 2895,4 |
STORAGE TEST | ||
Type | KVM-384 | KVM-1 |
3221225472 bytes written, in seconds: | 50,91 | 6,94 |
Writing speed: | 60,34 MiB/sec | 442,72 MiB/sec |
Reads, #/s: | 170,15 | 5630,07 |
Writes, #/s: | 113,43 | 3753,05 |
Fsyncs, #/s: | 357,51 | 12005,27 |
8,6 GB copied, in seconds | 144,183 | 11,9649 |
Copying speed | 59,6 Mb/s | 718 Mb/s |
WORDPRESS TEST | ||
Type | KVM-384 | KVM-1 |
Page loading speed, ms | 1810 | 903,7 |
Requests per minute | 1492 | 6331 |
Reading speed, MB/s | 80,14 | 337,23 |
Result
- Performance nearly doubled, websites started to load 2 times faster, while drive performance increased at least tenfold.
- The VPS price increased by a factor of 1.5, but it now includes an ISPmanager Lite 5 control panel, which is usually priced at $4/month.
Simplifying the verification
We couldn’t just cancel the verification completely: it would bring too many chargebacks, as well as attempts to use our services in an unlawful manner. Neither could we continue with our complicated verification procedure: a lot of legitimate users need their VPS ASAP, while the verification takes quite a while.
At the end of the day, we compromised. Instant VPS activation made a comeback, but now each user also needs to complete verification within three days. Verification is standard: a scan or a photo of the ID, as well as a PayPal screenshot or a photo of the credit card. We can also expedite the verification via a phone call if necessary.
Of course, verification is necessary only for the new clients.
Result
- VPS are available the moment the payment has been completed;
- The number of fraudulent and malicious users is steadily dropping;
- Verification still takes quite a lot of time. But now it is at least somewhat alleviated.
Stopping the spam
Spam, to put it simply, is unsolicited mail. It is also the bane of any hosting provider, due to the sheer number of people who try to send it.
The thing is, IPs that send spam get blacklisted by the email providers. This means that all the messages they send, even the completely normal ones, automatically go to the Spam folder. And this means that those IPs can never be used again.
We could have simply locked down port 25 on our servers and unlocked it only after verification.
We could have installed traffic filters that block bulk outgoing mail (bulk as in volume, not content).
But at the end of the day, we decided to build our own solution.
Solution
By default, e-mail is sent via port 25. That’s the port the filters at our datacenter are pointed at. But our VPS send all mail via port 2525 to the relay server.
This is our eFa server. eFa stands for email filtering application; it automatically sorts mail, blacklists spam and sends the remaining messages to their recipients via port 25. The application is self-learning, which means that it becomes better at its job every day.
Result
- Users do not have to change any settings;
- Criminals can no longer send spam from hacked servers;
- Spam is securely locked down all across the board;
- Users can no longer send mail from several dedicated IPs. To do this, they need a dedicated server.
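With every VPS sending through one relay, the relay's log also shows which VPS is behind a burst of outgoing mail. A volume check over such a log, as an added example that is not part of eFa or of Unihost's setup: it assumes Postfix-style smtpd log lines, and the threshold, window and sample addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shape (Postfix smtpd "client=" line); not taken from the article.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
                  r"\w+: client=\S*\[([0-9a-fA-F.:]+)\]")


def bursts(lines, limit=100, window=timedelta(minutes=10), year=2000):
    """Return {client_ip: peak messages in any sliding window} above limit.

    Lines must be in time order. Syslog timestamps carry no year, so one is
    supplied only to make them parseable.
    """
    recent = defaultdict(list)  # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an accepted-message line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - window:
            q.pop(0)  # drop entries that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > limit}


def sample_log():
    """Constructed log: one VPS sends 3 messages, another 150 in five minutes."""
    t0 = datetime(2000, 3, 3, 10, 0, 0)
    fmt = "{:%b %d %H:%M:%S} relay postfix/smtpd[2101]: {:08X}: client=unknown[{}]"
    quiet = [fmt.format(t0 + timedelta(minutes=20 * i), i, "192.0.2.10")
             for i in range(3)]
    noisy = [fmt.format(t0 + timedelta(seconds=2 * i), 4096 + i, "192.0.2.77")
             for i in range(150)]
    return sorted(quiet + noisy)  # equal-width timestamps sort chronologically


if __name__ == "__main__":
    for ip, n in bursts(sample_log()).items():
        print(f"{ip}: {n} messages within 10 minutes")
```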
Automating the antivirus
Websites can be hacked in different ways. The end result depends on the goal the hacker had in mind.
Losing control over the website or even its complete termination is relatively tame. The website will be restored from the backup, which at Unihost is updated daily, and will go on.
But if the hacker was stealthy and simply added something to the website’s code base, things can get messy. The owner won’t even know that the website has been hacked, while their server will be participating in DDoS attacks, hosting phishing pages and sending spam. And the owner will get an abuse complaint from the provider and be stripped of the server.
In order to prevent this, we decided to implement an automatic antivirus scan.
Every two days, our script creates copies of the volumes from our clients’ VPS and mounts them on a dedicated server. The server scans the volumes and, once it finds a virus, sends an e-mail to the website owner. At the same time, an e-mail is sent to our admins so they can check whether the virus has been deleted.
Our company’s policy prevents us from interfering with our clients’ code, so we cannot remove the virus automatically. Our client has to do it on their own, by using our Knowledge Base or by leaving a request under the administration package.
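One way to structure the scan pass described above, as an added example rather than Unihost's own script. It assumes LVM volumes with the filesystem directly on the logical volume and ClamAV's clamscan as the scanner; volume names, snapshot size and mount point are hypothetical. The snapshot is mounted read-only with noexec, nosuid and nodev, cleanup runs even when a step fails, and the returned findings are what the e-mails to the owner and the admins would list.

```python
import subprocess

# Assumptions, not from the article: LVM volumes with the filesystem directly
# on the LV, ClamAV's clamscan as scanner, hypothetical names and sizes.
MOUNT_OPTS = "ro,noexec,nosuid,nodev"  # treat customer data as hostile input


def run(cmd):
    """Default runner: execute a command, return (exit code, stdout)."""
    p = subprocess.run(cmd, capture_output=True, text=True)
    return p.returncode, p.stdout


def parse_findings(output, mnt):
    """Turn 'path: Signature FOUND' lines into (guest path, signature) pairs."""
    hits = []
    for line in output.splitlines():
        if not line.endswith(" FOUND"):
            continue  # warnings and errors are not detections
        path, sig = line[: -len(" FOUND")].rsplit(": ", 1)
        hits.append(("/" + path[len(mnt):].lstrip("/"), sig))
    return hits


def scan_volume(vg, lv, mnt, runner=run):
    """Snapshot one VPS volume, scan it read-only, always clean up."""
    snap = f"{lv}-avscan"
    steps = [
        (["lvcreate", "--snapshot", "--size", "2G", "--name", snap, f"{vg}/{lv}"],
         ["lvremove", "--force", f"{vg}/{snap}"]),
        (["mount", "-o", MOUNT_OPTS, f"/dev/{vg}/{snap}", mnt], ["umount", mnt]),
    ]
    undo = []  # cleanup for the steps that succeeded, newest first
    try:
        for cmd, cleanup in steps:
            if runner(cmd)[0] != 0:
                raise RuntimeError(f"step failed: {cmd[0]}")
            undo.insert(0, cleanup)
        # clamscan exits 0 when clean, 1 when it found something, 2 on error
        code, out = runner(["clamscan", "--recursive", "--infected",
                            "--no-summary", mnt])
        if code not in (0, 1):
            raise RuntimeError("scanner error")
        return parse_findings(out, mnt)
    finally:
        for cleanup in undo:
            runner(cleanup)
```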
Result
- Now we are preventing the virus attacks instead of dealing with their consequences.
Transferring the clients to the new VPS
It’s easy to launch the new VPS line-up. It’s much more difficult to transfer the current VPS’ to the new structure.
We decided to make the transfer as smooth as possible. The new structure will be supported for two more months. During this time, our clients will decide if they want to use our new SSD-based VPS or if they want to transfer to a dedicated server.
Originally, we were worried that the new VPS wouldn’t have enough storage for the old clients’ data. But it turned out that literally no one had their storage 100% full.
So our marketing department prepared the letters and started sending them out.
Result
- New servers are filling up with VPS’ — both transferred and new ones;
- Verification process works well;
- eFa successfully learns to combat even the most devious spam;
- Virus attacks are prevented at the early stages.
As you can see, we’ve reached all the goals!
The next few months will be very interesting — we plan to update the hosting structure and make our website more convenient, beautiful and modern. Keep an eye on our blog updates to learn more about it!