Essentials

Bitbucket (Free)

I like GitHub. I use it to host my public repositories and I like what it has done for both Git (making it the de facto version control system) and the open source movement (made it easy for people across the world to collaborate on open source projects for free). But as a lone developer who currently manages 41 (and counting) private repos. across two accounts, it would cost me $100 per month to host them on GitHub.

BitBucket, on the other hand, since it added support for Git, does everything that GitHub does, but charges according  to number of users on each repo., and seeing as each repo gets 5 (or up to 8 if you refer people) users for free, I’d be throwing my money away if I didn’t use them.

Dropbox (Free)

At the time of writing my Dropbox account has 23 GBs of free storage, of which I’m using just under 80%. This is quite a bit more than the 2 GBs of free storage you start with, but if you know how, it’s quite possible to get this much (if not more) with relative ease.

Google Apps (Free)

Google Apps is a great way of having a Gmail account on your own domain name. Sure, it’s possible (via a series of email forwards, aliases, additional reply to settings, et al) to sort of do this with a regular Gmail account, but Google Apps is much more fluid, and provided you don’t set-up more than 10 mailboxes on your domain, it’s totally free. (I plan on writing a full review of Google Apps at some point in the future, so watch this space).

Basecamp (Budget package @ $20/month)

Since it’s recent rebuild, Basecamp has gone from strength to strength. I used to use Asana for my project management needs, which is free for up to 30 collaborative members, but Basecamp, which allows me unlimited collaborative members across ten active (and unlimited inactive) projects, just works better.

BE Broadband (Pro @ £28.89/month)

I think this is a very reasonable rate for what I get: 14 meg download speed, a static IP, unlimited downloads, and telephone line rental. I’m tempted to go for a fibre optic connection in my next flat, but I’m happy with this for now.

Hetzner (X2 Dedicated Server @ €29.00/month)

Up until around a year ago I was more than happy using JustHost. I had a 50% off discount code (50OFF), and paid two years in advance, meaning that hosting all my websites cost me less than £2 per month – but this was holding back my development. Since setting up my dedicated server (a local development server with the same set-up) I’ve learnt a lot about server management, Bash, Git, Apache, BIND, Samba, and so much more (even if I did get hacked in the process).

Backup script (Free)

Using a slightly modified version of a script created by Gina Trapani, both of my servers automatically create a backup, which is saved to my Dropbox account, at midnight every day. I mention this only as Chris pays $40 a month per site for for a backup solution called VaultPress.

GIT-FTP (Free)

In a similar vein to the backup script above, whereas Chris spends $15 a month to use Beanstalk to deploy his Git-based projects, on projects where I don’t have SSH access to the server, I use a simple Bash script written by René Moser.

Font Squirrel (Free)

If you’re looking for a custom font to use on a website you can’t go far wrong looking for it on Font Squirrel. Not only do they have over 800 (and counting) font families available, each of which is 100% free for commercial use, but they also provide all the tools you need to make them work. Move over Typekit, Font Squirrel got it covered.

Optional

Orange (Panther 26 @  £32.35/month)

Although not strictly needed for my job, my Android-powered mobile phone lets me keep connected on the move.

Conclusion

Unlike my previous post – which said that even though I was paid a fraction of his start-up costs, I still had all the same abilities as him – this post tells a slightly different story.

Like my previous post, I’ve listed various free alternatives to services that Chris pays for, but on a number of occasions, while the free alternative is OK, you get more for your money with Chris’s option.

For example, I’ve got 23 GBs of free storage on Dropbox, but it has cost me time and effort to amass that amount, which I did by testing beta editions of the software, linking my university account and around four years of referrals.

Also quite telling is what I don’t have on my list, such as the lack of CDN services – although It could be argued that none of my sites need it (I get nowhere near the levels of traffic that Chris gets) – or accounts/invoicing – I don’t have enough freelance clients to make this a necessity currently.

Anyway, all in all, just under £100 is leaving my account each month. Hopefully I’ll be able to get some more freelance clients in the near future, and this amount can go up as I pay for more services, but in the meantime, I think this is pretty reasonable.

It would appear, however, that whoever it was that hacked into my server and turned it into a spam-sending machine, had other ideas.

(This post is a bit long and rambling, so feel free to skip to the end if I start to bore you.)

A bit of background

This time last year, if you had asked me about running my own Web server, I would have told you that I had no interest in it. I was perfectly happy with the cPanel based shared hosting that I was been using, and didn’t see the need for anything else.

This all changed during my time at Propeller Communications, where I was introduced to version control. My first taste of a version control system was Mercurial, and while my own experience of it was rarely bad, and the bundled TortoiseHG was a joy to use, it didn’t take long for me to realise that the de-facto industry standard was Git (thanks, mainly to GitHub), so upon leaving Propeller, I made the switch.

The list of benefits afforded to users of version control is long, but the one benefit that really caught my attention was the ability to push changes I had made on my local machine directly to the server. No longer did I have to use FTP to upload the correct files to the correct place, while remembering to removing files that weren’t needed any more. I simply had to run one command, and everything was taken care of for me.

But, in order to reap the benefits of Git, I needed my sites to be hosted somewhere that supported Git – and to date I’ve yet to find a shared host that does. So it was time to say goodbye to cPanel, and say hello to SSH.

First tentative steps

Prior to setting up my live server, the one the hackers took a fancy to, I had built two local development servers.

The first, which was as much an experiment as anything else, was in built out of an old PC in the office at Ghost Design. The process involved booting off the Ubuntu Server (10.11) CD, selecting all the options I wanted (LAMP, DNS, SSH, etc..), then, after watching the progress bar complete, I installed Webmin to help manage it. This, I felt, went quite well, and allowed me to gain more confidence using the Linux command line.

The second, which I use as a development server in my flat, was built out of a PC that I had been using as a Windows-based media server. The install of Debian 6 was a much more involved process because I had decided to install all the software I wanted manually. I also avoided installing Webmin, as I wanted to learn how do things properly.

The success of these two servers had filled me with confidence, and so on the 8th December 2011, with a small loan from my mum, I ordered a dedicated server from Hetzner. Because a development server should be as close to that of the production server as possible, I went for Debian 6 again, and for the most part, followed the same instructions as I had for my home server.

Skip to the end

On the 30th January I received an email from Hetzner stating that an ISP had reported my server for sending spam. I forwarded this email to Phil, who suggested that an incorrectly configured mail server might be at fault. After removing EXIM, I thought that would be the end of it, but three days later I received another abuse report.

A full week later I was still receiving abuse reports, and crying out to Phil for help. I have no idea how he managed it (via the use of the occult no doubt), but he tracked down the culprit: a whole bunch of unexpected files located in three of the sites/vhosts I was hosting.

Two of the sites were based on WordPress. I vaguely understand how the open source nature of WordPress, combined with an out of date install and some lax permissions, could allow someone to search the source code for exploits, then search the Web for an exploitable server. But the third was a static HTML site, meaning whoever had done this had been able to get access to it from one of the other two sites, meaning, potentially, the entire server was compromised.

To stop the immediate issue of spam being sent, I had to turn the server off, and following Sheepy‘s advice, I’m going to “Nuke it from a great distance and start again”.

Prevention is better than cure

So what can I do differently to prevent this from happening again? I think my main issue was that of permissions. You can afford a level of flexibility, and a more relaxed attitude to permissions on a development server, because, for the most part, it isn’t accessible to the outside world. For obvious reasons, the same isn’t true of a production server.

I’m also going to make sure that any software I use on the server is kept up to date, thereby increasing the chance of exploits being fixed.

Anyway, I’m going to reinstall the server soon, and I’m still hoping to write the server newbie post, so watch this space.