Server Survival

Server Survival
hi!
@ﬁdeloper
serversforhackers.com

View Slide

Server Survival
Server Survival

View Slide

Goal:
(don’t memorize)
understand

View Slide

Programming Stuff Server Mechanics
Semi-Ridiculous Chart of
Learning Curves

View Slide

View Slide

annoying server things
security
supervision
network
permissions

View Slide

Security
enjoying your new server responsibly

View Slide

View Slide

Protection
Process
Compliance
Security “Levels”

View Slide

Protection

View Slide

access
network
basics

View Slide

don’t be root
don’t (only) use passwords
user security

View Slide

user & access
new user
new ssh key
$ sudo adduser fideloper
$ sudo usermod -a -G sudo fideloper
$ ssh-keygen -t rsa -b 4096

View Slide

$ ssh-keygen -t rsa -b 4096 \
-f id_whatever
$ ssh-copy-id -i ~/.ssh/id_whatever \
fideloper@
(added to ~/.ssh/authorized_keys file)
user & access

View Slide

/etc/ssh/sshd_conﬁg
Port 22 (or) 1234
PermitRootLogin no (or) without-password
PasswordAuthentication no
AllowGroups some-group
ssh access
($ sudo service ssh restart)

View Slide

ﬁrewall
network

View Slide

sudo iptables -L -v
ﬁrewall

View Slide

ﬁrewall
sudo iptables -A INPUT -i lo \
-j ACCEPT
sudo iptables -A INPUT -m conntrack \
—ctstate RELATED,ESTABLISHED -j ACCEPT

View Slide

ﬁrewall
sudo iptables -A INPUT -p tcp --dport 22 \
-j ACCEPT
-j ACCEPT
-j ACCEPT
sudo iptables -A INPUT -j DROP

View Slide

ﬁrewall

View Slide

ﬁrewall
drop v reject
default policy
$ iptables … -j REJECT
$ iptables \
--policy INPUT DROP

View Slide

(note: services)
$ cat /etc/services | grep http
http 80/tcp
https 443/tcp
http-alt 8080/tcp

View Slide

ﬁrewall
sudo apt-get install -y \
iptables-persistent
sudo service \
iptables-persistent save

View Slide

ﬁrewall
sudo iptables-save > rules.v4
cat rules.v4 | iptables-restore

View Slide

ﬁrewall
sudo ip6tables -L -v
sudo ip6tables-save > rules.v6
echo rules.v6 | ip6tables-restore

View Slide

$ sudo apt-get install -y \
fail2ban
fail2ban
1. monitors logs
2. bans IPs

View Slide

fail2ban

View Slide

auto upgrades
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::InstallOnShutdown "false";
Unattended-Upgrade::Automatic-Reboot "false";
$ sudo apt-get install -y \
unattended-upgrades
ﬁles: /etc/apt/apt.conf.d

View Slide

¡more!
There’s always more
SELinux / AppArmor
2FA for SSH
Securing “secrets” (.env)
Strong PW Enforcement
(But don’t freak out about it)

View Slide

Process

View Slide

policy
legit, send me
that password,
kthnx.
Hi!
I’m *totally*

View Slide

policy
Deﬁne what &
how you’re able to
send to people.

View Slide

policy
Deﬁne what happens
when people
leave.

View Slide

policy
Deﬁne what happens
when new people
come.

View Slide

policy
Decide on
“key rotation”
(and similar access changes)

View Slide

policy
policy + automation
= time
=

View Slide

auditing
aggregate logs ()

View Slide

View Slide

Compliance

View Slide

regulation
• HIPPA/HITECH (health)
• PCI (ecommerce/credit cards)
• FERPA (education)
• Many, many more

View Slide

regulation
• Audits
• Paper work
• And general security

View Slide

how far to go?
“what should I
care about?”

View Slide

supervision

View Slide

fid@host:~# sudo systemctl status ssh
systemctl status
systemctl start
systemctl stop
systemctl enable
systemctl disable
systemd

View Slide

fid@host:~# sudo service ssh status
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; \
vendor preset: enabled)
Active: active (running) since Fri 2016-07-22 19:46:40 EDT; 1h 27min ago
Main PID: 2493 (sshd)
CGroup: /system.slice/ssh.service
├─ 2493 /usr/sbin/sshd -D
├─14218 sshd: root [priv]
└─14219 sshd: root [net]
Jul 22 21:13:28 host sshd[14114]: Accepted password for root from 76.185.167.253
port 56786 ssh2
Jul 22 21:13:28 host sshd[14114]: pam_unix(sshd:session): session opened for user
root by (uid=0)
systemd

View Slide

systemd
[Unit]
Description=OpenBSD Secure Shell server
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
[Install]
WantedBy=multi-user.target
Alias=sshd.service /lib/systemd/system/ssh.service

View Slide

systemd
[Unit]
Description=Laravel Queue
[Service]
User=forge
Group=forge
Restart=on-failure
WorkingDirectory=/home/user/forge/mysite.com/current
ExecStart=/usr/bin/php artisan queue:work --daemon
[Install]
WantedBy=multi-user.target
/lib/systemd/system/laravel.service

View Slide

fid:~# sudo systemctl enable laravel
fid:~# sudo systemctl start laravel
fid:~# sudo systemctl status laravel
systemd

View Slide

supervisord
fid@spr:~# sudo apt-get install -y supervisor
fid@spr:~# sudo systemctl start supervisor

View Slide

supervisord
fid@spr:~# sudo systemctl status supervisor
● supervisor.service - Supervisor process control system for
UNIX
Loaded: loaded (/lib/systemd/system/supervisor.service;
disabled; vendor preset: enabled)
Active: active (running) since Tue 2016-07-26 17:13:54 EDT;
3s ago
Docs: http://supervisord.org
Main PID: 3712 (supervisord)
Tasks: 1
Memory: 11.1M
CPU: 216ms
CGroup: /system.slice/supervisor.service
!"3712 /usr/bin/python /usr/bin/supervisord -n -c /
etc/supervisor/supervisord.conf
Jul 26 17:13:54 spr systemd[1]: Started Supervisor process
control system for UNIX.

View Slide

[program:lara_queue]
command=php artisan queue:work --daemon
directory=/home/forge/app.com/current
autostart=true
autorestart=true
startretries=3
redirect_stderr=true
stdout_logfile=/home/forge/…/logs/queue.log
user=forge
numproc=4
supervisord
/etc/supervisor/conf.d/lara_q.conf

View Slide

forge: supervisord

View Slide

forge: supervisord
any old daemon

View Slide

Network

View Slide

ifconﬁg

View Slide

ifconﬁg
private network
f@db:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 04:01:31:20:63:01
inet addr:162.243.164.216 Bcast:162.243.164.255 Mask:255.255.255.0
inet6 addr: fe80::601:31ff:fe20:6301/64 Scope:Link
…
eth1 Link encap:Ethernet HWaddr 04:01:31:20:63:02
inet addr:10.136.11.155 Bcast:10.136.255.255 Mask:255.255.0.0
inet6 addr: fe80::601:31ff:fe20:6302/64 Scope:Link
…
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
…

View Slide

network binding
a tcp socket:
:
a unix socket:
unix://path/to/ﬁle.sock

View Slide

network binding
forge@site:~$ netstat -ap | grep http
tcp 0 0 *:http *:* LISTEN 3797/nginx: worker
tcp 0 0 *:https *:* LISTEN 3797/nginx: worker

View Slide

network binding

View Slide

network: mysql
unix socket

View Slide

tcp socket
network: mysql

View Slide

localhost != 127.0.0.1
(in mysql)
network: mysql

View Slide

network: mysql
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 10.136.11.155
f@db:~$ mysql -h localhost -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
f@db:~$ mysql -h 127.0.0.1 -u root -p
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on
'127.0.0.1' (111)
✅

View Slide

network: mysql
Enter password:
ERROR 1130 (HY000): Host '10.136.11.155' is not allowed
to connect to this MySQL server
f@db:~$ mysql -u root -p -e "create user root@'10.136.11.155'
identified by 'root';"
Enter password:
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
✅

View Slide

network
but normally it is

View Slide

1.Find networks (interfaces)
2.Learn about socket types
3.See examples of mysql
4.Future: Permissions in Forge
network
review

View Slide

Permissions

View Slide

who can do things
user - ﬁle/dir owner
group - ﬁle/dir group - shared
permissions!
other - anyone else

View Slide

what can they do
read - read file, list directory
write - write to file, add new file/dir
execute - execute command, cd into

View Slide

usr@hst:~$ chown -R www-data:www-data \
/var/www/example.com
usr@hst:~$ chmod -R u=rwx,g=rx,o=rx \
usr@hst:~$ chmod -R u=rwx,go=rx \
usr@hst:$ chmod ug+x,o-x \
/var/www/example.com/artisan
setting permissions

View Slide

d rwx r-x r-x
dir user group other
permissions

View Slide

- rwx r-x r-x
ﬁle user group other
permissions

View Slide

user@host:/var/www$ ls -lAh
total 4.0K
drwxrwxr-x 2 deploy www-data 4.0K Jul 10 21:43 example.com
example
d rwx rwx r-x
deploy : www-data

View Slide

usr@host:/var/www$ ps axf o pid,user,group,comm \
| grep -i '[n]ginx\|[p]hp'
4290 root root nginx
4291 www-data www-data \_ nginx
2887 root root php-fpm7.0
2889 www-data www-data \_ php-fpm7.0
2890 www-data www-data \_ php-fpm7.0
not just ﬁles

View Slide

user@host:/var/www$ ls -lAh
total 4.0K
drwxrwxr-x 2 deploy www-data 4.0K Jul 10 21:43 example.com
php + web ﬁles
file_put_contents(
'/var/www/example.com/new-file.txt',
'Here is a new line'
); // ✅

View Slide

remember
ﬁles owned by www-data
then
run php as www-data
$ sudo -u www-data php artisan foo:bar

View Slide

Just Works™

View Slide

web ﬁles
there’s no place like
forge@host:~/store.helpspot.com/current$ ls -lAh
drwxrwxr-x 15 forge forge app
-rwxrwxr-x 1 forge forge artisan
drwxrwxr-x 3 forge forge bootstrap
-rw-rw-r-- 1 forge forge composer.json
-rw-rw-r-- 1 forge forge composer.lock

View Slide

// File /etc/nginx/nginx.conf
user forge;
worker_processes auto;
pid /run/nginx.pid;
events { … }
http { … }
nginx

View Slide

// File /etc/php5/fpm/pool.d/www.conf
listen = /var/run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0666
user = forge
group = forge
-rw-rw-rw
php-fpm

View Slide

// File /etc/php5/fpm/pool.d/www.conf
listen = 127.0.0.1:9000
listen.owner = www-data
listen.group = www-data
listen.mode = 0666
user = forge
group = forge
php-fpm

View Slide

web ﬁles
there’s no place like
forge@host:~/store.helpspot.com/current$ ls -lAh
drwxrwxr-x 15 forge forge app
-rwxrwxr-x 1 forge forge artisan
drwxrwxr-x 3 forge forge bootstrap
-rw-rw-r-- 1 forge forge composer.json
-rw-rw-r-- 1 forge forge composer.lock

View Slide

There’s More!
ACLs

View Slide

ACL

View Slide

ACL
ACL Defaults

View Slide

$ sudo setfacl -Rm \
> g:www-data:rwx,d:g:www-data:rwx \
> /var/www/html
ACL

View Slide

ACL
Owned by root
Group www-data:rwx

View Slide

ACL
User-based!

View Slide

Server Survival
thanks!
@ﬁdeloper
serversforhackers.com

View Slide

pkg managers
1. searching
2. installing

View Slide

pkg managers
apt-get & apt
sudo apt-get update
sudo apt update
sudo apt-get install whatever
sudo apt install whatever

View Slide

pkg managers
search
sudo apt search mysql-server
ubuntu@host:~$ apt search mysql-server
mysql-server/trusty-updates,trusty-security 5.5.49-0…
mysql-server-5.5/trusty-updates,trusty-security
MySQL database server binaries and system database setup
mysql-server-5.6/trusty-updates,trusty-security
MySQL database server binaries and system database setup

View Slide

pkg managers
show
sudo apt show -a \
mysql-server-5.6
Package: mysql-server-5.6
Version: 5.6.30-0ubuntu0.14.04.1
Package: mysql-server-5.6
Version: 5.6.16-1~exp1

View Slide

pkg managers
policy
sudo apt-cache policy \
mysql-server-5.6
mysql-server-5.6:
Installed: (none)
Candidate: 5.6.30-0ubuntu0.14.04.1
Version table:
5.6.30-0ubuntu0.14.04.1 0
500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/
trusty-updates/universe amd64 Packages
500 http://security.ubuntu.com/ubuntu/
trusty-security/universe amd64 Packages
5.6.16-1~exp1 0
500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/
trusty/universe amd64 Packages

View Slide

pkg managers
package=version
sudo apt-get install \
mysql-server-5.6=5.6.16-1~exp1

View Slide

pkg managers
repositories
sudo add-apt-repository \
ppa:ondrej/php

View Slide

pkg managers
ubuntu@host: /etc/apt/sources.list.d $ ls -lah
-rw-r--r-- 1 root root ondrej-ubuntu-php-xenial.list
ubuntu@host: /etc/apt/sources.list.d $ cat \
ondrej-ubuntu-php-xenial.list
deb http://ppa.launchpad.net/ondrej/php/ubuntu xenial main
# deb-src http://ppa.launchpad.net/ondrej/php/ubuntu xenial main
repositories

View Slide

pkg managers
ubuntu@host: ~ sudo apt-key adv --recv-keys --keyserver \
hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
ubuntu@host: ~ echo 'deb http://ftp.utexas.edu/mariadb/
repo/10.1/ubuntu xenial main' \
| sudo tee /etc/apt/sources.list.d/mariadb.list
manual install

View Slide

pkg managers
ubuntu@host: /etc/apt $ vim sources.list
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial main restricted
deb-src http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial main restricted
# # Major bug fix updates produced after the final release of the
# # distribution.
deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial-updates main restricted
deb-src http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial-updates main \
restricted
# # N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
# # team. Also, please note that software in universe WILL NOT receive any
# # review or updates from the Ubuntu security team.
deb http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial universe
deb-src http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ xenial universe
included repositories

View Slide

pkg managers
repositories

View Slide

–@ﬁdeloper
“Am I done now?”

View Slide

DNS & Domains

View Slide

DNS: ¯\_(ツ)_/¯
~~ just *TRY* ~~
to coherently explain
controlling domains
to the average [non-tech-client-whoever]
challenge:

View Slide

¯\_(ツ)_/¯
(we’ll ignore the seedy
secondary market of
domain-squatting asshats)

View Slide

you bought a domain
DNS

View Slide

…but you control it somewhere else
DNS

View Slide

DNS
“somewhere else” points [sub]domains…
somewhere else…

View Slide

this slide intentionally left blank

View Slide

dig

View Slide

dig
mx records

View Slide

nslookup
mx records again

View Slide

Domains + Web Server

View Slide

set host header

View Slide

default_server

View Slide

(set host header again)

View Slide

meanwhile, ﬁdeloper.com

View Slide

Logs

View Slide

/var/log/*

View Slide

wtf, Vagrant?
less
terrible.

View Slide

fideloper@host  ~  vagrant box
Usage: vagrant box []
Available subcommands:
add
list
outdated
remove
repackage
update
boxes (servers)

View Slide

where’s my stuff?
~/.vagrant.d/boxes
~/.vagrant.d/tmp
C:/Users/[USER]/.vagrant.d/boxes
C:/Users/[USER]/.vagrant.d/tmp

View Slide

• ssh by default
• can add your own (but we’ll do better)
port forwarding
SSH Default

View Slide

port forwarding
$ vagrant ssh-config
Just like ~/.ssh/config

View Slide

port forwarding
$ ssh \
> -i /Users/fideloper/…/virtualbox/private_key \
> -p 2222 \
> vagrant@localhost

View Slide

port forwarding

View Slide

port forwarding
(aside: It’s common to forward to port 80)
config.vm.network "forwarded_port", guest: 80, host: 8000
$> curl -I localhost:8000
HTTP/1.1 302 Found
Server: nginx/1.9.9
Content-Type: text/html; charset=UTF-8
Date: Sat, 02 Jul 2016 17:57:49 GMT
Location: http://localhost:8000/login

View Slide

port forwarding
But, two boxes can’t forward to same port!
config.vm.network "forwarded_port", guest: 80, host: 8888 ✅
ﬁrst box:
second box:

View Slide

sequel pro
2.5 Ways to
Connect to MySQL
(without *any* MySQL conﬁguration)

View Slide

sequel pro
1 - Port Forward

View Slide

sequel pro

View Slide

sequel pro
2 - SSH Tunnel
$> ssh -p 2222 \
-i /Users/fideloper/…/virtualbox/private_key \
-L 3306:localhost:3306 vagrant@localhost

View Slide

sequel pro

View Slide

sequel pro
2.5 - SSH Tunnel

View Slide

• 1. Port forwarding (homestead way - easy)
• 2. Manual SSH tunnel
• 3. Sequel Pro SSH Tunnel

View Slide

sequel pro
Remember the SSH Tunnel!
You can use it in production to view a database.

View Slide

file sharing
config.vm.synced_folder “~/Sites", "/home/vagrant/Sites"
default file share
slow with a large # files

View Slide

file sharing
config.vm.synced_folder “~/Sites", "/home/vagrant/Sites",
id: "core",
:nfs => true,
:mount_options => [‘nolock,vers=3,udp,noatime,actimeo=2,fsc']
network file share
handles large # files better

View Slide

ﬁle sharing
where to run build steps?
(especially ones that watch ﬁles)

View Slide

ﬁle sharing
(I’ve actually used Docker for this instead)
docker run --rm \
-v ~/Sites/some-project:/opt \
some_node_img:latest \
gulp watch

View Slide

adding projects
How I made adding a new project painless
(and stopped editing /etc/hosts)

View Slide

adding projects
An annoying process:

View Slide

adding projects
1. Share More Files:
config.vm.synced_folder "~/Sites/a", "/var/www/a"
config.vm.synced_folder "~/Sites/b", “/var/www/b"

View Slide

adding projects
2. Create another server conﬁg
vagrant@vagrant:/etc/nginx/sites-available$ sudo cp \
laravel-a laravel-b
vagrant@vagrant:/etc/nginx/sites-available$ sudo vim \
laravel-b
server {
listen 80;
server_name laravel-b.dev;
…

View Slide

adding projects
3. Edit /etc/hosts:
1 ##
2 # Host Database
3 #
4 # localhost is used to configure the loopback interface
5 # when the system is booting. Do not change this entry.
6 ##
7 127.0.0.1 localhost
8 255.255.255.255 broadcasthost
9 ::1 localhost
10
11 192.168.33.10 laravel-a.dev laravel-b.dev

View Slide

adding projects
A better way:

View Slide

adding projects
1. One File Share
config.vm.synced_folder "~/Sites", "/home/vagrant/Sites"

View Slide

adding projects
2. Install DNSMasq
brew install dnsmasq
cd $(brew —prefix) # /usr/local
echo 'address=/.dev/192.168.33.10' > etc/dnsmasq.conf
sudo cp -v $(brew --prefix dnsmasq) \
homebrew.mxcl.dnsmasq.plist /Library/LaunchDaemons
sudo launchctl load -w /Library/LaunchDaemons/ \
homebrew.mxcl.dnsmasq.plist
sudo mkdir -p /etc/resolver
echo "nameserver 127.0.0.1" | sudo tee /etc/resolver/dev

View Slide

adding projects
2. DNSMasq continued
fideloper@Christophers-iMac  ~  dig whatever-i-want.dev \
@127.0.0.1
;; QUESTION SECTION:
;whatever-i-want.dev. IN A
;; ANSWER SECTION:
whatever-i-want.dev. 0 IN A 192.168.33.10

View Slide

adding projects
3. Magic Nginx Conﬁg
server {
listen 80;
server_name ~^(.*)\.dev$;
set $file_path $1;
root /home/vagrant/Sites/$file_path/public;
index index.html index.htm index.php;
# And so on …

View Slide

adding projects
cd ~/Sites
mkdir -p ~/mysite/public
echo “ mysite/public/index.php

View Slide

[Bonus] Databases
• User/Network Security
• SSH Tunnel
• mysqldump / xtrabackup

View Slide

[Bonus] Vagrant
• Port forwarding
• Conﬁguration
• My Homestead conﬁg
• NFS cache

View Slide

[Bonus] Philosophy
• Be ready to throw out a server (Ansible)
• Docker is not your ﬁrst answer without ops people

View Slide

Server Survival

Server Survival

Chris Fidao

More Decks by Chris Fidao

Other Decks in Technology

Featured

Transcript