Slide 1

Slide 1 text

Server Administration … For Web Developers

Slide 2

Slide 2 text

The truth is… I am just an idiot who Jess found on the Internet…

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

Ubuntu CentOS Fedora Red Hat Debian

Slide 5

Slide 5 text

Ubuntu Debian CentOS Fedora Red Hat

Slide 6

Slide 6 text

Things that annoy developers…
• Security
• Permissions
• ACL
• Process Monitoring
• Log Management

Slide 7

Slide 7 text

USER ACCESS • FIREWALL • FAIL2BAN • SECURITY UPGRADES

Slide 8

Slide 8 text

USER ACCESS • FIREWALL • FAIL2BAN • SECURITY UPGRADES

Slide 9

Slide 9 text

$ sudo adduser viraj

Slide 10

Slide 10 text

$ sudo usermod -a -G sudo viraj
• usermod - Command to modify an existing user
• -a - Append the group (keeps the user's existing group memberships; without -a, -G replaces them)
• -G sudo - Assign the group “sudo” as a secondary group
• viraj - The user to assign the group to

Slide 11

Slide 11 text

$ ssh-keygen -t rsa -b 4096 -f id_peers
• -t rsa - Create an RSA type key pair.
• -b 4096 - Use a 4096-bit key.
• -f id_peers - The name of the SSH identity files created. The two files would be id_peers (private key) and id_peers.pub (public key).

Slide 12

Slide 12 text

Restrict Access
/etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
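As an added example (not part of the deck), a small audit script for the two directives above. It assumes standard sshd_config syntax, where the first occurrence of a keyword wins and `Match` blocks come last; the sample configs it writes are constructed.

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config for the two "Restrict Access" directives
# on the slide. sshd applies the FIRST occurrence of a keyword, ignores comment
# and blank lines, and matches keywords case-insensitively; this mirrors that.
# Exit status 0 when both directives are hardened, 1 otherwise.

# effective_value FILE KEYWORD -> prints the first active value, or "" if unset
effective_value() {
    local file="$1" key="$2"
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match" { exit }                 # Match blocks are conditional, stop here
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins in sshd
    ' "$file"
}

audit_sshd_config() {
    local file="$1" rc=0 val
    val=$(effective_value "$file" PermitRootLogin)
    # Unset is NOT "no": modern OpenSSH defaults to prohibit-password and older
    # releases defaulted to yes, so an absent directive is reported as a finding.
    if [ "$val" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${val:-<unset>}' (want: no)"; rc=1
    fi
    val=$(effective_value "$file" PasswordAuthentication)
    if [ "$val" = "no" ]; then
        echo "OK   PasswordAuthentication no"
    else
        echo "FAIL PasswordAuthentication is '${val:-<unset, default yes>}' (want: no)"; rc=1
    fi
    return "$rc"
}

# write_samples HARDENED_FILE WEAK_FILE: constructed sample configs, not a real server's
write_samples() {
    printf '%s\n' '# hardened host' 'PermitRootLogin no' 'PasswordAuthentication no' > "$1"
    printf '%s\n' '#PermitRootLogin no' 'PasswordAuthentication yes' \
                  'PasswordAuthentication no' > "$2"
}

# Stand-alone use: ./audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then audit_sshd_config "$1"; fi
```

The weak sample shows the two classic mistakes: a directive that is only present as a comment, and a later "no" that never takes effect because an earlier "yes" is read first.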

Slide 13

Slide 13 text

MySQL Security
CREATE DATABASE my_app DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

CREATE TABLE `users` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `email` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `users_email_unique` (`email`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

Slide 14

Slide 14 text

MySQL Security
CREATE USER 'my_user'@'%' IDENTIFIED BY 'some_secure_password';

Slide 15

Slide 15 text

MySQL Security
CREATE USER 'my_user'@'%' IDENTIFIED BY 'some_secure_password';
GRANT ALL PRIVILEGES ON my_app.* TO 'my_user'@'%';

Slide 16

Slide 16 text

MySQL Security
# Hostname
CREATE USER 'my_user'@'peersconf.com' IDENTIFIED BY 'some_secure_password';

Slide 17

Slide 17 text

MySQL Security
# Hostname with wildcard
CREATE USER 'my_user'@'%.peersconf.com' IDENTIFIED BY 'some_secure_password';

Slide 18

Slide 18 text

MySQL Security
# By IP Address
CREATE USER 'my_user'@'12.124.345.67' IDENTIFIED BY 'some_secure_password';

Slide 19

Slide 19 text

MySQL Security
# Subnet 192.168.1.1 through 192.168.1.254
CREATE USER 'my_user'@'192.168.1.%' IDENTIFIED BY 'some_secure_password';

Slide 20

Slide 20 text

MySQL Security
# A read-only user
GRANT CREATE VIEW, SELECT, SHOW VIEW ON my_app.* TO 'my_user'@'-WHATEVER-';

Slide 21

Slide 21 text

MySQL Security
# A 90% use-case user
GRANT ALTER, CREATE, DELETE, DROP, INDEX, INSERT, LOCK TABLES, SELECT, UPDATE ON my_app.* TO 'my_user'@'-WHATEVER-';

Slide 22

Slide 22 text

USER ACCESS • FIREWALL • FAIL2BAN • SECURITY UPGRADES

Slide 23

Slide 23 text

Default Rules
$ sudo iptables -L -v

Slide 24

Slide 24 text

Default Rules
$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Slide 25

Slide 25 text

Uncomplicated Firewall

Slide 26

Slide 26 text

Uncomplicated Firewall
$ ufw allow http
$ ufw allow https
$ ufw allow ssh
$ ufw enable

Slide 27

Slide 27 text

Uncomplicated Firewall
$ ufw allow 80
$ ufw allow 443
$ ufw allow 22
$ ufw enable

Slide 28

Slide 28 text

Uncomplicated Firewall
$ ufw status
To           Action      From
--           ------      ----
80           ALLOW       Anywhere
443          ALLOW       Anywhere
22           ALLOW       Anywhere
80 (v6)      ALLOW       Anywhere
443 (v6)     ALLOW       Anywhere
22 (v6)      ALLOW       Anywhere

Slide 29

Slide 29 text

Uncomplicated Firewall
$ ufw deny from 1.2.3.4
$ ufw enable

Slide 30

Slide 30 text

Uncomplicated Firewall
$ ufw status numbered
$ ufw delete [number]

Slide 31

Slide 31 text

USER ACCESS • FIREWALL • FAIL2BAN • SECURITY UPGRADES

Slide 32

Slide 32 text

Fail2Ban “Fail2Ban scans log files and bans IPs that show the malicious signs – too many password failures, seeking for exploits, etc.”

Slide 33

Slide 33 text

Fail2Ban
$ sudo apt-get install -y fail2ban
$ cd /etc/fail2ban
$ sudo cp jail.conf jail.local

Slide 34

Slide 34 text

Fail2Ban
/etc/fail2ban/jail.local:
ignoreip = 127.0.0.1/8
findtime = 600
bantime = 600
maxretry = 5
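To make findtime, bantime and maxretry concrete, here is an added example (not Fail2Ban's own code) that replays the jail logic in awk over constructed, simplified log lines of the form `<epoch> <ip> <message>`; the IP addresses and messages are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): a minimal re-implementation of the jail
# settings above. Input is "<epoch> <ip> <message>", a constructed simplified
# format (not real auth.log syntax). Output: "BAN <ip> at <t> until <t+bantime>".
findtime=600
bantime=600
maxretry=5
ignoreip_prefix="127."   # stands in for ignoreip = 127.0.0.1/8

# jail_scan < log -> one BAN line per IP reaching maxretry failures inside findtime
jail_scan() {
    awk -v findtime="$findtime" -v bantime="$bantime" \
        -v maxretry="$maxretry" -v ignore="$ignoreip_prefix" '
    $0 !~ /Failed password/ { next }              # the "filter" regex: only failures count
    index($2, ignore) == 1 { next }               # whitelisted source, never counted
    banned[$2] != "" && $1 < banned[$2] { next }  # still banned: ignore until bantime ends
    {
        t = $1; ip = $2
        n[ip]++; hits[ip, n[ip]] = t
        c = 0                                     # failures in the window (t - findtime, t]
        for (i = 1; i <= n[ip]; i++)
            if (hits[ip, i] > t - findtime) c++
        if (c >= maxretry) {
            banned[ip] = t + bantime
            printf "BAN %s at %d until %d\n", ip, t, banned[ip]
            n[ip] = 0                             # counter starts over once the ban is placed
        }
    }'
}

# Constructed sample: 203.0.113.5 fails 5 times within 4 minutes (banned);
# 198.51.100.7 fails 5 times spread over 25 minutes (never 5 in one window);
# 127.0.0.1 matches the filter but is whitelisted.
sample_log() {
    cat <<'EOF'
1000 203.0.113.5 Failed password for invalid user admin
1060 203.0.113.5 Failed password for invalid user admin
1120 203.0.113.5 Failed password for root
1180 203.0.113.5 Failed password for root
1240 203.0.113.5 Failed password for root
1000 198.51.100.7 Failed password for deploy
1400 198.51.100.7 Failed password for deploy
1800 198.51.100.7 Failed password for deploy
2200 198.51.100.7 Failed password for deploy
2600 198.51.100.7 Failed password for deploy
1001 127.0.0.1 Failed password for test
1002 127.0.0.1 Failed password for test
1003 127.0.0.1 Failed password for test
1004 127.0.0.1 Failed password for test
1005 127.0.0.1 Failed password for test
EOF
}
sample_log | jail_scan
```

Raising bantime or lowering findtime changes only the two constants; the slow attacker in the sample shows why a findtime that is too short never trips maxretry.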

Slide 35

Slide 35 text

USER ACCESS • FIREWALL • FAIL2BAN • SECURITY UPGRADES

Slide 36

Slide 36 text

Automatic Security Upgrades
/etc/apt/apt.conf.d/50unattended-upgrades:
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};

Slide 37

Slide 37 text

Automatic Security Upgrades
/etc/apt/apt.conf.d/10periodic:
APT::Periodic::Unattended-Upgrade "1";

Slide 38

Slide 38 text

No content

Slide 39

Slide 39 text

Permissions – Operations

Operation | Directories                                                                     | Files
read      | `ls` or read contents of a directory                                            | Read file contents
write     | Rename or create a new file/directory within a directory, or delete a directory | Edit or delete a file
execute   | `cd` into a directory                                                           | Execute a file – such as a bash command

Slide 40

Slide 40 text

$ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json

Slide 41

Slide 41 text

$ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json
Permissions: -rwxrwxr-x

Slide 42

Slide 42 text

$ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json
Permissions: -rwxrwxr-x
User & Group: forge forge

Slide 43

Slide 43 text

$ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json
Permissions: -rwxrwxr-x
User & Group: forge forge
Size: 604
Last Modified: Mar 1 20:48

Slide 44

Slide 44 text

$ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json
Permissions: -rwxrwxr-x
User & Group: forge forge
Size: 604
Last Modified: Mar 1 20:48
A preceding “d” in the permissions column denotes a directory. Lacking a “d” means it’s a file.

Slide 45

Slide 45 text

$ rwx rwx r-x
  rwx - User
  rwx - Group
  r-x - Other

Slide 46

Slide 46 text

Changing Permissions

Slide 47

Slide 47 text

$ chmod [-R] guo[+-=]rwx /some/dir

Slide 48

Slide 48 text

$ chmod [-R] guo[+-=]rwx /some/dir
• -R - Change permissions recursively (if it is a directory)

Slide 49

Slide 49 text

$ chmod [-R] guo[+-=]rwx /some/dir
• u - perform operation on the user permissions
• g - perform operation on the group permissions
• o - perform operation on the other permissions

Slide 50

Slide 50 text

$ chmod [-R] guo[+-=]rwx /some/dir
• + means add permission
• - means remove permission
• = means set permission explicitly

Slide 51

Slide 51 text

$ chmod [-R] guo[+-=]rwx /some/dir
• r - add or remove read permissions
• w - add or remove write permissions
• x - add or remove execute permissions

Slide 52

Slide 52 text

Changing Permissions
$ sudo chmod ug+rwx /some/dir

Slide 53

Slide 53 text

Changing Permissions
$ sudo chmod ug+rwx /some/dir
$ sudo chmod o-rwx /some/dir

Slide 54

Slide 54 text

Changing Permissions
$ sudo chmod ug+rwx /some/dir
$ sudo chmod o-rwx /some/dir
$ sudo chmod o+rx /some/dir

Slide 55

Slide 55 text

Changing Permissions
$ sudo chmod ug=rwx /some/dir
$ sudo chmod o=rx /some/dir
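As an added example (not from the deck), a script that decodes the ls mode string from the earlier slides into its octal digits and then runs the two chmod commands above on a scratch directory, reading the result back; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): decode an ls(1) mode string such as
# "-rwxrwxr-x" into user/group/other octal digits, then run the chmod sequence
# from the slide on a scratch directory and read the result back.

# mode_to_octal "-rwxrwxr-x" -> "775"; accepts 9 or 10 chars (type prefix optional)
mode_to_octal() {
    local s="$1" out="" triplet i v
    [ ${#s} -eq 10 ] && s="${s:1}"            # drop the leading d/-/l type character
    [ ${#s} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    for i in 0 3 6; do                         # offsets of the user, group, other triplets
        triplet="${s:$i:3}"; v=0
        [ "${triplet:0:1}" = "r" ] && v=$((v + 4))
        [ "${triplet:1:1}" = "w" ] && v=$((v + 2))
        case "${triplet:2:1}" in x|s|t) v=$((v + 1)) ;; esac   # lowercase s/t imply execute
        out="$out$v"
    done
    echo "$out"
}

# triplet_words "r-x" -> "read,execute": spell out one rwx group
triplet_words() {
    local t="$1" words=""
    [ "${t:0:1}" = "r" ] && words="${words:+$words,}read"
    [ "${t:1:1}" = "w" ] && words="${words:+$words,}write"
    [ "${t:2:1}" = "x" ] && words="${words:+$words,}execute"
    echo "${words:-none}"
}

# apply_slide_sequence DIR -> runs the two slide commands, prints the resulting mode string
apply_slide_sequence() {
    local dir="$1"
    chmod ug=rwx "$dir"                # user and group: read, write, execute
    chmod o=rx "$dir"                  # other: read and execute only, never write
    ls -ld "$dir" | cut -c1-10         # e.g. drwxrwxr-x
}

demo() {
    local dir mode
    dir=$(mktemp -d)
    mode=$(apply_slide_sequence "$dir")
    echo "$mode -> $(mode_to_octal "$mode") (other: $(triplet_words "${mode:7:3}"))"
    rmdir "$dir"
}
demo
```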

Slide 56

Slide 56 text

ACL

Slide 57

Slide 57 text

ACL
$ getfacl /some/dir
# file: dir
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

Slide 58

Slide 58 text

$ sudo setfacl -R -m u:peers:rwx /some/dir
• setfacl - Set ACL
• -R - Recurse down into files and directories
• -m - Modify the ACL
• u:peers:rwx - The user peers will get rwx permissions
• /some/dir - Apply to the /some/dir directory and all the sub files/dirs

Slide 59

Slide 59 text

ACL
$ getfacl /some/dir
# file: dir
# owner: root
# group: root
user::rwx
user:peers:rwx
group::r-x
other::r-x

Slide 60

Slide 60 text

$ sudo setfacl -R -m g:www-data:rwx /some/dir
• setfacl - Set ACL
• -R - Recurse down into files and directories
• -m - Modify the ACL
• g:www-data:rwx - The group www-data will get rwx permissions
• /some/dir - Apply to the /some/dir directory and all the sub files/dirs

Slide 61

Slide 61 text

$ sudo setfacl -Rd -m u:peers:rwx /some/dir
• -d - Set the default ACL, so new files and directories created inside /some/dir inherit the entry

Slide 62

Slide 62 text

$ sudo setfacl -x u:peers /some/dir
• -x u:peers - Remove the ACL entry for the user peers

Slide 63

Slide 63 text

No content

Slide 64

Slide 64 text

Logrotate – Application Logs
/etc/logrotate.d/app.com

Slide 65

Slide 65 text

Logrotate – Application Logs
/etc/logrotate.d/app.com:
/var/www/app.com/logs/*.log {
    su www-data www-data
    weekly
    missingok
    rotate 24
    compress
    notifempty
    create 644 www-data www-data
}

Slide 66

Slide 66 text

Logrotate – Other Options
/etc/logrotate.d/app.com:
/var/www/app.com/logs/*.log {
    dateext
}

Slide 67

Slide 67 text

Logrotate – Other Options
/etc/logrotate.d/app.com:
/var/www/app.com/logs/*.log {
    delaycompress
}

Slide 68

Slide 68 text

Logrotate – Other Options
/etc/logrotate.d/app.com:
/var/www/app.com/logs/*.log {
    prerotate
        your-shell-script
    endscript
}

Slide 69

Slide 69 text

Logrotate – Other Options
/etc/logrotate.d/app.com:
/var/www/app.com/logs/*.log {
    postrotate
        your-shell-script
    endscript
}

Slide 70

Slide 70 text

Logrotate – Other Options
/etc/logrotate.d/app.com:
/var/www/app.com/logs/*.log {
    sharedscripts
}

Slide 71

Slide 71 text

No content

Slide 72

Slide 72 text

$ sudo apt-get install supervisor

Slide 73

Slide 73 text

Supervisord
/etc/supervisor/conf.d/worker.conf:
[program:queue-worker]
command=php artisan queue:work
directory=/var/www/app.com
autostart=true
autorestart=true
user=deployer
numprocs=8
; numprocs > 1 requires a process_name that includes the process number
process_name=%(program_name)s_%(process_num)02d
redirect_stderr=true
stdout_logfile=/var/www/app.com/logs/worker.log

Slide 74

Slide 74 text

Supervisord
$ sudo supervisorctl reread
$ sudo supervisorctl update
$ sudo supervisorctl start queue-worker:*

Slide 75

Slide 75 text

Process Monitoring – Other options
• systemd
• Upstart
• Circus

Slide 76

Slide 76 text

Who am I?
• Viraj Khatavkar
• Mumbai, India
• PHP Consultant & Coach
• Laravel, CakePHP and VueJS development
• @virajkhatavkar
• [email protected]

Slide 77

Slide 77 text

THANK YOU
Questions?