Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Server Administration For Web Developers

Viraj Khatavkar
April 27, 2017
Technology
0
110

Server Administration For Web Developers

Viraj Khatavkar

April 27, 2017
Tweet

More Decks by Viraj Khatavkar

See All by Viraj Khatavkar
Architecting Design Decisions
viraj
0
1.3k
Embracing TDD - A Beginner's approach to get acquainted with TDD workflow
viraj
1
150

Other Decks in Technology

See All in Technology
Cloudflare Workersで動くOG画像生成器
aiji42
1
450
Kaggleシミュレーションコンペの動向
nagiss
0
220
SmartHRからOktaへのSCIM連携で作り出すHRドリブンのアカウント管理
jousysmiler
1
110
ERC3525 Semi-Fungible token
sbtechnight
0
330
ラズパイとGASで加湿器の消し忘れをLINEでリマインド&操作
minako__ph
0
120
PCI DSS に準拠したシステム開発
yutadayo
0
250
Virtual Thread - 導入の背景と、効果的な使い方 -
skrb
3
250
lt53
98_justdoit
0
110
エアドロップ for オープンソースプロジェクト
epicsdao
0
210
GitHub Codespaces が拡げる開発環境、いつでもどこでも Visual Studio Code で!
dzeyelid
0
150
plotlyで動くグラフを作る
kosshi
0
710
立ち止まっても、寄り道しても / even if I stop, even if I take a detour
katoaz
0
100

Featured

See All Featured
Done Done
chrislema
178
14k
Become a Pro
speakerdeck
PRO
6
3.2k
YesSQL, Process and Tooling at Scale
rocio
159
12k
Building Better People: How to give real-time feedback that sticks.
wjessup
346
17k
Producing Creativity
orderedlist
PRO
335
37k
It's Worth the Effort
3n
177
26k
Designing for humans not robots
tammielis
245
24k
Testing 201, or: Great Expectations
jmmastey
25
5.7k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
38
3.6k
Navigating Team Friction
lara
176
12k
Side Projects
sachag
451
37k
Documentation Writing (for coders)
carmenintech
51
2.9k

Transcript

  1. Server Administration …..For Web Developers

  2. The truth is… I am just an idiot who Jess

    found on Internet…
  3. None

  4. Ubuntu CentOS Fedora Red Hat Debian

  5. Ubuntu Debian CentOS Fedora Red Hat

  6. Things that annoy developers… • Security • Permissions • ACL

    • Process Monitoring • Log Management

  7. USER ACCESS FIREWALL FAIL2BAN SECURITY UPGRADES

  8. USER ACCESS FIREWALL FAIL2BAN SECURITY UPGRADES

  9. $ sudo adduser viraj

  10. $ sudo usermod -a -G sudo viraj • usermod -

    Command to modify an existing user • -a - Append the group • -G sudo - Assign the group “sudo” as a secondary group • viraj - The user to assign the group

  11. $ ssh-keygen –t rsa –b 4096 –f id_peers • -t

    rsa - Create an RSA type key pair. • -b 4096 - Use 4096 bit encryption. • -f id_peers - The name of the SSH identity files created. The two files would be id_peers and id_peers.pub

  12. Restrict Access PermitRootLogin no PasswordAuthentication no /etc/ssh/sshd_config

  13. MySQL Security CREATE DATABASE my_app DEFAULT CHARACTER SET utf8mb4 COLLATE

    utf8mb4_unicode_ci; CREATE TABLE `users` ( `id` int(10) unsigned NOT NULL AUTO_INCREMENT, `email` varchar(255) COLLATE utf8_unicode_ci NOT NULL, PRIMARY KEY (`id`), UNIQUE KEY `users_email_unique` (`email`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

  14. MySQL Security CREATE USER 'my_user'@'%' IDENTIFIED BY 'some_secure_password';

  15. MySQL Security CREATE USER 'my_user'@'%' IDENTIFIED BY 'some_secure_password'; GRANT ALL

    PRIVILEGES on my_app.* TO 'my_user'@'%';

  16. MySQL Security # Hostname CREATE USER 'my_user'@’peersconf.com' IDENTIFIED BY 'some_secure_password';

  17. MySQL Security # Hostname with wildcard CREATE USER 'my_user'@'%.peersconf.com' IDENTIFIED

    BY 'some_secure_password';

  18. MySQL Security # By IP Address CREATE USER 'my_user'@'12.124.345.67' IDENTIFIED

    BY 'some_secure_password';

  19. MySQL Security # Subnet 192.168.1.1 through 192.168.1.254 CREATE USER 'my_user'@'192.168.1.%'

    IDENTIFIED BY 'some_secure_password';

  20. MySQL Security # A read-only user GRANT CREATE VIEW, SELECT,

    SHOW VIEW on my_app.* TO 'my_user'@'- WHATEVER-';

  21. MySQL Security # A 90% use-case user GRANT ALTER, CREATE,

    DELETE, DROP, INDEX, INSERT, LOCK TABLES, SELECT, UPDATE on my_app.* TO 'my_user'@'-WHATEVER-';

  22. USER ACCESS FIREWALL FAIL2BAN SECURITY UPGRADES

  23. Default Rules sudo iptables –L -v

  24. Default Rules sudo iptables –L -v Chain INPUT (policy ACCEPT

    0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination

  25. Uncomplicated Firewall

  26. Uncomplicated Firewall $ ufw allow http $ ufw allow https

    $ ufw allow ssh $ ufw enable

  27. Uncomplicated Firewall $ ufw allow 80 $ ufw allow 443

    $ ufw allow 22 $ ufw enable

  28. Uncomplicated FireWall $ ufw status To Action From ------ -------

    ----- 80 ALLOW Anywhere 443 ALLOW Anywhere 22 ALLOW Anywhere 80(v6) ALLOW Anywhere 443(v6) ALLOW Anywhere 22(v6) ALLOW Anywhere

  29. Uncomplicated FireWall $ ufw deny from 1.2.3.4 $ ufw enable

  30. Uncomplicated FireWall $ ufw status numbered $ ufw delete [number]

  31. USER ACCESS FIREWALL FAIL2BAN SECURITY UPGRADES

  32. Fail2Ban “Fail2Ban scans log files and bans IPs that show

    the malicious signs – too many password failures, seeking for exploits, etc.”

  33. Fail2Ban $ apt-get install –y fail2ban $ cd /etc/fail2ban $

    sudo cp jail.conf jail.local

  34. Fail2Ban ignoreip = 127.0.0.1/8 findtime = 600 bantime = 600

    maxretry = 5 /etc/fail2ban/jail.local

  35. USER ACCESS FIREWALL FAIL2BAN SECURITY UPGRADES

  36. Automatic Security Upgrades Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; }; /etc/apt/apt.conf.d/50unattended-upgrades

  37. Automatic Security Upgrades APT::Periodic::Unattended-Upgrade "1"; /etc/apt/apt.conf.d/10periodic

  38. None

  39. Permissions – Operations Directories Files read `ls` or read contents

    of a directory Read file contents write Rename or create a new file/directory within a directory or delete a directory Edit or delete a file execute `cd` into a directory Execute a file – such as a bash command

  40. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json

  41. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json

    Permissions

  42. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json

    Permissions User & Group

  43. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json

    Permissions User & Group Size Last Modified

  44. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json

    Permissions User & Group Size Last Modified The preceding “d” denotes this as a directory. Lacking a “d” means it’s a file

  45. $ rwx rwx r-x User Group Other

  46. Changing Permissions

  47. $ chmod [-R] guo[+-=]rwx /some/dir

  48. $ chmod [-R] guo[+-=]rwx /some/dir -R = Change permissions recursively

    (if it is a directory)

  49. $ chmod [-R] guo[+-=]rwx /some/dir • u - perform operation

    on the user permissions • g - perform operation on the group permissions • o - perform operation on the other permissions

  50. $ chmod [-R] guo[+-=]rwx /some/dir • + means add permission

    • - means remove permission • = means set permission explicitly

  51. $ chmod [-R] guo[+-=]rwx /some/dir • r - add or

    remove read permissions • w - add or remove write permissions • x - add or remove execute permissions

  52. Changing Permissions $ sudo chmod ug+rwx /some/dir

  53. Changing Permissions $ sudo chmod ug+rwx /some/dir $ sudo chmod

    o-rwx /some/dir

  54. Changing Permissions $ sudo chmod ug+rwx /some/dir $ sudo chmod

    o-rwx /some/dir $ sudo chmod o+rx /some/dir

  55. Changing Permissions $ sudo chmod ug=rwx /some/dir $ sudo chmod

    o=rx /some/dir

  56. ACL

  57. ACL $ getfacl /some/dir # file: dir # owner: root

    # group: root user::rwx group::r-x other::r-x

  58. $ sudo setfacl -R -m u:peers:rwx /some/dir • setfacl -

    Set ACL • -R - Recursive down into files and directories • u:peers:rwx - The user peers will get rwx permissions • /some/dir - Apply to the /some/dir directory and all the sub files/dirs

  59. ACL $ getfacl /some/dir # file: dir # owner: root

    # group: root user::rwx user:peers:rwx group::r-x other::r-x

  60. $ sudo setfacl -R -m g:www-data:rwx /some/dir • setfacl -

    Set ACL • -R - Recursive down into files and directories • g:www-data:rwx - The group www-data will get rwx permissions • /some/dir - Apply to the /some/dir directory and all the sub files/dirs

  61. $ sudo setfacl -Rd -m u:peers:rwx /some/dir

  62. $ sudo setfacl -x u:peers /some/dir

  63. None

  64. Logrotate – Application Logs /etc/logrotate.d/app.com

  65. Logrotate – Application Logs /var/www/app.com/logs/*.log { su www-data www-data weekly

    missingok rotate 24 compress notifempty create 644 www-data www-data } /etc/logrotate.d/app.com

  66. Logrotate – Other Options /var/www/app.com/logs/*.log { dateext } /etc/logrotate.d/app.com

  67. Logrotate – Other Options /var/www/app.com/logs/*.log { delaycompress } /etc/logrotate.d/app.com

  68. Logrotate – Other Options /var/www/app.com/logs/*.log { prerotate your-shell-script endscript }

    /etc/logrotate.d/app.com

  69. Logrotate – Other Options /var/www/app.com/logs/*.log { postrotate your-shell-script endscript }

    /etc/logrotate.d/app.com

  70. Logrotate – Other Options /var/www/app.com/logs/*.log { sharedscripts } /etc/logrotate.d/app.com

  71. None

  72. $ sudo apt-get install supervisor

  73. Supervisord [program:queue-worker] command=php artisan queue:work directory=/var/www/app.com autostart=true autorestart=true user=deployer numprocs=8

    redirect_stderr=true stdout_logfile=/var/www/app.com/logs/worker.log /etc/supervisor/conf.d/worker.conf

  74. Supervisord $ sudo supervisorctl reread $ sudo supervisorctl update $

    sudo supervisorctl start queue-worker

  75. Process Monitoring – Other options • systemd • Upstart •

    Circus

  76. Who am I? • Viraj Khatavkar • Mumbai, India •

    PHP Consultant & Coach • Laravel, CakePHP and VueJS development • @virajkhatavkar • [email protected]

  77. THANK YOU Questions?