Server Administration For Web Developers

Transcript

1. Server Administration …..For Web Developers

2. The truth is… I am just an idiot who Jess

   found on Internet…
3. None

4. Ubuntu CentOS Fedora Red Hat Debian

5. Ubuntu Debian CentOS Fedora Red Hat

6. Things that annoy developers… • Security • Permissions • ACL

   • Process Monitoring • Log Management

7. USER ACCESS FIREWALL FAIL2BAN SECURITY UPGRADES

8. USER ACCESS FIREWALL FAIL2BAN SECURITY UPGRADES

9. $ sudo adduser viraj

10. $ sudo usermod -a -G sudo viraj • usermod -

    Command to modify an existing user • -a - Append the group • -G sudo - Assign the group “sudo” as a secondary group • viraj - The user to assign the group

11. $ ssh-keygen –t rsa –b 4096 –f id_peers • -t

    rsa - Create an RSA type key pair. • -b 4096 - Use 4096 bit encryption. • -f id_peers - The name of the SSH identity files created. The two files would be id_peers and id_peers.pub

12. Restrict Access PermitRootLogin no PasswordAuthentication no /etc/ssh/sshd_config

13. MySQL Security CREATE DATABASE my_app DEFAULT CHARACTER SET utf8mb4 COLLATE

    utf8mb4_unicode_ci; CREATE TABLE `users` ( `id` int(10) unsigned NOT NULL AUTO_INCREMENT, `email` varchar(255) COLLATE utf8_unicode_ci NOT NULL, PRIMARY KEY (`id`), UNIQUE KEY `users_email_unique` (`email`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

14. MySQL Security CREATE USER 'my_user'@'%' IDENTIFIED BY 'some_secure_password';

15. MySQL Security CREATE USER 'my_user'@'%' IDENTIFIED BY 'some_secure_password'; GRANT ALL

    PRIVILEGES on my_app.* TO 'my_user'@'%';

16. MySQL Security # Hostname CREATE USER 'my_user'@’peersconf.com' IDENTIFIED BY 'some_secure_password';

17. MySQL Security # Hostname with wildcard CREATE USER 'my_user'@'%.peersconf.com' IDENTIFIED

    BY 'some_secure_password';

18. MySQL Security # By IP Address CREATE USER 'my_user'@'12.124.345.67' IDENTIFIED

    BY 'some_secure_password';

19. MySQL Security # Subnet 192.168.1.1 through 192.168.1.254 CREATE USER 'my_user'@'192.168.1.%'

    IDENTIFIED BY 'some_secure_password';

20. MySQL Security # A read-only user GRANT CREATE VIEW, SELECT,

    SHOW VIEW on my_app.* TO 'my_user'@'- WHATEVER-';

21. MySQL Security # A 90% use-case user GRANT ALTER, CREATE,

    DELETE, DROP, INDEX, INSERT, LOCK TABLES, SELECT, UPDATE on my_app.* TO 'my_user'@'-WHATEVER-';

22. USER ACCESS FIREWALL FAIL2BAN SECURITY UPGRADES

23. Default Rules sudo iptables –L -v

24. Default Rules sudo iptables –L -v Chain INPUT (policy ACCEPT

    0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination

25. Uncomplicated Firewall

26. Uncomplicated Firewall $ ufw allow http $ ufw allow https

    $ ufw allow ssh $ ufw enable

27. Uncomplicated Firewall $ ufw allow 80 $ ufw allow 443

    $ ufw allow 22 $ ufw enable

28. Uncomplicated FireWall $ ufw status To Action From ------ -------

    ----- 80 ALLOW Anywhere 443 ALLOW Anywhere 22 ALLOW Anywhere 80(v6) ALLOW Anywhere 443(v6) ALLOW Anywhere 22(v6) ALLOW Anywhere

29. Uncomplicated FireWall $ ufw deny from 1.2.3.4 $ ufw enable

30. Uncomplicated FireWall $ ufw status numbered $ ufw delete [number]

31. USER ACCESS FIREWALL FAIL2BAN SECURITY UPGRADES

32. Fail2Ban “Fail2Ban scans log files and bans IPs that show

    the malicious signs – too many password failures, seeking for exploits, etc.”

33. Fail2Ban $ apt-get install –y fail2ban $ cd /etc/fail2ban $

    sudo cp jail.conf jail.local

34. Fail2Ban ignoreip = 127.0.0.1/8 findtime = 600 bantime = 600

    maxretry = 5 /etc/fail2ban/jail.local

35. USER ACCESS FIREWALL FAIL2BAN SECURITY UPGRADES

36. Automatic Security Upgrades Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; }; /etc/apt/apt.conf.d/50unattended-upgrades

37. Automatic Security Upgrades APT::Periodic::Unattended-Upgrade "1"; /etc/apt/apt.conf.d/10periodic

38. None

39. Permissions – Operations Directories Files read `ls` or read contents

    of a directory Read file contents write Rename or create a new file/directory within a directory or delete a directory Edit or delete a file execute `cd` into a directory Execute a file – such as a bash command

40. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json

41. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json

    Permissions

42. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json

    Permissions User & Group

43. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json

    Permissions User & Group Size Last Modified

44. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json

    Permissions User & Group Size Last Modified The preceding “d” denotes this as a directory. Lacking a “d” means it’s a file

45. $ rwx rwx r-x User Group Other

46. Changing Permissions

47. $ chmod [-R] guo[+-=]rwx /some/dir

48. $ chmod [-R] guo[+-=]rwx /some/dir -R = Change permissions recursively

    (if it is a directory)

49. $ chmod [-R] guo[+-=]rwx /some/dir • u - perform operation

    on the user permissions • g - perform operation on the group permissions • o - perform operation on the other permissions

50. $ chmod [-R] guo[+-=]rwx /some/dir • + means add permission

    • - means remove permission • = means set permission explicitly

51. $ chmod [-R] guo[+-=]rwx /some/dir • r - add or

    remove read permissions • w - add or remove write permissions • x - add or remove execute permissions

52. Changing Permissions $ sudo chmod ug+rwx /some/dir

53. Changing Permissions $ sudo chmod ug+rwx /some/dir $ sudo chmod

    o-rwx /some/dir

54. Changing Permissions $ sudo chmod ug+rwx /some/dir $ sudo chmod

    o-rwx /some/dir $ sudo chmod o+rx /some/dir

55. Changing Permissions $ sudo chmod ug=rwx /some/dir $ sudo chmod

    o=rx /some/dir

56. ACL

57. ACL $ getfacl /some/dir # file: dir # owner: root

    # group: root user::rwx group::r-x other::r-x

58. $ sudo setfacl -R -m u:peers:rwx /some/dir • setfacl -

    Set ACL • -R - Recursive down into files and directories • u:peers:rwx - The user peers will get rwx permissions • /some/dir - Apply to the /some/dir directory and all the sub files/dirs

59. ACL $ getfacl /some/dir # file: dir # owner: root

    # group: root user::rwx user:peers:rwx group::r-x other::r-x

60. $ sudo setfacl -R -m g:www-data:rwx /some/dir • setfacl -

    Set ACL • -R - Recursive down into files and directories • g:www-data:rwx - The group www-data will get rwx permissions • /some/dir - Apply to the /some/dir directory and all the sub files/dirs

61. $ sudo setfacl -Rd -m u:peers:rwx /some/dir

62. $ sudo setfacl -x u:peers /some/dir

63. None

64. Logrotate – Application Logs /etc/logrotate.d/app.com

65. Logrotate – Application Logs /var/www/app.com/logs/*.log { su www-data www-data weekly

    missingok rotate 24 compress notifempty create 644 www-data www-data } /etc/logrotate.d/app.com

66. Logrotate – Other Options /var/www/app.com/logs/*.log { dateext } /etc/logrotate.d/app.com

67. Logrotate – Other Options /var/www/app.com/logs/*.log { delaycompress } /etc/logrotate.d/app.com

68. Logrotate – Other Options /var/www/app.com/logs/*.log { prerotate your-shell-script endscript }

    /etc/logrotate.d/app.com

69. Logrotate – Other Options /var/www/app.com/logs/*.log { postrotate your-shell-script endscript }

    /etc/logrotate.d/app.com

70. Logrotate – Other Options /var/www/app.com/logs/*.log { sharedscripts } /etc/logrotate.d/app.com

71. None

72. $ sudo apt-get install supervisor

73. Supervisord [program:queue-worker] command=php artisan queue:work directory=/var/www/app.com autostart=true autorestart=true user=deployer numprocs=8

    redirect_stderr=true stdout_logfile=/var/www/app.com/logs/worker.log /etc/supervisor/conf.d/worker.conf

74. Supervisord $ sudo supervisorctl reread $ sudo supervisorctl update $

    sudo supervisorctl start queue-worker

75. Process Monitoring – Other options • systemd • Upstart •

    Circus

76. Who am I? • Viraj Khatavkar • Mumbai, India •

    PHP Consultant & Coach • Laravel, CakePHP and VueJS development • @virajkhatavkar • viraj@virajkhatavkar.com

77. THANK YOU Questions?