Server Administration For Web Developers

Viraj Khatavkar

April 27, 2017
Transcript

  1. $ sudo usermod -a -G sudo viraj
     • usermod - Command to modify an existing user
     • -a - Append the group
     • -G sudo - Assign the group “sudo” as a secondary group
     • viraj - The user to assign the group
  2. $ ssh-keygen -t rsa -b 4096 -f id_peers
     • -t rsa - Create an RSA type key pair.
     • -b 4096 - Use a 4096-bit key.
     • -f id_peers - The name of the SSH identity files created. The two files would be id_peers and id_peers.pub
  3. MySQL Security
     CREATE DATABASE my_app DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

     CREATE TABLE `users` (
       `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
       `email` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
       PRIMARY KEY (`id`),
       UNIQUE KEY `users_email_unique` (`email`)
     ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
  4. MySQL Security
     # A read-only user
     GRANT CREATE VIEW, SELECT, SHOW VIEW ON my_app.* TO 'my_user'@'-WHATEVER-';
  5. MySQL Security
     # A 90% use-case user
     GRANT ALTER, CREATE, DELETE, DROP, INDEX, INSERT, LOCK TABLES, SELECT, UPDATE ON my_app.* TO 'my_user'@'-WHATEVER-';
  6. Default Rules
     $ sudo iptables -L -v
     Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
      pkts bytes target     prot opt in     out     source               destination

     Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
      pkts bytes target     prot opt in     out     source               destination

     Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
      pkts bytes target     prot opt in     out     source               destination
  7. Uncomplicated FireWall
     $ ufw status
     To                         Action      From
     --                         ------      ----
     80                         ALLOW       Anywhere
     443                        ALLOW       Anywhere
     22                         ALLOW       Anywhere
     80 (v6)                    ALLOW       Anywhere
     443 (v6)                   ALLOW       Anywhere
     22 (v6)                    ALLOW       Anywhere
  8. Fail2Ban
     “Fail2Ban scans log files and bans IPs that show the malicious signs – too many password failures, seeking for exploits, etc.”
  9. Fail2Ban
     /etc/fail2ban/jail.local
     ignoreip = 127.0.0.1/8
     findtime = 600
     bantime = 600
     maxretry = 5
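To show what those four jail.local values actually do, here is an added example (not from the slides, and not Fail2Ban's own code): a small Python replay of constructed sshd `Failed password` lines through a sliding window using the same ignoreip, findtime, bantime and maxretry. The log format assumed is the standard sshd line in /var/log/auth.log, the hostname, IPs and PIDs are made up, and the window logic is a simplification of Fail2Ban's filter/action pipeline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Jail parameters copied from the jail.local on the slide above.
IGNOREIP = [ip_network("127.0.0.1/8", strict=False)]
FINDTIME, BANTIME, MAXRETRY = 600, 600, 5   # seconds, seconds, failures

# sshd failure line as it appears in /var/log/auth.log (syslog timestamps carry no year).
FAIL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for .* from (?P<ip>[\d.]+) port \d+")

def simulate_bans(lines, year=2017):
    """Replay chronologically ordered auth-log lines; return {ip: [time of each ban]}."""
    recent = defaultdict(deque)   # ip -> failure times still inside the findtime window
    banned_until = {}             # ip -> when that ip's current ban expires
    bans = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                  # successful logins and other noise are not failures
        ip = m.group("ip")
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if any(ip_address(ip) in net for net in IGNOREIP):
            continue                  # whitelisted by ignoreip: never banned
        if ts < banned_until.get(ip, ts):
            continue                  # still banned: the firewall rule would have dropped it
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()          # failures older than findtime no longer count
        if len(window) >= MAXRETRY:   # maxretry failures inside findtime: ban for bantime
            bans[ip].append(ts)
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            window.clear()
    return dict(bans)

# Constructed sample auth.log: a fast burst, five failures from localhost, and slow retries.
SAMPLE_AUTH_LOG = [
    f"Apr 27 10:00:{s:02d} web1 sshd[2201]: Failed password for root from 203.0.113.7 port 5{s:04d} ssh2"
    for s in (1, 5, 9, 14, 20, 25)
] + [
    f"Apr 27 10:01:{s:02d} web1 sshd[2301]: Failed password for viraj from 127.0.0.1 port 4{s:04d} ssh2"
    for s in range(0, 10, 2)
] + [
    f"Apr 27 {t} web1 sshd[2401]: Failed password for deployer from 198.51.100.9 port 60001 ssh2"
    for t in ("10:02:00", "10:02:30", "10:15:00", "10:15:10", "10:15:20")
] + ["Apr 27 10:15:30 web1 sshd[2402]: Accepted password for deployer from 198.51.100.9 port 60002 ssh2"]
print(simulate_bans(SAMPLE_AUTH_LOG))   # -> {'203.0.113.7': [datetime.datetime(2017, 4, 27, 10, 0, 20)]}
```

Only the burst from 203.0.113.7 is banned: the localhost failures are skipped by ignoreip, and the 198.51.100.9 retries never reach five inside one 600-second findtime window.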
  10. Permissions – Operations
      Operation | Directories                                                                    | Files
      read      | `ls` or read contents of a directory                                           | Read file contents
      write     | Rename or create a new file/directory within a directory or delete a directory | Edit or delete a file
      execute   | `cd` into a directory                                                          | Execute a file – such as a bash command
  11. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json
      -rwxrwxr-x = Permissions, forge forge = User & Group, 604 = Size, Mar 1 20:48 = Last Modified
  12. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json
      -rwxrwxr-x = Permissions, forge forge = User & Group, 604 = Size, Mar 1 20:48 = Last Modified
      The preceding “d” denotes this as a directory. Lacking a “d” means it’s a file.
  13. $ chmod [-R] guo[+-=]rwx /some/dir
      • u - perform operation on the user permissions
      • g - perform operation on the group permissions
      • o - perform operation on the other permissions
  14. $ chmod [-R] guo[+-=]rwx /some/dir
      • + means add permission
      • - means remove permission
      • = means set permission explicitly
  15. $ chmod [-R] guo[+-=]rwx /some/dir
      • r - add or remove read permissions
      • w - add or remove write permissions
      • x - add or remove execute permissions
  16. Changing Permissions
      $ sudo chmod ug+rwx /some/dir
      $ sudo chmod o-rwx /some/dir
      $ sudo chmod o+rx /some/dir
  17. ACL

  18. ACL
      $ getfacl /some/dir
      # file: dir
      # owner: root
      # group: root
      user::rwx
      group::r-x
      other::r-x
  19. $ sudo setfacl -R -m u:peers:rwx /some/dir
      • setfacl - Set ACL
      • -R - Recursive down into files and directories
      • u:peers:rwx - The user peers will get rwx permissions
      • /some/dir - Apply to the /some/dir directory and all the sub files/dirs
  20. ACL
      $ getfacl /some/dir
      # file: dir
      # owner: root
      # group: root
      user::rwx
      user:peers:rwx
      group::r-x
      other::r-x
  21. $ sudo setfacl -R -m g:www-data:rwx /some/dir
      • setfacl - Set ACL
      • -R - Recursive down into files and directories
      • g:www-data:rwx - The group www-data will get rwx permissions
      • /some/dir - Apply to the /some/dir directory and all the sub files/dirs
  22. Logrotate – Application Logs
      /etc/logrotate.d/app.com
      /var/www/app.com/logs/*.log {
          su www-data www-data
          weekly
          missingok
          rotate 24
          compress
          notifempty
          create 644 www-data www-data
      }
  23. Supervisord
      /etc/supervisor/conf.d/worker.conf
      [program:queue-worker]
      command=php artisan queue:work
      directory=/var/www/app.com
      autostart=true
      autorestart=true
      user=deployer
      numprocs=8
      ; supervisord refuses numprocs > 1 unless process_name contains %(process_num)s
      process_name=%(program_name)s_%(process_num)02d
      redirect_stderr=true
      stdout_logfile=/var/www/app.com/logs/worker.log
  24. Who am I?
      • Viraj Khatavkar
      • Mumbai, India
      • PHP Consultant & Coach
      • Laravel, CakePHP and VueJS development
      • @virajkhatavkar