
Server Administration For Web Developers


Viraj Khatavkar

April 27, 2017

Transcript

  1. Server Administration … For Web Developers

  2. The truth is… I am just an idiot who Jess found on the Internet…
  3. None
  4. Ubuntu CentOS Fedora Red Hat Debian

  5. Ubuntu Debian CentOS Fedora Red Hat

  6. Things that annoy developers… • Security • Permissions • ACL • Process Monitoring • Log Management
  7. USER ACCESS FIREWALL FAIL2BAN SECURITY UPGRADES

  8. USER ACCESS FIREWALL FAIL2BAN SECURITY UPGRADES

  9. $ sudo adduser viraj

  10. $ sudo usermod -a -G sudo viraj
      • usermod - Command to modify an existing user
      • -a - Append to the user's existing groups (without -a, -G replaces them)
      • -G sudo - Assign the group “sudo” as a secondary group
      • viraj - The user to assign the group
  11. $ ssh-keygen -t rsa -b 4096 -f id_peers
      • -t rsa - Create an RSA type key pair.
      • -b 4096 - Generate a 4096-bit key.
      • -f id_peers - The name of the SSH identity files created. The two files would be id_peers and id_peers.pub
  12. Restrict Access (/etc/ssh/sshd_config)
      PermitRootLogin no
      PasswordAuthentication no
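The two sshd_config directives on slide 12 are easy to get wrong in practice: sshd takes the first occurrence of a keyword, so a hardening line appended below a conflicting one silently loses, and a commented-out default such as `#PermitRootLogin prohibit-password` is not a setting at all. The check below is an added example written for this page, not code from the deck or its author. It assumes the plain `Keyword value` form and a file without Match blocks; the two config files it creates are constructed samples, not real server files.

```shell
#!/bin/sh
# Added example (not from the deck): check an sshd_config for the two "Restrict Access"
# directives. sshd uses the FIRST occurrence of a keyword, so a hardening line placed
# below a conflicting one loses; a commented-out default counts as unset.
# Assumes the plain "Keyword value" form and no Match blocks.

# sshd_effective <file> <Keyword>: print the effective value, or "unset".
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == tolower(key) && !found { found = 1; print $2 }
        END { if (!found) print "unset" }
    ' "$1"
}

# sshd_hardening_report <file>: one line per directive; returns 1 if any is not "no".
sshd_hardening_report() {
    rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:no; do
        key=${pair%%:*}
        want=${pair##*:}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK    $key $got"
        else
            echo "FAIL  $key is '$got', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not real server files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak_sshd_config" <<'EOF'
# Distro-style defaults: root login is only a commented default, passwords stay on
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
EOF
cat > "$demo_dir/hardened_sshd_config" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
# A leftover duplicate further down is ignored: the first value above wins
PasswordAuthentication yes
EOF

echo "== weak =="
sshd_hardening_report "$demo_dir/weak_sshd_config" || true
echo "== hardened =="
sshd_hardening_report "$demo_dir/hardened_sshd_config"
```

Run it against the real file with `sshd_hardening_report /etc/ssh/sshd_config` after editing, then `sshd -t` to syntax-check before restarting the daemon; keep the current session open until a fresh key-based login succeeds.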

  13. MySQL Security
      CREATE DATABASE my_app DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
      CREATE TABLE `users` (
        `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
        `email` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
        PRIMARY KEY (`id`),
        UNIQUE KEY `users_email_unique` (`email`)
      ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
  14. MySQL Security CREATE USER 'my_user'@'%' IDENTIFIED BY 'some_secure_password';

  15. MySQL Security
      CREATE USER 'my_user'@'%' IDENTIFIED BY 'some_secure_password';
      GRANT ALL PRIVILEGES on my_app.* TO 'my_user'@'%';

  16. MySQL Security
      # Hostname
      CREATE USER 'my_user'@'peersconf.com' IDENTIFIED BY 'some_secure_password';

  17. MySQL Security
      # Hostname with wildcard
      CREATE USER 'my_user'@'%.peersconf.com' IDENTIFIED BY 'some_secure_password';

  18. MySQL Security
      # By IP Address
      CREATE USER 'my_user'@'12.124.345.67' IDENTIFIED BY 'some_secure_password';

  19. MySQL Security
      # Subnet 192.168.1.1 through 192.168.1.254
      CREATE USER 'my_user'@'192.168.1.%' IDENTIFIED BY 'some_secure_password';

  20. MySQL Security
      # A read-only user
      GRANT CREATE VIEW, SELECT, SHOW VIEW on my_app.* TO 'my_user'@'-WHATEVER-';

  21. MySQL Security
      # A 90% use-case user
      GRANT ALTER, CREATE, DELETE, DROP, INDEX, INSERT, LOCK TABLES, SELECT, UPDATE on my_app.* TO 'my_user'@'-WHATEVER-';
  22. USER ACCESS FIREWALL FAIL2BAN SECURITY UPGRADES

  23. Default Rules
      sudo iptables -L -v

  24. Default Rules
      sudo iptables -L -v
      Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination
      Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination
      Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination
  25. Uncomplicated Firewall

  26. Uncomplicated Firewall
      $ ufw allow http
      $ ufw allow https
      $ ufw allow ssh
      $ ufw enable

  27. Uncomplicated Firewall
      $ ufw allow 80
      $ ufw allow 443
      $ ufw allow 22
      $ ufw enable

  28. Uncomplicated FireWall
      $ ufw status
      To          Action      From
      --          ------      ----
      80          ALLOW       Anywhere
      443         ALLOW       Anywhere
      22          ALLOW       Anywhere
      80 (v6)     ALLOW       Anywhere
      443 (v6)    ALLOW       Anywhere
      22 (v6)     ALLOW       Anywhere
  29. Uncomplicated FireWall $ ufw deny from 1.2.3.4 $ ufw enable

  30. Uncomplicated FireWall $ ufw status numbered $ ufw delete [number]

  31. USER ACCESS FIREWALL FAIL2BAN SECURITY UPGRADES

  32. Fail2Ban
      “Fail2Ban scans log files and bans IPs that show the malicious signs – too many password failures, seeking for exploits, etc.”

  33. Fail2Ban
      $ apt-get install -y fail2ban
      $ cd /etc/fail2ban
      $ sudo cp jail.conf jail.local

  34. Fail2Ban (/etc/fail2ban/jail.local)
      ignoreip = 127.0.0.1/8
      findtime = 600
      bantime = 600
      maxretry = 5
  35. USER ACCESS FIREWALL FAIL2BAN SECURITY UPGRADES

  36. Automatic Security Upgrades (/etc/apt/apt.conf.d/50unattended-upgrades)
      Unattended-Upgrade::Allowed-Origins {
          "${distro_id}:${distro_codename}-security";
      };

  37. Automatic Security Upgrades (/etc/apt/apt.conf.d/10periodic)
      APT::Periodic::Unattended-Upgrade "1";

  38. None
  39. Permissions – Operations
      Operation   Directories                                                                      Files
      read        `ls` or read the contents of a directory                                         Read file contents
      write       Rename or create a new file/directory within a directory, or delete a directory  Edit or delete a file
      execute     `cd` into a directory                                                            Execute a file – such as a bash command
  40. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json

  41. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json
      Permissions (-rwxrwxr-x)

  42. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json
      Permissions (-rwxrwxr-x) · User & Group (forge forge)

  43. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json
      Permissions (-rwxrwxr-x) · User & Group (forge forge) · Size (604) · Last Modified (Mar 1 20:48)

  44. $ -rwxrwxr-x 1 forge forge 604 Mar 1 20:48 bower.json
      Permissions · User & Group · Size · Last Modified
      The preceding “d” denotes this as a directory. Lacking a “d” means it’s a file.

  45. $ rwx  rwx   r-x
        User Group Other

  46. Changing Permissions

  47. $ chmod [-R] guo[+-=]rwx /some/dir

  48. $ chmod [-R] guo[+-=]rwx /some/dir
      -R = Change permissions recursively (if it is a directory)

  49. $ chmod [-R] guo[+-=]rwx /some/dir
      • u - perform operation on the user permissions
      • g - perform operation on the group permissions
      • o - perform operation on the other permissions

  50. $ chmod [-R] guo[+-=]rwx /some/dir
      • + means add permission
      • - means remove permission
      • = means set permission explicitly

  51. $ chmod [-R] guo[+-=]rwx /some/dir
      • r - add or remove read permissions
      • w - add or remove write permissions
      • x - add or remove execute permissions

  52. Changing Permissions
      $ sudo chmod ug+rwx /some/dir

  53. Changing Permissions
      $ sudo chmod ug+rwx /some/dir
      $ sudo chmod o-rwx /some/dir

  54. Changing Permissions
      $ sudo chmod ug+rwx /some/dir
      $ sudo chmod o-rwx /some/dir
      $ sudo chmod o+rx /some/dir

  55. Changing Permissions
      $ sudo chmod ug=rwx /some/dir
      $ sudo chmod o=rx /some/dir
  56. ACL

  57. ACL
      $ getfacl /some/dir
      # file: dir
      # owner: root
      # group: root
      user::rwx
      group::r-x
      other::r-x

  58. $ sudo setfacl -R -m u:peers:rwx /some/dir
      • setfacl - Set ACL
      • -R - Recursive down into files and directories
      • u:peers:rwx - The user peers will get rwx permissions
      • /some/dir - Apply to the /some/dir directory and all the sub files/dirs

  59. ACL
      $ getfacl /some/dir
      # file: dir
      # owner: root
      # group: root
      user::rwx
      user:peers:rwx
      group::r-x
      other::r-x

  60. $ sudo setfacl -R -m g:www-data:rwx /some/dir
      • setfacl - Set ACL
      • -R - Recursive down into files and directories
      • g:www-data:rwx - The group www-data will get rwx permissions
      • /some/dir - Apply to the /some/dir directory and all the sub files/dirs
  61. $ sudo setfacl -Rd -m u:peers:rwx /some/dir

  62. $ sudo setfacl -x u:peers /some/dir

  63. None
  64. Logrotate – Application Logs /etc/logrotate.d/app.com

  65. Logrotate – Application Logs (/etc/logrotate.d/app.com)
      /var/www/app.com/logs/*.log {
          su www-data www-data
          weekly
          missingok
          rotate 24
          compress
          notifempty
          create 644 www-data www-data
      }

  66. Logrotate – Other Options (/etc/logrotate.d/app.com)
      /var/www/app.com/logs/*.log {
          dateext
      }

  67. Logrotate – Other Options (/etc/logrotate.d/app.com)
      /var/www/app.com/logs/*.log {
          delaycompress
      }

  68. Logrotate – Other Options (/etc/logrotate.d/app.com)
      /var/www/app.com/logs/*.log {
          prerotate
              your-shell-script
          endscript
      }

  69. Logrotate – Other Options (/etc/logrotate.d/app.com)
      /var/www/app.com/logs/*.log {
          postrotate
              your-shell-script
          endscript
      }

  70. Logrotate – Other Options (/etc/logrotate.d/app.com)
      /var/www/app.com/logs/*.log {
          sharedscripts
      }

  71. None
  72. $ sudo apt-get install supervisor

  73. Supervisord (/etc/supervisor/conf.d/worker.conf)
      [program:queue-worker]
      command=php artisan queue:work
      directory=/var/www/app.com
      autostart=true
      autorestart=true
      user=deployer
      numprocs=8
      process_name=%(program_name)s_%(process_num)02d   ; required when numprocs > 1
      redirect_stderr=true
      stdout_logfile=/var/www/app.com/logs/worker.log

  74. Supervisord
      $ sudo supervisorctl reread
      $ sudo supervisorctl update
      $ sudo supervisorctl start queue-worker:*   ; with numprocs > 1 the group name is used
  75. Process Monitoring – Other options
      • systemd • Upstart • Circus

  76. Who am I?
      • Viraj Khatavkar • Mumbai, India • PHP Consultant & Coach • Laravel, CakePHP and VueJS development • @virajkhatavkar • [email protected]
  77. THANK YOU Questions?