Your Inner Sysadmin - LonestarPHP 2015
Your Inner Sysadmin
Chris Tankersley @dragonmantank LonestarPHP 2015
LonestarPHP 2015 1
Who Am I
• PHP Programmer for over 10 years
• Sysadmin/DevOps for around 8 years
• Using Linux for more than 15 years
• https://github.com/dragonmantank
Here Be Dragons
Traditional LAMP Stack
Our Players
And of course…
The Server
• /bin - Essential user executable files
• /boot - Stuff that makes the OS boot up!
• /dev - Special device stuff you probably won't touch
• /etc - Configuration files
• /home - User home directories
• /sbin - System binaries
• /usr - Multi-user apps and utilities
• /var - Data usually lives here
Installing Software
• Compile software from scratch
• Use the package manager (yum/apt)
Learn to love the Command Line
Learn a CLI text editor
• vi/vim
• emacs
• nano
Authentication and Authorization
SSH Keys
• SSH generally uses a Username/Password
• SSH Keys pass a public key to the server
• Can use a single key for multiple machines, or multiple keys for multiple machines
• More secure since ‘passwords’ cannot be stolen
sudo
You can give admin access to users (or groups of users) without giving them root.

    # Add sudo access to a single user to run as root
    dragonmantank ALL=(ALL) ALL

    # Add sudo access to a full group
    %admin ALL=(ALL) ALL

You can even restrict what commands the users can run

    # Restrict web developers to only restart Apache and MySQL
    %webdevs 192.168.1.0/255.255.255.0=(root) NOPASSWD:/usr/sbin/service apache2 restart, /usr/sbin/service mysql restart

Jailing Users
Keeps people from getting to things they shouldn't. Protects the users from themselves.
Jailed Shells
Gives users a full shell but not the entire file system. You can pick and choose what programs the user can have access to. Jailkit makes this incredibly easy to set up.
Jailed SFTP
Locks the user to a specific base path, but doesn’t give them a shell, much like FTP. You get the security of SSH though! It does require a system user however.
Jailing SFTP
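
    # In /etc/ssh/sshd_config
    Subsystem sftp internal-sftp

    # At the bottom of the file
    Match User jailedsftp
        # ChrootDirectory and every parent directory must be owned by root
        # and not writable by group or others, or sshd refuses the login
        ChrootDirectory /some/path
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand internal-sftp
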
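A pre-flight check for the ChrootDirectory setting above, as an added example that is not from the original slides: it applies the sshd_config(5) rule that every component of the chroot path must be a root-owned directory that is not writable by group or others. The function name `audit_chroot` and the injectable `stat_fn` parameter are assumptions made for this example; `/some/path` is the slide's placeholder.

```python
import os
import stat
from pathlib import Path


def audit_chroot(path, stat_fn=os.stat):
    """Return (component, problem) pairs for a ChrootDirectory candidate.

    Applies the rule from sshd_config(5): every component of the path must
    be a directory owned by root and not writable by group or others.
    stat_fn is injectable so the check can be exercised without root.
    """
    target = Path(path)
    if not target.is_absolute():
        raise ValueError("ChrootDirectory must be an absolute path")
    problems = []
    # Walk from / down to the target: /, /some, /some/path
    for comp in [*list(target.parents)[::-1], target]:
        try:
            st = stat_fn(comp)
        except FileNotFoundError:
            problems.append((str(comp), "missing"))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((str(comp), "not a directory"))
        if st.st_uid != 0:
            problems.append((str(comp), f"not owned by root (uid {st.st_uid})"))
        if st.st_mode & 0o022:
            problems.append((str(comp), "writable by group or other"))
    return problems


if __name__ == "__main__":
    # /some/path is the placeholder used in the slide's sshd_config
    for comp, problem in audit_chroot("/some/path"):
        print(f"{comp}: {problem}")
```

An empty result means the path satisfies the ownership and mode rule; files the jailed user should be able to upload go in a user-owned subdirectory below the chroot.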
Docker
If you do it the non-Docker way
Scripting Languages
Bash
Most servers use bash as the default shell. Most shells understand bash's syntax. If you find yourself running the same commands over and over, throw it in a bash script.
Python
Ships with most distros. Great for when you need more power than what bash has.
PHP!
Leverage your PHP skills to write shell scripts.
• Symfony Console Component
• Aura CLI
Locking Down your Code
Running Apache as a different user
MPM-ITK

    <IfModule mpm_itk_module>
        AssignUserId [user] [group]
    </IfModule>

MOD_RUID2

    RMode config
    RUidGid myuser mygroup
    RDocumentChRoot /var/www/vhosts/domain.com/ www/public

PHP-FPM

    user = myuser
    group = mygroup
    chroot = /path/to/my/chroot

Logs
Logrotate
Rotates logs out for organization (or other purposes)

    weekly
    rotate 4
    create
    include /etc/logrotate.d

    /var/log/wtmp {
        monthly
        minsize 1M
        create 0664 root utmp
        rotate 1
    }

Logwatch
Script that runs every so often and scans a bunch of logs so you get a pretty e-mail with a summary of events

    --------------------- httpd Begin ------------------------

    0.17 MB transferred in 792 responses (1xx 0, 2xx 786, 3xx 0, 4xx 6, 5xx 0)
       199 Content pages (0.09 MB),
       593 Other (0.09 MB)

    Requests with error response codes
       400 Bad Request
          /w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)
       404 Not Found
          /MyAdmin/scripts/setup.php: 1 Time(s)
          /phpmyadmin/scripts/setup.php: 1 Time(s)
          /w00tw00t.at.blackhats.romanian.anti-sec:): 1 Time(s)
          /webdav/: 2 Time(s)

    ---------------------- httpd End -------------------------

OSSEC
Actually a Host Intrusion Detection system, but it does this by watching logs. Will alert you immediately to problems, and even shut down the attacks.

    OSSEC HIDS Notification.
    2012 Oct 24 11:38:10

    Received From: maple->/var/log/auth.log
    Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
    Portion of the log(s):

    Oct 24 11:38:09 maple sshd[1062]: Failed password for invalid user alias from 199.167.138.44 port 59988 ssh2
    Oct 24 11:38:07 maple sshd[1062]: Invalid user alias from 199.167.138.44
    Oct 24 11:38:06 maple sshd[1059]: Failed password for invalid user recruit from 199.167.138.44 port 59884 ssh2

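The kind of log correlation behind an alert like the one above, as an added example that is not OSSEC's own rule logic and not from the original slides: it counts failed sshd password attempts per source address inside a sliding time window. The threshold of 3 failures in 60 seconds, the function name `detect_bruteforce` and the extra sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: the 11:38:06, 11:38:07 and 11:38:09 lines are the ones
# quoted in the alert above; the other lines are made up for this example.
SAMPLE_AUTH_LOG = """\
Oct 24 11:38:01 maple sshd[1050]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
Oct 24 11:38:03 maple sshd[1055]: Failed password for invalid user admin from 199.167.138.44 port 59800 ssh2
Oct 24 11:38:06 maple sshd[1059]: Failed password for invalid user recruit from 199.167.138.44 port 59884 ssh2
Oct 24 11:38:07 maple sshd[1062]: Invalid user alias from 199.167.138.44
Oct 24 11:38:09 maple sshd[1062]: Failed password for invalid user alias from 199.167.138.44 port 59988 ssh2
Oct 24 11:40:00 maple sshd[1070]: Failed password for deploy from 192.0.2.10 port 50100 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(log_text, threshold=3, window=timedelta(seconds=60), year=2012):
    """Return {ip: details} for sources with >= threshold failures inside window."""
    # Lines are assumed chronological; syslog stamps carry no year, so one is supplied.
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    users = defaultdict(set)      # ip -> usernames tried
    alerts = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, times = m["ip"], recent[m["ip"]]
        users[ip].add(m["user"])
        times.append(when)
        while when - times[0] > window:
            times.popleft()       # drop failures that fell out of the window
        if len(times) >= threshold and ip not in alerts:
            alerts[ip] = {"first_alert": when, "attempts": len(times)}
    for ip, alert in alerts.items():
        alert["users"] = sorted(users[ip])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, alert["attempts"], "failures; users tried:", ", ".join(alert["users"]))
```

The single failed login from 192.0.2.10 stays below the threshold, which is the point of windowed counting: one mistyped password does not raise an alert.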
Preventing Intruders
hosts.deny and hosts.allow
Set of files to allow or deny access to the machine or certain apps/ports on the machine
IPTables
A firewall that is generally available on Linux machines that can be configured many different ways to allow or block or mangle traffic
OSSEC
IDS that watches logs and will use hosts.deny and iptables to block stuff automatically for you!
Configuration Management
What is Configuration Management?
Process by which you figure out what goes on your servers and how you want them set up, and keep track of that information. Files are usually stored in source control on one server and pushed to clients.
Why do you need it?
• Ever needed to keep track of when files get changed?
• Ever needed to roll back a change?
• Ever needed to push the same change to a bunch of servers?
• Ever needed to set up a server exactly the same way as another server?
General CM Workflow
Write a Manifest file
Client checks and compiles the manifests
Client makes changes based on manifests
Ansible
• https://serversforhackers.com/getting-started-with-ansible/
Puppet
• http://www.erikaheidi.com/page/vagrant
Server Monitoring
Quick Poll
• Who here knows that their server is up right now?
• Are all of the required services running?
• Are there enough resources currently available?
Service Monitoring with Monit
Host Monitoring with Icinga
Software Tools
tmux/screen
Command line multiplexer
tail
Look at the newest entries in a log, or even watch log files as they are generated
curl
Command line program for transferring data via a URL
iftop
Displays a breakdown of bandwidth usage by host
htop
Slightly better interface for checking memory and CPU usage
tcpdump
Allows you to view and record data transmitted over the network. Couple this with wireshark and you can inspect the packets!
Servers for Hackers
Chris Fidao @fideloper http://serversforhackers.com
Questions?
Thank You!
http://ctankersley.com [email protected]
@dragonmantank
https://joind.in/13537