Your Inner Sysadmin - LonestarPHP 2015


One thing that most programmers do not take the time to understand is the servers that their application lives on. Most know a smattering of Apache configs, PHP configs, and basic information about the OS. This talk will deal with looking at tools that can help you quickly set up a server and how it can help you be a better developer. We'll look at tools like puppet for server management, OSSEC for log management, different command line tools, and nagios/monit for system monitoring.


  1. Your Inner Sysadmin
     Chris Tankersley
     @dragonmantank
     LonestarPHP 2015
  2. Who Am I
     • PHP Programmer for over 10 years
     • Sysadmin/DevOps for around 8 years
     • Using Linux for more than 15 years
     • https://github.com/dragonmantank
  3. Here Be Dragons
  4. Traditional Lamp Stack
  5. Our Players
  6. And of course…
  7. The Server
     • /bin - Essential user executable files
     • /boot - Stuff that makes the OS boot up!
     • /dev - Special device stuff you probably won't touch
     • /etc - Configuration files
     • /home - User home directories
     • /sbin - System binaries
     • /usr - Multi-user apps and utilities
     • /var - Data usually lives here
  8. Installing Software
     • Compile software from scratch
     • Use the package manager (yum/apt)
  9. Learn to love the Command Line
  10. Learn a CLI text editor
      • vi/vim
      • emacs
      • nano
  11. Authentication and Authorization
  12. SSH Keys
      • SSH generally uses a Username/Password
      • SSH Keys pass a public key to the server
      • Can use a single key for multiple machines, or multiple keys for multiple machines
      • More secure since ‘passwords’ cannot be stolen
  13. sudo
      You can give admin access to users (or groups of users) without giving them root.

      ```
      # Add sudo access to a single user to run as root
      dragonmantank ALL=(ALL) ALL

      # Add sudo access to a full group
      %admin ALL=(ALL) ALL
      ```

      You can even restrict what commands the users can run

      ```
      # Restrict web developers to only restart Apache and MySQL
      %webdevs 192.168.1.0/255.255.255.0=(root) NOPASSWD:/usr/sbin/service apache2 restart, /usr/sbin/service mysql restart
      ```
  14. Jailing Users
      Keeps people from getting to things they shouldn't. Protects the users from themselves.
  15. Jailed Shells
      Gives users a full shell but not the entire file system. You can pick and choose what programs the user can have access to. Jailkit makes this incredibly easy to set up.
  16. Jailed SFTP
      Locks the user to a specific base path, but doesn’t give them a shell, much like FTP. You get the security of SSH though! It does require a system user however.
  17. Jailing SFTP

      ```
      # In /etc/ssh/sshd_config
      Subsystem sftp internal-sftp

      # At the bottom of the file
      Match User jailedsftp
          ChrootDirectory /some/path
          AllowTcpForwarding no
          X11Forwarding no
          ForceCommand internal-sftp
      ```
  18. Docker
      If you do it the non-Docker way
  19. Scripting Languages
  20. Bash
      Most servers use bash as the default shell. Most shells understand bash's syntax. If you find yourself running the same commands over and over, throw it in a bash script.
  21. Python
      Ships with most distros. Great for when you need more power than what bash has.
  22. PHP!
      Leverage your PHP skills to write shell scripts.
      • Symfony Console Component
      • Aura CLI
  23. Locking Down your Code
  24. Running Apache as a different user
      MPM-ITK

      ```
      <IfModule mpm_itk_module>
          AssignUserId [user] [group]
      </IfModule>
      ```

      MOD_RUID2

      ```
      RMode config
      RUidGid myuser mygroup
      RDocumentChRoot /var/www/vhosts/domain.com/ www/public
      ```
  25. PHP-FPM

      ```
      user = myuser
      group = mygroup
      chroot = /path/to/my/chroot
      ```
  26. Logs
  27. Logrotate
      Rotates logs out for organization (or other purposes)

      ```
      weekly
      rotate 4
      create
      include /etc/logrotate.d
      /var/log/wtmp {
          monthly
          minsize 1M
          create 0664 root utmp
          rotate 1
      }
      ```
  28. Logwatch
      Script that runs every so often and scans a bunch of logs so you get a pretty e-mail with a summary of events

      ```
      --------------------- httpd Begin ------------------------
       0.17 MB transferred in 792 responses (1xx 0, 2xx 786, 3xx 0, 4xx 6, 5xx 0)
          199 Content pages (0.09 MB),
          593 Other (0.09 MB)

       Requests with error response codes
          400 Bad Request
             /w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)
          404 Not Found
             /MyAdmin/scripts/setup.php: 1 Time(s)
             /phpmyadmin/scripts/setup.php: 1 Time(s)
             /w00tw00t.at.blackhats.romanian.anti-sec:): 1 Time(s)
             /webdav/: 2 Time(s)

      ---------------------- httpd End -------------------------
      ```
  29. OSSEC
      Actually a Host Intrusion Detection system, but it does this by watching logs. Will alert you immediately to problems, and even shut down the attacks.

      ```
      OSSEC HIDS Notification.
      2012 Oct 24 11:38:10

      Received From: maple->/var/log/auth.log
      Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
      Portion of the log(s):

      Oct 24 11:38:09 maple sshd[1062]: Failed password for invalid user alias from 199.167.138.44 port 59988 ssh2
      Oct 24 11:38:07 maple sshd[1062]: Invalid user alias from 199.167.138.44
      Oct 24 11:38:06 maple sshd[1059]: Failed password for invalid user recruit from 199.167.138.44 port 59884 ssh2
      ```
  30. Preventing Intruders
  31. hosts.deny and hosts.allow
      Set of files to allow or deny access to the machine or certain apps/ports on the machine
  32. IPTables
      A firewall that is generally available on Linux machines that can be configured many different ways to allow or block or mangle traffic
  33. OSSEC
      IDS that watches logs and will use hosts.deny and iptables to block stuff automatically for you!
  34. Configuration Management
  35. What is Configuration Management?
      Process by which you figure out what goes on your servers, how you want them set up, and keeping track of that information. Files are usually stored in source control on one server and pushed to clients.
  36. Why do you need it?
      • Ever needed to keep track of when files get changed?
      • Ever needed to roll back a change?
      • Ever needed to push the same change to a bunch of servers?
      • Ever needed to set up a server exactly the same way as another server?
  37. General CM Workflow
      Write a Manifest file
      Client checks and compiles the manifests
      Client makes changes based on manifests
  38. Ansible
      • https://serversforhackers.com/getting-started-with-ansible/
  39. Puppet
      • http://www.erikaheidi.com/page/vagrant
  40. Server Monitoring
  41. Quick Poll
      • Who here knows that their server is up right now?
      • Are all of the required services running?
      • Are there enough resources currently available?
  42. Service Monitoring with Monit
  43. Host Monitoring with Icinga
  44. Software Tools
  45. tmux/screen
      Command line multiplexer
  46. tail
      Look at the newest entries in a log, or even watch log files as they are generated
  47. curl
      Command line program for transferring data via a URL
  48. iftop
      Displays a breakdown of bandwidth usage by host
  49. htop
      Slightly better interface for checking memory and CPU usage
  50. tcpdump
      Allows you to view and record data transmitted over the network. Couple this with wireshark and you can inspect the packets!
  51. Servers for Hackers
      Chris Fidao
      @fideloper
      http://serversforhackers.com
  52. Questions?
  53. Thank You!
      http://ctankersley.com
      chris@ctankersley.com
      @dragonmantank
      https://joind.in/13537
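
For the Jailing SFTP slide (17): sshd refuses a `ChrootDirectory` unless every component of the path is a root-owned directory that no other user or group can write to, which is the most common reason a jailed account cannot log in. The check below is an added example, not code from the talk; the `/srv/sftp/jailedsftp` layout, uid 1001 and the `SAMPLE_STATS` table are constructed for illustration.

```python
import os
import stat
from types import SimpleNamespace

def chroot_problems(path, stat_fn=os.stat):
    """Return the reasons sshd would refuse `path` as a ChrootDirectory.

    Per sshd_config(5), every component of the path must be a root-owned
    directory that is not writable by any other user or group.
    """
    components, current = [os.sep], os.sep
    for part in os.path.abspath(path).split(os.sep):
        if part:
            current = os.path.join(current, part)
            components.append(current)
    problems = []
    for comp in components:
        try:
            info = stat_fn(comp)
        except OSError as exc:
            problems.append(f"{comp}: cannot stat ({exc.strerror})")
            break
        if not stat.S_ISDIR(info.st_mode):
            problems.append(f"{comp}: not a directory")
        if info.st_uid != 0:
            problems.append(f"{comp}: owned by uid {info.st_uid}, not root")
        if info.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{comp}: writable by group or others "
                            f"({stat.filemode(info.st_mode)})")
    return problems

# Constructed stat results for a hypothetical layout, so the check can be
# exercised without root: a group-writable parent and a jail directory
# owned by the SFTP user are the two usual mistakes.
SAMPLE_STATS = {
    "/": SimpleNamespace(st_mode=0o040755, st_uid=0),
    "/srv": SimpleNamespace(st_mode=0o040755, st_uid=0),
    "/srv/sftp": SimpleNamespace(st_mode=0o040775, st_uid=0),
    "/srv/sftp/jailedsftp": SimpleNamespace(st_mode=0o040755, st_uid=1001),
}

if __name__ == "__main__":
    for line in chroot_problems("/srv/sftp/jailedsftp", SAMPLE_STATS.__getitem__):
        print(line)
```

On a real host, call `chroot_problems("/some/path")` with the default `os.stat`. The usual fix is a root-owned, mode 0755 jail with a user-owned subdirectory inside it for uploads.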
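
For the OSSEC slides (29 and 33): a simplified version of the correlation behind the "SSHD brute force" alert, counting failed sshd attempts per source address inside a time window and rendering the result as `hosts.deny` entries. This is an added example, not OSSEC's rule engine or code from the talk; the threshold, window and the last two sample log lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd messages that record a failed attempt, with the source address.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+)"
    r"\sfrom\s(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)

def brute_force_sources(lines, threshold=3, window=timedelta(seconds=60), year=2012):
    """Map each source IP to its peak number of failures inside `window`,
    keeping only sources that reach `threshold`. Syslog omits the year."""
    events = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append(stamp)
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = peak = 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def hosts_deny_lines(flagged):
    """Render flagged sources as hosts.deny entries for the sshd service."""
    return [f"sshd: {ip}" for ip in sorted(flagged)]

# The first three lines are the ones quoted in the OSSEC alert on slide 29;
# the last two are constructed to show a source that stays under threshold.
SAMPLE_LOG = [
    "Oct 24 11:38:06 maple sshd[1059]: Failed password for invalid user recruit from 199.167.138.44 port 59884 ssh2",
    "Oct 24 11:38:07 maple sshd[1062]: Invalid user alias from 199.167.138.44",
    "Oct 24 11:38:09 maple sshd[1062]: Failed password for invalid user alias from 199.167.138.44 port 59988 ssh2",
    "Oct 24 11:40:12 maple sshd[1101]: Failed password for deploy from 198.51.100.7 port 40022 ssh2",
    "Oct 24 11:40:20 maple sshd[1101]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2",
]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(brute_force_sources(SAMPLE_LOG))))
```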
