Your Inner Sysadmin - MidwestPHP 2015

Your Inner Sysadmin
Chris Tankersley
@dragonmantank
MidwestPHP 2015
Who Am I
• PHP Programmer for over 10 years
• Sysadmin/DevOps for around 8 years
• Using Linux for more than 15 years
• https://github.com/dragonmantank
Here Be Dragons
Traditional LAMP Stack
Our Players
And of course…
The Server
• /bin - Essential user executable files
• /boot - Stuff that makes the OS boot up!
• /dev - Special device stuff you probably won't touch
• /etc - Configuration files
• /home - User home directories
• /sbin - System binaries
• /usr - Multi-user apps and utilities
• /var - Data usually lives here
Installing Software
• Compile software from scratch
• Use the package manager (yum/apt)
Learn to love the Command Line
Learn a CLI text editor
• vi/vim
• emacs
• nano
Authentication and Authorization
sudo
You can give admin access to users (or groups of users) without giving them root.
# Give a single user full sudo access (any command, as any user)
dragonmantank ALL=(ALL) ALL
# Give a whole group full sudo access
%admin ALL=(ALL) ALL
You can even restrict which commands the users can run.
# Restrict web developers to only restart Apache and MySQL
%webdevs 192.168.1.0/255.255.255.0=(root) NOPASSWD: /usr/sbin/service apache2 restart, /usr/sbin/service mysql restart
Jailing Users
Keeps people from getting to things they shouldn't.
Protects the users from themselves.
Jailed Shells
Gives users a full shell but not the entire file system. You can pick and choose what programs the user can have access to. Jailkit makes this incredibly easy to set up.
Jailed SFTP
Locks the user to a specific base path, but doesn’t give them a shell, much like FTP. You get the security of SSH though! It does require a system user, however.
Jailing SFTP
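# In /etc/ssh/sshd_config
Subsystem sftp internal-sftp
# At the bottom of the file
Match User jailedsftp
    # ChrootDirectory and every parent directory must be owned by root
    # and not writable by group or others, or sshd refuses the login
    ChrootDirectory /some/path
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp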
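A pre-flight check for the ChrootDirectory used in the jail above, added here as an example (it is not from the slides). sshd requires every component of that path to be a root-owned directory that is not writable by group or others; the function names are hypothetical, and /some/path is the placeholder path from the slide.

```python
import os
import stat

def component_problems(path, mode, uid, owner_uid=0):
    """Problems for one path component, given its st_mode and st_uid."""
    problems = []
    if not stat.S_ISDIR(mode):
        problems.append(f"{path}: not a directory")
    if uid != owner_uid:
        problems.append(f"{path}: owned by uid {uid}, expected {owner_uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: writable by group or others ({stat.filemode(mode)})")
    return problems

def chroot_path_problems(path, owner_uid=0):
    """Check every component from / down to `path`, per sshd_config(5)."""
    current = os.sep
    components = [current]
    for part in os.path.abspath(path).split(os.sep):
        if part:
            current = os.path.join(current, part)
            components.append(current)
    problems = []
    for comp in components:
        st = os.stat(comp)  # follows symlinks, so the real target is judged
        problems.extend(component_problems(comp, st.st_mode, st.st_uid, owner_uid))
    return problems

if __name__ == "__main__":
    import sys
    # Default is the placeholder path from the slide; pass the real one as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/some/path"
    try:
        issues = chroot_path_problems(target)
    except FileNotFoundError as exc:
        issues = [f"{exc.filename}: does not exist"]
    for issue in issues:
        print("FAIL", issue)
    print("OK" if not issues else f"{len(issues)} problem(s)")
```

Because the jail root itself cannot be writable by the jailed user, uploads normally go into a user-owned subdirectory beneath it.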
Docker
If you do it the non-Docker way
Scripting Languages
Bash
Most servers use bash as the default shell. Most shells understand bash's syntax. If you find yourself running the same commands over and over, throw them in a bash script.
Python
Ships with most distros. Great for when you need more power than what bash has.
PHP!
Leverage your PHP skills to write shell scripts.
• Symfony Console Component
• Aura CLI
Locking Down your Code
Running Apache as a different user
MPM-ITK
<IfModule mpm_itk_module>
    AssignUserId [user] [user]
</IfModule>
MOD_RUID2
RMode config
RUidGid myuser mygroup
RDocumentChRoot /var/www/vhosts/domain.com/ www/public
PHP-FPM
user = myuser
group = mygroup
chroot = /path/to/my/chroot
Logs
Logrotate
Rotates logs out for organization (or other purposes)
weekly
rotate 4
create
include /etc/logrotate.d
/var/log/wtmp {
    monthly
    minsize 1M
    create 0664 root utmp
    rotate 1
}
Logwatch
Script that runs every so often and scans a bunch of logs so you get a pretty e-mail with a summary of events
--------------------- httpd Begin ------------------------
0.17 MB transferred in 792 responses (1xx 0, 2xx 786, 3xx 0, 4xx 6, 5xx 0)
199 Content pages (0.09 MB),
593 Other (0.09 MB)
Requests with error response codes
400 Bad Request
/w00tw00t.at.ISC.SANS.DFind:): 1 Time(s)
404 Not Found
/MyAdmin/scripts/setup.php: 1 Time(s)
/phpmyadmin/scripts/setup.php: 1 Time(s)
/w00tw00t.at.blackhats.romanian.anti-sec:): 1 Time(s)
/webdav/: 2 Time(s)
---------------------- httpd End -------------------------
OSSEC
Actually a Host Intrusion Detection system, but it does this by watching logs. Will alert you immediately to problems, and even shut down the attacks.
OSSEC HIDS Notification.
2012 Oct 24 11:38:10
Received From: maple->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):
Oct 24 11:38:09 maple sshd[1062]: Failed password for invalid user alias from 199.167.138.44 port 59988 ssh2
Oct 24 11:38:07 maple sshd[1062]: Invalid user alias from 199.167.138.44
Oct 24 11:38:06 maple sshd[1059]: Failed password for invalid user recruit from 199.167.138.44 port 59884 ssh2
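The kind of log-watching behind an alert like the one above, as an added example (not OSSEC's own code and not from the slides): it counts failed or invalid-user sshd lines per source address inside a sliding time window. The threshold of 3 events in 120 seconds and the function name are assumptions chosen for this sample, not OSSEC's rule settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The first three lines come from the alert above; the last two are constructed.
SAMPLE = """\
Oct 24 11:38:09 maple sshd[1062]: Failed password for invalid user alias from 199.167.138.44 port 59988 ssh2
Oct 24 11:38:07 maple sshd[1062]: Invalid user alias from 199.167.138.44
Oct 24 11:38:06 maple sshd[1059]: Failed password for invalid user recruit from 199.167.138.44 port 59884 ssh2
Oct 24 11:40:15 maple sshd[1070]: Failed password for chris from 192.0.2.10 port 40022 ssh2
Oct 24 11:40:21 maple sshd[1070]: Accepted password for chris from 192.0.2.10 port 40022 ssh2
""".splitlines()

# Timestamp, host, sshd[pid], then a failed or invalid-user login and its source.
EVENT = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (\S+)"
)

def brute_force_sources(lines, threshold=3, window_s=120, year=2012):
    """Return {source_ip: time at which it reached `threshold` events in the window}."""
    events = []
    for line in lines:
        m = EVENT.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies one
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((when, m.group(2)))
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    flagged = {}
    for when, ip in sorted(events):  # log excerpts may be newest-first
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, when)
    return flagged

if __name__ == "__main__":
    for ip, when in brute_force_sources(SAMPLE).items():
        print(f"{when:%b %d %H:%M:%S} {ip}: repeated failed SSH logins")
```

A single mistyped password from 192.0.2.10 stays below the threshold, which is the point of counting per source inside a window instead of alerting on every failure.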
Preventing Intruders
hosts.deny and hosts.allow
Set of files to allow or deny access to the machine or certain apps/ports on the machine
IPTables
A firewall that is generally available on Linux machines that can be configured many different ways to allow or block or mangle traffic
OSSEC
IDS that watches logs and will use hosts.deny and iptables to block stuff automatically for you!
Configuration Management
What is Configuration Management?
The process by which you figure out what goes on your servers and how you want them set up, and keep track of that information. Files are usually stored in source control on one server and pushed to clients.
Why do you need it?
• Ever needed to keep track of when files get changed?
• Ever needed to roll back a change?
• Ever needed to push the same change to a bunch of servers?
• Ever needed to set up a server exactly the same way as another server?
General CM Workflow
Write a Manifest file
Client checks and compiles the manifests
Client makes changes based on manifests
Ansible
• https://serversforhackers.com/getting-started-with-ansible/
Puppet
• http://www.erikaheidi.com/page/vagrant
Server Monitoring
Quick Poll
• Who here knows that their server is up right now?
• Are all of the required services running?
• Are there enough resources currently available?
Service Monitoring with Monit
Host Monitoring with Icinga
Software Tools
tmux/screen
Command line multiplexer
tail
Look at the newest entries in a log, or even watch log files as they are generated
curl
Command line program for transferring data via a URL
iftop
Displays a breakdown of bandwidth usage by host
htop
Slightly better interface for checking memory and CPU usage
tcpdump
Allows you to view and record data transmitted over the network. Couple this with Wireshark and you can inspect the packets!
Servers for Hackers
Chris Fidao
@fideloper
http://serversforhackers.com
Questions?
Thank You!
http://ctankersley.com
chris@ctankersley.com
@dragonmantank
https://joind.in/13069