
Administration through the eyes of a C++ programmer

We continue the series of Friday articles "X through the eyes of a C++ programmer" (1, $$). This time, under the cut, you will find the impressions of an inveterate C++ programmer from the world of administration. Pain, suffering, joy and the other emotions are, as always, hidden under spoilers.

I hope professional administrators will find it interesting to watch the attempts of a C++ guy, and C++ developers will learn something new for themselves.

Hosting


After engaging my brain and a calculator, it turned out that it is much cheaper and simpler to buy hosting from one of the hosting providers. If you deploy the server "at home", you have to spend money on a UPS, a static external IP, the machine itself and other trifles like electricity.
... So what? Is there no old machine lying around?
The acquaintances the project was being made for flatly refused to keep a noisy Pentium 4 running in their house around the clock. And the argument "all the serious guys did it this way" did not work.


Buying hosting turned out to be easy, and it turned out that hosting abroad is twice as cheap as domestic. After weighing all the pros and cons, Ubuntu 14.04 was chosen as the OS.
... and what were those "pros" and "cons"?
The decision was made on the basis of the following numerous factors:
  • I like Ubuntu

This approach to choosing an operating system (and a development language) is popular; I had always wanted to try the technique.


After buying the hosting and picking the OS from a drop-down list, server setup over SSH began.
... and how does it feel?
How many times in your life have the batteries in the TV remote died, or the remote gone missing?

Now imagine that in this case you cannot get up and switch the channel on the old Soviet TV set by hand, just as your least favourite show is starting.

So, with a remote server, the stress from "losing the console" is far stronger.


Bash Vulnerability and SSH


It was my luck that the start of my admin practice did not fall in the period when a heap of critical vulnerabilities was being found in bash. Still, under the general impression they made, I decided to minimise the use of the shell in all services, starting with SSH. The welcome message at login (message of the day) was among the casualties. In SSH I also turned off X forwarding and PAM, forbade root login, changed the default port, allowed authentication only with asymmetric keys, plus a few small things.
... we know your kind, no fun without pretty windows?
Yes, fine. I am more upset about losing the message of the day; it is so informative. I even made a script so that I can call it from the console.
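The sshd settings listed above can be checked mechanically. The script below is an added example, not the author's script: it reads an sshd_config the way sshd does (comments skipped, keyword matched case-insensitively, the first occurrence of a keyword wins, Match blocks ignored) and reports every hardening item that is not explicitly set. Because distributions ship different defaults for unset keywords, the audit insists on explicit values. The two sample configs and the port 2222 are constructed for the demo; the article only says the port was changed.

```shell
#!/bin/sh
# Added example, not the article's own script: audit an sshd_config for the
# hardening the author describes (no X11 forwarding, no PAM, no root login,
# non-default port, key-only authentication). Sample configs are constructed.

# Effective value of a keyword: comments skipped, keyword matched
# case-insensitively, first occurrence wins (as in sshd). Prints "" if unset.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key && !seen { val = $2; seen = 1 }
        END { print val }
    ' "$1"
}

# One hardening item: print a FAIL line and return 1 if the value differs.
expect_value() {
    actual=$(sshd_value "$1" "$2")
    if [ "$actual" != "$3" ]; then
        echo "FAIL: $2 is '${actual:-unset}', want '$3'"
        return 1
    fi
    return 0
}

# Run every check; return 0 only when all pass (failures are printed, not hidden).
audit_sshd_config() {
    cfg="$1"
    rc=0
    expect_value "$cfg" X11Forwarding no          || rc=1
    expect_value "$cfg" UsePAM no                 || rc=1
    expect_value "$cfg" PermitRootLogin no        || rc=1
    expect_value "$cfg" PasswordAuthentication no || rc=1
    expect_value "$cfg" PubkeyAuthentication yes  || rc=1
    # The article only says "not the default port", so any port but 22 passes.
    port=$(sshd_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL: Port is '${port:-unset}', want a non-default port"
        rc=1
    fi
    return $rc
}

# Constructed samples: a distribution-style config and one matching the article.
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
UsePAM yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
UsePAM no
EOF
}

# On a live host (as root): audit_sshd_config /etc/ssh/sshd_config
```

On a real host `sshd -T` prints the effective configuration with defaults and Match blocks resolved, which is the authoritative view; the audit above is a cheap pre-commit check on the file itself. Note that switching `UsePAM` off also disables PAM's account and session handling, so the item reflects the author's choice rather than general advice.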


Along the way I discovered
ssh -L _:localhost:5432 me@top-me.org -N 

A great thing for database administration and other trifles: nothing changes on the remote machine, yet the remote machine's localhost ports become reachable as ports on your own machine (the `_` stands for the local port to bind).
... what is the trick?
It fit my needs so well that on Friday my friends and I drank to the health of "ssh -L"!


Another nice feature turned out to be that `tail` can take several input files and show them in the console at the same time.
... what is cool about that?
We do:
 tail -f /var/log/kern.log /var/log/auth.log /var/log/nginx/error.log /var/log/nginx/access.log 


Now all the logs are shown in one console in real time:
 ==> /var/log/kern.log <==
 Mar 16 10:49:39 rating kernel: [2226306.618927] --- top-me.org: possible port scan--- IN=eth0 OUT= MAC=04:01:2a:64:3c:01:28:8a:1c:64:cb:f0:08:00 SRC=184.105.247.244 DST=80.240.141.163 LEN=30 TOS=0x00 PREC=0x00 TTL=56 ID=39877 DF PROTO=UDP SPT=48784 DPT=5351 LEN=10
 Mar 16 10:53:57 rating kernel: [2226564.521544] --- top-me.org: possible port scan--- IN=eth0 OUT= MAC=04:01:2a:64:3c:01:28:8a:1c:64:cf:f0:08:00 SRC=207.30.132.123 DST=80.240.141.163 LEN=72 TOS=0x08 PREC=0x00 TTL=42 ID=3852 DF PROTO=UDP SPT=53 DPT=11653 LEN=52
 ==> /var/log/auth.log <==
 Mar 16 11:01:17 rating sshd[31323]: Accepted publickey for ANONYMOUS from 66.66.66.66 port 66 ssh2: RSA
 ==> /var/log/nginx/error.log <==
 PHP message: redirecting to http://top-me.org/" while reading response header from upstream...
 ==> /var/log/nginx/access.log <==
 66.66.21.66 - - [04/Mar/2015:12:29:25 +0300] "GET /land_job HTTP/1.1" 200 2601 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0" "-"


Beautiful :)


Iptables


All of my few admin acquaintances set up firewalls. At first I did not expect much PROFIT from it, but I followed the tradition. From the first manuals it seemed that iptables is a monster that cannot be understood. However, after a short while the tool revealed its secrets:


Iptables is a smart thing!
... and why are these emotions not under a spoiler?
All the emotions do not fit under a spoiler. Iptables is so gorgeous, brilliantly gorgeous, that some poems deserve to be dedicated not to women but to this tool!


Well, for those who want to check the ban in iptables:
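The article's own firewall script is not shown, so here is an added example of what a minimal default-deny INPUT ruleset for such a box looks like, in iptables-restore format. It is not the author's configuration. Assumptions: SSH was moved to port 2222 (the article says the port was changed, not to what), the server publishes HTTP and HTTPS, and everything else is logged with a rate limit and then dropped by the chain policy. The log prefix is kept short because iptables limits `--log-prefix` to 29 characters, while still containing "possible port scan" so the kern.log lines remain greppable.

```shell
#!/bin/sh
# Added example, not the article's script: a minimal default-deny INPUT ruleset
# in iptables-restore format. Port 2222 is an assumption for the moved SSH port.

# Print the ruleset; $1 = SSH port (default 2222).
baseline_rules() {
    ssh_port="${1:-2222}"
    # --log-prefix allows at most 29 characters; this one is 20.
    prefix="possible port scan: "
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping, but not a flood
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# published services; new SSH connections are rate-limited per the limit match
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -m limit --limit 6/minute --limit-burst 6 -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# everything else: log (rate-limited so kern.log is not flooded), then the DROP policy applies
-A INPUT -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "${prefix}" --log-level warning
COMMIT
EOF
}

# Number of INPUT rules in the generated set (a quick sanity check).
input_rule_count() {
    baseline_rules "$@" | grep -c '^-A INPUT'
}

# Live use (as root): parse-only first, then load. Keep a second SSH session
# open while doing this so a mistake cannot lock you out.
apply_rules() {
    tmp=$(mktemp) || return 1
    baseline_rules "$@" > "$tmp" &&
    iptables-restore --test < "$tmp" &&
    iptables-restore < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

The `--log-level warning` messages land in /var/log/kern.log, which is exactly where the article's tail session picks them up. On Ubuntu 14.04 the loaded rules do not survive a reboot by themselves; the iptables-persistent package stores them in /etc/iptables/rules.v4 and restores them at boot.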


Nginx


There is a huge number of nginx configuration manuals, many of them in Russian. Unfortunately, that is a problem: some of the articles are written by people who have met nginx only in theory.

Examples of bad advice:


In nginx everything is logical and reasonable. However, all advice from articles should be checked against the official documentation. And even that does not guarantee 100% that it will work.
... what did you like about nginx?
I especially liked the solution with `include fastcgi_params`: I wrote it in, and all the FastCGI settings were set by default for the location; whatever does not suit can be overridden lower in the config.


Tightening the screws


I think many have seen a web server that, by mistake, serves a file with PHP source code. I wanted to protect myself from such configuration errors, so I configured nginx and the PHP interpreter to run under different users. A script was written that sets the rights on files and directories so that nginx has no access to the PHP directories, and PHP has no access to the static resources.
... and whom do you want to surprise with this trivial thing?
Those whose servers sometimes serve PHP files.
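The author's permission script is not shown, so the script below is an added example of the same idea, not the article's code. It assumes a layout that is not from the article: `$SITE/public` holds static files served by nginx, `$SITE/app` holds PHP code executed by php-fpm, nginx runs as `www-data` and php-fpm as `php-app`. Each tree is made private to its own user (directories 0700, files 0600), so a misrouted request cannot make nginx read PHP source, and a PHP bug cannot read the static tree. A second function is the regression check: nothing under either tree may be world-readable.

```shell
#!/bin/sh
# Added example, not the article's script: give the web server and the PHP
# interpreter disjoint filesystem rights. Layout and user names are assumptions.
#   $SITE/public  static files, owned by the nginx user
#   $SITE/app     PHP code, owned by the php-fpm user

NGINX_USER="${NGINX_USER:-www-data}"
PHP_USER="${PHP_USER:-php-app}"

# Set modes on both trees; change ownership when running as root and both
# users exist (otherwise only the modes are applied and a note is printed).
lock_down() {
    site="$1"
    [ -d "$site/public" ] && [ -d "$site/app" ] || return 2
    chmod 0755 "$site"                       # root must be traversable by both users
    find "$site/public" -type d -exec chmod 0700 {} +
    find "$site/public" -type f -exec chmod 0600 {} +
    find "$site/app" -type d -exec chmod 0700 {} +
    find "$site/app" -type f -exec chmod 0600 {} +
    if [ "$(id -u)" -eq 0 ] && id "$NGINX_USER" >/dev/null 2>&1 && id "$PHP_USER" >/dev/null 2>&1; then
        chown -R "$NGINX_USER:$NGINX_USER" "$site/public"
        chown -R "$PHP_USER:$PHP_USER" "$site/app"
    else
        echo "modes set; chown skipped (needs root and both users to exist)" >&2
    fi
}

# Return 0 when no file or directory under either tree is readable by "other".
check_no_world_readable() {
    site="$1"
    leaks=$(find "$site/public" "$site/app" -perm -004 | wc -l | tr -d ' ')
    [ "$leaks" -eq 0 ]
}

# Octal mode of a path (GNU stat), for spot checks.
mode_of() {
    stat -c %a "$1"
}

# Usage: lock_down /srv/site && check_no_world_readable /srv/site
```

One consequence worth knowing: because nginx cannot stat anything under `app`, the PHP location must not use `try_files` against that tree; pass `SCRIPT_FILENAME` through `fastcgi_params` and let php-fpm report a missing script itself. Rerun `check_no_world_readable` after every deploy, since a file copied in with default umask silently reopens the hole.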


Elusive Joe

There is a question that has tormented me for a long time.

Suppose I have somehow protected myself from network access and made a hacker's life difficult. But what prevents the hoster from looking at my files and data? Yes, it sounds like the joke about Elusive Joe, whom nobody catches because nobody needs him, but still...
... and do you have something to hide?
No, and that is none of your business.
TOR project


The question stands; maybe someone knows the answer to it?


Results


I recommend everyone to try server administration. It is a great chance to make new friends among tools, discover something new in old ones, and think about questions that had never occurred to you before.

A bonus for developers is a large number of examples of how configs should look in programs, and useful ideas for configs in their own projects.

Source: https://habr.com/ru/post/252675/

