Administration through the eyes of a C++ programmer

    We continue the Friday series of articles "X through the eyes of a C++ programmer" (1, $$). This time, under the cut, awaits the experience of an avid C++ programmer in the world of administration. Pain, suffering, joys and other emotions are, as always, hidden under the spoilers.

    I hope professional administrators will find it interesting to look at the attempts of a C++ guy, and C++ developers will learn something new for themselves.


    After racking my brain and a calculator, it turned out to be much cheaper and easier to buy hosting from one of the hosting providers. If you deploy the server at home, you have to spend money on a UPS, a static external IP, the machine itself and other little things, such as electricity.
    ... So what? Is there really no old machine lying around?
    The acquaintances for whom the project was being made flatly refused to keep a noisy Pentium4 running in their house around the clock. And the argument "all the serious guys did it this way" didn't fly.

    Buying hosting turned out to be easy, and foreign providers turned out to be twice as cheap as ours. After weighing the pros and cons, Ubuntu 14.04 was chosen.
    ... and what are the pros and cons?
    The choice was made based on the following numerous factors:
    • I like Ubuntu

    This approach to choosing an OS (and a development language) is popular; I had always wanted to try this technique.

    After purchasing the hosting and choosing an OS from the drop-down list, server setup over SSH began.
    ... and how does it feel?
    How many times in your life have the batteries in the TV remote run out, or the remote gone missing?

    Now imagine that in this case you cannot thump the dead Soviet TV with your hand or plug it back in when your least favourite programme starts.

    So, in the case of a remote server, the stress of "losing the remote" is much stronger.

    Bash vulnerability and SSH

    I was lucky enough that the beginning of my admin practice did not fall in the period when a bunch of critical vulnerabilities were being found in bash. Under the general impression, I decided to minimize the use of the shell in all services, starting with SSH. The distribution got a welcome message at login (message of the day). In SSH I also turned off X forwarding and PAM, disabled root login, changed the default port, allowed authentication only with asymmetric keys, plus other small things.
    ... we know your kind, no fun without pretty windows?
    Yes, fine. I was more upset by the lack of the message of the day; it is so informative. I even wrote a script so that I could call it from the console.

    In the process, I discovered

    ssh -N -L удаленный_порт:localhost:5432 user@remote_host

    A great thing for administering databases and other little things: nothing changes on the remote machine, but you can already reach ports on the remote machine's localhost as if they were ports on your own machine.
    ... did you like the trick?
    It fit my needs so well that on Friday we drank to the health of `ssh -L` with friends!

    Another nice discovery was that `tail` can take several files as input and show them simultaneously in the console.
    ... what's cool about that?
    We run:

    tail -f /var/log/kern.log /var/log/auth.log /var/log/nginx/error.log /var/log/nginx/access.log

    Now all the logs are displayed in one console in real time:

    ==> /var/log/kern.log <==
    Mar 16 10:49:39 rating kernel: [2226306.618927] --- possible port scan--- IN=eth0 OUT= MAC=04:01:2a:64:3c:01:28:8a:1c:64:cb:f0:08:00 SRC= DST= LEN=30 TOS=0x00 PREC=0x00 TTL=56 ID=39877 DF PROTO=UDP SPT=48784 DPT=5351 LEN=10
    Mar 16 10:53:57 rating kernel: [2226564.521544] --- possible port scan--- IN=eth0 OUT= MAC=04:01:2a:64:3c:01:28:8a:1c:64:cf:f0:08:00 SRC= DST= LEN=72 TOS=0x08 PREC=0x00 TTL=42 ID=3852 DF PROTO=UDP SPT=53 DPT=11653 LEN=52
    ==> /var/log/auth.log <==
    Mar 16 11:01:17 rating sshd[31323]: Accepted publickey for ANONYMOUS from port 66 ssh2: RSA
    ==> /var/log/nginx/error.log <==
    PHP message: redirecting to" while reading response header from upstream...
    ==> /var/log/nginx/access.log <==
    - - [04/Mar/2015:12:29:25 +0300] "GET /land_job HTTP/1.1" 200 2601 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0" "-"

    Brilliant :)


    All the few admins I know set up firewalls. At first I did not expect much PROFIT, but I followed the tradition. Judging by the first manuals, iptables seemed like a monster that could not be figured out. However, after a short time the tool revealed its secrets:
    • You can log requests to closed ports
      ... what's the point?
      Not much, but you can learn interesting things. It turned out that the scammers' favourite port is 5060: IP telephony (the SIP protocol) runs on this port by default.

    • You can ban users
      ... felt the power and got happy?
      Yes. I made a special rule that all hacking attempts fall into (knocks on a closed port, malformed TCP packets, spoofing). Five attempts and you are banned for 10 minutes. And during that time the unsuccessful intruder, even when reaching an open port, gets the answer that the port is closed.

    • You can disable forwarding
    • You can partially prohibit protocols, etc.
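As an added example (my code, not the author's iptables rules or any script from the post), here is the defender-side view of the two bullets above: the "five attempts, then banned for 10 minutes" rule applied as a sliding window over kern.log lines of the shape shown earlier on the page, plus the per-port tally that would reveal the popularity of port 5060. The sample lines are constructed, the year is assumed (syslog timestamps carry none), and the LOG prefix is the page's own "--- possible port scan---".

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the shape of the kern.log lines shown on the page (iptables LOG
# target, "--- possible port scan---" prefix); addresses are from documentation ranges.
SAMPLE_KERN_LOG = """\
Mar 16 10:00:00 rating kernel: [1.0] --- possible port scan--- IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.5 PROTO=UDP SPT=48784 DPT=5351
Mar 16 10:09:00 rating kernel: [1.0] --- possible port scan--- IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.5 PROTO=UDP SPT=48785 DPT=5351
Mar 16 10:18:00 rating kernel: [1.0] --- possible port scan--- IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.5 PROTO=UDP SPT=48786 DPT=5351
Mar 16 10:27:00 rating kernel: [1.0] --- possible port scan--- IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.5 PROTO=UDP SPT=48787 DPT=5351
Mar 16 10:36:00 rating kernel: [1.0] --- possible port scan--- IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.5 PROTO=UDP SPT=48788 DPT=5351
Mar 16 10:49:39 rating kernel: [1.0] --- possible port scan--- IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41000 DPT=5060
Mar 16 10:49:41 rating kernel: [1.0] --- possible port scan--- IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41001 DPT=5060
Mar 16 10:49:43 rating kernel: [1.0] --- possible port scan--- IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41002 DPT=5060
Mar 16 10:49:45 rating kernel: [1.0] --- possible port scan--- IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41003 DPT=5060
Mar 16 10:49:47 rating kernel: [1.0] --- possible port scan--- IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41004 DPT=5060
Mar 16 10:50:00 rating kernel: [1.0] --- possible port scan--- IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=5060
Mar 16 10:50:05 rating kernel: [1.0] --- possible port scan--- IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=23
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")
YEAR = 2015  # assumed: syslog lines carry no year; taken from the page's access.log line
ATTEMPTS, WINDOW, BAN_FOR = 5, timedelta(minutes=10), timedelta(minutes=10)

def parse(line):
    """Return (timestamp, src, dpt) for one LOG line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"), m["src"], int(m["dpt"])

def find_bans(log_text, attempts=ATTEMPTS, window=WINDOW, ban_for=BAN_FOR):
    """Per-SRC sliding window over chronological lines: `attempts` hits within `window`
    trigger a ban; returns {src: (ban_start, ban_end)}."""
    recent, bans = defaultdict(deque), {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, src, _ = rec
        if src in bans:                      # already banned: nothing more to decide
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:            # drop hits that fell out of the window
            q.popleft()
        if len(q) >= attempts:
            bans[src] = (ts, ts + ban_for)
    return bans

def top_ports(log_text, n=3):
    """Most-knocked closed ports; on the page's server this is where 5060 stood out."""
    return Counter(rec[2] for rec in map(parse, log_text.splitlines()) if rec).most_common(n)
```

Note that 192.0.2.30 also knocks five times but spread over 36 minutes, so it never has five hits inside one 10-minute window and is not banned.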

    iptables is a great thing!
    ... and why are these emotions not under a spoiler?
    Not all the emotions fit under the spoiler. iptables is so magnificent and brilliantly gorgeous that some poems should be dedicated not to women but to this tool!

    Well, for those who want to check the ban in iptables:
    • Knock on a closed port a couple of times:
    • Check that we are banned:


    For nginx there is a huge number of configuration manuals, many of them in Russian. Unfortunately, that is a problem: some of the articles are written by people who have met nginx only in theory.

    Examples of bad tips:
    • It was recommended to write "expires modified 30d;". The author assured that this means the resource will be re-cached by the client if it has changed or if 30 days have passed. And it doesn't work like that!
      ... his own fault, it can't work like that!
      Yes, a bit dumb
    • It was recommended to block all people / bots who came from pornographic resources!
      ... in theory that's good advice!
      Yeah, except that when coming from Yandex Search a lot of junk is sent in the headers, and the word "sex" shows up there surprisingly often!

    In nginx everything is logical and reasonable. However, every tip from the articles should be double-checked against the official documentation. And even that does not guarantee it will work 100%.
    ... what did you like about nginx?
    I especially liked the solution with `include fastcgi_params`: I added it, and all the FastCGI settings were set by default for the location; whatever does not suit you can be corrected lower down in the config.

    Tightening the screws

    I think many have seen a web server serving a file with PHP code by mistake. I wanted to protect myself from such configuration errors, so I configured nginx and the php interpreter to run under different users. A script was written that set permissions on files and directories so that nginx had no access to the php directories, and php had no access to the static resources.
    ... and who do you want to surprise with this trivial thing?
    Those whose servers sometimes serve php files.

    Elusive Joe

    There is a question that has plagued me for a long time.

    Suppose I have somehow defended myself against network access and complicated the attacker's life. However, what prevents the hoster from viewing my files and data? Yes, it sounds like the joke about Elusive Joe, whom nobody needs and therefore nobody catches, but still ...
    ... do you have something to hide?
    No, and that's none of your business.
    Tor project

    The question remains; maybe someone knows the answer to it?


    I recommend everyone try administering a server. It is a great opportunity to make new friends, discover new tools, discover something new in old ones, and think about issues that had never crossed my mind.

    A bonus for developers is a large number of examples of what configs should look like in programs, and useful ideas for configs in their own projects.
