Joomla & Raspberry Pi
Presentation overview
1. Introduction
LAMP stack:
2. Raspbian
3. Nginx
4. MySQL
5. PHP
6. phpMyAdmin
7. Joomla
8. Performance
9. Security
>>> Slides available via: www.db8.nl <<<
1. Introduction – Raspberry Pi
Goal: educational
- today's engineers: got their computer experience on home computers
- today's youth: computer class = operating software, clicking through menus and swiping...
1. Introduction – Raspberry Pi
Advantages of the RPi
- Small
- Cheap: $ 35 → 38 euro
- Low power consumption (3.5 watt)
- No moving parts → silent
- Standard (2 types): lots of documentation (Linux & RPi), many documented applications, lots of add-on hardware, lots of software
1. Introduction – Raspberry Pi
Hardware
- Single-board computer, 700 MHz
- RAM 512 MB (1st version: 256 MB)
- Graphics: Broadcom VideoCore IV
- Connections: SD card, Micro USB power plug (5 V, 1 A – 3.5 watt), Ethernet, HDMI & RCA video, audio, 2x USB, GPIO
1. Introduction – Raspberry Pi
Community
- Usage
- Software
- Hardware
- Case
LAMP Stack
LAMP → LEMP stack
2. Linux → Raspbian (Debian for Raspberry Pi)
3. Apache → Nginx [engine x]
4. MySQL
5. PHP
6. phpMyAdmin
2. Raspbian Linux – Operating System
2. Raspbian
a) Installation
b) Connecting to the network
c) Updating
d) Backup
e) Configuration
f) Access via the Internet
2a. Raspbian
Download the Raspbian image: http://www.raspberrypi.org/downloads
2013-02-09-wheezy-raspbian.zip (470.72 MiB)
Unzip to ~/rpi/2013-02-09-wheezy-raspbian.img (1.8 GB)
2a. Raspbian – Installing the SD card
SD card: http://elinux.org/RPi_Easy_SD_Card_Setup
“gparted”, partition table, unformatted
Determine the device location: “dmesg”
“dd” = “dump disk”. CAREFUL: “data destroyer”!
- bs=BYTES (read and write BYTES bytes at a time)
- if=FILE (read from FILE instead of stdin)
- of=FILE (write to FILE instead of stdout)
2a. Raspbian – Installing the SD card
$ dmesg
[..]
[45.361488] wlan0: no IPv6 routers present
[265.278325] mmc0: new high speed SDHC card at address 0002
[265.284831] mmcblk0: mmc0:0002 7.68 GiB
[265.284912] mmcblk0: p1
$
2a. Raspbian – Installing the SD card
Linux:
sudo dd bs=1M if=~/rpi/2013-02-09-wheezy-raspbian.img of=/dev/mmcblk0
Mac OSX:
sudo dd bs=1M if=~/rpi/2013-02-09-wheezy-raspbian.img of=/dev/disk1s1
Windows:
dd bs=1M if=c:\temp\2013-02-09-wheezy-raspbian.img of=\\.\e:
2a. Raspbian – Installing the SD card
$ sudo dd bs=1M if=~/rpi/2013-02-09-wheezy-raspbian.img of=/dev/mmcblk0
{about 4.5 minutes later}
1850+0 records in
1850+0 records out
1939865600 bytes (1.9 GB) copied, 252.656 s, 7.7 MB/s
$ sudo sync
2b. Raspbian – Connecting the RPi
2b. Raspbian – IP address?
Android / iPhone: Overlook Fing
2b. Raspbian – IP address?
$ nmap -sP 192.168.0/24
Starting Nmap 5.00 ( http://nmap.org ) at 2013-04-07 14:15 CEST
Host 192.168.0.1 is up (0.0018s latency).
Host 192.168.0.14 is up (0.014s latency).
Host 192.168.0.15 is up (0.010s latency).
Host 192.168.0.16 is up (0.048s latency).
Host 192.168.0.17 is up (0.0092s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.94 seconds
$
2b. Raspbian – SSH Login
$ ssh pi@192.168.0.16
The authenticity of host '192.168.0.16 (192.168.0.16)' can't be established.
RSA key fingerprint is 12:11:07:6b:c9:ac:ff:01:7b:2f:aa:a5:ef:02:c7:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.16' (RSA) to the list of known hosts.
pi@192.168.0.16's password: raspberry
2b. Raspbian – SSH Login
Linux raspberrypi 3.6.11+ #371 PREEMPT Thu Feb 7 16:31:35 GMT 2013 armv6l
The programs included with the Debian GNU/Linux system are free software;
[..]
NOTICE: the software on this Raspberry Pi has not been fully configured. Please run 'sudo raspi-config'
pi@raspberrypi ~ $
2b. Raspbian – SSH Login
$ sudo raspi-config
1. expand_rootfs – use the full capacity of the SD card
2. memory_split – reduce the GPU RAM to 16 MB
- Update & Change Password
- reboot
2c. Raspbian – Updating!
{update repository information}
pi@raspberrypi ~ $ sudo apt-get update
{takes ± 30 seconds}
{upgrade Raspbian OS}
pi@raspberrypi ~ $ sudo apt-get upgrade
{takes ± 22 minutes}
2d. Raspbian – Backup SD Card
Shut down safely:
$ sudo shutdown -h now
Remove the SD card & insert it into the PC
Backup:
$ sudo dd if=/dev/mmcblk0 of=~/rpi/sd-card-rpi-20130421.bin
2e. Raspbian – Hostname
{change hostname @raspberrypi → @rpi}
pi@raspberrypi ~ $ sudo nano /etc/hostname
raspberrypi → rpi
pi@raspberrypi ~ $ sudo nano /etc/hosts
127.0.1.1 raspberrypi → 127.0.1.1 rpi
{restart the hostname process}
pi@raspberrypi ~ $ sudo /etc/init.d/hostname.sh start
pi@rpi ~ $
2e. Raspbian – User & Password 1/2
pi@rpi ~ $ sudo passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
pi@rpi ~ $ exit
Logout
ssh [email protected]
{rename user & user directory}
root@rpi ~# usermod -l peter pi
root@rpi ~# usermod -m -d /home/peter peter
2e. Raspbian – User & Password 2/2
{test the new account}
ssh [email protected]
peter@rpi ~$ sudo apt-get update
{works? Disable root !!!}
peter@rpi ~$ sudo passwd -l root
passwd: password expiry information changed.
peter@rpi ~$ passwd
Changing password for peter.
(current) UNIX password:
2e. Raspbian – Time Zone
peter@rpi ~ $ date
Sun Apr 21 11:15:00 UTC 2013
peter@rpi ~ $ sudo dpkg-reconfigure tzdata
Current default time zone: 'Europe/Amsterdam'
Local time is now: Sun Apr 7 13:15:00 CEST 2013.
Universal Time is now: Sun Apr 7 11:15:00 UTC 2013.
peter@rpi ~ $
2f. Raspbian – Internet access
Internet: DNS – domain name “petermartin.nl”
LAN: Raspberry Pi 192.168.0.x
Modem/router: Internet IP: ?.?.?.?
Modem/router: LAN IP: 192.168.0.1
2f. Raspbian – Internet access
Internet: DNS – “petermartin.nl” “A” record to 1.2.3.4
LAN: Raspberry Pi 192.168.0.9
Lease pool start, e.g.: 192.168.0.10
www.whatsmyip.org: Internet IP: 1.2.3.4
Modem/router: LAN IP: 192.168.0.1
2f. Raspbian – Internet access
Modem/router → firewall > Port Forwarding
- SSH traffic = IP 192.168.0.9, port 22
- Web traffic = IP 192.168.0.9, port 80
- HTTPS traffic = IP 192.168.0.9, port 443
Raspberry Pi → static IP
2f. Raspbian – Static IP address
peter@rpi ~ $ route
Kernel IP routing table
Destination  Gateway      Genmask        Flags Metric Ref Use Iface
default      192.168.0.1  0.0.0.0        UG    0      0   0   eth0
192.168.0.0  *            255.255.255.0  U     0      0   0   eth0
peter@rpi ~ $ sudo nano /etc/network/interfaces
{change:}
iface eth0 inet dhcp
{to:}
iface eth0 inet static
address 192.168.0.9
netmask 255.255.255.0
gateway 192.168.0.1
3. Nginx webserver
3. Nginx
Nginx [engine ex]
- High performance: static pages → very FAST! Dynamic pages → FAST!
- Low memory usage (handy on the RPi!)
- Simple configuration
- Automatic testing of configuration changes
- Reverse proxy capabilities
Popularity (netcraft.com, April 2013):
- 40 million domains
- 13.5% of all servers
- 20% of the 1000 busiest websites
3. Nginx – Popularity
3. Nginx – Installation
peter@rpi ~ $ sudo apt-get install nginx
Reading package lists... Done
[..]
Need to get 2,132 kB of archives.
After this operation, 6,200 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
[..]
Setting up nginx (1.2.1-2.2) ...
peter@rpi ~ $
3. Nginx – Configuration
peter@rpi ~ $ sudo nano /etc/nginx/nginx.conf
user www-data;
worker_processes 1;
pid /var/run/nginx.pid;
peter@rpi ~ $ sudo /etc/init.d/nginx start
3. Nginx – Websites
Browse to URL http://192.168.0.9/ or http://petermartin.nl
Result:
Welcome to nginx!
3. Nginx – Virtual domains
Creating virtual sites:
1. Location & index.html: /var/www/petermartin.nl/index.html
2. Configuration file for the site: /etc/nginx/sites-available/petermartin.nl
3. Activate by means of a symbolic link to the config file: /etc/nginx/sites-enabled/petermartin.nl
4. Load the new Nginx configuration: $ sudo /etc/init.d/nginx reload
3. Nginx – Virtual domains
peter@rpi ~ $ sudo nano /var/www/petermartin.nl/index.html
petermartin.nl
Welkom op de Joomladagen!
Website: petermartin.nl
3. Nginx – Virtual domains
peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
server {
    listen 80;
    server_name petermartin.nl www.petermartin.nl;
    root /var/www/petermartin.nl;
    access_log /var/log/nginx/petermartin.nl.access_log;
    error_log /var/log/nginx/petermartin.nl.error_log info;
    location / {
        index index.php index.html index.htm;
    }
}
3. Nginx – Virtual domains
peter@rpi ~ $ sudo ln -s /etc/nginx/sites-available/petermartin.nl /etc/nginx/sites-enabled/petermartin.nl
peter@rpi ~ $ sudo /etc/init.d/nginx reload
Reloading nginx configuration: nginx.
3. Nginx – Virtual domains
Browser: http://192.168.0.9/petermartin.nl
Welkom op de Joomladagen! Website: petermartin.nl
Error? 404 Not Found nginx/1.2.1
→ Check the error log file:
$ cat /var/log/nginx/petermartin.nl.error_log
4. MySQL Database Server
4. MySQL
For Joomla 2.5+ = no SQLite driver available
Configured immediately during installation: User: root, Password: databasepassword
Make a live site more secure with:
$ sudo mysql_secure_installation
4. MySQL – Installation
peter@rpi ~ $ sudo apt-get install mysql-server
Reading package lists... Done
[..]
Need to get 9,603 kB of archives.
After this operation, 91.1 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
[..]
Setting up mysql-server (5.5.30+dfsg-1)...
Processing triggers for menu ...
peter@rpi ~ $ sudo mysql_secure_installation
5. PHP
5. PHP – php5 + packages:
- php5-fpm: FastCGI Process Manager, interpreter that runs as a daemon and receives Fast/CGI requests
- php5-mysql: modules for MySQL database connections directly from PHP scripts
- php5-cli: command-line interpreter
- php5-curl: library for getting files from FTP & HTTP server
5. PHP – Installation
peter@rpi ~ $ sudo apt-get install php5-fpm php5-mysql
Reading package lists... Done
[..]
Setting up php5 (5.4.4-14)...
Processing triggers for php5-fpm...
[ ok ] Restarting PHP5 FastCGI Process Manager: php5-fpm.
peter@rpi ~ $
5. PHP – configuration petermartin.nl
pi@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
add:
location ~ \.php$ {
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
}
5. PHP – Result
Test with phpinfo();
$ sudo nano /var/www/petermartin.nl/test.php
containing: <?php echo "test"; phpinfo(); ?>
Visit via browser: http://192.168.0.9/petermartin.nl/test.php
6. phpMyAdmin
6. phpMyAdmin
Database GUI
- http://192.168.0.9/phpmyadmin/
Secure it:
- Not on all virtual domains → 1 is enough!
- Restrict to an IP address
6. phpMyAdmin – Installation
peter@rpi ~ $ sudo apt-get install phpmyadmin
Reading package lists... Done
[..]
Need to get 6,092 kB of archives.
After this operation, 16.6 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
[..]
Web server to reconfigure automatically: none
Configure database for phpmyadmin with dbconfig-common? N
Creating config file /etc/phpmyadmin/config-db.php with new version
peter@rpi ~ $
6. phpMyAdmin – config petermartin.nl
peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
location /phpmyadmin {
    root /usr/share/;
    index index.php index.html index.htm;
    location ~ ^/phpmyadmin/(.+\.php)$ {
        try_files $uri =404;
        root /usr/share/;
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_intercept_errors on;
    }
    location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
        root /usr/share/;
    }
}
6. phpMyAdmin – config petermartin.nl
peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
Restrict access to 1 IP address?
location /phpmyadmin {
    root /usr/share/;
    index index.php index.html index.htm;
    allow 4.3.2.1;
    deny all;
    location ~ ^/phpmyadmin/(.+\.php)$ {
    [..]
7. Joomla
7. Joomla
Download Joomla to the server via wget
Create a database via phpMyAdmin: http://192.168.0.9/phpmyadmin/ database: “petermartin”
Start the Joomla installation via the URL
7. Joomla – Installation petermartin.nl
peter@rpi ~ $ cd /var/www/petermartin.nl
peter@rpi ~ $ sudo wget http://joomlacode.org/gf/download/frsrelease/17968/78430/Joomla_2.5.9-Stable-Full_Package.zip
peter@rpi ~ $ sudo unzip -x Joomla_2.5.9-Stable-Full_Package.zip
7. Joomla – Installation petermartin.nl
Web installer: http://192.168.0.9/petermartin.nl/
- configuration.php Writeable: No = permission problem, fix with:
  $ sudo chown -R www-data:www-data /var/www/petermartin.nl
- SEF links: .htaccess → virtual domain configuration:
  try_files $uri $uri/ /index.php?q=$request_uri;
7. Joomla – SEF URLs
peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
location / {
    index index.php index.html index.htm;
    try_files $uri $uri/ /index.php?q=$request_uri;
}
8. Performance
8. Performance
- PHP-FPM
- Joomla cache
- NGINX: cache files in the site configuration, gzip
Do not use, because of the RPi's small RAM:
- Alternative PHP Cache (APC)
- Varnish Cache
8. Performance – Nginx gzip
pi@rpi ~ $ sudo nano /etc/nginx/nginx.conf
# Gzip Settings
gzip on;
gzip_static on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 512;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml;
8. Performance – Nginx gzip
pi@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
server {
    # caching of files
    location ~* \.(ico|pdf|flv)$ {
        expires 1y;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
        expires 14d;
    }
}
9. Security
9. Security – 10 aspects
1. Change the default username “pi” & password
2. Backup !!!
3. Study the logfiles (optionally with Logwatch)
9. Security – ssh logfiles
/var/log/auth.log
Apr 8 22:49:01 rpi sshd[10812]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 8 22:49:01 rpi sshd[10812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root
Apr 8 22:49:04 rpi sshd[10812]: Failed password for root from 59.175.148.95 port 43066 ssh2
Apr 8 22:49:04 rpi sshd[10812]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth]
Apr 8 22:49:07 rpi sshd[10816]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 8 22:49:07 rpi sshd[10816]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root
Apr 8 22:49:09 rpi sshd[10816]: Failed password for root from 59.175.148.95 port 44636 ssh2
Apr 8 22:49:10 rpi sshd[10816]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth]
Apr 8 22:49:13 rpi sshd[10820]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 8 22:49:13 rpi sshd[10820]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root
Apr 8 22:49:15 rpi sshd[10820]: Failed password for root from 59.175.148.95 port 46051 ssh2
Apr 8 22:49:16 rpi sshd[10820]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth]
Apr 8 22:49:19 rpi sshd[10824]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
9. Security – ssh logfiles
peter@rpi ~$ whois 59.175.148.95
% [whois.apnic.net node-5]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 59.174.0.0 - 59.175.255.255
netname: CHINANET-HB
descr: CHINANET Hubei province network
descr: Data Communication Division
descr: China Telecom
country: CN
role: CHINANET HB ADMIN
address: 8th floor of JinGuang Building
address: #232 of Macao Road
address: HanKou Wuhan Hubei Province
address: P.R.China
country: CN
phone: +86 27 82862199
fax-no: +86 27 82861499
e-mail: [email protected]
remarks: send spam reports to spam_hb@public.wh.hb.cn
remarks: and abuse reports to abuse_hb@public.wh.hb.cn
remarks: Please include detailed information and
remarks: times in GMT+8
9. Security – 10 aspects
1. Change the default username “pi” & password
2. Backup !!!
3. Study the logfiles (optionally with Logwatch)
4. Block ssh root login !
5. Block portscans -> Firewall
9. Security – Firewall
{check firewall}
peter@rpi ~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
{create firewall rules}
peter@rpi ~$ sudo nano /etc/iptables.firewall.rules
9. Security – Configuring the firewall 1/2
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
9. Security – Configuring the firewall 2/2
# Allow SSH connections
# The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
# iptables-restore only applies the table when it reaches COMMIT
COMMIT
9. Security – Activating the firewall 1/2
{activate firewall}
peter@rpi ~$ sudo iptables-restore < /etc/iptables.firewall.rules
{check firewall}
peter@rpi ~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
9. Security – Activating the firewall 2/2
{script: activate the firewall at reboot}
peter@rpi ~$ sudo nano /etc/network/if-pre-up.d/firewall
{place in /etc/network/if-pre-up.d/firewall}
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
{set script permissions}
peter@rpi ~$ sudo chmod +x /etc/network/if-pre-up.d/firewall
9. Security – Automating the firewall
9. Security – Fail2Ban
Scans logfiles & takes automatic action
“Jail” configuration:
- If the logfiles match a “filter”
- “n” times in a row
- Put on the blocklist for “x” minutes
/etc/fail2ban/jail.conf → default
/etc/fail2ban/jail.local → “override”
Filters:
- /etc/fail2ban/filter.d/
- Regex: “ROOT LOGIN REFUSED”, “POSSIBLE BREAK-IN ATTEMPT!”, “Failed password” etc...
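The jail logic described on this slide (filter match, "n" times, blocklist for "x" minutes), worked through as an added Python example; it is not part of the original slides and not Fail2Ban's own code. The function name find_bans, the simplified "Failed password" pattern and the sample log lines are assumptions made for the illustration; maxretry, findtime and bantime are named after the Fail2Ban jail options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the sshd auth.log format shown on the slides.
# 203.0.113.7 and 198.51.100.20 are documentation addresses, not real hosts.
SAMPLE_AUTH_LOG = """\
Apr  8 22:49:04 rpi sshd[10812]: Failed password for root from 203.0.113.7 port 43066 ssh2
Apr  8 22:49:09 rpi sshd[10816]: Failed password for root from 203.0.113.7 port 44636 ssh2
Apr  8 22:49:15 rpi sshd[10820]: Failed password for root from 203.0.113.7 port 46051 ssh2
Apr  8 22:50:30 rpi sshd[10901]: Failed password for peter from 198.51.100.20 port 51000 ssh2
Apr  8 22:50:41 rpi sshd[10901]: Accepted password for peter from 198.51.100.20 port 51000 ssh2
Apr  8 23:30:00 rpi sshd[11002]: Failed password for invalid user admin from 203.0.113.7 port 40100 ssh2
"""

# Simplified stand-in for a "filter": one failed sshd password attempt (IPv4 only).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d+\.\d+\.\d+\.\d+) "
)


def find_bans(log_text, maxretry=3, findtime=600, bantime=600, year=2013):
    """Return [(host, ban_start, ban_end)] for hosts that trip the jail.

    A host is banned once `maxretry` filter matches fall within `findtime`
    seconds; the ban lasts `bantime` seconds. Syslog timestamps carry no
    year, so `year` is supplied by the caller.
    """
    recent = defaultdict(deque)   # host -> timestamps of recent failures
    banned_until = {}             # host -> end of the current ban
    bans = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # line does not match the filter
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host = m["host"]
        if host in banned_until and ts < banned_until[host]:
            continue              # still banned: the firewall would drop this
        window = recent[host]
        window.append(ts)
        # Forget failures that are older than the findtime window.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            end = ts + timedelta(seconds=bantime)
            banned_until[host] = end
            bans.append((host, ts, end))
            window.clear()
    return bans


if __name__ == "__main__":
    for host, start, end in find_bans(SAMPLE_AUTH_LOG):
        print(f"ban {host} from {start} until {end}")
```

The single failed login from 198.51.100.20 followed by a successful one does not lead to a ban, and the late attempt at 23:30 starts a fresh count because the earlier ban and the findtime window have both expired.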
9. Security – Fail2Ban
{install Fail2Ban}
peter@rpi ~$ sudo apt-get install fail2ban
Reading package lists... Done
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 340 kB of archives.
{view failed login attempts}
peter@rpi ~$ cat fail2ban.log
2013-04-09 16:45:59,000 fail2ban.actions: WARNING [ssh] Ban 9.8.7.6
{check firewall}
peter@rpi ~$ sudo iptables -L
Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- test123.example.com anywhere
RETURN all -- anywhere anywhere
9. Security – 10 aspects
1. Change the default username “pi” & password
2. Backup !!!
3. Study the logfiles (optionally with Logwatch)
4. Block ssh root login !
5. Block portscans -> Firewall
6. Block scriptkiddies
9. Security – Webserver access logs
/var/log/nginx/petermartin.nl.access_log
198.7.57.74 - - [30/Mar/2013:16:47:49 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 1565 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:53 +0100] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:53 +0100] "GET /scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:54 +0100] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin1/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /web/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /php-my-admin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /websql/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /sqlmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /mysqlmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /p/m/a/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /pma2005/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /phpmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /php-myadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /webdb/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
9. Security – Fail2Ban configuration
{no w00tw00t for me ;-)}
peter@rpi ~$ sudo nano /etc/fail2ban/filter.d/nginx-nofunkystuff.conf
# Fail2Ban configuration file
# Author: Peter Martin
# $Revision: 001 $
[Definition]
# Option: failregex
failregex = ^<HOST> -.*GET.*(w00tw00t|setup\.php|wp-login\.php)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
9. Security – Fail2Ban configuration
{activate the nginx-nofunkystuff filter}
peter@rpi ~$ sudo nano /etc/fail2ban/jail.local
[nginx-nofunkystuff]
enabled = true
port = http,https
filter = nginx-nofunkystuff
logpath = /var/log/nginx/*access_log
maxretry = 0
bantime = 600
{restart Fail2Ban}
peter@rpi ~$ sudo /etc/init.d/fail2ban restart
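A way to check a failregex like the one in nginx-nofunkystuff.conf before it goes live, as an added Python example that is not part of the original slides: it runs three candidate patterns over constructed access-log lines and returns the hosts each would ban. HOST_GROUP is a simplified IPv4 stand-in for Fail2Ban's <HOST> tag, and the names LOOSE, ANCHORED and MISESCAPED, the anchored pattern and the sample lines are assumptions made for the illustration.

```python
import re

# Fail2Ban substitutes <HOST> with a host-capturing group before compiling.
# This IPv4-only group is a simplified stand-in, not Fail2Ban's expression.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Matches the keywords anywhere after "GET", including referer and user agent.
LOOSE = r"^<HOST> -.*GET.*(w00tw00t|setup\.php|wp-login\.php)"
# Assumed tightening: only look at the path inside the quoted request line.
ANCHORED = (r'^<HOST> - \S+ \[[^\]]+\] "GET [^" ]*'
            r"(w00tw00t|/setup\.php|/wp-login\.php)")
# "\s" is the whitespace class, so this alternative never sees "/setup.php".
MISESCAPED = r"^<HOST> -.*GET.*(w00tw00t|\setup.php)"

# Constructed lines in nginx "combined" log format; the addresses come from
# documentation ranges and the referer host is made up.
SAMPLE_ACCESS_LOG = [
    '203.0.113.9 - - [30/Mar/2013:16:47:49 +0100] '
    '"GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 1565 "-" "ZmEu"',
    '203.0.113.9 - - [30/Mar/2013:16:47:52 +0100] '
    '"GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu"',
    '198.51.100.4 - - [30/Mar/2013:17:02:10 +0100] '
    '"GET /index.php HTTP/1.1" 200 5120 "http://blog.example/wp-login.php" "Mozilla/5.0"',
    '198.51.100.5 - - [30/Mar/2013:17:03:00 +0100] '
    '"GET /templates/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [30/Mar/2013:17:05:00 +0100] '
    '"GET /wp-login.php HTTP/1.1" 404 47 "-" "Mozilla/5.0"',
]


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the pattern as a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def hosts_to_ban(failregex, lines):
    """Return the distinct hosts (in first-seen order) the pattern matches."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m and m.group("host") not in hosts:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("anchored", ANCHORED),
                          ("mis-escaped", MISESCAPED)):
        print(f"{name:12s} -> {hosts_to_ban(pattern, SAMPLE_ACCESS_LOG)}")
```

The loose pattern also bans 198.51.100.4, an ordinary visitor whose referer happens to contain "wp-login.php", while the anchored pattern does not; with maxretry = 0 a single such line is enough for a ban, so the false-positive check matters.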
9. Security – 10 aspects
1. Change the default username “pi” & password
2. Backup !!!
3. Study the logfiles (optionally with Logwatch)
4. Block ssh root login !
5. Block portscans -> Firewall
6. Block scriptkiddies
7. SSL certificate /administrator
8. Block phpmyadmin + block exception
9. Backup !!!
10. Passwordless login? SSH shared keys
End
What we had no time left for
Sending e-mail from the RPi:
- Joomla's notifications & contact forms
- Logwatch mails
→ Exim MTA (Mail Transfer Agent)
Questions?
Presentation available via www.db8.nl
Peter Martin e-mail: info at db8.nl website: www.db8.nl
Photos used
Switched On Tech Design - www.sotechdesign.com.au
Bricks - Sharlene Jackson http://www.sxc.hu/photo/759981
Hotrod Dash - Peter Mazurek http://www.sxc.hu/photo/1341923
Greased Lightnin' - Donald Cook http://www.sxc.hu/photo/690214
File Overload - Bob Smith http://www.sxc.hu/photo/367985
Rusted Gears - Angelo Rosa http://www.sxc.hu/photo/1365696
Man Made - "csremedy" http://www.sxc.hu/photo/1267108
digital world - ilker http://www.sxc.hu/photo/1206711
Crazy Man in Shower - scott adams http://www.sxc.hu/photo/760765
laptop 2 - emre nacigil http://www.sxc.hu/photo/810741
Speedometer – Abdulhamid AlFadhly http://www.sxc.hu/photo/1390189
Secure - Frank Köhne http://www.sxc.hu/photo/962334
signs - Jason Antony, http://www.sxc.hu/photo/751034
Face - Questions - Bob Smith, http://www.sxc.hu/photo/418215