Do you work with MySQL? I do… quite a bit.
Do you often script stuff on your server to make your life easier? I do that as well… quite a bit…
Are you including your database user account and password (or worse… your MySQL instance root user account and password!) in plain text in your script? I was doing this… and it is bad practice from a security standpoint for sure…
Okay, so if you have a bunch of scripts (and I have several for database maintenance and database backups) floating around and many of them contain your MySQL root user account credentials… that can be a real issue. There is a better way!
I have set up a few servers with Ubuntu Server and one of the common security tools I use is Fail2Ban.
One of the common requirements that comes with Fail2Ban is the need to provide other administrative personnel with a place they can quickly check which IPs have been banned. Using a cool program called incron and a short shell script (which I will provide below) I was able to push the contents of the fail2ban log file in more-or-less real time to a plain text file in the web directory. Hence anyone can just visit that page and view a list of banned and unbanned IP addresses.
If you don’t know what a firewall is, let’s start there…
A firewall is basically a digital “wall” that sits on the edge of your network or device. When someone makes a connection over a network or the internet to your server, they connect by the IP address + a Port. Firewalls, on a very basic level, say “allow traffic on this port” or “deny traffic on this port.”
So for web traffic you might connect to our server here: 184.108.40.206 on port 80. There are a lot of services that run on any machine and many of them you don’t want to be accessible from the internet. For example, many distributions of Ubuntu come with a running DNS server that is accessible on port 53. If left alone, this could be a route for people to exploit your machine.
One way to think about it is like your home. Your house has a physical address that someone can punch into a GPS and it will take them to your driveway. However, to get into the house they will need to go through a door or a window. Ports are those doors and windows. If a person needs access to the services of your kitchen, then they can come through the kitchen door. If they need access to your garage, you can send them through the garage door. On a computer, different doors (ports) tend to correspond to different services (servers). For example, Apache Web Server commonly uses port 80 for HTTP traffic to host a website, or port 443 to host a secure website with SSL. SMTP servers often use port 25 to receive incoming mail. FTP servers often use port 21, and so forth and so on.
So it is advantageous to block certain ports, i.e. you might allow everyone to visit your kitchen but you don’t want everyone in your bedroom. It is best to block all ports by default and allow incoming traffic only on specific ports.
Finally it is worth noting that firewalls can do all kinds of interesting and complex things with traffic. Most of those functions are well outside of the scope of this article, and outside of the scope of UFW, but we will get there.
Another very quick post for all you aspiring Ubuntu server admins out there. I am not sure how I got along as far as I did without knowing how to easily add a service to the boot time start list or remove it from said list. I already knew how to manually start or stop a service on a running server but I am including those commands just to make this post a bit more complete. This is a short and sweet post (really for my own uses) with an assumption you know more or less what we are trying to accomplish and just need the commands to do it.
ownCloud supports several different types of “cache” mechanisms for increasing application performance and, in one particular case, expanding functionality (enabling File Locking).
The two types of caches I am going to discuss today are Redis and APCU. We will start with APCU.
If you have a stand-alone ownCloud installation and just need to optimize for better performance, then APCU is the way to go. It is very simple to get set up, with one small caveat on Ubuntu 14.04 (if you are running the latest LTS distro then this is where you live…).
The PHP5-APCU module is “out of date” relative to what ownCloud will accept. So if you just install it with apt and then enable it in your ownCloud config file you will get error messages in your logs at best or, more likely, just a blank screen when you try to load your site.
So… here is a quick answer on how to fix this issue: