Joomla & Raspberry Pi

Peter Martin, twitter: @pe7er, Joomladagen.nl, Sunday 21 April 2013

Presentation Overview
1. Introduction
LAMP stack: 2. Raspbian 3. Nginx 4. MySQL 5. PHP 6. phpMyAdmin
7. Joomla 8. Performance 9. Security

Slides via: www.db8.nl

Peter Martin, joomladagen.nl, 20+21 April 2013

1. Introduction Raspberry Pi
Goal: educational

Today's engineers got their computer experience on home computers; for today's youth, computer class means operating software: clicking menus and swiping...

1. Introduction Raspberry Pi
Advantages

RPi: small; cheap ($35, 38 euro); low power (3.5 watt); no moving parts; silent; standardised (2 models)
Lots of: documentation (Linux & RPi), documented applications, add-on hardware, software

1. Introduction Raspberry Pi
Hardware

Single-board computer, 700 MHz; RAM 512 MB (first version: 256 MB); graphics: Broadcom VideoCore IV
Connections: SD card, micro USB power plug (5 V 1 A, 3.5 watt), Ethernet, HDMI & RCA video, audio, 2x USB, GPIO

1. Introduction Raspberry Pi
Community

Use, software, hardware, cases

LAMP Stack

LAMP / LEMP Stack

2. Linux: Raspbian (Debian for Raspberry Pi)
3. Apache -> Nginx [engine x]
4. MySQL
5. PHP
6. phpMyAdmin

2. Raspbian Linux Operating System

2. Raspbian
a) Installation b) Putting it on the network c) Updating d) Backup e) Configuration f) Access from the Internet

2a. Raspbian Download

Raspbian image: http://www.raspberrypi.org/downloads (470.72 MiB): 2013-02-09-wheezy-raspbian.zip
Unzip to ~/rpi/2013-02-09-wheezy-raspbian.img (1.8 GB)

2a. Raspbian Installation SD Card

SD card: http://elinux.org/RPi_Easy_SD_Card_Setup (gparted: partition table, unformatted)
Determine the device name: dmesg
dd = "dump disk". CAREFUL: data destroyer! Writing the image to the wrong device wipes that disk without asking.
bs=BYTES (read and write BYTES bytes at a time)
if=FILE (read from FILE instead of stdin)
of=FILE (write to FILE instead of stdout)

2a. Raspbian Installation SD Card

$ dmesg
[..]
[   45.361488] wlan0: no IPv6 routers present
[  265.278325] mmc0: new high speed SDHC card at address 0002
[  265.284831] mmcblk0: mmc0:0002 7.68 GiB
[  265.284912]  mmcblk0: p1
$

2a. Raspbian Installation SD Card

Linux:
sudo dd bs=1M if=~/rpi/2013-02-09-wheezy-raspbian.img of=/dev/mmcblk0
Mac OS X:
sudo dd bs=1M if=~/rpi/2013-02-09-wheezy-raspbian.img of=/dev/disk1
(use the whole disk, /dev/disk1, not a partition such as /dev/disk1s1: the image contains its own partition table)
Windows (dd for Windows):
dd bs=1M if=c:\temp\2013-02-09-wheezy-raspbian.img of=\\.\e:
(e: is the drive letter of the SD card)

2a. Raspbian Installation SD Card

$ sudo dd bs=1M if=~/rpi/2013-02-09-wheezy-raspbian.img of=/dev/mmcblk0
{4.5 minutes later}
1850+0 records in
1850+0 records out
1939865600 bytes (1.9 GB) copied, 252.656 s, 7.7 MB/s
$ sudo sync

2b. Raspbian Connecting the RPi

2b. Raspbian IP address?

Android / iPhone: Overlook Fing

2b. Raspbian IP address?

$ nmap -sP 192.168.0.0/24
Starting Nmap 5.00 (http://nmap.org) at 2013-04-07 14:15 CEST
Host 192.168.0.1 is up (0.0018s latency).
Host 192.168.0.14 is up (0.014s latency).
Host 192.168.0.15 is up (0.010s latency).
Host 192.168.0.16 is up (0.048s latency).
Host 192.168.0.17 is up (0.0092s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.94 seconds
$

2b. Raspbian SSH Login

$ ssh pi@192.168.0.16
The authenticity of host '192.168.0.16 (192.168.0.16)' can't be established.
RSA key fingerprint is 12:11:07:6b:c9:ac:ff:01:7b:2f:aa:a5:ef:02:c7:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.16' (RSA) to the list of known hosts.
pi@192.168.0.16's password: raspberry

(pi / raspberry is the default account of the Raspbian image and is publicly known: change the password at the first login via raspi-config, and rename the account as in 2e, before the Pi is reachable from the Internet.)

2b. Raspbian SSH Login

Linux raspberrypi 3.6.11+ #371 PREEMPT Thu Feb 7 16:31:35 GMT 2013 armv6l
The programs included with the Debian GNU/Linux system are free software;
[..]
NOTICE: the software on this Raspberry Pi has not been fully configured. Please run 'sudo raspi-config'
pi@raspberrypi ~ $

2b. Raspbian SSH Login

$ sudo raspi-config
1. expand_rootfs: use the full capacity of the SD card
2. memory_split: reduce the GPU's RAM share to 16 MB
Update & Change Password
<Finish>, reboot

2c. Raspbian Update!

{update repository information}
pi@raspberrypi ~ $ sudo apt-get update
{takes 30 seconds}
{upgrade the Raspbian OS}
pi@raspberrypi ~ $ sudo apt-get upgrade
{takes 22 minutes}

2d. Raspbian Backup SD Card

Shut down safely: $ sudo shutdown -h now
Remove the SD card & put it in the PC
Backup:
$ sudo dd if=/dev/mmcblk0 of=~/rpi/sd-card-rpi-20130421.bin

2e. Raspbian Hostname

{change hostname raspberrypi -> rpi}
pi@raspberrypi ~ $ sudo nano /etc/hostname
raspberrypi -> rpi
pi@raspberrypi ~ $ sudo nano /etc/hosts
127.0.1.1 raspberrypi -> 127.0.1.1 rpi
{restart the hostname service}
pi@raspberrypi ~ $ sudo /etc/init.d/hostname.sh start
pi@rpi ~ $

2e. Raspbian User & Password 1/2

pi@rpi ~ $ sudo passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
pi@rpi ~ $ exit
Logout
ssh root@192.168.0.16
{rename user & user directory}
root@rpi ~ # usermod -l peter pi
root@rpi ~ # usermod -m -d /home/peter peter

2e. Raspbian User & Password 2/2

{test the new account}
ssh peter@192.168.0.16
peter@rpi ~ $ sudo apt-get update
{works? Disable root!!!}
peter@rpi ~ $ sudo passwd -l root
passwd: password expiry information changed.
peter@rpi ~ $ passwd
Changing password for peter.
(current) UNIX password:

(passwd -l only locks root's password; root could still log in with an SSH key if one were installed, so also set PermitRootLogin no in /etc/ssh/sshd_config, point 4 of the security list.)

2e. Raspbian Time Zone

peter@rpi ~ $ date
Sun Apr 21 11:15:00 UTC 2013
peter@rpi ~ $ sudo dpkg-reconfigure tzdata
Current default time zone: 'Europe/Amsterdam'
Local time is now:      Sun Apr  7 13:15:00 CEST 2013.
Universal Time is now:  Sun Apr  7 11:15:00 UTC 2013.
peter@rpi ~ $

2f. Raspbian Internet access

Internet: DNS domain name petermartin.nl
Modem/router: Internet IP: ?.?.?.? / LAN IP: 192.168.0.1
LAN: Raspberry Pi 192.168.0.x

2f. Raspbian Internet access

Internet: DNS petermartin.nl A record -> 1.2.3.4
www.whatsmyip.org: Internet IP: 1.2.3.4
Modem/router: LAN IP: 192.168.0.1; DHCP lease pool starts at, e.g., 192.168.0.10
LAN: Raspberry Pi 192.168.0.9 (outside the lease pool)

2f. Raspbian Internet access

Modem/router: firewall > Port Forwarding
SSH traffic   = IP 192.168.0.9, port 22
Web traffic   = IP 192.168.0.9, port 80
HTTPS traffic = IP 192.168.0.9, port 443
Raspberry Pi: static IP

Forwarding port 22 makes the Pi's SSH reachable from the whole Internet; the auth.log on the security slides shows what that attracts. Do the steps in 2e and section 9 (non-default user, root login blocked, firewall, Fail2Ban) before opening it.

2f. Raspbian Static IP address

peter@rpi ~ $ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0

peter@rpi ~ $ sudo nano /etc/network/interfaces
{change:}
iface eth0 inet dhcp
{to:}
iface eth0 inet static
    address 192.168.0.9
    netmask 255.255.255.0
    gateway 192.168.0.1

3. Nginx webserver

3. Nginx

Nginx [engine x]

High performance: static pages very FAST! Dynamic pages FAST!
Low memory use (handy on the RPi!)
Simple configuration
Configuration changes can be tested before they are loaded (nginx -t)
Reverse proxy capabilities

Popularity (netcraft.com, April 2013): 40 million domains; 13.5% of all servers; 20% of the 1000 busiest websites

3. Nginx Popularity

3. Nginx Installation
peter@rpi ~ $ sudo apt-get install nginx
Reading package lists... Done
[..]
Need to get 2,132 kB of archives.
After this operation, 6,200 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
[..]
Setting up nginx (1.2.1-2.2) ...
peter@rpi ~ $

3. Nginx Configuration
peter@rpi ~ $ sudo nano /etc/nginx/nginx.conf
user www-data;
worker_processes 1;
pid /var/run/nginx.pid;
peter@rpi ~ $ sudo /etc/init.d/nginx start

3. Nginx Websites
Browse to http://192.168.0.9/ or http://petermartin.nl
Result:

Welcome to nginx!

3. Nginx Virtual domains

Creating virtual sites:
1. Location & index.html: /var/www/petermartin.nl/index.html
2. Configuration file for the site: /etc/nginx/sites-available/petermartin.nl
3. Activate it with a symbolic link to the config file: /etc/nginx/sites-enabled/petermartin.nl
4. Have Nginx load the new configuration: $ sudo /etc/init.d/nginx reload

3. Nginx Virtual domains

peter@rpi ~ $ sudo nano /var/www/petermartin.nl/index.html
<html>
<head>
<title>petermartin.nl</title>
</head>
<body bgcolor="white" text="black">
<center><h1>Welcome to the Joomladagen!</h1></center>
<center>Website: petermartin.nl</center>
</body>
</html>

3. Nginx Virtual domains

peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
server {
    listen 80;
    server_name petermartin.nl www.petermartin.nl;
    root /var/www/petermartin.nl;
    access_log /var/log/nginx/petermartin.nl.access_log;
    error_log /var/log/nginx/petermartin.nl.error_log info;
    location / {
        index index.php index.html index.htm;
    }
}

3. Nginx Virtual domains

peter@rpi ~ $ sudo ln -s /etc/nginx/sites-available/petermartin.nl /etc/nginx/sites-enabled/petermartin.nl

peter@rpi ~ $ sudo /etc/init.d/nginx reload
Reloading nginx configuration: nginx.

3. Nginx Virtual domains

Browser: http://192.168.0.9/petermartin.nl

Welcome to the Joomladagen!
Website: petermartin.nl

Error?
404 Not Found nginx/1.2.1
Check the error log file:
$ cat /var/log/nginx/petermartin.nl.error_log

Note that Nginx selects the virtual host by the Host header (server_name), not by the path: a request for the path /petermartin.nl on the bare IP lands in the default site and gives exactly this 404. Test with http://petermartin.nl/ or with an entry in your workstation's hosts file that points petermartin.nl at 192.168.0.9.

4. MySQL Database Server

4. MySQL

For Joomla 2.5+: no SQLite driver is available, so a MySQL server is needed
During installation it is configured right away: user root, password: databasepassword (a placeholder; choose your own)
For a live site, harden it with: $ sudo mysql_secure_installation

4. MySQL Installation
peter@rpi ~ $ sudo apt-get install mysql-server
Reading package lists... Done
[..]
Need to get 9,603 kB of archives.
After this operation, 91.1 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
[..]
Setting up mysql-server (5.5.30+dfsg-1) ...
Processing triggers for menu ...
peter@rpi ~ $ sudo mysql_secure_installation

5. PHP

5. PHP php5 + packages:

php5-fpm: FastCGI Process Manager, an interpreter that runs as a daemon and receives FastCGI requests
php5-mysql: modules for MySQL database connections directly from PHP scripts
php5-cli: command-line interpreter
php5-curl: library for getting files from FTP & HTTP servers

5. PHP Installation
peter@rpi ~ $ sudo apt-get install php5-fpm php5-mysql
Reading package lists... Done
[..]
Setting up php5 (5.4.4-14) ...
Processing triggers for php5-fpm ...
[ ok ] Restarting PHP5 FastCGI Process Manager: php5-fpm.
peter@rpi ~ $

5. PHP configuration petermartin.nl

pi@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
add:
location ~ \.php$ {
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
}

Also put try_files $uri =404; in this block, as the phpMyAdmin block in section 6 does: without it a request for a path that does not exist is still handed to PHP-FPM, and with cgi.fix_pathinfo=1 (the php.ini default) a URL such as /images/photo.jpg/x.php makes PHP execute the uploaded photo.jpg as a script.

5. PHP Result
Test with phpinfo():
$ sudo nano /var/www/petermartin.nl/test.php
containing: <?php echo "test"; phpinfo(); ?>
Visit it in the browser: http://192.168.0.9/petermartin.nl/test.php

Delete test.php as soon as the test succeeds: phpinfo() publishes the PHP version, loaded modules, paths and environment to anyone who finds the page.

6. phpMyAdmin

6. phpMyAdmin
Database GUI: http://192.168.0.9/phpmyadmin/

Secure it: not on all virtual domains, 1 is enough! Limit access to your own IP address.

6. phpMyAdmin Installation
peter@rpi ~ $ sudo apt-get install phpmyadmin
Reading package lists... Done
[..]
Need to get 6,092 kB of archives.
After this operation, 16.6 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
[..]
Web server to reconfigure automatically: none
Configure database for phpmyadmin with dbconfig-common? N
Creating config file /etc/phpmyadmin/config-db.php with new version
peter@rpi ~ $

6. phpMyAdmin config petermartin.nl

peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
location /phpmyadmin {
    root /usr/share/;
    index index.php index.html index.htm;
    location ~ ^/phpmyadmin/(.+\.php)$ {
        try_files $uri =404;
        root /usr/share/;
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_intercept_errors on;
    }
    location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
        root /usr/share/;
    }
}

fastcgi_pass must point at the address PHP-FPM actually listens on (the listen line in /etc/php5/fpm/pool.d/www.conf). The PHP block in section 5 uses unix:/var/run/php5-fpm.sock; 127.0.0.1:9000 only works if PHP-FPM was configured for TCP, otherwise every phpMyAdmin request gets a 502.

6. phpMyAdmin config petermartin.nl

peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
Restrict access to 1 IP address? (4.3.2.1 is a placeholder for your own address)
location /phpmyadmin {
    root /usr/share/;
    index index.php index.html index.htm;
    allow 4.3.2.1;
    deny all;
    location ~ ^/phpmyadmin/(.+\.php)$ {

7. Joomla

7. Joomla
Download Joomla to the server with wget
Via phpMyAdmin create the database: http://192.168.0.9/phpmyadmin/, database: petermartin
Via the site URL, start the Joomla installation

7. Joomla Installation petermartin.nl

peter@rpi ~ $ cd /var/www/petermartin.nl
peter@rpi ~ $ sudo wget http://joomlacode.org/gf/download/frsrelease/17968/78430/Joomla_2.5.9-Stable-Full_Package.zip
peter@rpi ~ $ sudo unzip -x Joomla_2.5.9-Stable-Full_Package.zip

The package is fetched over plain HTTP; compare its checksum with the one published for the release before unzipping it on the server.

7. Joomla Installation petermartin.nl

Web installer: http://192.168.0.9/petermartin.nl/

configuration.php Writeable: No = permission problem, fix with:
$ sudo chown -R www-data:www-data /var/www/petermartin.nl
(This makes the whole site writable by the web server user, which the installer needs. Afterwards only the directories Joomla writes to, such as images, cache, tmp and logs, need to stay writable by www-data.)

SEF links: no .htaccess on Nginx; put this in the virtual domain configuration instead: try_files $uri $uri/ /index.php?q=$request_uri;

7. Joomla SEF URLs

peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
location / {
    index index.php index.html index.htm;
    try_files $uri $uri/ /index.php?q=$request_uri;
}
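The pieces of /etc/nginx/sites-available/petermartin.nl that the sections above add one at a time (the server block from 3, the PHP location from 5, the phpMyAdmin location with its IP restriction from 6, the SEF try_files from 7 and the expires headers from 8) merged into one file. This is an added example, not the presenter's config: it adds try_files $uri =404 to the PHP block, points both PHP locations at the same PHP-FPM socket, and blocks PHP execution in Joomla's upload and cache directories and access to dot-files; those additions and the explicit SCRIPT_FILENAME line are mine, and 4.3.2.1 stays the placeholder admin address from the slides.

```nginx
# /etc/nginx/sites-available/petermartin.nl
# Added example: merged vhost for Joomla on Nginx + PHP-FPM (not from the slides).
server {
    listen 80;
    server_name petermartin.nl www.petermartin.nl;
    root /var/www/petermartin.nl;
    index index.php index.html index.htm;
    access_log /var/log/nginx/petermartin.nl.access_log;
    error_log  /var/log/nginx/petermartin.nl.error_log info;

    # Joomla SEF URLs: serve the file if it exists, otherwise hand the
    # request to Joomla's front controller (the line from "7. Joomla SEF URLs").
    location / {
        try_files $uri $uri/ /index.php?q=$request_uri;
    }

    # Added hardening: no PHP execution from the directories Joomla and its
    # extensions write to. A script dropped there through a vulnerable
    # extension must not be runnable via the web. Regex locations are matched
    # in order, so this must come before the generic .php location.
    location ~* ^/(images|media|cache|tmp|logs)/.*\.php$ {
        deny all;
    }

    # Added hardening: dot-files (.htaccess, .git, ...) are never served.
    location ~ /\. {
        deny all;
    }

    location ~ \.php$ {
        # The difference from the slide: only hand existing files to PHP-FPM.
        # Without it, with cgi.fix_pathinfo=1 (php.ini default), a request for
        # /images/photo.jpg/x.php makes PHP execute photo.jpg.
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;   # must match "listen" in /etc/php5/fpm/pool.d/www.conf
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # phpMyAdmin on this one vhost only, reachable from a single admin address.
    # 4.3.2.1 is the placeholder from the slides; put your own IP here.
    # allow/deny on this location is inherited by the nested locations.
    location /phpmyadmin {
        root /usr/share/;
        index index.php index.html index.htm;
        allow 4.3.2.1;
        deny all;

        location ~ ^/phpmyadmin/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;   # same backend as above, not 127.0.0.1:9000
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_intercept_errors on;
        }
        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }

    # Browser caching of static files (from "8. Performance").
    location ~* \.(ico|pdf|flv)$ {
        expires 1y;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
        expires 14d;
    }
}
```

Check the file with sudo nginx -t before sudo /etc/init.d/nginx reload. Two quick checks that the hardening is in place: a request for http://petermartin.nl/images/x.php must get a 403, and http://petermartin.nl/phpmyadmin/ from any address other than the allowed one must get a 403 as well; the access log lines in section 9 show what that looks like when a scanner hits it.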

8. Performance

8. Performance
PHP-FPM
Joomla: cache
Nginx: cache headers for static files in the site configuration, gzip

Do not use these, because of the RPi's small RAM: Alternative PHP Cache (APC), Varnish Cache

8. Performance Nginx gzip

pi@rpi ~ $ sudo nano /etc/nginx/nginx.conf
# Gzip Settings
gzip on;
gzip_static on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 512;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml;

8. Performance Nginx browser caching (expires headers)

pi@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
server {
    # caching of files
    location ~* \.(ico|pdf|flv)$ {
        expires 1y;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
        expires 14d;
    }
}

9. Security

9. Security: 10 Aspects
1. Change the default username pi & password
2. Backup!!!
3. Study the log files (optionally with Logwatch)

9. Security ssh log files

/var/log/auth.log
Apr 8 22:49:01 rpi sshd[10812]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 8 22:49:01 rpi sshd[10812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root
Apr 8 22:49:04 rpi sshd[10812]: Failed password for root from 59.175.148.95 port 43066 ssh2
Apr 8 22:49:04 rpi sshd[10812]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth]
Apr 8 22:49:07 rpi sshd[10816]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 8 22:49:07 rpi sshd[10816]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root
Apr 8 22:49:09 rpi sshd[10816]: Failed password for root from 59.175.148.95 port 44636 ssh2
Apr 8 22:49:10 rpi sshd[10816]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth]
Apr 8 22:49:13 rpi sshd[10820]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 8 22:49:13 rpi sshd[10820]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root
Apr 8 22:49:15 rpi sshd[10820]: Failed password for root from 59.175.148.95 port 46051 ssh2
Apr 8 22:49:16 rpi sshd[10820]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth]
Apr 8 22:49:19 rpi sshd[10824]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 8 22:49:19 rpi sshd[10824]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root

9. Security ssh log files

peter@rpi ~ $ whois 59.175.148.95
% [whois.apnic.net node-5]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
inetnum:      59.174.0.0 - 59.175.255.255
netname:      CHINANET-HB
descr:        CHINANET Hubei province network
descr:        Data Communication Division
descr:        China Telecom
country:      CN
role:         CHINANET HB ADMIN
address:      8th floor of JinGuang Building
address:      #232 of Macao Road
address:      HanKou Wuhan Hubei Province
address:      P.R.China
country:      CN
phone:        +86 27 82862199
fax-no:       +86 27 82861499
e-mail:       ip_admin_hb@public.wh.hb.cn
remarks:      send spam reports to spam_hb@public.wh.hb.cn
remarks:      and abuse reports to abuse_hb@public.wh.hb.cn
remarks:      Please include detailed information and
remarks:      times in GMT+8

9. Security: 10 Aspects
1. Change the default username pi & password
2. Backup!!!
3. Study the log files (optionally with Logwatch)
4. Block ssh root login!
5. Block port scans -> Firewall

9. Security Firewall
{check firewall}
peter@rpi ~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
{create firewall rules}
peter@rpi ~ $ sudo nano /etc/iptables.firewall.rules

9. Security Firewall setup 1/2

*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

9. Security Firewall setup 2/2

# Allow SSH connections
# The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

9. Security Firewall activation 1/2

{activate firewall}
peter@rpi ~ $ sudo iptables-restore < /etc/iptables.firewall.rules
{check firewall}
peter@rpi ~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere
[..]

9. Security Firewall activation 2/2

{script: activate the firewall at reboot}
peter@rpi ~ $ sudo nano /etc/network/if-pre-up.d/firewall
{put in /etc/network/if-pre-up.d/firewall:}
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

{set script permissions}
peter@rpi ~ $ sudo chmod +x /etc/network/if-pre-up.d/firewall

9. Security Firewall automation

9. Security Fail2Ban
Scans log files & takes automatic action
Jail configuration: if log lines match the filter n times in a row, put the source on the block list for x minutes
/etc/fail2ban/jail.conf: defaults
/etc/fail2ban/jail.local: overrides
Filters: /etc/fail2ban/filter.d/
Regex: ROOT LOGIN REFUSED, POSSIBLE BREAK-IN ATTEMPT!, Failed password etc...

9. Security Fail2Ban
{install Fail2Ban}
peter@rpi ~ $ sudo apt-get install fail2ban
Reading package lists... Done
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 340 kB of archives.
{look at the failed login attempts}
peter@rpi ~ $ cat /var/log/fail2ban.log
2013-04-09 16:45:59,000 fail2ban.actions: WARNING [ssh] Ban 9.8.7.6

{check firewall}
peter@rpi ~ $ sudo iptables -L
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  test123.example.com  anywhere
RETURN     all  --  anywhere             anywhere

9. Security: 10 Aspects
1. Change the default username pi & password
2. Backup!!!
3. Study the log files (optionally with Logwatch)
4. Block ssh root login!
5. Block port scans -> Firewall
6. Block script kiddies

9. Security Web server access logs

/var/log/nginx/petermartin.nl.access_log
198.7.57.74 - - [30/Mar/2013:16:47:49 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 1565 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:53 +0100] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:53 +0100] "GET /scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:54 +0100] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin1/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /web/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /php-my-admin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /websql/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /sqlmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /mysqlmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /p/m/a/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /pma2005/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /phpmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /php-myadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /webdb/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /websql/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"

A scanner (user agent "ZmEu") trying the phpMyAdmin setup script under every common path. Note the 403 instead of 404 for /phpmyadmin/scripts/setup.php: that is the allow/deny restriction from section 6 doing its job, since the scanner's address is not the allowed one.

9. Security Fail2Ban configuration

{no w00tw00t for me ;)}
peter@rpi ~ $ sudo nano /etc/fail2ban/filter.d/nginx-nofunkystuff.conf
# Fail2Ban configuration file
# Author: Peter Martin
# $Revision: 001 $
[Definition]
# Option: failregex
failregex = ^<HOST>.*GET.*(w00tw00t|\/setup\.php|\/wp-login\.php)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

(<HOST> at the start of the line matches the client address, which is the first field of Nginx's combined log format; the dots in the file names are escaped so that they match literally.)

9. Security Fail2Ban configuration

{activate the nginx-nofunkystuff filter}
peter@rpi ~ $ sudo nano /etc/fail2ban/jail.local
[nginx-nofunkystuff]
enabled = true
port = http,https
filter = nginx-nofunkystuff
logpath = /var/log/nginx/*access_log
maxretry = 0
bantime = 600
{restart Fail2Ban}
peter@rpi ~ $ sudo /etc/init.d/fail2ban restart
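Before a filter goes into jail.local it is worth running its pattern over real log lines to see exactly which addresses it would ban. The script below is an added example, not from the slides and not Fail2Ban itself: it does what the ssh jail and the nginx-nofunkystuff jail do (match lines, count hits per source address, report the addresses above a threshold) with grep, sort and uniq, over constructed log lines in the formats shown on the auth.log and access log slides. The nginx pattern is my reconstruction of the slide's failregex; the sshd pattern is the "Failed password" line from the auth.log slide. Addresses other than those on the slides (192.168.0.14, 203.0.113.9) are made up for the sample.

```shell
#!/bin/sh
# Added example (not from the slides): a Fail2Ban-style scan over an Nginx
# access log and an sshd auth.log, printing the source IPs that exceed a
# threshold. Thresholds follow the slides: web scanners are banned on the
# first hit (maxretry = 0), SSH brute-forcers after more than a few failures.

IPV4='([0-9]{1,3}\.){3}[0-9]{1,3}'

# IPs that sent more than $2 GET requests for a scanner path.
# Mirrors failregex = ^<HOST>.*GET.*(w00tw00t|\/setup\.php|\/wp-login\.php):
# the client address is the first field of the combined log format.
scan_access_log() {   # $1 = access log, $2 = maxretry
    grep -E "^$IPV4 .*\"GET [^\"]*(w00tw00t|/setup\.php|/wp-login\.php)" "$1" \
        | cut -d' ' -f1 | sort | uniq -c \
        | awk -v max="$2" '$1 > max { print $2 }'
}

# IPs with more than $2 "Failed password" lines from sshd (any user, including
# "invalid user ..." attempts).
scan_auth_log() {     # $1 = auth.log, $2 = maxretry
    grep -E "sshd\[[0-9]+\]: Failed password for .* from $IPV4 port" "$1" \
        | sed -E "s/.* from ($IPV4) port.*/\1/" \
        | sort | uniq -c \
        | awk -v max="$2" '$1 > max { print $2 }'
}

# Constructed sample logs in the formats from the slides (198.7.57.74 and
# 59.175.148.95 are the attackers shown there; the other addresses are made up).
write_samples() {     # $1 = directory
cat > "$1/access.log" <<'EOF'
198.7.57.74 - - [30/Mar/2013:16:47:49 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 1565 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu"
192.168.0.14 - - [30/Mar/2013:16:50:01 +0100] "GET /index.php?option=com_content HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Mar/2013:16:51:10 +0100] "GET /wp-login.php HTTP/1.1" 404 47 "-" "Mozilla/5.0"
192.168.0.14 - - [30/Mar/2013:16:52:00 +0100] "POST /setup.php HTTP/1.1" 404 47 "-" "curl/7.26"
EOF
cat > "$1/auth.log" <<'EOF'
Apr  8 22:49:04 rpi sshd[10812]: Failed password for root from 59.175.148.95 port 43066 ssh2
Apr  8 22:49:09 rpi sshd[10816]: Failed password for root from 59.175.148.95 port 44636 ssh2
Apr  8 22:49:15 rpi sshd[10820]: Failed password for root from 59.175.148.95 port 46051 ssh2
Apr  8 22:49:21 rpi sshd[10824]: Failed password for invalid user admin from 59.175.148.95 port 47010 ssh2
Apr  8 22:55:02 rpi sshd[10830]: Failed password for peter from 192.168.0.14 port 50122 ssh2
Apr  8 22:55:09 rpi sshd[10830]: Accepted password for peter from 192.168.0.14 port 50122 ssh2
EOF
}

# Demo: web scanners banned on the first hit, SSH after more than 3 failures.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "web scanners to ban:"; scan_access_log "$demo_dir/access.log" 0
echo "ssh brute-forcers to ban:"; scan_auth_log "$demo_dir/auth.log" 3
rm -rf "$demo_dir"
```

The POST to /setup.php from 192.168.0.14 is deliberately not matched: the slide's regex only looks at GET requests, and a typo by the admin of the one allowed address should not ban that address. On the real box the equivalent check for the installed filter is fail2ban-regex /var/log/nginx/petermartin.nl.access_log /etc/fail2ban/filter.d/nginx-nofunkystuff.conf.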

9. Security: 10 Aspects
1. Change the default username pi & password
2. Backup!!!
3. Study the log files (optionally with Logwatch)
4. Block ssh root login!
5. Block port scans -> Firewall
6. Block script kiddies
7. SSL certificate for /administrator
8. Block phpmyadmin + allow an exception
9. Backup!!!
10. Passwordless login? SSH keys
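Points 4 and 10 of the list come down to two lines in /etc/ssh/sshd_config. The script below is an added example, not from the slides: it reads the settings that matter from a config file and reports the weak ones, so it can be run after every change (or in a deploy script, since it returns 1 when something is wrong). It assumes OpenSSH's behaviour that the first occurrence of a keyword wins and that a missing PermitRootLogin or PasswordAuthentication means "yes" (the defaults on Raspbian wheezy), and it ignores Match blocks. The two sample configs are constructed: a Raspbian-style default and a hardened version with the account name peter from section 2e.

```shell
#!/bin/sh
# Added example (not from the slides): audit sshd_config for the settings
# behind "Block ssh root login!" and "Passwordless login? SSH keys".
# Assumptions: OpenSSH semantics (first occurrence of a keyword wins,
# PermitRootLogin and PasswordAuthentication default to yes when absent),
# no Match blocks.

# Effective value of a keyword: the first uncommented occurrence.
sshd_setting() {   # $1 = config file, $2 = keyword (case-insensitive)
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Prints one line per weak setting; returns 1 if any was found, 0 if clean.
audit_sshd_config() {   # $1 = config file
    cfg="$1"; findings=0

    # Point 4: "without-password" would still allow root with a key, so only
    # an explicit "no" counts as blocked.
    case "$(sshd_setting "$cfg" PermitRootLogin)" in
        no) ;;
        *)  echo "PermitRootLogin should be no (item 4 of the list)"; findings=1 ;;
    esac

    # Point 10: once your key is in ~/.ssh/authorized_keys, turn passwords
    # off; the auth.log slide shows what password guessing against a
    # public SSH port looks like.
    case "$(sshd_setting "$cfg" PasswordAuthentication)" in
        no) ;;
        *)  echo "PasswordAuthentication should be no once SSH keys work (item 10)"; findings=1 ;;
    esac

    # Disabling both passwords and keys would lock you out; catch that too.
    case "$(sshd_setting "$cfg" PubkeyAuthentication)" in
        no) echo "PubkeyAuthentication must not be no"; findings=1 ;;
    esac

    return $findings
}

# Constructed samples: a Raspbian-style default and a hardened config.
write_sshd_samples() {   # $1 = directory
cat > "$1/sshd_config.weak" <<'EOF'
# constructed excerpt in the style of the Raspbian wheezy default
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
PubkeyAuthentication yes
UsePAM yes
EOF
cat > "$1/sshd_config.hardened" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers peter
EOF
}

# Demo run over the two samples.
demo_dir=$(mktemp -d)
write_sshd_samples "$demo_dir"
echo "default config:";  audit_sshd_config "$demo_dir/sshd_config.weak" || true
echo "hardened config:"; audit_sshd_config "$demo_dir/sshd_config.hardened" && echo "ok"
rm -rf "$demo_dir"
```

Real use: sudo sh audit.sh with audit_sshd_config /etc/ssh/sshd_config, then sudo /etc/init.d/ssh reload while a second SSH session stays open, so a mistake in the new config cannot lock you out of the Pi.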

End

What we did not have time for

E-mail sending from the RPi: Joomla's notifications & contact forms, Logwatch mails
Exim MTA (Mail Transfer Agent)

Questions?

Questions?
Presentation available via www.db8.nl

Peter Martin, e-mail: info at db8.nl, website: www.db8.nl

Photos used

Switched On Tech Design - www.sotechdesign.com.au
Bricks - Sharlene Jackson http://www.sxc.hu/photo/759981
Hotrod Dash - Peter Mazurek http://www.sxc.hu/photo/1341923
Greased Lightnin' - Donald Cook http://www.sxc.hu/photo/690214
File Overload - Bob Smith http://www.sxc.hu/photo/367985
Rusted Gears - Angelo Rosa http://www.sxc.hu/photo/1365696
Man Made - "csremedy" http://www.sxc.hu/photo/1267108
digital world - ilker http://www.sxc.hu/photo/1206711
Crazy Man in Shower - scott adams http://www.sxc.hu/photo/760765
laptop 2 - emre nacigil http://www.sxc.hu/photo/810741
Speedometer - Abdulhamid AlFadhly http://www.sxc.hu/photo/1390189
Secure - Frank Khne http://www.sxc.hu/photo/962334
signs signs - Jason Antony http://www.sxc.hu/photo/751034
Face - Questions - Bob Smith http://www.sxc.hu/photo/418215