Skip to main content

Woozie ๐Ÿ•โ€๐Ÿฆบ

Notesโ€‹

23.02.04 - Documentation for the server migration of Woozer to Woozie. I'm running into the EOL ( End of Life ) for 18.04 LTS on April 2023, so I'm giving myself some buffer time to get her warmed up. I also needed a new development server to test Rust and WASM for my human updates.

Logโ€‹

23.06.26 - added cron to clear logs weekly ( sun @5:50am )

sudo crontab -e 
50 5 * * 0 /home/*****/scripts/clear_logs.sh

23.02.04 - Init

Todoโ€‹

  • Monitor
    • watch logs for bots/IPs & block
    • conf awk for cron to show virtual hosts
    • combine A records for subdomains.
    • lifeasweknowit.com is still pointed to the IP
  • Tune
    • apache/nginx
    • mariadb
    • postgreSQL
  • custom apache/nginx error pages
  • code.daw
  • daw.com/wik/mail/reader/bookmarks
    • migrating to php v7.4.33 need to test with 8.1
    • add Redis caching for daw
    • cron for analytics logs
  • radio.daw stream.daw
    • add a feature to convert rmtp stream to icecast
    • auth for redis radio chat
    • ssl support for icecast
  • block/switch port for rmtp with auth
  • add nginx to monit
  • Monit actions redirect to root /url
  • longview MariaDB conf
  • upgrade openssl https://nvd.nist.gov/vuln/detail/CVE-2023-0286
  • configure remote db connections for Redis/MariaDB
    • allow ip / auth
    • rename dangerous commands * see Note for redis about renaming

Migrationโ€‹

Transfer IP address - Docs
SCP (secure copy)

# add key on woozer
ssh-keygen ssh-keygen -t ed25519 -f ~/.ssh/tempkey
# on woozie
scp -P (port) -C -i ~/.ssh/tempkey -p -r user@ip.ip.ip.ip:/home/user/dir /home/user
scp -P (port) -C -i ~/.ssh/tempkey -p user@ip.ip.ip.ip:/home/user/file /home/user/dir

Systemโ€‹

Infoโ€‹

173.230.130.234
45.79.219.165
http://173.230.130.234
http://45.79.219.165
https://dev.davidawindham.com
2600:3c02::f03c:93ff:fefc:319e
Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-58-generic x86_64)
AMD EPYC 7542 32-Core Processor
8GB Ram 512 Swap / 200GB Storage

  • Woozie - Linode Initial Configuration - Completed Sat, 04 Feb 2023 22:08:07 GMT
  • Woozie - Deploy from distribution - Completed Sat, 04 Feb 2023 22:08:07 GMT
  • Woozie - Create Swap - Completed Sat, 04 Feb 2023 22:08:39 GMT
  • Woozie - System Boot - Ubuntu 22.04 LTS Disk - Completed Sat, 04 Feb 2023 22:08:40 GMT
*******@woozie:~ ยป lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Address sizes: 48 bits physical, 48 bits virtual
Byte Order: Little Endian
CPU(s): 4
On-line CPU(s) list: 0-3
Vendor ID: AuthenticAMD
Model name: AMD EPYC 7542 32-Core Processor
CPU family: 23
Model: 49
Thread(s) per core: 1
Core(s) per socket: 4
Socket(s): 1
Stepping: 0
BogoMIPS: 5799.99
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clf
lush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm rep_
good nopl cpuid extd_apicid tsc_known_freq pni pclmulqdq ssse3 fma cx16 sse
4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand
hypervisor lahf_lm cmp_legacy cr8_legacy abm sse4a misalignsse 3dnowprefet
ch osvw perfctr_core ssbd ibrs ibpb stibp vmmcall fsgsbase tsc_adjust bmi1
avx2 smep bmi2 rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xgetb
v1 xsaves clzero xsaveerptr wbnoinvd arat umip rdpid arch_capabilities
Virtualization features:
Hypervisor vendor: KVM
Virtualization type: full
Caches (sum of all):
L1d: 256 KiB (4 instances)
L1i: 256 KiB (4 instances)
L2: 2 MiB (4 instances)
L3: 64 MiB (4 instances)

Servicesโ€‹

service --status-all
service --status-all | grep '\[ + \]'
# list all services
systemctl list-units

Initโ€‹

ssh root@173.230.130.234
sudo apt-get update && sudo apt-get upgrade
sudo apt list --upgradable

sudo timedatectl set-timezone 'America/New_York'
root@localhost:~# date
Sat Feb 4 05:40:00 PM EST 2023

root@localhost:~# hostnamectl set-hostname woozie
root@localhost:~# logout
Connection to 173.230.130.234 closed.
david@ovid๐Ÿ› :~ ยป ssh root@173.230.130.234

adduser user
adduser user sudo
logout

david@ovid๐Ÿ› :~ ยป ssh user@173.230.130.234
sudo vi /etc/hosts

127.0.0.1 localhost
173.230.130.234 dev.davidawindham.com
2600:3c02::f03c:93ff:fefc:319e dev.davidawindham.com

mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/
logout
scp ~/.ssh/id_rsa.pub user@173.230.130.234:~/.ssh/authorized_keys
sudo chmod -R 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

# Block Logins
sudo vi /etc/ssh/sshd_config
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no
Port ####

sudo systemctl restart sshd

# zsh
sudo apt-get install zsh
sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
sudo vi .zshrc
theme dpoggi

# Longview
curl -s https://lv.linode.com/464AB0EC-097A-4D7C-BC23DB5CAD79C43A | sudo bash
sudo systemctl status longview
sudo systemctl start longview

# motd
cd /etc/update-motd.d
sudo vi windhamdavid.asc
sudo vi 05-windhamdavid
#!/bin/sh
printf "\n$(cat /etc/update-motd.d/windhamdavid.asc)\n"

sudo chmod +x /etc/update-motd.d/05-windhamdavid
sudo chmod 0644 /etc/update-motd.d/10-help-text
sudo chmod 0644 /etc/update-motd.d/50-motd-news
sudo chmod 0644 /etc/update-motd.d/88-esm-announce
sudo chmod 0644 /etc/update-motd.d/91-contract-ua-esm-status

Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-58-generic x86_64)

. . . . . .
. . ...-..-| |-. .-. .-.-..-| .-.. ...-|
` ` '' '`-'-' '-`-`-' ' '`-'-`-`-` '`-'-

System information as of Sat Feb 4 06:14:51 PM EST 2023

System load: 0.080078125
Usage of /: 1.7% of 156.92GB
Memory usage: 2%
Swap usage: 0%
Processes: 121
Users logged in: 0
IPv4 address for eth0: 173.230.130.234
IPv6 address for eth0: 2600:3c02::f03c:93ff:fefc:319e

0 updates can be applied immediately.

Shellโ€‹

cd ~
touch .vimrc
vi .vimrc
set tabstop=2
set shiftwidth=2
set expandtab

Systemdโ€‹

Packagesโ€‹

apt list --installed
apt list --upgradeable
apt list --installed | grep nginx

sudo apt-get update && sudo apt-get upgrade
sudo apt-get --with-new-pkgs upgrade

sudo apt-get clean && sudo apt-get autoremove
apt-get remove packagename
apt-get โ€“-purge remove packagename

rsyslogโ€‹

# move log to /var/log/iptables/iptables.log
sudo mkdir /var/log/iptables
sudo touch /var/log/iptables/iptables.log

# filter iptables.log
sudo vi /etc/rsyslog.d/10-iptables.conf
:msg, regex, "iptables: " -/var/log/iptables.log
& ~

# rotate iptables.log
sudo vi /etc/logrotate.d/iptables
/var/log/iptables.log
{
su root adm
rotate 4
daily
missingok
notifempty
compress
delaycompress
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}

sudo systemctl restart rsyslog

Securityโ€‹

ESM Proโ€‹

https://ubuntu.com/pro/tutorial

user@woozie:~ ยป pro --version
27.13.3~22.04.1
user@woozie:~ ยป pro security-status
785 packages installed:
759 packages from Ubuntu Main/Restricted repository
25 packages from Ubuntu Universe/Multiverse repository
1 package from a third party

# check an exploit
user@woozie:~ ยป pro fix CVE-2023-0286
CVE-2023-0286: OpenSSL vulnerabilities
https://ubuntu.com/security/CVE-2023-0286
1 affected source package is installed: openssl
(1/1) openssl:
A fix is available in Ubuntu standard updates.
The update is already installed.
โœ” CVE-2023-0286 is resolved.

Unattendedโ€‹

sudo vi /etc/apt/apt.conf.d/50unattended-upgrades
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
"${distro_id}:${distro_codename}-security";

Cronโ€‹

System keeps daily, a 2-7 day old, and 8-14 day old

# crontab
sudo crontab -e
# set path for crontab to run awk,zsh,etc..
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# lets encrypt renew every Monday at 1:01
11 1 * * 1 /usr/bin/certbot renew --quiet --noninteractive
# db optimize/backup every Sunday at 01:11
11 1 * * 0 /home/user/scripts/mysql-cron.sh
# monitor every morning at 06:00
00 6 * * * /home/user/scripts/monitor.sh
# monitor-archive every Sunday at 05:55 ( since weekly runs at 6:47 )
55 5 * * * /home/user/scripts/monitor-archive.sh

# mysql-cron.sh
#!/bin/sh
#Backup 'gg' to /home/user/backups/
mysqldump gg --user=******* --password='*******' > /home/user/backups/$(date +"%Y%m%d").gg.sql
#Optimize tables in 'gg'
mysqlcheck -o gg --user=******* --password='*******'

# monitor-cron.sh
#!/bin/sh
awk '$8=$1$8' /var/log/apache2/other_vhosts_access.log | goaccess -a -o /var/www/dev.davidawindham.com/html/**********/index.html - >> /home/*******/logs/cron.log 2>&1

goaccess /var/log/nginx/access.log -o /var/www/dev.davidawindham.com/html/monitor/nginx/index.html --log-format='%h %^[%d:%t %^] "%r" %s %b "%R" "%u" %T' >> /home/*******/logs/cron.log 2>&1

# monitor-archive.sh
#!/bin/sh
cp /var/www/dev.davidawindham.com/html/monitor/nginx/index.html /var/www/dev.davidawindham.com/html/monitor/nginx/$(date +"%y%m%d").html

cp /var/www/dev.davidawindham.com/html/monitor/index.html /var/www/dev.davidawindham.com/html/monitor/$(date +"%y%m%d").html



IPtablesโ€‹

#show iptables
sudo iptables -L
sudo ip6tables -L
# verbose
sudo iptables -vL
sudo ip6tables -vL

sudo iptables -L --line-numbers
sudo ip6tables -L --line-numbers
sudo iptables -L -nv --line-numbers

# delete rule by line#
sudo iptables -D INPUT (line number)

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

sudo ip6tables -A INPUT -i lo -j ACCEPT
sudo ip6tables -A INPUT ! -i lo -s ::1/128 -j REJECT

# Linode Loadbalancer / Longview
sudo iptables -A INPUT -s 192.168.255.0/24 -m state --state NEW -j ACCEPT
sudo iptables -A OUTPUT 1 -p tcp --dport 443 -d longview.linode.com -j ACCEPT

# ICMPtypes 3,8,11 - Echo, Ping, TTL
sudo iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT

sudo ip6tables -A INPUT -p icmpv6 -j ACCEPT

# Allow inbound traffic from established connections including ICMP error returns.
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log, prefix to sort, and limit to 5/min
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 7
sudo iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 7
sudo ip6tables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 7
sudo ip6tables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables: " --log-level 7

# Ports (duplicate for ip6tables)
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT (http)
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT (https)
sudo iptables -A INPUT -p tcp --dport #### -j ACCEPT (monit)
sudo iptables -A INPUT -p tcp --dport #### -j ACCEPT (monitor)
sudo iptables -A INPUT -p tcp --dport #### -j ACCEPT (ssh)
sudo iptables -A INPUT -p tcp --dport #### -j ACCEPT (rmtp proxy)
sudo iptables -A INPUT -p tcp --dport #### -j ACCEPT (stream proxy)
sudo iptables -A INPUT -p tcp --dport #### -j ACCEPT (nginx proxy)
sudo iptables -A INPUT -p tcp --dport #### -j ACCEPT (node proxy)

## reject all others
sudo iptables -A FORWARD -j REJECT
sudo iptables -A INPUT -j REJECT

sudo ip6tables -A FORWARD -j REJECT
sudo ip6tables -A INPUT -j REJECT

## make it persistent
apt-get install iptables-persistent

## make sure it's running
sudo systemctl is-enabled netfilter-persistent.service

sudo ls /etc/iptables
/etc/iptables/rules.v4
/etc/iptables/rules.v6

## Save current rules
sudo su -
iptables-save >/etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

## Restore rules
sudo /sbin/iptables-restore < /etc/iptables/rules.v4
sudo /sbin/iptables-restore < /etc/iptables/rules.v6

# re-save persistent
sudo dpkg-reconfigure iptables-persistent netfilter-persistent
sudo systemctl restart netfilter-persistent
Reboot to test iptables

# insert rules with line number
sudo iptables -L --line-numbers
sudo iptables -L -nv --line-numbers
sudo iptables -I INPUT (line-number) -p tcp --dport #### -j ACCEPT

Monitorโ€‹

# htop
sudo snap install htop

# netstat
sudo apt install netstat
sudo netstat -ntlp | grep -i 3000

Longviewโ€‹

sudo systemctl start longview

# mariadb support
sudo mysql -u root -p
mysql> CREATE USER '************'@'localhost' IDENTIFIED BY '****************';
mysql> Flush Privileges;
sudo vi /etc/linode/longview.d/MySQL.conf
sudo vi /opt/linode/longview/Linode/DataGetter/Applications/MySQL.pm
-> our $SIGNATURES = ['mariadbd']
sudo systemctl restart longview

GoAccessโ€‹

sudo apt-get install goaccess
sudo vi /etc/goaccess/goaccess.conf
# Set wss-url, ssl-key, etc.
# NCSA Combined Log Format with Virtual Host
log-format %v:%^ %h %^[%d:%t %^] "%r" %s %b "%R" "%u"

# block access
<Location /monitor/>
Require ip 0.0.0.0
</Location>

# cron to keep it updated for quick reference
sudo vi ~/user/scripts/monitor.sh
#! /bin/bash
goaccess /var/log/apache2/other_vhosts_access.log -o /var/www/dv.davidawindham.com/html/monitor/index.html >> /home/user/logs/cron.log 2>&1
goaccess /var/log/nginx/access.log -o /var/www/dv.davidawindham.com/html/monitor/nginx/index.html --log-format='%h %^[%d:%t %^] "%r" %s %b "%R" "%u" %T' >> /home/user/logs/cron.log 2>&1
# run daily @ 1:31am
sudo crontab -e
31 1 * * * /home/user/scripts/monitor.sh

# Nginx log format
sudo goaccess /var/log/nginx/access.log -o /var/www/dv.davidawindham.com/html/monitor/nginx/index.html --log-format='%h %^[%d:%t %^] "%r" %s %b "%R" "%u" %T'

# real time output
sudo goaccess /var/log/apache2/other_vhosts_access.log -o /var/www/dv.davidawindham.com/html/monitor/index.html --real-time-html

# from command line with no output daemonized
sudo goaccess /var/log/apache2/other_vhosts_access.log -o /var/www/dv.davidawindham.com/html/monitor/index.html --real-time-html --daemonize > /dev/null 2>&1 &

# add virtual hosts to requests
sudo awk '$8=$1$8' /var/log/apache2/other_vhosts_access.log | sudo goaccess -a -o /var/www/dv.davidawindham.com/html/monitor/index.html

Monitโ€‹

sudo apt-get install monit
sudo service monit stop/start/restart/reload/status all/check -t

sudo vi /etc/monit/monitrc
# 10 min intervals so as not to drain CPU and/or alert on manual restarts
set daemon 600
# 4 min delay start
with start delay 240

set alert email@email.com
set mailserver smtp.gmail.com port 587
username "email@email.com" password "application_specific"
using tls
set httpd port #### and
use address localhost
allow localhost
allow user:pass

# https://mmonit.com/wiki/Monit/ConfigurationExamples
sudo vi /etc/monit/conf.d/apache2.conf {etc}
check process mysql with pidfile /var/run/mysqld/mysqld.pid
start program = "/usr/sbin/service mysql start" with timeout 60 seconds
stop program = "/usr/sbin/service mysql stop"
if failed unixsocket /var/run/mysqld/mysqld.sock then restart
check process apache2 with pidfile /var/run/apache2/apache2.pid
start program = "/bin/systemctl start apache2" with timeout 60 seconds
start program = "/bin/systemctl stop apache2"
restart program = "/bin/systemctl restart apache2" with timeout 120 seconds
if children > 255 for 5 cycles then alert
if cpu usage > 95% for 5 cycles then alert
if failed port 80 protocol http then restart
check process php-fpm with pidfile /run/php/php8.1-fpm.pid
start program = "/usr/sbin/service php8.1-fpm start" with timeout 60 seconds
stop program = "/usr/sbin/service php8.1-fpm stop"
if failed unixsocket /var/run/php/php8.1-fpm.sock then restart
check process nginx with pidfile /var/run/nginx.pid
group www
group nginx
start program = "/etc/init.d/nginx start"
stop program = "/etc/init.d/nginx stop"
if failed port 8282 protocol http request "/" then restart
if 5 restarts with 5 cycles then timeout

sudo monit reload

sudo service monit status
โ— monit.service - LSB: service and resource monitoring daemon
Loaded: loaded (/etc/init.d/monit; generated)
Active: active (running) since Thu 2023-02-09 09:17:09 EST; 15min ago
Docs: man:systemd-sysv-generator(8)
Process: 5629 ExecStart=/etc/init.d/monit start (code=exited, status=0/SUCCESS)
Tasks: 2 (limit: 9405)
Memory: 2.4M
CPU: 123ms
CGroup: /system.slice/monit.service
โ””โ”€5635 /usr/bin/monit -c /etc/monit/monitrc

Blacklistโ€‹

see repo @ https://code.davidawindham.com/david/custom.d

# apache
sudo vi /etc/apache2/apache2.conf
######## GLOBAL BLACKLIST ##########
<Location "/">
AuthMerging And
Include custom.d/globalblacklist.conf
</Location>
sudo systemctl reload apache2

# nginx
sudo vi /etc/nginx/nginx.conf
include /etc/nginx/conf.d/*;
sudo vi /etc/nginx/sites-available/default
server {
include /etc/nginx/bots.d/blockbots.conf;
include /etc/nginx/bots.d/ddos.conf;
}
sudo systemctl reload nginx

Auditโ€‹

Lynisโ€‹

Webserverโ€‹

Apacheโ€‹

sudo apt install apache2
sudo vi /etc/apache2/apache2.conf
KeepAlive On
MaxKeepAliveRequests 50
KeepAliveTimeout 5
ServerName localhost

sudo a2dismod mpm_prefork
sudo a2enmod mpm_event

sudo vi /etc/apache2/mods-available/mpm_event.conf
<IfModule mpm_event_module>
StartServers 5
ServerLimit 25
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxRequestWorkers 600
MaxConnectionsPerChild 100000
</IfModule>

# List modules
sudo apachectl -L
sudo apachectl -M | grep mpm
sudo apachectl -M | sort

# configtest
sudo apachectl -t
sudo apachectl configtest

# status
sudo systemctl status apache2
sudo systemctl stop apache2
sudo systemctl start apache2
sudo systemctl status apache2

โ— apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2023-02-05 10:06:50 EST; 7s ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 2744 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 2748 (apache2)
Tasks: 53 (limit: 9406)
Memory: 4.6M
CPU: 58ms
CGroup: /system.slice/apache2.service
โ”œโ”€2748 /usr/sbin/apache2 -k start
โ””โ”€2753 /usr/sbin/apache2 -k start

Feb 05 10:06:50 woozie systemd[1]: Starting The Apache HTTP Server...
Feb 05 10:06:50 woozie systemd[1]: Started The Apache HTTP Server.
Apache/2.4.52 (Ubuntu) Server

# Disable default conf
sudo a2dissite 000-default.conf
sudo systemctl reload apache2

# Enable http2,headers,expires,rewrite
sudo a2enmod headers
sudo a2enmod expires
sudo a2enmod http2
sudo a2enmod rewrite

# Disable TLS 1.0 and 1.1
sudo a2enmod ssl
sudo vi /etc/apache2/mods-available/ssl.conf
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
sudo systemctl restart apache2

## server-status
sudo a2enmod status
sudo vi /etc/apache2/mods-enabled
<IfModule mod_status.c>
<Location /server-status>
SetHandler server-status
Require local
Require ip 127.0.0.1
Require ip ***.**.**.**
Require host dev.davidawindham.com
</Location>
<IfModule mod_proxy.c>
ProxyStatus on
</IfModule>
</IfModule>

## don't log longview/server-status/status
sudo vi /etc/apache2/conf-available/other-vhosts-access-log.conf
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined env=!dontlog
SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
SetEnvIf Remote_Addr "::1" dontlog
sudo vi /etc/apache2/sites-available/dev.dw.conf
SetEnvIf Request_URI "^/server-status*$" dontlog
SetEnvIf Request_URI "^/monit/$" dontlog

# change log rotation
sudo vi /etc/logrotate.d/apache2
daily -> weekly
create 640 root adm -> create 644 root adm
rotate 14 -> rotate 4
sudo logrotate /etc/logrotate.d/apache2

# truncate logs
sudo truncate -s 0 /var/log/apache2/*.log
sudo truncate -s 0 /var/log/linode/*.log
sudo truncate -s 0 /var/www/dev.davidawindham.com/log/*.log
sudo truncate -s 0 /var/www/code.davidawindham.com/log/*.log

Nginxโ€‹

see /docs/server/nginx

sudo apt install nginx

# change default host port
sudo vi /etc/nginx/sites-available/default
server {
listen **** default_server;
listen [::]:**** default_server;
}

# change log rotation
sudo vi /etc/logrotate.d/nginx
daily -> weekly
rotate 14 -> 4

# don't log local
sudo vi /etc/nginx/nginx.conf
http {
map $remote_addr $notlocal {
~^::1$ 0;
~^127.0.0.1$ 0;
default 1;
}
access_log /var/log/nginx/access.log combined if=$notlocal;
}

# rmtp module
sudo vi /etc/nginx/nginx.conf
rmtp {
server {
listen ****;
chuck_size 4096;
allow publish 127.0.0.1;
allow publish *.*.*.*;
deny publish all;
}
application live {
live on;
record off;

hls on;
hls_path /var/www/html/nginx/stream/hls;
hls_fragment 3;
hls_playlist_length 60;

dash on;
dash_path /var/www/html/nginx/stream/dash;:
}
}

sudo nginx -t
sudo service nginx reload

# truncate logs
sudo truncate -s 0 /var/log/nginx/*.log

Certbotโ€‹

sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

sudo certbot --apache -d domain.com -d www.domain.com
sudo certbot delete --cert-name the-ham.org
sudo systemctl restart apache2

# set cron to renew
sudo crontab -e
11 1 * * 1 /usr/bin/certbot renew --quiet --noninteractive

# issue where I had added www to subdomains and didn't have a DNS record
# modify the cert to remove the www
sudo certbot certonly --cert-name code.davidawindham.com -d code.davidawindham.com
An RSA certificate named code.davidawindham.com already exists. Do you want to
update its key type to ECDSA? (U)pdate

# to test
sudo certbot renew --dry-run

Devโ€‹

  • reroute the IP ( 000-default.conf ) to dev.daw.com
  • use .htaccess to protect directory but allow localhost
  • route status, server-status, nginx_status, monitor, & monit
AuthName "Uh... What'cha doing?"
AuthType Basic
AuthUserFile /var/www/dev.davidawindham.com/.htpasswd
<RequireAny>
Require ip 127.0.0.1
Require valid-user
</RequireAny>
sudo mkdir -p /var/www/dev.davidawindham.com/{html,log,backup}
sudo chown david:www-data -R /var/www/dev.davidawindham.com/
sudo chmod -R 755 /var/www/dev.davidawindham.com/html
sudo vi /etc/apache2/sites-available/dev.davidawindham.com.conf

<VirtualHost *:80>
ServerAdmin web@davidwindham.com
ServerName dev.davidawindham.com
ServerAlias www.dev.davidawindham.com
DirectoryIndex index.html index.php
Documentroot /var/www/dev.davidawindham.com/html

<Directory /var/www/dev.davidawindham.com/html>
Options Indexes FollowSymLinks
DirectoryIndex index.html index.php
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>

ProxyPreservehost On
ProxyRequests Off
ProxyPass /monit/ http://127.0.0.1:2812/ connectiontimeout=300 timeout=3-- Keepalive=On
ProxyPassReverse /monit/ http://127.0.0.1:2812/
<Location /monit/>
Require ip 0.0.0.0
ProxyPassReverseCookiePath / /monit/
</Location>

LogLevel warn
SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
SetEnvIf Remote_Addr "::1" dontlog
SetEnvIf Request_URI "^/server-status*$" dontlog
SetEnvIf Request_URI "^/monit/$" dontlog
ErrorLog /var/www/dev.davidawindham.com/log/error.log
CustomLog /var/www/dev.davidawindham.com/log/access.log combined env=!dontlog
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined env=!dontlog
</VirtualHost>

sudo a2ensite dev.davidawindham.com.conf
sudo certbot --apache -d dev.davidawindham.com -d www.dev.davidawindham.com

<VirtualHost *:443>
...
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/dev.davidawindham.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dev.davidawindham.com/privkey.pem
</VirtualHost>

sudo systemctl restart apache2

Codeโ€‹

see - /docs/host/gogs

sudo cp /home/******/gogs/scripts/systemd/gogs.service /etc/systemd/system/
sudo systemctl start gogs
sudo systemctl status gogs
โ— gogs.service - Gogs
Loaded: loaded (/etc/systemd/system/gogs.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2023-02-10 16:07:32 EST; 1min 36s ago
Main PID: 31027 (gogs)
Tasks: 7 (limit: 9405)
Memory: 39.7M
CPU: 381ms
CGroup: /system.slice/gogs.service
โ””โ”€31027 /home/******/gogs/gogs web

Feb 10 16:07:32 woozie systemd[1]: Started Gogs.
Feb 10 16:07:32 woozie gogs[31027]: 2023/02/10 16:07:32

Databasesโ€‹

MariaDBโ€‹

sudo apt install mariadb-server
sudo mysql_secure_installation
Change the root password? n
Remove anonymous users? y
Disallow root login remotely? y
Remove test database? y
Reload privilege tables now? y

sudo systemctl status mariadb
โ— mariadb.service - MariaDB 10.6.11 database server
Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2023-02-07 09:39:05 EST; 2min ago
Docs: man:mariadbd(8)
https://mariadb.com/kb/en/library/systemd/
Main PID: 19765 (mariadbd)
Status: "Taking your SQL requests now..."
Tasks: 8 (limit: 9406)
Memory: 61.0M
CPU: 690ms
CGroup: /system.slice/mariadb.service
โ””โ”€19765 /usr/sbin/mariadbd

sudo mysqladmin -p -u root version
mysqladmin Ver 9.1 Distrib 10.6.11-MariaDB, for debian-linux-gnu on x86_64
Server version 10.6.11-MariaDB-0ubuntu0.22.04.1
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /run/mysqld/mysqld.sock
Uptime: 5 min 38 sec

#obsure root user
sudo mariadb
mysql> rename user 'root'@'localhost' to '********'@'localhost';
mysql> ALTER USER '********'@'localhost' IDENTIFIED BY '********';
mysql> FLUSH PRIVILEGES;

# create new user
mysql> create user '********'@'localhost' identified by '********';
mysql> SELECT user,authentication_string,plugin,host FROM mysql.user;
mysql> GRANT ALL PRIVILEGES ON *.* TO '********'@'localhost' WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;
mysql> exit

# create longveiw user
sudo mysql -u root -p
mysql>CREATE USER 'linode-longview'@'localhost' IDENTIFIED BY '***********';
mysql>flush privileges;
mysql> exit

# /etc/mysql/my.cnf
[client]
default-character-set=utf8mb4

[mysql]
default-character-set=utf8mb4

[mysqld]
max_allowed_packet = 128M
character-set-client-handshake = FALSE
collation-server = utf8mb4_unicode_ci
init-connect = 'SET NAMES utf8mb4 COLLATE utf8mb4_unicode_ci'
character-set-server = utf8mb4
local-infile=0
bind-address = 127.0.0.1

# mysqltuner
wget -O /usr/bin/mysqltuner https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl

# phpmyadmin
CREATE USER 'pma'@'localhost' IDENTIFIED VIA mysql_native_password USING '********';
GRANT SELECT, INSERT, UPDATE, DELETE ON `database`.* TO 'pma'@'localhost';

PostgreSQLโ€‹

Redisโ€‹

sudo apt install redis-server
sudo vi /etc/redis/redis.conf
supervised systemd
bind 127.0.0.1 ::1
port ****

# generate a random since redis can process 150k per/sec
openssl rand 60 | openssl base64 -A
sudo vi /etc/redis/redis.conf
requirepass **************
sudo systemctl restart redis

sudo netstat -lnp | grep redis

# rename commands
sudo vi /etc/redis/redis.conf
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command DEBUG ""
rename-command CONFIG "CONFIG_*********"
rename-command SHUTDOWN "SHUTDOWN_*********"

# Command renaming (DEPRECATED).
# WARNING: avoid using this option if possible. Instead use ACLs to remove
# commands from the default user, and put them only in some admin user you
# create for administrative purposes.

# test
redis-cli
auth <Password>
exit

redis-cli -v
redis-cli 6.0.16
redis-server -v
Redis server v=6.0.16 sha=00000000:0 malloc=jemalloc-5.2.1 bits=64 build=a3fdef44459b3ad6
sudo systemctl status redis
โ— redis-server.service - Advanced key-value store
Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-02-16 08:19:37 EST; 1h 35min ago
Docs: http://redis.io/documentation,
man:redis-server(1)
Main PID: 285004 (redis-server)
Status: "Ready to accept connections"
Tasks: 5 (limit: 9405)
Memory: 2.6M
CPU: 13.535s
CGroup: /system.slice/redis-server.service
โ””โ”€285004 "/usr/bin/redis-server 127.0.0.1:****" "" "" "" "" "" "" "" "" "" "" "" "" "">

Feb 16 08:19:37 woozie systemd[1]: Starting Advanced key-value store...
Feb 16 08:19:37 woozie systemd[1]: Started Advanced key-value store.

Languagesโ€‹

Goโ€‹

sudo apt-get install golang-go
export PATH=$PATH:/usr/local/go/bin
go version
go version go1.18.1 linux/amd64

Nodeโ€‹

sudo apt install nodejs
node -v
v12.22.9
sudo apt install npm
npm -v
8.5.1

# add nvm to get an updated version
# used nodesource instead of nvm to bring it up to ver 18.16
# had to fix conflict with apt-cache policy

cd /etc/apt/sources.list.d
sudo rm nodesource.list

sudo apt --fix-broken install
sudo apt update
sudo apt remove nodejs
sudo apt remove nodejs-doc

cd ~
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs

david@woozie:~ ยป node --version
v18.16.0

PHPโ€‹

sudo apt install php libapache2-mod-php php-mysql
php -v
PHP 8.1.2-1ubuntu2.10 (cli) (built: Jan 16 2023 15:19:49) (NTS)
Zend Engine v4.1.2, with Zend OPcache v8.1.2-1ubuntu2.10

# php.ini
sudo vi /etc/php/8.1/apache2/php.ini
max_execution_time = 30
max_input_time = 60
memory_limit = 512M
post_max_size = 50M
upload_max_filesize = 50M
realpath_cache_size = 256k
realpath_cache_ttl = 3600
error_log = /var/log/php/error.log

sudo mkdir /var/log/php
sudo chown www-data /var/log/php

sudo systemctl restart apache2

# additional pkgs ( some already installed by default )
sudo apt install php-bcmath php-curl php-gd php-imagick php-intl php-json php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip
sudo apt install libpcre3 libpcre3-dev

## enable php8.1-fpm
sudo apt install php8.1-fpm
sudo a2enmod proxy_fcgi setenvif
sudo systemctl restart apache2
sudo a2enconf php8.1-fpm

sudo vi /etc/php/8.1/fmp/php.ini
sudo systemctl reload php8.1-fpm
sudo systemctl restart php8.1-fpm
sudo systemctl status php8.1-fpm
sudo systemctl restart apache2

version 7.4.33 - Needed this version for migration.

sudo apt -y install software-properties-common
sudo add-apt-repository ppa:ondrej/php

sudo apt install php7.4
sudo apt-get install -y php7.4-cli php7.4-json php7.4-common php7.4-mysql php7.4-zip php7.4-gd php7.4-mbstring php7.4-curl php7.4-xml php7.4-bcmath

# 7.4 php.ini
sudo vi /etc/php/7.4/apache2/php.ini

## enable php7.4-fpm
sudo apt install php7.4-fpm
sudo a2enconf php7.4-fpm.conf
sudo systemctl restart apache2

sudo systemctl start php7.4-fpm
sudo systemctl status php7.4-fpm

# SetHandler
sudo vi /etc/apache2/sites-enabled/etc.conf
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
</FilesMatch>
or
Include /etc/apache2/conf-available/php7.4-fpm.conf

Pythonโ€‹

python3
Python 3.10.6 (main, Nov 14 2022, 16:10:14) [GCC 11.3.0] on linux

Rubyโ€‹

Rustโ€‹