WEBVTT 1 00:00:00.120 --> 00:00:04.280 Welcome to the Deep Dive. We're the show where we 2 00:00:04.360 --> 00:00:06.839 tackle a big pile of source material. 3 00:00:06.440 --> 00:00:08.320 And we boil it all down for you, pulling out 4 00:00:08.359 --> 00:00:10.080 the key insights you need to. 5 00:00:10.039 --> 00:00:12.519 Know, basically saving you the reading time but giving you 6 00:00:12.560 --> 00:00:16.440 the knowledge exactly. And today we are diving into something 7 00:00:16.440 --> 00:00:22.280 pretty hands on excerpts from the Sendos six Linux Server cookbook. 8 00:00:23.160 --> 00:00:25.679 Think of it like a set of technical recipes. 9 00:00:25.359 --> 00:00:28.559 Right for getting a Linux server, specifically Cento six running 10 00:00:28.600 --> 00:00:29.760 and managed properly. 11 00:00:30.039 --> 00:00:32.399 So our mission, our goal for this deep dive is 12 00:00:32.439 --> 00:00:37.439 to unpack the core tasks, the fundamental knowledge from these excerpts. 13 00:00:37.600 --> 00:00:40.399 We want to pull out those key recipes that solve 14 00:00:40.479 --> 00:00:44.159 the common problems you'd face administering a CentOS six box. 15 00:00:44.560 --> 00:00:47.479 See what makes this guide useful and you spot the 16 00:00:47.520 --> 00:00:48.560 really interesting bits. 17 00:00:48.799 --> 00:00:51.280 It's like getting the chef's notes for building and running 18 00:00:51.280 --> 00:00:53.880 a server. Now. It is technical, no doubt about it, 19 00:00:54.159 --> 00:00:56.479 but we're going to translate the important stuff, highlight the 20 00:00:56.520 --> 00:00:59.880 core steps. Whether you're just curious about servers, or maybe 21 00:01:00.000 --> 00:01:01.719 you need to get up to speed quickly for work. 22 00:01:01.640 --> 00:01:03.880 Or you just want to understand those basic build of blocks. 23 00:01:04.280 --> 00:01:05.680 Right, let's dive in. 24 00:01:06.239 --> 00:01:09.799 Okay, so where better to start than the beginning installation. 25 00:01:10.359 --> 00:01:12.439 The source kicks off right there, and even before the 26 00:01:12.480 --> 00:01:17.120 actual install, it highlights something simple but easy to forget. 27 00:01:17.799 --> 00:01:19.319 Checking your installation media. 28 00:01:19.640 --> 00:01:22.840 Yeah, verifying the integrity using the MT five some tool. 29 00:01:22.879 --> 00:01:25.400 It mentions, it's like you wouldn't start cooking with ingredients 30 00:01:25.480 --> 00:01:26.560 you weren't sure we're good. 31 00:01:26.879 --> 00:01:30.760 Yeah, good point. Okay, so you've verified the download during 32 00:01:30.760 --> 00:01:33.159 the install itself. What are the key checkpoints? 33 00:01:33.400 --> 00:01:36.280 Well, the source stress is setting a proper host name. 34 00:01:36.640 --> 00:01:38.959 Don't leave it as localhost dot local domain. 35 00:01:39.079 --> 00:01:41.400 Oh yeah, that default is pretty useless on a network. 36 00:01:41.480 --> 00:01:44.599 Totally give it a real name early. Also, confirming your 37 00:01:44.640 --> 00:01:48.079 hard disk partitioning storage setup is fundamental. 38 00:01:48.159 --> 00:01:50.319 Get that wrong and you're in for a headache later. 39 00:01:50.480 --> 00:01:54.560 Definitely. And it touches on Grub the bootloader. Now, messing 40 00:01:54.640 --> 00:01:57.879 deeply with Grub can be tricky even for experienced people. 41 00:01:57.959 --> 00:02:00.680 Yeah right, but the book points out you can password 42 00:02:00.680 --> 00:02:04.519 protect Grub during installation. That's a nice little security win. 43 00:02:04.640 --> 00:02:07.200 Right at the start, the source seems to really push 44 00:02:07.280 --> 00:02:10.360 for a minimal install Why go minimal when there are 45 00:02:10.360 --> 00:02:12.240 those package groups you can just select? 46 00:02:12.520 --> 00:02:15.520 Ah, that's a core philosophy here It boils down to 47 00:02:15.599 --> 00:02:20.000 efficiency and really security security. How a minimal install gives 48 00:02:20.000 --> 00:02:23.639 you only the absolute bear essentials. The idea is it's 49 00:02:23.759 --> 00:02:27.000 much safer to add only what you need later, configuring 50 00:02:27.039 --> 00:02:29.439 it carefully as you go, instead. 51 00:02:29.080 --> 00:02:31.080 Of starting with a bunch of stuff you might not need, 52 00:02:31.159 --> 00:02:32.719 which could have vulnerabilities. 53 00:02:32.759 --> 00:02:36.800 Exactly, you reduce the initial attack surface. Fewer running services 54 00:02:36.800 --> 00:02:39.960 means fewer potential ways in for an attacker, makes sense. 55 00:02:40.199 --> 00:02:44.560 Less is more security wise? Okay, Minimal installed done? What 56 00:02:44.639 --> 00:02:47.039 are the first basic config steps. 57 00:02:46.919 --> 00:02:50.240 Post install essentials? The book hits things like changing the 58 00:02:50.280 --> 00:02:53.240 time zone use the subtle it command, then make it 59 00:02:53.280 --> 00:02:55.680 stick in your profile files like dot bash profile. 60 00:02:55.759 --> 00:02:58.080 You can use location names or the post six format 61 00:02:58.120 --> 00:02:59.360 like GMT five YEP. 62 00:02:59.400 --> 00:03:03.319 Both options are covered and related to time. Synchronizing the 63 00:03:03.360 --> 00:03:06.560 system clock with NTP, the Network Time Protocol. 64 00:03:06.199 --> 00:03:09.639 Crucial for logs security, lots of things rely on accurate 65 00:03:09.719 --> 00:03:10.560 time totally. 66 00:03:10.680 --> 00:03:13.840 You'd use the NTPD service, configure it in EXITCNTP dot 67 00:03:13.879 --> 00:03:16.919 com and you can check sync status with NTPPP. 68 00:03:17.159 --> 00:03:19.719 But NTP isn't there by default on a minimal install. 69 00:03:19.879 --> 00:03:22.039 Good point. The source notes that you'll need to yum 70 00:03:22.159 --> 00:03:22.919 install NTP. 71 00:03:23.120 --> 00:03:27.240 First, all right, networking the absolute backbone, setting a static 72 00:03:27.240 --> 00:03:31.479 IP address versus just letting DHP assign one. 73 00:03:31.680 --> 00:03:34.319 This is a key recipe for any server. The book 74 00:03:34.360 --> 00:03:38.800 shows editing the interface can fig like if cfg eth zero. Oh. 75 00:03:40.000 --> 00:03:42.759 The crucial bit is telling network manager to keep its 76 00:03:42.759 --> 00:03:45.000 hands off by setting NM controlled no. 77 00:03:45.360 --> 00:03:48.280 Ah. Okay, so you explicitly take control, right. 78 00:03:48.479 --> 00:03:50.879 Then you set boot proto none and manually put in 79 00:03:50.919 --> 00:03:55.080 your IPADR netmask and your gateway and epsconfit network predictable 80 00:03:55.199 --> 00:03:57.199 fixed address essential for a server. 81 00:03:57.360 --> 00:03:59.479 Got it? And then there's this thing called channel bonding 82 00:03:59.520 --> 00:04:00.360 Ethernet bonding. 83 00:04:00.520 --> 00:04:03.960 Yeah, that's about combining multiple network interfaces like two Ethernet 84 00:04:03.960 --> 00:04:05.719 ports into one logical interface. 85 00:04:05.840 --> 00:04:06.680 Why would you do that? 86 00:04:06.800 --> 00:04:10.199 Two main reasons redundancy If one cable or port fails, 87 00:04:10.240 --> 00:04:13.800 the other keeps working, or increased throughput, potentially doubling your bandwidth. 88 00:04:13.960 --> 00:04:15.719 Okay, And the source gives the setup steps. 89 00:04:15.960 --> 00:04:19.120 It gives the basics for creating the bond interface config 90 00:04:19.240 --> 00:04:23.199 ifcfg bond zero and loading the bonding kernel module. It 91 00:04:23.319 --> 00:04:27.439 sets remodprobe dot de bonding dot com. It mentions master 92 00:04:27.560 --> 00:04:30.879 and slave interfaces and that you might need to experiment 93 00:04:30.920 --> 00:04:33.399 with different bonding modes depending on your network switch and 94 00:04:33.439 --> 00:04:33.920 what you need. 95 00:04:34.120 --> 00:04:36.800 Sounds like something you need to test carefully. It also 96 00:04:36.839 --> 00:04:40.800 covers setting the fully qualified domain name FQDN yeah. 97 00:04:40.759 --> 00:04:43.519 Your server's full name on the network host name plus 98 00:04:43.560 --> 00:04:47.920 domain name. The book shows you edicisconfin network and echosts, 99 00:04:48.240 --> 00:04:50.720 and it throws in a reminder about valid characters and 100 00:04:50.839 --> 00:04:53.319 length for host names. Easy details to miss. 101 00:04:53.439 --> 00:04:56.639 Cylenex comes up next. Security Enhanced Linux big topic. 102 00:04:56.800 --> 00:05:00.720 It is very powerful mandatory access control system. The source 103 00:05:00.759 --> 00:05:03.399 introduces its purpose and shows how you can change its 104 00:05:03.439 --> 00:05:06.560 mode enforcing, permissive or disabled by editing. 105 00:05:06.639 --> 00:05:09.360 It sesses stanicfig but it also mentions reasons why you 106 00:05:09.439 --> 00:05:12.639 might disable it seems counterintuitive for security. 107 00:05:12.279 --> 00:05:16.839 Well, it acknowledges reality. Sometimes certain applications or say web 108 00:05:16.839 --> 00:05:19.600 hosting control panels, just don't work properly with the Linux 109 00:05:19.680 --> 00:05:23.160 enforcing rules. So while disabling it is a definite security hit, 110 00:05:23.560 --> 00:05:26.199 the book lists as an option if compatibility is a 111 00:05:26.240 --> 00:05:28.199 major roadblock, it's a tradeoff. 112 00:05:28.920 --> 00:05:32.040 Another potential tradeoff mentioned is disabling IPv six. 113 00:05:32.399 --> 00:05:35.959 Why IPv six is the future designed to fix IPv 114 00:05:36.079 --> 00:05:39.240 four running out of addresses, But as the source notes, 115 00:05:39.279 --> 00:05:41.920 maybe your network doesn't use it yet, or some services 116 00:05:41.959 --> 00:05:43.680 aren't fully compatible. 117 00:05:43.199 --> 00:05:45.240 So disabling it could simplify. 118 00:05:44.759 --> 00:05:48.800 Things potentially, yeah, maybe slightly. Less admin overhead removes one 119 00:05:48.959 --> 00:05:52.199 theoretical attack vector if it's unused. The book shows the 120 00:05:52.199 --> 00:05:56.240 configure edits IPv six il mit no IPv six io 121 00:05:56.279 --> 00:05:59.279 connecto no, but it clearly warns don't do this if 122 00:05:59.279 --> 00:06:03.120 you might need IP. Turning it back on isn't always straightforward. 123 00:06:02.759 --> 00:06:05.199 Right, another careful decision. Okay, that covers the initial install 124 00:06:05.240 --> 00:06:07.279 on basic setup. What about the day to day running 125 00:06:07.319 --> 00:06:11.000 of the server, users, packages, logs, that sort of thing. 126 00:06:11.199 --> 00:06:14.519 User management is first, and the big rule the source emphasizes, 127 00:06:14.879 --> 00:06:17.439 don't operate as the route user all the time, standard. 128 00:06:17.160 --> 00:06:19.439 Security practice, right, Create a regular admin. 129 00:06:19.279 --> 00:06:23.120 User exactly, use user AD and password. Then the book 130 00:06:23.120 --> 00:06:26.600 clarifies the difference between Sue and Pseudo. Very important distinction. 131 00:06:26.720 --> 00:06:29.720 Yes, Sue lets you become another user, including root if 132 00:06:29.759 --> 00:06:31.720 you know their password, full power. 133 00:06:31.560 --> 00:06:34.800 Right, whereas Pseudo leads a permitted user run specific commands 134 00:06:34.839 --> 00:06:37.920 with root privileges using their own password. 135 00:06:37.519 --> 00:06:39.800 And crucially, Pseudo logs everything. 136 00:06:39.759 --> 00:06:43.560 Audit trail precisely. Pseudo is much more granular and safer 137 00:06:43.759 --> 00:06:46.480 the source shows how you can restrict SUE access just 138 00:06:46.560 --> 00:06:50.199 to members of the wheel group by editing at setsepam 139 00:06:50.240 --> 00:06:53.879 dot DSU, and it points out that Pseudo isn't configured 140 00:06:53.879 --> 00:06:56.040 by default on Cento as six, so you actually have 141 00:06:56.120 --> 00:06:56.879 to set it up. 142 00:06:56.800 --> 00:06:59.279 Which you do using the pseudo to safely edit itt 143 00:06:59.279 --> 00:07:02.560 setus suitors an. These specific pseudo security tips highlighted. 144 00:07:02.720 --> 00:07:04.920 Yeah, it mentioned setting a timestamp come out so your 145 00:07:04.920 --> 00:07:08.360 pseudo authentication expires after a while, and setting required you 146 00:07:08.360 --> 00:07:11.560 which forces pseudo commands to be run from a proper terminal. 147 00:07:11.240 --> 00:07:14.360 Session ah, so not easily run from automated scripts or 148 00:07:14.439 --> 00:07:15.680 weird context exactly. 149 00:07:15.720 --> 00:07:18.519 Good protection. And it shows how to send all pseudologs 150 00:07:18.560 --> 00:07:21.240 to a dedicated file like varlog pseudo dot log for 151 00:07:21.319 --> 00:07:22.079 easier auditing. 152 00:07:22.360 --> 00:07:28.399 Makes sense. Then package management YUM the definitive package manager 153 00:07:28.680 --> 00:07:30.120 for CentOS six, the book. 154 00:07:30.000 --> 00:07:32.600 Says, and the beauty of Yum, which the source highlights 155 00:07:32.680 --> 00:07:36.399 is dependency resolution. You say YUM install something, and it 156 00:07:36.439 --> 00:07:39.199 figures out everything else that something needs and installs it 157 00:07:39.199 --> 00:07:40.000 all automatically. 158 00:07:40.360 --> 00:07:42.519 Takes a lot of the headache out of managing software, 159 00:07:42.879 --> 00:07:44.839 so updates are just YUM update. 160 00:07:44.680 --> 00:07:46.800 YEP and The source notes you usually don't need a 161 00:07:46.839 --> 00:07:51.000 full reboot after updates, though maybe restart specific services. 162 00:07:51.120 --> 00:07:54.800 Practical tip and cleaning the package cash with YUM clean 163 00:07:54.839 --> 00:07:55.680 all right. 164 00:07:55.879 --> 00:07:59.399 And automating updates using yumcron you can figure it, schedule 165 00:07:59.600 --> 00:08:02.600 at this confidgium cron, set it and forget it. 166 00:08:02.720 --> 00:08:06.160 Mostly automating maintenance is key. What about removing packages with 167 00:08:06.240 --> 00:08:08.519 yum remove any warnings there? 168 00:08:08.720 --> 00:08:11.560 Big warning? Always always read the list of packages Yum 169 00:08:11.560 --> 00:08:13.199 says it's going to remove, along with the one you 170 00:08:13.240 --> 00:08:15.439 asked for. Check those dependencies. 171 00:08:15.480 --> 00:08:17.439 You could acidentally rip out something critical. 172 00:08:17.160 --> 00:08:19.680 Easily, so pay attention to that summary before you hit 173 00:08:19.720 --> 00:08:20.240 you Good. 174 00:08:20.079 --> 00:08:23.800 Advice Finding packages uses yem search or yum list. What 175 00:08:23.879 --> 00:08:24.639 about yem. 176 00:08:24.399 --> 00:08:27.920 Provide ah Yum provides a super handy If you need 177 00:08:27.959 --> 00:08:31.839 a specific file or command, say easer bint pass would, 178 00:08:31.879 --> 00:08:34.080 but don't know which package it belongs to, you can 179 00:08:34.120 --> 00:08:36.600 do Yum provides us a spin pess wood and yum 180 00:08:36.639 --> 00:08:38.159 will tell you which package to install. 181 00:08:38.480 --> 00:08:41.919 Nice trick. The source also talks about adding extra repositories 182 00:08:41.960 --> 00:08:43.159 like epel or remy. 183 00:08:43.399 --> 00:08:46.720 Why do that because the defaults intos repositories are stable 184 00:08:46.799 --> 00:08:50.720 but sometimes conservative These third party repos like EPEL extra 185 00:08:50.720 --> 00:08:54.360 packages for enterprise Linux offer a much wider selection of software, 186 00:08:54.519 --> 00:08:55.639 often newer versions. 187 00:08:55.840 --> 00:08:58.159 But there's a catch. Conflicts. 188 00:08:58.440 --> 00:09:02.080 Yeah, potential conflicts. Two different repos might offer the same package, 189 00:09:02.120 --> 00:09:05.039 maybe different versions or built differently. This can cause problems. 190 00:09:05.080 --> 00:09:07.919 And the solution is that YUM plug in priorities package. 191 00:09:08.000 --> 00:09:10.519 That's the recommended way. You install that plug in. Then 192 00:09:10.559 --> 00:09:13.559 you edit the dot repo files in SCM dot repos 193 00:09:13.600 --> 00:09:17.039 dot D. For each repo you add a priority n line. 194 00:09:17.320 --> 00:09:19.519 Lower number means higher priority, so. 195 00:09:19.440 --> 00:09:22.879 You tell YUM check CentOS official first priority one, then 196 00:09:22.919 --> 00:09:26.600 EPEL Priority ten, then maybe remy priority twenty exactly. 197 00:09:26.879 --> 00:09:30.080 It helps YUM make sensible choices when there's overlap. You 198 00:09:30.120 --> 00:09:33.919 can also enable or disable repos entirely in those files 199 00:09:33.919 --> 00:09:35.159 with enabled one or zero. 200 00:09:35.320 --> 00:09:39.240 Okay. Moving to logs dot log Rotate essential The sources 201 00:09:39.360 --> 00:09:40.360 absolutely essential. 202 00:09:40.480 --> 00:09:44.039 Log files grow and grow Without rotation, they'd fill your 203 00:09:44.039 --> 00:09:47.679 disk and become useless. Log Rotate automates managing them. 204 00:09:47.759 --> 00:09:48.399 How does it work? 205 00:09:48.679 --> 00:09:51.679 It usually runs daily via cron. It checks its main 206 00:09:51.720 --> 00:09:55.480 config at a clog rotate dot com half and more importantly, 207 00:09:55.759 --> 00:09:59.000 the specific canfig files for different services in a cloak 208 00:09:59.080 --> 00:10:01.360 rotate dot D based on the rules in those. 209 00:10:01.200 --> 00:10:02.919 Files like how many old logs to keep? 210 00:10:03.080 --> 00:10:06.360 Yeah, things like rotate in keep in old logs, compress, 211 00:10:06.440 --> 00:10:08.440 zip up old logs size x, rotator if it hits 212 00:10:08.440 --> 00:10:11.600 size x. Note of empty, don't rotate a empty create 213 00:10:11.799 --> 00:10:14.120 make a new empty log file after moving the old one. 214 00:10:14.200 --> 00:10:16.639 And poster tate lets you run a command like telling 215 00:10:16.639 --> 00:10:18.120 a service to reopen its log file. 216 00:10:18.360 --> 00:10:20.799 Being able to rotate based on size not just time 217 00:10:20.919 --> 00:10:22.519 sounds useful for noisy service. 218 00:10:22.679 --> 00:10:23.879 Very practical, yes. 219 00:10:23.679 --> 00:10:27.159 Lastpit on core operations, dot memory checking usage and clear 220 00:10:27.200 --> 00:10:28.600 in the cash. 221 00:10:28.080 --> 00:10:31.000 Right free, MRM and TOP are your go two tools. 222 00:10:31.480 --> 00:10:34.279 The book explains the free output, pointing out that the 223 00:10:34.320 --> 00:10:37.279 line showing plus buffers cash gives you a better idea 224 00:10:37.440 --> 00:10:39.559 of memory actually available. 225 00:10:39.039 --> 00:10:43.120 To applications because Linux uses free RAM for disc cacheing. 226 00:10:42.960 --> 00:10:46.279 Exactly, which is good for performance. But sometimes you might 227 00:10:46.320 --> 00:10:49.159 want to see that cash cleared. The source gives the 228 00:10:49.159 --> 00:10:53.480 command sink first then echo three proxis VM drop caches? 229 00:10:53.720 --> 00:10:54.399 Is that risky? 230 00:10:54.600 --> 00:10:57.279 The book says it's generally safe, but it's not something 231 00:10:57.320 --> 00:11:00.679 to do Routinely. Clearing the cash means the system might 232 00:11:00.720 --> 00:11:04.240 have to reread stuff from disc immediately after, which can 233 00:11:04.320 --> 00:11:07.320 spike IO and CPU temporarily. Use it if you have 234 00:11:07.360 --> 00:11:08.600 a specific reason. 235 00:11:08.480 --> 00:11:11.200 And like updates. You can automate this cash clearing with 236 00:11:11.279 --> 00:11:12.080 crime yep. 237 00:11:12.120 --> 00:11:14.759 Put those commands in a script, schedule it with corontab e. 238 00:11:15.039 --> 00:11:16.240 Another maintenance recipe. 239 00:11:16.279 --> 00:11:20.480 Okay, solid foundation. Now security hardening before we even think 240 00:11:20.519 --> 00:11:23.080 about web servers or databases absolutely critical. 241 00:11:23.200 --> 00:11:26.759 The source spends good time here starting with SSH secure shell. 242 00:11:27.159 --> 00:11:28.679 The main way in remotely. 243 00:11:28.360 --> 00:11:30.919 Needs locking down. First step recommended. 244 00:11:30.600 --> 00:11:33.600 Deny root log in directly, set permit root log in 245 00:11:33.639 --> 00:11:36.919 no and ed centris config force logins as a normal user. 246 00:11:37.080 --> 00:11:40.039 Then use Pseudo much safer makes sense. 247 00:11:40.240 --> 00:11:42.519 Changing the default port away from twenty two. 248 00:11:42.600 --> 00:11:46.639 Also recommended change the port xxx line. It won't stop 249 00:11:46.639 --> 00:11:49.879 a determined attacker, but it cuts down hugely on automated bots. 250 00:11:49.919 --> 00:11:51.120 Hammering port twenty. 251 00:11:50.840 --> 00:11:53.360 Two easy win. What else for us is H. 252 00:11:53.559 --> 00:11:57.159 Limit who can log in, use allow users or allow groups, 253 00:11:57.159 --> 00:12:00.399 and should config to specify exactly which users are groups 254 00:12:00.399 --> 00:12:03.519 are allowed SSH access, restrict the entry points right and 255 00:12:03.559 --> 00:12:05.759 maybe add a warning banner using banner et ceter mud 256 00:12:05.840 --> 00:12:07.679 and show the last log in time with print last 257 00:12:07.720 --> 00:12:12.000 log yes, remind users document access and always service first 258 00:12:12.080 --> 00:12:13.039 restart after changes. 259 00:12:13.120 --> 00:12:15.600 Okay beyond SSH the firewall ip. 260 00:12:15.480 --> 00:12:19.639 Tables installed by default on CentOS six powerful chain base filtering. 261 00:12:19.960 --> 00:12:21.600 The book guides through setting. 262 00:12:21.320 --> 00:12:23.840 Up rules, starting with allowing in central traffic yeah like. 263 00:12:23.799 --> 00:12:26.080 Loop back traffic for the server to talk to itself, 264 00:12:26.120 --> 00:12:29.799 I aload, maybe traffic from specific trusted ips manas for source, 265 00:12:29.879 --> 00:12:34.120 oilers D for destination, and crucially allowing established connections m 266 00:12:34.200 --> 00:12:37.720 state's late establish related so ongoing traffic works. 267 00:12:37.440 --> 00:12:40.720 And then opening specific ports for your services TCB twenty 268 00:12:40.759 --> 00:12:43.360 two for SSH, eight ERROOHO four four. 269 00:12:43.240 --> 00:12:46.080 Three for web exactly you poke holes only for what 270 00:12:46.120 --> 00:12:49.399 you need, TCP port fifty three, UDP fifty three for DNS, 271 00:12:49.679 --> 00:12:53.080 TCP twenty five for SMTP mail, UDP one twenty three 272 00:12:53.120 --> 00:12:54.279 for MTP and so. 273 00:12:54.240 --> 00:12:56.360 On, and the most important principle. 274 00:12:55.960 --> 00:12:59.240 Set the default policy to drop iptable's dash P input, 275 00:12:59.320 --> 00:13:03.759 drop fiptible dash P fourward drop, deny everything unless explicitly allowed, 276 00:13:03.919 --> 00:13:06.039 the secure default and save the rules. 277 00:13:05.840 --> 00:13:08.840 The service syptables save makes them permanent across reboots. Service 278 00:13:08.879 --> 00:13:12.279 Emptable's restart applies changes now. The book also shows simple 279 00:13:12.360 --> 00:13:15.320 rules to specifically allow or block certain IP addresses. 280 00:13:15.399 --> 00:13:18.720 What about automating defense against attacks? Fail to ban into 281 00:13:18.759 --> 00:13:19.840 my hosts great tools? 282 00:13:19.879 --> 00:13:22.200 Fail to ban is really versatile. It watches log files, 283 00:13:22.200 --> 00:13:24.799 not just SSH but others too, for patterns like repeated 284 00:13:24.799 --> 00:13:27.120 failed logins and then what when it sees too many 285 00:13:27.120 --> 00:13:30.000 failures from one IP, automatically adds an IP tables rule 286 00:13:30.039 --> 00:13:31.320 to block that IP for a while. 287 00:13:31.399 --> 00:13:32.519 Wow active defense. 288 00:13:32.600 --> 00:13:34.879 Yeah, you can figure it in jail dot com set 289 00:13:34.879 --> 00:13:37.080 things like ban time, how long the block lasts, and 290 00:13:37.320 --> 00:13:40.399 max freetree how many failures trigger the ban. Can also 291 00:13:40.480 --> 00:13:43.720 send email alerts. SSH is usually covered by default, and 292 00:13:43.799 --> 00:13:44.960 deny hosts is. 293 00:13:44.960 --> 00:13:49.000 It similar similar, but specifically focused on SSH dictionary attacks. 294 00:13:49.039 --> 00:13:52.600 It also watches logs, blocks ips. The source says it's simpler, 295 00:13:52.720 --> 00:13:56.360 smaller footprint. Can figure it in deny hosts dot cfg. 296 00:13:56.960 --> 00:14:00.679 Mainly just setting your email, but it warns be careful 297 00:14:00.679 --> 00:14:01.759 not to block your own IP. 298 00:14:02.159 --> 00:14:06.600 Huh yeah, that would be. Lastly, on security, anti virus 299 00:14:07.120 --> 00:14:08.639 clam av right. 300 00:14:08.720 --> 00:14:12.000 Linux servers aren't immune to hosting or passing on malware, 301 00:14:12.080 --> 00:14:15.720 even if they don't run typical Windows viruses, so scanning 302 00:14:15.799 --> 00:14:17.399 is wise. Clam scan is the. 303 00:14:17.320 --> 00:14:19.639 Command and the source gives a script to automate scanning 304 00:14:19.679 --> 00:14:20.360 certain directories. 305 00:14:20.440 --> 00:14:23.679 Yep, clamaf dotsh example, log the results and you'd schedule 306 00:14:23.679 --> 00:14:25.960 that script with Karan automating security checks. 307 00:14:26.120 --> 00:14:29.720 Okay, foundations laid, system hardened. Now let's look at setting 308 00:14:29.799 --> 00:14:33.600 up the actual server roles databases. First, my squall and Postgres. 309 00:14:33.240 --> 00:14:36.440 Scool common requirements for my squel. The source covers the 310 00:14:36.480 --> 00:14:39.360 install YUMP install my skull server, making sure it starts 311 00:14:39.399 --> 00:14:41.440 on boot and can fig my squold on and starting 312 00:14:41.480 --> 00:14:44.519 it serves my squoiled start. Then a critical next step my. 313 00:14:44.559 --> 00:14:45.639 School secure installation. 314 00:14:45.879 --> 00:14:48.759 Absolutely, don't skip the script, the book explains. It walks 315 00:14:48.759 --> 00:14:52.039 you through setting the root password, removing anonymous users, blocking 316 00:14:52.039 --> 00:14:56.159 remote root log in, removing test databases, essential hardening, and. 317 00:14:56.080 --> 00:14:59.240 Then creating databases and users from the mychocal command line. 318 00:14:59.360 --> 00:15:02.519 Yes, it's show the sequel. Create database dB name, create 319 00:15:02.639 --> 00:15:06.799 user at host identified by password, and grant privileges on 320 00:15:06.919 --> 00:15:09.120 dB name to user at host. 321 00:15:09.120 --> 00:15:12.279 Granting specific permissions, not just giving everyone full. 322 00:15:12.080 --> 00:15:16.720 Access exactly, and importantly, run flush privileges to apply those 323 00:15:16.759 --> 00:15:18.440 grants without restarting my school. 324 00:15:18.480 --> 00:15:20.639 What about postgres School? Similar process? 325 00:15:20.679 --> 00:15:24.720 Pretty similar? Start install the packages POSTGRESCOO server Postgres school contrib, 326 00:15:25.039 --> 00:15:28.240 initialize the database cluster service Postgres school in and at BB, 327 00:15:28.759 --> 00:15:31.559 enable and start the service. Then use preachers and created 328 00:15:31.600 --> 00:15:34.440 bataka commands and interact with PCL. 329 00:15:35.000 --> 00:15:38.440 How does remote access work for Postgres School's different from 330 00:15:38.440 --> 00:15:39.879 my squel's user grants? Right? 331 00:15:40.240 --> 00:15:43.320 Yes, it uses a host based authentication system. You can 332 00:15:43.360 --> 00:15:46.720 figure it in the PGHPA dot com file. The book 333 00:15:46.720 --> 00:15:49.320 shows how to edit this file to allow connections from 334 00:15:49.480 --> 00:15:54.679 certain IP addresses or networks postlines and specify the authentication 335 00:15:54.759 --> 00:15:57.320 method often MD five for password encryption. 336 00:15:57.679 --> 00:16:01.039 Got it okay? Switching to email post Fix and DOFCOT. 337 00:16:01.120 --> 00:16:05.200 The standard combo Postfix is the MTA, the Mail Transport Agent. 338 00:16:05.320 --> 00:16:07.960 It handles the sending and receiving between servers. 339 00:16:08.120 --> 00:16:10.720 Configure it in main dot CF to handle mail for 340 00:16:10.759 --> 00:16:11.240 your domain. 341 00:16:11.480 --> 00:16:14.759 Right, set interior faces all to listen on all network interfaces. 342 00:16:14.799 --> 00:16:17.120 Define your domains in my destination and. 343 00:16:17.080 --> 00:16:19.440 The book has that cool talent trick for testing SMTP. 344 00:16:19.720 --> 00:16:22.320 Yeah, connect to port twenty five using telnet and manually 345 00:16:22.360 --> 00:16:26.919 type SMTT commands like all mail from dot RCPT two 346 00:16:27.240 --> 00:16:29.879 dot data. Great way to check if postfix is alive 347 00:16:29.919 --> 00:16:30.919 and responding correctly. 348 00:16:31.039 --> 00:16:34.279 Okay, so Postfix moves the mail Dovecot lets users access 349 00:16:34.320 --> 00:16:34.799 it exactly. 350 00:16:34.879 --> 00:16:38.240 Dovecot provides the IMP and pop three services that email 351 00:16:38.279 --> 00:16:41.440 clients connect to install it. You installed dovecot enable it. 352 00:16:41.720 --> 00:16:44.799 Configuration is in dovecot dot CF and its confaft dot. 353 00:16:44.679 --> 00:16:47.240 D directory key Dovecot settings mentioned. 354 00:16:47.000 --> 00:16:50.600 Enabling protocols, protocols, map pop three, setting the mail location, 355 00:16:51.039 --> 00:16:55.480 mail location, mail dear, and interestingly for basic local user setups, 356 00:16:55.840 --> 00:16:59.320 allowing plaintext authentication disable plaintextos as you. 357 00:16:59.440 --> 00:17:00.840 Know, plan text passwords. 358 00:17:00.879 --> 00:17:03.879 Isn't that bad over the open Internet? Yes, absolutely, but 359 00:17:03.919 --> 00:17:06.400 the context here seems to imply for local clients or 360 00:17:06.440 --> 00:17:10.200 scenarios where maybe TLS is enforced. Elsewhere, It's another one 361 00:17:10.200 --> 00:17:13.359 of those configuration choices with security implications depending on. 362 00:17:13.319 --> 00:17:16.039 Your setup, and Postfix needs to use dovecot to check 363 00:17:16.119 --> 00:17:20.960 passwords when users try to send mail SMTPAUA. 364 00:17:19.880 --> 00:17:23.559 Correct you set up SASL authentication in postfixes main dot CF, 365 00:17:23.640 --> 00:17:27.759 telling it to use dovecot via settings like SMTPD, sysyl type, SMTP, 366 00:17:27.920 --> 00:17:29.839 saslpath SMTPD and solventable. 367 00:17:29.880 --> 00:17:33.240 The book also touches on basic spam filtering in Postfix yes. 368 00:17:33.319 --> 00:17:35.880 Using header checks and body checks to define rules that 369 00:17:35.920 --> 00:17:38.880 match patterns and email headers or content to block or 370 00:17:38.880 --> 00:17:39.559 flag spam. 371 00:17:39.720 --> 00:17:42.720 Very practical. What about handling multiple domains on one server 372 00:17:42.880 --> 00:17:43.759 virtual domains? 373 00:17:43.839 --> 00:17:46.000 This is a really common need. The source shows how 374 00:17:46.039 --> 00:17:49.000 to set this up efficiently. You list your extra domains 375 00:17:49.039 --> 00:17:52.079 in virtualace domains in main dot CF. Then you create 376 00:17:52.119 --> 00:17:55.279 a mapping file, usually et cetera, a postfix virtual. 377 00:17:55.000 --> 00:17:57.160 And in that file you list email addresses and the 378 00:17:57.200 --> 00:17:59.759 system user they map too, like sales at otherdomain dot 379 00:17:59.759 --> 00:18:01.759 com on real user one exactly. 380 00:18:02.240 --> 00:18:05.240 Then you run postmap etc postfix virtual to create a 381 00:18:05.319 --> 00:18:08.720 database file. Postfix can read quickly, and you tell postfix 382 00:18:08.720 --> 00:18:11.240 where that map is using virtual as maps equals hash 383 00:18:11.319 --> 00:18:14.839 dot ECC postfix virtual. The book notes you can handle 384 00:18:14.880 --> 00:18:16.079 tons of domains this way. 385 00:18:16.119 --> 00:18:18.039 Can you even set up catch all addresses. 386 00:18:17.680 --> 00:18:21.599 Yep at domain dot com catchallser simple aliases for system 387 00:18:21.680 --> 00:18:25.400 users go in achiliuses, then run nualliuses. 388 00:18:24.880 --> 00:18:27.640 And tools for sending mail from the command line mail. 389 00:18:27.599 --> 00:18:30.240 X or MUTT standard tools. MUD is mentioned for handling 390 00:18:30.279 --> 00:18:33.880 attachments and forwarding roots mail using a rude dot forward file. 391 00:18:34.160 --> 00:18:36.359 All essential mail admin tasks. 392 00:18:36.039 --> 00:18:38.680 Okay onto the web server a patchegtpd, the. 393 00:18:38.720 --> 00:18:42.640 Classic install HTTPD, maybe mod Perl, definitely the PHP package 394 00:18:42.640 --> 00:18:46.079 for Php support. Configure the basics in httpd dot com. 395 00:18:46.119 --> 00:18:48.319 How do you make sure a patchee serves Php files. 396 00:18:48.519 --> 00:18:51.880 Add index dot php to the directory index directive in 397 00:18:52.119 --> 00:18:54.839 hgtpd dot com. That tells a patchy to look for 398 00:18:54.880 --> 00:18:57.559 index dot php as a default page in a directory. 399 00:18:58.039 --> 00:19:01.680 And the book suggests creating a quick phpinfo dot php 400 00:19:01.839 --> 00:19:05.519 file in your web root forw optimilo just to test 401 00:19:05.640 --> 00:19:06.559 PHP is working. 402 00:19:06.680 --> 00:19:10.039 Securities paramount for web SSL https absolutely. 403 00:19:10.039 --> 00:19:12.319 The source shows how to create a self signed certificate 404 00:19:12.400 --> 00:19:15.160 using OpenSSL. You install modsel first. 405 00:19:15.359 --> 00:19:17.720 This is it for public sites, right, browsers won't trust it. 406 00:19:17.640 --> 00:19:20.599 Correct, you'd get a cert from a proper certificate authority 407 00:19:20.599 --> 00:19:23.319 for a public site. But this recipe shows the process 408 00:19:23.319 --> 00:19:27.160 of generating the private key and the certificate file opensell rec. 409 00:19:27.200 --> 00:19:30.359 Asking for country Org and the crucial common name your 410 00:19:30.400 --> 00:19:32.480 server's domain or IP exactly. 411 00:19:32.759 --> 00:19:35.839 Then you can figure apaches ssl dot com file, telling 412 00:19:35.880 --> 00:19:39.079 it where the certificate SSL certificate file and private key 413 00:19:39.240 --> 00:19:42.359 SSL certificate keyfile are, and a vital step crab mod 414 00:19:42.359 --> 00:19:44.720 four hundred on those keysert files. So only root can 415 00:19:44.759 --> 00:19:46.400 read them protect that private key. 416 00:19:46.480 --> 00:19:49.880 What about user directories that username url style. 417 00:19:49.880 --> 00:19:52.880 Yeah, modu thirdter comment on shirt hosting, you uncommon this 418 00:19:53.039 --> 00:19:56.240 line and httpd dot com to include conf dot do 419 00:19:56.359 --> 00:19:59.720 ser dot com, then potentially edit that file. The book 420 00:19:59.759 --> 00:20:03.519 even includes a troubleshooting tip about suxx sometimes causing issues 421 00:20:03.880 --> 00:20:07.279 and how to find and maybe temporarily disable it if needed. 422 00:20:07.839 --> 00:20:09.200 Very practical detail. 423 00:20:08.920 --> 00:20:12.359 And the big one for hosting multiple sites. Name based 424 00:20:12.519 --> 00:20:14.240 virtual hosts fundamental. 425 00:20:14.480 --> 00:20:16.839 Let's want a patche server on one IP address handle 426 00:20:17.000 --> 00:20:20.279 many different websites. You tell apatche and httpd dot com 427 00:20:20.279 --> 00:20:24.279 to include config files from say, httpdv hosts dot. 428 00:20:24.079 --> 00:20:26.000 E, and then create a dot com file in there 429 00:20:26.039 --> 00:20:27.000 for each website. 430 00:20:27.119 --> 00:20:29.720 Right inside each file's virtual host block, you set things 431 00:20:29.799 --> 00:20:33.000 like server admin, email, server name, the main domain server 432 00:20:33.079 --> 00:20:36.599 alias like www dot domain dot com, document root where 433 00:20:36.640 --> 00:20:39.160 the site's files live, and separate airlog and custom log 434 00:20:39.160 --> 00:20:41.519 files for that specific site. It's the blueprint for multi 435 00:20:41.559 --> 00:20:42.119 site hosting. 436 00:20:42.279 --> 00:20:44.279 Just need to put an index dot html or index 437 00:20:44.480 --> 00:20:47.880 php in that document root exactly. Last server role FTP 438 00:20:48.039 --> 00:20:49.119 with vs FTP. 439 00:20:49.200 --> 00:20:52.640 Very secure FTP dayman. The source praises it as fast 440 00:20:52.759 --> 00:20:57.079 light and secure install ym install, VSFTPD enable start. 441 00:20:56.799 --> 00:21:00.160 Basic config and VSFTPD dot com key settings. 442 00:21:00.039 --> 00:21:04.160 Turn off anonymous access a non emositable no, allow local 443 00:21:04.200 --> 00:21:09.000 system users, local YenS, allow uploads, writenable yes, and maybe 444 00:21:09.119 --> 00:21:11.400 enable ask moode for text file transfers. 445 00:21:11.680 --> 00:21:13.559 Security is always a worry with FTP. 446 00:21:13.440 --> 00:21:17.279 Crew essential set cruit local looser Yes. This locks users 447 00:21:17.319 --> 00:21:19.480 into their home directory so they can't wander around the 448 00:21:19.519 --> 00:21:20.440 server file system. 449 00:21:20.519 --> 00:21:22.160 Can you make exceptions. 450 00:21:21.720 --> 00:21:25.839 Yes, use crute listenable yess and define a fove cruitless 451 00:21:25.839 --> 00:21:29.960 file atcvs ftpdcruit list listing users who shouldn't be cruited. 452 00:21:30.119 --> 00:21:34.799 Managing logins uses ftpsers denied users and user list denied 453 00:21:34.920 --> 00:21:37.559 or allowed depending on user lists deny and you can 454 00:21:37.599 --> 00:21:40.119 customize the log in banner message standard stuff. 455 00:21:40.200 --> 00:21:42.880 Secure connections via ssltls are also covered. 456 00:21:42.960 --> 00:21:45.559 Similar to a patchy enable it point to this. Certain 457 00:21:45.640 --> 00:21:46.440 key files. 458 00:21:46.200 --> 00:21:50.359 YEP sleainable, YZS, VARSUS cert file, RSITE private key file 459 00:21:50.640 --> 00:21:53.920 encrypts the login and data transfer much safer than plain FTP. 460 00:21:54.119 --> 00:21:56.880 What about virtual users users not tied to system accounts? 461 00:21:57.319 --> 00:22:00.319 Very useful feature. The book shows the recipe set up 462 00:22:00.319 --> 00:22:03.400 a pamcnfig file for VSFTPD create a sex file with 463 00:22:03.480 --> 00:22:06.880 usernames and passwords logins dot txd hash it into a 464 00:22:06.960 --> 00:22:11.519 database dpload dot logins dot dB then tell VSFTPD in 465 00:22:11.559 --> 00:22:15.759 its config to use this database. Guestable wise map guests 466 00:22:15.759 --> 00:22:18.599 to a system. User guests user name of Peter point 467 00:22:18.640 --> 00:22:20.960 to the database user BPAs flever way. 468 00:22:20.799 --> 00:22:24.880 To manage lots of FTP only accounts. Other VSFTP tips. 469 00:22:24.680 --> 00:22:28.440 Hiding user group IDs, hides ye ss, allowing anonymous uploads 470 00:22:28.440 --> 00:22:31.799 securely by changing ownership chowne uploads, yuss chry to use 471 00:22:31.799 --> 00:22:36.319 her name, disabling recursive listings, also recursible to save resources 472 00:22:36.519 --> 00:22:39.559 and setting idle timeouts, Lots of practical config options. 473 00:22:40.160 --> 00:22:42.480 Okay. That covers the main technical recipes. The source also 474 00:22:42.480 --> 00:22:44.000 briefly mentions the book's reviewers. 475 00:22:44.039 --> 00:22:47.440 Yeah, just to give context, people from e commerce, government, IT, universities, 476 00:22:47.519 --> 00:22:50.559 tech QA folks like Ugo, Belevance, bin Wa, Benedetti, Frank 477 00:22:50.640 --> 00:22:53.640 Lemon real world experience behind these recipes, and. 478 00:22:53.599 --> 00:22:56.240 They apparently share an appreciation for open source fitting for. 479 00:22:56.200 --> 00:23:00.680 Sentas definitely and it mentions packed publishings focus on specific tech, 480 00:23:00.720 --> 00:23:04.480 their online library and an open source royalty scheme. Tying 481 00:23:04.519 --> 00:23:07.160 it back to that open source ethos, so quite. 482 00:23:06.920 --> 00:23:09.359 A detailed journey through send US six server admin. 483 00:23:09.759 --> 00:23:12.519 Via these excerpts, we really covered the life cycle, didn't 484 00:23:12.559 --> 00:23:14.759 we From install and basic config. 485 00:23:14.680 --> 00:23:18.039 Through daily ops, users, packages, logs, memory. 486 00:23:17.799 --> 00:23:21.319 Critical security, hardening, sship tables, fail. 487 00:23:21.119 --> 00:23:25.200 To ban, and then setting up the workhorses databases, mail, 488 00:23:25.440 --> 00:23:26.799 web FTP. 489 00:23:27.119 --> 00:23:30.359 This deep dive really pulled out those practical step by 490 00:23:30.359 --> 00:23:34.000 step guides the recipes you'd need for common Center six tasks. 491 00:23:34.160 --> 00:23:36.880 It's a good shortcut to understanding these components, and hopefully for. 492 00:23:36.839 --> 00:23:40.079 You listening, understanding these commanding and fig files gives you 493 00:23:40.079 --> 00:23:43.079 a sense of power, the ability to build secure many 494 00:23:43.119 --> 00:23:45.200 of these environments, or just understand them better. 495 00:23:45.240 --> 00:23:46.440 It demystifies a lot of it. 496 00:23:46.599 --> 00:23:48.480 Okay, here's a final thought to leave you with. We 497 00:23:48.559 --> 00:23:51.880 saw repeatedly with things like root log in, Selenix choices, 498 00:23:52.119 --> 00:23:56.400 plaintext off for local mail, disabling IPv six many recipes 499 00:23:56.440 --> 00:23:59.960 involved explicit trade offs convenience versus security. 500 00:23:59.559 --> 00:24:01.079 Usually HM that came up a lot. 501 00:24:01.440 --> 00:24:04.640 What does this constant need to make? These balancing acts 502 00:24:05.480 --> 00:24:09.200 tell us about the fundamental challenge of server administration keeping 503 00:24:09.240 --> 00:24:12.759 things working smoothly while also keeping them safe. It seems 504 00:24:12.799 --> 00:24:14.200 like a perpetual tightrope walk. 505 00:24:14.400 --> 00:24:17.240 Definitely something to chew on as you deal with servers 506 00:24:17.240 --> 00:24:18.000 in the real world. 507 00:24:18.160 --> 00:24:20.440 Thanks for joining us with a deep dive. Hope this 508 00:24:20.559 --> 00:24:21.559 was useful for you