This is how to setup a linux deployment system using pxe and saltstack. These directions are for a sandboxed virtual environment but are directly applicable to a production environment.

I’m recording this simple script I used here.

Keep console from blanking edit /etc/rc.local Add setterm -blank 0 above exit 0

Stop X from starting up Edit /etc/default/grub with your favorite editor, eg: nano:

sudo nano /etc/default/grub

Find out this line:

GRUB_CMDLINE_LINUX_DEFAULT=”quiet splash”

Change it to:

GRUB_CMDLINE_LINUX_DEFAULT=”text”

Update Grub:

sudo update-grub

you can start X by typing startx

Performance: mount /nsm on separate disk

This is the bare minimum firewall modifications you need to make to get remote shutdown working on a Windows 2012R2 Active Directory domain working.

I’ve been rsyncing the server data to a local vm in our esx cluster then backing up the vm. I ran out of disk so here are my notes to add a new thin provisioned disk.

I had mounted a 100 GB virtual disk on /backups, now I’m replacing it with a 300 GB virtual disk.

This is a simple setup to allow your designer ftp access to a web directory. The problem that I encountered was for a web server running wordpress. Apache runs as the user www-data with an id of 33 on Ubuntu 12.04. The wordpress files have to be ownership as the webserver for you to download and install updates through wordpress’s web interface. I guess I could just have the core wordpress files and the plugins directory and given the rest the user account permissions but I didn’t. The Pure-ftp server allow me to create virtual users and I can give them any uid, except 0 (root). For security, I would just allow from the designers ip address.

Collectd is the new cool kid of system monitoring tools.

apt-get install collectd collectd-utils

vi /etc/collectd/collectd.conf

service collectd restart

/var/ossec/bin/syscheck_update -u local

cd /var
mkdir www
cd www
cp -r /usr/share/doc/collectd/examples/collection3 .

apt-get install librrds-perl libconfig-general-perl libhtml-parser-perl  libregexp-common-perl
apt-get install fast-cgi
apt-get install spawn-fcgi fcgiwrap

location /nginx_status {
          stub_status on;
          access_log off;
          allow 127.0.0.1;
          deny all;
        }
		
		location ~ .cgi$ {
	        	root /var/www;
	        	fastcgi_pass unix:/var/run/fcgiwrap.socket;
	        	include /etc/nginx/fastcgi_params;
	    	}

		location /collection3/share/ {
			alias /var/www/collection3/share/;
		}

service nginx restart

1. Operating System
   • Minimal os install
   • Minimal services running
   • Disable IPv6
   • Ossec to watch filesystem integrity, monitor log files and watch for rootkits
   • Script to alert when os/package updates are needed (patching)
   • Firewall (iptables)
2. SSH
   • Harden the sshd config
3. Apache
   • Harden apache
4. MySql
   • Harden MySQL
5. Postfix
   • Configured as satellite, will only send email to our domain from our relay
6. Wordpress
   • Install security plugins
     1. iThemes Security
     2. Wordfence
     3. InfiniteWP
7. Backup
   • Backup database (mysql)
   • Backup file system (wordpress directory)
   • Document how to perform full recovery

The process to patch is to apt-get update. apt-get upgrade, then update ossec’s database. This might be automated in the future. I’m leaving the default ubuntu 12.04 AppArmor policies in place.

I want to put some of the KVM domains that I’ve been using a bridged network so I can access them on my LAN directly.

I’m using my old mac pro as my KVM server and it has two interfaces. I’m going to bridge the second interface.
Install bridge-utils:

Infected PHP Pages: I’ve been looking for infected php pages with this command:

find . -name "*.php" | xargs grep "gzinflate(base64_decode"

Basically, there’s malicious code inserted into the beginning of the php script and it is base64 enconded and compressed so if you look at the file, the first line looks like garbarge. There’s a backdoor on the system that keeps it coming back. I remove it with the following one liner: