Archive

Archives pour 02/2017

How to Migrate a Web Server Running Apache, MySQL, WordPress and Drupal

24/02/2017 Comments off

Well folks its time that my old home hosted server is retired. Which means I have to migrate all of my 5 websites to a new server. Thanks to the way apache, MySQL WordPress and Drupal work, its easy.

1. Copy Apache Config Files

# ssh username@oldserver
# scp /etc/apache2/sites-available/ user@newserver:/etc/apache2/sites-available/

This will copy all the apache config files over to the new server. Now enable all the sites you copied by creating a symbolic link for each .config file you copied in sites-enabled.

# ln -s /etc/apache2/sites-available/yourwebsite.com.conf /etc/apache2/sites-enabled/yourwebsite.com.conf

or use the command a2ensite which does the same thing for you

# a2ensite yourwebsite.com

Restart apache for the changes to take effect.

# /etc/init.d/apache2 restart

2. Copy Your Websites

# scp -r /var/www/ username@newserver:/var/www

Default WordPress and Drupal installs are just files and we have now copied them across. However all the content, comments etc are stored within MySQL so lets migrate that now.

3. Migrate MySQL

Start by being logged into the old server.

# mysqldump --all-databases -u root -p > backup.sql
# scp backup.sql username@newserver:/home/username/
# ssh username@newserver
# mysql -u root -p < backup.sql

What we did here was use mysqldump to script every database and its contents into several sql commands. Then we copied them to the new server and piped them into the new sql server. All our databases, users and table contents have been imported. Magic.

4. DNS Migration

Now all you need to do is reconfigure your DNS servers to point to the new IP address. Chances are your not hosting your own DNS server so you will have to update them using your provider’s web interface. A word of advice though, create a new entry like test.yourdomain.com and point it to the new server first to make sure everything works.

Categories: Logiciel, Système Tags: ,

Easy Ubuntu 16.04 Server Firewall

23/02/2017 Comments off

If you read our previous article Easy Ubuntu Server Firewall, then you may have noted that on Ubuntu 16.04 the described method no longer works. This is due to systemd. In the article below we will walk through creating a persistent IPTables based firewall on Ubuntu 16.04 LTS. First we need to install some required software packages. As seen in the command below, install iptables-persistent. Next we will make netfilter-persistent run at boot. This is the most important step as it will ensure your rules are reloaded at boot time.

# Install IPTables Persistent Package
apt-get install -y iptables-persistent
# Add netfilter-persistent Startup
invoke-rc.d netfilter-persistent save
# Stop netfilter-persistent Service
service netfilter-persistent stop

Once the packages above are installed and the service is stopped, you will have a new directory at /etc/iptables/. This directory holds the IPTables filter rules that will be reloaded at boot time. These files are named rules.v4 and rules.v6 respectively. IPV4 rules are loaded into rules.v4 and IPV6 rules are loaded into rules.v6. For the purpose of this article we will focus on IPV4 rules. Next we will want to copy the rules below into our rules.v4 file. Of course the rules will need to be modified to fit your environment.

# Generated by iptables-save v1.3.3 on Wed Apr 9 10:51:08 2008
# Flush out any rules that are already in there
*filter
:INPUT ACCEPT [146:11332]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [104:9831]
 
# Allow internal loopback connections
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
 
# Allow pinging
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 
# Allow any outbound data, and any inbound data related to a connection that is already in use
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
 
# =========BEGIN SERVER SPECIFIC PORT OPEN RULES=========
# Allow SCP/SSH Access from Green & Blue Subnet
-A INPUT -s 172.16.12.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.10.12.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
 
# Allow HTTP Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
 
# Allow HTTPS Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
 
# Allow MySQL Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 3306 -j ACCEPT
 
# Allow FTP Access from Red Subnet/Internet
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 58000:58010 -j ACCEPT
# =========END SERVER SPECIFIC PORT OPEN RULES=========
 
# Drop everything that hasn't been picked up by one of the rules above
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP
 
COMMIT
# Completed on Wed Apr 9 10:51:08 2008

Lastly, in order for our new rules to take affect, we simply need to start the netfilter-persistent service as seen below. That’s it, you now have a fully functional IPTables based firewall.

# Start netfilter-persistent Service
service netfilter-persistent start

# Check if IPTables were applied
iptables -L

Getting started with Let’s Encrypt SSL Certificates on Ubuntu

23/02/2017 Comments off

This tutorial will guide you through your very first configuration of an SSL website with Let’s Encrypt certification. Let’s Encrypt is a new SSL authority that provides free SSL certificates. We are going to use two existing tutorials (“How to setup an intermediate compatible SSL website with Let’s Encrypt certificate” and “The Perfect Server – Ubuntu 15.10 (Wily Werewolf) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3”).

The setup described here is compatible with any Ubuntu LAMP server, so you can use this one as the basis setup too.

This tutorial will show you how to setup Let’s Encrypt on Servers without ISPConfig 3 as there will be a direct implementation of the Let’s Encrypt service in the next ISPConfig 3 release (version 3.1) soon. So if you plan to use ISPConfig, wait for the 3.1 release and also a new tutorial.

Creating the website

The 1st step is to create the website configuration and directory and enable SSL (Apache mod_ssl) for it. It’s up to you if you use the default configuration for one website on a server or you plan to use multiple vhosts to host more than one domain. For more reliable and scalable usage, I’ll create a vhost configuration for my “lab” domain isp1.cloudapp.net from Azure.

Lire la suite…

Categories: Sécurité, Système Tags:

Inotify: Efficient, Real-Time Linux File System Event Monitoring

21/02/2017 Comments off

Summary – or why should I monitor the filesystem at all?

The need to scan a given filesystem for changes is a fairly common one, and there are a variety of common tasks which require this, including:

  • Notifying applications of changes in configuration files
  • Tracking changes in critical system files
  • Monitoring overall disk usage on a partition
  • Automatic cleanup after a crash
  • Automatic triggering of backup processes
  • Sending notifications when the upload of a file to a server completes

A common approach to doing this sort of change notification is file polling, however this tends to be inefficient for all but the most frequently-changed files (since you have a guaranteed I/O every X seconds) and can miss certain types of changes (e.g. if the modification timestamp on a file isn’t changed). Data integrity systems like Tripwire track file changes based on a fixed time schedule, but the time-scheduled approach doesn’t work if you want to be notified every time it changes in real-time – just as an event takes place. A framework which fulfills that requirement is Inotify. In this article we will walk through how to use Inotify to monitor directories and trigger alerts on changes and present tools you might want to add to your personal toolbox.

Lire la suite…

Categories: Sécurité, Système Tags: