
Stroopwafels & Raspberry Pie

Joomla & Raspberry Pi

Peter Martin, twitter: @pe7er, JandBeyond.org 2013, Sat June 1st 2013

Overview Presentation
1. Introduction
LAMP stack: 2. Raspbian 3. Nginx 4. MySQL 5. PHP 6. phpMyAdmin
7. Joomla 8. Performance 9. Security 10. Geeky stuff

>>> Sheets at: www.db8.nl <<<

1. Introduction Raspberry Pi
Goal: education. Today's engineers got their computer experience on home computers; for the youth of today, computer classes = operate software, click menus and swipe yourself to death ...

1. Introduction Raspberry Pi
Benefits

RPi:
small
dirt cheap: $35 / 38 Euro
low power (3.5 Watt)
no moving parts, silent
de facto standard (2 types)

Much documentation (Linux & RPi), many documented applications, much additional hardware, much software

1. Introduction Raspberry Pi
Hardware

Single-board computer, 700 MHz
RAM 512 MByte (1st version: 256 MByte)
Graphics: Broadcom VideoCore IV
Connections: SD card, micro USB power plug (5V 1A = 3.5 Watt), Ethernet, HDMI & RCA video, audio, 2x USB, GPIO

1. Introduction Raspberry Pi
Community: use, software, hardware, cases

LAMP Stack

LAMP -> LEMP stack

L = Linux: Raspbian (Debian for RPi)
E = Nginx [engine x] (instead of Apache)
M = MySQL
P = PHP
(+ phpMyAdmin)

2. Raspbian Linux Operating System

2. Raspbian
a) Installation
b) Connect to network
c) Update OS
d) Backup
e) Configuration
f) Internet access

2a. Raspbian
Download

Raspbian image from http://www.raspberrypi.org/downloads (470.72 MiB): 2013-02-09-wheezy-raspbian.zip
Compare the checksum published next to the download with that of the zip you fetched (e.g. with sha1sum) before writing it to a card.
Unzip to ~/rpi/2013-02-09-wheezy-raspbian.img (1.8 GB)

2a. Raspbian Installation SD Card

SD card: http://elinux.org/RPi_Easy_SD_Card_Setup (gparted: partition table, unformatted)
Determine the card's device location with dmesg
dd = "dump disk", CAREFUL: data destroyer! With the wrong of= it overwrites your hard disk instead of the card.
bs=BYTES (read and write BYTES bytes at a time)
if=FILE (read from FILE instead of stdin)
of=FILE (write to FILE instead of stdout)

2a. Raspbian Installation SD Card

$ dmesg
[..]
[   45.361488] wlan0: no IPv6 routers present
[  265.278325] mmc0: new high speed SDHC card at address 0002
[  265.284831] mmcblk0: mmc0:0002 7.68 GiB
[  265.284912]  mmcblk0: p1
$

2a. Raspbian Installation SD Card

Linux:   sudo dd bs=1M if=~/rpi/2013-02-09-wheezy-raspbian.img of=/dev/mmcblk0
Mac OSX: sudo dd bs=1M if=~/rpi/2013-02-09-wheezy-raspbian.img of=/dev/disk1
Windows: dd bs=1M if=c:\temp\2013-02-09-wheezy-raspbian.img od=e

Always target the whole card (Linux /dev/mmcblk0 or /dev/sdX, OSX /dev/diskN), never a partition such as /dev/mmcblk0p1 or /dev/disk1s1: the image carries its own partition table, and written inside an existing partition it will not boot. On OSX unmount the card first with diskutil unmountDisk.

2a. Raspbian Installation SD Card

$ sudo dd bs=1M if=~/rpi/2013-02-09-wheezy-raspbian.img of=/dev/mmcblk0
{+ 4.5 minutes later}
1850+0 records in
1850+0 records out
1939865600 bytes (1.9 GB) copied, 252.656 s, 7.7 MB/s
$ sudo sync
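Added example (not from the slides): a small shell wrapper around the dd step above. It refuses to write to anything Linux does not flag as a removable block device, unmounts auto-mounted partitions first, and reads the image-sized prefix of the card back to compare checksums, so a mis-typed of= or a silently incomplete write is caught before the card goes into the Pi. Image and device paths are placeholders; the removable-device check reads sysfs and is Linux-only.

```shell
#!/bin/sh
# Added example, not part of the original slides: flash an SD-card image
# and verify it. IMG is the unzipped Raspbian image, DEV the whole card
# (e.g. /dev/mmcblk0 or /dev/sdb, never a partition like /dev/mmcblk0p1).

# Linux exposes a per-device "removable" flag in sysfs (assumed present);
# a hard disk reports 0, so a typo in DEV is refused instead of wiped.
is_removable() {
    flag=$(cat "/sys/block/$(basename "$1")/removable" 2>/dev/null || echo 0)
    [ "$flag" = "1" ]
}

# Read back exactly the image's size from the device and compare SHA-256
# sums. The card is larger than the image, so only the written prefix is
# compared; the rest of the card is left unverified on purpose.
verify_image() {
    img=$1; dev=$2
    size=$(( $(wc -c < "$img") ))
    expected=$(sha256sum < "$img" | cut -d' ' -f1)
    actual=$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# The dd step from the slides, wrapped in the checks above. Run as root.
flash_image() {
    img=$1; dev=$2
    if ! is_removable "$dev"; then
        echo "refusing to write: $dev is not a removable device" >&2
        return 1
    fi
    # Unmount anything the desktop auto-mounted when the card was inserted.
    for part in "$dev"*[0-9]; do
        umount "$part" 2>/dev/null || true
    done
    dd bs=4M if="$img" of="$dev" conv=fsync || return 1
    sync
    verify_image "$img" "$dev"
}

# Usage (as root):
#   flash_image ~/rpi/2013-02-09-wheezy-raspbian.img /dev/mmcblk0
```

verify_image is the part worth keeping even if you flash by hand: it is the only way to know the card holds what the image holds, and it costs one more read of 1.9 GB.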

2b. Raspbian Connect your RPi

2b. Raspbian IP Address?

Android / iPhone: Overlook Fing

2b. Raspbian IP Address?

$ nmap -sP 192.168.0.0/24
Starting Nmap 5.00 ( http://nmap.org ) at 2013-04-07 14:15 CEST
Host 192.168.0.1 is up (0.0018s latency).
Host 192.168.0.14 is up (0.014s latency).
Host 192.168.0.15 is up (0.010s latency).
Host 192.168.0.16 is up (0.048s latency).
Host 192.168.0.17 is up (0.0092s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.94 seconds
$

2b. Raspbian SSH Login

$ ssh pi@192.168.0.16
The authenticity of host '192.168.0.16 (192.168.0.16)' can't be established.
RSA key fingerprint is 12:11:07:6b:c9:ac:ff:01:7b:2f:aa:a5:ef:02:c7:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.16' (RSA) to the list of known hosts.
pi@192.168.0.16's password: raspberry

Typing yes here trusts whatever answered on 192.168.0.16. On a fresh Pi in your own LAN that is acceptable; to be certain, compare the fingerprint with the output of ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on the Pi's own console. pi / raspberry are Raspbian's default credentials, which is why changing them is aspect 1 of section 9.

2b. Raspbian SSH Login

Linux raspberrypi 3.6.11+ #371 PREEMPT Thu Feb 7 16:31:35 GMT 2013 armv6l
The programs included with the Debian GNU/Linux system are free software;
[..]
NOTICE: the software on this Raspberry Pi has not been fully configured. Please run 'sudo raspi-config'
pi@raspberrypi ~ $

2b. Raspbian SSH Login

$ sudo raspi-config
1. expand_rootfs: use full capacity of the SD card
2. memory_split: shrink RAM for the GPU to 16 MB
Update & change password
<Finish> reboot

2c. Raspbian Update!

{update repository information}
pi@raspberrypi ~ $ sudo apt-get update
{takes 30 seconds}
{upgrade Raspbian OS}
pi@raspberrypi ~ $ sudo apt-get upgrade
{takes 22 minutes}

2d. Raspbian Backup SD Card

Shut down securely: $ sudo shutdown -h now
Remove the SD card & put it in the PC
Backup: $ sudo dd if=/dev/mmcblk0 of=~/rpi/sd-card-rpi-20130421.bin

The image is a byte copy of the whole card, including every password and key on it (later: the MySQL password in Joomla's configuration.php, the SSH host keys), so store it as carefully as the Pi itself.

2e. Raspbian Hostname

{change hostname raspberrypi -> rpi}
pi@raspberrypi ~ $ sudo nano /etc/hostname
  raspberrypi -> rpi
pi@raspberrypi ~ $ sudo nano /etc/hosts
  127.0.1.1 raspberrypi -> 127.0.1.1 rpi
{restart hostname process}
pi@raspberrypi ~ $ sudo /etc/init.d/hostname.sh start
pi@rpi ~ $

2e. Raspbian User & Password 1/2

pi@rpi ~ $ sudo passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
pi@rpi ~ $ exit
Logout
$ ssh root@192.168.0.16
{rename user & user directory}
root@rpi ~ # usermod -l peter pi
root@rpi ~ # usermod -m -d /home/peter peter

Root gets a password and an SSH login only because an account cannot be renamed while it is logged in; the next slide locks root again. Check /etc/sudoers afterwards: if it still grants NOPASSWD to pi, change or remove that line.

2e. Raspbian User & Password 2/2

{test new account}
$ ssh peter@192.168.0.16
peter@rpi ~ $ sudo apt-get update
{works ok? Disable root!!!}
peter@rpi ~ $ sudo passwd -l root
passwd: password expiry information changed.
peter@rpi ~ $ passwd
Changing password for peter.
(current) UNIX password:

passwd -l only locks root's password; it does not stop key-based root logins over SSH. Set PermitRootLogin no in /etc/ssh/sshd_config as well (aspect 4 of section 9).

2e. Raspbian Time Zone

peter@rpi ~ $ date
Sun Apr 21 11:15:00 UTC 2013
peter@rpi ~ $ sudo dpkg-reconfigure tzdata
Current default time zone: 'Europe/Amsterdam'
Local time is now:      Sun Apr  7 13:15:00 CEST 2013.
Universal Time is now:  Sun Apr  7 11:15:00 UTC 2013.
peter@rpi ~ $

2f. Raspbian Internet access

Diagram:
Internet DNS: petermartin.nl, A record -> the modem/router's Internet IP (unknown at first: ?.?.?.?; look it up with www.whatsmyip.org, e.g. 1.2.3.4)
Modem/router: Internet IP 1.2.3.4, LAN IP 192.168.0.1
LAN: Raspberry Pi 192.168.0.x (later fixed to 192.168.0.9)

2f. Raspbian Internet access

Modem/router firewall > port forwarding:
SSH traffic   = IP 192.168.0.9, port 22
Web traffic   = IP 192.168.0.9, port 80
Https traffic = IP 192.168.0.9, port 443
Raspberry Pi: static IP

Forwarding port 22 puts the Pi's SSH on the public Internet; the password guessing against root in the auth.log of section 9 is what arrives through it. Forward it only with a strong password and, better, key-only login (section 9, aspect 10), or leave it closed and use SSH from the LAN.

2f. Raspbian Static IP Address

peter@rpi ~ $ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0

peter@rpi ~ $ sudo nano /etc/network/interfaces
{change:}
iface eth0 inet dhcp
{to:}
iface eth0 inet static
    address 192.168.0.9
    netmask 255.255.255.0
    gateway 192.168.0.1

3. Nginx webserver

3. Nginx

Nginx [engine x]
High performance: dynamic pages = FAST & static = very FAST!
Low memory usage (useful on the RPi!)
Easy configuration
Automatic configuration test after changes
Reverse proxy capabilities

Nginx popularity (netcraft.com May 2013):
> 100 million sites, 15.5% of all sites (Apache 53%, IIS 16.6%)
Top million busiest websites: 1. Apache 57.4% 2. Nginx 13.5% 3. Microsoft 12.3%

3. Nginx Popularity

3. Nginx Installation
peter@rpi ~ $ sudo apt-get install nginx
Reading package lists... Done
[..]
Need to get 2,132 kB of archives.
After this operation, 6,200 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
[..]
Setting up nginx (1.2.1-2.2) ...
peter@rpi ~ $

3. Nginx Configuration
peter@rpi ~ $ sudo nano /etc/nginx/nginx.conf
user www-data;
worker_processes 1;
pid /var/run/nginx.pid;
peter@rpi ~ $ sudo /etc/init.d/nginx start

3. Nginx Websites
Browse URL http://192.168.0.9/ or http://petermartin.nl
Result: Welcome to nginx!

3. Nginx Virtual domains

Create virtual sites:
1. Location & index.html: /var/www/petermartin.nl/index.html
2. Configuration file for the site: /etc/nginx/sites-available/petermartin.nl
3. Activate with a symbolic link to the config file: /etc/nginx/sites-enabled/petermartin.nl
4. Nginx loads the new config file: $ sudo /etc/init.d/nginx reload (the init script tests the configuration first; on a syntax error the old configuration keeps running, so read its output)

3. Nginx Virtual domains

peter@rpi ~ $ sudo nano /var/www/petermartin.nl/index.html
<html>
<head>
<title>petermartin.nl</title>
</head>
<body bgcolor="white" text="black">
<center><h1>Welcome to JandBeyond 2013!</h1></center>
<center>Website: petermartin.nl</center>
</body>
</html>

3. Nginx Virtual domains

peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
server {
    listen 80;
    server_name petermartin.nl www.petermartin.nl;
    root /var/www/petermartin.nl;
    access_log /var/log/nginx/petermartin.nl.access_log;
    error_log /var/log/nginx/petermartin.nl.error_log info;
    location / {
        index index.php index.html index.htm;
    }
}

3. Nginx Virtual domains

peter@rpi ~ $ sudo ln -s /etc/nginx/sites-available/petermartin.nl /etc/nginx/sites-enabled/petermartin.nl

peter@rpi ~ $ sudo /etc/init.d/nginx reload
Reloading nginx configuration: nginx.

3. Nginx Virtual domains

Browser: http://192.168.0.9/petermartin.nl
Welcome to JandBeyond 2013!
Website: petermartin.nl

Error? 404 Not Found nginx/1.2.1
Check the error log file: $ cat /var/log/nginx/petermartin.nl.error_log

4. MySQL Database Server

4. MySQL
Joomla 2.5+: no SQLite driver available, so a MySQL server is needed
Configuration during installation: user root, password "databasepassword"
Secure the live site with: $ sudo mysql_secure_installation
Give Joomla its own MySQL user with rights on its own database only (e.g. created via phpMyAdmin); the root password does not belong in configuration.php.

4. MySQL Installation
peter@rpi ~ $ sudo apt-get install mysql-server
Reading package lists... Done
[..]
Need to get 9,603 kB of archives.
After this operation, 91.1 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
[..]
Setting up mysql-server (5.5.30+dfsg-1) ...
Processing triggers for menu ...
peter@rpi ~ $ sudo mysql_secure_installation

5. PHP

5. PHP php5 + packages:
php5-fpm: FastCGI Process Manager, an interpreter that runs as a daemon and receives FastCGI requests
php5-mysql: modules for MySQL database connections directly from PHP scripts
php5-cli: command-line interpreter
php5-curl: library for getting files from FTP & HTTP servers

5. PHP Installation
peter@rpi ~ $ sudo apt-get install php5-fpm php5-mysql
Reading package lists... Done
[..]
Setting up php5 (5.4.4-14) ...
Processing triggers for php5-fpm ...
[ ok ] Restarting PHP5 FastCGI Process Manager: php5-fpm.
peter@rpi ~ $

5. PHP configuration petermartin.nl

pi@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
add:
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
}

The try_files line (the phpMyAdmin block in section 6 has it too) makes Nginx answer 404 unless the requested .php file really exists. Without it a request such as /images/photo.jpg/x.php is handed to PHP-FPM, which with the default cgi.fix_pathinfo=1 falls back to running photo.jpg as PHP, so any uploaded image becomes a way to execute code.

5. PHP Result
Test with phpinfo();

$ sudo nano /var/www/petermartin.nl/test.php with the code: <?php echo "test"; phpinfo(); ?>

Use the browser to open the file: http://192.168.0.9/petermartin.nl/test.php

Remove test.php when the test has passed: phpinfo() publishes the PHP version, paths and configuration to anyone who finds the URL.

6. phpMyAdmin

6. phpMyAdmin
Database GUI: http://192.168.0.9/phpmyadmin/

Secure:
Add to one virtual domain only (1 should be enough!)
Limit to 1 IP address
The default /phpmyadmin path is exactly what scanners probe (see the access log in section 9); serving it under a different name keeps it out of their lists.

6. phpMyAdmin Installation
peter@rpi ~ $ sudo apt-get install phpmyadmin
Reading package lists... Done
[..]
Need to get 6,092 kB of archives.
After this operation, 16.6 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
[..]
Web server to reconfigure automatically: none
Configure database for phpmyadmin with dbconfig-common? N
Creating config file /etc/phpmyadmin/config-db.php with new version
peter@rpi ~ $

6. phpMyAdmin config petermartin.nl

peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
location /phpmyadmin {
    root /usr/share/;
    index index.php index.html index.htm;
    location ~ ^/phpmyadmin/(.+\.php)$ {
        try_files $uri =404;
        root /usr/share/;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
    location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
        root /usr/share/;
    }
}

6. phpMyAdmin config petermartin.nl

{limit access to only one IP address}
peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
location /phpmyadmin {
    root /usr/share/;
    index index.php index.html index.htm;
    allow 4.3.2.1;
    deny all;
    location ~ ^/phpmyadmin/(.+\.php)$ {
    [..]

4.3.2.1 stands for your own public IP address; Nginx inherits the allow/deny pair into the nested PHP location, so the whole /phpmyadmin tree is restricted. With a dynamic home IP the line needs updating whenever it changes.

7. Joomla

7. Joomla
Download Joomla to the RPi using wget
Create a database, e.g. with phpMyAdmin http://192.168.0.9/phpmyadmin/ (database: petermartin)
Use the browser to start Joomla's web installer

7. Joomla Installation petermartin.nl

peter@rpi ~ $ cd /var/www/petermartin.nl
peter@rpi ~ $ sudo wget http://joomlacode.org/gf/download/frsrelease/18323/80368/Joomla_3.1.1-Stable-Full_Package.zip
peter@rpi ~ $ sudo unzip Joomla_3.1.1-Stable-Full_Package.zip

The download is plain HTTP: compare the zip's checksum with the one Joomla publishes for the release before unzipping it into the web root.

7. Joomla Installation petermartin.nl

Web installer: http://192.168.0.9/petermartin.nl/

configuration.php Writeable: No -> solve the permission problem: $ sudo chown -R www-data:www-data /var/www/petermartin.nl
This makes every file writable by the PHP process, which is convenient for the installer but means a bug in any PHP code can rewrite the site. After installation, tighten again: configuration.php read-only (chmod 444) and only the directories Joomla needs to write to (cache, logs, tmp, images) writable for www-data.

SEF links: .htaccess does not apply to Nginx; put in the virtual domain configuration: try_files $uri $uri/ /index.php?q=$request_uri;

7. Joomla SEF URLs

peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
location / {
    index index.php index.html index.htm;
    try_files $uri $uri/ /index.php?q=$request_uri;
}

8. Performance

8. Performance
The need for speed: different configurations
Visitors + Google indexing
Test: server settings, Joomla settings, Joomla extensions (templates + plugins)
Testing, testing, one, two
Joomla! Debug Console > Profile Information
Browser plugins, e.g. YSlow

8. Performance
Test: Refresh (3x) > new setting > Refresh (3x) & compare

8. Performance 10 ways to optimize

1. Nginx + PHP-FPM

8. Performance Nginx + PHP-FPM

PHP-FPM: socket vs port?
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_pass 127.0.0.1:9000;

Socket connections are around 10-15% faster than TCP/IP connections because they save passing the data through the layers of the TCP/IP stack.

8. Performance 10 ways to optimize


1. Nginx + PHP-FPM 2. Joomla gzip

8. Performance Joomla gzip


Before

1. Application 2.517 seconds (+0.037); 4.67 MB (+0.035) - afterRender

After

Global Configuration > Server > Gzip Page Compression


1. Application 3.009 seconds (+0.038); 4.67 MB (+0.035) - afterRender 2. Application 2.503 seconds (+0.037); 4.67 MB (+0.035) - afterRender

8. Performance 10 ways to optimize


1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache

8. Performance Joomla cache


Before

Application 2.707 seconds (+0.037); 4.67 MB (+0.035) - afterRender

After

Global Configuration > System > Cache* > ON Progressive caching


1. Application 2.718 seconds (+0.051); 4.69 MB (0.027) - afterRender 2. Application 1.543 seconds (+0.114); 4.02 MB (+0.051) - afterRender 3. Application 1.426 seconds (+0.265); 3.95 MB (+0.334) - afterRender

8. Performance 10 ways to optimize


1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache 4. Nginx gzip

8. Performance Nginx gzip

pi@rpi ~ $ sudo nano /etc/nginx/nginx.conf
# Gzip Settings
gzip on;
gzip_static on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 512;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml;

8. Performance Nginx gzip


Before

Application 1.447 seconds (+0.274); 3.95 MB (+0.334) afterRender

After

gzip in Nginx

1.Application 1.421 seconds (+0.267); 3.95 MB (+0.334) - afterRender 2.Application 1.436 seconds (+0.274); 3.95 MB (+0.334) - afterRender

8. Performance 10 ways to optimize


1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache 4. Nginx gzip 5. Nginx cache

8. Performance Nginx cache

pi@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
server {
    # caching of files
    location ~* \.(ico|pdf|flv)$ {
        expires 1y;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
        expires 14d;
    }
}

8. Performance Nginx cache


Before

Application 1.459 seconds (+0.301); 3.95 MB (+0.334) - afterRender

After

1.Application 1.464 seconds (+0.308); 3.95 MB (+0.334) - afterRender 2.Application 1.459 seconds (+0.299); 3.95 MB (+0.334) - afterRender

8. Performance 10 ways to optimize


1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache 4. Nginx gzip 5. Nginx cache 6. APC

8. Performance Alternative PHP Cache

pi@rpi ~ $ sudo apt-get install php-apc php-pear php5-dev build-essential libpcre3-dev
{settings in php.ini}
pi@rpi ~ $ sudo pear config-set php_ini /etc/php5/fpm/php.ini
pi@rpi ~ $ sudo pecl config-set php_ini /etc/php5/fpm/php.ini
{download / compile / install APC}
pi@rpi ~ $ sudo pecl install apc

8. Performance Alternative PHP Cache

Before

Application 1.459 seconds (+0.299); 3.95 MB (+0.334) - afterRender

After

Install APC, then restart nginx AND php-fpm!!!
$ sudo /etc/init.d/nginx restart
$ sudo /etc/init.d/php5-fpm reload
1. Application 1.813 seconds (+0.311); 4.52 MB (+0.403) - afterRender
2. Application 0.696 seconds (+0.198); 2.00 MB (+0.148) - afterRender
3. Application 0.727 seconds (+0.221); 2.00 MB (+0.148) - afterRender

8. Performance Alternative PHP Cache

APC GUI: $ sudo cp /usr/share/doc/php-apc/apc.php /var/www/petermartin.nl/apc.php

apc.php shows cache contents and server details and ships with a default admin password (ADMIN_PASSWORD inside the file): change it, and remove the file from the web root once you are done measuring.

8. Performance 10 ways to optimize


1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache 4. Nginx gzip 5. Nginx cache 6. APC 7. JCH Optimize / jbetolo

8. Performance Joomla Plugins

Less data traffic: combine CSS / JavaScript, minify CSS / JavaScript, gzip CSS / JavaScript
Joomla plugins, e.g. JCH Optimize, jbetolo, Yireo ScriptMerge
Plugins vs manual

8. Performance Joomla Plugins


JCH

Optimize, before

Application 0.772 seconds (+0.071); 2.03 MB (-0.080) afterRender

After

1.Application 0.864 seconds (+0.341); 2.06 MB (+0.177) - afterRender 2.Application 1.723 seconds (+0.170); 2.43 MB (-0.019) afterRender 3.Application 1.016 seconds (+0.118); 2.08 MB (-0.029) afterRender 4.Application 0.691 seconds (+0.217); 2.05 MB (+0.172) - afterRender

8. Performance Joomla Plugins


jbetolo,

before

Application 0.620 seconds (+0.165); 2.00 MB (+0.148) - afterRender

After

1.Application 1.810 seconds (+1.234); 2.31 MB (+0.233) - afterRender 2.Application 0.751 seconds (+0.222); 2.27 MB (+0.193) - afterRender 3.Application 0.769 seconds (+0.223); 2.27 MB (+0.193) - afterRender

8. Performance 10 ways to optimize


1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache 4. Nginx gzip 5. Nginx cache 6. APC 7. JCH Optimize / jbetolo 8. Memcached

8. Performance Memcached
pi@rpi ~ $ sudo apt-get install memcached php5-memcache
{download / compile / install the memcache extension}
pi@rpi ~ $ sudo pecl install memcache
{restart services}
pi@rpi ~ $ sudo service nginx restart
pi@rpi ~ $ sudo service mysql restart
pi@rpi ~ $ sudo service php5-fpm restart
pi@rpi ~ $ sudo service memcached restart

memcached has no authentication: keep it listening on 127.0.0.1 only (Debian's default in /etc/memcached.conf) and do not forward port 11211.

8. Performance Memcached
Before

Application 0.677 seconds (+0.198); 2.00 MB (+0.148) - afterRender

After

1.Application 1.673 seconds (+0.320); 4.52 MB (+0.403) afterRender 2.Application 0.721 seconds (+0.199); 2.00 MB (+0.148) afterRender 3.Application 0.705 seconds (+0.211); 2.00 MB (+0.148) afterRender 4.Application 0.678 seconds (+0.199); 2.00 MB (+0.148) afterRender

8. Performance 10 ways to optimize


1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache 4. Nginx gzip 5. Nginx cache 6. APC 7. JCH Optimize / jbetolo 8. Memcached 9. Overclocking

8. Performance Overclocking
$ sudo raspi-config

8. Performance Overclocking
Before

Application 0.678 seconds (+0.210); 2.00 MB (+0.151) - afterRender Application 0.649 seconds (+0.171); 2.05 MB (+0.153) - afterRender Application 0.579 seconds (+0.169); 2.00 MB (+0.151) - afterRender Application 0.596 seconds (+0.167); 2.00 MB (+0.151) - afterRender Application 0.620 seconds (+0.167); 2.00 MB (+0.151) - afterRender Application 0.583 seconds (+0.167); 2.00 MB (+0.151) - afterRender

After

8. Performance 10 ways to optimize


1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache 4. Nginx gzip 5. Nginx cache 6. APC 7. JCH Optimize / jbetolo 8. Memcache 9. Overclocking 10.Cryogenics

8. Performance Cryogenics
Superconducting computers: superconductivity in certain materials when cooled below a characteristic critical temperature
Cool down the RPi?
Fridge: RPi = small, but not enough room for beer :-( Not cool enough... need < 123 K (= -150 C, -238 F)
Liquid nitrogen or liquid helium? Couldn't decide which... performance gain when cooling down: N/A

8. Performance My RPi
Every server/site: a different configuration for performance
My RPi:
PHP-FPM: fastcgi_pass to a Unix socket (not IP+port)
Joomla: (progressive) cache (2.7 -> 1.4 sec)
Alternative PHP Cache (1.4 -> 0.7 sec)

9. Security

9. Security 10 Aspects
1. Change default username pi & password
2. Backup !!!
3. Study logfiles (e.g. with Logwatch)

9. Security ssh logfiles


/var/log/auth.log: password guessing against root, arriving through the forwarded port 22 (four attempts in 20 seconds from one address):
Apr 8 22:49:01 rpi sshd[10812]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT! Apr 8 22:49:01 rpi sshd[10812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root Apr 8 22:49:04 rpi sshd[10812]: Failed password for root from 59.175.148.95 port 43066 ssh2 Apr 8 22:49:04 rpi sshd[10812]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth] Apr 8 22:49:07 rpi sshd[10816]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT! Apr 8 22:49:07 rpi sshd[10816]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root Apr 8 22:49:09 rpi sshd[10816]: Failed password for root from 59.175.148.95 port 44636 ssh2 Apr 8 22:49:10 rpi sshd[10816]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth] Apr 8 22:49:13 rpi sshd[10820]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT! Apr 8 22:49:13 rpi sshd[10820]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root Apr 8 22:49:15 rpi sshd[10820]: Failed password for root from 59.175.148.95 port 46051 ssh2 Apr 8 22:49:16 rpi sshd[10820]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth] Apr 8 22:49:19 rpi sshd[10824]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT! Apr 8 22:49:19 rpi sshd[10824]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root

9. Security ssh logfiles

peter@rpi ~ $ whois 59.175.148.95
% [whois.apnic.net node-5]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:   59.174.0.0 - 59.175.255.255
netname:   CHINANET-HB
descr:     CHINANET Hubei province network
descr:     Data Communication Division
descr:     China Telecom
country:   CN

role:      CHINANET HB ADMIN
address:   8th floor of JinGuang Building
address:   #232 of Macao Road
address:   HanKou Wuhan Hubei Province
address:   P.R.China
country:   CN
phone:     +86 27 82862199
fax-no:    +86 27 82861499
e-mail:    ip_admin_hb@public.wh.hb.cn
remarks:   send spam reports to spam_hb@public.wh.hb.cn
remarks:   and abuse reports to abuse_hb@public.wh.hb.cn
remarks:   Please include detailed information and
remarks:   times in GMT+8

9. Security 10 Aspects
1. Change default username pi & password
2. Backup !!!
3. Study logfiles (e.g. with Logwatch)
4. Block ssh root login !
5. Block portscans -> Firewall (default deny inbound: a scan only sees the ports that are explicitly opened)

9. Security Firewall
{check firewall}
peter@rpi ~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
{create rules for firewall}
peter@rpi ~ $ sudo nano /etc/iptables.firewall.rules

9. Security Configure Firewall 1/2

*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

9. Security Configure Firewall 2/2

# Allow SSH connections
# The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

9. Security Activate Firewall 1/2

{activate firewall}
peter@rpi ~ $ sudo iptables-restore < /etc/iptables.firewall.rules
{check firewall}
peter@rpi ~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere
[..]

9. Security Activate Firewall 2/2

{script: activate firewall at reboot}
peter@rpi ~ $ sudo nano /etc/network/if-pre-up.d/firewall
{put in /etc/network/if-pre-up.d/firewall}
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

{set script permissions}
peter@rpi ~ $ sudo chmod +x /etc/network/if-pre-up.d/firewall

9. Security Automate Firewall

9. Security Fail2Ban
Scan logfiles & take action automatically
Jail configuration: if an entry in a logfile matches a filter n times, put the IP on the blocklist for x minutes
/etc/fail2ban/jail.conf: defaults; /etc/fail2ban/jail.local: overrides
Filters: /etc/fail2ban/filter.d/
Regex: ROOT LOGIN REFUSED, POSSIBLE BREAK-IN ATTEMPT!, Failed password, etc...

9. Security Fail2Ban
{install Fail2Ban}
peter@rpi ~ $ sudo apt-get install fail2ban
Reading package lists... Done
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 340 kB of archives.
{check failed login attempts}
peter@rpi ~ $ cat /var/log/fail2ban.log
2013-04-09 16:45:59,000 fail2ban.actions: WARNING [ssh] Ban 9.8.7.6

{check firewall}
peter@rpi ~ $ sudo iptables -L
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  test123.example.com  anywhere
RETURN     all  --  anywhere             anywhere

9. Security 10 Aspects
1. Change default username pi & password
2. Backup !!!
3. Study logfiles (e.g. with Logwatch)
4. Block ssh root login !
5. Block portscans -> Firewall
6. Block scriptkiddies

9. Security Webserver access logs

/var/log/nginx/petermartin.nl.access_log: one scanner (user agent ZmEu) trying dozens of known phpMyAdmin setup.php paths within a minute. The /phpmyadmin/ hits get 403 because of the allow/deny rule from section 6, everything else 404:
198.7.57.74 - - [30/Mar/2013:16:47:49 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 1565 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:53 +0100] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:53 +0100] "GET /scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:54 +0100] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin1/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /web/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /php-my-admin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /websql/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET 
/sqlmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /mysqlmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /p/m/a/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /pma2005/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /phpmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /php-myadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /webdb/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /websql/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"

9. Security Fail2Ban configuration

{no w00tw00t for you ;)}
peter@rpi ~ $ sudo nano /etc/fail2ban/filter.d/nginx-w00tw00t.conf
# Fail2Ban configuration file
# Author: Peter Martin
# $Revision: 001 $
[Definition]
# Option: failregex
# Note: the paths are written as /setup\.php and /wp-login\.php. fail2ban uses
# Python regexes, in which \s means whitespace, so a pattern written as
# \setup.php would never match a request for /setup.php.
failregex = ^<HOST> .*"GET .*(w00tw00t|/setup\.php|/wp-login\.php)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

9. Security Fail2Ban configuration

{activate nginx-w00tw00t filter}
peter@rpi ~ $ sudo nano /etc/fail2ban/jail.local
[nginx-w00tw00t]
enabled  = true
port     = http,https
filter   = nginx-w00tw00t
logpath  = /var/log/nginx/*access_log
maxretry = 0
bantime  = 600
{restart Fail2Ban}
peter@rpi ~ $ sudo /etc/init.d/fail2ban restart
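Added example (not from the slides): the two filters used on these slides, fail2ban's stock ssh jail on auth.log and the nginx-w00tw00t filter on the access log, emulated with sed, grep and awk on constructed log lines, so the regexes can be tried without fail2ban. The real check is fail2ban-regex LOGFILE FILTERFILE, which reports how many lines each failregex matched; the functions below do the same job with standard tools. The sample lines copy the shape of the logs on the slides: 198.7.57.74 is the ZmEu scanner from the access log slide, the other addresses are made up.

```shell
#!/bin/sh
# Added example, not part of the original slides: emulate the two fail2ban
# filters on constructed log lines. Field positions assume Debian's default
# auth.log and nginx's "combined" access log format, as on the slides.

# Constructed sample lines. 198.7.57.74 is the ZmEu scanner from the slide;
# 203.0.113.x / 198.51.100.x are documentation addresses, 192.168.0.14 is LAN.
AUTH_LOG='Apr  8 22:49:04 rpi sshd[10812]: Failed password for root from 203.0.113.5 port 43066 ssh2
Apr  8 22:49:09 rpi sshd[10816]: Failed password for root from 203.0.113.5 port 44636 ssh2
Apr  8 22:49:15 rpi sshd[10820]: Failed password for root from 203.0.113.5 port 46051 ssh2
Apr  8 22:50:01 rpi sshd[10830]: Accepted publickey for peter from 192.168.0.14 port 50000 ssh2
Apr  8 22:51:10 rpi sshd[10840]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2'

ACCESS_LOG='198.7.57.74 - - [30/Mar/2013:16:47:49 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 1565 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu"
192.168.0.14 - - [30/Mar/2013:16:48:00 +0100] "GET /index.php?option=com_content HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Mar/2013:16:49:00 +0100] "GET /wp-login.php HTTP/1.1" 404 47 "-" "Mozilla/5.0"'

# Source address of every failed SSH password on stdin (what the stock
# [ssh] jail counts).
ssh_failures() {
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.][0-9.]*\) port [0-9]* ssh2$/\1/p'
}

# Source address of every request that trips the nginx-w00tw00t filter.
# The paths are "/setup\.php" and "/wp-login\.php": a pattern written as
# "\setup.php" means whitespace + "etup.php" in a Python regex and would
# never match a scan for /setup.php.
scanner_hits() {
    grep -E '^[0-9.]+ .*"GET [^"]*(w00tw00t|/setup\.php|/wp-login\.php)' | awk '{ print $1 }'
}

# fail2ban's maxretry: print the hosts that appear at least $1 times.
ban_candidates() {
    sort | uniq -c | awk -v max="$1" '$1 >= max { print $2 }' | sort
}

ssh_bans() { printf '%s\n' "$AUTH_LOG"   | ssh_failures | ban_candidates 3; }
web_bans() { printf '%s\n' "$ACCESS_LOG" | scanner_hits  | ban_candidates 1; }

# Stand-alone run: the addresses each jail would hand to iptables.
echo "ssh jail would ban:"; ssh_bans
echo "nginx-w00tw00t jail would ban:"; web_bans
```

The LAN visitor fetching /index.php is not listed by either function, and the single failed login from 198.51.100.7 stays under the ssh jail's threshold of 3; the web jail bans on the first hit, matching the maxretry = 0 intent of the jail above.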

9. Security 10 Aspects
1. Change default username pi & password
2. Backup !!!
3. Study logfiles (e.g. with Logwatch)
4. Block ssh root login !
5. Block portscans -> Firewall
6. Block scriptkiddies
7. SSL certificate for /administrator/
8. Block phpmyadmin (allow 1 specified IP)
9. Backup !!!
10. Passwordless login? SSH shared keys
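Added example (not from the slides): aspects 4 and 10 of the list as an sshd_config editor that can be tried on a copy of the file before touching /etc/ssh/sshd_config. The user name peter comes from the slides; the Pi address and key paths in the comments are placeholders. The editor needs GNU sed.

```shell
#!/bin/sh
# Added example, not part of the original slides: set sshd options for
# aspects 4 (no root login) and 10 (key-only login). Apply to a copy first,
# then to /etc/ssh/sshd_config, check with "sshd -t", and restart sshd.

# Set KEY to VALUE in FILE. An active directive is rewritten in place; if
# only a commented default exists, the first one is replaced; otherwise the
# directive is appended. sshd honours the first occurrence of a keyword.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^$key[[:space:]]" "$file"; then
        sed -i -E "s|^$key[[:space:]].*|$key $value|" "$file"
    elif grep -Eq "^#[[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "0,/^#[[:space:]]*$key[[:space:]]/s|^#[[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Effective value of KEY in FILE (first active occurrence, like sshd).
sshd_option() {
    awk -v k="$2" '$1 == k && !seen { print $2; seen = 1 }' "$1"
}

harden_sshd() {
    file=$1
    set_sshd_option "$file" PermitRootLogin no                 # aspect 4: no root over ssh
    set_sshd_option "$file" PasswordAuthentication no          # aspect 10: keys only
    set_sshd_option "$file" ChallengeResponseAuthentication no # no PAM password prompt either
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" AllowUsers peter                   # only the renamed account
}

# Order matters: install the key while password login still works, verify
# the key login, and only then switch passwords off.
#   ssh-keygen -t rsa -b 4096 -f ~/.ssh/rpi                  (on the workstation)
#   ssh-copy-id -i ~/.ssh/rpi.pub peter@192.168.0.9
#   ssh -i ~/.ssh/rpi peter@192.168.0.9                       (must work without a password)
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak          (as root on the Pi)
#   harden_sshd /etc/ssh/sshd_config && sshd -t && service ssh restart
```

Keep the existing session open while restarting sshd and open a second one to confirm the key login still works; if the new configuration locks you out, the open session is what restores the backup.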

10. Geeky stuff

10. Geeky Stuff - Webcam

Connect webcam to USB
$ sudo apt-get install motion
Configuration:
$ sudo nano /etc/motion/motion.conf -> change: daemon = ON & webcam_localhost = OFF
$ sudo nano /etc/default/motion -> change the value start_motion_daemon=no to yes
$ sudo service motion start
Firewall: $ sudo iptables -I INPUT -p tcp --dport 8081 -j ACCEPT
Router: port forwarding port 8081

With webcam_localhost off and the port forwarded, anyone who reaches port 8081 can watch: the stream as configured here has no login. Forward it only if that is intended; otherwise keep it LAN-only and skip the forward. The iptables -I rule is not in /etc/iptables.firewall.rules, so it is gone after a reboot unless added there.

10. Geeky Stuff - Webcam

Display webcam: http://192.168.0.9:8081
In a Joomla article: <p><iframe src="http://192.168.0.9:8081" height="240" width="320"></iframe></p>
(the 192.168.0.9 address only works for visitors on the LAN; Internet visitors need the domain name and the forwarded port)

No time left for:

Send email from the RPi: Joomla's notifications & contact forms, Logwatch mails
Exim MTA (Mail Transfer Agent)

Questions?
Presentation is available at www.db8.nl

Peter Martin, e-mail: info at db8.nl, website: www.db8.nl

Used photos

Chinese Raspberry Pie nr.1 1 - Koen Mol http://www.sxc.hu/photo/346723 Switched On Tech Design - www.sotechdesign.com.au Bricks - Sharlene Jackson http://www.sxc.hu/photo/759981 Hotrod Dash - Peter Mazurek http://www.sxc.hu/photo/1341923 Greased Lightnin' - Donald Cook http://www.sxc.hu/photo/690214 File Overload - Bob Smith http://www.sxc.hu/photo/367985 Rusted Gears - Angelo Rosa http://www.sxc.hu/photo/1365696 Man Made - "csremedy" http://www.sxc.hu/photo/1267108 digital world - ilker http://www.sxc.hu/photo/1206711 Crazy Man in Shower - scott adams http://www.sxc.hu/photo/760765 laptop 2 - emre nacigil http://www.sxc.hu/photo/810741 Speedometer Abdulhamid AlFadhly http://www.sxc.hu/photo/1390189 Secure - Frank Khne http://www.sxc.hu/photo/962334 Professor Tiger - Gabriel Doyle http://www.sxc.hu/photo/526749 signs signs - Jason Antony, http://www.sxc.hu/photo/751034 Face - Questions - Bob Smith, http://www.sxc.hu/photo/418215
