anomalist
/
survey-manager
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5 Commits
1 Branch
0 Tags
244 MiB
Tree: 0f686b7e6c
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0f686b7e6c'
${ noResults }
survey-manager/README.md

416 lines
14 KiB
Raw Normal View History

Updates to get nginx working
4 months ago
The following is a first list of the stuff we should know how to do.
- Access new system.
ssh actswac@104.238.116.218
Updates
4 months ago
Qbttxpsea1!
Updates to get nginx working
4 months ago
- Find names of software packages in the official CentOS repositories.
Sample commands
yum search subversion
yum list available "*subversion*"
yum info subversion.x86_64
- Install new software packages from the official CentOS repositories.
Sample commands
yum install subversion.x86_64
- update software packages from the official CentOS repositories.
* For a specific package
yum update "package"
* To update all currently installed packages
yum update
- find which packages have updates available from the official CentOS repositories.
yum check-update
- Find groups of packages installed or available.
yum grouplist
yum group list available
- Install PERL Modules from cpan.org
- THIS SHOULD ONLY BE USED FOR MODULES NOT FOUND IN THE GoDaddy CentOS REPOSITORIES.
I installed "cpan" from the GoDaddy CentOS repositories.
It, the command "cpan" can be used to install Perl modules from cpan.org.
Configuration will be written to /root/.cpan/CPAN/MyConfig.pm
I set the configuration so "sudo cpan" should be used to install modules.
- Create new users & control user ids, group ids, home dir., initial shell, password policy, etc.
Sample commands for root user to add hivy user:
useradd -m -c "Hank Ivy" hivy
passwd hivy
Note: System prompts for the new password twice and validates hackability.
Sample command for root user to force hivy user to change his password upon logging in.
passwd --expire hivy
Sample command to add a user to a group.
gpasswd -a bcarico wwwteam
Sample command to map an old user id to a new user id. - ditto group
find . -uid 503 -exec chown ddoughty {} \;
find . -gid 504 -exec chgrp ddoughty {} \;
- Set up master source base.
* On the old testmanager1.com, the svn master source base, MSB, is at file:/usr/local/subversion
* Sample command to create a repository.
svnadmin create --fs-type fsfs /usr/local/subversion
BILL: You should never have to do this, for another ten years.
Sample command to dump an svn MSB.
svnadmin dump /usr/local/subversion > MSB_dumpfile
Sample command to load the dumpfile into another repository
svnadmin load /usr/local/subversion < MSB_dumpfile
* Sample command to look at the repository.
svnlook ???
- create a developer sandbox
- force shutdown and default reboot of the system, even if it is inaccessible itself.
* If it is accessible, become the root user and,
shutdown -r now
- Setup automated off site backups.
- setup automated daily archive of WEB error and access logs, with a monthly retention cycle.
- configure sudo users.
For the root user:
cd /etc/sudoers.d
cp bcarico newguy
Edit the file newguy to replace "bcarico" with "newguy"
- configure firewall
- configure port for ssh access, we want to stop using the default port.
- route root user's email to Bill Carico, etal.
- re-evaluate disk space requirements.
- Acts developer/sustainer documentation
- GUI applications from Acts server to my client that I used ssh to log in.
Go to godaddy.com
Click on login
user ID: actswac
Password: Qbttxpsea1!
Servername: ACTS1
IP: 104.238.116.218
ssh actswac@104.238.116.218
The actswac account has sudoer privileges, id 1000, group actswac 1000
- Copy files to new system.
Login to testmanager1.com
sftp -u hivy 104.238.116.218
GoDaddy ??? Customer # and pin #
William Carico — Customer Number: 11479942 pin: Ask Bill
Stuff to copy over. Done
Master Source Base.
Backups
hivy home
bcarico home
ddoughty home
itembank home
/usr/local/httpd/conf/ssl*/.
Stuff to copy over. ToDo
/var/www/x4/. (Archive)
/usr/local/httpd.fmac/. (Archive)
/var/www/error/.
/var/www/-All-Else (Archive)
Correct the owner and group IDs.
See the old owner and group IDs in /home/transfers/hivy/ passwd, and group
sudo find . -uid nnn -exec sudo chown NNN {} \;
sudo find . -gid nnn -exec sudo chgrp NNN {} \;
Stuff to configure
Firewalls
- Close up undesired access.
- Open up holes for sandbox web access
- Open up holes for sshd
- open up holes for ftp?
- System Status
Sample commands to list status of services
chkconfig --list
systemctl list-unit-files
Sample commands to turn on firewall
# Turn on the iptables service, AKA firewall
chkconfig iptables on
# Start the firewall, AKA iptables
service iptables start
systemctl start iptables.service
# Check the firewall status
service iptables status
systemctl status iptables.status
# restart the firewall
service iptables restart
systemctl restart iptables
# stop the firewall
service iptables stop
systemctl stop iptables.service
- Sample commands to open a hole in a firewall for port 2702 as a new fifth rule in the INPUT chain
- The new rule is inserted, the fifth and successive rules become the sixth and successive rules.
iptables -I INPUT 5 -p tcp --dport 2702 -j ACCEPT
iptables -I INPUT 5 -p tcp --dport http -j ACCEPT
iptables -I INPUT 5 -p tcp --dport https -j ACCEPT
NOTE: The dport is http. The value http is indexed in /etc/services as port 80.
NOTE: The dport is https. The value https is indexed in /etc/services as port 443.
- Making a lasting change to the firewall, AKA iptables. As the root user
sudo iptables-save > /etc/sysconfig/iptables.new20150301A
cd /etc/sysconfig; sudo cp iptables.new20150301A iptables
Sample commands to find files in production httpd that have changed:
cd /usr/local/httpd
find . \! -name access_log \! -name error_log -type f -newer /home/backups/usr_local_HTTPD.start
- Sandbox Web Servers as a system service
A System Service is typically a single process that might have children processes helping it.
I will set up a service SB-hivy. I did the following to get config and service, AKA unit, files to edit.
cp /etc/sysconfig/httpd /etc/sysconfig/SB-hivy
cp /usr/lib/systemd/system/httpd.service /usr/lib/systemd/system/SB-hivy.service
I edited the two new files.
If you want your own sandbox services, choose your own name of SB-* service, copy, and edit your files.
- Start my own Sandbox webserver
systemctl start SB-hivy.service
- Verbose Status of my own Sandbox webserver
systemctl status -l SB-hivy.service
- Shorter Status of my own Sandbox webserver
systemctl status SB-hivy.service
- Shutdown my own Sandbox webserver
systemctl stop SB-hivy.service
- Shutdown and start my own Sandbox webserver
systemctl restart SB-hivy.service
MPM is Multi-Processing Module.
********** HTTP configuration files
* old style - All entries are in a single file. P.S. Used Pre-Fork MPM.
* new style - Include methodology includes files that include files with entries.
* New Style Configuration file has:
Include conf.modules.d/*.conf
IncludeOptional conf.d/*.conf EXCEPT ssl.conf
NOTE: /etc/httpd contains both conf.modules.d/*.conf and conf.d/*.conf
* conf.modules.d/*.conf contains LoadModule directives. Some are commented out, or conditional.
--- 00-mpm.conf is sort of conditional.
We have the default:
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
We are using the "Prefork MPM".
* conf.d/*.conf contains:
* conf.d/autoindex.conf contains:
--- AddIcon* directives for different files or filename extensions.
--- These are only displayed for FancyIndexed directories.
--- These are AddIconByEncoding, AddIconByType, AddIcon, DefaultIcon
IndexOptions,
Alias /icons/ "/usr/share/httpd/icons/"
# ReadmeName is the name of the README file the server will look for by
# default, and append to directory listings.
#
# HeaderName is the name of a file which should be prepended to
# directory indexes.
ReadmeName README.html
HeaderName HEADER.html
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing. Shell-style wildcarding is permitted.
#
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
* conf.d/mpm_prefork.conf contains:
<IfModule prefork.c>
httpd server process parameters
</IfModule>
* conf.d/userdir.conf contains:
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
<IfModule mod_userdir.c>
Directives to disallow, or allow and control access to a special folder in a
developer's or user's home folder.
Default is to disallow. WE SHOULD DISALLOW.
</IfModule>
* conf.d/welcome.conf contains:
# This configuration file enables the default "Welcome" page if there
# is no default index page present for the root URL. To disable the
# Welcome page, comment out all the lines below.
NOTES on Parms for Pre-Fork MPM
StartServers 8 OK
MinSpareServers 5 OK
MaxSpareServers 20 OK
ServerLimit 256
MaxClients 256 ??? Not valid parm ?
MaxRequestsPerChild 4000 ??? Not valid parm. ?
MaxRequestWorkers ??? default 256
MaxConnectionsPerChild default 0 means never kill.
I want:
StartServers 8 OK
MinSpareServers 5 OK
MaxSpareServers 20 OK
ServerLimit 256
MaxRequestWorkers 256 default 256
MaxConnectionsPerChild 512 default 0 means never kill.
NOTES on software differences -- CentOS7 did not seem to have these.
I used a cpan shell to get, make, test, and install them.
GD::Graph::bars
GD::Graph::bars3d
GD::Graph::colour
GD::Graph::colour qw(:colours)
GD::Graph::Data
GD::Graph::hbars
GD::Graph::linespoints
GD::Graph::pie
GD::Text::Align
MIME::Base64 qw(encode_base64 decode_base64)
POSIX qw(iscntrl)
NOTES: On redirecting http requests on the old host to the new host.
Found answer in WWW - Redirect permanent / http://www.new-domain.com/
I used - Redirect permanent / http://104.238.116.218/
Plan:
Status is: Done, Prog., ToBe
Status - id - Desc.
Done - 01 - Find Hacker id, and files.
Done - 02 - Restart the system (killing Hacker's processes.)
Done - 03 - Restart the WEB Server.
Done - 04 - Find and Back up all WEB Server files to tar balls. Note: 2.3GB compressed files.
Done - 05 - Find and back up all relevant home directories. NOTE: None.
ToBe - 06 - Review tar balls for Hacker files, and handle.
ToBe - 07 - Restore tar balls for WEB Server files.
ToBe - 08 - Edit testmanager1 WEB Server Configuration file for new virtual hosts.
ToBe - 09 - Move one active non-test virtual host to testmanager1.
ToBe - 10 - Move all non-active virtual hosts to testmanager1.
ToBe - 11 - Test both previous steps. Make them work.
ToBe - 12 - Move remaining virtual hosts to testmanager1.
ToBe - 13 - Test previous step. Make virtual hosts work.
ToBe - 14 - SHUTDOWN testmanager.com at the hosting site.
testmanager1 security tasks:
ToBe - A. - Move the sshd to a non-default port number.
ToBe - B. - Review, reload, and replace any PuTTY identity keys.
ToBe - C. - Any similar passwords on testmanager and testmanager1 should be changed.
The Hacker has had access to our encrypted passwords, the time, and the tools
to unencrypt them.
NEW 2014
Bill said testmanager1 is a godaddy account, about 80 dollars/mon., stand-alone.
I logged into testmanager1 and found it had 111 GB of disk, 1GB of RAM.
GoDaddy offers a Virtual Private Server at multiple levels of cost and features.
The premium level is $80/mon., 4GB of RAM, 120 GB of disk, and 4TB of bandwidth/ mon.
We could have CentOS with cPanel including patching, root access, and access
to the WEB server error logs.
Replacement Server goals (not prioritized list)
1. Run a stable, well supported Linux distribution. (CentOS is OK.)
2. Install released packages, and patches.
3. Configure firewall holes
4. Install PERL modules from CPAN.
5. FTP access. (configure non-standard port)
6. ssh access. (Configure non-standard port)
7. access to httpd error logs.
8. Configure httpd WEB server.
9. Create user ids, control id numbers, and groups.
# addgroup <username>
# adduser <username> --gid <username> --groups wwwteam
# passwd <username>
# su - <username>
$ mkdir dev
$ cd dev
$ svn co file:///usr/local/subversion/Testmanager/trunk Testmanager
NOTE: Alternates for Item Bank
$ svn co file:///usr/local/subversion/Testmanager/branches/ItemBank Testmanager
$ svn co file:///usr/local/subversion/Testmanager/branches/SpecialChar Testmanager
$ ln -s Testmanager httpd
$ exit
# cd /etc/httpd/conf
# cp httpd.conf httpd.conf.bak
# vi httpd.conf
Copy last virtual machine entry; change username and port numbers
Must add <username>.testmanager1.com to DNS for alias to work, otherwise
just access sandbox at testmanager1.com:<port number>
# apachectl configtest
# apachectl graceful
# cp bcarico.conf <username>.conf
# vi <username>.conf
Change bcarico to <username>; change port numbers
# vi /etc/init.d/sandbox
On line 33 ("for sandbox in ...") add <username> to end of list
# /usr/sbin/httpd -f /etc/httpd/conf/<username>.conf
Point web browser to https://www.testmanager1.com:10000
Log in to webmin as root
Click on Networking -> Linux Firewall
Click on "Accept" next to any existing port rule to edit that rule
Scroll to bottom and click "Clone Rule"
On new rule, change port number, then click "Create"
Click on Move arrows to move new rule up and place it in numeric order by port
Repeat for second port
Scroll to bottom and click on "Apply Configuration"
Click on Logout
If webmin appears to hang, you can check the firewall rules by entering:
# iptables --list | grep <port>
If it shows the port number, the firewall config has been applied and you can
safely exit webmin.
----
All code changes seem to happen in:
cgi-bin/js/./*.js
cgi-bin/./*.p[lm]
secure_html/template/./*.htt
secure_html/data/*.std
secure_html/data/tests/default.std
secure_html/language/phrases.enu