Essential security tips for servers

In this tutorial you will find out some of the necessary steps to secure you VPS or dedicated server.

1. First thing you need to do is to change your root password. Connect to server with SSH and type:

passwd

Then type in your new password, press enter, and retype it again.

2. It's not safe to allow root user to login throught SSH. So you need to create a new user:

useradd user_name

Then set the password for this user with:

passwd user_name

3. Now let's go to SSH settings.

Open file by typing:

nano /etc/ssh/sshd_config

And find/change following:

PermitRootLogin no
X11Forwarding no
AllowUsers user_name
Port 10000

It's important to change your SSH port to higher number (for example 10000).

4. Configure iptables:

iptables-save > /etc/iptables.rules
nano /etc/iptables.rules

Example rules:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -i ! lo -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT #Change this port to SSH server's port
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT

Be careful to change your SSH port to the one you set in sshd_config, otherwise you wouldn't be able to log in to SSH server.

Import rules to iptables:

iptables-restore < /etc/iptables.rules

5. Set new iptables rules to reset during reboots:

sudo nano /etc/network/interfaces

...
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.rules
...

6. And now reload SSH server:

sudo /etc/init.d/ssh reload

These are only essential steps to secure you server. Your server should now be a little bit more secure, but there is no such thing as 100% security.

Install Sun Java on Debian Lenny

Installing Java on Windows is easy. Simply download .exe file and run it. But on Debian Linux it's a little bit harder because it's non-free software.

It's free as in beer. So you can actually "taste" it, but cannot get the source code.

How to install Sun Java on Debian Lenny?

1. Open Terminal and login as root (type "su" and then type a password)

2. Type:

nano /etc/apt/sources.list

3. In file change:

deb http://ftp.uk.debian.org/debian/ lenny main
deb-src http://ftp.uk.debian.org/debian/ lenny main

to:

deb http://ftp.uk.debian.org/debian/ lenny main non-free
deb-src http://ftp.uk.debian.org/debian/ lenny main non-free

Save it.

4. Refresh aptitude packages by typing:

apt-get update

5. Type:

apt-get install sun-java6-jre

to install Java 6 from Sun.

Setting Charset on an Apache Server

How to demand from an Apache Server to serve pages with a specific encoding?

You will ask this question sooner or later if you are making web sites. Probably sooner if you are dealing with non-ASCII characters.

There are a lot of charsets in the world, from ones that support most languages to ones that are very specific. In web development business UTF-8 is a standard, specially on non-english web sites. It's not that big of a problem on HTML sites, but it can be a hell of a mess if you have server with first encoding, PHP with second encoding and MySQL with completely different encoding.

In this post, I will show you how to tell Apache to use specific charset (in our examples I'll use UTF-8).

The easiest way to set encoding is by following meta tag in HTML:

<meta http-equiv="content-type" content="text/html; charset=UTF-8">

But this is not always enough. So to be sure you need to specify charset in the Apache configuration file or in .htaccess.

You can use one of the following methods:

<FilesMatch "\\.(htm|html|css|js|php)$">
ForceType 'text/html; charset=UTF-8'
</FilesMatch>

or

AddType 'text/html; charset=UTF-8' html

or

AddCharset UTF-8 .html

or

AddDefaultCharset UTF-8

I recommend last option because I had no problems what so ever with it so far. It always works fine. (Other should too.)

Screenshot of Web Page on Linux Server

How to make a screenshot of web page on Linux server?

In this tutorial I will tell how to setup a server with Debian Lenny operating system to add capability for taking screenshot pictures of a web page you want.

Steps:
1. Login to server through SSH as root user.
2. Install vnc server, web browser and GUI with following command:

apt-get install tightvncserver xfonts-base xfce4 iceweasel imagemagick

It’s about 160MB to download and installation should take a few minutes.
3. Start VNC server by typing:

vncserver :1 -geometry 1024x768 -depth 24

4. Server should be running now, and you can stop some of probably unwanted services:

killall x-session-manager ssh-agent xftaskbar4 xfdesktop xfce4-panel

5. Now connect to the VNC server from your desktop machine and remove unnecessary panels, configure Iceweasel web browser.

If you’re using iptables firewall you’ll need to add following rule to allow access to VNC server:

-A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT

6. That’s it. Now you have a machine capable of taking screenshots of websites.

How to take a screenshot?

Create a shell file (for example screenshot.sh) with following script which starts the web browser, loads a page, takes a picture and closes the web browser.

#!/bin/bash
export DISPLAY=":1"
/usr/bin/iceweasel --display :1 "$1" > /dev/null 2> /dev/null &
/bin/sleep 10
/usr/bin/import -window root -display :1 "$2"
killall -9 /usr/lib/iceweasel/firefox-bin

This script can be called like this:

./screenshot.sh http://www.google.com /var/www/picture_path.jpg

Now you can take picture of any page you’d like with this simple command. It takes about 11 seconds to take 1 screenshot (script needs to sleep for about 10 seconds so that the page can load in web browser - you can change that time but is not recommended to set it bellow 5 seconds because most of the pages won’t load that quickly).

When you’re finished with taking screenshots you can kill vncserver with following command:

vncserver -kill :1

That's it for this tutorial. Additionally you can write PHP script which calls screenshots.sh and automatically crop picture to remove sliders and other unwanted elements on it.

WordPress on IIS7

How to use WordPress blog's permalinks with IIS7 (or similar Content Management Systems)?

It's really simple to make this work on Apache server. Just copy 5 lines of code to .htaccess file.

But it's a little bit harder to do so on IIS7. You have 2 options:

- use IIS7 GUI to create rules

- modify Web.Config by hand

Code for Web.Config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="RewriteUserFriendlyURL1" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
</conditions>
<action type="Rewrite" url="index.php" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>

Explanation:

1. IIS tries to match requested url with * (everything).

2. If match is found, IIS checks if there is a file with the same url that is requested.

3. Then IIS checks if there is a directory with that name.

4. If there is no file/directory with that name, IIS rewrites url to "index.php".

MySQL Add User

The simplest way to add user to MySQL and grant privileges for specific database.

1. Open terminal and type "mysql -u root -p" to start MySQL client and use your root account to connect to database.

2. Type "create database my_database;" to create a database with name my_database.

3. Type:

GRANT ALL PRIVILEGES
ON my_database.*
TO 'my_user'@'localhost'
IDENTIFIED BY 'my_password'
WITH GRANT OPTION;

With this command you've created a user with name my_user and password my_password with all privileges on my_database.

Create ISO from DVD on Mac

How to create ISO image from DVD?

1. Insert CD/DVD into computer and open Terminal.app

2. Type "mount" (without quotes) to list mounted drives

3. Type "unmount /dev/disk1" to unmount DVD from Mac OS X Finder

4. Type "dd if=/dev/disk1 of=/path/to/file.iso bs=2048" to copy content from DVD to file (this may take a while, depending on size of CD/DVD)

That's it. You copied content of DVD to your computer successfully.

How to mount ISO image?

hdid /path/to/file.iso