Protecting a FreeBSD Server

In Episode 048 of the BSD Now podcast, Allan referenced a great blog post on twisteddaemon listing basic security steps to perform after a new install. The checklist is also a good guide for a mature server checkup, which I recently did with a production server. Besides confirming sshd was configured correctly for public-key login only, I found forgotten open ports related to ntpd and ftp enabled (neither of which I need anymore), and I also found syslogd was opening a port for remote logging (all of which have now been disabled).
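The two checks described above (forgotten listeners, and sshd restricted to public-key login) can be scripted so the checkup is repeatable. The following is an added example, not code from the original post or from the twisteddaemon checklist; it runs over a constructed sockstat listing and a constructed sshd_config excerpt embedded in the script, and the allow-list of ports (22, 80, 443) is an assumption for the example.

```shell
#!/bin/sh
# Added example (not from the original post): two checks from the server checkup,
# run here over constructed sample input so the script works offline.
set -eu

# Constructed "sockstat -46l" style listing; field 6 is LOCAL ADDRESS, e.g. "*:22".
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     sshd       812   5  tcp6   *:22                  *:*
root     ntpd       640   20 udp4   *:123                 *:*
root     syslogd    520   6  udp4   *:514                 *:*
www      httpd      901   3  tcp4   *:80                  *:*
root     inetd      700   5  tcp4   *:21                  *:*'

# Ports this host is meant to expose (an assumption for the example).
ALLOWED_PORTS='22 80 443'

# Prints "command proto/port" for every listener whose port is not on the allow-list.
unexpected_listeners() {
  printf '%s\n' "$SOCKSTAT_SAMPLE" | awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                          # skip the header line
    {
      port = $6; sub(/.*:/, "", port)         # "*:123" -> "123"
      if (!(port in ok)) printf "%s %s/%s\n", $2, $5, port
    }'
}

# Constructed sshd_config excerpt with one deliberate deviation.
SSHD_CONFIG_SAMPLE='# constructed excerpt
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no'

# Prints one line per keyword that deviates from the expected value, or is missing.
# Keyword matching is case-insensitive so the same function also works on the
# lower-cased effective configuration printed by "sshd -T".
sshd_findings() {
  printf '%s\n' "$SSHD_CONFIG_SAMPLE" | awk '
    BEGIN {
      want["passwordauthentication"]          = "no"
      want["challengeresponseauthentication"] = "no"
      want["pubkeyauthentication"]            = "yes"
      want["permitrootlogin"]                 = "no"
    }
    /^[[:space:]]*#/ || NF < 2 { next }       # comments and blank lines
    {
      k = tolower($1)
      if (k in want) {
        seen[k] = 1
        if (tolower($2) != want[k]) printf "%s is %s, expected %s\n", $1, $2, want[k]
      }
    }
    END { for (k in want) if (!(k in seen)) printf "%s not set explicitly\n", k }'
}
```

On a real FreeBSD host, feed `sockstat -46l` into the first awk program in place of the sample, and `sshd -T` (which prints the effective, lower-cased configuration after all includes and Match blocks) into the second; with the sample above the first function reports ntpd, syslogd and inetd, and the second reports only the PasswordAuthentication deviation.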

In addition to the checklist, Allan also recommended using a tool like denyhosts to reduce ssh door knocking. I’ve never quantified the time being wasted checking the door, but I’m running older hardware and my server log lists several hundred to upwards of a thousand knocks per day, so it may be significant.

Installing denyhosts was pretty simple with the help of On How to Install denyhosts on FreeBSD. The only issue I had was how to include at least one allowed port to prevent accidentally locking myself out. I never connect to the server from a static IP address, and it’s not readily clear to me what addresses would cover my travels around town. However, the server is in the basement, so it’s not an issue so long as I’m not travelling.

I’ll let you know in a couple weeks how my server logs are looking, and if my 2G single-core P4 is feeling less stressed (and behaving snappier).

Other references:

Hosting PHP Apps on Apache using PHP-FPM

Here are notes from some research I did a while back on using php-fpm with Apache and Nginx. dalescott.net will likely never reach traffic levels where it would benefit, so I’m staying with Apache 2.2 and mod_php for now.

php-fpm

  • http://php-fpm.org
    • project site, code now included in php
  • http://php.net/manual/en/install.fpm.php
    • discusses fpm but does not include specific install or config instructions (some posts though)

Apache

  • Google: apache+mod_proxy+fcgi+php
  • Google: apache+php+php-fpm+freebsd
  • TODO: add references etc to blog post on same topic

Project docs

  • http://wiki.apache.org/httpd/PHP-FPM
  • http://httpd.apache.org/docs/current/mod/mod_proxy_fcgi.html
  • http://httpd.apache.org/docs/current/mod/mod_proxy.html

Blogs, tutorials, and forums

  • http://www.howtoforge.com/using-php5-fpm-with-apache-2.4-mod_proxy_fcgi-module-on-fedora-18
  • http://garajau.com.br/blog/2013/12/apache-2-4-and-php-fpm-using-mod_proxy_fcgi
  • http://www.binarytides.com/setup-apache-php-fpm-mod-proxy-fcgi-ubuntu
  • http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
  • http://www.rodrigocalado.com.br/famp-instalando-o-apache-2-4-php-5-5-mysql-5-6-no-freebsd-9-x-9-2-release/
    • Need to translate (Spanish? Italian?)
  • http://www.janoszen.com/2013/04/29/setting-up-apache-with-php-fpm/
  • http://forum.nginx.org/read.php?3,172673
    • nginx forum, but discusses Apache2, php-fpm, FastCGI
    • also see referenced post http://forum.nginx.org/read.php?3,131665,144226#msg-144226
  • http://www.hosting.com/support/linux/configure-apache-to-use-php-fpm/
    • Configure Apache to use PHP-FPM
  • http://funcptr.net/2010/11/14/apache-mod_fastcgi-and-php-with-php-fpm/
  • http://harold.internal.org/tag/freebsd/
    • Apache with PHP-FPM, chroots and per-vhost UIDs
  • http://www.yiiframework.com/doc/guide/1.1/en/quickstart.apache-nginx-config
    • tcp port

Nginx

  • Google: nginx+PHP+php-fpm+freebsd

Blogs, tutorials, and forums

  • http://arstechnica.com/series/web-served
    • nginx, php, php-fpm, ….
    • VERY detailed
    • uses tcp port to communicate with php-fpm
  • http://blog.bobbyallen.me/2013/01/05/install-nginx-mysql-php-apc-and-memcached-on-freebsd-9-0
    • uses tcp port to communicate with php-fpm
    • provides nginx.conf file (downloadable)
    • intended use FuelPHP framework
  • http://blog.secaserver.com/2011/07/freebsd-nginx-php-fastcgi-installation
    • uses tcp port with php-fpm
  • http://fendyhussain.wordpress.com/2012/11/23/freebsd-nginx-with-php5
    • uses fastcgi (not fpm)
  • http://till.klampaeckel.de/blog/archives/44-Nginx+PHP+FastCGI-Testing-your-web-application-with-bleeding-edge-PHP.html
    • uses fastcgi
  • http://www.defcon1.org/html/nginx.html
    • installing nginx with PHP FPM on FreeBSD 8.x-9.0
    • uses fastcgi
  • http://www.howtoforge.com/installing-nginx-with-php5-and-php-fpm-and-mysql-support-lemp-on-debian-wheezy
    • discusses both unix sockets and tcp port config with fpm
  • http://www.howtoforge.com/installing-nginx-with-php5-and-php-fpm-and-mysql-support-lemp-on-ubuntu-12.10
  • http://www.yiiframework.com/wiki/153/using-yii-with-nginx-and-php-fpm
    • describes unix sockets on BSD for better performance (but must use tcp sockets with Linux due to kernel bug/issue)
  • http://www.yiiframework.com/doc/guide/1.1/en/quickstart.apache-nginx-config
    • tcp port
  • http://bin63.com/how-to-install-nginx-and-php-fpm-on-freebsd

Configuring Git

I needed to configure Git on a new server recently (no GUI), and couldn’t remember my typical configuration.

Disable Output Color-Coding

Many developers can’t live without color-coded command-line output, but I find at best it’s hard to read and distracting, and at worst absolutely incomprehensible with high ambient lighting and some screen glare. To disable color-coded command-line output from Git:

$ git config --global color.ui false
$ git config --global color.diff false
$ git config --global color.status false
$ git config --global color.branch false
$ git config --global color.interactive false

Ignore File-Mode Changes

Git may report that executable files (e.g. shell scripts) have been modified based on differences in file mode interpretation between Unix and Windows systems. If the mode of a file is set to executable and committed to a Git repository in a Unix environment, and then the repository cloned into a Windows environment, the file will be reported by Git in Windows as having been modified – based on its mode. This is the result of subtle differences between a Unix file system and a Windows file system. Committing the “modified” file in Windows and pushing the repository changes back to the Unix repository will result in the file not being executable in Unix (until its file mode is set back to executable).

If this is an issue for you, set your Windows global Git config (~/.gitconfig) to ignore file mode changes (but first, check that your global configuration will not be overridden by a repository configuration).

Check your global and local configs:

$ git config --global core.filemode
$ cd gitrepo
$ git config core.filemode

Set configuration to ignore file mode changes:

$ git config --global core.filemode false
$ cd gitrepo
$ git config core.filemode false
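The file-mode behaviour above can be reproduced in a throwaway repository, which also shows why the "check your global and local configs" step matters: a repository-level setting silently wins over the global one. This is an added example, not part of the original post; it assumes a POSIX shell with git installed, and it isolates HOME so the real ~/.gitconfig is never touched.

```shell
#!/bin/sh
# Added example (not from the original post): shows what core.filemode changes,
# using a throwaway repository and an isolated HOME so the real ~/.gitconfig is untouched.
set -eu

# Prints two numbers: files that "git status" reports after a mode-only change,
# first with core.filemode at its default, then with it set to false.
filemode_demo() {
  tmp=$(mktemp -d)
  HOME=$tmp; export HOME                      # global config now lives in $tmp/.gitconfig
  GIT_CONFIG_NOSYSTEM=1; export GIT_CONFIG_NOSYSTEM
  git config --global user.name  "demo"                  # constructed identity
  git config --global user.email "demo@example.invalid"
  git config --global color.ui false                     # as in the post

  git init -q "$tmp/repo"
  cd "$tmp/repo"
  printf '#!/bin/sh\necho hello\n' > run.sh
  chmod 755 run.sh
  git add run.sh
  git commit -q -m "add executable script"

  chmod 644 run.sh                            # mode-only change, like a Windows checkout produces
  before=$(git status --porcelain | wc -l | tr -d ' ')

  git config core.filemode false              # repository-level setting in .git/config
  after=$(git status --porcelain | wc -l | tr -d ' ')

  # Which file supplied the effective value (the repository config wins over --global):
  git config --show-origin core.filemode >&2

  cd /
  rm -rf "$tmp"
  echo "$before $after"
}
```

Calling `filemode_demo` prints `1 0`: the mode-only change is reported as a modification until core.filemode is false. The `--show-origin` line on stderr names `.git/config` as the source, which is the check the post recommends before relying on a `--global` value.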

Flattening a directory structure on Windows

The other day I needed to copy all the files within a hierarchical directory structure in a shared network directory into a single directory. Here’s how I did it.

1) Install the following GnuWin32 utilities from http://gnuwin32.sourceforge.net/packages.html (this is much simpler than …) and add the bin directory (c:\Program Files\GnuWin32\bin) to your PATH environment variable.

  • CoreUtils
  • FindUtils
  • sed

2) Check the shared network directory for files with the same name, and either change names or delete files before copying. My shared network directory is mapped as I:\Share.

C:\>I:
I:\>cd I:\Share
I:\Share>"c:\Program Files\GnuWin32\bin\find.exe" . -type f | sed "s/.*\///" | sort | uniq -d

The full path to “find” is needed because, although the GnuWin32 bin directory is on my command path, the Windows “find” command is found on my path before the GnuWin32 “find”. This can take some time – 15 minutes on a 5-year-old laptop with a shared directory having 170K files and 22K directories!

3) Copy the files into a new “files” directory on X-drive:

I:\Share>mkdir X:\files
I:\Share>cp `find . -type f` X:\files

Done!
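The same find | sed | sort | uniq -d pipeline, plus a flatten step that will not silently overwrite one file with another of the same name, as an added example in POSIX shell (not the commands from the post, which were typed into a Windows prompt with the GnuWin32 ports). It builds a constructed sample tree under a temporary directory, so it runs without a network share.

```shell
#!/bin/sh
# Added example (not from the original post): duplicate-basename check and a
# collision-safe flatten, run against a constructed directory tree.
set -eu

# Print basenames that occur more than once anywhere under $1.
dup_basenames() {
  find "$1" -type f | sed 's/.*\///' | sort | uniq -d
}

# Copy every file under $1 into the single directory $2. A name already present
# in $2 gets a numeric suffix (name.1, name.2, ...) instead of clobbering.
flatten() {
  src=$1; dst=$2
  mkdir -p "$dst"
  find "$src" -type f | while IFS= read -r f; do
    name=${f##*/}
    target="$dst/$name"
    n=0
    while [ -e "$target" ]; do
      n=$((n + 1))
      target="$dst/$name.$n"
    done
    cp "$f" "$target"
  done
}

# Constructed sample tree: two "readme.txt" files in different subdirectories.
# Prints the temporary root it created.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/share/a/deep" "$root/share/b"
  echo alpha > "$root/share/a/readme.txt"
  echo deep  > "$root/share/a/deep/notes.txt"
  echo beta  > "$root/share/b/readme.txt"
  echo gamma > "$root/share/b/other.txt"
  printf '%s\n' "$root"
}

# Walk through the post's steps on the sample tree and print a one-line summary.
demo() {
  root=$(make_sample_tree)
  echo "duplicate names: $(dup_basenames "$root/share" | tr '\n' ' ')"
  flatten "$root/share" "$root/files"
  echo "files in flat dir: $(find "$root/files" -type f | wc -l | tr -d ' ')"
  rm -rf "$root"
}
```

Running `demo` reports `readme.txt` as the only duplicate name and four files in the flat directory (one of the two readme.txt copies lands as readme.txt.1). On the real share, point `dup_basenames` and `flatten` at the mapped directory instead of the sample tree.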

P.S. Thanks to ldenneau for the idea (http://ask.metafilter.com/62308/Easy-Windows-directory-flattening-with-minimal-tools)