Joomla on Raspberry Pi using Nginx, Peter Martin, twitter: @pe7er, www.joomladay.org.za, Sat Oct 19th 2013

Joomla on Raspberry Pi (with Nginx) - Joomladay South Africa 2013


DESCRIPTION

The Raspberry Pi (RPi) is a very small and efficient (3.5 watts) mini Linux computer based on an ARM processor. Originally the single board computer was developed for educational purposes. They expected to sell 10,000 devices in the 1st year. Instead they sold 1 million! Probably due to its versatility and low price ($ 35) it has become an instant success... Connected to a modern TV the RPi functions as a mini computer. Connected to a network it can function as a (web)server. And that's where Joomla fits in... In this presentation, Peter will demonstrate how to set up the RPi as a web server for Joomla: how to use the command line to install & configure Raspbian (Debian Linux optimized for RPi), Nginx (a very fast alternative to the Apache webserver), PHP, MySQL, phpMyAdmin and, of course, Joomla. Finally Peter will show you how to increase your website's security & performance.


Joomla on Raspberry Pi using Nginx

Peter Martin, twitter: @pe7er, www.joomladay.org.za, Sat Oct 19th 2013

Peter Martin – joomladagen.nl – 20+21 april 2013 2Joomladay 2013 South Africa

Overview Presentation

1. Introduction

LAMP Stack:
2. Raspbian
3. Nginx
4. MySQL
5. PHP
6. phpMyAdmin

7. Joomla
8. Performance
9. Security

>>> Sheets at: www.db8.nl <<<

1. Introduction – Raspberry Pi

Goal – education

Today's engineers: computer experience on home computers
Youth of today: computer classes = operate software, click menus and swipe yourself to death ...

1. Introduction – Raspberry Pi

Benefits RPi
– Small
– Dirt cheap: $ 35 → 38 Euro
– Low power (3.5 Watt)
– No moving parts → Silent
– “De facto” standard (2 types)
  Much documentation (Linux & RPi)
  Many documented applications
  Much additional hardware
  Much software

1. Introduction – Raspberry Pi

Hardware
– Single-board computer, 700 MHz
– RAM 512 Mbyte (1st version: 256 Mbyte)
– Graphics: Broadcom VideoCore IV
– Connections:
  SD Card
  Micro USB power plug (5 V 1 A – 3.5 Watt)
  Ethernet
  HDMI & RCA Video
  Audio
  2x USB
  GPIO

1. Introduction – Raspberry Pi

Community
– Use
– Software
– Hardware
– Case


1. Introduction – Raspberry Pi


LAMP Stack

LAMP LEMP Stack

L – Linux → Raspbian (Debian for RPi)
E – Apache → Nginx [“engine x”]
M – MySQL
P – PHP

(phpMyAdmin)


2. Raspbian Linux – Operating System

2. Raspbian

a) Installation
b) Connect to Network
c) Update OS
d) Backup
e) Configuration
f) Internet Access


2a. Raspbian

Download Raspbian Image http://www.raspberrypi.org/downloads

2013-07-26-wheezy-raspbian.zip (518.5 MiB)

Unzip to ~/rpi/2013-07-26-wheezy-raspbian.img (1.8 GB)


2a. Raspbian – Installation SD Card

SD Card http://elinux.org/RPi_Easy_SD_Card_Setup

“gparted”, partition table, unformatted

Determine location: “dmesg”

“dd” = “dump disk”
CAREFUL: “data destroyer” !
– bs=BYTES (read and write BYTES bytes at a time)
– if=FILE (read from FILE instead of stdin)
– of=FILE (write to FILE instead of stdout)

2a. Raspbian – Installation SD Card

$ dmesg
[..]
[45.361488] wlan0: no IPv6 routers present
[265.278325] mmc0: new high speed SDHC card at address 0002
[265.284831] mmcblk0: mmc0:0002   7.68 GiB
[265.284912]  mmcblk0: p1
$

2a. Raspbian – Installation SD Card

Linux:
sudo dd bs=1M if=~/rpi/2013-07-26-wheezy-raspbian.img of=/dev/mmcblk0

Mac OSX:
sudo dd bs=1M if=~/rpi/2013-07-26-wheezy-raspbian.img of=/dev/disk1s1

Windows:
dd bs=1M if=c:\temp\2013-07-26-wheezy-raspbian.img od=e

2a. Raspbian – Installation SD Card

$ sudo dd bs=1M if=~/rpi/2013-07-26-wheezy-raspbian.img of=/dev/mmcblk0
{± 4.5 minutes later}
1850+0 records in
1850+0 records out
1939865600 bytes (1.9 GB) copied, 252.656 s, 7.7 MB/s
$ sudo sync


2b. Raspbian – Connect your RPi

2b. Raspbian – IP Address?

Android / iPhone: Overlook Fing

2b. Raspbian – IP Address?

$ nmap -sP 192.168.0/24
Starting Nmap 5.00 ( http://nmap.org ) at 2013-04-07 14:15 CEST
Host 192.168.0.1 is up (0.0018s latency).
Host 192.168.0.14 is up (0.014s latency).
Host 192.168.0.15 is up (0.010s latency).
Host 192.168.0.16 is up (0.048s latency).
Host 192.168.0.17 is up (0.0092s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.94 seconds


2b. Raspbian – SSH Login

$ ssh [email protected]

The authenticity of host '192.168.0.16 (192.168.0.16)' can't be established.

RSA key fingerprint is 12:11:07:6b:c9:ac:ff:01:7b:2f:aa:a5:ef:02:c7:ff.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.0.16' (RSA) to the list of known hosts.

[email protected]'s password: raspberry


2b. Raspbian – SSH Login

Linux raspberrypi 3.6.11+ #371 PREEMPT Thu Feb 7 16:31:35 GMT 2013 armv6l

The programs included with the Debian GNU/Linux system are free software; [..]

NOTICE: the software on this Raspberry Pi has not been fully configured. Please run 'sudo raspi-config'

pi@raspberrypi ~ $ 

2b. Raspbian – SSH Login

$ sudo raspi-config
1. expand_rootfs – use full capacity SD Card
2. memory_split – shrink RAM GPU to 16 MB
– Update & Change Password
– <Finish>
– reboot

2c. Raspbian – Update!

{update Repository information}
pi@raspberrypi ~ $ sudo apt-get update
{takes ± 30 seconds}

{upgrade Raspbian OS}
pi@raspberrypi ~ $ sudo apt-get upgrade
{takes ± 22 minutes}

2d. Raspbian – Backup SD Card

Shut down securely:
$ sudo shutdown -h now

Remove SD Card & insert in PC

Backup:
$ sudo dd if=/dev/mmcblk0 of=~/rpi/sd-card-rpi-20130421.bin

2e. Raspbian – Hostname

{change hostname @raspberrypi → @rpi}
pi@raspberrypi ~ $ sudo nano /etc/hostname
raspberrypi → rpi

pi@raspberrypi ~ $ sudo nano /etc/hosts
127.0.1.1 raspberrypi → 127.0.1.1 rpi

{restart hostname process}
pi@raspberrypi ~ $ sudo /etc/init.d/hostname.sh start
pi@rpi ~ $

2e. Raspbian – User & Password 1/2

pi@rpi ~ $ sudo passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
pi@rpi ~ $ exit
Logout

ssh [email protected]
{rename user & user directory}
root@rpi ~# usermod -l peter pi
root@rpi ~# usermod -m -d /home/peter peter

2e. Raspbian – User & Password 2/2

{test new account}
ssh [email protected]
peter@rpi ~$ sudo apt-get update

{works ok? Disable root !!!}
peter@rpi ~$ sudo passwd -l root
passwd: password expiry information changed.

peter@rpi ~$ passwd
Changing password for peter.
(current) UNIX password:

2e. Raspbian – Time Zone

peter@rpi ~ $ date
Sun Apr  21 11:15:00 UTC 2013
peter@rpi ~ $ sudo dpkg-reconfigure tzdata
Current default time zone: 'Europe/Amsterdam'
Local time is now:      Sun Apr  7 13:15:00 CEST 2013.
Universal Time is now:  Sun Apr  7 11:15:00 UTC 2013.
peter@rpi ~ $

2f. Raspbian – Internet access

Internet
DNS → domain name “petermartin.nl”
Modem/router: Internet IP: ?.?.?.?

LAN
Raspberry Pi: 192.168.0.x
Modem/router: LAN IP: 192.168.0.1

2f. Raspbian – Internet access

Internet
DNS – “petermartin.nl” “A” record to 1.2.3.4
www.whatsmyip.org: Internet IP: 1.2.3.4

LAN
Raspberry Pi: 192.168.0.9
Modem/router: LAN IP: 192.168.0.1

2f. Raspbian – Internet access

Modem/Router → firewall > Port Forwarding
– SSH traffic = IP 192.168.0.9, port 22
– Web traffic = IP 192.168.0.9, port 80
– Https traffic = IP 192.168.0.9, port 443

Raspberry Pi → Static IP

2f. Raspbian – Static IP Address

peter@rpi ~ $ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0

peter@rpi ~ $ sudo nano /etc/network/interfaces

{change:}
iface eth0 inet dhcp

{to:}
iface eth0 inet static
address 192.168.0.9
netmask 255.255.255.0
gateway 192.168.0.1


3. Nginx webserver

3. Nginx

Nginx [engine ex]
– High performance: Dynamic pages = FAST & Static = very FAST!
– Low memory usage (useful on RPi!)
– Easy configuration
– Automatic configuration test after changes
– Reverse proxy capabilities

Nginx Popularity (netcraft.com May 2013):
– > 100 million sites
– 15.5 % of all sites (Apache 53%, IIS 16.6%)
– Top million busiest websites:
  1. Apache 57.4%
  2. Nginx 13.5%
  3. Microsoft 12.3%


3. Nginx – Popularity

3. Nginx – Installation

peter@rpi ~ $ sudo apt-get install nginx
Reading package lists... Done
[..]
Need to get 2,132 kB of archives.
After this operation, 6,200 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
[..]
Setting up nginx (1.2.1-2.2) ...
peter@rpi ~ $

3. Nginx – Configuration

peter@rpi ~ $ sudo nano /etc/nginx/nginx.conf

user www-data;
worker_processes 1;
pid /var/run/nginx.pid;

peter@rpi ~ $ sudo /etc/init.d/nginx start

3. Nginx – Websites

Browse URL http://192.168.0.9/ or http://petermartin.nl

Result:

Welcome to nginx!

3. Nginx – Virtual domains

Create virtual sites:
1. Location & index.html: /var/www/petermartin.nl/index.html
2. Configuration file for site: /etc/nginx/sites-available/petermartin.nl
3. Activate with symbolic link to config file: /etc/nginx/sites-enabled/petermartin.nl
4. Nginx load new config file: $ sudo /etc/init.d/nginx reload

3. Nginx – Virtual domains

peter@rpi ~ $ sudo nano /var/www/petermartin.nl/index.html

<html>
<head><title>petermartin.nl</title></head>
<body bgcolor="white" text="black">
<center><h1>Welcome to JandBeyond 2013!</h1></center>
<center>Website: petermartin.nl</center>
</body>
</html>

3. Nginx – Virtual domains

peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl

server {
    listen 80;
    server_name petermartin.nl www.petermartin.nl;
    root /var/www/petermartin.nl;

    access_log /var/log/nginx/petermartin.nl.access_log;
    error_log /var/log/nginx/petermartin.nl.error_log info;

    location / {
        index index.php index.html index.htm;
    }
}

3. Nginx – Virtual domains

peter@rpi ~ $ sudo ln -s /etc/nginx/sites-available/petermartin.nl /etc/nginx/sites-enabled/petermartin.nl

peter@rpi ~ $ sudo /etc/init.d/nginx reload
Reloading nginx configuration: nginx.

3. Nginx – Virtual domains

Browser http://192.168.0.9/petermartin.nl

Welcome to JandBeyond 2013!
Website: petermartin.nl

Error?
404 Not Found
nginx/1.2.1

→ Check error log file:
$ cat /var/log/nginx/petermartin.nl.error_log


4. MySQL Database Server

4. MySQL

Joomla 2.5+ = no SQLite driver available

Configuration during installation:
User: root
Password: databasepassword

Secure live site with:
$ sudo mysql_secure_installation

4. MySQL – Installation

peter@rpi ~ $ sudo apt-get install mysql-server
Reading package lists... Done
[..]
Need to get 9,603 kB of archives.
After this operation, 91.1 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
[..]
Setting up mysql-server (5.5.30+dfsg-1)...
Processing triggers for menu ...

peter@rpi ~ $ sudo mysql_secure_installation


5. PHP

5. PHP

php5 + packages:

php5-fpm
– FastCGI Process Manager: interpreter that runs as a daemon and receives Fast/CGI requests

php5-mysql
– modules for MySQL database connections directly from PHP scripts

php5-cli
– command-line interpreter

php5-curl
– library for getting files from FTP & HTTP server

5. PHP – Installation

peter@rpi ~ $ sudo apt-get install php5-fpm php5-mysql
Reading package lists... Done
[..]
Setting up php5 (5.4.4-14)...
Processing triggers for php5-fpm...
[ ok ] Restarting PHP5 FastCGI Process Manager: php5-fpm.
peter@rpi ~ $

5. PHP – configuration petermartin.nl

pi@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl

add:

location ~ \.php$ {
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
}

5. PHP – Result

Test with phpinfo();
$ sudo nano /var/www/petermartin.nl/test.php
with the code:
<?php
echo "test";
phpinfo();
?>

Use browser to open file http://192.168.0.9/petermartin.nl/test.php


6. phpMyAdmin

6. phpMyAdmin

Database GUI
– http://192.168.0.9/phpmyadmin/

Secure:
– Add to one virtual domain only → 1 should be enough!
– Limit to 1 IP address

6. phpMyAdmin – Installation

peter@rpi ~ $ sudo apt-get install phpmyadmin
Reading package lists... Done
[..]
Need to get 6,092 kB of archives.
After this operation, 16.6 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
[..]
Web server to reconfigure automatically: none
Configure database for phpmyadmin with dbconfig-common? N
Creating config file /etc/phpmyadmin/config-db.php with new version
peter@rpi ~ $

6. phpMyAdmin – config petermartin.nl

peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl

location /phpmyadmin {
    root /usr/share/;
    index index.php index.html index.htm;
    location ~ ^/phpmyadmin/(.+\.php)$ {
        try_files $uri =404;
        root /usr/share/;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
    location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
        root /usr/share/;
    }
}
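
The phpMyAdmin PHP location above starts with try_files $uri =404;, while the site's general "location ~ \.php$" block from section 5 does not, so that block hands any URI ending in .php to PHP-FPM even when no such file exists. The check below is an added example, not part of the original slides: it lists the PHP locations in a site file that lack the guard. The function names are hypothetical and the sample file is assembled from the server blocks shown on these slides.

```sh
#!/bin/sh
# Added example (not from the slides): find regex locations that pass *.php
# requests to FastCGI without a try_files existence check.

# php_locations_without_try_files FILE
#   Prints "<line>: <location header>" for each unguarded block.
#   Assumes one directive per line and no braces inside location regexes.
php_locations_without_try_files() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)                 # drop comments
            opens  = gsub(/[{]/, "{", line)      # count braces on this line
            closes = gsub(/[}]/, "}", line)
            # A regex location whose pattern contains a literal "\.php"
            if (!inblock && opens > 0 && line ~ /location[ \t]+~/ && line ~ /\\\.php/) {
                inblock = 1; start = depth; guarded = 0
                header = $0; sub(/^[ \t]+/, "", header)
                header = NR ": " header
            }
            if (inblock && line ~ /try_files/) guarded = 1
            depth += opens - closes
            if (inblock && depth <= start) {     # the block has closed
                if (!guarded) print header
                inblock = 0
            }
        }
    ' "$1"
}

# write_sample_site FILE: the petermartin.nl server block as built up on the slides.
write_sample_site() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    server_name petermartin.nl www.petermartin.nl;
    root /var/www/petermartin.nl;

    location / {
        index index.php index.html index.htm;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location /phpmyadmin {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/phpmyadmin/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
        }
    }
}
EOF
}

# write_guarded_site SRC DST: copy of the sample with the guard added to the
# block that starts on line 10 of the sample.
write_guarded_site() {
    awk 'NR == 10 { print; print "        try_files $uri =404;"; next } { print }' "$1" > "$2"
}

demo_site=$(mktemp)
write_sample_site "$demo_site"
php_locations_without_try_files "$demo_site"    # prints: 10: location ~ \.php$ {
rm -f "$demo_site"
```
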

6. phpMyAdmin – config petermartin.nl

peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl

{Limit access to only one IP address?}

location /phpmyadmin {
    root /usr/share/;
    index index.php index.html index.htm;
    allow   4.3.2.1;
    deny    all;
    location ~ ^/phpmyadmin/(.+\.php)$ {


7. Joomla


7. Joomla

Download Joomla to RPi using wget

Create database, e.g. use phpMyAdmin http://192.168.0.9/phpmyadmin/ database: “petermartin”

Use browser to start Joomla's web installer

7. Joomla – Installation petermartin.nl

peter@rpi ~ $ cd /var/www/petermartin.nl

peter@rpi ~ $ sudo wget http://joomlacode.org/gf/download/frsrelease/18323/80368/Joomla_3.1.1-Stable-Full_Package.zip

peter@rpi ~ $ sudo unzip -x Joomla_3.1.1-Stable-Full_Package.zip

7. Joomla – Installation petermartin.nl

Webinstaller http://192.168.0.9/petermartin.nl/

– configuration.php Writeable: No
→ solve permission problem:
$ sudo chown -R www-data:www-data /var/www/petermartin.nl

SEF links: .htaccess
→ virtual domain configuration:
try_files $uri $uri/ /index.php?q=$request_uri;

7. Joomla – SEF URLs

peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl

location / {
    index index.php index.html index.htm;
    try_files $uri $uri/ /index.php?q=$request_uri;
}


8. Performance

8. Performance

“The need for speed”
– Visitors + Google indexing

Test different configurations
– Server settings, Joomla settings, Joomla Extensions (Templates + Plugins)

Testing, testing, one, two
– Joomla! Debug Console > Profile Information
– Browser plugins, e.g. YSlow

8. Performance

Test: Refresh (3x) new setting > Refresh (3x) & compare

8. Performance – 10 ways to optimize

1. Nginx + PHP-FPM

8. Performance – Nginx + PHP-FPM

PHP-FPM
– Socket vs Port?
  fastcgi_pass unix:/var/run/php5-fpm.sock;
  fastcgi_pass 127.0.0.1:9000;

“socket connections are around 10-15% faster than TCP/IP connections because it saves the passing the data over the different layers of TCP/IP stack”

8. Performance – 10 ways to optimize

1. Nginx + PHP-FPM
2. Joomla gzip

8. Performance – Joomla gzip

Before
– 1. Application 2.517 seconds (+0.037); 4.67 MB (+0.035) - afterRender

After Global Configuration > Server > Gzip Page Compression
– 1. Application 3.009 seconds (+0.038); 4.67 MB (+0.035) - afterRender
– 2. Application 2.503 seconds (+0.037); 4.67 MB (+0.035) - afterRender

8. Performance – 10 ways to optimize

1. Nginx + PHP-FPM
2. Joomla gzip
3. Joomla cache

8. Performance – Joomla cache

Before
– Application 2.707 seconds (+0.037); 4.67 MB (+0.035) - afterRender

After Global Configuration > System > Cache* > ON Progressive caching
– 1. Application 2.718 seconds (+0.051); 4.69 MB (-0.027) - afterRender
– 2. Application 1.543 seconds (+0.114); 4.02 MB (+0.051) - afterRender
– 3. Application 1.426 seconds (+0.265); 3.95 MB (+0.334) - afterRender

8. Performance – 10 ways to optimize

1. Nginx + PHP-FPM
2. Joomla gzip
3. Joomla cache
4. Nginx gzip

8. Performance – Nginx gzip

pi@rpi ~ $ sudo nano /etc/nginx/nginx.conf

# Gzip Settings
gzip on;
gzip_static on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 512;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml;

8. Performance – Nginx gzip

Before
– Application 1.447 seconds (+0.274); 3.95 MB (+0.334) - afterRender

After gzip in Nginx
1. Application 1.421 seconds (+0.267); 3.95 MB (+0.334) - afterRender
2. Application 1.436 seconds (+0.274); 3.95 MB (+0.334) - afterRender

8. Performance – 10 ways to optimize

1. Nginx + PHP-FPM
2. Joomla gzip
3. Joomla cache
4. Nginx gzip
5. Nginx cache

8. Performance – Nginx cache

pi@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl

server {
    # caching of files
    location ~* \.(ico|pdf|flv)$ {
        expires 1y;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
        expires 14d;
    }
}

8. Performance – Nginx cache

Before
– Application 1.459 seconds (+0.301); 3.95 MB (+0.334) - afterRender

After
1. Application 1.464 seconds (+0.308); 3.95 MB (+0.334) - afterRender
2. Application 1.459 seconds (+0.299); 3.95 MB (+0.334) - afterRender

8. Performance – 10 ways to optimize

1. Nginx + PHP-FPM
2. Joomla gzip
3. Joomla cache
4. Nginx gzip
5. Nginx cache
6. APC

8. Performance – Alternative PHP Cache

pi@rpi ~ $ sudo apt-get install php-apc php-pear php5-dev build-essential libpcre3-dev

{Settings in PHP.ini}
pi@rpi ~ $ sudo pear config-set php_ini /etc/php5/fpm/php.ini
pi@rpi ~ $ sudo pecl config-set php_ini /etc/php5/fpm/php.ini

{Download/compile/install APC}
pi@rpi ~ $ sudo pecl install apc

8. Performance – Alternative PHP Cache

Before
– Application 1.459 seconds (+0.299); 3.95 MB (+0.334) - afterRender

After install APC restart nginx AND php-fpm!!!
– $ sudo /etc/init.d/nginx restart
– $ sudo /etc/init.d/php5-fpm reload

– 1. Application 1.813 seconds (+0.311); 4.52 MB (+0.403) - afterRender
– 2. Application 0.696 seconds (+0.198); 2.00 MB (+0.148) - afterRender
– 3. Application 0.727 seconds (+0.221); 2.00 MB (+0.148) - afterRender

8. Performance – Alternative PHP Cache

APC GUI
$ sudo cp /usr/share/doc/php-apc/apc.php /var/www/petermartin.nl/apc.php

8. Performance – 10 ways to optimize

1. Nginx + PHP-FPM
2. Joomla gzip
3. Joomla cache
4. Nginx gzip
5. Nginx cache
6. APC
7. JCH Optimize / jbetolo

8. Performance – Joomla Plugins

Less data traffic:
– Combine CSS / JavaScript
– Minify CSS / JavaScript
– Gzip CSS / JavaScript

Joomla Plugins, e.g.
– JCH Optimize
– Jbetolo
– Yireo Script Merge

Plugins vs manual

8. Performance – Joomla Plugins

JCH Optimize, before
– Application 0.772 seconds (+0.071); 2.03 MB (-0.080) - afterRender

After
1. Application 0.864 seconds (+0.341); 2.06 MB (+0.177) - afterRender
2. Application 1.723 seconds (+0.170); 2.43 MB (-0.019) - afterRender
3. Application 1.016 seconds (+0.118); 2.08 MB (-0.029) - afterRender
4. Application 0.691 seconds (+0.217); 2.05 MB (+0.172) - afterRender

8. Performance – Joomla Plugins

jbetolo, before
– Application 0.620 seconds (+0.165); 2.00 MB (+0.148) - afterRender

After
1. Application 1.810 seconds (+1.234); 2.31 MB (+0.233) - afterRender
2. Application 0.751 seconds (+0.222); 2.27 MB (+0.193) - afterRender
3. Application 0.769 seconds (+0.223); 2.27 MB (+0.193) - afterRender

8. Performance – 10 ways to optimize

1. Nginx + PHP-FPM
2. Joomla gzip
3. Joomla cache
4. Nginx gzip
5. Nginx cache
6. APC
7. JCH Optimize / jbetolo
8. Memcached

8. Performance – Memcached

pi@rpi ~ $ sudo apt-get install memcached php5-memcache

{Download/compile/install memcache}
pi@rpi ~ $ sudo pecl install memcache

{Reboot}
pi@rpi ~ $ sudo service nginx restart
pi@rpi ~ $ sudo service mysql restart
pi@rpi ~ $ sudo service php5-fpm restart
pi@rpi ~ $ sudo service memcached restart

8. Performance – Memcached

Before
– Application 0.677 seconds (+0.198); 2.00 MB (+0.148) - afterRender

After
1. Application 1.673 seconds (+0.320); 4.52 MB (+0.403) - afterRender
2. Application 0.721 seconds (+0.199); 2.00 MB (+0.148) - afterRender
3. Application 0.705 seconds (+0.211); 2.00 MB (+0.148) - afterRender
4. Application 0.678 seconds (+0.199); 2.00 MB (+0.148) - afterRender

8. Performance – 10 ways to optimize

1. Nginx + PHP-FPM
2. Joomla gzip
3. Joomla cache
4. Nginx gzip
5. Nginx cache
6. APC
7. JCH Optimize / jbetolo
8. Memcached
9. Overclocking


8. Performance – Overclocking

$ sudo raspi-config

8. Performance – Overclocking

Before
– Application 0.678 seconds (+0.210); 2.00 MB (+0.151) - afterRender

After
– Application 0.649 seconds (+0.171); 2.05 MB (+0.153) - afterRender
– Application 0.579 seconds (+0.169); 2.00 MB (+0.151) - afterRender
– Application 0.596 seconds (+0.167); 2.00 MB (+0.151) - afterRender
– Application 0.620 seconds (+0.167); 2.00 MB (+0.151) - afterRender
– Application 0.583 seconds (+0.167); 2.00 MB (+0.151) - afterRender

8. Performance – 10 ways to optimize

1. Nginx + PHP-FPM
2. Joomla gzip
3. Joomla cache
4. Nginx gzip
5. Nginx cache
6. APC
7. JCH Optimize / jbetolo
8. Memcached
9. Overclocking
10. Cryogenics

8. Performance – Cryogenics

Superconducting computers
– Superconductivity in certain materials when cooled below a characteristic critical temperature

Cool down RPi?
– Fridge: RPi = small, but not enough room for beer :-(
– Not cool enough... < 123 K ( = −150 °C, −238 °F)

Liquid nitrogen or liquid helium?
– Couldn't decide which...

Performance gain when cooling down: N/A

8. Performance – My RPi

Every server/site different configuration for performance

My RPi:
– PHP-FPM: fastcgi_pass to Unix Socket (not IP+port)
– Joomla: (progressive) cache (2.7 -> 1.4 sec)
– Alternative PHP Cache (1.4 -> 0.7 sec)


9. Security

9. Security – 10 Aspects

1. Change default username “pi” & password
2. Backup !!!
3. Study logfiles (e.g. with “Logwatch”)

9. Security – ssh logfiles

/var/log/auth.log
Apr 8 22:49:01 rpi sshd[10812]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 8 22:49:01 rpi sshd[10812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root
Apr 8 22:49:04 rpi sshd[10812]: Failed password for root from 59.175.148.95 port 43066 ssh2
Apr 8 22:49:04 rpi sshd[10812]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth]
Apr 8 22:49:07 rpi sshd[10816]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 8 22:49:07 rpi sshd[10816]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root
Apr 8 22:49:09 rpi sshd[10816]: Failed password for root from 59.175.148.95 port 44636 ssh2
Apr 8 22:49:10 rpi sshd[10816]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth]
Apr 8 22:49:13 rpi sshd[10820]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 8 22:49:13 rpi sshd[10820]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root
Apr 8 22:49:15 rpi sshd[10820]: Failed password for root from 59.175.148.95 port 46051 ssh2
Apr 8 22:49:16 rpi sshd[10820]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth]
Apr 8 22:49:19 rpi sshd[10824]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 8 22:49:19 rpi sshd[10824]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root
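
Reading such a log by eye does not scale, so the following added example (not part of the original slides) counts "Failed password" lines per source address and lists the addresses above a threshold. The function names are hypothetical and the sample log is constructed for this example, using documentation address ranges.

```sh
#!/bin/sh
# Added example (not from the slides): count failed SSH password attempts per
# source address in an auth.log that uses the sshd format shown above.

# failed_ssh_by_ip FILE
#   Prints "<count> <ip>" per source address, highest count first.
#   The address is read from the fixed tail "from <ip> port <n> ssh2", because
#   the user name in front of it is chosen by the client and may contain spaces.
failed_ssh_by_ip() {
    awk '
        / sshd\[[0-9]+\]: Failed password for / {
            if ($(NF - 4) == "from" && $(NF - 2) == "port") count[$(NF - 3)]++
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# ssh_offenders FILE MIN
#   Prints every source address with at least MIN failed attempts.
ssh_offenders() {
    failed_ssh_by_ip "$1" | awk -v min="$2" '$1 >= min { print $2 }' | sort
}

# write_sample_log FILE: constructed sample, not taken from a real system.
# The 22:50:01 line carries a user name that itself contains "from ... port".
write_sample_log() {
    cat > "$1" <<'EOF'
Apr  8 22:49:01 rpi sshd[10812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Apr  8 22:49:04 rpi sshd[10812]: Failed password for root from 203.0.113.7 port 43066 ssh2
Apr  8 22:49:04 rpi sshd[10812]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Apr  8 22:49:09 rpi sshd[10816]: Failed password for root from 203.0.113.7 port 44636 ssh2
Apr  8 22:49:15 rpi sshd[10820]: Failed password for root from 203.0.113.7 port 46051 ssh2
Apr  8 22:49:40 rpi sshd[10826]: Failed password for invalid user test from 198.51.100.20 port 51514 ssh2
Apr  8 22:50:01 rpi sshd[10830]: Failed password for invalid user a from 192.0.2.99 port 1 ssh2 from 203.0.113.7 port 47001 ssh2
Apr  8 22:51:12 rpi sshd[10841]: Accepted password for peter from 192.168.0.14 port 50022 ssh2
EOF
}

demo_log=$(mktemp)
write_sample_log "$demo_log"
failed_ssh_by_ip "$demo_log"
echo "3 or more failures: $(ssh_offenders "$demo_log" 3)"
rm -f "$demo_log"
```
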

9. Security – ssh logfiles

peter@rpi ~$ whois 59.175.148.95
% [whois.apnic.net node-5]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum: 59.174.0.0 – 59.175.255.255
netname: CHINANET-HB
descr: CHINANET Hubei province network
descr: Data Communication Division
descr: China Telecom
country: CN

role: CHINANET HB ADMIN
address: 8th floor of JinGuang Building
address: #232 of Macao Road
address: HanKou Wuhan Hubei Province
address: P.R.China
country: CN
phone: +86 27 82862199
fax-no: +86 27 82861499
e-mail: [email protected]
remarks: send spam reports to [email protected]
remarks: and abuse reports to [email protected]
remarks: Please include detailed information and
remarks: times in GMT+8

9. Security – 10 Aspects

1. Change default username “pi” & password
2. Backup !!!
3. Study logfiles (e.g. with “Logwatch”)
4. Block ssh root login !
5. Block portscans -> Firewall

Peter Martin – joomladagen.nl – 20+21 april 2013 99Joomladay 2013 South Africa

9. Security – Firewall

{check Firewall}
peter@rpi ~$ sudo iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

{create rules for Firewall}

peter@rpi ~$ sudo nano /etc/iptables.firewall.rules


9. Security – Configure Firewall 1/2

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

9. Security – Configure Firewall 2/2

#  Allow SSH connections
#  The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

9. Security – Activate Firewall 1/2

{activate Firewall}
peter@rpi ~$ sudo iptables-restore < /etc/iptables.firewall.rules

{check Firewall}
peter@rpi ~$ sudo iptables -L

Chain INPUT (policy ACCEPT)
target prot opt  source destination
ACCEPT all  -- anywhere anywhere
REJECT all  -- anywhere loopback/8 reject-with icmp-port-unreachable
ACCEPT all  -- anywhere anywhere state RELATED, ESTABLISHED
ACCEPT tcp  -- anywhere anywhere tcp dpt:http
LOG all  -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all  -- anywhere anywhere
[..]

9. Security – Activate Firewall 2/2

{script: activate Firewall at reboot}
peter@rpi ~$ sudo nano /etc/network/if-pre-up.d/firewall

{put in /etc/network/if-pre-up.d/firewall}
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

{set script permissions}
peter@rpi ~$ sudo chmod +x /etc/network/if-pre-up.d/firewall

9. Security – Automate Firewall


9. Security – Fail2Ban

Scan logfiles & take action automatically

“Jail” configuration
– If an entry in logfile matches “filter”
– “n” times
– Put IP on blocklist for “x” minutes

/etc/fail2ban/jail.conf → default
/etc/fail2ban/jail.local → “override”

Filters: /etc/fail2ban/filter.d/
– Regex “ROOT LOGIN REFUSED”, “POSSIBLE BREAK-IN ATTEMPT!”, “Failed password” etc...

9. Security – Fail2Ban

{install Fail2Ban}
peter@rpi ~$ sudo apt-get install fail2ban
Reading package lists... Done
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 340 kB of archives.

{check failed login attempts}
peter@rpi ~$ cat fail2ban.log
2013-04-09 16:45:59,000 fail2ban.actions: WARNING [ssh] Ban 9.8.7.6

{check Firewall}
peter@rpi ~$ sudo iptables -L

Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all  --  test123.example.com anywhere
RETURN all  --  anywhere anywhere

9. Security – 10 Aspects

1. Change default username “pi” & password
2. Backup !!!
3. Study logfiles (e.g. with “Logwatch”)
4. Block ssh root login !
5. Block portscans -> Firewall
6. Block scriptkiddies

9. Security – Webserver access logs

/var/log/nginx/petermartin.nl.access_log
198.7.57.74 - - [30/Mar/2013:16:47:49 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 1565 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:53 +0100] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:53 +0100] "GET /scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:54 +0100] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin1/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /web/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /php-my-admin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /websql/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /sqlmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /mysqlmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /p/m/a/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /pma2005/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /phpmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /php-myadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /webdb/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /websql/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"

9. Security – Fail2Ban configuration

{no w00tw00t for you ;-)}
peter@rpi ~$ sudo nano /etc/fail2ban/filter.d/nginx-w00tw00t.conf

# Fail2Ban configuration file
# Author: Peter Martin
# $Revision: 001 $

[Definition]

# Option:  failregex
# Dots are escaped so that they match a literal "." in the requested file name.
failregex = ^<HOST> -.*GET.*(w00tw00t|setup\.php|wp-login\.php)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

9. Security – Fail2Ban configuration

{activate nginx-w00tw00t filter}
peter@rpi ~$ sudo nano /etc/fail2ban/jail.local

[nginx-w00tw00t]
enabled = true
port    = http,https
filter = nginx-w00tw00t
logpath = /var/log/nginx/*access_log
maxretry = 0
bantime = 600

{restart Fail2Ban}
peter@rpi ~$ sudo /etc/init.d/fail2ban restart
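{added example, not part of the original slides: checking a failregex against log lines before the jail goes live}
The sketch below expands <HOST> with a simplified IPv4 pattern, runs the filter over constructed access-log lines and lists the hosts a jail would ban. STRICT_REGEX, the helper names, the sample addresses and the handling of maxretry are assumptions made for this example.

```python
import re
from collections import Counter

# Simplified stand-in for Fail2Ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The filter from the slide, with the literal dots escaped.
SLIDE_REGEX = r"^<HOST> -.*GET.*(w00tw00t|setup\.php|wp-login\.php)"
# Hypothetical tighter variant: the probe string must be in the request path,
# and POST/HEAD requests are covered as well.
STRICT_REGEX = (r'^<HOST> - \S+ \[[^\]]+\] "(?:GET|POST|HEAD) '
                r'[^" ]*(w00tw00t|setup\.php|wp-login\.php)')

# Constructed sample lines in nginx "combined" format (documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Mar/2013:16:47:49 +0100] "GET /w00tw00t.at.example HTTP/1.1" 404 1565 "-" "ZmEu"
203.0.113.7 - - [30/Mar/2013:16:47:52 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu"
198.51.100.20 - - [30/Mar/2013:16:50:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.33 - - [30/Mar/2013:16:51:12 +0100] "GET /blog HTTP/1.1" 200 812 "http://example.org/wp-login.php" "Mozilla/5.0"
192.0.2.99 - - [30/Mar/2013:16:52:40 +0100] "POST /wp-login.php HTTP/1.1" 404 47 "-" "curl/7.26"
"""


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the result as a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST))


def hosts_to_ban(failregex, log_text, maxretry=0):
    """Return the hosts whose count of matching lines reaches the threshold."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    # Assumption of this sketch: maxretry = 0 means "ban on the first match".
    threshold = max(maxretry, 1)
    return sorted(host for host, count in hits.items() if count >= threshold)


if __name__ == "__main__":
    # The slide regex also bans 198.51.100.33, whose Referer merely mentions
    # wp-login.php, and misses the POST probe from 192.0.2.99.
    print("slide regex :", hosts_to_ban(SLIDE_REGEX, SAMPLE_LOG))
    print("strict regex:", hosts_to_ban(STRICT_REGEX, SAMPLE_LOG))
```

On the Pi itself, fail2ban-regex takes a log file and a filter file and reports how many lines the installed filter matches.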


9. Security – 10 Aspects

1. Change default username “pi” & password
2. Backup !!!
3. Study logfiles (e.g. with “Logwatch”)
4. Block ssh root login !
5. Block portscans -> Firewall
6. Block scriptkiddies
7. SSL certificate for /administrator/
8. Block phpmyadmin (allow 1 specified IP)
9. Backup !!!
10. Passwordless login? SSH shared keys

No time left for:

Send Email from RPi:
– Joomla's notifications & contact forms
– Logwatch mails

→ Exim MTA (Mail Transfer Agent)


Questions?

Presentation is available at www.db8.nl

Peter Martin
e-mail: info at db8.nl
website: www.db8.nl

Used photos

Chinese Raspberry Pie nr.1 1 - Koen Mol http://www.sxc.hu/photo/346723

Switched On Tech Design - www.sotechdesign.com.au

Bricks - Sharlene Jackson http://www.sxc.hu/photo/759981

Hotrod Dash - Peter Mazurek http://www.sxc.hu/photo/1341923

Greased Lightnin' - Donald Cook http://www.sxc.hu/photo/690214

File Overload - Bob Smith http://www.sxc.hu/photo/367985

Rusted Gears - Angelo Rosa http://www.sxc.hu/photo/1365696

Man Made - "csremedy" http://www.sxc.hu/photo/1267108

digital world - ilker http://www.sxc.hu/photo/1206711

Crazy Man in Shower - scott adams http://www.sxc.hu/photo/760765

laptop 2 - emre nacigil http://www.sxc.hu/photo/810741

Speedometer – Abdulhamid AlFadhly http://www.sxc.hu/photo/1390189

Secure - Frank Köhne http://www.sxc.hu/photo/962334

Professor Tiger - Gabriel Doyle http://www.sxc.hu/photo/526749

signs signs - Jason Antony, http://www.sxc.hu/photo/751034

Face - Questions - Bob Smith, http://www.sxc.hu/photo/418215