Joomla & Raspberry Pi

Peter Martin, twitter: @pe7er www.joomladay.de, Sat Sept 14th 2013

Overview Presentation
1. Introduction LAMP Stack: 2. Raspbian 3. Nginx 4. MySQL 5. PHP 6. phpMyAdmin

>>>Sheetsat:www.db8.nl<<<

7. Joomla 8. Performance 9. Security

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 2

1. Introduction Raspberry Pi
Goal education Today's engineers: computer experience on home computers youth of today: computer classes = operate software, click menus and swipe yourself to death ...

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 3

1. Introduction Raspberry Pi
Benefits

Rpi

small

Dirt cheap: $ 35 38 Euro Low power (3.5 Watt) No moving parts Silent De facto standard (2 types)
Much

documentation (Linux & RPi) Many documented applications Much additional hardware Many software

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 4

1. Introduction Raspberry Pi
Hardware

Single-board computer, 700 Mhz RAM 512 Mbyte (1st version: 256 Mbyte) Graphics: Broadcom VideoCore IV Connections:
SD

Card Micro USB powerplug (5v 1A 3,5 Watt) Ethernet HDMI & RCA Video Audio 2x USB GPIO

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 5

1. Introduction Raspberry Pi
Community

Use Software Hardware Case

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 6

LAMP Stack

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 7

LAMP LEMP Stack

L E M P Linux Raspbian (Debian for Rpi) Apache Nginx [engine x] MySQL PHP

(phpMyAdmin)

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 8

2. Raspbian Linux Operating System

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 9

2. Raspbian
a)Installation b)Connect to Network c) Update OS d)Backup e)Configuration f) Internet Access

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 10

2a. Raspbian
Download

Raspbian Image http://www.raspberrypi.org/downloads (518.5 MiB)

2013-07-26-wheezy-raspbian.zip Unzip

to ~\rpi\2013-07-26-wheezy-raspbian.img (1.8 GB)

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 11

2a. Raspbian Installation SD Card

SD Card http://elinux.org/RPi_Easy_SD_Card_Setup gparted, partition table, unformatted
Determine dd

location: dmesg

= dump disk CAREFUL: data destroyer !

bs=BYTES (read and write BYTES bytes at a time) if=FILE (read from FILE instead of stdin) of=FILE (write to FILE instead of stdout)

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 12

2a. Raspbian Installation SD Card

$dmesg [..] [45.361488]wlan0:noIPv6routerspresent [265.278325]mmc0:newhighspeedSDHC cardataddress0002 [265.284831]mmcblk0:mmc0:00027.68GiB [265.284912]mmcblk0:p1 $

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 13

2a. Raspbian Installation SD Card

Linux:

sudo dd bs=1M if=~/rpi/2013-07-26-wheezyraspbian.img of=/dev/mmcblk0 OSX: sudo dd bs=1M if=~/rpi/2013-07-26-wheezyraspbian.img of=/dev/disk1s1 dd bs=1M if=c:\temp\2013-07-26-wheezyraspbian.img od=e
Joomladay 2013 Germany 14

Mac

Windows:

Peter Martin joomladagen.nl 20+21 april 2013

2a. Raspbian Installation SD Card

$sudoddbs=1Mif=~/rpi/20130726 wheezyraspbian.imgof=/dev/mmcblk0 {+4.5minuteslater} 1850+0recordsin 1850+0recordsout 1939865600bytes(1.9GB)copied, 252.656s,7.7MB/s $sudosync

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 15

2b. Raspbian Connect your RPi

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 16

2b. Raspbian IP Address?

Android

/ iPhone: Overlook Fing

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 17

2b. Raspbian IP Address?

$nmapsP192.168.0/24 StartingNmap5.00(http://nmap.org)at 2013040714:15CEST Host192.168.0.1isup(0.0018slatency). Host192.168.0.14isup(0.014slatency). Host192.168.0.15isup(0.010slatency). Host192.168.0.16isup(0.048slatency). Host192.168.0.17isup(0.0092slatency). Nmapdone:256IPaddresses(5hostsup) scannedin2.94seconds $
Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 18

2b. Raspbian SSH Login

[email protected] Theauthenticityofhost'192.168.0.16 (192.168.0.16)'can'tbeestablished. RSAkeyfingerprintis 12:11:07:6b:c9:ac:ff:01:7b:2f:aa:a5:ef:02: c7:ff. Areyousureyouwanttocontinue connecting(yes/no)?yes Warning:Permanentlyadded'192.168.0.16' (RSA)tothelistofknownhosts. [email protected]'spassword:raspberry
Joomladay 2013 Germany 19

Peter Martin joomladagen.nl 20+21 april 2013

2b. Raspbian SSH Login

Linuxraspberrypi3.6.11+#371PREEMPT ThuFeb716:31:35GMT2013armv6l TheprogramsincludedwiththeDebian GNU/Linuxsystemarefreesoftware; [..] NOTICE:thesoftwareonthisRaspberryPi hasnotbeenfullyconfigured.Pleaserun 'sudoraspiconfig' pi@raspberrypi~$
Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 20

2b. Raspbian SSH Login

$ sudo raspi-config
1.expand_rootfs use full capacity SD Card 2.memory_split shrink RAM GPU to 16 MB Update & Change Password <Finish> reboot

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 21

2c. Raspbian Update!

{updateRepositoryinformation} pi@raspberrypi~$sudoaptgetupdate {takes30seconds} {upgradeRaspbianOS} pi@raspberrypi~$sudoaptgetupgrade {takes22minutes}

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 22

2d. Raspbian Backup SD Card

Shut

down securely: $ sudo shutdown -h now SD Card & in PC

Remove Backup:

$ sudo dd if=/dev/mmcblk0 of=~/rpi/sd-cardrpi-20130914.bin

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 23

2e. Raspbian Hostname

{changehostname@raspberrypi@rpi} pi@raspberrypi~$sudonano/etc/hostname raspberrypirpi pi@raspberrypi~$sudonano/etc/hosts 127.0.1.1raspberrypi127.0.1.1rpi {restarthostnameprocess} pi@raspberrypi~$sudo /etc/init.d/hostname.shstart pi@rpi~$

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 24

2e. Raspbian User & Password 1/2

pi@rpi~$sudopasswdroot EnternewUNIXpassword: RetypenewUNIXpassword: passwd:passwordupdatedsuccessfully pi@rpi~$exit Logout [email protected] {renameuser&userdirectory} root@rpi~#usermodlpeterpi root@rpi~#usermodmd/home/peterpeter

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 25

2e. Raspbian User & Password 2/2

{testnewaccount} [email protected] peter@rpi~$sudoaptgetupdate {worksok?Disableroot!!!} peter@rpi~$sudopasswdlroot passwd:passwordexpiryinformationchanged. peter@rpi~$passwd Changingpasswordforpeter. (current)UNIXpassword:

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 26

2e. Raspbian Time Zone

peter@rpi~$date SunApr2111:15:00UTC2013 peter@rpi~$sudodpkgreconfiguretzdata Currentdefaulttimezone: 'Europe/Amsterdam' Localtimeisnow:SunApr7 13:15:00CEST2013. UniversalTimeisnow:SunApr7 11:15:00UTC2013. peter@rpi~$

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 27

2f. Raspbian Internet access

Internet

Internet DNS > domain name petermartin.nl

LAN Raspberry Pi 192.168.0.x

Modem/router: Internet IP: ?.?.?.?

Peter Martin joomladagen.nl 20+21 april 2013

Modem/router: LAN IP: 192.168.0.1

Joomladay 2013 Germany 28

2f. Raspbian Internet access

Internet

Internet DNS petermartin.nl A record to 1.2.3.4

LAN Raspberry Pi 192.168.0.9

www.whatsmyip.org Internet IP: 1.2.3.4

Peter Martin joomladagen.nl 20+21 april 2013

Modem/router: LAN IP: 192.168.0.1

Joomladay 2013 Germany 29

2f. Raspbian Internet access

Modem/Router

firewall > Port Forwarding

SSH traffic = IP 192.168.0.9, port 22 Web traffic = IP 192.168.0.9, port 80 Https traffic= IP 192.168.0.9, port 443

Raspberry

Pi Static IP

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 30

2f. Raspbian Static IP Address

peter@rpi~$route
KernelIProutingtable DestinationGatewayGenmaskFlagsMetricRefUseIface default192.168.0.10.0.0.0UG000eth0 192.168.0.0*255.255.255.0U000eth0

peter@rpi~$sudonano/etc/network/interfaces {change:} ifaceeth0inetdhcp {to:} ifaceeth0inetstatic address192.168.0.9 netmask255.255.255.0 gateway192.168.0.1

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 31

3. Nginx webserver

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 32

3. Nginx

Nginx [engine ex]

High performance:
Dynamic pages = FAST & Static = very FAST!

Low memory usage (useful on Rpi!) Easy configuration Automatic configuration test after changes Reverse proxy capabilities

Nginx Popularity (netcraft.com May 2013):

> 100 million sites 15 % of all sites (Apache 46%, IIS 21%) Top million busiest websites:
1. Apache 56.9% 2. Nginx 14.6% 3. Microsoft 13.1%

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 33

3. Nginx Popularity

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 34

3. Nginx Installation
peter@rpi~$sudoaptgetinstallnginx Readingpackagelists...Done [..] Needtoget2,132kBofarchives. Afterthisoperation,6,200kBofadditional diskspacewillbeused. Doyouwanttocontinue[Y/n]?y [..] Settingupnginx(1.2.12.2)... peter@rpi~$

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 35

3. Nginx Configuration
peter@rpi~$sudonano/etc/nginx/nginx.conf userwwwdata; worker_processes1; pid/var/run/nginx.pid; peter@rpi~$sudo/etc/init.d/nginxstart

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 36

3. Nginx Websites
Browse URL http://192.168.0.9/ or http://petermartin.nl Result:

Welcome to nginx!

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 37

3. Nginx Virtual domains

Create virtual sites: 1. Location & index.html /var/www/ petermartin.nl

/index.html

2. Configuration file for site /etc/nginx/sites-available/

petermartin.nl

3. Activate with symbolic link to config file /etc/nginx/sites-enabled/ petermartin.nl 4. Nginx load new config file: $ sudo /etc/init.d/nginx reload
Joomladay 2013 Germany 38

Peter Martin joomladagen.nl 20+21 april 2013

3. Nginx Virtual domains

peter@rpi~$sudonano /var/www/petermartin.nl/index.html <html> <head> <title>petermartin.nl</title> </head> <bodybgcolor="white"text="black"> <center><h1>WelcometoJoomladayGermany 2013!</h1></center> <center>Website:petermartin.nl</center> </body> </html>
Joomladay 2013 Germany 39

Peter Martin joomladagen.nl 20+21 april 2013

3. Nginx Virtual domains

peter@rpi~$sudonano/etc/nginx/sites available/petermartin.nl
server{ listen80; server_namepetermartin.nlwww.petermartin.nl; root/var/www/petermartin.nl; access_log/var/log/nginx/petermartin.nl.access_log; error_log/var/log/nginx/petermartin.nl.error_loginfo; location/{ indexindex.phpindex.htmlindex.htm; } }

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 40

3. Nginx Virtual domains

peter@rpi~$sudolns /etc/nginx/sitesavailable/petermartin.nl /etc/nginx/sitesenabled/petermartin.nl

peter@rpi~$sudo/etc/init.d/nginxreload Reloadingnginxconfiguration:nginx.

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 41

3. Nginx Virtual domains

Browser

http://192.168.0.9/petermartin.nl

Welcome to Joomladay Germany 2013!

Website: petermartin.nl

Error?

404 Not Found nginx/1.2.1 Check error log file: $ cat /var/log/nginx/petermartin.nl.error_log
Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 42

4. MySQL Database Server

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 43

4. MySQL
Joomla

2.5+ = no SQLite driver available

Configuration

User: root Password: databasepassword

during installation:

Secure

live site with: $ sudo mysql_secure_installation

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 44

4. MySQL Installation
peter@rpi~$sudoaptgetinstallmysql server Readingpackagelists...Done [..] Needtoget9,603kBofarchives. Afterthisoperation,91.1MBofadditional diskspacewillbeused. Doyouwanttocontinue[Y/n]?y [..] Settingupmysqlserver(5.5.30+dfsg1)... Processingtriggersformenu... peter@rpi~$sudomysql_secure_installation

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 45

5. PHP

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 46

5. PHP php5 + packages:

php5-fpm

FastCGI Process Manager interpreter that runs as a daemon and receives Fast/CGI requests modules for MySQL database connections directly from PHP scripts

php5-mysql

php5-cli

command-line interpreter library for getting files from FTP & HTTP server
Joomladay 2013 Germany 47

php5-curl

Peter Martin joomladagen.nl 20+21 april 2013

5. PHP Installation
peter@rpi~$sudoaptgetinstall php5fpmphp5mysql Readingpackagelists...Done [..] Settingupphp5(5.4.414)... Processingtriggersforphp5fpm... [ok]RestartingPHP5FastCGIProcess Manager:php5fpm. peter@rpi~$

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 48

5. PHP configuration petermartin.nl

pi@rpi~$sudonano/etc/nginx/sites available/petermartin.nl add: location~\.php${ fastcgi_passunix:/var/run/php5fpm.sock; fastcgi_indexindex.php; includefastcgi_params; }

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 49

5. PHP Result
Test

with phpinfo();

$ sudo nano /var/www/petermartin.nl/test.php with the code: <?php echo "test";phpinfo();?>

Use

browser to open file http://192.168.0.9/petermartin.nl/test.php

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 50

6. phpMyAdmin

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 51

6. phpMyAdmin
Database

GUI

http://192.168.0.9/phpmyadmin/

Secure:

Add to one virtual domain only 1 should be enough! limit to 1 IP address

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 52

6. phpMyAdmin Installation
peter@rpi~$sudoaptgetinstallphpmyadmin Readingpackagelists...Done [..] Needtoget6,092kBofarchives. Afterthisoperation,16.6MBofadditionaldisk spacewillbeused. Doyouwanttocontinue[Y/n]?y [..] Webservertoreconfigureautomatically:none Configuredatabaseforphpmyadminwithdbconfig common?N Creatingconfigfile/etc/phpmyadmin/configdb.php withnewversion peter@rpi~$
Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 53

6. phpMyAdmin config petermartin.nl

peter@rpi~$sudonano/etc/nginx/sites available/petermartin.nl
location/phpmyadmin{ root/usr/share/; indexindex.phpindex.htmlindex.htm; location~^/phpmyadmin/(.+\.php)${ try_files$uri=404; root/usr/share/; #fastcgi_pass127.0.0.1:9000; fastcgi_passunix:/var/run/php5fpm.sock; fastcgi_indexindex.php; includefastcgi_params; } location~*^/phpmyadmin/(.+\.(jpg|jpeg|gif| css|png|js|ico|html|xml|txt))${ root/usr/share/; } } Joomladay 2013 Germany

Peter Martin joomladagen.nl 20+21 april 2013

54

6. phpMyAdmin config petermartin.nl

peter@rpi~$sudonano/etc/nginx/sites available/petermartin.nl
{LimitaccesstoonlyoneIPaddress?} location/phpmyadmin{ root/usr/share/; indexindex.phpindex.htmlindex.htm; allow1.2.3.4; denyall; location~^/phpmyadmin/(.+\.php)${

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 55

7. Joomla

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 56

7. Joomla
Download

Joomla to RPi using wget database, e.g. use phpMyAdmin http://192.168.0.9/phpmyadmin/ database: petermartin browser to start Joomla's web installer

Create

Use

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 57

7. Joomla Installation petermartin.nl

peter@rpi~$cd/var/www/petermartin.nl peter@rpi~$sudowget http://joomlacode.org/gf/download/frsrelea se /18622/83487/Joomla_3.1.5Stable Full_Package.zip peter@rpi~$sudounzipx Joomla_3.1.5StableFull_Package.zip

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 58

7. Joomla Installation petermartin.nl

Webinstaller

http://192.168.0.9/petermartin.nl/

configuration.php Writeable: No solve permission problem: $ sudo chown -R www-data:www-data /var/www/petermartin.nl

SEF

links: .htaccess virtual domain configuration: try_files $uri $uri/ /index.php?q=$request_uri;

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 59

7. Joomla SEF URLs

peter@rpi~$sudonano/etc/nginx/ sitesavailable/petermartin.nl
location/{ indexindex.phpindex.htmlindex.htm; try_files$uri$uri//index.php?q=$request_uri; }

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 60

8. Performance

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 61

8. Performance
The need for speed Visitors + Google indexing Test different configurations Server settings, Joomla settings, Joomla Extensions (Templates + Plugins) Testing, testing, one, two Joomla! Debug Console > Profile Information

Browser plugins, e.g. Yslow

Joomladay 2013 Germany 62

Peter Martin joomladagen.nl 20+21 april 2013

8. Performance

Test: Refresh (3x) new setting > Refresh (3x) & compare

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 63

8. Performance ways to optimize

What didn't help Joomla gzip Already in Nginx Minify/gzip plugins like JCH Optimize, jbetolo, Yireo Script Merge Nice plugins! Combine/Minify/Gzip CSS+JavaScript by hand? Memcached Overclocking Cryogenics
Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 64

8. Performance Overclocking
$ sudo raspi-config

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 65

8. Performance Cryogenics
Superconducting

computers

Superconductivity in certain materials when cooled below a characteristic critical temperature

Cool

down RPi?

Fridge: RPi = small, but not enough room for beer :-( Not cool enough... < 123 K ( = 150 C, 238 F)

Liquid nitrogen or liquid helium?

Couldn't decide which... performance gain when cooling down: N/A

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 66

8. Performance Overclocking
Before

Application 0.678 seconds (+0.210); 2.00 MB (+0.151) - afterRender Application 0.649 seconds (+0.171); 2.05 MB (+0.153) - afterRender Application 0.579 seconds (+0.169); 2.00 MB (+0.151) - afterRender Application 0.596 seconds (+0.167); 2.00 MB (+0.151) - afterRender Application 0.620 seconds (+0.167); 2.00 MB (+0.151) - afterRender Application 0.583 seconds (+0.167); 2.00 MB (+0.151) - afterRender

After

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 67

8. Performance ways to optimize

What helped: Nginx + FPM: fastcgi_pass (using Unix Socket) Joomla cache Conservative! (2.7 -> 1.4 sec) Nginx gzip = default Nginx cache files APC Alternative PHP Cache (1.4 -> 0.7 sec)

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 68

8. Performance Nginx + PHP-FPM

PHP-FPM

Socket vs Port?
fastcgi_pass

unix:/var/run/php5-fpm.sock; fastcgi_pass 127.0.0.1:9000;

socket connections are around 10-15% faster than TCP/IP connections because it saves the passing the data over the different layers of TCP/IP stack

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 69

8. Performance Joomla cache

Before

Application 2.707 seconds (+0.037); 4.67 MB (+0.035) - afterRender

After

Global Configuration > System > Cache* > ON Progressive caching

1. Application 2.718 seconds (+0.051); 4.69 MB (0.027) - afterRender 2. Application 1.543 seconds (+0.114); 4.02 MB (+0.051) - afterRender 3. Application 1.426 seconds (+0.265); 3.95 MB (+0.334) - afterRender
Joomladay 2013 Germany 70

Peter Martin joomladagen.nl 20+21 april 2013

8. Performance Nginx gzip

pi@rpi~$sudonano/etc/nginx/nginx.conf
#GzipSettings gzipon; gzip_staticon; gzip_disable"msie6"; gzip_varyon; gzip_proxiedany; gzip_comp_level6; gzip_min_length512; gzip_buffers168k; gzip_http_version1.1; gzip_typestext/csstext/javascripttext/xmltext/plain text/xcomponentapplication/javascriptapplication/x javascriptapplication/jsonapplication/xml application/rss+xml;

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 71

8. Performance Nginx cache files

pi@rpi~$sudonano/etc/nginx/sites available/petermartin.nl
server{ #cachingoffiles location~*\.(ico|pdf|flv)${ expires1y; } location~*\.(js|css|png|jpg|jpeg|gif|swf|xml|txt)${ expires14d; } }

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 72

8. Performance Alternative PHP Cache

pi@rpi~$sudoaptgetinstallphpapcphp pearphp5devbuildessentiallibpcre3dev {SettingsinPHP.ini} pi@rpi~$sudopearconfigsetphp_ini /etc/php5/fpm/php_ini pi@rpi~$sudopeclconfigsetphp_ini /etc/php5/fpm/php_ini {Download/compile/installAPC} pi@rpi~$sudopeclinstallapc

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 73

8. Performance Alternative PHP Cache

Before

Application 1.459 seconds (+0.299); 3.95 MB (+0.334) - afterRender

After

install APC restart nginx AND php-fpm!!!

$ sudo /etc/init.d/nginx restart $ sudo /etc/init.d/php5-fpm reload 1. Application 1.813 seconds (+0.311); 4.52 MB (+0.403) - afterRender 2. Application 0.696 seconds (+0.198); 2.00 MB (+0.148) - afterRender 3. Application 0.727 seconds (+0.221); 2.00 MB (+0.148) - afterRender
Joomladay 2013 Germany 74

Peter Martin joomladagen.nl 20+21 april 2013

9. Security

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 75

9. Security 10 Aspects
1. Change default username pi & password 2. Backup !!! 3. Study logfiles (e.g. with Logwatch) 4. Block ssh root login ! 5. Block portscans Firewall, IPTables 6. Block scriptkiddies IP2Ban 7. SSL certificate for /administrator/ 8. Block phpmyadmin (allow 1 specified IP) 9. Backup !!! 10.Passwordless login? SSH shared keys
Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 76

9. Security ssh logfiles

/var/log/auth.log
Apr 8 22:49:01 rpi sshd[10812]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT! Apr 8 22:49:01 rpi sshd[10812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root Apr 8 22:49:04 rpi sshd[10812]: Failed password for root from 59.175.148.95 port 43066 ssh2 Apr 8 22:49:04 rpi sshd[10812]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth] Apr 8 22:49:07 rpi sshd[10816]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT! Apr 8 22:49:07 rpi sshd[10816]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root Apr 8 22:49:09 rpi sshd[10816]: Failed password for root from 59.175.148.95 port 44636 ssh2 Apr 8 22:49:10 rpi sshd[10816]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth] Apr 8 22:49:13 rpi sshd[10820]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT! Apr 8 22:49:13 rpi sshd[10820]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root Apr 8 22:49:15 rpi sshd[10820]: Failed password for root from 59.175.148.95 port 46051 ssh2 Apr 8 22:49:16 rpi sshd[10820]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth] Apr 8 22:49:19 rpi sshd[10824]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT! Apr 8 22:49:19 rpi sshd[10824]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 77

9. Security ssh logfiles

peter@rpi~$whois59.175.148.95
%[whois.apnic.netnode5] %Whoisdatacopyrighttermshttp://www.apnic.net/db/dbcopyright.html inetnum: netname: descr: descr: descr: country: role: address: address: address: address: country: phone: fax-no: e-mail: remarks: remarks: remarks: remarks: 59.174.0.0 59.175.255.255 CHINANET-HB CHINANET Hubei province network Data Communication Division China Telecom CN CHINANET HB ADMIN 8th floor of JinGuang Building #232 of Macao Road HanKou Wuhan Hubei Province P.R.China CN +86 27 82862199 +86 27 82861499 [email protected] send spam reports to [email protected] and abuse reports to [email protected] Please include detailed information and times in GMT+8

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 78

9. Security Firewall
{checkFirewall} peter@rpi~$sudoiptablesL ChainINPUT(policyACCEPT) target protoptsource ChainFORWARD(policyACCEPT) target protoptsource ChainOUTPUT(policyACCEPT) target protoptsource {createrulesforFirewall} peter@rpi~$sudonano /etc/iptables.firewall.rules

destination destination destination

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 79

9. Security Configure Firewall 1/2

*filter #Allowallloopback(lo0)trafficanddropalltraffic to127/8thatdoesn'tuselo0 AINPUTilojACCEPT AINPUTd127.0.0.0/8jREJECT #Acceptallestablishedinboundconnections AINPUTmstatestateESTABLISHED,RELATEDjACCEPT #Allowalloutboundtrafficyoucanmodifythisto onlyallowcertaintraffic AOUTPUTjACCEPT #AllowHTTPandHTTPSconnectionsfromanywhere(the normalportsforwebsitesandSSL). AINPUTptcpdport80jACCEPT AINPUTptcpdport443jACCEPT Joomladay 2013 Germany 80

Peter Martin joomladagen.nl 20+21 april 2013

9. Security Configure Firewall 2/2

#AllowSSHconnections #Thedportnumbershouldbethesameportnumberyou setinsshd_config AINPUTptcpmstatestateNEWdport22j ACCEPT #Allowping AINPUTpicmpjACCEPT #Logiptablesdeniedcalls AINPUTmlimitlimit5/minjLOGlogprefix "iptablesdenied:"loglevel7 #Dropallotherinbounddefaultdenyunless explicitlyallowedpolicy AINPUTjDROP AFORWARDjDROP COMMIT
Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 81

9. Security Activate Firewall 1/2

{activateFirewall} peter@rpi~$sudoiptablesrestore< /etc/iptables.firewall.rules {checkFirewall} peter@rpi~$sudoiptablesL
ChainINPUT(policyACCEPT) target protopt source destination ACCEPT all anywhere anywhere REJECT all anywhere loopback/8 rejectwithicmp portunreachable ACCEPT all anywhere anywhere stateRELATED, ESTABLISHED ACCEPT tcp anywhere anywhere tcpdpt:http LOG all anywhere anywhere limit:avg5/min burst5LOGleveldebugprefix"iptablesdenied:" DROP all anywhere anywhere [..]
Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 82

9. Security Activate Firewall 2/2

{script:activateFirewallatreboot} peter@rpi~$sudonano/etc/network/ifpre up.d/firewall {putin/etc/network/ifpreup.d/firewall}
#!/bin/sh /sbin/iptablesrestore</etc/iptables.firewall.rules

{setscriptpermissions} peter@rpi~$sudochmod+x/etc/network/if preup.d/firewall

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 83

9. Security Automate Firewall

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 84

9. Security Fail2Ban
Scan

logfiles & take action automatically Jail configuration

If in entry in logfile matches filter n times Put IP on blocklist for x minutes
/etc/fail2ban/jail.conf

default /etc/fail2ban/jail.local override

Filters
/etc/fail2ban/filter.d/

Regex ROOT LOGIN REFUSED, POSSIBLE BREAK-IN ATTEMPT!, Failed password etc...
Joomladay 2013 Germany 85

Peter Martin joomladagen.nl 20+21 april 2013

9. Security Fail2Ban
{installFail2Ban} peter@rpi~$sudoaptgetinstallfail2ban Readingpackagelists...Done 0upgraded,6newlyinstalled,0toremoveand0not upgraded. Needtoget340kBofarchives. {checkfailedloginattempts} peter@rpi~$catfail2ban.log
2013040916:45:59,000fail2ban.actions:WARNING[ssh]Ban9.8.7.6

{checkFirewall} peter@rpi~$sudoiptablesL Chainfail2banssh(1references) target protoptsource DROP alltest123.example.com RETURN allanywhere destination anywhere anywhere Joomladay 2013 Germany 86

Peter Martin joomladagen.nl 20+21 april 2013

9. Security Webserver access logs

/var/log/nginx/petermartin.nl.access_log
198.7.57.74 - - [30/Mar/2013:16:47:49 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 1565 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:53 +0100] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:53 +0100] "GET /scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:54 +0100] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin1/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /web/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /php-my-admin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /websql/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /sqlmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /mysqlmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /p/m/a/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /pma2005/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /phpmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /php-myadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /webdb/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu" 198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /websql/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 87

9. Security Fail2Ban configuration

{now00tw00tforyou;)} peter@rpi~$sudonano /etc/fail2ban/filter.d/nginxw00tw00t.conf #Fail2Banconfigurationfile #Author:PeterMartin #$Revision:001$ [Definition] #Option:failregex failregex=^<HOST>.*GET.*(w00tw00t|\setup.php|\wp login.php) #Option:ignoreregex #Notes.:regextoignore.Ifthisregexmatches,the lineisignored. #Values:TEXT # ignoreregex=
Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 88

9. Security Fail2Ban configuration

{activatenginxw00tw00tfilter} peter@rpi~$sudonano/etc/fail2ban/jail.local [nginxw00tw00t] enabled=true port=http,https filter=nginxw00tw00t logpath=/var/log/nginx/*access_log maxretry=0 bantime=600 {restartFail2Ban} peter@rpi~$sudo/etc/init.d/fail2banrestart

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 89

The

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 90

No time left for:

Send

Email from RPi:

Joomla's notifications & contact forms Logwatch mails

Exim MTA (Mail Transfer Agent)

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 91

Questions?

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 92

Questions?
Presentation

is available at www.db8.nl

Peter Martin e-mail: info at db8.nl website: www.db8.nl

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 93

Used photos

Chinese Raspberry Pie nr.1 1 - Koen Mol http://www.sxc.hu/photo/346723 Switched On Tech Design - www.sotechdesign.com.au Bricks - Sharlene Jackson http://www.sxc.hu/photo/759981 Hotrod Dash - Peter Mazurek http://www.sxc.hu/photo/1341923 Greased Lightnin' - Donald Cook http://www.sxc.hu/photo/690214 File Overload - Bob Smith http://www.sxc.hu/photo/367985 Rusted Gears - Angelo Rosa http://www.sxc.hu/photo/1365696 Man Made - "csremedy" http://www.sxc.hu/photo/1267108 digital world - ilker http://www.sxc.hu/photo/1206711 Crazy Man in Shower - scott adams http://www.sxc.hu/photo/760765 laptop 2 - emre nacigil http://www.sxc.hu/photo/810741 Speedometer Abdulhamid AlFadhly http://www.sxc.hu/photo/1390189 Secure - Frank Khne http://www.sxc.hu/photo/962334 Professor Tiger - Gabriel Doyle http://www.sxc.hu/photo/526749 signs signs - Jason Antony, http://www.sxc.hu/photo/751034 Face - Questions - Bob Smith, http://www.sxc.hu/photo/418215

Peter Martin joomladagen.nl 20+21 april 2013

Joomladay 2013 Germany 94