Upgrade PHP version for Apache on Ubuntu server

One day, you find that your PHP version is too old and vulnerable. You have to upgrade to the latest PHP version to avoid being exploited. You can follow the instructions below; it takes just a few commands.

Configure Apache to point to the new version of PHP

**Important note**: List all the modules loaded in your old PHP by checking your phpinfo. Then configure the same modules in the new PHP to make sure your application has all the modules it needs.

a2dismod [current_php] ==> disable the current PHP version

root@ip-xxx-xx-x-xxx:/xxx/xxx/www# a2dismod php5
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
 LANGUAGE = (unset),
 LC_ALL = (unset),
 LC_CTYPE = "UTF-8",
 LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Module php5 disabled.
To activate the new configuration, you need to run:
  service apache2 restart

a2enmod [new_php] ==> enable the new PHP version

root@ip-xxx-xx-x-xxx:/xxxx/xxxx/www# a2enmod php5.6
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
 LANGUAGE = (unset),
 LC_ALL = (unset),
 LC_CTYPE = "UTF-8",
 LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Considering dependency mpm_prefork for php5.6:
Considering conflict mpm_event for mpm_prefork:
Considering conflict mpm_worker for mpm_prefork:
Considering conflict mpm_itk for mpm_prefork:
Module mpm_prefork already enabled
Considering conflict php5 for php5.6:
Enabling module php5.6.
To activate the new configuration, you need to run:
  service apache2 restart

You have to restart Apache for the change to take effect.

root@ip-xxx-xx-x-xxx:/xxxx/xxxx/www# service apache2 restart
 * Restarting web server apache2

You can now check your phpinfo to see the new PHP version and its loaded modules.
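An added example (not from the original post) of two checks for this procedure: that only the new PHP module is linked in Apache's mods-enabled directory, and that no module from the old PHP is missing in the new one. It compares saved `php -m` listings, which describe the CLI build, so phpinfo remains the reference for Apache; the file names and the sample module lists are constructed.

```shell
#!/usr/bin/env bash
# Added example: post-upgrade checks for the a2dismod/a2enmod procedure.

# List the PHP modules Apache will load; a2enmod links phpX.load into mods-enabled.
enabled_php_mods() {  # $1 = mods-enabled directory (defaults to the Debian/Ubuntu path)
  dir="${1:-/etc/apache2/mods-enabled}"
  for f in "$dir"/php*.load; do
    [ -e "$f" ] || continue          # glob matched nothing
    basename "$f" .load
  done
}

# Print modules that appear in the old `php -m` listing but not in the new one.
missing_modules() {  # $1 = saved listing from old PHP, $2 = saved listing from new PHP
  awk '
    /^\[/ || /^[ \t]*$/ { next }     # skip "[PHP Modules]" style headers and blank lines
    { name = tolower($0) }           # module names are compared case-insensitively
    FILENAME == ARGV[1] { old[name] = 1; next }
    { new[name] = 1 }
    END { for (m in old) if (!(m in new)) print m }
  ' "$1" "$2" | sort
}

# Constructed sample data standing in for real `php -m` output and mods-enabled.
demo() {
  tmp=$(mktemp -d)
  printf '[PHP Modules]\ncurl\ngd\nmcrypt\nmysql\n\n[Zend Modules]\n' > "$tmp/old.txt"
  printf '[PHP Modules]\ncurl\nmysql\nZend OPcache\n\n[Zend Modules]\n' > "$tmp/new.txt"
  mkdir "$tmp/mods-enabled"
  : > "$tmp/mods-enabled/php5.6.load"
  : > "$tmp/mods-enabled/mpm_prefork.load"
  echo "PHP modules enabled in Apache: $(enabled_php_mods "$tmp/mods-enabled")"
  echo "Missing in new PHP: $(missing_modules "$tmp/old.txt" "$tmp/new.txt" | tr '\n' ' ')"
  rm -rf "$tmp"
}
demo
```

Save the old listing before running a2dismod; if `enabled_php_mods` prints more than one name, the old module is still enabled.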

Point the console (CLI) PHP to the new version for your cron jobs or CLI programs

root@ip-xxx-xx-x-xxx:/xxxx/xxxx/www# ln -sf /usr/bin/php[version] /etc/alternatives/php

You can use the ‘which php’ command to see where your current php command points.

That’s all. Hope it helps.

How to secure your Redis

A murky day

One day, you receive an email from your Virtual Private Server (VPS) provider informing you that your VPS has been compromised. The provider will certainly disable your VPS's public network, and your sites or apps cannot be accessed at all. That is such a bad day.

If your VPS has Redis installed and exposes a port to the public network, you will sooner or later receive an email like mine above. You must keep in mind that Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket. In general, Redis is not optimized for maximum security but for maximum performance and simplicity. You can read more about Redis on its official website.

How to secure your Redis

Here are 5 steps that can help secure your Redis.

Step 1: Securing the server with iptables

In this step you have to set up a firewall on your server. You can follow this tutorial on DigitalOcean to learn what is needed for a firewall setup.

Once your firewall is ready, you can allow the IPs that you trust to access the server so that they can connect to Redis.

Step 2: Binding to localhost

By default, Redis is only accessible from localhost. Make sure the line below exists in your Redis configuration file.

$ vi /etc/redis/redis.conf

Make sure this line is uncommented (remove the # if it exists)

Step 3: Configuring a Redis password

Edit your Redis configuration file, /etc/redis/redis.conf, again. Generate a secure password and add it to the config under the SECURITY section.

Once your password is set up, clients use the AUTH command to authenticate.

Step 4: Renaming dangerous commands

The other security feature built into Redis allows you to rename or completely disable certain commands that are considered dangerous.

As with binding and setting a password, disabling or renaming commands is done by editing your Redis config file under the SECURITY section.

Step 5: Setting data directory ownership and file permission

You can easily check the Redis folder permissions by typing the command below:

$ ls -l /var/lib | grep redis
drwxr-xr-x 3 redis    redis      4096 Nov 22 03:28 redis

Note the folder’s permissions, which are 755. To ensure that only the Redis user has access to the folder and its contents, change the permission to 700:

$ chmod 700 /var/lib/redis

The other permission you should change is that of the Redis configuration file. By default, it has a file permission of 644 and is owned by root, with secondary ownership by the root group:

$ ls -l /etc/redis/redis.conf
-rw-r--r-- 1 root root 30176 Jan 14 2017 /etc/redis/redis.conf

That permission (644) is world-readable, which is not a good idea. We need to change the ownership and permissions:

$ chown redis:root /etc/redis/redis.conf
$ chmod 600 /etc/redis/redis.conf

Finally, for your changes to take effect, you need to restart Redis:

$ service redis-server restart
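An added example (not part of the original post) that audits a Redis configuration against steps 2 to 5: a localhost-only bind, a set requirepass, renamed or disabled commands, and the 600/700 permissions. The minimum password length, the list of commands checked and the sample config are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example. Usage as root: audit_redis /etc/redis/redis.conf /var/lib/redis
MIN_PASS_LEN=32                              # assumption: shortest acceptable password
RISKY_CMDS="CONFIG FLUSHALL FLUSHDB DEBUG"   # assumption: commands to rename or disable

# Print the last value set for a directive; commented-out lines never match.
conf_value() {  # $1 = config file, $2 = directive name in lowercase
  awk -v k="$2" 'tolower($1) == k { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$1"
}

# Print one OK/FAIL line per check; return non-zero if any check failed.
audit_redis() {  # $1 = redis.conf, $2 = data directory
  conf=$1 dir=$2 fail=0
  bind=$(conf_value "$conf" bind)
  extra=$(printf '%s\n' "$bind" | tr ' ' '\n' | grep -vxE -e '-?(127\.0\.0\.1|::1)' || true)
  if [ -n "$bind" ] && [ -z "$extra" ]; then echo "OK   bind $bind"
  else echo "FAIL bind '${bind:-unset}' is not localhost-only"; fail=1; fi

  pass=$(conf_value "$conf" requirepass)     # the value itself is never printed
  if [ "${#pass}" -ge "$MIN_PASS_LEN" ]; then echo "OK   requirepass set"
  else echo "FAIL requirepass missing or shorter than $MIN_PASS_LEN chars"; fail=1; fi

  for cmd in $RISKY_CMDS; do
    if awk -v c="$cmd" 'tolower($1) == "rename-command" && toupper($2) == c { f = 1 } END { exit !f }' "$conf"
    then echo "OK   $cmd renamed or disabled"
    else echo "FAIL $cmd still callable under its default name"; fail=1; fi
  done

  # stat -c is the GNU coreutils form, as found on Ubuntu.
  [ "$(stat -c %a "$conf")" = 600 ] && echo "OK   conf mode 600" || { echo "FAIL conf mode is not 600"; fail=1; }
  [ "$(stat -c %a "$dir")" = 700 ] && echo "OK   data dir mode 700" || { echo "FAIL data dir mode is not 700"; fail=1; }
  return $fail
}

# Constructed sample: bind commented out, no password, one command disabled, default modes.
demo() {
  tmp=$(mktemp -d); mkdir "$tmp/data"; chmod 755 "$tmp/data"
  printf '# bind 127.0.0.1\nport 6379\nrename-command FLUSHALL ""\n' > "$tmp/redis.conf"
  chmod 644 "$tmp/redis.conf"
  audit_redis "$tmp/redis.conf" "$tmp/data" || echo "=> hardening incomplete"
  rm -rf "$tmp"
}
demo
```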

Conclusion

No matter what you use Redis for, always keep in mind that Redis is for trusted clients in a trusted environment only. Check your current Redis and follow the steps above for a more secure server.

Keep Your Linux SSH Session From Disconnecting

Global Configuration

Add the following line to the /etc/ssh/ssh_config file:

ServerAliveInterval 60

The number is the amount of seconds before the server will send the no-op code.

Current User Configuration

Add the following lines to the ~/.ssh/config file (create it if it doesn’t exist):

Host *hostname.com
   ServerAliveInterval 60

Ref: http://www.howtogeek.com/howto/linux/keep-your-linux-ssh-session-from-disconnecting/


Linux Increase “Open Files Limit”

If you are getting the error “Too many open files (24)”, then your application/command/script is hitting the max open file limit allowed by Linux. You need to increase the open file limit as below:

Increase limit

Per-User Limit

Open file: /etc/security/limits.conf

Paste the following towards the end:

*         hard    nofile      500000
*         soft    nofile      500000
root      hard    nofile      500000
root      soft    nofile      500000

500000 is a fair number. I am not sure what the max limit is, but 999999 (six 9s) worked for me once, as far as I remember.

Once you save the file, you may need to log out and log in again.

Verify New Limits

Use the following command to see the max limit of file descriptors:

cat /proc/sys/fs/file-max

Ref: https://rtcamp.com/tutorials/linux/increase-open-files-limit/


How to run nodejs app as background service (daemon)

There are 2 ways to make your node js app run as background service:

  1. Using nohup
    Just type the following from your terminal:

    $ nohup node [yourapp.js] &
  2. Using forever
    Install forever by typing the following command:

    $ npm install forever

    Usage

    Using forever from command line

    $ forever start server.js

    Using an instance of Forever from Nodejs

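    var forever = require('forever');

    // Run the script at most 3 times and suppress its output.
    var child = new (forever.Forever)('your-filename.js', {
      max: 3,
      silent: true,
      args: []
    });

    // Log when the monitored script has exited for good.
    child.on('exit', function () {
      console.log('your-filename.js has exited after 3 restarts');
    });
    child.start();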

Ref: http://stackoverflow.com/questions/4903570/how-does-one-start-a-node-js-server-as-a-daemon-process


How to upgrade PHP version 5.3.x to 5.4.x or 5.5.x on CentOS

Step 1 – Add EPEL and Remi repositories onto your system:

On CentOS 6.x 32-bit

wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

On CentOS 6.x x86_64 (64-bit)

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

Step 2 – Now enable your newly added Remi repo. Open the /etc/yum.repos.d/remi.repo repository file using a text editor of your choice:

vi /etc/yum.repos.d/remi.repo

Step 3 – Edit enabled=0 line to enabled=1:

4.a – Update to PHP 5.4, in [remi] section:

4.b – Update to PHP 5.5, in [remi-php55] section:

Step 4 – Now update yum

yum update -y


Step 5 – Done. Now you can check using this command:

php -v


Now you can test your PHP script on your browser and hope everything still runs smoothly.

Source from: http://www.servermom.org/upgrade-php-53-54-55-centos/1534/
