bes1002t / Todo
Last active January 5, 2018 19:36
How to harden your server environment
Linux
1. Disable root SSH login: set PermitRootLogin no in /etc/ssh/sshd_config and reload sshd.
2. Create a new user and don't keep using a standard user such as the 'pi' user on Raspbian.
3. Follow these steps: https://www.cyberciti.biz/tips/linux-security.html
- for me the following sections were helpful (mostly because of my special software and hardware configuration): #1, #5, #8, #12, #13, #16, #17, #20, #23, #24, #25, #26, #27 already using KeePass, #29 already done, but please check whether the major tools log all the information, #30, #32, #33, #36, #37, #39
4. Start nginx and php-fpm as an unprivileged user, e.g. 'nginx', instead of root. (You can use systemd for that; example service files are in my gists.) Note that a non-root nginx master cannot bind ports 80/443 by itself: grant it CAP_NET_BIND_SERVICE (AmbientCapabilities= in the unit) or listen on ports above 1023.
Nginx
1. Generate the TLS key and CSR with at least a 2048-bit RSA key and a SHA-2 digest such as sha512 (never md5 or sha1).
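The Linux steps above as one script. This is an added example, not one of bes1002t's gists: it applies step 1 (and, beyond what the Todo lists, key-only authentication) to an sshd_config idempotently, and writes the systemd drop-in that step 4 needs to run nginx as the 'nginx' user with only the capability required to bind 80/443. Assumed: the standard paths /etc/ssh/sshd_config and /etc/systemd/system, the user name 'nginx' from the Todo, and systemd 229 or newer for AmbientCapabilities=.

```shell
#!/bin/sh
# Added example, not one of bes1002t's gists: applies the Todo's SSH and
# service-user steps idempotently. Paths are taken relative to ROOT so the
# script can be dry-run against a scratch directory before touching /etc.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites the first (possibly commented-out) KEY line in the global section,
# comments out later global duplicates (sshd honours only the first value; a
# stale "PermitRootLogin yes" below it would mislead the next reader) and never
# touches Match blocks: a global option appended after "Match" silently becomes
# conditional, so if nothing matched the line is inserted before the first
# Match block, or appended at the end when there is none.
set_sshd_option() {
    file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        /^[ \t]*Match[ \t]/ {
            if (!done) { print key " " value; done = 1 }
            inmatch = 1
        }
        !inmatch && !done && $0 ~ ("^[# \t]*" key "[ \t]") { print key " " value; done = 1; next }
        !inmatch && done && tolower($1) == tolower(key) { print "#" $0; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# effective_sshd_option FILE KEY: prints the value sshd would use globally
# (first occurrence wins, keywords are case-insensitive, Match blocks ignored).
effective_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*Match[ \t]/ { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# harden_sshd FILE: step 1 of the Todo plus key-only auth. The Todo itself only
# disables root login; leave PasswordAuthentication out if no key is installed
# for the new user yet, or the next login locks you out.
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# write_nginx_dropin UNITDIR: drop-in for step 4 (nginx as user 'nginx', an
# assumption taken from the Todo). An unprivileged master cannot bind 80/443,
# so hand it exactly that capability (AmbientCapabilities= needs systemd 229+).
# nginx's own "user" directive is ignored when the master is not root, and the
# log, pid and cache paths in nginx.conf must be writable by 'nginx'.
write_nginx_dropin() {
    mkdir -p "$1/nginx.service.d"
    cat > "$1/nginx.service.d/override.conf" <<'EOF'
[Service]
User=nginx
Group=nginx
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
EOF
}

# Apply with: sh harden.sh --apply [ROOT]   (ROOT defaults to /).
# Afterwards run "sshd -t" and "systemctl daemon-reload".
if [ "${1:-}" = --apply ]; then
    root=${2:-}
    harden_sshd "$root/etc/ssh/sshd_config"
    write_nginx_dropin "$root/etc/systemd/system"
fi
```

Run it against a scratch copy first (sh harden.sh --apply ./scratch and read the result), then for real, and keep a second SSH session open while you reload sshd: with PasswordAuthentication no and no key installed for the new user, the next login fails.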
bes1002t / php-fpm.service
Last active January 3, 2018 12:30
Start php-fpm as non root user when using phpenv
[Unit]
Description=Phpenv created Php-Fpm fastcgi
Documentation=man:php-fpm(8)
# there is no nginx.target; the nginx unit is nginx.service
After=nginx.service

[Service]
Type=forking
# systemd needs the PID file to track a forking daemon; RuntimeDirectory= creates /run/php-fpm,
# so point the "pid" setting in php-fpm.conf at this path
PIDFile=/run/php-fpm/php-fpm.pid
RuntimeDirectory=php-fpm
# run the master as the unprivileged phpenv owner instead of root
User=nginx
Group=nginx
ExecStart=/home/nginx/.phpenv/shims/php-fpm
ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /var/run/php-fpm/php-fpm.pid
bes1002t / nginx.service
Created December 31, 2017 12:18
Start Nginx as non root user with systemd
# Stop dance for nginx
# =======================
#
# ExecStop sends SIGQUIT (graceful stop: workers finish in-flight requests)
# to the nginx master process; "--retry QUIT/5" waits up to 5s for it to exit.
# If nginx is still running after that, systemd takes control and sends
# SIGTERM (fast shutdown) to the main process.
# After another 5s (TimeoutStopSec=5), if nginx is still alive, systemd sends
# SIGKILL to all remaining processes in the unit's control group
# (KillMode=mixed: SIGTERM only to the main process, SIGKILL to the rest).
#
# nginx signals reference doc:
bes1002t / php-fpm.sh
Last active November 28, 2017 23:01 — forked from mrPsycho/php-fpm.sh
[phpenv][php-build] php-fpm's init file
#! /bin/sh
#
# run as the current (non-root) user
# > mkdir ~/.phpenv/init
# > vim 5.3.19        # one init file per PHP version, named after the version
#
# before, you should edit php-fpm.conf
# and comment out the [www] pool's user and group
# (php-fpm ignores them, with a warning, when its master does not run as root).
PHP_VERSION=$(phpenv version | sed 's/ (.*//')   # strip the " (set by ...)" suffix from the phpenv output