I wanted a tool to quickly show me some of the basic things I needed to work on to harden the security on the various servers I am running. A sort of security checklist. The first tool I have been trying out is the community version of Lynis, and I have enjoyed it so far. With a “Hardening index” from 1-100, it gives me a great indicator of how I am progressing.
Once installed ( and they have detailed install instructions for many systems ) it is as easy as a single command to get you started:
lynis audit system
You will get a giant ( not too giant ) list of the status of your system and actionable items.
For my scan I fixed a few things moving from 66 to 72 in my first hardening session.
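To see what a hardening session like the one above changed, two saved copies of the Lynis report file can be compared. This is an added example, not part of the original post or of Lynis itself; it relies on the key=value layout of the report file ( /var/log/lynis-report.dat by default ), and the sample reports inside it are constructed.

```shell
#!/bin/sh
# Compare two Lynis report files (key=value lines, as in lynis-report.dat)
# to see what a hardening session actually changed.
export LC_ALL=C   # keep sort and comm ordering consistent

# Print the hardening index recorded in a report file.
hardening_index() {
    sed -n 's/^hardening_index=\([0-9][0-9]*\)$/\1/p' "$1" | head -n 1
}

# Print the sorted, unique test IDs that carry a suggestion[] entry.
suggestion_ids() {
    sed -n 's/^suggestion\[]=\([^|]*\)|.*/\1/p' "$1" | sort -u
}

# Print test IDs suggested in the old report ($1) but gone from the new ($2).
resolved_ids() {
    old_ids=$(mktemp); new_ids=$(mktemp)
    suggestion_ids "$1" > "$old_ids"
    suggestion_ids "$2" > "$new_ids"
    comm -23 "$old_ids" "$new_ids"
    rm -f "$old_ids" "$new_ids"
}

# Constructed sample reports (not real scan output); 66 and 72 are the
# scores quoted in the text, the suggestion lines are made up.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/before.dat" <<'EOF'
hardening_index=66
suggestion[]=SSH-7408|Consider hardening SSH configuration|-|-|
suggestion[]=AUTH-9286|Configure password aging in /etc/login.defs|-|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the profile|-|-|
EOF
    cat > "$dir/after.dat" <<'EOF'
hardening_index=72
suggestion[]=KRNL-6000|One or more sysctl values differ from the profile|-|-|
EOF
    echo "$dir"
}

SAMPLES=$(make_samples)
echo "index: $(hardening_index "$SAMPLES/before.dat") -> $(hardening_index "$SAMPLES/after.dat")"
echo "resolved: $(resolved_ids "$SAMPLES/before.dat" "$SAMPLES/after.dat" | paste -sd' ' -)"
```

Copy the report file aside after each scan and pass the two copies to these functions in place of the sample files.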
To run this experiment we will use only two nodes rpi-gpio In and rpi-gpio out. Drag one of each onto the Flow edit pane.
When you drop the Nodes the Labeling is updated to reflect the configuration. The two Nodes before wiring will look like this. There has been nothing done to them other than dropping them onto the flow.
Wire the Nodes together
Configure the Input Node
Double Click the rpi-gpio In ( it is marked PIN:tri ).
Set the Pin to 11
Set the resistor to pull-down
Click Done
The node should change to PIN 11
Configure the Output Node
Double Click the rpi-gpio out ( it is marked PIN: ).
Set the Pin to 7
Check “Initial pin state?”
Select “initial level of pin - low (0)”
Click Done
The Output Node should now be labelled PIN: 7
Deploy the Flow
If you have done everything correctly you should now be able to press the button and the LED will light.
Using NodeRED to program your RaspberryPi for GPIO Control.
The basic installation of Raspbian includes NodeRED. However, you need to start it to use it.
Connect to your Raspberry Pi using your terminal. Issue the NodeRED startup command:
node-red-start
The first line after the “Start Node-RED” will contain where you need to point your browser. Remember that your Raspberry Pi is a fairly small computer so it might take it a little while to load ( possibly minutes ).
The console will update once Node-RED has started; it is ready when you see the final line state “Server now running …”
Now we can connect with our browser
Let’s Add Nodes
We will use the Inject Node as the “Button”. Drag one of the Inject nodes to the Flow area:
Double click the node to open the edit panel. From the Payload drop-down select boolean and leave the value as True.
Click Done, and you will see that the Inject node now reads as “true”
To easily find the Raspberry Pi nodes type rpi in the node search tool at the top left. Drag a single rpi gpio Output node to the Flow area and drop it near the Inject Node.
Wire the Inject node to the gpio node:
Double click the PIN Node ( rpi gpio ) to enter into edit mode and select Pin 7 and make certain the type is Digital Output.
Add the “Off Switch”
Let’s Drag a Second Inject node onto the Flow area
Double click the Inject to edit
Change it to boolean and set the value to false.
Wire the “false” node to the same pin as the true node.
The final step before you can use either of the buttons is to Deploy the Flow.
Clicking the small blue box next to the “true” inject node will turn the LED on and “false” will turn it off.
To get started with controlling and interfacing electronics with the Raspberry Pi, the easiest and safest way is turning an LED On and Off. It is simple but it works.
Interactively, First
If you have installed Raspbian on your Raspberry Pi it comes with Python pre-installed. All you need to do is bring up a terminal and type python <enter> to get to the python console. It looks like this:
The python console lets you execute code as you go; it is a great way to learn and test small pieces of code.
To control the GPIO pins on the Raspberry Pi we need to add a tool that knows how to control them; this is the GPIO Library ( there are others as well ). To add the library we will use the import command. Type the command as shown and hit the Enter Key. If done correctly the python console will simply accept it and prompt you for the next line.
>>> import RPi.GPIO as GPIO
>>>
Now that we have the tool, we need to tell the python console specifically how to use it. We will be using BOARD mode. This means we will be referring to the PINS as they are physically numbered and laid out. Again you will get no output, simply the next prompt.
>>> import RPi.GPIO as GPIO
>>> GPIO.setmode(GPIO.BOARD)
>>>
The pins are numbered with Odd Pins in one Row and Even pins in the other. The numbering starts from 1 and 2 next to the Power LED. Pin 1 sits near the inside of the board and Pin 2 near the edge. We will wire Pin 6 and Pin 7 to the LED. Pin 6 is GND ( Ground or Negative ) and will be wired to the short leg of the LED, the Cathode. Pin 7 will be wired to the long leg, the Anode.
Next we need to tell python what to do with pin 7. We use the GPIO.setup() command to indicate that the Pin will be used for output. The GPIO.OUT is used to indicate output.
>>> GPIO.setup(7, GPIO.OUT)
>>>
To turn the LED on we set the pin to True using GPIO.output()
>>> GPIO.output(7, True)
>>>
To turn the LED off we set the pin to False using GPIO.output()
>>> GPIO.output(7, False)
>>>
Let’s make a command file.
To complete this on the command line we will use a program called nano. It is a command line based text editor. For more advanced python it can be beneficial to use an IDE.
Open the editor by executing the nano command and type all the commands from above into the nano window.
When done press CTRL-O, type in the name ledon.py, press Enter, then CTRL-X
Test the command, type:
python ledon.py
Our Second Command
Copy ledon.py to ledoff.py, and open the file with nano ledoff.py
Change the True in line 4 to False
Run the command to turn the LED off
python ledoff.py
You will notice there is a warning, let’s take care of that.
Using nano add GPIO.cleanup() to the end of each file
You can now turn the LED On and Off from anywhere you can get a terminal on your Raspberry Pi
PyCharm is a fully featured IDE. For the new user this can be quite overwhelming. Even for the seasoned developer it can be quite difficult finding your way through a new IDE. Completing a simple hello-world app is a great way to break ground on this tool.
We will start from the welcome screen. After you have installed and launched PyCharm this is how you will be greeted.
PyCharm Welcome Screen
1.) Select “Create New Project”, and you will see the screen slide over and we can walk through the “New Project” dialog.
PyCharm New Project Dialog Screen
2.) Change the file name to “hello-world”
PyCharm – name a new-project
3.) Click Create
4.) Right Click on the File Folder name “hello-world” on the left side of the screen. Select “New”, then “Python File”
PyCharm – add a new Python file to your project
5.) Give your python file a name, like “helloworld”
6.) Now type this into the black pane on the right:
print ("hello world!")
PyCharm add code to your project
7.) Highlight the “helloworld.py” file in the Project Tree on the left and click the Run item in Top menu. The second Run entry will be highlighted, select that.
8.) From the Run Dialog select the helloworld file ( right facing white triangle ). Then click the green Run Arrow
If all goes well you will see the run output at the bottom of your screen.
And that is all there is to it. Once you have navigated the “helloworld” you have the basics necessary to use this IDE.
Place this file into your Apache2 httpd “Document” directory and unzip/untar
unzip matomo-latest.zip
Set ownership to the owner of the httpd process ( www-data in my case )
chown -R www-data:www-data matomo
Check the permissions
ls -l
Make it accessible
I like to just place a symbolic link in the Documents directory of the Virtual Host I am using it with. I don’t know what the security ramifications of this might be. You, of course, will have to discern the paths for your particular setup. I keep my Virtual Hosts and Matomo at the same level.
ln -s ../matomo matomo
Browse to the newly installed system, and work through the installation. You will likely have to install some PHP extensions to get the system working fully. I had to install mbstring.
Update your apt so you get the latest
apt update
First find the package
apt-cache search mbstring
php-mbstring - MBSTRING module for PHP [default]
php-patchwork-utf8 - UTF-8 strings handling for PHP
php-symfony-polyfill-mbstring - Symfony polyfill for the Mbstring extension
php-symfony-polyfill-util - Symfony utilities for portability of PHP codes
php7.2-mbstring - MBSTRING module for PHP
What PHP Version
php -v
PHP 7.2.24-0ubuntu0.18.04.3 (cli) (built: Feb 11 2020 15:55:52) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.24-0ubuntu0.18.04.3, Copyright (c) 1999-2018, by Zend Technologies
OK, install the correct one
apt install php7.2-mbstring
Restart the web server
systemctl restart apache2
Once you have worked through all the PHP extensions, find the link for continuing over SSL:
Next, to the database setup, bring up a console to create a user for Matomo:
Modern distributions allow root to connect from a local terminal instance ( ssh ) without user name and password; type mysql at the console to get the mysql-client command prompt:
Create the database:
CREATE DATABASE matomo;
Add a user
CREATE USER 'matomo'@'localhost' IDENTIFIED BY 'agoodpasswordgoeshere';
Give the user permissions on the database
GRANT ALL ON matomo.* TO 'matomo'@'localhost';
Head back to the Matomo installation wizard and Complete step 5 through 8 for your website. I am using WordPress so I only need the tracking code to plug into the WordPress Plugin.
The official WordPress Plugin for Matomo: let’s simply add the plugin and activate it. Using the default tracking option you should be good to go!
Running a Low Traffic Website on a Low-End server is a great way to learn. Constrained resources necessitate careful planning of your services. In my journey to keep MySQL from crashing due to memory constraints, these two items fixed the problem.
I manage my own web site ( this site ) as a means to learn and grow my technical know-how. It does not generate any revenue, yet. As a result, I spend the least amount of money on it as possible, resulting in the most anemic server. At the writing of this article, my site was slowing to a crawl and MySQL was regularly crashing. Inspecting the processes that were running I found that kswapd, the swap file daemon, was chewing on 50% of my CPU time. It was time for a beginner’s lesson in resource management.
Put MySQL on a Diet
WordPress uses MyISAM as the default storage mechanism. On my distribution InnoDB is included in the default setup. It is not needed for WordPress. As I am only running WordPress on this server I decided to remove InnoDB and free up some memory.
To remove InnoDB support you will need to find your mysql.cnf. More specifically you will need to find the instance that is being used by MySQL. I am running Ubuntu 18.x on my server. Ubuntu is a Debian based system so my configuration file is located here:
/etc/mysql/mysql.conf.d
The MySQL configuration file uses sections denoted with brackets []. For example, there are two sections, one named [mysqld_safe] and one called [mysqld]. Each section ends where the next section starts.
Place the following line anywhere after the [mysqld] but before the next []
ignore-builtin-innodb
You can now restart the MySQL service with one of the following commands:
service mysql restart
systemctl restart mysql
sudo /etc/init.d/mysql restart
Break up the Apache Party
When I checked in on Apache using the command top, I had 26 processes running for Apache. My website just simply isn’t popular and not so important that it needs that much attention. The spammers and search engine bots can wait. Maybe someday I will need more resources for connections but not today.
With the version of Apache2 I am running on a Debian based system the configuration can be found in the mods-available sub-directory. However, if you work from the mods-enabled directory you will see a smaller sub-set of choices. You will also answer the question of whether or not the mod you are configuring is actually enabled simply by seeing it in the directory.
To tame Apache bring up the configuration file in your favorite editor, mine is nano.
I changed the following two lines to experiment on performance:
MaxSpareServers 8
MaxRequestWorkers 10
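A way to sanity-check a MaxRequestWorkers value against the memory you can spare before trying it, as an added example that is not from the original post. It assumes the prefork MPM; the directive values are the ones above, while the per-process RSS figures and the 200 MiB budget are constructed for illustration.

```shell
#!/bin/sh
# Check an Apache prefork MaxRequestWorkers value against a memory budget.

# Read a directive's value from config text on stdin (last occurrence wins).
directive_value() {
    awk -v name="$1" 'tolower($1) == tolower(name) { v = $2 } END { print v }'
}

# Average resident set size in KiB from `ps -o rss= -C apache2` style input.
# RSS counts shared pages in every process, so this estimate runs high.
avg_rss_kib() {
    awk 'NF { sum += $1; n++ } END { if (n) printf "%d\n", sum / n; else print 0 }'
}

# Largest worker count whose combined RSS fits in budget_mib ($1),
# given an average RSS in KiB ($2).
max_workers_for_budget() {
    [ "$2" -gt 0 ] || { echo 0; return; }
    echo $(( $1 * 1024 / $2 ))
}

# Print "fits" or "overcommit" for a configured worker count ($1),
# a budget in MiB ($2) and an average RSS in KiB ($3).
check_workers() {
    limit=$(max_workers_for_budget "$2" "$3")
    if [ "$1" -le "$limit" ]; then echo "fits"; else echo "overcommit"; fi
}

# Constructed inputs: the directive values come from the text, the RSS
# figures and the 200 MiB budget are assumptions for illustration.
SAMPLE_CONF='<IfModule mpm_prefork_module>
    MaxSpareServers      8
    MaxRequestWorkers    10
</IfModule>'
SAMPLE_RSS='18000
22000
20000
21000
19000'

CONFIGURED=$(printf '%s\n' "$SAMPLE_CONF" | directive_value MaxRequestWorkers)
AVG=$(printf '%s\n' "$SAMPLE_RSS" | avg_rss_kib)
echo "MaxRequestWorkers $CONFIGURED: $(check_workers "$CONFIGURED" 200 "$AVG")"
echo "MaxRequestWorkers 25: $(check_workers 25 200 "$AVG")"
```

On a live server, feed avg_rss_kib from ps and directive_value from the enabled MPM configuration file instead of the sample strings.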
Squeaking in under the wire
These two tasks have moved my server sentiment from annoying to hopeful. This micro-server now sits just below the meager physical memory limit imposed by its $3.00 budget. Take a look at my output from top.
I am just getting by with a teeny bit of left-over space. The key bit is kswapd has calmed down and now MySQL is no longer crashing. It may be short-lived but it is a victory for today.
Update 1:
Had to up the MaxRequestWorkers to 25, pages kept timing out.
Update 2:
Trying to find the lowest number of “Starting” and “Spare” servers I can get away with. Starting with one and having three spare.
Update 3: Final Update
Looks like I have tamed the beast. I am now sitting at about 100mb free space. The final step was deactivating WordPress Plugins I did not need. I am very glad it worked as I was about to start disabling Apache2 mods that WordPress does not use and I am fairly ignorant on that subject, for now.
For me, docker-compose is a case study in the right tool for the right job. At the least, it allows us to carefully manage and maintain the instancing of our containers. docker-compose takes the command-line options for docker and places them into configuration files.
From a basic understanding of Docker, it becomes clear that it is extremely useful to house your WordPress installation inside a Docker container. Once completed your WordPress instance becomes highly portable and scalable. Additionally, there are other hidden benefits.
Docker is incredibly simple to install and get started. We will be installing the repository version on Linux Mint. This installation should work on any Debian system.