Some aspects of VDS server management under Linux

VDS (Virtual Dedicated Server) is a service within which the user receives virtual dedicated server with maximum privileges. This is an emulation of a real physical server, it has root access, the ability to install arbitrary operating systems and any software. At the same time, it is much cheaper than renting a physical server comparable in capacity.

You can put the OS on the server from your image or use the ready-made image in the control panel.

Suppose we installed Debian 10 and the Nginx web server, which comes in the standard repository (apt install nginx). Let’s see what useful utilities and commands will help you manage your Linux server. Let’s consider Nginx separately and the VDS server itself as a whole.

Content

  • Basic Commands for Managing Nginx
  • Server management
    • Installing a supervisor
    • Analysis of free disk space
    • Find files with find command
    • Testing TCP and UDP Connections
    • Port scan
    • Forwarding messages and files
    • Adding and removing users

First, it is advisable to understand the web server itself. Nginx starts when the installation is complete. We check this fact:

systemctl status nginx

Issuance:

● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-08-17 08:52:54 UTC; 4min 23s ago
Docs: man:nginx(8)
Main PID: 3942 (nginx)
Tasks: 3 (limit: 4719)
Memory: 6.1M
CGroup: /system.slice/nginx.service
├─3942 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─3943 nginx: worker process
└─3944 nginx: worker process

Or just enter the server’s IP address in the browser:

http://your_server_ip

If we haven’t copied our site files to the server yet, then the standard Nginx header page will be shown.

Basic Commands for Managing Nginx

Note. If the user does not have root privileges, then to execute each command, he must obtain root privileges using the command sudo

Stopping the web server:

sudo systemctl stop nginx

If run as root, the command is:

systemctl stop nginx

Start after stop:

systemctl start nginx

Stop and restart (restart):

systemctl restart nginx

If you just made some configuration changes, Nginx can reboot without losing current connections. This is done with the following command:

systemctl reload nginx

By default, Nginx is configured to start automatically when the server boots. This behavior can be changed with the following command:

systemctl disable nginx

Re-enable Nginx autostart on server boot:

systemctl enable nginx

By default, Nginx has one set of rules configured server blocks for one domain. It is assumed that you only host one site on your server. By default, it should be located in the directory /var/www/html

Suppose you want to create multiple rulesets in Nginx server blocks for multiple sites or move the files of the current site to another directory /var/www/your_domain

This is done with the following commands.

First, we create the required directory on the server.

mkdir -p /var/www/your_domain/html

Then we assign the owner of this directory using the variable $USERwhich should match the current user:

chown -R $USER:$USER /var/www/your_domain/html

Place the main page in the specified directory index.html

Then you need to create an appropriate set of rules for Nginx. In any text editor, create a file /etc/nginx/sites-available/your_domain and copy the configuration from the default file there, only with the changed address and domain:

server {
listen 80;
listen [::]:80;

root /var/www/your_domain/html;
index index.html index.htm index.nginx-debian.html;

server_name your_domain www.your_domain;

location / {
try_files $uri $uri/ =404;
}
}

Finally, we activate this configuration by writing a symlink to the new configuration file in the directory sites-enabledwhich Nginx reads at boot:

ln -s /etc/nginx/sites-available/your_domain /etc/nginx/sites-enabled/

After rebooting, Nginx will issue the appropriate page for requests your_domain and www.your_domain

Server management

What questions do users most often have when managing a Linux server? What tools can you recommend even for inexperienced administrators?

Installing a supervisor

Supervisor Is a client / server system through which the administrator controls the processes on the server. The tool creates processes as sub-processes on its own behalf.

Installing supervisord on Debian or Ubuntu is extremely simple:

apt-get install supervisor

After that, the supervisor daemon is already running and will start at every system boot.

New programs are transferred to the supervisor via configuration files in the directory /etc/supervisor/conf.d… For example, for the script long.sh the config file might look like this:

[program:long_script]
command=/usr/local/bin/long.sh
autostart=true
autorestart=true
stderr_logfile=/var/log/long.err.log
stdout_logfile=/var/log/long.out.log

Accordingly, the script will be automatically launched at every system boot and automatically restarted if exited. This value can be ‘false’ (do not restart) or ‘unexpected’ (restarted only if exited with an unexpected error code, by default, any code other than 0 or 2).

The last two lines are the addresses of the magazines. This is the minimum configuration template for a supervisor program.

After creating a configuration file for a specific program, we run two commands so that the supervisor rereads and applies the new configurations:

supervisorctl reread

supervisorctl update

At this stage, our program or script should already be running, which can be checked by logs.

In utility supervisorctl there is an interactive mode in which it runs without arguments:

$ supervisorctl
long_script RUNNING pid 12614, uptime 1:49:37
supervisor>

In this mode, supervisorctl initially displays the status and running time of all programs under the supervision of the supervisor, and then its command line. There you can enter help – and see a list of available commands:

supervisor> help

default commands (type help ):
=====================================
add clear fg open quit remove restart start stop update
avail exit maintail pid reload reread shutdown status tail version

As you can see, you can start, stop and restart programs from the command line using the start, stop and restart commands.

To exit the supervisor, use Ctrl-C or the quit command:

supervisor> quit

Analysis of free disk space

The standard utility for viewing information about mounted partitions is df… It displays a list of connected devices and information about the occupied space.

df опции устройство

The -h option enables human readable output (that is, in megabytes or gigabytes):

$ df -h
Файловая система Размер Использовано Дост Использовано% Cмонтировано в
devtmpfs 925M 0 925M 0% /dev
tmpfs 936M 56K 936M 1% /dev/shm
tmpfs 936M 1,9M 934M 1% /run
tmpfs 936M 0 936M 0% /sys/fs/cgroup
/dev/sda3 15G 11G 4,2G 71% /
tmpfs 936M 192K 936M 1% /tmp
/dev/sdb4 133G 126G 974M 100% /home
tmpfs 188M 20K 188M 1% /run/user/42
tmpfs 188M 7,1M 181M 4% /run/user/1000

Information about a specific directory (e.g. / home):

df -h /home

Information about partitions with a given file system:

df -h -t ext4

Search for files with the command find

Search by file name:

find -name "query"

Search by name case-insensitive:

find -iname "query"

“Reverse” search for files that do not match the specified pattern:

find -not -name "query_to_avoid"

or

find ! -name "query_to_avoid"

Search by file type

find -type дескриптор_типа запрос

Some of the common descriptors are:

  • f – regular file
  • d – directory
  • l – symbolic link
  • c – device files for character I / O
  • b – block I / O device files

For example, the following command will list all character I / O devices installed on the system:

find / -type c
/dev/parport0
/dev/snd/seq
/dev/snd/timer
/dev/autofs
/dev/cpu/microcode
/dev/vcsa7
/dev/vcs7
/dev/vcsa6
/dev/vcs6
/dev/vcsa5
/dev/vcs5
/dev/vcsa4
. . .

There is a filter by size and access / change time. For example, here’s a command to find all files less than 50 bytes:

find / -size -50c

Search for all files over 700 megabytes:

find / -size +700M

To search by access time, modification or change of file meta information, the parameters ‘-atime’, ‘-mtime’ and ‘-ctime’ are used with plus and minus symbols to indicate a range greater and less than the specified one, respectively.

Search for files that were modified less than a day ago:

find / -mtime -1

Files with access time more than three days ago:

find / -atime +3

Files that have changed in the last minute:

find / -mmin -1

Files that are newer than the specified file:

find / -newer myfile

Search by owner (‘-user’, ‘-group’) and files with specific permissions (‘-perm’) is available. On all found files, you can immediately perform some action (‘-exec’).

Testing TCP and UDP Connections

Linux comes with a large number of useful utilities. Some system administrators are able to perform most tasks using only the built-in tools, without installing additional software. The Swiss Knife of Embedded Linux Tools – Networking Utility netcat… General syntax:

netcat [options] host port

This command initiates a TCP connection to the specified host on the specified port. If you need to test a UDP connection together with TCP, then we specify the option -u:

netcat -u host port

Port range:

netcat host startport-endport

Most systems can be written as netcatand nc

Port scan

One of the typical uses of netcat is port scanning, option -z means scanning instead of establishing a connection. We use it together with the option -v to display more detailed information when scanning ports from 1 to 1000:

netcat -z -v domain.com 1-1000

The output will look something like this:

nc: connect to domain.com port 1 (tcp) failed: Connection refused
nc: connect to domain.com port 2 (tcp) failed: Connection refused
nc: connect to domain.com port 3 (tcp) failed: Connection refused
nc: connect to domain.com port 4 (tcp) failed: Connection refused
nc: connect to domain.com port 5 (tcp) failed: Connection refused
nc: connect to domain.com port 6 (tcp) failed: Connection refused
nc: connect to domain.com port 7 (tcp) failed: Connection refused
. . .
Connection to domain.com 22 port [tcp/ssh] succeeded!
. . .

However, for this task there is a more advanced, specialized program. nmap… Install it:

apt-get update
apt-get install nmap

This utility gives more detailed information about ports. Known Ports Registry /usr/share/nmap/nmap-services contains more than 20 thousand lines, including additional fields, such as the average frequency of opening a specific port on servers on the Internet (third column):

. . .
tcpmux 1/tcp 0.001995 # TCP Port Service Multiplexer [rfc-1078]
tcpmux 1/udp 0.001236 # TCP Port Service Multiplexer
compressnet 2/tcp 0.000013 # Management Utility
compressnet 2/udp 0.001845 # Management Utility
compressnet 3/tcp 0.001242 # Compression Process
compressnet 3/udp 0.001532 # Compression Process
unknown 4/tcp 0.000477
rje 5/udp 0.000593 # Remote Job Entry
unknown 6/tcp 0.000502
echo 7/tcp 0.004855
echo 7/udp 0.024679
echo 7/sctp 0.000000
. . .

It is not recommended to run port scans on a foreign server, as the system administrator may confuse such actions as hostile. Nmap is designed to explore its own server, and you can experiment on a dedicated server for testing purposes. scanme.nmap.org

Some commands take a long time to execute.

Scanning the operating system on the host:

nmap -O хост

Scan host range from xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy:

nmap -PN xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy

Scanning the network range looking for available services:

nmap -sP диапазон_адресов

Scanning a specific port:

nmap -p номер_порта хост

Scanning all open TCP and UDP ports:

nmap -n -PN -sT -sU -p- хост

Studying software versions running on the host:

nmap -PN -p номер_порта хост

There are many other commands, options, and use cases for nmap. Scanning the ports of your VDS server allows you to identify potential attack vectors and vulnerabilities, since an attacker will begin his actions with scanning.

Forwarding messages and files

With a key -l you can listen to a specific port on the server:

netcat -l 5438

On another machine, we specify to connect to the machine on this port:

netcat domain.com 5438

A communication channel has now been established between the two systems. It can be used to send text messages.

You can even transfer a file this way. To do this, send the listening command directly to the file:

netcat -l 5438 > полученный_файл

On another computer, instead of a text message, we submit the original file to the input:

netcat domain.com 5438 < оригинальный_файл

Similarly, you can transfer a variety of things, for example, the contents of directories, archived on the fly in tarball:

tar -czf - * | netcat domain.com 4444

In the same way, you can create a disk image on one side (dd), send it to the specified port via the created TCP connection - and receive it on another system.

Adding and removing users

To add, remove users and grant them privileges sudo First you need to connect to the server as root:

ssh root@ip_вашего_сервера

After that, add the user:

adduser newuser

Initially, he has no privileges. But if this is the main user of the system, then we can assign him administrative privileges so that he can perform routine tasks of maintaining and maintaining the server.

To assign administrative privileges, you need to add the user to the sudo group. Users in this group are allowed to run the command sudo with an increase in their privileges to administrative.

usermod -aG sudo user1

Instead user1 we indicate the name of the user who was added earlier. Now he will be able to run any commands through sudo:

sudo команда

With these rights, this user can delete other users:

sudo deluser --remove-home username

Option --remove-home deletes the user's home directory as well.

Root himself has the right to execute the command deluser without sudo...

Of course, this is not a complete list of useful tools for managing a VDS server. But these questions often arise for novice system administrators who set up their first server, installed an OS, and begin to understand the world of Linux administration.


Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *