Sysadmin tasks

Because we wear all the hats 👒🎩🤓

Project: Matrix AMC - ACVO

Tasks here correspond to the setup / configuration / tweaking for Development environment.

The AWS instance is on Client’s Amazon account.

Jason will do did the initial instance setup. I will handle the packages install, config, etc…

AWS instance IP: 18.217.190.206

Update date

This doc was last updated on: 2017/12/13

Status Reference

  • DONE : Task is complete! :)
  • Incomplete : Task is partly done :|
  • Block : Houston, we have a problem… :(

Webserver

  • Apache/2.4.18 DONE
  • mysql Ver 14.14 Distrib 5.7.20 DONE
  • PHP 7.0.22 DONE

Drupal

  • Composer version 1.5.5 DONE
  • Drush 8.1.15 DONE
  • Drupal Console Launcher 1.3.1 DONE

Other tools

  • git 2.7.4 DONE

Security

  • ssh login not allowing passwords DONE
  • ssh disalow root login DONE
  • fail2ban enabled for ssh DONE
  • certbot config Pending We need a domain!

Any extra notes?

  • Discuss security with Jason. What would I do:

    • Restrict ssh connections to our IPs.

      Iptables can cover that in an easy way. Althou not sure how AWS “security groups” works, so we should check it doesn’t ‘collide’ with iptables. AWS uses “Security Groups”

    • Change ssh port

      Right now we are using default ssh port (22), we should change it to some non-standard port. Discussed with Jason, not needed

    • Check and re-check sshd config

      Be absolutely sure that ssh server config doesn’t allow login with password. Only allowed method should be with certs. DONE

    • Check ports

      Check listening ports, and close the ones we don’t need. As far as I know we only need ports 80, 443, 22, 3306 listening and allowing external connections. DONE

    • Config ssl cert to force https on login pages

      Certbot doesn’t work with IP addresses, so we need a domain to setup the certs. Pending

.htaccess and redirects

Important

Under sites/default/files/private there is an .htaccess file! I’ve commented it out to avoid redirects to production site.

Uncomment or consider an alternative method to whatever that file is doing in there.

1
2
3
4
5
6
7
8
9
#<IfModule mod_rewrite.c>
#  RewriteEngine on
#  RewriteBase /system/files/private
#
#  RewriteCond %{HTTP_REFERER} .*member.abvo.us/
#  RewriteRule ^(.*)$ http://member.abvo.us/system/files/private/$1 [L,R]
#
#  RewriteRule ^(.*)$ http://member.acvo.org/system/files/private/$1 [L,R]
#</IfModule>

If we are going to use github or gitlab we can take advantage of their hooks integrations.

  • Define workflow
  • Setup git hooks
  • Automated testing / CI?

Sysadmin tasks progress

Progress

71.5%