Thursday, September 28, 2017

quick refresher from anyone who maintains Linux systems

#linux quick refresher from anyone who maintains Linux systems #document http://bit.ly/2ftqnfK
  • RCS is your friend, use it religiously on every system file you modify.
  • My 20¢, https://plus.google.com/u/0/111725158664981767583
    • once you've settled up
    • set up an rsyslog server.
    • Monitoring server (Zabbix, Cacti, et al.).
    • Back up and update really often (especially if your servers are internet-facing).
    • Don't install apache and mysql on the same server.
    • Only use https.
    • Use containers (lxc, docker) when possible.
    • Avoid using any .tar or .gz to install software, always use repositories or git.
    • Never, never, never disable iptables or selinux (rh/centos).
    • Always use fail2ban and mod_secure (if using a webserver).
    • Cheers!
    • Assuming you maintain the hardware, tools to monitor hardware state. Power supplies and hard drives are the most common issues in my environments that need watching. At my last job, the network team would introduce problems, so I also needed to check the status of my network bonds.

    • Hardware or virtual, firewall and audit logs are mandatory for examining. Keep up on vendor updates (CERT vulnerability lists are also good).
    • Log files. Depending on what services you are running, you’ll need to set up a log rotation right quick or you can run your /var partition out of space.
    • Nothing. What you need is monitoring set up and logwatch installed. Read those emails, look at the monitoring system, log in every once in a while, check who is logged in, running processes, network connections, free disk and memory, top.
    • I really like having a CAS & PDU set up for remote control of everything without using ipmi.

    • That all said, I have a set of cronjobs I run nightly or weekly to keep me informed. On various critical stuff I run nagios on assorted services.

    • A bit old school but it works for me.

    • I also have assorted scripts, for example an ansible script that goes through and updates/patches security in all of my servers (some 300 odd).
    • Largely just SSH with private keys, and ensuring that updates are regularly installed.

    • You can always write a simple program to get whatever stats are most important to you from the machines. Usually never amounts to more than just getting a history of memory, CPU, disk and network activity.
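
The last tip above (keeping a history of memory, CPU, disk and network activity) as an added example; it is not code from the post or its commenters. The function names, the `--log` option, the default interface `eth0` and the cron path are assumptions for illustration, and each parser takes a file argument so it can be checked against sample data.

```shell
#!/bin/sh
# Added example: append one line of memory/CPU/disk/network stats per run.
# File paths are parameters so the parsers can be exercised on sample files.

# Available memory in kB, from a /proc/meminfo-format file.
mem_available_kb() {
    awk '$1 == "MemAvailable:" { print $2 }' "${1:-/proc/meminfo}"
}

# 1-minute load average, from a /proc/loadavg-format file.
load1() {
    cut -d' ' -f1 "${1:-/proc/loadavg}"
}

# "rx_bytes tx_bytes" for one interface, from a /proc/net/dev-format file.
# The colon may touch the counter ("eth0:123"), so replace it with a space first.
net_bytes() {
    awk -v ifc="$1" '{ sub(/:/, " ") } $1 == ifc { print $2, $10 }' \
        "${2:-/proc/net/dev}"
}

# Percentage in use of the filesystem holding $1 (POSIX df output format).
disk_used_pct() {
    df -P "${1:-/}" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# One CSV record: timestamp,host,load1,mem_avail_kb,disk_pct,rx_bytes,tx_bytes
snapshot() {
    ifc=${1:-eth0}                 # assumed default interface name
    set -- $(net_bytes "$ifc")     # $1 = rx bytes, $2 = tx bytes (empty if no such iface)
    printf '%s,%s,%s,%s,%s,%s,%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" \
        "$(load1)" "$(mem_available_kb)" "$(disk_used_pct /)" \
        "${1:-NA}" "${2:-NA}"
}

# Cron usage (hypothetical script path and log file):
#   */5 * * * * /usr/local/bin/stats-history.sh --log /var/log/stats-history.csv eth0
if [ "${1:-}" = "--log" ] && [ -n "${2:-}" ]; then
    snapshot "${3:-eth0}" >> "$2"
fi
```

The log file grows without bound, so it needs a logrotate entry like any other file under /var.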
