By Ramesh Vishveshwar
October 12, 2018

Tip-Top VPS

Maintaining a VPS is often critical. Putting in a little time and effort has multiple benefits, from better uptime to a lower probability of server compromise. For small and medium businesses, having a dedicated server admin is a luxury (though necessary). However, this need not stop you from establishing a framework for VPS maintenance. This article outlines some key housekeeping tasks you need to carve out time for, which will strengthen the IT side of your business. Time is money, so if a task can be automated in any way, I will also show you how.

Updates

Bugs and vulnerabilities crop up every so often, and software regularly gets patches. Sometimes servers are not patched in time and hackers exploit this. Back in 2014, Apache servers were hit by a vulnerability which allowed hackers to execute shell commands by prefixing the string () { :; }; in the User-Agent header. Over 3000 vulnerable servers were reported by ArsTechnica. All it needed was a patch to bash, often achieved by a single command on most distributions.

To update packages on your server, run one of the following commands based on your Linux flavor.

# yum -y update                        # CentOS/RHEL
# apt-get update && apt-get upgrade    # Ubuntu/Debian

To make this a little easier, you can enable automatic updates.

On CentOS/RHEL systems, install yum-cron:

# yum -y install yum-cron

You can configure this by editing the /etc/yum/yum-cron.conf file. Some of the key flags to note:

update_cmd: the default is the equivalent of yum upgrade. To install only security upgrades, set the value of this to security.

apply_updates: setting this to yes applies an update as soon as it is available (requires that download_updates be set to yes).
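The interaction between these flags is easy to get wrong, so it is worth checking after editing the file. The script below is an added example, not part of the original article: it classifies a yum-cron.conf by the three settings named above. The function names, the result labels and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report what a yum-cron.conf will actually do.

# conf_value KEY FILE -> last uncommented value assigned to KEY
conf_value() {
    awk -F= -v key="$1" '
        /^[ \t]*#/ { next }
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k != key) next
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v
        }
        END { print val }' "$2"
}

# Prints one of: security-auto, all-auto, download-only, notify-only, misconfigured
yum_cron_mode() {
    cmd=$(conf_value update_cmd "$1")
    dl=$(conf_value download_updates "$1")
    ap=$(conf_value apply_updates "$1")
    if [ "$ap" = yes ] && [ "$dl" != yes ]; then
        echo misconfigured     # apply_updates requires download_updates = yes
    elif [ "$ap" = yes ] && [ "$cmd" = security ]; then
        echo security-auto     # only security updates, installed unattended
    elif [ "$ap" = yes ]; then
        echo all-auto          # every available update, installed unattended
    elif [ "$dl" = yes ]; then
        echo download-only     # fetched but waiting for an admin to install
    else
        echo notify-only
    fi
}

# Constructed sample files for the demonstration
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '[commands]' 'update_cmd = default' \
    'download_updates = yes' 'apply_updates = no' > "$tmp/stock.conf"
printf '%s\n' '[commands]' 'update_cmd = security' '# apply_updates = no' \
    'download_updates = yes' 'apply_updates = yes' > "$tmp/hardened.conf"
printf '%s\n' '[commands]' 'update_cmd = security' \
    'download_updates = no' 'apply_updates = yes' > "$tmp/broken.conf"

for f in stock hardened broken; do
    printf '%-9s %s\n' "$f" "$(yum_cron_mode "$tmp/$f.conf")"
done
```

On a real server, call yum_cron_mode /etc/yum/yum-cron.conf after each change to the file.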

For Ubuntu/Debian, install the unattended-upgrades package:

# apt install unattended-upgrades

The configuration is done through the file /etc/apt/apt.conf.d/50unattended-upgrades:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};

The // marks a comment, so in the above only security upgrades are enabled. You can also exclude certain packages from automatic upgrades via the blacklist:

Unattended-Upgrade::Package-Blacklist {
    "nano";
};

Now that we have tackled packages, we also need to ensure that applications are upgraded regularly. Some applications, such as WordPress, can update their core automatically. You can choose to update plugins automatically via another plugin.

Log Rotation

System and application logs are often written into the /var/log directory. Logs are a good way to debug and resolve issues. However, it is good to remove old logs, which would otherwise end up using disk space.

Install a tool called logrotate to set up how many logs you want to retain and what to do with older logs:

# apt-get update && apt-get install -y logrotate    # Ubuntu/Debian
# yum update && yum install -y logrotate            # CentOS/RHEL

Within the configuration file (/etc/logrotate.conf), uncomment the line include /etc/logrotate.d to include all .conf files from the logrotate.d directory. This way you can control configuration by application. To set up a configuration for nginx, create a file /etc/logrotate.d/nginx.conf with the following:

/var/log/nginx/*.log {
    # match only the live logs; a bare * would also match already-rotated files
    weekly
    rotate 3
    size 10M
    compress
    delaycompress
}

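The above configuration instructs logrotate to rotate log files under the /var/log/nginx directory on a weekly basis (other options being daily and monthly), keep only 3 logs, and allow files to reach up to 10MB in size before rotating. Finally, it compresses older log files and leaves the most recent one as-is. Note that logrotate treats size and the time interval as mutually exclusive, with the last one specified taking precedence, so as written the 10M threshold decides when rotation happens; use minsize 10M instead of size 10M if you want both conditions to apply.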

Disk Usage

One of the key reasons we rotate logs is to prevent the disk from filling up, so you need to keep a watch on disk usage. Run df -h on your server to identify whether any of the filesystems are going to run out of space. You may run out of space because you accidentally set up a backup process without cleaning up old archives. Here is the output from one of my servers. Things are looking good:

Filesystem         Size  Used Avail Use% Mounted on
/dev/ploop40670p1   40G  8.5G   30G  23% /
none               252G     0  252G   0% /sys/fs/cgroup
none               252G     0  252G   0% /dev
tmpfs              2.0G     0  2.0G   0% /dev/shm
tmpfs              2.0G   46M  2.0G   3% /run
tmpfs              410M     0  410M   0% /run/user/920
tmpfs              410M     0  410M   0% /run/user/0
tmpfs              410M     0  410M   0% /run/user/563
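Watching disk usage by eye does not scale, so the check can be scripted and run from cron. The script below is an added example, not part of the original article: it reads df -P output and prints every real filesystem at or above a threshold. The function names and the sample rows are constructed; the same parser also works on df -Pi, which goes slightly beyond the text by covering inode exhaustion.

```shell
#!/bin/sh
# Added example: flag filesystems at or above a usage threshold.

# disk_alerts LIMIT -> reads `df -P` output on stdin and prints
# "<mount point> <pct>%" for each non-RAM filesystem with usage >= LIMIT
disk_alerts() {
    awk -v limit="$1" '
        NR == 1 { next }                                   # header row
        $1 == "tmpfs" || $1 == "devtmpfs" || $1 == "none" { next }
        {
            pct = $5; sub(/%$/, "", pct)
            if (pct !~ /^[0-9]+$/) next                    # "-" when not reported
            mount = $6
            for (i = 7; i <= NF; i++) mount = mount " " $i # mount points with spaces
            if (pct + 0 >= limit + 0) print mount, pct "%"
        }'
}

# Constructed sample: the first rows are modelled on the output above,
# the last two rows are invented to show a filesystem over the limit.
sample_df() {
    cat <<'EOF'
Filesystem        1024-blocks     Used Available Capacity Mounted on
/dev/ploop40670p1    41943040  8912896  31457280      23% /
none                264241152        0 264241152       0% /dev
tmpfs                 2097152    47104   2050048       3% /run
/dev/sdb1           104857600 95420416   9437184      91% /var/backups
/dev/sdc1            52428800 41943040  10485760      80% /srv/old archives
EOF
}

sample_df | disk_alerts 80

# On a live server, check both space and inodes (IUse% is also column 5):
#   df -P  | disk_alerts 80
#   df -Pi | disk_alerts 80
```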

Unwanted Services/Packages

If you are like me, you install a service/package to try something out. After the test, I forget to remove the service/package. These unwanted components could be entry points for hacks or, in other cases, end up hogging memory and resources on your server.

Most installations have smtp turned on by default or have the web server (apache/httpd) running. You may choose to run nginx or a different web server; in that case, uninstall the default to prevent conflicts and improve resource usage.

While researching for this post, the one thing that came to mind was server restarts. From having used Windows regularly, I am used to restarting the machine every so often after an update is installed. Linux patches don’t generally require reboots unless it is a kernel upgrade.
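To find forgotten services, compare what is actually listening on the network with what you expect to be there. The script below is an added example, not part of the original article: it reads ss -Htlnp output and prints every TCP listener that is reachable from outside the host and not on an allowlist. The function names, the allowlist and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: list externally reachable TCP listeners not on an allowlist.

# unexpected_listeners "PORT PORT ..." -> reads `ss -Htlnp` output on stdin
# and prints "<port> <bind address> <process>" for each unexpected listener
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }
        {
            addr = $4; port = $4
            sub(/:[^:]*$/, "", addr)        # drop the trailing ":port"
            sub(/^.*:/, "", port)           # keep what follows the last colon
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (port in ok) next
            proc = "unknown"                # process names need root to show
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            print port, addr, proc
        }'
}

# Constructed sample of `ss -Htlnp` output: the default mail and web
# servers mentioned above are still running next to nginx.
sample_ss() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=1040,fd=13))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=977,fd=6))
LISTEN 0 511 [::]:8080 [::]:* users:(("httpd",pid=1301,fd=4))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=900,fd=21))
EOF
}

sample_ss | unexpected_listeners "22 80 443"

# On a live server (as root):  ss -Htlnp | unexpected_listeners "22 80 443"
# Then stop and remove what is not needed, for example:
#   systemctl disable --now postfix
#   yum remove httpd            # CentOS/RHEL
#   apt-get purge apache2       # Ubuntu/Debian
```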
