Matteo Mattei

Hello, my name is Matteo Mattei and this is my personal website. I am computer engineer with a long experience in Linux system administration and web software development.

linkedin rss twitter google+ github facebook

How to backup MySQL data and schema in PHP

phpmysql

For a project I am working on, I needed to create a PHP script to export a full MySQL database data and schema. This is probably not the best solution because for these types of things the right tools to use are mysqldump and phpmyadmin but if you need to do it programmatically using only PHP this might help you.

Here below you can find the code I created for this purpose using PHP-PDO:


How to shrink raspberry pi backup images

When I backup my raspberry pi SD card one problem I always faced is how much storage space I have to use because using dd command the resulting backup image is exactly the same size of the whole SD card and having memory cards of 32GB or more, the storage of my pc would end pretty soon.

That said I wrote a little script that takes the big image, resize it to the minimal and compress it using gzip.

Just for completeness, this is the command I use to create the image of the SD card:

sudo dd if=/dev/mmcblk0 of=/path/to/image.img bs=1M

Now you can use the following script to shrink the image:

sudo ./raspberrypi_image_resize.sh /path/to/image.img

The process takes some time and at the end you will find that the size of the compressed image is drastically reduced. This is an example of a 8GB SD card before and after the compression:

-rw-r--r-- 1 matteo matteo 8026849280 Sep 10 15:45 image.img
-rw-r--r-- 1 matteo matteo  468097056 Sep 12 12:57 image.img.gz

So from a 8GB file, we have obtained 460MB file.


Secure PHP installation disabling dangerous functions

Attacks through PHP vulnerabilities are very common and every sysadmin should protect and enforce as much as possible the server infrastructure and PHP configuration to prevent as much as possible these types of attack. Today I show you how to tune PHP configuration to disable some dangerous functions and report as less information as possible to outside.

All changes we are going to do are located in php.ini:

expose_php = Off          # we don't want to let the clients know we are using PHP
display_errors = Off      # in case of error we don't want to show it
register_argc_argv = Off  # for better performance
allow_url_fopen = Off     # no external URL access
allow_url_include = Off   # no external URL access
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source # potential dangerous functions to disable

After that, restart the web server and create a phpinfo() page to make sure the new values have been correctly set.


Keep your websites protected with Maldet

The LMD (Linux Malware Detect) also called maldet is a malware scanner developed by (rxfn.com)[https://www.rfxn.com] for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments.

This guide show you how to install, configure and run maldet once a day in a cronjob:

First of all download the latest version of the maldetect, decompress, and install it:

cd /usr/local/src
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -zxvf maldetect-current.tar.gz
cd maldetect-*
./install.sh

Now edit the configuration file /usr/local/maldetect/conf.maldet and set the following values:

email_alert="1"
email_addr="your-email@example.com"
quarantine_hits="1"
quarantine_clean="1"
default_monitor_mode="/path/to/monitor"

The default monitor_mode is used by inotify in case you want real-time protection, otherwise you can relay only on the cronjob that is already configured in /etc/cron.daily.

For real-time protection start maldet inotify monitor: /etc/init.d/maldet start

Now update malware definitions and run your first scan:

maldet -d                  # update the program
maldet -u                  # update malware definitions
maldet -a /path/to/scan    # scan all files in the path

The last command might take lot of time depending on the number of files to analyze.


Install GoAccess to monitor web server statistics

GoAccess is a nice tool that parses Apache logs and create a report in various format extracting lot of interesting data and statistics. This guide has been tested on CentOS 6.x but it should be very similar also for other distributions.

First of all install some dependencies given we are going to compile the sources:

yum install glib2 glib2-devel glibc make

Download the goaccess source code, copile and install it:

cd /usr/loca/src
wget http://tar.goaccess.io/goaccess-1.0.2.tar.gz
tar xzf goaccess-1.0.2.tar.gz
cd goaccess-1.0.2
./configure
make
make install

Now run goaccess and select the format of the Apache log file from the list it proposes. In case you already know how the Apache output file is generated, you can edit the configuration file /usr/local/etc/goaccess.conf with the appropriate patterns for time-format, date-format and log-format. In my case I have the following:

time-format %H:%M:%S
date-format %d/%b/%Y
log-format %h %^[%d:%t %^] "%r" %s %b

Create a goaccess folder inside a virtualhost document root (so that it is accessible from the web):

mkdir /var/www/vhosts/myhost.com/public_html/goaccess
chown myuser.myuser /var/www/vhosts/myhost.com/public_html/goaccess

Now edit /etc/crontab and add a cronjob for goaccess that runs every 10 minutes:

*/10 * * * *    myuser    /usr/local/bin/goaccess -f /usr/local/apache/logs/access_log -a -d -o /var/www/vhosts/myhost.com/public_html/goaccess/index.html &> /dev/null 

Generally is a good idea to protect the goaccess folder with a password so that nobody except you can access and see the statistics of the web server.

cat << EOF > /var/www/vhosts/myhost.com/public_html/goaccess/.htaccess
AuthType Basic
AuthName "GoAccess"
AuthUserFile /home/myuser/goaccess_htpasswd
Require valid-user
EOF

htpasswd -c /home/myuser/goaccess_htpasswd myuser

Now every 10 minutes the statistics of your Apache (or Nginx) web server are correctly parsed and served in a nice HTML web interface!


Enforce Apache security and performance

Production Apache web servers need to be well configured for what regards security and performance. Here below a quick tips to make your servers more secure and performant.

First of all you need to verify if you are using prefork module:

apachectl -V | grep -i mpm

If prefork is enabled, you should see a line like this:

Server MPM:     prefork

If it is, I wrote a simple script to calculate the number of MaxClients your server can support:

Basically this number is calculated with this formula:

(TOTAL_RAM - MYSQL_RAM - 50MB) / APACHE_RAM

So, edit /etc/apache2/apache2.conf on Debian/Ubuntu and /etc/httpd/conf/httpd.conf on RedHat/CentOS and set the prefork section like this:

<IfModule prefork.c>
    StartServer 5
    MinSpareServers 5
    MaxSpareServers 10
    MaxClients 300            # value calculated
    MaxRequestPerChild 3000   # 3000 is a good number, avoid to leave it at 0
</IfModule>

Set now some parameters that affects security and performances. Depending on your distribution they can be already set in the following files:

Debian/Ubuntu:

  • /etc/apache2/apache2.conf
  • /etc/apache2/conf.d/security

RedHat/CentOS:

  • /etc/httpd/conf/httpd.conf
  • /etc/httpd/conf/extra/httpd-default.conf
ServerTokens Prod
ServerSignature Off
HostnameLookups Off
Timeout 45
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

Now test apache configuration and if all goes well, restart the web server:

apachectl configtest

/etc/init.d/httpd restart    # RedHat/CentOS
/etc/init.d/apache2 restart  # Debian/Ubuntu