Some aspects of VDS server management under Linux

VDS (Virtual Dedicated Server) is a service within which the user receives a virtual dedicated server with maximum privileges. This is an emulation of a real physical server, it has root access, the ability to install arbitrary operating systems and any software. At the same time, it is much cheaper than renting a physical server comparable in capacity.



You can put the OS on the server from your image or use the ready-made image in the control panel.







Let's say we installed Debian 10 and the Nginx web server, which comes in the standard repository (apt install nginx). Let's see which useful utilities and commands help you manage a Linux server. We will look at Nginx separately and then at the VDS server itself as a whole.




First, it is advisable to understand the web server itself. Nginx starts when the installation is complete. We check this fact:



systemctl status nginx


Output:



● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-08-17 08:52:54 UTC; 4min 23s ago
     Docs: man:nginx(8)
 Main PID: 3942 (nginx)
    Tasks: 3 (limit: 4719)
   Memory: 6.1M
   CGroup: /system.slice/nginx.service
           ├─3942 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─3943 nginx: worker process
           └─3944 nginx: worker process


Or just enter the server's IP address in the browser:



http://your_server_ip


If we have not yet copied our site files to the server, the default Nginx welcome page will be displayed.







Basic Commands for Managing Nginx



Note. If the user does not have root privileges, each of the commands below must be run with sudo to obtain them.



Stopping the web server:



sudo systemctl stop nginx


If run as root, the command is:



systemctl stop nginx


Start after stop:



systemctl start nginx


Stop and start again (restart):



systemctl restart nginx


If you have just changed the configuration, Nginx can reload it without dropping current connections. This is done with the following command:



systemctl reload nginx


By default, Nginx is configured to start automatically when the server boots. This can be disabled with the following command:



systemctl disable nginx


Re-enable Nginx autostart on server boot:



systemctl enable nginx


By default, Nginx comes with one server block configured for one domain, on the assumption that you host only one site on the server. Its files are expected in the directory /var/www/html.



Suppose you want to create several server blocks for several sites in Nginx, or move the files of the current site to a different directory, /var/www/your_domain.



This is done with the following commands.



First, we create the required directory on the server.



mkdir -p /var/www/your_domain/html


Then we assign the owner of this directory using the $USER variable, which should correspond to the current user:



chown -R $USER:$USER /var/www/your_domain/html


We place the site's main page, index.html, in that directory.



Then you need to create an appropriate set of rules for Nginx. In any text editor, create the file /etc/nginx/sites-available/your_domain and copy the configuration from the default file into it, changing only the root path and the domain:



server {
    listen 80;
    listen [::]:80;

    root /var/www/your_domain/html;
    index index.html index.htm index.nginx-debian.html;

    server_name your_domain www.your_domain;

    location / {
        try_files $uri $uri/ =404;
    }
}


Finally, we activate this configuration by placing a symlink to the new configuration file in the sites-enabled directory, which Nginx reads at startup:



ln -s /etc/nginx/sites-available/your_domain /etc/nginx/sites-enabled/


After restarting Nginx, it will serve the appropriate page for requests to your_domain and www.your_domain.



Server management



What questions do users most often have when managing a Linux server? What tools can you recommend even for inexperienced administrators?



Installing a supervisor



Supervisor is a client/server system through which the administrator controls processes on the server. It launches the programs it manages as its own child processes.



Installing supervisord on Debian or Ubuntu is extremely simple:



apt-get install supervisor


After that, the supervisor daemon is already running and will start at every system boot.



New programs are handed to the supervisor through configuration files in the directory /etc/supervisor/conf.d. For example, for a script long.sh the configuration file might look like this:



[program:long_script]
command=/usr/local/bin/long.sh
autostart=true
autorestart=true
stderr_logfile=/var/log/long.err.log
stdout_logfile=/var/log/long.out.log


Accordingly, the script will be launched automatically at every system boot and restarted automatically if it exits. The autorestart value can also be 'false' (never restarted) or 'unexpected' (restarted only if it exits with an unexpected exit code; by default, any code other than 0 or 2).



The last two lines are the paths of the log files. This is the minimum configuration template for a supervisor program.



After creating a configuration file for a specific program, we run two commands so that the supervisor rereads and applies the new configurations:



supervisorctl reread


supervisorctl update


At this stage our program or script should already be running, which can be verified from the logs.



The supervisorctl utility has an interactive mode, which it enters when run without arguments:



$ supervisorctl
long_script RUNNING pid 12614, uptime 1:49:37
supervisor>


In this mode, supervisorctl first displays the status and uptime of all programs under its supervision, then its own prompt. There you can enter help to see the list of available commands:



supervisor> help

default commands (type help <topic>):
=====================================
add clear fg open quit remove restart start stop update
avail exit maintail pid reload reread shutdown status tail version


As you can see, you can start, stop and restart programs from the command line using the start, stop and restart commands.



To exit the supervisor, use Ctrl-C or the quit command:



supervisor> quit


Analysis of free disk space



The standard utility for viewing information about mounted partitions is df. It displays a list of connected devices and information about the occupied space.



df


The -h option enables human readable output (that is, in megabytes or gigabytes):



$ df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 925M 0 925M 0% /dev
tmpfs 936M 56K 936M 1% /dev/shm
tmpfs 936M 1,9M 934M 1% /run
tmpfs 936M 0 936M 0% /sys/fs/cgroup
/dev/sda3 15G 11G 4,2G 71% /
tmpfs 936M 192K 936M 1% /tmp
/dev/sdb4 133G 126G 974M 100% /home
tmpfs 188M 20K 188M 1% /run/user/42
tmpfs 188M 7,1M 181M 4% /run/user/1000


Information about a specific directory (e.g. /home):



df -h /home


Information about partitions with a given file system:



df -h -t ext4


Search for files with the command find



Search by file name:



find -name "query"


Search by name case-insensitive:



find -iname "query"


"Reverse" search for files that do not match the specified pattern:



find -not -name "query_to_avoid"


or



find \! -name "query_to_avoid"


Search by file type



find -type _ 


Some of the common descriptors are:



  • f - regular file

  • d - directory

  • l - symbolic link

  • c - character I/O device files

  • b - block I/O device files


For example, the following command lists all character I/O device files present on the system:



find / -type c
/dev/parport0
/dev/snd/seq
/dev/snd/timer
/dev/autofs
/dev/cpu/microcode
/dev/vcsa7
/dev/vcs7
/dev/vcsa6
/dev/vcs6
/dev/vcsa5
/dev/vcs5
/dev/vcsa4
. . .


There are also filters by size and by access/modification time. For example, here is a command to find all files smaller than 50 bytes:



find / -size -50c


Search for all files over 700 megabytes:



find / -size +700M


To search by access time, modification time, or change of file metadata, the parameters '-atime', '-mtime' and '-ctime' are used, with plus and minus signs to indicate more than and less than the specified value, respectively.



Search for files that were modified less than a day ago:



find / -mtime -1


Files with access time more than three days ago:



find / -atime +3


Files that have changed in the last minute:



find / -mmin -1


Files that are newer than the specified file:



find / -newer myfile


Search by owner ('-user', '-group') and by specific permissions ('-perm') is also available. An action can be run immediately on every file found ('-exec').
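The -perm, -user, -mmin and -exec filters just mentioned are most useful to a server owner as an audit. Here, as an added example that is not part of the original article, is a shell script that runs them over a web root; the root path and the expected owner are parameters introduced for the example.

```shell
#!/bin/sh
# Added example, not from the article: the -perm, -user, -mmin and -exec filters
# mentioned above, combined into a post-deploy audit of a web root. Paths and the
# expected owner are parameters; the test below runs it against a scratch tree.
set -eu

# Regular files anyone can write to (-perm -0002 = "other" write bit set):
# nothing under a docroot should be writable by every account on the box.
world_writable() {
    find "$1" -type f -perm -0002
}

# Setuid or setgid files: these have no place under a web root at all.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# Anything not owned by the expected account (the article chowns the tree to $USER).
wrong_owner() {
    find "$1" ! -user "$2"
}

# Regular files modified within the last $2 minutes; run after a deploy window
# closes, any hit is a write to the docroot you did not schedule.
recently_modified() {
    find "$1" -type f -mmin "-$2"
}

# Use -exec to strip the "other" write bit from every world-writable hit.
fix_world_writable() {
    find "$1" -type f -perm -0002 -exec chmod o-w {} \;
}

# One labelled report line per finding; $1 is the web root, $2 the expected owner.
audit_webroot() {
    world_writable "$1"    | sed 's/^/world-writable:    /'
    setid_files "$1"       | sed 's/^/setuid-or-setgid:  /'
    wrong_owner "$1" "$2"  | sed 's/^/unexpected-owner:  /'
}

# Number of findings, handy as an exit criterion in a deploy pipeline.
count_findings() {
    audit_webroot "$1" "$2" | wc -l | tr -d ' '
}
```

On the article's layout the call is `audit_webroot /var/www/your_domain/html "$USER"`, followed by `fix_world_writable` once the report has been reviewed.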



Testing TCP and UDP Connections



Linux comes with a large number of useful utilities. Some system administrators manage to perform most tasks using only the built-in tools, without installing additional software. The real Swiss Army knife among the built-in Linux tools is the network utility netcat. General syntax:



netcat [options] host port


This command initiates a TCP connection to the specified host on the specified port. If you need to test a UDP connection instead of TCP, specify the -u option:



netcat -u host port


Port range:



netcat host startport-endport


On most systems you can type either netcat or nc.



Port scan



One of the typical uses of netcat is port scanning; the -z option means scan instead of establishing a connection. We use it together with the -v option to display more detailed information when scanning ports 1 to 1000:



netcat -z -v domain.com 1-1000


The output will look something like this:



nc: connect to domain.com port 1 (tcp) failed: Connection refused
nc: connect to domain.com port 2 (tcp) failed: Connection refused
nc: connect to domain.com port 3 (tcp) failed: Connection refused
nc: connect to domain.com port 4 (tcp) failed: Connection refused
nc: connect to domain.com port 5 (tcp) failed: Connection refused
nc: connect to domain.com port 6 (tcp) failed: Connection refused
nc: connect to domain.com port 7 (tcp) failed: Connection refused
... ... ...
Connection to domain.com 22 port [tcp/ssh] succeeded!
... ... ...


However, there is a more advanced program specialized for this task, nmap. Install it:



apt-get update
apt-get install nmap


This utility gives more detailed information about ports. Its database of known ports, /usr/share/nmap/nmap-services, contains more than 20 thousand lines with additional fields, such as how often a given port is found open on servers on the Internet (third column):



... ... ...
tcpmux 1/tcp 0.001995 # TCP Port Service Multiplexer [rfc-1078]
tcpmux 1/udp 0.001236 # TCP Port Service Multiplexer
compressnet 2/tcp 0.000013 # Management Utility
compressnet 2/udp 0.001845 # Management Utility
compressnet 3/tcp 0.001242 # Compression Process
compressnet 3/udp 0.001532 # Compression Process
unknown 4/tcp 0.000477
rje 5/udp 0.000593 # Remote Job Entry
unknown 6/tcp 0.000502
echo 7/tcp 0.004855
echo 7/udp 0.024679
echo 7/sctp 0.000000
... ... ...


It is not recommended to run port scans against someone else's server, since its administrator may interpret such actions as hostile. Nmap is meant here for examining your own server; for experiments there is a dedicated test host, scanme.nmap.org.



Some commands take a long time to execute.



Scanning the operating system on the host:



nmap -O 


Scan host range from xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy:



nmap -PN xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy


Scanning the network range looking for available services:



nmap -sP _


Scanning a specific port:



nmap -p _ 


Scanning all open TCP and UDP ports:



nmap -n -PN -sT -sU -p- 


Studying software versions running on the host:



nmap -PN -p _ 


There are many other commands, options and use cases for nmap. Scanning the ports of your own VDS server lets you identify potential attack vectors and vulnerabilities, since an attacker will begin with exactly such a scan.



Forwarding messages and files



Using the -l option, you can listen on a specific port on the server:



netcat -l 5438


On another machine, we connect to the server on this port:



netcat domain.com 5438


A communication channel has now been established between the two systems. It can be used to send text messages.



You can even transfer a file this way. To do this, redirect the output of the listening side straight into a file:



netcat -l 5438 > _


On the other computer, instead of typing a text message, we feed the source file to netcat's standard input:



netcat domain.com 5438 < _


In the same way you can transfer all sorts of things, for example the contents of a directory, packed on the fly into a tarball:



tar -czf - * | netcat domain.com 4444


Likewise, you can create a disk image on one side (dd), send it to the given port over the established TCP connection, and receive it on the other system.



Adding and removing users



To add and remove users and grant them sudo privileges, you must first connect to the server as root:



ssh root@ip__


After that, add the user:



adduser newuser


Initially, he has no privileges. But if this is the main user of the system, we can give him administrative privileges so that he can perform the routine tasks of maintaining and administering the server.



To assign administrative privileges, add the user to the sudo group. Members of this group are allowed to run commands via sudo with their privileges elevated to administrative ones.



usermod -aG sudo user1


Instead of user1, specify the name of the user added earlier. Now he will be able to run any command through sudo:



sudo 


With these rights, this user can delete other users:



sudo deluser --remove-home username


The --remove-home option also deletes the user's home directory.



Root himself has the right to run deluser without sudo.



Of course, this is not a complete list of useful tools for managing a VDS server. But these are the questions that most often arise for novice system administrators who have set up their first server, installed an OS, and are beginning to explore the world of Linux administration.








