Dev Ops Crash Course - Day One
Notes from day two, day three, day four, and day five.
Internet 101
Videos: https://www.khanacademy.org/computing/computer-science/internet-intro/internet-works-intro/v/the-internet-wires-cables-and-wifi
Some vocab:
- Bandwidth: capacity to receive information
- Bitrate: speed of sending information (bits per second)
- Latency: drag / delay when sending information
Internet is a design philosophy expressed through agreed upon protocols:
- IPv4 - current protocol (32bit)
- IPv6 - new protocol to provide more IP addresses (128bit)
IP addresses have A, B, and C classes.
DNS
How DNS works: https://howdns.works/
In local network settings, DNS is set to Google Public DNS.
- better performance
- better security
Anatomy of a URL: https://doepud.co.uk/blog/anatomy-of-a-url
protocol | subdomain | domain |
---|---|---|
https:// | www. | google.com |
DNS records
Record types:
- A record: address, maps hostname to physical IP address
- PTR record: pointer, maps IP to name (helpful when scanning logs)
- CNAME record: alias, map domain name to another domain name
Can use multiple records for redundancy strategy. For example, you want multiple MX records for mail servers. Config priority on each record.
DNS lookup
$ dig learn.co
; <<>> DiG 9.8.3-P1 <<>> learn.co
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60914
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;learn.co. IN A
;; ANSWER SECTION:
learn.co. 212 IN A 45.55.127.202
;; Query time: 29 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar 20 12:06:16 2017
;; MSG SIZE rcvd: 42
$ whois 104.131.42.251
#
# Query terms are ambiguous. The query is assumed to be:
# "n 104.131.42.251"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=104.131.42.251?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange: 104.131.0.0 - 104.131.255.255
CIDR: 104.131.0.0/16
NetName: DIGITALOCEAN-9
NetHandle: NET-104-131-0-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS46652, AS14061, AS393406, AS62567
Organization: Digital Ocean, Inc. (DO-13)
RegDate: 2014-06-02
Updated: 2014-06-02
Comment: http://www.digitalocean.com
Comment: Simple Cloud Hosting
Ref: https://whois.arin.net/rest/net/NET-104-131-0-0-1
OrgName: Digital Ocean, Inc.
OrgId: DO-13
Address: 101 Ave of the Americas
Address: 10th Floor
City: New York
StateProv: NY
PostalCode: 10013
Country: US
RegDate: 2012-05-14
Updated: 2017-01-28
Comment: http://www.digitalocean.com
Comment: Simple Cloud Hosting
Ref: https://whois.arin.net/rest/org/DO-13
OrgNOCHandle: NOC32014-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-347-875-6044
OrgNOCEmail: noc@digitalocean.com
OrgNOCRef: https://whois.arin.net/rest/poc/NOC32014-ARIN
OrgTechHandle: NOC32014-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-347-875-6044
OrgTechEmail: noc@digitalocean.com
OrgTechRef: https://whois.arin.net/rest/poc/NOC32014-ARIN
OrgAbuseHandle: ABUSE5232-ARIN
OrgAbuseName: Abuse, DigitalOcean
OrgAbusePhone: +1-347-875-6044
OrgAbuseEmail: abuse@digitalocean.com
OrgAbuseRef: https://whois.arin.net/rest/poc/ABUSE5232-ARIN
Local spoofing:
-
Open localhost file:
/etc/hosts
-
Add spoofed DNS entries (IP address, site+domain):
36.36.36.36 learn.co
DHCP
DHCP “dynamically distributes network configuration parameters, such as IP addresses”. Process of obtaining IP address on private network. It’s obtained on a lease that will eventually expire.
Router gives out IP addresses. There’s a limited number.
You can configure leases to expire after a certain period of time. Helps prevent running out.
Packets and Traffic
Packets directed by routers. Routers owned by ISPs.
See the path of your request:
$ traceroute learn.co
traceroute to learn.co (45.55.127.202), 64 hops max, 52 byte packets
1 lo0-100.nycmny-vfttp-407.verizon-gni.net (71.190.177.1) 4.954 ms 2.340 ms 2.594 ms
2 b3407.nycmny-lcr-22.verizon-gni.net (100.41.0.152) 6.657 ms
b3407.nycmny-lcr-21.verizon-gni.net (100.41.0.150) 7.809 ms 11.878 ms
3 * * *
4 * * *
5 0.ae13.gw10.ewr6.alter.net (140.222.235.117) 29.671 ms
0.ae1.gw10.ewr6.alter.net (140.222.230.151) 13.458 ms 6.881 ms
6 157.130.91.86 (157.130.91.86) 14.051 ms 12.765 ms 10.800 ms
7 nyk-bb4-link.telia.net (62.115.137.100) 5.831 ms
nyk-bb4-link.telia.net (62.115.137.98) 7.330 ms
nyk-bb1-link.telia.net (213.155.130.29) 6.450 ms
8 nyk-b3-link.telia.net (80.91.247.21) 10.902 ms
nyk-b3-link.telia.net (80.239.147.132) 6.161 ms
nyk-b3-link.telia.net (62.115.123.49) 13.696 ms
9 digitalocean-ic-306498-nyk-b3.c.telia.net (62.115.45.10) 9.293 ms 10.936 ms
digitalocean-ic-306497-nyk-b3.c.telia.net (62.115.45.6) 18.379 ms
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
TCP
TCP manages sending and receiving of packets (Transmission Control Protocol).
HTTP and DNS manage the sending and receiving of web files
Made possible by TCP + IP routing
Examining Network Traffic
Your computer has a hardware address that you can change. Look up with ifconfig
.
Example: free wifi networks
- allow you to log on for limited time, then they try to upsell you
- they identify your device by hardware address
- change hardware address will allow you to stay on for free (bc you look like a new device)
tcpdump
command allows you to examine traffic on a server. Wire Shark is a GUI for tcpdump
. Allows you to examine packets going across network. Can see handshake that’s getting made (TCP).
Get capture file (tcpdump -i eth0 -s 65536 -w capture.pcap
), then import into Wire Shark.
Transport Layer Security
Data sent using HTTPS is secured via Transport Layer Security protocol.
When a company registers for a certificate, they provide info and Certificate Authority (trusted entity) verifies it. If valid, authority issues certificate. Certificate Authority signs for your authenticity. Process is not difficult. Relies on trust in the Certificate Authority.
You can be your own Certificate Authority with self-signed certificates, but that’s not trusted.
View SSL Certificate on Chrome: open Developer Tools, then click on the Security Tab.
Often in the wild, people terminate SSL at the load balancer, so traffic between load balancer and hosts is unencrypted traveling over private network. Terminating at load balancer is a common pattern and makes things easier to scale. Otherwise you’d have to make sure certificate and keys are on all hosts.
Encryption
Explaining public/private key encryption: https://www.youtube.com/watch?v=YEBfamv-_do
Understanding the SSH encryption and connection process: https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process
We disabled password identification on our servers (hosts). Instead, we identify by public keys, which is more secure. Developers’ public keys have been distributed out to all servers. Then developers can connect from their local machines, where private keys are stored.
DEMO
Setting up SSL on new Digital Ocean droplet
- Create new Droplet
- Ubuntu
- $5/mo
- Datacenter: New York
- Private networking, backups, IPv6, monitoring
- Select SSH keys
- Choose hostname (we used
enroll.flatironschool.com
) - SSH into new droplet as
root
user -ssh root@enroll.flatironschool.com
orssh enroll.flatironschool.com -l root
!!HOLD UP!!
Our IP address was released into Digital Ocean pool. We had a server at 104.131.42.251, then deleted that server, so it went back into the pool. BUT we never updated our DNS record for enroll.flatironschool.com.
- Go to
manage.dynect.net
- Update A record to new IPv4, add new AAAA record for IPv6
- Add PTR record to enroll.flatironschool.com
Back to setting up SSL...
- Get certificate from ssls.com
- On server, run
apt-get update
,apt-get upgrade
- On server, run
openssl req -new -newkey rsa:4096 -nodes -keyout example.key -out example.csr
(generates certificate signing request and key) - Install Apache on server: run
apt-get install apache2
on server - Check if it’s running
service apache2 status
- Visit domain in browser, should say “It works!”
- On list of certificates, get the one for the domain, enter key and click activate
- Look for email when approved
- Save stuff into some file (I missed whatever that was)
- Now we’re following these instructions for Apache2 * NOTE: instructions for chain file are outdated
sudo a2enmod ssl
sudo serve apache2 restart
sudo vi /etc/apache2/sites-available/default-ssl.conf
cat AddTrustExternalCARoot.crt COMODORSAddTrustCA.crt COMODORSADomain...crt enroll_flatironschool_com.crt > cert-ssl-enroll.pem
cp example.key ssl-cert-enroll.key
mv ssl-cert-enroll.key /etc/ssl/private/
mv ssl-cert-enroll.pem /etc/ssl/certs/
sudo a2ensite default-ssl