Commit

update
ohaddahan committed Feb 3, 2024
1 parent bb0ef1e commit cc5def4
Showing 4 changed files with 188 additions and 7 deletions.
66 changes: 66 additions & 0 deletions content/en/posts/js-deps.md
@@ -0,0 +1,66 @@
+++
title = 'Tips for safer dependency management in JavaScript environments'
date = 2024-01-28T09:22:33+02:00
draft = false
+++

![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/lg64youncuy41gksf37m.jpeg)

Just about anyone who worked on the JavaScript ecosystem has faced annoying issues due to version mismatch ,
dependencies updates etc. , I want to share a few small tips that helped me mitigate some of the issues.

## Tip #1 [save-exact](https://docs.npmjs.com/cli/v9/using-npm/config#save-exact)

`npm install <package-name> --save-exact`

This will install the package exact version instead of default range.

`"dependencies": {
"axios": "1.6.5"
}`

Due note that `package-lock.json` will still contain ranges. One way to mitigate this is to manually edit the file, a
simple `regex` will enforce exact versions on the dependencies too.

(if some dependencies requirements can't be fulfilled with strict nested versions, you can iterate until you find a set
of matching versions and make them static)

For example running the code below in `vim` editor.

`%s/: "\^/: "/g`

You can set it as the default behavior by running.

`npm config set save-exact=true`

Which will set `save-exact=true` in your `.npmrc`.

## Tip #2 avoid named releases

One way to help synchronize multiple developers working on the same repository is using `nvm` (or similar) with the
appropriate `rc` file such as `.nvmrc`.

`nvm` supports named versions which might look nicer on a first look but generates various issues, since these versions
aren't static.

Causing issues with compatibility with various dependencies , and other random issues such as running `nvm use` but it
no longer finds the version, since it was updated and you need to reinstall it locally.

It's even more problematic once you take into account `CI/CD` since they reinstall the environment from scratch each
time and it will probably differ from local developers environment that haven't yet update to the latests named version
update.

Hence I highly recommend using a version number and simply change it as needed, knowingly.

## Tip #3 use [engines](https://docs.npmjs.com/cli/v10/configuring-npm/package-json#engines)

Basically an expansion on #2 , explicitly name the `node` / `npm` version (strict, not a range!) to avoid more
unexpected and unwanted surprises.

## Tip #4 use [engine-strict](https://docs.npmjs.com/cli/v9/using-npm/config#engine-strict)

Avoid installing potential packages that might cause issues.

It's better to resolve an issue early on, with little overhead at the start than fixing it later when it's a critical
part of your system.
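Review bot: the `vim` substitution in Tip #1 (`%s/: "\^/: "/g`) rewrites every caret range in `package-lock.json`, including the `dependencies` requirements that nested packages declare, so the lockfile can end up claiming exact versions that the transitive packages never asked for; `npm ci` validates the lockfile against `package.json` only, so such drift is not caught. Since the lock file already records one resolved version per package, the safer recommendation is to commit the lock file and install with `npm ci` rather than hand-editing it, and to keep the regex trick, if at all, as a last resort with the iteration caveat the post already gives. Smaller points in the same hunk: "Due note" should read "Do note"; the `"dependencies"` snippet is wrapped in inline backticks across three lines and should be a fenced `json` block like the other examples; Tip #3 and Tip #4 would be clearer with the actual `"engines": { "node": "20.11.0", "npm": "10.2.4" }` fragment and the `engine-strict=true` line for `.npmrc`, since `engine-strict` only has an effect when `engines` is declared.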

7 changes: 0 additions & 7 deletions content/en/posts/my-first-post.md

This file was deleted.

43 changes: 43 additions & 0 deletions content/en/posts/r2-s3.md
@@ -0,0 +1,43 @@
+++
title = 'Reducing egress costs for dummies (R2 vs S3)'
date = 2024-01-28T09:22:33+02:00
draft = false
+++

![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/20p4rc0wcwq8j1it6x8n.jpeg)

## Background

One day I was checking [CloudFlare](http://cloudflare.com/) dashboard I noticed that one of the endpoints we were using
to deliver new versions has huge bandwidth spikes.

Each new version we released was automatically downloaded by thousands of clients, resulting in terra bytes of egress
costs to [S3](https://aws.amazon.com/s3/).

At the current rate this was around [3,000$/month](https://calculator.aws/#/createCalculator/S3).

Furthermore, our plan was to move to a daily release, which will make this problem even worse and jump
to [~50,000$/month](https://calculator.aws/#/createCalculator/S3).

I immediately tried to think how to resolve this issue.

## Researching a solution

Since all the content we deliver on a new update is identical copies of the same new version, caching jumped into mind.

But unfortunately [CloudFront](https://aws.amazon.com/cloudfront/) costs weren't much better at
around [2,500$/month](https://calculator.aws/#/createCalculator/CloudFront).

Being a big fan of [CloudFlare](http://cloudflare.com/) I knew
of [R2](https://www.cloudflare.com/developer-platform/r2/) and
quickly [calculated](https://www.cloudflare.com/pg-cloudflare-r2-vs-aws-s3/#htmlIdPlansMatrix) that
using [R2](https://www.cloudflare.com/developer-platform/r2/) will reduce the costs to effectively zero.

## Results

Implementing this was quite easy, simply store and serve from [R2](https://www.cloudflare.com/developer-platform/r2/)
instead of [S3](https://aws.amazon.com/s3/). Costs reduced to effectively zero.

Another bonus was faster download speed.
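Review bot: the cost figures in this hunk (3,000$/month, ~50,000$/month, 2,500$/month, "effectively zero") are not reproducible from the post because the underlying egress volume (GB per release, number of clients, releases per month) is never stated, and the three calculator links point at the blank calculators rather than saved estimates. Suggest adding one sentence with the monthly egress volume used for the estimates so a reader can check the S3, CloudFront and R2 pricing against it, and mention that R2's "zero egress" still carries per-operation and storage charges that the comparison matrix link covers. Minor: "terra bytes" should read "terabytes", and "bandwidth spikes" would be clearer as "egress bandwidth spikes" since that is the metered quantity.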


79 changes: 79 additions & 0 deletions content/en/posts/ssh-server.md
@@ -0,0 +1,79 @@
+++
title = 'How to secure SSH server'
date = 2024-01-28T09:22:33+02:00
draft = false
+++

![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9k9yke2eba2qgkks7w46.jpg)

## Disable root login

1. Create new user `useradd -m username`.
2. Set password `passwd username`.
3. **_Optional_**: Add user to sudoers `usermod -aG sudo username`.
4. Edit `/etc/ssh/ssh_config` or `/etc/ssh/sshd_config` and add:

```bash
# Authentication:
PermitRootLogin no
AllowUsers username
```

Might need to look for other config files being included that might override this
setting (`grep -r "PermitRootLogin" /etc/ssh/`).

## Harden SSH

5. Disable empty password:

```bash
PermitEmptyPasswords no
```

6. Limit the number of authentication tries per connection:

```bash
MaxAuthTries 3
```

7. Changed to `ssh` version 2:

```bash
Include /etc/ssh/sshd_config.d/*.conf
Protocol 2
```

## Disable plain text authentication

8. Connecting with SSH key:

```bash
UsePAM no
PasswordAuthentication no
```

```bash
ssh-keygen
```

## Restart SSH service

9. Restart `ssh` service `sudo systemctl restart ssh` or `sudo systemctl restart sshd`.

## Prevent brute force attacks

10. Install [fail2ban](https://github.com/fail2ban/fail2ban) or [sshguard](https://www.sshguard.net/) to ban IPs that
fail to authenticate after a certain number of attempts.

## References

* [13 Ways to secure SSH server](https://www.makeuseof.com/improve-your-linux-server-security-with-these-hardening-steps/)
* [How To Set up SSH Keys on a Linux / Unix System](https://www.cyberciti.biz/faq/how-to-set-up-ssh-keys-on-linux-unix/)
* [sshd_config](https://linux.die.net/man/5/sshd_config)
* [ssh_config](https://linux.die.net/man/5/ssh_config)
* [ssh-keygen](https://linux.die.net/man/1/ssh-keygen)
* [useradd](https://linux.die.net/man/8/useradd)
* [passwd](https://linux.die.net/man/1/passwd)
* [usermod](https://linux.die.net/man/8/usermod)
* [fail2ban](https://github.com/fail2ban/fail2ban)
* [sshguard](https://www.sshguard.net/)
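Review bot: steps 8 and 9 lock the administrator out as written: `PasswordAuthentication no` is set and the service restarted, but the only key step is a bare `ssh-keygen` on the client, with no step that installs the public key into the new user's `~/.ssh/authorized_keys` on the server (for example `ssh-copy-id username@host`) and no advice to verify a key-based login in a second session before restarting `sshd`. Suggest ordering it as: generate key, copy key, confirm login with the key, then disable password authentication and restart. Related issues in the same hunk: step 4 offers `/etc/ssh/ssh_config` as an alternative, but that is the client configuration and `PermitRootLogin` / `AllowUsers` are `sshd_config` directives only; `UsePAM no` in step 8 disables PAM account and session handling as a whole, which is more than needed to turn off password logins and can break other integrations, so `PasswordAuthentication no` (plus `KbdInteractiveAuthentication no`) is the narrower setting; `Protocol 2` in step 7 is a no-op on current OpenSSH releases, which dropped protocol 1 entirely; and the `Include /etc/ssh/sshd_config.d/*.conf` line belongs at the top of the file, since `sshd` takes the first value it reads for a directive and an `Include` placed after your settings cannot be overridden by the drop-in files the `grep -r "PermitRootLogin" /etc/ssh/` hint in step 4 is warning about. Minor: "Changed to `ssh` version 2" should read "Change", and `usermod -aG sudo` assumes a Debian-family group name (`wheel` on RHEL-family systems).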

0 comments on commit cc5def4

Please sign in to comment.