Enero 16

How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server

This guide is based on various community forum posts, and hours of frustration.

This guide is intended as a relatively easy step by step guide to:

Install and configure Apache2 ModSecurity and mod_evasive modules on Ubuntu 12.04 LTS server.
Things have become much easier than before installing both these two excellent security modules for Apache2 in Ubuntu 12.04 LTS, as both modules are available in the standard Ubuntu 12.04 repositories.
This is only a starting point for getting mod_security and mod_evasive working. Refer to both projects documentation for the various configuration option available and configure your security settings as required.
Requirements:

Ubuntu 12.04 LTS server, or later installed on your machine.
Apache2 webserver setup and configured.
1. Install ModSecurity on your server.
Install the dependencies. Open the Terminal Window and enter :
sudo apt-get install libxml2 libxml2-dev libxml2-utils
sudo apt-get install libaprutil1 libaprutil1-dev
64bit users please note – Because of this bug you need to create a symbolic link to libxml2.so.2 or the installation will report the file missing and fail.
ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2
Now install ModSecurity
sudo apt-get install libapache-mod-security
2. Configure ModSecurity rules.
Activate the recommended default rules to get things going. Configure as needed. For complete information refer to the ModSecurity Reference Manual – click here.
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
The default folder for ModSecurity rules is /etc/modsecurity/ . All .conf files will be included and need to be configured as required.
We need to activate all the base rules and make sure they also get loaded.
You might want to edit the SecRequestBodyLimit option in the modsecurity.conf file.
SecRequestBodyLimit limits the page request size and limits file uploads to 128 KB by default. Change this to the size of files you would accept uploaded to the server.
This settings is very important as it limits the size of all files that can be uploaded to the server. For CMS sites using Drupal or WordPress this setting is the source of much pain.
Open the Terminal Window and enter :
sudo vi /etc/modsecurity/modsecurity.conf
First activate the rules by editing the SecRuleEngine option and set to On and modify your server signature.
SecRuleEngine On
SecServerSignature FreeOSHTTP
Edit the following to option to increase the request limit to 16 MB and save the file :
SecRequestBodyLimit 16384000
SecRequestBodyInMemoryLimit 16384000

3. Download and install the latest OWASP Core Rule Set.
We need to download and install the latest OWASP ModSecurity Core Rule Set from the project website. Click here for more information.
We will also activate the default CRS config file modsecurity_crs_10_setup.conf.example
If you prefer not to use the latest rules, replace master below with the a specific version you would like to use e.g : v2.2.5
Open the Terminal Window and enter :
cd /tmp
sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
sudo tar -zxvf SpiderLabs-owasp-modsecurity-crs.tar.gz
sudo cp -R SpiderLabs-owasp-modsecurity-crs-*/* /etc/modsecurity/
sudo rm SpiderLabs-owasp-modsecurity-crs.tar.gz
sudo rm -R SpiderLabs-owasp-modsecurity-crs-*
sudo mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf
Now we create symbolic links to all activated base rules. Open a terminal window and enter :
cd /etc/modsecurity/base_rules
for f in * ; do sudo ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done
cd /etc/modsecurity/optional_rules
for f in * ; do sudo ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done
Now add these rules to Apache2. Open a terminal window and enter:
sudo vi /etc/apache2/mods-available/mod-security.conf
Add the following to towards the end of the file with other includes and save the file :
Include “/etc/modsecurity/activated_rules/*.conf”
4. Check if ModSecurity is enabled and restart Apache.
Before restarting Apache2 check if the modules has been loaded.
Open the Terminal Window and enter :
sudo a2enmod headers
sudo a2enmod mod-security
Then restart the Apache2 webserver :
sudo /etc/init.d apache2 restart
OR
service apache2 restart
5. Install ModEvasive.
Open the Terminal Window and enter :
sudo apt-get install libapache2-mod-evasive
6. Create log file directory for mod_evasive.
Open the Terminal Window and enter :
sudo mkdir /var/log/mod_evasive
Change the log folder permissions :
sudo chown www-data:www-data /var/log/mod_evasive/
7. Create mod-evasive.conf file and configure ModEvasive.
Open the Terminal Window and enter :
sudo vi /etc/apache2/mods-available/mod-evasive.conf
and add the following, changing the email value, and other options below as required :

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir /var/log/mod_evasive
DOSEmailNotify EMAIL@DOMAIN.com
DOSWhitelist 127.0.0.1

8. Fix mod-evasive email bug
Because of this bug mod-evasive does not send emails on Ubuntu 12.04.
A temporary workaround is to create symlink to the mail program.
Open the Terminal Window and enter :
sudo ln -s /etc/alternatives/mail /bin/mail/
9. Check if ModEvasive is enabled and restart Apache.
Before restarting Apache2 check if the module has been loaded.
Open the Terminal Window and enter :
sudo a2enmod mod-evasive
Then restart the Apache2 webserver :
sudo /etc/init.d/apache2 restart
OR
service apache2 restart

Category: Uncategorized | Los comentarios están deshabilitados en How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server
Enero 16

Ignore ICMP or Broadcast Request

Add following line in “/etc/sysctl.conf” file to ignore ping or broadcast request.

#Ignore ICMP request:
net.ipv4.icmp_echo_ignore_all = 1
#Ignore Broadcast request:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Category: Uncategorized | Los comentarios están deshabilitados en Ignore ICMP or Broadcast Request
Enero 15

How to secure an Ubuntu 16.04 LTS server

This guide is intended as a relatively easy step by step guide to:

Harden the security on an Ubuntu 16.04 LTS server by installing and configuring the following:

Install and configure Firewall – ufw
Secure shared memory – fstab
SSH – Key based login, disable root login and change port
Apache SSL – Disable SSL v3 support
Protect su by limiting access only to admin group
Harden network with sysctl settings
Disable Open DNS Recursion and Remove Version Info – Bind9 DNS
Prevent IP Spoofing
Harden PHP for security
Restrict Apache Information Leakage
Install and configure Apache application firewall – ModSecurity
Protect from DDOS (Denial of Service) attacks with ModEvasive
Scan logs and ban suspicious hosts – DenyHosts and Fail2Ban
Intrusion Detection – PSAD
Check for RootKits – RKHunter and CHKRootKit
Scan open Ports – Nmap
Analyse system LOG files – LogWatch
Apparmor – Application Armor
Audit your system security – Tiger and Tripwire
Requirements:

Ubuntu 16.04 LTS or later server with a standard LAMP stack installed.
1. Firewall – UFW
A good place to start is to install a Firewall.
UFW – Uncomplicated Firewall is a basic firewall that works very well and easy to configure with its Firewall configuration tool – gufw, or use Shorewall, fwbuilder, or Firestarter.
Use Firestarter GUI to configure your firewall or refer to the Ubuntu Server Guide, UFW manual pages or the Ubuntu UFW community documentation.
Install UFW and enable, open a terminal window and enter :
sudo apt-get install ufw
Allow SSH and Http services.
sudo ufw allow ssh
sudo ufw allow http
Enable the firewall.
sudo ufw enable
Check the status of the firewall.
sudo ufw status verbose
2. Secure shared memory.
Shared memory can be used in an attack against a running service. Modify /etc/fstab to make it more secure.
Open a Terminal Window and enter the following :
sudo vi /etc/fstab
Add the following line and save. You will need to reboot for this setting to take effect :
Note : This only is works in Ubuntu 12.10 or later – For earlier Ubuntu versions replace /run/shm with /dev/shm
Save and Reboot when done
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
3. SSH Hardening – key based login, disable root login and change port.
The best way to secure SSH is to use public/private key based login. See SSH/OpenSSH/Keys
If you have to use password authentication, the easiest way to secure SSH is to disable root login and change the SSH port to something different than the standard port 22.
Before disabling the root login create a new SSH user and make sure the user belongs to the admin group (see step 4. below regarding the admin group).
if you change the SSH port keep the port number below 1024 as these are priviledged ports that can only be opened by root or processes running as root.
If you change the SSH port also open the new port you have chosen on the firewall and close port 22.
Open a Terminal Window and enter :
sudo vi /etc/ssh/sshd_config
Change or add the following and save.
Port
Protocol 2
PermitRootLogin no
DebianBanner no
Restart SSH server, open a Terminal Window and enter :
sudo service ssh restart
4. Apache SSL Hardening – disable SSL v2/v3 support.
The SSL v2/v3 protocol has been proven to be insecure.
We will disable Apache support for the protocol and force the use of the newer protocols.
Open a Terminal Window and enter :
sudo vi /etc/apache2/mods-available/ssl.conf
Change this line from :
SSLProtocol all -SSLv3
To the following and save.
SSLProtocol all -SSLv2 -SSLv3
Restart the Apache server, open a Terminal Window and enter :
sudo service apache2 restart
5. Protect su by limiting access only to admin group.
To limit the use of su by admin users only we need to create an admin group, then add users and limit the use of su to the admin group.
Add a admin group to the system and add your own admin username to the group by replacing below with your admin username.
Open a terminal window and enter:
sudo groupadd admin
sudo usermod -a -G admin

sudo dpkg-statoverride –update –add root admin 4750 /bin/su
6. Harden network with sysctl settings.
The /etc/sysctl.conf file contain all the sysctl settings.
Prevent source routing of incoming packets and log malformed IP’s enter the following in a terminal window:
sudo vi /etc/sysctl.conf
Edit the /etc/sysctl.conf file and un-comment or add the following lines :
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
To reload sysctl with the latest changes, enter:
sudo sysctl -p
7. Disable Open DNS Recursion and Remove Version Info – BIND DNS Server.
Open a Terminal and enter the following :
sudo vi /etc/bind/named.conf.options
Add the following to the Options section :
recursion no;
version “Not Disclosed”;
Restart BIND DNS server. Open a Terminal and enter the following :
sudo service bind9 restart
8. Prevent IP Spoofing.
Open a Terminal and enter the following :
sudo vi /etc/host.conf
Add or edit the following lines :
order bind,hosts
nospoof on
9. Harden PHP for security.
Edit the php.ini file :
sudo vi /etc/php5/apache2/php.ini
Add or edit the following lines an save :
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
display_errors = Off
track_errors = Off
html_errors = Off
magic_quotes_gpc = Off
mail.add_x_header = Off
session.name = NEWSESSID
Restart Apache server. Open a Terminal and enter the following :
sudo service apache2 restart
10. Restrict Apache Information Leakage.
Edit the Apache2 configuration security file :
sudo vi /etc/apache2/conf-available/security.conf
Add or edit the following lines and save :
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header unset ETag
Header always unset X-Powered-By
FileETag None
Restart Apache server. Open a Terminal and enter the following :
sudo service apache2 restart
11. Web Application Firewall – ModSecurity.
See : How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server
12. Protect from DDOS (Denial of Service) attacks – ModEvasive
See : How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server
13. Scan logs and ban suspicious hosts – DenyHosts and Fail2Ban.
DenyHosts is a python program that automatically blocks SSH attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.
Open a Terminal and enter the following :
sudo apt-get install denyhosts
After installation edit the configuration file /etc/denyhosts.conf and change the email, and other settings as required.
To edit the admin email settings open a terminal window and enter:
sudo vi /etc/denyhosts.conf
Change the following values as required on your server :
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
#SMTP_USERNAME=foo
#SMTP_PASSWORD=bar
SMTP_FROM = DenyHosts nobody@localhost
#SYSLOG_REPORT=YES
Fail2ban is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP, and more.
Fail2ban scans log files and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc.
Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action could also be configured.
Out of the box Fail2Ban comes with filters for various services (apache, courier, ftp, ssh, etc).
Open a Terminal and enter the following :
sudo apt-get install fail2ban
After installation edit the configuration file /etc/fail2ban/jail.local and create the filter rules as required.
To edit the settings open a terminal window and enter:
sudo vi /etc/fail2ban/jail.conf
Activate all the services you would like fail2ban to monitor by changing enabled = false to enabled = true
For example if you would like to enable the SSH monitoring and banning jail, find the line below and change enabled from false to true. Thats it.
[sshd]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
If you have selected a non-standard SSH port in step 3 then you need to change the port setting in fail2ban from ssh which by default is port 22, to your new port number, for example if you have chosen 1234 then port = 1234
[sshd]

enabled = true
port =
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
If you would like to receive emails from Fail2Ban if hosts are banned change the following line to your email address.
destemail = root@localhost
and change the following line from :
action = %(action_)s
to:
action = %(action_mwl)s
You can also create rule filters for the various services that you would like fail2ban to monitor that is not supplied by default.
sudo vi /etc/fail2ban/jail.local
Good instructions on how to configure fail2ban and create the various filters can be found on HowtoForge – click here for an example
When done with the configuration of Fail2Ban restart the service with :
sudo service fail2ban restart
You can also check the status with.
sudo fail2ban-client status
14. Intrusion Detection – PSAD.
Cipherdyne PSAD is a collection of three lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.
To install the latest version from the source files follow these instruction : How to install PSAD Intrusion Detection on Ubuntu 12.04 LTS server
OR install the older version from the Ubuntu software repositories, open a Terminal and enter the following :
sudo apt-get install psad
Then for basic configuration see How to install PSAD Intrusion Detection on Ubuntu 12.04 LTS server and follow from step 2:
15. Check for rootkits – RKHunter and CHKRootKit.
Both RKHunter and CHKRootkit basically do the same thing – check your system for rootkits. No harm in using both.
Open a Terminal and enter the following :
sudo apt-get install rkhunter chkrootkit
To run chkrootkit open a terminal window and enter :
sudo chkrootkit
To update and run RKHunter. Open a Terminal and enter the following :
sudo rkhunter –update
sudo rkhunter –propupd
sudo rkhunter –check
16. Scan open ports – Nmap.
Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing.
Open a Terminal and enter the following :
sudo apt-get install nmap
Scan your system for open ports with :
nmap -v -sT localhost
SYN scanning with the following :
sudo nmap -v -sS localhost
17. Analyse system LOG files – LogWatch.
Logwatch is a customizable log analysis system. Logwatch parses through your system’s logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems.
Open a Terminal and enter the following :
sudo apt-get install logwatch libdate-manip-perl
To view logwatch output use less :
sudo logwatch | less
To email a logwatch report for the past 7 days to an email address, enter the following and replace mail@domain.com with the required email. :
sudo logwatch –mailto mail@domain.com –output mail –format html –range ‘between -7 days and today’
18. Apparmor – Application Armor.
More information can be found here. Ubuntu Server Guide – Apparmor
It is installed by default since Ubuntu 7.04.
Open a Terminal and enter the following :
sudo apt-get install apparmor apparmor-profiles
Check to see if things are running :
sudo apparmor_status
19. Audit your system security – Tiger and Tripwire.
Tiger is a security tool that can be use both as a security audit and intrusion detection system.
Tripwire is a host-based intrusion detection system (HIDS) that checks file and folder integrity.
Open a Terminal and enter the following :
sudo apt-get install tiger tripwire
To setup Tripwire good installation guides can be found on Digital Ocean here and on Unixmen here
To run tiger enter :
sudo tiger
All Tiger output can be found in the /var/log/tiger
To view the tiger security reports, open a Terminal and enter the following :
sudo less /var/log/tiger/security.report.*

Category: Uncategorized | Los comentarios están deshabilitados en How to secure an Ubuntu 16.04 LTS server
Enero 15

Harden network with sysctl settings

The /etc/sysctl.conf file contain all the sysctl settings.
Prevent source routing of incoming packets and log malformed IP’s enter the following in a terminal window:
sudo vi /etc/sysctl.conf
Edit the /etc/sysctl.conf file and un-comment or add the following lines :
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
To reload sysctl with the latest changes, enter:
sudo sysctl -p

Category: Uncategorized | Los comentarios están deshabilitados en Harden network with sysctl settings
Diciembre 28

Recover from a failed server in a GlusterFS array

Previous section
Add and remove GlusterFS servers

This article shows the following ways to recover when a single server fails:

Add a new server, with a new IP address, to take its place (a less work-intensive fix).

Add a new server but keep the IP address of the failed server (a more work-intensive fix).

After completing the previous article you should have a GlusterFS array with at least two nodes and know how to add and delete nodes.

Prerequisites
For the purpose of this article, you must be running on a four-node, fully replicated Gluster volume.

Fill your GlusterFS array with fake data for the testing.

Add a replacement server
In this scenario, web03 fails, but you add a new node with the IP address 192.168.0.5 to replace it. This method is easier than adding a new server with the same IP address as the failed server.

This article will show two forms of disaster recovery:

A single node went down, and you’re adding a new node to take its place.
A single node went down, got rebuilt and kept the IP – this turns out to be more work to fix
Add a replacement node
In this scenario, web03 will go down again, but you’ll add a new node at 192.168.0.5 to replace it. This method is much easier.

Using one of the running servers, add the new sever into the cluster:

root@matt:~# gluster peer probe 192.168.0.5
peer probe: success
Exchange the failed brick for the new one:

root@matt:~# gluster volume replace-brick www 192.168.0.3:/srv/.bricks/www 192.168.0.5:/srv/.bricks/www commit force
volume replace-brick: success: replace-brick commit successful
Heal the system:

root@matt:~# gluster volume heal www full
Launching Heal operation on volume www has been successful
Use heal info commands to check status
Get information about the progress of the heal operation:

root@matt:~# gluster volume heal www info
Gathering Heal info on volume www has been successful

Brick 192.168.0.4:/srv/.bricks/www
Number of entries: 23
/wordpress/wp-admin/upload.php
If you were running a distributed system, run the following commands:

root@matt:~# gluster volume rebalance www fix-layout start
volume rebalance: www: success: Starting rebalance on volume www has been successful.
ID: 0a9719c1-cf04-4161-b3b0-cc6fd8dd9108
root@matt:~# gluster volume rebalance www status

Node Rebalanced-files size scanned failures skipped status run time in secs
——— ———– ———– ———– ———– ———– ———— ————–
localhost 0 0Bytes 0 0 0 completed 1.00

localhost 0 0Bytes 0 0 0 completed 1.00

192.168.0.2 0 0Bytes 0 0 0 completed 1.00

192.168.0.4 0 0Bytes 0 0 0 completed 1.00

192.168.0.4 0 0Bytes 0 0 0 completed 1.00

192.168.0.5 0 0Bytes 0 0 0 completed 1.00

volume rebalance: www: success:
Keep the IP address
In this scenario, server web03, with the IP address 192.168.0.3, has crashed and is completely unrecoverable.

To recover, you build a new server, with the same IP address, present it to GlusterFS as the failed server, and let it self-heal. You then re-balance the volume into the GlusterFS.

Refer to the previous articles for information about building and configuring the replacement server.

Disguise the new web03 server as the failed server
Build the new server, install GlusterFS on it, and prepare the disk for the brick.

Give the server the peer UUID of the failed server. To get the UUID, run the following command on one of the running servers (such as web01):

root@web01:~# grep 192.168.0.3 /var/lib/glusterd/peers/*/var/lib/glusterd/peers/ba502dc2-447f-466a-a732-df989e71b551:hostname1=192.168.0.3
Copy the file name (which is the original Web03 UUID). In the preceding example, it is: ba502dc2-447f-466a-a732-df989e71b551.

Assign the failed server’s UUID to the new server.

Stop the Gluster daemon:

root@web03:~# service glusterfs-server stop
glusterfs-server stop/waiting
Replace the generated node UUID with the copied one in the glusterd configuration file:

root@web03:~# UUID=ba502dc2-447f-466a-a732-df989e71b551
root@web03:~# sed -i “s/\(UUID\)=\(.*\)/\1=$UUID/g” /var/lib/glusterd/glusterd.info
root@web03:~# cat /var/lib/glusterd/glusterd.info
UUID=ba502dc2-447f-466a-a732-df989e71b551
operating-version=2
Note: The ba502dc2-447f-466a-a732-df989e71b551 UUID is an example UUID; you must replace it with the UUID from your failed server (as remembered by web01).

Start the server again:

root@web03:~# service glusterfs-server start
glusterfs-server start/running, process 10732
Reconfigure the peer servers
On the new server, check that the other servers are visible:

root@web03:~# gluster peer status
peer status: No peers present
If the peer servers are not visible, you must add them explicitly:

root@web03:~# gluster peer probe 192.168.0.1
peer probe: success
root@web03:~# gluster peer probe 192.168.0.2
peer probe: success
root@web03:~# gluster peer probe 192.168.0.4
peer probe: success
Run the gluster peer status command again on web03. The response should be: State: Accepted peer request (Connected)

Restart the daemon one more time, and the peer servers should be visible:

root@web03:~# service glusterfs-server restart
glusterfs-server stop/waiting
glusterfs-server start/running, process 9123
root@web03:~# gluster peer status
Number of Peers: 3
Hostname: 192.168.0.2
Uuid: 177cd473-9421-4651-8d6d-18be3a7e1990
State: Peer in Cluster (Connected)

Hostname: 192.168.0.1
Uuid: 8555eac6-de14-44f6-babe-f955ebc16646
State: Peer in Cluster (Connected)

Hostname: 192.168.0.4
Uuid: 1681b266-dc31-42e1-ab82-4e220906eda1
State: Peer in Cluster (Connected)
Synchronize the volumes
Check the volume status:

root@web03:~# gluster volume status
No volumes present
Get the volumes from a peer server:

root@web03:~# gluster volume sync 192.168.0.2 all
Sync volume may make data inaccessible while the sync is in progress. Do you want to continue? (y/n) y
volume sync: success
Set the file system for the brick into order. In the following example, the brick is stored in /srv/.bricks/www:

root@web03:~# mkdir /srv/.bricks/www
Go to one of the running servers, install attr and get the correct volume ID.

root@web02:~# apt-get install attr -y

root@web02:~# getfattr -n trusted.glusterfs.volume-id /srv/.bricks/www
getfattr: Removing leading ‘/’ from absolute path names
# file: srv/.bricks/www
trusted.glusterfs.volume-id=0s42V5HW+LSuyzqotW1jgAhA==
Copy the volume ID string to your clipboard. In the example, it is 0s42V5HW+LSuyzqotW1jgAhA==.

On the replacement server, apply that extended attribute:

root@web03:~# apt-get install attr -y

root@web03:~# setfattr -n trusted.glusterfs.volume-id -v ‘0s42V5HW+LSuyzqotW1jgAhA==’ /srv/.bricks/www
Restart the server, and then heal the system:

root@matt:~# service glusterfs-server restart
glusterfs-server stop/waiting
glusterfs-server start/running, process 13318
root@matt:~# gluster volume heal www full
Launching Heal operation on volume www has been successful
Use heal info commands to check status
Get information about the progress of the heal operation. The new server should be running as expected.

root@matt:~# gluster volume heal www info
Gathering Heal info on volume www has been successful

Brick 192.168.0.1:/srv/.bricks/www
Number of entries: 0

Brick 192.168.0.2:/srv/.bricks/www
Number of entries: 0

Brick 192.168.0.3:/srv/.bricks/www
Number of entries: 0

Brick 192.168.0.4:/srv/.bricks/www
Number of entries: 0
Conclusion
You have now learned how to recover from a failed server in a GlusterFS array.

Category: Uncategorized | Los comentarios están deshabilitados en Recover from a failed server in a GlusterFS array
Octubre 13

Mikrotik User Manager as Radius Server

mikrotik user manager

I continue to post about hotspot billing system. Actually I wanted to post about Daloradius. However, because still need more experiments, then I delay for a while. And now I’m posting about the “user manager” of the Mikrotik. What is a user manager? User Manager is a RADIUS server application. It is a separate package for RouterOS.

 

Install User Manager.

  1. Check the Mikrotik, whether user-manager existing package. Click the System – Packages.
  2. mikrotik - package list
  1. Download package “user-manager” in www.mikrotik.com / download. Select the package,according to the Mikrotik version you are using. If you are using a Mikrotik with package the old version, you can download the old version of the package in http://files.shelbybb.com/mikrotik/ or http://204.62.56.64/mikrotik/
  2. Open Winbox, then click user-manager.npk package already downloaded, and drag it to the Winbox. File will automatically be uploaded, and can be seen in Winbox – Files list.
  3. install mikrotik user manager
  4. Restart.
  5. Check back in the Mikrotik, with the opening Winbox, System – Packages. File “user-manager” should be shown.

Mikrotik Configuration

If all is ok, proceed with the following steps. Open winbox, click Radius – then click the plus sign (+) to add. Open dialog box will appear. Enter the IP address of the Radius User Manager, secret, for example : testing123, port, and check the hotspot service. Then click OK. Remember : IP address of Radius Server must IP Wan of router Mikrotik or you can enter IP localhost  (127.0.0.1)

 

Back to Radius

mikrotik - radius settings

open dialog. Click Incoming. Check Accept, Port is 1700. Then OK.

mikrotik - radius port incoming

Then in the hotspot dialog box, click server profiles tab. Click twice hsprof1. Then the new dialog box will appear. Click radius tab. Select use radius, and accounting. Then click OK.

 

Mikrotik User Manager

mikrotik - server profiles settings

Finish to configure mikrotik, next open browser, and go to http://<ip-address-mikrotik>/userman. You will find login page user manager of mikrotik, enter default username : admin and blank password. Let’s begin to configure mikrotik user manager.

  • Configure Routers

Click routers – add – New.  In the new dialog box about router details, enter name, IP address, secret, and coa port. Look at example picture.

mikrotik user manager - routers settings

  • Configure Customer

For security, change password admin for login mikrotik user manager. Click customer, admin. And in customer details  box, enter  password, and other information.

mikrotik user manager - customers settings

Create a user in the “user manager”, and then from the client computer browser, login using a user that has been created. If successful redirect and connect to the internet, meaning that the Mikroti User Manager has been successfully configured as a Radius Server.

Next, I will explain how to create voucher in User Manager.

Category: Uncategorized | Los comentarios están deshabilitados en Mikrotik User Manager as Radius Server
Julio 11

Remove Active Algorithms ASA – Anyconnect

From my experience it’s best to change that on the CLI:

asa(config)# sh ssl | i cipher

Enabled cipher order: dhe-aes128-sha1 dhe-aes256-sha1 aes256-sha1 3des-sha1

Disabled ciphers: des-sha1 rc4-md5 rc4-sha1 aes128-sha1 null-sha1

asa(config)#

asa(config)# ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes256-sha1 aes128-sha1

asa(config)#

asa(config)# sh ssl | i cipher

Enabled cipher order: dhe-aes128-sha1 dhe-aes256-sha1 aes256-sha1 aes128-sha1

Disabled ciphers: 3des-sha1 des-sha1 rc4-md5 rc4-sha1 null-sha1

 

Category: Uncategorized | Los comentarios están deshabilitados en Remove Active Algorithms ASA – Anyconnect
Septiembre 30

Installing SAV Dynamic Interface (SAVDI) on servers running Sophos Anti-Virus for Unix/Linux Version 9

pplies to the following Sophos product(s) and version(s)

SAV Dynamic Interface

What To Do

Create symbolic links for libsavi.so.3 and libssp.so.0

You need to create links so that SAVDI can locate these libraries during installation.

32-bit servers

The link for libsavi.so.3 is created by the Sophos Anti-Virus Version 9 installer, so you only need to create a link for libssp.so.0. Open a terminal with root privileges and run the below command:

ln -s /opt/sophos-av/lib/libssp.so.0 /usr/local/lib/libssp.so.0

Note: If you have installed Sophos Anti-Virus to a non-default location then change the source path to this location.

64-bit servers

Open a terminal with root privileges and run the below commands:

<code>ln -s /opt/sophos-av/lib64/libsavi.so.3 /usr/local/lib/libsavi.so.3</code>
<code>ln -s /opt/sophos-av/lib64/libssp.so.0 /usr/local/lib/libssp.so.0</code>

Note: If you have installed Sophos Anti-Virus to a non-default location then change the source path to this location.

Install SAV Dynamic Interface (SAVDI)

You are now ready to install SAVDI.

  1.  Install SAVDI as documented in the startup guide
  2. The below warning is reported because the virus data is detected in a non-default directory:
    Warning: Virus data found at /opt/sophos-av/lib/sav

Configure the virus data directory within savdid.conf

  1. Open the SAVDI configuration file:
    /usr/local/savdi/savdid.conf
  2. Locate the below entries:
    #virusdatadir: /var/sav/vdbs
    
    #idedir: /var/sav/vdbs
  3. Change these to:
    <code>virusdatadir: /opt/sophos-av/lib/sav
    
    idedir: /opt/sophos-av/lib/sav</code>

    Note: The ‘#‘ comment character needs to be removed from each entry

Start SAVDI

/etc/savdid.conf

pidfile: /var/tmp/savdi/new.pid
user: amavis
group: amavis
threadcount: 30
maxqueuedsessions: 2
virusdatadir: /opt/sophos-av/lib/sav
idedir: /opt/sophos-av/lib/sav
onexception: REQUEST
onrequest: REQUEST
log {
 type: FILE
 logdir: /var/log/savdid/log
 loglevel: 2
}
channel {
 logrequests: YES
 commprotocol {
 type: IP
 address: 0.0.0.0
 port: 4020
 requesttimeout: 120
 sendtimeout: 2
 recvtimeout: 10
 }
 service {
 name: sophos
 type: avscan
 scanprotocol {
 type: ICAP
 version: 1.02
 keepalive: YES
 }
 scanner {
 type: SAVI
 inprocess: YES
 savists: enableautostop 1
 savigrp: grpsuper 1
 }
 }
}
channel {
 commprotocol {
 type: IP
 address: 127.0.0.1
 port: 4010
 requesttimeout: 120
 sendtimeout: 2
 recvtimeout: 5
 }
 scanprotocol {
 type: SSSP
 allowscanfile: SUBDIR
 allowscandata: YES
 maxscandata: 500000
 maxmemorysize: 250000
 tmpfilestub: /var/amavis/
 }
 scanner {
 type: SAVI
 inprocess: YES
 maxscantime: 3
 maxrequesttime: 10
 deny: /home
 savigrp: GrpArchiveUnpack 0
 savigrp: GrpInternet 1
 savists: Xml 1
 }
}

 

/opt/savdid/savdid -l -c /etc/savdid.conf -d

nano /etc/amavis/conf.d/15-av_scanners

 

['Sophos-SSSP',
 \&ask_daemon, ["{}", 'sssp:/var/run/savdid/savdid.sock'],
# or: ["{}", 'sssp:[127.0.0.1]:4010'],
 qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ],

 

 

Category: Uncategorized | Los comentarios están deshabilitados en Installing SAV Dynamic Interface (SAVDI) on servers running Sophos Anti-Virus for Unix/Linux Version 9
Mayo 15

MultiPath TCP

Manual configuration

With multiple addresses defined on several interfaces, you want to be able to tell your kernel “If I select such source address, please use that specific interface+gateway, not the default ones”. You achieve this by configuring one routing table per outgoing interface, each routing table being identified by a number. The route selection process then happens in two phases. First the kernel does a lookup in the policy table (that you need to configure with ip rules). The policies, in our case, will be For such source prefix, go to routing table number x. Then the corresponding routing table is examined to select the gateway based on the destination address.
You need to configure several routing tables in the following manner: Imagine you have two interfaces eth0 and eth1 with the following properties:
eth0

IP-Address: 10.1.1.2
 Subnet-Mask: 255.255.255.0
 Gateway: 10.1.1.1
eth1
 IP-Address: 10.1.2.2
 Subnet-Mask: 255.255.255.0
 Gateway: 10.1.2.1

Thus, you need to configure the routing rules so that packets with source-IP 10.1.1.2 will get routed over eth0 and those with 10.1.2.2 will get routed over eth1.
The necessary commands are:

# This creates two different routing tables, that we use based on the source-address.
 ip rule add from 10.1.1.2 table 1
 ip rule add from 10.1.2.2 table 2
# Configure the two different routing tables
 ip route add 10.1.1.0/24 dev eth0 scope link table 1
 ip route add default via 10.1.1.1 dev eth0 table 1
ip route add 10.1.2.0/24 dev eth1 scope link table 2
 ip route add default via 10.1.2.1 dev eth1 table 2

# default route for the selection process of normal internet-traffic
ip route add default scope global nexthop via 10.1.1.1 dev eth0
With this, your routing table should look like the following:

mptcp-kernel:~# ip rule show
 0: from all lookup local
 32764: from 10.1.2.2 lookup 2
 32765: from 10.1.1.2 lookup 1
 32766: from all lookup main
 32767: from all lookup default
mptcp-kernel:~# ip route
 10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.2
 10.1.2.0/24 dev eth1 proto kernel scope link src 10.1.2.2
 default via 10.1.1.1 dev eth0
mptcp-kernel:~# ip route show table 1
 10.1.1.0/24 dev eth0 scope link
 default via 10.1.1.1 dev eth0
mptcp-kernel:~# ip route show table 2
 10.1.2.0/24 dev eth1 scope link
 default via 10.1.2.1 dev eth1

 

Automatic Configuration
Doing the above each time by hand is very cumbersome. Some alternative automatic solutions are available:
Using the configuration scripts (Ubuntu/Debian-based systems)
In /etc/network/if-up.d/ you can place scripts that will be executed each time a new interface comes up. We created two scripts:

* mptcp_up – Place it inside /etc/network/if-up.d/ and make it executable.
* mptcp_down – Place it inside /etc/network/if-post-down.d/ and make it executable.

#!/bin/sh
# A script for setting up routing tables for MPTCP in the N950.
# Copy this script into /etc/network/if-up.d/
set -e
env &gt; /etc/network/if_up_env
if [ "$IFACE" = lo -o "$MODE" != start ]; then
 exit 0
fi
if [ -z $DEVICE_IFACE ]; then
 exit 0
fi
# FIRST, make a table-alias
if [ `grep $DEVICE_IFACE /etc/iproute2/rt_tables | wc -l` -eq 0 ]; then
 NUM=`cat /etc/iproute2/rt_tables | wc -l`
 echo "$NUM $DEVICE_IFACE" &gt;&gt; /etc/iproute2/rt_tables
fi
if [ $DHCP4_IP_ADDRESS ]; then
 SUBNET=`echo $IP4_ADDRESS_0 | cut -d \ -f 1 | cut -d / -f 2`
 ip route add table $DEVICE_IFACE to $DHCP4_NETWORK_NUMBER/$SUBNET dev $DEVICE_IFACE scope link
 ip route add table $DEVICE_IFACE default via $DHCP4_ROUTERS dev $DEVICE_IFACE
 ip rule add from $DHCP4_IP_ADDRESS table $DEVICE_IFACE
else
 # PPP-interface
 IPADDR=`echo $IP4_ADDRESS_0 | cut -d \ -f 1 | cut -d / -f 1`
 ip route add table $DEVICE_IFACE default dev $DEVICE_IP_IFACE scope link
 ip rule add from $IPADDR table $DEVICE_IFACE
fi

 

#!/bin/sh
# A script for setting up routing tables for MPTCP in the N950.
# Copy this script into /etc/network/if-post-down.d/
set -e
env > /etc/network/if_down_env
if [ "$IFACE" = lo -o "$MODE" != stop ]; then
 exit 0
fi
ip rule del table $DEVICE_IFACE
ip route flush table $DEVICE_IFACE

 

Category: Uncategorized | Los comentarios están deshabilitados en MultiPath TCP