Posts Tagged ‘centos’

Finally had to cave in – DNS ACLs.

Platform: CentOS 6 x86_64

I knew when I implemented my split DNS solution years ago that I wanted to keep one server recursive and open for queries from anywhere. I wanted this mostly for my own convenience (testing, and an address I could remember) when working on issues outside my own network. I knew at the time that I was taking a risk, though it seemed to be more about resources than security. I have two DNS servers, but only one was open to queries without restriction. Well, after probably about 10 years running like this, I finally needed to add some ACLs and close up my convenient access. I was hit by several very long flurries of requests for isc.org. Because I have such limited bandwidth, it quickly became obvious that something was wrong.

Initially, I looked at my gateway server, and this stumped me for a while because I saw nothing wrong and no unusual traffic volume. However, a quick trace and a look at the DNS logs on my secondary server revealed the requests. They would go on for hours, stop for a few hours, and then start up again.

My initial approach was to block the IP address the queries were coming from, and hope to preserve my convenient access to my own recursive lookup server. I also found this interesting solution using iptables to block any requests to isc.org:

iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP

But this is not practical for somebody who uses services provided by the Internet Systems Consortium and actually visits the site once in a while. While this solution does not really work for me in this case, it certainly added a useful tool to my arsenal for other situations. All you need to do is convert the domain name into its DNS wire format in hex (each label prefixed by its length in bytes and the whole name terminated by a zero byte, so isc.org becomes 03 697363 03 6f7267 00) and build your iptables statement around it.
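As an added example (not code from the original post), the POSIX sh functions below encode a name into the wire-format hex string that the rule above uses, decode one back into a dotted name, and print a rule of the same shape. Two things are my own additions: dns_drop_rule adds --dport 53 so only DNS packets are inspected, and the note that the string match is case-sensitive unless --icase is given, which matters for resolvers that randomise the case of query names.

```shell
#!/bin/sh
# Added example, not from the original post: build (and read back) the hex
# string that the iptables "string" match needs for a DNS query name.
# On the wire a name is a sequence of labels, each prefixed by a one-byte
# length, terminated by a zero byte: isc.org -> 03 697363 03 6f7267 00.

# Encode a domain name as DNS wire format, printed as lowercase hex.
# Labels are expected to be plain host-name characters (1-63 bytes each).
dns_wire_hex() {
  name=${1%.}            # tolerate a trailing dot (FQDN form)
  out=""
  old_ifs=$IFS
  IFS=.
  for label in $name; do
    len=${#label}
    if [ "$len" -lt 1 ] || [ "$len" -gt 63 ]; then
      IFS=$old_ifs
      return 1           # empty or over-long label: not a valid name
    fi
    out="$out$(printf '%02x' "$len")$(printf '%s' "$label" | od -An -v -tx1 | tr -d ' \n')"
  done
  IFS=$old_ifs
  printf '%s00' "$out"
}

# Decode a wire-format hex string back into a dotted name, so a rule or a
# captured payload can be read without a hex table.
dns_wire_decode() {
  hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
  name=""
  while [ -n "$hex" ]; do
    pair=${hex%"${hex#??}"}; hex=${hex#??}
    len=$((0x$pair))
    [ "$len" -eq 0 ] && break          # root label ends the name
    label=""
    while [ "$len" -gt 0 ] && [ -n "$hex" ]; do
      pair=${hex%"${hex#??}"}; hex=${hex#??}
      label="$label$(printf "\\$(printf '%03o' "$((0x$pair))")")"
      len=$((len - 1))
    done
    name="${name:+$name.}$label"
  done
  printf '%s' "$name"
}

# Print a DROP rule for queries naming $1. Compared with the rule in the post
# this adds "--dport 53" so only DNS traffic is inspected (my own addition).
# Add "--icase" to the string match if query-name case randomisation is a
# concern, since the match is case-sensitive by default.
dns_drop_rule() {
  hex=$(dns_wire_hex "$1") || return 1
  printf 'iptables -A INPUT -p udp --dport 53 -m string --hex-string "|%s|" --algo bm --to 65535 -j DROP\n' "$hex"
}

dns_drop_rule isc.org
```

The encoder relies only on printf, od and tr, so it runs on a minimal CentOS install; the decoder is handy when you are reading back a rule someone else wrote or a hex dump from tcpdump.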

After watching the requests continue to come in despite being dropped at my firewall, I decided that it had finally come to an end. I gave in and added the ACLs to my external DNS servers.

In the /var/named/chroot/etc/named.conf:
...
acl "AllowToQuery" {
// Add subnets I trust to use my DNS for queries.
aaa.bbb.ccc.ddd/xx;
eee.fff.ggg.hhh/yy;
iii.jjj.kkk.lll/zz;
localhost;
};
...
// Added the ACL after a DDoS attack - repeated queries for isc.org.
allow-query { AllowToQuery; };
...

The allow-query statement was added to my external view, since I am running a split DNS. Having the ACLs set up this way eventually caused the requests to stop.

Ruby on Rails – CentOS 5.6/5.7

This one presented quite a challenge for me. It seems that the magic is in using the right versions. There are (supposedly) a number of ways to install Ruby on Rails. I started out trying to use the ruby packages included in CentOS and quickly realized that was not going to work: I kept running into all kinds of issues with missing libraries or incorrect versions. So I opted to build from source. That got me much closer, but I ended up with an openssl issue that I thought I had resolved, yet the gem command kept having all kinds of problems. Something clearly was not right. So I went back to RVM, which I had tried earlier, and this time I started completely over with a new HPCloud CentOS 5.6 image. The following is what worked for me.

As I mentioned above, I started with a clean HPCloud CentOS 5.6 image ( ami-000004d2 – local (CentOS 5.6 Server 64-bit) ).

# yum groupinstall "Development Libraries" "Development Tools"

The next step, of course, turned my 5.6 instance into a 5.7 instance:
# yum update
# shutdown -r now

Add the EPEL repository:

# cd /usr/local/src
# wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
# rpm -ivh epel-release-5-4.noarch.rpm
# yum install git

Remove the certificate requirement for curl when installing rvm:
# echo insecure >> ~/.curlrc

# bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)

Edit the group file so that root is a member of the rvm group:
# vigr
...
rvm:x:500:root

Update environment variables:
# source /etc/profile.d/rvm.sh

Install the other dependencies for ruby, as determined by running rvm requirements:
# yum install -y gcc-c++ patch readline readline-devel zlib zlib-devel libyaml-devel libffi-devel openssl-devel make bzip2 autoconf automake libtool bison iconv-devel

# rvm install 1.9.2
# rvm use 1.9.2

Note: You can use the following command to make this version the system default:
# rvm use 1.9.2 --default

To verify that all is right at this point:
# type rvm | head -1
The expected output is "rvm is a function".

# cd $(rvm gemdir)

The following will install the gem command:
# rvm rubygems current

This will allow you to install rails:
# gem install rails

This has allowed me to install the hpcloud command (rails is not needed for this) to manage my Object Storage.

# wget http://build.hpcloud.com/sites/default/files/downloads/hpfog.tar
# tar -xvf hpfog.tar
# wget http://build.hpcloud.com/sites/default/files/downloads/hpcloud.tar
# tar -xvf hpcloud.tar
# gem install hpfog-x.x.x.gem
# gem install hpcloud-x.x.x.gem

# hpcloud
Tasks:
hpcloud account:setup # set up or modify your credentials
hpcloud acl # view the ACL for an object or container
hpcloud acl:set # set a given resource to a canned ACL
hpcloud containers # list available containers
hpcloud containers:add # add a container
hpcloud containers:remove # remove a container
hpcloud copy # copy files from one resource to another
hpcloud get # fetch an object to your local directory
hpcloud help [TASK] # Describe available tasks or one specific task
hpcloud info # info about the HP Cloud CLI
hpcloud list # list container contents
hpcloud location # display the URI for a given resource
hpcloud move # move objects inside or between containers
hpcloud remove # remove an object or container

How to block/allow proxy access via squid proxy using ADS authentication and group membership.

The following procedures were used on RedHat Enterprise Linux 5.x.

A previous post outlined how to get the Linux server joined to the domain and supporting ADS authentication. That post also contains information for RHEL 6.x in the comments:

Howto Join An Active Directory Server using RHEL5.x/CentOS5.x and Samba 3.0.x

The key is getting /etc/squid/squid.conf right. I have included the entire configuration I use. Many of the options are not required in all situations; I have a number of things going on here, some of which I could clean up and improve, but I wanted to leave them in because I know this configuration works. I actually have three proxy servers (this one plus two peers) in the configuration; requests are forwarded to one of the two peers depending on the site accessed. That is probably not required for most deployments.

# cat /etc/squid/squid.conf

# Port squid listens on
http_port 3128
...
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

cache_dir null /tmp

access_log /var/log/squid/access.log common

# To support ADS credentials for access.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Begin Group
# To support ADS group membership requirements.
external_acl_type WindowsGroup ttl=60 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
# End Group

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
# To allow sites that do not work with NTLM. Created a list of sites that do not seem to work using NTLM
# to exclude from authentication requirement.
acl allowsites url_regex -i "/etc/squid/allowedsites.acl"

# Begin Group
# ACLs to get ADS group membership. I have two groups here. One group has unrestricted access
# and the other limited. The ADS groups used here are ProxyAccess and ProxyAccessLimited.
acl InWindowsGroup external WindowsGroup ProxyAccess
acl InLimitedWindowsGroup external WindowsGroup ProxyAccessLimited
# End Group

# Begin Facebook test.
# These ACLs are set up to manage which users can access Facebook in this instance.
# List of users.
acl UnRestrictedUsers proxy_auth "/etc/squid/UnRestrictedUsers.acl"
# List of sites allowed to these users.
acl ExcemptedSites url_regex -i "/etc/squid/ExcemptedSites.acl"
# List of managed domains.
acl RestrictedDomains dstdomain "/etc/squid/RestrictedDomains.acl"
# End Facebook test.

# Begin limited access test.
# This is where the specific restrictions are made for the ProxyAccessLimited users.
acl LimitAllowedSites url_regex -i "/etc/squid/LimitAllowedSites.acl"
acl LimitRestrictions dstdomain "/etc/squid/LimitRestrictions.acl"
# End limited access test.

acl MyACL proxy_auth REQUIRED
acl java browser java
acl java browser Java

acl broken dstdomain .aa.com
header_access Accept-Encoding deny broken

http_access allow all java
http_access allow all allowsites

# Begin Group
# This will allow users in the ProxyAccessLimited ADS group access to the sites listed in the
# /etc/squid/LimitAllowedSites.acl file, but not to the sites listed in the /etc/squid/LimitRestrictions.acl
# file. Note: a "." in the LimitRestrictions.acl file will limit the users only to the sites listed in the
# LimitAllowedSites.acl file.
http_access allow InLimitedWindowsGroup LimitAllowedSites !LimitRestrictions
# This will allow users in the ProxyAccess ADS group access to any sites, and permits those listed in the
# /etc/squid/UnRestrictedUsers.acl file access to the site listed in the /etc/squid/ExcemptedSites.acl file.
http_access allow InWindowsGroup UnRestrictedUsers ExcemptedSites
# This will allow users in the ProxyAccess ADS group access to any sites, except those listed in the
# /etc/squid/ExcemptedSites.acl file.
http_access allow InWindowsGroup !ExcemptedSites
# End Group

http_access deny all
never_direct allow all
# This is where the two peers are defined.
cache_peer myproxy01.domain.com parent 80 0 no-query default
cache_peer myproxy02.domain.com parent 80 0 no-query default

# This determines which peer is going to be used, based on the sites listed in the /etc/squid/RestrictedDomains.acl
# file.
cache_peer_access myproxy01.domain.com deny RestrictedDomains
cache_peer_access myproxy02.domain.com allow RestrictedDomains

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

http_reply_access allow all

icp_access allow all

cache_effective_group squid

coredump_dir /var/spool/squid

memory_pools off

half_closed_clients off

The .acl files listed in the configuration are either just a list of usernames (ADS or otherwise) or a list of domains. In the case of the domains, you can use the following syntax to signify all hosts for a particular domain:

.mydomain.com

Below, I have tried to strip out the other things to demonstrate all that is needed to support proxy access via ADS group membership.

Excerpts from /etc/squid/squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
...
# Begin Group
external_acl_type WindowsGroup ttl=60 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
# End Group
...
# Begin Group
acl InWindowsGroup external WindowsGroup ProxyAccess
acl InLocationsWindowsGroup external WindowsGroup ProxyAccessLocations
# End Group
...
# Begin store access test.
acl LocationAllowedSites url_regex -i "/etc/squid/LocationAllowedSites.acl"
acl LocationRestrictions dstdomain "/etc/squid/LocationRestrictions.acl"
# End store access test.
...
acl MyACL proxy_auth REQUIRED
...
# Begin Group
http_access allow InLocationsWindowsGroup LocationAllowedSites !LocationRestrictions
http_access allow InWindowsGroup
# End Group
...
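Squid's decision for a request comes entirely from the order of the http_access lines: each line is tried top to bottom, a line matches only when every ACL on it matches (a leading "!" negates that one ACL), and the first matching line decides. As an added example that is not part of the original post, the POSIX sh script below models the three http_access lines of the excerpt above. The AD group lookup that wbinfo_group.pl performs is replaced by a space-separated group list passed in, the two .acl files are replaced by constructed in-script lists (my assumption, named LOCATION_ALLOWED_SITES and LOCATION_RESTRICTIONS), url_regex is treated as a case-insensitive extended regex over the whole URL, and dstdomain as a leading-dot suffix match or an exact host match. Running it walks a handful of constructed requests through the rules.

```shell
#!/bin/sh
# Added example, not part of the original post: a small POSIX sh model of how
# Squid walks the http_access lines in the stripped-down excerpt.
# Rules are evaluated top to bottom; a line matches only if every ACL on it
# matches (a leading "!" negates that one ACL); the first matching line wins.
# AD group membership, which wbinfo_group.pl would look up, is supplied here
# as a space-separated list so the logic can be exercised offline.

# Constructed stand-ins for the two .acl files referenced by the excerpt.
# url_regex entries: case-insensitive extended regexes tested against the URL.
LOCATION_ALLOWED_SITES='example\.com'
# dstdomain entries: a leading "." matches the domain and every subdomain;
# an entry without it matches that host name only.
LOCATION_RESTRICTIONS='.hr.example.com
payroll.example.com'

# Host part of a URL, lower-cased (scheme, path, query and port stripped).
url_host() {
  h=${1#*://}
  h=${h%%/*}
  h=${h%%\?*}
  h=${h%%:*}
  printf '%s' "$h" | tr 'A-Z' 'a-z'
}

# url_regex: succeed if any pattern in list $2 matches URL $1.
url_regex_match() {
  printf '%s\n' "$2" | while IFS= read -r pat; do
    [ -n "$pat" ] || continue
    if printf '%s' "$1" | grep -Eiq -e "$pat"; then echo match; break; fi
  done | grep -q match
}

# dstdomain: succeed if host $1 matches any entry in list $2.
dstdomain_match() {
  printf '%s\n' "$2" | while IFS= read -r dom; do
    [ -n "$dom" ] || continue
    dom=$(printf '%s' "$dom" | tr 'A-Z' 'a-z')
    case "$dom" in
      .*) if [ "$1" = "${dom#.}" ]; then echo match; break; fi
          case "$1" in *"$dom") echo match; break ;; esac ;;
      *)  if [ "$1" = "$dom" ]; then echo match; break; fi ;;
    esac
  done | grep -q match
}

# external WindowsGroup: is group $1 in the user's group list $2?
in_group() {
  case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# The http_access lines of the excerpt, in order, followed by the deny all
# that closes the full configuration:
#   http_access allow InLocationsWindowsGroup LocationAllowedSites !LocationRestrictions
#   http_access allow InWindowsGroup
#   http_access deny all
# Usage: squid_decision "<groups>" "<url>"  -> prints allow or deny
squid_decision() {
  groups_=$1
  url=$2
  host=$(url_host "$url")
  if in_group ProxyAccessLocations "$groups_" \
     && url_regex_match "$url" "$LOCATION_ALLOWED_SITES" \
     && ! dstdomain_match "$host" "$LOCATION_RESTRICTIONS"; then
    echo allow; return 0
  fi
  if in_group ProxyAccess "$groups_"; then
    echo allow; return 0
  fi
  echo deny
}

# Walk a few constructed requests through the rules.
for req in \
  'ProxyAccessLocations|http://intranet.example.com/' \
  'ProxyAccessLocations|http://www.hr.example.com/benefits' \
  'ProxyAccessLocations|https://PAYROLL.example.com:443/' \
  'ProxyAccessLocations|http://www.example.org/' \
  'ProxyAccess|http://www.hr.example.com/' \
  '|http://intranet.example.com/'
do
  printf '%-22s %-42s %s\n' "${req%%|*}" "${req#*|}" "$(squid_decision "${req%%|*}" "${req#*|}")"
done
```

The point to take away is that the ordering carries the policy: a ProxyAccessLocations user is stopped at the first line for hr.example.com and nothing later lets them through, while a ProxyAccess user never reaches the restriction at all because the second line matches first. If you reorder the lines, the outcome for the same user and URL changes.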

Also, if you want to customize the default access denied page that users receive when they go to a site they are not permitted to access, you can add your customizations to the /usr/share/squid/errors/English/ERR_ACCESS_DENIED file. I believe you can do a number of other creative things with error pages, but I have not looked into that.

If you want to add or remove sites from the files, you just need to issue a "service squid reload" to activate the new settings.

Expand VMware ESXi guest storage – CentOS root partition.

The first lesson I learned on this little adventure was that you need to remove any existing VMware snapshots for the guest. I removed all the snapshots from the vSphere client using the Snapshot Manager option.

Once you get that out of the way, you just need to go in Edit Settings for the guest, select the Hard Disk you want to expand, and enter in the new size. I wanted to increase the root partition on a CentOS 6 guest by 10GB.

Once that is completed, the rest was done from the guest. My objective was to do this without rebooting. Unfortunately, I had to reboot once early in the process.

First, I had to create a new partition on the expanded disk. I printed the current partition table using fdisk and then created the new partition. As you can see below, I got a message about the device being busy. I tried partprobe and kpartx as suggested in the output, but neither worked for me, so I ended up rebooting.

# fdisk /dev/sda

Command (m for help): p

Disk /dev/sda: 32.2 GB, 32212254720 bytes
64 heads, 32 sectors/track, 30720 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00033ab9

Device Boot Start End Blocks Id System
/dev/sda1 * 2 501 512000 83 Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2 502 20480 20458496 8e Linux LVM
Partition 2 does not end on cylinder boundary.

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 3
First cylinder (1-30720, default 1): 20481
Last cylinder, +cylinders or +size{K,M,G} (20481-30720, default 30720):
Using default value 30720

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.

# shutdown -r now

I created a file system on the partition. I am not sure whether this is needed or not since I was expanding an existing volume, but I did it anyway.

# mkfs.ext4 /dev/sda3
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
655360 inodes, 2621440 blocks
131072 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2684354560
80 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 38 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

Then, initialize the new partition:

# pvcreate /dev/sda3
Physical volume "/dev/sda3" successfully created

Extend the volume group:

# vgextend vg_vmdev01 /dev/sda3
Volume group "vg_vmdev01" successfully extended

I extended the volume by 9.9GB:
# lvextend -L +9.9G /dev/mapper/vg_vmdev01-lv_root
Rounding up size to full physical extent 9.90 GiB
Extending logical volume lv_root to 27.44 GiB
Logical volume lv_root successfully resized

Then, resize the file system:
# resize2fs /dev/mapper/vg_vmdev01-lv_root
resize2fs 1.41.12 (17-May-2010)
Filesystem at /dev/mapper/vg_vmdev01-lv_root is mounted on /; on-line resizing required
old desc_blocks = 2, new_desc_blocks = 2
Performing an on-line resize of /dev/mapper/vg_vmdev01-lv_root to 7193600 (4k) blocks.
The filesystem on /dev/mapper/vg_vmdev01-lv_root is now 7193600 blocks long.

And that is it. This expanded the root volume by 9.9GB. Just to verify that all was well, I rebooted again.

mount -t cifs for Redhat/CentOS 6.x

mount.cifs has been moved from the samba-client package to cifs-utils on recent Red Hat variants. I have been stung by this a couple of times, so I figured I would note it here.

CentOS 6.0 Continuous Release repository issues.

I noticed that some of my servers were running a different kernel version even after I ran yum update. I thought maybe I had not installed the centos-release-cr-6-0 rpm on all of them, but I did. I just needed to clean out the yum cache using the following:

yum clean all

CentOS/RHEL/Fedora/Ubuntu: scan for SCSI hardware changes.

To scan all SCSI buses for hardware changes enter the following:

echo "- - -" > /sys/class/scsi_host/host0/scan # "dash space dash space dash space"

I did this on CentOS 5 to discover a new disk I added, but did not want to reboot the server.

Note: You might have to use one of the other host directories. In Ubuntu, I had to use host2 before the drive would show up.
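Since the right hostN directory differs from system to system, a practical alternative is to rescan every host. The function below is an added example (not from the original post) that does that; the sysfs root is a parameter, which is my own addition so the function can be tried against a scratch directory before running it as root against /sys.

```shell
#!/bin/sh
# Added example, not from the original post: rescan every SCSI host rather
# than guessing which hostN the new disk is attached to. Writing "- - -"
# (all channels, all targets, all LUNs) to a host's scan file asks the kernel
# to probe that bus. The sysfs root is a parameter (my addition, for testing)
# so the function can be exercised against a scratch directory.

rescan_scsi_hosts() {
  root=${1:-/sys/class/scsi_host}
  count=0
  for scan in "$root"/host*/scan; do
    [ -w "$scan" ] || continue     # unmatched glob, or not root: skip
    printf '%s\n' '- - -' > "$scan" || return 1
    echo "rescanned $(basename "$(dirname "$scan")")" >&2
    count=$((count + 1))
  done
  if [ "$count" -eq 0 ]; then
    echo "no writable scan files under $root (run as root?)" >&2
    return 1
  fi
  echo "$count"     # number of hosts rescanned
}

# As root on a real system: rescan_scsi_hosts, then list disks with fdisk -l.
```

The function returns non-zero when it could not write to any scan file, which is what you see when it is run unprivileged or on a kernel without SCSI hosts, so a wrapper script can tell "nothing to rescan" from "rescan done".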

Nagios installation procedures used on CentOS5.

Ensure that you have the following installed:
httpd, gcc, glibc, glibc-common, gd, gd-devel

Create accounts and groups.
useradd -m nagios
passwd nagios
groupadd nagcmd
usermod -a -G nagcmd nagios
usermod -a -G nagcmd apache

Build nagios from the source.
cd /usr/local/src
Download nagios and nagios-plugins from http://www.nagios.org/download/ to /usr/local/src.
tar -zxvf nagios-3.0.5.tar.gz
cd nagios-3.0.5
./configure --with-command-group=nagcmd
make all 2>&1 | tee MAKEALL.log
make install 2>&1 | tee MAKEINSTALL.log
make install-init 2>&1 | tee MAKEINSTALLINIT.log
make install-config 2>&1 | tee MAKEINSTALLCONFIG.log
make install-commandmode 2>&1 | tee MAKEINSTALLCOMMANDMODE.log
cd /usr/local/nagios/etc/objects/
cp -rp contacts.cfg contacts.cfg.orig
vi contacts.cfg
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
cd /usr/local/src/nagios-3.0.5
make install-webconf 2>&1 | tee MAKEINSTALLWEBCONF.log
service httpd restart
cd ..
tar -zxvf nagios-plugins-1.4.13.tar.gz
cd nagios-plugins-1.4.13
./configure --with-nagios-user=nagios --with-nagios-group=nagios
make 2>&1 | tee MAKE.log
make install 2>&1 | tee MAKEINSTALL.log
chkconfig --add nagios
chkconfig nagios on

This is a great way to debug errors in your configuration files:
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

service nagios start

I created configuration files based on the template.cfg provided in the objects directory of the distribution.
cd /usr/local/nagios/etc/objects/

You have to make changes to your nagios.cfg file based on any new configuration files you created above.
vi ../nagios.cfg

Check your configuration:
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

You have to restart nagios whenever you make a change to the configuration files.
service nagios restart

Installed NSClient on a Windows 2003 server to monitor it in nagios.
http://files.nsclient.org/x-0.3.x/NSClient%2B%2B-Win32-0.3.5.msi
Edit nsc.ini. The file is pretty well documented.

The following is how I installed nrpe on a linux system to allow nagios to monitor it.
Install nrpe to allow nagios access to system status
cd /usr/local/src
wget http://internap.dl.sourceforge.net/sourceforge/nagios/nrpe-2.12.tar.gz
useradd nagios
passwd nagios
wget http://superb-east.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.13.tar.gz
tar zxvf nagios-plugins-1.4.13.tar.gz
cd nagios-plugins-1.4.13
./configure 2>&1 | tee CONFIGURE.log
make 2>&1 | tee MAKE.log
make install 2>&1 | tee MAKEINSTALL.log
chown nagios.nagios /usr/local/nagios
chown -R nagios.nagios /usr/local/nagios/libexec/
cd ..
tar zxvf nrpe-2.12.tar.gz
cd nrpe-2.12
./configure 2>&1 | tee CONFIGURE.log
make all 2>&1 | tee MAKEALL.log
make install-plugin 2>&1 | tee MAKEPLUGIN.log
make install-daemon 2>&1 | tee MAKEDAEMON.log
make install-daemon-config 2>&1 | tee MAKEDAEMONCONFIG.log
make install-xinetd 2>&1 | tee MAKEXINETD.log
vi /etc/xinetd.d/nrpe

only_from = 127.0.0.1 192.168.0.3

vi /etc/services

nrpe 5666/tcp # NRPE

yum install xinetd
service xinetd start
netstat -at | grep nrpe

Verify nrpe is working:
/usr/local/nagios/libexec/check_nrpe -H localhost
/usr/local/nagios/libexec/check_nrpe -H localhost -c check_users
/usr/local/nagios/libexec/check_nrpe -H localhost -c check_load

Add customized commands to support the machine
vi /usr/local/nagios/etc/nrpe.cfg

# Customized for this machine
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_hda1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hda1
command[check_hda2]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hda2
command[check_hdd1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hdd1
command[check_hdd2]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hdd2
command[check_hdd5]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hdd5
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 150 -c 200
command[check_mailq_timeout]=/usr/local/nagios/libexec/check_mailq -M postfix -w 5 -c 15
command[check_mailq]=/usr/local/nagios/libexec/check_mailq -w 10 -c 20
command[check_procs_named]=/usr/local/nagios/libexec/check_procs -C named -t 3 -w 1:1

Accessing Samba shares from Windows 7 client.

I was getting the following messages in my samba logs when I would try to access a samba 3.0.33 share on CentOS 5.4 from a Windows 7 Enterprise client:

[2010/03/04 14:07:12, 0] lib/util_sock.c:read_data(534)
read_data: read failure for 4 bytes to client 172.18.31.155. Error = Connection reset by peer

I tried adding the following to my /etc/samba/smb.conf global configuration, but it did not seem to work.

client ntlmv2 auth = yes

I got the same kind of messages.

I ended up having to change the Windows 7 local security policy by modifying the “LAN Manager authentication level”, the “Minimum session security for NTLM SSP based (including secure RPC) clients”, and the “Minimum session security for NTLM SSP based (including secure RPC) servers” policies.

I used the following procedure:

Control Panel -> System and Security -> Administrative Tools -> Local Security Policy

From the Local Security Policy, I went into “Security Options” and then looked under the “Network security” policies.

From here, I set the new policies.

Network security: LAN Manager authentication level
Send LM & NTLM responses

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Uncheck “Require 128-bit encryption.”

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Uncheck “Require 128-bit encryption.”

I am hoping to figure out the issue with samba not accepting ntlmv2 authentication, so I can set the client policies back to the default.

Install 64 bit java plugin in linux.

I used this method for installing the latest java plugin on a CentOS 5.4 system.

Download latest java (jre-6u18-linux-x64.bin) from java.com.
I installed all my java versions in /usr/java. This is where I save the bin file downloaded.
cd /usr/java
chmod 744 jre-6u18-linux-x64.bin
To install java:
./jre-6u18-linux-x64.bin

To install the plugin into your latest version of firefox:
cd /usr/lib64/firefox-3.0.16
mkdir plugins #I had to create this directory.
ln -s /usr/java/jre1.6.0_18/lib/amd64/libnpjp2.so

Restart firefox.
