Tuesday, March 15, 2011

incremental backup

setup ssh-keygen

On Pdu-Backup, set up ssh-keygen so that pdu-backup can log in to the other servers without entering a password
  1. Enter ssh-keygen at the terminal and press enter at every prompt. This generates a public key and a private key.
  2. cd to .ssh/. Normally it is under root's home directory (/root/.ssh/)
  3. Here you will see 3 files: id_rsa, id_rsa.pub and known_hosts. id_rsa is your private key and id_rsa.pub is your public key. Copy id_rsa.pub to the remote computer you need auto login for, like this:
scp /root/.ssh/id_rsa.pub my_destination_server:~/ 
  4. ssh to the remote computer and cd to the folder where you copied id_rsa.pub just now, let's say /root/. Check whether the folder /root/.ssh exists and create it if not. Make sure the .ssh folder has mode 700. Only then copy the id_rsa.pub file into it, using this command
cat /root/id_rsa.pub >> /root/.ssh/authorized_keys
 
* make sure authorized_keys has mode 600, else it won't work
* extra note: you can limit which users may log in over SSH via /etc/ssh/sshd_config 
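The same key installation as a script, added here as an example (it is not part of the original post): it creates .ssh with mode 700, sets authorized_keys to 600, and skips the append when the key is already present, so re-running step 4 does not pile up duplicate lines. The home directory and the key line in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: install a public key into a
# remote user's authorized_keys as step 4 above does by hand, with the mode
# checks done by the script and without appending the same key twice if the
# step is re-run.
# Usage: install_pubkey <home dir> <path to id_rsa.pub>
# Prints the number of keys in authorized_keys afterwards.
install_pubkey() {
    home=$1
    pubkey=$2
    sshdir=$home/.ssh
    authkeys=$sshdir/authorized_keys

    [ -f "$pubkey" ] || { echo "no such key file: $pubkey" >&2; return 1; }

    # sshd (StrictModes) ignores the key if .ssh or authorized_keys is
    # writable by group/other, hence 700 and 600.
    [ -d "$sshdir" ] || mkdir "$sshdir"
    chmod 700 "$sshdir"

    # Append only if this exact key line is not already present.
    touch "$authkeys"
    if ! grep -qxF -e "$(cat "$pubkey")" "$authkeys"; then
        cat "$pubkey" >> "$authkeys"
    fi
    chmod 600 "$authkeys"

    grep -c . "$authkeys"
}

# Octal mode of a path (GNU stat first, BSD stat as fallback) for checking.
path_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Constructed demo: a throwaway home directory and a placeholder key line
# (not a real key) to exercise the function.
TMPD=$(mktemp -d)
HOME_DIR=$TMPD/home
mkdir "$HOME_DIR"
printf 'ssh-rsa AAAAB3-placeholder-not-a-real-key pdu-backup@example\n' > "$TMPD/id_rsa.pub"
install_pubkey "$HOME_DIR" "$TMPD/id_rsa.pub"
echo ".ssh mode: $(path_mode "$HOME_DIR/.ssh"), authorized_keys mode: $(path_mode "$HOME_DIR/.ssh/authorized_keys")"
```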
 
 

Script

Here is an example of the script
#!/bin/sh

# Remote host to back up and the rsync exclude list
BSERVER=172.30.10.218
EXCLUDES=/export/exclude-list/pdu-profile-exclude
# Name of yesterday's weekday (Monday ... Sunday); files changed or deleted
# since the last run are moved into this folder by --backup-dir
BACKUPDIR=`date -d "-1 day" +"%A"`
OPTS="-v --force --ignore-errors --delete-excluded --exclude-from=$EXCLUDES --delete --backup --backup-dir=/export/pdu-profile/$BACKUPDIR -a"

# Empty the weekday folder: rsync of an empty directory with --delete removes everything under it
[ -d /export/emptydir ] || mkdir /export/emptydir
rsync --delete -a /export/emptydir/ /export/pdu-profile/$BACKUPDIR/
rmdir /export/emptydir

echo "Start time `date +%c`" >> /var/log/SAT-backup/pdu-profile

# Full copy of the remote server goes to current/; old versions of changed or deleted files land in $BACKUPDIR
rsync $OPTS $BSERVER:/ /export/pdu-profile/current/

echo "End time `date +%c`" >> /var/log/SAT-backup/pdu-profile
echo " " >> /var/log/SAT-backup/pdu-profile
Cron job
Here you will need to set up your own cron job so the script runs automatically every day
  1. enter crontab -e to edit the cron jobs
  2. * * * * * job -> this is the default cron job format (minute hour day-of-month month day-of-week command)
  3. I had set up our Pdu-backup cron jobs for 5 scripts:
    • 0 20 * * * /export/Script/pdu-ldap-script
    • 0 21 * * * /export/Script/pdu-db-script
    • 0 22 * * * /export/Script/pdu-web-script
    • 0 23 * * * /export/Script/pdu-cayman1-script
    • 0 0 * * * /export/Script/pdu-profile-script
  4. This will execute pdu-ldap-script every day at 8pm, pdu-db-script at 9pm, and so on
  5. crontab -l (list the cron jobs bound to the current user)
Backup Result
  • As written, the script rsyncs the remote server into the current folder on pdu-backup, so the current folder is always a full backup of the remote server and is updated every day.
  • While rsyncing today's backup into the current folder, every old, edited or deleted file is moved into the weekday folder assigned by $BACKUPDIR in the script. For example, when the rsync runs on Tuesday night, the current folder is updated to the latest full backup while the edited, old and deleted files are moved into the folder named Monday. Remember that the Monday folder only contains the edited, old and deleted files, not a full backup; the current folder always remains the full backup of the remote server.
  • The backup files are kept for 7 days, in folders named Monday to Sunday. When Monday comes around again, the previous Monday folder is removed and re-created for the latest backup.
  • A log file is saved for every script, recording the date and time it started and ended. It is saved inside the /var/log/SAT-backup/ folder
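A check for those log files, added here as an example (not the post's own code): the script appends "Start time" before rsync and "End time" after it, so a trailing "Start time" with no "End time" means the run was interrupted or is still going, which is the condition to alert on. The sample logs are constructed in the format `date +%c` prints in the C locale.

```shell
#!/bin/sh
# Added example, not part of the original post: check the logs the backup
# script writes under /var/log/SAT-backup/. Each run appends "Start time ..."
# and, after rsync returns, "End time ...", so a final "Start time" with no
# "End time" after it means the last run was interrupted or is still running.
# Prints one of: completed | incomplete | none
last_run_status() {
    logfile=$1
    [ -f "$logfile" ] || { echo none; return 0; }
    awk '
        /^Start time/ { state = "incomplete"; starts++ }
        /^End time/   { if (state == "incomplete") state = "completed" }
        END           { if (starts == 0) print "none"; else print state }
    ' "$logfile"
}

# Number of runs in the log that never logged an "End time".
incomplete_runs() {
    awk '
        /^Start time/ { open++ }
        /^End time/   { if (open > 0) open-- }
        END           { print open + 0 }
    ' "$1"
}

# Constructed sample logs in the script's format (date +%c, C locale);
# in production these would be /var/log/SAT-backup/pdu-profile and friends.
TMPD=$(mktemp -d)
SAMPLE_OK=$TMPD/pdu-profile
SAMPLE_BAD=$TMPD/pdu-db
cat > "$SAMPLE_OK" <<'EOF'
Start time Mon Mar 14 00:00:01 2011
End time Mon Mar 14 00:42:17 2011
 
Start time Tue Mar 15 00:00:01 2011
End time Tue Mar 15 00:39:05 2011
 
EOF
cat > "$SAMPLE_BAD" <<'EOF'
Start time Mon Mar 14 21:00:01 2011
End time Mon Mar 14 21:10:44 2011
 
Start time Tue Mar 15 21:00:01 2011
EOF
for f in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    echo "$(basename "$f"): last run $(last_run_status "$f"), $(incomplete_runs "$f") incomplete run(s)"
done
```

Run it against the real log from cron a while after the last script's expected end time and mail or page on anything other than "completed".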
 

Tuesday, March 1, 2011

Iptables

Check whether iptables is installed on the server

rpm -q iptables
If it is not installed, install it with
yum install iptables

Rules
These are the standard rules for all the servers
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -P INPUT DROP
save the iptables rules so that each time iptables starts it loads this rule set
/etc/init.d/iptables save
remember to save every time you finalize your rules
start/restart iptables after saving
/etc/init.d/iptables start
Check open port
Use nmap to check open ports; install it via yum, or use another server that has nmap installed, and run
nmap "destination"
example
nmap 172.30.10.230
you can use this link to look up the description of each port
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

HowTo
add a specific port to iptables. This appends the rule at the end of the selected chain
iptables -A [CHAIN] -p tcp --dport [port number] -j [ACCEPT/DROP]
example
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j DROP
The first rule allows port 443 connections to come in and the second rule blocks outgoing http connections

insert a rule at a specific rule number. If the rule number is 1, the inserted rule becomes no. 1 and the previous no. 1 rule is pushed to no. 2
iptables -I [CHAIN] [rule number] -p tcp --dport [port number] -j [ACCEPT/DROP] 
example
iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
This allows connections coming in on port 22 as the first rule

delete a specific rule
iptables -D [CHAIN] [rule number]

list all the rules
iptables -L