AIDE, the Advanced Intrusion Detection Environment, is a tool that checks the integrity of files on the system against a database recorded earlier
Steps to deploy AIDE
1. install the aide package
2. customize /etc/aide.conf to your preference (which paths to watch and which attributes to record)
3. run /usr/sbin/aide --init to build the initial database
4. store copies of /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz in a secure location (read-only media or another host), because an attacker who gets root on the box can otherwise rewrite the database or the binary so that the check keeps passing
5. copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
6. run the check with # aide --check
Results are printed to the terminal and, by default, also written to /var/log/aide/aide.log
After legitimate changes (a yum update, for instance) rebuild the database the same way, otherwise the next check reports every updated file
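As an added example (not AIDE's own code), here is the init/check cycle written in plain shell with sha256sum, so the idea can be tried on any directory before AIDE is installed. AIDE records much more than content (permissions, owner, inode, timestamps, several hashes, all chosen in aide.conf); the function names and the baseline file are this example's own.

```shell
#!/bin/sh
# Added example (not AIDE's code): a minimal file-integrity baseline and check
# over a directory tree, mirroring what `aide --init` and `aide --check` do.
# Only file content (SHA-256) is recorded; AIDE also records permissions,
# ownership, inode numbers and timestamps according to /etc/aide.conf.
# As with AIDE's database, the baseline must be kept where root on the
# monitored host cannot rewrite it, or a successful check proves nothing.

# Hash every regular file under $1 into baseline file $2, one "hash  path"
# line per file.  -print0/-z/-0 keep file names with spaces intact; xargs -r
# avoids running sha256sum on stdin when the tree is empty (GNU options).
integrity_init() {
    tree=$1; baseline=$2
    (cd "$tree" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum) > "$baseline"
}

# Compare the tree in $1 against baseline $2.  Prints one line per difference
# (ADDED, CHANGED or REMOVED followed by the path) and returns 1, or prints
# nothing and returns 0 when the tree matches, like `aide --check`.
integrity_check() {
    tree=$1; baseline=$2
    current=$(mktemp) || return 2
    (cd "$tree" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum) > "$current"
    # sha256sum separates hash and path with two spaces, so FS="  " keeps
    # paths containing single spaces in $2.  Entries left in base[] after the
    # current listing is consumed are files that disappeared.
    diffs=$(awk -F'  ' '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            if (!($2 in base))       print "ADDED   " $2
            else if (base[$2] != $1) print "CHANGED " $2
            delete base[$2]
        }
        END { for (p in base) print "REMOVED " p }' "$baseline" "$current" | sort)
    rm -f "$current"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}
```

Usage is integrity_init /etc /mnt/readonly/etc.baseline once, then integrity_check /etc /mnt/readonly/etc.baseline from cron; a non-zero exit with a CHANGED or ADDED line for something under /etc is the event worth an alert.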
System Activity Report
Install the sysstat package
run # sar -A to display all the information collected
run # sar -u 2 5 to display five samples of system CPU usage taken at two-second intervals
this blog was created for my own personal notes. If any of the posts are useful to you, I am happy to hear that, but if there is any mistake in my notes, please correct me
Monday, October 8, 2012
Static route
The routing table for the system is displayed with the ip route show command.
Forwarding of packets between interfaces is controlled by the tunable kernel parameter net.ipv4.ip_forward (static routes for the host's own traffic do not need it)
- 0 = discard packets not addressed to this host (the default; keep it on any machine that is not meant to be a router)
- 1 = forward foreign packets to the network interface chosen by the routing table
Edit /etc/sysctl.conf for a permanent change and run sysctl -p to reload it
To add a route dynamically (lost at reboot)
# ip route add network/prefix via router_IP
To add a route persistently, edit /etc/sysconfig/network-scripts/route-<iface> (route-eth0, for example); each route is a numbered triple
ADDRESS0=network
NETMASK0=netmask
GATEWAY0=router_ip
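Added example, not from the original notes: a small shell helper that turns a network written in CIDR form into the ADDRESSn/NETMASKn/GATEWAYn triple the route-<iface> file expects, plus a check of the ip_forward state. The function names are mine; nothing here touches the live routing table.

```shell
#!/bin/sh
# Added example (not from the page): build the ADDRESSn/NETMASKn/GATEWAYn
# triple that /etc/sysconfig/network-scripts/route-<iface> expects from a
# network given in CIDR form, and read the ip_forward state from the file
# the kernel exposes.  Function names are this example's own; nothing here
# changes the live routing table.

# Turn a prefix length (0-32) into a dotted netmask, e.g. 20 -> 255.255.240.0
prefix_to_netmask() {
    prefix=$1
    case $prefix in *[!0-9]*|"") return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    mask=""; bits=$prefix
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        elif [ "$bits" -gt 0 ]; then
            octet=$((256 - (1 << (8 - bits)))); bits=0
        else
            octet=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    printf '%s\n' "$mask"
}

# route_entry NETWORK/PREFIX ROUTER_IP INDEX prints the three lines for
# entry INDEX of the route-<iface> file.
route_entry() {
    net=${1%/*}; prefix=${1#*/}
    [ "$net" != "$1" ] || return 1          # no "/" in the argument
    mask=$(prefix_to_netmask "$prefix") || return 1
    printf 'ADDRESS%s=%s\nNETMASK%s=%s\nGATEWAY%s=%s\n' \
        "$3" "$net" "$3" "$mask" "$3" "$2"
}

# Report whether the kernel is forwarding: reads net.ipv4.ip_forward from
# /proc (or from the file given as $1, which is what the test uses).
# On anything that is not a router the expected answer is "disabled".
ip_forward_state() {
    case "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" in
        1) echo forwarding ;;
        0) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}
```

route_entry 10.20.0.0/16 192.168.1.254 0 >> /etc/sysconfig/network-scripts/route-eth0 appends a persistent route; ip_forward_state with no argument reports the running kernel.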
Tuning kernel network parameters
Install the kernel-doc RPM for the documentation (Documentation/networking/ip-sysctl.txt describes the net.ipv4 settings)
# sysctl -a
lists every parameter with its current value
the network parameters are exposed under
/proc/sys/net/ipv4/
Tuesday, October 2, 2012
network monitoring
Detect Local Services
# netstat -tulnp
lists listening TCP and UDP sockets with the owning PID/program (run it as root, otherwise the program column is blank for other users' processes)
Detect Remote Services
# nmap -A -sT <server>
-A adds OS detection, version detection and script scanning on top of the full TCP connect scan; only point it at hosts you are authorised to scan
Capturing and analyzing network traffic
# tcpdump -D
shows all available capture interfaces
Example to capture port 22 traffic on interface eth0 into a pcap file
# tcpdump -nn -l -s 2000 -w packets -i eth0 'port 22'
-nn disables host and port name resolution, -s 2000 keeps up to 2000 bytes of each packet instead of truncating at the default snaplen, -w packets writes the raw packets to a file named packets
Analyzing network packets with wireshark
install the wireshark-gnome package
copy the tcpdump output file to the workstation
# wireshark <tcpdump file>
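Added example, not from the original notes: the services that listen on every interface (0.0.0.0 or ::) are the ones to compare against the firewall, and they can be picked out of netstat -tulnp output with awk. The netstat output below is constructed for the example; in use, pipe the real command in.

```shell
#!/bin/sh
# Added example (not from the page): pick out the services that listen on every
# interface (0.0.0.0 or ::) from `netstat -tulnp` output, which is the list to
# review against the firewall.  The sample output below is constructed for the
# example; in use, pipe the real command in: netstat -tulnp | wildcard_listeners

# Constructed sample in the CentOS 6 netstat -tulnp layout.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1300/master
tcp        0      0 :::80                       :::*                        LISTEN      1500/httpd
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               1000/rpcbind
udp        0      0 127.0.0.1:123               0.0.0.0:*                               900/ntpd
EOF
}

# Print "proto port pid/program" for each wildcard bind.  The local address is
# field 4; the port is whatever follows the last ':' (IPv6 addresses contain
# ':' themselves, which is why split() on ':' takes the final piece).  UDP lines
# have no State column, so the program is taken as the last field on the line.
wildcard_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, part, ":")
        port = part[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::") print $1, port, $NF
    }'
}
```

Anything this prints that is not in the iptables INPUT policy for the host is either a gap in the firewall or a service that should bind to 127.0.0.1 instead.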
sample yum repo
create a file (the directory is /etc/yum.repos.d and the file name must end in .repo, otherwise yum ignores it)
# touch /etc/yum.repos.d/redhat.repo
then edit it with this sample
[redhat]
name = Redhat
baseurl = http://server.example.com/repo
enabled = 1
gpgcheck = 0
gpgcheck = 0 disables RPM signature checking, so yum installs whatever the server, or anyone on the path since baseurl is plain http, hands it. For anything beyond a throw-away lab repo set gpgcheck = 1 and add a gpgkey = line pointing at the signing key.
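Added example, not from the original notes: an awk pass over a .repo file that reports every enabled section which does not verify signatures. The repo file is constructed for the example; treating a missing gpgcheck= as unverified is this example's conservative choice (yum itself would fall back to the [main] setting in yum.conf).

```shell
#!/bin/sh
# Added example (not from the page): report the sections of a .repo file that
# are enabled but do not verify package signatures.  Sections are read from
# stdin; the sample file below is constructed for the example, and the
# treatment of a missing gpgcheck= as "not verified" is this example's
# conservative choice (yum would fall back to the [main] default in yum.conf).

sample_repo() {
    cat <<'EOF'
[redhat]
name = Redhat
baseurl = http://server.example.com/repo
enabled = 1
gpgcheck = 0

[epel]
name=EPEL
baseurl=https://mirror.example.com/epel
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6

[testing]
name=Testing
baseurl=http://mirror.example.com/testing
enabled=0
EOF
}

# Walk the ini-style file, remember enabled= and gpgcheck= per section, and
# print each enabled section whose gpgcheck is not 1 (one name per line).
# enabled defaults to 1 when absent, as in yum.
unverified_repos() {
    awk '
        function report() { if (sec != "" && enabled == "1" && gpg != "1") print sec }
        /^\[.*\]$/ { report(); sec = substr($0, 2, length($0) - 2); enabled = "1"; gpg = ""; next }
        /^[ \t]*(enabled|gpgcheck)[ \t]*=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            if (kv[1] == "enabled") enabled = kv[2]; else gpg = kv[2]
        }
        END { report() }
    '
}
```

cat /etc/yum.repos.d/*.repo | unverified_repos gives the list of repositories on a box that would accept an unsigned package.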
Encrypting files with GnuPG
Generate a key pair
# gpg --gen-key
List public keys
# gpg --list-keys
Export a public key (ASCII armoured, so it can be pasted into mail)
# gpg -o mykey.key --export --armor key-id
Import a public key
# gpg --import file.key
Before encrypting to an imported key, compare its fingerprint with the owner over a channel you trust; a key file received by mail proves nothing about who holds the private key
Encrypt a file to a recipient (writes <file>.asc)
# gpg --encrypt --armor -r key-id <file>
Decrypt a file (the plaintext goes to stdout unless -o is given)
# gpg --decrypt <file>
Monday, October 1, 2012
Text Processing Tools
# diff
example:
# diff <file1> <file2>
# diff -Naur <original> <updated> > patchfile
creates a unified diff that also covers new files, which makes a relatively small patch
# patch
example:
# patch <file-need-to-patch> <patchfile>
# cut
example:
# cut -f3 -d: /etc/passwd
# /sbin/ip addr | grep 'inet' | cut -d ' ' -f6 | cut -d / -f1
this pipeline extracts a single piece of information, the IP address, from the /sbin/ip addr output (grep 'inet' also matches the inet6 lines, so IPv6 addresses are listed too)
# head
example
# head /etc/passwd
by default displays the first 10 lines
# head -n 3 /etc/passwd
displays the first 3 lines
# tail
example
# tail /etc/passwd
# tail -n 3 /etc/passwd
# tail -f /var/log/messages
keeps printing new lines as they are appended to the log until Ctrl + c is pressed
# wc
example
# wc <file>
counts the lines, words and bytes in a file (-l lines, -w words, -c bytes, -m characters)
# sort
sorts lines
# uniq
removes adjacent duplicate lines, so the input is normally sorted first
# tr
# tr 'A-Z' 'a-z'
translates upper case to lower case; swap the two arguments for the reverse
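Added example, not from the original notes: the tools above put to work on a passwd-style file to find the two things an auditor checks first, extra UID-0 accounts and UIDs shared by several names. The passwd content is constructed for the example; on a real box feed /etc/passwd in.

```shell
#!/bin/sh
# Added example (not from the page): grep / cut / sort / uniq / tr applied to a
# passwd-style file to find extra UID-0 accounts and UIDs shared by several
# names.  The passwd content is constructed for the example; on a real box
# pipe /etc/passwd in instead of sample_passwd.

sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
carol:x:501:502:Carol:/home/carol:/bin/bash
EOF
}

# Accounts whose third field (UID) is 0.  The regex anchors on the ':'
# separators so UID 10 or 100 does not match.
uid0_accounts() {
    grep -E '^[^:]*:[^:]*:0:' | cut -d: -f1
}

# UIDs that appear more than once: keep field 3, sort numerically so uniq sees
# duplicates next to each other, then -d prints only the repeated values.
duplicate_uids() {
    cut -d: -f3 | sort -n | uniq -d
}

# Login names of every account sharing the UID given as $1, upper-cased with
# tr so they stand out in a report.
names_for_uid() {
    grep -E "^[^:]*:[^:]*:$1:" | cut -d: -f1 | tr 'a-z' 'A-Z' | sort
}
```

uid0_accounts < /etc/passwd should print root and nothing else; any second name is either a deliberate admin alias or a backdoor, and duplicate_uids shows which other UIDs need the same question asked.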
Auto mount
/etc/auto.master provides the master configuration for autofs
Example:
/home/guests /etc/auto.guests
the map file /etc/auto.guests named in /etc/auto.master holds the entries for that mount point
Example mounting LDAP users' home directories from an NFS server
ldapuser1 -rw ldap.example.com:/home/guests/ldapuser1
a wildcard entry mounts whatever name is requested under the mount point from the export of the same name
* ldap.example.com:/home/guests/&
After all is done, just do
# service autofs reload
* note: once /home/guests is managed by automount, the whole directory is taken over by autofs and anything stored locally underneath it is hidden and cannot be edited while the map is active
Centos 6 Virtual machine tools
Virtual Machine Manager is the graphical tool used to manage virtual machines.
it is only available on a 64-bit installation.
you can run the tool from Applications > System Tools > Virtual Machine Manager
The virsh command lets you manage virtual machines from the shell
Here are some commands to use with virsh
# virsh list
# virsh destroy <server name>
# virsh list --all
# virsh start <server name>
# virsh shutdown <server name>
destroy powers the guest off immediately, like pulling the cord, and does not delete its definition; shutdown sends an ACPI request that the guest OS must honour
Wednesday, September 19, 2012
convert bmp to jpg
#!/bin/sh
# Convert every .bmp under the given directory to .jpg and remove the original.
# Requires ImageMagick's convert.
if [ -z "$1" ]; then
    echo "Error: please give a directory path to convert" >&2
    exit 1
else
    CPATH="$1"
fi
# IFS= and -r keep leading spaces and backslashes in file names intact.
find "$CPATH" -type f -iname '*.bmp' | while IFS= read -r filename; do
    # ${filename%.*} strips the extension, so X.bmp or X.BMP becomes X.jpg
    # without a rename step; the original is removed only if convert succeeded.
    convert "$filename" -quality 100 "${filename%.*}.jpg" && rm -f -- "$filename"
done
script thanks to my Manager Lye
mod_evasive
mod_evasive is an Apache module that detects request floods (one client hammering the same page or the whole site) and blocks that client for a period; it mitigates application-level DoS, not a volumetric attack that fills the link.
After a few weeks of trial and error and research, mod_evasive is able to work with iptables.
Here are the installation steps:
1) yum install mod_evasive
2) vi /etc/httpd/conf.d/mod_evasive.conf
<------------------------------ mod_evasive.conf content ----------------------------------->
LoadModule evasive20_module modules/mod_evasive20.so
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify sat.server@my.offgamers.lan
DOSSystemCommand "bash /var/lock/mod_evasive/evasive.sh %s"
DOSLogDir "/var/lock/mod_evasive"
#DOSWhitelist 127.0.0.1
#DOSWhitelist 192.168.0.*
</IfModule>
<------------------------------ mod_evasive.conf content ----------------------------------->
DOSPageCount 2 with DOSPageInterval 1 means two requests for the same URI within one second trigger a block, so raise the counts if legitimate clients get caught, and whitelist any reverse proxy or NAT gateway, because one address there stands for many users.
3) mkdir /var/lock/mod_evasive
4) chown apache:apache /var/lock/mod_evasive
* mod_evasive records each blocked address as a file in this directory
5) vi /var/lock/mod_evasive/evasive.sh
<------------------------------ evasive.sh content ----------------------------------->
#!/bin/bash
# $1 is the client address that mod_evasive substitutes for %s.
# Refuse anything that is not digits and dots before handing it to a
# command that runs as root.
case "$1" in
    ""|*[!0-9.]*) exit 1 ;;
esac
sudo /sbin/iptables -I INPUT -s "$1" -j DROP
sleep 600
sudo /sbin/iptables -D INPUT -s "$1" -j DROP
sudo /bin/rm -f "/var/lock/mod_evasive/dos-$1"
<------------------------------ evasive.sh content ----------------------------------->
How does evasive.sh work?
When mod_evasive detects a flood from an address, it creates a marker file such as dos-172.30.10.223 under /var/lock/mod_evasive and executes evasive.sh with that address.
the dos-* files are how mod_evasive keeps track of the addresses it has already blocked; while the file exists the address is not reported again.
Executing evasive.sh does the following:
insert an iptables rule to drop the address, sleep for ten minutes, remove the rule, and then delete the dos-* file
under /var/lock/mod_evasive; without that last step the address would never be blocked again.
6) visudo
Change:
Defaults requiretty -> #Defaults requiretty
(sudo is being invoked from a daemon with no terminal, so requiretty would make every call fail)
Add:
Cmnd_Alias EVASIVE = /sbin/iptables, /bin/rm
apache ALL=(ALL) NOPASSWD: EVASIVE
* this alias lets the apache user run iptables and rm with any arguments as root, so a compromised web application could flush the firewall or delete any file on the box. Pin the alias to the exact argument forms evasive.sh uses, or move the iptables and rm calls into a small root-owned helper that validates its single argument and grant sudo only on that helper.
7) finally restart the httpd service, then use watch -n 1 -d iptables -nvL and watch -n 1 -d ls -lsa /var/lock/mod_evasive to watch the process working
Information thanks to my Senior Voo
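Added example, not the evasive.sh from the notes above: the same block/unblock cycle as shell functions, with the address validated before it reaches a command that runs as root. SUDO, IPTABLES and LOCKDIR are knobs introduced here so the cycle can be exercised without root; the defaults match the setup above. Since /var/lock/mod_evasive is owned by apache, the marker file can be removed without sudo, which lets /bin/rm be dropped from the sudoers alias.

```shell
#!/bin/sh
# Added example (not the page's evasive.sh): the block/unblock cycle written as
# functions, with the address validated before it reaches a command that runs
# as root.  SUDO, IPTABLES and LOCKDIR are this example's knobs so the cycle can
# be exercised without root (the test points IPTABLES at echo); the defaults
# match the page's setup.
SUDO=${SUDO-sudo}
IPTABLES=${IPTABLES:-/sbin/iptables}
LOCKDIR=${LOCKDIR:-/var/lock/mod_evasive}

# Accept only a dotted-quad IPv4 address: digits and dots, four octets, each
# 0-255.  Anything else (an IPv6 address, or a crafted string) is rejected.
is_ipv4() {
    case $1 in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_ip ADDRESS [SECONDS]: insert a DROP rule, hold it for SECONDS (600 by
# default, as in the page), remove it, then delete the dos-ADDRESS marker so
# mod_evasive can block the address again later.  The marker directory is
# owned by apache, so no sudo is needed for the rm.
block_ip() {
    ip=$1; hold=${2:-600}
    if ! is_ipv4 "$ip"; then
        echo "refusing to block invalid address: $ip" >&2
        return 1
    fi
    $SUDO "$IPTABLES" -I INPUT -s "$ip" -j DROP || return 1
    sleep "$hold"
    $SUDO "$IPTABLES" -D INPUT -s "$ip" -j DROP
    rm -f -- "$LOCKDIR/dos-$ip"
}
```

With this in place the sudoers alias only needs /sbin/iptables, and the DOSSystemCommand line becomes a call to a script that does block_ip "$1".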
Friday, August 3, 2012
Setup nagios
Nagios Server
add rpmforge into the server repo
# yum install nagios nagios-nrpe nagios-plugins nagios-plugins-nrpe perl-Nagios-Plugin
# chkconfig nagios on
# chkconfig nrpe on
Edit /etc/httpd/conf.d/nagios.conf to remove the SSL requirement and the user authentication
* do this only on a network you trust: without authentication anyone who can reach the web server can read every status page and, through cmd.cgi, submit commands to Nagios (the comments in cgi.cfg warn about exactly this). Keeping the Auth lines and creating a user with htpasswd is the safer option.
# vim /etc/httpd/conf.d/nagios.conf
ScriptAlias /nagios/cgi-bin "/usr/lib64/nagios/cgi"

<Directory "/usr/lib64/nagios/cgi">
# SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
# AuthName "Nagios Access"
# AuthType Basic
# AuthUserFile /etc/nagios/htpasswd.users
# Require valid-user
</Directory>

Alias /nagios "/usr/share/nagios"

<Directory "/usr/share/nagios">
# SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
# AuthName "Nagios Access"
# AuthType Basic
# AuthUserFile /etc/nagios/htpasswd.users
# Require valid-user
</Directory>
-----------------------------------------------------------------------------------
Edit /etc/nagios/cgi.cfg to match
# vim /etc/nagios/cgi.cfg
use_authentication=0
use_ssl_authentication=0
----------------------------------------------------------------------------------
Define the monitored host, its host group and a service in an object file
# vim /etc/nagios/objects/server.cfg
define hostgroup{
hostgroup_name linux-server
alias Linux Servers
members localhost,my-dns2
}
define host{
use linux-server
host_name my-dns2
alias my-dns2
address my-dns2.offgamers.lan
}
define service{
use local-service
host_name my-dns2
service_description Swap
check_command check_nrpe!check_swap
}
# vim /etc/nagios/nagios.cfg
add one cfg_file= line for each object file you created (the server.cfg above is in /etc/nagios/objects on this install), otherwise Nagios never loads it
Format: cfg_file=<file_name>
Example: cfg_file=/usr/local/nagios/etc/hosts.cfg
cfg_file=/usr/local/nagios/etc/services.cfg
cfg_file=/usr/local/nagios/etc/commands.cfg
Nagios Client
# yum install nagios-nrpe nagios-plugins nagios-plugins-nrpe perl-Nagios-Plugin
# chkconfig nrpe on
# vim /etc/nagios/nrpe.cfg
allowed_hosts=127.0.0.1,172.30.10.218
allowed_hosts is the only access control NRPE applies, so list only the Nagios server's address
at the bottom, edit the check commands to suit your environment
----------------------------------------------------------------------------------
If the Nagios server fails to start, use
# nagios -v /etc/nagios/nagios.cfg
to check what is wrong
Nagios options available
http://nagios.sourceforge.net/docs/3_0/objectdefinitions.html
smokeping 2.6.8 for Centos 6.3
add rpmforge into your linux repo
packages to yum install:
- mod_fcgid
- httpd
- httpd-devel
- rrdtool
- perl-CGI-SpeedyCGI
- fping
- perl-RRD-Simple
- perl
# yum install mod_fcgid httpd httpd-devel rrdtool perl-CGI-SpeedyCGI fping perl-RRD-Simple perl
# yum groupinstall "Development tools"
download the smokeping package from
http://oss.oetiker.ch/smokeping/pub/
# wget http://oss.oetiker.ch/smokeping/pub/smokeping-2.6.8.tar.gz
# tar -zxvf smokeping-2.6.8.tar.gz
# mv smokeping-2.6.8 /opt/smokeping
# cd /opt/smokeping
then install the required perl modules manually
#perl -MCPAN -e shell
> install FCGI
> install CGI::Fast
> install Config::Grammar
> install Digest::HMAC_MD5
> install Net::Telnet
> install Net::OpenSSH
> install Net::SNMP
> install Net::LDAP
> install Net::DNS
> install IO::Pty
> install LWP
instead of installing them one by one, you can run the script located in /opt/smokeping/setup
# cd /opt/smokeping/setup
# ./build-perl-modules.sh
after that is done, run configure and make install
# cd /opt/smokeping
# ./configure --prefix=/opt/smokeping
# make install
now prepare the configuration files from the shipped .dist templates
# cd /opt/smokeping/etc
# for foo in *.dist; do cp "$foo" "${foo%.dist}"; done
# vim /etc/httpd/conf/httpd.conf
change:
DirectoryIndex index.html index.html.var
to:
DirectoryIndex index.html index.html.var smokeping.fcgi
then enable this
AddHandler cgi-script .cgi
-------------------------------------------------------------------------------------------
# vim /etc/httpd/conf.d/smokeping.conf
<Directory "/var/www/html/smokeping">
Options +ExecCGI
</Directory>
-------------------------------------------------------------------------------------------
# mkdir /opt/smokeping/img
# chown -R apache:apache /opt/smokeping/img
# ln -s /opt/smokeping/htdocs /var/www/html/smokeping
# ln -s /opt/smokeping/img /var/www/html/smokeping
# mkdir /opt/smokeping/data
# mkdir /opt/smokeping/var
# chmod 600 /opt/smokeping/etc/smokeping_secrets
(smokeping refuses to use a secrets file that other users can read, so the chmod is required, not optional)
# chown -R apache:apache /var/www/html/smokeping
restart httpd
# /etc/init.d/httpd restart
edit the smokeping config to your needs
# vim /opt/smokeping/etc/config
start the smokeping service
# ./bin/smokeping --config=/opt/smokeping/etc/config --logfile=smoke.log
Reference and help thanks to Tony from http://ai.net.nz
Tuesday, July 31, 2012
Install VMware-tools for Centos 6.3
In the ESXi client, right-click the server > Guest > Install/Upgrade VMware Tools
then log in to the server console
# mount /dev/cdrom /mnt
# cd /mnt
# cp VMwareTools-xxx.tar.gz /root/
# cd /root
# tar -zxvf VMwareTools-xxx.tar.gz
# cd vmware-tools-distrib
# ./vmware-install.pl
just press Enter at every prompt to accept the defaults until the end
if the installer complains that it cannot locate the C compiler or the kernel headers, make sure gcc is installed and bring kernel and kernel-devel to the same version so the headers match the running kernel, reboot, then re-run the installer
# yum update kernel kernel-devel
# /sbin/shutdown -r now
# ./vmware-install.pl
squidview
download the latest package from
http://www.rillion.net/squidview/
# tar -xzvf squidview-0.7x.tar.gz
# cd squidview-0.7x
before building, make sure you have all the packages needed
# yum groupinstall "Development tools"
# yum install ncurses-static
proceed to compile and install
# ./configure
# make
# cp Makefile.old Makefile
# make oldgcc
# make install
Wednesday, July 18, 2012
Remove squid cache manually
Stop squid with /etc/init.d/squid stop
Next delete the cache directory with rm -rf /var/spool/squid (check first that this is the cache_dir set in squid.conf)
Create a new cache directory with mkdir /var/spool/squid
Change ownership to the squid user with chown squid:squid /var/spool/squid
Create the cache structure again with squid -z
Finally start squid with /etc/init.d/squid start
Friday, July 13, 2012
Clone HDD for ESXi
Before proceeding, you must first enable SSH on ESXi
then you can transfer your own ready-made .vmdk by scp or WinSCP into ESXi
but for myself, I made a standard template in ESXi so I can easily deploy other servers in future.
create a new VM but skip the disk creation
SSH into ESXi and use this command
# vmkfstools -i <input.vmdk> <output.vmdk>
then edit the VM, add a hard disk to it but choose
use an existing virtual disk, and select the newly cloned disk
usually the location of the VM is at
/vmfs/volumes/<random.number>/
so you need to find out the location first
if you clone back onto the same ESXi server, the newly cloned server may have network problems because the network card's MAC address will be different, so you need to edit
/etc/udev/rules.d/70-persistent-net.rules to update the MAC address
the cloned card shows up as eth1, so you just need to swap eth0 with eth1 and eth1 with eth0
Thursday, July 12, 2012
ESXi SSH keygen path
The SSH key folder on ESXi is located in /.ssh/
You can scp the public key from another server and append it with cat id_rsa.pub >> /.ssh/authorized_keys
Minimum HDD size for Centos 6
the minimum disk space needed for Centos 6 without any packages is 4GB:
100MB -> /boot
2000MB -> /
300MB -> swap
200MB -> /home
500MB -> /tmp
remainder -> /var
but if you want the minimum disk space for Centos 6 with the base package group, it is 5GB:
100MB -> /boot
3000MB -> /
300MB -> swap
200MB -> /home
500MB -> /tmp
remainder -> /var