The uploaded file exceeds the upload_max_filesize directive in php.ini

Posted: August 16, 2019 | Author: | Filed under: Apache, General Fixes, PHP | Leave a comment

 

I have created many web servers and wordpress installs.

The latest install threw up something new. The upload_max_filesize when uploading a theme zip.

Now I always forget to change the php.ini, so it is an easy one to fix.

Edit the php.ini file, change the following settings and restart the httpd server. Not that hard.

So locate these entries and change appropriately.

upload_max_filesize 999M
memory_limit 256M
post_max_size 999M
max_execution_time 600
max_input_time 900
systemctl restart httpd

And then try to upload the zip file again. Same error ??????

So into debug mode now.

Create a phpinfo.php file.

<?php

// Show all information, defaults to INFO_ALL
phpinfo();

?>

And open a browser to show the results.

Something very odd this still showed the original settings ?????????????

A lot of searching and somewhere I found reference to restarting the php service, this was at 7.1. I never knew this existed.

 

So systemctl resulted in displaying the list of services

There is a service php-fpm.service.

Restart this as you are ready to go.

systemctl restart php-fpm

Not sure about the details, maybe another time.

As always I hope this helps someone.

 

 

 

 

 

Building you on php modules (php-zip)

Posted: April 4, 2018 | Author: | Filed under: General Admin, PHP | 1 Comment

 

If there are elements of PHP not in the Repo of the Linux version you are using you can build it yourself. We are using LTS AWS linux and for some reason php-zip is not in the repo.

So

cd /tmp

1. Download the php source and unpack it:

From this URL you can find the nearest mirror

https://secure.php.net/get/php-7.2.0.tar.gz/from/a/mirror
wget http://uk1.php.net/get/php-7.2.0.tar.gz/from/this/mirror -O php-7.2.0.tar.gz

tar -xvzf php-7.2.0.tar.gz

We are unpacking it into the tmp directory

2. Install php development tools:

yum install php-devel


3. Change to the source directory

cd /tmp/php-7.2.0/ext/zip/


4. Compile

phpize
yum install gcc make zlib-devel zlib libxml2-devel

./configure
make

5. Copy the newly compiled extension to extension folder:

In this instance we are looking at php-zip therefore zip.so

cp /tmp/php-7.2.0/ext/zip/modules/zip.so /usr/lib64/php/modules/

 

Add the following to php.ini

vi /etc/php.ini
extension=zip.so

 

6. Restart httpd

systemctl restart httpd

 

Technical Bits n Pieces

Posted: January 20, 2016 | Author: | Filed under: General Admin | Tags: , , | Leave a comment

This really is and aide memoire, a scrap pad, random commands etc ……. as I come across errors, workarounds, fixes.

This is all about making those notes so that I don’t have to trawl Google again to find the answers and at least I know these commands work 🙂

How to grep IP addresses in a file?

I needed to tail a file for IP addresses as some thing was using a large amount of web server resource. The log file is called httpd-access

 tail -f httpd-access_log | grep -E -o “([0-9]{1,3}[\.]){3}[0-9]{1,3}”

How to deny and ip address from accessing your server?

Yes you can use a firewall, but if you are behind a load balancer or proxy server then you can not.

In either the httpd.conf or the .htaccess file add the following lines :-

httpd.conf – add these to the directory element of the file

Order allow,deny
Allow from all
deny from Enter IP address

At the end of the file

<Files 403.shtml>
order allow,deny
allow from all

.htaccess – add this to the IfModule element, You can deny IP addresses or use a RewriteCond and Rule.

# Block Bad Bots
RewriteCond %{HTTP_USER_AGENT} ^.*(Vagabondo).*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(AhrefsBot).*$ [NC]
# ISSUE 403 / SERVE ERRORDOCUMENT
RewriteRule . - [F,L]
order allow,deny
allow from all

deny from Enter Ip address here

Add this at the end of the file

<Files 403.shtml>
order allow,deny
allow from all
</Files>

The server will redirect traffic to a 403 error.

 

How to log the source IP address when behind a load balancer or proxy?

You use a load balancer to spread the load of your web sites, but how can you find the ip address of who is using your site, this is specific to the Apache server but something similar will work on nginx I am sure.

In the httpd.conf file change the

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

to

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" combined

You now should create some custom logs files, again in httpd.conf add the following lines to the virtualhost element

ErrorLog logs/httpd-error_log
CustomLog logs/httpd-access_log combined

…..

Allowing SSH access to Ubuntu 14.0 LTS Desktop

We are running some software that needs a Linux desktop, I am not a big fan of Ubuntu but it is one of the listed supported platforms.

I obviously need vnc access, wow what a pain. Centos / Redhat easy to do Ubuntu !!!!

So I though ssh on and just configure, well there is no SSH access out of the box. Build for the GUI generation. To get ssh access

sudo apt-get update
sudo apt-get install openssh-server

 

You now have ssh access!!!

 

Create a patch file and then the application of the patch

If you need to create a differential file for redeployment on another system then creating a patch file is ideal.

You will need the patch utilities installed

yum install patch

Now to create your patch file. Copy the original file into the same directory

e.g. cp config.php config.php_chg

Now update the config.php_chg file with all of your amendments

Now to create the file

diff -Naur config.php config.php_chg > config.php.patch

If you want to now apply the patch

patch config.php < config.php.patch

You now should keep the file in a safe place or if it is not a sensitive change, i.e. containing passwords then you can add it to https://gist.github.com/

 

 

 

 

 

 


		



		
		

	
Cheat sheet for installing Centrify

	Posted: November 10, 2015 | Author:  | Filed under: CentOS, Linux  | Tags: , ,   | Leave a comment
	
This is more for me that a general help blog, the instructions are pretty good with the Centrfy product (www.centrify.com), but there are pages and pages. I just want the salient points to get me up and running.


 


For those who do not know, this product allows you to join a Linux server to a Windows domain via a scripted method and with out all of the hassle trying to do it by hand. It also has a Samba element, this is what I want it for!!!!


 


There is much more to the enterprise product and you can do some really cool things with it, but I am happy with the free version.


 


You need to download the suite and Samba installs from here, the site tries its best to hide the downloads, you have to register for the download, and then it does it’s best to hide the bits you need.  To download and register use www.centrify.com/express/server-suite-form


Or you can follow this link http://www.centrify.com/express/linux-unix/download-files/#accordion-download-express-02


The express suite is for Centos is http://edge.centrify.com/products/centrify-suite/2015-update-1/installers/centrify-suite-2015.1-rhel4-x86_64.tgz


 


The Samba install is http://edge.centrify.com/products/opensource/samba-4.5.9/centrify-samba-4.5.9-rhel3-x86_64.tgz


 


So here is the basics on the installation.


You will need some base bits


yum -y install perl


mkdir /opt/software


cd /opt/software


wget http://edge.centrify.com/products/centrify-suite/2015-update-1/installers/centrify-suite-2015.1-rhel4-x86_64.tgz


wget http://edge.centrify.com/products/opensource/samba-4.5.9/centrify-samba-4.5.9-rhel3-x86_64.tgz




 


mkdir suite


tar -xvzf centrify-suite-2015.1-rhel4-x86_64.tgz -C suite


mkdir samba


tar -xvzf centrify-samba-4.5.9-rhel3-x86_64.tgz -C samba


cd suite


./install-express.sh




 


***** ***** ***** WELCOME to the Centrify Express installer! ***** ***** *****


 


Detecting local platform …


 


Running ./adcheck-rhel4-x86_64 … OSCHK : Verify that this is a supported OS : Pass PATCH : Linux patch check : Pass PERL : Verify perl is present and is a good version : Pass SAMBA : Inspecting Samba installation : Pass SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass HOSTNAME : Verify hostname setting : Pass NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass DNSPROBE : Probe DNS server 10.0.100.150 : Pass DNSCHECK : Analyze basic health of DNS servers : Warning  : Only one DNS server was found in /etc/resolv.conf.  : At least one backup DNS server is recommended for  : enterprise installations.  : Only one good DNS server was found  : You might be able to continue but it is likely that you  : will have problems.  : Add more good DNS servers into /etc/resolv.conf.


 


WHATSSH : Is this an SSH that DirectControl works well with : Pass SSH : SSHD version and configuration : Warning  : You are running OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013.  :   : This version of OpenSSH does not seem to be configured for PAM,  : ChallengeResponse and Kerberos/GSSAPI support.  : To get Active Directory users to successfully login,  : you need to configure your OpenSSH with the following options:  : (display the ones we identified were not set)  : ChallengeResponseAuthentication yes  : UsePAM Yes  :   : Centrify provides a version of OpenSSH that’s configured properly  : to allow AD users to login and provides Kerberos GSSAPI support.  :   : If you install Centrify Express or Centrify Suite  : Standard or Enterprise Edition, the Centrify build of  : OpenSSH will be installed automatically. Alternatively  : you may choose individual Suite packages to install  : with the Custom install option.


 


2 warnings were encountered during check. We recommend checking these before proceeding


 


WARNING: adcheck exited with warning(s).


 


With this script, you can perform the following tasks:  – Install (update) Centrify Suite Enterprise Edition (License required) [E]  – Install (update) Centrify Suite Standard Edition (License required) [S]  – Install (update) Centrify Suite Express Edition [X]  – Custom install (update) of individual packages [C]


 


You can type Q at any prompt to quit the installation and exit the script without making any changes to your environment.


 


How do you want to proceed? (E|S|X|C|Q) [X]:X


 


The Express mode license allows you to install a total of 200 agents. The Express mode license does not allow the use of licensed features for advanced authentication, access control, auditing, and centralized management. This includes, but is not limited to features such as SmartCard authentication, DirectAuthorize, DirectAudit, Group Policy, Login User Filtering, and NSS overrides.


 


Do you want to continue to install in Express mode? (C|Y|Q|N) [Y]:Y


 




 


Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:Y


 


Please enter the Active Directory domain to check [company.com]:acme


 


Join an Active Directory domain? (Q|Y|N) [Y]:Y


 


Enter the Active Directory domain to join [acme]:acme.local


 


Enter the Active Directory authorized user [administrator]:Administrator


 


Enter the password for the Active Directory user:


 


Enter the computer name [server-01]:Enter


 


Enter the container DN [Computers]: Enter  Enter the name of the domain controller [auto detect]:Enter


 


Reboot the computer after installation? (Q|Y|N) [Y]:Y


 


You will get a confirmation screen


 


Please enter the Active Directory domain to check [company.com]: acme Join an Active Directory domain? (Q|Y|N) [Y]:Y  Enter the Active Directory domain to join [churchill1795]: acme.local  Enter the Active Directory authorized user [administrator]: Administrator  Enter the password for the Active Directory user:   Enter the computer name [server-01]:   Enter the container DN [Computers]:   Enter the name of the domain controller [auto detect]:  Reboot the computer after installation? (Q|Y|N) [Y]:Y


 


You chose Centrify Suite Express Edition and entered the following:  Install CentrifyDC 5.2.3 package : Y  Install CentrifyDC-nis 5.2.3 package: N  Install CentrifyDC-openssh 5.2.3 package: Y  Install CentrifyDC-ldapproxy 5.2.3 package: N  Install CentrifyDA 3.2.3 package: N  Run adcheck : Y  Join an Active Directory domain : Y  Active Directory domain to join : acme.local  Active Directory authorized user : Administrator  computer name : server-01  container DN : Computers  domain controller name : auto detect  Reboot computer : Y


 


If this information is correct and you want to proceed, type “Y”. To change any information, type “N” and enter new information. Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:Y


  The installation will start and the sever will reboot if successful. To avoid any errors when installing the samba install you need some bits


yum -y install cups




 


cd /opt/software/samba


 rpm -i centrifydc-samba-3.6.25-4.5.9-rhel3-x86_64.rpm


rpm -i centrifydc-adbindproxy-4.5.9-rhel3-x86_64.rpm


perl /usr/share/centrifydc/bin/adbindproxy.pl




 


adbindproxy.pl is used to configure the Centrify custom Samba build to   interoperate with Centrify’s DirectControl product. It checks if the machine   is joined to an AD domain. If not, it will prompt for the join operation.   It also updates smb.conf and tdb files.


 


 For security reason, you will be prompted for password several times in   order to perform different AD operations when running this script.


 


Please specify Centrify Samba’s path if it is not in [/opt/centrify/samba/] :Enter


 




 


Using (/opt/centrify/samba/) The Samba base path is : /opt/centrify/samba/ Looking for conflicting Samba installations… No conflicting Samba found. Do you want to create symbolic links from /usr to /opt/centrify/samba/ [Y] : Y


 


Using (Y) Creating symbolic links from /usr/sbin/ to /opt/centrify/samba/sbin/… Creating symbolic links from /usr/bin/ to /opt/centrify/samba/bin/… Creating symbolic links from /usr/lib64/ to /opt/centrify/samba/lib/… Creating symbolic links from /lib/security/ to /opt/centrify/samba/lib/security/… Creating symbolic links from /etc/pam.d/ to /opt/centrify/samba/etc/pam.d/… Creating symbolic links from /etc/logrotate.d/ to /opt/centrify/samba/etc/logrotate.d/… Creating symbolic links from /etc/samba/smbusers to /opt/centrify/samba/etc/samba/smbusers  Creating symbolic links from /etc/samba/lmhosts to /opt/centrify/samba/etc/samba/lmhosts  Joined to Domain: churchill1795.local  Zone: Auto Zone Do you want to leave and join to another domain? [N] :N


 


Using (N) Remove Winbind settings (if any) from /etc/nsswitch.conf. No Winbind settings found. Removing old state files… Updating smb.conf with Centrify recommended settings… Existing file ‘/etc/centrifydc/centrifydc.conf’ is backed up as ‘/etc/centrifydc/centrifydc.conf.pre_adbindproxy’ Reset the Samba User/Group ID Cache (Centrify Samba may create conflicting mappings) [Y] :Y


 


Using (Y)


 


Init Samba start script …  Restarting Samba daemons …


 


Warning: Unit file of centrifydc-samba.service changed on disk, ‘systemctl daemon-reload’ recommended. Restarting centrifydc-samba (via systemctl): [ OK ]


 


Check if SWAT symbolic link exists: /opt/centrify/samba/share/samba/swat -> /opt/centrify/samba/share/swat


 


Current DirectControl Configuration:


 


Local host name: devwebapplication-02 Joined to domain: churchill1795.local Joined as: devwebapplications-02.churchill1795.local Pre-win2K name: devwebapplicati Current DC: ad-01.churchill1795.local Preferred site: HeadOffice Zone: Auto Zone Last password set: 2015-11-10 14:22:37 GMT CentrifyDC mode: connected Licensed Features: Disabled


 


Current Samba Configuration:


 


LDAP server: x.x.x.x LDAP server name: ad.acme.local Realm: acme.LOCAL Bind Path: dc=acmedc=LOCAL LDAP port: 389 Server time: Tue, 10 Nov 2015 14:22:40 GMT KDC server: x.x.x.x Server time offset: 0


 


Press ENTER to continue … 


 




Samba is now installed.   OK now you need to create a folder and share it. This is a development web server so I am sharing /var/www/html, the share will be called web   You need to edit the /etc/samba/smb.conf file   Go to the bottom of the file and [web] comment = Apache web directory path = /var/www/html public = no valid users = +DOMAINNAME\DOMAIN_GROUPNAME writable = yes   This will allow members of the group access to the directory.   Because this is a systemd server you need to use systemctl to restart the services.


systemctl restart centrifydc.service


 


Centrify also add the applicable ini.d scripts so


 


service centrifydc-samba restart
service centrifydc restart




 


 


 


 

		



		
		

	
Alternative to Splunk

	Posted: May 26, 2014 | Author:  | Filed under: General Admin  | Tags: ,   | 3 Comments
	
After having a few issues, I thought it should be time to get a central logging system in place. So Google to the rescue once more. I have come across a few and I will keep adding them to the following list.


 


This is more an aide de memoire so that I can pick this up when I get more time.


 


Graylog2 – this looks a good option http://graylog2.org/


Fluentd – the combination of a few bits will give you what you want, the looks to be a good http://docs.fluentd.org/articles/free-alternative-to-splunk-by-fluentd


 


OpenTSDB – not sure about this one, looks interesting though http://opentsdb.net


 


Logstash – Again looks interesting http://logstash.net


 


Any way I will let you know more as I install them


 


Al

		



		
		

	
Using Linux fsck to get you out of a jam

	Posted: May 26, 2014 | Author:  | Filed under: General Admin, Linux  | Tags: , , ,   | Leave a comment
	
Well, not the best start to the weekend, One of my reliable and trusty dev servers decided to throw a wobble and toss the proverbial baby out of the bath water and give me a wonderful SuperBlock error. 😦


Just for Google search the error was :-


mount: wrong fs type, bad option, bad superblock on /dev/mapper/Oracle_11G_Dev_Datap1,
       missing codepage or other error
       In some cases useful info is found in syslog – try
       dmesg | tail  or so


This is a Redhat Enterprise Linux version 5.9


 


So you turn to Google and off you go.


Now this site is worth a mention as it explains fsck pretty well http://www.thegeekstuff.com/2012/08/fsck-command-examples/


 


So off you go and try some of the commands


The issue is that there is a bad superblock, there are backup blocks though to find them you use


mke2fs -n /dev/mapper/mpath18p1


mke2fs 1.39 (29-May-2006)

Filesystem label=

OS type: Linux

Block size=4096 (log=2)

Fragment size=4096 (log=2)

214761472 inodes, 429522936 blocks

21476146 blocks (5.00%) reserved for the super user

First data block=0

Maximum filesystem blocks=4294967296

13108 block groups

32768 blocks per group, 32768 fragments per group

16384 inodes per group

Superblock backups stored on blocks:

32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,

4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,

102400000, 214990848


 


Issuing


fsck -v /dev/mapper/mpath18p1


fsck 1.39 (29-May-2006)

fsck: fsck.ext4: not found

fsck: Error 2 while executing fsck.ext4 for /dev/mapper/mpath18p1


You notice many instructions with the following command fsck.ext4 as you see in the output above. What many people do not tell you is that you need a package installing


yum install e4fsprogs


 


So now the moment of truth, take one of the superblock number from the mke2fs command and try the


e4fsck command


e4fsck -b 98304 /dev/mapper/mpath18p1


e4fsck 1.41.12 (17-May-2010)

Adding dirhash hint to filesystem.


/u100 was not cleanly unmounted, check forced.

Pass 1: Checking inodes, blocks, and sizes

Inode 7, i_blocks is 140000, should be 139888. Fix<y>? Y




And off you, a few hours later and many “y’s” being pressed it sprung back into life.


 


I am now looking for the commands to test / ensure that all is OK.


Good luck if you ever get this and I hope that this little bit of text works for you.


 

		



		
		

	
Creating a NFS CENTOS 6 Linux target server

	Posted: June 12, 2013 | Author:  | Filed under: CentOS, General Admin, Linux  | Tags: , , , ,   | Leave a comment
	
We have some old kit and and I have a Friday free now and we need a development environment to get a few things working.


So I decided to embark on  a vmware server and storage build. All of course without spending any money 🙂 (well on software anyway)


So I have 2 HP GL something servers for the vmware environment, a DL server to act as the iscii storage server and a 14 disk array that can be connected via a direct HBA fibre connect. All sounds good.


The idea is to software RAID the disk array, present the array to the storage server which will server this out as an iscii connection via direct connected bonded Ethernet cards.


The first thing that I though would be the easiest bit was to create the RAID array. This turned out not to be the case, but when you see the solution DOH!!!!!


Linux OS is CENTOS 6.3


I know you may wonder why I did not use FreeNAS or NAS4Free. I did try, but the hardware was not compatible. It would not even boot, so I could not even go after some fixes.


So onto the install.


First find out what the disks are called.


fdisk -l


Will display a long list look for something like


/dev/sd*


Armed with this information


fdisk -l | grep /dev/sd


This will list all of the disks. In my case /dev/sda —> /dev/sdm


To make sure all of the disks have no partition you can use various tools such as fdisk. Good tutorial How to delete a partion here. I used cfdisk. There is a menu with it so you do not have to remember the switches 🙂


cfdisk /dev/sd*


Delete any partitions and save and exit. Do this for all the disks that you want to put into the array.


Now to create the array. I am creating a RAID 6 array with 2 spare disks. They are old disk. Need a bit of guarantee regarding the condition.


A good mdam write up is actually in wikipedia of all places Mdadm


mdadm --create --verbose /dev/md0 --level=6 --raid-devices=12 /dev/sda /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf /dev/sdg /dev/sdh /dev/sdi /dev/sdj /dev/sdk --spare-devices=2 /dev/sdl /dev/sdm




I got this error mdadm: super1.x cannot open /dev/sdb1: Device or resource busy mdadm: ddf: Cannot use /dev/sdb1: Device or resource busy Not sure why you can get this, but basically it looks like some of the disks have a RAID configuration and are being held by the OS. To discover if this is the case


cat /proc/mdstat


This will list what RAID has got hold of the disks. A good chance if will be md127. To get rid of this


mdadm --stop /dev/<mdxxx>


Where xxx is the RAID number found in the cat command above. Once you have stopped the RAID, issue the mdadm –create command


This will start the creation of the RAID array. Depending on the size and speed this could take hours. To determine if the RAID is creating then


cat /proc/mdstat


You will get something along the lines of


cat /proc/mdstat

Personalities : [raid6] [raid5] [raid4]

md0 : active raid6 sdm[12](S) sdl[11](S) sdk[10] sdj[9] sdi[8] sdh[7] sdg[6] sdf[5] sde[4] sdd[3] sdc[2] sdb[1] sda[0]

1290359808 blocks super 1.2 level 6, 512k chunk, algorithm 2 [11/11] [UUUUUUUUUUU]

[======>…………..] resync = 32.7% (46917760/143373312) finish=175.3min speed=9168K/sec


unused devices: <none>


Once you have the RAID array created its time to create a file system and mount it and also make sure that the RAID starts when the system is re-booted


mdadm --detail --scan >> /etc/mdadm.conf


OK another area of investigation, what is the best Linux file system. Well as will all things it depends on what you need it for. The storage is for VMware files. These will be 10GB–50GB flat files and therefore I am going to try out the xfs file system which is supposed to be good and fast for the larger files.


Ok some thing strange happened, I had to reboot the server and the /dev/md0 became /dev/md127, no idea why, and I just wanted to get it finished.


You now need to create a logical volume, this will allow you to mount the disk


#create a volume group named “vg_target00”


vgcreate -s 32M vg_target00 /dev/md0


# create a logical volume named “lv_target00”


lvcreate -L 130G -n lv_target00 vg_target00


This creates it for all of the volume


lvcreate -l 100%VG -n lv_target00 vg_target00


This area got a bit fuzzy and the exact order may need to change, I tried to keep notes around this element, but I tried many different bits. One this is for sure though if you use xfs files system then to avoid the following error you need to install the correct packages


You may get the following error


bash: mkfs.xfs: command not found


Some bits and pieces were needed


yum install xfsdump xfsprogs


mkdir /mnt/storage


To make the file system


mount -t xfs /dev/vg_target00/lv_target00 /mnt/storage

mkfs -t xfs -f /dev/vg_target00/lv_target00


This will now have mounted it. To make this a permanent mount then you need to add a line to fstab


vi /etc/fstab


/dev/vg_target00/lv_target00 /mnt/storage       xfs     defaults        0 0




OK we now have the disk array prepared, we now need the connectivity to sort out. I installed a 4 port NIC card in the server, I will bond two port together to give me direct access to the two servers. Bonding the ports together will I hope give me enough throughput for some decent performance. To determine what nic you have


ls sysconfig/network-scripts/


This will list something along the lines of


ifcfg-eth0 ifcfg-eth5 ifdown-ippp ifdown-routes ifup-bnep ifup-plip ifup-sit network-functions

ifcfg-eth1 ifcfg-lo ifdown-ipv6 ifdown-sit ifup-eth ifup-plusb ifup-tunnel network-functions-ipv6

ifcfg-eth2 ifdown ifdown-isdn ifdown-tunnel ifup-ippp ifup-post ifup-wireless

ifcfg-eth3 ifdown-bnep ifdown-post ifup ifup-ipv6 ifup-ppp init.ipv6-global

ifcfg-eth4 ifdown-eth ifdown-ppp ifup-aliases ifup-isdn ifup-routes net.hotplug


The NIC cards I am interested in are ifcfg-eth2, ifcfg-eth3, ifcfg-eth4 and ifcfg-eth5. There is one note, many of the tutorials that I read specified changing the modprobe.conf file. This appears to be have been depreciated and now all the .conf files can be created in /etc/modprobe.d


So lets start we will have bond0 and bond1.


Just a note on the IP addresses that we will use. As we are direct connecting the servers, I am going to to configure the network too two IP hosts per connection


Therefore


bond0  details (server)


IPADDR=192.168.100.1

NETWORK=192.168.100.0

NETMASK=255.255.255.252


bond0  details (client)


IPADDR=192.168.100.2

NETWORK=192.168.100.0

NETMASK=255.255.255.252


bond1  details (server)


IPADDR=192.168.101.1

NETWORK=192.168.101.0

NETMASK=255.255.255.252


bond1  details (client)


IPADDR=192.168.101.2

NETWORK=192.168.101.0

NETMASK=255.255.255.252


You need ethtool installed to allow bonding NIC to work


yum install ethtool


Bond0 creation


 echo "DEVICE=bond0"  >/etc/sysconfig/network-scripts/ifcfg-bond0
 echo "IPADDR=192.168.100.1"  >> /etc/sysconfig/network-scripts/ifcfg-bond0
 echo "NETWORK=192.168.100.0"  >> /etc/sysconfig/network-scripts/ifcfg-bond0
 echo "NETMASK=255.255.255.252"  >> /etc/sysconfig/network-scripts/ifcfg-bond0
 echo "USERCTL=no"  >> /etc/sysconfig/network-scripts/ifcfg-bond0
 echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond0
 echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0


Bond1 creation


echo "DEVICE=bond1"  >/etc/sysconfig/network-scripts/ifcfg-bond1
echo "IPADDR=192.168.101.1"  >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "NETWORK=192.168.101.0"  >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "NETMASK=255.255.255.252"  >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "USERCTL=no"  >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond1


OK we now need to tell the NIC ports to belong to the bond


vi /etc/sysconfig/network-scripts/ifcfg-eth3


My current config looks like this


DEVICE=”eth3″

BOOTPROTO=”dhcp”

HWADDR=”00:0E:0C:C5:1C:25″

NM_CONTROLLED=”yes”

ONBOOT=”no”

TYPE=”Ethernet”

UUID=”13378c1e-98aa-4e18-9aee-b973b0e7b49e”


We need to change it to the following


DEVICE=”eth3″

USERCTL=”no”

BOOTPROTO=”none”

MASTER=bond0

SLAVE=”yes”

HWADDR=”00:0E:0C:C5:1C:25″

NM_CONTROLLED=”yes”

ONBOOT=”yes”

TYPE=”Ethernet”

UUID=”13378c1e-98aa-4e18-9aee-b973b0e7b49e”


This needs to be done for all of the ports and bonds.


Once this is done, you need to start the bonds, to do this create a bonding.conf file. There are many difference bonding modes these are described in the Tips and tricks for bonding interfaces.


I want to balance my NIC to get the best throughput so I an using mode 5


echo "alias bond0 bonding" > /etc/modprobe.d/bonding.conf
echo "options bond0 mode=5 miimon=100" >> /etc/modprobe.d/bonding.conf
echo "alias bond1 bonding" >> /etc/modprobe.d/bonding.conf
echo "options bond1 mode=5 miimon=100" >> /etc/modprobe.d/bonding.conf




We now need to add this to the kernel (not sure exactly what this means but taken from all the tutorials read this is what you have to do)


modprobe bonding


Okay the last this that I want to is present the disk so that the servers can use it. I tried iscii at the start but this really did not work in our environment, so I opted for NFS. So this is how I think I got this working, there was a mix of iscii and NFS going on so this maybe a little inaccurate, but it will get you most of the way there :).


yum -y install nfs-utils rpcbind




chkconfig nfs on
chkconfig rpcbind on
chkconfig nfslock on




The two line below referrer to the networks that servers will be allowed to access the NFS shares from. For security I would keep this as small as possible and due to the namture an amount of traffic should be on a separate network.


vi /etc/exports
/mnt/storage 192.168.100.0/255.255.255.252(rw,sync,no_root_squash)


/mnt/storage 192.168.101.0/255.255.255.252(rw,sync,no_root_squash)




exportfs -a




I have compiled this almost how to guide from the resources below

		



		
		

	
Installing Java JRE on an Amazon Linux AMI

	Posted: October 18, 2012 | Author:  | Filed under: General Admin, Linux  | Tags: , ,   | Leave a comment
	
I am building my Apex environment and one of the requirements is to have Java JRE installed. I hate installing Java on Linux. The first thing to do is remove the Java version that is installed on a Amazon Linux image. The Java version is Java-openJDK and this may work but lets stick with Sun Java.


To un-install openJDK


yum erase java*


Now download the latest JRE for your environment from Java SE Downloads


mkdir /opt/software


cd /opt/software


upload the rpm / bin file to here I downloaded the jre-6u25-linux-x64-rpm.bin. The rpm file is easier to intstall


chmod 755 jre-6u25-linux-x64-rpm.bin


./jre-6u25-linux-x64-rpm.bin




To ensure that the java path is always available


Navigate to the home folder of the user, in my case this is root and edit the .bash_profile


 


vi ~/.bash_profile


Insert the following line


JAVA_HOME=/usr/bin/java


The path obviously has to match where Java is installed.


 


To make this available to all users create a file in  /etc/profile.d


 


I am going to standardise on my company_name.sh


 


vi /etc/profile.d/company_name.sh


JAVA_HOME=/usr/bin/java


 

		



		
		

	
Securing your Linux server from SSH attacks

	Posted: July 4, 2012 | Author:  | Filed under: Amazon AWS, EC2, General Admin, IT Survival, Linux  | Tags: , , ,   | Leave a comment
	
If you build any server that is accessible from the internet then you are in for a world of pain. All the servers I have ever tended to build have sat behind a nice corporate firewall controlled by me, and to SSH to them you needed to be in our network. What a great strategy, if you can not get to me you can not hack me :). Or the script kiddies can not have a pop and use valuable bandwidth and server resources.


So as soon as you get to Amazon AWS you need to seriously start thinking about your server security. You have of course got the AWS security groups to help you, but we no have a need to allow SSH access to some of our servers by third party people.


Therefore you need to harden the servers even more, Amazon goes some way with protecting their servers with key access only, but sometimes you need to give good old username and password access.


You therefore will start seeing entries in your /var/log/secure file something along the lines of :


Jul 1 20:48:28 ip-10-228-234-162 sshd[6901]: pam_succeed_if(sshd:auth): error retrieving information about user andreea

Jul 1 20:48:30 ip-10-228-234-162 sshd[6901]: Failed password for invalid user andreea from 27.54.120.3 port 42511 ssh2

Jul 1 19:48:30 ip-10-228-234-162 sshd[6904]: Received disconnect from 27.54.120.3: 11: Bye Bye

Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: Invalid user davida from 27.54.120.3

Jul 1 19:48:32 ip-10-228-234-162 sshd[6914]: input_userauth_request: invalid user davida

Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: pam_unix(sshd:auth): check pass; user unknown

Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruse

r= rhost=27.54.120.3


How annoying, that you have to expend time and effort with this these idiots.


Well luckily Linux has some built in defence mechanisms against such people in the hosts.deny file.


You could manually go through or get someone to go through you secure file but someone who is far more cleaver that me, has written a utility that does this for you. http://denyhosts.sourceforge.net/


What a tool, there is a brilliant README file in the install directory, but as usual  to make it easy or your and me, here are the highlights to get it working


yum install python


cd ~

mkdir software

cd software

wget http://sourceforge.net/projects/denyhosts/files/denyhosts/2.6/DenyHosts-2.6.tar.gz/download

tar -xvzf DenyHosts-2.6.tar.gz

cd DenyHosts-2.6

python setup.py install


cd /usr/share/denyhosts


cp denyhosts.cfg-dist denyhosts.cfg

cp daemon-control-dist daemon-control


vi denyhosts.cfg

chown root:root daemon-control

chmod 700 daemon-control


vi denyhosts.cfg


Change the file to match your distribution, I am using a Red Hat based distro as you would expect being in Amazon. I left everything as standard except I turned on the sync to get the host IP addresses of these annoying idiots.


The instructions for starting the daemon automatically is so straight forward, the guy who wrote this sure did understand the software but also how to document it 🙂


cd /etc/init.d


ln -s /usr/share/denyhosts/daemon-control denyhosts


If you have chkconfig installed you can then use it to

ensure that DenyHosts runs at boot time:


chkconfig –add denyhosts




service denyhosts start

		



		
		

	
Linux handy commands

	Posted: July 3, 2012 | Author:  | Filed under: General Admin, IT Survival, Linux  | Tags: , ,   | Leave a comment
	
As you use Linux more and more as with any operating system you meet challenges and need to find the solutions. Linux has a raft of commands, Many build into the core system. These commands will be used over and over again. Some will be second nature as you use them all of the time others you will use perhaps once a year.


One of the difficulties that you will find though is matching the command to what you want to do, I have created this post therefore to highlight the commands but to also put them into context in real life problems and issues, it also a good aide memoire for me 🙂


Contents of this as hopefully it will get long:


How to find the PID of a process / How to find the PID of a process based on the port number being used.


Set server to a specific time zone


 How to find the PID of a process / How to find the PID of a process based on the port number being used.


I was playing with an FTP server in Amazon EC2 more about this when I have figured it out!!! and needed to end the FTP process, there is no service yet so I needed to kill the process and needed to understand how to get the PID to kill it so:


lsof -i | grep <port number> / process name


e.g.


lsof -i | grep ftp


NOTE sometime the port number is of no use


You  will get a result something like this :


vsftpd   19744     root    3u  IPv4  24265      0t0  TCP *:ftp (LISTEN)


The PID in this instance is 19744


Just use the standard kill command in Linux to stop the process


kill -9 19744






 Set server to a specific time zone


I need to set my Amazon server to UK BST time, There are no servers in the UK so the time is incorrect, to rectify this.


To display the timezones available


ls /usr/share/zoneinfo/


cd /etc


ln -sf /usr/share/zoneinfo/GB localtime


GB appears to be BST, to check the date and time


date

		



		
		

			
← Older Entries