The uploaded file exceeds the upload_max_filesize directive in php.ini
Posted: August 16, 2019 Filed under: Apache, General Fixes, PHP Leave a comment
I have created many web servers and WordPress installs.
The latest install threw up something new: an upload_max_filesize error when uploading a theme zip.
Now I always forget to change php.ini, so it is an easy one to fix.
Edit the php.ini file, change the following settings and restart the httpd server. Not that hard.
So locate these entries and change them appropriately. Two things to keep in mind: upload_max_filesize must not exceed post_max_size, otherwise the whole POST is discarded before PHP ever sees the file; and 999M is far more than a theme zip needs, so pick the smallest limit that fits what you actually upload, since every byte of that limit is disk and bandwidth an anonymous client can make the server consume.
upload_max_filesize = 999M
memory_limit = 256M
post_max_size = 999M
max_execution_time = 600
max_input_time = 900
systemctl restart httpd
And then try to upload the zip file again. Same error??
So into debug mode now.
Create a phpinfo.php file. Delete it again once you are done: it discloses paths, versions, loaded modules and configuration to anyone who can request it. Note that the comment and the call must be on separate lines; on one line the // comment runs up to the closing ?> and swallows the phpinfo() call.
<?php
// Show all information, defaults to INFO_ALL
phpinfo();
?>
And open a browser to show the results.
Something very odd: this still showed the original settings.
A lot of searching and somewhere I found reference to restarting the PHP service; this was on PHP 7.1. I never knew this existed.
So running systemctl on its own displayed the list of services.
There is a php-fpm.service.
Restart this and you are ready to go.
systemctl restart php-fpm
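Why restarting httpd was not enough, and a check worth running before the restart, as an added example that is not part of the original post: under php-fpm, Apache only proxies requests to a separate PHP-FPM process, and that process reads php.ini when it starts, so the FPM service has to be restarted (or reloaded) for new limits to take effect. The script below reads the size directives out of a php.ini and checks the ordering a file upload depends on. The ini fragment it reads is constructed for the demo, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: read the size limits out of a
# php.ini and check the ordering a file upload depends on,
#   upload_max_filesize <= post_max_size   (otherwise the whole POST is discarded
#                                           before PHP sees the file)
#   post_max_size       <= memory_limit    (php.ini's own recommendation; -1 = unlimited)
# DEMO_INI below is a constructed fragment; point the functions at /etc/php.ini.

# Convert a PHP shorthand size (256M, 2G, 8192, -1) to bytes.
php_size_to_bytes() {
  size=${1:-0}
  num=$(printf '%s' "$size" | sed 's/[KkMmGg]$//')
  case "$size" in
    *[Kk]) echo $((num * 1024)) ;;
    *[Mm]) echo $((num * 1024 * 1024)) ;;
    *[Gg]) echo $((num * 1024 * 1024 * 1024)) ;;
    *)     echo "$num" ;;
  esac
}

# Print the last uncommented value of directive $2 in ini file $1 (empty if unset).
# Lines starting with ";" are comments in php.ini and fail the anchored match.
ini_value() {
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
    | sed 's/^[^=]*=[[:space:]]*//' | tr -d '[:space:]'
}

# 0 when an upload of upload_max_filesize bytes fits inside post_max_size.
upload_fits_post() {
  up=$(php_size_to_bytes "$(ini_value "$1" upload_max_filesize)")
  post=$(php_size_to_bytes "$(ini_value "$1" post_max_size)")
  [ "$up" -le "$post" ]
}

# 0 when memory_limit is unlimited or at least post_max_size.
memory_covers_post() {
  post=$(php_size_to_bytes "$(ini_value "$1" post_max_size)")
  mem=$(php_size_to_bytes "$(ini_value "$1" memory_limit)")
  [ "$mem" -eq -1 ] || [ "$post" -le "$mem" ]
}

# Run both checks, report each failure on stderr, return non-zero if any failed.
check_php_limits() {
  rc=0
  upload_fits_post "$1"   || { echo "upload_max_filesize exceeds post_max_size in $1" >&2; rc=1; }
  memory_covers_post "$1" || { echo "memory_limit is below post_max_size in $1" >&2; rc=1; }
  return $rc
}

# Constructed sample using the values from the post: the upload fits the POST
# limit, but memory_limit (256M) is below post_max_size (999M).
DEMO_INI=$(mktemp)
cat > "$DEMO_INI" <<'EOF'
; constructed php.ini fragment for the demo
;upload_max_filesize = 2M
upload_max_filesize = 999M
memory_limit = 256M
post_max_size = 999M
max_execution_time = 600
max_input_time = 900
EOF
```

Run check_php_limits /etc/php.ini before restarting. Bear in mind that php-fpm pools can override these directives with php_admin_value lines in the pool configuration under /etc/php-fpm.d, which is the other reason phpinfo() output can disagree with php.ini.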
Not sure about the details, maybe another time.
As always I hope this helps someone.
Building your own php modules (php-zip)
Posted: April 4, 2018 Filed under: General Admin, PHP 1 Comment
If there are elements of PHP not in the repo of the Linux version you are using you can build them yourself. We are using LTS AWS Linux and for some reason php-zip is not in the repo. Build the extension from the source of the same PHP line that is installed (check php -v against the tarball version): phpize compiles against the installed headers, and a zip.so built from a different major.minor will refuse to load.
So
cd /tmp
1. Download the php source and unpack it:
From this URL you can find the nearest mirror
https://secure.php.net/get/php-7.2.0.tar.gz/from/a/mirror
wget http://uk1.php.net/get/php-7.2.0.tar.gz/from/this/mirror -O php-7.2.0.tar.gz
tar -xvzf php-7.2.0.tar.gz
We are unpacking it into the tmp directory. The mirror link is plain http, so compare the tarball's SHA-256 with the digest published on php.net before unpacking it; you are about to compile and load this code into every PHP process on the box.
2. Install php development tools:
yum install php-devel
3. Change to the source directory
cd /tmp/php-7.2.0/ext/zip/
4. Compile
phpize
yum install gcc make zlib-devel zlib libxml2-devel
./configure
make
5. Copy the newly compiled extension to extension folder:
In this instance we are looking at php-zip therefore zip.so
cp /tmp/php-7.2.0/ext/zip/modules/zip.so /usr/lib64/php/modules/
Add the following to php.ini
vi /etc/php.ini
extension=zip.so
6. Restart httpd (and php-fpm, if that is how PHP is being served, for the same reason as in the upload_max_filesize post above)
systemctl restart httpd
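Two checks worth bolting on before step 4, added here as example code rather than anything from the original post or from php.net: verify the tarball's SHA-256 against the digest published on php.net (the mirror link above is plain http), and confirm the source's major.minor matches the installed PHP that php-devel targets. The expected digest and the installed version are passed in as arguments, the function names are assumptions of this example, and the placeholder digest in the usage comment must be replaced with the real one.

```shell
#!/bin/sh
# Added example, not part of the original post. Gate the unpack step on two
# checks: the tarball's SHA-256 matches the published digest, and the source
# version shares major.minor with the installed PHP (otherwise the built zip.so
# will not load because the extension API differs).

# Print the major.minor part of a version string: "7.2.0" -> "7.2".
php_major_minor() {
  printf '%s\n' "$1" | cut -d. -f1,2
}

# 0 when two version strings share major.minor, 1 otherwise.
php_api_compatible() {
  [ "$(php_major_minor "$1")" = "$(php_major_minor "$2")" ]
}

# 0 when the file's SHA-256 equals the expected digest, 1 otherwise.
verify_sha256() {
  file=$1
  expected=$2
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Unpack only if both checks pass. Usage (digest is a placeholder to replace):
#   checked_unpack php-7.2.0.tar.gz <sha256 from php.net> "$(php -r 'echo PHP_VERSION;')"
checked_unpack() {
  tarball=$1
  expected_sha=$2
  installed_php=$3
  # Take the version out of the php-X.Y.Z.tar.gz file name.
  src_version=$(printf '%s' "$tarball" | sed -n 's/^php-\([0-9.]*\)\.tar\.gz$/\1/p')
  if ! php_api_compatible "$src_version" "$installed_php"; then
    echo "source $src_version does not match installed PHP $installed_php; the built zip.so would not load" >&2
    return 1
  fi
  if ! verify_sha256 "$tarball" "$expected_sha"; then
    echo "sha256 mismatch for $tarball; refusing to unpack" >&2
    return 1
  fi
  tar -xzf "$tarball"
}
```

The version check is deliberately strict on major.minor only: patch releases within a line keep the same extension API, so building ext/zip from 7.2.0 source against a 7.2.x install is fine, while 7.2 source against a 7.4 install is not.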
Technical Bits n Pieces
Posted: January 20, 2016 Filed under: General Admin | Tags: gist, github, patch Leave a comment
This really is an aide-memoire, a scrap pad, random commands etc. as I come across errors, workarounds, fixes.
This is all about making those notes so that I don't have to trawl Google again to find the answers, and at least I know these commands work 🙂
How to grep IP addresses in a file?
I needed to tail a file for IP addresses as something was using a large amount of web server resource. The log file is called httpd-access_log
tail -f httpd-access_log | grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}'
Note that this pattern matches any four dot-separated numbers, including strings such as 999.1.1.1 that are not addresses, and behind a load balancer the first field of each line is the balancer's address, not the client's (see the X-Forwarded-For note further down).
How to deny an IP address from accessing your server?
Yes you can use a firewall, but if you are behind a load balancer or proxy server then every connection your server sees comes from the balancer, so a host firewall rule on the client's address does nothing. The Apache directives below have the same limitation: Allow/Deny match the connecting address, so behind a balancer you need mod_remoteip (Apache 2.4) or a RewriteCond on the X-Forwarded-For header to block by real client IP. Order/Allow/Deny is also Apache 2.2 syntax; on 2.4 it only works with mod_access_compat loaded, the native form being a <RequireAll> block containing Require all granted and Require not ip <IP address>.
In either the httpd.conf or the .htaccess file add the following lines:
httpd.conf – add these to the directory element of the file
Order allow,deny
Allow from all
Deny from <IP address>
At the end of the file
<Files 403.shtml>
Order allow,deny
Allow from all
</Files>
.htaccess – add this to the IfModule element. You can deny IP addresses or use a RewriteCond and RewriteRule.
# Block Bad Bots
RewriteCond %{HTTP_USER_AGENT} ^.*(Vagabondo).*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(AhrefsBot).*$ [NC]
# ISSUE 403 / SERVE ERRORDOCUMENT
RewriteRule . - [F,L]
Order allow,deny
Allow from all
Deny from <IP address>
Add this at the end of the file
<Files 403.shtml>
Order allow,deny
Allow from all
</Files>
The server will answer those requests with a 403 Forbidden. The User-Agent match is a convenience, not a control: the header is whatever the client chooses to send, so a bot that wants in simply changes it.
How to log the source IP address when behind a load balancer or proxy?
You use a load balancer to spread the load of your web sites, but how can you find the IP address of who is using your site? This is specific to the Apache server, but something similar will work on nginx.
In the httpd.conf file change the
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
to
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" combined
X-Forwarded-For is an ordinary request header: a client can send one of its own, and the balancer appends the address it actually saw to the end of the list. So when you act on this field (blocking, rate limiting, abuse reports) trust the rightmost entry, or, on Apache 2.4, let mod_remoteip rewrite the client address for you with RemoteIPHeader X-Forwarded-For and RemoteIPInternalProxy set to the balancer's addresses, after which %a in the log is the real client.
You should now create some custom log files; again in httpd.conf add the following lines to the virtualhost element
ErrorLog logs/httpd-error_log
CustomLog logs/httpd-access_log combined
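The two notes above (pulling addresses out of the access log, and logging X-Forwarded-For behind a balancer) share one pitfall: the dotted-quad pattern matches strings that are not addresses, and X-Forwarded-For is a header the client can pre-seed, so the only trustworthy entry is the one the balancer appended at the right-hand end. The script below is an added example, not code from the original post: it reads lines in the LogFormat above, validates octets, picks the rightmost forwarded address (falling back to %h when there is none) and counts requests per client. The log lines are constructed sample data and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Works on lines written by the
# combined-plus-X-Forwarded-For LogFormat above. Two things it gets right that
# a bare "grep -o" does not:
#  - octets are range-checked, so 999.1.1.1 is rejected;
#  - behind a balancer %h is the balancer; the client address is the RIGHTMOST
#    X-Forwarded-For entry (the one the balancer appended), never the first,
#    which the client can set to anything.
# SAMPLE_LOG is constructed data.

SAMPLE_LOG=$(cat <<'EOF'
10.0.1.5 - - [16/Aug/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.7"
10.0.1.5 - - [16/Aug/2019:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "curl/7.64" "1.2.3.4, 198.51.100.9"
10.0.1.5 - - [16/Aug/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 403 210 "-" "curl/7.64" "999.1.1.1, 198.51.100.9"
10.0.1.5 - - [16/Aug/2019:10:00:04 +0000] "GET /xmlrpc.php HTTP/1.1" 200 300 "-" "AhrefsBot/6.1" "-"
EOF
)

# 0 if $1 is a syntactically valid IPv4 address (four octets, each 0-255).
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(printf '%s' "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# Print the client address for one log line: the rightmost X-Forwarded-For entry
# when the field is present and valid, otherwise the %h field.
client_ip() {
  line=$1
  xff=$(printf '%s' "$line" | awk -F'"' '{print $(NF-1)}')   # last quoted field
  last=$(printf '%s' "$xff" | awk -F', *' '{print $NF}')    # rightmost list entry
  if [ "$xff" != "-" ] && is_ipv4 "$last"; then
    printf '%s\n' "$last"
  else
    printf '%s\n' "${line%% *}"
  fi
}

# Count requests per client address over a log fed on stdin; prints "count ip"
# lines, busiest first, which is what the tail | grep in the post was after.
top_clients() {
  while IFS= read -r line; do
    client_ip "$line"
  done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Convenience wrapper over the embedded sample so the script runs stand-alone.
top_sample_clients() {
  printf '%s\n' "$SAMPLE_LOG" | top_clients
}
```

Feed a live log with tail -f httpd-access_log | top_clients to watch counts build up; the attacker-controlled 1.2.3.4 and the invalid 999.1.1.1 in the sample are both ignored in favour of the balancer-appended 198.51.100.9.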
Allowing SSH access to Ubuntu 14.0 LTS Desktop
We are running some software that needs a Linux desktop. I am not a big fan of Ubuntu but it is one of the listed supported platforms.
I obviously need VNC access; wow, what a pain. CentOS / Red Hat easy to do, Ubuntu!!!!
So I thought I would SSH on and just configure it; well, there is no SSH access out of the box. Built for the GUI generation. To get SSH access
sudo apt-get update
sudo apt-get install openssh-server
You now have SSH access!!! The stock sshd_config accepts password logins for every local account, so if the desktop is reachable from anything other than a trusted LAN, put a key in ~/.ssh/authorized_keys and set PasswordAuthentication no before leaving it running.
Create a patch file and then the application of the patch
If you need to create a differential file for redeployment on another system then creating a patch file is ideal.
You will need the patch utilities installed
yum install patch
Now to create your patch file. Copy the original file into the same directory
e.g. cp config.php config.php_chg
Now update the config.php_chg file with all of your amendments
Now to create the file
diff -Naur config.php config.php_chg > config.php.patch
If you want to now apply the patch
patch config.php < config.php.patch
You should now keep the file in a safe place, or, if it is not a sensitive change, i.e. one containing passwords, you can add it to https://gist.github.com/. A gist is public by default and the + lines of a config patch are exactly where credentials end up, so read those lines before you push.
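The round trip above, with the pre-publish check it hints at, as an added example rather than anything from the original post: build a before and after copy of a config file, create the patch exactly as the post does, scan the added lines for credential-looking assignments, then apply and verify. The file contents, the secret-name patterns and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. It reproduces the diff/patch round
# trip on a constructed config.php, then scans the patch's ADDED lines for
# credential-looking assignments before the patch goes anywhere public such as
# a gist. File contents and the secret-name patterns are illustrative.

WORK=$(mktemp -d)

# Build the "before" copy and the amended "_chg" copy the post describes.
make_fixture() {
  cat > "$WORK/config.php" <<'EOF'
<?php
$db_host = 'localhost';
$db_user = 'app';
$db_pass = 'changeme';
$debug   = false;
EOF
  sed -e "s/'localhost'/'db.internal'/" -e "s/'changeme'/'S3cretPr0d'/" \
    "$WORK/config.php" > "$WORK/config.php_chg"
}

# Same diff invocation as in the post. diff exits 1 when the files differ, which
# is the expected case here, so only treat other statuses as an error.
make_patch() {
  (cd "$WORK" || exit 1
   diff -Naur config.php config.php_chg > config.php.patch || [ $? -eq 1 ])
}

# 0 if any added line (leading "+", but not the "+++" file header) in patch $1
# looks like it assigns a credential.
patch_has_secrets() {
  grep -E '^\+[^+]' "$1" \
    | grep -Eiq '(pass|passwd|password|secret|token|api[_-]?key)[^=:]*[=:]'
}

# Apply the patch to the original, as in the post, and confirm the result is
# byte-identical to the amended copy.
apply_and_verify() {
  (cd "$WORK" || exit 1
   patch -s config.php < config.php.patch && cmp -s config.php config.php_chg)
}
```

Run make_fixture, make_patch and then patch_has_secrets "$WORK/config.php.patch": it reports the $db_pass line, which is the one that must not reach a public gist. The pattern list is a starting point, not a guarantee; anything that looks like a key, connection string or token deserves the same treatment.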
Cheat sheet for installing Centrify
Posted: November 10, 2015 Filed under: CentOS, Linux | Tags: Centrify, Join Domain, Samba Leave a comment
This is more for me than a general help blog; the instructions are pretty good with the Centrify product (www.centrify.com), but there are pages and pages. I just want the salient points to get me up and running.
For those who do not know, this product allows you to join a Linux server to a Windows domain via a scripted method and without all of the hassle of trying to do it by hand. It also has a Samba element; this is what I want it for!!!!
There is much more to the enterprise product and you can do some really cool things with it, but I am happy with the free version.
You need to download the suite and Samba installs from here; the site tries its best to hide the downloads, you have to register for the download, and then it does its best to hide the bits you need. To download and register use www.centrify.com/express/server-suite-form
Or you can follow this link http://www.centrify.com/express/linux-unix/download-files/#accordion-download-express-02
The express suite for CentOS is http://edge.centrify.com/products/centrify-suite/2015-update-1/installers/centrify-suite-2015.1-rhel4-x86_64.tgz
The Samba install is http://edge.centrify.com/products/opensource/samba-4.5.9/centrify-samba-4.5.9-rhel3-x86_64.tgz
So here are the basics of the installation.
You will need some base bits
yum -y install perl
mkdir /opt/software
cd /opt/software
wget http://edge.centrify.com/products/centrify-suite/2015-update-1/installers/centrify-suite-2015.1-rhel4-x86_64.tgz
wget http://edge.centrify.com/products/opensource/samba-4.5.9/centrify-samba-4.5.9-rhel3-x86_64.tgz
mkdir suite
tar -xvzf centrify-suite-2015.1-rhel4-x86_64.tgz -C suite
mkdir samba
tar -xvzf centrify-samba-4.5.9-rhel3-x86_64.tgz -C samba
cd suite
./install-express.sh
***** ***** ***** WELCOME to the Centrify Express installer! ***** ***** *****
Detecting local platform ...
Running ./adcheck-rhel4-x86_64 ...
OSCHK    : Verify that this is a supported OS                : Pass
PATCH    : Linux patch check                                 : Pass
PERL     : Verify perl is present and is a good version      : Pass
SAMBA    : Inspecting Samba installation                     : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass
HOSTNAME : Verify hostname setting                           : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf            : Pass
DNSPROBE : Probe DNS server 10.0.100.150                     : Pass
DNSCHECK : Analyze basic health of DNS servers               : Warning
         : Only one DNS server was found in /etc/resolv.conf.
         : At least one backup DNS server is recommended for
         : enterprise installations.
         : Only one good DNS server was found
         : You might be able to continue but it is likely that you
         : will have problems.
         : Add more good DNS servers into /etc/resolv.conf.
WHATSSH  : Is this an SSH that DirectControl works well with : Pass
SSH      : SSHD version and configuration                    : Warning
         : You are running OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013.
         :
         : This version of OpenSSH does not seem to be configured for PAM,
         : ChallengeResponse and Kerberos/GSSAPI support.
         : To get Active Directory users to successfully login,
         : you need to configure your OpenSSH with the following options:
         : (display the ones we identified were not set)
         : ChallengeResponseAuthentication yes
         : UsePAM Yes
         :
         : Centrify provides a version of OpenSSH that's configured properly
         : to allow AD users to login and provides Kerberos GSSAPI support.
         :
         : If you install Centrify Express or Centrify Suite
         : Standard or Enterprise Edition, the Centrify build of
         : OpenSSH will be installed automatically. Alternatively
         : you may choose individual Suite packages to install
         : with the Custom install option.
2 warnings were encountered during check. We recommend checking these before proceeding
WARNING: adcheck exited with warning(s).
With this script, you can perform the following tasks:
– Install (update) Centrify Suite Enterprise Edition (License required) [E]
– Install (update) Centrify Suite Standard Edition (License required) [S]
– Install (update) Centrify Suite Express Edition [X]
– Custom install (update) of individual packages [C]
You can type Q at any prompt to quit the installation and exit the script without making any changes to your environment.
How do you want to proceed? (E|S|X|C|Q) [X]:X
The Express mode license allows you to install a total of 200 agents. The Express mode license does not allow the use of licensed features for advanced authentication, access control, auditing, and centralized management. This includes, but is not limited to features such as SmartCard authentication, DirectAuthorize, DirectAudit, Group Policy, Login User Filtering, and NSS overrides.
Do you want to continue to install in Express mode? (C|Y|Q|N) [Y]:Y
Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:Y
Please enter the Active Directory domain to check [company.com]:acme
Join an Active Directory domain? (Q|Y|N) [Y]:Y
Enter the Active Directory domain to join [acme]:acme.local
Enter the Active Directory authorized user [administrator]:Administrator
Enter the password for the Active Directory user:
Enter the computer name [server-01]:Enter
Enter the container DN [Computers]: Enter
Enter the name of the domain controller [auto detect]: Enter
Reboot the computer after installation? (Q|Y|N) [Y]:Y
You will get a confirmation screen
Please enter the Active Directory domain to check [company.com]: acme
Join an Active Directory domain? (Q|Y|N) [Y]:Y
Enter the Active Directory domain to join [churchill1795]: acme.local
Enter the Active Directory authorized user [administrator]: Administrator
Enter the password for the Active Directory user:
Enter the computer name [server-01]:
Enter the container DN [Computers]:
Enter the name of the domain controller [auto detect]:
Reboot the computer after installation? (Q|Y|N) [Y]:Y
You chose Centrify Suite Express Edition and entered the following:
Install CentrifyDC 5.2.3 package : Y
Install CentrifyDC-nis 5.2.3 package: N
Install CentrifyDC-openssh 5.2.3 package: Y
Install CentrifyDC-ldapproxy 5.2.3 package: N
Install CentrifyDA 3.2.3 package: N
Run adcheck : Y
Join an Active Directory domain : Y
Active Directory domain to join : acme.local
Active Directory authorized user : Administrator
computer name : server-01
container DN : Computers
domain controller name : auto detect
Reboot computer : Y
If this information is correct and you want to proceed, type “Y”. To change any information, type “N” and enter new information.
Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:Y
The installation will start and the server will reboot if successful. Note that the join is done with the domain Administrator account here; a dedicated account with only the right to create computer objects in the target container does the same job with far less at stake if the password is captured on the box. To avoid any errors when installing the Samba packages you need some bits
yum -y install cups
cd /opt/software/samba
rpm -i centrifydc-samba-3.6.25-4.5.9-rhel3-x86_64.rpm
rpm -i centrifydc-adbindproxy-4.5.9-rhel3-x86_64.rpm
perl /usr/share/centrifydc/bin/adbindproxy.pl
adbindproxy.pl is used to configure the Centrify custom Samba build to interoperate with Centrify’s DirectControl product. It checks if the machine is joined to an AD domain. If not, it will prompt for the join operation. It also updates smb.conf and tdb files.
For security reason, you will be prompted for password several times in order to perform different AD operations when running this script.
Please specify Centrify Samba's path if it is not in [/opt/centrify/samba/] :Enter
Using (/opt/centrify/samba/)
The Samba base path is : /opt/centrify/samba/
Looking for conflicting Samba installations... No conflicting Samba found.
Do you want to create symbolic links from /usr to /opt/centrify/samba/ [Y] : Y
Using (Y)
Creating symbolic links from /usr/sbin/ to /opt/centrify/samba/sbin/...
Creating symbolic links from /usr/bin/ to /opt/centrify/samba/bin/...
Creating symbolic links from /usr/lib64/ to /opt/centrify/samba/lib/...
Creating symbolic links from /lib/security/ to /opt/centrify/samba/lib/security/...
Creating symbolic links from /etc/pam.d/ to /opt/centrify/samba/etc/pam.d/...
Creating symbolic links from /etc/logrotate.d/ to /opt/centrify/samba/etc/logrotate.d/...
Creating symbolic links from /etc/samba/smbusers to /opt/centrify/samba/etc/samba/smbusers
Creating symbolic links from /etc/samba/lmhosts to /opt/centrify/samba/etc/samba/lmhosts
Joined to Domain: churchill1795.local
Zone: Auto Zone
Do you want to leave and join to another domain? [N] :N
Using (N)
Remove Winbind settings (if any) from /etc/nsswitch.conf. No Winbind settings found.
Removing old state files...
Updating smb.conf with Centrify recommended settings...
Existing file '/etc/centrifydc/centrifydc.conf' is backed up as '/etc/centrifydc/centrifydc.conf.pre_adbindproxy'
Reset the Samba User/Group ID Cache (Centrify Samba may create conflicting mappings) [Y] :Y
Using (Y)
Init Samba start script … Restarting Samba daemons …
Warning: Unit file of centrifydc-samba.service changed on disk, ‘systemctl daemon-reload’ recommended. Restarting centrifydc-samba (via systemctl): [ OK ]
Check if SWAT symbolic link exists: /opt/centrify/samba/share/samba/swat -> /opt/centrify/samba/share/swat
Current DirectControl Configuration:
Local host name: devwebapplication-02
Joined to domain: churchill1795.local
Joined as: devwebapplications-02.churchill1795.local
Pre-win2K name: devwebapplicati
Current DC: ad-01.churchill1795.local
Preferred site: HeadOffice
Zone: Auto Zone
Last password set: 2015-11-10 14:22:37 GMT
CentrifyDC mode: connected
Licensed Features: Disabled
Current Samba Configuration:
LDAP server: x.x.x.x
LDAP server name: ad.acme.local
Realm: acme.LOCAL
Bind Path: dc=acmedc=LOCAL
LDAP port: 389
Server time: Tue, 10 Nov 2015 14:22:40 GMT
KDC server: x.x.x.x
Server time offset: 0
Press ENTER to continue …
Samba is now installed. OK, now you need to create a folder and share it. This is a development web server so I am sharing /var/www/html; the share will be called web. You need to edit the /etc/samba/smb.conf file. Go to the bottom of the file and add
[web]
comment = Apache web directory
path = /var/www/html
public = no
valid users = +DOMAINNAME\DOMAIN_GROUPNAME
writable = yes
This will allow members of the group access to the directory. Keep that group small: anyone who can write to the document root can drop a .php file that Apache will run as the web server user, so a writable share on /var/www/html is effectively code execution on the box for every member, and public = no must stay as it is. Because this is a systemd server you need to use systemctl to restart the services.
systemctl restart centrifydc.service
Centrify also adds the applicable init.d scripts, so
service centrifydc-samba restart
service centrifydc restart
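A check to run on smb.conf after adding the share, as an added example rather than anything from the post, Centrify or Samba: list writable shares that are guest-accessible or carry no valid users restriction, which on a web server's document root is the difference between "the web team can deploy" and "anyone on the network can run code as Apache". The smb.conf it reads is constructed; the function names are assumptions of this example, and the parameter semantics (writable/writeable/read only, public/guest ok) are Samba's.

```shell
#!/bin/sh
# Added example, not from the original post or from Centrify/Samba. Parse an
# smb.conf and list writable shares that are guest-accessible or have no
# "valid users" line. SAMPLE_SMB_CONF is constructed; point the functions at
# /etc/samba/smb.conf on a real host.

SAMPLE_SMB_CONF=$(mktemp)
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[global]
workgroup = ACME
security = ads

[web]
comment = Apache web directory
path = /var/www/html
public = no
valid users = +ACME\webdevs
writable = yes

[scratch]
comment = anyone can write here
path = /srv/scratch
public = yes
writable = yes

[docs]
path = /srv/docs
read only = yes
guest ok = yes
EOF

# Print the value of parameter $3 in share [$2] of config file $1 (empty if
# unset). smb.conf parameter names are case-insensitive and may have spaces
# around "="; the value is printed as written, trimmed.
share_param() {
  awk -v want="[$2]" -v key="$3" '
    /^\[/ { in_section = ($0 == want); next }
    in_section {
      split($0, kv, "=")
      k = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (tolower(k) == tolower(key)) {
        v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

lc() { tr 'A-Z' 'a-z'; }

# 0 if clients can write to share $2: writable/writeable = yes or read only = no
# (Samba's default is read only = yes).
share_is_writable() {
  [ "$(share_param "$1" "$2" writable | lc)" = yes ] \
    || [ "$(share_param "$1" "$2" writeable | lc)" = yes ] \
    || [ "$(share_param "$1" "$2" "read only" | lc)" = no ]
}

# 0 if share $2 allows guest (unauthenticated) access.
share_is_public() {
  [ "$(share_param "$1" "$2" public | lc)" = yes ] \
    || [ "$(share_param "$1" "$2" "guest ok" | lc)" = yes ]
}

# All share names in the file except [global].
list_shares() {
  sed -n 's/^\[\(.*\)\]$/\1/p' "$1" | grep -vi '^global$'
}

# Print the shares that are writable AND (guest-accessible OR unrestricted).
risky_shares() {
  for s in $(list_shares "$1"); do
    if share_is_writable "$1" "$s"; then
      if share_is_public "$1" "$s" || [ -z "$(share_param "$1" "$s" "valid users")" ]; then
        printf '%s\n' "$s"
      fi
    fi
  done
}
```

On the sample, risky_shares reports only scratch: web is writable but restricted to a group, and docs is public but read only. Samba's own testparm validates syntax; this is the policy check on top of it.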
Alternative to Splunk
Posted: May 26, 2014 Filed under: General Admin | Tags: log analysis, Log filter 3 Comments
After having a few issues, I thought it should be time to get a central logging system in place. So Google to the rescue once more. I have come across a few and I will keep adding them to the following list.
This is more an aide-memoire so that I can pick this up when I get more time.
Graylog2 – this looks a good option http://graylog2.org/
Fluentd – the combination of a few bits will give you what you want; this looks to be a good one http://docs.fluentd.org/articles/free-alternative-to-splunk-by-fluentd
OpenTSDB – not sure about this one, looks interesting though http://opentsdb.net
Logstash – again looks interesting http://logstash.net
Anyway, I will let you know more as I install them
Al
Using Linux fsck to get you out of a jam
Posted: May 26, 2014 Filed under: General Admin, Linux | Tags: file systems, fsck, Redhat, Superblock Leave a comment
Well, not the best start to the weekend. One of my reliable and trusty dev servers decided to throw a wobble, toss the proverbial baby out with the bath water and give me a wonderful superblock error. 😦
Just for the Google search, the error was:
mount: wrong fs type, bad option, bad superblock on /dev/mapper/Oracle_11G_Dev_Datap1,
missing codepage or other error
In some cases useful info is found in syslog – try
dmesg | tail or so
This is Red Hat Enterprise Linux version 5.9.
So you turn to Google and off you go.
Now this site is worth a mention as it explains fsck pretty well http://www.thegeekstuff.com/2012/08/fsck-command-examples/
So off you go and try some of the commands.
The issue is that there is a bad superblock; there are backup superblocks though, and to find where they are you use mke2fs with -n. The -n is what makes this safe: it only prints what mke2fs would do, while the same command without it creates a new file system over the data, so check for the flag before pressing Enter.
mke2fs -n /dev/mapper/mpath18p1
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
214761472 inodes, 429522936 blocks
21476146 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
13108 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
102400000, 214990848
Issuing
fsck -v /dev/mapper/mpath18p1
fsck 1.39 (29-May-2006)
fsck: fsck.ext4: not found
fsck: Error 2 while executing fsck.ext4 for /dev/mapper/mpath18p1
You will notice many instructions using the fsck.ext4 command, as you see in the output above. What many people do not tell you is that you need a package installing
yum install e4fsprogs
So now the moment of truth: take one of the superblock numbers from the mke2fs output and try the e4fsck command, with the file system unmounted (the mount had already failed here; never run a repairing fsck on a mounted file system)
e4fsck -b 98304 /dev/mapper/mpath18p1
e4fsck 1.41.12 (17-May-2010)
Adding dirhash hint to filesystem.
/u100 was not cleanly unmounted, check forced.
Pass 1: Checking inodes, blocks, and sizes
Inode 7, i_blocks is 140000, should be 139888. Fix<y>? Y
And off you go; a few hours later and many "y"s pressed, it sprang back into life.
I am now looking for the commands to test / ensure that all is OK.
Good luck if you ever get this and I hope that this little bit of text works for you.
Creating a NFS CENTOS 6 Linux target server
Posted: June 12, 2013 Filed under: CentOS, General Admin, Linux | Tags: Bonded NIC, mdadm, NFS, RAID, XFS filesystem Leave a comment
We have some old kit and I have a Friday free now, and we need a development environment to get a few things working.
So I decided to embark on a VMware server and storage build. All of course without spending any money 🙂 (well, on software anyway)
So I have 2 HP GL something servers for the VMware environment, a DL server to act as the iSCSI storage server and a 14-disk array that can be connected via a direct HBA fibre connection. All sounds good.
The idea is to software RAID the disk array and present the array to the storage server, which will serve this out as an iSCSI connection via directly connected bonded Ethernet cards.
The first thing that I thought would be the easiest bit was to create the RAID array. This turned out not to be the case, but when you see the solution DOH!!!!!
Linux OS is CentOS 6.3
I know you may wonder why I did not use FreeNAS or NAS4Free. I did try, but the hardware was not compatible. It would not even boot, so I could not even go after some fixes.
First find out what the disks are called.
fdisk -l
Will display a long list; look for something like
/dev/sd*
Armed with this information
fdisk -l | grep /dev/sd
This will list all of the disks. In my case /dev/sda —> /dev/sdm
To make sure all of the disks have no partition you can use various tools such as fdisk. Good tutorial How to delete a partition here. I used cfdisk. There is a menu with it so you do not have to remember the switches 🙂
cfdisk /dev/sdX
Delete any partitions and save and exit. Do this, one disk at a time, for all the disks that you want to put into the array (cfdisk takes a single device; a /dev/sd* glob would hand it every disk and partition at once). Check the device names against the fdisk -l output first, because the OS disk appears in the same list and this is destructive.
Now to create the array. I am creating a RAID 6 array with 2 spare disks. They are old disks; I need a bit of a guarantee regarding their condition.
A good mdadm write-up is actually in Wikipedia of all places: Mdadm
mdadm --create --verbose /dev/md0 --level=6 --raid-devices=11 /dev/sda /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf /dev/sdg /dev/sdh /dev/sdi /dev/sdj /dev/sdk --spare-devices=2 /dev/sdl /dev/sdm
(--raid-devices must equal the number of active members listed, 11 here, matching the [11/11] in the /proc/mdstat output further down; mdadm refuses to create the array when the count and the device list disagree.)
I got this error:
mdadm: super1.x cannot open /dev/sdb1: Device or resource busy
mdadm: ddf: Cannot use /dev/sdb1: Device or resource busy
Not sure why you can get this, but basically it looks like some of the disks have a RAID configuration and are being held by the OS. To discover if this is the case
cat /proc/mdstat
This will list what RAID has got hold of the disks; a good chance it will be md127. To get rid of this
mdadm --stop /dev/<mdxxx>
Where xxx is the RAID number found in the cat command above. Once you have stopped the RAID, issue the mdadm --create command again.
This will start the creation of the RAID array. Depending on the size and speed this could take hours. To determine if the RAID is creating then
cat /proc/mdstat
You will get something along the lines of
cat /proc/mdstat
Personalities : [raid6] [raid5] [raid4]
md0 : active raid6 sdm[12](S) sdl[11](S) sdk[10] sdj[9] sdi[8] sdh[7] sdg[6] sdf[5] sde[4] sdd[3] sdc[2] sdb[1] sda[0]
1290359808 blocks super 1.2 level 6, 512k chunk, algorithm 2 [11/11] [UUUUUUUUUUU]
[======>..............] resync = 32.7% (46917760/143373312) finish=175.3min speed=9168K/sec
unused devices: <none>
Once you have the RAID array created it is time to create a file system and mount it, and also make sure that the RAID starts when the system is rebooted
mdadm --detail --scan >> /etc/mdadm.conf
OK, another area of investigation: what is the best Linux file system? Well, as with all things it depends on what you need it for. The storage is for VMware files. These will be 10GB–50GB flat files and therefore I am going to try out the xfs file system, which is supposed to be good and fast for larger files.
OK, something strange happened: I had to reboot the server and /dev/md0 became /dev/md127, no idea why, and I just wanted to get it finished.
That renaming is what mdadm does when it assembles an array that is not described in /etc/mdadm.conf: the array is treated as foreign and numbered down from 127. Appending the --detail --scan line above before the reboot, and on CentOS 6 rebuilding the initramfs afterwards with dracut -f so the early-boot copy of mdadm.conf matches, keeps it at md0.
You now need to create a volume group and a logical volume on the array; the logical volume is what you will mount. (vgcreate labels /dev/md0 as a physical volume itself if you have not run pvcreate on it.)
#create a volume group named "vg_target00"
vgcreate -s 32M vg_target00 /dev/md0
# create a logical volume named "lv_target00" of a fixed size
lvcreate -L 130G -n lv_target00 vg_target00
Or, to give the logical volume the whole of the volume group instead:
lvcreate -l 100%VG -n lv_target00 vg_target00
This area got a bit fuzzy and the exact order may need to change; I tried to keep notes around this element, but I tried many different bits. One thing is for sure though: if you use the xfs file system then, to avoid the following error, you need to install the correct packages.
You may get the following error
bash: mkfs.xfs: command not found
Some bits and pieces were needed
yum install xfsdump xfsprogs
mkdir /mnt/storage
To make the file system and mount it, in that order (mkfs -f wipes whatever is on the volume, so it runs before the mount and never against a mounted volume)
mkfs -t xfs -f /dev/vg_target00/lv_target00
mount -t xfs /dev/vg_target00/lv_target00 /mnt/storage
This will now have mounted it. To make this a permanent mount you need to add a line to fstab
vi /etc/fstab
/dev/vg_target00/lv_target00 /mnt/storage xfs defaults 0 0
OK, we now have the disk array prepared; we now need to sort out the connectivity. I installed a 4-port NIC card in the server; I will bond two ports together to give me direct access to each of the two servers. Bonding the ports together will, I hope, give me enough throughput for some decent performance. To determine what NICs you have
ls /etc/sysconfig/network-scripts/
This will list something along the lines of
ifcfg-eth0 ifcfg-eth5 ifdown-ippp ifdown-routes ifup-bnep ifup-plip ifup-sit network-functions
ifcfg-eth1 ifcfg-lo ifdown-ipv6 ifdown-sit ifup-eth ifup-plusb ifup-tunnel network-functions-ipv6
ifcfg-eth2 ifdown ifdown-isdn ifdown-tunnel ifup-ippp ifup-post ifup-wireless
ifcfg-eth3 ifdown-bnep ifdown-post ifup ifup-ipv6 ifup-ppp init.ipv6-global
ifcfg-eth4 ifdown-eth ifdown-ppp ifup-aliases ifup-isdn ifup-routes net.hotplug
The NIC ports I am interested in are ifcfg-eth2, ifcfg-eth3, ifcfg-eth4 and ifcfg-eth5. There is one note: many of the tutorials that I read specified changing the modprobe.conf file. This appears to have been deprecated and now all the .conf files can be created in /etc/modprobe.d
So let's start; we will have bond0 and bond1.
Just a note on the IP addresses that we will use. As we are directly connecting the servers, I am going to configure each link as a two-host network (a /30, netmask 255.255.255.252), one address per end
Therefore
bond0 details (server)
IPADDR=192.168.100.1
NETWORK=192.168.100.0
NETMASK=255.255.255.252
bond0 details (client)
IPADDR=192.168.100.2
NETWORK=192.168.100.0
NETMASK=255.255.255.252
bond1 details (server)
IPADDR=192.168.101.1
NETWORK=192.168.101.0
NETMASK=255.255.255.252
bond1 details (client)
IPADDR=192.168.101.2
NETWORK=192.168.101.0
NETMASK=255.255.255.252
You need ethtool installed to allow NIC bonding to work
yum install ethtool
Bond0 creation
echo "DEVICE=bond0" > /etc/sysconfig/network-scripts/ifcfg-bond0
echo "IPADDR=192.168.100.1" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "NETWORK=192.168.100.0" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "NETMASK=255.255.255.252" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "USERCTL=no" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0
Bond1 creation
echo "DEVICE=bond1" > /etc/sysconfig/network-scripts/ifcfg-bond1
echo "IPADDR=192.168.101.1" >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "NETWORK=192.168.101.0" >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "NETMASK=255.255.255.252" >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "USERCTL=no" >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond1
echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond1
OK, we now need to tell the NIC ports to belong to the bond
vi /etc/sysconfig/network-scripts/ifcfg-eth3
My current config looks like this
DEVICE="eth3"
BOOTPROTO="dhcp"
HWADDR="00:0E:0C:C5:1C:25"
NM_CONTROLLED="yes"
ONBOOT="no"
TYPE="Ethernet"
UUID="13378c1e-98aa-4e18-9aee-b973b0e7b49e"
We need to change it to the following
DEVICE="eth3"
USERCTL="no"
BOOTPROTO="none"
MASTER=bond0
SLAVE="yes"
HWADDR="00:0E:0C:C5:1C:25"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
UUID="13378c1e-98aa-4e18-9aee-b973b0e7b49e"
This needs to be done for all of the ports and bonds. One thing to check: NetworkManager on CentOS 6 does not manage bonded slaves, and the Red Hat bonding documentation sets NM_CONTROLLED="no" on the slave and bond interfaces so that NetworkManager and the initscripts do not fight over eth3.
Once this is done, you need to start the bonds; to do this create a bonding.conf file. There are many different bonding modes; these are described in the Tips and tricks for bonding interfaces.
I want to balance my NICs to get the best throughput so I am using mode 5 (balance-tlb).
echo "alias bond0 bonding" > /etc/modprobe.d/bonding.conf
echo "options bond0 mode=5 miimon=100" >> /etc/modprobe.d/bonding.conf
echo "alias bond1 bonding" >> /etc/modprobe.d/bonding.conf
echo "options bond1 mode=5 miimon=100" >> /etc/modprobe.d/bonding.conf
Bear in mind that the bonding module is loaded once for all bonds, so per-bond options in modprobe.d are not a reliable way to give bond0 and bond1 different settings; CentOS 6 expects them as BONDING_OPTS="mode=5 miimon=100" in each ifcfg-bondN file, which is also where to change the mode later.
We now need to load the bonding module into the kernel (not sure exactly what this means, but taken from all the tutorials read this is what you have to do)
modprobe bonding
Okay, the last thing that I want to do is present the disk so that the servers can use it. I tried iSCSI at the start but this really did not work in our environment, so I opted for NFS. So this is how I think I got this working; there was a mix of iSCSI and NFS going on so this may be a little inaccurate, but it will get you most of the way there :).
yum -y install nfs-utils rpcbind
chkconfig nfs on
chkconfig rpcbind on
chkconfig nfslock on
The two lines below refer to the networks that servers will be allowed to access the NFS shares from. For security I would keep this as small as possible, and due to the nature and amount of traffic it should be on a separate network.
vi /etc/exports
/mnt/storage 192.168.100.0/255.255.255.252(rw,sync,no_root_squash)
/mnt/storage 192.168.101.0/255.255.255.252(rw,sync,no_root_squash)
exportfs -a
no_root_squash lets root on the client be root on the export, which an NFS datastore for VMware typically requires, but it also means any host that can reach these links owns everything under /mnt/storage: NFSv3 here trusts whatever UID the client claims, so the point-to-point cabling is the only access control. These exports must never be widened to a routed network.
I have compiled this almost how to guide from the resources below
Installing Java JRE on an Amazon Linux AMI
Posted: October 18, 2012 Filed under: General Admin, Linux | Tags: AWS EC2, JAVA, JRE Leave a comment
I am building my Apex environment and one of the requirements is to have Java JRE installed. I hate installing Java on Linux. The first thing to do is remove the Java version that is installed on an Amazon Linux image. The Java version is OpenJDK and this may work, but let's stick with Sun Java.
To un-install OpenJDK (quoted, so the shell does not expand the glob against files in the current directory)
yum erase 'java*'
Now download the latest JRE for your environment from Java SE Downloads
mkdir /opt/software
cd /opt/software
Upload the rpm / bin file to here. I downloaded the jre-6u25-linux-x64-rpm.bin; the rpm file is easier to install. A self-extracting .bin run as root executes whatever it contains, so fetch it from Oracle's site over https and verify the published checksum before running it.
chmod 755 jre-6u25-linux-x64-rpm.bin
./jre-6u25-linux-x64-rpm.bin
To ensure that the Java path is always available
Navigate to the home folder of the user, in my case this is root, and edit the .bash_profile
vi ~/.bash_profile
Insert the following line
export JAVA_HOME=/usr/java/default
The path has to match where Java is installed. JAVA_HOME must be the installation directory, not the java binary: /usr/bin/java is only a symlink into it, and tools that read JAVA_HOME look for $JAVA_HOME/bin/java. The Oracle RPM installs under /usr/java and keeps /usr/java/default pointing at the current version (check with ls -l /usr/java). Without export the variable is invisible to anything started from the shell.
To make this available to all users create a file in /etc/profile.d
I am going to standardise on my company_name.sh
vi /etc/profile.d/company_name.sh
export JAVA_HOME=/usr/java/default
Securing your Linux server from SSH attacks
Posted: July 4, 2012 Filed under: Amazon AWS, EC2, General Admin, IT Survival, Linux | Tags: Amazon AWS, Amazon EC2, Security, SSH Leave a comment
If you build any server that is accessible from the internet then you are in for a world of pain. All the servers I have ever tended to build have sat behind a nice corporate firewall controlled by me, and to SSH to them you needed to be in our network. What a great strategy: if you cannot get to me you cannot hack me :). Or the script kiddies cannot have a pop and use valuable bandwidth and server resources.
So as soon as you get to Amazon AWS you need to seriously start thinking about your server security. You have of course got the AWS security groups to help you, but we now have a need to allow SSH access to some of our servers by third-party people.
Therefore you need to harden the servers even more. Amazon goes some way with protecting their servers with key access only, but sometimes you need to give good old username and password access. If you do, limit it to the accounts that need it (AllowUsers, or a Match block in sshd_config) and keep PermitRootLogin off; every password-enabled account is exactly what the entries below are probing for.
You will therefore start seeing entries in your /var/log/secure file, something along the lines of:
Jul 1 20:48:28 ip-10-228-234-162 sshd[6901]: pam_succeed_if(sshd:auth): error retrieving information about user andreea
Jul 1 20:48:30 ip-10-228-234-162 sshd[6901]: Failed password for invalid user andreea from 27.54.120.3 port 42511 ssh2
Jul 1 19:48:30 ip-10-228-234-162 sshd[6904]: Received disconnect from 27.54.120.3: 11: Bye Bye
Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: Invalid user davida from 27.54.120.3
Jul 1 19:48:32 ip-10-228-234-162 sshd[6914]: input_userauth_request: invalid user davida
Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: pam_unix(sshd:auth): check pass; user unknown
Jul 1 20:48:32 ip-10-228-234-162 sshd[6911]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=27.54.120.3
How annoying that you have to expend time and effort on these idiots.
Well, luckily Linux has some built-in defence mechanisms against such people in the hosts.deny file (honoured by sshd through TCP wrappers on the Red Hat builds of that era).
You could manually go through, or get someone to go through, your secure file, but someone who is far cleverer than me has written a utility that does this for you. http://denyhosts.sourceforge.net/
What a tool; there is a brilliant README file in the install directory, but as usual to make it easy for you and me, here are the highlights to get it working
yum install python
cd ~
mkdir software
cd software
wget http://sourceforge.net/projects/denyhosts/files/denyhosts/2.6/DenyHosts-2.6.tar.gz/download
tar -xvzf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install
cd /usr/share/denyhosts
cp denyhosts.cfg-dist denyhosts.cfg
cp daemon-control-dist daemon-control
chown root:root daemon-control
chmod 700 daemon-control
vi denyhosts.cfg
Change the file to match your distribution. I am using a Red Hat based distro, as you would expect being in Amazon. I left everything as standard except I turned on the sync to get the host IP addresses of these annoying idiots. (The sync feature both uploads your blocked addresses to the DenyHosts project's server and pulls in addresses reported by other installations; decide whether you want that outbound traffic and a third-party block list on the server before enabling it.)
The instructions for starting the daemon automatically are so straightforward; the guy who wrote this sure did understand the software but also how to document it 🙂
cd /etc/init.d
ln -s /usr/share/denyhosts/daemon-control denyhosts
If you have chkconfig installed you can then use it to ensure that DenyHosts runs at boot time:
chkconfig --add denyhosts
service denyhosts start
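What DenyHosts is doing with those /var/log/secure lines, done by hand as an added example that is neither the post's nor DenyHosts' own code: count failed password attempts per source address and emit a hosts.deny entry for every address at or above a threshold. The log lines are constructed, modelled on the ones quoted above; the threshold is an argument of this example (DenyHosts keeps its own in the DENY_THRESHOLD_* settings of denyhosts.cfg), and the function names are assumptions. IPv4 only.

```shell
#!/bin/sh
# Added example, not from the original post and not DenyHosts' own code.
# Count failed sshd password logins per source address in /var/log/secure
# style lines and print hosts.deny entries for the noisy ones. SAMPLE_SECURE
# is constructed; feed the real file on stdin to the functions below.

SAMPLE_SECURE=$(cat <<'EOF'
Jul  1 20:48:28 ip-10-228-234-162 sshd[6901]: pam_succeed_if(sshd:auth): error retrieving information about user andreea
Jul  1 20:48:30 ip-10-228-234-162 sshd[6901]: Failed password for invalid user andreea from 27.54.120.3 port 42511 ssh2
Jul  1 20:48:32 ip-10-228-234-162 sshd[6911]: Invalid user davida from 27.54.120.3
Jul  1 20:48:34 ip-10-228-234-162 sshd[6911]: Failed password for invalid user davida from 27.54.120.3 port 42520 ssh2
Jul  1 20:48:40 ip-10-228-234-162 sshd[6920]: Failed password for root from 27.54.120.3 port 42531 ssh2
Jul  1 20:49:01 ip-10-228-234-162 sshd[6930]: Failed password for ec2-user from 198.51.100.20 port 50001 ssh2
Jul  1 20:49:05 ip-10-228-234-162 sshd[6931]: Accepted publickey for ec2-user from 198.51.100.20 port 50002 ssh2
EOF
)

# Read log lines on stdin; print "count ip" per source of failed password
# attempts, busiest first. Only sshd "Failed password ... from <ip> port" lines
# count, so the PAM noise and successful logins are ignored.
failed_logins_by_ip() {
  sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port [0-9]*.*/\1/p' \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Read log lines on stdin; print a hosts.deny line ("sshd: <ip>") for each
# address with at least $1 failures. Append the output to /etc/hosts.deny to
# enforce it (that is the file DenyHosts maintains for you).
hosts_deny_entries() {
  threshold=$1
  failed_logins_by_ip | while read -r count ip; do
    if [ "$count" -ge "$threshold" ]; then
      printf 'sshd: %s\n' "$ip"
    fi
  done
}

# Run the whole thing over the embedded sample with a threshold of 3.
sample_hosts_deny() {
  printf '%s\n' "$SAMPLE_SECURE" | hosts_deny_entries 3
}
```

A single failure from 198.51.100.20 followed by a key login is a typo, not an attack, which is why a threshold matters; the three failures in a row from 27.54.120.3 against made-up and root accounts are the pattern DenyHosts blocks on. Picking the threshold too low locks out your own users after a couple of mistakes, which is the other failure mode to plan for.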
Linux handy commands
Posted: July 3, 2012 Filed under: General Admin, IT Survival, Linux | Tags: General Commands, Linux, PID Leave a comment
As you use Linux more and more, as with any operating system you meet challenges and need to find the solutions. Linux has a raft of commands, many built into the core system. These commands will be used over and over again. Some will be second nature as you use them all of the time; others you will use perhaps once a year.
One of the difficulties that you will find, though, is matching the command to what you want to do. I have created this post therefore to highlight the commands but also to put them into context in real-life problems and issues; it is also a good aide-memoire for me 🙂
Contents of this as hopefully it will get long:
Set server to a specific time zone
How to find the PID of a process / How to find the PID of a process based on the port number being used.
I was playing with an FTP server in Amazon EC2 (more about this when I have figured it out!!!) and needed to end the FTP process. There is no service yet, so I needed to kill the process and needed to understand how to get the PID to kill it, so:
lsof -i | grep <port number or process name>
e.g.
lsof -i | grep ftp
NOTE sometimes the port number is of no use
You will get a result something like this:
vsftpd 19744 root 3u IPv4 24265 0t0 TCP *:ftp (LISTEN)
The PID in this instance is 19744
Just use the standard kill command in Linux to stop the process. -9 is SIGKILL, which the process cannot catch, so it gets no chance to flush files or close connections cleanly; send a plain kill 19744 (SIGTERM) first and reach for -9 only if the process ignores it.
kill -9 19744
Set server to a specific time zone
I need to set my Amazon server to UK BST time. There are no servers in the UK so the time is incorrect; to rectify this.
To display the timezones available
ls /usr/share/zoneinfo/
cd /etc
ln -sf /usr/share/zoneinfo/GB localtime
GB is the UK zone, so it switches between GMT and BST automatically. To check the date and time
date