# yum install httpd* mysql* -y

*** Install Module Needed for Authentication from MySQL databases. ***

# yum install mod_auth_mysql -y

*** Create a database which contains a table holding the username and passwd ***

#mysql -u root -p
password:

mysql> create database httpd;
mysql> use httpd;
mysql> create user ‘apache’@'localhost’ identified by ‘apache’;
mysql> create table users( user_name char(30) NOT NULL, user_passwd char(30), user_group char(30)
NOT NULL, PRIMARY KEY(user_name));
mysql> grant all privileges on *.* to ‘apache’@'localhost’ with GRANT option;
mysql> INSERT INTO users VALUES (’testuser’, ENCRYPT(’testpass’), ‘user’);
mysql> INSERT INTO users VALUES (’admin’, ENCRYPT(’testpass’), ‘group’);
mysql> quit

# service mysqld restart

# vim /etc/httpd/conf/httpd.conf

AuthName “MySQL group authenticated zone”
AuthType Basic
AuthMYSQLEnable on
AuthMySQLUser apache
AuthMySQLPassword apache
AuthMySQLDB httpd
AuthMySQLUserTable users
AuthMySQLNameField user_name
AuthMySQLPasswordField user_passwd
AuthMySQLGroupField user_group
require group admin /or/ require valid-user

# service httpd restart

enjoy

This howto will show you howto store your users in LDAP and authenticate some of the services against it. I will not show howto install particular packages, as it is distribution/system dependant. I will focus on “pure” configuration of all componenets needed to have LDAP authentication/storage of users. The howto assumes somehow, that you are migrating from a regular passwd/shadow authentication, but it is also suitable for people who do it from scratch.

Requirements

OpenLDAP
pam_ldap
nss_ldap
PADL migrationtools

Introducion

The thing we want to achieve is to have our users stored in LDAP, authenticated against LDAP ( direct or pam ) and have some tool to manage this in a human understandable way.

This way we can use all software, which has ldap support or fallback to PAM ldap module, which will act as a PAM->LDAP gateway.

Configuring OpenLDAP

OpenLDAP consists of slapd and slurpd daemon. This howto covers one LDAP server without a replication, so we will focus only on slapd. I also assume you installed and initialized your openldap installation (depends on system/disribution). If so, let’s go to configuration part.

On my system (Gentoo), openldap’s configuration is stored in /etc/openldap, we are interested in/etc/openldap/slapd.conf file. But first we have to generate a password for LDAP administrator, to put it into the config file:

# slappasswd -h {md5}

The config looks like this:

# vim /etc/openldap/slapd.conf

include         /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema

include         /etc/openldap/schema/inetorgperson.schema

include         /etc/openldap/schema/nis.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid

argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib/openldap/openldap

access to attrs=userPassword

        by dn="uid=root,ou=People,dc=hackadmin,dc=com" write

        by dn="cn=Manager,dc=hackadmin,dc=com" write

        by anonymous auth

        by self write

        by * none

access to dn.base="" by * read

access to *

         by dn="cn=Manager,dc=hackadmin,dc=com" write

         by * read

database        bdb

suffix          "dc=hackadmin,dc=com"

rootdn          "cn=Manager,dc=hackadmin,dc=com"
rootpw          {MD5}Tk1sMytv5ipjr+Vhcf03JQ==

directory       /var/lib/openldap-data

index   objectClass     eq

Remember to change suffix and paths to your needs.

These are basic options with some basic ACLs needed to change passwrods by user. If you want more functionality, please read the manual about openLDAP. Now when we have a proper config for slapd, we can start the daemon :

# /etc/init.d/ldap start

# chkconfig ldap on

Now we can test if openldap is running and working properly. We do not have any data yet in the directory, but we can try to bind as cn=Manager,dc=domain,dc=com. When you are asked for password, you should use the one you generated (of course the plain text version of it :

# ldapsearch -D “cn=Manager,dc=hackadmin,dc=com” -W

Migrate/Add data to the directory

Now when we have a running LDAP server, we have to fill it with data, either create or migrate entries. I will show you howto migrate existing entries from regular /etc/passwd, /etc/shadow , /etc/groups

The first step is to configure mogrationtools to your needs. The configuration file on gentoo is located in/usr/share/migrationtools/migrate_common.ph.

Generally you need to change only these:

$DEFAULT_BASE = "dc=hackadmin,dc=com";

$EXTENDED_SCHEMA = 1;

Now you are ready to migrate the data (actually it works even without the export command):

export ETC_SHADOW=/etc/shadow

# ./migrate_base.pl > /tmp/base.ldif
# ./migrate_group.pl /etc/group /tmp/group.ldif
# ./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
# ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif

Now we have the data in the format understood by LDAP server. Please open one the files with text editor to get used to the syntax. After that we can add the data from ldifs.

# ldapadd -D “cn=Manager,dc=domain,dc=com” -W -f /tmp/base.ldif

# ldapadd -D “cn=Manager,dc=domain,dc=com” -W -f /tmp/group.ldif

# ldapadd -D “cn=Manager,dc=domain,dc=com” -W -f /tmp/passwd.ldif

# ldapadd -D “cn=Manager,dc=domain,dc=com” -W -f /tmp/hosts.ldif

You can try searching for some data:

# ldapsearch uid=foouser

Client configuration

By client I mean the machine, which connects to LDAP server to get users and authorize. It can be also the machine, the ldap server runs on. In both cases we have to edit three files : /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth

Let’s start woth ldap.conf, the ldap’s client:

BASE    dc=hackadmin, dc=com

scope sub

suffix          "dc=hackadmin,dc=com"

## when you want to change user's password by root 

rootbinddn cn=Manager,dc=hackadmin,dc=com

## there are needed when your ldap dies

timelimit 5

bind_timelimit 5

uri ldap://ldap.hackadmin.com/

pam_password exop

ldap_version 3

pam_filter objectclass=posixAccount

pam_login_attribute uid

pam_member_attribute memberuid

nss_base_passwd ou=Computers,dc=cognifide,dc=pl

nss_base_passwd ou=People,dc=cognifide,dc=pl

nss_base_shadow ou=People,dc=cognifide,dc=pl

nss_base_group  ou=Group,dc=cognifide,dc=pl

nss_base_hosts  ou=Hosts,dc=cognifide,dc=pl

Now it is time for nsswitch.conf and pam

Add these to nsswitch.conf:

passwd: files ldap

shadow: files ldap

group:  files ldap

And change the system-auth (or hatever you have like login, sshd etc) to :

auth       required     pam_env.so

auth       sufficient   pam_unix.so likeauth nullok

auth       sufficient   pam_ldap.so use_first_pass

auth       required     pam_deny.so

account    sufficient   pam_unix.so

account    sufficient   pam_ldap.so

account    required     pam_ldap.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3

password   sufficient   pam_unix.so nullok md5 shadow use_authtok

password   sufficient   pam_ldap.so use_first_pass

password   required     pam_deny.so

session    required     pam_limits.so

session    required     pam_unix.so

session    optional     pam_ldap.so

Time to test it. The best tool for it is a good old getent. Pick a user from your system and issue:

# getent passwd | grep foouser

You should get the result twice, if so the nss_ldap works fine. The pam part can be tested by deleting a user from the /etc/passwd and trying to log in through ssh.

Apache mod_auth_ldap

To have LDAP authorization in apache, you have to load mod_auth_ldap module

LoadModule mm_auth_ldap_module modules/mod_auth_ldap.so

Now it is enought to make .htaccess like that:

AuthName "Restricted"

AuthType Basic

AuthLDAPURL ldap://ldap.hackadmin.com:389/ou=People,dc=hackadmin,dc=com?uid

AuthLDAPBindDN "cn=Manager,dc=hackadmin,dc=com"

AuthLDAPBindPassword "your_secret_secret_password_to_ldap_admin"

require valid-user

Note that this method can be also used for webdav subversion authorization

Administration tools for ldap

There are few tool I recommend using to administrate OpenLDAP server

phpldapadmin - web based tool
ldapvi - vim browsing
PADL migrationtools - migrationtools
IDEALX sambaldap tools - samba ldap tools

TYPES OF MYSQL REPLICATION

• Statement-based Replication

• Row-based Replication

• Mixed

  To change the type of Replication modify my.cnf configuration file and change

  binlog_format=mixed | row | statement

mysql> SHOW VARIABLES LIKE ‘binlog_format’;

+—————+——-+

| Variable_name | Value |

+—————+——-+

| binlog_format | MIXED

+—————+——-+

Processes/Threads inside MySQL that are responsible for replication

• MASTER - Binlog Dump Thread

• SLAVE - I/O Thread

  • • • • SQL Thread

Statements useful to check the status of these threads as replication goes:

mysql> SHOW PROCESSLIST\G

mysql> SHOW MASTER STATUS\G

mysql> SHOW SLAVE STATUS\G

Directories and File Locations

• Datadir – /var/lib/mysql

• General Log dir. - /var/log

• Bin Log dir. - /var/log/mysql

• Configuration file - /etc/mysql/my.cnf

• SSL Certificates - /etc/mysql/ssl

• Relay Log file - /var/lib/mysql/slavehost-relay-bin.NNNNNN

• Status Files - master.info, relay-log.info

Note:

- All modification/updates to data should be done on Master only, and not on any Slave. Slave should be used for queries.

setup replication

MySQL MASTER = 192.168.1.100:3306

MySQL SLAVE = 192.168.1.111:3306

MASTER host

root@sage:~# mkdir /etc/mysql/ssl

root@sage:~# cd /etc/mysql/ssl/

root@sage:~# rm -rf *

Create CA certificate

root@sage:~# openssl genrsa 2048 > ca-key.pem

root@sage:~# openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

Create server certificate

root@sage:~# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem

root@sage:~# openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

Copy ca-cert file to MySQL clients & slaves

root@sage:~# scp ca-cert.pem root@slave-host-IP:/etc/mysql/ssl/

Modify configuration file

root@sage:~# vi /etc/mysql/my.cnf

Enable Binary logging in Mixed format. And specify a Unique Server ID of Master

[mysqld]

log-bin = /var/log/mysql/mysql-bin

binlog_format = mixed

server-id = 1

ssl-key = /etc/mysql/ssl/server-key.pem

ssl-cert = /etc/mysql/ssl/server-cert.pem

ssl-ca = /etc/mysql/ssl/ca-cert.pem

Test SSL connectivity using MySQL-Client

root@sage:~# /etc/init.d/mysql restart

root@sage:~# mysql --ssl-ca=/etc/mysql/ssl/ca-cert.pem -u root -p

mysql> SHOW VARIABLES LIKE ‘%ssl%’;

+—————+——————————–+

| Variable_name | Value |

+—————+——————————–+

| have_openssl | YES |

| have_ssl | YES |

| ssl_ca | /etc/mysql/ssl/ca-cert.pem |

| ssl_capath | |

| ssl_cert | /etc/mysql/ssl/server-cert.pem |

| ssl_cipher | |

| ssl_key | /etc/mysql/ssl/server-key.pem |

+—————+——————————–+

mysql> SHOW STATUS LIKE ‘Ssl_cipher’;

+—————+——————–+

| Variable_name | Value |

+—————+——————–+

| Ssl_cipher | DHE-RSA-AES256-SHA |

+—————+——————–+

confirms that SSL is supported & enabled on MASTER

Create mysql user on master that has the privileges to do replication.

mysql -u root -p

mysql> GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO replssl@’%’ IDENTIFIED BY ‘replipass’ REQUIRE SSL;

If user already exists

mysql> GRANT USAGE ON *.* TO 'repl'@'%' REQUIRE SSL;

mysql> FLUSH PRIVILEGES;

mysql> SHOW GRANTS FOR repl;

Find the location where Master is writing now

mysql> show master status;

+—————-+——–+————-+—————+

| File | Position |Binlog_Do_DB |Binlog_Ignore_DB

+—————-+——–+————-+——————

|mysql-bin.000004| 7705 | |

+—————-+——–+————-+—————–

They are: mysql-bin.000004, 7705

Take snapshot of Mysql data on Master and then scp it to slave.

mysql> FLUSH TABLES WITH READ LOCK;

root@sage:~# tar czvf ~/mysql-snapshot.tar.gz /var/lib/mysql

mysql> UNLOCK TABLES;

Copy snapshot to the slave

root@sage:~# scp mysql-snapshot.tar/gz user@slave-IP:~

SLAVE side

To configure this host as a replication slave, you can choose between

two methods :

- Use the CHANGE MASTER TO command

CHANGE MASTER TO MASTER_HOST=<host>, MASTER_PORT=<port>,

MASTER_USER=<user>, MASTER_PASSWORD=<password> ……

OR

- Set the variables in /etc/mysql/my.cnf.

Create client certificate

root@sage:~# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem

root@sage:~# openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

root@sage:~# vi /etc/mysql/my.cnf

[mysqld]

server-id = 2

master-host = 192.168.1.100

master-user = repl

master-password = replipass

master-port = 3306

log-bin = /var/log/mysql/mysql-bin

binlog_format = mixed

tmpdir = /tmp/

[client]

ssl-ca=/etc/mysql/ssl/ca-cert.pem

#ssl-key=/etc/mysql/ssl/client-key.pem

#ssl-cert=/etc/mysql/ssl/client-cert.pem

“If the account has no special SSL requirements or was created using a GRANT statement that includes the REQUIRE SSL option, a client can connect securely by using just the --ssl-ca option:

shell> mysql --ssl-ca=cacert.pem

To require that a client certificate also be specified, create the account using the REQUIRE X509 option. Then the client must also specify the proper client key and certificate files or the server will reject the connection:

shell> mysql --ssl-ca=cacert.pem \
       --ssl-cert=client-cert.pem \
       --ssl-key=client-key.pem

In other words, the options are similar to those used for the server. Note that the Certificate Authority certificate has to be the same. “

Ref: http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html

root@sage:~# /etc/init.d/mysql restart

Test connectivity to Master from Slave

root@sage:~# mysql –ssl-ca=/etc/mysql/ssl/ca-cert.pem -u root -p -h 192.168.1.100

root@sage:~# mysql -u root -p

mysql> SLAVE STOP;

mysql> mysql> CHANGE MASTER TO MASTER_HOST=’192.168.1.100′, MASTER_PORT=3306, MASTER_USER=’replssl’, MASTER_PASSWORD=’1′,MASTER_LOG_FILE=’mysql-bin.000004′, MASTER_LOG_POS=7705, MASTER_SSL=1, MASTER_SSL_CA=’/etc/mysql/ssl/ca-cert.pem’;

mysql> START SLAVE;

mysql> SHOW SLAVE STATUS\G

mysql> SHOW PROCESSLIST\G

Note : If we have given only GRANT … REQUIRE SSL to replication user then MASTER_SSL=1, MASTER_SSL_CA are to be specidfied. ITo require that a client certificate also be specified, create the account using the REQUIRE X509 option.

]]> http://www.hackadmin.com/2010/03/04/mysql-server-replication-with-ssl/feed/ 32 http://www.hackadmin.com/2010/02/22/ip-failover-for-web-cluster/ http://www.hackadmin.com/2010/02/22/ip-failover-for-web-cluster/#comments Tue, 23 Feb 2010 00:38:38 +0000 admin http://www.hackadmin.com/?p=258 Article by Aashish

keepalived provides a strong and robust health checking for LVS clusters. It nginx implements a framework of health checking on multiple layers for server failover, and VRRPv2 stack to handle director failover. How do I install and configure Keepalived for reverse proxy server such as nginx or lighttpd?

If your are using a LVS director to loadbalance a server pool in a production environment, you may want to have a robust solution for healthcheck & failover. This will also work with reverse proxy server such as nginx.

lb0 – Linux box directly connected to the Internet via eth1. This is master load balancer.
lb1 – Linux box directly connected to the Internet via eth1. This is backup load balancer. This will become active if master networking failed.

202.54.1.1 – This ip moves between lb0 and lb1 server. It is called virtual IP address and it is managed by keepalived.
eth0 is connected to LAN and all other backend software such as Apache, MySQL and so on.

You need to install the following softwares on both lb0 and lb1:

keepalived for IP failover.
iptables to filter traffic
nginx or lighttpd revers proxy server.

DNS settings should be as follows:

hackadmin.in – Our sample domain name.
lb0.hackadmin.in – 202.54.1.11 (real ip assigned to eth1)
lb1.hackadmin.in – 202.54.1.12 (real ip assigned to eth1)
www.hackadmin.com – 202.54.1.1 (VIP for web server) do not assign this IP to any interface.

Install Keepalived

Visit keepalived.org to grab latest source code. You can use the wget command to download the same (you need to install keepalived on both lb0 and lb1):

# cd /opt

# wget http://www.keepalived.org/software/keepalived-1.1.19.tar.gz

#  tar -zxvf keepalived-1.1.19.tar.gz

# cd keepalived-1.1.19

Install Kernel Headers

You need to install the following packages:

Kernel-headers – includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package.
kernel-devel – this package provides kernel headers and makefiles sufficient to build modules against the kernel package.

Make sure kernel-headers and kernel-devel packages are installed. If not type the following install the same:

Compile keepalived

Type the following command:
# ./configure –with-kernel-dir=/lib/

How do I redirect 80 port to 8123 using iptables?

You can easily redirect incoming traffic by inserting rules into PREROUTING chain of the nat table. You can set destination port using the REDIRECT target.

Syntax

The syntax is as follows to redirect tcp $srcPortNumber port to $dstPortNumber:

iptables -t nat -A PREROUTING -i eth0 -p tcp –dport $srcPortNumber -j REDIRECT –to-port $dstPortNumbe

The syntax is as follows to redirect udp $srcPortNumber port to $dstPortNumber:

iptables -t nat -A PREROUTING -i eth0 -p udp –dport $srcPortNumber -j REDIRECT –to-port $dstPortNumber

Replace eth0 with your actual interface name. The following syntax match for source and destination ips:

iptables -t nat -I PREROUTING –src $SRC_IP_MASK –dst $DST_IP -p tcp –dport $portNumber -j REDIRECT –to-ports $rediectPort

Examples:

In The following example redirects TCP port 25 to port 2525:

# iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 25 -j REDIRECT –to-port 2525

this example all incoming traffic on port 80 redirect to port 8123

# iptables -t nat -I PREROUTING –src 0/0 –dst 192.168.1.5 -p tcp –dport 80 -j REDIRECT –to-ports 8123

How Do I View NAT Rules?

Type the following command:

# iptables -t nat -L -n -v

How Do I Save NAT Redirect Rules?

Type the following command:

# iptables-save

How do I restrict the number of connections used by a single IP address to my server for port 80 and 25 using iptables?

You need to use the connection limit modules which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block). This is useful to protect your server or vps box against flooding, spamming or content scraping.

Syntax
The syntax is as follows:

# /sbin/iptables -A INPUT -p tcp –syn –dport $port -m connlimit –connlimit-above N -j REJECT –reject-with tcp-reset

save the changes see iptables-save man page, the following is redhat and friends specific command service iptables save

Example: Limit SSH Connections Per IP / Host

Only allow 3 ssh connections per client host:

# /sbin/iptables  -A INPUT -p tcp –syn –dport 22 -m connlimit –connlimit-above 3 -j REJECT

save the changes see iptables-save man page, the following is redhat and friends specific command service iptables save

Example: Limit HTTP Connections Per IP / Host

Only allow 20 http connections per IP (MaxClients is set to 60 in httpd.conf):

# /sbin/iptables -A INPUT -p tcp –syn –dport 80 -m connlimit –connlimit-above 20 -j REJECT –reject-with tcp-reset
save the changes see iptables-save man page, the following is redhat and friends specific command service iptables save

Skip proxy server IP 1.2.3.4 from this kind of limitations:

# /sbin/iptables -A INPUT -p tcp –syn –dport 80 -d ! 1.2.3.4 -m connlimit-above 20 -j REJECT –reject-with tcp-reset

Enjoy it….

Openvpn is an open source software, allows us to create a Virtual Private Network.

1. Installing openvpn

install these packages openvpn openssh-server openssl:

laptop:~$ sudo apt-get install openvpn openssh-server openssl

Now the ssh server is installed we can control it and access to it from anywhere on the web using the IP and port 22.

In reality 22 is for SSH The best port for OpenVPN (http://www.iana.org/assignments/port-numbers) is 1194.

There is special web interfaces to can interact and configure openVPN through a browser like webmin,

so we should install apache, php and mysql with this command:

laptop:~$ sudo apt-get install apache2 mysql-server-5.0 libapache2-mod-php5 php5 php5-common php5-mysql

To install webmin:

laptop:~$ sudo apt-get install webmin

2. VPN configuration:

The openvpn use Private Key Infrastructure (PKI):

1. One Public key for server and Private keys for each client.

2. It uses Certification for more security each Certification is valid for one couple (Server, Client)

The authentication With OpenVPN is a bidirectional, means the sever identify the client before trusting on and client identify the server too.

Key Generation:

To generate a Key we can use scripts provided by OpenVPN

We create openvpn/ in /home to manipulate and create keys there:

laptop:~$ sudo cp /usr/share/doc/openvpn/examples/easy-rsa /home/openvpn/ -R

All commands are in /home/openvpn/2.0/ file

laptop:~$ cd /home/openvpn/2.0

Edit vars file:

laptop:~$ sudo nano vars ————–// (nano is a text editor you can use others: gedit, …)

Setup these variables KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL

EX:

export KEY_COUNTRY=DZ

export KEY_PROVINCE=ALGER

export KEY_CITY=alger

export KEY_ORG=alger

export KEY_EMAIL=xxxxxxxxx@xxx.dz

* We can find other variables like:

* KEY_SIZE by default set to 1024 in some countries there is limit that you

should respect for this KEY_SIZE you can’t go over the limitation.

* CA_EXPIRE : In how many days your certification will expire?

Save and close (in nano ctrl+x)

To set these variables we run this:

laptop:~$ . ./vars ——————– //first dot isn’t a mistake

We should clean all existing certification we have to not have conflits (run this command):

laptop:~$ sudo ./clean-all ———————-// will delete /home/openvpn/2.0/keys

If you do’nt have certification set before nothing will be done.

Now we create our Certification and key with CA (master Certification Authority) with this command:

laptop:~$ sudo ./build-ca

The certification now are created in keys directory: ca.crt ca.key

Generate a certification and key to the SERVER:

laptop:~$ sudo ./build-key-server SERVER ——————- //we suppose that server’s named SERVER

When common name is required type the name OS the server (here SERVER)

Generate certification and key for client:

laptop:~$ sudo ./build-key client1

when common name is required type the name of the client (client1)

this common name MUST be different if you have many clients.

To protect your key with a password use ./build-key-pass instead of ./build-key

NB: We were able to generate the client key on its own end to avoid transfer through the network

Diffie Hellman parameters should be generated for the openvpn server:

laptop:~$ sudo ./build-dh

these parameters are copied in keys directory dh1024.pem

So now all Certifications and keys are in /home/openvpn/2.0/keys directory:

name Utile for Role Secret

ca.crt servers and all clients root Certification CA no

ca.key key signing the machine (both) root key CA yes

dh1024.pem server Diffie Hellman parameters no

SERVER.crt server server certification no

SERVER.key server server key yes

client1.crt Client1 Client1 certification no

client1.key Client1 Client1 key yes

We copy files to the client machines using a secured tunel

3. Creation of the file configuration for clients and server

There is samples of this configuration in /usr/share/doc/openvpn/examples/sample-config-files/ client.conf and server.conf.gz

1. Server configuration:

We should gunzip the server.conf.gz

laptop:~$ sudo gunzip server.conf.gz

and then copy this file to /home/openvpn using:

laptop:~$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/

Edit server.conf:

laptop:~$ sudo nano /home/openvpn/server.conf

this would create a VPN with virtual interface and listen to the connections in 1194 port and distribute

virtual addresses to clients that connect through 10.8.0.0/24

By default this server.conf is useful but we can set more parameters(directives) like (IP, PORT, KEY_SIZE etc…)

Client configuration and server one must be coherent.

1. Client configuration:

Edit the client.conf:

laptop:~$ sudo nano /home/openvpn/client.conf

Verify the name of certification and key of each client:

ca ca.crt

cert client.crt

key client.key

Go to the remote parameter and set up the server IP

remote my-server-1 1194

save the file

Now we verify if client parameters if they correspond to the server one:

dev (tun ou tap)

proto (udp ou tcp)

comp-lzo

fragment

4. Starting the VPN:

4.1. Before we start we should copy all file in keys directory and .conf to /etc/openvpn:

4.1.1 SERVER:

laptop:~$ sudo cp /home/openvpn/keys/SERVER.crt /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/SERVER.key /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/dh1024.pem /etc/openvpn

laptop:~$ sudo cp /home/openvpn/server.conf /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/ca.crt /etc/openvpn

4.1.2 Client:

laptop:~$ sudo cp /home/openvpn/keys/client1.crt /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/client1.key /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/ca.crt /etc/openvpn

laptop:~$ sudo cp /home/openvpn/client1.conf /etc/openvpn

4.2 Start the server:

laptop:~$ cd /etc/openvpn

laptop:/etc/openvpn$ sudo openvpn server.conf

4.3 Start the client1:

aptop:~$ cd /etc/openvpn

laptop:/etc/openvpn$ sudo openvpn client1.conf

4.4 Test the VPN:

From the client terminal try to ping the server which has the 10.8.0.1 by default:

ping 10.8.0.1

To can communicate with other client through the network with the VPN you have to uncomment the client-to-client parameter in server.conf
and then you would be able to ping the other clients.

How To Set Red hat / CentOS Linux Remote Backup / Snapshot Server

Q. I am using an HP RAID 6 server running RHEL 5.x. I’d like this box to act as a backup server for my other Red Hat DNS and Web server. The server must keep backup in hourly, daily and monthly format. How do I configure my Red Hat / CentOS Linux server as remote backup or snapshot server?

A. rsnapshot is easy, reliable and a good disaster recovery backup solution. It is a remote backup program that uses rsync to take backup snapshots of your filesystems. It uses hard links to save space on disk and offers following features:

• Filesystem snapshot – for local or remote systems.

• Database backup – MySQL backup

• Secure – Traffic between remote backup server is always encrypted using openssh

• Full backup – plus incremental

• Easy to restore – Files can restored by the users who own them, without the root user getting involved.

• Automated backup – Runs in background via cron.

• Bandwidth friendly – rsync used to save bandwidth

Sample setup

• snapshot.example.com – HP box with RAID 6 configured with Red Hat / CentOS Linux ac as backup server for other clients.

• DNS ns1.example.com – Red Hat server act as primary name server.

• DNS ns2.example.com – Red Hat server act as secondary name server.

• www.example.com – Red Hat running Apache web server.

• mysql.example.com – Red Hat mysql server.

Install rsnapshot

Login to snapshot.example.com. Download rsnapshot rpm file, enter: WARNING! These examples only works on Red hat / CentOS / Suse / RHEL / Fedora Linux. See Debian / Ubuntu Linux backup server instructions here.

# cd /tmp

# wget http://www.rsnapshot.org/downloads/rsnapshot-1.3.0-1.noarch.rpm

# wget http://www.rsnapshot.org/downloads/rsnapshot-1.3.0-1.noarch.rpm.md5

Verify rpm file for integrity, enter

# md5sum -c rsnapshot-1.3.0-1.noarch.rpm.md5

Sample output:
rsnapshot-1.3.0-1.noarch.rpm: OK
Install rsnapshot, enter:

# rpm -ivh rsnapshot-1.3.0-1.noarch.rpm
Sample output:
Preparing… ########################################### [100%]
1:rsnapshot ########################################### [100%]

Configure rsnapshot

You need to perform following steps

Step # 1: Configure passwordless login

To perform remote backup you need to setup passwordless login using openssh. Create ssh rsa key and upload them to all servers using scp (note you are overwriting ~/ssh/authorized_keys2 files).You need to type following commands on snapshot.example.com server:

# ssh-keygen -t rsa

# scp .ssh/id_rsa.pub root@ns1.example.com:.ssh/authorized_keys2

# scp .ssh/id_rsa.pub root@ns2.example.com:.ssh/authorized_keys2

# scp .ssh/id_rsa.pub root@www.example.com:.ssh/authorized_keys2

# scp .ssh/id_rsa.pub root@mysql.example.com:.ssh/authorized_keys2

Step # 2: Configure rsnapshot

The default configuration file is located at /etc/rsnapshot.conf. Open configuration file using a text editor, enter:

# vi /etc/rsnapshot.conf

Configuration rules

You must follow two configuration rules:

• rsnapshot config file requires tabs between elements.

• All directories require a trailing slash. For example, /home/ is correct way to specify directory, but /home is wrong.

First, specify root directory to store all snapshots such as /snapshots/ or /dynvol/snapshot/ as per your RAID setup, enter:

snapshot_root /raiddisk/snapshots/

You must separate snapshot_root and /raiddisk/snapshots/ by a [tab] key i.e. type snapshot_root hit [tab] key once and type /raiddisk/snapshots/.

Define snapshot intervals

You need to specify backup intervals i.e. specify hourly, daily, weekly and monthly intervals:

interval hourly 6

interval daily 7

interval weekly 4

interval monthly 3

The line “interval hourly 6″ means 6 hourly backups a day. Feel free to adapt configuration as per your backup requirements and snapshot frequency.

Remote backup directories

To backup /var/named/ and /etc/ directory from ns1.example.com and ns2.example.com, enter:

backup root@ns1.example.com:/etc/ ns1.example.com/

backup root@ns1.example.com:/var/named/ ns1.example.com/

backup root@ns2.example.com:/etc/ ns2.example.com/

backup root@ns2.example.com:/var/named/ ns2.example.com/

To backup /var/www/, /var/log/httpd/ and /etc/ directory from www.example.com, enter

backup root@www.example.com:/var/www/ www.example.com/

backup root@www.example.com:/etc/ www.example.com/

backup root@www.example.com:/var/log/httpd/ www.example.com/

To backup mysql database files stored at /var/lib/mysql/, enter:

backup root@mysql.example.com:/var/lib/mysql/ mysql.example.com/dbdump/Save and close the file. To test your configuration, enter:

# rsnapshot configtest

Sample output:

Syntax OK

Schedule cron job

Create /etc/cron.d/rsnapshot cron file. Following values used correspond to the examples in
#vim /etc/rsnapshot.conf.

0 */4 * * * /usr/bin/rsnapshot hourly

50 23 * * * /usr/bin/rsnapshot daily

40 23 * * 6 /usr/bin/rsnapshot weekly

30 23 1 * * /usr/bin/rsnapshot monthly

Save and close the file. Now rsnapshot will work as follows to backup files from remote boxes:

1. 6 hourly backups a day (once every 4 hours, at 0,4,8,12,16,20)

2. 1 daily backup every day, at 11:50PM

3. 1 weekly backup every week, at 11:40PM, on Saturdays (6th day of week)

4. 1 monthly backup every month, at 11:30PM on the 1st day of the month

How do I see backups?

To see backup change directory to

# cd /raiddisk/snapshots/

# ls -l

Sample output:
drwxr-xr-x 4 root root 4096 2008-07-04 06:04 daily.0
drwxr-xr-x 4 root root 4096 2008-07-03 06:04 daily.1
drwxr-xr-x 4 root root 4096 2008-07-02 06:03 daily.2
drwxr-xr-x 4 root root 4096 2008-07-01 06:02 daily.3
drwxr-xr-x 4 root root 4096 2008-06-30 06:02 daily.4
drwxr-xr-x 4 root root 4096 2008-06-29 06:05 daily.5
drwxr-xr-x 4 root root 4096 2008-06-28 06:04 daily.6
drwxr-xr-x 4 root root 4096 2008-07-05 18:05 hourly.0
drwxr-xr-x 4 root root 4096 2008-07-05 15:06 hourly.1
drwxr-xr-x 4 root root 4096 2008-07-05 12:06 hourly.2
drwxr-xr-x 4 root root 4096 2008-07-05 09:05 hourly.3
drwxr-xr-x 4 root root 4096 2008-07-05 06:04 hourly.4
drwxr-xr-x 4 root root 4096 2008-07-05 03:04 hourly.5
drwxr-xr-x 4 root root 4096 2008-07-05 00:05 hourly.6
drwxr-xr-x 4 root root 4096 2008-07-04 21:05 hourly.7
drwxr-xr-x 4 root root 4096 2008-06-22 06:04 weekly.0
drwxr-xr-x 4 root root 4096 2008-06-15 09:05 weekly.1
drwxr-xr-x 4 root root 4096 2008-06-08 06:04 weekly.2

How do I restore backup?

Let us say you would like to restore a backup for www.example.com. Type the command as follows (select day and date from ls -l output):

# cd /raiddisk/snapshots/
# ls -l

# cd hourly.0/www.example.com/

# scp -r var/www/ root@www.example.com:/var/www/

# scp -r etc/httpd/ root@www.example.com:/etc/httpd/

How do I exclude files from backup?

To exclude files from backup, open rsnapshot.conf file and add following line:

exclude_file /etc/rsnapshot.exclude.www.example.com

Create /etc/rsnapshot.exclude.www.example.com as follows:

/var/www/tmp/

/var/www/*.cache

That’s It!

MySQL can sometimes create big problems on a server when you have users abusing it.
This article will teach you how to correctly identify the queries that are creating a problem for your server.

MySQL can log those queries that are taking longer then X seconds but this future is not turned on by default.
Here’s how you turn it on:
Login to your server as root
Open my.cnf with your favorite editor. Example:
vim /etc/my.cnf

Into the [mysqld] section add the fallowing lines
log-slow-queries = /var/log/mysql-slow.log
long_query_time = 3

This is just an example. You can use any file name that you want and you can modify the long_query_time to any value. In this example I will be logging to /var/log/mysql-slow.log any queries that are taking longer then 3 seconds.

Go ahead and save the configuration.
For vim: CTRL+X and YES

Now we have to actually create the log file.
touch /var/log/mysql-slow.log

Now we are changing the owner of the file so that mysql and actually write to it.
chown mysql.root /var/log/mysql-slow.log

Now we restart mysql
service mysql restart

It should restart successfully. If it doesn’t check that you didn’t brake my.cnf by examining the error file in your data directory.

Wait a few minutes and then examine the slow queries log
A few examples on how to do it:

cat /var/log/mysql-slow.log
tail /var/log/mysql-slow.log
tail -50 /var/log/mysql-slow.log

After you have identified the offending query go ahead and optimize or remove it.
Again test the results by looking at your server load and the mysql slow queries log.

After you fixed all the problems go ahead and comment the slow queries logging as it will slow your server a bit if you leave it on. my.cnf should now look similar to this:

#log-slow-queries = /var/log/mysql-slow.log
#long_query_time = 3

And don’t forget to restart MySQL after this.

service mysql restart

Hope this helps !

Install MySQL Performance Tuning Primer Script

Tuning the performance of MySQL can be a really hard job to do.
There are many things to consider and no two servers are identical so there is no universal solution.
Tuning Primer is a script that will help you tune your mysql installation by providing very healthy recommendations based on past mysql records.
For the script to be efficient you must run the mysql server for at least 48 hours.
Installation is extremely simple:

Download the script
wget http://day32.com/MySQL/tuning-primer.sh

Change the permissions for the file
chmod 755 tuning-primer.sh

Run it
./tuning-primer.sh

Apply the sugesttions

Enjoy!

To interact with amazon S3, we have many languages we can use as well as python. I chose python because it’s a scripting language. That means we don’t need to compile and we don’t need a virtual machine to run it, only an interpreter is needed.

There is some ready tools to interact with amazon S3 I found S3cmd it’s made with python and there is many methods within.

Installing S3cmd (nb: commands are in red color)

Its better to be root to have all permissions Laptop:~$ sudo -i

Take the zip file and copy it somewhere for example /home/Your_Directory/

1.To copy ———————————– Laptop:~# cp s3cmd-0.9.9.91 /home/Your_Directory

2. Decompress the file. —————- Laptop:~# unzip s3cmd.zip

3. Move to s3cmd folder .————— Laptop:~# cd s3cmd-0.9.9.91

4. Change setup.py mod to can execute it. Laptop:~/s3cmd-0.9.9.91# chmod +x setup.py

5. Run the setup file with this command. Laptop:~/s3cmd-0.9.9.91# ./setup.py

6. During the installation enter your access key and secret one, and choose secured connection.

Now s3cmd is installed and your connection with s3 account is set, so you can transfer files to and from s3 account there is many commands you can use to can use them you should be in s3cmd folder, I verified most of the code and it uses methods provided by amazon s3 developers.

The command that allows you to transfer from your server (linux) to amazon s3 is :

s3cmd-0.9.9.91#./s3cmd put Local_File s3://BUCKET_Name/Other_Files_In_Bucket

But this command will transfer “Local_File” to the bucket so if we have another new file within and we use the same command, the whole “Local_File” would be transferred too, so we loose in data transfer.

BUT if we use a sync command we can synchronize a local file with a remote one, it means that if we have a local folder and we add files in it step by step this command allows us to transfer only missing files to the remote file, this is how we minimize data transfer, so for example everyday we have a new tar.gz file added to our local file and our backup would be done everyday,

The command is :
3cmd-0.9.9.91# ./s3cmd sync /home/Your_Directory/local_file/ s3://BUCKET_Name/Remote_File

Every time we run this command it copies only missing files.

Automation of our transfer with sync command:

In linux OS we can automate execution of commands by adding them to a special file which has a specific (easy) syntax.
To access to this file we use this command ——— 3cmd-0.9.9.91# crontab -e

Our file is open now, we can insert any command to be executed at any time or day or month.

A sample line is so —————- * * * * * Command_to_execute

if we want to run any linux command for example at 3:59 PM we edit our line as follow
59 15 * * * Command_to_run

Suppose that we have our tar.gz files already in a Local_File and we want to transfer them to the Remote_File with sync command everyday at 3:00 am, the line would be:

0 3 * * * Path_Where_s3cmd_Folder_is/./s3cmd sync /home/Your-Directory/Local_File/ s3://BUCKET/Remote_File/