Networking

Project Uptime : Progress Report – 3

Things have been a bit hectic at work, so I didn't get a lot of time to work on this project. Now that the new server has been set up and the kernel updated, we get down to the mundane task of installing the software.

One of the first things I do when configuring any new server is to stop the root user from logging into the server remotely. SSH is the default remote shell access method nowadays (please don't tell me you are still using telnet :)).

Before restricting remote access for root, add a new user for regular activities, add that user to the sudo group, and confirm you can log in and sudo to root as this user; otherwise you can lock yourself out of the box. Here are the steps I follow to do this on an Ubuntu server.

Add a new user. On Ubuntu a plain useradd creates neither a home directory nor a login shell, and the account has no password until you set one, so pass -m and -s and set the password right away:

[code]sudo useradd -m -s /bin/bash xxxx
sudo passwd xxxx[/code]

Add the user to the sudo group. The -a is essential: without it, usermod replaces the user's supplementary groups with just "sudo".

[code]sudo usermod -a -G sudo xxxx[/code]

Check that the user can sudo to gain root access: switch to the new user, sudo to a root shell, and confirm you are uid 0.

[code]su - xxxx
sudo -i
id[/code]
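The whole procedure as a script, added here as an example; it is not from the original post. It includes the step the post describes but does not show, setting PermitRootLogin no in sshd_config, and assumes Debian/Ubuntu conventions (a sudo group, /etc/ssh/sshd_config, a systemd unit named ssh) plus an illustrative user name. The config-editing helpers were written for this example; nothing is changed on the system unless APPLY_SSH_HARDENING=1 is exported, so the helpers can be tried on a copy of sshd_config first.

```sh
#!/bin/sh
# Added example for the procedure above (not from the original post).
# Assumes Debian/Ubuntu: "sudo" group, /etc/ssh/sshd_config, systemd unit "ssh".
# NEW_USER is illustrative. Nothing touches the system unless
# APPLY_SSH_HARDENING=1 is exported, so the helpers can be tested on a copy.
set -eu

# Set "KEY VALUE" in an sshd_config-style file. Any existing line for KEY,
# commented out or not, is replaced so exactly one uncommented copy remains;
# if KEY is absent the directive is appended.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# First uncommented value for KEY, which is what sshd uses (first match wins
# for directives outside Match blocks).
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

harden_ssh() {
    user=$1; cfg=${2:-/etc/ssh/sshd_config}

    # 1. Admin user with home directory, shell, password and sudo membership.
    #    -a is essential: without it usermod replaces the user's group list.
    id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user"
    passwd "$user"
    usermod -a -G sudo "$user"

    # 2. Prove sudo is granted BEFORE locking root out; -l -U needs no password.
    sudo -l -U "$user" | grep -q '(ALL' || {
        echo "$user has no sudo rights; not touching sshd" >&2; return 1; }

    # 3. Disable remote root with a backup, a syntax check and a reload.
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    set_sshd_option "$cfg" PermitRootLogin no
    sshd -t -f "$cfg"            # refuse to reload a broken config
    systemctl reload ssh
    echo "Now log in as $user from a SECOND terminal and run 'sudo -i' before closing this one."
}

if [ "${APPLY_SSH_HARDENING:-0}" = 1 ]; then
    harden_ssh "${NEW_USER:-admin}"
fi
```

Run it from the root session you already have and keep that session open: log in as the new user from a second terminal and run sudo -i before you close it. sshd -t catches syntax errors but not a later Match block that re-enables root; sshd -T | grep -i permitrootlogin shows the value sshd actually uses.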

Now, moving on to the software installation.

Install MySQL

[code]sudo apt-get install mysql-server [/code]

You will be prompted to set the MySQL root password during this install. This is quite convenient; with the older packages you had to set the root password afterwards.

Install PHP

[code]sudo apt-get install php5-mysql [/code]

In addition to PHP 5 and its MySQL extension, this pulls in Apache as a dependency. I know, I mentioned I would like to try out the new version of Apache, but it looks like Ubuntu doesn't have a package for it yet, and I am too lazy to compile from source :).

With this you have all the basic software for WordPress. Next, we will tweak this software to use fewer system resources.

HOW TO : Route traffic to loopback interface in Linux

Back in 2009 (last decade!! 🙂 ), I wrote a blog post on how you can trick Windows into routing traffic destined for a particular IP address to a black hole. In it, I mentioned that the command to route traffic to /dev/null in Linux was [code]route ADD IP_ADDRESS_OF_MAIL_SERVER MASK 255.255.255.255 127.0.0.1[/code] (which is in fact the Windows route syntax).

I ran into a need to try it today and it looks like the trick doesn't work :). So here is the right command if you want to route traffic destined for a particular IP address to the loopback interface: [code]sudo route add -host IP_ADDRESS_OF_HOST lo [/code] (-host implies a /32 mask, so no netmask is needed).

For example, to sink traffic destined for 74.205.216.2, I would do the following: [code] sudo route add -host 74.205.216.2 lo [/code] Note that this is not a true black hole: the packets are handed to the local loopback stack, so a connection attempt is refused (or answered, if something on this box happens to listen on that port) rather than silently dropped. The kernel has a dedicated "blackhole" route type (ip route add blackhole ...) that discards them outright.
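An added example, not from the original post, that sinks one host with a real blackhole route and checks the routing table before and after. It needs root and iproute2; 74.205.216.2 is the post's own illustrative address, and the route_sinks_host helper is written for this example so the check can be exercised on constructed output.

```sh
#!/bin/sh
# Added example (not from the original post): sink traffic for one host with a
# real blackhole route, and check the routing table before and after.
# Requires root and iproute2; 74.205.216.2 is the post's illustrative address.
set -eu

# True if the given `ip route show HOST/32` output already sinks HOST, either
# as a kernel blackhole or as the post's route-via-lo. Pure text check so it
# can be exercised on constructed output without root.
route_sinks_host() {
    host=$1; routes=$2
    printf '%s\n' "$routes" | grep -Fq -e "blackhole $host" -e "$host dev lo"
}

blackhole_add() {
    host=$1
    if route_sinks_host "$host" "$(ip route show "$host/32")"; then
        echo "$host is already sunk"; return 0
    fi
    # blackhole: the kernel discards the packets and the sender gets nothing
    # back. "route add -host $host lo" instead delivers them to 127.0.0.1, so a
    # local daemon listening on the same port would happily answer them.
    ip route add blackhole "$host/32"
    ip route show "$host/32"        # prints: blackhole 74.205.216.2
}

blackhole_del() {
    ip route del blackhole "$1/32"
}

# Usage (as root):
#   blackhole_add 74.205.216.2
#   ip route get 74.205.216.2      # fails with "Invalid argument": no usable route
#   blackhole_del 74.205.216.2
```

Two caveats that apply to the post's route-via-lo trick as well: the route only affects packets this machine sends (or forwards) to that address, so to stop traffic arriving from that host you need an iptables rule, not a route; and neither ip route nor route persists across a reboot, so put it in your network configuration if it is meant to stay.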

Project : Uptime

The uptime of this blog has been really bad recently. I switched to hosting it on a Rackspace virtual server last year and went with the cheapest option, a 256MB Linux virtual server that was costing me ~$12/month. I never got around to tuning the OS, so the server was always using swap and would go down pretty much every day. Last week, I upgraded the plan and moved to a 512MB server, but the uptime hasn't been any better. Here's a report from Pingdom (which, by the way, is a great service to track the uptime and responsiveness of your website) showing the availability of the site over the last year: 96%!! For someone who has been working in the operations and infrastructure world, that is unacceptable :). So my new goal is to maintain at least 99.5% uptime. Here is my plan to achieve this:

  1. Move to a fresh VM with the latest kernel
  2. Upgrade to the latest version of Apache. Initially, I wanted to move to nginx or lighttpd, but with the recent Apache upgrade, I hear good things about Apache working well in low memory situations.
  3. Upgrade to latest version of MySQL and tune it for memory usage
  4. Configure Cloudflare to serve a static version of the front page in case the server goes down. Design the static page to point people to my other digital presences (Google+, LinkedIn, Flickr etc.)

I plan to blog the progress and learnings as I implement this plan.

HOW TO : Modify iptables rules

Quick how-to for my personal records. iptables is the userspace tool that configures the Linux kernel's netfilter packet-filtering firewall (and it does a lot more); it is included with most Linux distributions.

Steps to add new rule to existing configuration

  • Check the list of rules and their sequence numbers (-n skips the reverse DNS lookups that otherwise make the listing slow, or hang it if DNS is down)

[code]sudo iptables -nvL --line-numbers [/code]

  • Add the new rule at the required position. -I CHAIN N inserts the rule at position N and pushes the existing rule N (and everything after it) down one place.

[code]sudo iptables -I INPUT LINE_NUMBER RULE [/code]

Example: this becomes rule 8 of the INPUT chain, allowing new TCP connections to port 3128 (the default Squid port) from the given /24, and is evaluated before whatever used to be rule 8.

[code]sudo iptables -I INPUT 8 -s X.X.X.X/24 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT[/code]

  • Save the configuration, otherwise the rule is gone at the next reboot. This command is the RHEL/CentOS 6 init script; on Debian/Ubuntu, install iptables-persistent and write the output of iptables-save to /etc/iptables/rules.v4 instead.

[code] sudo service iptables save [/code]

Thx to Sijis for helping with the commands.
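An added example, not from the original post, that does the three steps above without hard-coding a line number: it puts the ACCEPT directly in front of the chain's first DROP/REJECT rule, skips it if an identical rule is already there, and persists the result on either distribution family. It needs root; 192.0.2.0/24 and port 3128 stand in for the post's X.X.X.X/24 example, and the first_drop_line helper is written for this example so it can be checked against a constructed listing.

```sh
#!/bin/sh
# Added example (not from the original post): insert an ACCEPT rule just
# ahead of the chain's first DROP/REJECT instead of hard-coding a line number,
# skip it if it is already there, and persist the result. Requires root.
# 192.0.2.0/24 and port 3128 stand in for the post's X.X.X.X/24 example.
set -eu

# Line number of the first DROP/REJECT rule in the text produced by
# `iptables -nvL CHAIN --line-numbers` (num pkts bytes target ...), or nothing
# if the chain has none. Takes the listing as an argument so it can be checked
# against a constructed one without root.
first_drop_line() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+$/ && ($4 == "DROP" || $4 == "REJECT") { print $1; exit }'
}

# ensure_rule_before_drop CHAIN RULE-SPEC...
# -C returns 0 if an identical rule exists, which makes re-runs harmless.
ensure_rule_before_drop() {
    chain=$1; shift
    if iptables -C "$chain" "$@" 2>/dev/null; then
        echo "rule already present in $chain"; return 0
    fi
    pos=$(first_drop_line "$(iptables -nvL "$chain" --line-numbers)")
    if [ -n "$pos" ]; then
        # -I CHAIN N puts the new rule AT position N and shifts the old N down,
        # so the ACCEPT now sits immediately before the DROP/REJECT.
        iptables -I "$chain" "$pos" "$@"
    else
        iptables -A "$chain" "$@"
    fi
}

# "service iptables save" exists on RHEL/CentOS 6 only; iptables-save is
# portable and both distributions load from the file written here at boot.
persist_rules() {
    if [ -d /etc/iptables ]; then                 # Debian/Ubuntu, iptables-persistent
        iptables-save > /etc/iptables/rules.v4
    elif [ -f /etc/sysconfig/iptables ]; then     # RHEL/CentOS
        iptables-save > /etc/sysconfig/iptables
    else
        echo "no known rules file; save the output of iptables-save yourself" >&2
        return 1
    fi
}

# Usage (as root):
#   ensure_rule_before_drop INPUT -s 192.0.2.0/24 -p tcp -m conntrack --ctstate NEW --dport 3128 -j ACCEPT
#   iptables -nvL INPUT --line-numbers
#   persist_rules
```

The usage line uses -m conntrack --ctstate, the current spelling of the post's -m state --state; both still work on current kernels.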

HOW TO : Check web services using curl

Quick note for myself on checking web services using curl (a [L/U]nix utility for exercising HTTP(S) traffic).

[code] curl https://URL_TO_TEST --insecure --trace-ascii debug.txt [/code]

Comments on options:
--insecure skips certificate verification; handy when testing a web service served over SSL/TLS with a self-signed cert, but it also makes the check blind to a wrong or swapped certificate, so keep it for debugging and, when you can, point curl at the self-signed cert itself with --cacert so verification stays on
--trace-ascii dumps all traffic between the client (curl in this case) and the server, headers and bodies in both directions, in human-readable form
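An added example, not from the original post, of the same check done without throwing away certificate verification: curl is pinned to the service's own self-signed cert (or private CA) with --cacert, the status and timing come back through -w, and the ASCII trace is kept only when the probe fails. SERVICE_URL and ca.pem are illustrative, and the assess_probe helper is written for this example so it can be tested on constructed -w output.

```sh
#!/bin/sh
# Added example (not from the original post): probe an HTTPS service without
# throwing away certificate verification. SERVICE_URL and ca.pem are
# illustrative; ca.pem is the self-signed cert (or the private CA) you fetched
# and checked out of band once.
set -eu

# Decide from curl's -w output ("http_code time_total ssl_verify_result")
# whether the check passed: 2xx/3xx status and a clean TLS verification.
# Pure text so it can be tested on constructed lines.
assess_probe() {
    code=$(printf '%s' "$1" | awk '{print $1}')
    verify=$(printf '%s' "$1" | awk '{print $3}')
    [ "$verify" = 0 ] && [ "$code" -ge 200 ] && [ "$code" -lt 400 ]
}

# Run the probe; on failure keep the ASCII trace for debugging.
probe_web() {
    url=$1; ca=${2:-ca.pem}
    out=$(curl -sS --cacert "$ca" --max-time 10 -o /dev/null \
          --trace-ascii probe-trace.txt \
          -w '%{http_code} %{time_total} %{ssl_verify_result}\n' "$url") || return 1
    if assess_probe "$out"; then
        rm -f probe-trace.txt; echo "ok: $out"
    else
        echo "FAILED: $out (see probe-trace.txt)" >&2; return 1
    fi
}

# Usage:
#   probe_web https://SERVICE_URL ca.pem
```

A connection or TLS failure makes curl exit non-zero before any status is printed, which the || return 1 turns into a failed probe; a 000 status or a non-zero ssl_verify_result on the -w line is rejected by assess_probe.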

HOW TO : Apache and SELinux

Quick note for future reference..

If you ever run into errors like this

[code]
Starting httpd: Warning: DocumentRoot [/var/www/html/static] does not exist
Warning: DocumentRoot [/var/www/html/static] does not exist
Warning: DocumentRoot [/var/www/html/static] does not exist
Warning: DocumentRoot [/var/www/html/static] does not exist
(13)Permission denied: httpd: could not open error log file /etc/httpd/logs/error_log.
Unable to open logs
[FAILED]
[/code]
and you are scratching your head about why Apache throws these errors when the directory and files exist and have the right permissions, check whether SELinux is running and being enforced. Standard Unix permissions are only half the story: with SELinux enforcing, httpd can only read files labelled with a type the httpd policy allows (httpd_sys_content_t for content, httpd_log_t for its logs), and content copied in from a home directory or created under /root keeps a label httpd cannot use, which shows up as exactly these "does not exist" and "Permission denied" messages.
On RHEL, you can check the current mode with
[code]cat /selinux/enforce [/code]
(that path is RHEL 5; on RHEL 6 and later it is /sys/fs/selinux/enforce, and the getenforce command works on both.) The two values are 0 and 1: 0 means SELinux is permissive (denials are logged but not blocked) and 1 means it is enforcing.
You can quickly switch to permissive mode until the next reboot with
[code]echo 0 >/selinux/enforce [/code]
(setenforce 0 is the equivalent command.) If you want to disable it permanently (i.e. survive reboots), edit /etc/selinux/config and change the SELINUX line from enforcing to disabled (or permissive). Be aware that this removes a layer of protection for every service on the box; the proper fix for the errors above is to give the directory and log files the labels httpd expects (restorecon, and semanage fcontext to make the label stick) rather than to switch SELinux off.
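An added example, not from the original post, that diagnoses the denial above and fixes it by relabelling instead of disabling SELinux. It assumes RHEL/CentOS paths (/var/www/html/static is the DocumentRoot from the post's error output) and the policycoreutils tools; the context_type and httpd_can_use_type helpers are written for this example so the logic can be checked on constructed label strings without SELinux.

```sh
#!/bin/sh
# Added example (not from the original post): diagnose and FIX the SELinux
# denial above by correcting file labels, instead of turning enforcement off.
# RHEL/CentOS paths; /var/www/html/static is the DocumentRoot from the post.
set -eu

# Type field of an SELinux context as printed by `ls -Z` / `stat -c %C`,
# e.g. unconfined_u:object_r:default_t:s0 -> default_t.
context_type() {
    printf '%s' "$1" | awk -F: '{print $3}'
}

# Types the httpd policy lets Apache read (content) or write (logs). Pure
# lookup on constructed strings so the logic can be tested without SELinux.
httpd_can_use_type() {
    case $1 in
        httpd_sys_content_t|httpd_sys_rw_content_t|httpd_log_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Show what is going on before changing anything.
selinux_diagnose() {
    getenforce                                   # Enforcing / Permissive / Disabled
    ls -dZ /var/www/html/static /var/log/httpd  # current labels
    ausearch -m avc -ts recent -c httpd 2>/dev/null || true   # the actual denials
}

# Persistent fix: record the right type for the path, then apply it.
# restorecon alone is undone by the next full relabel if semanage is skipped.
selinux_fix_docroot() {
    dir=$1
    t=$(context_type "$(stat -c %C "$dir")")
    if httpd_can_use_type "$t"; then
        echo "$dir already labelled $t"; return 0
    fi
    semanage fcontext -a -t httpd_sys_content_t "${dir}(/.*)?"
    restorecon -Rv "$dir"
    restorecon -Rv /var/log/httpd /etc/httpd/logs   # error_log lives here
}

# Usage (as root):
#   selinux_diagnose
#   selinux_fix_docroot /var/www/html/static
#   service httpd start
```

If a denial persists after relabelling, the ausearch line in selinux_diagnose shows which file and which permission httpd was refused; that is the input for a targeted semanage or boolean change, and it is far less blunt than setenforce 0.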

HOW TO : Export and import certificates using keytool

Keytool is the Java utility for managing keystores, the files in which Java applications keep their SSL/TLS keys and certificates. Here are a few common operations with this tool; the newer names -exportcert and -importcert are synonyms for -export and -import.

  • List the certificates in the keystore

[code]keytool -list -keystore NAME_OF_KEYSTORE_FILE [/code]

  • Export a particular certificate from the keystore (without -file the DER bytes go to stdout; -rfc writes PEM instead)

[code]keytool -export -rfc -alias ALIAS_NAME_OF_CERT -keystore NAME_OF_KEYSTORE_FILE -file NAME_OF_OUTPUT_FILE [/code]

  • Import a certificate into the keystore. keytool prints the certificate's fingerprint and asks for confirmation before importing; compare it with a fingerprint obtained from the certificate's owner through another channel before answering yes.

[code]keytool -import -alias ALIAS_NAME_YOU_WANT -keystore NAME_OF_KEYSTORE_FILE -file NAME_OF_CERT_FILE_TO_IMPORT [/code]
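An added example, not from the original post, that chains the three operations into a transfer which refuses to import a certificate whose fingerprint is not the one you expect. Keystore names, the alias and the expected fingerprint are illustrative; keystore passwords are left to keytool's prompt rather than put on the command line, where they would end up in shell history and in ps output. The fingerprint_matches and printcert_sha256 helpers are written for this example so they can be tested without a keystore.

```sh
#!/bin/sh
# Added example (not from the original post): move a certificate between
# keystores while verifying its fingerprint before trusting it, so a swapped
# cert is caught rather than imported. Keystore names, alias and the expected
# fingerprint are illustrative; passwords are prompted for, never put on the
# command line (they would land in shell history and `ps`).
set -eu

# Compare two SHA-256 fingerprints regardless of case or colon separators,
# e.g. "AB:CD:.." vs "abcd..". Pure text, testable without a keystore.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Pull the SHA-256 line out of `keytool -printcert` output.
printcert_sha256() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Export ALIAS from SRC as PEM, check it, then import into DST under ALIAS.
transfer_cert() {
    alias=$1; src=$2; dst=$3; expected=$4; pem="$alias.pem"
    keytool -exportcert -rfc -alias "$alias" -keystore "$src" -file "$pem"
    actual=$(printcert_sha256 "$(keytool -printcert -file "$pem")")
    if ! fingerprint_matches "$expected" "$actual"; then
        echo "fingerprint mismatch for $alias: got $actual" >&2
        rm -f "$pem"; return 1
    fi
    # -noprompt is safe here only because the fingerprint was checked above.
    keytool -importcert -noprompt -alias "$alias" -keystore "$dst" -file "$pem"
    keytool -list -keystore "$dst" -alias "$alias"
}

# Usage:
#   transfer_cert myservice src.jks dst.jks 'AB:12:...:EF'
```

The expected fingerprint is the one the certificate's owner gave you out of band; the whole point of the check is that it does not come from the same place as the certificate file.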

HOW TO : Use netcat (nc) on Windows 7

netcat is the Swiss army knife for network/security professionals. You can use it to listen on a port or connect to one. For example, say you configured your firewall to allow TCP 80 traffic to your web server, but the web server is not built yet and you want to validate the rule. You can assign the IP address of the web server to your workstation, run netcat on it to listen on port 80, and test the rule.

If I am not mistaken, nc comes as a default tool in most Linux distros. You can download the Windows port of the tool at http://www.securityfocus.com/tools/139

The command to have netcat listen on a specific port is "nc -l PORT_NUMBER". If you run this on a Windows 7 machine, you will get the dreaded message "local listen fuxored: INVAL": the classic netcat that the Windows port is built from takes the listening port through -p rather than as a bare argument. The fix is to give the port with -p, together with the -L option; the command then looks like this

[code]nc -L -p 80[/code]

The -L means "listen harder, re-listen on socket close" :). I will have to dig deeper and see what it really means, though. I will leave that for another blog post.

And to validate that netcat is indeed listening on that port, connect to it from another workstation, for example with nmap (scanning just that port) or with another copy of nc.

HOW TO : Setup Global Redirect in Lighttpd

If you have ever managed a web application, you know you have to take it down at times :). And you usually want to show a simple page stating that you are down for maintenance. Here is a simple way to set up a "maintenance" splash page. The assumption is that you have a Linux server to host the maintenance page.

  • Configure lighttpd (HTTP Server) on the server using instructions from this article on Cyberciti.
  • Edit the lighttpd.conf file and add the following line to your site configuration (the value is a path relative to the document root, so it starts with a slash)

[bash] server.error-handler-404   = "/index.html" [/bash]

  • Name your maintenance page as index.html and upload it to the document root (in this example, it is /var/www/html)

You are essentially telling the web server to serve index.html whenever a user requests content that is not present on the server. And since there is no content on the server other than index.html, the browser will always get the maintenance page. Keep in mind that the page is delivered as an ordinary response rather than a 503 Service Unavailable with a Retry-After header, which is what a maintenance page should return so that uptime monitors and search engines can tell the outage is temporary.