Linux


Installing Plesk on CentOS Linux

In this post I’m going to describe the simple steps to install the latest release of the Plesk software on CentOS.

First make sure you are root:

Make sure you start with a clean starting point, remove existing instances of Apache, MySql, Cyrus and PHP:

Make sure your CentOS distribution is fully patched:

Let’s disable the Security Enhanced Linux feature:

Go to the installation folder:

Download and execute the installer script:

Finally, complete the Plesk configuration using a web browser: https://<ip address of server>:8443


How to troubleshoot your Linux VM running on Microsoft Azure

Many people are running Linux in a virtual machine on Azure. But what if a Linux virtual machine refuses to start?

Go to the Azure portal and open the virtual machine properties. First check the CPU, network and disk utilization. Is CPU constantly peaking at 100%? Then you know that you must investigate that first. You see absolutely no utilization at all? Then your virtual machine might be down or doing nothing at all. When your virtual machine is slow but online, maybe you have chosen the wrong virtual machine type and require more resources.

Ok… let’s choose the troubleshoot option. (The screendumps are from the Dutch Azure website.)

When you choose the troubleshoot option, you see the current resource status. A green sign means that there should be no problems with the Azure platform resources you are running on. In my case I see a green sign, so that’s good! You also see the latest issues and activities. Did someone recently restart your virtual machine? You should see a notice of that. Remember how important it is to keep security in mind. Are you and your co-workers all using the same account? Then it can be difficult to identify who rebooted the server.

You also see most common issues regarding your type of virtual machine. Just click on a problem and Microsoft gives you advice. You directly have the option to check for the tips that Microsoft gives you.

Console session

Most system administrators’ first instinct is to check the console screen. Unfortunately there is no live console screen which you can use, so you can’t monitor the boot process (and see the errors occurring) in real time. But there are ways to monitor it with an alternative method. Let’s go to the first option and click the first link:

After you’ve selected the first option you notice the following screen:

You notice the latest boot process. You can scroll down this window. Notice the options to download the logfile, and to take a screendump and download it. You can’t see a live screen of the console but you’re able to download a screendump of the console. Not ideal, but it can provide you with some interesting info.

Reset password

Sometimes there is a problem with your password. Maybe you forgot your password!? You can use the CLI or PowerShell to change it. You can find more info here and here. When you have full access to Azure and the virtual machine you can reset your root password without knowing the current password.

Check for a pending reboot

Maybe some actions required a reboot and for that reason some services are not running. Check if the file /var/run/reboot-required exists or not. If it exists then you first have to reboot your Linux virtual machine before further troubleshooting.

Restart your virtual machine

There could be a resource problem or a hanging process. Choose to restart your virtual machine. Click on restart virtual machine to restart it. Use the console and boot information mentioned earlier to check the progress.

Reset the SSH connection creds

Sometimes there could be an issue with your SSH keys. Choose this option to recreate your SSH keys. (Option 4)

Migrate your Virtual machine to another host

You have the option to migrate (move) your virtual machine to another host. Sometimes there could be a problem with a specific region or host. Use this option to make sure that this doesn’t apply to you.

Consider the use of premium storage

Check your number of IOs. Do you have an application which requires a lot of IO? Consider the use of premium storage. Microsoft Azure Premium Storage delivers high-performance, low-latency disk support for virtual machines running I/O-intensive workloads. VM disks that use Premium Storage store data on solid state drives. You can migrate your application’s VM disk to Azure Premium Storage to take advantage of the speed and performance of these disks. But be aware of the costs! If your disks do not require high IOPS, you can limit costs by keeping them in Standard Storage, which stores virtual machine disk data on hard disk drives instead of SSDs. More info here.

Revert or fallback to your latest snapshot/backup

Sometimes it’s easier not to troubleshoot but to restore your latest backup and/or snapshot. Especially if you have a working (and tested!) backup and are able to restore it.

Conclusion

Microsoft provides more and more support for Linux virtual machines. The lack of a real-time console session is a bummer, but Microsoft offers a lot of tips for you to take a closer look at. I hope that this post will provide you with a good place to start your investigation. Make sure you have a working (and tested!) back-up plan in place. Everyone needs a restore at one point or another. 🙂 Microsoft also provides support plans; costs are $250 monthly with a minimum term of 6 months. You can always fall back on Microsoft’s Linux team, which has advanced knowledge, but for a price.


File level restore on Azure

Making backups of virtual machines running on Azure using snapshot technology is a nice feature. But sometimes you don’t want to revert the whole snapshot but only want to restore a single file. Now this is possible. It uses the same backup/Snapshot technology you probably are already using.

[Screenshot: Azure file level restore, step 1]

Open the virtual machine properties in the all resources tab. Choose the Back-up option.

[Screenshot: Azure file level restore, step 2]

Go to the file level restore option. (more/upper right)

[Screenshot: Azure file level restore, step 3]

Select the back-up set containing the file(s) you wish to restore. Then choose to download the script. Upload that script to your virtual machine (WinSCP, copy/paste into nano/vi, or any other way you choose). It takes approx. 1 minute to generate and download the script.

Execute the script using bash <filename.sh>. The first time, the VM adds support for the iSCSI service, which is required for mounting the back-up set. Choose Y to install the iSCSI drivers and wait a few seconds. You see that the entire back-up set is mounted. Now you can copy all the files you need.

After you are done, go to the Azure portal and choose to unmount the back-up set. Now you are all finished!


Top tip: Linux security & auditing tool Lynis

For my work I often deploy Linux VMs. I use Lynis for checking my systems for security issues and against baselines. Lynis is a security auditing tool for UNIX derivatives like Linux, macOS, BSD, Solaris, AIX, and others. It performs an in-depth security scan. Extensive reports in HTML and TXT are delivered. The company behind Lynis (CISOfy) delivers great support and has a community of people working together.

Screenshot of Lynis: [image not included]

Installation is very simple (if you know your way around Linux).

Ensure that cURL, NSS, openssl, and CA certificates are up-to-date.

Create /etc/yum.repos.d/cisofy-lynis.repo

Next step is installing Lynis with yum.

The first time, it might ask to import the GPG key. This ensures that only packages signed by CISOfy are installed.

Now you start using Lynis. First time users are advised to use the Get Started guide.

You see something like this (DONE/FOUND/YES/NO etc.). You can open the logfiles afterwards in /var/log. Personally I prefer to also pipe the output to a file (lynis audit system >> output_file).
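The installation steps above (patch the TLS stack, create the repo file, install with yum, run the audit) as one script, together with a small summariser for the machine-readable report Lynis writes to /var/log/lynis-report.dat. This is an added example, not CISOfy's own installer or the post's code; the repository baseurl and GPG key URL are assumed from CISOfy's public package documentation and should be checked against packages.cisofy.com before use, and the report lines used in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not part of the original post): install Lynis from the CISOfy
# yum repository with GPG checking enabled, run an audit, and summarise the report.

# Write the repo definition. Assumption: baseurl and gpgkey as published by CISOfy;
# verify them against packages.cisofy.com. gpgcheck=1 is the security-relevant part:
# yum refuses packages whose signature does not match the imported key.
write_lynis_repo() {
  target="${1:-/etc/yum.repos.d/cisofy-lynis.repo}"
  cat > "$target" <<'EOF'
[lynis]
name=CISOfy Software - Lynis package
baseurl=https://packages.cisofy.com/community/lynis/rpm/
enabled=1
gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
gpgcheck=1
priority=2
EOF
}

# Step 1 and 3 of the post: make sure the TLS stack is current, then install.
install_lynis() {
  yum -y update curl nss openssl ca-certificates
  write_lynis_repo
  yum -y install lynis
}

# Run the audit and keep a copy of the console output, as the post suggests.
run_audit() {
  out="${1:-/root/lynis-output.txt}"
  lynis audit system | tee -a "$out"
}

# Summarise a lynis-report.dat file. Lynis writes one entry per line, e.g.
# (constructed sample) warning[]=SAMPLE-0001|description|-|
# and suggestion[]=SAMPLE-0002|description|-|. We only count them here.
summarize_report() {
  report="${1:-/var/log/lynis-report.dat}"
  w=$(grep -c '^warning\[\]=' "$report" || true)
  s=$(grep -c '^suggestion\[\]=' "$report" || true)
  echo "warnings=$w suggestions=$s"
}
```

Run `install_lynis`, then `run_audit` and `summarize_report` on a root shell; the summary is a quick way to see whether a baseline drifted between two runs.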

[Screenshot: Lynis check output]

Download Lynis here.

It is also possible to add extra checks (plugins) and/or change the default one. I created my own baseline which I can use every time.

Good luck with scanning your system! (and securing afterwards :-))



How to protect your Linux server using iptables 1

In this post I will describe how to configure the basic Linux firewall, iptables. Using iptables you can easily protect your server from intruders. Nowadays many people are hosting virtual machines on Linux (for example for hosting purposes). Of course you can configure an external firewall, but you can also use the internal firewall (the Linux equivalent of the Windows firewall).

Step 1, check if your iptables is installed using the following command:

# yum info iptables

You should see all kind of information, make sure you see the INSTALLED parameter next to the REPO option.

Not installed? Use the following command to install iptables:

# yum install iptables

(we are not using IPV6)

Step 2 Flush all existing rules using the following command:

# iptables -F

Now all the existing firewall rules are cleared and everything is clean.

Step 3 Block null packets

We can then add a few simple firewall rules to block the most common attacks, to protect our VPS from script kiddies. We can’t really count on iptables alone to protect us from a full-scale DDoS or similar, but we can at least put off the usual network scanning bots that will eventually find our VPS and start looking for security holes to exploit. First, we start with blocking null packets.

# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Step 4 Block syn-flood packets

We told the firewall to take all incoming packets with tcp flags NONE and just DROP them. Null packets are, simply said, recon packets. The attack patterns use these to try and see how we configured the VPS and find out weaknesses. The next pattern to reject is a syn-flood attack.

# iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Step 5 Block XMAS packets

A syn-flood attack means that the attackers open a new connection but do not state what they want (i.e. SYN, ACK, whatever). They just want to take up our server’s resources. We won’t accept such packets. Now we move on to one more common pattern: XMAS packets, also a recon packet.

# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

We have ruled out at least some of the usual patterns that find vulnerabilities in our Linux environment.

Step 6 Add the localhost interface to the firewall filter

Now we can start adding selected services to our firewall filter. The first such thing is a localhost interface:

# iptables -A INPUT -i lo -j ACCEPT

We tell iptables to add (-A) a rule to the incoming (INPUT) filter chain that takes any traffic arriving on the localhost interface (-i lo) and accepts (-j ACCEPT) it. Localhost is often used for, e.g., your website or email server communicating with a locally installed database. That way our VPS can use the database, but the database is closed to exploits from the internet.

Step 7 Now we can allow web server traffic:

# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

# iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

In this example we are only allowing port 80 (HTTP) and 443 (HTTPS) to go through the firewall. Add your (custom?) ports when you need to.

Step 8 Saving the configuration

Now that we have all the configuration in, we can list the rules to see if anything is missing.

# iptables -L -n

Now we can finally save our firewall configuration:

# iptables-save | sudo tee /etc/sysconfig/iptables

The iptables configuration file on CentOS is located at /etc/sysconfig/iptables.

You can now use a portscanner to test your firewall.
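The eight steps above as one script, written as an added example for this post (not the post's own commands). It goes beyond the post in three ways a practitioner would want: the ruleset is expressed in iptables-restore format so it is applied atomically instead of rule by rule, the INPUT chain gets a DROP default policy (without it the rules above only drop the three scan patterns and everything else is still accepted), and two rules are added so that the DROP policy does not lock you out: ESTABLISHED,RELATED traffic and the SSH port, assumed to be 22 and overridable via the first argument.

```shell
#!/bin/sh
# Added example, not from the original post. Builds, checks, applies and saves
# an iptables ruleset equivalent to steps 3 to 8, plus a DROP policy, an
# ESTABLISHED/RELATED rule and an SSH rule (assumption: SSH on port 22).

# Emit the ruleset in iptables-restore format on stdout. Lines starting with
# '#' are ignored by iptables-restore, so the step comments can stay in.
build_ruleset() {
  ssh_port="${1:-22}"   # assumption: SSH listens on 22; pass another port if not
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Steps 3-5: drop NULL packets, NEW connections that are not SYN, and XMAS packets
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Step 6: loopback, so local services can talk to a local database
-A INPUT -i lo -j ACCEPT
# Added: replies to connections this host opened, and SSH so the admin keeps access
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport ${ssh_port} -j ACCEPT
# Step 7: web server traffic
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Count ACCEPT rules for a given TCP port in a ruleset read from stdin.
# Useful as a sanity check before applying: exactly one rule per allowed port.
count_port_rules() {
  grep -c -- "--dport $1 -j ACCEPT" || true
}

# Apply atomically (root required). iptables-restore replaces the whole filter
# table in one step, so there is no moment where the DROP policy is in force
# before the ACCEPT rules exist, which is the lock-out risk of running -P DROP
# by hand.
apply_ruleset() {
  build_ruleset "$1" | iptables-restore
}

# Persist to the path the post names; the iptables service reloads it at boot.
save_ruleset() {
  build_ruleset "$1" > /etc/sysconfig/iptables
}
```

Run `build_ruleset 22 | less` to review the rules, `apply_ruleset 22` to load them, then `iptables -L -n` as in step 8 and `save_ruleset 22` once you have confirmed you can still reach the host over SSH.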


Identify memory modules used on XenServer

Today a customer requested to upgrade the amount of memory on their XenServers. This is how you easily can determine which memory modules are being used.

Of course you can use iLO, but then you only see the size and location, not the specific type of (memory) module:


This is how you can identify the specific type:


In the above screendump you can see it’s a dual rank module.


Update PHP5 on Linux LAMP/WAMP

Some days ago a friend of mine asked me how it’s possible to update the PHP version to the latest stable build. Updating using the regular (web) interface didn’t seem to work…

This is how you do that:


Warning: After this you don’t have to reboot your server.


CentOS: Enable eth0

After installing CentOS you might notice that in some cases the eth0 network interface isn’t working. Here is how to fix this:

You need to edit (with nano) two files:

  1. /etc/sysconfig/network (check networking=0)
  2. /etc/sysconfig/network-scripts/ifcfg-eth0 (set IP address and boot=on)

After this you can install VMware tools also. (Check my other post)
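The two-file fix above, as an added example that is not the post's own commands. On CentOS the keys are NETWORKING=yes in /etc/sysconfig/network and ONBOOT=yes plus the address settings in ifcfg-eth0; the script sets them idempotently (replacing an existing line rather than appending a duplicate), which matters because a duplicated key silently takes the last value. The file paths default to the system ones but can be overridden for testing, and the sample addresses are from the TEST-NET range and are assumptions to be replaced.

```shell
#!/bin/sh
# Added example (not from the original post): enable eth0 on CentOS by editing
# the two sysconfig files idempotently.

# Set KEY=VALUE in a sysconfig-style file: replace an existing KEY line in
# place, otherwise append it. Other lines are preserved.
set_kv() {
  file="$1"; key="$2"; value="$3"
  touch "$file"
  tmp="${file}.tmp.$$"
  awk -v k="$key" -v v="$value" 'BEGIN { FS = OFS = "=" }
       $1 == k { $0 = k "=" v; done = 1 }
       { print }
       END { if (!done) print k "=" v }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Read the effective value of KEY from a sysconfig-style file (last match wins,
# which is how the network scripts source these files).
get_kv() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# File 1: /etc/sysconfig/network, file 2: ifcfg-eth0 with a static address.
# Arguments (all optional): network file, ifcfg file, IP address, gateway.
enable_eth0() {
  net="${1:-/etc/sysconfig/network}"
  ifcfg="${2:-/etc/sysconfig/network-scripts/ifcfg-eth0}"
  ip="${3:-192.0.2.10}"     # assumption: TEST-NET address, replace with yours
  gw="${4:-192.0.2.1}"      # assumption: TEST-NET gateway, replace with yours
  set_kv "$net"   NETWORKING yes
  set_kv "$ifcfg" DEVICE     eth0
  set_kv "$ifcfg" ONBOOT     yes
  set_kv "$ifcfg" BOOTPROTO  static
  set_kv "$ifcfg" IPADDR     "$ip"
  set_kv "$ifcfg" NETMASK    255.255.255.0
  set_kv "$ifcfg" GATEWAY    "$gw"
}

# Bring the interface up with the new configuration (root required).
restart_network() {
  service network restart
}
```

As root, run `enable_eth0` with your address and gateway, then `restart_network` and check `ip addr show eth0`.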


Installing VMware Tools on CentOS

This is how you install VMware Tools on CentOS:

Now reboot your system.
