
How to install OpenVPN Server and Client on CentOS 7

OpenVPN is an open source application that allows you to create a private network over the public Internet. OpenVPN tunnels your network connection securely through the Internet. This tutorial describes the steps to set up an OpenVPN server and client on CentOS.

Prerequisites

  • Server with CentOS 7.
  • root privileges.

What we will do in this tutorial:

  1. Enable the epel-repository in CentOS.
  2. Install openvpn, easy-rsa and iptables.
  3. Configure easy-rsa.
  4. Configure openvpn.
  5. Disable firewalld and SELinux.
  6. Configure iptables for openVPN.
  7. Start openVPN Server.
  8. Set up the OpenVPN client application.

Enable the epel-repository

sudo su
yum -y install epel-release

Install OpenVPN, easy-rsa and iptables

yum -y install openvpn easy-rsa iptables-services

Configuring easy-rsa

At this stage you will generate the keys and certificates:

  • Certificate Authority (CA)
  • Server key and certificate
  • Diffie-Hellman key
  • Client key and certificate

Step 1 – copy the easy-rsa scripts to “/etc/openvpn/”.

cp -r /usr/share/easy-rsa/ /etc/openvpn/

Then go to the easy-rsa directory and edit the vars file.

cd /etc/openvpn/easy-rsa/2.*/
vim vars

(Screenshot: editing the vars file)

Now it is time to generate the new keys and certificates for our installation.

source ./vars

Then run clean-all to ensure that we have a clean certificate setup.

./clean-all

Now generate a certificate authority (CA). You will be asked for the Country Name etc.; enter your details. See screenshot below for my values.
This command will create the files ca.crt and ca.key in the directory /etc/openvpn/easy-rsa/2.0/keys/.

./build-ca

(Screenshot: generating the CA)

Step 2 – Now generate a server key and certificate.

Run the command “build-key-server server” in the current directory:

./build-key-server server

(Screenshot: generating the server certificate and key)

Step 3 – Build the Diffie-Hellman key exchange parameters.

Execute the build-dh command:

./build-dh

(Screenshot: building the DH key)

Please wait, it will take some time to generate the files. How long depends on the KEY_SIZE setting in the vars file.

Step 4 – Generate client key and certificate.

./build-key client

(Screenshot: generating the client key and certificate)

Step 5 – Move or copy the directory `keys/` to `/etc/openvpn`.

cd /etc/openvpn/easy-rsa/2.0/
cp -r keys/ /etc/openvpn/

Configure OpenVPN

You can copy the OpenVPN configuration from /usr/share/doc/openvpn-2.3.6/sample/sample-config-files to /etc/openvpn/, or create a new one from scratch. I will create a new one:

cd /etc/openvpn/
vim server.conf

Paste the configuration below:

#change to the port you want OpenVPN to listen on
port 1337

#You can use udp or tcp
proto udp

# "dev tun" will create a routed IP tunnel.
dev tun

#Certificate Configuration

#CA certificate
ca /etc/openvpn/keys/ca.crt

#Server certificate
cert /etc/openvpn/keys/server.crt

#Server key, keep this secret
key /etc/openvpn/keys/server.key

#Diffie-Hellman parameters; the file is named after KEY_SIZE in vars, so check the actual name in /etc/openvpn/keys/ (e.g. dh2048.pem)
dh /etc/openvpn/keys/dh1024.pem

#Subnet from which clients get their internal IP once connected
server 192.168.200.0 255.255.255.0

#this line will redirect all client traffic through our OpenVPN
push "redirect-gateway def1"

#Provide DNS servers to the client, you can use Google DNS
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

#Allow multiple clients to connect with the same certificate
duplicate-cn

keepalive 20 60
comp-lzo
persist-key
persist-tun
daemon

#enable log
log-append /var/log/myvpn/openvpn.log

#Log Level
verb 3

Save it.

Create a folder for the log file.

mkdir -p /var/log/myvpn/
touch /var/log/myvpn/openvpn.log
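Before moving on, it is worth checking that server.conf actually points at files that exist and that the private key is not readable by other users. The script below is an added example, not part of the original tutorial: it reads the ca/cert/key/dh directives from a config file, verifies each file exists, checks the key's permissions, and compares the dh file name against the KEY_SIZE in easy-rsa's vars file (the tutorial's config says dh1024.pem, which only exists if vars has KEY_SIZE=1024). It assumes the absolute-path directives used above and a vars line of the form "export KEY_SIZE=...". The demo runs against a constructed directory with dummy files, not real key material.

```shell
#!/bin/sh
# Added example; not part of the original tutorial. Sanity-checks an OpenVPN
# server.conf before the service is started: the ca/cert/key/dh files it
# references must exist, the private key must not be group/world readable,
# and the dh file name must match the KEY_SIZE used in easy-rsa's vars file.

# check_openvpn_conf CONFIG VARS
# Prints one line per problem; returns 0 when clean, 1 otherwise.
check_openvpn_conf() {
    conf=$1
    vars=$2
    problems=0
    for directive in ca cert key dh; do
        # e.g. "key /etc/openvpn/keys/server.key": the path is the second field
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$path" ]; then
            echo "missing directive: $directive"
            problems=$((problems + 1))
            continue
        fi
        if [ ! -f "$path" ]; then
            echo "$directive: file not found: $path"
            problems=$((problems + 1))
            continue
        fi
        case $directive in
            key)
                # characters 5-10 of "ls -l" are the group and other permission bits
                perms=$(ls -ld "$path" | cut -c5-10)
                if [ "$perms" != "------" ]; then
                    echo "key: $path is readable by group/others (chmod 600 it)"
                    problems=$((problems + 1))
                fi
                ;;
            dh)
                # easy-rsa names the DH file after KEY_SIZE, e.g. dh2048.pem
                size=$(sed -n 's/^export KEY_SIZE=//p' "$vars")
                if [ "$(basename "$path")" != "dh${size}.pem" ]; then
                    echo "dh: $path does not match KEY_SIZE=$size in $vars"
                    problems=$((problems + 1))
                fi
                ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# make_demo_setup DIR: constructed fixture (dummy files, not real key material)
# laid out like /etc/openvpn in the tutorial, so the check can run offline.
make_demo_setup() {
    dir=$1
    mkdir -p "$dir/keys"
    for f in ca.crt server.crt server.key dh2048.pem; do
        echo "dummy" > "$dir/keys/$f"
    done
    chmod 600 "$dir/keys/server.key"
    echo 'export KEY_SIZE=2048' > "$dir/vars"
    cat > "$dir/server.conf" <<EOF
port 1337
proto udp
dev tun
ca $dir/keys/ca.crt
cert $dir/keys/server.crt
key $dir/keys/server.key
dh $dir/keys/dh2048.pem
server 192.168.200.0 255.255.255.0
EOF
}

demo=$(mktemp -d)
make_demo_setup "$demo"
check_openvpn_conf "$demo/server.conf" "$demo/vars" && echo "server.conf: OK"
# The tutorial's literal "dh1024.pem" line against a 2048-bit vars file:
sed 's/dh2048\.pem/dh1024.pem/' "$demo/server.conf" > "$demo/broken.conf"
check_openvpn_conf "$demo/broken.conf" "$demo/vars" || echo "broken.conf: problems found"
rm -rf "$demo"
```

On a real server you would call check_openvpn_conf /etc/openvpn/server.conf /etc/openvpn/easy-rsa/2.0/vars as root before running systemctl start openvpn@server; a non-zero exit means the log in /var/log/myvpn/openvpn.log would otherwise have shown a startup failure.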

Disable firewalld and SELinux

Step 1 – Disable firewalld

systemctl mask firewalld
systemctl stop firewalld

Step 2 – Disable SELinux

vim /etc/sysconfig/selinux

And change SELINUX to disabled:

SELINUX=disabled

Then reboot the server to apply the change.

Configure Routing and Iptables

Step 1 – Enable iptables

systemctl enable iptables
systemctl start iptables
iptables -F

Step 2 – Add an iptables NAT rule so that traffic from the OpenVPN subnet is masqueraded out through eth0, then save the ruleset to the file the iptables service loads at boot.

iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables

Step 3 – Enable IP forwarding.

vim /etc/sysctl.conf

Add this line at the end of the file:

net.ipv4.ip_forward = 1

Then run sysctl -p so that the setting takes effect without a reboot.

Step 4 – Start the OpenVPN server

systemctl start openvpn@server

Client Setup

To connect to the OpenVPN server, the client needs the key and certificates we created earlier; download these three files from your server using SFTP or SCP:

  • ca.crt
  • client.crt
  • client.key

If you use a Windows client, you can use WinSCP to copy the files. Afterwards create a new file called client.ovpn and paste the configuration below:

client
dev tun
proto udp

#Server IP and Port
remote 192.168.1.104 1337

resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo

(Screenshot: copying the files with SCP)

And save it.

Then download the OpenVPN client application and install it on your client computer (most likely your desktop):

  • Windows users: OpenVPN Install.
  • Mac OS users: Tunnelblick.
  • Linux users: try networkmanager-openvpn through NetworkManager, or use the terminal:

sudo openvpn --config client.ovpn

Conclusion

OpenVPN is open source software for building a shared private network that is easy to install and configure on the server. It is a solution for those who need a secure network connection over the public Internet.

PHP Warning: [eAccelerator] Can not create shared memory area in Unknown on line 0

If you are receiving the error messages

[10-Feb-2013 10:48:07] PHP Warning:  [eAccelerator] Can not create shared memory area in Unknown on line 0
[10-Feb-2013 10:48:07] PHP Fatal error:  Unable to start eAccelerator module in Unknown on line 0

then you need to make the following changes in the php.ini file.

Search for the extension lines in php.ini.
If you find a bare “extension=” (i.e. no contents after the equals sign), disable that line by commenting it out, and also search for the extension="eaccelerator.so" line and disable it the same way:
vi php.ini
;extension=
;extension="eaccelerator.so"
:wq!
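The same edit can be applied without an interactive editor, which is handy when the error appears on several hosts. The script below is an added example, not part of the original post: it comments out a bare "extension=" line and the eAccelerator extension line with ";" and writes the result to a second file, so the original can be diffed and then swapped in. The php.ini it runs against is constructed for the demo.

```shell
#!/bin/sh
# Added example; not part of the original post. Applies the php.ini edit
# described above non-interactively and writes the result to a new file.

# disable_eaccelerator IN OUT: copy IN to OUT with the two lines commented out
disable_eaccelerator() {
    awk '
        # "extension=" with nothing after the "=" makes PHP fail at startup
        /^extension=[[:space:]]*$/        { print ";" $0; next }
        # the eAccelerator module line, with or without quotes around the name
        /^extension=.*eaccelerator\.so/   { print ";" $0; next }
        { print }
    ' "$1" > "$2"
}

# count_disabled FILE: how many extension lines are now commented out
count_disabled() {
    grep -c '^;extension=' "$1" || true
}

demo=$(mktemp -d)
# constructed sample php.ini fragment for the demo
cat > "$demo/php.ini" <<'EOF'
[PHP]
extension=
extension="eaccelerator.so"
extension=mysql.so
EOF
disable_eaccelerator "$demo/php.ini" "$demo/php.ini.new"
diff "$demo/php.ini" "$demo/php.ini.new" || true   # show what changed
echo "disabled lines: $(count_disabled "$demo/php.ini.new")"
rm -rf "$demo"
```

Other extension lines (mysql.so in the demo) are left untouched; after reviewing the diff, move php.ini.new over php.ini and restart the web server or PHP-FPM.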

Done.

Now, you should not receive such error again.

Repair Linux Boot failures in Grub 2 rescue mode

GRUB 2’s ability to fix boot problems is greatly improved over the original GRUB bootloader. This article provides you with information on the options available for repairing GRUB 2 boot issues and specific instructions on how to use the GRUB 2 terminal. The instructions are written for GRUB 2.

How it looks?

There are basically three prompts (call them messages, errors or screen modes) that you can see when GRUB fails to boot.

grub: This is the screen mode you see when GRUB has found everything except the configuration file, which will normally be grub.cfg.

grub rescue: This is the mode when GRUB 2 is unable to find the grub folder or its contents are missing/corrupted. The GRUB 2 folder contains the menu, modules and stored environment data.

GRUB: Just “GRUB” and nothing else indicates that GRUB 2 failed to find even the most basic information needed to boot the system.

These are the basic errors that we see at boot. There are a few more that can appear on the screen, like a frozen splash screen, a BusyBox or initramfs prompt, or “GRUB 2 began…”.
But each of the GRUB 2 failure modes can be corrected either from the GRUB 2 terminal or from a live boot CD or DVD of the distro; there are also third-party rescue tools available.

Basic Commands available.

These are the commands that can be used once you enter GRUB 2 terminal mode by pressing “c”.

boot (Initiate the boot, also F10 or CTRL-x)

cat (view the contents of config or txt files; cat (hd0,1)/boot/grub/grub.cfg)

configfile (Load a GRUB 2 configuration file such as grub.cfg; configfile (hd0,5)/boot/grub/grub.cfg.)

initrd (Loads the initrd.img, necessary for booting; initrd (hd0,5)/initrd.img.)

insmod (Loads a module; insmod (hd0,5)/boot/grub/normal.mod, or insmod normal.)

linux (Loads the kernel; linux /vmlinuz root=(hd0,5) ro.)

loopback (Mount a file as a device; loopback loop (hd0,2)/iso/my.iso.)

ls (lists the contents of a partition/folder; ls, ls /boot/grub, ls (hd0,5)/, ls (hd0,5)/boot.)

lsmod (List loaded modules.)

normal (Activate the normal module, if loaded.)

search (Search for a device. Type help search for the available options.)

set (Review current settings, or set XXX to set a variable such as colors, prefix, root.)

vbeinfo (Display GRUB 2 available resolutions.)

The Rescue Shell.

If you get a rescue shell, this usually means that GRUB failed to load the “normal” module for some reason. It may be possible to work around this temporarily: for instance, if the reason for the failure is that “prefix” is wrong (perhaps it refers to the wrong device, or perhaps the path to “/boot/grub” was not correctly made relative to the device), then you can correct this and enter normal mode manually. First inspect the current prefix (and other preset variables):

set

You will probably have an output more or less like this:

Your output may differ but you get the information required. Find out which devices are available:

ls

Set to the correct value, which might be something like this:

set prefix=(hd0,1)/grub

(this has to be done according to your own drive name)

set root=(hd0,1)

(this has to be performed according to your own drive name.)

insmod normal
normal

The above commands will get you out of rescue mode into normal terminal mode, which has more commands and increased functionality.
After the above commands you can go ahead and load the kernel.

insmod linux
linux /vmlinuz root=/dev/sdXY ro

(if this doesn’t work try this)

linux /boot/vmlinuz-3.2.0-14-generic root=/dev/sda1 ro

(optional)

initrd /initrd.img

(Selects the initrd image.)

boot

After Booting in to the system.

Update the grub config file.

sudo update-grub

Reinstallation of grub on the device:

sudo grub-install /dev/sdX

This should do it for the rescue part, and your system should be up and running. If not, you can save yourself all the trouble by using Boot Repair, a tool that repairs your complete boot menu. It can be downloaded directly and used as a live boot CD or DVD. Here is the download link.

 

Startup Applications: automatic execution of the most used programs during every user login

During every login or bootup, the OS performs a number of tasks in the background to get the OS up and running and ready to be used. Customization in a Linux OS like Ubuntu is very easy and allows a user to add any number of “custom” tasks or programs that the system performs every time the user logs in or boots up the OS.

We can choose a certain number of tasks to be automated, thereby reducing the user's repetitive work to quite an extent. The tasks that can be automated include running a certain program like a custom system check that the user might want to view, running applications like the web browser with certain predefined websites, or automating system control programs that need to run at each bootup or login. Ubuntu makes this kind of automation very simple by providing a GUI tool called “Startup Applications”.

Though this may provide a lot of convenience, it is important not to overuse this feature. Users might face problems when a large number of tasks are selected to be automated; the main problem is a slow system at startup. Hence, it is very important NOT to over-utilise this functionality and to automate only the most required or most used tasks.

So let’s begin. First thing to do is to open the Startup Applications. To do so, in the desktop Dash, type

Startup Applications

as shown in the image below.

(Screenshot: Ubuntu Desktop Dash showing Startup Applications)

Click on the “Startup Applications” icon, and the Startup Applications window opens. It will look similar to the image below. Note that you might have a different set of entries in your window than the ones that can be seen in the image below.

(Screenshot: the Startup Applications Preferences window)

Once this is open, we can start with the automation of tasks. This post will demonstrate some of the tasks, but many other tasks that are important to you can be added the same way. So here are a few examples:

1 Starting a browser with a predefined web page

Every Ubuntu release ships with Firefox. We can use it to open websites that we check regularly. For example, I like to read Linux news on the website “lxer.com”. To open this website every time, click on the Add button on the upper right side of the Startup Applications window.

Another window opens. In the new window, type the following in the command field:

firefox "http://www.lxer.com"

Fill out the name as well and use the comment field to describe your new task. An example is shown in the image below. Once that is done, click on the “Add” button and you will see an entry named “lexr Linux news” (in this case) in the Startup Applications window.

(Screenshot: the Add Startup Program dialog)

This way, a browser can be opened automatically with any website or search query. For example, if the first thing you do is check the stock market, then you can click “Add” and enter the command to go directly to a trading website. Example:

firefox "NASDAQ"

2 Running system management functions automatically

Certain system management functions or programs need to be started each time a user logs in. Consider the system overheating experienced by many Ubuntu users. In this case, most users install a tool called “TLP”, and in many cases TLP does not start on its own automatically. Rather than running it manually each time, Startup Applications can be used to run it automatically by following similar steps. So, click on the “Add” button and use the following command in the command field:

sudo tlp start

For the name and the comment field, refer to the image below:

(Screenshot: adding the “sudo tlp start” entry)

Unlike the first example, in the TLP example the program starts in the background and is not visible to the user. In this way, a user can start a variety of background processes automatically that relate to system management functions.

3 Starting system monitoring programs

System monitoring programs are those that monitor and report on the various functions of the system. An example can be a program to monitor broadband bandwidth consumption, or a custom program written by you to monitor system features like CPU temperature or CPU utilisation, etc. These programs also run in the background, but unlike the previous TLP-type example, they can be brought to the foreground either by using icons on the top taskbar or an icon on the side taskbar. The procedure is the same as in the two examples above: click on the “Add” button of the Startup Applications window and enter the command to run it. An example would be a CPU frequency and scaling monitor. The image below shows an example; the user is also allowed to enter options along with the command.

(Screenshot: the Edit Startup Program dialog)

4 Editing and removing an automated task

There will be times when an automated task might no longer be needed or you might want to change the website that is loaded. In such cases, you would want to edit or remove the task. There might be situations when you have installed a program that automatically starts by itself and whose entry then can be found in the startup application window. Even that can be removed or edited.

  • To edit a task, select the task to be edited and click on the “Edit” button on the right side of the Startup Applications window. Make the changes in the window that opens.
  • To remove a task, select the task to be removed and click on the “Remove” button. Please note that some of the edited or removed tasks might require a reboot to apply the changes.
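Startup Applications stores each entry as a .desktop file under ~/.config/autostart, and whatever is on its Exec= line runs at every login, so the list is also worth reviewing from time to time with the same eye you would give any persistence location. The script below is an added example, not part of the original article: it prints every autostart entry and flags two patterns that deserve a second look, commands given without an absolute path (resolved through PATH at login time) and commands run through sudo, which has no terminal to ask for a password at login and therefore only works with a NOPASSWD sudoers rule (otherwise the entry silently does nothing). The three entries it audits are constructed for the demo, modelled on the examples above.

```shell
#!/bin/sh
# Added example; not part of the original article. Audits the per-user
# autostart directory that Startup Applications writes to.

# desktop_field FILE KEY: print the value of the first "KEY=value" line
desktop_field() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# audit_autostart DIR: one tab-separated line per entry: verdict, name, command
audit_autostart() {
    for f in "$1"/*.desktop; do
        [ -f "$f" ] || continue
        name=$(desktop_field "$f" Name)
        cmd=$(desktop_field "$f" Exec)
        verdict=OK
        # the first word of Exec= is the program that will be run
        case "${cmd%% *}" in
            sudo|*/sudo) verdict="FLAGGED: sudo at login needs a NOPASSWD rule" ;;
            /*)          ;;   # absolute path: nothing to flag
            *)           verdict="FLAGGED: relative command, resolved via PATH" ;;
        esac
        # Hidden=true means the entry is disabled in the GUI but still present
        if [ "$(desktop_field "$f" Hidden)" = true ]; then
            verdict="$verdict (disabled)"
        fi
        printf '%s\t%s\t%s\n' "$verdict" "$name" "$cmd"
    done
}

# count_flagged DIR: number of entries whose verdict starts with FLAGGED
count_flagged() {
    audit_autostart "$1" | grep -c '^FLAGGED' || true
}

# make_demo_autostart DIR: write three constructed entries modelled on the
# examples in the article (a browser page, "sudo tlp start", a monitor tool)
make_demo_autostart() {
    mkdir -p "$1"
    printf '[Desktop Entry]\nType=Application\nName=lxer Linux news\nExec=/usr/bin/firefox http://www.lxer.com\n' > "$1/lxer.desktop"
    printf '[Desktop Entry]\nType=Application\nName=TLP\nExec=sudo tlp start\n' > "$1/tlp.desktop"
    printf '[Desktop Entry]\nType=Application\nName=CPU monitor\nExec=my-cpu-monitor --tray\n' > "$1/monitor.desktop"
}

demo=$(mktemp -d)
make_demo_autostart "$demo/autostart"
audit_autostart "$demo/autostart"
echo "flagged entries: $(count_flagged "$demo/autostart")"
rm -rf "$demo"
```

On a real desktop run audit_autostart "$HOME/.config/autostart"; entries you did not add yourself (the article notes that installed programs can register their own) are the ones to read carefully.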

Conclusion

We have seen how we can automate many user-defined tasks to make our job a little bit simpler. The tasks might belong to one of the types shown above or be something completely different, but if a task is repetitive, it can be automated. Startup Applications is indeed useful when it comes to running multiple tasks. Still, this feature should not be overused.

 

What is CloudLinux?

Reaching a high level of stability can be difficult, sometimes unachievable, for many shared hosting companies. Sudden resource usage spikes, increases in traffic, and hacker attacks are some of the problems system administrators cope with every day. For years, this has been accepted as a cost of doing business. It costs money, it costs time and, more importantly, it costs customer trust. Therefore, it is time to consider changing the underlying OS to eliminate those costs.


CloudLinux was released to the market in 2010. Today, it is a must-have for any web host who cares about stability, security, and churn. It is used by more than 2,000 hosting companies on 20,000+ servers. CloudLinux is interchangeable with CentOS so any SysAdmin will feel right at home. Yet, it was specifically optimized for shared hosting. Web hosts that use CloudLinux report higher uptime, significant improvements in density (as much as 5x), a 4x decrease in the number of reboots, and a 10x decrease in the number of account suspensions they have to perform. It has also produced a significant decrease in churn for a number of customers.

The software is made specifically for web hosts running the cPanel control panel with multiple accounts. If you are a shared host, or a design company that has to host sites on behalf of clients, CloudLinux is your friend.

CloudLinux + cPanel =

 

  • Improved stability by limiting the resources any single user can consume
    In shared hosting, the most common reason for downtime is a single account slowing down other accounts on the server. Using cPanel & WHM software with CloudLinux utilizes innovative Lightweight Virtual Environment (LVE) technology, improving the density and stability of your shared hosting environment for all tenants.
  • Advanced server security
    With unique CageFS technology, CloudLinux encapsulates each customer, preventing users from seeing each other and viewing sensitive information. It also prevents a large number of attacks, including most privilege escalation and information disclosure attacks.
  • Increased server efficiency
    By monitoring and containing resource spikes, CloudLinux eliminates the need to leave server resources idle, providing you with the ability to host twice as many accounts on your cPanel & WHM server.
  • Multiple PHP versions
    Using CloudLinux together with cPanel & WHM software gives your customers the flexibility to choose the PHP version that they need. This includes versions 4.4, 5.2, 5.3, 5.4, and 5.5 as well as more than 50 PHP extensions and the ability to adjust php.ini settings.
  • Hardened kernel
    The shared hosting environment is unlike any other and the CloudLinux kernel takes that into account. It can protect against symlink attacks and trace exploits, while restricting the visibility of ProcFS to only what is necessary — making your cPanel & WHM servers more secure.
  • Admin interface within cPanel & WHM software to easily manage account usage
    Within cPanel & WHM, CloudLinux gives you and your clients the visibility and accessibility to see and control the exact resource usage of each website.

What value does offering CloudLinux bring to my cPanel clients?

As a cPanel Partner NOC, you can quickly activate CloudLinux via Manage2. You will be able to sell and license CloudLinux as well as receive a consolidated bill for both cPanel & WHM and CloudLinux. License configuration is available through our On-Demand license system via API or the Web.

Integrated Support

Because we highly value your immediate needs, we’re providing direct Enterprise, Priority, and Complimentary support for CloudLinux in the exact same fashion that we do for our core products. We’ve also integrated the CloudLinux support team into our ticket system to provide you with the best possible experience. Single-source support means that you will always receive our best for your web hosting services. You will also be entitled to submit tickets to CloudLinux support directly.

Integration with CloudLinux gives you a great opportunity to purchase its solutions at a discounted price and resell it to your customers. It also means using all the privileges of its Partner Program:

  • Additional revenue opportunities with excellent margins
  • Automated ordering through our API
  • Easy-to-use, IP-based licensing
  • Marketing support and content
  • Participation in joint press releases
  • Access to the Partner Portal
  • Unlimited 24/7 dedicated support, including elevation to developers, if required
  • Full set of materials, marketing assistance, and sales aids for successful promotion. CloudLinux is a devoted partner, committed to helping you grow your own business with all necessary marketing and sales tools.
  • Less downtime, more stability, and happier customers for shared hosts. This means faster growth and increased server use. As your customers’ servers become more stable, you can expect them to contact your support less frequently.
  • 24/7 dedicated technical support for your customers, removing some of the burden associated with dealing with OS-related issues. You don’t have to worry about anything — the highest level of our support service will satisfy even the most demanding client.

How to install and configure PrestaShop on Ubuntu 14.04

Version 1.0

This document describes how to install and configure PrestaShop on Ubuntu 14.04. PrestaShop is a free, open source e-commerce solution. It supports payment gateways such as DirecPay, Google Checkout, Authorize.Net, Skrill, PayPal, PayPal Payments Pro (Direct) and EBANX Checkout via their respective APIs. Further payment modules are offered commercially.

PrestaShop is available under the Open Software License and officially launched in August 2007. The software, which is written in PHP and based on the Smarty template engine, is currently used by 165,000 shops worldwide. MySQL is the default database engine. PrestaShop is the winner of the 2010 and 2011 Best Open-source Business Application awards.

I do not issue any guarantee that this will work for you!

1 Preliminary Note

This tutorial is based on an Ubuntu 14.04 server, so you should set up a basic Ubuntu 14.04 server installation before you continue with this tutorial. The system should have a static IP address. I use 192.168.0.100 as my IP address in this tutorial and server1.example.com as the hostname. You must have a LAMP server installed on Ubuntu 14.04, as described in that tutorial, to continue further.

2 Download

Download the PrestaShop package:

cd /tmp
wget http://www.prestashop.com/download/old/prestashop_1.6.0.9.zip

apt-get install unzip

Extract the archive into the /var/www/html folder:

unzip prestashop_1.6.0.9.zip -d /var/www/html/

Set the appropriate ownership on the PrestaShop directory, as follows:

chown -R www-data:www-data /var/www/html/prestashop/

3 Database initialization

We need a database for PrestaShop; I will create it as follows:

mysql -u root -p

Here we are adding database=prestashopdb user=prestashopuser and password=prestashoppassword:

CREATE DATABASE prestashopdb;
CREATE USER prestashopuser@localhost IDENTIFIED BY 'prestashoppassword';
GRANT ALL PRIVILEGES ON prestashopdb.* TO prestashopuser@localhost;

Further moving ahead:

FLUSH PRIVILEGES;
exit

Restart services

service apache2 restart
service mysql restart

4 Web installation of PrestaShop

Now we will proceed with the PrestaShop web installation. Open a browser of your choice and open the link http://192.168.0.100/prestashop/install

Select your language and press Next:

Select the check-box for accepting terms and conditions. Press Next:

Here the setup will check your system requirements for PrestaShop. Press Next:

 

Now fill the entries as per your choice, as in my case I am using:

Shop name  :  Test-prestashop (Any name of your choice)
Main Activity  :  Computer and hardware ( As per your choice and requirement)
Country  :  Germany (Any value as per your choice)
First Name  :  Srijan (Any value as per your choice)
Last Name  :  Kishore (Any value as per your choice)
Shop password  :  howtoforge (Any value as per your choice)

Next we need to give the details of the database to be used by PrestaShop; enter the values for the database created on your system. In my case I will be using these values:

Database server address  :  localhost
Database name  :  prestashopdb
Database login  :  prestashopuser
Database password  :  prestashoppassword
Table prefix  :  ps_ (or any value of your choice)

After entering the values, press "Test your database connection now":

It will check the connectivity, after successful connection press Next:

It will initiate the installation.

The above screenshot shows the successful PrestaShop installation.

Next we need to remove the installation folder to proceed further, as follows:

rm -r /var/www/html/prestashop/install/

5 PrestaShop optimization

We can access the backend admin page of PrestaShop at URL http://192.168.0.100/prestashop/admin3403/index.php:

Put the credentials as selected at the time of installation. In my case it was admin@example.com and howtoforge.

It will be your default welcome screen.

Next, go to ADVANCED PARAMETERS, press Clear cache, and within CACHING select Use cache: YES, then press Save:

Now we are ready for the frontend, we can access it at http://192.168.0.100/prestashop/index.php:

Congratulations! You now have a fully functional PrestaShop instance on Ubuntu 14.04 :)

6 Links

What is a virtual server

A Virtual Server

Introduction

Whenever one opens up a web account through an Internet Service Provider, a lot of software-related services are provided. For instance, an account can come with the databases which are needed (such as SQL Server or MySQL); the programming languages needed to develop a website (such as ASP.NET, PHP, Perl, etc.); the tools which are needed to create e-mail accounts; as well as an entire array of other software packages (such as for creating an e-commerce store, or various Content Management Systems like Joomla, WordPress, Drupal, DotNetNuke, etc.).

All of these software services come to the end user via a Control Panel. This gives one the ability to manage all of these software services through one central point, and gives the look and feel of having your own server. This results in the image of actually owning a real server, with your own dedicated hardware. However, what you are really owning is what is known as a ‘Virtual Server’.

The Definition Of A Virtual Server

In order to create a Virtual Server, only one actual, physical server is used. Using specialized software, this physical server is then divided, or partitioned into multiple virtual servers. It is from within the virtual server that all of the software packages, as described up above, are installed, and available to the end user. More specifically, a virtual server can be defined as a server which shares computer resources and processing power with other virtual servers, and thus, is not a dedicated server.

One of the key components of a virtual server is the ability of it to use pooled (or shared) resources. This ‘pooling effect’ has a lot of strategic advantages to it, which are as follows:

  1. It greatly simplifies the entire network infrastructure, because of the reduced amount of actual, physical servers which are required;
  2. Software applications can be deployed quickly, which results in much greater performance and allows for software services to be available on demand;
  3. It helps to drastically reduce IT expenditures, which translates into lower costs for the business as well as the end user;
  4. Power consumption of the physical server can be distributed and used much more efficiently.

The Hypervisor

The ability of virtual servers to share resources amongst one another is provided by the ‘hypervisor’. This mechanism is actually a software program which allows the virtual servers to access the physical server’s Central Processing Unit (CPU). In order for a physical server to host virtual servers, it must have at least 6 to 12 CPU cores, in order to effectively allocate the RAM, disk, and network input/output resources.

Of course, the more CPU cores within the physical server the better, in order to ensure consistent performance across the spectrum of virtual servers which reside in it. Also, more CPU cores allow for virtual server expansion without incurring any downtime whatsoever.

Virtual Server Schemes

There are four types of virtualization schemes which are available today:

  1. Full virtualization: Under this scheme, the hypervisor is needed to work directly with the resources of the physical server, as well as the operating system of each virtual server. The hypervisor ensures that each virtual server remains as its own entity, and also that the appropriate processing power is distributed to each virtual server;
  2. Para virtualization: With this scheme, the virtual servers are ‘aware’ of each other’s existence, and as a result, there is less dependency upon the hypervisor to monitor and allocate the appropriate amount of processing power needed by the virtual servers;
  3. Operating System (OS) Level Virtualization: With this, the hypervisor is not needed. Rather, the same type and kind of OS is used by all of the virtual servers. This is also known as a ‘homogenous virtualization environment’.
  4. LDAP Virtual Directories: This type of directory structure is used to create both Internet and Intranet related applications. This is done by sharing critical information as it relates to the business enterprise. This includes data about the employees, systems, services, and other IT components as it is made available throughout the entire corporate network.

Very often, there is confusion between an LDAP Virtual Directory and a database. The LDAP Virtual Directory gives you the additional tools, or methods, in which to update, add, or remove objects (such as the ones just described up above) from a directory tree structure. It is the database which gives you access to the LDAP Virtual Server, from which you can query the data about the objects.

Because a virtual directory presents one view over many stores, it offers a number of advantages:

  1. Greatly simplifying a business's IT infrastructure;
  2. Much more efficient management of valuable IT resources;
  3. A substantial reduction in the Total Cost of Ownership (TCO);
  4. Effective reporting of usage, with regards to IT metrics.

The following are typical situations in which an LDAP Virtual Directory is used:

  1. During business merger and acquisition activity:

When business ownership changes hands, it can be very difficult to consolidate the IT assets of two (or more) organizations into one unified entity. An LDAP Virtual Directory offers a quick fix, because it can present a unified view of several IT infrastructures while they still exist separately;

  2. Consolidating multiple repositories of data:

Businesses typically spread their information across many repositories, for reasons such as security, differing data formats and compliance. An LDAP Virtual Directory can merge all of these repositories into one view in real time, which helps the CEO/CIO/CFO make sound business decisions;

  3. Rapid deployment of applications:

Because it provides a unified view of all the data repositories within a business, applications can be built against one interface rather than against every store individually, and can be built quickly and dynamically. This simplifies coding and QA testing, saving the business time and considerable IT expense;

  4. Preventing data leakage:

One of the key security policies in any business is to give each employee just enough access to IT resources to perform their job (the principle of least privilege). If an employee is given too much access, 'data leakage' can occur: an application (a database query, say) returns more confidential data than the employee needs to know. An LDAP Virtual Directory reduces this risk because access is granted through the directory only when and where it is needed, and because it serves data from the source rather than replicating it into multiple copies around the business, each of which would need its own access controls;

  5. A single point of administration:

Running multiple data repositories normally means maintaining multiple views through which the information is queried and accessed. That is a burden for security and a large administrative burden, which costs the business money. An LDAP Virtual Directory removes the need for multiple views, because a single view (and single point of administration) can be created quickly and easily.

How to whitelist an IP in Fail2ban on Debian Wheezy

Fail2ban protects servers against brute-force attacks: it watches log files for repeated failures and inserts iptables rules that block the offending source addresses. If there is an address that must never be blocked (your own workstation, a monitoring host, a management VPN range), add it to the ignoreip whitelist in the configuration file.

First, edit the configuration file:

vi /etc/fail2ban/jail.conf

(On Debian, jail.conf is replaced when the fail2ban package is upgraded. If the setting has to survive upgrades, put the same line in the [DEFAULT] section of /etc/fail2ban/jail.local, which overrides jail.conf.)

Then find this line in the [DEFAULT] section:

ignoreip = 127.0.0.1/8

Add the addresses you want never to be banned, separated by spaces. Each entry is a single IP address or a range in CIDR notation (a DNS host name is also accepted). Keep the 127.0.0.1/8 that is there by default, otherwise fail2ban may start banning localhost. Ex: 127.0.0.1/8 192.168.0.1 192.168.5.0/24. Note that the prefix length matters: 192.168.5.0/24 covers the whole subnet, whereas 192.168.5.0/32 would match only the single address 192.168.5.0.

Save. And restart Fail2Ban:

service fail2ban restart

That’s all.
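Before relying on the whitelist it is worth checking that the entries you wrote actually cover the hosts you care about, since a wrong prefix length locks you out just as effectively as no entry at all. The script below is an added example for this page, not part of Fail2ban: it parses an ignoreip list in plain POSIX sh (IPv4 addresses and CIDR ranges only; the DNS host names Fail2ban also accepts are not handled), reports whether given hosts would be ignored, and prints the matching jail.local fragment. The whitelist value is the tutorial's two entries with the range written as a /24; the hosts tested against it are made up.

```sh
#!/bin/sh
# Added example: check what a fail2ban `ignoreip` list really covers.
# Not part of fail2ban; IPv4 only. Hostnames are reported as invalid here.

# Dotted quad -> 32-bit integer on stdout. Returns 1 on anything that is
# not four decimal octets 0..255 (leading zeros are rejected as ambiguous).
ip2int() {
  local o
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*|????*|0?*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Is $1 inside entry $2 ("a.b.c.d" or "a.b.c.d/N")?  0 = yes, 1 = no,
# 2 = the entry is malformed.
ip_in_entry() {
  local ip="$1" entry="$2" net bits ipn netn mask
  case "$entry" in
    */*) net=${entry%%/*} bits=${entry#*/} ;;
    *)   net=$entry bits=32 ;;          # a bare address is a /32
  esac
  case "$bits" in ''|*[!0-9]*|???*|0?*) return 2 ;; esac
  [ "$bits" -le 32 ] || return 2
  ipn=$(ip2int "$ip")   || return 2
  netn=$(ip2int "$net") || return 2
  if [ "$bits" -eq 0 ]; then mask=0
  else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi   # 4294967295 = 0xFFFFFFFF
  [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# Would fail2ban ignore host $1 given the space-separated list $2?
ip_ignored() {
  local ip="$1" e
  for e in $2; do
    ip_in_entry "$ip" "$e" && return 0
  done
  return 1
}

# Reject a list containing an entry that is not an address or CIDR range.
ignoreip_valid() {
  local e
  for e in $1; do
    ip_in_entry 0.0.0.0 "$e" || [ $? -ne 2 ] || return 1
  done
  return 0
}

# The jail.local fragment for the list, keeping fail2ban's default
# 127.0.0.1/8 so localhost is never banned.
render_jail_local() {
  ignoreip_valid "$1" || return 1
  printf '[DEFAULT]\nignoreip = 127.0.0.1/8 %s\n' "$1"
}

WHITELIST="192.168.0.1 192.168.5.0/24"   # tutorial entries, range as a /24
for host in 192.168.0.1 192.168.5.77 192.168.6.1; do   # constructed test hosts
  if ip_ignored "$host" "$WHITELIST"; then echo "$host: never banned"
  else echo "$host: can be banned"; fi
done
# A /32 covers exactly one address, so this does not whitelist the subnet:
ip_ignored 192.168.5.77 "192.168.5.0/32" || echo "192.168.5.77 is NOT covered by 192.168.5.0/32"
# When run over ssh, make sure the address you are connected from is covered.
if [ -n "${SSH_CLIENT:-}" ]; then
  me=${SSH_CLIENT%% *}
  ip_ignored "$me" "$WHITELIST" || echo "WARNING: this session ($me) is not whitelisted"
fi
render_jail_local "$WHITELIST"
```

Run it on the server you are about to protect; if the WARNING line appears, fix the whitelist before restarting fail2ban, because the first mistyped password from that session will then ban you.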

 

How to create a jailed ssh user with Jailkit on Debian Wheezy

This document describes how to install and configure Jailkit on a Debian Wheezy server. Jailkit is a set of utilities that confine user accounts to a chroot() directory tree and/or to specific commands. Setting up a chrooted shell, a shell limited to a few specific commands, or a daemon running inside a chroot jail is much easier, and can be automated, with these utilities.

Jailkit is known to be used in network security appliances from several leading IT security firms, internet servers from several large enterprise organizations, internet servers from internet service providers, as well as many smaller companies and private users that need to secure cvs, sftp, shell or daemon processes.

1 Preliminary Note

This tutorial is based on a Debian 7.6 server, so set up a basic Debian 7.6 installation before you continue. The system should have a static IP address; I use 192.168.0.100 as the IP address and server1.example.com as the hostname in this tutorial.

2 Install Jailkit

We will first download and build Jailkit. At the time of writing, the latest available version is 2.17. The download below is over plain HTTP, so compare the tarball against whatever checksum or signature the project publishes before building it. Download and unpack it as follows:

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.17.tar.gz
tar xvfz jailkit-2.17.tar.gz
cd jailkit-2.17

Jailkit requires some packages before its installation, we will install them as follows:

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold python

Now build the Debian package and install it:

./debian/rules binary
cd ..
dpkg -i jailkit_2.17-1_amd64.deb

This installs Jailkit; the build tree and tarball in /tmp can now be removed:

rm -rf /tmp/jailkit*

3 Jailing a user

Now we will create  a user which will be jailed using Jailkit as:

adduser srijan

root@server1:~# adduser srijan
Adding user `srijan' ...
Adding new group `srijan' (1001) ...
Adding new user `srijan' (1001) with group `srijan' ...
Creating home directory `/home/srijan' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: <-- password
Retype new UNIX password: <-- password
passwd: password updated successfully
Changing the user information for srijan
Enter the new value, or press ENTER for the default
Full Name []: <-- ENTER
Room Number []: <-- ENTER
Work Phone []: <-- ENTER
Home Phone []: <-- ENTER
Other []: <-- ENTER
Is the information correct? [Y/n] <-- Y
root@server1:~#

In my case I am creating the user srijan, you can use any name.

Next we will check the information about user srijan in /etc/passwd as:

egrep srijan /etc/passwd

root@server1:/tmp# egrep srijan /etc/passwd
srijan:x:1001:1001:,,,:/home/srijan:/bin/bash
root@server1:/tmp#

Next we will jail the user. Create the directory that will become the jail root. It must stay owned by root and must not be writable by group or others: jk_chrootsh refuses to enter a jail that is, and a jail root the user could write to would let them replace the files the chroot tools trust:

mkdir /jail

Now populate the jail with the programs and libraries of a few predefined sets (a basic shell, network utilities, the jk_lsh limited shell, openvpn, ssh and sftp):

jk_init -v /jail netutils basicshell jk_lsh openvpn ssh sftp

Other sets are available; they are defined, together with the files each one copies into the jail, in the file

nano /etc/jailkit/jk_init.ini

The jail is now ready; move the user into it (-m moves the existing home directory into the jail):

jk_jailuser -m -j /jail/ srijan

Again check the values in /etc/passwd for user srijan:

egrep srijan /etc/passwd

root@server1:/tmp# egrep srijan /etc/passwd
srijan:x:1001:1001:,,,:/jail/./home/srijan:/usr/sbin/jk_chrootsh
root@server1:/tmp#

The home directory now lives under the jail and the login shell is jk_chrootsh, which performs the chroot() and then executes the shell named in the jail's own copy of passwd. Let us try to log in over ssh to the server's IP 192.168.0.100:

ssh srijan@192.168.0.100

root@server1:~$ ssh srijan@192.168.0.100
The authenticity of host ‘192.168.0.100 (192.168.0.100)’ can’t be established.
ECDSA key fingerprint is 3d:ca:91:67:96:39:15:b4:0f:6e:c8:2c:92:ef:25:d7.
Are you sure you want to continue connecting (yes/no)? yes
srijan@192.168.0.100’s password:
Linux server1 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Connection to 192.168.0.100 closed.
root@server1:~$

The session closes immediately because jk_jailuser gave srijan /usr/sbin/jk_lsh as the shell inside the jail. jk_lsh is a limited shell that only executes commands listed for the user in /jail/etc/jailkit/jk_lsh.ini, and nothing is listed, so an interactive login has nothing to run. To give the user a real shell inside the jail, edit the jail's own passwd file:

nano /jail/etc/passwd

root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
#srijan:x:1001:1001:,,,:/home/srijan:/usr/sbin/jk_lsh
srijan:x:1001:1001:,,,:/home/srijan:/bin/bash

This gives the jailed user /bin/bash, which the basicshell set copied into the jail earlier, as its shell. Log in again as srijan and the session stays open:

ssh srijan@192.168.0.100

Now look at the root directory: only the jail's contents are visible, not the host's file system:

ls /

srijan@server1:~$ ls /
bin  dev  etc  home  lib  lib64  usr
srijan@server1:~$

4 Running services and commands in Jailed environment

A jail can also hold services. To start a daemon inside the jail, use jk_chrootlaunch, which performs the chroot(), drops to the given user and then runs the executable:

jk_chrootlaunch -j /jail -u srijan -x 'service apache2 start'

Here the Apache service is started. Whatever you launch this way must already exist inside the jail (the executable, its libraries and configuration, copied in with jk_cp or jk_init), because the path is resolved relative to the jail root, not the host.

To make a single extra command available inside the jail, copy it in with jk_cp, which also brings along the shared libraries the binary links against. For example, cal is not in the jail yet; running it there gives:

cal

srijan@server1:~$ cal
bash: cal: command not found
srijan@server1:~$

The jail does not contain cal. Copy it in from the host (as root, outside the jail):

jk_cp  -v -j /jail/ /usr/bin/cal

root@server1:~# jk_cp  -v -j /jail/ /usr/bin/cal
Creating symlink /jail/usr/bin/cal to ncal
Copying /usr/bin/ncal to /jail/usr/bin/ncal
Creating symlink /jail/lib/x86_64-linux-gnu/libncurses.so.5 to libncurses.so.5.9
Copying /lib/x86_64-linux-gnu/libncurses.so.5.9 to /jail/lib/x86_64-linux-gnu/libncurses.so.5.9
/jail/lib/x86_64-linux-gnu/libtinfo.so.5 already exists, will not touch it
/jail/lib/x86_64-linux-gnu/libc.so.6 already exists, will not touch it
/jail/lib/x86_64-linux-gnu/libdl.so.2 already exists, will not touch it
/jail/lib64/ld-linux-x86-64.so.2 already exists, will not touch it
/jail/lib/x86_64-linux-gnu/libtinfo.so.5 already exists, will not touch it
/jail/lib/x86_64-linux-gnu/libc.so.6 already exists, will not touch it
/jail/lib/x86_64-linux-gnu/libdl.so.2 already exists, will not touch it
/jail/lib64/ld-linux-x86-64.so.2 already exists, will not touch it
root@server1:~#

Again run the cal command in Jailed environment:

cal

srijan@server1:~$ cal
September 2014
Su Mo Tu We Th Fr Sa
1  2  3  4  5  6
7  8  9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30

srijan@server1:~$

The command is now available inside the jail. Congratulations! You have successfully configured a Jailkit chroot environment on Debian Wheezy :)

5 Links