Sometimes sar can return errors complaining about an invalid system activity file such as:
sar Invalid system activity file: /var/log/sysstat/sa03
It can be resolved by:
rm /var/log/sysstat/sa03 /etc/init.d/sysstat start * Starting the system activity data collector sadc [ OK ]
Now if you rerun sar, you should see the stats output starting to populate:
sar Linux 3.2.0-83-virtual (web01) 04/03/2014 _x86_64_ (8 CPU)
Enabling the MySQL slow query log is extremely useful for finding out which queries are taking too long to execute, and either needs a table index created, or perhaps the query itself may need to be rewritten a bit more efficiently.
But oftentimes, it is forgotten that this log file can grow very large, and it needs to be rotated out. Below is a very quick and easy way to setup log rotation for the MySQL slow query logs:
vim /etc/logrotate.d/mysqllogs
/var/lib/mysql/slow-log {
missingok
rotate 2
size 125M
create 640 mysql mysql
}
That last line is critical. The file must be recreated with the owner and group set to ‘mysql’, otherwise, MySQL will not have permissions to write to that file.
Some cloud servers do not come with swap. There are many arguments about why this is a good thing, and other arguments as to why it is bad. However sometimes you just want that extra buffer for one reason or another. So here is a quick way to add a 2G swap file to an existing cloud server:
Create the initial 2G file
mkdir /opt/swapfiles touch /opt/swapfiles/2G-swap dd if=/dev/zero of=/opt/swapfiles/2G-swap bs=1024 count=2097152
Now set it up to be swap, and enable it:
mkswap /opt/swapfiles/2G-swap chmod 600 /opt/swapfiles/2G-swap swapon /opt/swapfiles/2G-swap
Set it in /etc/fstab so it will persist across reboots
vi /etc/fstab # Add /opt/swapfiles/2G-swap none swap sw 0 0
Confirm your vm.swappiness is not set to 0:
vi /etc/sysctl.conf # Change vm.swappiness = 0 # To vm.swappiness = 10
Finally, update the sysctl without having to reboot:
sysctl vm.swappiness=10
You can confirm the swap space is now active by:
free -h
total used free shared buffers cached
Mem: 990M 905M 85M 43M 124M 527M
-/+ buffers/cache: 253M 736M
Swap: 2.0G 0B 2.0G
The purpose of this post is to show how you can enable SSL termination on an existing cloud load balancer through the API. Using the API will allow you to script deployments so you can avoid having to use the control panel. This also provides you the building blocks for understanding deployment automation.
This guide will show you how to enable SSL termination on an existing cloud load balancer as described in my previous post: Rackspace Cloud API – Create cloud load balancers
Feel free to review http://docs.rackspace.com for learning about all the possible operations that can be done through the API.
In this example, we are going to enable SSL termination on an existing cloud load balancer called lb.example.com. The domain we are load balancing is www.example.com. Please note that enabling SSL termination on a Rackspace cloud load balancer costs more then a regular cloud load balancer!
SPECIAL NOTE: I advise against using SSL termination if you are passing any PII (personally identifiable information) or other sensitive data through the cloud load balancer to the Cloud server. The transmission will only be encrypted from the clients browser to the load balancer. From there, the cloud load balancer will send the request in clear text through the rackspace network to your cloud server.
When working with the API, I like to use a tool called httpie to simplify things a bit. You can install this by:
yum install httpie
Now that we have httpie installed, lets get an auth token from the API:
echo '{"auth": {"RAX-KSKEY:apiKeyCredentials": {"username": "YOUR_USERNAME","apiKey":"YOUR_API_KEY"}}}' | http post https://identity.api.rackspacecloud.com/v2.0/tokens
The token you need will be listed next to “id” field as shown below
"token": {
"expires": "2013-07-09T23:17:08.634-05:00",
"id": "2334aasdf5555j3hfhd22245dhsr",
"tenant": {
"id": "123456",
"name": "123456"
To simplify things moving forward, we will set some local variables that we’ll use when communicating with the API:
export token="YOUR_API_TOKEN_RECEIVED_ABOVE" export account="YOUR_RACKSPACE_CLOUD_ACCOUNT_NUMBER" export lb_endpoint="https://ord.loadbalancers.api.rackspacecloud.com/v1.0"
NOTE: Change the endpoints region accordingly (ord or dfw).
For the purposes of this guide, we will be creating a self signed SSL certificate. In production environments, you will want to purchase a SSL certificate through a CA.
We will create our self signed SSL certificate by using the openssl command:
openssl req -x509 -nodes -newkey rsa:2048 -keyout example.com.tmp.key -out example.com.cert -days 1825 Generating a 2048 bit RSA private key ........+++ .....................................+++ writing new private key to 'example.com.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:California Locality Name (eg, city) []: Los Angeles Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company LLC Organizational Unit Name (eg, section) []:IT Common Name (e.g. server FQDN or YOUR name) []:*.example.com Email Address []:
Now we must covert the key so the API will be able to use it:
openssl rsa -in example.com.tmp.key -out example.com.key rm -f example.com.tmp.key
Format the key and cert so it is more friendly for the API. Be sure to save the output as we will need it for the next step:
while read line; do echo -n "$line\n"; done < example.com.key while read line; do echo -n "$line\n"; done < example.com.cert
Now, lets setup the json file that contains our certificate information:
cat << EOF > example.com.cert.json
{
"certificate":"-----BEGIN CERTIFICATE-----\nMIIblahblahblahblah\n-----END CERTIFICATE-----",
"enabled":true,
"secureTrafficOnly":false,
"privatekey":"-----BEGIN RSA PRIVATE KEY-----\nMIICWblahblahblahblah\n-----END RSA PRIVATE KEY-----",
"intermediateCertificate":"",
"securePort":443}
EOF
Finally, lets execute the json file to enable SSL on your pre-existing cloud load balancer:
http put $lb_endpoint/$account/loadbalancers/YOUR_CLOUD_LOAD_BALANCER_ID/ssltermination X-Auth-Token:$token @example.com.cert.json
SSL termination on your existing load balancer has now been enabled.
The purpose of this post is to show how you can build Rackspace cloud load balancers using the API. Building via the API will allow you to script deployments so you can avoid having to use the control panel. This also provides you the building blocks for understanding deployment automation.
This guide will only show you how to create a cloud load balancer. Feel free to review http://docs.rackspace.com for learning about all the possible operations that can be done through the API.
In this example, we are going to deploy a single cloud load balancer called lb.example.com that will be directing HTTP traffic to two web servers:
test01.example.com test02.example.com
When working with the API, I like to use a tool called httpie to simplify things a bit. You can install this by:
yum install httpie
Now that we have httpie installed, lets get an auth token from the API:
echo '{"auth": {"RAX-KSKEY:apiKeyCredentials": {"username": "YOUR_USERNAME","apiKey":"YOUR_API_KEY"}}}' | http post https://identity.api.rackspacecloud.com/v2.0/tokens
The token you need will be listed next to “id” field as shown below
"token": {
"expires": "2013-07-09T23:17:08.634-05:00",
"id": "2334aasdf5555j3hfhd22245dhsr",
"tenant": {
"id": "123456",
"name": "123456"
To simplify things moving forward, we will set some local variables that we’ll use when communicating with the API:
export token="YOUR_API_TOKEN_RECEIVED_ABOVE" export account="YOUR_RACKSPACE_CLOUD_ACCOUNT_NUMBER" export lb_endpoint="https://ord.loadbalancers.api.rackspacecloud.com/v1.0"
NOTE: Change the endpoints region accordingly (ord or dfw).
Lets prep a json file that we’ll be using to build the cloud load balancer:
cat << EOF > lb.example.com.json
{
"loadBalancer": {
"name": "lb.example.com",
"port": 80,
"protocol": "HTTP",
"virtualIps": [
{
"type": "PUBLIC"
}
],
"nodes": [
{
"address": "10.123.123.121",
"port": 80,
"condition": "ENABLED"
}
]
}
}
EOF
Now we execute the build by:
http post $lb_endpoint/$account/loadbalancers X-Auth-Token:$token @lb.example.com.json
This will return the VIP and id of the new load balancer as shown below:
"address": "123.123.123.123",
"id": 123456,
"name": "lb.example.com",
For the purposes of this guide, I left out adding the second server initially. So here is how we can add it to the load balancer so it will route traffic between test01.example.com and test02.example.com. First create a json file that contains test02.example.com:
cat << EOF > nodes.json
{"nodes": [
{
"address": "10.123.123.123",
"port": 80,
"condition": "ENABLED",
"type":"PRIMARY"
}
]
}
EOF
Now add this node to the load balancer:
http post $lb_endpoint/$account/loadbalancers/149275/nodes X-Auth-Token:$token @nodes.json
And your done! You can verify everything looks correct by running:
http get $lb_endpoint/$account/loadbalancers/YOUR_LOAD_BALANCER_ID X-Auth-Token:$token
The purpose of this post is to show how you can build Rackspace Next Generation cloud servers using the API. Building via the API will allow you to script server builds so you can avoid having to use the control panel. This also provides you the building blocks for understanding deployment automation.
This guide will only show you how to create a cloud server. Feel free to review http://docs.rackspace.com for learning about all the possible operations that can be done through the API.
In this example, we are going to build 2 512M CentOS 6.4 Cloud Servers via the Rackspace Cloud API. The servers will be named:
test01.example.com test02.example.com
When working with the API, I like to use a tool called httpie to simplify things a bit. You can install this by:
yum install httpie
Now that we have httpie installed, lets get an auth token from the API:
echo '{"auth": {"RAX-KSKEY:apiKeyCredentials": {"username": "YOUR_USERNAME","apiKey":"YOUR_API_KEY"}}}' | http post https://identity.api.rackspacecloud.com/v2.0/tokens
The token you need will be listed next to “id” field as shown below
"token": {
"expires": "2013-07-09T23:17:08.634-05:00",
"id": "2334aasdf5555j3hfhd22245dhsr",
"tenant": {
"id": "123456",
"name": "123456"
To simplify things moving forward, we will set some local variables that we’ll use when communicating with the API:
export token="YOUR_API_TOKEN_RECEIVED_ABOVE" export account="YOUR_RACKSPACE_CLOUD_ACCOUNT_NUMBER" export endpoint="https://ord.servers.api.rackspacecloud.com/v2/"
NOTE: Change the endpoints region accordingly (ord or dfw).
Now, lets see what images are available. I’m looking for a CentOS 6.4 image:
http get $endpoint/$account/images/detail X-Auth-Token:$token
The id of the CentOS 6.4 image in this case is:
"id": "e0ed4adb-3a00-433e-a0ac-a51f1bc1ea3d",
We wanted a 512M server, so we must find the flavors id:
http get $endpoint/$account/flavors X-Auth-Token:$token
This shows that the 512M flavor has the id of:
"id": "2",
All the information has been collected. Time to prep 2 json files that we’ll be using to build the 2 servers:
cat << EOF > test01.example.com.json
{
"server" : {
"name" : "test01.example.com",
"imageRef" : "e0ed4adb-3a00-433e-a0ac-a51f1bc1ea3d",
"flavorRef" : "2"
}
}
EOF
cat << EOF > test02.example.com.json
{
"server" : {
"name" : "test02.example.com",
"imageRef" : "e0ed4adb-3a00-433e-a0ac-a51f1bc1ea3d",
"flavorRef" : "2"
}
}
EOF
Finally, we have everything we need to begin the builds. Execute the build by:
http post $endpoint/$account/servers @test01.example.com.json X-Auth-Token:$token http post $endpoint/$account/servers @test02.example.com.json X-Auth-Token:$token
When you run each POST statement above, 2 fields will be returned by the API. Be sure to record these somewhere:
– adminPass : This is your servers root password
– id : This is your servers id number that will be referenced next.
A new server is not useful without knowing its IP address. After a few minutes pass, you can retrieve the IP address by running:
http get $endpoint/$account/servers/YOUR_SERVER_ID X-Auth-Token:$token http get $endpoint/$account/servers/YOUR_OTHER_SERVER_ID X-Auth-Token:$token
The 2 relevant fields you will need for this example are posted below:
"accessIPv4": "123.123.123.123",
"addr": "10.123.123.123",
Now you can SSH into your server using the IP and admin password that have been returned by the API.
Following on my previous articles, there are several good malware detection tools out there. These scanners help notify you of malware, hopefully before your clients notify you. Some of the common ones include:
chkrootkit
Linux Malware Detect (maldet)
rkhunter
Each have their own strong points, and they certainly compliment each other nicely when using them together depending on the solutions security strategy.
Rkhunter is similar in nature to chkrootkit, and I feel that both complement each other nicely. Taken from wikipedia’s page:
rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online database, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.
Procedure
On CentOS systems, rkhunter can be installed from the EPEL repositories. If you do not have EPEL installed, you can get it setup by:
Installing rkhunter is pretty straight forward as shown below:
# CentOS 5 / RedHat 5 [root@web01 ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm [root@web01 ~]# yum install rkhunter mailx # CentOS 6 / RedHat 6 [root@web01 ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm [root@web01 ~]# yum install rkhunter mailx # CentOS 7 / RedHat 7 [root@web01 ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm [root@web01 ~]# yum install rkhunter mailx # Ubuntu / Debian [root@web01 ~]# apt-get update [root@web01 ~]# apt-get install rkhunter mailutils
Now that the installation is out of the way, lets configure rkhunter to send email if warning is found during scan:
[root@web01 ~]# vim /etc/rkhunter.conf # Change MAIL-ON-WARNING="" # To MAIL-ON-WARNING="[email protected]"
Now fetch the latest updates, create a baseline, and run a on-demand scan:
[root@web01 ~]# rkhunter --update [root@web01 ~]# rkhunter --propupd [root@web01 ~]# rkhunter -sk -c
On CentOS and RHEL, configure cron so this runs automatically:
First, confirm the cronjob exists:
[root@web01 ~]# cat /etc/cron.daily/rkhunter
Now, update the rkhunter configuration with your email address so you can receive the nightly reports:
[root@web01 ~]# vi /etc/sysconfig/rkhunter # Change MAILTO=root@localhost # To [email protected]
On Ubuntu based systems, confirm the cronjob exists:
[root@web01 ~]# cat /etc/cron.daily/rkhunter
Now, update the rkhunter configuration with your email address so you can receive the nightly reports:
[root@web01 ~]# vi /etc/default/rkhunter # Change APT_AUTOGEN="false" REPORT_EMAIL="root" # To APT_AUTOGEN="true" REPORT_EMAIL="[email protected]"
NOTE: See https://help.ubuntu.com/community/RKhunter for more information about APT_AUTOGEN.
Following on my previous articles, there are several good malware detection tools out there. These scanners help notify you of malware, hopefully before your clients notify you. Some of the common ones include:
chkrootkit
Linux Malware Detect (maldet)
rkhunter
Each have their own strong points, and they certainly compliment each other nicely when using them together depending on the solutions security strategy.
Maldet happens to be one of the more useful tools I use often for checking suspected compromised servers. This scanner is a very in depth tool that is great at locating backdoors within binaries and website content, as well as other malicious tools. Below is a quick introduction for installing and configuring Maldet, as well as setting up a nightly cron job.
Procedure
As a prerequisite to have Maldet’s utilize ClamAV’s engine, install ClamAV. This will significantly speed up the scan time, and it should be considered a hard requirement:
# CentOS / RedHat [root@web01 ~]# yum install clamav # Ubuntu / Debian [root@web01 ~]# apt-get install clamav
Then install it from source by:
[root@web01 ~]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz [root@web01 ~]# tar -xf maldetect-current.tar.gz [root@web01 ~]# cd maldetect-* [root@web01 ~]# ./install.sh
Now you can run the scan. You could run the scan against the / directory, but depending on how much data you have, this could take hours or days. Normally I use this tool to check my website documentroot’s as I have other tools installed to monitor other parts of my system. So assuming our website content is in /var/www, here is how you scan that directory:
[root@web01 ~]# maldet -u [root@web01 ~]# maldet --scan-all /var/www
If you would like to scan the entire server, which is good to do if you suspect you have been compromised, then you can run:
[root@web01 ~]# maldet --scan-all /
To setup a nightly cronjob, scanning your content and emailing you a report if something is found, first we need to modify the conf.maldet file as follows:
[root@web01 ~]# vi /usr/local/maldetect/conf.maldet ... email_alert=1 email_addr="[email protected]" ...
Maldet automatically installs a cronjob for this, and you can feel free to modify /etc/cron.daily/maldet to your liking. However I prefer to remove it and setup my own. Please choose whatever works best for your needs. Here is one method:
[root@web01 ~]# rm /etc/cron.daily/maldet [root@web01 ~]# crontab -e ... 32 3 * * * /usr/local/maldetect/maldet -d -u ; /usr/local/maldetect/maldet --scan-all /var/www ...
Now if maldet detects anything that flags as malware, it will send you a report via email for you to investigate.
If you are like me and want Maldet to send you daily reports via email regardless of if it found something or not, then simply setup the following cron job:
[root@web01 ~]# rm /etc/cron.daily/maldet [root@web01 ~]# crontab -e ... 32 3 * * * /usr/local/maldetect/maldet -d -u ; /usr/local/maldetect/maldet --scan-all /var/www | mail -s "Maldet Report : INSERT_HOSTNAME_HERE" [email protected] ...
The reports will look similar to the following:
Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks
(C) 2015, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(18252): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX / 0 USER)
maldet(18252): {scan} building file list for /var/www, this might take awhile...
maldet(18252): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(18252): {scan} file list completed in 35s, found 278654 files...
maldet(18252): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(18252): {scan} scan of /var/www (278654 files) in progress...
maldet(18252): {scan} scan completed on /var/www: files 278654, malware hits 0, cleaned hits 0, time 2355s
maldet(18252): {scan} scan report saved, to view run: maldet --report 151111-0420.12250
Imagine one day you get a phone call from one of your customers. Great, a sale! Nope, just kidding! They are calling to tell you that your site has been hacked. What do you say? How did they find out before you did?
This is a scenario that every sysadmin dreads. How can you prevent something like this? A good defense in depth security strategy goes a long way in preventing this. This includes, WAF’s, firewalls, file integrity monitoring, IDS, two factor authentication, ASV scanning, event management, etc, etc.
The more layers you have, the better chance you have at either mitigating the attack, or being notified of the compromise shortly after it happens so you can react quickly and not have your clients inform you of the problem.
Below is another layer you can add: chkrootkit
Taken from the following wikipedia article (http://en.wikipedia.org/wiki/Chkrootkit):
chkrootkit (Check Rootkit) is a common Unix-based program intended to help system administrators check their system for known rootkits. It is a shell script using common UNIX/Linux tools like the strings and grep commands to search core system programs for signatures and for comparing a traversal of the /proc filesystem with the output of the ps (process status) command to look for discrepancies.
The document below will outline how to install and configure it for CentOS and Ubuntu, including how to run this nightly and email you the report for review.
Procedure
Installing chkrootkit is pretty straight forward as shown below:
# CentOS 5 / RedHat 5 [root@web01 ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm [root@web01 ~]# yum install chkrootkit mailx # CentOS 6 / RedHat 6 [root@web01 ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm [root@web01 ~]# yum install chkrootkit mailx # CentOS 7 / RedHat 7 [root@web01 ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm [root@web01 ~]# yum install chkrootkit mailx # Ubuntu / Debian [root@web01 ~]# apt-get update [root@web01 ~]# apt-get install chkrootkit mailutils
Perform a one time scan by running:
[root@web01 ~]# chkrootkit
Finally, lets setup a nightly cronjob and receive the report via email for review:
[root@web01 ~]# crontab -e 12 3 * * * /usr/sbin/chkrootkit | mail -s "chkrootkit Report : hostname.yourservername.com" [email protected]
Keep in mind that just setting up these tools doesn’t take care of the problem itself. The sysadmin needs to actively review any and all logs, software, etc. So with this tool and any security tool, identify false positives early on and exclude them from your reports so they are easier to read. This will help malware from slipping through the cracks of your logs and daily reports.
Several more articles will be following this in a series of sorts for malware detection. Each performs essentially the same function, but they go about it in different ways, each having their own benefits. Find the one(s) that work best for your solution.
chkrootkit
Linux Malware Detect (maldet)
rkhunter
Coming up with a secure and cost effective backup solution can be a daunting task as there are many considerations that much be taken into account. Some of the more basic items to think about are:
- Where to store your backups? - Is the storage medium redundant? - How will data retention will handled? - How will the data at rest be encrypted?
A tool that I prefer for performing encrypted, bandwidth efficient backups to a variety of remote backends such as Rackspace Cloud Files, Amazon S3, and many others is Duplicity.
Taken from Duplicity’s site, (http://duplicity.nongnu.org), Duplicity back directories by producing encrypted tar-format volumes and uploading them to a remote or local file server. Because duplicity uses librsync, the incremental archives are space efficient and only record the parts of files that have changed since the last backup. Because duplicity uses GnuPG to encrypt and/or sign these archives, they will be safe from spying and/or modification by the server.
Duplicity-manager was created to act as a wrapper script for the tasks I commonly perform with Duplicity.
Features
- Simple invocation from cron for nightly backups. - All in one script for performing backups, restores, searching for content from specific time period. - Provides an optional menu driven interface to make backups as painless as possible.
Configuration
The currently configurable options are listed below:
# Configuring either Rackspace Cloud Files or Amazon S3 backends # List of directories to backup INCLUDE_LIST=( /etc /var/www /var/lib/mysqlbackup ) # GPG Passphrase for encrypting data at rest # You can use the following to generate a decent GPG passphrase, just be sure # to store it someone secure off this server. # < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c64 export PASSPHRASE=YOUR_PASSPHRASE # Backup Retention retention_type=remove-older-than retention_max=14D # Number of full backups to keep (alternative to above) # retention_type=remove-all-but-n-full # retention_max=3 # Force Full Backup Every XX Days full_backup_days=7D # Restore Directory restore=/tmp
Usage
./duplicity-manager.sh Options: --backup: runs a normal backup based off retention settings --backup-force-full: forces a full backup --list-files [age]: lists the files currently stored in backups --restore-all [age]: restores everything to restore directory --restore-single [age] [path]: restores a specific file/dir to restore directory --show-backups: lists full and incremental backups in the archive --menu: user friendly menu driven interface Examples: duplicity-manager.sh --list-files 0D Lists the most recent files in archive duplicity-manager.sh --restore-all 2D Restores everything from 2 days ago duplicity-manager.sh --restore-single 0D var/www/ Restores /var/www from latest backup
Implementation
Download script to desired directory and set it to be executable:
# Linux based systems cd /root git clone https://github.com/stephenlang/duplicity-manager
After configuring the tunables in the script (see above), create a cron job to execute the script one a day:
# Linux based systems crontab -e 10 3 * * * /root/duplicity-manager/duplicity-manager.sh
As with any backup solution, it is critical that you test your backups often to ensure your data is recoverable in the event a restore is needed.