Posts Tagged ‘centos’

Great post: “My First 5 Minutes On A Server; Or, Essential Security for Linux Servers” and how to auto-update packages on CentOS6

March 4, 2013

From Hacker News: My First 5 Minutes On A Server; Or, Essential Security for Linux Servers.

Covers configuring public key auth, fail2ban, auto updates and a few more things.

Configure roll back:
Before you implement an auto update feature, you should look into configuring rollback.

Since I always use CentOS and never deb*, I don’t use apt-get, but yum.

1) Configure yum:

echo tsflags=repackage >> /etc/yum.conf
echo "%_repackage_all_erasures 1" >> /etc/rpm/macros

2) Usage examples:

rpm -Uhv --rollback 'last Monday'
rpm -Uhv --rollback '2 hours ago'
rpm -Uhv --rollback '10 Jan 2007 16:30'
rpm -Uhv --rollback 'march 17'
rpm -Uhv --rollback '9:00 am'
rpm -Uhv --rollback '4:30 pm last Monday'
rpm -Uhv --rollback 'yesterday'

NOTE: the --rollback option was removed from rpm starting in 4.6.0, as it was deemed “too unreliable to be generally useful.”

3) Additionally, the following allows you to roll back to a specific version of a package:

yum downgrade [package name]

Configure auto update in yum:

1) Install and configure yum-cron:

yum -y install yum-cron
chkconfig yum-cron on
service yum-cron start

2) To adjust how yum-cron behaves, edit these files:

/etc/cron.daily/0yum.cron
/etc/yum/yum-daily.yum #script run daily by 0yum.cron
/etc/yum/yum-weekly.yum #script run weekly by 0yum.cron
/etc/sysconfig/yum-cron

Completely disable IPv6 in CentOS6

September 18, 2012

All of these are fun and good, but none really disables IPv6. What you are usually concerned with is your NICs not being configured for IPv6, but if you really want to disable IPv6… well… disable IPv6:

In /etc/grub.conf edit the kernel lines to include:

ipv6.disable=1

The “trick” here, as described by TrevorH1 in #linux, is that programs can still load the module as they wish. You can check this by running lsmod or modprobe -l; you will still see the ipv6.ko kernel module. This allows user mode programs to access the kernel module in their code (so they don’t crash), but as far as the kernel is concerned ipv6.disable=1, so the kernel doesn’t really allow much to get through it.

And that’s it. IPv6 is disabled on your box… but if you want to disable a variety of fun things that you might find when seeking to disable IPv6…

In /etc/sysctl.conf change/create entries:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

In /etc/sysconfig/network change/create entries:

NETWORKING_IPV6=no
IPV6INIT=no

In /etc/modprobe.d/blacklist.conf change/create entries:

blacklist net-pf-10
blacklist ipv6

Disable iptables for IPv6:

service ip6tables stop
chkconfig ip6tables off

Disable ipv6 completely:

echo "install ipv6 /bin/true" > /etc/modprobe.d/ipv6_disabled.conf
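
To confirm that a host (or a mounted image) actually carries every setting listed above, the checks can be scripted. This is an added example, not part of the original post: the function names and the sample tree are constructed, and it inspects configuration files only, not the running kernel or the ip6tables service state.

```shell
#!/bin/sh
# Added example, not from the original post: file-based audit of the IPv6
# settings listed above. Function names and the sample tree are constructed.

missing=0
s='[[:space:]]*'

# need ROOT PATH ERE: report when no line of ROOT/PATH matches ERE.
# PATH is unquoted on purpose so the modprobe.d glob expands.
need() {
    grep -Eqs "^$s$3$s\$" "$1"$2 || { printf 'MISSING in %s: %s\n' "$2" "$3"; missing=$((missing + 1)); }
}

# ipv6_audit [ROOT]: succeeds only if every setting from the post is present.
ipv6_audit() {
    root=${1:-/}; root=${root%/}; missing=0
    k="^${s}kernel[[:space:]]"; g="$root/etc/grub.conf"
    # Each kernel line must carry the flag; one stale boot entry re-enables IPv6.
    if ! grep -Eqs "$k" "$g" || grep -E "$k" "$g" | grep -Evq 'ipv6\.disable=1([[:space:]]|$)'; then
        echo "MISSING in /etc/grub.conf: ipv6.disable=1 on every kernel line"; missing=$((missing + 1))
    fi
    for scope in all default; do
        need "$root" /etc/sysctl.conf "net\.ipv6\.conf\.$scope\.disable_ipv6$s=${s}1"
    done
    for key in NETWORKING_IPV6 IPV6INIT; do
        need "$root" /etc/sysconfig/network "$key=no"
    done
    for rule in 'blacklist net-pf-10' 'blacklist ipv6' 'install ipv6 /bin/true'; do
        need "$root" '/etc/modprobe.d/*.conf' "$rule"
    done
    [ "$missing" -eq 0 ]
}

# make_sample_tree DIR: write a constructed tree that follows the post.
make_sample_tree() {
    mkdir -p "$1/etc/sysconfig" "$1/etc/modprobe.d"
    echo '    kernel /vmlinuz ro root=/dev/sda1 ipv6.disable=1' > "$1/etc/grub.conf"
    printf '%s\n' 'net.ipv6.conf.all.disable_ipv6 = 1' \
        'net.ipv6.conf.default.disable_ipv6 = 1' > "$1/etc/sysctl.conf"
    printf '%s\n' 'NETWORKING_IPV6=no' 'IPV6INIT=no' > "$1/etc/sysconfig/network"
    printf '%s\n' 'blacklist net-pf-10' 'blacklist ipv6' > "$1/etc/modprobe.d/blacklist.conf"
    echo 'install ipv6 /bin/true' > "$1/etc/modprobe.d/ipv6_disabled.conf"
}

demo=$(mktemp -d) && make_sample_tree "$demo"
ipv6_audit "$demo" && echo "sample tree: all settings present"
rm -rf "$demo"
```

Run `ipv6_audit` with no argument to check the live system, or pass a directory to check an image mounted elsewhere.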

CentOS el6 configure a dummy NIC and set up a network bridge

It’s encouraged that you test, but this will work.

In order to have the kernel pass all packets that are received on the NIC through the stack, you must configure a NIC bridge. If you do not do this and the NIC attempts to pass packets destined for an IP that isn’t routable (out of a different interface) or living on the box, the kernel will drop the packet, regardless of whether the NIC is in promiscuous mode.

[09:31] == mbrownnyc [gateway/web/freenode/] has joined #Netfilter
[09:36] <whaffle> It is perfectly valid to have a "half-bridge" with only a single interface in it.
[09:37] <whaffle> Promisc mode will cause packets with {a dst MAC address that does not equal the interface's MAC address} to be delivered from the NIC into the kernel nevertheless.
[09:39] <whaffle> Furthermore, the linux kernel itself has a check for {packets with a non-local MAC address}, so that packets that will not enter a bridge will be discarded as well, even in the face of PROMISC.

Troubleshoot mail delivery with postfix

April 18, 2012

Who saw this post coming?

Tail the log file:

tail -f /var/log/maillog

Review the queue:

mailq

Read emails:

postcat -q [ID of mail item from mailq]

Clear the queue:

postsuper -d ALL

Send a test message:

echo $(netstat -apn | grep :) | mail -v -s "$(date)" root

Install and configure postfix to just relay Email to an external server

April 18, 2012

SELinux and Samba, file context tagging for reading by apache and samba

March 16, 2012

Needing to implement Samba primarily for the remote backup of data is a very common thing. But with SELinux, it can seem difficult, especially when dealing with different process domains.

Install, configure, and use ntop to monitor traffic

December 19, 2011
Note that this write up is old and not for ntopng. You probably want ntopng.

If you like ntop, you might like flow-inspector, an up and coming open source project. Leveraging d3.js to render flow statistics, it is a very useful tool to quickly get flow information, utilizing a variety of visualization techniques. flow-inspector can use argus, VERMONT, and Bro IDS connection logs (and soon snmp connection stats) as flow sources.


This is a work in progress:

  • testing has not yet been done.
  • Problem installing libgts, hence graphviz (updated December 22nd)

This is in complement to a previous post about the iptables module that is a Netflow generator, ipt_NETFLOW.

The current goal of this project is to use a switch to mirror traffic to a box with a single NIC, generate Netflow data for the packets, direct them back to the same box where ntop sits. This is the latter portion of that… installing, configuring, and using ntop to gather data on network traffic.

Holistically, the final goal of the project is to produce useful information; produce a report on source and destinations, which should help identify “abnormal” network traffic.
