Archive

Load Balancing with DNS

Introduction:

A DNS based approach is a classical approach to sharing the load between multiple servers. DNS responds to domain name look-up requests issued by clients and returns the corresponding IP address.

DNS is an Internet service that translates domain names into IP addresses. Domain names are alphabetic and easy for humans to remember, e.g. www.yourcompany.com, but information on the Internet is delivered using IP addresses. Every time a URL that contains a domain name is used, DNS translates the name into an IP address. For example, www.yourcompany.com might be translated into 128.1.1.1.

The basic idea of DNS load sharing is to associate several IP addresses with a single host name. When the DNS responds to a request, it returns the whole list of addresses to the client. The addresses are then used in a round-robin or load-sharing fashion, thus providing some form of load balancing.

Three types of DNS load sharing techniques will be examined here. These are as follows:

  • Backup Server via Redirected Secondary DNS
  • Load Sharing with Round Robin DNS
  • Dynamic Load Balancing DNS (dlbDNS)

Backup Server via Redirected Secondary DNS

This is the simplest of the DNS configuration options. It allows you to create a backup server for the primary web server, by taking advantage of the fact that all domain names have at least two nominated name servers – a primary name server and a secondary name server – from which their IP address may be determined.

Ordinarily, both name servers hold a record for the name of the web server with the same IP address. For example

www.yourcompany.com. IN A 128.1.1.1

However, there is no reason why the web server cannot be the primary name server for itself. If we set up two identical servers, we can make the web server its own primary name server and give the secondary server a different IP address for the web server. For example:

www.yourcompany.com. IN A 128.1.1.1
www.yourcompany.com. IN A 128.1.1.2

The IP address of the web server is requested by other name servers directly from the web server’s own DNS service. If, for any reason, the web server fails, the primary name server will no longer be available and DNS requests will be redirected to the secondary name server. This returns the IP address of the backup server rather than the primary server, so client requests will succeed.

It should be noted that with this approach, no provision is made for load sharing. The backup server is never accessed until the primary server becomes unavailable, no matter how busy it might be. Note that unavailable means totally unavailable. For example, if the httpd daemon crashes but the machine is still capable of DNS resolution, the switch from primary server to secondary server will not occur.

Load Sharing with Round Robin DNS:

One of the most common implementations of DNS is the Berkeley Internet Name Domain (BIND). It allows address records (A records) to be duplicated for a specific host, each with a different IP address. The name server then rotates the order of the addresses for any name that has multiple A records; this is known as DNS round robin.

As an example, your company has three web servers. Their real names and IP addresses are as follows:

www.yourcompany.com 128.1.1.1
www.yourcompany.com 128.1.1.2
www.yourcompany.com 128.1.1.3

You want to set up the servers so that DNS requests by clients (in this case, web server access) are round robin rotated. This is accomplished by placing multiple A records in the authoritative name server files.

For the above example, we want all clients to access our site by using www.yourcompany.com, but we want these requests to be shared between our three servers using DNS round robin. To do so, we need to place the following A records in the name server file:

www.yourcompany.com. IN A 128.1.1.1
www.yourcompany.com. IN A 128.1.1.2
www.yourcompany.com. IN A 128.1.1.3

Note the ‘.’ after the name www.yourcompany.com on each A record. This is mandatory.

A Time To Live (TTL) field is often added to the A records. The TTL value is the maximum time for which the returned information should be treated as reliable. By setting the TTL to a fairly small value, e.g. 60 seconds, the effectiveness of the distribution can be maximized. An even lower value may be specified, but this causes more DNS traffic as caches refresh: it improves the load sharing on the web servers at the expense of increasing the load on the name server.

www.yourcompany.com. 60 IN A 128.1.1.1
www.yourcompany.com. 60 IN A 128.1.1.2
www.yourcompany.com. 60 IN A 128.1.1.3

When a DNS request for an IP address is received, BIND returns one of the IP addresses and makes a note of it. The next request will then return the next IP address in the file and so on until the last one, after which BIND returns to the first address again.

Advantages of DNS Round Robin:

An obvious advantage of using DNS Round Robin for load distribution is that it is seamless to the user. It is also simple and cost-effective to implement. It is standard software in most systems or else may be obtained at no or low cost. For this reason, it is very effective for small to medium size businesses or organisations and it is extremely popular among ISPs, e-commerce sites, universities and other cost sensitive sites.

Disadvantages of DNS Round Robin:

It should be noted that DNS is a load sharing mechanism rather than a load balancing mechanism. It does not gauge the “load” on the server in any way, but rather it shares the load among multiple hosts. One or more of the hosts in the pool will tend to get more activity than the other servers. DNS Round Robin should be quite effective up to about 10 servers per virtual cluster.

DNS has no way of detecting physical failure, e.g. when the hard disk on server2 (www2) fails. As requests come in for www.yourcompany.com, DNS will continue to send one out of every three of them to www2, where they fail. Effectively, 33% of all requests to www.yourcompany.com are now connecting to a black hole. This is an improvement over having just one web server and losing all requests to a hardware failure, but only to a certain degree.

It is very common for a computer to request data from the same host several times in any given session. It is also common for many hosts at the same site to make requests to the same servers. Usually, these requests are made to a local name server, which in turn asks another name server to resolve the domain. In order to minimize network traffic these responses are cached, possibly on each name server along the way. This helps the network respond quickly to domain name resolution, but it can also defeat the round-robin load distribution.

However, this caching problem may be mitigated by using the TTL value. The protocol requires that local and intermediate DNS servers drop these entries from their cache when the TTL runs out. Most systems, such as Solaris, NT and Linux (and others), support BIND 4.9 and later versions. DNS round robin supports pools of servers for any application, not just web servers. Pools of web, email, FTP, database and other servers can all be set up to load share using DNS.
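To make the caching and failure behaviour above concrete, here is a small simulation, added here and not part of the original article, of a round-robin name server sitting behind one caching resolver. The host name and addresses are the article's own; the request spacing and the "dead" server are constructed.

```python
from collections import Counter

# Constructed zone data: the three A records from the example above.
ZONE_ADDRESSES = ["128.1.1.1", "128.1.1.2", "128.1.1.3"]


class RoundRobinNameServer:
    """Authoritative server that hands out the whole address list but rotates
    its order on every query, as the text describes BIND doing. It has no idea
    whether any of the addresses is actually reachable."""

    def __init__(self, addresses, ttl):
        self.addresses = list(addresses)
        self.ttl = ttl
        self.offset = 0

    def query(self):
        k = self.offset
        self.offset = (k + 1) % len(self.addresses)
        return self.ttl, self.addresses[k:] + self.addresses[:k]


class CachingResolver:
    """Local or intermediate resolver that reuses an answer until its TTL
    expires, which is the behaviour that can defeat round robin."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.expires_at = None
        self.cached = None

    def resolve(self, now):
        if self.cached is not None and now < self.expires_at:
            return self.cached
        ttl, addresses = self.upstream.query()
        self.expires_at = now + ttl
        self.cached = addresses
        return addresses


def simulate(requests, interval, ttl, dead=()):
    """Issue `requests` lookups, `interval` seconds apart, through one caching
    resolver in front of a round-robin server with the given TTL. Clients use
    the first address returned. Returns (hits per address, failed requests);
    addresses in `dead` model a server whose disk has failed: DNS still hands
    it out, so those connections go to the black hole the text describes."""
    resolver = CachingResolver(RoundRobinNameServer(ZONE_ADDRESSES, ttl))
    hits, failed = Counter(), 0
    for i in range(requests):
        first = resolver.resolve(now=i * interval)[0]
        hits[first] += 1
        if first in dead:
            failed += 1
    return dict(hits), failed


if __name__ == "__main__":
    # One busy site behind one cache with a long TTL: every request lands on
    # the same server, so round robin gives no distribution at all.
    print(simulate(300, interval=1, ttl=3600))
    # A 60-second TTL forces the cache to refresh, and the load spreads again.
    print(simulate(300, interval=1, ttl=60))
    # Requests spaced one TTL apart rotate perfectly, but a dead server still
    # receives its third of them.
    print(simulate(300, interval=60, ttl=60, dead={"128.1.1.2"}))
```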

Dynamic Load Balancing DNS: dlbDNS

Another approach to solving the problem of network traffic congestion is to add a dynamic load balancing feature to the existing DNS.

Distributing a request across servers can be implemented by monitoring the servers regularly and directing the request dynamically to the ‘best server’. This way of dynamically directing a request across multiple servers based on the server load is called dynamic load balancing. This feature can be added to the pre-existing DNS, as it already plays a prominent role in resolving client requests and can be configured to direct client requests across multiple servers in an effort to avoid network traffic congestion. Here, the ‘best server’ refers to the server with the best rating, based on a rating algorithm.

There are several load balancing models available. The model implemented by dlbDNS is an internal monitoring system, which monitors the performance of the servers and provides feedback to the DNS. It is easy to maintain and administer. Other advantages include closeness to the source of addressable problems and no security hazards.

As there are several load balancing models available, there are also a number of load balancing algorithms available. The rating algorithm implemented in dlbDNS, which determines the best server, is based on the number of users and the load average reported by each server. The algorithm is reasonable, as it favors the host(s) with the smallest number of unique logins and the lowest load averages.

The Server-Side Algorithm is added to the pre-existing DNS feature. During configuration, a new attribute called DNAME is added to distinguish the hosts taking part in dynamic load balancing. If the service requested is of type DNAME, do the following:

  1. Determine the set of participating servers for this service
  2. Request ratings from all participating servers by establishing a concurrent connectionless (UDP) connection with each server
  3. Using the ratings returned, determine the best server
  4. Handle error conditions such as:
    • Server is too busy to return the rating within the time frame
    • The rating returned by the server gets lost on its way back to the dlbDNS
    • All servers have same rating
    • A server is down

A Rating Daemon Algorithm is run on each server taking part in dynamic load balancing and is as follows:

  1. Receive a request for a rating from dlbDNS and respond by returning the host rating
  2. Calculate the host rating once every minute rather than at the time of the request, as a quick response time is the most important factor
  3. Ensure the host rating is updated every minute, independently of any dlbDNS request
  4. Handle error conditions such as dlbDNS closing its UDP socket without waiting for the host's response
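The two algorithms above, the server-side query and the per-server rating daemon, as a working UDP exchange. This is an added example, not dlbDNS's own code: the rating formula (unique users plus ten times the load average), the RATING? message, the loopback addresses and the timeouts are all assumptions.

```python
import socket
import threading
import time


def compute_rating(unique_users, load_average):
    """Built from the two inputs the text names; the exact dlbDNS formula is
    not on the page, so this weighting is an assumption. Lower is better."""
    return unique_users + 10.0 * load_average


class RatingDaemon:
    """Per-server daemon: recomputes the rating on a timer (once a minute in
    the text) instead of at request time, and answers UDP requests from it."""

    def __init__(self, sample_fn, period=60.0):
        self.sample_fn = sample_fn        # returns (unique_users, load_average)
        self.period = period
        self.rating = compute_rating(*sample_fn())
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))  # loopback, ephemeral port (demo only)
        self.sock.settimeout(0.2)
        self.addr = self.sock.getsockname()
        self._stop = threading.Event()
        self._threads = [threading.Thread(target=self._refresh, daemon=True),
                         threading.Thread(target=self._serve, daemon=True)]
        for t in self._threads:
            t.start()

    def _refresh(self):
        while not self._stop.wait(self.period):  # independent of any request
            self.rating = compute_rating(*self.sample_fn())

    def _serve(self):
        while not self._stop.is_set():
            try:
                data, peer = self.sock.recvfrom(64)
            except socket.timeout:
                continue
            if data == b"RATING?":
                try:
                    self.sock.sendto(f"{self.rating:.2f}".encode(), peer)
                except OSError:
                    pass  # dlbDNS may already have closed its socket

    def close(self):
        self._stop.set()
        for t in self._threads:
            t.join()
        self.sock.close()


def collect_ratings(servers, timeout=0.5):
    """dlbDNS steps 2 and 4: one UDP request to every participating server at
    once, then gather replies until the deadline. A server that is down, too
    busy, or whose reply is lost on the way back never appears in the result."""
    by_addr = {addr: name for name, addr in servers.items()}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for addr in by_addr:
        sock.sendto(b"RATING?", addr)
    ratings, deadline = {}, time.monotonic() + timeout
    while len(ratings) < len(servers):
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        sock.settimeout(remaining)
        try:
            data, peer = sock.recvfrom(64)
        except socket.timeout:
            break
        except OSError:
            continue  # e.g. ICMP port unreachable surfaced for a down server
        if peer in by_addr:
            ratings[by_addr[peer]] = float(data)
    sock.close()
    return ratings


def choose_best(ratings, fallback):
    """Step 3 plus two step 4 cases: no usable rating at all falls back to the
    static A record, and equal ratings are broken by name deterministically."""
    if not ratings:
        return fallback
    return min(ratings, key=lambda name: (ratings[name], name))


def demo():
    """Constructed scenario: two live servers and one that never answers."""
    web1 = RatingDaemon(lambda: (3, 0.50))  # 3 users, load 0.50 -> rating 8.0
    web2 = RatingDaemon(lambda: (1, 0.20))  # 1 user, load 0.20 -> rating 3.0
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))           # bound but never replies: "too busy"
    servers = {"web1": web1.addr, "web2": web2.addr, "web3": silent.getsockname()}
    try:
        ratings = collect_ratings(servers, timeout=0.5)
        return ratings, choose_best(ratings, fallback="web1")
    finally:
        for s in (web1, web2, silent):
            s.close()
```

Running `demo()` returns `({'web1': 8.0, 'web2': 3.0}, 'web2')`: the silent server is simply absent from the ratings, and web2 wins on the lower score.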

Implementation of the dlbDNS provides efficient utilization of system resources and ensures that facilities newly added to the existing network will be utilized. Since DNS is used, applications such as FTP and TELNET will also utilize dlbDNS.

This dlbDNS algorithm was proposed by the Computer Science department of Wichita State University, because the uneven distribution of load across the servers was causing major problems for the department. It should be noted that there is further work to be done on this approach. In particular, the rating algorithm is incomplete. An algorithm that takes into account the number of processors, CPU and memory utilization would make the rating algorithm more effective. Also, a more extensible design is needed, as Linux servers are the only servers that can currently participate in the dynamic load balancing scheme.

Conclusion:

The most common implementation of DNS load sharing is most certainly the DNS Round Robin technique. It is very feasible for small to middling companies and organizations. However, it is not sufficient for larger organizations and they should probably take into account other load balancing sc


Drupal.Org Resets 1 Million Passwords After Data Breach

The distributors of the popular open-source content-management framework Drupal are resetting the passwords of nearly 1 million user accounts after hackers gained unauthorized entry to sensitive user data, including email addresses and encrypted passwords.

The Portland, Ore.-based Drupal Association said yesterday (May 29) it had detected the breach during a security audit, and found that attackers had installed malicious software on its website, drupal.org, that allowed other files to snoop through account information.

In a blog posting, Drupal Association executive director Holly Ross said that despite the virtual break-in, the attackers did not seem to have changed any Drupal code, nor did they have access to users’ credit-card information.

“As a precautionary measure, we’ve reset all Drupal.org account holder passwords and are requiring users to reset their passwords at their next login attempt,” Ross wrote.

The thousands of websites that run on Drupal software — estimated at 2 percent of all sites — should not be affected by the data breach.

In response to the attack, Drupal.org has made significant security improvements. The association also eliminated weaknesses by making dormant sites static and removing old passwords on sub-sites.

Ross did not specify when the breach occurred. She cautioned users to be suspicious of phishing emails that sought to take advantage of the confusion with bogus threats to shut down accounts.

You may have never heard of Drupal, but there’s a good chance you’ve been on a website that uses it. The open-source platform is reportedly used by nearly 1 million developers around the world, and Drupal.org names WhiteHouse.gov and Economist.com as two prominent websites that use the software.

How to Install Postfix on CentOS 6

About Postfix


Postfix is a free, open source Mail Transfer Agent (MTA) that routes and delivers email. Cyrus is an IMAP server that stores the delivered mail and lets clients read it; the Cyrus SASL library provides the authentication used by both.

Step One—Install Postfix and Cyrus


The first thing to do is install postfix and Cyrus on your virtual private server and the easiest way to do this is through the yum installer.

sudo yum install postfix
sudo yum install cyrus-sasl
sudo yum install cyrus-imapd

Say Yes to the prompt each time it asks. Once all components have downloaded, you will have postfix and cyrus installed.

Step Two—Configure Postfix


We are going to configure both programs separately.

First, open up Postfix’s main configuration file.

sudo vi /etc/postfix/main.cf

The postfix configuration file is very handy and detailed, providing almost all of the information needed to get the program up and running on your VPS. Unfortunately this also makes for a very long file.

The suggested code below is, in most regards, simply a shortened, and correctly uncommented version of what is in the file already. For a quick set up that will provide you with all of the needed configs to set up postfix, copy and paste the information below over Postfix’s current configuration. Be careful to correct the domain names under myhostname and mydomain.

Replace the example.com in the myhostname line with a DNS approved domain name. Be sure that the phrase is still mail.yourdomainnamehere

Replace the example.com in the mydomain line with the correct domain name.

soft_bounce             = no
queue_directory         = /var/spool/postfix
command_directory       = /usr/sbin
daemon_directory        = /usr/libexec/postfix
mail_owner              = postfix

# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#
#default_privs = nobody

myhostname              = mail.example.com 
mydomain                = example.com

mydestination           = $myhostname, localhost
unknown_local_recipient_reject_code = 550

mynetworks_style        = host
mailbox_transport       = lmtp:unix:/var/lib/imap/socket/lmtp
local_destination_recipient_limit       = 300
local_destination_concurrency_limit     = 5
recipient_delimiter=+

virtual_alias_maps      = hash:/etc/postfix/virtual

header_checks           = regexp:/etc/postfix/header_checks
mime_header_checks      = pcre:/etc/postfix/body_checks
smtpd_banner            = $myhostname

debug_peer_level        = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path           = /usr/sbin/sendmail.postfix
newaliases_path         = /usr/bin/newaliases.postfix
mailq_path              = /usr/bin/mailq.postfix
setgid_group            = postdrop
html_directory          = no
manpage_directory       = /usr/share/man
sample_directory        = /usr/share/doc/postfix-2.3.3/samples
readme_directory        = /usr/share/doc/postfix-2.3.3/README_FILES

smtpd_sasl_auth_enable          = yes
smtpd_sasl_application_name     = smtpd
smtpd_recipient_restrictions    = permit_sasl_authenticated,
                                  permit_mynetworks,
                                  reject_unauth_destination,
                                  reject_invalid_hostname,
                                  reject_non_fqdn_hostname,
                                  reject_non_fqdn_sender,
                                  reject_non_fqdn_recipient,
                                  reject_unknown_sender_domain,
                                  reject_unknown_recipient_domain,
                                  reject_unauth_pipelining,
                                  reject_rbl_client zen.spamhaus.org,
                                  reject_rbl_client bl.spamcop.net,
                                  reject_rbl_client dnsbl.njabl.org,
                                  reject_rbl_client dnsbl.sorbs.net,
                                  permit

smtpd_sasl_security_options     = noanonymous
smtpd_sasl_local_domain         = 
broken_sasl_auth_clients        = yes

smtpd_helo_required             = yes

 

Step Three—Finalize Postfix


After pasting in the proper configs, we are almost finished setting up postfix on our virtual server.

To forestall any errors, we need to execute two more steps.

In the config we included virtual aliases with the line, virtual_alias_maps = hash:/etc/postfix/virtual; now we have to set up that database.

Open that file:

sudo vi /etc/postfix/virtual

Delete all the text within the file and then add the following single line, substituting an actual username for user, and the correct domain for example.com:

user@example.com   user\@example.com

Save and exit.

Follow up by typing this into the terminal:

postmap /etc/postfix/virtual

This will turn the virtual file into a lookup table, creating the database required for postfix to work.

Finally, create the (empty) file that postfix expects before it will send anything out; it is the file referenced by the mime_header_checks line in main.cf:

touch /etc/postfix/body_checks

Once all that is completed we can finish up by configuring Cyrus.

Step Four—Configure Cyrus


The first step is to add the smtpd.conf file, which defines the authentication for Postfix/SASL, to the SASL directory:

sudo vi /etc/sasl2/smtpd.conf

Go ahead and copy and paste the following text in:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

Save and Exit.

Next, we need to configure the Cyrus file:

sudo vi /etc/imapd.conf

Delete what is in the file currently, and paste the configurations below into the file, changing the default domain and server name to match your personal domain name.

virtdomains:		userid
defaultdomain:		example.com
servername:		example.com
configdirectory:	/var/lib/imap
partition-default:	/var/spool/imap
admins:			cyrus
sievedir:		/var/lib/imap/sieve
sendmail:		/usr/sbin/sendmail.postfix
hashimapspool:		true
allowanonymouslogin:	no
allowplaintext:		yes
sasl_pwcheck_method:	auxprop
sasl_mech_list:		CRAM-MD5 DIGEST-MD5 PLAIN
tls_cert_file:		/etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file:		/etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file:		/etc/pki/tls/certs/ca-bundle.crt

autocreatequota:		-1
createonpost:			yes
autocreateinboxfolders:		spam
autosubscribeinboxfolders:	spam

Save and Exit.

Step Five—Install a Mail Client


Success! You have installed Postfix and Cyrus on your VPS. However, both of these programs relate to handling email rather than sending it. We can quickly install a method of sending messages from the command line.

There are a variety of clients we can use; here we will use mailx:

yum install mailx

After you agree to the prompt, mailx will finish up installing.

Then, to send an email, type this command into the terminal, substituting the address you want to send your message to.

mail [email protected]

The terminal will ask for a subject line. Type one in, then press enter. On the subsequent lines you can type your message. It is sent only when you type a period on a line by itself and press enter.

Your letter will look something like this:

[[email protected] ~]# mail [email protected]
Subject: Hello
This is a test message.
Regards,

.
EOT

Congratulations—now you have postfix installed and email running. You are all set to use your virtual private server to send email.

How To Define Nagios Contacts With Email

Nagios is one of the best open source server and network monitoring solutions available. Using the flexible Nagios framework, you can monitor pretty much anything (including databases and custom applications). This article explains, in 4 simple steps, how to set up the contact definitions that determine who gets notified when a host or service has an issue.

1. Define Generic Contact Template in templates.cfg

The Nagios installation provides a default generic contact template that can be used as a reference to build your contacts. Please note that all the directives in the generic-contact template below are mandatory. So, if you decide not to use the generic-contact template in your contacts, you must define all of these mandatory directives in each contact yourself.
 
The following generic-contact is already available under /usr/local/nagios/etc/objects/templates.cfg. Also, the templates.cfg is included in the nagios.cfg by default as shown below.
 
Please note that any of these directives mentioned in the templates.cfg can be overridden when you define a real contact using this generic-template.

# grep templates /usr/local/nagios/etc/nagios.cfg
cfg_file=/usr/local/nagios/etc/objects/templates.cfg

Note: generic-contact is available under
      /usr/local/nagios/etc/objects/templates.cfg

define contact{
        name                            generic-contact
        service_notification_period     24x7
        host_notification_period        24x7
        service_notification_options    w,u,c,r,f,s
        host_notification_options       d,u,r,f,s
        service_notification_commands   notify-service-by-email
        host_notification_commands      notify-host-by-email
        register                        0
        }

 

  • name – This defines the name of the contact template (generic-contact).
  • service_notification_period – This defines when nagios can send notification about services issues (for example, Apache down). By default this is 24×7 timeperiod, which is defined under /usr/local/nagios/etc/objects/timeperiods.cfg
  • host_notification_period – This defines when nagios can send notification about host issues (for example, server crashed). By default, this is 24×7 timeperiod.
  • service_notification_options – This defines the type of service notification that can be sent out. By default this defines all possible service states including flapping events. This also includes the scheduled service downtime activities.
  • host_notification_options – This defines the type of host notifications that can be sent out. By default this defines all possible host states including flapping events. This also includes the scheduled host downtime activities.
  • service_notification_commands – By default this defines that the contact should get notification about service issues (for example, database down) via email. You can also define additional commands and add it to this directive. For example, you can define your own notify-service-by-sms command.
  • host_notification_commands – By default this defines that the contact should get notification about host issues (for example, host down) via email. You can also define additional commands and add it to this directive. For example, you can define your own notify-host-by-sms command.

2. Define Individual Contacts in contacts.cfg

Once you’ve confirmed that the generic-contact template is defined properly, you can start defining individual contact definitions for all the people in your organization who should ever receive a notification from Nagios. Please note that just defining a contact doesn’t mean they’ll get notifications; you later have to associate the contact with a service or host definition, as shown in the sections below. So, feel free to define all possible contacts here (for example, Developers, DBAs, Sysadmins, IT Manager, Customer Service Manager, Top Management, etc.).
 

Note: Define these contacts in /usr/local/nagios/etc/objects/contacts.cfg

define contact{
        contact_name                    sgupta
        use                             generic-contact
        alias                           Sanjay Gupta (Developer)
        email                           [email protected]
        pager                           [email protected]
        }
define contact{
        contact_name                    jbourne
        use                             generic-contact
        alias                           Jason Bourne (Sysadmin)
        email                           [email protected]
        }

3. Define Contact Groups with Multiple Contacts in contacts.cfg

Once you’ve defined the individual contacts, you can also group them together to send the appropriate notifications. For example, only DBAs need to be notified about the database down service, so a db-admins group may be required. Likewise, maybe only Unix system administrators need to be notified when Apache goes down, so a unix-admins group may be required. Feel free to define as many groups as you think are required. Later you can use these groups in the individual service and host definitions.
 

Note: Define contact groups in /usr/local/nagios/etc/objects/contacts.cfg

define contactgroup{
contactgroup_name          db-admins
alias                      Database Administrators
members                    jsmith, jdoe, mraj
}

define contactgroup{
contactgroup_name          unix-admins
alias                      Linux System Administrator
members                    jbourne, dpatel, mshankar
}

4. Attach Contact Groups or Individual Contacts to Service and Host Definitions

Once you’ve defined the individual contacts and contact groups, it is time to start attaching them to a specific host or service definition as shown below.
 

Note: Following host is defined under
     /usr/local/nagios/etc/objects/servers/email-server.cfg.
     This can be any host definition file.

define host{
use                     linux-server
host_name               email-server
alias                   Corporate Email Server
address                 192.168.1.14
contact_groups          unix-admins
}

Note: Following is defined under
      /usr/local/nagios/etc/objects/servers/db-server.cfg.
      This can be any host definition file.

define service{
use                             generic-service
host_name                       prod-db
service_description             CPU Load
contact_groups                  unix-admins
check_command                   check_nrpe!check_load
}

define service{
use                             generic-service
host_name                       prod-db
service_description             MySQL Database Status
contact_groups                  db-admins
check_command                   check_mysql_db
}
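A small checker, added here and not part of the original article, that applies the template inheritance described in step 1 and reports the mistakes these four steps make easy: a contact that skips the template and so lacks a mandatory directive, a contactgroup member that was never defined, and a host or service whose contact_groups names a group that does not exist. The configuration it reads is constructed from the article's objects, with placeholder e-mail addresses.

```python
import re

# Directives the article lists as mandatory for every registered contact.
MANDATORY_CONTACT_DIRECTIVES = (
    "service_notification_period", "host_notification_period",
    "service_notification_options", "host_notification_options",
    "service_notification_commands", "host_notification_commands",
)
BLOCK_RE = re.compile(r"define\s+(\w+)\s*\{(.*?)\}", re.S)

# Constructed sample modelled on the article's templates.cfg and contacts.cfg
# (placeholder addresses); the last four objects carry deliberate mistakes.
SAMPLE_CFG = """
define contact{
    name                          generic-contact
    service_notification_period   24x7
    host_notification_period      24x7
    service_notification_options  w,u,c,r,f,s
    host_notification_options     d,u,r,f,s
    service_notification_commands notify-service-by-email
    host_notification_commands    notify-host-by-email
    register                      0
}
define contact{
    contact_name  sgupta
    use           generic-contact
    email         sgupta@example.com
}
define contact{
    contact_name                  jbourne
    use                           generic-contact
    email                         jbourne@example.com
    service_notification_options  c,r   ; overrides the template value
}
define contact{
    contact_name  oncall                 ; no use directive, nothing inherited
    email         oncall@example.com
}
define contactgroup{
    contactgroup_name  unix-admins
    members            jbourne, dpatel  ; dpatel is never defined
}
define host{
    host_name       email-server
    contact_groups  unix-admins
}
define service{
    host_name            prod-db
    service_description  MySQL Database Status
    contact_groups       db-admins       ; no such group
}
"""


def parse_objects(text):
    """Turn `define <type>{ directive value ... }` blocks into (type, dict)."""
    objects = []
    for kind, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split(";", 1)[0].strip()   # ';' starts a comment
            if line:
                parts = re.split(r"\s+", line, maxsplit=1)
                attrs[parts[0]] = parts[1] if len(parts) > 1 else ""
        objects.append((kind, attrs))
    return objects


def expand(attrs, templates):
    """Apply `use`: inherit the template's directives (recursively), then
    let the object's own directives override them."""
    merged = expand(templates[attrs["use"]], templates) if "use" in attrs else {}
    merged.update(attrs)
    return merged


def audit(text):
    """Return (resolved contacts, problems): missing mandatory directives,
    unknown templates, undefined group members, undefined contact_groups."""
    objects = parse_objects(text)
    templates = {a["name"]: a for k, a in objects if k == "contact" and "name" in a}
    group_names = {a["contactgroup_name"] for k, a in objects if k == "contactgroup"}
    contacts, problems = {}, []
    for kind, attrs in objects:   # pass 1: registered (non-template) contacts
        if kind == "contact" and attrs.get("register", "1") != "0":
            try:
                full = expand(attrs, templates)
            except KeyError as missing:
                problems.append(f"contact {attrs.get('contact_name')}: unknown template {missing}")
                continue
            name = full["contact_name"]
            problems += [f"contact {name}: missing {d}" for d in MANDATORY_CONTACT_DIRECTIVES if d not in full]
            contacts[name] = {k: v for k, v in full.items() if k not in ("name", "register", "use")}
    for kind, attrs in objects:   # pass 2: everything that references contacts or groups
        if kind == "contactgroup":
            members = [m.strip() for m in attrs.get("members", "").split(",") if m.strip()]
            problems += [f"contactgroup {attrs['contactgroup_name']}: undefined member {m}" for m in members if m not in contacts]
        elif kind in ("host", "service"):
            wanted = [g.strip() for g in attrs.get("contact_groups", "").split(",") if g.strip()]
            problems += [f"{kind} {attrs.get('host_name')}: undefined contact_group {g}" for g in wanted if g not in group_names]
    return contacts, problems
```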

How To Install Nagios On CentOS 6

Step 1 – Install Packages on Monitoring Server


rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
yum -y install nagios nagios-plugins-all nagios-plugins-nrpe nrpe php httpd
chkconfig httpd on && chkconfig nagios on
service httpd start && service nagios start

We should also enable SWAP memory on this droplet, at least 2GB:

dd if=/dev/zero of=/swap bs=1024 count=2097152
mkswap /swap && chown root. /swap && chmod 0600 /swap && swapon /swap
echo /swap swap swap defaults 0 0 >> /etc/fstab
echo vm.swappiness = 0 >> /etc/sysctl.conf && sysctl -p

Step 2 – Set Password Protection


Set Nagios Admin Panel Password:

htpasswd -c /etc/nagios/passwd nagiosadmin

Make sure to keep this username as “nagiosadmin” – otherwise you would have to change /etc/nagios/cgi.cfg and redefine authorized admin.

Now you can navigate over to your droplet’s IP address http://IP/nagios and login.

You will be prompted for the password you set in Step 2:

This is what the Nagios admin panel looks like:

Since this is a fresh installation, we don’t have any hosts currently being monitored.

Now we should add our hosts that will be monitored by Nagios. For example, we will use cloudmail.tk (198.211.107.218) and emailocean.tk (198.211.112.99).

From public ports, we can monitor ping, any open ports such as webserver, e-mail server, etc.

For internal services that are listening on localhost, such as MySQL, memcached, system services, we will need to use NRPE.

Step 3 – Install NRPE on Clients


rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
yum -y install nagios nagios-plugins-all nrpe
chkconfig nrpe on

This next step is where you get to specify any manual commands that Monitoring server can send via NRPE to these client hosts.

Make sure to change allowed_hosts to your own values.

Edit /etc/nagios/nrpe.cfg

log_facility=daemon
pid_file=/var/run/nrpe/nrpe.pid
server_port=5666
nrpe_user=nrpe
nrpe_group=nrpe
allowed_hosts=198.211.117.251
dont_blame_nrpe=1
debug=0
command_timeout=60
connection_timeout=300
include_dir=/etc/nrpe.d/
command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/vda
command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w 150 -c 200
command[check_procs]=/usr/lib64/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$

Note:

In check_disk above, the partition being checked is /dev/vda – make sure your droplet has the same partition by running df -h /

You can also modify when to trigger warnings or critical alerts – above configuration sets Warning at 20% free disk space remaining, and Critical alert at 10% free space remaining.
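Two settings in the listing above decide who can make the agent run what: allowed_hosts, and dont_blame_nrpe, which has to be 1 for the check_procs command to accept its $ARG1$..$ARG3$ from the monitoring server. This added example (not part of the original article) parses an nrpe.cfg in that format, reports those two settings, and produces the static-command form of the file; the config text is constructed from the listing.

```python
import re

ARG_RE = re.compile(r"\$ARG\d+\$")
EVERYONE = {"0.0.0.0/0", "0/0", "::/0", "0.0.0.0"}

# Constructed nrpe.cfg text following the article's configuration (the
# allowed_hosts value is the article's own monitoring server address).
SAMPLE_NRPE_CFG = """\
log_facility=daemon
server_port=5666
nrpe_user=nrpe
allowed_hosts=198.211.117.251
dont_blame_nrpe=1
debug=0
command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/vda
command[check_procs]=/usr/lib64/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
"""


def parse_nrpe(text):
    """Split nrpe.cfg into plain settings and command[...] definitions."""
    settings, commands = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = re.fullmatch(r"command\[(\w+)\]", key)
        if m:
            commands[m.group(1)] = value
        else:
            settings[key] = value
    return settings, commands


def audit_nrpe(text):
    """Report the two settings that decide who may run what through the agent:
    allowed_hosts, and dont_blame_nrpe together with the $ARG$ commands."""
    settings, commands = parse_nrpe(text)
    findings = []
    hosts = [h.strip() for h in settings.get("allowed_hosts", "").split(",") if h.strip()]
    if not hosts:
        findings.append("allowed_hosts is not set")
    elif EVERYONE & set(hosts):
        findings.append("allowed_hosts admits every source address")
    arg_commands = sorted(n for n, c in commands.items() if ARG_RE.search(c))
    if settings.get("dont_blame_nrpe", "0") == "1":
        findings.append("dont_blame_nrpe=1: the monitoring server may supply command "
                        "arguments; NRPE's own documentation flags this as a security risk")
        findings += [f"command {n} takes remote arguments: {commands[n]}" for n in arg_commands]
    else:
        findings += [f"command {n} uses $ARG$ but dont_blame_nrpe=0, so requests "
                     "carrying arguments are rejected" for n in arg_commands]
    return findings


def hardened(text):
    """Return the listing with dont_blame_nrpe switched off and every command
    that expects remote arguments removed: the static-command form."""
    out = []
    for raw in text.splitlines():
        if raw.strip().startswith("command[") and ARG_RE.search(raw):
            continue                      # drop commands that expect remote arguments
        if raw.strip().startswith("dont_blame_nrpe="):
            raw = "dont_blame_nrpe=0"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_nrpe(SAMPLE_NRPE_CFG):
        print("-", finding)
    print(hardened(SAMPLE_NRPE_CFG))
```

Keeping the arguments fixed in the command definition, as check_load and check_disk already do, gives the monitoring server the same checks without letting it choose the arguments.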


We should also set up firewall rules to allow connections from our Monitoring server to those clients and drop everyone else:

iptables -N NRPE
iptables -I INPUT -s 0/0 -p tcp --dport 5666 -j NRPE
iptables -I NRPE -s 198.211.117.251 -j ACCEPT
iptables -A NRPE -s 0/0 -j DROP
/etc/init.d/iptables save

Now you can start NRPE on all of your client hosts:

service nrpe start

Step 4 – Add Server Configurations on Monitoring Server


Back on our Monitoring server, we will have to create config files for each of our client servers:

echo "cfg_dir=/etc/nagios/servers" >> /etc/nagios/nagios.cfg
cd /etc/nagios/servers
touch cloudmail.tk.cfg
touch emailocean.tk.cfg

Edit each client’s configuration file and define which services you would like monitored.

nano /etc/nagios/servers/cloudmail.tk.cfg

Add the following lines:

define host {
        use                     linux-server
        host_name               cloudmail.tk
        alias                   cloudmail.tk
        address                 198.211.107.218
        }

define service {
        use                             generic-service
        host_name                       cloudmail.tk
        service_description             PING
        check_command                   check_ping!100.0,20%!500.0,60%
        }

define service {
        use                             generic-service
        host_name                       cloudmail.tk
        service_description             SSH
        check_command                   check_ssh
        notifications_enabled           0
        }

define service {
        use                             generic-service
        host_name                       cloudmail.tk
        service_description             Current Load
        check_command                   check_local_load!5.0,4.0,3.0!10.0,6.0,4.0
        }

You can add more services to be monitored as desired. The same configuration should be added for the second client, emailocean.tk, with a different IP address and host_name:

This is a snippet of /etc/nagios/servers/emailocean.tk.cfg:

define host {
        use                     linux-server
        host_name               emailocean.tk
        alias                   emailocean.tk
        address                 198.211.112.99
        }

...

You can add additional clients to be monitored as /etc/nagios/servers/AnotherHostName.cfg

Finally, after you are done adding all the client configurations, you should set folder permissions correctly and restart Nagios on your Monitoring Server:

chown -R nagios. /etc/nagios
service nagios restart

Step 5 – Monitor Hosts in Nagios


Navigate over to your Monitoring Server’s IP address http://IP/nagios and enter the password set in Step 2.

Now you should be able to see all the hosts and services:

And you are all done!

How To Increase size of /var/tmp and /tmp (Centos)

I was frequently getting an error message that the /var/tmp directory on one of my cPanel CentOS 5.5 servers was full and I needed to delete some data. A cronjob was already in crontab to clean up the temporary data periodically, but I was still getting that error.

I looked at the error log and found that the tmp partition fills up when the scheduled backup runs. Therefore, I had nothing to do but increase the size of the tmp partition. After that, my server runs fine with no issues or error messages since.

Here is how to increase the size of the /var/tmp and /tmp partition

You need to have root access to your server. If not, you can’t increase the size of the /tmp and /var/tmp partition, sorry.

Shut down httpd and mysql using these commands:

service httpd stop
service mysql stop

First, you need to edit the file securetmp in /usr/local/cpanel/scripts/ folder.

nano /usr/local/cpanel/scripts/securetmp

By default the size of tmp is 512 MB; change it to something that is convenient for you.

In /usr/local/cpanel/scripts/securetmp file, look for a line like this:

my $tmpdsksize = 512000; # Must be larger than 250000

and change it to

my $tmpdsksize = 2097152; # Must be larger than 250000

This will allow us to allot 2GB of space for the tmp partition.

Now, you need to log in via SSH using the root account to make the changes. Once you are in, run these commands one by one.

umount -l /tmp
umount -l /var/tmp
rm -fv /usr/tmpDSK
/usr/local/cpanel/scripts/securetmp

Then restart the server:

shutdown -r 0

Now when the server is fully restarted, you can check the partitions using the following command.

df -h

Installing and configuring FFmpeg and FFmpeg-Php

FFMPEG is a complete solution to record, convert and stream audio and video segments. It includes libavcodec, the leading audio/video codec library.
NOTES:

  • This guide has been used effectively on several web production servers with CentOS v5.x and Red Hat v4/5; however, there are some systems with which it might not be compatible.
  • Although this guide is designed for a Linux i386 powered server, it might work on an x86_64 system (proceed at your own risk).
  • If you experience any problems installing FFmpeg and FFmpeg-Php on your server and need help, just PM me or reply in the thread and I’ll install it for you.

There are two methods to install FFmpeg and FFmpeg-Php, their libraries, and modules:

  1. Our preferred method is to use Yum on systems including Red Hat, CentOS, and Fedora Core.
  2. Manually, from source archives/packages – NOT RECOMMENDED (proceed at your own risk.)

*** Caution

  • You must remove all previous installation of FFmpeg and FFmpeg-Php, then follow installation instructions below.
  • Follow these steps (in that order):

Method #1: Using yum 

First, make sure the following binary packages are installed on your server:

gcc, gcc4, gcc4-c++, gcc4-gfortran, gd, gd-devel, gmake, ImageMagick, ImageMagick-devel, libcpp, libgcc, libstdc++, make, ncurses, ncurses-devel, ruby, subversion

If any of these packages are missing, install them using Yum. For example:

  • yum install PACKAGE

  1. Install the rpmforge repository. Follow the instructions on the CentOS Wiki.
  2. Install ffmpeg, mplayer, mencoder with all supported libraries/modules
    • yum -y install ffmpeg ffmpeg-devel mplayer mencoder flvtool2
  3. Manually, install FFmpeg-Php

If FFmpeg-Php is compiled successfully, an ffmpeg.so module will be generated and copied into the default Php directory. Next, run the following command to enable FFmpeg-Php. By running this command you will be adding the ffmpeg.so module to the php.ini file:

echo 'extension=ffmpeg.so' >> /local_path_to_your/php.ini

Final step, restart apache

service httpd restart
OR
/etc/init.d/httpd restart

– Testing FFmpeg

Verify that FFmpeg is working properly by running the following two commands:

  • php -r 'phpinfo();' | grep ffmpeg

You will get a few lines similar to the following:

ffmpeg
ffmpeg-php version => 0.6.0-svn
ffmpeg-php built on => April 15 2010 15:31:45
ffmpeg-php gd support => enabled
ffmpeg libavcodec version => Lavc51.62.0
ffmpeg libavformat version => Lavf52.18.0
ffmpeg swscaler => disabled
ffmpeg.allow_persistent => 0 => 0
ffmpeg.show_warnings => 0 => 0

This is the second command to make sure that FFmpeg is working properly:

  • /usr/local/bin/ffmpeg

If you do not get any errors after running the test commands above, FFmpeg, FFmpeg-Php, MPlayer, MEncoder, and FLV2tool are working properly on your server. CONGRATULATIONS!

Method #2: Source archives/packages

*** Caution

  • You must remove all previous installation of FFmpeg and FFmpeg-Php, then follow installation instructions below.
  • Follow these steps (in that order):

First, make sure the following binary packages are installed on your server:

gcc, gcc4, gcc4-c++, gcc4-gfortran, gd, gd-devel, gmake, ImageMagick, ImageMagick-devel, libcpp, libgcc, libstdc++, make, ncurses, ncurses-devel, ruby, subversion

If any of these packages are missing, install them using Yum. For example:

  • yum install PACKAGE

*** Caution

  • The following source packages are always updated with newer versions. You might experience technical issues if you download and install a newer/older version of any of these applications.
  • You must remove all previous installation of FFmpeg and FFmpeg-Php, then follow installation instructions below.

To install FFmpeg from source, execute the following commands (in that order).

  1. Let’s create a directory to do our work in:
    • mkdir /usr/local/src
    • cd /usr/local/src
  2. Download source packages
  3. Extract source packages
    • tar xzf a52dec-0.7.4.tar.gz
    • tar jxvf amrnb-7.0.0.2.tar.bz2
    • tar jxvf amrwb-7.0.0.2.tar.bz2
    • tar jxvf essential-ppc-20071007.tar.bz2
    • tar jxvf faac-1.28.tar.bz2
    • tar xzf faad2-2.7.tar.gz
    • tar jxvf ffmpeg-php-0.6.0.tbz2
    • tar zxvf flvtool2-1.0.6.tgz
    • tar xzf lame-3.98.4.tar.gz
    • tar xzf libogg-1.1.4.tar.gz
    • tar jxvf libtheora-1.1.1.tar.bz2
    • tar xzf libvorbis-1.2.2.tar.gz
    • tar xzf re2c-0.13.5.tar.gz
    • tar xzf xvidcore-1.1.3.tar.gz
    • tar jxvf x264-snapshot-20080324-2245.tar.bz2
  4. Create the codecs directory & export files
    • mkdir /usr/local/lib/codecs
    • mv /usr/local/src/essential-ppc-20071007/* /usr/local/lib/codecs
    • chmod -R 755 /usr/local/lib/codecs
    • echo "/usr/local/lib" >> /etc/ld.so.conf
    • ldconfig
  5. Install SVN and Ruby (for RedHat/CentOS v5.x)
    • yum install subversion
    • yum install ruby
      OR (if you are using the cPanel control panel)

      • /scripts/installruby
      • /usr/local/cpanel/bin/ror_setup
    • yum install ncurses-devel
  6. Compile and install FLVtool2
    • cd /usr/local/src/flvtool2-1.0.6/
    • ruby setup.rb config
    • ruby setup.rb setup
    • ruby setup.rb install
  7. Compile and install LAME
    • cd /usr/local/src/lame-3.98.4
    • ./configure
    • make
    • make install
  8. Compile and install libOGG
    • cd /usr/local/src/libogg-1.1.4
    • ./configure
    • make
    • make install
    • PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
    • export PKG_CONFIG_PATH
  9. Compile and install LibVorbis
    • cd /usr/local/src/libvorbis-1.2.2
    • ./configure
    • make
    • make install
  10. Compile and install Libtheora
    • cd /usr/local/src/libtheora-1.1.1
    • ./configure --with-ogg-libraries=/usr/local/lib/
    • make
    • make install
  11. Compile and install amrNB
    • cd /usr/local/src/amrnb-7.0.0.2
    • ./configure
    • make
    • make install
  12. Compile and install amrWB
    • cd /usr/local/src/amrwb-7.0.0.2
    • ./configure
    • make
    • make install
  13. Compile and install Liba52
    • cd /usr/local/src/a52dec-0.7.4
    • ./bootstrap
    • ARCh='arch'
    • ./configure --enable-shared
    • make
    • make install
  14. Compile and install FAAC
    • cd /usr/local/src/faac-1.28
    • ./bootstrap
    • ./configure --with-mp4v2
    • make
    • make install
  15. Compile and install FAAD
    • cd /usr/local/src/faad2-2.7
    • ./configure --with-mpeg4ip
    • make
    • make install
  16. Compile and install XVIDCore
    • cd /usr/local/src/xvidcore/build/generic/
    • ./configure
    • make
    • make install
  17. Compile and Install X264 Snapshot
    • cd /usr/local/src/x264-snapshot-20080324-2245
    • ./configure --enable-shared
    • make
    • make install
  18. Compile and install RE2C
    • cd /usr/local/src/re2c-0.13.5
    • ./configure
    • make
    • make install
    • cp -aP /usr/local/bin/re2c /usr/bin/
  19. Download the latest release for FFmpeg and MPlayer from svn.mplayerhq.hu
    • cd /usr/local/src
    • svn checkout svn://svn.mplayerhq.hu/ffmpeg/trunk ffmpeg -r 15594
    • svn checkout svn://svn.mplayerhq.hu/mplayer/trunk mplayer
    • svn update
  20. Compile and install MPlayer
    • cd /usr/local/src/mplayer
    • ./configure
    • make

    (STOP here.) Make sure MPlayer has been compiled successfully with NO errors. Do NOT proceed any further unless the MPlayer package has been compiled successfully.

    • make install
  21. Compile and install FFmpeg
    • cd /usr/local/src/ffmpeg/
    • mkdir /usr/local/src/ffmpeg/tmp
    • export TMPDIR=/usr/local/src/ffmpeg/tmp

    (The following ./configure command is one single line)

    • ./configure --enable-shared --enable-nonfree --enable-gpl --enable-pthreads --enable-liba52 --enable-libamr-nb --enable-libamr-wb --enable-libfaac --enable-libfaad --enable-libmp3lame --enable-libtheora --enable-libvorbis --enable-libx264 --enable-libxvid --enable-cross-compile
    • make

    (STOP here.) Make sure FFmpeg has been compiled successfully with NO errors. Do NOT proceed any further unless the FFmpeg package has been compiled successfully.

    • make install
    • export LD_LIBRARY_PATH=/usr/local/lib/
  22. Finalize the codec setups:
    (Create symbolic links for the following modules. FYI: the number which comes after the extension *.so might differ from one server to another. The X's represent numbers. The number after *.so.5 must match the number after the *.so.5 at the end of the line.)

    • ln -s /usr/local/lib/libavformat.so.5X.XX.0 /usr/lib/libavformat.so.5X
    • ln -s /usr/local/lib/libavcodec.so.5X.XX.0 /usr/lib/libavcodec.so.5X
    • ln -s /usr/local/lib/libavutil.so.49.X.0 /usr/lib/libavutil.so.49
    • ln -s /usr/local/lib/libmp3lame.so.0 /usr/lib/libmp3lame.so.0
    • /sbin/ldconfig
  23. Compile and install FFmpeg-Php
    • cd /usr/local/src/ffmpeg-php-0.6.0/
    • /usr/bin/phpize
    • ./configure
    • make

    (STOP here.) Make sure FFmpeg-Php has been compiled successfully with NO errors. Do NOT proceed any further unless the FFmpeg-Php package has been compiled successfully.

    • make install
      Verify that ffmpeg-php module is saved in the Php extensions directory by running:
    • ls -al /usr/local/lib/php/extensions/no-debug-non-zts-20060613/ffmpeg.so
  24. Add FFmpeg-Php module directive in php.ini file: (make sure the local path to your php.ini is correct.)
    • echo 'extension=ffmpeg.so' >> /usr/local/lib/php.ini
  25. Restart Apache to load FFmpeg-Php (for RedHat/CentOS v5.x)
    • service httpd restart

– Testing FFmpeg
Verify that FFmpeg is working properly by running the following two commands:

  • php -r 'phpinfo();' | grep ffmpeg

You will get a few lines similar to the following:

ffmpeg
ffmpeg-php version => 0.6.0-svn
ffmpeg-php built on => April 15 2010 15:31:45
ffmpeg-php gd support => enabled
ffmpeg libavcodec version => Lavc51.62.0
ffmpeg libavformat version => Lavf52.18.0
ffmpeg swscaler => disabled
ffmpeg.allow_persistent => 0 => 0
ffmpeg.show_warnings => 0 => 0

This is the second command to make sure that FFmpeg is working properly:

  • /usr/local/bin/ffmpeg

If you do not get any errors after running the test commands above, FFmpeg, FFmpeg-Php, MPlayer, MEncoder, FLV2tool, LAME MP3 encoder & libOGG are working properly.

CentOS 6 – MySQL Server & PHPMyAdmin

Install and Configure

Notes

If you already have MySQL installed from the yum repositories, then you won’t be able to follow this guide as your MySQL version is too old. Please see [here] which may be able to help you (untested).

Environment

Fresh install of CentOS-6.3-x86_64-minimal with the latest updates:

yum update -y

# uname -sro
Linux 2.6.32-279.22.1.el6.x86_64 GNU/Linux

I have also disabled SELINUX. Please see [here] for a guide.

Prerequisites

Additional Repositories

Nb. You can check for the latest EPEL repository from http://mirror.datacenter.by/pub/fedoraproject.org/epel/6/x86_64/repoview/epel-release.html

rpm -ivh http://mirror.datacenter.by/pub/fedoraproject.org/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm

Then you need to enable the REMI repository

nano /etc/yum.repos.d/remi.repo
[remi]
enabled=1

Additional Packages

I used nano as the text editor, but you can just as easily use vi if you are familiar with it.

yum install -y wget nano perl

Configure Firewall

nano /etc/sysconfig/iptables

Make sure you add any other rules you are using which aren’t listed here.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

# Uncomment the following line to allow direct remote access to your mysql server, 
# changing -s 192.168.0.0/16 to your own network or remove it to allow access from anywhere
# This has serious security implications so only do it if you know what you're doing
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT -s 192.168.0.0/16

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
service iptables restart

Create SSL Certificates

mkdir /etc/ssl/certs/mysql
openssl req -new -nodes -x509 -keyout /etc/ssl/certs/ca-cert.pem -out /etc/ssl/certs/ca-cert.pem -days 3650
openssl req -new -nodes -days 3650 -keyout /etc/ssl/certs/mysql/server-key.pem -out /etc/ssl/certs/mysql/server-req.pem
openssl rsa -in /etc/ssl/certs/mysql/server-key.pem -out /etc/ssl/certs/mysql/server-key.pem
openssl x509 -req -in /etc/ssl/certs/mysql/server-req.pem -CA /etc/ssl/certs/ca-cert.pem -CAcreateserial -days 3650 -out /etc/ssl/certs/mysql/server-cert.pem
openssl req -new -nodes -days 3650 -keyout /etc/ssl/certs/mysql/client-key.pem -out /etc/ssl/certs/mysql/client-req.pem
openssl rsa -in /etc/ssl/certs/mysql/client-key.pem -out /etc/ssl/certs/mysql/client-key.pem
openssl x509 -req -in /etc/ssl/certs/mysql/client-req.pem -CA /etc/ssl/certs/ca-cert.pem -CAcreateserial -days 3650 -out /etc/ssl/certs/mysql/client-cert.pem

Example of what to fill in but input your own answers.

Country Name (2 letter code) [XX]:IM
State or Province Name (full name) []:Isle of Man
Locality Name (eg, city) [Default City]:Colby
Organization Name (eg, company) [Default Company Ltd]:ITManx Ltd
Organizational Unit Name (eg, section) []:ICT
Common Name (eg, your name or your server's hostname) []:secure.itmanx.com
Email Address []:[email protected]

* You will get asked the following on the server and client certificates created. Leave these blank!
A challenge password []:
An optional company name []:

You can test the certificate is ok by typing

openssl verify -CAfile /etc/ssl/certs/ca-cert.pem /etc/ssl/certs/mysql/server-cert.pem /etc/ssl/certs/mysql/client-cert.pem
/etc/ssl/certs/mysql/server-cert.pem: OK
/etc/ssl/certs/mysql/client-cert.pem: OK

Install

MySQL

At the time of writing, the version of MySQL in the CentOS yum repositories was version 5.1 which is near EOL so don’t use it unless you have to.

If you would prefer to have the latest version of MySQL, then see the note below instead

yum install -y mysql mysql-server

Note: To install the latest version of MySQL, you can get the latest version of MySQL from http://dev.mysql.com/downloads/mysql/#downloads(select Red Hat Linux 6) and note you need Server, Client and Compatibility Libraries

rpm -ivf http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-server-5.6.10-1.el6.x86_64.rpm/from/http://cdn.mysql.com/
rpm -ivf http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-client-5.6.10-1.el6.x86_64.rpm/from/http://cdn.mysql.com/
rpm -ivf http://dev.mysql.com/get/Downloads/MySQL-5.6/MySQL-shared-compat-5.6.10-1.el6.x86_64.rpm/from/http://cdn.mysql.com/

The installation creates a random root password which you can see in /root/.mysql_secret

mv /usr/my.cnf /usr/my.cnf.original
nano /usr/my.cnf
[client]
ssl_ca=/etc/pki/tls/certs/ca-cert.pem
ssl_cert=/etc/pki/tls/certs/mysql/client-cert.pem
ssl_key=/etc/pki/tls/certs/mysql/client-key.pem

[mysqld]
# Set to the amount of RAM for the most important data cache in MySQL.
# Start at 70% of total RAM for dedicated server, else 10%.
innodb_buffer_pool_size = 128M

datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES

character_set_server=utf8

ssl_ca=/etc/pki/tls/certs/ca-cert.pem
ssl_cert=/etc/pki/tls/certs/mysql/server-cert.pem
ssl_key=/etc/pki/tls/certs/mysql/server-key.pem

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

service mysql start

Take a look at the log file to make sure no start-up errors

cat /var/log/mysqld.log

Now grab the pre-set password and login

cat /root/.mysql_secret
mysql -u root -p
(enter the password from /root/.mysql_secret)

Change mypassword to your own password. The password should be at least 10 characters. You can generate a password [here].

SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('mypassword');
SET PASSWORD FOR 'root'@'::1' = PASSWORD('mypassword');
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('mypassword');
DROP DATABASE test;
quit

phpMyAdmin

yum install -y httpd mod_ssl php php-mysql php-mcrypt php-mbstring php-gd

You can get the latest version from http://www.phpmyadmin.net/home_page/downloads.php

cd /var/www/html
wget -O phpMyAdmin-3.5.7-all-languages.tar.bz2 http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/3.5.7/phpMyAdmin-3.5.7-all-languages.tar.bz2/download
tar -jxvf phpMyAdmin-*
rm -f php*.bz2
mv phpMyAdmin-* phpmyadmin
cp phpmyadmin/config.sample.inc.php phpmyadmin/config.inc.php
nano /etc/httpd/conf.d/phpmyadmin.conf
Alias /phpmyadmin /var/www/html/phpmyadmin

<Directory /var/www/html/phpmyadmin>
 Options -Indexes
</Directory>

<Directory /var/www/html/phpmyadmin/setup>
 Order Deny,Allow
 Deny from All
</Directory>

<Directory /var/www/html/phpmyadmin/libraries>
 Order Deny,Allow
 Deny from All
</Directory>

nano /var/www/html/phpmyadmin/config.inc.php

The password can be up to 46 characters. You can generate a password [here].

$cfg['blowfish_secret'] = 'CHANGE_ME'; /* Change to your own password; the value here is only a placeholder */
nano /etc/php.ini

Search for date.timezone and set it to your timezone. See [here] for a list of timezones.

date.timezone = UTC
chkconfig httpd on
service httpd start

Test

Log in to https://webserver/phpmyadmin/ with username root and the password you set when configuring MySQL earlier.

Monitor

Resources

Type top to view resources or, better yet, install htop with yum install -y htop and then type htop (see at the bottom for filter and enter mysql).

Live Queries

If you want to log live queries, you can enable logging in the MySQL configuration file.

BE AWARE THAT THIS WILL LOG EVERY QUERY PASSED TO THE MYSQL SERVER SO WILL QUICKLY CONSUME FREE DISK SPACE AND SLOW PERFORMANCE!

touch /var/log/mysql.log
chown mysql:mysql /var/log/mysql.log
nano /usr/my.cnf
[mysqld]
.....
general_log=1
general_log_file=/var/log/mysql.log

service mysql restart

You can then view live queries by typing tail -f /var/log/mysql.log

System Resource Monitoring

Install htop to see system resource usage

yum install -y htop

Run by typing htop

Reference

http://dev.mysql.com/doc/refman/5.6/en/linux-installation-rpm.html

http://dev.mysql.com/doc/refman/5.6/en/creating-ssl-certs.html

http://www.openssl.org/docs/apps/req.html

CentOS 6 – Apache Web Server

Install, Configure and Secure

Environment

Fresh install of CentOS-6.3-x86_64-minimal with the latest updates:

yum update -y

# uname -sro
Linux 2.6.32-279.22.1.el6.x86_64 GNU/Linux

I used nano as the text editor, but you can just as easily use vi

yum install -y nano

Prerequisites

Configure Firewall

Make sure you add any other rules not listed here which you are using.

nano /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

service iptables restart

Install

Install Apache (httpd)

yum install -y httpd mod_ssl

Tune and Secure

Apache Configuration Files – A quick explanation

When Apache starts, it reads one or more configuration files to see what settings it should have. The first file it normally reads is /etc/httpd/conf/httpd.conf, which it processes line by line, overwriting any previously set variables. For example, if line 6 had ‘fruit apple’ and line 10 had ‘fruit orange’, then when Apache has finished reading all configuration files the value of fruit would be orange, as it was the last value for fruit that was read.

There is a special line in a configuration file that tells Apache to pause reading the current file and to read one or more other configuration files before continuing; this line starts with Include such as Include conf.d/*.conf which tells Apache to read all the files ending in ‘.conf’ in the directory ‘/etc/httpd/conf.d/’, and is the normal procedure on a standard install.

If you also had a value for ‘fruit’ in one of the included configuration files, that value would overwrite the current value for ‘fruit’. However, the final value of ‘fruit’ is only determined once Apache has finished reading to the bottom of its initial configuration file, which as mentioned before is normally /etc/httpd/conf/httpd.conf; so if the last line of ‘httpd.conf’ had fruit none, the final value Apache uses would be ‘none’.

Creating a Global config file

The best way to manage Apache’s settings is to create your own configuration files in /etc/httpd/conf.d/. This way you can easily see what changes you have made to the system should something need changing, and you can easily revert the system back should something go wrong.

By default, Apache reads /etc/httpd/conf/httpd.conf as mentioned earlier. Part way through this file, is an Include line which instructs Apache to read all configuration files in the directory ‘/etc/httpd/conf.d/’. So a good place to create a global configuration file would be inside the ‘/etc/httpd/conf.d/’ directory. As Apache reads files in alphanumeric order, we will prefix characters that will ensure it is read first.
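To see the read order described above in action, here is an added example (not code from this guide or from Apache) that models it in Python on a constructed copy of the CentOS file layout in a temporary directory; the file names and directive values are constructed, and only flat "Name value" lines are modelled, not <Directory> blocks.

```python
"""Toy model of how Apache resolves a directive that appears more than once.

Added example, not code from the guide or from Apache: it reads a config the
way the explanation above describes (top to bottom, descending into Include
globs in alphanumeric order, last value wins) on a constructed copy of the
CentOS layout in a temporary directory. Only plain "Name value" lines are
modelled; <Directory> and similar blocks are skipped.
"""
import fnmatch
import os
import tempfile


def read_config(root, path, seen=None):
    """Return {directive: (value, file)} holding the last value read for each."""
    if seen is None:
        seen = {}
    with open(os.path.join(root, path)) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#<":  # comments and block markers
                continue
            name, _, value = line.partition(" ")
            if name.lower() != "include":
                seen[name] = (value.strip(), path)  # later reads overwrite
                continue
            # Include conf.d/*.conf: expand relative to ServerRoot, sorted
            directory, pattern = os.path.split(value.strip())
            for entry in sorted(os.listdir(os.path.join(root, directory))):
                if fnmatch.fnmatch(entry, pattern):
                    read_config(root, os.path.join(directory, entry), seen)
    return seen


# Constructed files mirroring the order the guide describes for CentOS 6:
# ServerTokens and the Include line come before ServerSignature in httpd.conf.
SAMPLE_FILES = {
    "conf/httpd.conf": "ServerTokens OS\nfruit apple\n"
                       "Include conf.d/*.conf\n"
                       "ServerSignature On\n",
    "conf.d/1.global.conf": "ServerTokens Minimal\nTraceEnable off\n"
                            "ServerSignature Off\nfruit orange\n",
    "conf.d/zz-local.conf": "fruit banana\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES under a fresh temp dir and return it as ServerRoot."""
    root = tempfile.mkdtemp(prefix="httpd-toy-")
    for rel, text in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    final = read_config(build_sample_tree(), "conf/httpd.conf")
    for name, (value, origin) in sorted(final.items()):
        print("%-16s %-8s (last set in %s)" % (name, value, origin))
    # ServerSignature ends up On: httpd.conf sets it after the Include line,
    # so the Off in 1.global.conf is overwritten. ServerTokens ends Minimal,
    # and fruit ends banana because zz-local.conf sorts after 1.global.conf.
```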

nano /etc/httpd/conf.d/1.global.conf

Inside this file, add the following which I will explain further on:

SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|pdf)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary

Header append Vary Accept-Encoding

<filesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|js|css|eot|svg|ttf|woff)$">
  Header set Cache-Control "max-age=604800, public"
</filesMatch>

Header always append X-Frame-Options SAMEORIGIN

TraceEnable off

ServerTokens Minimal

Modify main config file

The following settings appear after the Include conf.d/*.conf line in the /etc/httpd/conf/httpd.conf file and therefore can’t be set in our Global config file, as explained earlier.

nano /etc/httpd/conf/httpd.conf
ServerSignature Off

The following line is inside the <Directory "/var/www/html"> around line 331.

Options -Indexes FollowSymLinks

Explanation

Compress Content

This configures Apache to compress content if the web browser supports it. Images and PDF’s are already compressed so are excluded. [Click here to learn more]

SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|pdf)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary

Vary: Accept-Encoding

Header append Vary Accept-Encoding

This configures Apache to tell web browsers that content could come in different formats such as compressed and uncompressed but to treat it the same. [Click here to learn more]

Cache-Control

<filesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|js|css|eot|svg|ttf|woff)$">
  Header set Cache-Control "max-age=604800, public"
</filesMatch>

This configures Apache to tell web browsers to cache certain types of files for a specified period of time [Click here to learn more]

Prevent ClickJacking

Header always append X-Frame-Options SAMEORIGIN

This protects visitors to your web server from clickjacking, where your pages are loaded inside a frame on a malicious site to trick them into clicking on hidden controls. [Click here to learn more]

Disable HTTP TRACE

TraceEnable off

This disables the HTTP TRACE method, which echoes a request back to the client, and so stops a very basic attack whereby a person can see the response of a server request. [Click here to learn more]

Reduce advertised information

ServerTokens Minimal
ServerSignature Off

These two settings reduce the amount of information your server advertises. Not really a major security concern but the less someone knows about your server, the better in my opinion. [Click here to learn more]

Disable directory browsing

Options -Indexes FollowSymLinks

This setting prevents the server from listing files in a directory that doesn’t have a default document such as ‘index.php’. [Click here to learn more]
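As an added check (not part of the original guide), the following Python function audits a parsed HTTP response for the effects the directives explained above should have: X-Frame-Options SAMEORIGIN, ServerTokens Minimal, TraceEnable off, Vary: Accept-Encoding, gzip on compressible types only and the week-long Cache-Control on static files. The BEFORE/AFTER header sets are constructed samples, not captured from a real server, and the Apache version string in them is assumed.

```python
"""Audit an HTTP response against the directives set in 1.global.conf and
httpd.conf above. Added example, not from the guide or from Apache. The
sample header sets at the bottom are constructed, not captured."""
import re

# Types the <filesMatch> block marks cacheable for a week
STATIC_RE = re.compile(
    r"\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|js|css|eot|svg|ttf|woff)$", re.I)
# Types the SetEnvIfNoCase line excludes from compression
NO_GZIP_RE = re.compile(r"\.(gif|jpe?g|png|pdf)$", re.I)
WEEK = 604800  # the max-age the guide sets


def audit_response(method, path, status, headers, requested_gzip=True):
    """Return a list of findings; an empty list means every check passed.

    headers maps header name to value (names are matched case-insensitively);
    requested_gzip says whether the request sent Accept-Encoding: gzip.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # TraceEnable off: Apache refuses TRACE with 405 Method Not Allowed
    if method.upper() == "TRACE":
        if status != 405:
            findings.append("TRACE answered with %d, expected 405" % status)
        return findings  # the remaining checks apply to normal responses

    # Header always append X-Frame-Options SAMEORIGIN (sent on every status)
    xfo = h.get("x-frame-options", "").split(",")[0].strip().upper()
    if xfo not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or permissive: %r" % xfo)

    # ServerTokens Minimal leaves only "Apache/x.y.z": no OS, modules or PHP
    server = h.get("server", "")
    if re.search(r"\(|mod_|PHP|OpenSSL", server):
        findings.append("Server header advertises too much: %r" % server)

    if not 200 <= status < 300:
        return findings  # Header without 'always' only acts on 2xx responses

    # Header append Vary Accept-Encoding: caches keep gzip and plain copies apart
    if "accept-encoding" not in h.get("vary", "").lower():
        findings.append("Vary: Accept-Encoding missing on %s" % path)

    # SetOutputFilter DEFLATE, except images and PDFs which are already compressed
    gzipped = "gzip" in h.get("content-encoding", "").lower()
    if NO_GZIP_RE.search(path) and gzipped:
        findings.append("%s was gzipped despite the no-gzip rule" % path)
    elif not NO_GZIP_RE.search(path) and requested_gzip and not gzipped:
        findings.append("%s not compressed although gzip was accepted" % path)

    # Header set Cache-Control "max-age=604800, public" on the static types
    if STATIC_RE.search(path):
        cc = h.get("cache-control", "")
        m = re.search(r"max-age=(\d+)", cc)
        if not m or int(m.group(1)) < WEEK or "public" not in cc:
            findings.append("Cache-Control on %s is %r" % (path, cc))

    return findings


# Constructed sample: a stock CentOS 6 Apache answer before the changes
BEFORE = {
    "Server": "Apache/2.2.15 (CentOS) mod_ssl/2.2.15 OpenSSL/1.0.0-fips PHP/5.3.3",
    "Content-Type": "text/html; charset=UTF-8",
}
# Constructed sample: the same page once 1.global.conf and httpd.conf are in place
AFTER_HTML = {
    "Server": "Apache/2.2.15",
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Encoding": "gzip",
    "Vary": "User-Agent, Accept-Encoding",
    "X-Frame-Options": "SAMEORIGIN",
}
# Constructed sample: a PNG after the changes (cached for a week, not gzipped)
AFTER_PNG = {
    "Server": "Apache/2.2.15",
    "Content-Type": "image/png",
    "Cache-Control": "max-age=604800, public",
    "Vary": "Accept-Encoding",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for args in (("GET", "/index.php", 200, BEFORE),
                 ("GET", "/index.php", 200, AFTER_HTML),
                 ("GET", "/logo.png", 200, AFTER_PNG),
                 ("TRACE", "/", 200, BEFORE),
                 ("TRACE", "/", 405, AFTER_HTML)):
        print(args[0], args[1], args[2], audit_response(*args) or "OK")
```

To audit a live server, feed it the status and headers of a real response (for example from http.client or curl -I) instead of the constructed dictionaries.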

Test

There are many sites out there for testing but here are some of my favourites

Performance

Pingdom Tools – Tests the load time of your page and offers recommendations

Google PageSpeed –

Load Impact – Load testing and reporting

Blitz – Load testing and reporting

Security

Kyplex – I’ve known this company since it started and their security scanner has always proved worthwhile.

Qualys – Read through their results thoughtfully because they are a bit OTT.

Monitor

Pingdom – Uptime and performance monitoring

Clear Memory Cache on Linux Server

By default the Linux OS has a very efficient memory management process that should free any cached memory on the machine it is running on. However, when it comes to cached memory the Linux OS may at times decide that the cached memory is in use and needed, which can lead to memory related issues and ultimately rob your server of potentially free memory. To combat this you can force the Linux OS to free up any stored cached memory.

  1. Connect via shell using a program such as Putty
  2. At the shell prompt type crontab -e <enter> as this will allow you to edit cron jobs for the root user.
    • If you are not familiar with vi (linux editor) you press “i” to insert text and once done hit “esc” and type “:wq” to save the file.
  3. Scroll to the bottom of the cron file using the arrow keys and enter the following line:

0 * * * * /root/clearcache.sh

  4. Create a file in ‘/root’ called ‘clearcache.sh’ with the following content:

#!/bin/sh
sync; echo 3 > /proc/sys/vm/drop_caches

  5. Once you have saved this file, make it executable with chmod +x /root/clearcache.sh so cron can run it, and the job is complete!

Every hour the cron job will run this command and clear any memory cache that has built up.

An example from a test server before and after running this task.

BEFORE:

AFTER:

Note that before, the server was using 1.918Gb of RAM with 1.4983Gb in Cache, and after running the script the server is now only using 172Mb of RAM and only 38.9Gb in Cache.