Linux Admin – Backup and Recovery

Before exploring methods particular to CentOS for deploying a standard backup plan, let's first discuss typical considerations for a standard level backup policy. The first thing we want to get accustomed to is the 3-2-1 backup rule.

3-2-1 Backup Strategy

Throughout the industry, you'll often hear the term 3-2-1 backup model. This is a very good approach to live by when implementing a backup plan. 3-2-1 is defined as follows:

- 3 copies of data. For example, we may have the working copy; a copy put onto the CentOS server designed for redundancy using rsync; and rotated, offsite USB backups made from the data on the backup server.
- 2 different backup mediums. We would actually have three different backup mediums in this case: the working copy on the SSD of a laptop or workstation, the CentOS server data on a RAID6 array, and the offsite backups on USB drives.
- 1 copy of data offsite. We are rotating the USB drives offsite on a nightly basis. Another modern approach may be a cloud backup provider.

System Recovery

A bare metal restore plan is simply a plan laid out by a CentOS administrator to get vital systems online with all data intact. Assuming 100% systems failure and loss of all past system hardware, an administrator must have a plan to achieve uptime with intact user data at the cost of minimal downtime. The monolithic kernel used in Linux actually makes bare metal restores using system images much easier than on Windows, where a micro-kernel architecture is used. A full data restore and bare metal recovery are usually accomplished through a combination of methods, including working, configured production disk images of key operational servers and redundant backups of user data abiding by the 3-2-1 rule. Even some sensitive files may be stored in a secure, fireproof safe with limited access for trusted company personnel.
A multiphase bare metal restore and data recovery plan using native CentOS tools may consist of:

- dd to make and restore production disk images of configured servers
- rsync to make incremental backups of all user data
- tar & gzip to store encrypted backups of files with passwords and notes from administrators. Commonly, this can be put on a USB drive, encrypted and locked in a safe that a Senior Manager can access. This also ensures someone else will know vital security credentials if the current administrator wins the lottery and disappears to a sunny island somewhere.

If a system crashes due to a hardware failure or disaster, the following will be the different phases of restoring operations:

1. Build a working server with a configured bare metal image
2. Restore data to the working server from backups
3. Have physical access to the credentials needed to perform the first two operations

Use rsync for File Level Backups

rsync is a great utility for syncing directories of files either locally or to another server. rsync has been used for years by system administrators, hence it is very refined for the purpose of backing up data. In the author's opinion, one of the best features of rsync is its ability to be scripted from the command line. In this tutorial, we will discuss rsync in various ways:

- Explore and talk about some common options
- Create local backups
- Create remote backups over SSH
- Restore local backups

rsync is named for its purpose, Remote Sync, and is both powerful and flexible in use.
Following is a basic rsync remote backup over ssh:

    MiNi:~ rdc$ rsync -aAvz --progress ./Desktop/ImportantStuff/ [email protected]:home/rdc/Documents/RemoteStuff/
    [email protected]'s password:
    sending incremental file list
              6,148 100%    0.00kB/s    0:00:00 (xfr#1, to-chk=23/25)
    2017-02-14 16_26_47-002 – Veeam_Architecture001.png
             33,144 100%   31.61MB/s    0:00:00 (xfr#2, to-chk=22/25)
    A Guide to the WordPress REST API | Toptal.pdf
            892,406 100%   25.03MB/s    0:00:00 (xfr#3, to-chk=21/25)
    Rick Cardon Technologies, LLC..webloc
                 77 100%    2.21kB/s    0:00:00 (xfr#4, to-chk=20/25)
    backbox-4.5.1-i386.iso
         43,188,224   1%    4.26MB/s    0:08:29

    sent 2,318,683,608 bytes  received 446 bytes  7,302,941.90 bytes/sec
    total size is 2,327,091,863  speedup is 1.00
    MiNi:~ rdc$

The above sync sent nearly 2.3GB of data across our LAN. The beauty of rsync is that it works incrementally at the block level on a file-by-file basis. This means that if we change just two characters in a 1MB text file, only one or two blocks will be transferred across the LAN on the next sync! Furthermore, the incremental function can be disabled in favor of using more network bandwidth for less CPU utilization. This might prove advisable if constantly copying several 10MB database files every 10 minutes on a 1Gb dedicated backup LAN. The reasoning is: these will always be changing and will be transmitted incrementally every 10 minutes, which may tax the load of the remote CPU. Since the total transfer load will not exceed 5 minutes, we may just wish to sync the database files in their entirety.
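The block-level incremental behaviour described above is worth seeing in code. The following is an added example written in Python for this page, not rsync's own implementation: a toy version of the rsync algorithm in which the receiver publishes per-block checksums of the file it already has, the sender matches them against the new file, and only unmatched literal bytes cross the wire. The 4-byte block size, Adler-32 as the weak checksum and MD5 as the strong one are choices made here for illustration; real rsync uses a rolling checksum updated in constant time per byte and a far larger block size.

```python
"""Toy rsync block-matching algorithm (added example, not rsync's code)."""
import hashlib
import zlib

BLOCK = 4  # tiny block so the effect is visible; real rsync uses hundreds of bytes per block


def weak_sum(chunk: bytes) -> int:
    # rsync rolls a cheap 32-bit checksum forward one byte at a time; here we simply
    # recompute Adler-32 at every offset, which is slower but easier to follow.
    return zlib.adler32(chunk)


def strong_sum(chunk: bytes) -> str:
    # The strong hash only runs when the weak sum already matched, so a weak
    # collision costs one extra hash instead of producing a wrong block.
    return hashlib.md5(chunk).hexdigest()


def signature(old: bytes, block: int = BLOCK) -> dict:
    """Receiver side: (weak -> strong -> block index) for every block it already holds."""
    sig: dict = {}
    for index, offset in enumerate(range(0, len(old), block)):
        chunk = old[offset:offset + block]
        sig.setdefault(weak_sum(chunk), {})[strong_sum(chunk)] = index
    return sig


def delta(new: bytes, sig: dict, block: int = BLOCK) -> list:
    """Sender side: walk the new file, emitting ("blk", n) for blocks the receiver
    already has and ("lit", bytes) for data that must actually be transmitted."""
    ops, literal, i = [], bytearray(), 0
    while i < len(new):
        chunk = new[i:i + block]
        match = sig.get(weak_sum(chunk), {}).get(strong_sum(chunk))
        if match is None:
            literal.append(new[i])  # no block starts here: ship this byte literally
            i += 1
            continue
        if literal:
            ops.append(("lit", bytes(literal)))
            literal = bytearray()
        ops.append(("blk", match))
        i += block
    if literal:
        ops.append(("lit", bytes(literal)))
    return ops


def apply_delta(old: bytes, ops: list, block: int = BLOCK) -> bytes:
    """Receiver side: rebuild the new file from its own old blocks plus the literals."""
    out = bytearray()
    for kind, value in ops:
        if kind == "blk":
            out += old[value * block:(value + 1) * block]
        else:
            out += value
    return bytes(out)


def literal_bytes(ops: list) -> int:
    """Payload bytes that had to cross the wire; block references are nearly free."""
    return sum(len(value) for kind, value in ops if kind == "lit")


if __name__ == "__main__":
    old = b"The quick brown fox jumps over the lazy dog"
    new = old.replace(b"fox", b"cat")
    ops = delta(new, signature(old))
    assert apply_delta(old, ops) == new
    print(f"{len(new)} bytes in file, {literal_bytes(ops)} literal bytes sent")
```

Because matching is attempted at every byte offset rather than only on block boundaries, inserting two bytes at the front of a file costs two literal bytes, not a full retransmission; that is the property the -W switch gives up in exchange for less CPU work.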
Following are the most common switches with rsync.

rsync syntax:

    rsync [options] [local path] [remote host:remote path | target path]

    Switch      Action
    -a          Archive mode; implies -r, -p, -t, -g, -l
    -d          Sync only the directory tree, no files
    -r          Recurse into directories
    -l          Copy symlinks as symlinks
    -p          Preserve permissions
    -g          Preserve group
    -v          Verbose output
    -z          Compress over the network link
    -X          Preserve extended attributes
    -A          Preserve ACLs
    -t          Preserve timestamps
    -W          Transfer whole files, not incremental blocks
    -u          Do not overwrite files on the target that are newer than the source
    --progress  Show transfer progress
    --delete    Delete files on the target that no longer exist on the source
Install Apache Web Server CentOS 7

In this chapter, we will learn a little about the background of how Apache HTTP Server came into existence and then install the most current stable version on CentOS Linux 7.

Brief History on Apache WebServer

Apache is a web server that has been around for a long time. In fact, almost as long as the existence of http itself! Apache started out as a rather small project at the National Center for Supercomputing Applications, also known as NCSA. In the mid-90s "httpd", as it was called, was by far the most popular web-server platform on the Internet, having about 90% or more of the market share. At this time, it was a simple project. Skilled I.T. staff known as webmasters were responsible for maintaining web server platforms and web server software as well as both front-end and back-end site development. At the core of httpd was its ability to use custom modules known as plugins or extensions. A webmaster was also skilled enough to write patches to the core server software.

Sometime in the late-mid-90s, the senior developer and project manager for httpd left NCSA to do other things. This left the most popular web daemon in a state of stagnation. Since the use of httpd was so widespread, a group of seasoned httpd webmasters called for a summit regarding the future of httpd. It was decided to coordinate and apply the best extensions and patches into a current stable release. Then the current grand-daddy of http servers was born and christened Apache HTTP Server.

Little Known Historical Fact − Apache was not named after a Native American tribe of warriors. It was in fact coined and named with a twist: being made from many fixes (or patches) from many talented computer scientists, it was "a patchy" server, or Apache.

Install Current Stable Version on CentOS Linux 7

Step 1 − Install httpd via yum.

    yum -y install httpd

At this point Apache HTTP Server will install via yum.

Step 2 − Edit the httpd.conf file specific to your httpd needs.
With a default Apache install, the configuration file for Apache is named httpd.conf and is located in /etc/httpd/. So, let's open it in vim. The first few lines of httpd.conf opened in vim:

    #
    # This is the main Apache HTTP server configuration file.  It contains the
    # configuration directives that give the server its instructions.
    # See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
    # In particular, see
    # <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
    # for a discussion of each configuration directive.

We will make the following changes to allow our CentOS install to serve http requests from http port 80.

Listening host and port

    # Listen: Allows you to bind Apache to specific IP addresses and/or
    # ports, instead of the default. See also the <VirtualHost>
    # directive.
    #
    # Change this to Listen on specific IP addresses as shown below to
    # prevent Apache from glomming onto all bound IP addresses.
    #
    #Listen 12.34.56.78:80
    Listen 80

From here, we change Apache to listen on a certain port or IP address; for example, if we want to run httpd services on an alternative port such as 8080, or if we have our web server configured with multiple interfaces with separate IP addresses.

Listen keeps Apache from attaching to every IP address on the host. This is useful to restrict httpd to only IPv6 or only IPv4 traffic, or to avoid binding to all network interfaces on a multi-homed host.

    #
    # Listen: Allows you to bind Apache to specific IP addresses and/or
    # ports, instead of the default. See also the <VirtualHost>
    # directive.
    #
    # Change this to Listen on specific IP addresses as shown below to
    # prevent Apache from glomming onto all bound IP addresses.
    #
    Listen 10.0.0.25:80
    #Listen 80

DocumentRoot

The "document root" is the default directory where Apache will look for an index file to serve for requests upon visiting your server: http://www.yoursite.com/ will retrieve and serve the index file from your document root.
    #
    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    #
    DocumentRoot "/var/www/html"

Step 3 − Start and enable the httpd service.

    [root@centos rdc]# systemctl start httpd && systemctl enable httpd
    [root@centos rdc]#

Step 4 − Configure the firewall to allow access to port 80 requests.

    [root@centos]# firewall-cmd --add-service=http --permanent

A --permanent rule is written to the saved firewalld configuration and becomes active on the next firewall reload.
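Whether httpd binds one address or all of them is exactly what the Listen edits above control, and it is worth checking mechanically after editing rather than trusting the eye. The following is an added example, not code from the tutorial or from the Apache project: a small Python audit that parses the active Listen and DocumentRoot directives out of httpd.conf text and flags wildcard binds. The two sample configurations are constructed from the snippets shown above; the Listen grammar handled is address-optional, port, optional protocol, which is the form httpd 2.4 documents.

```python
"""Audit Listen and DocumentRoot directives in httpd.conf text (added example)."""
import re

# Listen [address:]port [protocol]; address may be IPv4, bracketed IPv6 or '*'.
LISTEN_RE = re.compile(
    r"^Listen\s+(?:(\*|\[[0-9A-Fa-f:.]+\]|[0-9.]+):)?(\d+)(?:\s+(\w+))?$",
    re.IGNORECASE)
DOCROOT_RE = re.compile(r'^DocumentRoot\s+"?([^"]+?)"?$', re.IGNORECASE)
WILDCARDS = {"*", "0.0.0.0", "::"}  # any of these binds every interface

# Constructed samples modelled on the two Listen edits shown in the chapter.
DEFAULT_CONF = """\
# Listen: Allows you to bind Apache to specific IP addresses and/or ports
#Listen 12.34.56.78:80
Listen 80
DocumentRoot "/var/www/html"
"""

PINNED_CONF = """\
Listen 10.0.0.25:80
#Listen 80
DocumentRoot "/var/www/html"
"""


def active_lines(conf_text: str):
    """Yield directives with comment and blank lines removed (httpd comments start with #)."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_listen(conf_text: str) -> list:
    """Return (address, port, protocol) for each active Listen directive."""
    found = []
    for line in active_lines(conf_text):
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr = m.group(1) or "*"  # no address means every interface
        if addr.startswith("["):  # strip IPv6 brackets: [::1] -> ::1
            addr = addr[1:-1]
        found.append((addr, int(m.group(2)), (m.group(3) or "http").lower()))
    return found


def parse_document_root(conf_text: str):
    """Return the active DocumentRoot path, or None if there is none."""
    for line in active_lines(conf_text):
        m = DOCROOT_RE.match(line)
        if m:
            return m.group(1)
    return None


def audit(conf_text: str) -> list:
    """Findings a reviewer would raise: wildcard binds and missing directives."""
    findings = []
    listens = parse_listen(conf_text)
    if not listens:
        findings.append("no active Listen directive; httpd will not accept connections")
    for addr, port, proto in listens:
        if addr in WILDCARDS:
            findings.append(f"Listen {addr}:{port} ({proto}) binds every interface; "
                            "pin it to the service address on multi-homed hosts")
    if parse_document_root(conf_text) is None:
        findings.append("no active DocumentRoot directive")
    return findings


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("pinned", PINNED_CONF)):
        print(name, parse_listen(conf), audit(conf) or "no findings")
```

The default `Listen 80` is reported as a wildcard bind, the pinned `Listen 10.0.0.25:80` is not; the same parser accepts `Listen [::1]:8443 https` so the audit can be run over the whole configuration, including any files pulled in by IncludeOptional, by concatenating their text.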
Linux Admin – Set Up Perl for CentOS Linux

Perl has been around for a long time. It was originally designed as a reporting language used for parsing text files. With increased popularity, Perl has added module support (CPAN), sockets, threading, and other features needed in a powerful scripting language. The biggest advantage of Perl over PHP, Python, or Ruby is that it gets things done with minimal fuss. This philosophy of Perl does not always mean it gets things done the right way. However, for administration tasks on Linux, Perl is considered the go-to choice for a scripting language.

Some advantages of Perl over Python or Ruby are:

- Powerful text processing
- Perl makes writing scripts quick and dirty (usually a Perl script will be several dozen lines shorter than an equivalent in Python or Ruby)
- Perl can do anything (almost)

Some drawbacks of Perl are:

- Syntax can be confusing
- Coding style in Perl can be unique and bog down collaboration
- Perl is not really object oriented
- Typically, there isn't a lot of thought put into standardization and best practice when Perl is used

When deciding whether to use Perl, Python or PHP, the following questions should be asked:

- Will this application ever need versioning?
- Will other people ever need to modify the code?
- Will other people need to use this application?
- Will this application ever be used on another machine or CPU architecture?

If the answers to all the above are "no", Perl is a good choice and may speed things up in terms of end results. With this mentioned, let's configure our CentOS server to use the most recent version of Perl.

Before installing Perl, we need to understand the support for Perl. Officially, Perl is only supported as far back as the last two stable versions. So, we want to be sure to keep our development environment isolated from the CentOS version.
The reason for isolation is that if someone releases a tool in Perl to the CentOS community, more than likely it will be modified to work on Perl as shipped with CentOS. However, we also want to have the latest version installed for development purposes. Like Python, CentOS ships a Perl focused on reliability and not the cutting edge.

Let's check our current version of Perl on CentOS 7.

    [root@CentOS]# perl -v

    This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi

We are currently running Perl 5.16.3. The most current version as of this writing is perl-5.24.0.

We definitely want to upgrade our version, to be able to use up-to-date Perl modules in our code. Fortunately, there is a great tool for maintaining Perl environments and keeping our CentOS version of Perl isolated. It is called perlbrew.

Let's install perlbrew. Note that piping a downloaded installer straight into bash runs whatever the remote host serves; inspect the script first where that matters in your environment.

    [root@CentOS]# curl -L https://install.perlbrew.pl | bash
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   170  100   170    0     0    396      0 --:--:-- --:--:-- --:--:--   397
    100  1247  100  1247    0     0   1929      0 --:--:-- --:--:-- --:--:--  1929

Now that we have perlbrew installed, let's make an environment for the latest version of Perl. First, we will need the currently installed version of Perl to bootstrap the perlbrew install. Thus, let's get some needed Perl modules from the CentOS repository.

Note − When available we always want to use CentOS Perl modules versus CPAN with our CentOS Perl installation.

Step 1 − Install the CentOS Perl ExtUtils::MakeMaker module.

    [root@CentOS]# yum -y install perl-ExtUtils-MakeMaker.noarch

Step 2 − Install the latest version of perl.
    [root@CentOS build]# source ~/perl5/perlbrew/etc/bashrc
    [root@CentOS build]# perlbrew install -n -j4 --threads perl-5.24.1

The options we chose for our Perl install are:

- -n − No tests
- -j4 − Execute 4 threads in parallel for the installation routines (we are using a quad-core CPU)
- --threads − Enable threading support for Perl

After our installation has been performed successfully, let's switch to our newest Perl environment.

    [root@CentOS]# ~/perl5/perlbrew/bin/perlbrew use perl-5.24.1

    A sub-shell is launched with perl-5.24.1 as the activated perl. Run 'exit' to finish it.

    [root@CentOS]# perl -v

    This is perl 5, version 24, subversion 1 (v5.24.1) built for x86_64-linux-thread-multi
    (with 1 registered patch, see perl -V for more detail)

    Copyright 1987-2017, Larry Wall

    Perl may be copied only under the terms of either the Artistic License or the
    GNU General Public License, which may be found in the Perl 5 source kit.

    Complete documentation for Perl, including FAQ lists, should be found on
    this system using "man perl" or "perldoc perl".  If you have access to the
    Internet, point your browser at http://www.perl.org/, the Perl Home Page.

    [root@CentOS]#

Simple perl script printing the perl version running within the context of our perlbrew environment:

    [root@CentOS]# cat ./ver.pl
    #!/usr/bin/perl
    print $^V . "\n";

    [root@CentOS]# perl ./ver.pl
    v5.24.1
    [root@CentOS]#

Once perl is installed, we can load CPAN modules with perlbrew's cpanm:

    [root@CentOS]# perlbrew install-cpanm

Now let's use the cpanm installer to make the LWP module with our current Perl version of 5.24.1 in perlbrew.

Step 1 − Switch to the context of our current Perl version.

    [root@CentOS ~]# ~/perl5/perlbrew/bin/perlbrew use perl-5.24.1

    A sub-shell is launched with perl-5.24.1 as the activated perl. Run 'exit' to finish it.

    [root@CentOS ~]#

Step 2 − Install the LWP User Agent Perl module.

    [root@CentOS ~]# ~/perl5/perlbrew/bin/cpanm -i LWP::UserAgent

Step 3 − Now let's test our Perl environment with the new CPAN module.
    [root@CentOS ~]# cat ./get_header.pl
Linux Admin – Log Management

Systemd has changed the way system logging is managed for CentOS Linux. Instead of every daemon on the system placing logs into individual locations and then using tools such as tail or grep as the primary way of sorting and filtering log entries, journald has brought a single point of administration to analyzing system logs.

The main components behind systemd logging are: journal, journalctl, and journald.conf. journald is the main logging daemon and is configured by editing journald.conf, while journalctl is used to analyze events logged by journald. Events logged by journald include kernel events, user processes, and daemon services.

Set the Correct System Time Zone

Before using journalctl, we need to make sure our system time is set to the correct time. To do this, we want to use timedatectl.

Let's check the current system time.

    [root@centos rdc]# timedatectl status
          Local time: Mon 2017-03-20 00:14:49 MDT
      Universal time: Mon 2017-03-20 06:14:49 UTC
            RTC time: Mon 2017-03-20 06:14:49
           Time zone: America/Denver (MDT, -0600)
         NTP enabled: yes
    NTP synchronized: yes
     RTC in local TZ: no
          DST active: yes
     Last DST change: DST began at
                      Sun 2017-03-12 01:59:59 MST
                      Sun 2017-03-12 03:00:00 MDT
     Next DST change: DST ends (the clock jumps one hour backwards) at
                      Sun 2017-11-05 01:59:59 MDT
                      Sun 2017-11-05 01:00:00 MST
    [root@centos rdc]#

Currently, the system is correct to the local time zone. If your system is not, let's set the correct time zone. After changing the settings, CentOS will automatically calculate the time zone offset from the current time zone, adjusting the system clock right away.

Let's list all the time zones with timedatectl:

    [root@centos rdc]# timedatectl list-timezones
    Africa/Abidjan
    Africa/Accra
    Africa/Addis_Ababa
    Africa/Algiers
    Africa/Asmara
    Africa/Bamako
    Africa/Bangui
    Africa/Banjul
    Africa/Bissau

That is the condensed output from timedatectl list-timezones.
To find a specific local time zone, the grep command can be used:

    [root@centos rdc]# timedatectl list-timezones | grep -i "america/New_York"
    America/New_York
    [root@centos rdc]#

The label used by CentOS is usually Country/Region with an underscore instead of a space (New_York versus "New York").

Now let's set our time zone:

    [root@centos rdc]# timedatectl set-timezone "America/New_York"
    [root@centos rdc]# date
    Mon Mar 20 02:28:44 EDT 2017
    [root@centos rdc]#

Your system clock should automatically adjust the time.

Use journalctl to Analyze Logs

Common command line switches when using journalctl:

    Switch    Action
    -k        Lists only kernel messages
    -u        Lists by specific unit (httpd, sshd, etc.)
    -b        Lists messages from a specific boot (by boot offset or ID)
    -o        Sets the output format
    -p        Filters by priority (either name or number)
    -F        Lists the values a given field takes
    --utc     Shows times in UTC
    --since   Filters by timeframe

Examine Boot Logs

First, we will examine and configure the boot logs in CentOS Linux. The first thing you will notice is that CentOS, by default, doesn't store boot logging that is persistent across reboots. To check boot logs per reboot instance, we can issue the following command:

    [root@centos rdc]# journalctl --list-boots
    -4 bca6380a31a2463aa60ba551698455b5 Sun 2017-03-19 22:01:57 MDT—Sun 2017-03-19 22:11:02 MDT
    -3 3aaa9b84f9504fa1a68db5b49c0c7208 Sun 2017-03-19 22:11:09 MDT—Sun 2017-03-19 22:15:03 MDT
    -2 f80b231272bf48ffb1d2ce9f758c5a5f Sun 2017-03-19 22:15:11 MDT—Sun 2017-03-19 22:54:06 MDT
    -1 a071c1eed09d4582a870c13be5984ed6 Sun 2017-03-19 22:54:26 MDT—Mon 2017-03-20 00:48:29 MDT
     0 9b4e6cdb43b14a328b1fa6448bb72a56 Mon 2017-03-20 00:48:38 MDT—Mon 2017-03-20 01:07:36 MDT
    [root@centos rdc]#

After rebooting the system, we can see another entry.
    [root@centos rdc]# journalctl --list-boots
    -5 bca6380a31a2463aa60ba551698455b5 Sun 2017-03-19 22:01:57 MDT—Sun 2017-03-19 22:11:02 MDT
    -4 3aaa9b84f9504fa1a68db5b49c0c7208 Sun 2017-03-19 22:11:09 MDT—Sun 2017-03-19 22:15:03 MDT
    -3 f80b231272bf48ffb1d2ce9f758c5a5f Sun 2017-03-19 22:15:11 MDT—Sun 2017-03-19 22:54:06 MDT
    -2 a071c1eed09d4582a870c13be5984ed6 Sun 2017-03-19 22:54:26 MDT—Mon 2017-03-20 00:48:29 MDT
    -1 9b4e6cdb43b14a328b1fa6448bb72a56 Mon 2017-03-20 00:48:38 MDT—Mon 2017-03-20 01:09:57 MDT
     0 aa6aaf0f0f0d4fcf924e17849593d972 Mon 2017-03-20 01:10:07 MDT—Mon 2017-03-20 01:12:44 MDT
    [root@centos rdc]#

Now, let's examine the earliest boot logging instance in the list:

    [root@centos rdc]# journalctl -b -5
    -- Logs begin at Sun 2017-03-19 22:01:57 MDT, end at Mon 2017-03-20 01:20:27 MDT. --
    Mar 19 22:01:57 localhost.localdomain systemd-journal[97]: Runtime journal is using 8.0M (max allowed 108.4M
    Mar 19 22:01:57 localhost.localdomain kernel: Initializing cgroup subsys cpuset
    Mar 19 22:01:57 localhost.localdomain kernel: Initializing cgroup subsys cpu
    Mar 19 22:01:57 localhost.localdomain kernel: Initializing cgroup subsys cpuacct
    Mar 19 22:01:57 localhost.localdomain kernel: Linux version 3.10.0-514.6.2.el7.x86_64 ([email protected].
    Mar 19 22:01:57 localhost.localdomain kernel: Command line: BOOT_IMAGE=/vmlinuz-3.10.0-514.6.2.el7.x86_64 ro
    Mar 19 22:01:57 localhost.localdomain kernel: Disabled fast string operations
    Mar 19 22:01:57 localhost.localdomain kernel: e820: BIOS-provided physical RAM map:

Above is the condensed output from that boot. We could also refer back to a boot log from hours, days, weeks, months, and even years ago. However, by default CentOS doesn't store persistent boot logs.
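The journalctl --list-boots table above is easy to read by eye, but once boot logs are persistent it becomes a history worth checking automatically: a run of very short boots is how a crash loop or a host being repeatedly power-cycled shows up, and the gap between one boot's end and the next start is downtime. The following is an added example, not part of the tutorial: Python that parses the listing (the embedded sample is the page's own first `journalctl --list-boots` output) and reports short boots and gaps. It assumes start and end stamps share one time zone, as they do here, and ignores the zone label.

```python
"""Parse `journalctl --list-boots` output and flag short boots and gaps (added example)."""
import re
from datetime import datetime

# offset  32-hex boot id  DAY YYYY-MM-DD HH:MM:SS ZONE—DAY YYYY-MM-DD HH:MM:SS ZONE
BOOT_RE = re.compile(
    r"^\s*(-?\d+)\s+([0-9a-f]{32})\s+\w{3}\s+(\S+ \S+)\s+\w+\s*[—-]+\s*\w{3}\s+(\S+ \S+)\s+\w+\s*$")
STAMP = "%Y-%m-%d %H:%M:%S"

# Sample listing copied from the chapter's own journalctl --list-boots output.
SAMPLE_BOOTS = """\
-4 bca6380a31a2463aa60ba551698455b5 Sun 2017-03-19 22:01:57 MDT—Sun 2017-03-19 22:11:02 MDT
-3 3aaa9b84f9504fa1a68db5b49c0c7208 Sun 2017-03-19 22:11:09 MDT—Sun 2017-03-19 22:15:03 MDT
-2 f80b231272bf48ffb1d2ce9f758c5a5f Sun 2017-03-19 22:15:11 MDT—Sun 2017-03-19 22:54:06 MDT
-1 a071c1eed09d4582a870c13be5984ed6 Sun 2017-03-19 22:54:26 MDT—Mon 2017-03-20 00:48:29 MDT
 0 9b4e6cdb43b14a328b1fa6448bb72a56 Mon 2017-03-20 00:48:38 MDT—Mon 2017-03-20 01:07:36 MDT
"""


def parse_boots(text: str) -> list:
    """Return one dict per boot record; lines that are not boot records are skipped."""
    boots = []
    for line in text.splitlines():
        m = BOOT_RE.match(line)
        if not m:
            continue
        boots.append({
            "offset": int(m.group(1)),
            "boot_id": m.group(2),
            "start": datetime.strptime(m.group(3), STAMP),
            "end": datetime.strptime(m.group(4), STAMP),  # zone label assumed equal to start's
        })
    return boots


def uptime_seconds(boot: dict) -> int:
    """Span covered by the boot's journal entries, first to last."""
    return int((boot["end"] - boot["start"]).total_seconds())


def short_boots(boots: list, max_seconds: int = 300) -> list:
    """Offsets of boots that lasted under max_seconds: crash loops and hosts being
    power-cycled show up here, which is exactly the history a volatile journal loses."""
    return [b["offset"] for b in boots if uptime_seconds(b) < max_seconds]


def gaps_seconds(boots: list) -> list:
    """Downtime between consecutive boots: end of one to start of the next."""
    ordered = sorted(boots, key=lambda b: b["start"])
    return [int((nxt["start"] - prev["end"]).total_seconds())
            for prev, nxt in zip(ordered, ordered[1:])]


if __name__ == "__main__":
    boots = parse_boots(SAMPLE_BOOTS)
    for b in boots:
        print(f"boot {b['offset']:>2} {b['boot_id'][:8]}  up {uptime_seconds(b):>5}s")
    print("short boots:", short_boots(boots), "gaps:", gaps_seconds(boots))
```

On the sample data, boot -3 is the only one that ran under five minutes, and the gaps between boots are all under half a minute, which is what a series of quick reboots during setup looks like; the same numbers on a production host would be worth an explanation.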
To enable persistently storing boot logs, we need to make a few configuration changes:

- Make a central storage point for boot logs
- Give proper permissions to the new log folder
- Configure journald.conf for persistent logging

Configure Boot Location for Persistent Boot Logs

The initial place journald will want to store persistent boot logs is /var/log/journal. Since this doesn't exist by default, let's create it:

    [root@centos rdc]# mkdir /var/log/journal

Now, let's give the directory the proper permissions for journald daemon access:

    systemd-tmpfiles --create --prefix /var/log/journal

Finally, let's tell journald it should store persistent boot logs. In vim or your favorite text editor, open /etc/systemd/journald.conf.

    # See journald.conf(5) for details.

    [Journal]
    Storage=persistent

The line we are concerned with is Storage=. First remove the comment #, then change it to Storage=persistent as depicted above. Save and reboot your CentOS system.
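Editing journald.conf by hand is fine for one host; across many hosts, or to verify that the change actually landed, an idempotent edit is safer. The following is an added example, not part of the tutorial: a Python function that sets Storage= under [Journal], replacing a commented-out `#Storage=auto` in place rather than appending a duplicate, plus a reader that reports the effective value. The accepted values are the four that journald.conf(5) documents, so a misspelling such as `peristent` is rejected instead of being written to disk. The sample configuration text is constructed.

```python
"""Idempotently set Storage= in journald.conf text and read the effective value (added example)."""

VALID_STORAGE = {"volatile", "persistent", "auto", "none"}  # values journald.conf(5) accepts

# Constructed sample resembling the stock file: the directive is present but commented out.
JOURNALD_CONF_SAMPLE = """\
# See journald.conf(5) for details.

[Journal]
#Storage=auto
#Compress=yes
"""


def _section_name(stripped: str):
    """Return the section name if this line is an INI header like [Journal], else None."""
    if stripped.startswith("[") and stripped.endswith("]"):
        return stripped[1:-1]
    return None


def set_journal_storage(conf_text: str, value: str = "persistent") -> str:
    """Return conf_text with exactly one active Storage=<value> line under [Journal]."""
    if value not in VALID_STORAGE:
        raise ValueError(f"Storage={value!r} is not a journald.conf(5) value")
    out, section, seen_journal, done = [], None, False, False
    for line in conf_text.splitlines():
        stripped = line.strip()
        header = _section_name(stripped)
        if header is not None:
            if section == "Journal" and not done:
                out.append(f"Storage={value}")  # [Journal] had no Storage line: add before next section
                done = True
            section = header
            seen_journal = seen_journal or header == "Journal"
            out.append(line)
            continue
        if section == "Journal":
            key = stripped.lstrip("#").split("=", 1)[0].strip()
            if key == "Storage":
                if not done:
                    out.append(f"Storage={value}")  # replaces the first (possibly commented) Storage line
                    done = True
                continue  # drop further commented or duplicate Storage lines
        out.append(line)
    if not done:
        if not seen_journal:
            out.append("[Journal]")
        out.append(f"Storage={value}")
    return "\n".join(out) + "\n"


def active_storage(conf_text: str):
    """Effective Storage= under [Journal], or None when journald falls back to its default."""
    section, value = None, None
    for line in conf_text.splitlines():
        stripped = line.strip()
        header = _section_name(stripped)
        if header is not None:
            section = header
        elif section == "Journal" and not stripped.startswith("#") and "=" in stripped:
            key, val = stripped.split("=", 1)
            if key.strip() == "Storage":
                value = val.strip()  # last active occurrence wins, as in journald
    return value


if __name__ == "__main__":
    fixed = set_journal_storage(JOURNALD_CONF_SAMPLE)
    print(fixed)
    print("effective Storage:", active_storage(fixed))
```

Running the function twice yields the same text, so it can be applied unconditionally by a configuration management run; the reader is what a compliance check would call to confirm that boot logs survive a reboot on each host.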
Install and Configure Open LDAP

LDAP, known as Lightweight Directory Access Protocol, is a protocol used for accessing X.500 service containers within an enterprise, collectively known as a directory. Those who are familiar with Windows Server administration can think of LDAP as being very similar in nature to Active Directory. It is even a widely used concept to intertwine Windows workstations into an OpenLDAP CentOS enterprise. On the other side of the spectrum, a CentOS Linux workstation can share resources and participate with the basic functionality in a Windows Domain.

Deploying LDAP on CentOS as a Directory Server Agent, Directory System Agent, or DSA (these acronyms are all one and the same) is similar to older Novell Netware installations using the Directory Tree structure with NDS.

Brief History of LDAP

LDAP was basically created as an efficient way to access X.500 directories with enterprise resources. Both X.500 and LDAP share the same characteristics and are so similar that LDAP clients can access X.500 directories with some helpers. LDAP also has its own directory server called slapd. The main difference between LDAP and DAP is that the lightweight version is designed to operate over TCP, while DAP uses the full OSI model.

With the advent of the Internet, TCP/IP and Ethernet prominence in networks of today, it is rare to come across a Directory Services implementation using both DAP and native X.500 enterprise directories outside specific legacy computing models.

The main components used with openldap for CentOS Linux are:

    openldap          LDAP support libraries
    openldap-server   LDAP server
    openldap-clients  LDAP client utilities
    openldap-devel    Development libraries for OpenLDAP
    compat-openldap   OpenLDAP shared libraries
    slapd             Directory server daemon of OpenLDAP
    slurpd            Used for LDAP replication across an enterprise domain

Note − When naming your enterprise, it is a best practice to use the .local TLD.
Using a .net or .com can cause difficulties when segregating an online and internal domain infrastructure. Imagine the extra work for a company internally using acme.com for both external and internal operations. Hence, it can be wise to have Internet resources called acme.com or acme.net. Then, the local networking enterprise resources are depicted as acme.local. This will entail configuring DNS records, but will pay off in simplicity, eloquence and security.

Install Open LDAP on CentOS

Install the openldap, openldap-servers, openldap-clients and migrationtools packages from YUM.

    [root@localhost]# yum -y install openldap openldap-servers openldap-clients migrationtools
    Loaded plugins: fastestmirror, langpacks
    updates                                                  | 3.4 kB  00:00:00
    updates/7/x86_64/primary_db                              | 2.2 MB  00:00:05
    Determining fastest mirrors
    (1/2): extras/7/x86_64/primary_db                        | 121 kB  00:00:01
    (2/2): base/7/x86_64/primary_db                          | 5.6 MB  00:00:16
    Package openldap-2.4.40-13.el7.x86_64 already installed and latest version
    Resolving Dependencies
    --> Running transaction check
    ---> Package openldap-clients.x86_64 0:2.4.40-13.el7 will be installed
    ---> Package openldap-servers.x86_64 0:2.4.40-13.el7 will be installed
    --> Finished Dependency Resolution
    base/7/x86_64/group_gz                                   | 155 kB  00:00:00

    Dependencies Resolved

    ================================================================================
     Package                Arch       Version             Repository      Size
    ================================================================================
    Installing:
     openldap-clients       x86_64     2.4.40-13.el7       base           188 k
     openldap-servers       x86_64     2.4.40-13.el7       base           2.1 M

    Transaction Summary
    ================================================================================
    Install  2 Packages

    Total download size: 2.3 M
    Installed size: 5.3 M
    Downloading packages:

    Installed:
      openldap-clients.x86_64 0:2.4.40-13.el7
      openldap-servers.x86_64 0:2.4.40-13.el7

    Complete!
    [root@localhost]#

Now, let's start and enable the slapd service:

    [root@centos]# systemctl start slapd
    [root@centos]# systemctl enable slapd

At this point, let's assure we have our openldap structure in /etc/openldap.

    [root@localhost]# ls /etc/openldap/
    certs  check_password.conf  ldap.conf  schema  slapd.d
    [root@localhost]#

Then make sure our slapd service is running.

    [root@centos]# netstat -antup | grep slapd
    tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1641/slapd
    tcp6       0      0 :::389                  :::*                    LISTEN      1641/slapd
    [root@centos]#

Next, let's configure our Open LDAP installation.

Make sure our system ldap user has been created.

    [root@localhost]# id ldap
    uid=55(ldap) gid=55(ldap) groups=55(ldap)
    [root@localhost]#

Generate our LDAP credentials.

    [root@localhost]# slappasswd
    New password:
    Re-enter new password:
    {SSHA}20RSyjVv6S6r43DFPeJgASDLlLoSU8g.a10
    [root@localhost]#

We need to save the output from slappasswd.

Configure Open LDAP

Step 1 − Configure LDAP for the domain and add an administrative user.

First, we want to set up our openLDAP environment. Following is a template to use with the ldapmodify command.

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcSuffix
    olcSuffix: dc=vmnet,dc=local

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootDN
    olcRootDN: cn=ldapadm,dc=vmnet,dc=local

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootPW
    olcRootPW: <output from slappasswd>

Save this template as db.ldif and apply it with the ldapmodify command; the changes land in /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif.
    [root@localhost]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /home/rdc/Documents/db.ldif
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    modifying entry "olcDatabase={2}hdb,cn=config"
    modifying entry "olcDatabase={2}hdb,cn=config"
    modifying entry "olcDatabase={2}hdb,cn=config"
    [root@localhost cn=config]#

Let's check the modified LDAP configuration.

    [root@linux1 ~]# vi /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
    [root@centos]# cat /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
    # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
    # CRC32 a163f14c
    dn: olcDatabase={2}hdb
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {2}hdb
    olcDbDirectory: /var/lib/ldap
    olcDbIndex: objectClass eq,pres
    olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
    structuralObjectClass: olcHdbConfig
    entryUUID: 1bd9aa2a-8516-1036-934b-f7eac1189139
    creatorsName: cn=config
    createTimestamp: 20170212022422Z
    olcSuffix: dc=vmnet,dc=local
    olcRootDN: cn=ldapadm,dc=vmnet,dc=local
    olcRootPW:: e1NTSEF1bUVyb1VzZTRjc2dkYVdGaDY0T0k=
    entryCSN: 20170215204423.726622Z#000000#000#000000
    modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    modifyTimestamp: 20170215204423Z
    [root@centos]#

As you can see, our LDAP enterprise modifications were successful. Next, we want to create a self-signed SSL certificate for OpenLDAP. This will secure the communication between the enterprise server and clients.

Step 2 − Create a self-signed certificate for OpenLDAP.

We will use openssl to create a self-signed SSL certificate. Go to the next chapter, Create LDAP SSL Certificate with openssl, for instructions to secure communications with OpenLDAP. Then when
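The slappasswd output and the `olcRootPW::` line in the generated LDIF are what tie the administrative credential to the configuration, and both are worth understanding rather than copying blindly. The following is an added example written in Python for this page, not OpenLDAP code: it generates and verifies {SSHA} values the way slappasswd's default scheme does (SHA-1 over password plus a 4-byte random salt, salt appended, base64 encoded), decodes the `::` base64 form slapd writes in cn=config LDIF, and checks that an olcRootPW attribute carries a hashed scheme prefix rather than a cleartext password. The sample LDIF lines and the fixed salt are constructed.

```python
"""Generate/verify OpenLDAP {SSHA} hashes and inspect olcRootPW in LDIF (added example)."""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes; whatever follows the digest in the decoded value is the salt


def ssha_hash(password: str, salt: bytes = None) -> str:
    """slappasswd's default scheme: base64(SHA1(password + salt) + salt), salt in clear."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recover the salt from the stored value, recompute, and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad characters or padding
        return False
    if len(raw) <= SHA1_LEN:
        return False  # no room for a salt: malformed value, not a match
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attr(line: str) -> tuple:
    """Split one LDIF line into (attribute, value). A '::' separator means the value is
    base64-encoded, which is how slapd writes olcRootPW in olcDatabase={2}hdb.ldif."""
    if ":: " in line:
        attr, b64 = line.split(":: ", 1)
        return attr.strip(), base64.b64decode(b64.strip()).decode("utf-8")
    attr, value = line.split(":", 1)
    return attr.strip(), value.strip()


def rootpw_is_hashed(ldif_text: str) -> bool:
    """True when olcRootPW carries a {SCHEME} prefix; a bare value would be a cleartext password."""
    for line in ldif_text.splitlines():
        if line.startswith("olcRootPW"):
            _, value = ldif_attr(line)
            return value.startswith("{") and "}" in value
    return False


if __name__ == "__main__":
    stored = ssha_hash("correct horse battery staple")
    print(stored, ssha_verify("correct horse battery staple", stored))
    # Constructed LDIF fragment in the shape slapd writes; the hash is a fresh one, not the page's.
    ldif = "olcRootDN: cn=ldapadm,dc=vmnet,dc=local\nolcRootPW:: " \
        + base64.b64encode(stored.encode()).decode() + "\n"
    print("olcRootPW hashed:", rootpw_is_hashed(ldif))
```

Two things the code makes visible: the salt travels in clear inside the value, so two hashes of the same password differ and a stolen value cannot be matched against a precomputed table for that password; and since slapd stores whatever ldapmodify is given, a template filled with a plain password instead of the slappasswd output would be accepted silently, which is what the last check catches.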
Set Up Python with CentOS Linux

Python is a widely used interpreted language that has brought professionalism to the world of coding scripted applications on Linux (and other operating systems). Where Perl was once the industry standard, Python has surpassed Perl in many respects.

Some strengths of Python versus Perl are:

- Rapid progression in refinement
- Libraries that are standard to the language
- Readability of the code is thought out in the language definition
- Many professional frameworks for everything from GUI support to web development

Python can do anything Perl can do, and in a lot of cases in a better manner. Though Perl still has its place in the toolbox of a Linux admin, learning Python is a great choice as a skill set.

The biggest drawbacks of Python are sometimes related to its strengths. Historically, Python was originally designed to teach programming. At times, its core foundations of "easily readable" and "doing things the right way" can cause unnecessary complexities when writing simple code. Also, its standard libraries have caused problems in transitioning from versions 2.X to 3.X.

Python scripts are actually used at the core of CentOS for functions vital to the functionality of the operating system. Because of this, it is important to isolate our development Python environment from CentOS' core Python environment.

For starters, there are currently two versions of Python: Python 2.X and Python 3.X. Both are still in active production, though version 2.X is quickly closing in on deprecation (and has been for a few years). The reason for the two active versions of Python was basically fixing the shortcomings of version 2.X. This required some core functionality of version 3.X to be redone in ways that could not support some version 2.X scripts.

Basically, the best way to overcome this transition is: develop for 3.X and keep up with the latest 2.X version for legacy scripts.
Currently, CentOS 7.X relies on a semi-current revision of version 2.X. As of this writing, the most current versions of Python are 3.4.6 and 2.7.13. Don't let this confuse you or draw any conclusions about Python. Setting up a Python environment is really pretty simple. With Python frameworks and libraries, this task is actually really easy to accomplish.

Before setting up our Python environments, we need a sane environment. To start, let's make sure our CentOS install is fully updated and get some building utilities installed.

Step 1 − Update CentOS.

    [root@CentOS]# yum -y update

Step 2 − Install build utilities.

    [root@CentOS]# yum -y groupinstall "development tools"

Step 3 − Install some needed packages.

    [root@CentOS]# yum install -y zlib-devel openssl-devel sqlite-devel bzip2-devel

Now we need to install current Python 2.X and 3.X from source:

- Download compressed archives
- Extract files
- Compile source code

Let's start by creating a build directory for each Python install in /usr/src/.

    [root@CentOS]# mkdir -p /usr/src/pythonSource

Now let's download the source tarballs for each:

    [root@CentOS]# wget https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz
    [root@CentOS]# wget https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz

Now we need to extract each from the archive.

Step 1 − Install xz-libs and extract the tarballs.

    [root@CentOS]# yum install xz-libs
    [root@CentOS python3]# xz -d ./*.xz
    [root@CentOS python3]# ls
    Python-2.7.13.tar  Python-3.6.0.tar
    [root@CentOS python3]#

Step 2 − Untar each installer from its tarball.

    [root@CentOS]# tar -xvf ./Python-2.7.13.tar
    [root@CentOS]# tar -xvf ./Python-3.6.0.tar

Step 3 − Enter each directory and run the configure script.

    [root@CentOS]# ./configure --prefix=/usr/local
    [root@CentOS]# make altinstall

Note − Be sure to use altinstall and not install. This will keep the CentOS and development versions of Python separated. Otherwise, you may break the functionality of CentOS.

You will now see the compilation process begin.
Grab a cup of coffee and take a 15-minute break until completion. Since we installed all the needed dependencies for Python, the compilation process should complete without error.

Let's make sure we have the latest 2.X version of Python installed.

[root@CentOS Python-2.7.13]# /usr/local/bin/python2.7 -V
Python 2.7.13
[root@CentOS Python-2.7.13]#

Note − You will want to use a shebang line pointing to our development environment for Python 2.X.

[root@CentOS Python-2.7.13]# cat ver.py
#!/usr/local/bin/python2.7
import sys
print(sys.version)
[root@CentOS Python-2.7.13]# ./ver.py
2.7.13 (default, Jan 29 2017, 02:24:08)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-11)]

Just like that, we have separate Python installs for versions 2.X and 3.X. From here, we can use each, and utilities such as pip and virtualenv, to further ease the burden of managing Python environments and package installation.
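To make the download-extract-build steps above repeatable, here is an added example (not from the tutorial) that checks the downloaded tarball's SHA256 digest against the value published on python.org before anything is compiled, and then runs the same configure / make altinstall sequence into /usr/local. The digest argument is a placeholder to be copied from python.org's download page, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify a downloaded Python source
# tarball against a published SHA256 digest before extracting and building it
# with "make altinstall", so CentOS's own /usr/bin/python is left untouched.
# The expected digest is supplied by the caller (placeholder in the usage
# line below); take it from python.org, not from the mirror that served the
# tarball.

# verify_sha256 FILE EXPECTED_DIGEST
# Returns 0 when the file's SHA256 digest matches, 1 otherwise.
verify_sha256() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || return 1
    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    [ "$actual" = "$expected" ]
}

# build_python TARBALL [PREFIX]
# Extracts an already verified .tar.xz into /usr/src/pythonSource and runs
# configure / make altinstall, mirroring the tutorial's steps.
build_python() {
    tarball="$1"
    prefix="${2:-/usr/local}"
    srcdir=/usr/src/pythonSource
    mkdir -p "$srcdir" || return 1
    tar -xJf "$tarball" -C "$srcdir" || return 1
    dir="$srcdir/$(basename "$tarball" .tar.xz)"
    (cd "$dir" && ./configure --prefix="$prefix" && make altinstall)
}

# install_python_release URL EXPECTED_DIGEST
# Downloads, verifies and builds one release; a digest mismatch deletes the
# tarball and aborts before configure is ever run.
install_python_release() {
    url="$1"
    expected="$2"
    tarball="/usr/src/$(basename "$url")"
    wget -q -O "$tarball" "$url" || return 1
    if ! verify_sha256 "$tarball" "$expected"; then
        echo "checksum mismatch for $tarball, refusing to build" >&2
        rm -f "$tarball"
        return 1
    fi
    build_python "$tarball" /usr/local
}

# Usage (as root), with the digest copied from python.org:
# install_python_release https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz \
#     "<sha256 digest published on python.org>"
```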
Home
Linux Admin Tutorial

Linux was designed based on the Unix philosophy of “small, precise tools chained together simplifying larger tasks”. Linux, at its root, does not have large single-purpose applications for one specific use a lot of the time. Instead, there are hundreds of basic utilities that when combined offer great power to accomplish big tasks with efficiency. Unique amongst business-class Linux distributions, CentOS stays true to the open-source nature that Linux was founded on. This tutorial gives a complete understanding of Linux administration and explains how to use it for benefit.

Audience

This tutorial has been prepared for beginners to help them understand the fundamentals of Linux administration. It will specifically be useful for Linux administration professionals. After completing this tutorial, you will find yourself at a moderate level of expertise from where you can take yourself to the next levels.

Prerequisites

Before you go ahead with this tutorial, we assume that you have a basic knowledge of Linux and administration fundamentals.
Create SSL Certificates
Linux Admin – Create SSL Certificates

TLS and SSL Background

TLS is the new standard for socket layer security, succeeding SSL. TLS offers better encryption standards along with other security and protocol wrapper features that advance SSL. Often, the terms TLS and SSL are used interchangeably. However, as a professional CentOS Administrator, it is important to note the differences and history separating each.

SSL goes up to version 3.0. SSL was developed and promoted as an industry standard under Netscape. After Netscape was purchased by AOL (an ISP popular in the 90's, otherwise known as America Online), AOL never really promoted the changes needed for security improvements to SSL. At version 3.1, SSL technology moved into the open systems standards and was changed to TLS. Since the copyrights on SSL were still owned by AOL, a new term was coined: TLS – Transport Layer Security.

So it is important to acknowledge that TLS is in fact different from SSL, especially as older SSL technologies have known security issues and some are considered obsolete today.

Note − This tutorial will use the term TLS when speaking of technologies 3.1 and higher, and SSL when commenting specifically on SSL technologies 3.0 and lower.

SSL vs TLS Versioning

The following table shows how TLS and SSL versioning relate to one another. I have heard a few people speak in terms of SSL version 3.2. However, they probably got the terminology from reading a blog. As a professional administrator, we always want to use the standard terminology. Hence, while speaking, SSL should be a reference to past technologies. Simple things can make a CentOS job seeker look like a seasoned CS major.

TLS    SSL
–      3.0
1.0    3.1
1.1    3.2
1.2    3.3

TLS performs two main functions important to the users of the Internet today: one, it verifies who a party is, known as authentication.
Two, it offers end-to-end encryption at the transport layer for upper-level protocols that lack this native feature (ftp, http, email protocols, and more).

The first, verifying who a party is, is as important to security as end-to-end encryption. If a consumer has an encrypted connection to a website that is not authorized to take payment, financial data is still at risk. This is what every phishing site will fail to have: a properly signed TLS certificate from a trusted CA, verifying that the website operators are who they claim to be. There are only two methods to get around not having a properly signed certificate: trick the user into allowing a web browser to trust a self-signed certificate, or hope the user is not tech savvy and will not know the importance of a trusted Certificate Authority (or CA).

In this tutorial, we will be using what is known as a self-signed certificate. This means that, without explicitly giving this certificate trusted status in every web browser visiting the website, an error will be displayed discouraging users from visiting the site. Then, it will make the user jump through a few actions before accessing a site with a self-signed certificate. Remember, for the sake of security this is a good thing.

Install and Configure openssl

openssl is the standard for open-source implementations of TLS. openssl is used on systems such as Linux, BSD distributions, OS X, and it even supports Windows. openssl is important, as it provides transport layer security and abstracts the detailed programming of authentication and end-to-end encryption for a developer. This is why openssl is used with almost every single open-source application using TLS. It is also installed by default on every modern version of Linux.

By default, openssl should be installed on CentOS from at least version 5 onwards. Just to be sure, let's try installing openssl via YUM. Just run install, as YUM is intelligent enough to let us know if a package is already installed.
If we are running an older version of CentOS for compatibility reasons, doing a yum -y install will ensure openssl is updated against the semi-recent Heartbleed vulnerability. When running the installer, it was found there was actually an update to openssl.

[root@centos]# yum -y install openssl
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1e-60.el7 will be updated
---> Package openssl.x86_64 1:1.0.1e-60.el7_3.1 will be an update
--> Processing Dependency: openssl-libs(x86-64) = 1:1.0.1e-60.el7_3.1 for package: 1:openssl-1.0.1e-60.el7_3.1.x86_64
--> Running transaction check
---> Package openssl-libs.x86_64 1:1.0.1e-60.el7 will be updated
---> Package openssl-libs.x86_64 1:1.0.1e-60.el7_3.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================
 Package        Arch       Version                   Repository    Size
===============================================================================
Updating:
 openssl        x86_64     1:1.0.1e-60.el7_3.1       updates       713 k
Updating for dependencies:

Create Self-signed Certificate for OpenLDAP

This is a method to create a self-signed certificate for our previous OpenLDAP installation. To create a self-signed OpenLDAP certificate:

openssl req -new -x509 -nodes -out /etc/openldap/certs/myldaplocal.pem -keyout /etc/openldap/certs/myldaplocal.pem -days 365

[root@centos]# openssl req -new -x509 -nodes -out /etc/openldap/certs/vmnet.pem -keyout /etc/openldap/certs/vmnet.pem -days 365
Generating a 2048 bit RSA private key
.........................................+++
............................................+++
writing new private key to '/etc/openldap/certs/vmnet.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Califonia
Locality Name (eg, city) [Default City]:LA
Organization Name (eg, company) [Default Company Ltd]:vmnet
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:centos
Email Address []:[email protected]
[root@centos]#
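The same openssl req, as an added example (not from the tutorial) that answers the DN prompts non-interactively with -subj and writes the private key to its own 0600 file rather than into one file with the certificate: -nodes leaves the key unencrypted, so file permissions are the only thing protecting it. Two helpers read the certificate back so a script can confirm the CN and watch the 365-day lifetime. The output paths, subject fields and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): self-signed certificate for slapd
# with key and certificate kept in separate files. Subject fields mirror the
# values typed in the tutorial; paths and names are assumptions.

# make_selfsigned_cert OUTDIR NAME CN [DAYS]
# Writes NAME.key (private key, mode 0600) and NAME.crt (certificate, 0644)
# under OUTDIR. Returns 0 on success, 1 on any failure.
make_selfsigned_cert() {
    outdir="$1"; name="$2"; cn="$3"; days="${4:-365}"
    mkdir -p "$outdir" || return 1
    # umask 077 in a subshell: the key file is never world-readable, not
    # even for the instant between creation and the chmod below.
    ( umask 077 && openssl req -new -x509 -nodes -newkey rsa:2048 \
        -days "$days" -subj "/C=US/ST=California/L=LA/O=vmnet/CN=$cn" \
        -keyout "$outdir/$name.key" -out "$outdir/$name.crt" 2>/dev/null ) \
        || return 1
    chmod 600 "$outdir/$name.key" || return 1
    chmod 644 "$outdir/$name.crt"
}

# cert_cn FILE
# Prints the Common Name of a PEM certificate (handles both the
# "/CN=x" and "CN = x" subject formats printed by different OpenSSL versions).
cert_cn() {
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_days_left FILE
# Prints whole days until the certificate expires; with the tutorial's
# 365-day lifetime this is what a renewal reminder would watch.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end_s=$(date -d "$end" +%s)
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Usage, mirroring the tutorial's location (run as root):
# make_selfsigned_cert /etc/openldap/certs vmnet centos 365
# then point slapd's olcTLSCertificateFile at vmnet.crt and
# olcTLSCertificateKeyFile at vmnet.key, and make the key readable by the
# account slapd runs as.
```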
Traffic Monitoring in CentOS
Linux Admin – Traffic Monitoring in CentOS

There are several third-party tools that can add enhanced capabilities for CentOS traffic monitoring. In this tutorial, we will focus on those that are packaged in the main CentOS distribution repositories and the Fedora EPEL repository. There will always be situations where an Administrator (for one reason or another) is left with only the tools in the main CentOS repositories.

Most utilities discussed are designed to be used by an Administrator with shell or physical access. When traffic monitoring with an accessible web GUI is needed, using third-party utilities such as ntopng or Nagios is the best choice (versus re-creating such facilities from scratch). For further research on both configurable web GUI solutions, the following links are a place to start.

Traffic Monitoring for LAN / WAN Scenarios

Nagios

Nagios has been around for a long time, therefore it is both tried and tested. At one point it was all free and open source, but it has since advanced into an Enterprise solution with paid licensing models to support the need for Enterprise sophistication. Hence, before planning any rollouts with Nagios, make sure the open-source licensed versions will meet your needs, or plan on spending with an Enterprise budget in mind.

Most open-source Nagios traffic monitoring software can be found at https://www.nagios.org. For a summarized history of Nagios, here is the official Nagios History page: https://www.nagios.org/about/history/

ntopng

Another great tool allowing bandwidth and traffic monitoring via a web GUI is called ntopng. ntopng is similar to the Unix utility ntop, and can collect data for an entire LAN or WAN. Providing a web GUI for administration, configuration, and charting makes it easy to use for entire IT departments. Like Nagios, ntopng has both open-source and paid enterprise versions available.
For more information about ntopng, please visit the website: http://www.ntop.org/

Install Fedora EPEL Repository ─ Extra Packages for Enterprise Linux

To access some of the needed tools for traffic monitoring, we will need to configure our CentOS system to use the EPEL Repository. The EPEL Repository is not officially maintained or supported by CentOS. However, it is maintained by a group of Fedora Core volunteers to address the packages commonly used by Enterprise Linux professionals that are not included in either CentOS, Fedora Core, or Red Hat Enterprise Linux.

Caution − Remember, the EPEL Repository is not official for CentOS and may break compatibility and functionality on production servers with common dependencies. With that in mind, it is advised to always test on a non-production server running the same services as production before deploying on a system-critical box.

Really, the biggest advantage of using the EPEL Repository over any other third-party repository with CentOS is that we can be sure the binaries are not tainted. It is considered a best practice to not use repositories from an untrusted source. With all that said, the official EPEL Repository is so common with CentOS that it can be easily installed via YUM.

[root@CentOS rdc]# yum -y install epel-release
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: repo1.dal.innoscale.net
 * extras: repo1.dal.innoscale.net
 * updates: mirror.hmc.edu
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-9 will be installed
--> Finished Dependency Resolution

Dependencies Resolved
--{ condensed output }--

After installing the EPEL Repository, we will want to update it.
[root@CentOS rdc]# yum repolist
Loaded plugins: fastestmirror, langpacks
epel/x86_64/metalink                     |  11 kB  00:00:00
epel                                     | 4.3 kB  00:00:00
(1/3): epel/x86_64/group_gz              | 170 kB  00:00:00
(2/3): epel/x86_64/updateinfo            | 753 kB  00:00:01
(3/3): epel/x86_64/primary_db
--{ condensed output }--

At this point, our EPEL repository should be configured and ready to use. Let's start by installing nload for interface bandwidth monitoring. The tools we will focus on in this tutorial are:

- nload
- ntop
- ifstat
- iftop
- vnstat
- nethogs
- Wireshark
- TCP Dump
- Traceroute

These are all standard for monitoring traffic in Linux Enterprises. The usage of each ranges from simple to advanced, so we will only briefly discuss tools such as Wireshark and TCP Dump.

Install and Use nload

With our EPEL Repositories installed and configured in CentOS, we now should be able to install and use nload. This utility is designed to chart bandwidth per interface in real time. Like most other basic installs, nload is installed via the YUM package manager.

[root@CentOS rdc]# yum -y install nload
Resolving Dependencies
--> Running transaction check
---> Package nload.x86_64 0:0.7.4-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================
 Package     Arch       Version           Repository     Size
===============================================================================
Installing:
 nload       x86_64     0.7.4-4.el7       epel           70 k

Transaction Summary
===============================================================================
Install  1 Package

Total download size: 70 k
Installed size: 176 k
Downloading packages:
--{ condensed output }--

Now we have nload installed, and using it is pretty straightforward.
[root@CentOS rdc]# nload enp0s5

nload will monitor the specified interface, in this case enp0s5, an Ethernet interface, in real time from the terminal for network traffic loads and total bandwidth usage. As seen, nload will chart both incoming and outgoing data from the specified interface, along with providing a visual representation of the data flow with hash marks “#”. The depicted screenshot is of a simple web page being loaded with some background daemon traffic.

Common command line switches for nload are:

Command   Action
-a        Time period
-t        Time update interval in milliseconds; the default is 500
-u        Sets the display units for traffic measurement
-U        Sets the units for total in/out traffic measurement; same options as -u

The
Basic CentOS Linux Commands
Linux Admin – Basic CentOS Linux Commands

Before learning the tools of a CentOS Linux Administrator, it is important to note the philosophy behind the Linux administration command line. Linux was designed based on the Unix philosophy of “small, precise tools chained together simplifying larger tasks”. Linux, at its root, does not have large single-purpose applications for one specific use a lot of the time. Instead, there are hundreds of basic utilities that when combined offer great power to accomplish big tasks with efficiency.

Examples of the Linux Philosophy

For example, if an administrator wants a listing of all the current users on a system, the following chained commands can be used to get a list of all system users. On execution of the command, the users on the system are listed in alphabetical order.

[root@centosLocal centos]# cut /etc/passwd -d":" -f1 | sort
abrt
adm
avahi
bin
centos
chrony
colord
daemon
dbus

It is easy to export this list into a text file using the following command.

[root@localhost /]# cut /etc/passwd -d ":" -f1 > system_users.txt
[root@localhost /]# cat ./system_users.txt | sort | wc -l
40
[root@localhost /]#

It is also possible to compare the user list with an export made at a later date.

[root@centosLocal centos]# cut /etc/passwd -d ":" -f1 > system_users002.txt && cat system_users002.txt | sort | wc -l
41
[root@centosLocal centos]# diff ./system_users.txt ./system_users002.txt
evilBackdoor
[root@centosLocal centos]#

A new user, “evilBackdoor”, has been added to the system. With this approach of small tools chained to accomplish bigger tasks, it is simpler to make a script performing these commands, then automatically email the results at regular intervals.
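The export-and-compare check above, as an added example (not from the tutorial) written as shell functions that can run from cron and report only when the user list changes. Both exports are sorted before comparison, so comm reports real additions and removals rather than lines that merely moved within /etc/passwd. The function names, file paths and the sample passwd lines in the demo function are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the tutorial): snapshot the login names from a
# passwd file and later report which names were added or removed. The
# passwd path is a parameter so the check can also run against a backup.

# list_users PASSWD_FILE
# Prints the login names in PASSWD_FILE, one per line, sorted.
list_users() {
    cut -d ':' -f 1 "$1" | sort
}

# snapshot_users PASSWD_FILE BASELINE_FILE
# Saves the sorted user list as the baseline to compare against later.
snapshot_users() {
    list_users "$1" > "$2"
}

# added_users BASELINE_FILE PASSWD_FILE
# Prints names present in PASSWD_FILE but not in the baseline (for
# example a newly created "evilBackdoor"); prints nothing when unchanged.
added_users() {
    list_users "$2" | comm -13 "$1" -
}

# removed_users BASELINE_FILE PASSWD_FILE
# Prints names present in the baseline but no longer in PASSWD_FILE.
removed_users() {
    list_users "$2" | comm -23 "$1" -
}

# report_user_changes BASELINE_FILE PASSWD_FILE
# Returns 0 when the lists match; otherwise prints a report and returns 1,
# which is the signal a cron wrapper uses to decide whether to send mail.
report_user_changes() {
    added=$(added_users "$1" "$2")
    removed=$(removed_users "$1" "$2")
    [ -z "$added" ] && [ -z "$removed" ] && return 0
    [ -n "$added" ]   && printf 'added users:\n%s\n' "$added"
    [ -n "$removed" ] && printf 'removed users:\n%s\n' "$removed"
    return 1
}

# demo_added_user
# Two constructed passwd snapshots (not from a real system) so the functions
# can be exercised without touching /etc/passwd; prints the added name.
demo_added_user() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n' > "$d/before"
    printf 'root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\nevilBackdoor:x:1001:1001::/home/evilBackdoor:/bin/bash\n' > "$d/after"
    snapshot_users "$d/before" "$d/baseline"
    added_users "$d/baseline" "$d/after"
    rm -rf "$d"
}

# Cron usage (constructed paths): mail root only when something changed.
# r=$(mktemp)
# report_user_changes /var/lib/user-baseline.txt /etc/passwd > "$r" \
#     || mail -s "user list changed on $(hostname)" root < "$r"
```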
Basic commands every Linux Administrator should be proficient in are:

- vim
- grep
- more and less
- tail
- head
- wc
- sort
- uniq
- tee
- cat
- cut
- sed
- tr
- paste

In the Linux world, Administrators use filtering commands every day to parse logs, filter command output, and perform actions with interactive shell scripts. As mentioned, the power of these commands comes in their ability to modify one another through a process called piping. The following command shows how many words begin with the letter a in the CentOS main user dictionary.

[root@centosLocal ~]# egrep '^a.*$' /usr/share/dict/words | wc -l
25192
[root@centosLocal ~]#