Saturday, 13 September 2014

UNIX Servers and Secure Access


Nobody has access until explicitly granted.

A UNIX firewall will be in place to limit traffic and to drop a possible mass attack.
Port monitoring and IP blocking tool will be installed for suspected mis-use.
All insecure or plain text tools are not available for use.
These include telnet, ftp, rsh, rexec etc.
The open ports on any server are locked down to a bare minimum.
22 - ssh for remote access and data transfer
25 - mail
143/587 - mail server
80 - standard web server
443 - secure web server
3306 - data base access with ssl/ssh
other ports only on demand.
Security on the open ports.
3306 - only open to other database and backup servers
443 - open to the world, but monitored
80 - open to the world, but monitored
25 - open only for outgoing mail as standard
        if incoming mail is required (Jira) open, but monitored
22 - open for approved staff and configured for certificate only (see below)
143/587 - open for registered mail users.
other ports will be added if opened.
Where possible, http will be redirected to https.
A virus filter to protect the Windows users will be in place for servers with mail and upload access.
Servers with VNC access requirements will have this accessible via localhost and SSH certificate only.
Root log-in is locked down and replaced with sudo access after SSH connection.
No user will have access to the ROOT password.
User access is granted via a 2048bit SSH key.
No password log-in is available.
After 3 failed SSH handshake attempts the account will be locked and the IP blocked with the tool see 3.
The public key has to be registered on the server before access can happen.
The user cannot change the access credential or the protected SSH certificate.
Every server access, successful or fail, will be logged in a audit file.
Every sudo command is audited.
Every web site access will be logged and presented in a daily report.
Server and data backup will be in place and stored in a secure location.  
on web facing servers the denyhosts tool is installed to block IP's after repeated failed attempts.


The default access permission to for servers is defined in the file:


/etc/hosts.deny

ALL:   ALL


Then put IP addresses with access permission in this file:


/etc/hosts.allow

# Office IP
ALL: nnn
#
# Remote server
ALL: nnn
#
# 24x7 support IPx
ALL: nnn


since all web servers for obvious reason are open access and therefore not adhering to the hosts.deny rules an iptables firewall need to be put in place.

UNIX Mail server


A no-frills Mail Server running on Cent-OS / Fedora

preliminaries


update your OS with
yum -y update
fix all errors, if any and in case of kernel updates you need to run
shutdown -r now ( or later if someone else is using the box )
erase to good `ol sendmail and if it is installed for some reason exim with
yum -y erase sendmail exim
install Postfix the Mail Transfer Agent, Dovecot the Mail Delivery Agent and Clamav the Virus checker to protect or Windows community. We start with these two
yum -y install postfix dovecot
Spam could be a worry if we open the mail delivery to the server to the world. Since we only accept mail from white-listed senders we don't need to worry.

configuration


configure Postfix
cd /etc/postfix
fix the aliases file
create a my_networks file
create a body_checks file
create a header_checks file
set-up the main.cf file
set-up the master.cf file
now check the configs with
postfix check
then, if everything is fixed run
service postfix start
configure dovecot
cd /etc/dovecot
change the settings in dovecot.conf
cd conf.d
adjust all required *.conf files to suit
start dovecot and check the mail logs
service dovecot start
next set-up mail users, in our case for gitlab, jira and confluence and a postmaster account
add the users, ideally with the same id(s) as on other servers
create passwords for the mail set-up within the application
create home directories and set-up the Maildir within.
test the mail delivery to the postmaster account
and next test the out-going mail too
now you are ready to add the mail box details to the application and ensure to fully test the configuration. Once fully tested and working you can forget the passwords as changing passwords is a manual process on server and application.
as everything is working with the basics we add the Virus checking and the SSL certificates.
First we install and configure the Virus checker tools with
yum -y install clamav clamav-data clamav-filesystem clamav-lib clamav-server clamav-update clamsmtp
The configuration is needed for regular updates and Postfix integration
set-up the clamd.server config
set-up the freshclam.conf file
set-up the camsmtp.conf file
add the filter to the postfix main.cf and master.cf
now get the first clam database with
/bin/freshclam --verbose
service clamd.server start
service clamsmtp start
postfix stop
postfix start
re-test mail sending and receiving via the virus checker and watch
tail -f /var/log/maillog
fix any errors
lastly we can add the optional SSL certificates for sending and downloading email in non-clear text.
create the certs and place the into /etc/postfix/ssl
then add the certs and smtpd setting into the mail.cf and the dovecot configs
then restart postfix and dovecot and re-test the mail send/receive
service dovecote restart
postfix stop
postfix start
tail -f /var/log/maillog
fix any errors
When the SSL certs are installed and show no errors, the application(s) need to be changed to pop3 over SSL and send with TLS/SSL. It should just work or else more fixing.
Lastly inform users where send mail to and how to use the mail functionality in the application.

MySQL - Master to Passive Master Replication


This replication is only working behind HAproxy!

The manual needs to be followed word by word...
as usual ... no warranties ...

Set-up:

on both server simultaneously

install MySQL directly from download.mysql.com
copy a my.conf from gitlab in place
create the following:
mkdir -p /data/mysql
mkdir -p /data/log
chmod 750 /data/mysql /data/log
chown -R mysql:mysql /data/mysql /data/log
mkdir -p /var/run/mysqld
chown mysql:mysql /var/run/mysqld
mkdir -p /var/log/mysqld
chown mysql:mysql /var/log/mysqld
ln -s  /var/run/mysqld/mysql.sock /var/lib/mysql/mysql.sock
run as root:   mysql_install_db
check this is empty:   /var/log/mysqld/mysql.err
run as root:   systemctl start mysqld
check the logs in  /var/log/mysqld  are identical
run as root:   mysql -p   (no password)
set-up the main database:   use mysql;
then run this script:
use mysql;
delete from user where user='';
delete from user where user='root' and host not in ('localhost');
update user set password=PASSWORD("xxx") where user='root';
drop database IF EXISTS test;
delete from db where db='test' or db='test\\_%';
create user 'addi'@'%' identified by 'xxx';
create user 'iang'@'%' identified by 'xxx';
create user 'nagios'@'%' identified by 'read_only';
grant ALL on *.* to 'addi'@'%';
grant ALL on *.* to 'iang'@'%';
grant SUPER on *.* to 'addi'@'%';
grant SUPER on *.* to 'iang'@'%';
grant GRANT OPTION on *.* to 'addi'@'%';
grant GRANT OPTION on *.* to 'iang'@'%';
grant SELECT on *.* to 'nagios'@'%';
grant PROCESS on *.* to 'nagios'@'%';
grant REPLICATION CLIENT on *.* to 'nagios'@'%';
GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'replicator'@'%' IDENTIFIED BY 'xxx';
flush privileges;
select user,host,password from user;

now to the wicket-tricky stuff
replication set-up
check that this is identical on both servers:  
show variables where Variable_Name IN ("server_id", "log_bin", "relay_log", "log_slave_updates");
show master status;
log in from A to B:   mysql -h db-02 -u replicator -p****
log in from B to A:   mysql -h db-01 -u replicator -p****
fix it or restart if something does not work !!!

add the replication details:
CHANGE MASTER TO MASTER_HOST='<the other server>',
-> MASTER_USER='replicator',
-> MASTER_PASSWORD='***',
-> MASTER_LOG_FILE='mysql-bin.<file from master status>',
-> MASTER_LOG_POS=<pos from master status>;
on second server first:
SLAVE START;
SHOW SLAVE STATUS\G
ensure NO errors !!!

on first server:
SLAVE START;
SHOW SLAVE STATUS\G
ensure NO errors !!!



Checking the Replication.

from the first server:
create this:
create database important;
use important;
create table stuff(
id int(16) auto_increment,
details varchar(200),
PRIMARY KEY (id));
now do this:   INSERT INTO important.stuff SET details='Gift from A to B';

on the second server:
check this:
select * from important.stuff\G
you see:   'Gift from A to B

now do this on the second server:
INSERT INTO important.stuff SET details='Gift from B to A';

back on the first server:
check this:
select * from important.stuff\G
you see the 2nd record:   'Gift from B to A


The Replication is working successfully if you haven't seen any errors  !!!


enjoy life !!!
Addi

MySQL - Master to Passive Master Replication and fail-over


with the help of HAproxy.


The manual needs to be followed word by word...
as usual ... no warranties ...

Set-up

this set-up is for 2 haproxy servers with a VIP and keepalived running
Check that the Master and the Passive Master Databases are Healthy
Insert another row into the IMPORTANT database:
alter table stuff add happened TIMESTAMP AFTER details;
insert into important.stuff set details = 'Replicating Primary to Secondary';
check here:   select * from important.stuff order by id desc limit 1;

go to the second server and log into mysll
check here:   select * from important.stuff order by id desc limit 1;

Result :  identical !!!

Check the second server now:
insert into important.stuff set details = 'Replicating Secondary to Primary';
do the same checks on both servers.
you should see the identical results.

Now it is time to create the Application user(s) and database(s); well and some very-very-very-long-secure-password(s) ...
on server 1 ( replication is taking care of the rest )
use mysql;
create database <name1>
create database <name2>
GRANT ALL on <name1>.* TO '<name1>'@'%' IDENTIFIED BY PASSWORD '<name1>_pass';
GRANT ALL on <name2>.* TO '<name2>'@'%' IDENTIFIED BY PASSWORD '<name2>_pass';
GRANT ALL on important.* TO 'haproxy'@'%';  ( no password for haproxy checks )
check with:
show databases;
select user, host, password from user;
check that all is fine
from the proxy servers all accounts need testing
log on to each proxy cluster member and every account on every database server:
mysql <database> -h <db-server> -u <user-name> -p<password>
ensure every log-in is working before continuing

Configure HAproxy for the first time.
Create a basic haproxy config on all haproxy servers for the first tests. Use this example basic_haproxy.cfg
replace the default config /etc/haproxy/haproxy.cfg with the example (amend server names)
start the service on all servers:  service haproxy restart
now check the access from every proxy server several times:
mysql  -h localhost  -u haproxy -e'show variables like "server_id";'
you will see round robin database responses, then all is fine.
now check the output of:
echo "show stat" | socat stdio /var/lib/haproxy/stats
you should see the status print; if not fix it !!!
next go to one or more servers that will need connection to the database
check for several times via the VIP and via the individual proxy servers:
mysql  -h <proxy-vip>  -u haproxy -e'show variables like "server_id";'
you will see round robin database responses, then all is fine; if not fix it !!!  ( iptables, firewall et al )

Set up a Health Check
add details to the haproxy.cfg:
add this line above the server Primary line:  option mysql-check user haproxy
add after each port number (3306) the word:  check
restart the service: service haproxy restart
check the difference in the output of
echo "show stat" | socat stdio /var/lib/haproxy/stats
you should see the status print with mysql status checks and mysql version; if not fix it !!!
from now on we use the filtered status check:
echo "show stat" | socat stdio /var/lib/haproxy/stats | cut -d, -f1,2,18,20,21
run it and see the output.

Configure HAProxy to be Active-Passive
all we need to do is to add the following:
add to the server Secondary <server-name>:3306 check, the word  "backup"  at the end
restart the service: service haproxy restart
all connection will go to the primary server
run the status check
echo "show stat" | socat stdio /var/lib/haproxy/stats | cut -d, -f1,2,18,20,21
explanation: MySQL,Primary is active (1,0) and MySQL,Secondary is backup (0,1)

Job done - Active Passive is now running


Test Fail-over by taking the Primary Down
log-on to the primary server and run:
service mysqld stop
back on any of the proxy servers run:
echo "show stat" | socat stdio /var/lib/haproxy/stats | cut -d, -f1,2,18,20,21
and see MySQL,Primary,DOWN,1,0
check the MySQL connection, all goes to the Secondary, after a short delay.

Job done - Fail-over to Secondary is working


Enabling the Maintenance Mode
This needs a small addendum to all Proxy server configs:
add to the end of stats socket line:  level admin
restart the service on all servers:  service haproxy restart
To enable the maintenance mode a message needs to be sent to the stats socket:
echo "disable server MySQL/Primary" | socat stdio /var/lib/haproxy/stats
run: echo "show stat" | socat stdio /var/lib/haproxy/stats | cut -d, -f1,2,18,20,21
and it shows:  MySQL,Primary,MAINT,1,0
all traffic is routed to the secondary without any health check traffic

Now stop both slaves, Primary first, then Secondary.
take a  FULL BACK-UP !!!
then do Maintenance, Updates, Changes etc.

Once finished start the slave on the Primary to get the data changes from the slave.
Activate the Primary Database as required with:
echo "enable server MySQL/Primary" | socat stdio /var/lib/haproxy/stats
run: echo "show stat" | socat stdio /var/lib/haproxy/stats | cut -d, -f1,2,18,20,21
and it shows:  MySQL,Primary,UP,1,0
all traffic is routed to the primary, again with health check traffic
Lastly start the slave on the secondary to apply the changes.

Job done - Maintenance mode is available



Quote:
Don't take the author's word for anything; prove it to yourself.
Do the exercises and invent your own.
—James Hague

NSCA  -  Nagios push service


The home page of NSCA is here

Compile from source.
current version
untar, configure and make all
nsca is the server
send_nsca is the client
nsca.cfg is the config file for both server and client

Install the server:
copy nsca from compile directory to /usr/bin/
install yum install xinetd
enable and start the xinetd service
in the syslog you should see: xinetd[...] Started working: 0 available services
add this to the /etc/services
nsca            5667/tcp    # NSCA

add the xinetd configuration file:
/etc/xinetd.d/nsca-server
#
# description: NSCA server
#
service nsca
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = nagios
group = nagios
server = /usr/bin/nsca
server_args = -c /etc/nagios/nsca.cgf --inetd
log_on_failure += USERID
#only_from = <ipaddress1> <ipaddress2> ...   <<<---  white listing !!!
}
chmod 600 /etc/xinetd.d/nsca-server

create the nsca configuration file:
log_facility=daemon
pid_file=/var/run/nsca.pid
server_port=5667
server_address=188.40.84.214
nsca_user=nagios
nsca_group=nagios
debug=1
command_file=/var/spool/nagios/cmd/nagios.cmd
alternate_dump_file=/var/spool/nagios/cmd/nsca.dump
aggregate_writes=0
append_to_file=0
max_packet_age=30
password=BLA BLA BLA
decryption_method=3
chown nagios:nagios /etc/nagios/nsca.cfg

restart the service
in the syslog you should see: xinetd[...] Started working: 1 available services

The NSCA server is ready to accept push notifications from the client.
Next configure a Nagios Server config and install the NSCA client.

Monday, 24 March 2014

Install Confluence on CentOS 6.5 and/or Fedora 19

This should help to install Confluence (Wiki) with some useful customisation.
The installation documentation will work for either CentOS 6.5 or Fedora 19 with MySQL/MariaDB 5..5.35+.
Some of the steps are duplicated if JIRA is already installed on the server.

  1. download the latest version of Confluence from Atlassian
     
  2. install and configure an up-to-date version of Java.
    i.e. java -version   --->>  java version "1.7.0_51"
  3. download the Java Connector version > 5.1.28 from Oracle (see git install)
     
  4. GOTCHA !!!   remove all previous Confluence accounts, groups and installations unless you want to upgrade !!!
     
  5. copy both to the destination machine
    change permissions to 755 on confluence binary package
     
  6. install the Java Connector into the /usr/share/java/
    and replace old links of mysql-connector-java.jar (see git install)
     
  7. prepare the database (local or different db server)
    CREATE USER 'wiki'@'localhost(remote host)' IDENTIFIED BY 'supersecret';
    CREATE DATABASE IF NOT EXISTS `wiki_db` DEFAULT CHARACTER SET `utf8` COLLATE `utf8_unicode_ci`;
    GRANT SELECT, LOCK TABLES, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON `wiki_db`.* TO 'wiki'@'localhost (or other hostname)';
     
  8. prepare a data directory/file-system i.e. on a storage device for easier back-up.
    i.e. /data/wiki
     
  9. prepare a directory for central logging /var/log/wiki
     
  10. decide which tomcat ports you want to use; this is not needed when you run Confluence on its own server.
     
  11. next still as superuser, execute the confluence binary
     
  12. GOTCHA !!!   before starting Confluence or logging onto the gui for the remaining configuration, you have to copy the java-connector
    GOTCHA !!!   it has to be a "copy" linking does not work with Confluence
    cd /opt/atlassian/confluence/lib  (the default installation)
    cp -p /usr/share/java/mysql-connector-java-5.1.28/mysql-connector-java-5.1.28-bin.jar mysql-connector-java.jar
    Without this copy or link you will not see the database.
     
  13. Questions / Prompts during install:
    1. This will install Confluence 5.4 on your computer   --->  press Enter
    2. Choose the appropriate installation or upgrade option   --->    2 + Enter
    3. Where should Confluence 5.4 be installed?   --->  press Enter
    4. Default location for Wiki data (see item 6.)   --->  /data/wiki  + Enter
    5. Configure which ports Confluence will use (see item 8)   --->  select option and Enter
    6. Install Confluence as Service? (silly question)   --->  press Enter
    7. Finishing installation ...
       
  14. Now is the time for item 10. !!!
     
  15. Enter the database connection details into the file: /data/wiki/confluence.cfg.xml
     
  16. Also do Item 7.now.
    1. mv /data/wiki/logs/atlassian-confluence.log  /var/log/wiki/
    2. rmdir /data/wiki/logs
    3. ln -s /var/log/wiki /data/wiki/logs
    4. cd /opt/atlassian/confluence
    5. mv logs/* /var/log/wiki/
    6. rmdir logs
    7. ln -s /var/log/wiki logs
       
  17. Restart JIRA and log-in to the gui to configure the admin user and the database.
     
  18. lastly configure Apache or nginx as the gateway.

Thursday, 20 March 2014

Install Jira on CentOS 6.5 and/or Fedora 19

This should help to install JIRA with some useful customisation.
The installation documentation will work for either CentOS 6.5 or Fedora 19 with MySQL/MariaDB 5..5.35+.

Some of the steps are duplicated if Confluence is already installed on the server.

  1. download the latest version of JIRA from Atlassian
     
  2. install and configure an up-to-date version of Java.
    i.e. java -version   --->>  java version "1.7.0_51"
  3. download the Java Connector version > 5.1.28 from Oracle (see git install)
     
  4. GOTCHA !!!   remove all previous JIRA accounts, groups and installations unless you want to upgrade !!!
     
  5. copy both to the destination machine
    change permissions to 755 on JIRA
     
  6. install the Java Connector into the /usr/share/java/
    and replace old links of mysql-connector-java.jar (see git install)
     
  7. prepare the database (local or different db server)
    CREATE USER 'jira'@'localhost(remote host)' IDENTIFIED BY 'supersecret';CREATE DATABASE IF NOT EXISTS `jira_db` DEFAULT CHARACTER SET `utf8` COLLATE `utf8_unicode_ci`;
    GRANT SELECT, LOCK TABLES, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON `jira_db`.* TO 'jira'@'localhost (or other hostname)';
     
  8. prepare a data directory/file-system i.e. on a storage device for easier back-up.
    i.e. /data/jira
     
  9. prepare a directory for central logging /var/log/jira
     
  10. decide which tomcat ports you want to use; this is not needed when you run JIRA on its own server.
     
  11. next still as superuser, execute the JIRA binary
     
  12. GOTCHA !!!   before starting JIRA or logging onto the gui for the remaining configuration, you have to create a link (or copy) the java-connector
    cd /opt/atlassian/jira/lib  (the default installation)
    ln -s /usr/share/java/mysql-connector-java-5.1.28/mysql-connector-java-5.1.28-bin.jar mysql-connector-java.jar
    Without this copy or link you will not see the database.
     
  13. Questions / Prompts during install:
    1. This will install JIRA 6.2 on your computer   --->  press Enter
    2. Choose the appropriate installation or upgrade option   --->    2 + Enter
    3. Where should JIRA 6.2 be installed?   --->  press Enter
    4. Default location for JIRA data (see item 6.)   --->  /data/jira  + Enter
    5. Configure which ports JIRA will use (see item 8)   --->  select option and Enter
    6. Install JIRA as Service? (silly question)   --->  press Enter
    7. Finishing installation ...
       
  14. Now is the time for item 10. !!!
  15. Enter the database connection details into the file: /data/jira/dbconfig.xml
  16. Also do Item 7.now.
    1. mv /data/jira/log/atlassian-jira.log  /var/log/jira/
    2. rmdir /data/jira/log
    3. ln -s /var/log/jira /data/jira/log
    4. cd /opt/atlassian/jira
    5. mv logs/* /var/log/jira/
    6. rmdir logs
    7. ln -s /var/log/jira logs
       
  17. Restart JIRA and log-in to the gui to configure the admin user and the database.
     
  18. lastly configure Apache or nginx as the gateway.

Install gitlab on CentOS 6.5 / Fedora 19

*** Unfinished / Draft ***


Frustrated by incomplete documentation, wrong tips and hints on multiple boards or blogs and endless trial and errors initiated this page.


I hope this saves some peeps from this Bash Head

Here it goes... ensure you test your steps.
Hint: The font courier and the bold typeface are commands you should run or check ...
Red Highlights: this can be an error and might cause things to break - watch out ...



  1. ensure your OS CentOS or Fedora is up to date.
    I am using CentOS 6.5 and Fedora 19 with MariaDB/MySQL.

  2. run  yum update  and fix all issues, restart the server if a new Kernel has been installed.check the latest kernel is running with ls /boot | grep vmlinuz and uname -r my two examples are:

    CentOS:

    addis [~] > ls /boot | grep vmlinuz
    vmlinuz-2.6.32-431.3.1.el6.centos.plus.x86_64
    vmlinuz-2.6.32-431.el6.x86_64
    addis [~] > uname -r
    2.6.32-431.3.1.el6.centos.plus.x86_64

    Fedora:
    addi
    s [~] > ls /boot | grep vmlinuz
    vmlinuz-0-rescue-addc535f9a442c42bcb0afb2490b80cf
    vmlinuz-3.11.10-100.fc18.x86_64
    vmlinuz-3.12.7-200.fc19.x86_64
    vmlinuz-3.12.8-200.fc19.x86_64
    addis [~] > uname -r
    3.12.7-200.fc19.x86_64

    Gotcha: not the last Kernel is running on Fedora --->>  reboot and fix it !!!
  3. now we need to add another Repository to the already available yum repos
    yum -y install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

    your repository listing should look like this:yum repolist
    repo id                       repo name                                          status
    base                          CentOS-6 - Base                                     6,367
    centosplus                    CentOS-6 - Plus                                        24
    contrib                       CentOS-6 - Contrib                                      0
    epel                          Extra Packages for Enterprise Linux 6 - x86_64     10,397
    extras                        CentOS-6 - Extras                                      14
    mariadb                       MariaDB                                                 9
    rpmforge                      RHEL   6 - RPMforge.net - dag                       4,650updates                       CentOS-6 - Updates                                    399repolist: 21,860

    and:

    repo id                       repo name                                          status
    fedora/19/x86_64              Fedora 19 - x86_64                                 36,253updates/19/x86_64             Fedora 19 - x86_64 - Updates                       17,384updates-testing/19/x86_64     Fedora 19 - x86_64 - Test Updates                   6,420repolist: 60,057
  4. next add some packages required for the gitlab install and configure.
    yum -y install vim-enhanced vim-minimal vim-commonyum -y groupinstall "Development Tools"yum --enablerepo=epel -y install libyaml libyaml-devel readline-devel ncurses-devel gdbm-devel tcl-devel openssl-devel db4-devel libffi-devel wgetyum -y install mysql-connector-odbc mysql-connector-javayum -y install python python-docutils git-coreyum -y install MariaDB-shared MariaDB-server MariaDB-devel MariaDB-compat MariaDB-client
  5. now Versions nee to be checked:
    git --version
    Gotcha: need to be 1.7.12 or 1.8.4 or newer.
    ll /usr/share/java/mysql-connector-java.jar
    Gotcha: need to be 5.1.28 or newer.
    rpm -q  MariaDB-server
    Gotcha: need to be 5.5.30 or newer
    ruby --version
    Gotcha: need to be 2.0 or newer.
  6. first fixes:
    there are some strange fixes, well actually these are hacks!
    but we have to ensure all works without breaking any dependencies ...Being confused

    1. git is too old...  lets fix it - remove the wrong version and install the correct one!
        Gotcha: do not use yum erase here !!!
        rm -rf /usr/bin/git* /usr/libexec/git*
        mkdir ~/src; cd ~/src
        curl --progress https://git-core.googlecode.com/files/git-1.8.5.2.tar.gz | tar xz
        cd git-1.8.5.2/
        make prefix=/usr all
        sudo make prefix=/usr install
        This installed git where we deleted it - smart!!!

    2. java-connector too old - get the newer connector
        cd /tmp
        wget http://ftp.jaist.ac.jp/pub/mysql/Downloads/Connector-J/mysql-connector-java-5.1.28.tar.gz
        cd /usr/share/java
        rm /usr/share/java/mysql-connector-java.jar
        tar xfz /tmp/mysql-connector-java-5.1.28.tar.gz
        ln -s mysql-connector-java-5.1.28/mysql-connector-java-5.1.28-bin.jar mysql-connector-java.jar

    3. MySQL / MariaDB too old
        get the latest yum updates from epel or tes/ting.

    4. update ruby
        mkdir -p rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
        wget http://cache.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p353.tar.gz -P rpmbuild/SOURCES
        wget https://raw.github.com/hansode/ruby-2.0.0-r      pm/master/ruby200.spec -P rpmbuild/SPECS
    rpmbuild -bb rpmbuild/SPECS/ruby200.spec
    rpm -Uvh rpmbuild/RPMS/x86_64/ruby-2.0.0p353-2.el6.x86_64.rpm
    ruby -v
    gem -v
  7. Create the git user:
    adduser --system --shell /sbin/nologin --comment 'GitLab' --create-home --home-dir /var/lib/git git
  8. Install GitLab-Shell.
    cd /var/lib/git
    sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-shell.git -b v1.8.0
    cd gitlab-shell
    sudo -u git -H cp config.yml.example config.yml
    edit the config.yml and replace domain with a proper domain
    sudo -u git -H /usr/local/bin/ruby ./bin/install
  9. Create the database.
    log into MySQL (on localhost or on db-server)
    CREATE USER 'git'@'localhost(remote host)' IDENTIFIED BY 'supersecret';
    CREATE DATABASE IF NOT EXISTS `gitlab_db` DEFAULT CHARACTER SET `utf8` COLLATE `utf8_unicode_ci`;
    GRANT SELECT, LOCK TABLES, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON `gitlab_db`.* TO 'git'@'localhost (or other hostname)';

    Test the MySQL connection.
  10. Install GitLab
    cd /var/lib/gitsudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-ce.git -b 6-6-stable gitlab
    sudo -u git -H cp config/gitlab.yml.example config/gitlab.yml
    edit config/gitlab.yml and configure the
        domain properly
        data path to where you want the repositories to live (i.e.  /data/repos)

    sudo chown -R git log/
    sudo chown -R git tmp/
    sudo chmod -R u+rwX  log/
    sudo chmod -R u+rwX  tmp/
    sudo -u git -H mkdir /home/git/gitlab-satellites
    sudo -u git -H mkdir tmp/pids/
    sudo -u git -H mkdir tmp/sockets/
    sudo chmod -R u+rwX  tmp/pids/
    sudo chmod -R u+rwX  tmp/sockets/
    sudo -u git -H mkdir public/uploads
    sudo chmod -R u+rwX  public/uploads

    sudo -u git -H cp config/unicorn.rb.example config/unicorn.rb
    edit config/unicorn.rb to amend the server/memory settings if required.

    sudo -u git -H cp config/initializers/rack_attack.rb.example config/initializers/rack_attack.rb

    sudo -u git -H git config --global user.name "GitLab"
    sudo -u git -H git config --global user.email "gitlab@localhost" (set to admin email)
    sudo -u git -H git config --global core.autocrlf input
  11. now add the database to gitlab
    sudo -u git -H cp config/database.yml.mysql  
    config/database.yml
    edit the 
    config/database.yml file with the connection details

    install the gems for MySQL
    sudo -u git -H /usr/local/bin/bundle install --deployment --without development test postgres aws

    populate the database
    sudo -u git -H bundle exec rake gitlab:setup RAILS_ENV=production
    enter "Yes" when prompted.
  12. configure the init script and enable Git.
    wget -O /etc/init.d/gitlab https://gitlab.com/gitlab-org/gitlabrecipes/raw/master/init/sysvinit/centos/gitlab-unicorn
    chmod +x /etc/init.d/gitlab
    chkconfig --add gitlabchkconfig gitlab on
  13. check - start - set-up assets
    sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production
    service gitlab start
    sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production
  14. add apache or nginx 

Wednesday, 12 February 2014

A no-frills Mail Server running on Cent-OS / Fedora




  • preliminaries


  1. update your OS with
    yum -y update
  2. fix all errors, if any and in case of kernel updates you need to run
    shutdown -r now ( or later if someone else is using the box )
  3. erase to good `ol sendmail and if it is installed for some reason exim with
    yum -y erase sendmail exim
  4. install Postfix the Mail Transfer Agent, Dovecot the Mail Delivery Agent and Clamav the Virus checker to protect or Windows community. We start with these two 
    yum -y install postfix dovecot
  5. Spam could be a worry if we open the mail delivery to the server to the world. Since we only accept mail from white-listed senders we don't need to worry.

  • configuration

  1. configure Postfix
    cd /etc/postfix
    fix the aliases file
    create a my_networks file
    create a body_checks file
    create a header_checks file
    set-up the main.cf file
    set-up the master.cf file
    now check the configs with
    postfix check
    then, if everything is fixed run
    service postfix start
  2. configure dovecot
    cd /etc/dovecot
    change the settings in dovecot.conf
    cd conf.d
    adjust all required *.conf files to suit
    start dovecot and check the mail logs
    service dovecot start
  3. next set-up mail users, in our case for gitlab, jira and confluence and a postmaster account
    add the users, ideally with the same id(s) as on other servers
    create passwords for the mail set-up within the application
    create home directories and set-up the Maildir within.
  4. test the mail delivery to the postmaster account
    and next test the out-going mail too
  5. now you are ready to add the mail box details to the application and ensure to fully test the configuration. Once fully tested and working you can forget the passwords as changing passwords is a manual process on server and application.
  6. as everything is working with the basics we add the Virus checking and the SSL certificates.
  7. First we install and configure the Virus checker tools with
    yum -y install clamav clamav-data clamav-filesystem clamav-lib clamav-server clamav-update clamsmtp
  8. The configuration is needed for regular updates and Postfix integration
    set-up the clamd.server config
    set-up the freshclam.conf file
    set-up the camsmtp.conf file
    add the filter to the postfix main.cf and master.cf
    now get the first clam database with
    /bin/freshclam --verbose
    service clamd.server start
    service clamsmtp start
    postfix stop
    postfix start
  9. re-test mail sending and receiving via the virus checker and watch
    tail -f /var/log/maillog
    fix any errors
  10. lastly we can add the optional SSL certificates for sending and downloading email in non-clear text.
    create the certs and place the into
    /etc/postfix/ssl
    then add the certs and smtpd setting into the mail.cf and the dovecot configs
    then restart postfix and dovecot and re-test the mail send/receive
    service dovecote restart
    postfix stop
    postfix start
    tail -f /var/log/maillog

    fix any errors
  11. When the SSL certs are installed and show no errors, the application(s) need to be changed to pop3 over SSL and send with TLS/SSL. It should just work or else more fixing.
  12. Lastly inform users where send mail to and how to use the mail functionality in the application.

Tuesday, 4 February 2014

UNIX Servers and Secure Access



  1. Nobody has access until explicitly granted.
  2. A UNIX firewall will be in place to limit traffic and to drop a possible mass attack.
  3. Port monitoring and IP blocking tool will be installed for suspected mis-use.
  4. All insecure or plain text tools are not available for use.
    These include telnet, ftp, rsh, rexec etc.
  5. The open ports on any server are locked down to a bare minimum.
    22 - ssh for remote access and data transfer
    25 - mail server
    80 - standard web server
    443 - secure web server
    3306 - data base access with ssl/ssh
    other ports only on demand.
  6. Security on the open ports.
    3306 - only open to other database and backup servers
    443 - open to the world, but monitored
    80 - open to the world, but monitored
    25 - open only for outgoing mail as standard
            if incoming mail is required (Jira) open, but monitored
    22 - open for approved staff and configured for certificate only (see below)
    other ports will be added if opened.
  7. Where possible, http will be redirected to https.
  8. A virus filter to protect the Windows users will be in place for servers with mail and upload access.
  9. Servers with VNC access requirements will have this accessible via localhost and SSH certificate only.
  10. Root log-in is locked down and replaced with sudo access after SSH connection.
    No user will have access to the ROOT password.

  11. User access is granted via a 2048bit SSH key.
    No password log-in is available.
    After 3 failed SSH handshake attempts the account will be locked and the IP blocked with the tool see 3.
    The public key has to be registered on the server before access can happen.
    The user cannot change the access credential or the protected SSH certificate.
  12. Every server access, successful or fail, will be logged in a audit file.
    Every sudo command is audited.
  13. Every web site access will be logged and presented in a daily report.
  14. Server and data backup will be in place and stored in a secure location.