Category Archives: DevOps

DevOps

Generating password hashes with puppet

Puppet expects the user's password to be supplied already encrypted, in the format the local system expects. For most modern Unix-like systems (Linux, *BSD, Solaris, etc.) this format is a salted SHA1 password hash.

To generate a password hash to use with puppet manifest files you can use the mkpasswd utility (it’s available in the whois package):

$ mkpasswd -m sha-512
Password:
$6$qfPDlAej83p$cj2nc1NjbKjhL42Mo/3Uia4NqD4dIB3ouVeI/tSG92UqH5cMKOA/ihjmxAuRtKHzGED0EHmdM0iNxa/662NW//

You can then use the password hash in a puppet manifest file:

user { 'root':
    ensure   => 'present',
    password => '$6$qfPDlAej83p$cj2nc1NjbKjhL42Mo/3Uia4NqD4dIB3ouVeI/tSG92UqH5cMKOA/ihjmxAuRtKHzGED0EHmdM0iNxa/662NW//',
}

Don't forget to put the password hash in single quotes, so that Puppet does not interpret it as a variable reference when it contains a dollar sign ($).

If you want the passwords to be stored in plain text in the Puppet manifest, you can use Puppet's generate function to call mkpasswd and return the hashed version of the password:

$password = 'your_plain_text_password'
user { 'root':
    ensure   => 'present',
    # mkpasswd receives the plaintext on its command line, so it is visible in the process list while it runs
    password => generate('/bin/sh', '-c', "mkpasswd -m sha-512 ${password} | tr -d '\n'"),
}

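As an added example (not code from the original post): a Ruby script that produces the same kind of $6$ hash that `mkpasswd -m sha-512` emits, by calling the system crypt(3) through Ruby's String#crypt with a freshly generated random salt, verifies a candidate password against such a hash, and renders the single-quoted Puppet resource. It assumes a libc with SHA-512 crypt support (glibc or musl); all function names are my own.

```ruby
require "securerandom"

# Characters crypt(3) accepts in a salt: "./0-9A-Za-z".
SALT_CHARS = ("./" + [*"0".."9", *"A".."Z", *"a".."z"].join).chars.freeze

# Build a random 16-character salt for the $6$ (SHA-512 crypt) scheme.
def sha512_salt(length = 16)
  Array.new(length) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
end

# Hash a plaintext password the way `mkpasswd -m sha-512` does, by calling the
# system crypt(3) through String#crypt. Raises if this libc has no $6$ support.
def sha512_crypt(password, salt = sha512_salt)
  setting = "$6$#{salt}$"
  hash = password.crypt(setting)
  raise "libc crypt(3) does not support SHA-512 crypt" unless hash.start_with?(setting)
  hash
end

# Verify a candidate against an existing shadow-style hash: re-hash with the
# setting embedded in the hash (everything up to its last '$') and compare.
def password_matches?(password, hash)
  setting = hash[0..hash.rindex("$")]
  candidate = password.crypt(setting)
  return false unless candidate.bytesize == hash.bytesize
  # XOR every byte so the comparison does not stop at the first mismatch.
  candidate.bytes.zip(hash.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Render the Puppet resource. The hash is single-quoted so Puppet leaves the
# '$' characters alone instead of treating them as variable references.
def puppet_user_resource(name, hash)
  <<~PUPPET
    user { '#{name}':
        ensure   => 'present',
        password => '#{hash}',
    }
  PUPPET
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample password for the demo, not a real credential.
  puts puppet_user_resource("root", sha512_crypt("example-only-password"))
end
```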
References:

Manage the Root User Password on Linux

# https://gist.github.com/jeffmccune/2360984
# = Class: site::root_user
#
# This is a simple class to manage the root user password.
# The shadow hash of an existing password can be easily obtained
# by running `puppet resource user root` on a Linux system
# that has the desired root password already set.
# Puppet will then manage this password everywhere.
#
# First, I set the password to "puppet" on one Linux node and then get back the
# shadow hash.
#
# root@pe-centos6:~# passwd root
# Changing password for user root.
# New password:
# BAD PASSWORD: it does not contain enough DIFFERENT characters
# BAD PASSWORD: is too simple
# Retype new password:
# passwd: all authentication tokens updated successfully.
# root@pe-centos6:~# puppet resource user root
# user { 'root':
#   ensure           => 'present',
#   comment          => 'root',
#   gid              => '0',
#   groups           => ['root', 'bin', 'daemon', 'sys', 'adm', 'disk', 'wheel'],
#   home             => '/root',
#   password         => '$6$7pe0INu/$Uxsn.lb/mJjd9394DIJx5JS9a1NVhrpWDpXRtPGS78/BfyShhOf1G0ft7mRHspXDZo6.ezyqpqIXHQ8Tl8ZJt0',
#   password_max_age => '99999',
#   password_min_age => '0',
#   shell            => '/bin/bash',
#   uid              => '0',
# }
#
# = Sample Usage
#
# include site::root_user
#
# (MARKUP: http://links.puppetlabs.com/puppet_manifest_documentation)
class site::root_user {
  # This will enforce the root password of "puppet"
  user { 'root':
    ensure   => 'present',
    password => '$6$7pe0INu/$Uxsn.lb/mJjd9394DIJx5JS9a1NVhrpWDpXRtPGS78/BfyShhOf1G0ft7mRHspXDZo6.ezyqpqIXHQ8Tl8ZJt0',
  }
}

Apache Web Server Hardening & Security Guide

A practical guide to secure and harden Apache Web Server.

1. Introduction

The web server is a crucial part of web-based applications. Apache Web Server is often placed at the edge of the network, so it becomes one of the most exposed services to attack. A default configuration reveals a lot of sensitive information that may help an attacker prepare an attack on the web server.

The majority of web application attacks are XSS, information leakage, session management and PHP injection attacks, which are due to weak programming code and failure to sanitize the web application infrastructure. According to the security vendor Cenzic, 96% of tested applications have vulnerabilities. The chart below, from Cenzic, shows the vulnerability trend report of 2013.

This practical guide provides you with the necessary skill set to secure Apache Web Server. In this course, we will talk about how to harden and secure Apache Web Server on the Unix platform. The following has been tested on Apache 2.4.x and I don't see any reason it won't work with Apache 2.2.x.

  1. This assumes you have installed Apache on a UNIX platform. If not, you can go through the installation guide. You can also refer to a free video about how to install Apache, MySQL & PHP.
  2. We will refer to the Apache installation directory /opt/apache as $Web_Server throughout this course.
  3. You are advised to take a backup of the existing configuration file before any modification.


Segfault in libnss when using libcurl from php

$ tools/php-5.2.17/bin/php test1.php
* About to connect() to www.google.com port 443 (#0)
* Trying 74.125.192.103... * connected
* Connected to www.google.com (74.125.192.103) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
Segmentation fault (core dumped)

When the URL in the script is changed to use HTTP instead of HTTPS, there is no segfault.

Steps to reproduce: run the script below.
$ cat test1.php
<?php
$urlEndPoint = "https://www.google.com/search";
$headerArray = array();
$ch = curl_init();
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_URL, $urlEndPoint);
/* curl_setopt($ch, CURLOPT_HTTPHEADER, $headerArray);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postArray); */

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
// The reproducer turns certificate verification off; the crash is reached before any verification happens
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)');
curl_setopt($ch, CURLOPT_VERBOSE, true);

if (!$result = curl_exec($ch)) {
    print(curl_error($ch));
}

curl_close($ch);

echo print_r($result, true);
?>

Kernel log:

tail -f /var/log/messages
kernel: php[26564]: segfault at 8048 ip 00007f7a72fede9c sp 00007fffec90edf0 error 4 in libsqlite3.so.0.8.6[7f7a72fd1000+8c000]

gdb output:

Program received signal SIGSEGV, Segmentation fault.
0x00007fffe9651e9c in sqlite3_file_control () from /usr/lib64/libsqlite3.so.0

The CentOS bug tracker has an entry describing this bug:

https://bugs.centos.org/view.php?id=7399

https://www.mankier.com/5/cert9.db

Quick fix (move the NSS certificate database aside and reinstall nss so that a fresh one is created):

mv /etc/pki/nssdb /etc/pki/nssdb.bak
yum -y reinstall nss

BlueKing Configuration Platform (bk-cmdb) installation steps

https://github.com/tencent/bk-cmdb

This document assumes the user's server runs Linux; the whole installation process also applies to other systems.

Server configuration

  • Running PHP under nginx + php-fpm is recommended
  • PHP version no lower than 5.6.9, nginx version no lower than 1.8.0
  • nginx build options: pcre must be compiled in
  • PHP build options: ./configure --prefix= --enable-fpm, plus the mysql, curl, pcntl, mbregex, mhash, zip, mbstring and openssl extensions


Grafana

Grafana is most commonly used for visualizing time series data for Internet infrastructure and application analytics but many use it in other domains including industrial sensors, home automation, weather, and process control.

Grafana features pluggable panels and data sources, allowing easy extensibility, and a variety of panels, including fully featured graph panels with rich visualization options. There is built-in support for many of the most popular time series data sources.

How to install mod_ruby and eruby on Linux server

mod_ruby embeds the Ruby interpreter into the Apache web server, allowing Ruby CGI scripts to be executed natively. These scripts will start up much faster than without mod_ruby.

1. Install eRuby & mod_ruby

1) Install eRuby:

# wget http://www.modruby.net/archive/eruby-1.0.5.tar.gz
# tar -xzvf eruby-1.0.5.tar.gz
# cd eruby-1.0.5/
# ./configure.rb --with-charset=euc-jp --enable-shared
# make; make install

2) Install mod_ruby

i) Download the latest mod_ruby tar file:
# wget http://www.modruby.net/archive/mod_ruby-1.2.6.tar.gz
# tar -xzvf mod_ruby-1.2.6.tar.gz
# cd mod_ruby-1.2.6/
# ./configure.rb --enable-eruby --with-apxs=/usr/local/apache/bin/apxs
# make; make install


ext4 file systems and the 16 TB limit – how to *solve* it

File systems do have limits. That's no surprise. ext3 had a limit of 16 TB on file system size. If you needed more space you'd have to use another file system, for instance XFS or JFS, or split the capacity into multiple mount points.

ext4 was designed to allow far larger file systems than ext3. According to Wikipedia, ext4 has a maximum file system size of 1 EiB (approx. one exabyte, or 1024 PB, or 1024*1024 TB).

Now, if you try to create one single large file system with ext4 on any Linux distribution out there (including OEL 6.1, as of 18th August 2011), you will end up with:

[root@localhost ~]# mkfs.ext4 /dev/iscsi/test
mke4fs 1.41.9 (22-Aug-2009)
mkfs.ext4: Size of device /dev/iscsi/test too big to be expressed in 32 bits using a blocksize of 4096.

This post is about how to solve the issue.

Solutions to common errors when compiling and installing PHP


configure: error: xslt-config not found. Please reinstall the libxslt >= 1.1.0 distribution

yum -y install libxslt-devel

configure: error: Could not find net-snmp-config binary. Please check your net-snmp installation.

yum -y install net-snmp-devel

configure: error: Please reinstall readline – I cannot find readline.h

yum -y install readline-devel

configure: error: Cannot find pspell

yum -y install aspell-devel

checking for unixODBC support... configure: error: ODBC header file '/usr/include/sqlext.h' not found!

yum -y install unixODBC-devel

configure: error: Unable to detect ICU prefix or /usr/bin/icu-config failed. Please verify ICU install prefix and make sure icu-config works.

yum -y install libicu-devel

configure: error: utf8mime2text() has new signature, but U8TCANONICAL is missing. This should not happen. Check config.log for additional information.

yum -y install libc-client-devel

How to configure fail2ban to protect Apache HTTP server

An Apache HTTP server in a production environment can come under attack in various ways. Attackers may attempt to gain access to unauthorized or forbidden directories using brute-force attacks or by executing malicious scripts. Some malicious bots may scan your websites for security vulnerabilities, or harvest email addresses and web forms to send spam to.

Apache HTTP server comes with comprehensive logging capabilities that capture various abnormal events indicative of such attacks. However, it is still non-trivial to systematically parse detailed Apache logs and react quickly to potential attacks (e.g., ban/unban offending IP addresses) as they are perpetrated in the wild. That is when fail2ban comes to the rescue, making a sysadmin's life easier.

fail2ban is an open-source intrusion prevention tool which detects various attacks based on system logs and automatically initiates prevention actions e.g., banning IP addresses with iptables, blocking connections via /etc/hosts.deny, or notifying the events via emails. fail2ban comes with a set of predefined “jails” which use application-specific log filters to detect common attacks. You can also write custom jails to deter any specific attack on an arbitrary application.

In this tutorial, I am going to demonstrate how you can configure fail2ban to protect your Apache HTTP server. I assume that you have Apache HTTP server and fail2ban already installed. Refer to another tutorial for fail2ban installation.
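As an added example (not from the original tutorial and not fail2ban's own code): a Ruby model of how a fail2ban jail turns a log filter into bans, with the maxretry and findtime semantics described above, run over constructed Apache access-log lines. The regex, the "failure = 401/403/404 response" criterion and the function names are my own simplification, not fail2ban's Apache filters.

```ruby
require "time"

# Constructed sample of Apache access-log lines (combined log format); not real traffic.
# 203.0.113.7 probes for admin paths and collects 404s; 198.51.100.5 is an ordinary visitor.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "scanner"
  203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "scanner"
  203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "scanner"
  198.51.100.5 - - [10/Oct/2023:13:55:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "browser"
  198.51.100.5 - - [10/Oct/2023:13:55:05 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "browser"
  203.0.113.7 - - [10/Oct/2023:14:10:00 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "scanner"
LOG

# Filter regex in the spirit of a fail2ban failregex: pull out the client IP,
# the timestamp and the HTTP status code of each request line.
ACCESS_RE = /\A(?<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?<ts>[^\]]+)\] "[^"]*" (?<status>\d{3}) /

# Replay the log the way a jail does: every line matching the filter with a
# "failure" status counts against its IP; an IP that reaches maxretry failures
# inside a findtime window (seconds) is banned. Returns {ip => time of ban}.
def offenders(log, maxretry: 3, findtime: 600, statuses: %w[401 403 404])
  recent = Hash.new { |h, k| h[k] = [] }
  banned = {}
  log.each_line do |line|
    next unless (m = ACCESS_RE.match(line))
    next unless statuses.include?(m[:status])
    t = Time.strptime(m[:ts], "%d/%b/%Y:%H:%M:%S %z")
    window = recent[m[:ip]]
    window << t
    window.reject! { |seen| t - seen > findtime }   # forget failures older than findtime
    banned[m[:ip]] ||= t if window.size >= maxretry
  end
  banned
end

# Render the firewall rule a ban action would apply (returned as text, not executed).
def ban_commands(banned, bantime: 3600)
  banned.map do |ip, at|
    "iptables -I INPUT -s #{ip} -j DROP  # banned #{at.getutc.iso8601}, unban after #{bantime}s"
  end
end
```

Raising maxretry or shrinking findtime with the sample above shows why both knobs matter: the scanner's fourth 404 arrives 15 minutes after the first three and no longer falls inside the default 10-minute window.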