Tuesday, 29 January 2013

Memcached

Memcached server : It is a caching daemon designed especially for dynamic web applications to decrease database load by storing objects in memory.

Install Memcached Server

Type the following command on memache1 server. First, you need to turn on EPEL repo:
# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
Now, install memcached using the yum command, enter:
# yum install memcached

Configure memcached

You need to edit /etc/sysconfig/memcached file, enter:
# vi /etc/sysconfig/memcached
Edit as follows:



PORT="11211"

USER="memcached"

MAXCONN="2048"

CACHESIZE="4096"

OPTIONS="-l 10.10.1.5"



Where,

PORT: Listen on TCP port # 11211, the default is port 11211.

USER: Run memcached server as memcached user.

MAXCONN: Use 2048 max simultaneous connections; the default is 1024.

CACHESIZE: Use 4096 MB (4GB) memory max to use for object storage; the default is 64 megabytes.

OPTIONS="-l 10.10.1.5": Listen on 10.10.1.5. This is an important option to consider as there is no other way to secure the installation. Binding to an internal or firewalled network interface is suggested. In this example, IP address 10.10.1.5 is only accessible using LAN and is behind firewalled host.

Make changes as per your setup and requirements. Save and close the file.

Turn On Service

Type the following chkconfig command to turn memcached service, enter:
# /sbin/chkconfig memcached on
## command to START the server ##
# /sbin/service memcached start
## command to STOP the server ##
# /sbin/service memcached stop
## command to RESTART the server ##
# /sbin/service memcached restart

Install php-pecl-memcache

Type the following commands on www1, www2, and www3 Apache server:
# yum -y install php-pecl-memcache
# /sbin/service httpd restart

Install Memcached Object Cache Plugin

Type the following command on www1, www2, and www3 Apache server (if you are using some sort of cluster aware file system such as GFS2 or OCFS2, than just type it on any one apache web server node):
Visit this url and grab the plugin, enter:
$ cd /tmp/
$ wget http://downloads.wordpress.org/plugin/memcached.2.0.zip
$ unzip memcached.2.0.zip
Edit object-cache.php, enter:
$ vi object-cache.php
Edit memcahe server and port connection information:



$buckets = array('10.10.1.5:11211');



Save and close the file. Finally, copy object-cache.php into your wp-content directory. In our example /var/www/html/wp-content/ directory:
$ cp object-cache.php /var/www/html/wp-content/

How Do I Verify That It Is Working?

Type the following commands to display memcache slabs (please note that the following output is taken from a small memcached server with just 512MB cache for demonstration purpose only):
# memcached-tool 10.10.1.5:11211 display
Sample outouts:

# Item_Size Max_age Pages Count Full? Evicted Evict_Time OOM

1 96B 38302s 1 42 no 0 0 0

2 120B 37571s 1 4 no 0 0 0

3 152B 335s 1 232 no 0 0 0

4 192B 37763s 1 40 no 0 0 0

5 240B 37804s 1 36 no 0 0 0

6 304B 37595s 1 86 no 0 0 0

7 384B 829s 4 10401 no 0 0 0

8 480B 228s 1 972 no 0 0 0

9 600B 106s 1 387 no 0 0 0

10 752B 38298s 1 288 no 0 0 0

11 944B 404s 1 143 no 0 0 0

12 1.2K 38319s 1 258 no 0 0 0

13 1.4K 12739s 1 176 no 0 0 0

14 1.8K 38322s 1 230 no 0 0 0

15 2.3K 1500s 2 491 no 0 0 0

16 2.8K 1500s 2 648 no 0 0 0

17 3.5K 828s 3 600 no 0 0 0

18 4.4K 37660s 2 322 no 0 0 0

19 5.5K 38035s 1 171 no 0 0 0

20 6.9K 38458s 1 102 no 0 0 0

21 8.7K 39002s 1 39 no 0 0 0

22 10.8K 42068s 1 35 no 0 0 0

23 13.6K 24184s 1 15 no 0 0 0

24 16.9K 41626s 1 11 no 0 0 0

25 21.2K 43426s 1 1 no 0 0 0

26 26.5K 43392s 1 1 no 0 0 0

37 308.5K 1493s 1 3 yes 0 0 0

To shows general stats, enter:
# memcached-tool 10.10.1.5:11211 stats
Sample outputs:

#10.10.1.5:11211 Field Value

accepting_conns 1

auth_cmds 0

auth_errors 0

bytes 14945401

bytes_read 1320187573

bytes_written 3180772729

cas_badval 0

cas_hits 0

cas_misses 0

cmd_flush 0

cmd_get 1280549

cmd_set 1262345

conn_yields 0

connection_structures 73

curr_connections 72

curr_items 15724

decr_hits 0

decr_misses 0

delete_hits 11296

delete_misses 24284

evictions 0

get_hits 1156788

get_misses 123761

incr_hits 0

incr_misses 0

limit_maxbytes 536870912

listen_disabled_num 0

pid 42690

pointer_size 64

reclaimed 2

rusage_system 51.550163

rusage_user 20.861828

threads 4

time 1284368953

total_connections 558

total_items 75121

uptime 43527

version 1.4.5

To dumps keys and values, enter:
# memcached-tool 10.10.1.5:11211 dump | less

AWSTATS


In this howto we will assume: you are root, you own example.com and have administrative access to create the subdomain stats.example.com.


Installing the EPEL software repository, AWStats and optional components for Geo tracking:


Click the EPEL link for more verbose instructions or give this command:


su -c "http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm"


Then issue this command:


yum --enablerepo=epel install awstats GeoIP-data perl-Geo-IP


Since there is no Centos package for the GeoLiteCity.dat you can get the single file from MaxMind as well as updated GeoIP.dat files here:






http://www.maxmind.com/app/geolitecountry


http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz


http://www.maxmind.com/app/geolitecity


http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz


If you choose to use only the MaxMind files directly, you can put them in /var/www/GeoIP as follows:






sudo mkdir /var/www/GeoIP; cd /var/www/GeoIP


sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz


sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz


sudo gunzip GeoIP.dat.gz GeoLiteCity.dat.gz


After successful install of the above software we will make a copy of the default AWStats config that we can use over and over:


Copy default conf so we always have a clean starting point if something goes wrong.


cp /etc/awstats/awstats.model.conf /etc/awstats/awstats.model.conf.orig


Make another copy for our example site.


cp /etc/awstats/awstats.model.conf.orig /etc/awstats/awstats.stats.example.com.conf


Next we create the directories for the new subdomain stats.example.com. For security purposes the default Apache httpd docroot in Centos is /var/www/ :


mkdir /var/www/stats.example.com && mkdir /var/www/stats.example.com/cgi-bin


Next we copy the AWStats program files to our newly created stats.example.com/cgi-bin directory:


cd /usr/share/awstats/wwwroot/ && cp -R * /var/www/stats.example.com/


(For this example we're using: awstats-6.95-1.el5)


Next let’s alter the Apache httpd conf file and add an entry for our new subdomain:


vi /etc/httpd/conf/httpd.conf add this information at the bottom in the vhosts section or in /etc/httpd.conf.d/vhosts.conf either will work:



You should already have a domain configured that you'd like to track the stats of like this:


<VirtualHost *:80>


ServerAdmin admin@example.com


ServerName example.com


ServerAlias www.example.com


DocumentRoot /var/www/example.com


ScriptAlias /cgi-bin/ /var/www/example.com/cgi-bin/


CustomLog logs/example.com_access_log combined


ErrorLog logs/example.com_error_log


</VirtualHost>


We'll be adding this subdomain to track the above domains stats:


<VirtualHost *:80>


ServerAdmin admin@example.com


ServerName stats.example.com


DocumentRoot /var/www/stats.example.com


ScriptAlias /cgi-bin/ /var/www/stats.example.com/cgi-bin/


CustomLog logs/example.com.stats_access_log combined


ErrorLog logs/example.com.stats_error_log


## AWstats ##


Alias /classes "/var/www/stats.example.com/classes/"


Alias /css "/var/www/stats.example.com/css/"


Alias /icon "/var/www/stats.example.com/icon/"


ScriptAlias /awstats/ "/var/www/stats.example.com/cgi-bin/"


## End AWstats ##


</VirtualHost>



Next we’ll edit /etc/httpd/conf.d/awstats.conf to include information about our new subdomain at /var/www/stats.example.com:


vi /etc/httpd/conf.d/awstats.conf



<Directory "/var/www/stats.example.com">


DirectoryIndex awstats.pl


Options ExecCGI


Options FollowSymLinks


Options None


AllowOverride None


Order allow,deny


Allow from all


</Directory>



Now let’s edit the awstats.stats.example.com.conf we created in Step 2:


vi /etc/awstats/awstats.stats.example.com.conf

We will be editing the following lines:


1. LogFile="/var/log/httpd/example.com_access_log"


2. SiteDomain="stats.example.com"


3. HostAliases="stats.example.com"


4. DirData="/var/www/stats.example.com/"


5. LoadPlugin="geoip GEOIP_STANDARD /var/lib/GeoIP/GeoIP.dat"


(using the yum install method)


6. LoadPlugin="geoip GEOIP_STANDARD /var/www/GeoIP/GeoIP.dat"


(using the MaxMind direct download method)


7. LoadPlugin="geoip_city_maxmind GEOIP_STANDARD /var/www/GeoIP/GeoLiteCity.dat"


(using the MaxMind direct download method)


Note: The LogFile directive must be the same as the httpd CustomLog directive for the site we actually want the stats from (example.com).


Next let’s restart Apache httpd so our changes take effect:


service httpd restart


Next we’ll call the AWStats perl script to automatically update our stats right now:


perl /var/www/stats.example.com/cgi-bin/awstats.pl -config=stats.example.com -update


Finally, to update our stats automatically every hour via cron we do the following:


cd /etc/cron.hourly && vi 01awstats


Add this line, save and exit:


perl /var/www/stats.example.com/cgi-bin/awstats.pl -config=stats.example.com -update > /dev/null 2>&1


chmod 755 01awstats


service crond restart


We can also use htpasswd to secure the directory from prying eyes:


We'll be doing this work as root in the directory: /var/www/stats.example.com


(In the vi editor use i for insert text, esc + :wq to write and quit vi)


htpasswd -s .htpasswds joe


New password: (This is the user Joe's password to access the stats.)


Re-type new password:


Adding password for user joe


Let's Check to see the password was actually added as expected:


vi .htpasswds


joe:{SHA}9Q+DCACuf4OZs8b0E8eR5j1aIVU=


vi /etc/httpd/conf/httpd.conf


Add this to the virtualhost entry for stats.example.com:




1


2


3


4


5


6


7


8


<Directory "/var/www/stats.example.com">


AuthName "Restricted Area"


AuthType Basic


AuthBasicProvider file


AuthUserFile /var/www/stats.example.com/.htpasswds


AuthGroupFile /dev/null


require valid-user


</Directory>



Now, try hitting your site at: http://stats.example.com You should be prompted for a username and password for your user.


If it does not work, try double checking the steps or join #centoshelp or #httpd on Freenode for further assistance.


Troubleshooting


How to test


Explanation troubleshooting basics and expectations.


Testing your configuration:


You should now be able to go to: http://stats.example.com/cgi-bin/awstats.pl and see your sites stats.


If this does not work for you, please go through the howto more slowly and double check every setting as well as your Apache httpd error logs:


Common mistakes are: Typos, file permissions, file ownership, improper or conflicting Apache httpd Options directives or other Apache httpd config errors.


If you do not see the GeoIP data, but the rest of AWStats works, check the SELinux file contexts for the GeoIP files:


ls -alsZ /var/lib/GeoIP/


incorrect SElinux context --> -rw-r--r-- root root system_u:object_r:var_lib_t GeoIP.dat


incorrect SElinux context --> -rw-r--r-- root root system_u:object_r:var_lib_t GeoLiteCity.dat


sudo chcon -t httpd_sys_content_t /var/lib/GeoIP/GeoIP.dat


sudo chcon -t httpd_sys_content_t /var/lib/GeoIP/GeoLiteCity.dat


ls -alsZ /var/lib/GeoIP/


correct SElinux context --> -rw-r--r-- root root system_u:object_r:httpd_sys_content_t GeoIP.dat


correct SElinux context --> -rw-r--r-- root root system_u:object_r:httpd_sys_content_t GeoLiteCity.dat


You should be able to see country/city GeoIP data now if you refresh the page.


NTP


The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. Under CentOS / RHEL you can use NTP or OpenNTPD server software. Both package provides client and server software programs for time synchronization.

Install ntp

The ntp package contains utilities and daemons that will synchronize your computer's time to Coordinated Universal Time (UTC) via the NTP protocol and NTP servers. The ntp packageincludes ntpdate (a program for retrieving the date and time from remote machines via a network) and ntpd (a daemon which continuously adjusts system time). Install the ntp package:
# yum install ntp

How do I configure an NTP Client?

Simply open /etc/ntp.conf file, enter:
# vi /etc/ntp.conf
Make sure the following line exists:
server ntp.server.com
Where,

ntp.server.com : the hostname or IP address of the site NTP server. If your ntp server located at 192.168.1.5, enter server 192.168.1.5. You can also use public ntp server located at ntp.org.

You can also run ntpd using cron:
# echo '30 * * * * root /usr/sbin/ntpd -q -u ntp:ntp' > /etc/cron.d/ntpd
The above instructs crond to run ntpd and after setting the clock just exit, and the -u option instructs it to run as the ntp user.

Configure an NTP Server

If you have lots of server and desktop system, configure your own NTP server. Your NTP server contacts a central NTP server,provided by your ISP or a public time
server located at ntp.org, to obtain accurate time data. The server then allows other machines on your network to request the time data. Our sample setup:

192.168.1.5 ==> CentOS / Fedora / RHEL NTPD Server.

202.54.1.5 ==> ISP remote NTP server.

192.168.1.0/24 ==> NTP clients including desktop systems.

First, install and enable ntpd on 192.168.1.5:
# yum install ntp
# chkconfig ntpd on
Now open /etc/ntp.conf:
# vi /etc/ntp.conf
Make sure the following line exits:
restrict default ignore
Above will deny all access to any machine, server or client. However, you need to specifically authorized policy settings. Set it as follows:

restrict 202.54.1.5 mask 255.255.255.245 nomodify notrap noquery

server 202.54.1.5

Replace 202.54.1.5 and mask with actual remote ISP or ntp.org NTP server IP. Save and close the file.

Configure NTP clients to access your NTP Server

Install ntpdate using yum : yum install ntp

Put below in Cron : crontab -e

1 6 * * * /usr/sbin/ntpdate ntp.techrock.com 2>&1

/usr/sbin/ntpdatentp.techrock.com

Do ntpudate manually using below. Run the command 3-4 times.

ntpdate -u ntp.techrock.com

Now, you need to allow legitimate NTP clients to access the Server. For example, allow 192.168.1.0/24 network to synchronize to this server located at 192.168.1.5. Open /etc/ntp.conf and add policy as follows:

# Hosts on local network are less restricted.

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

Update your firewall settings, open /etc/sysconfig/iptables.
# vi /etc/sysconfig/iptables
Add the following line, before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

Save and close the file. Finally, start ntpd:
# service ntpd start
# service iptables restart
# netstat -tulpn


SSH

Howto Linux / UNIX setup SSH with DSA public key authentication (password less login)

#1 machine : your laptop called tom
#2 machine : your remote server called jerry
Command to type on your laptop/desktop (local computer)

First login to local computer called tom and type the following command.
Step #1: Generate DSA Key Pair

Use ssh-keygen command as follows:
$ ssh-keygen -t dsa
Output:

Enter file in which to save the key (/home/vivek/.ssh/id_dsa): Press [Enter] key
Enter passphrase (empty for no passphrase): myPassword
Enter same passphrase again: myPassword
Your identification has been saved in /home/vivek/.ssh/id_dsa.
Your public key has been saved in /home/vivek/.ssh/id_dsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01 vivek@vivek-desktop

Caution: a) Please enter a passphrase different from your account password and confirm the same.
b) The public key is written to /home/you/.ssh/id_dsa.pub.
c) The private key is written to /home/you/.ssh/id_dsa.
d) It is important you never-ever give out your private key.
Step #2: Set directory permission

Next make sure you have correct permission on .ssh directory:
$ cd
$ chmod 755 .ssh
Step #3: Copy public key

Now copy file ~/.ssh/id_dsa.pub on Machine #1 (tom) to remote server jerry as ~/.ssh/authorized_keys:
$ scp ~/.ssh/id_dsa.pub user@jerry:.ssh/authorized_keys
Command to type on your remote server called jerry

Login to your remote server and make sure permissions are set correct:
$ chmod 600 ~/.ssh/authorized_keys
Task: How do I login from client to server with DSA key?

Use scp or ssh as follows from your local computer:
$ ssh user@jerry
$ ssh user@remote-server.com
$ scp file user@jerry:/tmp

You will still be asked for the passphrase for the DSA key file each time you connect to remote server called jerry, unless you either did not enter a passphrase when generating the DSA key pair.
Task: How do I login from client to server with DSA key but without typing a passhrase i.e. password-less login?

Type the following command at shell prompt:
$ exec /usr/bin/ssh-agent $SHELL
$ ssh-add
Output:

Enter passphrase for /home/vivek/.ssh/id_dsa: myPassword
Identity added: /home/vivek/.ssh/id_dsa (/home/vivek/.ssh/id_dsa)

Type your passhrase once. Now, you should not be prompted for a password whenever you use ssh, scp, or sftp command.



OpenSSH is tool used for connecting and managing remote linux machines. And this should be secured. I am here by telling some security tips to make the SSH server perfect.

1.The following iptable rule will drop incoming connections which make more than 5 connection attempts upon port 22 within 60 seconds

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP

2.Disable Empty Passwords

Open the file /etc/sshd/sshd_config and

PermitEmptyPasswords no
3.TCPWrappers

open --> vi /etc/hosts.deny
sshd:ALL

then

open --> vi /etc/hosts.allo

sshd:192.168.1.32 192.168.1.21 (Change to your desired IP)

4.Change the SSH Port

The Idea behind this , suppose we change the port 22 to something other say Oracle 1521 , the attackers thinks that this is an Oracle server and will try oracle hacking tools :)
Port 300

5.Force Logout for Idle Sessions
ClientAliveInterval 300
ClientAliveCountMax 0

To quickly secure OpenSSH daemon, open config file located at /etc/ssh/sshd_config and make the following changes:

Protocol 2

PermitRootLogin without-password
StrictModes yes
Banner /etc/sshd_banner

LoginGraceTime 60
MaxAuthTries 3
MaxStartups 10

PermitEmptyPasswords no
PrintLastLog yes
AllowTcpForwarding no

IgnoreRhosts yes
IgnoreUserKnownHosts yes
HostbasedAuthentication no</code>

Create SSH banner, just open in a favourite text editor file /etc/sshd_banner and fit it with following contents:

This is secured SSH service. Your activities are logged and monitored.

Warning: Unauthorized access to this system is strictly prohibited.

Also, to secure access to the OpenSSH daemon it is recommended to disable the password authentication and use a public/private keys.
Below is a description of directives used to secure OpenSSH:
Protocol
This directive allows to specify the version of SSH to use. For security reasons it is strongly recommended to use only protocol 2, because the old version has several security flaws.
PermitRootLogin
Configure behaviour for the root account to eliminate security risks. The without-password argument allows root login only using public keys. The password authentication will not be allowed.
StrictModes
Tells SSH daemon to check user's permissions in their home directory and rhosts files before accepting login. For security reasons it is recommended to enable it because sometimes users may accidentally leave files or directories writable, and script-kiddies may use this to assume user's identity.
Banner
Directive tells to SSH daemon to the file that contents should be displayed before login occurs. Usually this directive is used by organizations where is required some legal verbage to be shown when host is accessed.
LoginGraceTime
This parameter tells to SSH daemon drop connection attempts if a successful connection hasn't occured in a specifed amount of seconds. I limited it to 60 seconds.
MaxAuthTries
This directive allows to avoid some brute-force attacks to the daemon by limiting failing connections attempts. By default, users who cannot remember the password, gets 3 attempts.
MaxStartups
This parameter enhance security by limiting number of unauthenticated sessions keeped alive. This also helps in combating brute-force attacks because other attempts to authenticate will not be blocked, until one of active sessions succeeds authentication or times out.
PermitEmptyPasswords
Allows or disallows empty passwords. It is recommended to disable them because usage of empty passwords is discouraged for security reasons.
PrintLastLog
This directive empowers the user to check for security by displaying the users last login time at the time of login.

AllowTcpForwarding
Controls tunneled connctions of TCP protocols over SSH (like rsync over SSH). Sometimes tunneling is a security risk because it is difficult to detect behaviour of malicious protocols or applications. Also, tunnels are usually used by script-kiddies for crossing firewalls.
IgnoreRhosts
This directive enhances security by ignoring the legacy .rhost file from users. This is a best practice, in case rsh/rlogin are enabled or could accidentally become enabled.
IgnoreUserKnownHosts
Directive is used to protect against users setting up host-based authentication. For security purposes, it is often best to change the directive to yes.
HostbasedAuthentication
Tells SSH daemon to enable or disable host-based authentication. Most security experts are extremely opposed to any form of host-based authentication and recommends to use public keys or password authentication as alternative.


A Syslog Server using Rsyslog, MySQL and LogAnalyzer


A Syslog Server using Rsyslog, MySQL and LogAnalyzer


This article goal is to setup a rsyslog server to store syslog messages into multiple mysql db tables (based on message source), and then access those messages via http browser.

Actually, a couple of months ago I wrote a similar post using ubuntu server 10.10, it worked up to the moment I updated the server.
A few days ago a user (Colin) left a comment about his struggle to make a similar config under CentOS. After that I decided to give it another go, this time using CentOS.

Currently I just need to get the syslog messages from two devices (a cisco router and an accesspoint), however you can easily find out how to adapt this config to as many as you please.
Before you Start

Before you start reading here are some overall notes on the setup.

Rsyslog:
Mysql DB Name: rsylogdb (tables gw1, ap1)
Mysql username: rsyslog

LogAnalizer:
Mysql DB Name: loganalizerdb
Mysql username: loganalizer

Local Networks: 10.0.0.0/27, 10.0.0.1/27


GW1 IP:10.0.0.30
AP1 IP:10.0.1.29
Syslog Server: 10.0.2.19
Syslog Port: 514/tcp
Server OS: CentOS 5.6 (OpenVZ VM)

Ok, let’s start.
1. MySQL
1.1 Install and run MySQL

Install with:yum install php-mysql mysql mysql-server


Secure and Run:/sbin/chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
/usr/bin/mysql_secure_installation


Note: Last line will enable you to setup the mysql root password (initial password is blank, so if asked for it just hit Enter). Also it will enable you to secure the mysql config.
Also further steps could be made to secure the mysql config (change default port, root remote login, config allowed hosts, etc) but as this is a local server no need for that.
1.2. Setup Database and Tables

During “rsyslog-mysql” install, providing that mysql exists, the database and tables will be created automatically, default database table name is “Syslog” with “SystemEvents” and “SystemEventsProperties” tables. However the point is to split the messages over different tables so I will descrive how to manually create them.
Rsyslog database table schema is stored in a file called “createDB.sql”, however if your following this article, at this point you haven’t yet installed “rsyslog-mysql”.
Attention: The best (safest) option is to install “rsyslog” and “rsyslog-mysql” (read 2.1. Install Rsyslog) then come back here and complete the mysql config.

Check table schema:find -name createDB.sql
#outputs(in my case)
./usr/share/doc/rsyslog-mysql-3.22.1/createDB.sql
#edit file and copy schema
vi /usr/share/doc/rsyslog-mysql-3.22.1/createDB.sql


Create the user/database/table and table schema:#log to mysql
mysql -u root -p

#create a user
CREATE USER rsyslog;
SET PASSWORD FOR rsyslog= PASSWORD("yourpasswordgoeshere");

#setup database and table schema
CREATE DATABASE rsyslogdb;
USE rsyslogdb;
#paste contents of createDB.sql (the following is for rsyslog-mysql-3.22.1)
CREATE TABLE SystemEvents
(
ID int unsigned not null auto_increment primary key,
CustomerID bigint,
ReceivedAt datetime NULL,
DeviceReportedTime datetime NULL,
Facility smallint NULL,
Priority smallint NULL,
FromHost varchar(60) NULL,
Message text,
NTSeverity int NULL,
Importance int NULL,
EventSource varchar(60),
EventUser varchar(60) NULL,
EventCategory int NULL,
EventID int NULL,
EventBinaryData text NULL,
MaxAvailable int NULL,
CurrUsage int NULL,
MinUsage int NULL,
MaxUsage int NULL,
InfoUnitID int NULL ,
SysLogTag varchar(60),
EventLogType varchar(60),
GenericFileName VarChar(60),
SystemID int NULL
);
CREATE TABLE SystemEventsProperties
(
ID int unsigned not null auto_increment primary key,
SystemEventID int NULL ,
ParamName varchar(255) NULL ,
ParamValue text NULL
);
#rename SystemEvents
rename table SystemEvents to gw1;

#duplicate table
CREATE TABLE ap1 LIKE rsyslogdb.gw1;

#grant rsyslog user privileges over database
GRANT ALL PRIVILEGES ON rsyslogdb.* TO rsyslog IDENTIFIED BY "yourpasswordgoeshere";
flush privileges;

#leave mysql
exit

2. Rsyslog
2.1. Install Rsyslog

First remove sysklogd (default centos syslog daemon)yum remove sysklogd


Install Rsyslog with mysql supportyum install rsyslog rsyslog-mysql


Note: If your running mysql inside an openvz vm (like me), when using “yum” to install anything, you may get an “thread.error” . This is a known bug with “fastestmirror” feature of “yum” and “mysql”.
To bypass this problem, either disable “fastestmirror” or stop mysql:yum --disableplugin=fastestmirror install rsyslog rsyslog-mysql
#or
yum --noplugins install rsyslog (I prefer this one)
#or
service mysqld stop
#install whatever you want, then:
service mysqld start

2.2. Config Rsyslog

Now, lets config rsyslog:vi /etc/rsyslog.conf
#Add (note that I only use TCP port 514, you can use UDP and any other port):
$ModLoad ommysql
$ModLoad imtcp
$InputTCPServerRun 514

#define the allowed senders (either by host or network, I prefer the second one):
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/27, 10.0.1.0/27
$AllowedSender TCP, 127.0.0.1, 10.0.0.30, 10.0.1.29

#create custom templates and source rules:
$template gw1tmpl,"insert into gw1 (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL
$template ap1tmpl,"insert into ap1 (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL
if ($source == '10.0.0.30') then :ommysql:127.0.0.1,rsyslogdb,rsyslog,passwordgoeshere;gw1tmpl
if ($source == '10.0.1.29') then :ommysql:127.0.0.1,rsyslogdb,rsyslog,passwordgoeshere;ap1tmpl


It may prove useful to setup an “aggregation table”, that will log all messages (to check all messages at once):#Create "SystemEvents" table :
(in mysql)
use rsyslogdb;
CREATE TABLE SystemEvents LIKE rsyslogdb.gw1;
exit
(edit rsyslog.conf)
vi /etc/rsyslog.conf
(add this line before the rule/templates [if($souce)...])
*.* >127.0.0.1,rsyslogdb,rsyslog,passwordgoeshere


Note that “rsyslog.conf” file is sequential, so if you place the “aggregation table” before the “if statements”, when a syslog message arrives, it will be stored first in the “aggregation table”, then in the table pointed by the corresponding statement (if any).

At last, write rsyslog.conf, exit, and restart the service:service rsyslog restart

2.3. Allow Syslog Messages trought IpTables

If you run a firewall (iptables), you will need to open a port, like this:iptables -I INPUT -p tcp -i eth0 -s 10.0.0.30 -d 10.0.2.19 --dport 514 -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -s 10.0.1.29 -d 10.0.2.19 --dport 514 -j ACCEPT
#adapt protocol/port to your config

2.4. Test Rsyslog

Let’s do some testing.
Check if messages are arriving at the syslog server.tail -f /var/log/messages


Check if messages are being stored in mysql database.mysql -u root -p
use rsyslogdb;
select * from gw1;


If you see anything else than “empty set” it’s working
3. LogAnalyzer
3.1. Install LogAnalyzer

First, you will need to install apache, php and the mysql connectoryum install httpd php php-mysql
#remember "service mysqld stop/start" if you run openvz and get "thread.error"
chkconfig --levels 235 httpd on
service httpd start


Check for the last stable release, download and installcd /tmp
wget http://download.adiscon.com/loganalyzer/loganalyzer-3.2.1.tar.gz
#untar
tar -xvzf loganalyzer-3.2.1.tar.gz
#cd to src directory
cd loganalyzer-3.2.1/src
#clear /var/www/html (remove apache default index)
rm -R -f /var/www/html
#Copy the content to your the webserver root (/var/www)
cp -R * /var/www/html
#and repeat for the contrib folder:
cd /tmp/loganalyzer-3.2.1/contrib/
cp * /var/www/html
#go to webroot and give execute scripts
cd /var/www/html
chmod +x configure.sh secure.sh
./configure.sh


Note:The last line will create a blank “config.php” file, and will give everyone write access to it.
It won´t generate any output, so don’t panic, just do a “ls” to check if the config.php file has been created (initial setup via browser will make changes to this file).
3.2. Setup LogAnalyzer

Setup LogAnalizer MySQL user and database:#log into mysl
mysql -u root -p
create database loganalyzerdb;
CREATE USER loganalyzer;
SET PASSWORD FOR loganalyzer= PASSWORD("yourpasswordgoeshere");
GRANT ALL PRIVILEGES ON loganalyzerdb.* TO loganalyzer IDENTIFIED BY "yourpasswordgoeshere";
flush privileges;
exit


Now point your browser to the server ip.

You will be presented with the following message, proceed (“Click here…”)

Click proceed until you reach this page, then setup loganalyzer viewing preferences.

Setup the database as seen above.

Now somewhere along this process you will be asked if you want to setup a loganalyzer database to store users. Insert the database name and user you have created before.




After the setup, you will need to add another (one or several) log sources (aka database tables). Go to Admin Center > Sources and click on “Add new source”, and insert the same config that before, only changing the database table.







After I had setup my sources I logged out of loganalyzer and I was still was able to access those sources, so I had to edit the sources again (via browser) and click on the checkbox “user only” to make them private to the user how created them (you can see in the image above that they where assigned “Global”). Then we need to edit loganalyzer config file:vi /var/www/html/config.php
#change line
$CFG['UserDBLoginRequired'] = false;
#to
$CFG['UserDBLoginRequired'] = true;





Finally, All done.


4. Final Notes:

As I said, I run a cisco router and ap, so here’s how to activate syslog on those devices:logging host 10.0.2.19 transport tcp port 514 audit
logging trap debugging









Separate Rsyslog logging over multiple database tables

This post explains how to separate rsyslog log messages, over different mysql database tables. If you need to log from more than one device, and if you want to have separate logging to database, then this is the way to go. And it can be combined with the phplogcon (aka loganalyzer) multiple database source config.

I have written a series of post explaining how to setup rsyslog with mysql database and setting a webserver with phplogcon for accessing the log messages over my browser. you can check this posts using the following links:

In my home LAN I have 2 cisco devices I want to monitor, a cisco router and a cisco accesspoint, so this will be my quest, as for you guys i hope you can manage to adapt this information to your needs.
For the rest of this post I will assume that my router ip is 192.168.1.1, ap is 192.168.1.2, and rsyslog server is 192.168.1.3. I will also assume that you have read my other posts and that you have already a rsyslog+mysql+phplogcon config working.

My database table names will be “gateway” and “accesspoint”, and I will use the default rsyslog database name “Syslog”, with the default user “rsyslog”.

First login to mysql, select the Syslog database and rename the “SystemEvents” table:#log to mysql
mysql -u root -p
#select db
use Syslog;
#rename table
rename table SystemEvents to gateway;


Now let’s duplicate the “gateway” table it (do this for as many tables you need):# in this step I create a accesspoint table with same config as the gateway table
CREATE TABLE accesspoint LIKE Syslog.gateway;


Let’s give privileges for our database user over the new tables:
There are 2 ways to do this:#give privileges over a single new table
GRANT ALL PRIVILEGES ON Syslog.accesspoint TO rsyslog IDENTIFIED BY "passwordhere";
#or if you have many tables then probably the best is to go this way:
#list users
SELECT user, host, password FROM mysql.user;
#remove the rsyslog user:
DELETE FROM mysql.user WHERE User='rsyslog';
#then flush privileges: ATENTION: this is a "must do" after changing mysql users.
flush privileges;
#create user again
CREATE USER 'rsyslog'@'localhost' IDENTIFIED BY 'passwordhere';
#and now give privileges over every table inside the database
GRANT ALL PRIVILEGES ON Syslog.* TO rsyslog IDENTIFIED BY "passwordhere";


Ok now let´s go to the rsyslog config. Edit /etc/rsyslog.conf file, and add the following (omit the lines you already have):$ModLoad imtcp
$InputTCPServerRun 514

$ModLoad ommysql
$template gw1,"insert into gateway (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL

if ($source == '192.168.1.1') then :ommysql:127.0.0.1,Syslog,rsyslog,passwordhere;gw1

$template ap1,"insert into accesspoint (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL

if ($source == '192.168.1.2') then :ommysql:127.0.0.1,Syslog,rsyslog,passwordhere;ap1


Now reload the config, and just to be sure restart the service:sudo service rsyslog reload
sudo service rsyslog restart


Now we need to configure the clients, in my case, i will login to my cisco router and ap, and issue the following lines:configure terminal
logging host 192.168.1.3 transport tcp port 514 audit
#Atention: you should use tcp to deliver log messager instead of udp, to garrantee the messeges are received by the server.


Ok perhaps now its time to test the config. In my cisco devices I will give some debug command (some that can generate output), then login the mysql server:mysql -u root -p
#select db
use Syslog;
#list content of table
select * from gateway;
select * from accesspoint;


Ok i haven’t got the “Empty Set” message, so i´m cool.

Last Part! The Phplogcon config (phplogcon is now known as loganalyzer, but it is not stable yet, so no good for me).

All there is to do, is to login to phplogcon over my browser and edit my sources (“Admin Center”>”Sources”)
(check the images bellow)

And that all, here is my nice multisource phplogcon config (with some data omitted to protect the innocent)



Installing LogAnalyzer and rsyslog on CentOS

Instructions on how to set up Linux modules needed to get a LogAnalyzer log aggregation/analysis server up and running and collecting logs.
Prerequisites

These instructions are specific to CentOS 6.2. If you are using a different distro, many of the installation commands and paths to files will be different from what I've documented below. I strongly suggest that you document the steps to perform a similar install for your distro.

You will need to install the prerequisites by using the following commands:yum install httpd yum install mysql yum install mysql-server yum install php yum install php-mysql yum install php-gd yum install rsyslog yum install rsyslog-mysql /usr/bin/updatedb


The '/usr/bin/updatedb' command updates the file index so that the 'find' and 'locate' commands work properly. If you've already properly set up your system to index the files daily, this will be unnecessary.

If your distro of Linux is using a different syslog server such as syslog-ng or sysklogd, you'll need to remove it.
MySQL
Set up MySQL/sbin/chkconfig --levels 235 mysqld on /etc/init.d/mysqld start /usr/bin/mysql_secure_installation


Hit enter key after last command has run since no password has yet been set for root MySQL account. Hit 'y' and enter when asked to set up a root password and type in a strong password. Hit 'y' and enter for the following questions: "Remove anonymous users?", "Disallow root login remotely?", "Remove test database and access to it?", and "Reload privilege tables now?"
Set up database and tables

Create the user/database/table and table schema:

Log in to mysql:mysql -u root -p


Create a user:CREATE USER rsyslog; SET PASSWORD FOR rsyslog= PASSWORD('yourpasswordgoeshere');


Set up database and table schema:CREATE DATABASE rsyslogdb; USE rsyslogdb;


Paste contents below to mysql to set up the schema:CREATE TABLE SystemEvents ( ID int unsigned not null auto_increment primary key, CustomerID bigint, ReceivedAt datetime NULL, DeviceReportedTime datetime NULL, Facility smallint NULL, Priority smallint NULL, FromHost varchar(60) NULL, Message text, NTSeverity int NULL, Importance int NULL, EventSource varchar(60), EventUser varchar(60) NULL, EventCategory int NULL, EventID int NULL, EventBinaryData text NULL, MaxAvailable int NULL, CurrUsage int NULL, MinUsage int NULL, MaxUsage int NULL, InfoUnitID int NULL , SysLogTag varchar(60), EventLogType varchar(60), GenericFileName VarChar(60), SystemID int NULL ); CREATE TABLE SystemEventsProperties ( ID int unsigned not null auto_increment primary key, SystemEventID int NULL , ParamName varchar(255) NULL , ParamValue text NULL );


Next, we need to grant permissions to the rsyslog account we created earlier:GRANT ALL PRIVILEGES ON `rsyslogdb`.* TO 'rsyslog'@'%' IDENTIFIED BY 'yourpasswordgoeshere'; flush privileges;


Leave MySQL:exit

Configure rsyslog
Setting up

How to configure rsyslog:nano /etc/rsyslog.conf


Make your #### Modules #### section the same as the following:#### MODULES #### $ModLoad ommysql # provides support for MySQL $ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) $ModLoad imklog.so # provides kernel logging support (previously done by rklogd) #$ModLoad immark.so # provides --MARK-- message capability # Provides UDP syslog reception $ModLoad imudp.so $UDPServerRun 514 # Provides TCP syslog reception $ModLoad imtcp.so $InputTCPServerRun 514


Just above ### begin forwarding rule ### section add info similar to the following line to limit IP addresses that can send syslog info to the server, for each class C subnet the server will be collecting from, you'll need to enter the subnet info followed by /24 (such as 172.18.22.0/24) to allow that subnet to send syslog data. Alternatively, you can limit by single IP addresses. The 127.0.0.1 is necessary so the server can send logs to itself:$AllowedSender TCP, 127.0.0.1, 172.18.22.0/24 $AllowedSender UDP, 127.0.0.1, 172.18.22.0/24


Add the following line to the ### begin forwarding rule ### section. Replace the "<yourrsyslogpasswordhere>" bit with the password you set for rsyslog MySQL user above:*.* :ommysql:127.0.0.1,rsyslogdb,rsyslog,<yourrsyslogpasswordhere>


When done modifying the file, hit Ctrl+x, then y and then enter to save the file.

Restart the rsyslog service:service rsyslog restart

Test rsyslog

Check if messages are arriving at the syslog server:tail -f /var/log/messages


Check if messages are being stored in mysql database:mysql -u root -p use rsyslogdb; select * from SystemEvents;


If you see anything other than “empty set” it’s working. Exit out of MySQL:exit

Configure Apache

Configure CentOS to start the web server at bootup and manually start the service:chkconfig --levels 235 httpd on service httpd start


modify 2 lines to match your server's respective ip and fqdn in /etc/httpd/conf/httpd.confnano /etc/httpd/conf/httpd.conf from: Listen 80 to: Listen ip.address.of.server:80 and from: #ServerName www.example.com:80 to: ServerName fully.qualified.domian.name:80


Hit CTRL+x, then Y and then enter to save and exit the file.

Restart the server:/etc/init.d/httpd restart

Set up IPTables

Edit the iptables file:nano /etc/sysconfig/iptables


Add these lines to the /etc/sysconfig/iptables file (before the COMMIT line):-I INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-I OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT


You'll need to enter lines similar to the following based on your network environment. For more info on how to use IPTables in CentOS see http://wiki.centos.org/HowTos/Network/IPTables:-I INPUT -p tcp --dport 514 -s 172.18.22.0/24 -j ACCEPT -I INPUT -p udp --dport 514 -s 172.18.22.0/24 -j ACCEPT


Restart the network service and IPTables:/etc/init.d/network restart /etc/init.d/iptables restart

Configure LogAnalyzer
Install LogAnalyzer

Check for the latest stable release by going to http://loganalyzer.adiscon.com/downloads in a browser. Current latest release is http://loganalyzer.adiscon.com/downloads/loganalyzer-3-4-2-v3-stable

Download it on your CentOS server by doing the following:cd /tmp wget http://download.adiscon.com/loganalyzer/loganalyzer-3.4.2.tar.gz


Uncompress the file:tar -xvzf loganalyzer-3.4.2.tar.gz


Copy the source directory to the Apache html directory and create config.php file:cd loganalyzer-3.4.2/src rm -R -f /var/www/html mkdir /var/www/html cp -R * /var/www/html cd /tmp/loganalyzer-3.4.2/contrib/ cp * /var/www/html cd /var/www/html chmod +x configure.sh secure.sh ./configure.sh


The last line will create a blank “config.php” file, and will give everyone write access to it. It won´t generate any output.

Check if the config.php file has been created (initial setup via browser will make changes to this file):ls

Create LogAnalyzer MySQL user and database:mysql -u root -p create database loganalyzerdb; CREATE USER loganalyzer; SET PASSWORD FOR loganalyzer= PASSWORD('yourpasswordgoeshere'); GRANT ALL PRIVILEGES ON `loganalyzerdb`.* TO 'loganalyzer'@'%' IDENTIFIED BY 'yourpasswordgoeshere'; flush privileges; exit

Initial setup of Log Analyzer, Step One:

On a client system go to the Log server's URL using a web browser (http://yoursystemnamehere.blah.org).

A message stating "Critical Error Occurred: Error main configuration file is missing! Click here to install Adiscon LogAnalyzer!" will appear in browser. Click on the word "here" to start the install.

Click "Next" twice and you should get to the "Basic Configuration" screen. The recommend settings are:
Number of syslog messages per page: 200 (set this lower if the log server is on a slow system)
Message character limit for main view: 80 (default)
Character display limit for all string fields: 80
Show message details popup: Yes (default)
Automatically resolved IP Addresses (inline): Yes (default)
Enable User Database: Yes
Database Host: localhost (default)
Database Port: 3306 (default)
Database Name: loganalyzerdb
Table prefix: logcon_
Database User: loganalyzer
Database Password: <enter in the loganalyzer database user password that you set earlier here>
Require user to be logged in: Yes

Click "Next".
Initial setup of Log Analyzer, Step Two:

Click "Next" on the "Create Tables" page, then click "Next" on the "Check SQL Results" page and then set up the admin user:
Username: <enter in the username here that you want>
Password: <enter in the user password that you want to use>
Repeat Password: <re-enter in the user password that you want to use>

Click "Next".
Initial setup of Log Analyzer, Step Three:

The recommended settings for the "Create the first source for syslog messages" page are:
Name of the source: All Syslog Sources
Source type: MySQL Native
Select view: Syslog Fields (default)
Table type: MonitorWare
Database host: localhost (default)
Database name: rsyslogdb
Database table name: SystemEvents
Database user: rsyslog
Database password: <enter in the rsyslog database user password that you set earlier here>
Enable row counting: "Yes"

Click "Next" and then click "Finish".

The install of LogAnalyzer has now been completed. Now other users can be created and there are many settings that can be tweaked as needed.

Point all of the syslog capable devices to the new log server and begin analyzing the aggregated logs

Monday, 28 January 2013

CentOS Installation



CentOS 5 Minimal Install Document 

Insert the CD labeled CentOS 5.0 i386 DISK1 into the CD-ROM Drive.
After booting from Linux CDROM
            At the boot prompt: [ Press <Enter>]
At the “CD Found” screen, choose "Skip" to skip the media test
     
Choose a Language Selection:
                        Select “English” [Click Next OR Press <Enter>]
            Keyboard Configuration:
                        Select “us” [Click Next OR Press <Enter>]
                       
            Disk Partitioning Setup:
            Choose “Custom  Partition” [Click Next]

            Choose the appropriate disk

* [Click new] it will open menu, inside that select boot partition and make it 500MB [click ok]

*Select rest of the space [click new],it will open menu ,inside that select lvm and make it all the remaining  space as  LVM [click ok]

* [click LVM] create a partition as given below

Disk Setup:
            Assuming a 40 GB partition called /dev/sda (this parameter will vary)
                        /dev/sda1 ==> /boot (500 MB)
                        /dev/sda2 ==> VolGroup00 (Rest of the Disk)
            VolGroup00
                        LogVol00 ==> / (Rest of the VolGroup00)
                        LogVol01 ==> swap (2GB or 2*RAM whatever is applicable)
                             LogVol02 ==> /tmp ( 5GB )
            [Click Next]

Networking Device:
Select Appropriate interface (mostly eth0) [Click Next OR Press <Enter>]
Disable ipv6 and dhcp
Enter  IP: <Given ip> and  Netmask: <Given Mask>  [click next]

Gateway: <Given ip>
Primary Dns server: <Given ip>
Secondary Dns server: <Given ip> [Click Next OR Press <Enter>]

Time Zone Selection:
            Click you mouse on “Asia/Calcutta” in the MAP [Click Next]


Set Root Password:
            Enter root password twice: Refer "Extra requirements document"
            [Click Next]

Package Group Selection: Select only the following packages:
Choose “Custom Now” [Click Next]

            Desktops:
X Window System -- Deselect All
GNOME Desktop -- Deselect All
KDE (K Desktop Environment) -- Deselect All
            Applications:
                        Editors -- Select vim-enhanced
                        Engineering and Scientific -- Deselect All
                        Graphical Internet -- Deselect All
                        Text-based Internet -- Select elinks
                        Office/Productivity -- Deselect All
                        Sound and Video -- Deselect All
                        Authoring & Publishing -- Deselect All
                        Graphics -- Deselect All
                        Games and Entertainment -- Deselect All
Development:
Development Libraries -- openssl-devel, perl-LDAP
Development Tools -- Select automake14, automake15, automake16, automake17, byacc, diffstat, elfutils, expect, ltrace, oprofile, patchutils, pfman
                        GNOME Software Development -- Deselect All
                        Java -- Deselect All
                        KDE Software Development -- Deselect All

                        Legacy Software Development -- Select All

                        X-Software Development -- Select libpng10-devel

                        Ruby – Deselect All

                       
            Servers: (select appropriate server packages based on final functionality)
DNS Name Server -- Select All
FTP Server -- Select All
Legacy Network Server – xinetd
Mail Server -- Select sendmail-cf, sendmail
MySQL Database -- Select  libdbi-dbd-mysql, mod-auth-mysql, mysql-server, php-mysql and perl-DBD-MySQL
Network Server – Dhcp
News Server -- Deselect All
PostgreSQL Database -- Deselect All
Printing Support -- Deselect All
Server Configuration Tools – system-config-services, system-config-bind
Web Server -- mod_perl, mod_python, mod_ssl, mod-auth-mysql, php, php-ldap, php-mysql, distache
                        Windows File Server -- Deselect All             
            Base Systems:
Administration Tools – Deselect All
Base—network manager, acpid, amtu, anacron, apmd, autofs,cpuspeed, dmraid, dos2unix,dump,eject, effect, ftp, gnupg, iptstate, irqbalance, krb5-workstation, jwhois, lftp ,libalo, logwatch, man pages, mdam, microcode_ctl, mlocate, mtr, mgetty, nc, netconfig, nfs-utils, nss-db, nss-ldap, numcatl, oddjab, pam_krb5, pam-ccreds, pam-passwdqc, pax, pinfo,pkinit-nss, pm-utils, rdate, rdist, readahead, redhat-isb, rng-utils, rsync, sendmail, setuptool, sos, spescpo, sudo, symlinks, sysreport, system-config-n/w-tul, tcp-wrappers, tcpdump, telnet, time, tree, wget, which, yum-updated,zip
Dialup N/W – Deselect All
Java – Deselect All
Legacy software support – compact-libgcc-296, compact-libstdc++-296, compact-libstdc++-33, compact-openldap
System Tools --- Select hwbrowser, mc, net-snmp-libs, net-snmp-utils,  openldap-clients, screen, sysstat

                        Xwindows systems --- Deselect All

                        Virtualization --  Deselect All

                        Clustering -- Deselect All

                        Cluster storage -- Deselect All

                        Language -- Deselect All

[click next]


            Once Installation is done [Click Reboot]
            Remove the CD from the CD-ROM Drive



Post-Installation:



Create a trusted user using the following commands

# useradd -g wheel username #(Replace 'username' with your username, any username except netmagic is fine)

# passwd username



The system will prompt you to enter the password (Make sure you have a mix of Uppercase, Lowercase, Numbers and Special Characters)

Enter the [password string]

Re-enter the [password string]

Note: Remember the password that you've set

Change the Locale from en_US.UTF-8 to en_US

# vi /etc/sysconfig/i18n

Change the first line to read

LANG="en_US"

It should now read like this

# cat /etc/sysconfig/i18n

    LANG="en_US"

    SUPPORTED="en_US.UTF-8:en_US:en"

    SYSFONT="latarcyrheb-sun16"



Logout and login again for the change to take effect
Update the OS for any updates that might have been released

Type this at the bash prompt

# yum check-update

# yum update

You can also use 'yum -y update' to automatically answer yes to all questions

Shutdown unnecessary services

Use the ntsysv command for doing this. We only need the following services to be on.

# ntsysv

anacron

arptables_jf

cpuspeed

crond

haldaemon

httpd

iptables

irqbalance

lm_sensors

messagebus

network

readahead_early

sshd

syslog

sysstat

yum

You can cross check the same using this command.

# chkconfig --list | grep 3:on | sort

Secure the SSH Server

Edit /etc/ssh/sshd_config to use Protocol 2 only and disable direct root access using the 'PermitRootLogin no' directive.

# vi /etc/ssh/sshd_config

A simple grep / egrep of the sshd_config file should look like this

# egrep '^Protocol|^PermitRootLogin' /etc/ssh/sshd_config

    PermitRootLogin no


Make /tmp noexec :



1) Create a executable test file in /tmp :

    Edit /tmp/test.sh

    #!/bin/bash

    echo "Still working"

    chmod 755 /tmp/test.sh



2)   Execute it :

    /tmp/test.sh

     Output:

     Still working

   

3) Now Modify fstab to change the defaults  permissions for /tmp to read nosuid,noexec instead.

   Eg.

   Old:

   tmpfs                   /dev/shm                tmpfs   defaults        0 0



    New :

   tmpfs                   /dev/shm                tmpfs   nodev,nosuid,noexec        0 0



4) Reload fstab using below :

   mount -o remount,noexec,nodev,nosuid /tmp



5) Now verify if its working desirably - Execute /tmp/test.sh

   Output:

   -bash: /tmp/test.sh: /bin/bash: bad interpreter: Permission denied


Disable  Selinux
Disable selinux in /etc/selinux/config file by changing enforcing to disable.
#SELINUX=disabled

Reboot the server

# reboot

OR

# shutdown -nr now
Once the server reboots successfully, login again.
 
RPMs to install –
yum remove aspell aspell-en atk authconfig autofs avahi avahi-compat-libdns_sd \
bitstream-vera-fonts bluez-gnome bluez-libs bluez-utils cairo ccid coolkey \
cpuspeed crash cups cups-libs desktop-file-utils dhcpv6-client dnsmasq \
dos2unix dosfstools ecryptfs-utilsed eject fbset finger firstboot-tui \
fontconfig freetype GConf2 gpm gtk2 hicolor-icon-theme htmlview ifd-egate \
iptables-ipv6 irda-utils irqbalance jwhois krb5-workstation ksh libdrm \
libICE libjpeg libnotify libpng libSM libtiff libwnck libX11 libXaulibXcursor \
libXdmcp libXext libXfixes libXft libXi libXinerama libXrandr libXrender \
libXres libXt libXxf86vm mailcap man man-pages mdadm mesa-libGL microcode_ctl \
mkbootdisk mtools nano NetworkManager NetworkManager-glib newt \
notification-daemon ntsysv numactl ORBit2 pam_ccreds pam_krb5 pam_pkcs11 \
pam_smb pango paps pcmciautils pcsc-lite pcsc-lite-libs pinfo procmail rdate \
redhat-lsb redhat-menus rhpl rp-pppoe rsh sendmail setuptool slang sos \
specspo startup-notification syslinux system-config-network-tui \
system-config-securitylevel-tui tcpdump trousers unix2dos vconfig \
wireless-tools words wpa_supplicant xorg-x11-filesystem ypbind \
yp-tools yum-updatesd

Gnome Desktop configuration

# yum groupinstall "X Window System" "GNOME Desktop Environment"



                                           Or
# yum -y install xorg-X11 system-config-display gdm xterm gnome-desktop gnome-session
Run `system-config-display` to generate the "xorg.conf" file which will be saved to "/etc/X11/xorg.conf".
Set the runlevel to 5 in "/etc/inittab" and reboot.

                                                             Or
. Just mount your CentOS CD/DVD on /media/cdrom.
# mkdir /media/cdrom
# mount /dev/cdrom /media/cdrom/
The following will give you a fully functional GNOME core desktop:
# yum --disablerepo=\* --enablerepo=c5-media install \
gnome-session system-config-display xorg-x11-xinit gdm \
dbus-x11 gnome-applets
The following will add few basic GNOME utilities / tools:
# yum --disablerepo=\* --enablerepo=c5-media install \
gnome-terminal nautilus gedit firefox.x86_64