Category Archives: Linux

Some Linux topics, hacks, fixes, bugs and so on: everything that seems important to me.

Webserver certificate-creation script

Today I got some time to take care of my server, so I installed the latest updates, checked the system for attacks, and when I checked my SSL certificates I found out that they were only valid until April 2015 … oops … OK, they are not officially signed and I only use them to encrypt sensitive communication with my server, but I wanted to fix that issue and some other little issues I found when checking my blog with https://www.ssllabs.com/ssltest/analyze.html?d=blog.fawcs.info.

Because I also had to regenerate the certificates for my other subdomains, I wrote a little script to do that for me (and to use it in the future, because I always have to look up how SSL certificates are generated).


So here is the script:

[pastacode lang="bash" message="SSL cert-generation" highlight="" provider="manual"]

#!/bin/bash

# Usage: <script> <domain>  -> writes <domain>.key and <domain>.crt
if [ -z "$1" ]; then
        echo "Parameter 1 for Domain is missing"
        exit 1
fi

# 2048-bit RSA private key for the domain
openssl genrsa -out "$1.key" 2048
# the key must not be world-readable (older OpenSSL leaves it at the umask default)
chmod 600 "$1.key"
# self-signed certificate, valid for 1024 days, with the domain as CN
openssl req -x509 -new -nodes -key "$1.key" -days 1024 -out "$1.crt" -subj "/C=AT/ST=Vienna/L=Vienna/O=fawCS.info/CN=$1"

[/pastacode]
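The same generation step with the things the script above leaves out, written here as an added example and not as the original script: a subjectAltName (browsers require it; a CN alone is no longer accepted), a private key that is never world-readable, and an expiry check so the next "valid until April 2015" surprise is caught in advance. The DN values are the ones from the script; the config layout, the function names and the 1024-day lifetime are assumptions, and it needs the openssl CLI.

```shell
#!/bin/bash
# Added example, not the original script: self-signed cert with subjectAltName,
# 0600 key file, and an expiry check.  Usage: ./mkcert.sh blog.example.com [www.example.com ...]
set -e

# "a.example.com b.example.com" -> "DNS:a.example.com,DNS:b.example.com"
san_list() {
    out=""
    for name in "$@"; do
        out="${out:+$out,}DNS:$name"
    done
    printf '%s' "$out"
}

# Minimal OpenSSL request config (assumed layout). DN values are the ones from
# the post; every name, CN first, goes into subjectAltName.
write_req_config() {
    cn=$1
    cat <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no

[dn]
C  = AT
ST = Vienna
L  = Vienna
O  = fawCS.info
CN = $cn

[v3_req]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = $(san_list "$@")
EOF
}

# Generate <cn>.key (mode 0600 via umask) and a <cn>.crt valid for 1024 days.
gen_cert() {
    cn=$1
    cfg=$(mktemp)
    write_req_config "$@" > "$cfg"
    (
        umask 077          # private key must never be world-readable
        openssl genrsa -out "$cn.key" 2048 2>/dev/null
    )
    openssl req -x509 -new -nodes -key "$cn.key" -days 1024 \
        -config "$cfg" -out "$cn.crt"
    rm -f "$cfg"
}

# Print the SANs embedded in a certificate, to verify what was generated.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Exit 0 if the cert stays valid for at least N more days, non-zero if it expires
# sooner; run this from cron to be warned before a certificate runs out.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

if [ $# -ge 1 ]; then
    gen_cert "$@"
    echo "SAN: $(cert_sans "$1.crt")"
    cert_valid_for_days "$1.crt" 30 && echo "valid for at least 30 more days"
fi
```

`cert_valid_for_days` is the check that was missing in April 2015: `openssl x509 -checkend` returns non-zero as soon as the certificate expires within the given window, so a one-line cron job can mail a warning weeks ahead.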

 

I also tightened the TLS settings in my virtual host configuration files. Ephemeral Diffie-Hellman (DHE) key exchange got excluded from the available ciphers because of the Logjam attack (CVE-2015-4000): a man-in-the-middle can downgrade a connection to export-grade 512-bit DHE, which is feasible to break, and most servers use the same few DH groups, so the precomputation pays off across many sites. Dropping DHE (the `!EDH+aRSA` in the cipher string below) leaves ECDHE for forward secrecy; the alternative is to keep DHE with a custom 2048-bit group (`SSLOpenSSLConfCmd DHParameters` in Apache 2.4.8+ with OpenSSL 1.0.2+).
http://www.heise.de/security/meldung/Logjam-Attacke-Verschluesselung-von-zehntausenden-Servern-gefaehrdet-2657502.html [German]

Extract of settings (note that `!RC4` at the end of the cipher string overrides the earlier `EECDH+aRSA+RC4` entry, so RC4 is never offered; TLS 1.0 and 1.1 remain enabled):

TraceEnable off
ServerSignature Off
ServerTokens Prod
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH !EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

It is also always a good idea to protect specific directories (for example wp-admin 🙂 ) with .htaccess, either with extra users (HTTP authentication) or with IP ACLs.

Some other interesting settings to make Apache more secure can be found here: http://www.tecmint.com/apache-security-tips/

RHEL 6: loop devices

If you need to mount a lot of ISOs on a system, you can run into the problem that no free loop devices are left.
There are several solutions, from running "MAKEDEV -v /dev/loop" at boot time (e.g. add it to rc.local) to creating a file called loop.conf in /etc/modprobe.d/ with the following line (this only takes effect where loop is loaded as a module; on RHEL 6 the loop driver is compiled into the kernel, so the kernel parameter below is what actually applies):

[pastacode lang="bash" message="" highlight="" provider="manual"]

options loop max_loop=128

[/pastacode]

Finally, the parameter max_loop=128 has to be appended to the kernel line in the GRUB config file (/boot/grub/grub.conf):

[pastacode lang="bash" message="" highlight="" provider="manual"]

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/mapper/vg1-root
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --encrypted ******************************************************************
title Red Hat Enterprise Linux 6 (2.6.32-504.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-504.el6.x86_64 ro root=/dev/mapper/vg1-root rd_NO_LUKS LANG=en_US.UTF-8  KEYBOARDTYPE=pc KEYTABLE=de-latin1-nodeadkeys rd_NO_MD rd_LVM_LV=vg1/root SYSFONT=latarcyrheb-sun16 rd_LVM_LV=vg1/swap crashkernel=auto rd_NO_DM max_loop=128
        initrd /initramfs-2.6.32-504.el6.x86_64.img

[/pastacode]

Instead of MAKEDEV (which creates 264 loop devices), the following snippet can be used to create only loop8 to loop64:


[pastacode lang="bash" message="" highlight="" provider="manual"]

# loop8 .. loop64: block devices, major 7, minor N, mode 0640
for i in $(seq 8 64); do
    mknod -m 640 /dev/loop$i b 7 $i
done
chown root:disk /dev/loop*

[/pastacode]
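An idempotent variant of the mknod list above, added here as an example and not taken from the post: it creates only the nodes that do not exist yet, so it can run from rc.local on every boot without mknod failing on nodes that are already there, and it reports how many nodes of the range exist afterwards. Major 7, mode 0640 and root:disk are the values from the snippet; DEVDIR (so the logic can be tried in a scratch directory) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: create only the loop device nodes that are
# still missing in a range.  Usage: ./mkloop.sh 8 64   (as root)
DEVDIR="${DEVDIR:-/dev}"   # assumed override so the logic can be exercised elsewhere

# Print the indices in [START, END] for which $DEVDIR/loopN does not exist yet.
missing_loop_indices() {
    i=$1
    while [ "$i" -le "$2" ]; do
        [ -e "$DEVDIR/loop$i" ] || printf '%s\n' "$i"
        i=$((i + 1))
    done
}

# Create the missing nodes only: block device, major 7, minor N, mode 0640,
# owned by root:disk (the same values the mknod list above uses).
create_loop_nodes() {
    for i in $(missing_loop_indices "$1" "$2"); do
        mknod -m 640 "$DEVDIR/loop$i" b 7 "$i"
        chown root:disk "$DEVDIR/loop$i"
    done
}

# Count how many nodes of the range exist, to verify the result.
count_loop_nodes() {
    n=0
    i=$1
    while [ "$i" -le "$2" ]; do
        [ -e "$DEVDIR/loop$i" ] && n=$((n + 1))
        i=$((i + 1))
    done
    echo "$n"
}

if [ $# -eq 2 ]; then
    create_loop_nodes "$1" "$2"
    echo "loop nodes $1..$2 present: $(count_loop_nodes "$1" "$2")"
fi
```

Remember that the node count is only half of it: the kernel still has to allow that many loop devices (max_loop on the kernel line as shown above), otherwise the extra nodes exist but cannot be used.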

 

Getting vCenter alarms to Zabbix

VMware is a really nice product, but there is one little problem: it is really hard to monitor VMware products with SNMP or any other "old school" technology.
The actual problem is to get an alarm into Zabbix when an error occurs on the vCenter, because Zabbix is used as the umbrella monitoring for the whole environment.
All this could also be done with SNMP traps, which would be a lot easier at first glance, but Zabbix is ... how do I say ... not the best tool for monitoring events. It is designed to monitor states.

So it is designed to continuously monitor a specific value: if this value rises above a defined threshold an alert is shown, and when it falls below the threshold again the problem disappears.
With events there is the problem that we only get one single value which describes the error. So firstly we have to analyze the received value/message, and secondly: how do we know when the problem is OK again? That is one of the design flaws of Zabbix: there is no way to reset such an event to "OK" once it has happened.
So we need to monitor the vCenter alarms themselves, because those are raised when a problem occurs and disappear when the state changes back to OK.

So how do we get all the vCenter alarms into Zabbix? I do not want to copy/create all the alarms by hand, because it is a dynamic environment and alarms can be added or deleted, so the system has to "import" the alarms "on the fly" from the vCenter.
Since Zabbix 2.0 there are low-level discovery rules, which are helpful for importing dynamic values. So I use a discovery rule to periodically pull the alarm list from the vCenter and create an item for every alarm. All alarms in the vCenter need to be configured to run a custom alarm action when an alarm becomes active, which sends the current status to Zabbix, and voilà, we are done.
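The rest of the post is not on this page, so what follows is an added example of the two message formats the design described here needs, not the post's own implementation: the discovery payload the LLD rule consumes (one entry per alarm) and the line a vCenter alarm action would hand to zabbix_sender with the current status. The macro names {#ALARMID}/{#ALARMNAME}, the item key vcenter.alarm[<id>], the numeric status mapping, the use of zabbix_sender and the sample alarm list are all assumptions; only the gray/green/yellow/red overall-status values are vCenter's own.

```shell
#!/bin/sh
# Added example (not the post's implementation): build the Zabbix LLD payload
# and the zabbix_sender input line for vCenter alarms.

# Constructed sample, "<alarm MoRef id><TAB><alarm name>" per line, in the
# shape an export of the vCenter alarm list might have (assumed format).
SAMPLE_ALARMS=$(printf 'alarm-1\tHost connection state\nalarm-7\tDatastore usage on disk\nalarm-12\tVirtual machine "CPU" usage')

# Escape backslash and double quote so an alarm name is safe inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Discovery payload for the LLD rule: one {#ALARMID}/{#ALARMNAME} entry per
# "id<TAB>name" line read from stdin (Zabbix 2.x "data" wrapper).
lld_payload() {
    tab=$(printf '\t')
    first=1
    printf '{"data":['
    while IFS="$tab" read -r id name; do
        [ -n "$id" ] || continue
        [ "$first" -eq 1 ] || printf ','
        first=0
        printf '{"{#ALARMID}":"%s","{#ALARMNAME}":"%s"}' \
            "$(json_escape "$id")" "$(json_escape "$name")"
    done
    printf ']}'
}

# Map vCenter's overall alarm status (ManagedEntityStatus) to a number a trigger
# can compare against: gray/green -> 0 (OK), yellow -> 1, red -> 2 (assumed mapping).
alarm_value() {
    case "$1" in
        gray|green) echo 0 ;;
        yellow)     echo 1 ;;
        red)        echo 2 ;;
        *) echo "unknown alarm status: $1" >&2; return 1 ;;
    esac
}

# One input line for `zabbix_sender -z <server> -i -`: <host> <key> <value>.
# The alarm id (no spaces) is the key parameter, so the line stays whitespace-delimited
# and the item created by discovery and the pushed value use the same key.
sender_line() {
    v=$(alarm_value "$3") || return 1
    printf '%s vcenter.alarm[%s] %s\n' "$1" "$2" "$v"
}

# Demo run on the constructed sample: discovery payload, then a red and a green push.
printf '%s\n' "$SAMPLE_ALARMS" | lld_payload
echo
sender_line vcenter01 alarm-7 red
sender_line vcenter01 alarm-7 green
```

Because the alarm action pushes a value on every state change, the item goes back to 0 when vCenter clears the alarm, which is exactly the state-based behaviour the trigger needs and the reason plain event traps do not fit.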

Continue reading Getting vCenter alarms to Zabbix