Category: Linux System

Install Zabbix with MariaDB, PHP7 and HTTPD on CentOS7

When it comes to monitoring, one of the best-known web applications is Zabbix. In this article, we will walk through the basic installation and configuration of a Zabbix machine on CentOS7. Zabbix is an open-source monitoring tool for diverse IT components, including networks, servers, virtual machines (VMs) and cloud services. It provides monitoring metrics such as network utilization, CPU load and disk space consumption, and it works on a client/server model.

Always check the official documentation for installation. The machine has been deployed on VirtualBox with the following configuration:

  • 2048 MB RAM
  • 1 CPU
  • 10GB storage
  • hostname zabbixserver (zabbixserver.local)
  • IP Address 192.168.0.30

1. After deploying your machine, always make sure it is up to date, then begin by installing a web server. I chose Apache httpd, which is well known and easy to install. Also consider installing the EPEL repository. After installing Apache httpd, start the service and enable it at boot.

yum install epel-release -y
yum install httpd -y
systemctl enable httpd
systemctl start httpd

2. We also need to install PHP. The latest PHP7 can be installed easily through a third-party repository (webtatic). Also consider the other PHP packages that connect to the database and provide the PHP CLI, mod_php for Apache, etc.

rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum install php72w mod_php72w php72w-common php72w-cli php72w-xml php72w-pear php72w-devel php72w-gd php72w-mysql php72w-mbstring php72w-bcmath

3. Then, tweak the PHP configuration file (/etc/php.ini) as follows:

max_execution_time = 700
max_input_time = 700
memory_limit = 512M
post_max_size = 64M
upload_max_filesize = 16M
date.timezone = US/Eastern

Note that the configuration depends on your location (timezone) as well as on the sizing of the machine.

4. Let’s now install MariaDB:

yum install mariadb-server -y
systemctl start mariadb
systemctl enable mariadb

5. Configure MariaDB by launching the following command and follow the prompts as shown in the screenshot below:

mysql_secure_installation

6. To access the database you need to run the command mysql -u root -p. Alternatively, you can define the password in /etc/my.cnf.d/client.cnf under the [client] header as follows:

password = xxxxx

In this way, you can just launch the mysql command to log in directly to the database.

Also consider making the database listen only locally, since we are deploying the Zabbix server to interact with the database on the same host. For that, modify the file /etc/my.cnf and under the [mysqld] header add the following parameter:

bind-address=127.0.0.1

7. Now it's time to create the database and assign the password and privileges. Connect to the MariaDB database and run:

create database zabbix_server;
grant all privileges on zabbix_server.* to 'zabbixuser'@'localhost' identified by 'zabbixpassword';
flush privileges;
quit

8. We will now install the Zabbix server. I got the repository from the official Zabbix website.

rpm -Uvh https://repo.zabbix.com/zabbix/4.4/rhel/7/x86_64/zabbix-release-4.4-1.el7.noarch.rpm
yum install zabbix-get zabbix-server-mysql zabbix-web-mysql zabbix-agent -y

Note that we installed both the agent and the server on the Zabbix server.

9. We will now populate the Zabbix database by loading the schema and tables into the database created at step 7:

zcat /usr/share/doc/zabbix-server-mysql-4.4.0/create.sql.gz | mysql zabbix_server

If your Zabbix server version is different, find the correct directory.

10. Modify the Zabbix server configuration in /etc/zabbix/zabbix_server.conf as follows:

DBName=zabbix_server
DBUser=zabbixuser
DBPassword=zabbixpassword
DBHost=localhost

11. Start and enable the Zabbix server:

systemctl start zabbix-server
systemctl enable zabbix-server

12. Modify the Zabbix agent configuration in /etc/zabbix/zabbix_agentd.conf as follows:

Server=127.0.0.1
ServerActive=127.0.0.1
Hostname=zabbixserver

13. Start and enable the Zabbix agent:

systemctl start zabbix-agent
systemctl enable zabbix-agent

14. Consider restarting all the services:

systemctl restart zabbix-agent
systemctl restart zabbix-server
systemctl restart mariadb
systemctl restart httpd

15. Add the following firewall rules:

firewall-cmd --add-service={http,https} --permanent
firewall-cmd --add-port={10050/tcp,10051/tcp} --permanent
firewall-cmd --reload

For more information about Firewalld, visit the article 35 commands to understand Firewalld in RHEL7 environment.

16. At this stage, the following link should be accessible:

http://192.168.0.30/zabbix/setup.php

17. Follow the steps and log in to your Zabbix machine with username admin and password zabbix.
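Once the steps above are done, the database side can be checked for the two things that matter most here: that MariaDB listens only on 127.0.0.1 (step 6) and that the files holding the DB password (client.cnf from step 6, zabbix_server.conf from step 10) are not readable by other users. The script below is an added example, not from the original article; it assumes the file paths used above and GNU stat, and only reads the files.

```shell
#!/bin/sh
# Added example, not from the original article: post-install checks for the
# database settings edited in steps 6, 7 and 10 above. It only reads files,
# so it can be pointed at copies; default paths are the article's own.

# cfg_get FILE KEY [SECTION]: print KEY's value. SECTION limits the search
# to one [section] of an INI-style file (my.cnf); empty matches anywhere
# (zabbix_server.conf has no sections). Commented lines never match.
cfg_get() {
    awk -v key="$2" -v sect="$3" '
        /^[[:space:]]*\[/ { in_sect = ($0 ~ ("^[[:space:]]*\\[" sect "\\]")); next }
        (sect == "" || in_sect) && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# others_have_access FILE: true when the "other" permission digit is not 0
others_have_access() {
    case "$(stat -c %a "$1")" in
        *0) return 1 ;;
        *)  return 0 ;;
    esac
}

# check_zabbix_db MY_CNF CLIENT_CNF SERVER_CONF
# Prints one FINDING line per problem; the return value is the number of findings.
check_zabbix_db() {
    findings=0
    bind=$(cfg_get "$1" bind-address mysqld)
    if [ "$bind" != "127.0.0.1" ]; then
        echo "FINDING: [mysqld] bind-address is '${bind:-unset}' in $1, expected 127.0.0.1"
        findings=$((findings + 1))
    fi
    # step 6 puts the root DB password in client.cnf: others must not read it
    if [ -n "$(cfg_get "$2" password client)" ] && others_have_access "$2"; then
        echo "FINDING: $2 holds the DB password but is readable by others (chmod 600)"
        findings=$((findings + 1))
    fi
    host=$(cfg_get "$3" DBHost)
    case "$host" in
        localhost|127.0.0.1) ;;
        *) echo "FINDING: DBHost is '${host:-unset}' in $3, expected localhost"
           findings=$((findings + 1)) ;;
    esac
    # step 10 puts DBPassword in zabbix_server.conf: the zabbix user needs to
    # read it, other users should not
    if [ -n "$(cfg_get "$3" DBPassword)" ] && others_have_access "$3"; then
        echo "FINDING: $3 holds DBPassword but is readable by others (chmod 640, group zabbix)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Run against the live files: sh check_zabbix_db.sh --run
if [ "$1" = "--run" ]; then
    check_zabbix_db /etc/my.cnf /etc/my.cnf.d/client.cnf /etc/zabbix/zabbix_server.conf
fi
```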


Setting up a basic mail server with Postfix, Dovecot and MariaDB

Setting up a mail server is very simple once you understand the basic concepts. In this blog post, I'm going to focus on the installation of a basic mail server using Postfix (MTA), Dovecot (MDA), and MariaDB. I will explain it step by step and cover the basics along the way. Also, have a VPS or any server with a public IP address ready for the mail server; for testing purposes, some people work around a dynamic public address using other tools available on the internet. I guess you must be ready by now. I am using an RHEL6 machine for this installation. The concept remains the same if you want to install on an RHEL7/8 or Ubuntu server machine. Let's see what tools and prerequisites are needed for the installation:

Photo credits: postfix.org
  • DNS record for your mail server.
  • Some Firewall rules to be allowed.
  • Postfix (MTA) – A Mail Transfer Agent that routes and delivers electronic mail. Postfix is both an SMTP server and an SMTP agent.
  • Dovecot (MDA) – A Mail Delivery Agent that is primarily used as a mail storage server. It is a secure IMAP and POP3 server and can also act as a mail proxy server.
  • MariaDB – A database server where you will store the users, domains, and aliases.

Now, in the real world this is not enough, as we need other components to improve security, robustness, and integrity: Dovecot with MariaDB and SASL interconnection for the mail server, plus DKIM, DANE, SPF, and DMARC. I will go into detail about those terms in future articles. In this article, I will focus on a classic basic mail server.

Adding the DNS record

1. You will need to add an ‘A’ DNS record, followed by an ‘MX’ record. I blurred the IP Address here for security purposes.

Some Firewall rules here

2. You will also need to allow IMAP (143) and SMTP (25) on the machine:

iptables -I INPUT -p tcp -s 100.100.100.100 --dport 143 -j ACCEPT
iptables -I INPUT -p tcp -s 100.100.100.100 --dport 25 -j ACCEPT

3. SSH into your server and add an entry to your /etc/hosts file. Example:

100.100.100.100 mail.tunnelix.com

Postfix configuration and installation

4. Install Postfix using the following command:

yum install postfix

5. Now, the settings to modify in /etc/postfix/main.cf are as follows:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.tunnelix.com
mydomain = tunnelix.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
mail_spool_directory = /var/spool/mail
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no

6. Launch the following command:

postfix reload && /etc/init.d/postfix restart

7. A netstat -ntpl should show port 25 listening on all IP addresses.

8. A telnet mail.tunnelix.com 25 should show you the following:

Notice the ESMTP Postfix banner after the telnet connects, which means that the Postfix server is up.

9. At this point, you should be able to send yourself an e-mail from your Gmail account, which proves that your Postfix is working fine.

10. The mailbox is located in the user's Maildir directory. Let's say you have a user called 'tom' and you have sent the mail to tom@tunnelix.com; then you should get the mail in /home/tom/Maildir.

Dovecot installation and configuration

11. Perform the installation of the dovecot package and its dependencies:

yum install dovecot

12. Edit the /etc/dovecot/dovecot.conf file and set the following parameter:

listen = *

13. Edit /etc/dovecot/conf.d/10-auth.conf and set the following parameters:

disable_plaintext_auth = no

auth_mechanisms = plain login

14. Edit /etc/dovecot/conf.d/10-mail.conf and set the following parameters:

mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u

mail_privileged_group = mail

15. Okay, at this stage the dovecot service should be running, and telnet localhost 143 should show you 'Dovecot Ready'.

Testing your mail system

16. You can test your outgoing mail as follows:

echo "This is a test" | sudo mail -s "This is a test" [email protected] -aFrom:[email protected]

17. For incoming mail, check in the following directory:

/var/spool/mail/vhosts
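The closing note of this post says the build is for learning only; the script below is an added example, not from the original post, that reads the three files edited in steps 5, 13 and 14 and reports the settings behind that note (cleartext IMAP logins, no STARTTLS on port 25), as well as a Maildir/mbox mismatch between Postfix's home_mailbox and Dovecot's mail_location. It assumes the paths used above and takes them as arguments so it can run on copies.

```shell
#!/bin/sh
# Added example, not from the original post: reads the Postfix and Dovecot
# files edited in steps 5, 13 and 14 and reports the settings that make this
# a lab-only build (cleartext IMAP logins, no STARTTLS on 25) plus a mailbox
# format mismatch between the two daemons. Paths are arguments so it can be
# run against copies of the files.

# conf_get FILE KEY: value of "KEY = value"; commented lines are skipped and,
# as in both daemons, the last occurrence wins.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_mail MAIN_CF AUTH_CONF MAIL_CONF: one FINDING line per problem;
# the return value is the number of findings.
audit_mail() {
    n=0
    if [ "$(conf_get "$2" disable_plaintext_auth)" = "no" ]; then
        echo "FINDING: disable_plaintext_auth = no in $2: IMAP logins on port 143 carry the password in clear"
        n=$((n + 1))
    fi
    # Postfix announces STARTTLS only when one of these is set
    # (smtpd_use_tls is the older spelling, still honoured).
    if [ -z "$(conf_get "$1" smtpd_tls_security_level)" ] && [ "$(conf_get "$1" smtpd_use_tls)" != "yes" ]; then
        echo "FINDING: no smtpd_tls_security_level/smtpd_use_tls in $1: SMTP on port 25 is cleartext only"
        n=$((n + 1))
    fi
    # home_mailbox ending in "/" means Postfix delivers to a Maildir under
    # $HOME; a Dovecot mail_location starting with "mbox:" looks elsewhere,
    # so mail is delivered but never shown over IMAP.
    hm=$(conf_get "$1" home_mailbox)
    ml=$(conf_get "$3" mail_location)
    case "$hm" in
        */) case "$ml" in
                mbox:*) echo "FINDING: Postfix home_mailbox = $hm (Maildir) but Dovecot mail_location = $ml (mbox)"
                        n=$((n + 1)) ;;
            esac ;;
    esac
    return "$n"
}

# On the server itself: sh audit_mail.sh --run
if [ "$1" = "--run" ]; then
    audit_mail /etc/postfix/main.cf /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-mail.conf
fi
```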

Tips:

  • Some terms are important to grasp in order to understand the basics behind mail transmission and reception:
    1. MUA (Mail User Agent): software used for mail message retrieval, commonly known as an email client, such as mutt, Evolution, and Thunderbird.
    2. MTA (Mail Transfer Agent): software that transfers mail from one device to another using SMTP.
    3. MDA (Mail Delivery Agent): another software component that helps with the delivery of email.
Credits: ccm.net

Note: This type of mail configuration is for learning purposes only. Do not apply it to a production environment without considering the security implications. In future articles, I will explain how to secure your mail using DANE, DMARC, SPF, and DKIM.


35 commands to understand Firewalld in RHEL7 environment

Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges, and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly. (Source: Firewalld.org)

Photo Credits: Cloudflare.com

IPtables VS Firewalld

In RHEL6, we had iptables. Now, in RHEL7, the firewall mechanism, or rather the firewall daemon, changed to firewalld. Both serve the same purpose, i.e., packet filtering using the Netfilter module built into the Linux kernel. However, it is important to know why firewalld took over from iptables. With firewalld you can change settings dynamically while in production, whereas iptables needs to flush out the entire rule set once a change has been made. Another difference is that firewalld supports both IPv4 and IPv6 out of the box, whereas with iptables you have to install ip6tables for IPv6 support. For those who are not acquainted with IPv6, please check out the article "Diving into the basics of IPv6". To briefly describe firewalld, it is a set of services and daemons that manage Netfilter in the Linux kernel. Finally, it is important to understand that both RHEL6 and RHEL7 use the iptables commands to talk to Netfilter.

Photo Credits: 8gwifi.org

Zones concept in Firewalld

One of the important concepts in firewalld is 'zones'. Zones are groups of rules managed by firewalld. Zones are based on the level of trust a user places in the interface and the traffic within a network, and they are ordered from least trusted to most trusted. These are the types of zones:

  • Drop zones: This is where incoming connections are dropped without any message.
  • Block zones: Same as the drop zone, except that an ICMP reject reply is sent.
  • Public zones: An untrusted zone, but connections may be allowed on a case-by-case basis.
  • External zones: Used when your firewall is also a gateway or, simply, a configuration for NAT.
  • Internal zones: This is the other side of the gateway or, simply, the firewall configuration used inside your own network, usually a private network.
  • Demilitarized zones: Demilitarized zones, or DMZ, is where only selected incoming connections are allowed.
  • Work zones: Most hosts on the network are trusted, which makes it possible to allow more services.
  • Home zones: The level of trust is higher again and many more restrictions are removed.
  • Trusted: Here, there is absolute trust. Note that this should be used carefully.

VIEW information on your firewall

1. You can check whether your firewall is running with either of the following commands:

systemctl status firewalld
firewall-cmd --state

2. As mentioned earlier, we can also check the default zone, i.e. the zone an interface card is placed in unless configured otherwise:

firewall-cmd --get-default-zone


3. Now, to check which interface card is in which zone, simply run the following. As you can see below, both interface cards enp0s3 and enp0s8 are in the active zone:

firewall-cmd --get-active-zones


4. To check which rules are in the zones:

firewall-cmd --list-all

5. If you want to get all the existing zones, simply do the following:

firewall-cmd --get-zones

6. To list all existing rules within each zone, use the following. It also tells you which zone your interfaces are in:

firewall-cmd --list-all


7. But you can still list the rules for a specific zone, say the 'home' zone:

firewall-cmd --zone=home --list-all

8. For more details of all zones:

firewall-cmd --list-all-zones

9. We have also seen, for example, in part 4 that listing a zone also shows us the services associated with it. But we can also see the full list of services known to firewalld with the firewall-cmd command:

firewall-cmd --get-services

The services are just XML files located in /usr/lib/firewalld/services.

Change information on the Firewall

10. Let’s say you want to move one interface from one zone to another zone. In my case, I want to move enp0s3 from the public to the home zone.

firewall-cmd --zone=home --change-interface=enp0s3

You can verify this with firewall-cmd --list-all-zones.

11. Alternatively, you can verify it with the command:

firewall-cmd --get-active-zones

12. Please note that restarting the firewalld service will lose the change carried out above. To make it persist across a restart of the service, open the configuration of the network card, /etc/sysconfig/network-scripts/ifcfg-enp0s3, and add the following line to it:

ZONE=home

13. Also note that you can always change the default zone from public to home directly with the command:

firewall-cmd --set-default-zone=home

14. To add a specific service to a zone, for example adding https to the public zone:

firewall-cmd --zone=public --add-service=https

15. Please note that this is only temporary: after a restart of the service, https will no longer be in the public zone. To make it permanent:

firewall-cmd --permanent --zone=public --add-service=https

Always apply and test your change with firewall-cmd --reload.

16. Most of the time, if you are running your own custom application, let's say on port 8080, and the service is not listed by firewall-cmd --get-services, you can still add it to a zone by specifying the port:

firewall-cmd --permanent --zone=public --add-port=8080/tcp

After adding the port, you must reload firewalld to see the change.

More crazy Firewalld rules

17. You can also specify a range, for example, from 8000 to 8080 using the command:

firewall-cmd --permanent --zone=public --add-port=8000-8080/tcp

18. More interesting, if you want to allow a specific IP address for a specific zone, you can use the --add-source parameter:

firewall-cmd --permanent --zone=public --add-source=10.0.3.16/24

19. We can also block a specific IP address from a zone. Let's say we want to block 10.10.10.10/24 from the zone public. For that, we use the --add-rich-rule parameter:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.10.10/24" reject'

20. You might also want a particular service to be allowed only from a particular IP address. Let's say we want to allow 10.10.10.5 in the zone public for the FTP service only. In the example below, limit value="2/m" means to limit to 2 connections per minute.

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.10.5/24" service name="ftp" log prefix="tftp" level="info" limit value="2/m" accept'
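A caveat for the --add-source and rich-rule examples in steps 18 to 20: a source written as 10.10.10.10/24 is accepted by firewalld, but the rule matches the whole 10.10.10.0/24 block, not the single host. The helpers below are an added example, not from the original article; they normalise a source to its network before building the step 19 command and flag inputs with host bits set (POSIX sh, no external tools).

```shell
#!/bin/sh
# Added example, not from the original article. firewalld accepts a source
# such as 10.10.10.10/24, but the rule it installs matches the whole
# 10.10.10.0/24 block, not one host. These helpers normalise a source before
# it goes into the rich rule of step 19 and flag that case, so the rule says
# what it actually matches (use /32, or no prefix, for a single address).

# valid_ipv4 A.B.C.D: true for four decimal octets in 0..255
valid_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

ip_to_int() {   # dotted quad -> 32-bit integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {   # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_network ADDR[/PREFIX]: prints the network ADDR belongs to, in
# canonical form. Returns 0 if ADDR already was the network address, 1 if
# host bits were set, 2 if the input is malformed.
cidr_network() {
    addr=${1%/*}; prefix=${1#*/}
    [ "$addr" != "$1" ] || prefix=32        # bare address = single host
    valid_ipv4 "$addr" || return 2
    case "$prefix" in ''|*[!0-9]*) return 2 ;; esac
    [ "$prefix" -le 32 ] || return 2
    if [ "$prefix" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - prefix)) & 4294967295 )); fi
    ip=$(ip_to_int "$addr")
    net=$(( ip & mask ))
    echo "$(int_to_ip "$net")/$prefix"
    [ "$net" -eq "$ip" ]
}

# source_reject_rule ADDR[/PREFIX]: prints the step 19 command with the
# source normalised; warns on stderr when the input named a host inside a
# block. Returns 1 and prints nothing for malformed input.
source_reject_rule() {
    if net=$(cidr_network "$1"); then
        :
    elif [ $? -eq 1 ]; then
        echo "note: $1 has host bits set, the rule will match all of $net" >&2
    else
        echo "error: $1 is not a valid IPv4 address or CIDR" >&2
        return 1
    fi
    echo "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"$net\" reject'"
}
```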
21. Let's say you want to know which zone a specific interface is in. You can use the following command:

firewall-cmd --get-zone-of-interface=enp0s3

22. You can also find out which interfaces are in a particular zone:

firewall-cmd --zone=public --list-interfaces

23. To stop all communications, let's say during an attack, you can fire this command:

firewall-cmd --panic-on

24. You can also stop the panic using the following command:

firewall-cmd --panic-off

25. You can also check whether panic mode is on using the following command:

firewall-cmd --query-panic

NAT, Port Forwarding and Masquerading

Network Address Translation (NAT) is a strategy to hide one IP address space behind another IP address by modifying the network address information in the IP header of packets as they transit through a routing device.

Port Address Translation (PAT), sometimes called port forwarding, works the same way except that it works at port level. For example, you can forward port 22 on your public IP address to port 8000 on your internal web server.

The word masquerading itself means to pass as something else. NAT masquerading is another strategy to allow a device that does not have a public IP address to communicate with other computers on the internet. IP masquerading means to set up an IP gateway for a device.

26. To check whether masquerading is on or off, you can use the following command:

firewall-cmd --query-masquerade

27. Or, to query a particular zone for whether masquerade is on or off, simply use the --zone parameter:

firewall-cmd --zone=public --query-masquerade

28. To enable masquerade for the zone public:

firewall-cmd --zone=public --add-masquerade

29. Before setting up port forwarding, we need to enable masquerading:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.10.5/24" masquerade'

30. Now, let's say we want to forward all SSH traffic, which is on port 22, to port 8000. This can be achieved using the following command:

firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=8000

31. Since we did not define an IP address, it will redirect to localhost. Otherwise, you can also add an IP address:

firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=8000:toaddr=10.0.2.16

32. You can also query it using the --query-forward-port parameter:

firewall-cmd --permanent --zone=public --query-forward-port=port=22:proto=tcp:toport=8000:toaddr=10.0.2.16

Other stuff in Firewalld

33. You can also manage firewalld through a graphical user interface. This is done by installing the package firewall-config with the following command:

yum install firewall-config

34. There are other ways to check whether firewalld is running:

systemctl status firewalld
firewall-cmd --state

35. To activate debug mode in the firewalld logs, add the following parameter in /etc/sysconfig/firewalld:

FIREWALLD_ARGS='--debug'

After setting the parameter, the service needs to be restarted.

If you want to get to the Ninja level using firewalld, please refer to this blog article by certdepot.net


Getting started with Terraform

Terraform is an open-source tool created by HashiCorp and written in the Go programming language. Terraform lets us define our infrastructure as code using a declarative language. It's important to understand that the Terraform language is declarative: it describes an intended end state rather than the steps to reach it. Once you define your infrastructure, Terraform figures out how to create it. Terraform also supports a variety of cloud providers and virtualization platforms such as AWS, Azure, VMware, OpenStack, etc. This is pretty cool as it eliminates several manual tasks, for example creating several AWS instances.

Photo credits: terraform.io

Installation of Terraform

1. This is pretty simple. You just have to go to the official website and download the package. In my case, I am on a Linux machine, so I am choosing the Linux 64-bit package.

To download and unzip it, use the following command:

wget https://releases.hashicorp.com/terraform/0.12.10/terraform_0.12.10_linux_amd64.zip && unzip terraform*.zip

2. I moved the binary to /usr/local/bin. Make sure that directory is in your PATH environment variable.

mv terraform /usr/local/bin

3. By now, you should have the binary and be able to check the version:

terraform version

Setting up API call for Terraform on AWS

4. We also need to allow Terraform to make API calls on our behalf. I will be calling the AWS API. For that, you will need to create a user in AWS IAM and assign the rights and policies. Assuming that you have already created the user and have its credentials, export them as follows:

export AWS_ACCESS_KEY_ID="AKIA***************"
export AWS_SECRET_ACCESS_KEY="mVTwU6JtC***************"
export AWS_DEFAULT_REGION="us-east-1"

Writing the codes

5. Once you are done exporting the credentials, you can start writing your Terraform code. The whole code is on my GitHub and you can download it for free.

The first thing is to configure the provider and the region.

provider "aws" {
  region = "us-east-1"
}

6. Each provider supports different kinds of resources such as load balancers, servers, databases, etc. In this example, we are creating a single EC2 instance. I have chosen the Amazon Linux AMI and the smallest instance type, a nano. The tags are just identifiers in AWS.

resource "aws_instance" "web" {
  ami           = "ami-0b69ea66ff7391e80"
  instance_type = "t2.nano"
}

7. Then run terraform init to initialize the Terraform working directory. By that, I mean that it will download the AWS plugin. You should see similar output on your screen.

8. Before performing the actual change, you can run terraform plan to see what changes will be made. A plus sign marks what is going to be added and a minus sign what is going to be removed.

9. To create the instance, run terraform apply. It will prompt you to type 'yes' to continue with the creation.

10. If you go to the AWS EC2 console, you will notice that the resource has been created successfully.

11. Hey, it's not over yet! There are more things that need to be added, for example the name of the instance. Let's call it Nginx-Server. Add the tags below to the instance resource, then run terraform apply again.

  tags = {
    Name = "Nginx-Web"
  }

Adding User Data and Security groups

12. At this stage, I believe you understand what Terraform is and how it works. To install Nginx on the instance, add the following block of lines to the instance resource:

  user_data = <<-EOF
    #!/bin/bash
    yum install nginx -y
    systemctl start nginx
    systemctl enable nginx
  EOF

13. To add the security group, enter this code:

resource "aws_security_group" "allow_http" {
  name        = "allow_http"
  description = "Allow HTTP inbound traffic"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

14. In part 6, under instance_type, I have added this line. What does it mean? "aws_security_group" is the resource type, "allow_http" is the name given to the security group in part 13, and lastly "id" is the attribute.

  vpc_security_group_ids = ["${aws_security_group.allow_http.id}"]

15. Note that when running terraform apply, Terraform will destroy the old machine and build a new one, which implies some downtime.

16. You can also view your code as a graph. Launch the command terraform graph. The output can be made more human-readable with Graphviz, which you have to install; you can also go to webgraphviz.com to view it online.

It is very interesting to understand the dependency when using declarative language in Terraform. The full code can be viewed here on my Github Repository.



Recover logical volumes data from deleted LVM partition

Have you ever deleted a logical volume by accident? Can you recover it from the backups? Well, the answer is YES. For those who are not familiar with it, Logical Volume Management (LVM) "is a device mapper target that provides logical volume management for the Linux kernel" (Wikipedia). It is an abstraction layer, or software, placed on top of your hard drive for flexible manipulation of the disk space. Some of the articles published in the past on LVM are:

All tests in this blog post were carried out on a CentOS machine. Please don't run a live test on a production server.

Image Credits: Redhat.com

1. So, as you can see below, I have an LV called lvopt in a VG called centos.

2. It is mounted on /opt.

3. There is some data in that partition as well:

4. I created a directory inside /opt.

5. Now, let's pretend to remove the LV lvopt. Or say someone did it by accident because it was unmounted. The command lvremove will be used here to remove the LV. Note that the LV needs to be unmounted.

6. If you run lvs, lvdisplay or vgs, or even try to mount the partition again, you cannot: the data is lost. But you can still recover it, because LVM keeps an archive of your VG metadata in the folder /etc/lvm/archive. However, you cannot read the files directly.

7. But you can still interpret part of the files. Since we deleted a volume from the volume group called "centos", we know that it is referenced in the files named centos_… The question that arises here is which file is relevant for you. Right? So, to find out which archive you want to restore, use the command vgcfgrestore --list <name of volume group>. Here is an example:

8. If you observe carefully, each archive was taken at a certain time. In my case, I deleted the LV on 18-Apr-2019 at 11:17:17:

9. So, I want to restore from that last archive. You will need the full path of the vg file. In my case it is /etc/lvm/archive/centos_00004-1870674349.vg. The goal here is to restore the LV as it was before this specific time, or simply to restore the LV to the state before the lvremove command was fired. Here is the command:

10. If you run the command lvs, you will notice the presence of the LV.

11. But mounting the LV back won't work yet, because the LV is inactive. You can see it with the command lvscan. Please note below that lvopt is inactive.

12. To activate it, you simply need to use the command lvchange.

13. Mount it back and you are done.
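Step 7 leaves open which archive to pick; the script below is an added example, not from the original post, that selects it from vgcfgrestore --list output (the last archive taken *before* an lvremove of the named LV) and prints the restore, activation and mount commands for steps 9, 12 and 13 instead of running them. The sample listing inside it is constructed; only the centos_00004-1870674349.vg name and the 11:17:17 timestamp come from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Picks the archive for step 9
# out of `vgcfgrestore --list VG` output and prints, without running them,
# the commands for steps 9, 12 and 13 so they can be reviewed first:
# vgcfgrestore overwrites the VG's live metadata.

# last_archive_before LV: reads `vgcfgrestore --list` output on stdin and
# prints the path of the last archive whose Description says it was taken
# *before* an lvremove of LV (the archive holding the LV as it was just
# before deletion). Returns 1 if there is none. "LV'" (with the closing
# quote) is matched so that lvopt does not also match lvopt2.
last_archive_before() {
    awk -v lv="$1" '
        /^[ \t]*File:/ { file = $2 }
        /^[ \t]*Description:/ && index($0, "*before*") && index($0, "lvremove") && index($0, lv "\047") { hit = file }
        END { if (hit == "") exit 1; print hit }'
}

# restore_plan VG LV ARCHIVE MOUNTPOINT: the restore, reactivation and mount
# commands, one per line.
restore_plan() {
    printf '%s\n' \
        "vgcfgrestore -f $3 $1" \
        "lvchange -ay $1/$2" \
        "lvscan" \
        "mount /dev/$1/$2 $4"
}

# Constructed sample of `vgcfgrestore --list centos` output, in the layout
# the tool prints. Only centos_00004-1870674349.vg is the file name quoted
# in step 9; the other entries are made up for the demonstration.
sample_list() {
    cat <<'EOF'
  File:         /etc/lvm/archive/centos_00002-0000000002.vg
  VG name:      centos
  Description:  Created *before* executing 'lvcreate -L 2G -n lvopt centos'
  Backup Time:  Thu Apr 18 10:55:03 2019

  File:         /etc/lvm/archive/centos_00003-0000000003.vg
  VG name:      centos
  Description:  Created *before* executing 'lvremove /dev/centos/lvtmp'
  Backup Time:  Thu Apr 18 11:02:41 2019

  File:         /etc/lvm/archive/centos_00004-1870674349.vg
  VG name:      centos
  Description:  Created *before* executing 'lvremove /dev/centos/lvopt'
  Backup Time:  Thu Apr 18 11:17:17 2019

  File:         /etc/lvm/backup/centos
  VG name:      centos
  Description:  Created *after* executing 'lvremove /dev/centos/lvopt'
  Backup Time:  Thu Apr 18 11:17:17 2019
EOF
}

# Live use (read-only until you run the printed commands yourself):
#   sh lvm_pick_archive.sh --run centos lvopt /opt
# Without arguments it demonstrates on the constructed sample.
if [ "$1" = "--run" ]; then
    archive=$(vgcfgrestore --list "$2" | last_archive_before "$3") \
        || { echo "no archive taken before an lvremove of $3" >&2; exit 1; }
    restore_plan "$2" "$3" "$archive" "$4"
elif [ $# -eq 0 ]; then
    archive=$(sample_list | last_archive_before lvopt) && restore_plan centos lvopt "$archive" /opt
fi
```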

I believe this can be very useful, especially when someone has deleted an LV. I hope you enjoy this blog post. Please share and comment below if you like it.