Mauritian living in the USA | Founding member of cyberstorm.mu | Creator of tunnelix.com | Devops Engineer | Hacker at IETF Hackathon | VCA & VCP | Love and Believe in OpenSource
When it comes to monitoring, one of the famous web application for monitoring is Zabbix. In this article, we will see the basic installation and configuration of a Zabbix machine on a CentOS7. Zabbix is an open-source monitoring software tool for diverse IT components, including networks, servers, virtual machines (VMs) and cloud services. Zabbix provides monitoring metrics, among others network utilization, CPU load and disk space consumption. It works as a Client/Server model.
1. After deploying your machine, always make sure it is up-to-date and begin by installing a web server. I chose Apache httpd which is pretty famous and can be installed pretty easily. Also, consider installing the Epel Repository. After installing the Apache httpd, start the service and set it on auto-restart mode.
2. We also need to install PHP. The latest PHP7 can be easily installed through a repository. Also consider other PHP packages that will connect with the database, providing the PHP CLI, MOD PHP for Apache, etc..
5. Configure MariaDB by launching the following command and follow the instruction as shown in the screenshot below:
mysql_secure_installation
6. To access the database you need to launch the command mysql -u root -p. However, you can also define the password in /etc/my.cnf.d/client.cnf under the [client] header enter the password as follows:
password = xxxxx
In this way, you can just launch the mysql command to log in directly to the database.
Consider also to make the database listen-only locally as we are deploying the Zabbix server to interact with the database locally. For that, you need to modify the file /etc/my.cnf and under the [mysqld] header enter the following parameter:
bind-address=127.0.0.1
7. Now, its time to create the database, assign the passwords, and privileges. Connect on the MariaDB database:
create database zabbix_server;grant all privileges on zabbix_server.* to [email protected]'localhost' identified by 'zabbixpassword';flush privileges;
quit
8. We will now install the Zabbix Server. I got the repository on the official Zabbix website.
Setting up a mail server is very simple if you understand the basic concept. In this blog post, I’m going to focus on the installation of a basic mail server using Postfix (MTA), Dovecot(MDA), and MariaDB. I will explain it stepwise and move along the basics too on this blog post. Also, consider having a VPS or any server with a public IP address ready for the mail server. Some guys for testing purpose, try to hide their dynamic public address using other tools over the internet. I guess you must be ready by now. I am also using an RHEL6 machine for this installation. The concept remains the same in case you want to install on an RHEL7/8 or Ubuntu server machine. Let’s see what are some tools and prerequisites needed for the installation:
Photo credits: postfix.org
DNS record for your mail server.
Some Firewall rules to be allowed.
Postfix (MTA) – A Mail Transfer Agent that permits you to route and delivers electronic mails. Postfix is both an SMTP server and an SMTP agent.
Dovecot (MDA) – A Mail Delivery Agent that primarily used as a mail storage server. It is a secure IMAP and POP3 server. It can also act as a mail proxy server.
MariaDB – A database server where you will store the users, domains, and aliases.
Now, in the real world, this is not the case as we need other accessories to enhance security, robustness, and integrity. Implementation of Dovecot with MariaDB w/ SASL interconnection for the mail server. DKIM, DANE, SPF, and DMARC are other accessories that need to be used. I will get in detail about those terms in future articles. In this article, I will focus on a classic basic mail server.
Adding the DNS record
1. You will need to add an ‘A’ DNS record, followed by an ‘MX’ record. I blurred the IP Address here for security purposes.
Some Firewall rules here
2. You will also need to allow IMAP (143) and SMTP(25) on the machine
7. A netstat -ntpl should show port 25 is listening on all IP Addresses.
8. A telnet mail.tunnelix.com should prompt you the following:
Notice the ESMTP Postfix after doing the telnet which means that the Postfix server is up.
9. At this level, you should able to send yourself an e-mail from your Gmail which proves that your Postfix is working pretty fine.
10. The mailbox is located in the directory /Maildir. Let’s say you have a user called ‘Tom’ and you have sent the mail to [email protected], then you should get the mail in /home/tom/Maildir.
Dovecot installation and configuration
11. Perform the installation of the dovecot package and its dependencies:
yum install dovecot
12. Edit the /etc/dovecot/dovecot.conf file and set up the following parameter:
listen = *,
13. Edit the /etc/dovecot/conf.d/10-auth.conf and set up the following parameter:
17. For incoming mail check in the following directory directory:
/var/spool/mail/vhosts
Tips:
Some terms to grasp are important to understand the basics behind mail transmission/reception.
MUA (Mail User Agent – A software used for mail message retrieval, commonly known as an email client, such as mutt, Evolution, and Thunderbird ),
MTA (Mail Transfer Agent is a software that transfers mail from one device to another using SMTP.
MDA (Mail Delivery Agent is another software component that helps with the delivery of email.
Credits: ccm.net
Note: This type of Mail configuration is for Learning purposes only. Do not apply to the production environment without considering security implications. In future articles, I will explain an example of how to secure your mail using DANE, DMARC, SPK, and DKIM.
Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges, and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly. – Firewalld.org
Photo Credits: Cloudflare.com
IPtables VS Firewalld
In RHEL6, we had IPtables. Now, in RHEL7, the firewall mechanism or say, the firewall daemon changed to Firewalld. Both serve the same purpose, i.e; packet filtering using the Netfilter module inbuilt in the Linux kernel. However, it is important to know why the Firewalld took over the IPtables. In Firewalld, you can change settings dynamically whilst being on production compared to IPtables which needs to flush out the entire rules set once a change has been made. Another difference is that during the installation of firewalld, you have support for both IPv4 and IPv6 compared to IPtables, you will have to install Ip6tables for IPv6 support. For those who are not acquainted with IPv6, please check out the article on “Diving into the basics of IPv6“. To briefly describe Firewalld, it is a set of services and daemons that manage the Netfilter in the Linux kernel. Finally, it is important to understand that both RHEL6 and RHEL7 used the IPtables (commands) to talk to the Netfilter.
Photo Credits: 8gwifi.org
Zones concept in Firewalld
One of the important concepts in firewalld is ‘zones’. Zones are groups of rules which is managed by the firewalld. Zones are based on the level of trust a user has on the interface and traffic within a network. Zones are even defined from least trusted to most trusted. These are the types of zones:
Drop zones: This is where incoming connections are dropped without any messages.
Block zones: Same as block zone but the only difference is that it gives an ICMP reply.
Public zones: It is an untrusted zone, but may allow connections based on case to case basis.
External zones: It is used when your firewall is also a gateway or simply, configuration for NAT.
Internal zones: This is the other side of the gateway or simply the firewall configurations used inside your own network, usually in a private network.
Demilitarized zones: Demilitarized zones or say DMZ, is where only certain incoming connections are allowed.
Work zones: There is a trust in the majority of hosts on the network which makes it possible to allow more services.
Home zones: The trust here is more and more acceptable and much more restrictions are removed.
Trusted: Here, there is absolute trust. Note that this should be used carefully.
VIEW information on your firewall
1. You can check if your firewall is running from either of the following commands:
systemctl status firewalld
firewalld-cmd --state
2. Like we said earlier, we can also check in which zone is the interface card configured:
firewalld-cmd --get-default-zone
3. Now, to check which interface card is in which zone, simply do the following. As you can see below, both interface cards enp0s3 and enp0s8 is in the active zone:
firewalld-cmd --get-active-zone
4. To check which rules are in the zones:
firewalld-cmd --list-all
5. If you want to get all the existing zones, simply do the following:
firewalld-cmd --get-zones
6. To list all existing rules within each zone, use the following:
Currently, you will also know which zones are your interfaces.
firewalld-cmd --list-all
7. But, you can still list the rules for a specific zone, say, the ‘home’ zone.
firewall-cmd --zone=home --list-all
8. For more details of all zones:firewall-cmd –list-all-zones
9. We have also seen, for example, in part 4 that firewall-zone –get-active-zone also shows us the services associated with the zone. But, we can also see a list of services with the firewall-zone command:
firewall-cmd --get-services
The services are just XML file located in /usr/lib/firewalld/services
Change information on the Firewall
10. Let’s say you want to move one interface from one zone to another zone. In my case, I want to move enp0s3 from the public to the home zone.
You can verify same using firewall-cmd –list-all-zones
11. However, another way to made verifications can be done using the command:
firewall-cmd --get-active-zones
12. Please note that restarting the service firewalld will result in loss of the change carried out. To ensure it is effective even after a restart of the service, go on the configuration on the network card which is /etc/sysconfig/network-scripts/ifcfg-enp0s3 and add the following line to it.
ZONE=home
13. Also, note that you can always change the default zone from public to home directly with the command:
firewall-cmd --set-default-zone=home
14. To add a specific service to a zone, for example, adding https to the zone public.
firewall-cmd --zone=public --add-service=https
15. Please note that this is only temporarily and after a restart of the service, the https will not be anymore in the home zone. To make it permanent:
Always test your change with a firewall-cmd –reload
16. Most of the time, if you are running your own custom application, let’s say it is running on port 8080 and the services are not seen using firewall-cmd get-services, you can still add it to a zone by mentioning the port.
19. We can also block a specific IP Address from a zone. Let’s say we want to block IP 10.10.10.10/24 from the zone public. For that, we have to use the parameter –add-rich-rule.
20. You might also want a particular service to be allowed from a particular IP Address. Let’s say we want to allow IP 10.10.10.5 for the zone public and only for the FTP service. In this example below, limit value=”2/m” means to limit 2 connections per minute.
21. Let’s say you want to know which zone is a specific interface. You can use the following command:
firewall-cmd --get-zone-of-interface=enp0s3
22. You can also find how many particular interfaces are in a particular zone:
firewall-cmd --zone=public --list-interfaces
23. To stop all communications, let’s say during an attack, you can fire this command:
firewall-cmd --panic-on
24. You can also stop the panic using the following command:
firewall-cmd --panic-off
25. You can also check if you are in a query panic using the following command:
firewall-cmd --query-panic
NAT, Port Forwarding and Masquerading
Network Address Translation (NAT) means to use a strategy to hide an IP address space into another IP address by modifying the network address information in the IP header. The packets in the IP header will transit through a routing device.
Port Address Translation (PAT) sometimes called Port forwarding works the same fashion except that it works on port level. You can forward port 22 on from your IP address to port 8000 to your internal web server.
The word Masquerading itself means to use something fake. NAT masquerading is another strategy to allow a device that does not have an IP address to communicate with other computers on the internet. IP Masquerading means to set up an IP gateway for a device.
26. To check if masquerading is on or off, you can use the following command:
firewall-cmd --query-masquerade
27. Or say you want to query a particular zone if masquerade is on or off, simply use the –zone parameter:
firewall-cmd --zone=public --query-masquerade
28. To enable masquerade for the zone public
firewall-cmd --zone=public --add-masquerade
29. Before performing a port forwarding, we need to enable the masquerading:
33. You can also use firewalld on the graphic user interface. This can be done by installing the package firewall-config. The following command can be used:
yum install firewall firewalld-config
34. There are other ways to check if firewalld is running:
systemctl status firewalld
firewall-cmd --state
35. To active debug mode on firewalld logs enter the following parameter in the /etc/sysconfig/firewalld
FIREWALLD_ARGS='--debug'
After setting the parameter, the service need to be restarted.
Terraform is an open-source tool created by HashiCorp and it is written in Go programming language. Using Terraform allows us to define our infrastructure as a Code by using declarative language. It’s important to understand that Terraform language is declarative, which describes an intended goal rather than the steps to reach the goal. Once you define your infrastructure, Terraform will figure out how to create it. Terraform also supports a variety of cloud providers and virtualization platforms such as AWS, Azure, VMware, OpenStack, etc.. This is pretty cool as it eliminates several tasks, for example, to create several AWS instances.
Photo credits: terraform.io
Installation of Terraform
1. This is pretty simple. You just have to go on the official website and download the package. In my case, I am on a Linux machine, and I am choosing a Linux 64 bit package.
To download and unzip it, use the following command:
2. I moved the binary to /usr/local/bin. Make sure it is in the path environment variable.
mv terraform /usr/local/bin
3. By this time, you should get your binary and be able to check the version.
terraform version
Setting up API call for Terraform on AWS
4. We also need to allow terraform to make an API call on our behalf. I will be calling the API on AWS. For that, you will need to create a user on the AWS IAM and assign the rights and policies. Assuming that you have already created the user and you have the credentials to move ahead. Use the following commands:
5. Once you are done exporting the credentials, you can start building your Terraform code. The whole code is in my Github and you can download it for free.
The first thing is to configure the provider and the region.
provider "aws" { region = "us-east-1"}
6. Each provider supports different kinds of resources such as load balancers, servers, databases, etc.. In this example, we are trying to create a single EC2 instance. I have chosen the AWS Linux OS and the smallest nano server. The tags are just the identifier in AWS.
7. Then launch a terraform init to initialized the Terraform working directory. By that, I mean that it will download the AWS plugin. You should found a similar type of output from your screen.
8. Before performing the actual change, you can use the terraform plan to understand what change has been established. The plus sign means what is going to be added and the minus sign means those that are going to be removed.
9. To create the instance use the terraform apply to create the instance. It will prompt you to type ‘yes’ to continue on with the creation.
10. If you go on the AWS EC2 console, you will notice that the resource has been created successfully.
11. Hey, it’s not over yet! There are more things that need to be added for example the name of the instance. Let’s called it Nginx-Server. Let’s add the tags. Also, launch a terraform apply.
tags = {Name = "Nginx-Web" }
Adding User Data and Security groups
12. At this stage, I believed you must understand what is Terraform and how it works? To make the installation of Nginx add the following block of lines:
14. In part 6 under instance_type, I have added this line. What it means? “aws_security_group” is a resource, “allow_http” is a variable that has been called from the security group in part 13, and lastly “id” is the attribute.
15. Note that when launching terraform apply, you will notice that Terraform will destroy the old machine and build a new one which implies that there will be a downtime.
16. You can also view your code through a graph. Launch the command terraform graph. The output can also be viewed as more human-readable through Graphviz which you have to install. You can also go to webgraphviz.com to view it online.
It is very interesting to understand the dependency when using declarative language in Terraform. The full code can be viewed here on my Github Repository.
Have you ever deleted a logical volume by accident? Can you recover it looking into the backups? Well, the answer is YES. For those who are not familiar with Logical Volume Management (LVM) is a device mapper target that provides logical volume management for the Linux kernel.- Wikipedia. It is an abstraction layer or software that has been placed on top of your hard drive for flexible manipulation of the disk space. Some of the articles published in the past on LVM are:
All test carried out on this blog post have been tested on a CentOS machine. Please don’t make a live test on a production server.
Image Credits: Redhat.com
1. So, as you can see below I have an lv called lvopt which is from a vg called centos.
2. Same is mounted on the /opt
3. There are some data in that partition as well:
4. I created a directory inside the /opt directory
5. Now, let’s pretend to remove the lvm lvopt. Or say, someone did it by accident because it was unmounted. The command lvremove will be used here to remove the lv. Note: that the lv need to be unmounted.
6. If you make an lvs, lvdisplay or vgs or even mount again the partition, you cannot do it. The data is lost. But you can still recover it. This is because the lvm contains the archive of your lv inside the folder /etc/lvm/archive. But, you cannot read the files directly.
7. But you can still, interpret part of the files. Since we deleted the volume group called “centos”, we knew that it is referenced in the file centos_… The question that arises here is which file is relevant for you. Right? So to understand which archive you want to restore, you need to use the command vgcfgrestore –list <name of volume group>. Here is an example:
8. If you observe carefully, each archive has been backup at a certain time. In my case, I deleted the LV on 18-Apr-2019 at 11:17:17 2019:
9. So, I want to restore from that last archive. You will need to copy the full patch of the vg file. In my case it is /etc/lvm/archive/centos_00004-1870674349.vg. The goal here is to restore the lv before this specific time, or simply restore back the lv before the command lvremove was fired. Here is the command:
10. If you launch the command lvs, you will notice the presence of the lv.
11. But, mounting back the lv won’t result in anything. This is because the lv is inactive. You can see it with the command lvscan. Please take note below that the lvopt is inactive.
12. To activate it you simply need to use the command lvchange.
13. Mount it back and you are done.
I believe this can be very useful especially when you have encountered a situation where someone deleted an lv. I hope you enjoy this blog post. Please share and comment below if you like it.
