Author Archives: Nitin J Mutkawoa

Install Zabbix with MariaDB, PHP7 and HTTPD on CentOS7

When it comes to monitoring, one of the best-known web applications is Zabbix. In this article, we will see the basic installation and configuration of a Zabbix machine on CentOS7. Zabbix is an open-source monitoring tool for diverse IT components, including networks, servers, virtual machines (VMs) and cloud services. It collects metrics such as network utilization, CPU load and disk space consumption, and it works on a client/server model: agents on the monitored hosts report to, or are polled by, the Zabbix server.

Always check the official documentation for installation. The machine has been deployed on a Virtual Box machine with the following configurations:

  • 2048 MB RAM
  • 1 CPU
  • 10GB storage
  • hostname as zabbixserver zabbixserver.local
  • IP Address 192.168.0.30

1. After deploying your machine, always make sure it is up to date, then begin by installing a web server. I chose Apache httpd, which is widely used and easy to install. Also install the EPEL repository. After installing Apache httpd, start the service and enable it so that it comes up at boot.

yum install epel-release -y
yum install httpd -y
systemctl enable httpd
systemctl start httpd

2. We also need to install PHP. The latest PHP7 can be easily installed through a repository. Also consider other PHP packages that will connect with the database, providing the PHP CLI, MOD PHP for Apache, etc..

rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum install php72w mod_php72w php72w-common php72w-cli php72w-xml php72w-pear php72w-devel php72w-gd php72w-mysql php72w-mbstring php72w-bcmath 

3. Then, tweak the PHP configuration file (/etc/php.ini) as follows:

max_execution_time = 700
max_input_time = 700
memory_limit = 512M
post_max_size = 64M
upload_max_filesize = 16M
date.timezone = US/Eastern

Note that the values depend on your location (date.timezone) and on the sizing of the machine. PHP silently ignores directives it does not recognise, so check the spelling: the upload limit is upload_max_filesize, not upload_max_size.

4. Let’s now install MariaDB:

yum install mariadb-server -y
systemctl start mariadb
systemctl enable mariadb

5. Configure MariaDB by launching the following command and follow the prompts (set a root password, remove the anonymous users, disallow remote root login and drop the test database):

mysql_secure_installation

6. To access the database you need to launch the command mysql -u root -p. However, you can also store the password in /etc/my.cnf.d/client.cnf under the [client] header as follows:

password = xxxxx

In this way, you can just launch the mysql command to log in directly to the database. Keep in mind that anyone who can read that file can log in as root: prefer the per-user file ~/.my.cnf with permissions 0600 over a world-readable file under /etc.

Also consider making the database listen only on the loopback address, since the Zabbix server interacts with the database locally. For that, modify the file /etc/my.cnf and, under the [mysqld] header, enter the following parameter:

bind-address=127.0.0.1

7. Now, it is time to create the database, the user and the privileges. Connect to MariaDB and run the following. The Zabbix documentation asks for a UTF-8 database with the utf8_bin collation; the grant is limited to the zabbix_server database and to connections from localhost, which is all the Zabbix server needs:

create database zabbix_server character set utf8 collate utf8_bin;
grant all privileges on zabbix_server.* to zabbixuser@'localhost' identified by 'zabbixpassword';
flush privileges;
quit

8. We will now install the Zabbix Server. I got the repository on the official Zabbix website.

rpm -Uvh https://repo.zabbix.com/zabbix/4.4/rhel/7/x86_64/zabbix-release-4.4-1.el7.noarch.rpm
yum install zabbix-get zabbix-server-mysql zabbix-web-mysql zabbix-agent -y

Note that, we installed both the agent and server on the Zabbix server.

9. We will now populate the Zabbix database with the schema and initial data, using the zabbixuser account created at step 7 (the version number in the path changes with the package, hence the wildcard):

zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -u zabbixuser -p zabbix_server

If your Zabbix server version is different, check that the wildcard matches exactly one directory.

10. Modify the Zabbix server configuration as follows at /etc/zabbix/zabbix_server.conf:

DBName=zabbix_server
DBUser=zabbixuser
DBPassword=zabbixpassword
DBHost=localhost

11. Start and enable the Zabbix server:

systemctl start zabbix-server
systemctl enable zabbix-server

12. Modify the Zabbix client configuration as follows at /etc/zabbix/zabbix_agentd.conf:

Server=127.0.0.1
ServerActive=127.0.0.1
Hostname=zabbixserver

13. Start and enable the Zabbix agent:

systemctl start zabbix-agent
systemctl enable zabbix-agent

14. Consider restarting all the services (systemd unit names are case-sensitive; the MariaDB unit is mariadb):

systemctl restart zabbix-agent
systemctl restart zabbix-server
systemctl restart mariadb
systemctl restart httpd

15. Add the following firewall rules. Port 10051 is where agents and proxies send active checks to the server, so it must be reachable from the monitored hosts. Port 10050 is the agent port; on this host the agent is only contacted by the server itself over 127.0.0.1, so you can leave 10050 closed unless another Zabbix server or proxy needs to poll this agent.

firewall-cmd --add-service={http,https} --permanent
firewall-cmd --add-port={10050/tcp,10051/tcp} --permanent
firewall-cmd --reload

For more information about Firewalld, visit the article 35 commands to understand Firewalld in RHEL7 environment.

16. At this stage, the setup wizard should be reachable at the following link:

http://192.168.0.30/zabbix/setup.php

17. Follow the steps and log in on your Zabbix machine with the default username Admin and password zabbix. Change that password straight away: the defaults are public and the frontend is now reachable from the network.
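
The PHP limits at step 3 are the ones the Zabbix frontend's setup wizard checks before it lets you continue. The following script is an added example, not code from the original post or from the Zabbix project: it reads a php.ini and reports every directive that is missing, below the frontend's documented minimum, or misspelt (PHP ignores an unknown key such as upload_max_size without complaining, so the real upload limit stays at the 2M default). The minimums are taken from the Zabbix frontend requirements; the file path is whatever you pass in.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit a php.ini against the
# minimums the Zabbix 4.x frontend setup wizard checks. Assumption: the
# minimums below match the Zabbix frontend requirements; the input file is
# whatever path you pass in.

# Convert a PHP shorthand size (512M, 16M, 2G, 700) to bytes.
php_size_to_bytes() {
  local v="$1" n unit
  n="${v%[KkMmGg]}"
  unit="${v#"$n"}"
  case "$unit" in
    [Kk]) echo $((n * 1024)) ;;
    [Mm]) echo $((n * 1024 * 1024)) ;;
    [Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
    *)    echo "$n" ;;
  esac
}

# Value of one directive (last uncommented assignment wins, "" if absent).
ini_get() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^;[:space:]]+).*/\1/p" "$1" | tail -n 1
}

# Print one line per problem and return the number of problems found.
check_php_ini() {
  local file="$1" problems=0 spec key min have
  for spec in max_execution_time=300 max_input_time=300 memory_limit=128M \
              post_max_size=16M upload_max_filesize=2M; do
    key="${spec%%=*}"; min="${spec#*=}"
    have="$(ini_get "$file" "$key")"
    if [ -z "$have" ]; then
      echo "MISSING $key (need >= $min)"; problems=$((problems + 1))
    elif [ "$(php_size_to_bytes "$have")" -lt "$(php_size_to_bytes "$min")" ]; then
      echo "TOO_LOW $key=$have (need >= $min)"; problems=$((problems + 1))
    fi
  done
  # The frontend refuses to run without a timezone.
  if [ -z "$(ini_get "$file" date.timezone)" ]; then
    echo "MISSING date.timezone"; problems=$((problems + 1))
  fi
  # Common misspelling: PHP ignores it silently, so the real limit stays at 2M.
  if [ -n "$(ini_get "$file" upload_max_size)" ]; then
    echo "TYPO upload_max_size is not a PHP directive; use upload_max_filesize"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Usage: ./check_php_ini.sh /etc/php.ini   (exit status = number of problems)
if [ "$#" -gt 0 ]; then
  check_php_ini "$1"
fi
```

Run it against /etc/php.ini after step 3 and again after any package upgrade that replaces the file; a non-zero exit status is the number of directives the wizard will reject.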

Setting up a basic mail server with Postfix, Dovecot and MariaDB

Setting up a mail server is straightforward once you understand the basic concepts. In this blog post, I am going to focus on the installation of a basic mail server using Postfix (MTA), Dovecot (MDA) and MariaDB. I will explain it stepwise and cover the basics along the way. You will need a VPS or any server with a public IP address for the mail server; for testing, some people work around a dynamic home IP address with tunnelling services, but a static public address is far less trouble. I am using an RHEL6 machine for this installation. The concept remains the same if you install on an RHEL7/8 or Ubuntu server. Let's see what tools and prerequisites are needed for the installation:

Photo credits: postfix.org
  • DNS record for your mail server.
  • Some Firewall rules to be allowed.
  • Postfix (MTA) – A Mail Transfer Agent that routes and delivers electronic mail. Postfix is both an SMTP server and an SMTP client.
  • Dovecot (MDA) – A Mail Delivery Agent primarily used as a mail storage server. It is a secure IMAP and POP3 server and can also act as a mail proxy.
  • MariaDB – A database server where you will store the users, domains, and aliases.

Now, in the real world, a setup this small is not enough: other components are needed for security, robustness and integrity, such as Dovecot authenticating users from MariaDB and Postfix relaying authentication to Dovecot over SASL, and DKIM, DANE, SPF and DMARC on the DNS side. I will get into those in future articles. In this article, I will focus on a classic basic mail server.

Adding the DNS record

1. You will need to add an ‘A’ DNS record, followed by an ‘MX’ record. I blurred the IP Address here for security purposes.

Some Firewall rules here

2. You will also need to allow IMAP (143) and SMTP (25) on the machine. Note that -s matches the source address of the connection: if 100.100.100.100 is the server's own address (as in the /etc/hosts entry at step 3), these rules only allow the server to reach itself. To receive mail from the Internet, port 25 must accept connections from any source (drop the -s match), while port 143 should be limited to the addresses your mail clients use.

iptables -I INPUT -p tcp -s 100.100.100.100 --dport 143 -j ACCEPT
iptables -I INPUT -p tcp -s 100.100.100.100 --dport 25 -j ACCEPT

3. SSH into your server and add an entry to your /etc/hosts file. Example:

100.100.100.100 mail.tunnelix.com

Postfix configuration and installation

4. Install the Postfix using the following command:

yum install postfix

5. Now, the settings to modify in /etc/postfix/main.cf are as follows:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.tunnelix.com
mydomain = tunnelix.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
mail_spool_directory = /var/spool/mail
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no

6. Restart Postfix so that the new configuration is loaded:

postfix reload && /etc/init.d/postfix restart

7. netstat -ntpl should show port 25 listening on all IP addresses (0.0.0.0:25).

8. Connecting with telnet mail.tunnelix.com 25 should greet you with a banner such as:

220 mail.tunnelix.com ESMTP Postfix

The ESMTP Postfix in the greeting means that the Postfix server is up. Type quit to close the session.

9. At this stage, you should be able to send yourself an e-mail from an external account such as Gmail, which proves that Postfix is accepting mail for your domain.

10. With home_mailbox = Maildir/, Postfix delivers into each user's ~/Maildir. Let's say you have a user called 'tom' and you sent the mail to tom at your domain: you should find it under /home/tom/Maildir/new.

Dovecot installation and configuration

11. Perform the installation of the dovecot package and its dependencies:

yum install dovecot

12. Edit the /etc/dovecot/dovecot.conf file and set the following parameter so that Dovecot listens on all IPv4 and IPv6 addresses:

listen = *, ::

13. Edit /etc/dovecot/conf.d/10-auth.conf and set the following parameters. Be aware of what this does: with plaintext authentication enabled and no TLS, every IMAP login on port 143 sends the user's password in the clear, so keep this to a lab network or enable SSL in 10-ssl.conf before exposing the server:

disable_plaintext_auth = no

auth_mechanisms = plain login

14. Edit /etc/dovecot/conf.d/10-mail.conf and set the mail location. It must match where Postfix delivers: main.cf above sets home_mailbox = Maildir/, so Dovecot has to read the same Maildir:

mail_location = maildir:~/Maildir

mail_privileged_group = mail

If you would rather keep the classic mbox spool, remove home_mailbox from main.cf and use mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u instead.

15. Okay, at this stage, the dovecot service should be running (start it with service dovecot start if it is not), and telnet localhost 143 should show you '* OK ... Dovecot ready.'.

Testing your mail system

16. You can test outgoing mail as follows (note that the -a option adds a header with GNU mailutils, whereas the Heirloom mailx shipped with RHEL uses -r address to set the sender):

echo "This is a test" | sudo mail -s "This is a test" [email protected] -aFrom:[email protected]

17. Incoming mail lands where Postfix delivers it: in the recipient's ~/Maildir with the home_mailbox setting above, or in the mbox spool under /var/spool/mail if you removed that setting.

Tips:

  • Some terms are important to grasp in order to understand the basics behind mail transmission and reception:
    1. MUA (Mail User Agent): the software used to read and send mail, commonly known as an e-mail client, such as mutt, Evolution and Thunderbird.
    2. MTA (Mail Transfer Agent): the software that transfers mail from one server to another using SMTP.
    3. MDA (Mail Delivery Agent): the component that delivers mail into the user's mailbox.
Credits: ccm.net

Note: This type of mail configuration is for learning purposes only. Do not apply it to a production environment without considering the security implications: at this point, IMAP logins travel in clear text and SMTP has no TLS. In future articles, I will explain how to secure your mail using DANE, DMARC, SPF and DKIM.
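
As an added example (not code from the original post or from the Postfix or Dovecot projects), the script below audits the configuration files from steps 5, 13 and 14 for the weaknesses the note above alludes to. It reads plain key = value lines, so it works on the files as written here; the three file paths are passed in as arguments. The checks: Postfix without STARTTLS (smtpd_tls_security_level unset), Dovecot accepting cleartext logins (disable_plaintext_auth = no), and a Dovecot mail_location that does not point at the Maildir Postfix delivers into.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): flag the weak settings in a
# Postfix main.cf and Dovecot 10-auth.conf / 10-mail.conf before the server
# is exposed. Assumption: plain "key = value" files as shown in the post;
# the file paths are the three arguments.

# Last uncommented value of a key ("" if the key is not set).
cfg_get() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)$/\1/p" "$1" \
    | tail -n 1 | sed -E 's/[[:space:]]+$//'
}

# Print one FINDING line per problem; return the number of findings.
audit_mail_config() {
  local maincf="$1" authcf="$2" mailcf="$3" n=0 tls auth hb ml

  # 1. SMTP without STARTTLS: passwords and mail cross the wire in the clear.
  tls=$(cfg_get "$maincf" smtpd_tls_security_level)
  case "$tls" in
    may|encrypt) ;;
    *) echo "FINDING postfix: smtpd_tls_security_level is '${tls:-unset}'; set it to 'may' with a certificate so clients can use STARTTLS"
       n=$((n + 1)) ;;
  esac

  # 2. Dovecot cleartext logins on port 143.
  auth=$(cfg_get "$authcf" disable_plaintext_auth)
  if [ "$auth" = "no" ]; then
    echo "FINDING dovecot: disable_plaintext_auth = no lets IMAP clients send passwords unencrypted"
    n=$((n + 1))
  fi

  # 3. Postfix delivers to ~/Maildir but Dovecot reads an mbox spool: users see no mail.
  hb=$(cfg_get "$maincf" home_mailbox)
  ml=$(cfg_get "$mailcf" mail_location)
  case "$hb:$ml" in
    Maildir/:maildir:*) ;;   # consistent Maildir setup
    :mbox:*) ;;              # no home_mailbox: Postfix uses the mbox spool too
    ?*:mbox:*) echo "FINDING delivery: Postfix home_mailbox=$hb but Dovecot mail_location=$ml; Dovecot will not see mail delivered to ~/$hb"
               n=$((n + 1)) ;;
  esac
  return "$n"
}

# Usage: ./audit_mail.sh /etc/postfix/main.cf /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-mail.conf
if [ "$#" -eq 3 ]; then
  audit_mail_config "$1" "$2" "$3"
fi
```

The exit status is the number of findings, so the script can gate a deployment; with the files exactly as written in steps 5, 13 and 14 it reports all three.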

Deploy AWS EC2 instances using Ansible

We have seen in the past how to use Terraform to deploy an AWS EC2 instance. This is also possible with Ansible, and in this blog post we will focus on the deployment of an AWS EC2 instance using Ansible. I assume that you have already installed Ansible on your machine and know the basics of playbook creation; there are several articles on tunnelix.com about Ansible, so please consider visiting them if you have any doubt.

Setup the AWS IAM Account

1. Start by creating an AWS user account through the AWS IAM. Go to IAM, then click on USER, then click on ADD USER:

2. Once you have clicked on ADD USER, enter a name, tick PROGRAMMATIC ACCESS and click on NEXT: PERMISSIONS.

3. On the following page, create a group (I created one called 'Ansible') and attach the user to it. Then click on ATTACH EXISTING POLICIES DIRECTLY, search for AMAZONEC2FULLACCESS, tick it and click on NEXT: TAGS. AmazonEC2FullAccess is convenient for a lab but far broader than a playbook that only launches instances needs; for anything beyond a test account, write a policy limited to the ec2 actions you actually call.

4. Click on Next, add the tags and click on ‘CREATE USER’.

5. Download the credentials.csv file by clicking on Download .csv. It holds the secret access key in plain text, so store it somewhere private and delete it once the key is configured on the controller.

6. Also create an EC2 key pair (the playbook below refers to it by name, ansible) and keep its private key on the controller; it is what you will SSH into the instance with.

Some installations and configurations on the Ansible controller

7. Now, on your Linux controller, we need some Python modules to interact with AWS. Assuming you have already installed Ansible, install python-pip:

yum install python-pip

8.  Let’s now install the AWS CLI

yum install awscli

9. Sync the clock of the VM: AWS signs every API request with a timestamp and rejects calls whose clock is more than a few minutes off. If you have NTP, prefer it; otherwise set the system clock from the hardware clock:

hwclock -s

10. Configure your AWS CLI

aws configure

It will prompt you to enter the AWS Access Key ID, secret key, etc. Just enter the information. Example:

# aws configure

AWS Access Key ID [****************GYGY]: AKIA5xxxxxxxxxx
AWS Secret Access Key [****************458q]: EvEd55xxxxxxxxxx
Default region name [us-east-1]:
Default output format [json]: 

11. Create the file ~/.boto (for root, /root/.boto) holding the same access key. Recent boto releases also read the ~/.aws/credentials file that aws configure just created, in which case this step is redundant. Either way the key sits on disk in plain text: keep the file readable by its owner only (mode 600).

[Credentials]
aws_access_key_id = AKIAxxxxxxxxxxxxx
aws_secret_access_key = xc3xxxxxxxxxxx

12. The following command should test your AWS credentials (it returns the account and ARN the key belongs to):

aws sts get-caller-identity

13. Install the boto Python module. Ansible's ec2 module is written on top of boto, which talks to the AWS API directly using the credentials configured above (it does not go through the AWS CLI):

pip install boto

Creating the Playbook and Deploying the AWS EC2 Instance

14. Now, let's create a playbook as follows in /home/AWSTask.yml. The instance goes into the VPC's default security group; check what that group allows before you launch, since the instance also gets a public IP:

- name: EC2 Instance creation
  hosts: localhost
  connection: local
  tasks:
  - name: Launching the EC2 instance
    ec2:
      instance_type: t2.nano
      key_name: ansible                 # the EC2 key pair created at step 6
      image: ami-0b69ea66ff7391e80
      region: us-east-1
      group: default                    # security group; review its inbound rules
      count: 1
      vpc_subnet_id: subnet-ef9179a4
      wait: yes
      assign_public_ip: yes

You can also access it on my Ansible Github repository.

15. Simply launch the Playbook

ansible-playbook AWSTask.yml

16. As you can see below, the EC2 instance has been created.
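
Steps 5, 10 and 11 leave the access key in plain text in credentials.csv, ~/.aws/credentials and ~/.boto, and it is easy to paste it into a playbook by mistake. The script below is an added example, not code from the original post or from Ansible or AWS: it finds files under a directory that contain an access key id (the public AKIA/ASIA format), prints each one with its permission bits and a masked key id, and counts the files that other users can read. It assumes GNU stat; the key id used in the test is AWS's documented example id, not a real key.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): locate AWS access key ids
# stored on disk and report files that are group- or world-readable.
# Assumptions: key ids follow the public AKIA/ASIA + 16 character format,
# and GNU stat is available (stat -c '%a').

KEY_RE='A[KS]IA[0-9A-Z]{16}'

# Mask a 20-character key id for logs: keep the 4-char prefix and last 4 chars.
mask_key() {
  printf '%s...%s\n' "${1%????????????????}" "${1#????????????????}"
}

# "<file> <octal mode> <masked id>" for every key id found under $1.
find_aws_keys() {
  grep -rIlE "$KEY_RE" "$1" 2>/dev/null | while IFS= read -r f; do
    mode=$(stat -c '%a' "$f")
    grep -oE "$KEY_RE" "$f" | sort -u | while IFS= read -r id; do
      printf '%s %s %s\n' "$f" "$mode" "$(mask_key "$id")"
    done
  done
}

# Number of key-bearing files whose group/other bits are not 0 (mode not x00).
count_exposed_key_files() {
  find_aws_keys "$1" | awk '{ m = $2; if (substr(m, length(m) - 1) != "00") print $1 }' \
    | sort -u | wc -l | tr -d ' '
}

# Usage: ./find_aws_keys.sh /root   (exit status 1 if any key file is exposed)
if [ "$#" -gt 0 ]; then
  find_aws_keys "$1"
  [ "$(count_exposed_key_files "$1")" -eq 0 ]
fi
```

Run it over the controller's home directory and over the directory that holds your playbooks; a hit in a playbook means the key belongs in an Ansible vault or in an environment variable, not in the file.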

Puppet already installed ? What Next ? – Part 1

A few days back, we have seen the installation of the Puppet server and Puppet Agent on the RHEL7 environment. In this article, we will focus on the technical part to administer and write manifests in the Puppet server to instruct the Agent. If you landed directly in this article, consider viewing the 10 steps to install the Puppet configuration management tool before continuing further in this article. Otherwise, I invite you all to continue on in this discovery of what Puppet is capable of.

All manifests will be available on the My-Puppet-Manifests Github repository.

The first keyword that someone should be familiar with is “resource”. In Puppet everything is a resource. The second keyword is “manifest”. To instruct the Puppet server, we have to write a file with the extension ‘.pp’ and it is called a manifest.

1. To list the resource types Puppet knows about, use the following command:

puppet resource --types

2. You will notice a lot of resources. Let’s say you want to get more details about the resource called ‘file’, use the following command

puppet describe file

3. Let's do something locally: create a file in /tmp called test.txt. Create a file called file.pp as follows:

file { '/tmp/test.txt':
  ensure  => file,
  content => "My first puppet file",
}

This is very simple to grasp. 'file' is the resource type, '/tmp/test.txt' is the title of the resource, and ensure and content are attributes. What follows each => is the attribute's value.

4. To apply it with puppet locally use the following command:

puppet apply file.pp

You would notice that the file has already been created in the /tmp directory with the content as well.

5. To remove the file, apply the manifest again with ensure => absent instead of ensure => file (content is irrelevant for an absent file, so it can go):

file { '/tmp/test.txt':
  ensure => absent,
}

6. In the same manner, if you want to create a directory instead, use ensure => directory.

7. You can also check if you have any syntax error in your Manifest by using the following command:

puppet parser validate file_absent.pp

8. You can also create a user in the same manifest as the file. For example:

file { '/tmp/test.txt':
  ensure  => file,
  content => "My first puppet file",
}

user { 'tom':
  ensure => present,
}

9. The idea is to look at the documentation and understand the parameters of a resource type, for example user with the command puppet describe user. You will notice that you can also specify the shell and the home directory; note that home only records the path, and managehome => true is what makes Puppet create the directory:

user { 'harry':
  ensure     => present,
  comment    => "Harry Bell",
  shell      => '/sbin/nologin',
  home       => "/home/harry",
  managehome => true,
}

10. Another interesting resource is 'service' (enable takes a boolean, not a string):

service { 'sshd.service':
  ensure => 'running',
  enable => true,
}

At this stage, it should be very clear how to create puppet manifest and execute locally. I create a Github repository to store all the Puppet Manifests. In the next blog post on Puppet, I will share more details. If you like it do comment below 🙂

35 commands to understand Firewalld in RHEL7 environment

Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges, and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly. (Firewalld.org)

Photo Credits: Cloudflare.com

IPtables VS Firewalld

In RHEL6, we had iptables. In RHEL7, the firewall daemon changed to Firewalld. Both serve the same purpose, i.e. packet filtering using the Netfilter framework built into the Linux kernel. However, it is important to know why Firewalld took over from iptables. With Firewalld, you can change settings dynamically on a production system, whereas the iptables service flushes and reloads the entire rule set once a change has been made. Another difference is that Firewalld supports both IPv4 and IPv6 out of the box, whereas with iptables you need ip6tables for IPv6. For those who are not acquainted with IPv6, please check out the article on "Diving into the basics of IPv6". Briefly, Firewalld is a set of services and daemons that manage Netfilter in the Linux kernel. Finally, it is important to understand that on both RHEL6 and RHEL7 the iptables tool is ultimately what talks to Netfilter; Firewalld drives it for you.

Photo Credits: 8gwifi.org

Zones concept in Firewalld

One of the important concepts in firewalld is 'zones'. A zone is a group of rules managed by firewalld, applied according to the level of trust you have in an interface or in the traffic within a network. Zones are listed here from least trusted to most trusted:

  • Drop zone: incoming connections are dropped without any reply.
  • Block zone: same as the drop zone, the only difference being that the sender gets an ICMP reject reply.
  • Public zone: an untrusted zone, but selected incoming connections may be allowed on a case by case basis.
  • External zone: used when your firewall is also a gateway, i.e. a masquerading (NAT) configuration for the outside interface.
  • Internal zone: the other side of the gateway, i.e. the firewall configuration used inside your own network, usually a private network.
  • Demilitarized zone: the DMZ, where only certain incoming connections are allowed.
  • Work zone: you trust most hosts on the network, so more services can be allowed.
  • Home zone: the trust is higher still and more restrictions are removed.
  • Trusted zone: all connections are accepted. Use this carefully.

VIEW information on your firewall

1. You can check if your firewall is running with either of the following commands:

systemctl status firewalld
firewall-cmd --state

2. Like we said earlier, we can check which zone is the default, i.e. the zone an interface lands in when it is not assigned one explicitly:

firewall-cmd --get-default-zone

3. Now, to check which interface card is in which zone, simply do the following. In my case, both interface cards enp0s3 and enp0s8 are in the active zone shown:

firewall-cmd --get-active-zones

4. To check which rules are in the default zone:

firewall-cmd --list-all

5. If you want to get all the existing zones, simply do the following:

firewall-cmd --get-zones

6. To list the rules of the default zone, including the interfaces bound to it:

firewall-cmd --list-all

7. But you can also list the rules for a specific zone, say, the 'home' zone:

firewall-cmd --zone=home --list-all

8. For the details of all zones at once:

firewall-cmd --list-all-zones

9. We have also seen, for example, in step 4, that firewall-cmd --list-all also shows the services allowed in the zone. We can also see the list of predefined services with:

firewall-cmd --get-services

The services are just XML files located in /usr/lib/firewalld/services (custom ones go in /etc/firewalld/services).

Change information on the Firewall

10. Let’s say you want to move one interface from one zone to another zone. In my case, I want to move enp0s3 from the public to the home zone.

firewall-cmd --zone=home --change-interface=enp0s3

You can verify the same using firewall-cmd --list-all-zones

11. Another way to verify it is the command:

firewall-cmd --get-active-zones

12. Please note that restarting the firewalld service will discard this runtime change. To make it survive a restart, either repeat the command with --permanent, or set the zone in the network card's configuration, /etc/sysconfig/network-scripts/ifcfg-enp0s3, by adding the following line:

ZONE=home

13. Also, note that you can always change the default zone from public to home directly with the command:

firewall-cmd --set-default-zone=home

14. To add a specific service to a zone, for example, adding https to the zone public.

firewall-cmd --zone=public --add-service=https

15. Please note that this is only a runtime change: after a restart of the service, https will no longer be allowed in the public zone. To make it permanent:

firewall-cmd --permanent --zone=public --add-service=https

A --permanent change is written to /etc/firewalld but not applied until you run firewall-cmd --reload, so always reload and then check with --list-all that the rule is active.

16. Most of the time, if you are running your own custom application, let's say on port 8080, and there is no matching entry in firewall-cmd --get-services, you can still add it to a zone by specifying the port:

firewall-cmd --permanent --zone=public --add-port=8080/tcp

After adding the port, you must reload it to view the change.

More crazy Firewalld rules

17. You can also specify a range, for example, from 8000 to 8080 using the command:

firewall-cmd --permanent --zone=public --add-port=8000-8080/tcp

18. More interesting: if you want to bind traffic from a specific network to a zone, use the --add-source parameter. Whatever arrives from that source is then handled by the zone's rules, whichever interface it came in on. Give the network address (10.0.3.0/24): firewalld treats a prefix length as covering the whole network, so 10.0.3.16/24 means the same as 10.0.3.0/24, not a single host.

firewall-cmd --permanent --zone=public --add-source=10.0.3.0/24

19. We can also block a specific IP address within a zone. Let's say we want to block 10.10.10.10 in the public zone. For that, we use the --add-rich-rule parameter (a /24 here would block the whole 10.10.10.0/24 network):

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.10.10/32" reject'

20. You might also want a particular service to be allowed only from a particular IP address. Let's say we want to allow 10.10.10.5 in the public zone for the FTP service, and log it. In this example, limit value="2/m" belongs to the log action and caps the log messages at 2 per minute (it does not limit the connections); a limit placed after accept would rate-limit the accepted connections instead.

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.10.5/32" service name="ftp" log prefix="ftp" level="info" limit value="2/m" accept'
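
Steps 18 to 20 all take an address with a prefix length, and writing a host address with /24 (10.0.3.16/24, 10.10.10.5/24) is an easy mistake: firewalld applies the rule to the whole /24, so a rule meant to admit one host admits 254. The script below is an added example, not code from the original post or from the firewalld project. It normalises an IPv4 CIDR, tells you whether it has host bits set, and builds the --add-rich-rule command from step 19 or 20 only when the address is a clean network or a /32 host; it prints the firewall-cmd line instead of running it unless APPLY=1 is set. IPv4 only, by assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): validate an IPv4 CIDR before
# building a firewalld source rule with it. Assumptions: IPv4 only; the
# generated firewall-cmd line is printed, and only executed when APPLY=1.

# Dotted quad -> 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Append /32 when no prefix length was given, so "10.10.10.5" is one host.
cidr_normalize() {
  case "$1" in */*) echo "$1" ;; *) echo "$1/32" ;; esac
}

# Network address of a CIDR with the host bits cleared: 10.0.3.16/24 -> 10.0.3.0/24
cidr_network() {
  local cidr ip plen mask
  cidr=$(cidr_normalize "$1")
  ip="${cidr%/*}"
  plen="${cidr#*/}"
  mask=$(( plen == 0 ? 0 : (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  echo "$(int_to_ip $(( $(ip_to_int "$ip") & mask )))/$plen"
}

# True (exit 0) when the CIDR is not a clean network address, e.g. 10.10.10.5/24.
cidr_has_host_bits() {
  [ "$(cidr_network "$1")" != "$(cidr_normalize "$1")" ]
}

# Print (and with APPLY=1 run) the rich rule for ZONE CIDR ACTION, e.g.
#   source_rule public 10.10.10.10/32 reject
# Refuses a CIDR with host bits: the caller must say which one they meant.
source_rule() {
  local zone="$1" cidr action="$3"
  cidr=$(cidr_normalize "$2")
  if cidr_has_host_bits "$cidr"; then
    echo "REFUSED: $cidr has host bits set; use $(cidr_network "$cidr") for the network or ${cidr%/*}/32 for the single host" >&2
    return 1
  fi
  echo "firewall-cmd --permanent --zone=$zone --add-rich-rule='rule family=\"ipv4\" source address=\"$cidr\" $action'"
  if [ "${APPLY:-0}" = 1 ]; then
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="rule family=\"ipv4\" source address=\"$cidr\" $action"
  fi
}
```

Wrapping firewall-cmd this way turns a silent over-match into a refused command; remember to run firewall-cmd --reload after APPLY=1, since the rule is added to the permanent configuration only.
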

21. Let's say you want to know which zone a specific interface is in. You can use the following command:

firewall-cmd --get-zone-of-interface=enp0s3

22. You can also list the interfaces that are in a particular zone:

firewall-cmd --zone=public --list-interfaces

23. To stop all communications, let's say during an attack, you can fire this command (panic mode drops every packet in and out, including your own SSH session, so run it from the console or be ready to lose the connection):

firewall-cmd --panic-on

24. You can also stop the panic using the following command:

firewall-cmd --panic-off

25. You can also check if you are in a query panic using the following command:

firewall-cmd --query-panic

NAT, Port Forwarding and Masquerading

Network Address Translation (NAT) rewrites the address information in the IP header of packets passing through a routing device, so that one IP address space (typically private addresses) is hidden behind another address.

Port Address Translation (PAT), sometimes called port forwarding, works in the same fashion but at the port level: you can forward port 22 on your public address to port 8000 on an internal server.

Masquerading is a form of source NAT in which outgoing packets take the address of the gateway's outside interface. It allows devices that only have a private, non-routable address to communicate with computers on the Internet through that gateway.

26. To check if masquerading is on or off in the default zone, you can use the following command:

firewall-cmd --query-masquerade

27. Or, to query a particular zone, use the --zone parameter:

firewall-cmd --zone=public --query-masquerade

28. To enable masquerading for the public zone (add --permanent and reload to keep it across restarts):

firewall-cmd --zone=public --add-masquerade

29. Masquerading is needed when a forwarded port goes to another host (toaddr below), so that the replies come back through the firewall. The following rich rule enables it only for packets coming from the 10.10.10.0/24 network:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.10.0/24" masquerade'

30.  Now, let’s say we want to forward all SSH traffic which is on port 22 to port 8000. This can be achieved using the following command:

firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=8000

31. Since we did not specify a destination address, the port is redirected on the local host. Otherwise, you can add an IP address to forward to another machine:

firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=8000:toaddr=10.0.2.16

32.  You can also query it by using the parameter –query-forward-port:

firewall-cmd --permanent --zone=public --query-forward-port=port=22:proto=tcp:toport=8000:toaddr=10.0.2.16

Other stuff in Firewalld

33. You can also manage firewalld from a graphical user interface by installing the package firewall-config:

yum install firewall-config

34. There are other ways to check if firewalld is running:

systemctl status firewalld
firewall-cmd --state

35. To activate debug mode in the firewalld logs, enter the following parameter in /etc/sysconfig/firewalld:

FIREWALLD_ARGS='--debug'

After setting the parameter, the service need to be restarted.

If you want to get to the Ninja level using firewalld, please refer to this blog article by certdepot.net