Monday, February 16, 2015

SuperBlock last mount time is in the future CENTOS

If you come across "Superblock last mount time is in the future" on CentOS 6 during the boot process,
add the following to the configuration file /etc/e2fsck.conf:


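# e2fsck.conf(5) "[problems]" stanza: per-problem overrides keyed by the
# problem code.  preen_ok lets e2fsck fix the problem automatically in preen
# mode (the -p mode used at boot), so the clock-skew complaint no longer drops
# the system into a manual fsck; preen_nomessage suppresses the message.
# The two entries below only take effect inside this section.
[problems]

# Superblock last mount time is in the future (PR_0_FUTURE_SB_LAST_MOUNT).
0x000031 = {
    preen_ok = true
    preen_nomessage = true
}

# Superblock last write time is in the future (PR_0_FUTURE_SB_LAST_WRITE).
0x000032 = {
    preen_ok = true
    preen_nomessage = true
}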


 
 Hope this helps.

Thursday, February 12, 2015

Setup HTTPS filtering CENTOS

1. Update Centos

#!/bin/bash
# Step 1: update every installed package, switch SELinux off in its config
# file and reboot.  Must run as root; any failing command aborts the script.
set -e

# must be root to update packages and edit /etc/selinux/config
if (( EUID != 0 )); then
   printf '%s\n' "This script must be run as root" >&2
   exit 1
fi

# bring every installed package up to date
yum -y update

# disable selinux
# NOTE(review): this takes the whole host out of SELinux enforcement rather
# than allowing only what squid/qlproxy need; worth confirming that a
# permissive policy or targeted booleans would not do instead.
selinux_cfg=/etc/selinux/config
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' "$selinux_cfg"

# reboot so the package update and the SELinux change take effect
reboot

2. Install Apache Web Server

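#!/bin/bash
# Step 2: install the Python/Django and Apache (mod_wsgi) stack that serves
# the qlproxy web UI.  Must run as root; exits non-zero on the first failure.
set -e

# all web packages are installed as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# install python libs
yum -y install python-setuptools python-ldap

# install python django for web ui
# NOTE(review): easy_install fetches the pinned release from PyPI without any
# hash or signature check; keep the version pin and consider vendoring the
# package if the build has to be reproducible.
easy_install django==1.6.8

# install apache web server to run web ui
yum -y install httpd mod_wsgi

# make apache autostart on reboot (systemctl implies a systemd host, i.e.
# CentOS 7; on CentOS 6 the equivalent would be `chkconfig httpd on`)
systemctl enable httpd.service

# this fixes some apache errors when working with python-django wsgi
# Only append the directive when it is not already there, so re-running the
# script does not stack duplicate WSGISocketPrefix lines in wsgi.conf.
# grep's stderr is silenced on purpose: a missing file simply means "append".
wsgi_conf=/etc/httpd/conf.d/wsgi.conf
if ! grep -qF 'WSGISocketPrefix /var/run/wsgi' "$wsgi_conf" 2>/dev/null; then
  echo "WSGISocketPrefix /var/run/wsgi" >> "$wsgi_conf"
fi

# and restart apache (on a systemd host `service` forwards to systemctl)
service httpd restart

echo "Web requirements installed correctly!"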

3. Install Diladele Web Safety

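#!/bin/bash
# Step 3: download the Diladele Web Safety (qlproxy) RPM and install it,
# then restart Apache so it picks up the UI the package configured.
# Must run as root.

# all packages are installed as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# bail out on any error
set -e

# get latest qlproxy
# NOTE(review): the package is fetched over plain http and installed below
# with --nogpgcheck, so nothing verifies its integrity or origin between the
# vendor and this host.  Prefer an https URL and compare the downloaded file
# against the vendor's published checksum or signature before installing.
rpm_url=http://packages.diladele.com/qlproxy/4.0.0.FD85/amd64/release/centos7/qlproxy-4.0.0-FD85.x86_64.rpm
rpm_file=qlproxy-4.0.0-FD85.x86_64.rpm
# -f: fail on an HTTP error instead of saving the server's error page as the
# .rpm (a plain redirect-to-file does exactly that, and yum then chokes on
# it); -L follows redirects; -o writes straight to the file.
curl -fL -o "$rpm_file" "$rpm_url"

# install it
yum -y --nogpgcheck localinstall "$rpm_file"

# qlproxy installed everything needed for apache, so just restart
systemctl restart httpd.service

echo "Diladele Web Safety is installed!"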

4. Install required build tool
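#!/bin/bash
# Step 4: install the compiler toolchain and -devel packages needed to build,
# plus EPEL for the extra perl module squid needs.  Must run as root.

# install all build tools
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# stop on the first failing command, as the other setup scripts do; without
# it a failed download still falls through to the rpm/yum steps below
set -e

# install development packages required
yum install -y gcc-c++ pam-devel db4-devel expat-devel libxml2-devel libcap-devel libtool redhat-rpm-config rpm-build openldap-devel openssl-devel krb5-devel

# squid needs perl and needs additional perl modules not present by default in CentOS 6
# NOTE(review): the epel-release package is fetched over plain http and
# installed with rpm directly, so nothing checks the download; prefer https
# or verify the file against a published checksum before installing it.
epel_url=http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
epel_rpm=epel-release-6-8.noarch.rpm
# rpm -Uvh on an already-installed release package exits non-zero, which
# would now abort the script, so skip the download/install when it is present
if rpm -q epel-release >/dev/null 2>&1; then
  echo "epel-release already installed, skipping download" 1>&2
else
  # -f: treat an HTTP error as a failure rather than saving the error page
  curl -fL -o "$epel_rpm" "$epel_url"
  rpm -Uvh "$epel_rpm"
fi
yum install -y perl-Crypt-OpenSSL-X509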


5. Install SQUID

#!/bin/bash
# Step 5: install the distribution squid package and enable it at boot.
# Must run as root; any failing command aborts the script.

# stop on every error
set -e

# install RPMs as root
if (( EUID != 0 )); then
   printf '%s\n' "This script must be run as root" >&2
   exit 1
fi

# install stock squid
yum -y install squid

# make squid autostart after reboot (systemctl, i.e. a systemd host)
systemctl enable squid.service

printf '%s\n' "Squid RPM is installed successfully"

6. Configure Firewall for transparent Proxy

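#!/bin/bash
# Step 6: iptables rules for the transparent proxy box.  From the rules
# below, eth0 faces the LAN and eth1 the upstream side.  Must run as root
# and ends with a reboot.

# firewall setup should be done as root
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

# abort on the first failing iptables command rather than continuing with a
# half-applied ruleset (the INPUT policy stays ACCEPT until the very end,
# so an early abort cannot lock us out)
set -e

# check kernel forwarding is enabled
enabled=$(< /proc/sys/net/ipv4/ip_forward)
if [[ "$enabled" -ne 1 ]]; then
        echo "Kernel forwarding seems to be disabled, enable it in /etc/sysctl.conf, reboot and rerun this script" 1>&2
        exit 1
fi

# set the default policy to accept first (not to lock ourselves out from remote machine)
iptables -P INPUT ACCEPT

# flush all current rules from iptables
# -F alone only touches the filter table; the nat table has to be flushed
# explicitly, otherwise every re-run appends another copy of the REDIRECT
# and MASQUERADE rules below
iptables -F
iptables -t nat -F

# allow ICMP (pings) on any interface for debugging purposes
iptables -A INPUT -p icmp -j ACCEPT

# allow access for localhost
iptables -A INPUT -i lo -j ACCEPT

# accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow ssh connections to tcp port 22 (no -i, so from any interface,
# the upstream side included)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# allow connection from LAN to ports 3126, 3127 and 3128 squid is running on
iptables -A INPUT -i eth0 -p tcp --dport 3126 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 3127 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 3128 -j ACCEPT

# redirect all HTTP(tcp:80) traffic coming in through eth0 to 3126
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3126

# redirect all HTTPS(tcp:443) traffic coming in through eth0 to 3127
# (this is where TLS gets intercepted: squid's ssl-bump port answers with
# certificates minted from the CA named in squid.conf, so LAN clients must
# trust that CA or every https site will show a certificate error)
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127

# configure forwarding rules: only ssh, http, dns and icmp are routed from
# LAN to upstream directly, replies come back via ESTABLISHED,RELATED, and
# everything else that reaches FORWARD is rejected by the last rule
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 22 -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

# enable NAT for clients within LAN
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# set default policies for INPUT, FORWARD (drop) and OUTPUT (accept) chains
# only now, after every allow rule is in place
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# list created rules
iptables -L -v

# save the rules so that after reboot they are automatically restored
/sbin/service iptables save

# enable the firewall
chkconfig iptables on

# and reboot machine
reboot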

7. Squid Configuration

# ssl-bump settings managed by Diladele Web Safety for Squid Proxy
include "/opt/qlproxy/etc/squid/squid.acl"

# port configuration
# 3126/3127 are the intercept ports the firewall script REDIRECTs tcp/80 and
# tcp/443 to; 3128 is the explicit (configured-in-browser) proxy port.  The
# two ssl-bump ports mint per-host certificates on the fly from the CA in
# myca.pem, so clients must trust that CA -- and whoever can read the key in
# that file can impersonate any https site towards those clients.
# NOTE(review): keep myca.pem readable by the squid account only.
http_port  3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem
http_port  3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem

# certificate storage manager
# helper that generates and caches the mimicked certificates; its database
# under /var/spool/squid_ssldb is created in step 8 (ssl_crtd -c)
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB



# ICAP: hand every request (reqmod) and response (respmod) to qlproxy on
# localhost:1344 for filtering, passing the client IP and username along
# in the X-Client-Username header.
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
# NOTE(review): -1 appears to stop squid from ever suspending the service
# after repeated connection failures -- confirm against the squid version in use.
icap_service_failure_limit -1
# bypass=0 makes each service mandatory: when qlproxy is unreachable or
# returns an error the transaction fails instead of passing through
# unfiltered (fail-closed), which is the safer default for a filter.
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
# domains / response content types listed in these files skip ICAP;
# everything else goes through both services
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
adaptation_access qlproxy1 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_etypes
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all

8. Add database

# Step 8: create the on-disk certificate database that sslcrtd_program in
# squid.conf points at (-c initialises it, -s is its location) and hand it
# to the squid account so the helper can write to it.
ssl_db=/var/spool/squid_ssldb
/usr/lib64/squid/ssl_crtd -c -s "$ssl_db"
chown -R squid:squid "$ssl_db"

Install NTOP NG on CENTOS 6

1. download latest epel-release and install

# Step 1: install the EPEL release package straight from its URL (yum
# downloads and installs it in one go).
# NOTE(review): plain http, and nothing on this line verifies the download.
epel_rpm_url=http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum -y install "$epel_rpm_url"

2. Create a repository for NTOP.

vi /etc/yum.repos.d/ntop.repo 
 
# ntop's own yum repositories (arch-specific and noarch).  gpgcheck=1 with
# the vendor key below means yum rejects any package not signed by that key.
# NOTE(review): the key itself is fetched over plain http on first use, so
# trust in it rests on that one download -- compare its fingerprint with the
# value the vendor publishes if you can.
[ntop]
name=ntop packages
baseurl=http://packages.ntop.org/centos/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://packages.ntop.org/centos/RPM-GPG-KEY-deri
[ntop-noarch]
name=ntop packages
baseurl=http://packages.ntop.org/centos/$releasever/noarch/
enabled=1
gpgcheck=1
gpgkey=http://packages.ntop.org/centos/RPM-GPG-KEY-deri
 
3.  
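# EPEL repository stanza; replace X with the CentOS major version (6 or 7).
[epel]
name=Extra Packages for Enterprise Linux X - $basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-X&arch=$basearch
failovermethod=priority
enabled=1
# gpgcheck=1 makes yum refuse packages not signed by the key below; the
# gpgkey line on its own enforces nothing unless the global yum.conf default
# happens to turn checking on, so state it explicitly here
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-X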

and

# cd /etc/yum.repos.d/
# wget https://copr.fedoraproject.org/coprs/saltstack/zeromq4/repo/epel-X/saltstack-zeromq4-epel-X.repo 
 Note: replace X with 6 (for CentOS 6) or 7 (for CentOS 7)
then do:
 
yum erase zeromq3 (Do this once to make sure zeromq3 is not installed)
yum install zeromq 
yum clean all
yum update 
yum install pfring n2disk nprobe ntopng ntopng-data nbox
 
 
 *Note: At this point I had a Transaction Check error because my kernel 
was newer than what the ntop compile expected, so I had to install an 
older kernel for the yum install to complete. If the above completes 
without an error you can skip this step, else grab the older kernel and 
try the package install again.
 
 yum -y install kernel-2.6.32.431.20.3.el6 
 
 
edit config file: 
 
  vi /etc/ntopng/ntopng.start 
 
  --local-networks "192.168.0.0/24"
  --interface 0
 vi /etc/ntopng/ntopng.conf
 -G=/var/run/ntopng.pid

edit firewall 

vi /etc/sysconfig/iptables
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT
  • chkconfig redis on
     chkconfig ntopng on 
     
     
    Start the services.
                 service redis start
          service ntopng start
     Browse to the NTOP server address.
                    http://yourserveraddress:3000
          username: admin
          password: admin

Tuesday, February 10, 2015

FLUSH cache linux

Empty Linux Buffer Cache:
There are three options available to flush the Linux memory cache. Use one of the below as per your requirements.

1. To free pagecache, dentries and inodes in cache memory
# sync; echo 3 > /proc/sys/vm/drop_caches
2. To free dentries and inodes use following command
# sync; echo 2 > /proc/sys/vm/drop_caches
3. To free pagecache only use following command
# sync; echo 1 > /proc/sys/vm/drop_caches
 
 
Adding a cron job to flush the cache regularly (once an hour):
 
# crontab -e
0 * * *  * sync; echo 3 > /proc/sys/vm/drop_caches
 
 
Check cache linux used
 
# free -m