Dark Training Information security, technology and general geekery! http://darktraining.com/ Tue, 03 Apr 2018 18:52:00 -0700 Tue, 03 Apr 2018 18:52:00 -0700 Jekyll v3.6.2 How to remove old versions of objects in S3 when using S3 versioning. <p>I wanted to show readers how they can reduce their Amazon S3 costs if they are hosting static content on Amazon Web Services S3.</p> <p>One of the nice functions of S3 is that it will allow you to version a bucket. For a blog site, this is a great feature that can save you if you accidentally commit a change that causes major issues on your site. However, one draw back is that each time you commit a change, a new version is created. If your site has many large files, that can add up quickly, so how can you ensure you only keep data as long as you need it?</p> <h1 id="s3-lifecycle-rules">S3 Lifecycle rules</h1> <p>In the S3 console for your bucket, you can enable a lifecycle rule that will expire out old versions of an object after a given window of time.</p> <p>First select your bucket in the S3 console and then choose the “Management” tab.</p> <p>Next select the Lifecycle Button and then press the “+ Add lifecycle rule” below it. <img src="http://darktraining.com/img/S3Lifecycle.png" alt="S3 Management option" /></p> <p>Enter a name for the rule and you can skip the prefix option if you want this to impact the entire bucket, then press next. <img src="http://darktraining.com/img/lifecyclerulename.png" alt="S3 Lifecycle policy name" /></p> <p>We can skip the 2nd screen which is “Transistions” because we dont want to move the old versions to S3 infrequent access or glacier, we want to delete them, so press next again.</p> <p>In my example, we are going to remove all old versions 30 days after they were last versioned, and we are going to select the permanently delete option. Note we also use the clean up options that are on the lower screen as well. <img src="http://darktraining.com/img/lifecycleexp.png" alt="S3 Lifecycle policy expires" /></p> <p>That’s it, simply select next, review and then complete the rule.</p> Sat, 23 Dec 2017 12:19:00 -0800 http://darktraining.com/2017/12/23/S3-version-cleanup/ http://darktraining.com/2017/12/23/S3-version-cleanup/ aws s3 NameCheaps private email MX settings for AWS Route53 <p>When you are moving your Website from Namecheap to AWS, one the functions you may want to keep is the email hosting from Namecheap. However, after you move your DNS to point route53, you’ll also need to make a MX (mail exchange) record for Route53 in order to have this work.</p> <p>I was a little surprised to see that I did not find a site that basically anwserd “What do I need to type into the route53 MX value”.</p> <p>Name cheap provides a block of text that looks like the image below but they don’t provide much else, and why would they, it’s not their service anymore.</p> <pre><code>This domain name is using third party DNS, please contact your DNS provider to add the following records: .mail(YOUR-DOMAIN).com IN MX mx1.privateemail.com. TXT v=spf1 include:spf.privateemail.com ~all MX mx2.privateemail.com. .autodiscover(YOUR-DOMAIN).com IN CNAME privateemail.com. .autoconfig(YOUR-DOMAIN).com IN CNAME privateemail.com. ._autodiscover._tcp(YOUR-DOMAIN).com IN SRV 0 443 privateemail.com. </code></pre> <p>In route53, create a new record set as type “MX”, then in the values simply paste:</p> <pre><code> 10 mx1.privateemail.com. 20 mx2.privateemail.com. </code></pre> <p>Now, if you want your subdomain mail.<strong>&lt;your-domain&gt;</strong>.com to redirect to their private mail server, create a CNAME and alias ‘mail.<strong>&lt;your-domain&gt;</strong>.com’ to point to ‘‘priavateemail.com’’.</p> Sun, 03 Jan 2016 06:19:00 -0800 http://darktraining.com/2016/01/03/Namecheap-privateemail-route53/ http://darktraining.com/2016/01/03/Namecheap-privateemail-route53/ aws namecheap New face lift for the site! <p>Well, after a good long while I’ve taken the plunge and moved from my old dynamic site to a static content driven site.</p> <p>I did this for a few reasons but one of the more important was security. The old site relyed on php and a RDBMS in the background to host the content and no matter how many safegards I put up, it always made me un-easy.</p> <p>Now with the new site, the page loads should be faster and the navigation should be slightly easier. I’ve also removed the comments for a little while as well. I greatly enjoyed hearing from viewers but bots were constantly trying to post and it was getting tiring to filter them out.</p> Sun, 27 Dec 2015 01:00:00 -0800 http://darktraining.com/2015/12/27/new-face/ http://darktraining.com/2015/12/27/new-face/ news Windows 2008 R2 stuck in recovery mode <p>Recently I came across a Windows Server 2008 R2 stuck in recovery mode after reboot.</p> <p>Booting with a Windows 2008 R2 recovery DVD, the following steps allowed the machine to boot normally.</p> <ol> <li>Put the Windows Server 2008 R2 installation disc in the disc drive, and then start the computer.</li> <li>Press any key when the message indicating "Press any key to boot from CD or DVD …". appears.</li> <li>Select a language, time, currency, and a keyboard or another input method. Then click Next.</li> <li>Click Repair your computer. </li> <li>Click the operating system that you want to repair, and then click Next. </li> <li>In the System Recovery Options dialog box, click Command Prompt. </li> <li>Type Bootrec /RebuildBcd, and then press ENTER. </li> &lt;/0l&gt; <p>If that does not work.</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">dism</span><span class="o">.</span><span class="n">exe</span> <span class="sr">/image:C:\ /</span><span class="n">cleanup</span><span class="o">-</span><span class="n">image</span> <span class="sr">/revertpendingactions</span></code></pre></figure> Then <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="s2">&quot;sfc /scannow /Offbootdir=c:\ /Offwindir=c:\windows</span></code></pre></figure> </ol> Wed, 05 Nov 2014 15:31:43 -0800 http://darktraining.com/2014/11/05/windows-2008-r2-stuck-in-recovery-mode/ http://darktraining.com/2014/11/05/windows-2008-r2-stuck-in-recovery-mode/ windows Mavericks install "This copy of the Install OS X Mavericks application can't be verified" <p>Recently I ran across and issue where we could not install a fresh copy of OS 10.9 on a mac. The error on screen was “This copy of the Install OS X Mavericks application can’t be verified..”</p> <p>The fix is relatively easy in this case. In the main menu when you first boot onto the USB drive (the one that has the option for disk utility, install etc), from the top of the screen menu, select utilities and then terminal.</p> <p>Set the current date as such (in this example lets say the date is 3/14/2014 at 9:00am</p> <p>date 031409002014</p> <p>Now exit the terminal by typing “exit” and then try to re-install as normal and you should be good to go.</p> Fri, 14 Mar 2014 04:49:58 -0700 http://darktraining.com/2014/03/14/Mavericks-install-This-copy-of-the-Install-OS-X-Mavericks-application-cant-be-verified/ http://darktraining.com/2014/03/14/Mavericks-install-This-copy-of-the-Install-OS-X-Mavericks-application-cant-be-verified/ mac Openindiana Public key SSH issue <p>I thought I would throw this one out there as it took me about 30 min to figure this out.<br /> I had an OpenIndiana server that I was working on and I wanted to make a new user that had a public key for access. The problem was that when I tried to connect, it would just come back with the usual "Permission denied (publickey)." error.<br /> Normally, this is because you forgot to set the key permissions correctly:<br /> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">chmod</span> <span class="mi">700</span> <span class="o">~</span><span class="sr">/.ssh</span> <span class="sr">chmod 600 ~/</span><span class="o">.</span><span class="n">ssh</span><span class="o">/</span><span class="n">authorized_keys</span></code></pre></figure> But in this case that was not the problem. I even tried to copy the keys to a windows host, used puttygen to convert the key and then putty to load it which gave the following error:<br /> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="s2">&quot;Server refused public-key signature despite accepting key!&quot;</span></code></pre></figure> WTF?<br /> By default, OI does not log like linux does so I had to enable auth logging:<br /> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">vi</span> <span class="sr">/etc/s</span><span class="n">yslog</span><span class="o">.</span><span class="n">conf</span> <span class="p">(</span><span class="n">uncomment</span> <span class="n">the</span> <span class="n">following</span> <span class="n">line</span><span class="p">)</span> <span class="n">auth</span><span class="o">.</span><span class="n">notice</span> <span class="n">ifdef</span><span class="p">(</span><span class="sb">`LOGHOST&#39;, /var/log/authlog, @loghost)</span></code></pre></figure> Now just restart the syslog service:<br /> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">svcadm</span> <span class="n">restart</span> <span class="nb">system</span><span class="o">-</span><span class="n">log</span></code></pre></figure> Now if you tail -f the authlog file you should see some details:<br /> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">root</span><span class="vi">@zfs</span><span class="o">-</span><span class="ss">server</span><span class="p">:</span><span class="o">~</span><span class="c1"># tail -f /var/log/authlog</span> <span class="no">Jan</span> <span class="mi">8</span> <span class="mi">18</span><span class="p">:</span><span class="mi">29</span><span class="p">:</span><span class="mi">48</span> <span class="n">zfs</span><span class="o">-</span><span class="n">server</span> <span class="n">sshd</span><span class="o">[</span><span class="mi">6387</span><span class="o">]</span><span class="p">:</span> <span class="o">[</span><span class="no">ID</span> <span class="mi">7311328</span> <span class="n">auth</span><span class="o">.</span><span class="n">notice</span><span class="o">]</span> <span class="ss">pam_unix_account</span><span class="p">:</span> <span class="n">sshd</span><span class="o">-</span><span class="n">pubkey</span> <span class="n">attempting</span> <span class="n">to</span> <span class="n">validate</span> <span class="n">locked</span> <span class="n">account</span> <span class="n">johnny</span> <span class="n">from</span> <span class="mi">10</span><span class="o">.</span><span class="mi">1</span><span class="o">.</span><span class="mi">1</span><span class="o">.</span><span class="mi">50</span> <span class="no">Jan</span> <span class="mi">8</span> <span class="mi">18</span><span class="p">:</span><span class="mi">29</span><span class="p">:</span><span class="mi">48</span> <span class="n">zfs</span><span class="o">-</span><span class="n">server</span> <span class="n">sshd</span><span class="o">[</span><span class="mi">6387</span><span class="o">]</span><span class="p">:</span> <span class="o">[</span><span class="no">ID</span> <span class="mi">8000347</span> <span class="n">auth</span><span class="o">.</span><span class="n">notice</span><span class="o">]</span> <span class="no">Failed</span> <span class="n">publickey</span> <span class="k">for</span> <span class="n">johnny</span> <span class="n">from</span> <span class="mi">10</span><span class="o">.</span><span class="mi">1</span><span class="o">.</span><span class="mi">1</span><span class="o">.</span><span class="mi">50</span> <span class="n">port</span> <span class="mi">64885</span> <span class="n">ssh2</span></code></pre></figure> See that, it looks like the account was just locked out! Pretty easy to fix this:<br /> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">passwd</span> <span class="o">-</span><span class="n">u</span> <span class="n">johnny</span></code></pre></figure> That's all it took, hope this helps another admin, if so please feel to let others know in the comments below. </p> Wed, 08 Jan 2014 13:46:56 -0800 http://darktraining.com/2014/01/08/Openindiana-Public-key-SSH-issue/ http://darktraining.com/2014/01/08/Openindiana-Public-key-SSH-issue/ solaris openindiana How to kill your camera in Mavericks <p>There have been a number of "fun" viruses and other code as of late that try to use your camera in your apple computer. A while back a group of folks at <a href="http://techslaves.org">techslaves.org</a> created a tool that would disable the ichat camera (that little camera in your macbook or iMac). The problem is that they have not updated their code in a while and there was not really a good solution for Mavericks.</p> <p>Today that changes, I'm releasing the following simple script that should help Mavericks users disable their cameras. You can download the file <a href="http://darktraining.com/kill-cam.zip">here</a>. </p> <p>To use the script, simply download the file, then open Applications &gt; Utilities &gt; Terminal.</p> <p>In terminal just type:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">cd</span> <span class="o">~</span><span class="sr">/Downloads</span> <span class="sr">unzip kill-cam.zip</span> <span class="sr">chmod 755 kill-cam.sh</span> <span class="sr">./</span><span class="n">kill</span><span class="o">-</span><span class="n">cam</span><span class="o">.</span><span class="n">sh</span></code></pre></figure> <p>This will prompt you to press either "1" or "2" depending on if you want to enable or disable the camera. </p> <p>If you want to change (read re-enable) your camera, all you need to do is launch terminal again and type:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">cd</span> <span class="o">~</span><span class="sr">/Downloads</span> <span class="sr">./</span><span class="n">kill</span><span class="o">-</span><span class="n">cam</span><span class="o">.</span><span class="n">sh</span></code></pre></figure> <p>Then select "2".</p> <p>Leave a comment below and let me know if this works for you in 10.9.</p> <p>For the un-trusting type (like me) here is the script:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="ch">#!/bin/bash</span> <span class="n">declare</span> <span class="o">-</span><span class="n">a</span> <span class="n">arr</span><span class="o">=</span><span class="p">(</span><span class="sr">/Library/</span><span class="no">CoreMediaIO</span><span class="o">/</span><span class="no">Plug</span><span class="o">-</span><span class="no">Ins</span><span class="o">/</span><span class="no">DAL</span><span class="o">/</span><span class="no">AppleCamera</span><span class="o">.</span><span class="n">plugin</span><span class="o">/</span><span class="no">Contents</span><span class="o">/</span><span class="no">MacOS</span><span class="o">/</span><span class="no">AppleCamera</span> <span class="sr">/Library/</span><span class="no">CoreMediaIO</span><span class="o">/</span><span class="no">Plug</span><span class="o">-</span><span class="no">Ins</span><span class="o">/</span><span class="no">FCP</span><span class="o">-</span><span class="no">DAL</span><span class="o">/</span><span class="no">AppleCamera</span><span class="o">.</span><span class="n">plugin</span><span class="o">/</span><span class="no">Contents</span><span class="o">/</span><span class="no">MacOS</span><span class="o">/</span><span class="no">AppleCamera</span> <span class="sr">/System/</span><span class="no">Library</span><span class="o">/</span><span class="no">Frameworks</span><span class="o">/</span><span class="no">CoreMediaIO</span><span class="o">.</span><span class="n">framework</span><span class="o">/</span><span class="no">Versions</span><span class="o">/</span><span class="n">A</span><span class="o">/</span><span class="no">Resources</span><span class="o">/</span><span class="no">VDC</span><span class="o">.</span><span class="n">plugin</span><span class="o">/</span><span class="no">Contents</span><span class="o">/</span><span class="no">MacOS</span><span class="o">/</span><span class="no">VDC</span><span class="p">)</span> <span class="n">trigger</span> <span class="p">()</span> <span class="p">{</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="err">$</span><span class="p">{</span><span class="n">arr</span><span class="o">[</span><span class="err">@</span><span class="o">]</span><span class="p">};</span> <span class="k">do</span> <span class="n">sudo</span> <span class="n">chmod</span> <span class="vg">$1</span> <span class="vg">$i</span> <span class="n">done</span> <span class="p">}</span> <span class="nb">printf</span> <span class="s2">&quot;(1) Kill camera </span><span class="se">\n</span><span class="s2">(2)enable camera </span><span class="se">\n</span><span class="s2">&quot;</span> <span class="n">read</span> <span class="n">coms</span> <span class="k">if</span> <span class="o">[</span> <span class="vg">$coms</span> <span class="o">-</span><span class="n">eq</span> <span class="mi">1</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="n">trigger</span> <span class="mo">000</span><span class="p">;</span> <span class="k">else</span> <span class="n">trigger</span> <span class="mi">755</span><span class="p">;</span> <span class="n">fi</span></code></pre></figure> Thu, 02 Jan 2014 11:26:18 -0800 http://darktraining.com/2014/01/02/How-to-kill-your-camera-in-Mavericks/ http://darktraining.com/2014/01/02/How-to-kill-your-camera-in-Mavericks/ security mac Install Puppet on CentOS 6.4 <p>Installing Puppet on CentOS 6.4</p> <p>Before I start I want to give credit to this site for starting me off in the right direction. His/Her instructions ALMOST work, but fail to finish the job for Centos 6.4 and Puppet 3.x. <a href="http://www.6tech.org/2013/01/how-to-install-puppet-open-source-on-centos-6-3/">6tech.org</a></p> <p>Before we start, there are assumptions being made. First, you are starting from a vanilla minimal install of CentOS 6.4. Secound, when I say "FQDN" that means replace that with the fully qualified domain name of the host. IE Server.internal.net</p> <p>First you need to grab the appropriate puppet installer for your OS (x86_64 or i386)</p> <p>http://yum.puppetlabs.com/el/6/products/</p> <p>wget http://yum.puppetlabs.com/el/6/products/x86_64/puppetlabs-release-6-7.noarch.rpm</p> <p>or </p> <p>wget http://yum.puppetlabs.com/el/6/products/i386/puppetlabs-release-6-7.noarch.rpm</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span></span>rpm -ivh puppetlabs-release-6-7.noarch.rpm yum clean all yum update</code></pre></figure> <p>Now lets get everything for the install:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">yum</span> <span class="n">groupinstall</span> <span class="s2">&quot;Development tools&quot;</span> <span class="n">yum</span> <span class="n">install</span> <span class="o">-</span><span class="n">y</span> <span class="n">httpd</span> <span class="n">httpd</span><span class="o">-</span><span class="n">devel</span> <span class="n">mod_ssl</span> <span class="n">ruby</span><span class="o">-</span><span class="n">devel</span> <span class="n">rubygems</span> <span class="n">gcc</span><span class="o">-</span><span class="n">c</span><span class="o">++</span> <span class="n">curl</span><span class="o">-</span><span class="n">devel</span> <span class="n">zlib</span><span class="o">-</span><span class="n">devel</span> <span class="n">openssl</span><span class="o">-</span><span class="n">devel</span> <span class="n">puppet</span><span class="o">-</span><span class="n">server</span></code></pre></figure> <p>Now start the Puppet-Server</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="sr">/etc/ini</span><span class="n">t</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">puppetmaster</span> <span class="n">start</span></code></pre></figure> <p>Set Puppet Master to run on start-up</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">puppet</span> <span class="n">resource</span> <span class="n">service</span> <span class="n">puppetmaster</span> <span class="k">ensure</span><span class="o">=</span><span class="n">running</span> <span class="n">enable</span><span class="o">=</span><span class="kp">true</span></code></pre></figure> <p>Configure Puppet and Apache server:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">vim</span> <span class="sr">/etc/</span><span class="n">httpd</span><span class="o">/</span><span class="n">conf</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">puppetmaster</span><span class="o">.</span><span class="n">conf</span> <span class="no">Replace</span> <span class="s2">&quot;your-fqdn&quot;</span><span class="o">.</span> <span class="no">With</span> <span class="n">your</span> <span class="n">servers</span> <span class="n">fully</span> <span class="n">qualified</span> <span class="n">domain</span> <span class="nb">name</span> <span class="c1"># RHEL/CentOS:</span> <span class="no">LoadModule</span> <span class="n">passenger_module</span> <span class="sr">/usr/</span><span class="n">lib</span><span class="o">/</span><span class="n">ruby</span><span class="o">/</span><span class="n">gems</span><span class="o">/</span><span class="mi">1</span><span class="o">.</span><span class="mi">8</span><span class="o">/</span><span class="n">gems</span><span class="o">/</span><span class="n">passenger</span><span class="o">-</span><span class="mi">3</span><span class="o">.</span><span class="mi">0</span><span class="o">.</span><span class="mi">19</span><span class="o">/</span><span class="n">ext</span><span class="o">/</span><span class="n">apache2</span><span class="o">/</span><span class="n">mod_passenger</span><span class="o">.</span><span class="n">so</span> <span class="no">PassengerRoot</span> <span class="sr">/usr/</span><span class="n">lib</span><span class="o">/</span><span class="n">ruby</span><span class="o">/</span><span class="n">gems</span><span class="o">/</span><span class="mi">1</span><span class="o">.</span><span class="mi">8</span><span class="o">/</span><span class="n">gems</span><span class="o">/</span><span class="n">passenger</span><span class="o">-</span><span class="mi">3</span><span class="o">.</span><span class="mi">0</span><span class="o">.</span><span class="mi">19</span> <span class="no">PassengerRuby</span> <span class="sr">/usr/</span><span class="n">bin</span><span class="o">/</span><span class="n">ruby</span> <span class="c1"># And the passenger performance tuning settings:</span> <span class="no">PassengerHighPerformance</span> <span class="no">On</span> <span class="no">PassengerUseGlobalQueue</span> <span class="no">On</span> <span class="c1"># Set this to about 1.5 times the number of CPU cores in your master:</span> <span class="no">PassengerMaxPoolSize</span> <span class="mi">6</span> <span class="c1"># Recycle master processes after they service 1000 requests</span> <span class="no">PassengerMaxRequests</span> <span class="mi">1000</span> <span class="c1"># Stop processes if they sit idle for 10 minutes</span> <span class="no">PassengerPoolIdleTime</span> <span class="mi">600</span> <span class="no">Listen</span> <span class="mi">8140</span> <span class="o">&lt;</span><span class="no">VirtualHost</span> <span class="o">*</span><span class="p">:</span><span class="mi">8140</span><span class="o">&gt;</span> <span class="no">SSLEngine</span> <span class="no">On</span> <span class="c1"># Only allow high security cryptography. Alter if needed for compatibility.</span> <span class="no">SSLProtocol</span> <span class="no">All</span> <span class="o">-</span><span class="no">SSLv2</span> <span class="no">SSLCipherSuite</span> <span class="ss">HIGH</span><span class="p">:</span><span class="o">!</span><span class="ss">ADH</span><span class="p">:</span><span class="no">RC4</span><span class="o">+</span><span class="ss">RSA</span><span class="p">:</span><span class="o">-</span><span class="ss">MEDIUM</span><span class="p">:</span><span class="o">-</span><span class="ss">LOW</span><span class="p">:</span><span class="o">-</span><span class="no">EXP</span> <span class="no">SSLCertificateFile</span> <span class="sr">/var/</span><span class="n">lib</span><span class="o">/</span><span class="n">puppet</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">certs</span><span class="o">/&lt;</span><span class="n">strong</span><span class="o">&gt;&lt;</span><span class="n">your</span><span class="o">-</span><span class="n">fqdn</span><span class="p">\</span><span class="o">&gt;&lt;</span><span class="sr">/strong&gt;.pem</span> <span class="sr"> SSLCertificateKeyFile /</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">puppet</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">private_keys</span><span class="o">/&lt;</span><span class="n">strong</span><span class="o">&gt;&lt;</span><span class="n">your</span><span class="o">-</span><span class="n">fqdn</span><span class="o">&gt;&lt;</span><span class="sr">/strong&gt;.pem</span> <span class="sr"> SSLCertificateChainFile /</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">puppet</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">ca</span><span class="o">/</span><span class="n">ca_crt</span><span class="o">.</span><span class="n">pem</span> <span class="no">SSLCACertificateFile</span> <span class="sr">/var/</span><span class="n">lib</span><span class="o">/</span><span class="n">puppet</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">ca</span><span class="o">/</span><span class="n">ca_crt</span><span class="o">.</span><span class="n">pem</span> <span class="no">SSLCARevocationFile</span> <span class="sr">/var/</span><span class="n">lib</span><span class="o">/</span><span class="n">puppet</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">ca</span><span class="o">/</span><span class="n">ca_crl</span><span class="o">.</span><span class="n">pem</span> <span class="no">SSLVerifyClient</span> <span class="n">optional</span> <span class="no">SSLVerifyDepth</span> <span class="mi">1</span> <span class="no">SSLOptions</span> <span class="o">+</span><span class="no">StdEnvVars</span> <span class="o">+</span><span class="no">ExportCertData</span> <span class="c1"># These request headers are used to pass the client certificate</span> <span class="c1"># authentication information on to the puppet master process</span> <span class="no">RequestHeader</span> <span class="n">set</span> <span class="n">X</span><span class="o">-</span><span class="no">SSL</span><span class="o">-</span><span class="no">Subject</span> <span class="sx">%{SSL_CLIENT_S_DN}</span><span class="n">e</span> <span class="no">RequestHeader</span> <span class="n">set</span> <span class="n">X</span><span class="o">-</span><span class="no">Client</span><span class="o">-</span><span class="no">DN</span> <span class="sx">%{SSL_CLIENT_S_DN}</span><span class="n">e</span> <span class="no">RequestHeader</span> <span class="n">set</span> <span class="n">X</span><span class="o">-</span><span class="no">Client</span><span class="o">-</span><span class="no">Verify</span> <span class="sx">%{SSL_CLIENT_VERIFY}</span><span class="n">e</span> <span class="no">RackAutoDetect</span> <span class="no">On</span> <span class="no">DocumentRoot</span> <span class="sr">/usr/s</span><span class="n">hare</span><span class="o">/</span><span class="n">puppet</span><span class="o">/</span><span class="n">rack</span><span class="o">/</span><span class="n">puppetmasterd</span><span class="o">/</span><span class="kp">public</span><span class="o">/</span> <span class="o">&lt;</span><span class="no">Directory</span> <span class="sr">/usr/s</span><span class="n">hare</span><span class="o">/</span><span class="n">puppet</span><span class="o">/</span><span class="n">rack</span><span class="o">/</span><span class="n">puppetmasterd</span><span class="o">/&gt;</span> <span class="no">Options</span> <span class="no">None</span> <span class="no">AllowOverride</span> <span class="no">None</span> <span class="no">Order</span> <span class="no">Allow</span><span class="p">,</span><span class="no">Deny</span> <span class="no">Allow</span> <span class="n">from</span> <span class="no">All</span> <span class="o">&lt;</span><span class="sr">/Directory&gt;</span> <span class="sr">&lt;/</span><span class="no">VirtualHost</span><span class="o">&gt;</span></code></pre></figure> <p>Start up Apache:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">etc</span><span class="o">/</span><span class="n">init</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">httpd</span> <span class="n">restart</span></code></pre></figure> <p>Disable WEBrick and enable Apache on boot:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">chkconfig</span> <span class="n">puppetmaster</span> <span class="n">off</span> <span class="n">chkconfig</span> <span class="n">httpd</span> <span class="n">on</span></code></pre></figure> <p>Make sure the port is open and it’s listening:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">netstat</span> <span class="o">-</span><span class="n">ln</span> <span class="o">|</span> <span class="n">grep</span> <span class="mi">8140</span> <span class="mi">1</span> <span class="n">tcp</span> <span class="mi">0</span> <span class="mi">0</span> <span class="mi">0</span><span class="o">.</span><span class="mi">0</span><span class="o">.</span><span class="mi">0</span><span class="o">.</span><span class="mi">0</span><span class="p">:</span><span class="mi">8140</span> <span class="mi">0</span><span class="o">.</span><span class="mi">0</span><span class="o">.</span><span class="mi">0</span><span class="o">.</span><span class="mi">0</span><span class="ss">:*</span> <span class="no">LISTEN</span></code></pre></figure> <p>Set the server to auto-sign certs. (If you are worried about security, don't do this, use puppet cert --sign FQDN).</p> <p>*Append this to the end of the file</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">vim</span> <span class="sr">/etc/</span><span class="n">puppet</span><span class="o">/</span><span class="n">puppet</span><span class="o">.</span><span class="n">conf</span> <span class="o">[</span><span class="n">master</span><span class="o">]</span> <span class="n">certname</span> <span class="o">=</span> <span class="n">puppet</span><span class="o">-</span><span class="n">server</span> <span class="c1">#Use the FQDN here</span> <span class="n">autosign</span> <span class="o">=</span> <span class="kp">true</span></code></pre></figure> <h2>Client Node install</h2> <p>Add the puppet labs repo</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">rpm</span> <span class="o">-</span><span class="n">ivh</span> <span class="ss">http</span><span class="p">:</span><span class="sr">//</span><span class="n">yum</span><span class="o">.</span><span class="n">puppetlabs</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">el</span><span class="o">/</span><span class="mi">6</span><span class="o">/</span><span class="n">products</span><span class="o">/</span><span class="n">x86_64</span><span class="o">/</span><span class="n">puppetlabs</span><span class="o">-</span><span class="n">release</span><span class="o">-</span><span class="mi">6</span><span class="o">-</span><span class="mi">7</span><span class="o">.</span><span class="n">noarch</span><span class="o">.</span><span class="n">rpm</span></code></pre></figure> <p>Install the Puppet Client</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">yum</span> <span class="n">install</span> <span class="o">-</span><span class="n">y</span> <span class="n">puppet</span></code></pre></figure> <p>If you are not using DNS in your envrionment, you will need to manually edit your hosts file.</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">vim</span> <span class="sr">/etc/</span><span class="n">hosts</span> <span class="mi">192</span><span class="o">.</span><span class="mi">168</span><span class="o">.</span><span class="n">x</span><span class="o">.</span><span class="n">x</span> <span class="n">node</span> <span class="mi">192</span><span class="o">.</span><span class="mi">168</span><span class="o">.</span><span class="n">x</span><span class="o">.</span><span class="n">y</span> <span class="n">puppet</span><span class="o">-</span><span class="n">server</span></code></pre></figure> <p>Edit /etc/puppet/puppet.conf and add the agent variables:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">vim</span> <span class="sr">/etc/</span><span class="n">puppet</span><span class="o">/</span><span class="n">puppet</span><span class="o">.</span><span class="n">conf</span> <span class="c1"># In the [agent] section</span> <span class="n">server</span> <span class="o">=</span> <span class="n">puppet</span><span class="o">-</span><span class="n">server</span> <span class="c1">#Should be the FQDN!</span> <span class="n">report</span> <span class="o">=</span> <span class="kp">true</span> <span class="n">pluginsync</span> <span class="o">=</span> <span class="kp">true</span></code></pre></figure> <p>Set the puppet agent to run on boot:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">chkconfig</span> <span class="n">puppet</span> <span class="n">on</span> <span class="n">puppet</span> <span class="n">agent</span> <span class="o">--</span><span class="n">daemonize</span></code></pre></figure> <p>Now test the client:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">puppet</span> <span class="n">agent</span> <span class="o">--</span><span class="n">t</span></code></pre></figure> <p>That should connect you to the server which will automatically sign the cert. If you have opted to manually sign, you now need to go back to the server and run.</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">puppet</span> <span class="n">cert</span> <span class="o">--</span><span class="n">sign</span> <span class="no">FQDN</span></code></pre></figure> <p>Did this work for you? Let others know in the comments below!</p> Fri, 26 Apr 2013 10:54:05 -0700 http://darktraining.com/centos/2013/04/26/Install-puppet-on-centos-64/ http://darktraining.com/centos/2013/04/26/Install-puppet-on-centos-64/ centos puppet linux CentOS Installing NGINX on CentOS 6.4 <p>Installing NGINX is pretty easy on Cent, we just need to make the following changes.</p> <p>Create a new file called /etc/yum.repos.d/nginx.repo and append the following to it</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="o">[</span><span class="n">nginx</span><span class="o">]</span> <span class="nb">name</span><span class="o">=</span><span class="n">nginx</span> <span class="n">repo</span> <span class="n">baseurl</span><span class="o">=</span><span class="ss">http</span><span class="p">:</span><span class="sr">//n</span><span class="n">ginx</span><span class="o">.</span><span class="n">org</span><span class="o">/</span><span class="n">packages</span><span class="o">/</span><span class="n">centos</span><span class="o">/</span><span class="vg">$releasever</span><span class="o">/</span><span class="vg">$basearch</span><span class="o">/</span> <span class="n">gpgcheck</span><span class="o">=</span><span class="mi">0</span> <span class="n">enabled</span><span class="o">=</span><span class="mi">1</span></code></pre></figure> <p>Now run yum update and then yum install nginx</p> <p>Tada!</p> <p>If this was helpful, let others know in the comments below.</p> Thu, 04 Apr 2013 12:04:39 -0700 http://darktraining.com/2013/04/04/Installing-NGINX-on-CentOS-6.4/ http://darktraining.com/2013/04/04/Installing-NGINX-on-CentOS-6.4/ nginx centos linux Install Nagios 3.5 on CentOS 6.4 <p>Below I am going to outline how to install Nagios 3.5.0 on CentOS 6.4 from source. I'm assuming that you are starting from a clean minimal install of CentOS</p> <p>Ok first lets get the needed packages</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">yum</span> <span class="n">install</span> <span class="n">wget</span> <span class="n">httpd</span> <span class="n">php</span> <span class="n">gcc</span> <span class="n">glibc</span> <span class="n">glibc</span><span class="o">-</span><span class="n">common</span> <span class="n">gd</span> <span class="n">gd</span><span class="o">-</span><span class="n">devel</span> <span class="n">make</span> <span class="n">net</span><span class="o">-</span><span class="n">snmp</span> <span class="n">libssl</span><span class="o">-</span><span class="n">dev</span> <span class="n">openssl</span><span class="o">*</span> <span class="n">wget</span> <span class="n">policycoreutils</span><span class="o">-</span><span class="n">python</span></code></pre></figure> <p>Now lets get nagios and it's plugins, at this time the link below was the most up to date, but you can verify this by omitting the data after the last trailing slash.</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">cd</span> <span class="sr">/tmp</span> <span class="sr">wget http:/</span><span class="o">/</span><span class="n">prdownloads</span><span class="o">.</span><span class="n">sourceforge</span><span class="o">.</span><span class="n">net</span><span class="o">/</span><span class="n">sourceforge</span><span class="o">/</span><span class="n">nagios</span><span class="o">/</span><span class="n">nagios</span><span class="o">-</span><span class="mi">3</span><span class="o">.</span><span class="mi">5</span><span class="o">.</span><span class="mi">0</span><span class="o">.</span><span class="n">tar</span><span class="o">.</span><span class="n">gz</span> <span class="n">wget</span> <span class="ss">http</span><span class="p">:</span><span class="sr">//sou</span><span class="n">rceforge</span><span class="o">.</span><span class="n">net</span><span class="o">/</span><span class="n">projects</span><span class="o">/</span><span class="n">nagiosplug</span><span class="o">/</span><span class="n">files</span><span class="o">/</span><span class="n">nagiosplug</span><span class="o">/</span><span class="mi">1</span><span class="o">.</span><span class="mi">4</span><span class="o">.</span><span class="mi">16</span><span class="o">/</span><span class="n">nagios</span><span class="o">-</span><span class="n">plugins</span><span class="o">-</span><span class="mi">1</span><span class="o">.</span><span class="mi">4</span><span class="o">.</span><span class="mi">16</span><span class="o">.</span><span class="n">tar</span><span class="o">.</span><span class="n">gz</span></code></pre></figure> <p>Now unpack and lets start with Nagios fist:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">gunzip</span> <span class="o">*.</span><span class="n">gz</span> <span class="n">tar</span> <span class="n">xf</span> <span class="n">nagios</span><span class="o">-</span><span class="mi">3</span><span class="o">.</span><span class="mi">5</span><span class="o">.</span><span class="mi">0</span><span class="o">.</span><span class="n">tar</span> <span class="n">cd</span> <span class="n">nagios</span> <span class="sr">/usr/s</span><span class="n">bin</span><span class="o">/</span><span class="n">adduser</span> <span class="n">nagios</span> <span class="sr">/usr/s</span><span class="n">bin</span><span class="o">/</span><span class="n">groupadd</span> <span class="n">nagcmd</span> <span class="n">usermod</span> <span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">G</span> <span class="n">nagcmd</span> <span class="n">nagios</span> <span class="o">.</span><span class="n n-Operator">/</span><span class="n">configure</span> <span class="o">--</span><span class="n">with</span><span class="o">-</span><span class="n">command</span><span class="o">-</span><span class="n">group</span><span class="o">=</span><span class="n">nagcmd</span> <span class="n">make</span> <span class="n">all</span> <span class="n">make</span> <span class="n">install</span> <span class="n">make</span> <span class="n">install</span><span class="o">-</span><span class="n">init</span> <span class="n">make</span> <span class="n">install</span><span class="o">-</span><span class="n">config</span> <span class="n">make</span> <span class="n">install</span><span class="o">-</span><span class="n">commandmode</span> <span class="n">make</span> <span class="n">install</span><span class="o">-</span><span class="n">webconf</span> <span class="n">chkconfig</span> <span class="o">--</span><span class="n">add</span> <span class="n">nagios</span> <span class="n">chkconfig</span> <span class="o">--</span><span class="n">level</span> <span class="mi">35</span> <span class="n">nagios</span> <span class="n">on</span> <span class="n">chkconfig</span> <span class="o">--</span><span class="n">add</span> <span class="n">httpd</span> <span class="n">chkconfig</span> <span class="o">--</span><span class="n">level</span> <span class="mi">35</span> <span class="n">httpd</span> <span class="n">on</span> <span class="c1">#Create a nagios login</span> <span class="n">htpasswd</span> <span class="o">-</span><span class="n">c</span> <span class="sr">/usr/</span><span class="n">local</span><span class="o">/</span><span class="n">nagios</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">htpasswd</span><span class="o">.</span><span class="n">users</span> <span class="n">nagiosadmin</span></code></pre></figure> <p>Now lets get those plugins working.</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">cd</span> <span class="sr">/tmp</span> <span class="sr">tar xf nagios-plugins-1.4.16.tar</span> <span class="sr">cd nagios-plugins-1.4.16</span> <span class="sr">./</span><span class="n">configure</span> <span class="o">--</span><span class="n">with</span><span class="o">-</span><span class="n">nagios</span><span class="o">-</span><span class="n">user</span><span class="o">=</span><span class="n">nagios</span> <span class="o">--</span><span class="n">with</span><span class="o">-</span><span class="n">nagios</span><span class="o">-</span><span class="n">group</span><span class="o">=</span><span class="n">nagios</span> <span class="n">make</span> <span class="n">make</span> <span class="n">install</span></code></pre></figure> <p>Now check your base build, if you get any errors, you will need to fix them first</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="sr">/usr/</span><span class="n">local</span><span class="o">/</span><span class="n">nagios</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">nagios</span> <span class="o">-</span><span class="n">v</span> <span class="sr">/usr/</span><span class="n">local</span><span class="o">/</span><span class="n">nagios</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">nagios</span><span class="o">.</span><span class="n">cfg</span></code></pre></figure> <p>Now start it up</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">service</span> <span class="n">nagios</span> <span class="n">start</span> <span class="n">service</span> <span class="n">httpd</span> <span class="n">start</span> <span class="c1">#Add port 80 to your iptables</span> <span class="n">vi</span> <span class="sr">/etc/s</span><span class="n">ysconfig</span><span class="o">/</span><span class="n">iptables</span> <span class="o">-</span><span class="n">A</span> <span class="no">INPUT</span> <span class="o">-</span><span class="n">m</span> <span class="n">state</span> <span class="o">--</span><span class="n">state</span> <span class="no">NEW</span> <span class="o">-</span><span class="n">m</span> <span class="n">tcp</span> <span class="o">-</span><span class="nb">p</span> <span class="n">tcp</span> <span class="o">--</span><span class="n">dport</span> <span class="mi">80</span> <span class="o">-</span><span class="n">j</span> <span class="no">ACCEPT</span> <span class="c1">#Now restart</span> <span class="n">service</span> <span class="n">iptables</span> <span class="n">restart</span></code></pre></figure> <p>Now, here is where I want to strangle most other websites... DO NOT disable selinux! It's dumb to not just properly configure it! Below I will help you to authorize Nagios in SElinux.</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">chcon</span> <span class="o">-</span><span class="n">R</span> <span class="o">-</span><span class="n">t</span> <span class="n">httpd_sys_content_t</span> <span class="sr">/usr/</span><span class="n">local</span><span class="o">/</span><span class="n">nagios</span> <span class="n">set</span> <span class="n">enforce</span> <span class="mi">0</span> <span class="n">chcon</span> <span class="o">-</span><span class="n">R</span> <span class="o">-</span><span class="n">t</span> <span class="n">httpd_sys_script_t</span> <span class="sr">/usr/</span><span class="n">local</span><span class="o">/</span><span class="n">nagios</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">rw</span><span class="o">/</span><span class="n">nagios</span><span class="o">.</span><span class="n">cmd</span> <span class="n">set</span> <span class="n">enforce</span> <span class="mi">1</span></code></pre></figure> <p>If you find that you are getting blocked cmd in nagios, run the following to fix it.</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span></span><span class="n">grep</span> <span class="n">denied</span> <span class="sr">/var/</span><span class="n">log</span><span class="o">/</span><span class="n">audit</span><span class="o">/</span><span class="n">audit</span><span class="o">.</span><span class="n">log</span> <span class="o">|</span><span class="n">audit2why</span> <span class="n">audit2allow</span> <span class="o">-</span><span class="n">a</span> <span class="c1">#For each context header (IE httpd_sys_script_t) run</span> <span class="n">audit2allow</span> <span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">M</span> <span class="n">httpd_sys_script_t</span> <span class="c1">#Then activate each header</span> <span class="n">semodule</span> <span class="o">-</span><span class="n">i</span> <span class="n">httpd_sys_script_t</span><span class="o">.</span><span class="n">pp</span> <span class="c1">#repeat </span></code></pre></figure> <p>That should do it, to add hosts, you need to edit the files in /usr/local/nagios/etc/objects/</p> <p>If this was helpful, please let others know in the comments below!</p> Thu, 04 Apr 2013 10:51:50 -0700 http://darktraining.com/2013/04/04/Install-Nagios-3.5-on-CentOS-6.4/ http://darktraining.com/2013/04/04/Install-Nagios-3.5-on-CentOS-6.4/ nagios centos