Snort Inline on CentOS

Monday, 3. August 2015

I have been wanting to set up Snort on a CentOS based firewall for a while and I finally got around to it.  The good thing is I finally got it working thanks to a blog post by Dennis Panagiotopoulos here; I have confirmed this works for CentOS 6.6 and 7.1.  The problem was getting Snort to run inline.  I was unable to find anything on getting this to work correctly.  So here is what I had to do in addition to Dennis's blog post:


Create a CA

Saturday, 8. January 2011

I was tired of having all these invalid or untrusted certs on my network applications and devices, so I decided to load up a CentOS box with OpenSSL and make my own Certificate Authority (CA).  See the steps after the jump.

OpenFiler as Fiber Channel Target

Monday, 24. May 2010

I wanted to post my findings on how to use OpenFiler as a Fiber Channel SAN.  This process isn't documented as well as I had hoped; the OpenFiler forums helped a lot but were still lacking.  This post goes from a blank box to a Fiber Channel LUN being presented by OpenFiler.  My goal was a faster SAN: I was using iSCSI, but it just didn't meet my expectations.  For the SAN I am using a QLogic QLA-2342 fiber card and a Brocade Silkworm 3200 fiber switch.

  1. Download the latest version of OpenFiler.  In this example I used 2.3.
  2. Install OpenFiler without the fiber channel card installed.
  3. Once installed, update OpenFiler using conary updateall.
  4. Reboot once the updates have completed and make sure everything is working ok.
  5. Shut down the machine and install the fiber card.
  6. Get the WWN of the fiber card port(s) by showing the content of /sys/class/fc_host/hostX/port_name
    cat /sys/class/fc_host/hostX/port_name
    NOTE: X in hostX is the number of the adapter.  If there is more than one port, check all the WWNs.
  7. Edit /etc/init.d/scst and change the chkconfig line to # chkconfig: - 99 36
  8. Have the scst service run on startup with chkconfig scst on
  9. Start the scst service.  service scst start
  10. Write the blank config to file with scstadmin --writeconfig /etc/scst.conf
  11. Create a logical volume for the LUN.
    1. In this example we added a drive just for data, /dev/sdb; these steps prepare the drive to hold logical volumes for LUNs.  First get the geometry of the disk
      parted /dev/sdb print
    2. Label the disk
      parted /dev/sdb mklabel msdos
    3. Create the partition; 0.000 is the beginning and 1907328.000 is the end of the geometry from step 1
      parted /dev/sdb mkpart primary 0.000 1907328.000
    4. Enable lvm
      parted /dev/sdb set 1 lvm on
    5. Create the physical volume
      pvcreate /dev/sdb1
    6. Create the volume group; luns is the example name of the group
      vgcreate luns /dev/sdb1
    7. Create the logical volume; 50G is the size in GB, lun1 is the name of the logical volume and luns is the group
      lvcreate -L 50G -n lun1 luns
  12. Edit /etc/scst.conf.  vim /etc/scst.conf
    1. Under [TARGETS disable], move the HOST entries to [TARGETS enable].  NOTE: The HOST entry WWN should match the WWN(s) from step 6.
    2. Under [HANDLER vdisk] add the logical volume created in step 11.
      DEVICE lun1,/dev/luns/lun1,WRITE_THROUGH,512
    3. Under [GROUP Default] add the USER WWN.  This is the server you want to be able to access the LUN.
      USER 21:00:00:1b:32:17:87:7e
    4. Under [ASSIGNMENT Default] add DEVICE followed by the device created in step 12.2 and then the LUN number for the device.
      DEVICE lun1,0
  13. Edit /etc/modprobe.conf with vim /etc/modprobe.conf and change qla2xxx to qla2x00tgt
  14. Reboot the OpenFiler machine; when it starts, the LUN should be presented to the server.
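Steps 6 and 12 put together as an added example (not code from the original post or the SCST project): a POSIX shell script that reads the target port WWNs from sysfs and emits the legacy scstadmin-style /etc/scst.conf, with the LUN visible only to the one initiator WWN on the USER line. The sysfs root, device names and every WWN are parameters or constructed values, so it can be run against a fake tree.

```shell
# Added example, not from the original post or the SCST project: build the
# legacy scstadmin-style /etc/scst.conf from step 12 using the target port WWNs
# found in step 6. The sysfs root, device names and all WWNs are parameters or
# constructed values.

# Print each target port WWN under <sysfs_root>/class/fc_host as aa:bb:...:hh.
list_target_wwns() {
    for f in "$1"/class/fc_host/host*/port_name; do
        [ -r "$f" ] || continue
        # sysfs gives 0x210000e08b1a2b3c; strip the 0x and insert colons.
        sed -e 's/^0x//' -e 's/\(..\)/\1:/g' -e 's/:$//' "$f"
    done
}

# Usage: gen_scst_conf <sysfs_root> <lv_path> <device_name> <initiator_wwn>
gen_scst_conf() {
    sysfs_root="$1"; lv_path="$2"; dev="$3"; initiator="$4"
    # The USER line is the only thing limiting who sees the LUN: insist on a
    # complete 8-octet WWN instead of silently writing a broken group.
    echo "$initiator" | grep -Eq '^([0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$' \
        || { echo "bad initiator WWN: $initiator" >&2; return 1; }
    wwns=$(list_target_wwns "$sysfs_root")
    [ -n "$wwns" ] || { echo "no fc_host ports under $sysfs_root" >&2; return 1; }
    printf '[HANDLER vdisk]\nDEVICE %s,%s,WRITE_THROUGH,512\n\n' "$dev" "$lv_path"
    printf '[GROUP Default]\nUSER %s\n\n' "$initiator"
    printf '[ASSIGNMENT Default]\nDEVICE %s,0\n\n' "$dev"
    printf '[TARGETS enable]\n'
    echo "$wwns" | while read -r w; do printf 'HOST %s\n' "$w"; done
    printf '\n[TARGETS disable]\n'
}
```

Redirect the output of gen_scst_conf to /etc/scst.conf on the OpenFiler box once the printed HOST lines match what step 6 showed.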

XenServer – Change Bonding Mode

Thursday, 13. August 2009

By default XenServer 5.5 uses source-based ARP load balancing (balance-slb or mode 7) for bonding.  If this needs to be changed to a different mode, all that is needed is to edit the file /opt/xensource/libexec/interface-reconfigure on line 863.  Do this using the following command:

vi /opt/xensource/libexec/interface-reconfigure +863

Once there, the value for mode can be changed from "balance-slb" to any supported mode.  Here is a list of the modes:

balance-rr
active-backup
balance-xor
broadcast
802.3ad
balance-tlb
balance-alb
balance-slb

See Linux Channel Bonding for more information on the types of bond modes.  Unfortunately I could not find much information on balance-slb.

To check if the bond mode change worked correctly run

cat /proc/net/bonding/bond<bondnumber>

Run ifconfig to find the bondnumber.

This will list the bond mode and the slave interfaces to the bond.
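An added check (not from the original post) that parses the /proc/net/bonding/bondN text from the cat command above, so a script can confirm the new mode took effect and notice a slave that is down. The file path is a parameter, so a constructed copy of that text can be checked offline; the mode strings the kernel prints are assumed from the standard bonding driver.

```shell
# Added example, not from the original post: parse /proc/net/bonding/bondN so
# the mode change can be confirmed and a downed slave is noticed. The path is a
# parameter so a constructed copy of the file can be checked offline.

# The descriptive mode string from the "Bonding Mode:" line.
bond_mode() {
    sed -n 's/^Bonding Mode: //p' "$1"
}

# Comma-separated list of slave interfaces.
bond_slaves() {
    sed -n 's/^Slave Interface: //p' "$1" | paste -s -d , -
}

# Print each slave whose own "MII Status:" is not "up"; exit 1 if any.
# The first "MII Status:" line belongs to the bond itself and is skipped.
bond_slaves_down() {
    awk '
        /^Slave Interface:/ { slave = $3 }
        /^MII Status:/ && slave != "" && $3 != "up" { print slave; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Overall check: the mode line contains the expected text and no slave is down.
check_bond() {
    file="$1"; expected="$2"
    case "$(bond_mode "$file")" in
        *"$expected"*) ;;
        *) echo "mode is '$(bond_mode "$file")', expected '$expected'" >&2; return 1 ;;
    esac
    down=$(bond_slaves_down "$file") || { echo "slaves down: $down" >&2; return 1; }
}
```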

Setup NFS Server

Tuesday, 28. July 2009

This is based on CentOS but should be very similar for other distros as well.

If NFS is not installed, install it

yum install nfs-utils

Have NFS start at startup

chkconfig nfs on

Create a directory to share

mkdir /nfs

Change the permissions on the directory to allow users to create and delete data

chmod 777 /nfs

Edit /etc/exports to share the NFS directory

vim /etc/exports

Add the following to allow the 192.168.0.0/24 subnet read/write access to /nfs

/nfs        192.168.0.0/24(rw)

Restart the nfs service

service nfs restart
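An added lint for the /etc/exports format used above (example code, not from the original post): it flags any export wider than the 192.168.0.0/24(rw) line, namely a missing or wildcard client, the classic "host (options)" typo with a space that exports to everyone, no_root_squash, and insecure. The file path is a parameter so a constructed exports file can be checked offline.

```shell
# Added example, not from the original post: lint an /etc/exports file and
# report exports that are wider than "192.168.0.0/24(rw)". Exit status is
# non-zero when anything is flagged. The path is a parameter so a constructed
# file can be checked offline.
lint_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
        {
            path = $1
            if (NF < 2) { print path ": no client given, exported to everyone"; bad = 1; next }
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                # Split "host(opt,opt)" into host and options.
                if (match(host, /\(.*\)$/)) {
                    opts = substr(host, RSTART + 1, RLENGTH - 2)
                    host = substr(host, 1, RSTART - 1)
                }
                # "(rw)" with no host, or "*", applies to every client. A stray
                # space between host and options ("host (rw)") produces exactly this.
                if (host == "" || host == "*")
                    { print path ": wildcard client " $i; bad = 1 }
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    { print path ": no_root_squash for " host; bad = 1 }
                if (opts ~ /(^|,)insecure(,|$)/)
                    { print path ": insecure for " host; bad = 1 }
            }
        }
        END { exit bad }
    ' "$1"
}
```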

SSH Without A Password

Wednesday, 8. July 2009


On the client generate a new RSA ssh key.

NOTE: When prompted for a passphrase, leave it blank (just hit enter).

ssh-keygen -t rsa

From the client, append the new key to the server's .ssh/authorized_keys file.

cat ~/.ssh/id_rsa.pub | ssh root@hostname_or_ip 'cat >> ~/.ssh/authorized_keys'

NOTE: Enter the root password on the server for the last time.

Now ssh into the server

ssh -l root hostname

It should log in without any prompt for a password.
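A stricter version of the append step, added here as example code rather than anything from the original post: it checks that the input really is a single public key, refuses to add the same key twice, prefixes the entry with a from="..." restriction so the passphrase-less key only works from the named client, and fixes the .ssh permissions. File paths and the client pattern are parameters; the key used in testing is constructed.

```shell
# Added example, not from the original post: append a public key to
# authorized_keys with a from="..." restriction, without duplicates, and with
# correct permissions. Paths and the client pattern are parameters.

# Usage: add_authorized_key <authorized_keys path> <pubkey file> <from pattern>
add_authorized_key() {
    akfile="$1"; pubkey="$2"; from="$3"
    line=$(head -n 1 "$pubkey")
    # Accept only "<type> <base64> [comment]" with a key type OpenSSH knows.
    echo "$line" | grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=*( |$)' \
        || { echo "$pubkey: not a public key" >&2; return 1; }
    keydata=$(echo "$line" | cut -d' ' -f2)
    akdir=$(dirname "$akfile")
    mkdir -p "$akdir"; chmod 700 "$akdir"
    touch "$akfile"; chmod 600 "$akfile"
    # Same key material already present (with or without options)? Do nothing.
    if grep -qF -- "$keydata" "$akfile"; then
        echo "key already present in $akfile" >&2
        return 0
    fi
    # from= limits where this key may log in from; the client address or host
    # pattern is whatever the caller passes.
    printf 'from="%s" %s\n' "$from" "$line" >> "$akfile"
}

# Number of key entries in an authorized_keys file (options prefix allowed).
count_authorized_keys() {
    grep -c -E '(^|[[:space:]])(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) ' "$1"
}
```

On the server this replaces the plain cat >> ~/.ssh/authorized_keys; the client then still logs in without a password, but only from the address given to from=.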

DD For Backups

Wednesday, 24. June 2009

I wanted a way to create a backup of my whole hard drive or just a partition of the drive.  In Windows I use Ghost or Acronis, but for Linux I wanted something free and easy to use.  DD is built into Linux and works great.  I like that it is possible to compress the image with gzip.  Here is how to do backups with DD.

Compressed Backup

dd if=/dev/hdx | gzip > /path/to/image.gz

Change hdx to the hard drive to back up.

Restore Backup of hard disk copy

From an uncompressed image:

dd if=/path/to/image of=/dev/hdx

From a compressed image:

gzip -dc /path/to/image.gz | dd of=/dev/hdx

MBR backup

Backup MBR and partition table.

dd if=/dev/hdx of=/path/to/image count=1 bs=512

MBR restore

dd if=/path/to/image of=/dev/hdx

Add "count=1 bs=446" to exclude the partition table from being written to the disk
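Added example (not from the original post) for the MBR steps: it sanity-checks a 512-byte image taken with count=1 bs=512 before anything is written back, and restores only the first 446 bytes so the partition table already on the target is kept, as the bs=446 note describes. The targets are plain files constructed in the test; the functions take a block device path the same way.

```shell
# Added example, not from the original post: verify a 512-byte MBR image and
# restore just the boot code. Image and target paths are parameters.

# 0 when the image is exactly 512 bytes and ends in the 0x55 0xAA signature.
mbr_image_ok() {
    img="$1"
    size=$(wc -c < "$img" | tr -d ' ')
    [ "$size" -eq 512 ] || { echo "$img: $size bytes, expected 512" >&2; return 1; }
    sig=$(dd if="$img" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "$img: missing 55AA boot signature" >&2; return 1; }
}

# Hex of the 64-byte partition table (bytes 446..509), for before/after comparison.
partition_table_hex() {
    dd if="$1" bs=1 skip=446 count=64 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Write only the 446 bytes of boot code. conv=notrunc matters when the target
# is a regular file: without it dd would truncate the file to 446 bytes.
restore_bootcode() {
    mbr_image_ok "$1" || return 1
    dd if="$1" of="$2" bs=446 count=1 conv=notrunc 2>/dev/null
}
```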