Linux Performance Co-Pilot with WebUI

Performance Co-Pilot allows sysadmins to collect and measure performance data from various systems; it comes in RPM packages for Red Hat 6 and 7

website http://pcp.io/

installing Performance Co-Pilot

the pcp packages come with several services, such as pmcd and pmlogger

pmcd: the performance metrics collector daemon

the pcp packages also come with many commands to gather information about the machine, like pmatop, pmstat, pminfo and pmval

pmatop is one of my favorite tools as it gives you the big picture

it shows information about disk, memory, cpu, network, processes, swap and lvm

pmstat shows loadavg, memory, swap, io, system and cpu; it takes -s (sample count: how many times it should collect the data) and -t for the time interval

pminfo lists all available metrics

let's use the metric network.interface.in.bytes to see how many bytes we receive on our interface

let's start pmlogger

the pmlogger service saves the log archives into /var/log/pcp/pmlogger/[hostname]/date-day

we can use pmval with the -a parameter to tell it to read from this archive, and give it the metric

we can give pmval a specific start and end time:

-S start time, -T end time

with an ISO-formatted date, for example -S '@ Wed Feb 25 05:01:00 2016' -T '@ Wed Feb 25 06:01:00 2016'

this will query the 2 hours from 5am Feb 25 2016 to 7am Feb 25 2016 for the metrics you like

now the fun part: pcp offers a real-time web monitor in different flavours and styles; one of the best is called vector.

first we need to install and run the pcp web service

check which port this service uses

access localhost:44323/vector

it shows nice metrics for disk IOPS, throughput, network packets and more

happy debugging folks

IPtables PREROUTING, POSTROUTING for mixed interfaces via DNAT & SNAT

hello world,

let's hit the point directly

1 – we have traffic coming from a source IP to our box and we need to route it to another destination (traffic forwarding)

2 – we have traffic coming from a source IP to our box and we need to route it to another destination (traffic forwarding) through a specified interface

phpMyAdmin no password dev env

if you set up your development environment with no mysql root password,

after you set up the phpmyadmin package it will greet you with this error:

Login without a password is forbidden by configuration (see AllowNoPassword)

to fix this error, edit the config: vi /etc/phpmyadmin/config.inc.php

find line 96: /* $cfg['Servers'][$i]['AllowNoPassword'] = TRUE;

remove the /* comment so the line reads

$cfg['Servers'][$i]['AllowNoPassword'] = TRUE;

now you will be able to log in without a password

Fix Mcrypt WARNING Ubuntu Server

today I faced a problem setting up the mcrypt module

I installed it via

when I tried to enable it via

I got this error:

root@ubuntu:/etc/php5/apache2/conf.d# php5enmod mcrypt
WARNING: Not enabling the mcrypt module for apache2 SAPI since module symlink
WARNING: already exists in /etc/php5/apache2/conf.d with different content.
WARNING: Not enabling the mcrypt module for cli SAPI since module symlink
WARNING: already exists in /etc/php5/cli/conf.d with different content.

to solve this, unlink the 20-mcrypt.ini inside these folders


Docker Containers Crash Course

Docker Crash Course

As a hypervisor is slow to boot, uses a lot of resources and needs a full installation,

container technology is not that new; we used to use LXC, OpenVZ, etc.

but what is cool about Docker is that it is really lightweight, with awesome image builds, and we can ship many services on one machine

it comes in two parts [DockerClient, DockerServer]

and today I will write the best quick intro I can

1 – Introduction [how it will work]

docker runs the process inside a container, and when the process is done it EXITs the container (by EXIT I mean it STOPs the container)

docker has official images [distros] saved in a registry; there is a public registry and you can also have a private one, for example hub.docker.com


audit keystrokes with pam

The pam_tty_audit PAM module is used to enable or disable TTY auditing. By default, the kernel does not audit input on any TTY.

this module is part of auditd and it takes 3 parameters

1 – disable is a pattern to disable the module for the specified users; you can use disable=* to disable it globally

2 – enable is a pattern to enable it for the specified users

3 – open_only, used to monitor forked apps

let's assume we want to monitor keystrokes from incoming ssh connections

this is helpful because some bad users could remove their history or use the screen command

we will use pam_tty_audit inside the ssh PAM file /etc/pam.d/sshd


add the module to the end of the file

to view the users' log

here is an example output

the tty report gives you the user id, for example: 0 ? 18 bash is user id 0 for root

500 ? 28 bash is user id 500 for the tester account
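As an added example (not from the original post), a check that reads a PAM service file such as /etc/pam.d/sshd and reports which enable/disable patterns the active pam_tty_audit session line carries, ignoring commented-out lines. The file contents below are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: report whether a PAM service
# file turns on pam_tty_audit and for which patterns. Commented-out lines are
# ignored, and the module may sit after a bracketed control such as
# [success=1 default=ignore], so the module field is located by name.

# Constructed stand-in for /etc/pam.d/sshd (not a real file).
sample_pam_sshd() {
  cat <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
session    required     pam_selinux.so open env_params
session    include      password-auth
#session   required     pam_tty_audit.so enable=*
session    required     pam_tty_audit.so disable=* enable=root,tester
EOF
}

# Print "enable=<patterns> disable=<patterns>" for each active pam_tty_audit
# session line ("-" when an option is not given), or "absent" if none exists.
# Reads the files given as arguments, or stdin when none.
tty_audit_status() {
  awk '
    /^[[:space:]]*#/ || $1 != "session" { next }
    {
      for (j = 3; j <= NF; j++) if ($j ~ /pam_tty_audit\.so$/) break
      if (j > NF) next
      en = "-"; dis = "-"
      for (i = j + 1; i <= NF; i++) {
        if ($i ~ /^enable=/)  en  = substr($i, 8)
        if ($i ~ /^disable=/) dis = substr($i, 9)
      }
      print "enable=" en " disable=" dis; found = 1
    }
    END { if (!found) print "absent" }' "$@"
}

# Demo on the sample; on a real box: tty_audit_status /etc/pam.d/sshd
sample_pam_sshd | tty_audit_status
```

The PAM line only sets the kernel TTY audit flag; auditd has to be running for the keystrokes to actually be recorded.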

Protect Boot & Single user mode

as physical security is a main factor in our security perspective,

we all need to protect our linux box against unauthorised access after we have protected the bios

and we all know that anyone can reset the root password by accessing single user mode

so we have 3 ways: 1st, disable single user mode entirely; 2nd, add a password; 3rd, encrypt the disk with luks

the single user mode configuration is located under /etc/sysconfig/init

the last line of the init configuration sets the shell used for single user mode

sushell: this shell allows access with full root privileges; we can change the shell to control single user mode

if we set it to /sbin/nologin, single user mode will not be activated on boot and the machine will continue booting to the default run level 😉

we can set it to sulogin to make the boot ask for the root password before it gives full root access


we can add another password layer to the grub configuration by adding password --encrypted HASH, taking the hash from the grub-crypt command

one important thing: an attacker can manipulate the services started at boot by pressing (i) in the boot sequence

an attacker can disable any running service; for example, I disabled iptables during boot 😀

we can protect against this disaster by disabling hot keys in /etc/sysconfig/init

protect the console from reboot via ctrl-alt-delete

an attacker can press ctrl-alt-delete on your machine to make it reboot

to disable it we need to change the behaviour of this handler in /etc/init/control-alt-delete.conf

by commenting out the exec line, which disables the reboot

SSH Tunnelling

the most famous method is using the -D parameter in the ssh connection to bind a local port on your machine; this port tunnels back to our remote box,
which then sends our traffic onward

example

then you can configure your application and browser to use your local ip 127.0.0.1 with port 1337 to send traffic through the remote server

this is the traditional tunnelling way

let's make a bigger scenario

let's assume that we have access to a box with 2 interfaces:
the first interface with a public ip and the second one on an internal private lan

the public ip 41.x.x.x
the private lan ip 192.168.0.10

inside the private lan there is a machine with ip 192.168.0.20 running an ssh service, and we want to connect to this machine;
it is impossible to connect to it from outside without tunnelling

let's do some tunnel magic

from our box to the remote box we will ssh:
OURBOX ==SSH==> 41.x.x.x
inside the remote box we will tunnel back to our machine

this will open port 1337 on OURBOX; this port redirects to the 192.168.0.20 machine on port 22

REMOTEBOX ==SSH+LOCAL FORWARD==>OURBOX

this ssh connection will lead you to 192.168.0.20:22

sometimes you may need to skip ssh host verification, as you are connecting to your local machine, via these ssh options: -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no

this method can also be used to bind to your internal ip and bring an ssh server back for better administration with vim; it is also possible to forward X via this tunnelling method


example scenario

our client doesn't have a public ip, and typing commands through teamviewer is a very silly thing

so we ask our client to connect back to our machine

after the client logs in to our machine we can connect to our client's ssh via
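The command lines for both scenarios above, as an added example rather than commands from the original post: instead of UserKnownHostsFile=/dev/null and StrictHostKeyChecking=no, the connect step uses HostKeyAlias, so the host key seen through the forwarded port is stored and checked under the far machine's own name on every connection. The user names, the OURBOX address and the known_hosts path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the two ssh command lines
# for each reverse-tunnel scenario while keeping host-key verification:
# HostKeyAlias files the forwarded machine's key under its own name, so
# 127.0.0.1:<port> is verified as that machine instead of being trusted
# blindly. The first connection still prompts to confirm the key once.
# User names, OURBOX and the known_hosts path are assumptions.

KNOWN_HOSTS="$HOME/.ssh/known_hosts_tunnels"   # assumed separate file

# Run on the far side (41.x.x.x, or the client in the second scenario):
# open LOCAL_PORT on OURBOX and forward it to TARGET_HOST:TARGET_PORT.
# Usage: reverse_tunnel_cmd LOCAL_PORT TARGET_HOST TARGET_PORT USER@OURBOX
reverse_tunnel_cmd() {
  printf 'ssh -N -R %s:%s:%s %s\n' "$1" "$2" "$3" "$4"
}

# Run on OURBOX: connect through the forwarded port, verifying the key of
# the machine named in ALIAS rather than skipping verification.
# Usage: connect_via_tunnel_cmd LOCAL_PORT ALIAS USER
connect_via_tunnel_cmd() {
  printf 'ssh -p %s -o HostKeyAlias=%s -o UserKnownHostsFile=%s %s@127.0.0.1\n' \
    "$1" "$2" "$KNOWN_HOSTS" "$3"
}

# Scenario 1: reach 192.168.0.20:22 behind 41.x.x.x through port 1337.
scenario_internal() {
  echo "# on 41.x.x.x:"; reverse_tunnel_cmd 1337 192.168.0.20 22 admin@ourbox
  echo "# on OURBOX:";   connect_via_tunnel_cmd 1337 192.168.0.20 admin
}

# Scenario 2: a client with no public ip calls back so we can ssh to it.
scenario_client() {
  echo "# on the client:"; reverse_tunnel_cmd 2222 localhost 22 support@ourbox
  echo "# on OURBOX:";     connect_via_tunnel_cmd 2222 client-laptop client
}

scenario_internal
scenario_client
```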


Happy Tunnelling


Secure/Lock accounts with PAM tally2

pam_tally2 is a PAM module that acts on the number of failed login attempts: it can reset the count on success and deny access if too many attempts fail.

this module is unique because it covers not just remote connections but also the ttys and any other system login method, as it works through PAM

example from tty:


some parameters

  1. deny: block access after this number of failed attempts
  2. unlock_time: how long, in seconds, access stays blocked
  3. even_deny_root: root is excluded by default; set this parameter to tell tally2 to count for root too
  4. root_unlock_time: same as unlock_time but for root only


example PAM config:


to cover tty access we have to configure our tally2 module in /etc/pam.d/system-auth


here is our final layout for system-auth

to cover remote connections that use a password, for example sshd,

we configure our /etc/pam.d/password-auth with tally


notice that we have done 2 things: one in the auth interface, which verifies the account, and a 2nd in the account interface, which reflects the permissions of the account


here is some output from /var/log/secure


as you see tally2 kills the connection 🙂
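A small detection script over /var/log/secure lines, as an added example that is not part of the original post: it pulls the pam_tally2 "tally N, deny M" messages, reports accounts whose tally has exceeded the limit, and prints the matching pam_tally2 reset command for review. The log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find accounts that pam_tally2 has
# locked by parsing its "user NAME (UID) tally N, deny M" messages in
# /var/log/secure, then print the matching reset command for each of them.

# Constructed sample of /var/log/secure lines (not real events).
sample_secure() {
  cat <<'EOF'
Aug 17 03:20:01 host sshd[2451]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=tester
Aug 17 03:20:01 host sshd[2451]: pam_tally2(sshd:auth): user tester (500) tally 4, deny 3
Aug 17 03:20:03 host sshd[2451]: Failed password for tester from 10.0.0.5 port 40122 ssh2
Aug 17 03:21:10 host sshd[2460]: pam_tally2(sshd:auth): user tester (500) tally 5, deny 3
Aug 17 03:22:00 host login: pam_tally2(login:auth): user bob (501) tally 2, deny 3
EOF
}

# Print "user max_tally" for every account whose tally exceeds its deny limit
# (pam_tally2 denies once tally > deny, so "tally 4, deny 3" is a lockout).
# Reads the files given as arguments, or stdin when none.
locked_users() {
  awk '
    /pam_tally2\(/ && match($0, /user [^ ]+ \([0-9]+\) tally [0-9]+, deny [0-9]+/) {
      split(substr($0, RSTART, RLENGTH), t, " ")
      name = t[2]; tally = t[5] + 0; deny = t[7] + 0      # t[5] is "4," -> 4
      if (tally > max[name]) { max[name] = tally; lim[name] = deny }
    }
    END { for (u in max) if (max[u] > lim[u]) print u, max[u] }' "$@" | sort
}

# The manual unlock from the post, as a command line to review before running.
reset_cmd() {
  printf 'pam_tally2 --user=%s --reset\n' "$1"
}

# Demo on the constructed sample; on a live box: locked_users /var/log/secure
sample_secure | locked_users | while read -r user tally; do
  echo "# $user is locked out (tally $tally)"
  reset_cmd "$user"
done
```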

for manual interaction with the tally2 counter

there is a command called pam_tally2

to reset the failure counter


password policy with pam_cracklib

the cracklib PAM module checks the password against a dictionary list and gives you the ability to check the strength of the password and set rules to identify poor passwords


here are the most important parameters for this module

  1. minlen: minimal password length
  2. dcredit: maximum number of digits
  3. ucredit: maximum number of upper case letters
  4. lcredit: maximum number of lower case letters
  5. ocredit: maximum number of other characters, not similar to the old one
  6. maxrepeat: limit on repeated letters
  7. reject_username: check whether the username is inside the password, to avoid weak accounts like bob/bob or bob/bob123
  8. enforce_for_root: this is the most important one. Why? Because without it the check is only a warning and whatever password gets applied; with this parameter root is forced to follow our policy as well 😉
  9. dictpath: set the cracklib dictionary to a specific password database; I recommend the rockyou database because it contains many leaked passwords and is used by many attackers to bruteforce systems, example dictpath=/var/wordlist/rockyou.txt


time to deploy our password policy

we want to apply this to new passwords; we can also force the users to update their passwords the next time they log in via this command

this command has a high impact: it will find all users with a bash shell and force them to update their password, even root; you can exclude root by piping the output of grep through grep -v root

example result
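An added helper, not the post's own command, for the "force every bash-shell user to change their password" step: it selects accounts by the shell field of a passwd-format file, excludes names given exactly (so grep -v root cannot also drop a user whose name merely contains "root"), and prints the chage -d 0 commands without running them. The passwd content is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Lists accounts with a bash login
# shell from a passwd-format file and emits the chage command that would force
# a password change at next login. Matching is done on the shell field and on
# the exact user name, so "grep -v root" cannot accidentally drop a user such
# as "rooter", and "bash" appearing in the comment field does not count.

# Constructed sample in /etc/passwd format (not a real system file).
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
bashful:x:1001:1001:Dwarf:/home/bashful:/sbin/nologin
tester:x:500:500:Test account:/home/tester:/bin/bash
rooter:x:1002:1002:Bash fan:/home/rooter:/usr/bin/bash
svc:x:1003:1003:service:/var/lib/svc:/bin/false
EOF
}

# Print users whose login shell is bash, skipping any names given as arguments.
# Usage: bash_users [EXCLUDE...] < passwd-file
bash_users() {
  awk -F: -v skip="$*" '
    BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) ex[s[i]] = 1 }
    $7 ~ /\/bash$/ && !($1 in ex) { print $1 }'
}

# Emit (do not run) one chage command per user; -d 0 sets the last password
# change to the epoch, so the next login forces a new password.
expire_cmds() {
  while IFS= read -r u; do
    printf 'chage -d 0 %s\n' "$u"
  done
}

# Dry run on the sample; on a live box: bash_users root < /etc/passwd | expire_cmds
sample_passwd | bash_users root | expire_cmds
```

Review the printed commands, then pipe them to sh to apply them.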

we will use the passwd module inside /etc/pam.d/passwd

to add our new policy


here is the output of different failed password changes

BAD PASSWORD: is too similar to the old one
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: it is based on a (reversed) dictionary word
BAD PASSWORD: it is too short