Category Archives: tech

GDB init

Native GDB settings that help without third-party apps

Run MySQL Cluster Multi Masters For High Availability

Hello folks, it has been a while since I wrote new articles, so it is time to give back to the community. I will describe how to implement a MySQL cluster for high availability and a distributed workload.

The MySQL Cluster architecture comes with new processes: ndbd and ndb_mgmd

ndbd handles all data and tables using the NDB Cluster engine

ndbmtd is the multi-threaded data handler for the NDB Cluster engine

ndb_mgmd is the cluster management server daemon, responsible for distributing the configuration and logs around the cluster

in this setup, we will use 4 servers to distribute the MySQL cluster processes

Group Beta

  • 172.31.24.183  ndbd
  • 172.31.23.137 ndbd

Group Alpha

  • 172.31.16.43 mysqld & ndb_mgmd
  • 172.31.16.34 mysqld & ndb_mgmd

our applications will talk to a load balancer that distributes the workload to the Alpha group

to begin the setup we have to download the MySQL Cluster Manager package from the Oracle website https://edelivery.oracle.com/osdc/faces/Home.jspx (feel free to create your account)

pick your platform and download the package; I use the Cluster + Generic Linux x86 (64-bit) version

download and extract the package on all nodes

inside the mcm1.4.3 folder is a bin folder with 2 files, mcm and mcmd: the client and the daemon for the cluster manager

we need to run mcmd on all nodes so they can communicate with each other

let's set up our cluster; first we need to create a site (all nodes need to be grouped in a site)

now let's run the client and add the site in the MySQL Cluster Manager interface

mcm client

 

second, we need to load the cluster package into the site we created

 

now let's define the roles for the nodes: who plays what

172.31.23.137 & 172.31.24.183 play the data role

172.31.16.43 & 172.31.16.34  mysqld & cluster management

now start the cluster and check the service status

confirm that the roles for each host match your design

now we want to communicate with our lovely cluster

as we built 2 servers with mysqld, they are up and running under node ids 51 and 52

by default, MySQL Cluster will not sync the mysql.user table, as it runs in MyISAM; for that we need to enable a MySQL routine that syncs the users over the cluster

to do that, first log in to the mysqld nodes as root and import the distribute MySQL privileges routine .sql

now create your remote account and it will be synced over the cluster

Now feel free to scale up alpha or beta to any number you want; you can also create nodes that mix the alpha and beta roles.

and keep your eyes on the nodes

to add a new node to our cluster we load the mcm package on the node and start the daemon

mcm> add package -b /home/ec2-user/mcm/cluster -h 172.31.20.215 7_6_8;

 

as is clear, our new node 172.31.20.215 is in the site but has not joined the cluster yet because it has no role; after giving it one, we need to start the role inside the cluster so the nodes can collaborate and sync

now we add the extra node and load more database data storage on 172.31.20.215

checking our cluster status

to run the added processes on the target cluster we use start process -a mycluster

now everything should be steady for our cluster

now let's change all ndbd to the multi-threaded version

all our data engines are now running the multi-threaded version
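The post's mcm client commands were screenshots; here is the whole sequence as a shell script. This is an added example, not the post's own code or anything shipped with MySQL Cluster Manager. It assumes the mcm client accepts one statement through -e, the site and cluster names mysite and mycluster, data node ids 1 and 2, and the install path in MCM_BIN; the package name 7_6_8, the basedir and the host addresses are the ones used above. With DRY_RUN=1 (the default) it only prints each statement, so you can review the plan before running it for real.

```shell
#!/usr/bin/env bash
# Added example, not the post's own code: drives the MySQL Cluster Manager
# client through the site / package / cluster / add-node / ndbmtd steps the
# post walks through. Assumed: the mcm client takes one statement via -e,
# the names mysite and mycluster, and data node ids 1 and 2.
# DRY_RUN=1 (default) prints each statement instead of running it.
set -eu

MCM_BIN="${MCM_BIN:-/home/ec2-user/mcm1.4.3/bin/mcm}"   # assumed install path
DRY_RUN="${DRY_RUN:-1}"

SITE=mysite
CLUSTER=mycluster
PKG=7_6_8                                # package name from the post
BASEDIR=/home/ec2-user/mcm/cluster       # basedir from the post
MGM_HOSTS=172.31.16.43,172.31.16.34      # group Alpha: mysqld + ndb_mgmd
DATA_HOSTS=172.31.24.183,172.31.23.137   # group Beta: ndbd

# Run one mcm statement, or print it in dry-run mode.
mcm_cmd() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else "$MCM_BIN" -e "$1"; fi
}

# Site -> package -> cluster with roles -> start -> status.
bootstrap_cluster() {
  mcm_cmd "create site --hosts=${MGM_HOSTS},${DATA_HOSTS} ${SITE};"
  mcm_cmd "add package --basedir=${BASEDIR} ${PKG};"
  mcm_cmd "create cluster --package=${PKG} --processhosts=ndb_mgmd@172.31.16.43,ndb_mgmd@172.31.16.34,ndbd@172.31.24.183,ndbd@172.31.23.137,mysqld@172.31.16.43,mysqld@172.31.16.34 ${CLUSTER};"
  mcm_cmd "start cluster ${CLUSTER};"
  mcm_cmd "show status -r ${CLUSTER};"
}

# Grow group Beta: register the host in the site, load the package on it,
# give it the ndbd role, then start only the added processes (-a).
add_data_node() {
  mcm_cmd "add hosts --hosts=$1 ${SITE};"
  mcm_cmd "add package --basedir=${BASEDIR} --hosts=$1 ${PKG};"
  mcm_cmd "add process -R ndbd@$1 ${CLUSTER};"
  mcm_cmd "start process -a ${CLUSTER};"
}

# Swap the single-threaded data nodes for ndbmtd (node ids from show status).
switch_to_ndbmtd() {
  mcm_cmd "change process ndbd:1=ndbmtd,ndbd:2=ndbmtd ${CLUSTER};"
}

# Count data nodes that 'show status -r' reports as running. The table below
# is a constructed sample in that command's row layout, not captured output.
count_running_data_nodes() {
  awk -F'|' '{ gsub(/ /, "", $3); gsub(/ /, "", $5) }
             $3 ~ /^ndb(mt)?d$/ && $5 == "running" { n++ } END { print n+0 }'
}

SAMPLE_STATUS='+--------+----------+---------------+---------+-----------+
| NodeId | Process  | Host          | Status  | Nodegroup |
+--------+----------+---------------+---------+-----------+
| 1      | ndbd     | 172.31.24.183 | running | 0         |
| 2      | ndbd     | 172.31.23.137 | running | 0         |
| 3      | ndbd     | 172.31.20.215 | added   | n/a       |
| 49     | ndb_mgmd | 172.31.16.43  | running |           |
| 51     | mysqld   | 172.31.16.43  | running |           |
+--------+----------+---------------+---------+-----------+'

if [ "${1:-}" = demo ]; then
  bootstrap_cluster
  add_data_node 172.31.20.215
  switch_to_ndbmtd
  printf '%s\n' "$SAMPLE_STATUS" | count_running_data_nodes
fi
```

Run it as `DRY_RUN=1 ./mcm-setup.sh demo` to see the statements, then with DRY_RUN=0 once mcmd is running on every host. For the user sync step, the script the post refers to is, as far as I know from the MySQL Cluster documentation, share/mysql/ndb_dist_priv.sql inside the cluster package; after importing it on a mysqld node you call `CALL mysql.mysql_cluster_move_privileges();` once, and new accounts are then stored in NDB rather than MyISAM.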

 

Happy Hits 😀

Linux Performance Co-Pilot with WebUI

Performance Co-Pilot allows sysadmins to collect and measure data from various systems; it comes in RPM packages for Red Hat 6 to 7

website http://pcp.io/

installing Performance Co-Pilot

pcp packages come with different services: pmcd, pmlogger

pmcd: performance metrics collector daemon

pcp packages come with many commands to gather information about the machine, like pmatop, pmstat, pminfo, pmval

pmatop is one of my favourite tools as it gives you the big picture

it shows information about disk, memory, cpu, network, processes, swap, lvm

 


pmstat shows loadavg, memory, swap, io, system, cpu; it comes with -s (sample count: how many times it should collect this data) and -t for the time interval

the pminfo command lists all available metrics

let's use the metric called network.interface.in.bytes to see how many bytes we receive on our interface

let’s start pmlogger

the pmlogger service will save the log archives into /var/log/pcp/pmlogger/[hostname]/date-day

we can use pmval with the parameter -a to tell it to use this archive, and then set the metric

we can assign a specific start and end time for pmval

-S start time, -T end time

with an ISO-formatted date, for example -S '@ Wed Feb 25 05:01:00 2016' -T '@ Wed Feb 25 06:01:00 2016'

this will query 2 hours from 5am Feb 25 2016 to 7am Feb 25 2016 with the metrics you like
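As an added example (not from the post, and not part of PCP itself), the following script builds the pmval archive replay described above and then summarises the per-sample rates pmval prints, which is what you usually want when checking a window of interface traffic. The archive directory layout is the one given above; the hostname web01, the archive name 20160225 and the pmval output block are constructed samples, not captured data.

```shell
#!/usr/bin/env bash
# Added example, not from the post: compose the pmval archive query the post
# describes and summarise the rate samples it returns. The pmval output
# below is a constructed sample in pmval's row format, not real data.
set -eu

PCP_LOG_DIR=/var/log/pcp/pmlogger

# Path of an archive for a host (pmlogger names archives by date).
archive_for() {
  # $1 = hostname, $2 = archive name, e.g. 20160225
  printf '%s/%s/%s\n' "$PCP_LOG_DIR" "$1" "$2"
}

# Compose a pmval replay of one metric between -S and -T (printed, not run).
pmval_window() {
  # $1 archive, $2 metric, $3 start, $4 end, $5 sample interval in seconds
  printf "pmval -a %s -S '@ %s' -T '@ %s' -t %ssec %s\n" "$1" "$3" "$4" "$5" "$2"
}

# Average the first instance column (eth0 here) over pmval's data rows.
# Data rows start with a timestamp such as 05:01:00.000; header lines do not.
avg_first_instance() {
  awk '$1 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ { sum += $2; n++ }
       END { if (n) printf "%.1f\n", sum / n; else print "0.0" }'
}

# Peak of the same column, for spotting a burst inside the window.
max_first_instance() {
  awk '$1 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ && $2 > m { m = $2 }
       END { printf "%.1f\n", m + 0 }'
}

# Constructed sample of pmval -a output for a rate-converted counter.
SAMPLE_PMVAL='metric:    network.interface.in.bytes
host:      web01
semantics: cumulative counter (converting to rate)
units:     byte (converting to byte / sec)
samples:   3
interval:  60.00 sec
                     eth0                   lo
05:01:00.000      10240.0                 512.0
05:02:00.000      20480.0                 512.0
05:03:00.000      30720.0                 512.0'

if [ "${1:-}" = demo ]; then
  a=$(archive_for web01 20160225)
  pmval_window "$a" network.interface.in.bytes \
    "Wed Feb 25 05:01:00 2016" "Wed Feb 25 06:01:00 2016" 60
  printf '%s\n' "$SAMPLE_PMVAL" | avg_first_instance
  printf '%s\n' "$SAMPLE_PMVAL" | max_first_instance
fi
```

On a real host you would pipe the actual command into the summariser, for example `eval "$(pmval_window "$a" network.interface.in.bytes "$start" "$end" 60)" | avg_first_instance`; because the metric is a cumulative counter, pmval already converts it to bytes per second, so the average is a rate, not a byte total.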

now the fun part: pcp offers a real-time web monitor in different flavours and styles; one of my favourites is called vector.

first we need to install and run the pcp web service

check which port this service use

access localhost:44323/vector

it shows nice metrics of disk IOPS, Throughputs, Network Packets and more


happy debugging folks

Facebook Mass Invite to Like script

today I wrote a script to help in sending invitations to like your page

this happens when you promote a post for your audience and they interact with your post but they forget to like your page

so this script will help you mass-invite them at once


1 - click on the likes for the post

2 - open your browser console

paste this code

 

hit enter

and result should be like this


as you can see I sent around 200 invitations at once 😀

enjoy

Docker Persistent Storage for MySQL Server and SELinux

hello everyone, today we will make a

MySQL Docker Container with Shared Storage

first let's pull the latest MySQL version of the docker image

after we have downloaded the latest image

this image comes in handy with some awesome parameters

  1. MYSQL_ROOT_PASSWORD
  2. MYSQL_DATABASE

with these parameters, we can create a database and set the root password for mysql

now let's create a folder on our host so we can use it instead of /var/lib/mysql (let's keep the mysql data on the host, not inside a container)

remember it should be in numeric format

then we change the folder context so that SELinux treats it as a virtualized sandbox

here we create a database called unixawy with root password un1x4wyp4ssw0rd

inspect your docker container and connect to its IP

now each container you run with this command will share the same database data

check the database content in your node storage via ls /var/mysql_data_store
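The commands above were screenshots, so here is the same procedure as an added shell script (my example, not the post's own commands or anything from the MySQL image). The host path /var/mysql_data_store, the database name unixawy and the root password are taken from the post; the container name mysql1, the uid 999 (the mysql user's numeric id in the official image, which is why the post says to use numeric ownership) and the default DRY_RUN=1 that only prints the commands are my assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the post's own commands: prepare a host directory for
# the MySQL image's data volume, relabel it for SELinux, and start the
# container with the two environment parameters the post names.
# Assumed: container name mysql1, uid 999 for mysql inside the image,
# DRY_RUN=1 (default) printing commands instead of running them.
set -eu

DATA_DIR=/var/mysql_data_store                      # host path from the post
DB_NAME=unixawy                                      # database name from the post
ROOT_PW="${MYSQL_ROOT_PASSWORD:-un1x4wyp4ssw0rd}"    # root password from the post
IMAGE=mysql:latest
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. Host directory owned by the numeric uid mysqld runs as in the container
#    (999 in the official image; check with: docker run --rm mysql id mysql).
#    The uid has to be numeric because the host has no matching user name.
prepare_data_dir() {
  run mkdir -p "$DATA_DIR"
  run chown 999:999 "$DATA_DIR"
  # 2. SELinux: label the tree so a container (svirt_sandbox_file_t) may use it.
  run chcon -Rt svirt_sandbox_file_t "$DATA_DIR"
}

# 3. Container with the host directory mounted over /var/lib/mysql.
start_mysql() {
  run docker run -d --name "${1:-mysql1}" \
    -e MYSQL_ROOT_PASSWORD="$ROOT_PW" \
    -e MYSQL_DATABASE="$DB_NAME" \
    -v "$DATA_DIR":/var/lib/mysql \
    "$IMAGE"
}

# 4. Find the container's IP so a client can connect to it.
container_ip() {
  run docker inspect -f '{{.NetworkSettings.IPAddress}}' "${1:-mysql1}"
}

# Host-side check: once the container has initialised, the database from
# MYSQL_DATABASE shows up as a subdirectory of the persistent data dir.
data_dir_has_db() {
  # $1 = data directory to inspect (defaults to DATA_DIR)
  [ -d "${1:-$DATA_DIR}/$DB_NAME" ]
}

if [ "${1:-}" = demo ]; then
  prepare_data_dir
  start_mysql mysql1
  container_ip mysql1
fi
```

A second container started with the same -v mapping reuses the same files, which is the sharing the post describes; just do not run two mysqld processes against that directory at the same time, since InnoDB expects exclusive access. Instead of a manual chcon you can also append `:Z` to the volume argument (`-v /var/mysql_data_store:/var/lib/mysql:Z`) and Docker relabels the directory for you.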

cheers

IPtables PREROUTING, POSTROUTING for mixed interfaces via DNAT & SNAT

hello world,

let’s hit the point directly

1 - we have traffic coming from a source IP to our box and we need to route it to another destination (traffic forwarding)

2 - we have traffic coming from a source IP to our box and we need to route it to another destination (traffic forwarding) through a specified interface

Protect Boot & Single user mode

as physical security is the main factor in our security perspective

we all need to protect our Linux box from unauthorised access after we protect the BIOS

and we all know that anyone can reset the root password by accessing single user mode

so we have 3 ways: 1st, disable single user mode entirely; 2nd, add a password; 3rd, encrypt the disk with LUKS

the single user mode configuration is located under /etc/sysconfig/init

the last line of the init configuration sets the shell used for single user mode

sushell: this shell allows access with full root privilege; we can change the shell type to control single user mode

if we set it to /sbin/nologin, no single user mode will be activated on boot and the machine will continue booting to the default run level 😉

we can set it to sulogin to make the boot ask for the root password before it continues to give full root access

 

we can add another password layer for the grub configuration by adding password --encrypted HASH, using the hash produced by the grub-crypt command

one important thing: an attacker can manipulate the boot start services by pressing (i) in the boot sequence

an attacker can disable any running service; for example I disabled iptables at boot 😀


we can protect from this disaster by disabling the hotkeys in /etc/sysconfig/init

protect the console from reboot via ctrl-alt-delete

an attacker can press ctrl-alt-delete on your machine to make it reboot

to disable it we need to change the behaviour of this intercept in /etc/init/control-alt-delete.conf

by commenting out the exec line to disable the reboot
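Putting the three console protections together, here is an added script (mine, not the post's) for a RHEL/CentOS 6 style system: it sets SINGLE=/sbin/sulogin and PROMPT=no in /etc/sysconfig/init (sulogin for the single user password, PROMPT=no for the interactive startup hotkey), comments out the exec line of /etc/init/control-alt-delete.conf, and audits all three so you can run the check from a cron job or a config-management test. The file paths default to the system ones and can be overridden, which is how the script is tested on copies.

```shell
#!/usr/bin/env bash
# Added example, not from the post: apply and audit the console hardening
# settings the post describes (sulogin for single user mode, no interactive
# startup, no reboot on ctrl-alt-delete) on RHEL/CentOS 6 style files.
set -eu

SYSCONFIG_INIT="${SYSCONFIG_INIT:-/etc/sysconfig/init}"
CAD_CONF="${CAD_CONF:-/etc/init/control-alt-delete.conf}"

# SINGLE=/sbin/sulogin asks for the root password before a single user shell;
# PROMPT=no disables interactive startup so services cannot be skipped with "i".
harden_sysconfig_init() {
  local f="${1:-$SYSCONFIG_INIT}"
  sed -i -e 's|^SINGLE=.*|SINGLE=/sbin/sulogin|' -e 's|^PROMPT=.*|PROMPT=no|' "$f"
  grep -q '^SINGLE=' "$f" || echo 'SINGLE=/sbin/sulogin' >> "$f"
  grep -q '^PROMPT=' "$f"  || echo 'PROMPT=no' >> "$f"
}

# Comment out the exec line so ctrl-alt-delete is caught but does nothing.
harden_ctrl_alt_delete() {
  local f="${1:-$CAD_CONF}"
  sed -i 's|^\([[:space:]]*exec .*\)$|#\1|' "$f"
}

# Print OK/FAIL per setting; the return value is the number of failures,
# so the function can be used directly as a check in a script or test.
audit_boot_protection() {
  local init="${1:-$SYSCONFIG_INIT}" cad="${2:-$CAD_CONF}" fails=0
  if grep -qx 'SINGLE=/sbin/sulogin' "$init" || grep -qx 'SINGLE=/sbin/nologin' "$init"; then
    echo "OK   single user mode guarded ($init)"
  else
    echo "FAIL single user mode drops to a root shell ($init)"; fails=$((fails + 1))
  fi
  if grep -qx 'PROMPT=no' "$init"; then
    echo "OK   interactive startup disabled"
  else
    echo "FAIL interactive startup (i key) enabled"; fails=$((fails + 1))
  fi
  if grep -q '^[[:space:]]*exec ' "$cad"; then
    echo "FAIL ctrl-alt-delete still reboots ($cad)"; fails=$((fails + 1))
  else
    echo "OK   ctrl-alt-delete neutralised"
  fi
  return $fails
}

if [ "${1:-}" = apply ]; then
  harden_sysconfig_init
  harden_ctrl_alt_delete
fi
audit_boot_protection || true
```

The grub password layer is separate: the hash from grub-crypt goes into a `password --encrypted <hash>` line in the grub configuration, which this script deliberately does not touch because the hash is per machine. Note that /etc/init/control-alt-delete.conf is the upstart job of RHEL 6; on systemd systems the equivalent is masking ctrl-alt-del.target.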

SSH Tunnelling

the most famous method is using the -D parameter of ssh to bind a local port on your machine; this port tunnels back to the remote box,
which then sends our traffic onward

example

then you can configure your application and browser to use your local IP 127.0.0.1 with port 1337 to send traffic through the remote server

this is the traditional tunnelling way

let’s make a bigger scenario

let's assume that we have access to a box with 2 interfaces:
the first interface with a public IP and the second one on the internal private LAN

the public IP 41.x.x.x
the private LAN IP 192.168.0.10

inside the private LAN there is a machine with IP 192.168.0.20 running an ssh service, and we want to connect to this machine;
it is impossible to connect to it from outside without tunnelling

let’s do some tunnel magic

from our box we will ssh to the remote box
OUR BOX ==SSH==> 41.x.x.x
inside the remote box, we will tunnel back to our machine

this will open port 1337 on OUR BOX; this port redirects to the 192.168.0.20 machine on port 22

REMOTE BOX ==SSH+LOCAL FORWARD==>OURBOX

this ssh connection will lead you to 192.168.0.20:22

sometimes you may need to skip ssh host verification as you connect to your local machine, via these ssh options: -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no

also, this method can be used to bind your internal IP and bring an ssh session back for more comfortable administration with vim; it is also possible to forward X through this tunnelling method

 

example scenario

our client doesn't have a public IP, and typing commands over TeamViewer is unusable

so we ask our client to connect back to our machine

after the client logs in to our machine we can connect to our client's ssh via
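The three ssh invocations from this post, as an added example in shell (my code, not the post's own command lines): the -D SOCKS proxy, the -R remote forward that publishes the LAN host 192.168.0.20:22 back on our box as port 1337, and the hop through that forwarded port. The same -R function covers the client call-back scenario with localhost as the target. User names (admin, client, ops) are assumptions; the addresses and ports are the post's. Because the forwarded endpoint is always 127.0.0.1, the host-key relaxation is written into a per-alias ssh_config block rather than applied to every connection, which is the check I would want on a real admin workstation. With DRY_RUN=1 (the default) the functions print the command lines instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not the post's own commands: the SOCKS proxy, the reverse
# forward and the hop through it, as functions. DRY_RUN=1 (default) prints
# the ssh command line instead of executing it. User names are assumptions.
set -eu
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. SOCKS proxy: 127.0.0.1:<port> on our box tunnels through the remote box.
socks_via() {
  # $1 = user@remote, $2 = local port (1337 as in the post)
  run ssh -N -D "127.0.0.1:${2:-1337}" "$1"
}

# 2. Run on the dual-homed remote box: publish a LAN host's port back on
#    OUR BOX (remote forward, -R). With "localhost 22" as the target this is
#    also the call-back a client without a public IP would run towards us.
publish_back() {
  # $1 = user@ourbox, $2 = port to open on our box, $3 = target host, $4 = target port
  run ssh -N -R "${2}:${3}:${4}" "$1"
}

# 3. On OUR BOX: reach the target through the forwarded loopback port.
through_forward() {
  # $1 = user on the target host, $2 = forwarded local port
  run ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
      -p "$2" "$1@127.0.0.1"
}

# Safer variant of step 3: scope the relaxed host-key checking to one alias
# in ~/.ssh/config instead of typing the -o options on every connection.
tunnel_host_config() {
  # $1 = alias, $2 = user on the target host, $3 = forwarded local port
  printf 'Host %s\n    HostName 127.0.0.1\n    Port %s\n    User %s\n' "$1" "$3" "$2"
  printf '    UserKnownHostsFile /dev/null\n    StrictHostKeyChecking no\n'
}

if [ "${1:-}" = demo ]; then
  socks_via admin@41.x.x.x 1337
  publish_back admin@ourbox 1337 192.168.0.20 22     # from the remote box
  through_forward admin 1337                         # from our box
  publish_back ops@ourbox 2222 localhost 22          # client calling back to us
  through_forward client 2222
  tunnel_host_config lan-db admin 1337
fi
```

After appending the `tunnel_host_config` output to ~/.ssh/config, `ssh lan-db` replaces the long -o form, and every other host keeps strict host-key checking. The -N flag keeps the forwarding sessions from opening a shell, which is what you want when they run in the background.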

 

Happy Tunnelling

 

Secure/Lock accounts with PAM tally2

pam_tally2 is a PAM module that acts on the number of failed login attempts: it can reset the count on success and deny access if too many attempts fail.

this module is unique because it not only covers remote connections but also the ttys and any other system login method, as it works through PAM

example from tty:

 

some parameters

  1. deny blocks access after this number of failed attempts
  2. unlock_time sets how long the block lasts, in seconds
  3. even_deny_root root is excluded by default; set this parameter to tell tally2 to count for root too
  4. root_unlock_time same as unlock_time, but for root only

 

example PAM config:

 

to cover tty access we have to configure our tally2 module in /etc/pam.d/system-auth

 

here is our final layout for system-auth

to cover remote connections that use a password, for example sshd,

we configure our /etc/pam.d/password-auth with tally2

 

notice that we have done 2 things: one in the auth interface, which verifies the account, and a 2nd one in the account interface, which applies the lock to the account

 

here is some output of /var/log/secure

 

as you see tally2 kills the connection 🙂

for manual interaction with the tally2 counter

there is a command called pam_tally2

to remove a user's failure counter
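Since the PAM snippets were images, here is the configuration as an added example (mine, not the post's file). It prints the two pam_tally2 lines for the auth and account interfaces, audits a stack file for both of them, and wraps the pam_tally2 command. The audit also checks the ordering mistake that silently disables the module: the auth line has to sit above pam_unix.so, otherwise a failed password returns through pam_unix before tally2 ever counts it. The thresholds deny=3, unlock_time=600 and root_unlock_time=900 are assumptions; the stack files built in the test are constructed samples.

```shell
#!/usr/bin/env bash
# Added example, not the post's own configuration: pam_tally2 lines for
# the auth and account interfaces, an audit of a PAM stack file, and
# wrappers for the pam_tally2 command. Thresholds are assumptions.
set -eu

TALLY_ARGS="deny=3 unlock_time=600 even_deny_root root_unlock_time=900"

# The two lines to place in /etc/pam.d/system-auth (tty logins) and
# /etc/pam.d/password-auth (sshd and other password logins). The auth line
# goes before pam_unix.so so every failure is counted; the account line
# enforces the lock on the next login attempt.
tally2_fragment() {
  printf 'auth        required      pam_tally2.so %s\n' "$TALLY_ARGS"
  printf 'account     required      pam_tally2.so\n'
}

# Return 0 only when a stack file carries both lines and the auth line
# precedes pam_unix.so; print the reason otherwise.
audit_tally2_stack() {
  local f="$1" t u
  grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_tally2\.so' "$f" \
    || { echo "missing auth line in $f"; return 1; }
  grep -Eq '^account[[:space:]]+required[[:space:]]+pam_tally2\.so' "$f" \
    || { echo "missing account line in $f"; return 1; }
  t=$(grep -nE '^auth[[:space:]]+required[[:space:]]+pam_tally2\.so' "$f" | head -n1 | cut -d: -f1)
  u=$(grep -nE '^auth[[:space:]].*pam_unix\.so' "$f" | head -n1 | cut -d: -f1)
  if [ -n "$u" ] && [ "$t" -gt "$u" ]; then
    echo "tally2 auth line sits after pam_unix.so in $f (failures not counted)"
    return 1
  fi
  echo "ok: $f"
}

# Show or clear a user's failure counter with the pam_tally2 command.
tally2_show()  { pam_tally2 --user "$1"; }
tally2_reset() { pam_tally2 --user "$1" --reset; }

if [ "${1:-}" = audit ]; then
  audit_tally2_stack /etc/pam.d/system-auth
  audit_tally2_stack /etc/pam.d/password-auth
fi
```

Run `./tally2.sh audit` after editing both stacks; `tally2_show bob` prints the current count and `tally2_reset bob` clears it, which is the manual interaction mentioned above. The lock shows up in /var/log/secure as pam_tally2 denying the account, which is the line to alert on.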

 

 

password policy with pam_cracklib

the cracklib PAM module checks the password against a dictionary list, gives you the ability to check the strength of the password, and lets you set rules to identify poor passwords

 

here are the most important parameters for this module

  1. minlen minimal password length
  2. dcredit maximum number of digits
  3. ucredit maximum uppercase letters
  4. lcredit maximum lowercase letters
  5. ocredit maximum other characters, not similar to the old one
  6. maxrepeat limit on repeated characters
  7. reject_username checks whether the username is inside the password, to avoid weak accounts like bob/bob or bob/bob123
  8. enforce_for_root this is the most important one; why? because if you don't apply it, root will only see the warning and whatever password it chooses will be accepted; with the parameter, root is forced to follow our policy too 😉
  9. dictpath sets the cracklib dictionary to a specific password database; I recommend the rockyou database because it contains many leaked passwords and is used by many attackers to brute-force systems, for example dictpath=/var/wordlist/rockyou.txt

 

time to deploy our password policy

we want to apply this to new passwords; we can also force the users to update their passwords the next time they log in via this command

this command has a high impact: it will find all users with a bash shell and force them to update their password, even root; you can exclude root by piping the output from grep through grep -v root

example result

we will use the passwd module inside /etc/pam.d/passwd

to add our new policy

 

here is the output of different failed password change

BAD PASSWORD: is too similar to the old one
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: it is based on a (reversed) dictionary word
BAD PASSWORD: it is too short
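Here is the policy deployment as an added example (my script, not the post's commands): the pam_cracklib line for /etc/pam.d/passwd, the step that compiles the wordlist into the indexed form dictpath= actually expects, and the expiry loop for bash users with root optionally excluded, as suggested above. Two caveats worth knowing: dictpath takes the prefix of the compiled .pwd/.pwi/.hwm files (built with create-cracklib-dict, which ships with cracklib on RHEL/CentOS) rather than the .txt wordlist itself, and negative credit values turn the credits into minimum counts, so dcredit=-1 means "at least one digit". The thresholds, the /var/wordlist paths and the passwd sample are assumptions or constructed data.

```shell
#!/usr/bin/env bash
# Added example, not the post's own commands: pam_cracklib policy line,
# compiled-dictionary build, and the chage loop that expires passwords for
# bash users. Thresholds and /var/wordlist paths are assumptions.
set -eu

WORDLIST_TXT=/var/wordlist/rockyou.txt   # plain wordlist (assumed path)
DICT_BASE=/var/wordlist/rockyou          # cracklib dict prefix, no extension

# Policy line for /etc/pam.d/passwd. Negative credits are minimum counts:
# at least one digit, one upper, one lower and one other character.
cracklib_policy_line() {
  printf 'password    required      pam_cracklib.so retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 maxrepeat=3 reject_username enforce_for_root dictpath=%s\n' "$DICT_BASE"
}

# Compile the wordlist into cracklib's indexed format; produces
# rockyou.pwd / rockyou.pwi / rockyou.hwm next to the .txt.
build_dict() {
  create-cracklib-dict -o "$DICT_BASE" "$WORDLIST_TXT"
}

# List login names whose shell is bash, read from a passwd-format file.
# $1 = passwd file, $2 = "keep-root" to include root (default: exclude it,
# which is the grep -v root variant the post mentions).
bash_users() {
  awk -F: -v keep="${2:-}" \
    '$7 ~ /\/bash$/ && (keep == "keep-root" || $1 != "root") { print $1 }' "$1"
}

# Expire each listed user's password so the next login demands a change
# that has to pass the cracklib policy.
expire_bash_user_passwords() {
  # $1 = passwd file, $2 = optional "keep-root"
  bash_users "$1" "${2:-}" | while read -r u; do
    chage -d 0 "$u"
  done
}

# Constructed passwd sample for trying bash_users offline.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
bob:x:1000:1000::/home/bob:/bin/bash
alice:x:1001:1001::/home/alice:/bin/zsh
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash'

if [ "${1:-}" = demo ]; then
  cracklib_policy_line
  f=$(mktemp); printf '%s\n' "$SAMPLE_PASSWD" > "$f"
  bash_users "$f"
  rm -f "$f"
fi
```

Append the `cracklib_policy_line` output above the pam_unix.so password line in /etc/pam.d/passwd (on RHEL systems the same line usually lives in system-auth and password-auth, which passwd includes), run `build_dict` once, and then `expire_bash_user_passwords /etc/passwd` to force the change at next login; pass keep-root as the second argument only if you really want root expired as well.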