Thursday, February 16, 2017

Simple Mirroring and Striping with FreeBSD 10/11 with GMIRROR

This is just the installation note I prepared while installing FreeBSD 10. Initially the mirroring and installation were all confusing, but once I got the knack of it I just loved it and could do it any number of times. So the steps are below.

Boot the FreeBSD CD.
Choose the Shell option, which drops you to a shell where we are going to create the GPT partitions by hand; this gives us much better control over the layout.
Create the partitions for the mirrors; we are going to use GPT partitions.

Now create the GPT partition scheme on the first disk:
# gpart create -s gpt ada0

Let's create the needed partitions on the first disk, starting with the boot partition in the first 64k of the disk.
Create the boot partition on the first disk:
# gpart add -s 64k -t freebsd-boot -l boot0 ada0

Then all other partitions as needed, like root, swap, usr, var and home:
# gpart add -s 5G -t freebsd-ufs -l root0 ada0
# gpart add -s 4G -t freebsd-swap -l swap0 ada0
# gpart add -s 10G -t freebsd-ufs -l usr0 ada0
# gpart add -s 10G -t freebsd-ufs -l var0 ada0
# gpart add -s 10G -t freebsd-ufs -l home0 ada0

Once the partitions are created, make the first disk bootable by installing the boot code into the boot partition (partition index 1):
# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0

Now create the same GPT partition scheme on the second disk, ada1, and its boot partition:
# gpart create -s gpt ada1
# gpart add -s 64k -t freebsd-boot -l boot1 ada1
The other partitions are the same as on the first disk; you might notice the only change is at the end, where ada0 is replaced with ada1 (and the labels get the suffix 1):

# gpart add -s 5G -t freebsd-ufs -l root1 ada1
# gpart add -s 4G -t freebsd-swap -l swap1 ada1
# gpart add -s 10G -t freebsd-ufs -l usr1 ada1
# gpart add -s 10G -t freebsd-ufs -l var1 ada1
# gpart add -s 10G -t freebsd-ufs -l home1 ada1

Now let's make the second disk bootable by installing the boot code into its boot partition:
# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada1

The next step is creating the mirrors with labels and formatting them with a filesystem, i.e. creating mirrored UFS filesystems on the GPT partitions.
Let's load the mirroring driver first:
# kldload geom_mirror

Create the mirrors:
# gmirror label boot /dev/gpt/boot0 /dev/gpt/boot1
# gmirror label swap /dev/gpt/swap0 /dev/gpt/swap1
# gmirror label root /dev/gpt/root0 /dev/gpt/root1
# gmirror label usr /dev/gpt/usr0 /dev/gpt/usr1
# gmirror label var /dev/gpt/var0 /dev/gpt/var1
# gmirror label home /dev/gpt/home0 /dev/gpt/home1

Now let us check the gmirror status
# gmirror status

Create filesystems on the mirrors just created; -U enables soft updates, -L sets the volume label, and -t enables TRIM for SSDs (note that -L takes the label as its argument, so -t must come before it):
# newfs -U -t -L root /dev/mirror/root
# newfs -U -t -L usr /dev/mirror/usr
# newfs -U -t -L var /dev/mirror/var
# newfs -U -t -L home /dev/mirror/home

In the above example, please note that the -t option of newfs is used because I am doing this on SSDs, so I wanted TRIM enabled.

Create the temporary directories to be mounted along with root:
# mkdir -p /mnt/usr
# mkdir -p /mnt/var
# mkdir -p /mnt/home

Now mount the mirrors temporarily, root first:

# mount /dev/mirror/root /mnt
# mount /dev/mirror/usr /mnt/usr
# mount /dev/mirror/var /mnt/var
# mount /dev/mirror/home /mnt/home

Now it is time to create the fstab file for the mount points. Create the fstab for the mirrored partitions now, or come back to the shell just before rebooting the system and create the fstab file in /mnt/etc.
If you miss this step you will not be able to boot the new system.
# vi /tmp/bsdinstall_etc/fstab (or, best, vi /mnt/etc/fstab from the shell before the reboot)
# Device           Mountpoint  FStype  Options  Dump  Pass#
/dev/mirror/swap   none        swap    sw       0     0
/dev/mirror/root   /           ufs     rw       1     1
/dev/mirror/usr    /usr        ufs     rw       2     2
/dev/mirror/var    /var        ufs     rw       2     2
/dev/mirror/home   /home       ufs     rw       2     2

Exit the shell and continue the installation as usual, without creating partitions again. Just before rebooting, go to the shell again and append the following so the mirror driver is loaded before the system boots (append with >>, so any existing loader.conf settings are kept):

echo 'geom_mirror_load="YES"' >> /mnt/boot/loader.conf

That's all for mirroring; striping varies in just 2 steps.
1. Instead of a mirror we stripe the partitions, as below.
This example shows striping for the swap partition:
gstripe label swap /dev/gpt/swap0 /dev/gpt/swap1

2. Then change the boot loader entry to load the stripe driver:
echo 'geom_stripe_load="YES"' >> /mnt/boot/loader.conf

That's all; it is simple to get mirroring and striping going in FreeBSD 10/11.
Enjoy
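The `gmirror status` step above only helps if somebody looks at it. As an added example (not part of the original post), here is a small check suitable for cron or a monitoring agent: it reads the script-friendly output of `gmirror status -s` (assumed here to print one line per component: mirror name, status, component, state) and reports every mirror that is not COMPLETE, so a dropped member is noticed before the remaining disk fails as well.

```shell
#!/bin/sh
# Added example, not from the original post: health check for the gmirror
# mirrors built above. On a live system run:
#   gmirror status -s | degraded_mirrors

# Print the names of mirrors whose status is not COMPLETE, once each.
# Returns 0 when every mirror is COMPLETE, 1 otherwise.
degraded_mirrors() {
    awk '
        # $1 is the mirror name (mirror/root, ...), $2 is its status
        $1 ~ "^mirror/" && $2 != "COMPLETE" && !seen[$1]++ { print $1; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample in the `gmirror status -s` format: root is healthy,
# usr has lost its second member, var is rebuilding onto a replacement.
SAMPLE_STATUS='mirror/root  COMPLETE  gpt/root0 (ACTIVE)
mirror/root  COMPLETE  gpt/root1 (ACTIVE)
mirror/usr   DEGRADED  gpt/usr0 (ACTIVE)
mirror/var   DEGRADED  gpt/var0 (ACTIVE)
mirror/var   DEGRADED  gpt/var1 (SYNCHRONIZING, 37%)'

# Demonstration on the constructed sample: lists mirror/usr and mirror/var
if printf '%s\n' "$SAMPLE_STATUS" | degraded_mirrors; then
    echo "all mirrors COMPLETE"
fi
```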


Thursday, January 30, 2014

Setting up SNMP monitoring on Network interface with bsnmpd

bsnmpd itself is already installed as part of the base system, so let's go ahead with the utilities.
Run the following to install bsnmp-ucd:

        # cd /usr/ports/net-mgmt/bsnmp-ucd
        # make all install clean
Run the following to install bsnmptools:
        # cd /usr/ports/net-mgmt/bsnmptools
        # make all install clean
CONFIGURING BSNMP
Edit /etc/snmpd.config to add the line:
        begemotSnmpdModulePath."ucd" = "/usr/local/lib/snmp_ucd.so"
Edit the rest of that file too: change the read variable to set your own SNMP community string (this is the community the snmpwalk test below uses).

FINISHING TOUCHES AND FINAL COMMENTS
At this point you need to add
bsnmpd_enable="YES"

to the file /etc/rc.conf and start bsnmpd by issuing
# /etc/rc.d/bsnmpd start

OK, now run the test from a workstation to see if bsnmpd is working fine on the server.
To use snmpwalk / snmpget you must install the snmp package on the Linux workstation:

snmpwalk -v2c -c public 192.168.2.5

If you are getting no response, check that the SNMP service is running with the netstat -a command and see whether the snmp port is listed.
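Since the snmpwalk test above uses the stock community string, it is worth checking the file before exposing the agent. The following is an added example, not from the original post: it audits the `read := "..."` and `write := "..."` variable definitions in bsnmpd's snmpd.config and flags communities that are still well-known defaults, shorter than 12 characters (this example's own threshold), or identical for read and write.

```shell
#!/bin/sh
# Added example, not from the original post. On the server run:
#   audit_snmp_communities < /etc/snmpd.config
# Prints one finding per line and returns 1 if anything was flagged.
audit_snmp_communities() {
    awk '
        # only uncommented `read := "..."` / `write := "..."` definitions
        /^[ \t]*(read|write)[ \t]*:=/ {
            name = $1; sub(/:=.*$/, "", name)
            value = $0; sub(/^[^"]*"/, "", value); sub(/".*$/, "", value)
            community[name] = value
            if (value == "public" || value == "private" || value == "geheim") {
                print name " community is a well-known default: " value; bad = 1
            } else if (length(value) < 12) {
                print name " community is shorter than 12 characters"; bad = 1
            }
        }
        END {
            if (("read" in community) && ("write" in community) &&
                community["read"] == community["write"]) {
                print "read and write communities are identical"; bad = 1
            }
            exit bad ? 1 : 0
        }
    '
}

# Constructed sample resembling the stock file after the UCD module line from
# the steps above was added; the read community was never changed.
SAMPLE_SNMPD_CONFIG='location := "Room 200"
read := "public"
# write := "geheim"
trap := "mytrap"
begemotSnmpdModulePath."ucd" = "/usr/local/lib/snmp_ucd.so"'

# Demonstration on the constructed sample: reports the default read community
if printf '%s\n' "$SAMPLE_SNMPD_CONFIG" | audit_snmp_communities; then
    echo "no weak community strings found"
fi
```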

Now it's time to install MRTG and see if we can get the graphs generated:

cd /usr/ports/net-mgmt/mrtg
make install clean

Then create the configuration file for the NICs by using cfgmaker
cfgmaker --ifref=eth public@localhost > /usr/local/etc/mrtg/network.cfg

Then modify the network.cfg file and run mrtg:
mrtg /usr/local/etc/mrtg/network.cfg --logging /var/log/mrtg.log
Run this command at least 4 or 5 times to clear the rateup errors, which appear until the log files have enough samples.

Check the mrtg.log file for any errors and add a crontab entry to update MRTG every 5 minutes:
crontab -e
*/5  *    *   *   *   /usr/local/bin/mrtg /usr/local/etc/mrtg/network.cfg --logging /var/log/mrtg.log > /dev/null

Now create the index file in the www home folder:

indexmaker /usr/local/etc/mrtg/network.cfg > /home/www/mrtg/index.html

Transferring Files from Windows to FreeBSD without passwords in a secure way: Keyless Authentication

Tools needed
putty - SSH client
puttygen - SSH key generator for Windows
pscp - secure copy client from the PuTTY suite

The first part is generating the keys to be used for keyless operation.
Key length: 2048
Click on Generate and move the mouse over the blank area to create some randomness.
Save the private key safely, and copy the public key text shown in the window.

On the remote machine, paste the public key into authorized_keys in the .ssh folder and try the keyless authentication.

That's all, now enjoy.

Update after a long time!

I took a real break from all this to concentrate more on the personal front.
So here I am after a big break, wanting to post a few things which are getting me hooked and excited.
First and foremost, FreeBSD: with the just released version 10, FreeBSD reaches a milestone with some solid changes all over.
So what all happened during these days from FreeBSD 8 to FreeBSD 10?

1. Major changes in the kernel, which is now much more fine-tuned for multi-core processors, i.e. FreeBSD scales very well on the latest hardware.
2. Clang was introduced as the default compiler for the FreeBSD system. Yes, gcc is still there, but it is not installed by default.
3. The ports system underwent a major overhaul after the security breach in 2012, and pkg is now the default package management tool.
4. BIND is removed from the base system; it is replaced with the super-light Unbound.
5. Major virtualization enhancements.
6. Introduction of Capsicum into the default system (enhanced jail/sandboxing).
7. Major changes in the FreeBSD installer.
8. The kernel can address up to 4 TB of system memory.
9. Enhanced hardware support.
10. ZFS has matured very much and is considered very stable.

These are a few I could think of; for the entire list of features you could visit the What's New page of FreeBSD 10. So, to start with,
wishing you all a great new year ahead.

Thursday, December 23, 2010

Enabling Polling on FreeBSD 8.1 kernel

Plucking your hair out trying to enable polling on the 8.1 kernel via sysctl?

Yeah, I know you might have tried your level best to get polling enabled using
sysctl kern.polling.enable=1
or by modifying /etc/sysctl.conf.
But both will produce an error saying "sysctl: unknown oid 'kern.polling.enable'".
Don't worry, it is enabled as long as you compiled the kernel with polling enabled.

So just relax and check
sysctl kern.hz
It shows you a value, which must be 1000 or higher.

Now go ahead and enable polling on your network card in the ifconfig statement in /etc/rc.conf.

Happy polling :)



Sunday, June 20, 2010

Squid Log rotation with logrotate

I. Install logrotate from ports
cd /usr/ports/sysutils/logrotate
make install clean


II. Create a new logrotate.conf file.

vi /usr/local/etc/logrotate.conf

# Added the following to rotate Apache and Squid logs

# see “man logrotate” for details
# rotate log files weekly
#weekly
daily

# keep 7 days worth of backlogs
rotate 7

# send errors to root
#errors root

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
compress

# per-service log rotation files are dropped into this directory
include /usr/local/etc/logrotate.d

/var/log/lastlog {
monthly
rotate 12
}

# system-specific logs may be configured here

III. Create a directory for the service-specific logrotate files

mkdir -p /usr/local/etc/logrotate.d

IV. First, create a logrotate file for Squid to rotate its access.log for 90 days and cache.log for 7 days.

cd /usr/local/etc/logrotate.d/

vi /usr/local/etc/logrotate.d/squid

#Copy and paste the following

/var/log/squid/access.log {
daily
rotate 90
copytruncate
compress
notifempty
missingok
}
/var/log/squid/cache.log {
daily
rotate 7
copytruncate
compress
notifempty
missingok
}

V. Create the necessary directories and files for logrotate, then test (-d, dry run) and force a run (-f) to debug logrotate

mkdir -p /var/lib

touch /var/lib/logrotate.status

/usr/local/sbin/logrotate -d /usr/local/etc/logrotate.conf
/usr/local/sbin/logrotate -f /usr/local/etc/logrotate.conf

VI. Next, we will rotate and manage Apache logs

vi /usr/local/etc/logrotate.d/apache

#Add the following to rotate and manage Apache access_log and error_log for 30 days.

#Note: If your Apache logs are in a different directory, simply change the directory.

/var/log/apache/access_log {
daily
rotate 30
copytruncate
compress
notifempty
missingok
}
/var/log/apache/error_log {
daily
rotate 30
copytruncate
compress
notifempty
missingok
}

If all goes well, that’s it. Your Apache and Squid logs should be rotated.

The last thing is to add an entry to crontab and let the cron daemon rotate your Apache and Squid logs automatically.

VII. Automating logrotate using crontab

vi /etc/crontab

#Add the following to rotate your logs at 1 AM

#Logrotate
0 1 * * * root /usr/local/sbin/logrotate /usr/local/etc/logrotate.conf > /dev/null 2>&1

That’s it. Your Apache and Squid logs will be rotating without manual intervention!!

pf

Hammering those Hammers
If your server comes under attack, what can be done, and how can we prevent the server going down under hammering from the attackers?
A few simple steps with pf can do magic instead of some high-fi, pocket-crashing firewalls.

Say the server we want to protect is our web server

Add the following to /etc/pf.conf (the angle brackets around the table name are part of the pf syntax; $ext_if is your external interface macro, assumed to be em0 here):
# external interface; replace em0 with yours
ext_if = "em0"

# OK, all the attackers go into a persistent table backed by the file /etc/pf.blocklist
table <ftp-attacks> persist file "/etc/pf.blocklist"

# block all incoming connections from the attackers in the table
block in quick on $ext_if from <ftp-attacks>

# Let us allow the web server (port 80) with brute-force protection
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 80 keep state (max-src-conn-rate 5/40, overload <ftp-attacks> flush global)

So what do the previous lines do?
If any IP opens more than 5 connections in 40 seconds, that IP ends up in the pf table of hammers, and whoever is in the table of hammers is blocked by the block rule before that (flush global also kills that IP's existing states).
But this only works as long as the system doesn't restart or pf doesn't lose the table, so let's make it permanent by saving the table to the file from rc.shutdown:
# echo '/sbin/pfctl -t ftp-attacks -T show > /etc/pf.blocklist' >> /etc/rc.shutdown
Whoa, next time, even if the system reboots, we have the list of those guys who tried to hammer our web server.

See how easy and cool it is.
Yes, of course I came across this on the net and used it for my purpose.
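Saving the table only from rc.shutdown means a crash or power cut loses every entry added since the last clean reboot, and entries otherwise never leave the table. As an added example (not from the original post), this cron script persists the table described above on a schedule, renames the file into place atomically so pf never loads a half-written blocklist at boot, and expires addresses that have not hit the overload limit again for a day; the table name and file are the ones from the pf.conf above, and EXPIRE_SECONDS is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the original post. Install e.g. as
#   */10 * * * * root /usr/local/sbin/persist_blocklist.sh
TABLE=${TABLE:-ftp-attacks}
BLOCKLIST=${BLOCKLIST:-/etc/pf.blocklist}
EXPIRE_SECONDS=${EXPIRE_SECONDS:-86400}   # this example's own expiry choice

# Expire stale entries, then write the remaining addresses to the blocklist.
# Writing to a temporary name and renaming means a crash mid-write can never
# leave a truncated or empty blocklist for `table ... persist file` to load.
persist_blocklist() {
    # drop addresses that have not been re-added within EXPIRE_SECONDS
    pfctl -q -t "$TABLE" -T expire "$EXPIRE_SECONDS" || return 1
    addrs=$(pfctl -q -t "$TABLE" -T show) || return 1
    tmp="$BLOCKLIST.tmp.$$"
    # pfctl indents each address; keep just the address, sorted, one per line
    printf '%s\n' "$addrs" | awk 'NF { print $1 }' | sort -u > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$BLOCKLIST"
}

# Run the sync when invoked on a host that has pf; skipped elsewhere so the
# function can also be sourced and exercised without pfctl present.
if command -v pfctl >/dev/null 2>&1; then
    persist_blocklist
fi
```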