Archive for the ‘Howtos’ Category

How to protect WordPress against xmlrpc attacks.

Wednesday, October 22nd, 2014

Lately we have seen a huge increase in attacks against xmlrpc.php in WordPress installations. This creates problems for other clients on the hosting servers, and for yourself.

To protect yourself against this you can use the following guide:

http://docs.host1.no/wiki/Securing_your_Wordpress_installation (See «bruteforce against xmlrpc.php».)

Add a .htaccess file to the directory that contains WordPress (and xmlrpc.php), then copy the lines mentioned in the wiki article into it; your xmlrpc.php should then be protected against any attacks.
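The wiki lines are not reproduced on this page, so the following is an added example rather than the wiki's own rule: a small shell helper that appends a deny rule for xmlrpc.php to the .htaccess file once. The function name, the marker comments and the directives themselves (standard Apache 2.2/2.4 access control) are assumptions.

```shell
#!/bin/sh
# Added example: deny all HTTP access to xmlrpc.php via .htaccess.
# The rule below is an assumption, not the text of the host1.no wiki article.

MARK_BEGIN='# BEGIN block-xmlrpc (added example)'
MARK_END='# END block-xmlrpc'

# block_xmlrpc DIR: append the rule to DIR/.htaccess exactly once.
# Returns 1 if DIR does not contain xmlrpc.php (not a WordPress root).
block_xmlrpc() {
    dir=$1
    [ -f "$dir/xmlrpc.php" ] || { echo "no xmlrpc.php in $dir" >&2; return 1; }
    ht="$dir/.htaccess"
    # Idempotent: leave the file alone when the marker is already present.
    if [ -f "$ht" ] && grep -qF "$MARK_BEGIN" "$ht"; then
        return 0
    fi
    # Keep a backup so a bad rule can be rolled back quickly.
    [ -f "$ht" ] && cp -p "$ht" "$ht.bak"
    cat >>"$ht" <<EOF

$MARK_BEGIN
<Files "xmlrpc.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
$MARK_END
EOF
}
```

Denying xmlrpc.php outright also stops legitimate XML-RPC clients such as the WordPress mobile apps, Jetpack and pingbacks, so check whether the site depends on them first.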

Videotutorials.

Monday, November 18th, 2013

Notice to all our clients:

You can view video tutorials for cPanel, Fantastico, Softaculous, FTP and Email here: https://host1.no/client/knowledgebase/17/Videotutorials

How to build driver-iso for ARECA ARC18XX-series for XenServer

Wednesday, October 5th, 2011

Due to the apparent need for a quick howto on building a driver ISO for the ARECA 18XX-series RAID cards for XenServer, I’ll post one here. It will only be available in English.

Step 1: Setup DDK

  • Download the DDK from http://www.citrix.com/xenserver
  • Mount or extract the iso, use the «import»-function in XenServer to import the ova.xml-file.
  • Start the DDK-appliance, configure network if needed.

Step 2: Driver

  • Login to the DDK Appliance as root.
  • Create a directory called /root/driver:
    mkdir /root/driver
  • Download the source files from ARECA to /root/driver, extract them, and rename the directory:
    cd /root/driver
    wget http://www.areca.us/support/s_linux/driver/arcmsr.1.20.0X.15-110622.zip
    unzip arcmsr.1.20.0X.15-110622.zip
    mv arcmsr.1.20.0X.15-110622 arcmsr-1.20.0X.15
  • Copy the Makefile and the helloworld.spec file from /root/examples/driver:
    cp /root/examples/driver/Makefile /root/driver/
    cp /root/examples/driver/helloworld.spec /root/driver/arcmsr.spec
  • Modify the Makefile and the arcmsr.spec file with the correct vendor names, versions and so on. This should be self-explanatory.
      • In the Makefile in this example: RPM_VERSION:= 1.20.0X.15 and RPM_RELEASE := 110622
      • In the arcmsr.spec in this example: VERSION: 1.20.0X.15 and Release: 110622
Step 2.1: Modifying the source files from ARECA

  • A small section in the source from ARECA causes issues, so we have to modify /root/driver/arcmsr-1.20.0X.15/arcmsr.h. Remove the following section from the file:
    #if !defined(RHEL_RELEASE_CODE) && LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33)
           enum {
                   SCSI_QDEPTH_DEFAULT,    /* default requested change, e.g. from sysfs */
                   SCSI_QDEPTH_QFULL,      /* scsi-ml requested due to queue full */
                   SCSI_QDEPTH_RAMP_UP,    /* scsi-ml requested due to threshhold event */
           };
    #endif

Step 2.2: Building the drivers

  • Now it’s time to build:
    cd /root/driver
    make build-srctarballs
    make build-iso

  • You should now have a working driver ISO in /root/driver/arcmsr.iso. It can be loaded as a supplemental pack during the installation of XenServer.
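The manual header edit from Step 2.1 can be scripted so that it is repeatable and refuses to touch a file that does not look as expected. This is an added example, not part of the original howto or of ARECA's sources; the function names are hypothetical, and it assumes the guarded block contains no nested #if.

```shell
#!/bin/sh
# Added example: remove the version-guarded SCSI_QDEPTH enum from arcmsr.h.
# Function names are hypothetical; the guard text comes from Step 2.1.

# strip_qdepth_enum FILE: print FILE without that block.
# Exit status is 0 only if exactly one such block was removed.
strip_qdepth_enum() {
    awk '
        !inblk && /^[ \t]*#if !defined\(RHEL_RELEASE_CODE\) && LINUX_VERSION_CODE < KERNEL_VERSION\(2, ?6, ?33\)/ {
            inblk = 1; buf = $0; hit = 0; next
        }
        inblk {
            buf = buf "\n" $0
            if ($0 ~ /SCSI_QDEPTH_DEFAULT/) hit = 1
            if ($0 ~ /^[ \t]*#endif/) {        # assumes no nested #if
                if (hit) removed++; else print buf
                inblk = 0
            }
            next
        }
        { print }
        END { if (inblk) print buf; exit (removed == 1 ? 0 : 1) }
    ' "$1"
}

# patch_arcmsr_header FILE: edit FILE in place, keeping FILE.orig.
# Leaves FILE untouched when the block is missing or appears more than once.
patch_arcmsr_header() {
    hdr=$1
    tmp=$(mktemp) || return 1
    if strip_qdepth_enum "$hdr" >"$tmp"; then
        cp -p "$hdr" "$hdr.orig" && cat "$tmp" >"$hdr"
        rc=$?
    else
        echo "$hdr: expected exactly one SCSI_QDEPTH block; left unchanged" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

With the paths used in this howto, the call would be `patch_arcmsr_header /root/driver/arcmsr-1.20.0X.15/arcmsr.h`, run before `make build-srctarballs`.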

How to install Puppet and Puppet Dashboard

Friday, November 12th, 2010

I’ve been spending a lot of time on Puppet lately. I had to set up a Puppetmaster with Puppet Dashboard, all running on Passenger. I didn’t find any good howtos on the subject, so I’ll write one myself. Here is a step-by-step guide for how to set up a puppetmaster server with Puppet Dashboard on an Ubuntu Server. I’m using the latest version of Puppet from gems (2.6.2) instead of the one that ships with Ubuntu (0.25.4). I’m also using MySQL for the databases.

Puppetmaster:

First of all install rubygems and libmysql:

apt-get install rubygems1.8 libopenssl-ruby1.8 mysql-server libmysql-ruby

Create the database:

mysql> create database puppet;
mysql> grant all privileges on puppet.* to puppet@localhost identified by 'password';

Install puppet:

gem install rubygems-update
/var/lib/gems/1.8/bin/update_rubygems
gem install puppet activerecord

Deploy /etc/puppet/puppet.conf with the following content (adapt for your needs, see the comments):

[main]
# Basic config:
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/etc/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
pluginsync=false
templatedir=$confdir/templates

#Puppetmaster-config:
[master]
storeconfigs = true
# MySQL-configuration:
dbadapter = mysql
dbuser = puppet
dbpassword = password
dbserver = localhost
dbsocket = /var/run/mysqld/mysqld.sock
# SSL-config:
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
# Reports to puppet-dashboard for each run:
reports = http, store
reporturl = http://localhost:3000/reports

# Puppet client config enables reporting from the client
# This HAS to be enabled on ALL clients you want reports from
[agent]
report = true

You should also deploy init scripts for puppet if needed (not for puppetmaster, which will run through Apache), and logrotate if needed. Here is my /etc/logrotate.d/puppet:

/var/log/puppet/*log {
missingok
create 0644 puppet puppet
compress
rotate 4

postrotate
[ -e /etc/init.d/puppetmaster ] && /etc/init.d/puppetmaster restart >/dev/null 2>&1 || true
[ -e /etc/init.d/puppet ] && /etc/init.d/puppet reload > /dev/null 2>&1 || true
endscript
}

Start puppetmasterd with «--mkusers» the first time to create the puppet group and user:

puppetmasterd --mkusers

Puppet Dashboard

Now it’s time to install Puppet Dashboard. We’ll install this using Puppetlabs’ apt-repo. This will install Puppet Dashboard to /usr/share/puppet-dashboard.

Add puppetlabs’ apt-repo by adding the following lines to your /etc/apt/sources.list:

deb http://apt.puppetlabs.com/ubuntu lucid main
deb-src http://apt.puppetlabs.com/ubuntu lucid main

Fetch puppetlabs’ GPG-key and import it into apt:

gpg --recv-key 4BD6EC30
gpg -a --export 4BD6EC30 | sudo apt-key add -

Run apt-get update and install puppet-dashboard:

apt-get update
apt-get install puppet-dashboard

Create the database:

mysql -p
mysql> create database dashboard;
mysql> GRANT ALL PRIVILEGES ON dashboard.* to 'dashboard'@'localhost' IDENTIFIED BY 'password';

Edit /etc/puppet-dashboard/database.yml with the proper settings. I will assume that you want to use the production environment for the rest of this howto:

production:
  database: dashboard
  username: dashboard
  password: password
  encoding: utf8
  adapter: mysql

Initialize the database:

rake RAILS_ENV=production db:migrate

Passenger

We’ve now finished the basic setup of the Puppetmaster and Puppet Dashboard. It’s time to install Passenger and make everything run through Apache.

First of all, install passenger (it will also install dependencies such as apache):

apt-get install libapache2-mod-passenger

Enable SSL:

a2enmod ssl

Change the ownership of /etc/puppet/rack/config.ru to puppet:puppet:

chown puppet:puppet /etc/puppet/rack/config.ru

Copy /usr/share/puppet-dashboard/vendor/rails/railties/dispatches/config.ru to /usr/share/puppet-dashboard/config.ru and set the proper ownership:

cp /usr/share/puppet-dashboard/vendor/rails/railties/dispatches/config.ru /usr/share/puppet-dashboard/config.ru
chown www-data:www-data /usr/share/puppet-dashboard/config.ru

Deploy /etc/apache2/sites-enabled/puppetmaster with the following content (remember to edit hostname, tune as you see fit):

# You probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    SSLCertificateFile /etc/puppet/ssl/certs/puppet.domain.tld.pem
    SSLCertificateKeyFile /etc/puppet/ssl/private_keys/puppet.domain.tld.pem
    SSLCertificateChainFile /etc/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /etc/puppet/ssl/ca/ca_crt.pem
    # If Apache complains about invalid signatures on the CRL, you can try disabling
    # CRL checking by commenting the next line, but this is not recommended.
    SSLCARevocationFile /etc/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars

    DocumentRoot /etc/puppet/rack/public/
    RackBaseURI /
    <Directory /etc/puppet/rack/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

Then deploy /etc/apache2/sites-enabled/puppet-dashboard with the following content:

# Dashboard configuration
Listen 3000

<VirtualHost *:3000>
    DocumentRoot /usr/share/puppet-dashboard/public/

    # Use the production environment:
    SetEnv RAILS_ENV production
    RackBaseURI /
    <Directory /usr/share/puppet-dashboard/public/>
        Options None
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
    </Directory>
    ServerSignature On
    # Logs
    ErrorLog /var/log/apache2/dashboard.domain.tld_error.log
    LogLevel warn
    CustomLog /var/log/apache2/dashboard.domain.tld_access.log combined
</VirtualHost>

Then you just restart apache2, make sure it starts at boot and you should be good to go.

Puppet Dashboard should then be accessible via http://puppet.domain.tld:3000 while puppet should run properly on port 8140 (Test with a client).
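The SSLProtocol and SSLCipherSuite values in the puppetmaster vhost above (SSLv3, TLSv1, RC4, MEDIUM, a bare ALL) are legacy settings by current standards. The following check is an added example, not part of the original howto: a shell helper that flags such tokens in an Apache vhost file. The helper name is hypothetical and the weak-token list is a heuristic.

```shell
#!/bin/sh
# Added example: flag legacy TLS settings in an Apache vhost file.
# audit_apache_tls is a hypothetical helper, not part of Apache or Puppet.

# Prints one finding per weak token; exit status 1 if anything was flagged.
audit_apache_tls() {
    awk '
        /^[ \t]*#/ { next }                      # skip comments
        tolower($1) == "sslprotocol" {
            for (i = 2; i <= NF; i++) {
                p = tolower($i)
                if (p ~ /^-/) continue           # explicitly disabled
                sub(/^[+]/, "", p)
                if (p == "sslv2" || p == "sslv3" || p == "tlsv1" || p == "tlsv1.1") {
                    printf "line %d: SSLProtocol enables %s\n", NR, p
                    bad++
                }
            }
        }
        tolower($1) == "sslciphersuite" {
            n = split($2, c, ":")
            for (i = 1; i <= n; i++) {
                if (c[i] ~ /^[!-]/) continue     # excluded or removed
                # Heuristic: any other mention of a weak class, or a bare ALL.
                if (c[i] == "ALL" || c[i] ~ /RC4|MEDIUM|LOW|EXP|ADH|NULL|MD5/) {
                    printf "line %d: SSLCipherSuite includes %s\n", NR, c[i]
                    bad++
                }
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}
```

A vhost with `SSLProtocol -ALL +TLSv1.2` and `SSLCipherSuite HIGH:!aNULL:!MD5` passes this check; tightening the protocol list only works if every Puppet agent's SSL library supports the remaining versions.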

UFW

I’ll also add a quick set of commands for securing the server. I’m using Ubuntu’s Uncomplicated Firewall (ufw); edit the rules to fit your IP ranges. These rules will close down all ports on the server except ports 22, 3000 and 8140, which will be open for specific IP ranges:

ufw default deny
ufw allow from 192.168.0.0/24 to any port 22
ufw allow from 192.168.0.0/24 to any port 8140
ufw allow from 192.168.0.0/24 to any port 3000
ufw enable

This concludes this howto. I hope you will find it useful.

-Eivind