
Tuesday, October 17, 2017

Centos 7: install epel and speedtest-cli

To install epel

# yum install epel-release

To install speedtest-cli

# yum install python2-speedtest-cli

To run speedtest-cli

# speedtest-cli
Retrieving speedtest.net configuration...
Testing from PT Media Andalan Nusa (103.253.113.233)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by CBN (Jakarta) [0.74 km]: 3.059 ms
Testing download speed................................................................................
Download: 236.99 Mbit/s
Testing upload speed....................................................................................................
Upload: 186.53 Mbit/s


References:
  • https://www.cyberciti.biz/faq/installing-rhel-epel-repo-on-centos-redhat-7-x/

Tuesday, May 2, 2017

Centos 6: csf blocking whois

symptom:
# whois google.com
[Querying whois.verisign-grs.com]
[Unable to connect to remote host]
To solve this problem, edit /etc/csf/csf.conf and make sure outgoing connections to ports 43 (whois, TCP) and 53 (DNS) are allowed.
# vi /etc/csf/csf.conf
...
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,43,53,80,110,113,443,587,993,995"
...
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,43,53,113,123"
...
Restart your csf
# csf -r
Done!
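
A check for the condition this post fixes, as an added example (not part of the original post): it reads TCP_OUT and UDP_OUT from a csf.conf file and reports whether outbound TCP 43 and TCP/UDP 53 are covered, including low:high ranges. The function names and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: is a port covered by a csf.conf port list?
# csf lists are comma separated; a range is written low:high.

# csf_list NAME FILE: print the quoted value of NAME (last assignment wins)
csf_list() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# port_allowed PORT LIST: succeed if PORT is listed or falls inside a range
port_allowed() {
    local port="$1" item IFS=', '
    for item in $2; do
        case $item in
            *:*) [ "$port" -ge "${item%%:*}" ] && [ "$port" -le "${item##*:}" ] && return 0 ;;
            *)   [ "$item" = "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# check_whois_egress FILE: whois needs TCP 43, plus DNS on TCP/UDP 53
check_whois_egress() {
    local conf="$1" missing=""
    port_allowed 43 "$(csf_list TCP_OUT "$conf")" || missing="$missing TCP_OUT:43"
    port_allowed 53 "$(csf_list TCP_OUT "$conf")" || missing="$missing TCP_OUT:53"
    port_allowed 53 "$(csf_list UDP_OUT "$conf")" || missing="$missing UDP_OUT:53"
    if [ -n "$missing" ]; then echo "missing:$missing"; return 1; fi
    echo "ok"
}

# Constructed sample: a csf.conf fragment whose TCP_OUT lacks port 43
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123,33434:33523"
EOF
check_whois_egress "$demo_conf" || true
rm -f "$demo_conf"
```

On a real server, point it at the live file: check_whois_egress /etc/csf/csf.conf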

Friday, April 7, 2017

Centos 6/7: using needs-restarting after yum update

Install yum-utils
# yum install yum-utils

Some updates require a system restart, or a restart of some services, before they take effect. To find out which running processes still use the old files and need to be restarted, run needs-restarting:

# needs-restarting
1512 : /usr/sbin/sshd
609 : /usr/sbin/NetworkManager --no-daemon
615 : /usr/lib/polkit-1/polkitd --no-debug

Tested on Centos 6.9 and Centos 7.3


Monday, January 23, 2017

Centos ConfigServer Security & Firewall

Download the latest CSF & LFD from https://download.configserver.com/csf.tgz, then extract and install it:
# tar -xzf csf.tgz
# cd csf
# ./install.sh
Test the CSF & LFD installation
# perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server

Remove other firewalls that may conflict (APF and BFD) by running the bundled script
# /usr/local/csf/bin/remove_apf_bfd.sh
Removing apf and/or bfd...
/usr/local/csf/bin/remove_apf_bfd.sh: line 5: apf: command not found
error reading information on service apf: No such file or directory
error reading information on service apf: No such file or directory
...Done

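Disable "Testing" mode. While TESTING is enabled, csf periodically clears its rules and lfd does not start, so the firewall is not enforcing anything until this is set to 0.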
# vi /etc/csf/csf.conf
...
TESTING = "0"
...

Block a country by adding its two-letter country code to CC_DENY in csf.conf, then restart csf
# vi /etc/csf/csf.conf
...
CC_DENY = "CN,VN"
...
# csf -r
Country code can be found here 

Friday, August 5, 2016

Fix IP address after kernel 3.10.0-327.28.2.el7.x86_64 upgrade on Centos 7 (KVM Guest)

Symptom: after a scheduled restart following the kernel upgrade to 3.10.0-327.28.2.el7.x86_64, something went wrong on our KVM guest. Some network devices disappeared; there was no ensX device anymore.
Solution:
Note: this solution was tested both from the host server (using virsh console) and over ssh.
Install the Network Manager Text User Interface (TUI)
# yum install NetworkManager-tui
Check your device status using the Network Manager Command Line Interface (nmcli)
# nmcli dev status
DEVICE  TYPE      STATE         CONNECTION
eth0    ethernet  connected     eth0
ens4    ethernet  disconnected  --
lo      loopback  unmanaged     --
Edit your available/connected network connection using the Network Manager TUI
# nmtui edit eth0
Make sure to check:
  1. Require IPv4 addressing for this connection
  2. Automatically connected
  3. Available to all users
References:
  1. http://ask.xmodulo.com/configure-static-ip-address-centos7.html 
  2. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Using_the_NetworkManager_Command_Line_Tool_nmcli.html 

Saturday, May 14, 2016

Centos 7: installing deltarpm (Delta RPMs disabled)

Symptoms:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
Centos 7 with minimal installation does not include deltarpm. To fix error message "Delta RPMs disabled because /usr/bin/applydeltarpm not installed." during yum update, install it manually.
# yum install -y deltarpm

Saturday, April 23, 2016

WHM/CPanel Centos 7: enabling ipset in csf

Prerequisite:
  • Iptables & Ipset
  • Serverconfig v7.54 or later
Follow WHM/CPanel centos 7: blocking brute force attack to replace firewalld with iptables and ipset.

Download and Install serverconfig:

# wget http://configserver.com/free/csf.tgz
# tar -xzf csf.tgz
# cd csf && ./install.cpanel.sh

To enable ipset in csf, edit file /etc/csf/csf.conf or edit it via WHM/CPanel:

TESTING = "0"
LF_IPSET = "1"
TCP_IN = "22,80,53,443"
TCP_OUT = "22,80,53,443"
UDP_IN = "53"
UDP_OUT = "53"
NOTE: don't forget to add the ports your own services use

Restart your csf

# service csf restart
Or via WHM/CPanel click Restart CSF+LFD


Sunday, April 17, 2016

WHM/CPanel Centos 7: blocking brute force attack

By default, CentOS 7 uses firewalld to manage netfilter rules. As with plain iptables, every additional rule may increase your CPU load. These are my notes on using ipset to keep net filtering efficient while blocking brute-force attacks.

Disable firewalld and enable iptables/ipset

Stop and mask the firewalld service:
# systemctl stop firewalld
# systemctl mask firewalld
Install the iptables-services package:
# yum install iptables-services
Enable the service at boot-time:
# systemctl enable iptables
# systemctl enable ip6tables
Start iptables service
# systemctl start iptables
# systemctl start ip6tables
Install ipset
# yum install ipset

Install & Configure fail2ban (Optional)

Installing fail2ban
# yum install fail2ban
Enable fail2ban
# systemctl enable fail2ban
Start fail2ban
# systemctl start fail2ban
or
# service fail2ban start
Fix the firewall rules for cPanel by running
# /scripts/configure_firewall_for_cpanel
Open a port, for example 12345
# iptables -I INPUT -p tcp --dport 12345 -m state --state NEW,ESTABLISHED -j ACCEPT
To disable the fail2ban service
# systemctl stop fail2ban
# systemctl disable fail2ban
If you prefer to use CSF (ConfigServer Security & Firewall), follow WHM/CPanel Centos 7: enabling ipset in csf
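
The post installs ipset but does not show a set in use. As an added example (not from the original post), the script below counts failed SSH password attempts per source in sshd log lines and emits input for ipset restore; the set name ssh_bruteforce, the threshold, the timeout and the log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: build an ipset block list from failed sshd logins.
# One iptables rule then matches the whole set, however many IPs it holds:
#   iptables -I INPUT -m set --match-set ssh_bruteforce src -j DROP

# failed_ssh_sources MIN: read sshd log lines on stdin and print the IPv4
# sources with at least MIN failed passwords. The address is taken from the
# fixed tail "from IP port N ssh2", so text inside a user name is ignored.
failed_ssh_sources() {
    awk -v min="$1" '
        / sshd\[[0-9]+\]: Failed password for / && $(NF-2) == "port" && $(NF-4) == "from" {
            ip = $(NF-3)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | LC_ALL=C sort
}

# ipset_restore_lines SET TIMEOUT: turn IPs on stdin into restore input.
# Entries expire after TIMEOUT seconds, so the set cleans itself up.
ipset_restore_lines() {
    echo "create $1 hash:ip family inet timeout $2"
    while read -r ip; do
        echo "add $1 $ip"
    done
}

# Constructed sample log; the fourth line has a user name that embeds a fake source
sample_log() {
    cat <<'EOF'
Apr 17 03:10:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Apr 17 03:10:03 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Apr 17 03:10:06 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 40188 ssh2
Apr 17 03:11:40 web1 sshd[2110]: Failed password for invalid user a from 192.0.2.1 port 22 ssh2 from 198.51.100.7 port 51000 ssh2
Apr 17 03:12:02 web1 sshd[2115]: Accepted password for deploy from 198.51.100.20 port 50211 ssh2
EOF
}

# block_plan: sources with 3 or more failures, blocked for one hour
block_plan() {
    sample_log | failed_ssh_sources 3 | ipset_restore_lines ssh_bruteforce 3600
}

block_plan   # on a server, pipe this into: ipset -exist restore
```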

Monday, January 18, 2016

Centos 6 bridge network

The configuration files live in the directory /etc/sysconfig/network-scripts/

Note:
Instead of turning off NetworkManager, add "NM_CONTROLLED=no" to each ifcfg-* file.

Edit or create /etc/sysconfig/network-scripts/ifcfg-eth0:
DEVICE=eth0
TYPE=Ethernet
BOOTPROTO=none
# change the hardware address to match the hardware address your NIC uses
HWADDR=00:16:76:D6:C9:45
ONBOOT=yes
BRIDGE=br0
NM_CONTROLLED=no

Edit or create /etc/sysconfig/network-scripts/ifcfg-br0 (DHCP):
DEVICE=br0
TYPE=Bridge
BOOTPROTO=dhcp
ONBOOT=yes
NM_CONTROLLED=no
DELAY=0

Edit or create /etc/sysconfig/network-scripts/ifcfg-br0 (static):
DEVICE=br0
TYPE=Bridge
IPADDR=192.168.1.1
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
NM_CONTROLLED=no
DELAY=0

# service network restart

Iptables
# iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
# service iptables save
# service iptables restart

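Append the following to /etc/sysctl.conf. With these set to 0, bridged traffic is no longer passed through the host's iptables, ip6tables and arptables rules: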
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

Reload the kernel parameters and the libvirt service
# sysctl -p /etc/sysctl.conf
# service libvirtd reload

# brctl show

-----------------------------
2 nic bond
-----------------------------
Edit or create /etc/sysconfig/network-scripts/ifcfg-eth0:
DEVICE=eth0
TYPE=Ethernet
BOOTPROTO=none
# change the hardware address to match the hardware address your NIC uses
HWADDR=00:16:76:D6:C9:45
ONBOOT=yes
BRIDGE=br0
NM_CONTROLLED=no
USERCTL=no
SLAVE=yes
MASTER=bond0

Edit or create /etc/sysconfig/network-scripts/ifcfg-eth1:
DEVICE=eth1
TYPE=Ethernet
BOOTPROTO=none
# change the hardware address to match the hardware address your NIC uses
HWADDR=00:16:76:D6:C9:45
ONBOOT=yes
BRIDGE=br0
NM_CONTROLLED=no
USERCTL=no
SLAVE=yes
MASTER=bond0

Edit or create /etc/sysconfig/network-scripts/ifcfg-bond0:
DEVICE=bond0
ONBOOT=yes
BONDING_OPTS='mode=1 miimon=100'
BRIDGE=br0
NM_CONTROLLED=no
BOOTPROTO=none

Edit or create /etc/sysconfig/network-scripts/ifcfg-br0:
DEVICE=br0
ONBOOT=yes
TYPE=Bridge
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NM_CONTROLLED=no

Available bond mode:
balance-rr or 0
active-backup or 1
balance-xor or 2
broadcast or 3
802.3ad or 4
balance-tlb or 5
balance-alb or 6

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-networkscripts-interfaces_network-bridge.html
http://www.linux-kvm.org/page/HOWTO_BONDING#Problem_with_Bridge_.2B_Bonding