
Install go in centos7

To install Go on CentOS 7 follow the next instructions (go1.6.2 is the release used here; substitute the one you need). Do not pass --no-check-certificate to wget: it disables TLS certificate validation, so anyone on the network path could hand you a tampered toolchain. Compare the tarball's SHA256 with the checksum published on the Go downloads page before unpacking it.

cd /tmp
wget https://storage.googleapis.com/golang/go1.6.2.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.6.2.linux-amd64.tar.gz
ln -s /usr/local/go/bin/go /usr/bin/go
ln -s /usr/local/go/bin/godoc /usr/bin/godoc
ln -s /usr/local/go/bin/gofmt /usr/bin/gofmt
go version


find the name of ethernet interface in ansible

Use the fact ansible_default_ipv4.interface, which holds the interface that carries the default IPv4 route. It is only available when facts are gathered, so do not set gather_facts: false on the play.

tasks:
- name: "set the fact for the name of the default ethernet interface"
  set_fact: eth_name={{ansible_default_ipv4.interface}}
- debug: var=eth_name


Install Ansible in CentOS 7 from source

This is the process to install Ansible on CentOS 7 from source: it builds an RPM for Ansible and installs it.

Run the following as root.

  • install EPEL repository

    yum install epel-release
  • Install some necessary packages
    yum install gcc python python-devel libevent-devel python-setuptools

    yum install PyYAML libyaml python-crypto2.6 python-httplib2 python-keyczar python-pyasn1 python-simplejson python-jinja2 python-paramiko python-six sshpass asciidoc

    yum install make python2-devel rpm-build

    yum install git

  • Clone the code

    git clone https://github.com/ansible/ansible.git --recursive

    (clone over https: the git:// protocol is unauthenticated, and GitHub no longer serves it)
  • Create the RPM and install it

    cd ./ansible
    make rpm
    rpm -Uvh ./rpm-build/ansible-*.noarch.rpm

If you want to manage Docker containers with Ansible you need the Python client for the Docker API (docker-py), which you can install with the next commands:

yum install python-pip
pip install docker-py

If the module is already installed you may want to update it:

pip install docker-py --upgrade

If you want to manage AWS resources with Ansible you need to install:

* AWS Command Line Interface

curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
unzip awscli-bundle.zip
sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws

* Python interface to Amazon Web Services (BOTO)

yum install python-pip
pip install boto


Install Ansible from source in CentOS 6

It has been tested on CentOS 6.5 / 6.6

  • Install the EPEL repository (run the yum and rpm commands below as root)

    wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
    rpm -ivh epel-release-6-8.noarch.rpm
  • Install some necessary packages
    yum install gcc python python-devel libevent-devel python-setuptools

    yum install PyYAML libyaml python-crypto2.6 python-httplib2 python-keyczar python-pyasn1 python-simplejson python-jinja2 python-paramiko python-six sshpass asciidoc

    yum install make python2-devel rpm-build

    yum install git

  • Clone the code (over https: the git:// protocol is unauthenticated, and GitHub no longer serves it)

    git clone https://github.com/ansible/ansible.git --recursive
  • Create the RPM and install it

    cd ./ansible
    make rpm
    sudo rpm -Uvh ./rpm-build/ansible-*.noarch.rpm

If you want to manage Docker containers with Ansible you need the Python client for the Docker API (docker-py), which you can install with the next commands:

yum install python-pip
pip install docker-py

If the module is already installed you may want to update it:

pip install docker-py --upgrade


Install Docker in CentOS 6.6

You need to install the EPEL repository first and then install Docker; be aware that in EPEL 6 the Docker package is called docker-io.


sudo yum install epel-release.noarch
sudo yum install docker-io


Block IP addresses by country using iptables in CentOS

You can block or allow access to your server by country; this is another layer of security you can add to your services. For example, if you have to allow access to the ssh port from any IP and you know that everyone who uses ssh to this server is in Ireland, you can block ssh from every country except Ireland and cut out a large share of the opportunistic attacks. Keep in mind that it is a coarse filter (an attacker with a host in Ireland is not stopped, and the country database is never perfectly accurate), so it complements, rather than replaces, the hardening of the service itself.

Below are the steps to implement server access control by country on CentOS/Red Hat servers:

Environment : CentOS 6.5 / 6.6 minimum install

  • Install the packages the build needs:

    yum install gcc gcc-c++ make automake unzip zip xz

  • Install the kernel-devel matching the kernel of your system

    To check your kernel version:

    uname -r

    To install the kernel-devel package:

    yum install kernel-devel

    When kernel-devel is installed, yum shows the version it picked; in my case it was newer than the kernel the system was running. From experience it was easier to upgrade the kernel than to hunt for the kernel-devel package matching my kernel, and the two must match, since the module you build below only loads on the kernel it was built against.

    In another post I will explain how to upgrade the kernel of your server.

  • Now, because of a bug explained in the post xtables-addons-error, you need to do the next steps:

    In my case I have kernel-devel version 2.6.32-504.16.2.el6 (and the kernel of the same version); if you installed another version, adjust the path of the file autoconf.h accordingly.

    vi /usr/src/kernels/2.6.32-504.16.2.el6.x86_64/include/linux/autoconf.h

    Comment out this line:
    #define CONFIG_IP6_NF_IPTABLES_MODULE 1
    by changing it to:
    /*#define CONFIG_IP6_NF_IPTABLES_MODULE 1*/

  • Install xtables:
    The xtables headers are included in iptables-devel, so we install iptables-devel:

    yum install iptables-devel
  • Download and build xtables-addons-1.47.1 (xtables-addons-1.47.1.tar.xz):

    tar -xvf xtables-addons-1.47.1.tar.xz
    cd xtables-addons-1.47.1
    ./configure
    make
    make install
  • Now we have to install GeoIP-devel and GeoIP, available in the EPEL repository:

    yum install epel-release.noarch
    yum install GeoIP-devel GeoIP
  • Now install perl-Text-CSV_XS.x86_64. Keep it up, just a few more steps!

    yum install perl-Text-CSV_XS.x86_64

    Now follow the next steps:

    mkdir /usr/share/xt_geoip

    Search for the location of xt_geoip_dl on your server:

    sudo find / -name xt_geoip_dl -print

    Go to that directory and run the next three commands:


    cd /usr/local/libexec/xtables-addons/
    ./xt_geoip_dl
    ./xt_geoip_build -D /usr/share/xt_geoip *.csv

    xt_geoip_dl downloads the country database from the Internet and xt_geoip_build turns the CSV into the binary files the module reads from /usr/share/xt_geoip. Address ranges are reassigned between countries over time, so schedule these two commands to run periodically: rules built from a stale database misclassify traffic.

    We are done, great!

    Some examples:

    Allow access to the ssh port only from France and Ireland:

    iptables -I INPUT -p tcp --dport 22 -m geoip ! --src-cc FR,IE -j DROP

    Block all traffic from the country with code XX:

    iptables -I INPUT -m geoip --src-cc XX -j DROP

    Two things to keep in mind. First, -I inserts the rule at the top of the INPUT chain, ahead of anything already there, and a negated match (! --src-cc) also matches source addresses the database has no country for, such as private LAN or VPN ranges; so put a rule accepting your own management networks before it and keep a working session open while you test. Second, these are iptables (IPv4) rules: if the server is reachable over IPv6 it needs equivalent ip6tables rules, otherwise the country filter is simply bypassed.
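As an added example (not part of the original post, and not xt_geoip's own code), here is a small Python model of how these two rules decide. It uses a constructed country table in the start,end,country shape that xt_geoip_build consumes, filled with documentation address ranges rather than real GeoIP data, and it assumes an INPUT chain whose policy is ACCEPT. The point it shows is the negated match: ! --src-cc FR,IE also matches an address the database has no country for, so a management LAN or VPN range is dropped unless an earlier rule accepts it.

```python
import bisect
import csv
import io
import ipaddress

# Constructed sample in the shape xt_geoip_build reads (start, end, country code).
# These are RFC 5737 documentation ranges, NOT real GeoIP data.
SAMPLE_CSV = """\
"203.0.113.0","203.0.113.255","FR"
"198.51.100.0","198.51.100.127","IE"
"198.51.100.128","198.51.100.255","US"
"192.0.2.0","192.0.2.255","XX"
"""


class GeoTable:
    """Country lookup over sorted, non-overlapping IPv4 ranges (binary search on range start)."""

    def __init__(self, csv_text):
        rows = []
        for start, end, cc in csv.reader(io.StringIO(csv_text)):
            rows.append((int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end)), cc))
        self.rows = sorted(rows)
        self.starts = [r[0] for r in self.rows]

    def lookup(self, ip):
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and self.rows[i][0] <= n <= self.rows[i][1]:
            return self.rows[i][2]
        return None  # not in the database: private, unallocated or stale data


# Matchers mirror iptables match options; each returns True when the rule matches.
def src_in(cidr):                       # -s 10.0.0.0/8
    net = ipaddress.ip_network(cidr)
    return lambda table, ip: ipaddress.ip_address(ip) in net


def geoip_src_cc(codes, invert=False):  # -m geoip [!] --src-cc A,B
    def match(table, ip):
        hit = table.lookup(ip) in codes
        return (not hit) if invert else hit  # '!' also matches addresses with NO country
    return match


def evaluate(table, rules, ip, policy="ACCEPT"):
    """First-match walk over (matcher, target) pairs, like a packet through an INPUT
    chain whose policy is ACCEPT (assumption for the demo; -I puts these rules on top)."""
    for matcher, target in rules:
        if matcher(table, ip):
            return target
    return policy


# iptables -I INPUT -p tcp --dport 22 -m geoip ! --src-cc FR,IE -j DROP
SSH_GEO_ONLY = [(geoip_src_cc({"FR", "IE"}, invert=True), "DROP")]
# The same rule with a management network accepted by an earlier rule, so an address
# the database does not know (your own LAN or VPN) cannot lock you out of ssh.
SSH_GEO_WITH_MGMT = [(src_in("10.0.0.0/8"), "ACCEPT")] + SSH_GEO_ONLY
# iptables -I INPUT -m geoip --src-cc XX -j DROP
BLOCK_XX = [(geoip_src_cc({"XX"}), "DROP")]

if __name__ == "__main__":
    table = GeoTable(SAMPLE_CSV)
    for ip in ("203.0.113.10", "198.51.100.200", "10.0.0.5"):
        print(ip, table.lookup(ip),
              "geo-only:", evaluate(table, SSH_GEO_ONLY, ip),
              "with mgmt rule:", evaluate(table, SSH_GEO_WITH_MGMT, ip))
```

Run it and the 10.0.0.5 line is the one to look at: the geo-only rule set drops it, the rule set with the management network accepted first lets it through.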


Secure your website forms with fail2ban

So you woke up this morning and found a lot of spam being sent to your website forms even though you have some kind of basic Captcha protection: spammers are hammering your forms in the hope of relaying spam e-mail through your website.

To add another layer of security to your website you can use fail2ban to detect unusual form-post behaviour; for example, too many POSTs to your contact form from the same address in a short period of time is most probably a spamming attempt.

On one of my websites I had a lot of POSTs with spam content to a feedback form URL, so I use fail2ban to fully block IPs with suspicious activity. Once you have fail2ban installed you need to do 2 steps:

P.S.: This was done with Fail2Ban v0.9.1 on CentOS 6.

Step 1:
Create a filter to detect the POST actions of your form; in my case the POST action of the form targets 2 URLs depending on the language:

/en/feedback/process_new_feedback
/fr/feedback/process_new_feedback

The filter lives in /etc/fail2ban/filter.d/ with a .conf extension (here feedback-post.conf, so that the jail below can refer to it as filter = feedback-post) and has the next content:

[Definition]
failregex = ^<HOST> -.*"POST .*?feedback/process_new_feedback
ignoreregex =

<HOST> is the placeholder that fail2ban replaces with its client-address pattern; it is mandatory, because that capture is how fail2ban learns which IP to ban, and it sits at the start of the line because nginx's default log format begins every line with the client address. The .*? is a non-greedy match, so the filter applies to the POST independently of the language part of the URL (/en/ or /fr/), and anchoring on "POST keeps GETs of the form page from counting.

Step 2
Create the jail rule in /etc/fail2ban/jail.local (append the new rule to the end of the file; jail.local overrides jail.conf, which package upgrades overwrite).
The jail rule is where you specify when to block an IP address and for how long.

[feedback-post]
enabled = true
filter = feedback-post
logpath = /var/log/nginx/nbc_pro_access.log
findtime = 50
bantime = 3600
maxretry = 7
banaction = iptables-allports

With these values, if the same IP address POSTs to the form 7 times within 50 seconds, the address is banned for 3600 seconds, and because of banaction = iptables-allports the ban covers every port, not just the web server. Replay the filter against your real access log before enabling the jail so that legitimate users are not caught: a human rarely submits a form seven times in under a minute, but a proxy or NAT gateway shared by many users might.
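Added example, not from the original post or from fail2ban itself: a Python replay of the filter and jail above over constructed nginx access-log lines. It expands <HOST> to an IPv4-only pattern (an assumption; fail2ban's own pattern also covers IPv6 and hostnames) and applies the findtime/maxretry counting, so you can see which addresses the jail would ban before switching it on. The addresses and timestamps in the sample log are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# fail2ban expands <HOST> to a pattern for the client address; an IPv4-only
# stand-in is used here (assumption: IPv6 clients are out of scope for this demo).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The failregex from the filter above with <HOST> expanded; .*? keeps it language-independent.
FAILREGEX = re.compile(r'^' + HOST + r' -.*"POST .*?feedback/process_new_feedback')
# Timestamp of the nginx "combined" log format: [10/Mar/2016:09:15:00 +0000]
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def line_time(line):
    """Parse the request time of one combined-format log line (assumed present)."""
    return datetime.strptime(TIMESTAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def find_bans(lines, findtime=50, maxretry=7):
    """Replay log lines through the jail's counting rule: an IP is banned the moment it has
    maxretry failregex matches whose timestamps all fall within findtime seconds.
    Returns {ip: time of the match that triggered the ban}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)  # ip -> timestamps of matches still inside the window
    banned = {}
    for line in sorted(lines, key=line_time):
        m = FAILREGEX.match(line)
        if not m or m.group("host") in banned:
            continue
        ip, ts = m.group("host"), line_time(line)
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned


def _line(ip, ts, method, path):
    """Build a constructed nginx access-log line in the combined format."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


START = datetime(2016, 3, 10, 9, 15, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # spammer: 7 POSTs in 30 seconds, alternating the /en and /fr variants of the URL
    [_line("203.0.113.5", START + timedelta(seconds=5 * i), "POST",
           ("/en" if i % 2 == 0 else "/fr") + "/feedback/process_new_feedback")
     for i in range(7)]
    # chatty but legitimate client: 7 POSTs spread over 9 minutes
    + [_line("198.51.100.9", START + timedelta(seconds=90 * i), "POST",
             "/en/feedback/process_new_feedback") for i in range(7)]
    # a GET of the form page never matches the filter
    + [_line("192.0.2.7", START, "GET", "/en/feedback/new")]
)

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when.isoformat()}")
```

Only 203.0.113.5 is banned with the jail's values; raising findtime to 600 seconds would also catch the slow client, which is the kind of false positive the replay is meant to surface before the jail goes live.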


Install Symantec certificate in AWS Elastic Load Balancer

After ordering your web server certificate from Symantec you will receive 3 files; below you can see an example of the three files received:

Intermediate certificate: Symantec_Class_3_Secure_Server_CA_-_G4.cer

Root Certificate:  VeriSign_Class_3_Public_Primary_Certification_Authority_G5.cer

Server Certificate: server.example.com.cer

To install the certificate in the Amazon Web Services Elastic Load Balancer you have to fill in the following fields.

The certificates must be supplied in PEM format; you normally do not have to convert the .cer files, because they are usually already PEM encoded under another extension:

 .cert, .cer and .crt are .pem (or rarely .der) formatted files with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.

A PEM file is text and starts with the line -----BEGIN CERTIFICATE-----; if a file is binary instead, it is DER and must be converted before it can be pasted into the form.

The fields to fill in the AWS ELB new certificate form are:

Private key: the private key you used to generate the CSR (Certificate Signing Request) you sent to Symantec. It is the only secret among the three values, so keep it off e-mail and shared folders.

Public Key Certificate: the contents of server.example.com.cer in the above example.

Certificate Chain: the intermediate certificate followed by the root certificate. Create a file with the contents of the intermediate certificate first and the root certificate after it (top to bottom) and paste that file's contents into the Certificate Chain field. The order matters: each certificate in the chain must be the issuer of the one before it, so the chain starts with the intermediate that signed your server certificate and ends with the root.

For example in bash, for the example files mentioned above, you can do:

cat Symantec_Class_3_Secure_Server_CA_-_G4.cer VeriSign_Class_3_Public_Primary_Certification_Authority_G5.cer > chain_file.pem
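Added example, not from the original post or from AWS: a stdlib-only Python check of the chain's order before you paste it into the form. It walks each certificate's DER just far enough to read the issuer and subject names and confirms that every certificate is issued by the one after it and that the chain ends in a self-issued root. The certificates it runs on are constructed skeletons with the X.509 layout but no real key or signature, standing in for the Symantec files named above; the names Example Root CA, Example Secure Server CA and server.example.com are assumptions. Point pem_blocks at your real .cer files and the same check applies to them.

```python
import base64


# --- minimal DER helpers (stdlib only) ---------------------------------------
def der(tag, body):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def issuer_and_subject(der_cert):
    """Walk Certificate -> tbsCertificate -> [version] serial sigAlg issuer validity subject
    and return the raw DER of the issuer and subject Names (works on real certificates too)."""
    _, cert, _ = read_tlv(der_cert, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, pos = read_tlv(tbs, 0)        # [0] EXPLICIT version, or serialNumber if absent
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)    # serialNumber
    _, _, pos = read_tlv(tbs, pos)        # signature AlgorithmIdentifier
    _, issuer, pos = read_tlv(tbs, pos)
    _, _, pos = read_tlv(tbs, pos)        # validity
    _, subject, _ = read_tlv(tbs, pos)
    return issuer, subject


# --- PEM handling --------------------------------------------------------------
def pem_blocks(text):
    """Split (possibly concatenated) PEM text into DER certificates, in file order."""
    certs, buf, inside = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside, buf = True, []
        elif line == "-----END CERTIFICATE-----":
            certs.append(base64.b64decode("".join(buf)))
            inside = False
        elif inside:
            buf.append(line)
    return certs


def to_pem(der_cert):
    b64 = base64.b64encode(der_cert).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def build_chain(*pems):
    """Certificate Chain field: intermediate(s) first, root last (what cat does above)."""
    return "".join(pems)


def check_chain(server_pem, chain_pem):
    """Return the problems found (empty list = good): the server field holds one certificate,
    every certificate is issued by the next one, and the chain ends in a self-issued root.
    Only issuer/subject linkage is compared (assumption: enough to catch a wrong order or a
    missing certificate); signatures and validity periods are not verified here."""
    problems = []
    server = pem_blocks(server_pem)
    if len(server) != 1:
        problems.append("server certificate field must contain exactly one certificate")
    names = [issuer_and_subject(c) for c in server + pem_blocks(chain_pem)]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    if names and names[-1][0] != names[-1][1]:
        problems.append("last certificate in the chain is not self-issued (root missing?)")
    return problems


# --- constructed sample certificates: real X.509 layout, empty key, dummy signature;
# --- NOT the Symantec/VeriSign certificates named above --------------------------
def _name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (OID 2.5.4.3)
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))))


def make_cert(subject_cn, issuer_cn):
    sha256_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    validity = der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"170101000000Z"))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
           + _name(issuer_cn) + validity + _name(subject_cn) + der(0x30, b""))
    return der(0x30, der(0x30, tbs) + sha256_rsa + der(0x03, b"\x00"))


ROOT = to_pem(make_cert("Example Root CA", "Example Root CA"))
INTERMEDIATE = to_pem(make_cert("Example Secure Server CA", "Example Root CA"))
SERVER = to_pem(make_cert("server.example.com", "Example Secure Server CA"))

if __name__ == "__main__":
    print("intermediate then root:", check_chain(SERVER, build_chain(INTERMEDIATE, ROOT)))
    print("root then intermediate:", check_chain(SERVER, build_chain(ROOT, INTERMEDIATE)))
```

The first call reports no problems; the second, with the two chain files concatenated in the wrong order, reports a break at every link, which is what the load balancer would silently serve to clients if you pasted it.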