Montag, 31. März 2014

AWS Amazon webservices

Last week i took a short look on the AWS cloud system, basically because there was a free 12 month offer (750 hours a month). There are just a few types supported by this offer, so i created a "micro" machine.

You can choose between different operating systems, such as RedHat , Centos an one of amazones own distribution (Amazon Linux AMI 2013.09.2), which basically is another "fork" of RedHat/Centos.

So starting with documentation, i always like documentation and there are some really good whitepapers around, you can find them here. I guess you also should take a look at the overview whitepaper which is here.
Amazon pushed a lot of services into their cloud, like many different databases (mongoDB, DynamoDB, MySQL) and load balancers. The system is full scalable, so there is no need to buy a huge infrastructure, you can scale it to your needs. The paying is based on the amount of resources you need.

Currently there are two promos running

  • one promo where amazon and Intel are giving you 600 hrs compute time
  • and a basic 720hrs and 12 months free usage here

AWS comes around with some really nice features, for example security, so when you create anew instance you _must_ create a public key to login, and be sure to save it you cant access it twice.

Lets talk about Amazon Linux AMI

  • kernel 3.4.73-64.112.amzn1.x86_64
  • you can use yum 
  • nginx is available in 1.4.3 release 1.14.amzn1
  • mysql in version 5.5.34
As it seems selinux is available but not installed by default. I dont know if this is good or bad. You can use the micro instance within the 720hrs free offer.


So lets try it!
Enjoy!

Donnerstag, 27. März 2014

Vyatta Cluster

Have you ever tried vyatta?

Vyatta is an open source network operating system providing advanced IPv4 and IPv6 routing, stateful firewalling, IPSec and SSL OpenVPN, and more.

So basically its the software you want when it comes down to run your own core router or firewall. The configuration style is pretty close to JUNIPER. It has a creat structure and a very good autocomplete. There are two versions available an opensource and free to use one, and of course an enterprise version.

Now lets assume that you have your two machines installed, the installation is quite easy, you can run it from cd. login via user: "vyatta" and password: "vyatta" and type

install image

there is a short text interface which asks you some questions. Right after that you can reboot the system and enjoy the basics. Lets start with configuring the network.
ets say that our tw machines wil run with the ip 192.168.123.3 and  192.168.123.4 and we want to have 192.168.123.2 on both machines as an failover address between these two machines. Currently we dont think about what service will use this address as it could be everything from ipsec to outside NAT.

set interfaces ethernet eth0 address <x.x.x.x/x>

is the command you use to set these addresses.
Now we setup an vyatta cluster via (!the numbers in braces are just for my documentation!)

set cluster group myfirstcluster (1)
set cluster group myfirstcluster primary 'first-router' (2)
set cluster group myfirstcluster secondary 'second router' (3)
set cluster group myfirstcluster service '192.168.123.2/24/eth0' (4)
set cluster group myfirstcluster monitor '192.168.2.1'(5)
set cluster interface 'eth0'(6)
set cluster keepalive-interval '2000' (6)
set cluster dead-interval '10000'(7)
set cluster pre-shared-secret '!somesecret!'(8)


So what do we do in here?
In (1) we just name our cluster so the instance will be "myfirstcluster". 
In (2) and (3) we definde the primary and secondary system, please set them to the name you have given to your systems. 
In (4) we set the service IP, so here we say that we want to have the ip 192.168.123.2/24 on interface eth0 be the ip for the cluster instance.
(5) is just to add an monitor to the system. Wehenever one node cant connect to the other node it will check if the monitor is available, if not the node will not obtain the service ip as it seems that the machine itself has a problem. You can add as many nodes as you want to.
In (6) we definde the keepalive interval, so in which interval are keepalive pakets sended here it is set to 2000ms.
(7) the deadinterval, how many ms do we wait before we asume the node to be death.
And (8) of course we need a pass, as we dont want an other node to shutdown our system.

Basically you do this on both machines.

No something very useful. As vyatta is just an debian, you can always use "sudo -i" to be root and tcpdump or something like that. When being root you can also perform failovers by hand, you will find the scripts at:
  •  /usr/share/heartbeat/
    • hb_standby - will set the node into standby mode
    • hb_takeover - will let the node be master again

Dienstag, 25. März 2014

'Fedora Security Lab' - Spin

While looking around i found a very nice spin which is worth talking about. "Fedora Security Lab"

The fedora security lab combines all software you need for forensic or security testing in one fedora spin.
The Fedora Security Lab provides a safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies in universities and other organizations.
The spin is maintained by a community of security testers and developers. It comes with the clean and fast Xfce Desktop Environment and a customized menu that provides all the instruments needed to follow a proper test path for security testing or to rescue a broken system. The Live image has been crafted to make it possible to install software while running, and if you are running it from a USB stick created with LiveUSB Creator using the overlay feature, you can install and update software and save your test results permanently.
I tested it during the last days, and it really looks good, there really just a few improvements i would like to see. But i guess i can help that :-)

Currently the spin uses XFCE and works quite nice with 1200 MB RAM (i installed it in virtualbox). The software is located in an own subfolder. If you select a package the console open and will display the "-h" output. So you can easily start to use the software.

As i would like to support the spin, i currently think about an documentation system, in basic an man2html output of the packages, so you can pick you toll of choice via browser and have an "handout" of the config.

In my opinion fedora Security Lab is a great tool for forensics and security testing issues. You can run from LiveCD or USB stick and perform tests on potential infected systems.

Some software you may want to use is

  • rkhunter - a tool which is looking for root kits on your system
  • nmap - of course the ultimate port scanner tool :-)
and many many more

Enjoy!

Mittwoch, 19. März 2014

Fedora on Raspberry PI (Pidora)

After quite a long time i finally bought an Raspberry Pi Model B. Many people i know use them for months (or a year) now, and we already use them at the company where we dont need a huge machine.

As i would like ferdora to run on it, let me introduce you to Pidora.
Its an fedora remix to run on Raspberry and  currently version Fedora 18 is available.

The installation (which is currently ongoing) seems to be quite and easy. Lets take a look of the steps you need to do

  1. Follow the instractions on the Fedora Raspberry side and install "fedora arm-installer 
    yum install fedora-arm-installer
  2. You can obtain the Pidora version from here
  3. Now its easy, open the installer, choose the .img file, choose the target device and press install
So, now i will connect it to my television and see what happen

[...some minuits later...]

Okay, worked, after booting (or actually powering the system) a setup menu showed up, one powercycle later the system was available.

Some things to mention:
  • sshd starts automatically
  • the network is set to dhcp
  • the firewalld is off by default
so you can start using ssh to yourvi /et box :-)

Enjoy!

Dienstag, 18. März 2014

Travelreport: Chemnitzer Linux Tage

So, this is my first conference where i am wearing a different jersey, i switched from a green one to a brand new blue one.

On Friday i started my journey. I stopped in Frankfurt for a short meeting and made my way to Chemnitz right after that (571km, 5:10 hrs). It was a nice day to it the 'autobahn' and except for 12km stop and go while leaving Frankfurt there was no interruption.

Saturday, first day of CLT, it started right at 8:30 in the morning. I was quite impressed by the amount of people visiting the CLT. As always, many people stopping by to ask questions about fedora or just to tell that they are already using Fedora and like it.
Very few people just came around to get some technical support or ask about the next features (maybe i should say Fedora.NEXT features).

As a note to myself:
  • someone should write a "Kickstart Fedora"-Book, there was a guy who asked for it and thought the documentation is just to much as a starting guide
  • I must do a feature request or "loook", which seems to be available in a new version, a friendly lady at the OpenOffice booth asked for it
Sunday, means sleeping a bit longer, as the CLT starts at 9:00 am. Mostly the same as on Saturday :-)

I drove home 4:50 hrs, and arrived on 22:15.
3 days, 1142 km across the republic, i really enjoyed it :-)

As you can easily see, we have an 3D printer :-)

Freitag, 7. März 2014

Running devstack on Fedora (Heisenbug)

Last week i played around with devstack on my home development server (actually an old Core2Duo notebook). I have tried it once on an Centos 6.5 machine, but as it seems the differ a bit, so it was not easy to get it going.

First the basics, i cloned devstack via git to my home folder
git clone https://github.com/openstack-dev/devstack.git
now, we need to create a stack user. There is a command available for this
/home/devstack/tools/create-stack-user.sh
and we need to change the ownership of the stack folder
chown -R stack:stack /home/stack
now we need to create a local.conf file. I choosed the minimal and added some lines, as the rabbitmq didnt work out on my setup i changed the used erlang server
[[local|localrc]]
ADMIN_PASSWORD=secret
DATABASE_PASSWORD=$ADMIN_PASSWORD
RABBIT_PASSWORD=$ADMIN_PASSWORD
SERVICE_PASSWORD=$ADMIN_PASSWORD
SERVICE_TOKEN=a682f596-76f3-11e3-b3b2-e716f9080d50
#FIXED_RANGE=172.31.1.0/24
#FLOATING_RANGE=192.168.20.0/25
#HOST_IP=10.3.4.5
DEST=/home/stack
LOGFILE=$DEST/logs/stack.sh.log
RECLONE=yes
disable_service rabbit
enable_service qpid

IMAGE_URLS="http://berrange.fedorapeople.org/images/2012-02-29/f16-x86_64-openstack-sda.qcow2"
right after that we run
./stack.sh local.conf
to compile it, everything went fine so far. Quite nice, devstack opens a screen with all the output which is given by the different components.
Then there was some trouble accessing the webinterface, caused by SELinux, so for a short workaround it just did a
setenforce 0
and the login side showed up.