Submitted by eth00 on Mon, 11/14/2005 - 17:19
The ServerIron XL Server Load Balancer (SLB) Guide
This guide was written by John Wigle “eth00” with the help of Carlos “theuruguayan” of www.totalserversolutions.com. Please direct any questions or comments to [email protected].
This guide is not finished and I am always open to corrections or additions.
Please do not publish this guide on any public websites or forums; I would appreciate any knowledge of such postings.
I have recently had the pleasure of working with a few of the ServerIrons that ev1 deploys as load balancers within the private racks, and in the process of setting them up I noticed the lack of easy-to-read documentation.
The Foundry website is full of great information, but it takes a lot of reading and most of it is targeted at the telnet prompt and not the web interface. I have written this guide targeted at doing an initial setup of the SLB as well as some of the more advanced configuration that clients may need. If you have purchased a load balancer inside of a private rack, you will be dealing with the same hardware that this guide is targeted towards.
Submitted by eth00 on Fri, 04/22/2005 - 15:47
HELP! My server is constantly crashing!
There are a lot of things that may cause a server to crash; this guide is going to primarily look at the hardware side of crashing. There are many things that might be causing the server to crash from a software standpoint, such as a process that runs out of control or uses too many resources. There are a few things that might be going wrong with a server. Normally the component that goes wrong is the hard drive, simply because it is used so much and is a moving part. The RAM on a server will occasionally go, but this is more common when the server is moved around or the RAM moved, because it has a chance of being statically shocked. On the less common side of things you could have the CPU, power supply, ethernet card, or motherboard going out.
Submitted by eth00 on Tue, 04/19/2005 - 12:18
A recent problem with RHEL and cPanel causes some servers to crash daily or every couple of days. The normal symptom of this sort of crashing is that the server crashes at the same time every time that it crashes. If you are having these problems I would suggest that you go ahead and just disable auditd for now, since the system can run fine without it and it seems to be causing a lot of trouble for some people. The below has worked fine for me on hundreds of servers and should not cause any issues.
Submitted by eth00 on Thu, 04/07/2005 - 12:07
The below has been known to fix most cPanel mail issues. They can range from spamd failed messages to exim just flat out not working at all.
/scripts/perlinstaller Digest::SHA1
/scripts/perlinstaller --force Mail::SpamAssassin
/scripts/fixspamassassinfailedupdate
/scripts/updatenow
/scripts/installspam --force
/scripts/exim4 --force
/etc/rc.d/init.d/exim restart
/scripts/restartsrv spamd
/etc/rc.d/init.d/chkservd restart
Submitted by eth00 on Sat, 04/02/2005 - 21:22
This guide was designed for PSFservers using CentOS 3.4 but it will work fine for just about any server install of CentOS or RHEL.
This guide is going to be using a text mode install simply because it is the
most compatible. Note that in doing so the mouse is not going to work! Simply
use the tab and arrow keys to move. The install itself is pretty simple but
if you have any problems please email me or post them below.
Submitted by eth00 on Sat, 04/02/2005 - 21:21
No security system is perfect and it is always good to have some form of intrusion detection so that you can be notified in case somebody does get in. Do not immediately get worried if you get a positive in an email; many of them are false and come from upgrades. I would first suggest running "rkhunter -c" from ssh and looking at the errors. If it is a few bad binaries you should check to see what was updated recently. If you have a rootkit detected you should start to worry because it is very uncommon for a false positive on a rootkit or trojan.
Submitted by eth00 on Sat, 04/02/2005 - 21:20
A firewall is a very good idea for a server. Though many people think that a firewall is instant protection that will do everything, it really is not. A firewall will help prevent some things but it is not going to stop everything. It is just one piece of the security network that is being woven. I recommend advanced protection firewall (APF) by rfxnetworks. APF will block unused outgoing and incoming ports. It can also be configured to use information from some block lists. The below port list will work for cPanel. For the other control panels you will need to add in the administration ports.
Submitted by eth00 on Sat, 04/02/2005 - 19:48
Install HotSaNIC
HotSaNIC is a very nice tool which combines all sorts of very important system
graphs into a simple and easy to understand webpage. It allows the admin to
take a quick glance at the graphs to see what may or may not be working with
the system. With the new APPS graph it is also possible to watch as more processes
are started which can be helpful in tracking down why the server load is increasing.
For instance if you see a huge load spike but you see that the number of exim
processes has gone up significantly at the same time you can start to investigate.
I built this guide on a cPanel server but it will work fine on an Ensim box
as well. I don't recall the Plesk mailserver off the top of my head but changing
that small part will make it work fine on Plesk.
A HUGE THANKS TO FOGGY!! Much of this guide has been copied from the original
posted here: http://forums.ev1servers.net/showthread.php?p=70160 .
I have cleaned it up a little and updated it for the latest version of hotsanic.
Submitted by eth00 on Sat, 04/02/2005 - 19:37
Though a newcomer in the server management and server administration field, Total
Server Solutions (TSS) has been around for a few months and has proven
itself. I formed TSS with 3 other friends back in January and since then we have
been very successful in keeping our current clients and adding more. If you
would like your server secured, monitored 24/7 or even just checked out by
TSS, stop by the website and put in a ticket. We strive hard to work with all
of our clients on a personal level, providing the best support possible. We will always give you a straight answer.
I have provided a lot of what we do free on this website in an effort to give
back to the same community that has given me so much. Please support me by
using TSS if you need somebody else to work with you for server administration.
Thanks for visiting eth0.us and I hope you find everything that you need!
Submitted by eth00 on Sat, 04/02/2005 - 19:14
HELP! My server is under a DDOS attack!
Submitted by eth00 on Sat, 04/02/2005 - 19:14
Server overloading
HELP! My server is having load problems!
OK, first of all, this guide is not going to be entirely comprehensive on everything you need to do towards optimizing a server and figuring out what is causing the server to overload. The guides in my HELP! series are not meant to replace a professional, only to give you a general idea of what you can do. After reading this, do not conclude that there is nothing you can do; it may be that you simply have to hire somebody to take a look at it. It is very hard to write down every single thing that might be wrong, and sometimes it just takes a lot of experience to see what is wrong.
The first thing to do is determine what bottleneck is slowing your system down. There are many things that can cause the load on a server to run out of control, but the main ones are CPU limitations, memory (RAM), or I/O of your disks. Typically people will look at the "uptime" of their server to get a general idea of whether a load problem is causing issues with the server. In general a load of ~1 for each CPU is reasonable; if you have 2 CPUs with hyperthreading, Linux will see them as 4, which means your load can be around 4 without any major problems. That being said, it is very possible that your server handles even double what the uptime load shows without any problems. The load from uptime has a lot of factors that go into it, and if you are interested in finding out more I would suggest looking on Google. In writing this guide I am assuming that your server is optimized, so if I say you are running low on RAM you probably need to optimize it some more or get more RAM for it.
Submitted by eth00 on Sat, 04/02/2005 - 18:53
How-To: Compile a monolithic 2.6.9 kernel with grsecurity
This guide is superseded by the 2.6.10 + grsec kernel. It is no longer going to be updated.
This guide was designed for the ev1-configured PowerEdge servers. I have tested it on the 2.0 and 2.4 GHz Xeons, and 2.0 GHz Celeron. It should also work fine with the P4 2.0 GHz + but I have personally not tested one yet. I do not have any plans to test this kernel on any older systems, though as long as the network card support is built in it will probably work. I started this as a project to increase the performance and security of my servers. The 2.6.x kernel has many improvements that have dramatically dropped the load on the servers I have tested this on so far. In addition to that, the kernel does not support loadable modules (the definition of monolithic), which removes one avenue for possible vulnerabilities and is also more efficient. Though there are no studies directly linking grsecurity to increased security, it only adds additional security to your system with very few negative drawbacks. I think that it is worth the extra time to configure in grsecurity on the chance that it may block a possible cracker.
Submitted by eth00 on Sat, 04/02/2005 - 18:53
How-To: Compile a 2.6.9 Kernel
This guide is to be used completely at your own risk! It was designed with an ev1 dual Xeon hardware configuration in mind but will also work on some of the P4 models. I am not going to try and support every possible hardware combination. I started this because I wanted a kernel for my own use but decided to share my work. Upgrading a kernel from rpm is easy, and doing it as I have below is pretty easy as I have already done much of the hard configuration work. I was able to use the following guide on multiple servers with no problem and I know that it works. The key that makes this much easier is that you are using the .config file I have already created, which contains all of the variables and configuration options. If you would like to view the .config file and offer any input please feel free! I have a little experience with compiling kernels but I am sure there are a few more things here and there I can remove.
Submitted by eth00 on Sat, 04/02/2005 - 18:52
How-To: Compile a monolithic 2.6.10 kernel with grsecurity and secfix patch
Note: 2.6.10 is an old version of the kernel; however, this guide will work with the latest 2.6.11.7 and grsecurity if you get those instead of the files described. If you go that route the patch described below for a specific vulnerability is not required.
This guide was designed for the ev1-configured PowerEdge servers. I have tested it on the 2.0 and 2.4 GHz Xeons, and 2.0 and 3.0 GHz Celeron. It should also work fine with the P4 2.0 GHz + but I have personally not tested one yet. I do not have any plans to test this kernel on any older systems, though as long as the network card support is built in it will probably work. If you post here with specific problems on boot I can try to add the needed modules to my config. I started this as a project to increase the performance and security of my servers. The 2.6.x kernel has many improvements that have dramatically dropped the load on the servers I have tested this on so far. In addition to that, the kernel does not support loadable modules (the definition of monolithic), which removes one avenue for possible vulnerabilities and is also more efficient. Though there are no studies directly linking grsecurity to increased security, it only adds additional security to your system with very few negative drawbacks. I think that it is worth the extra time to configure in grsecurity on the chance that it may block a possible cracker.
This kernel is patched against the following vulnerability: http://www.isec.pl/vulnerabilities/isec-0021-uselib.txt. This is the root level exploit that was released January 7th. It is *HIGHLY* suggested that you upgrade ASAP. This particular exploit along with a worm much like the phpBB worm could be disastrous, yielding full root access.
Updated Feb 6th for instructions on updating grub
Updated Feb 2nd for rpm problems with RH9
Submitted by eth00 on Sat, 04/02/2005 - 18:52
Grsecurity is a set of patches and options that works to help increase the
security of a server at the kernel level. Here is a very basic guide of how
to download it and patch your kernel. This guide is meant to be used alongside
my generic 2.6.10 kernel guide if
you are not familiar with the process of compiling a kernel. This guide can also be adapted to the latest 2.6.11.7 kernel and grsecurity version just fine.
Submitted by eth00 on Sat, 04/02/2005 - 18:47
How-To: Compile and configure a 2.6.10 kernel
Note: 2.6.10 is an old version of the kernel; however, this guide will work with the latest 2.6.11.7 and grsecurity if you get those instead of the files described. If you go that route the patch described below for a specific vulnerability is not required.
My previous guides use a very specific config file that only works for a few different servers. This guide is meant to be a lot more generic and should work on more servers. I have taken the default config from a Red Hat 2.4 kernel and kept all the driver configuration. I have removed the extra support such as USB and sound that are not needed on a server. I also explain how to remove some of the drivers that are not necessary, such as SCSI/IDE support, depending on what type of drives you have. If you do not want to deal with the menuconfig you can simply compile it and not configure it. I hope that this guide will help alleviate some of the problems with segfaulting that some of the configurations have. If you would like to compile in grsecurity please follow my 2.6.10 grsecurity guide.
This guide has taken me a long time to create. If you have used it, please consider donating :) With that being said, good luck with compiling your new kernel.
Submitted by eth00 on Sat, 04/02/2005 - 18:44
How-To secure cPanel
*********************WARNING********************
This guide is no longer going to be updated as it is too large and complex to maintain. Instead all of the other guides on the right will continue to be updated. I am going to leave it up just because some people still look at it for a general idea of what to do with a new server. I would suggest that you not actually follow these directions as the versions may be old.
First and foremost I want to say that this is not going to make your server 100% cracker proof; there is always a possibility that somebody will find a way in. I have listed a lot of things you can do to protect your server and that will help you secure it. While securing your server you have to find a middle ground between what is secure and what restricts your clients or websites. You can easily make your server 100% secure from remote attacks by unplugging the ethernet cable, but chances are you will not get much good out of it. This is not a complete guide and I will update it when I find time or it needs it. Overall it is a very good start and it is probably more than most servers have.
If you have any problems with the guide please post them and I will try and help/update the guide. I have not included everything you can do but it is a very good start. If you need somebody to secure your server please feel free to private message or email me.
Submitted by eth00 on Sat, 04/02/2005 - 18:25
I know that cPanel and plain Red Hat do not use a proprietary ssh version and this will work fine for those servers. Ensim does not use special rpms like I had posted before; they use PAM authentication, the same as cPanel does. I believe this guide should work with Plesk (there is no reason it should not) but I have not personally tried, so if you do please post! As always I take no responsibility if this guide screws up your server; it worked fine for me!
Updated 7/17 for the latest version of openssh. Thanks goes to DXtremz for pointing out the compiling error with openssh and then even providing the fix! :)
As a first step we will enable telnet so that if something screws up you can still access the server:
-----command-----
pico -w /etc/xinetd.d/telnet
-----command-----
Submitted by eth00 on Sat, 04/02/2005 - 18:25
The purpose of sysctl hardening is to help prevent spoofing and DoS attacks. This short guide will show what I have found to be a good configuration for the sysctl.conf configuration file. The most important of the variables listed below is the enabling of SYN cookie protection. Only add the bottom two settings if you do not want your server to respond to ICMP echo, commonly referred to as ICMP ping or just ping requests.
NOTICE: Make sure that eth0 is your primary interface; if it is not, replace eth0 with eth1 in the code below.
-----command-----
pico -w /etc/sysctl.conf
-----command-----
Now paste the following into the file, you can overwrite the current information.
Submitted by eth00 on Sat, 04/02/2005 - 18:24
Securing temp directories
How-To: Secure your temp directories
Every system needs temporary folders that any user is able to read and write
BUT these directories should not be able to execute programs or scripts. Though
this will only protect you from somebody running the script directly it will
help with a large portion of the automated rootkits and trojans that script
kiddies use. They will still be able to put the files on the system but they
will be unable to execute them and create the back door. One of the biggest
problems is php injection via apache in which people will have apache download
and then run an exploit. Securing the temp directories is probably the single
biggest thing you can do towards securing your server.