Foundry Server Iron Server Load Balancer (SLB)

The ServerIron XL Server Load Balancer (SLB) Guide

This guide was written by John Wigle “eth00” with the help of Carlos “theuruguayan” of www.totalserversolutions.com. Please direct any questions or comments to john@totalserversolutions.com. This guide is not finished and I am always open to corrections or additions. Please do not publish this guide on any public websites or forums; I would appreciate any knowledge of such postings.

 

I have recently had the pleasure of working with a few of the ServerIrons that ev1 deploys as load balancers within the private racks, and in the process of setting them up noticed the lack of easy-to-read documentation. The Foundry website is full of great information, but it takes a lot of reading and most of it is targeted at the telnet prompt and not the web interface. I have written this guide targeted at doing an initial setup of the SLB as well as some of the more advanced configuration that clients may need. If you have purchased a load balancer inside of a private rack you will be dealing with the same hardware that this guide is targeted towards.

HELP! Server Crashing

HELP! My server is constantly crashing!

There are a lot of things that may cause a server to crash; this guide is going to look primarily at the hardware side of crashing. There are many things that might be causing the server to crash from a software standpoint, such as a process that runs out of control or uses too many resources. There are a few things that might be going wrong with a server. Normally the component that goes wrong is the hard drive, simply because it is used so much and is a moving part. The RAM on a server will occasionally go, but this is more common when the server is moved around or the RAM is moved, because it has a chance of being statically shocked. On the less common side of things you could have the CPU, power supply, ethernet card, or motherboard going out.

Articles and guides:

Auditd crashing

A recent problem with RHEL and cPanel causes some servers to crash daily or every couple of days. The normal symptom of this sort of crashing is that the server crashes at the same time every time that it crashes. If you are having these problems I would suggest that you go ahead and just disable auditd for now, since the system can run fine without it and it seems to be causing a lot of trouble for some people. The below has worked fine for me on hundreds of servers and should not cause any issues.

cPanel Mail Issues

The below has been known to fix most cPanel mail issues. They can range from spamd failed messages to exim just flat out not working at all.

/scripts/perlinstaller Digest::SHA1
/scripts/perlinstaller --force Mail::SpamAssassin
/scripts/fixspamassassinfailedupdate
/scripts/updatenow
/scripts/installspam --force
/scripts/exim4 --force

/etc/rc.d/init.d/exim restart
/scripts/restartsrv spamd
/etc/rc.d/init.d/chkservd restart

Centos 3.4 install guide

This guide was designed for PSFservers using centos 3.4 but it will work fine for just about any server install of centos or RHEL.

This guide is going to be using a text mode install simply because it is the most compatible. Note that in doing so the mouse is not going to work! Simply use the tab and arrow keys to move. The install itself is pretty simple but if you have any problems please email me or post them below.

 

Rkhunter Installation

No security system is perfect and it is always good to have some form of intrusion detection, so that if somebody does get in you can be notified. Do not immediately get worried if you get a positive in an email; many of them are false and come from upgrades. I would first suggest running "rkhunter -c" from ssh and looking at the errors. If it is a few bad binaries you should check to see what was updated recently. If you have a rootkit detected you should start to worry, because it is very uncommon to get a false positive on a rootkit or trojan.

Configure APF Firewall

A firewall is a very good idea for a server. Though many people think that a firewall is instant protection that will do everything it really is not. A firewall will help prevent some things but it is not going to stop everything. It is just one piece of the security network that is being woven. I recommend advanced protection firewall (APF) by rfxnetworks. APF will block unused outgoing and incoming ports. It can also be configured to use information from some block lists. The below port list will work for cPanel. For the other control panels you will need to add in the administration ports.

HotSaNIC

Install HotSaNIC

HotSaNIC is a very nice tool which combines all sorts of very important system graphs into a simple and easy to understand webpage. It allows the admin to take a quick glance at the graphs to see what may or may not be working with the system. With the new APPS graph it is also possible to watch as more processes are started which can be helpful in tracking down why the server load is increasing. For instance if you see a huge load spike but you see that the number of exim processes has gone up significantly at the same time you can start to investigate.

I built this guide on a cPanel server but it will work fine on an Ensim box as well. I don't recall the Plesk mailserver off the top of my head, but changing that small part will make it work fine on Plesk.

A HUGE THANKS TO FOGGY!! Much of this guide has been copied from the original posted here: http://forums.ev1servers.net/showthread.php?p=70160 . I have cleaned it up a little and updated it for the latest version of hotsanic.

Total Server Solutions - TSS

Though a newcomer in the server management and server administration field, Total Server Solutions (TSS) has been around for a few months and has proven itself. I formed TSS with 3 other friends back in January and since then we have been very successful in keeping our current clients and adding more. If you would like your server secured, monitored 24/7 or even just checked out by TSS, stop by the website and put in a ticket. We strive hard to work with all of our clients on a personal level, providing the best support possible. We will always give you a straight answer.

I have provided a lot of what we do free on this website in an effort to give back to the same community that has given me so much. Please support me by using TSS if you need somebody else to work with you for server administration. Thanks for visiting eth0.us and I hope you find everything that you need!

HELP! DDOS attack

HELP! My server is under a DDOS attack!

HELP! Server overloading

HELP! My server is having load problems!

Ok, first of all, this guide is not going to be entirely comprehensive on everything you need to do towards optimizing a server and figuring out what is causing the server to overload. The guides in my HELP! series are not meant to replace a professional, only to give you a general idea of what you can do. After reading this, do not think that there is nothing you can do; it may be that you simply have to hire somebody to take a look at it. It is very hard to write down every single thing that might be wrong, and sometimes it just takes a lot of experience to see what is wrong. The first thing to do is determine what bottleneck is slowing your system down. There are many things that can cause the load on a server to run out of control, but the main ones are CPU limitations, memory (RAM), or I/O of your disks. Typically people will look at the "uptime" of their server to get a general idea of whether a load problem is causing issues with the server. In general a load of ~1 for each CPU is reasonable; if you have 2 CPUs with hyperthreading, Linux will see them as 4, which means your load can be around 4 without any major problems. That being said, it is very possible that your server handles even double what the uptime load shows without any problems. The load from uptime has a lot of factors that go into it, and if you are interested in finding out more I would suggest looking on Google. When writing this guide I am assuming that your server is optimized, so if I say you are running low on RAM you probably need to optimize it some more or get more RAM for it.

Compiling a 2.6.9 kernel + Grsecurity

How-To: Compile a monolithic 2.6.9 kernel with grsecurity




This guide is superseded by the 2.6.10 + grsec kernel. It is no longer going to be updated.




This guide was designed for the ev1 configured PowerEdge servers. I have tested it on the 2.0 and 2.4 GHz Xeons, and 2.0 GHz Celeron. It should also work fine with the P4 2.0 GHz + but I have personally not tested one yet. I do not have any plans to test this kernel on any older systems, though as long as their network card support is built in it will probably work. I started this as a project to increase the performance and security of my servers. The 2.6.x kernel has many improvements that have dramatically dropped the load on the servers I have tested this on so far. In addition to that, the kernel does not support loadable modules (the definition of monolithic), which removes one method of possible vulnerabilities as well as being more efficient. Though there are no studies directly linking grsecurity to increased security, it only adds additional security to your system with very few negative drawbacks. I think it is worth the extra time to configure in grsecurity on the chance that it may block a possible cracker.

Compiling 2.6.9 Kernel

How-To: Compile a 2.6.9 Kernel


This guide is to be used completely at your own risk! It was designed with an ev1 dual Xeon hardware configuration in mind but will also work on some of the P4 models. I am not going to try and support every possible hardware combination. I started this because I wanted a kernel for my own use but decided to share my work. Upgrading a kernel from rpm is easy, and doing it as I have below is pretty easy as I have already done much of the hard configuration work. I was able to use the following guide on multiple servers with no problem and I know that it works. The key that makes this much easier is that you are using the .config file I have already created, which contains all of the variables and configuration options. If you would like to view the .config file and offer any input please feel free! I have a little experience with compiling kernels but I am sure there are a few more things here and there I can remove.

Compiling 2.6.10 Kernel + Grsecurity

How-To: Compile a monolithic 2.6.10 kernel with grsecurity and secfix patch



Note: 2.6.10 is an old version of the kernel; however, this guide will work with the latest 2.6.11.7 and grsecurity if you get those instead of the files described. If you go that route the patch described below for a specific vulnerability is not required.


This guide was designed for the ev1 configured PowerEdge servers. I have tested it on the 2.0 and 2.4 GHz Xeons, and 2.0 and 3.0 GHz Celeron. It should also work fine with the P4 2.0 GHz + but I have personally not tested one yet. I do not have any plans to test this kernel on any older systems, though as long as their network card support is built in it will probably work. If you post here with specific problems on boot I can try to add the needed modules to my config. I started this as a project to increase the performance and security of my servers. The 2.6.x kernel has many improvements that have dramatically dropped the load on the servers I have tested this on so far. In addition to that, the kernel does not support loadable modules (the definition of monolithic), which removes one method of possible vulnerabilities as well as being more efficient. Though there are no studies directly linking grsecurity to increased security, it only adds additional security to your system with very few negative drawbacks. I think it is worth the extra time to configure in grsecurity on the chance that it may block a possible cracker.

This kernel is patched against the following vulnerability: http://www.isec.pl/vulnerabilities/isec-0021-uselib.txt. This is the root-level exploit that was released January 7th. It is *HIGHLY* suggested that you upgrade ASAP. This particular exploit, along with a worm much like the phpBB worm, could be disastrous, yielding full root access.

Updated Feb 6th for instructions on updating grub
Updated Feb 2nd for rpm problems with RH9

2.6.10 + Grsecurity

Grsecurity is a set of patches and options that works to help increase the security of a server at the kernel level. Here is a very basic guide to downloading it and patching your kernel. This guide is meant to be used alongside my generic 2.6.10 kernel guide if you are not familiar with the process of compiling a kernel. This guide can also be adapted to the latest 2.6.11.7 kernel and the matching version of grsecurity just fine.


Compiling a generic 2.6.10 Kernel

How-To: Compile and configure a 2.6.10 kernel



Note: 2.6.10 is an old version of the kernel; however, this guide will work with the latest 2.6.11.7 and grsecurity if you get those instead of the files described. If you go that route the patch described below for a specific vulnerability is not required.

My previous guides use a very specific config file that only works for a few different servers. This guide is meant to be a lot more generic and should work on more servers. I have taken the default config from a redhat 2.4 kernel and kept all the driver configuration. I have removed the extra support such as USB and sound that are not needed on a server. I also explain how to remove some of the drivers that are not necessary such as scsi/ide support depending on what type of drives you have. If you do not want to deal with the menuconfig you can simply compile it and not configure it. I hope that this guide will help alleviate some of the problem with segfaulting that some of the configurations have. If you would like to compile in grsecurity please follow my 2.6.10 grsecurity guide.

This guide has taken me a long time to create. If you have used it, please consider donating :) With that being said, good luck with compiling your new kernel.

Secure cPanel

How-To secure cPanel














*********************WARNING********************



This guide is no longer going to be updated as it is too large and complex to maintain. Instead all of the other guides on the right will continue to be updated. I am going to leave it up just because some people still look at it for a general idea of what to do with a new server. I would suggest that you not actually follow these directions as the versions may be old.


First and foremost I want to say that this is not going to make your server 100% cracker proof; there is always a possibility that somebody will find a way in. I have listed a lot of things you can do to protect your server and that will help you secure it. While securing your server you have to find a median between what is secure and what restricts your clients or websites. You can easily make your server 100% secure from remote attacks by unplugging the ethernet cable, but chances are you will not get much good out of it. This is not a complete guide and I will update it when I find time or it needs it. Overall it is a very good start and it is probably more than most servers have.

If you have any problems with the guide please post them and I will try to help and update the guide. I have not included everything you can do but it is a very good start. If you need somebody to secure your server please feel free to private message or email me.

Upgrade sshd

I know that cPanel and plain Red Hat do not use a proprietary ssh version and this will work fine for those servers. Ensim does not use special rpms like I had posted before; they use PAM authentication, which is the same as cPanel does. I believe this guide should work with Plesk (there is no reason it should not) but I have not personally tried, so if you do please post! As always I take no responsibility if this guide screws up your server; it worked fine for me!

Updated 7/17 for the latest version of openssh. Thanks goes to DXtremz for pointing out the compiling error with open ssh and then even providing the fix! :)



First step we will enable telnet so if something screws up you can still access the server:

-----command-----
pico -w /etc/xinetd.d/telnet
-----command-----

Sysctl.conf Hardening

The purpose of sysctl hardening is to help prevent spoofing and DoS attacks. This short guide will show what I have found to be a good configuration for the sysctl.conf configuration file. The most important of the variables listed below is the enabling of SYN cookie protection. Only place the bottom two if you do not want your server to respond to ICMP echo, commonly referred to as ICMP ping or just ping requests.


NOTICE: Make sure that eth0 is your primary interface, if it is not replace eth0 with eth1 in the code below.

-----command-----
pico -w /etc/sysctl.conf
-----command-----

Now paste the following into the file, you can overwrite the current information.


Secure temporary directories

How-To: Secure your temp directories


Every system needs temporary folders that any user is able to read and write BUT these directories should not be able to execute programs or scripts. Though this will only protect you from somebody running the script directly it will help with a large portion of the automated rootkits and trojans that script kiddies use. They will still be able to put the files on the system but they will be unable to execute them and create the back door. One of the biggest problems is php injection via apache in which people will have apache download and then run an exploit. Securing the temp directories is probably the single biggest thing you can do towards securing your server.
