Harden SSH on a Linux instance with Multi-Factor Authentication

With stories like the recent iCloud hack popping up in mainstream media, security and privacy are becoming increasingly important to the average consumer. These topics however are even more important to system administrators, those of us entrusted with safeguarding sensitive data against an ever changing threat. As technology professionals we have access to a number of tools to assist in defending our networks and protecting private data, but one of the most powerful tools at our disposal is multi-factor authentication. In this post we will take a high level look at multi-factor authentication and discuss the implementation of one multi-factor authentication solution to secure SSH access on a Linux instance. Continue reading “Harden SSH on a Linux instance with Multi-Factor Authentication”

Building a Scalable Highly Available Web Cluster Part 1: The Load Balancing Tier

In an earlier post we discussed overall cluster configuration and now we’re going to begin actual cluster configuration with the load-balancing tier. Each load balancer will run following software:

  • HAProxy – HAProxy will facilitate the actual load balancing of traffic to web nodes behind the load balancers.
  • Keepalived – Keepalived will allow for IP failover in the event one of the load balancers fails.

Continue reading “Building a Scalable Highly Available Web Cluster Part 1: The Load Balancing Tier”

Building a Scalable Highly Available Web Cluster Part 0: The Architecture

The modern internet user expects websites to be consistently fast and available, and a single box architecture may not deliver the levels of scalability and redundancy necessary to deliver on those expectations. Over the next few weeks, we’re going to dive into the configuration of a scalable, highly available web cluster that can grow to meet your needs as your traffic grows. We’ll begin with a high level overview of the cluster components and overall cluster architecture. Continue reading “Building a Scalable Highly Available Web Cluster Part 0: The Architecture”

Quick Tip: Quickly Rename a Group of Files with BASH

While configuring Nagios checks for my Asterisk box I stumbled upon something interesting I hadn’t noticed before, PBX in a Flash is based on a 32-bit version of CentOS 6. This was a problem as both my Nagios and Puppet infrastructures are designed to monitor and manage 64-bit machines. A simple if/else statement was all that was required to expand my NRPE Puppet manifest to address both 32 and 64-bit architectures, but the Nagios check files themselves proved more of a challenge.
Continue reading “Quick Tip: Quickly Rename a Group of Files with BASH”

Integrate Git and Puppet-Lint into your Puppet workflow

As a Systems Administrator the majority of my work entails designing, building, deploying, and supporting systems and I never thought I’d have a reason to add a tool like Git to my toolchain. However, my discovery of Puppet and embracing of the DevOps philosophy has fundamentally altered the way I handle systems administration tasks. Alone, Puppet is an incredibly powerful tool that delivers a consistent and scaleable administration experience, but integrating it with other tools with give your Puppet Master super powers (well, not really, but it will extend its functionality significantly). In this post, we’re going to discuss how to integrate Puppet-Lint and Git into the traditional Puppet workflow to proactively block the deployment of Puppet manifests that contain syntax errors.
Continue reading “Integrate Git and Puppet-Lint into your Puppet workflow”

Quick Tip: Ping an IP Range From the Command Line

A few weeks ago I was finishing up some year-end infrastructure documentation and realized I had a wayward host on my network. Specifically, I’d lost a wireless access point. I had failed to document the access point’s IP address and wasn’t looking forward to aimlessly pinging hosts on my network and navigating to the hosts that responded in hopes of finding a web interface. While tools like Angry IP Scanner, which allows you to ping a pre-determined IP range and reports hosts that respond, exist for Windows I use OS X and CentOS daily and wanted a UNIX-native solution that would be reusable should I ever lose another host. With that goal in mind, I came up with a quick and dirty bit of shell script that’s nothing more than a simple for loop.
Continue reading “Quick Tip: Ping an IP Range From the Command Line”

Quick Tip: Resolve a Local HTTP 403 Forbidden Warning in a Nagios Installation

After installing Nagios some weeks ago to monitor my local infrastructure, all was well with the exception of a persistent warning logged by Nagios against the local HTTP service.  Specifically, I was seeing a 403 Forbidden warning being returned by Apache (pictured below).

Continue reading “Quick Tip: Resolve a Local HTTP 403 Forbidden Warning in a Nagios Installation”

Quick Tip: Easily Set SELinux Enforcement Levels in CentOS 6

This post, like any other dealing with altering a security mechanism, should (and will) begin with a warning to NOT do this in a production environment. Obligatory bold warning text:
SELinux is a major security component in any RHEL-based Linux distribution and should never be disabled in a production environment without extensive consideration and forethought as it can seriously compromise system security. It’s best practice to work with an application vendor to ensure the application works with SELinux if it’s going to be placed in production. Now we return to the regularly scheduled Blog post.

Continue reading “Quick Tip: Easily Set SELinux Enforcement Levels in CentOS 6”

Quick Tip: Pass a Command to an SSH Session as an Argument

Today’s Quick Tip isn’t necessarily an easier way of accomplishing a task, it’s simply a time saver I find myself using often. SSH is a fabulous tool for administrating remote systems via a remote shell, but you may not always need a fully interactive environment to accomplish a given task. Let’s take for example restarting a service. In order to restart a service via a traditional SSH session you must connect to the machine, restart the service with either the service command or /etc/init.d/, and disconnect. Using today’s Quick Tip, that entire process can be wrapped up into a single command. First, we’ll look at the basic method of passing the command then show how a service can be restarted in this way.
Continue reading “Quick Tip: Pass a Command to an SSH Session as an Argument”

Force CentOS 6 to Re-Detect Network Devices

Recently, I began transitioning from VMware ESXi to Proxmox VE and ran into an unexpected issue. After imaging the VM’s running on top of ESXi and redeploying them into blank KVM VM’s, I noticed that even though the new VM’s had network interfaces they had no connectivity. After some investigation, I discovered that CentOS 6 uses udev to deal with all hardware devices; so restoring connectivity was as a quick, two-step process. Before we discuss the solution, though, let’s examine the root cause of the issue.

Continue reading “Force CentOS 6 to Re-Detect Network Devices”