Category Archives: CentOS

Postfix

SSL self-signed certificate. Note that the steps below strip the passphrase from the key (server.key.insecure is renamed to server.key) so Postfix can load it unattended; that makes the file itself the secret, so keep server.key and the encrypted server.key.secure owned by root with mode 0600. The CSR sets only a Common Name; some clients ignore CN and match only subjectAltName, so add a SAN extension if such clients must validate this certificate.

# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
......................................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
140645244917648:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters
Enter pass phrase for server.key: ***********
Verifying - Enter pass phrase for server.key: ***********
# openssl rsa -in server.key -out server.key.insecure
Enter pass phrase for server.key: ***********
writing RSA key
# mv server.key server.key.secure
# mv server.key.insecure server.key

# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:NL
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Rotterdam
Organization Name (eg, company) [Default Company Ltd]: *********
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: ***********
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=NL/L=Rotterdam/O=Welgg/CN=one.welgg.com
Getting Private key
#

Elasticsearch

Installation from RPM. The signing key is imported over HTTPS and every stanza sets gpgcheck=1, so yum verifies package signatures; note that all three stanzas below point at the same baseurl, so a single stanza would be enough.

[root@NLRTM1-S0503 ~]# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
[root@NLRTM1-S0503 ~]# vi /etc/yum.repos.d/elastic.repo

[logstash-6.x]
name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

[kibana-6.x]
name=Kibana repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

[root@NLRTM1-S0503 ~]# yum install elasticsearch
[root@NLRTM1-S0503 ~]# yum install kibana
[root@NLRTM1-S0503 ~]# yum install logstash

User preparation

Logstash

WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults

[root@NLRTM1-S0503 logstash]# ./bin/logstash -t
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2018-12-06 00:08:16.015 [main] writabledirectory - Creating directory {:setting=>"path.queue", :path=>"/usr/share/logstash/data/queue"}
[INFO ] 2018-12-06 00:08:16.024 [main] writabledirectory - Creating directory {:setting=>"path.dead_letter_queue", :path=>"/usr/share/logstash/data/dead_letter_queue"}
ERROR: Failed to read pipelines yaml file. Location: /usr/share/logstash/config/pipelines.yml

Remedy: run the check as the service user and point logstash at the packaged settings directory explicitly. Note that the root run above already created root-owned queue directories under /usr/share/logstash/data, which the logstash service user will not be able to write to; fix the ownership of that data directory rather than opening up the whole install tree.

[support@NLRTM1-S0503 logstash]$ ./bin/logstash --path.settings /etc/logstash -t

Start logstash as a service

Check the logstash service user and correct permissions. Caution: the commands below hand the whole /usr/share/logstash install tree to the service account and then make it group-writable (`chmod -R g+rwx`), so a compromised logstash process, or any member of the logstash group, can rewrite logstash's own jars and plugins. The service only needs to write under its data directory (/usr/share/logstash/data, where the queue directories above were created) and /var/log/logstash, and to read /etc/logstash; the binaries under /usr/share/logstash can stay root-owned and read-only for the service user.

[root@NLRTM1-S0503 logstash]# vi /etc/systemd/system/logstash.service 
[root@NLRTM1-S0503 etc]# chown -R logstash:logstash /etc/logstash
[root@NLRTM1-S0503 etc]# chown -R logstash:logstash /usr/share/logstash

# chmod -R g+rwx /usr/share/logstash/
# chown -R logstash:logstash /var/log/logstash
[root@NLRTM1-S0503 logstash]# /bin/systemctl daemon-reload
[root@NLRTM1-S0503 logstash]# systemctl enable logstash.service
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash.service to /etc/systemd/system/logstash.service.
[root@NLRTM1-S0503 logstash]# systemctl start logstash.service

Setting up ELK components as service

[root@cilacap etc]# chown -R logstash:logstash logstash
[root@cilacap etc]# chown -R elasticsearch:elasticsearch elasticsearch
[root@cilacap etc]# chown -R kibana:kibana kibana

[root@cilacap etc]# usermod -aG logstash elastic
[root@cilacap etc]# usermod -aG elasticsearch elastic
[root@cilacap etc]# usermod -aG kibana elastic
[root@cilacap etc]# groups elastic
elastic : elastic wheel logstash elasticsearch kibana

[root@cilacap etc]# sudo /bin/systemctl daemon-reload
[root@cilacap etc]# sudo /bin/systemctl enable elasticsearch.service
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
[root@cilacap etc]# systemctl enable logstash.service
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash.service to /etc/systemd/system/logstash.service.
[root@cilacap etc]# systemctl enable kibana.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
[root@cilacap etc]#


# cp /etc/systemd/system/logstash-ecn4.service /etc/systemd/system/logstash-apex.service
# vi /etc/systemd/system/logstash-apex.service
# cd /etc/logstash/
# cp -R ecn4 apex
# cd apex
# vi logstash.yml 
[root@NLRTM1-S0503 logstash]# vi /etc/logstash/apex/pipelines.yml
[root@NLRTM1-S0503 logstash]# chown -R logstash:logstash apex
[root@NLRTM1-S0503 logstash]# systemctl enable logstash-apex.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash-apex.service to /etc/systemd/system/logstash-apex.service. 

Filebeat module APACHE2. Note that the error below shows Filebeat shipping to Elasticsearch over plain `http://` on a public hostname and a non-standard port; Elasticsearch 6.x does not require authentication or TLS out of the box, so anyone who can reach that port can read and write the indices, and the log data travels in clear. Terminate TLS and require credentials (or at least restrict the port to the shippers' addresses) before exposing it like this.

[root@one filebeat]# ./filebeat modules enable apache2

[root@one filebeat]# nohup ./filebeat >/dev/null 2>&1 &

[root@one filebeat]# tail logs/filebeat
2018-12-08T21:06:44.246+0100	ERROR	pipeline/output.go:100	Failed to connect to backoff(elasticsearch(http://www.atikin.nl:49200)): Connection marked as failed because the onConnect callback failed: Error loading pipeline for fileset apache2/access: This module requires the following Elasticsearch plugins: ingest-user-agent, ingest-geoip. You can install them by running the following commands on all the Elasticsearch nodes:
    sudo bin/elasticsearch-plugin install ingest-user-agent
    sudo bin/elasticsearch-plugin install ingest-geoip

Install Elasticsearch plugins

[root@cilacap ~]# cd /usr/share/elasticsearch/
[root@cilacap elasticsearch]# ./bin/elasticsearch-plugin install ingest-user-agent
-> Downloading ingest-user-agent from elastic
[=================================================] 100%   
-> Installed ingest-user-agent
[root@cilacap elasticsearch]# ./bin/elasticsearch-plugin install ingest-geoip
-> Downloading ingest-geoip from elastic
[=================================================] 100%   
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.reflect.ReflectPermission suppressAccessChecks
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
Continue with installation? [y/N]y
-> Installed ingest-geoip

[root@cilacap elasticsearch]# systemctl restart elasticsearch

Apache module configuration

[root@one filebeat]# vi /opt/elastic/filebeat/modules.d/apache2.yml
- module: apache2
  # Access logs
  access:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/httpd/paulowna_site.com-access_log*","/var/log/httpd/paulowna_shop.com-access_log*" ]

  # Error logs
  error:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/httpd/paulowna_site.com_error_log", "/var/log/httpd/paulowna_shop.com-error_log"]

Run filebeat

[root@one filebeat]# /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat -d "publish" 

Run filebeat in background. Mind the redirection order: `>/dev/null 2>&1` (as used for the module test above) discards both streams, whereas `2>&1 >/dev/null` as written below first points stderr at the original stdout and only then discards stdout, so errors are not discarded. If filebeat was installed from the RPM (the paths below are the package layout), its systemd unit is the better way to keep it running than `nohup … &`.

nohup /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat  -d "publish" 2>&1 >/dev/null &

Journalctl

[root@NLRTM1-S0503 es00]# journalctl -u elasticsearch.service

Webalizer on Red Hat and CentOS

https://blog.100tb.com/analyze-your-website-statistics-with-webalizer-on-red-hat-and-centos

Analyze Your Website Statistics with Webalizer on Red Hat and CentOS

When running a webserver your log files can rapidly fill with information about the visitors to your site, Webalizer can help.

Your webserver’s log files can be a mine of useful information with regards to the users visiting your website. Unfortunately, reading this information from the logs isn’t the simplest of tasks. To make this resource more useful there are tools available that look through the log files and generate statistics from them. Webalizer is one of these tools: it runs at regular intervals and creates statistics from your website logs as well as charts of usage. It is free and open source, being licensed under the GNU GPL.

How do I install Webalizer?

***For information on installing Webalizer on Debian & Ubuntu, read yesterday's post on the 100TB blog

Red Hat & CentOS

Installing Webalizer in Red Hat and CentOS is pretty straightforward as it is in the base repositories. So the install is as simple as the following command:

yum install webalizer

If you are using Apache, in its default configuration then your task of installing Webalizer is complete. Webalizer comes pre-configured to use Apache’s default log file for its data source, and then output its information to /var/www/usage with Apache configured to serve that directory as a subdirectory of the main website under /usage. To test this, simply run the following command:

webalizer

If all has worked correctly, Webalizer should have placed the various files that it creates in the /var/www/usage directory. If so, then you are done and the default cron task that is created through the installation should see you fine with keeping the statistics up to date. Do check who can reach /usage, though: the packaged Apache snippet (/etc/httpd/conf.d/webalizer.conf) normally restricts it to local access, and the reports contain visitor IP addresses and referrers that you may not want public.

 

100TB offers around-the-clock technical support as a resource to help whenever you need answers.

 

Apache with Virtualhost

If, on the other hand, you are using Apache with Virtualhosts then you have some work ahead of you, the first thing needing to be done is to create configuration files for each of your Virtualhosts. For this I’d suggest making a directory for these files then making copies of the webalizer.conf file in there for each Virtualhost domain you are running:

mkdir /etc/webalizer

cp /etc/webalizer.conf /etc/webalizer/webalizer.yourdomain.com.conf

The above commands create the webalizer config directory and then add a config file. Note that you need to change yourdomain.com to the domain that you are using webalizer on. The next thing you need to do is edit the new configuration file to fit your configuration. For the following example we will be using a server configured to store log files in /var/log/httpd/yourdomain.com_access.log and the website files in the /var/www/yourdomain.com directory. The configuration file will need editing – I'm going to use nano in this example, but other text editors are available.

nano /etc/webalizer/webalizer.yourdomain.com.conf

The main lines to change are the LogFile line and the OutputDir line, so find those and edit them to match your configuration.

LogFile /var/log/httpd/yourdomain.com_access.log

OutputDir /var/www/yourdomain.com/webalizer

You can now save and exit this file. To avoid having to create a lot of extra configuration files for Apache, I'm using a subdirectory within the website directory for the Webalizer output. This means that it would be accessible from the web as below — and, unless you add HTTP authentication or an IP allow-list for that directory in Apache, to everyone: the reports list visitor IP addresses, referrers and the URLs requested on your site.

http://yourdomain.com/webalizer

The next step is to populate the directory for which we’ll need to run Webalizer:

webalizer -c /etc/webalizer/webalizer.yourdomain.com.conf

The -c flag tells Webalizer to use the specified configuration file rather than its default, so it should process the new configuration file and create the correct output. If this has worked properly then you should see the files in the directory you used for the OutputDir.

 

Finalizing Webalizer

The last step is to create the cron task required to generate the webalizer output. This is where putting the configuration all within one directory will come in handy as we can create a simple BASH script to process the configuration files. Edit the Webalizer cron task created when Webalizer was installed and then use it to continue:

nano /etc/cron.daily/00webalizer

Remove all the content of this and then paste in the following code:

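#!/bin/bash

# Update website statistics for Virtualhosts using /etc/webalizer directory.
# Run daily from cron: every *.conf in /etc/webalizer is fed to webalizer
# with -Q (quiet), so a clean run produces no cron mail.

# With nullglob an empty /etc/webalizer expands to nothing and the loop is
# simply skipped, instead of iterating once over the literal pattern.
shopt -s nullglob

for conf in /etc/webalizer/*.conf; do

  # Only regular files are configuration; skip anything else (quoted so an
  # odd filename cannot break the test).
  [[ -f "$conf" ]] || continue

  # Keep processing the remaining vhosts if one run fails, but say so on
  # stderr so cron reports the failure instead of silently dropping it.
  /usr/bin/webalizer -c "$conf" -Q \
    || printf 'webalizer failed for %s\n' "$conf" >&2

done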

SSH: packet_write_wait: Broken pipe

SSH won't establish a connection for a specific user: authentication succeeds, but the session drops as soon as the interactive session is requested.

pdeneef@semarang:~# ssh -vvv user@hostname
OpenSSH_6.9p1, LibreSSL 2.1.7
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: ssh_connect: needpriv 0
..
..
Authenticated to hostname ([ip.add.re.s]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
packet_write_wait: Connection to ip.add.re.s: Broken pipe

Resolution:
Remove and recreate the user. Warning: `userdel -r` also deletes the user's home directory and mail spool, so back those up first. This is a blunt fix that discards the account's data rather than finding out why the session drops; before deleting, it is worth checking the account's login shell and home directory (`getent passwd username`, `ls -ld` on the home) and the shell startup files, since an unusable shell or home is a common reason for a session that authenticates and then closes immediately.

 $ userdel -r username
$ useradd username
$ passwd username

Retry setting up the SSH connection:


pdeneef@semarang:~# ssh user@hostname
user@hostname's password: 
Last failed login: Fri Nov  6 00:42:53 CET 2015 from fromhostname on ssh:notty
There were 2 failed login attempts since the last successful login.
-bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
[jforces@one ~]$ 

Configuring VNC Server on Linux

Configuring VNC Server on Linux

Firewall

Open the port on OEL 7 (only needed if the display must be reachable from the network; see the `-localhost` and SSH-tunnel advice in the unit file's header comment below):

# firewall-cmd --zone=public --add-port=portnumber/tcp --permanent
#firewall-cmd --reload 

 

systemd

Install the VNC Server.

# yum install tigervnc-server

Create a new configuration file for each of the display numbers you want to enable. In the following case, I am setting up the display number ":3". Notice how the display number is included in the configuration file name. (The unit's own header comment says to copy it to /etc/systemd/system; that is the better location, since files under /lib/systemd/system belong to the package and can be replaced on update.)

# cp /lib/systemd/system/vncserver@.service /lib/systemd/system/vncserver@:3.service

Edit the new configuration file, amending the user and startup arguments as necessary. An example of the changed lines is shown below. Also check the PIDFile line: it should point at the home directory of the user you set (in the listing below it still says /home/root while the service runs as `username`). All other lines should be unmodified.

User=oracle
ExecStart=/usr/bin/vncserver %i -geometry 1280x1024
# The vncserver service unit file
#
# Quick HowTo:
# 1. Copy this file to /etc/systemd/system/vncserver@:.service
# 2. Edit root and vncserver parameters appropriately
#   ("runuser -l root -c /usr/bin/vncserver %i -arg1 -arg2")
# 3. Run `systemctl daemon-reload`
# 4. Run `systemctl enable vncserver@:.service`
#
# DO NOT RUN THIS SERVICE if your local area network is
# untrusted!  For a secure way of using VNC, you should
# limit connections to the local host and then tunnel from
# the machine you want to view VNC on (host A) to the machine
# whose VNC output you want to view (host B)
#
# [user@hostA ~]$ ssh -v -C -L 590N:localhost:590M hostB
#
# this will open a connection on port 590N of your hostA to hostB's port 590M
# (in fact, it ssh-connects to hostB and then connects to localhost (on hostB).
# See the ssh man page for details on port forwarding)
#
# You can then point a VNC client on hostA at vncdisplay N of localhost and with
# the help of ssh, you end up seeing what hostB makes available on port 590M
#
# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.
#
# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel.  See the "-via" option in the
# `man vncviewer' manual page.


[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=simple
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/sbin/runuser -l username  -c "/usr/bin/vncserver %i -geometry 1280x1024"
PIDFile=/home/root/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target

Run the following command.

# systemctl daemon-reload

Set the VNC password for the user defined in the new configuration file.

# su - oracle
$ vncpasswd
Password:
Verify:
$ exit
logout
#

Enable the service for autostart and start the service.

# systemctl enable vncserver@:3.service
# systemctl start vncserver@:3.service

You should now be able to use a VNC viewer to connect to the system using the display number and password defined. Bear in mind that with the firewall port opened as above, the display is reachable from the network protected only by the VNC password, and classic VNC sessions are not encrypted; the unit file's header comment recommends running with `-localhost` and reaching the display through an SSH tunnel instead.

Use the following commands to stop the service and disable autostart.

# systemctl stop vncserver@:3.service
# systemctl disable vncserver@:3.service

VNC Clients

Once your VNC server is configured, you can connect to it from any VNC client. On Linux this will often be TigerVNC, installed using the following command.

# yum install tigervnc

Connect to a VNC server using the following command.

# vncviewer machine-name:port

# vncviewer maggie.localdomain:3
# vncviewer 192.168.0.4:3
Fedora 18 gets an “Oh no. Something has gone wrong” message in the VNC client when trying to connect.

This is bug 896648 in the Red Hat bugzilla. According to comment 15 you can fix it by:

  • Add -session optional pam_systemd.so to /etc/pam.d/runuser-l; the whole file should look like:
    auth            include         runuser
    session         optional        pam_keyinit.so force revoke
    -session        optional        pam_systemd.so
    session         include         runuser
    
  • Edit vncserver@:<display>.service
    • Change Type to simple
    • Add an -fg parameter to the vncserver command in ExecStart
    • Comment out the ExecStop line