The most basic authentication can be configured on a Apache is access by file, but in this post we will see how to configure Apache to authenticate users against an LDAP.
The advantages are obvious, we can use a centralized authentication LDAP directory, either to validate us in applications or to access the web services of the company.
For the examples we have used a Ubuntu 12.04 and Apache 2.2, the first thing we have to do is install the necessary Apache modules and activate them:
sudo aptitude install libapache2-mod-ldap-userdir
sudo a2enmod authnz_ldap
Recently has contacted me a companion called Miguel Angel (greetings) to see if he could help out with attacks that are suffering. Obviously I will not use your data for anything in this entry.
In this post we will make a more accurate filtering of incoming communications, to prevent DOS attacks.
In the previous post “iptables ddos limit configuration, prevent denial of service attacks on Linux (Match extension limit)” is shown as filter limiting the number of hits. The great improvement in recent vs limit extension is that recent maintains a list of source IPs communication and limits are set by source IP. The limits imposed limit extension regardless of origin, is an overall limit.
Almost everyone knows how to add an automatic mounting /etc/fstab, perhaps not used as it should the mounting is using UUIDs.
The UUID (Universally Unique Identifier) is a unique identifier for each file system. It is very interesting because it allows use as a reference for installation, ie instead of using /dev/sdb1 (physical connection reference) may use UUID and thus could change the connections of the discs without the mount points they saw affected.
The tool to know the UUID of the discs is:
[root@test ~]# blkid
/dev/sdb1: UUID="a210f4aa-0333-4827-b4f0-4a987c3364cf" TYPE="ext4"
/dev/sdb2: UUID="2133ef48-5eb9-4413-8b42-2f5f023a765b" TYPE="ext4"
/dev/sda1: UUID="0cdd3b92-349c-407f-87d2-63242782b531" TYPE="ext4"
/dev/sda2: UUID="rNf0sI-d44o-5c3f-VJMJ-zdhk-eT4q-Lc8xXT" TYPE="LVM2_member"
/dev/mapper/vg_test-lv_root: UUID="6c9fa623-8bc4-4143-b8a5-f7d0966980c9" TYPE="ext4"
/dev/mapper/vg_test-lv_swap: UUID="b382f6a5-0a63-4ab8-aaf4-8b8c1c0b969d" TYPE="swap"
In this post we will create an encrypted volume, which is useful if you work with a laptop and want to ensure your data against theft.
You can do interesting things, as we ask the key to start or hold the key for example in a USB. It seems to me very good choice of a USB device with the key to start.
Let the matter, the steps are:
1- make sure we have the kernel module loaded with dm_crypt :
[root@test ~]# lsmod | grep dm_crypt
dm_crypt 10848 2
dm_mod 63859 11 dm_crypt
When we operate a web server, it should apply basic protection to avoid any possibility that a “good” person (with all the sarcasm), is dedicated to run JMeter (excellent software designed for load tests) with the idea of saturate our server.
These are things that really happens, it is nothing paranoid.
One way to avoid these attacks is through iptables (I have a broader input on iptables), a configuration example would be:
IPTABLES is the firewall kernel-level included in Linux distributions, it’s very powerful (once understood its operation), very useful and flexible. This post has been made on a CentOS 6 (clone of RedHat), almost all should be able to apply to any distribution.
The basic operation of iptables is the following:
- Exist chains of rules. Basically 3: INPUT, OUTPUT and FORWARD.
- The rules within a chain are evaluated in order. This is where there is a multitude of filtering options.
- When a rule is evaluated positively, it is directed at a TARGET. It can be accepted, rejected, deleted, written in a log or other much more (see man TARGET EXTENSIONS iptables).
We can list the current rules:
Working with ACL (Access Control List), it is useful when you want to allow or remove a user or group on directories and objects. I personally do not like too much, is all too “hidden” and whimsical for my taste. Though admittedly that in certain situations it may be the best solution.
A requirement to work with ACL is to have the volume mounted with the appropriate option. This is possible without dismounting or restart with the command:
In linux you can assign attributes to files, this allows to increase the security level. It is possible for example, to protect a file so that can not be removed.
To view the attributes of a file:
[root@tester1 prueba]# lsattr
I will show how to create, expand and reduce LVM volumes, all these actions have been performed with RedHat 6 LVM directly from the console. I think it goes without saying, but it is advisable to make a backup of the original disks.
The first thing is to understand the structure that follows LVM works with 3 types of elements:
- Volume groups, all related commands that begin with vg*, a volume group can contain one or more logical volumes. And it is composed of physical volumes.
- Logical volumes, all related commands begin with lv*, a logical volume resides within a volume group.
- Physical volumes, in this case all commands start with pv*, a volume group are composed of one or more physical volumes.
There are a number of commands to manage LVM volumes:
More and more frequently, we can meet the need to install an OS (Red Hat or Fedora) on a physical server without DVD drive.
In these cases from the DVD ISO we can prepare a USB flash drive to perform a network installation.
The steps are:
- We mount the iso with:
mount -o loop DVD.iso /mnt
- Assuming that the pendrive you have clicked on /dev/sdd, copy the image (eye that will erase everything you have):
dd if=/mnt/images/efidisk.img of=/dev/sdd
- Umount the iso:
We have the pendrive ready to start.