rubysecurity.org

Cloud Architect / DevOps Engineer / SRE / Developer | /root

Home About Books Blog Portfolio Archive

Tag Cloud


Currently Reading

Certified Kubernetes Administrator (CKA) Study Guide
Certified Kubernetes Administrator (CKA) Study Guide
38 / 155 Pages


Latest Book Reviews

Latest Posts


December 28, 2013

Password protecting single user mode

by Alpha01

I was surprise to find out how easy it was to password protect runlevel 1 aka single user mode in RHEL/CentOS.

Simply update the SINGLE variable in the file /etc/sysconfig/init

SINGLE=/sbin/sulogin

Single User mode password protected

If the root password cannot be retrieved/reset, then at this point the only option will be to boot into a rescue environment, assuming encryption hasn’t been enabled.

Tags: [ centos security ]
December 22, 2013

Password protecting GRUB in RHEL/CentOS

by Alpha01

Specifying a password to modify GRUB during the boot start-up phase can be initially set during the install, but it can also be manually added and or modified after the installation.

Using the grub-md5-crypt utility, you can generate an md5 hashed password (some security better than no security).

[root@centos6 ~]# grub-md5-crypt 
Password: 
Retype password: 
$1$/dvPV1$ngGsOO21eHj2lzEk7wg9d0

Now, is just a matter of adding the following entry in /boot/grub/grub.conf.

password --md5 $1$/dvPV1$ngGsOO21eHj2lzEk7wg9d0

Restart, and voala.

GRUB image

Tags: [ centos rhel security ]
November 28, 2013

Leaving Gmail and Google Apps: Part I

by Alpha01

Since I’m paying for essentially unmanaged dedicated hosting so I can run my mail server. I opted to consolidate my personal web applications to the same physical box. This is why I created a KVM guest that would solely be used for my web traffic. One of the main challenges I’m faced is the fact that I only have one public IP address. This means that all of my KVM guests have been configured using the default NAT networking.

For all http traffic I’m using Varnish as the proxy and caching server and for https traffic I’m using Nginx. http_architecture

First thing that broke using this different architecture on my sites are the mod_access IP restrictions that I originally had set in place previously. This is because the Apache backend see’s all requests originating from the Varnish and Nginx proxies. Luckily both Varnish and Nginx have really simple access control mechanism built in them.

For example, in Varnish I can create a list of IPs that I can use to their block or grant access to certain URLs.

acl admin {
   "localhost";
    "MyPublicIPAddress";
} 

sub vcl_recv {
  # Only allow access to the admin ACL
  if (req.url ~ "^/secureshit" && req.http.host ~ "rubysecurity.org") {
    if (client.ip ~ admin) {
      return(pass);
    } else {
      error 403 "Not allowed in admin area.";
    }
  }
}

Nginx acl

location  /secureshit {
  allow MyPublicIPAddres;
  deny all;
  proxy_pass https://www.rubysecurity.org/secureshit;
}
Tags: [ google centos kvm varnish nginx ]
November 28, 2013

Varnish WordPress Performance Testing

by Alpha01

Thanks to my new job, I’ve been working a lot with Varnish. Man, Varnish is one kick ass HTTP web accelerator! A few months back I ran a few performance Apache performance tests on my WordPress site with different layers of caching enabled:

So now I wanted to see how the results may differ using Varnish.

Configuration

At a bare minimal, Varnish needs to be configured to remove cookies set by WordPress in order to make the content cacheable.

sub vcl_recv {
  # Drop any cookies sent to Wordpress.
  if (!(req.url ~ "wp-(login|admin)") && req.http.host ~ "rubyninja.org") {
    unset req.http.cookie;
  }
}

sub vcl_fetch {
  # Drop any cookies Wordpress tries to send back to the client.
  if (!(req.url ~ "wp-(login|admin)") && req.http.host ~ "rubyninja.org") {
    unset beresp.http.set-cookie;
  }
}

With this configuration enabled, I ran the same identical ab tests that used to benchmark my server previously.

[root@rubyninja ~]# ab -n 1000 -c 5 http://www.rubyninja.org/index.php
This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 2006 The Apache Software Foundation, http://www.apache.org/

Benchmarking www.rubyninja.org (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Finished 1000 requests


Server Software:        Apache/2.2.15
Server Hostname:        www.rubyninja.org
Server Port:            80

Document Path:          /index.php
Document Length:        0 bytes

Concurrency Level:      5
Time taken for tests:   39.528015 seconds
Complete requests:      1000
Failed requests:        0
Write errors:           0
Non-2xx responses:      1001
Total transferred:      374139 bytes
HTML transferred:       0 bytes
Requests per second:    25.30 [#/sec] (mean)
Time per request:       197.640 [ms] (mean)
Time per request:       39.528 [ms] (mean, across all concurrent requests)
Transfer rate:          9.23 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:       87  100 134.1     93    3092
Processing:    88   95  10.7     91     220
Waiting:       87   94  10.6     90     218
Total:        177  196 134.4    186    3183

Percentage of the requests served within a certain time (ms)
  50%    186
  66%    192
  75%    196
  80%    199
  90%    207
  95%    217
  98%    234
  99%    251
 100%   3183 (longest request)

The requests per second handled by the webserver weren’t much different from the caching layer that I already had enabled previously, which is the WordPress W3 Total Cache plugin configured with Page, Database, Object, and Browser cache enabled using APC, and mod_pagespeed.

However the huge difference is that all requests never reached the Apache backend. Varnish cached all content and served all the requests directly. Varnish is just fucking awesome.

Tags: [ varnish apache wordpress testing ]
November 17, 2013

Leaving Gmail and Google Apps

by Alpha01

Ever since finding out about Google’s involvement in PRISM a few months back, I’ve been wanting to completely ditch their Gmail and Google Docs services for good. Having used those services for such a long time, and more importantly them being free (as in beer), deciding which new platform I would use as the replacement was my first challenge. Firstly, all email services will be managed by me solely. So my first task was to find a reliable, and perhaps more importantly, a really cheap unmanaged dedicated hosting provider. I opted to go with OVH. Having first heard of OVH on a Linux Journal advertisement, I became completely sold on their $29.99 a month dedicated hosting offering. Even better, OVH is not an American company and they themselves having to deal with lots of scrutiny for hosting WikiLeaks. The really cheap $29.99 dedicated hosting plan does have a catch, the hardware is not enterprise quality server hardware, but rather desktop hardware. The disk is not RAIDed, and the memory is non ECC. Personally, since I don’t believe my server will have much heavy load, I really don’t see this as a problem. Additionally, using my home Nagios monitoring server and with the help of NRPE, I’m going to monitoring just about everything on the dedicated machine.

My current hypothetical architecture

Install configure KVM on the system, and run three virtual machine instances. The host machine will have the following:

  • Varnish, to proxy all HTTP traffic
  • Nginx, to proxy all HTTPS traffic
  • Proxy POP/IMAP mail traffic using iptables (if this does not work as I expect, I might look into using haproxy instead)

1). VM 1: http

  • Apache PHP/Ruby, all of my web apps will be using on this VM. (including this site itself)

2). VM 2: database

  • MySQL
  • PostgreSQL

3). VM 3: email

  • Postfix for sending mail
  • Dovecot for receiving mail
Tags: [ google ]