Tag Cloud
Currently Reading
Latest Book Reviews
- Certified Kubernetes Application Developer (CKAD) Study Guide, 2nd Edition Posted on January 11, 2025
- Rancher Deep Dive Posted on March 31, 2023
- Leveraging Kustomize for Kubernetes Manifests Posted on March 24, 2023
- Automating Workflows with GitHub Actions Posted on October 13, 2022
- Deep-Dive Terraform on Azure Posted on August 30, 2022 All Book Reviews
Latest Posts
- Password protecting single user mode Posted on December 28, 2013
- Password protecting GRUB in RHEL/CentOS Posted on December 22, 2013
- Leaving Gmail and Google Apps: Part I Posted on November 28, 2013
- Varnish WordPress Performance Testing Posted on November 28, 2013
- Leaving Gmail and Google Apps Posted on November 17, 2013
December 28, 2013
Password protecting single user mode
by Alpha01
I was surprise to find out how easy it was to password protect runlevel 1 aka single user mode in RHEL/CentOS.
Simply update the SINGLE variable in the file /etc/sysconfig/init
SINGLE=/sbin/sulogin
If the root password cannot be retrieved/reset, then at this point the only option will be to boot into a rescue environment, assuming encryption hasn’t been enabled.
Tags: [centos security December 22, 2013
Password protecting GRUB in RHEL/CentOS
by Alpha01
Specifying a password to modify GRUB during the boot start-up phase can be initially set during the install, but it can also be manually added and or modified after the installation.
Using the grub-md5-crypt utility, you can generate an md5 hashed password (some security better than no security).
[root@centos6 ~]# grub-md5-crypt
Password:
Retype password:
$1$/dvPV1$ngGsOO21eHj2lzEk7wg9d0
Now, is just a matter of adding the following entry in /boot/grub/grub.conf.
password --md5 $1$/dvPV1$ngGsOO21eHj2lzEk7wg9d0
Restart, and voala.
centos rhel security November 28, 2013
Leaving Gmail and Google Apps: Part I
by Alpha01
Since I’m paying for essentially unmanaged dedicated hosting so I can run my mail server. I opted to consolidate my personal web applications to the same physical box. This is why I created a KVM guest that would solely be used for my web traffic. One of the main challenges I’m faced is the fact that I only have one public IP address. This means that all of my KVM guests have been configured using the default NAT networking.
For all http traffic I’m using Varnish as the proxy and caching server and for https traffic I’m using Nginx.
First thing that broke using this different architecture on my sites are the mod_access IP restrictions that I originally had set in place previously. This is because the Apache backend see’s all requests originating from the Varnish and Nginx proxies. Luckily both Varnish and Nginx have really simple access control mechanism built in them.
For example, in Varnish I can create a list of IPs that I can use to their block or grant access to certain URLs.
acl admin {
"localhost";
"MyPublicIPAddress";
}
sub vcl_recv {
# Only allow access to the admin ACL
if (req.url ~ "^/secureshit" && req.http.host ~ "rubysecurity.org") {
if (client.ip ~ admin) {
return(pass);
} else {
error 403 "Not allowed in admin area.";
}
}
}
Nginx acl
location /secureshit {
allow MyPublicIPAddres;
deny all;
proxy_pass https://www.rubysecurity.org/secureshit;
}
google centos kvm varnish nginx November 28, 2013
Varnish WordPress Performance Testing
by Alpha01
Thanks to my new job, I’ve been working a lot with Varnish. Man, Varnish is one kick ass HTTP web accelerator! A few months back I ran a few performance Apache performance tests on my WordPress site with different layers of caching enabled:
So now I wanted to see how the results may differ using Varnish.
Configuration
At a bare minimal, Varnish needs to be configured to remove cookies set by WordPress in order to make the content cacheable.
sub vcl_recv {
# Drop any cookies sent to Wordpress.
if (!(req.url ~ "wp-(login|admin)") && req.http.host ~ "rubyninja.org") {
unset req.http.cookie;
}
}
sub vcl_fetch {
# Drop any cookies Wordpress tries to send back to the client.
if (!(req.url ~ "wp-(login|admin)") && req.http.host ~ "rubyninja.org") {
unset beresp.http.set-cookie;
}
}
With this configuration enabled, I ran the same identical ab tests that used to benchmark my server previously.
[root@rubyninja ~]# ab -n 1000 -c 5 http://www.rubyninja.org/index.php
This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 2006 The Apache Software Foundation, http://www.apache.org/
Benchmarking www.rubyninja.org (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Finished 1000 requests
Server Software: Apache/2.2.15
Server Hostname: www.rubyninja.org
Server Port: 80
Document Path: /index.php
Document Length: 0 bytes
Concurrency Level: 5
Time taken for tests: 39.528015 seconds
Complete requests: 1000
Failed requests: 0
Write errors: 0
Non-2xx responses: 1001
Total transferred: 374139 bytes
HTML transferred: 0 bytes
Requests per second: 25.30 [#/sec] (mean)
Time per request: 197.640 [ms] (mean)
Time per request: 39.528 [ms] (mean, across all concurrent requests)
Transfer rate: 9.23 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 87 100 134.1 93 3092
Processing: 88 95 10.7 91 220
Waiting: 87 94 10.6 90 218
Total: 177 196 134.4 186 3183
Percentage of the requests served within a certain time (ms)
50% 186
66% 192
75% 196
80% 199
90% 207
95% 217
98% 234
99% 251
100% 3183 (longest request)
The requests per second handled by the webserver weren’t much different from the caching layer that I already had enabled previously, which is the WordPress W3 Total Cache plugin configured with Page, Database, Object, and Browser cache enabled using APC, and mod_pagespeed.
However the huge difference is that all requests never reached the Apache backend. Varnish cached all content and served all the requests directly. Varnish is just fucking awesome.
Tags: [varnish apache wordpress testing November 17, 2013
Leaving Gmail and Google Apps
by Alpha01
Ever since finding out about Google’s involvement in PRISM a few months back, I’ve been wanting to completely ditch their Gmail and Google Docs services for good. Having used those services for such a long time, and more importantly them being free (as in beer), deciding which new platform I would use as the replacement was my first challenge. Firstly, all email services will be managed by me solely. So my first task was to find a reliable, and perhaps more importantly, a really cheap unmanaged dedicated hosting provider. I opted to go with OVH. Having first heard of OVH on a Linux Journal advertisement, I became completely sold on their $29.99 a month dedicated hosting offering. Even better, OVH is not an American company and they themselves having to deal with lots of scrutiny for hosting WikiLeaks. The really cheap $29.99 dedicated hosting plan does have a catch, the hardware is not enterprise quality server hardware, but rather desktop hardware. The disk is not RAIDed, and the memory is non ECC. Personally, since I don’t believe my server will have much heavy load, I really don’t see this as a problem. Additionally, using my home Nagios monitoring server and with the help of NRPE, I’m going to monitoring just about everything on the dedicated machine.
My current hypothetical architecture
Install configure KVM on the system, and run three virtual machine instances. The host machine will have the following:
- Varnish, to proxy all HTTP traffic
- Nginx, to proxy all HTTPS traffic
- Proxy POP/IMAP mail traffic using iptables (if this does not work as I expect, I might look into using haproxy instead)
1). VM 1: http
- Apache PHP/Ruby, all of my web apps will be using on this VM. (including this site itself)
2). VM 2: database
- MySQL
- PostgreSQL
3). VM 3: email
- Postfix for sending mail
- Dovecot for receiving mail
google