Monday, November 25, 2013

Configuring FreeNAS 8 for iSCSI on VMware vSphere 5 part 3

iSCSI stands for Internet SCSI and allows client machines to send SCSI commands to remote storage servers such as FreeNAS. This allows you to consolidate your storage drives into a single machine for lower cost per GB and easier maintenance, with the illusion of local disk drives on your client machines. The functionality to use iSCSI drives is built into both Windows Vista and Server 2008 natively. At the higher end you can also use iSCSI for low cost clustering solutions and disaster recovery.

In Part 1 of the tutorial we installed and configured a FreeNAS server on a VM; in Part 2 we configured it as an iSCSI target.

In this part we add the newly created iSCSI target to an ESXi server as a datastore.


Once your ESXi host is ready, the first thing to do is log on to it with the VMware vSphere Client.


Go to the Configuration tab -> "Storage Adapters" and click "Add" to add a software iSCSI adapter if one does not exist already.


Click OK when prompted as shown below 


You will now have to configure the iSCSI properties. Click OK to continue.


You should see the newly added iSCSI Software Adapter as shown below. Click on Properties 


You will first need to enable your iSCSI initiator. To do this, click “Configure” in the properties dialog. 

In my case, it was already enabled.


On the next tab (Dynamic Discovery), click "Add" and enter the IP address of one of the iSCSI portals of your SAN. In our case the FreeNAS server IP was 192.168.2.155; the default iSCSI port is 3260.


The Static Discovery tab should auto-populate if the FreeNAS iSCSI target was configured properly. Click "Close" to quit the properties window.


Once this is done, vSphere will prompt you to rescan the adapter for any new LUNs; click "Yes".


Once the adapter is rescanned (it takes a couple of seconds), your LUN appears in the list view below.


Now your SAN LUN is visible to ESXi. All that is left is to tell ESXi what to use the new storage for.
Click "Storage" in the "Hardware" section of the left menu. It shows my current local datastore (datastore1), which is just the local hard drives. Click "Add Storage".


In the Add Storage wizard first page, select “Disk/LUN” and click Next 


Your Added LUN will be in the list, select it, and click “Next” 


Select the file system version.
NOTE: Only ESXi 5.0 and later can mount a VMFS-5 datastore. If any host older than 5.0 needs access to this LUN, choose VMFS-3 instead.


Next you get a summary of the disk layout; click Next.
(NOTE: If you get an error when this page loads, it is probably because a SAN operation such as initialization, syncing or capacity expansion is still running on the LUN. In short, if you get an error here, the LUN isn't ready on the SAN.)


Next enter a name for the datastore (just so you can identify it). I have named it SHARED_DATASTORE.


On the next page you will see the file formatting config, I left the defaults, and clicked Next


You will get a final summary page to confirm everything, click “Finish” 


Once you have successfully finished the wizard, you will see your LUN storage ready in the storage list. 


That's it from me for now..
More such posts coming your way !!

Configuring FreeNAS 8 for iSCSI on VMware vSphere 5 part 2

iSCSI stands for Internet SCSI and allows client machines to send SCSI commands to remote storage servers such as FreeNAS. This allows you to consolidate your storage drives into a single machine for lower cost per GB and easier maintenance, with the illusion of local disk drives on your client machines. The functionality to use iSCSI drives is built into both Windows Vista and Server 2008 natively. At the higher end you can also use iSCSI for low cost clustering solutions and disaster recovery.

In the past this was usually done with special hardware and Fibre Channel cabling, whereas with iSCSI you can leverage your existing network infrastructure. It should be noted that, depending on the network load and the performance requirements of your servers, this can be drastically slower than the dedicated options. For a high-performance production application you can still use iSCSI, but I would set it up on its own network at 1 Gbit/s or faster. A dedicated storage network is also the first line of defence: every host on the same segment can talk to the target on port 3260.

How Does iSCSI Work? 

 

There are two parts to the iSCSI protocol, the first being clients and the second being storage devices.
Clients are called iSCSI initiators and can be configured either using hardware or software solutions. As I mentioned earlier this functionality is already built into Vista and Server 2008, so we will not have to add any software/hardware to these machines.
The storage devices are called iSCSI targets and must be running some type of software/hardware to receive the incoming requests from the iSCSI initiators. Luckily FreeNAS has the ability to create iSCSI drives as part of its core package so I am going to use the FreeNAS server I used in a past demo.

Setup iSCSI Target Drive on FreeNAS Server

I'm going to use FreeNAS as the iSCSI target, and if you want to follow along with this demo it is imperative that you have one set up as well.
If you don't, read how to set up a FreeNAS server in Part 1 and then come back to this article for the next steps.

This demo assumes that the hard drives are installed in the server but NOT yet added in the FreeNAS interface.

You must add a second hard disk (or partition) to use as the iSCSI storage disk.
I have added one more virtual hard disk to my VMware Workstation virtual machine.

NOTE: The same steps apply when configuring iSCSI in a VMware vSphere environment.

First, we will add a new HDD to the FreeNAS VM.

Open the Settings Wizard of the FreeNAS VM


 In the "Add Hardware Wizard", select the Hard Disk and click Next


Select "Create New Virtual Disk" and click Next


 Select "SCSI" and click Next


Specify the size of the new disk. I gave it 20 GB; size it to suit your needs.

NOTE: The space you provide here becomes the iSCSI storage, so plan and provision accordingly.


Click FINISH when done


The best part of FreeNAS is that the newly added disk automatically shows up in the FreeNAS web console, as shown below:


We now Create the volume as shown below:
Storage –> Volumes –> Create Volume 


Select the disk you want to add to the volume, provide a volume name (testvolume), select ZFS as the filesystem type and, when done, click Add Volume.


 You should see the new volume as shown below:



To configure iSCSI, go to Services –> iSCSI 

If you like you can change the 'Target Global Base Name' under the iSCSI settings; otherwise leave the example name. I changed it to iqn.2011-03.test.


Next add a portal. You can leave the default or enter the IPv4 address of the FreeNAS VM. In my case it is 192.168.2.155, so I could put 192.168.2.155:3260 in the portal field, but I left the default, 0.0.0.0:3260, which listens on every interface. On a server with more than one network, bind the portal to the storage-network address instead so the target is not reachable from the others.


Add the Authorized Initiator now.

You can go with the default option 'ALL', but if you need more security restrict the Authorized network to the storage subnet, e.g. 192.168.2.0/24 (a network is written with its network address and prefix, not with a host address such as 192.168.2.155). Keep in mind that with ALL initiators allowed and no CHAP authentication configured, any host that can reach port 3260 can log in to the target and read or write the LUN.


Now we need to create Targets and Extents and match them under Associated Targets.

NOTE: We have to repeat the same steps for each iSCSI disks we are going to create.

Create a target first:


Specify the target name (disk1), the Type (Disk), the Target Flags (read-write), the Portal Group ID and the Initiator Group ID.

NOTE: If you have multiple HDDs, then do the same step again for second target


Add Extents now.


Provide an extent name (extent1).

The 'Path to the extent' field should contain the volume created earlier (testvolume) followed by the extent file name. I allocated 17 GB, as below.

NOTE: Do the same for the second extent if you are creating two iSCSI disks in FreeNAS.


Go to 'Associated Targets' and match the targets and extents created earlier.


We are almost done, but the important part is still pending: enabling the iSCSI service, which is disabled by default in FreeNAS 8.

Go to 'Services' and click the OFF switch next to iSCSI to turn it ON.



Your iSCSI disks in FreeNAS are now ready to be connected from other hosts.

Configuring FreeNAS 8 for iSCSI on VMware vSphere 5 part 1

FreeNAS is a NAS (Network Attached Storage) server OS based on FreeBSD 8 that supports a wide range of technologies. FreeNAS 8 features a ground-up redesign of the web user interface.


No mess, no fuss: your server is easily controlled from any web-enabled device. Configuration is straightforward and simple, and you can make your changes on the fly. One of FreeNAS 8's most important features is full support for the ZFS filesystem.

ZFS includes data integrity protection, practically unlimited size caps, cloneable snapshots, automatic repair, RAID-Z, and more. ZFS is fully open-source, and is a great way to store and manage your important files.

10Gig Ethernet drivers are included in FreeNAS™ 8. If you’ve got onboard 10GigE, or better yet, a 10GigE card, FreeNAS™ 8 becomes screamingly fast when transferring files. This is especially noticeable for video streaming, and multiple simultaneous connections.

If your data is somehow lost, FreeNAS makes it easy to restore from a previously generated snapshot. With the periodic snapshots feature you can worry less about accidental deletion or corruption. A snapshot takes far less time than a full backup, but remember that it lives on the same pool as the data it protects: a continuous set of snapshots guards against mistakes, not against loss of the pool or the server, so keep a real backup elsewhere as well.

So lets get started..

Firstly, download the latest edition of FreeNAS from the FreeNAS website.
NOTE: For this tutorial I used FreeNAS v8.0.4.

Create a simple new virtual machine in VMware Workstation.
NOTE: The same installation steps apply to VMware vSphere environments.

In the "New Virtual Machine Wizard", specify the path to your FreeNAS ISO in "Installer disc image file" and click Next.

Select Operating System as “Other” & Version as “FreeBSD 64-bit” & click next.

Specify the disk size. You can give it a minimalistic HDD size. I gave it 5 GB. This is just going to be used for the installation of the OS. 

In the following parts I will add one more hard disk to the FreeNAS server for additional storage; that is the disk exported over iSCSI in Part 2.

Set at least 256 MB of memory for the VM; 512 MB is recommended.

Once done, Power ON the VM

You can go with the default option 1. If you don't choose anything, FreeNAS boots automatically.

Select the Install option in next screen. 


FreeNAS 8 can be installed on any of the disks. As we only have a single disk (5 GB), we install the OS on it.


Proceed with the installation as shown. This will basically format the disk for installing the OS. 


 Once installed, it will prompt you to REBOOT the VM


Select option 3 and hit OK 


Once the reboot completes, you will be shown the URL to access the web console


Log in to FreeNAS. The default username for GUI access is admin and the password is freenas.

Make sure the VM's network adapter is connected and on a network where host and guest can communicate. In our case we used a Bridged network for the VM.

Once you have logged in, FreeNAS prompts you to change the admin password with an ALERT in the top right corner of the browser, as shown:


Click on My Account --> Change Admin Password.
Provide the old password "freenas" and a new one of your choice. Do this before the web interface is reachable from anything other than your own workstation; the default credentials are public knowledge.



That's the end of How to Install FreeNAS 8 on VMware.

FreeNAS is an ideal way to turn an old computer or a virtual machine into storage for production and test environments.

Thursday, October 17, 2013

Securing the data of a PHP website on Linux shared hosting

Open-source web applications are booming today, with PHP and MySQL the most common combination. But as the technology spreads, so do young "hackers" eager to prove themselves after reading the attack and exploitation walkthroughs that fill hacker forums.
Any website can be attacked at any time. This is especially true of personal sites and small or medium-sized organisations, which usually choose shared hosting on a single server. Because many shared-hosting accounts live on the same machine, isolation between them is weak, so hardening a website on shared hosting is essential.

1. Sensible permissions

A. About chmod:
chmod sets the access rights of a file or directory for each class of user, much like the attributes set with the attrib command in DOS.
+ The user classes are: Owner - Group - World
- Owner: the account that "owns" the hosting space.
- Group: a group of users.
- World: anyone else.
+ The rights chmod can grant:
- Read (r = 4)
- Write (w = 2)
- Execute (x = 1)
Example: chmod 751 = rwxr-x--x
+ How to run chmod: see the chmod documentation.
B. Which chmod values are safe:
The most restrictive scheme:
- chmod 404 (read only) on all files.
- chmod 101 (execute/traverse only) on all directories.
- chmod 501 on /public_html/.
None of these grant write access, so the site layout cannot be modified, and the directory and file structure cannot be listed. These are about the tightest permissions under which web applications such as forums, music sites and news sites still run normally. Note the price: with directories at 101 even you, the owner, cannot list them, and with files at 404 you cannot edit them, so chmod them back before uploading changes. Any directory the application genuinely must write to (uploads, cache, sessions) needs write permission added back selectively; see section 6. Not every server lets you set these values; if your FTP client cannot apply them, use the following instead:
- chmod 704 (read only) on all files.
- chmod 701 (execute only) on all directories.
Note: cPanel 11 ships File Manager V3, which is good for bulk chmod and can set files to 404 and directories to 101.

2. "Hiding" - hide the path

When you sign up for hosting, the primary domain is usually pointed straight at /public_html/. That makes it easy for an attacker to guess the location of the site's important files (a forum's config.php, for example), and once they have read it, the database login details of the site are in the wrong hands. How bad can that get?
To avoid this, ask the hosting provider to create the account without a primary domain and attach the domain yourself with the add-on domain function. When adding the domain there is a field for the directory the domain will point to once attached, as in the picture:
Example: /public_html/folder1/folder2/folder3/forum/
After you click Add, the directories folder1, folder2, ..., forum are created automatically. Now apply the chmod scheme above to folder1, folder2 and so on to hide the site's path on the server. This is obscurity, not protection: an attacker who can read files through a flaw in the application, or who sees a PHP error message with the full path, still finds it. Treat it as a supplement to the other steps.

3. Don't display errors

When an error occurs, PHP prints a message to the browser that names the file, the line number and the file's path, which is dangerous. To hide errors, create a php.ini with the following content:
display_errors = Off
log_errors = On
Then upload it to the directory holding the website. Tip: put this php.ini in every directory users reach directly with a browser, typically the web root, the admin directory, the user directory and so on. With log_errors on, also point error_log at a file outside the web root; otherwise the log, with the same paths and details, may itself be downloadable.

4. Enable safe_mode and disable dangerous functions

Add or edit the following two lines in php.ini:
disable_functions = passthru, system, shell_exec, exec, dir, readfile, virtual,proc_terminate
safe_mode = On
Note: you can remove functions from the list if your website needs them. Two caveats: the directive is spelled safe_mode with an underscore (a line reading "safe-mode" is simply ignored), and safe_mode was deprecated in PHP 5.3 and removed in 5.4, so on current hosts only disable_functions does anything. Webshells lean heavily on proc_open and popen as well, so consider adding them, and be aware that disabling readfile breaks many legitimate applications.

5. Permissions of the MySQL database account

When creating a user for database access, remember:
- Do not reuse the hosting account's username and password for the database user.
- Do not grant DROP, as in the picture. Grant only the statement privileges the application actually uses (typically SELECT, INSERT, UPDATE and DELETE).

6. Avoid chmod 777 on files and directories

Sometimes an application asks you to chmod 777 a file or directory for some task. Remember to chmod it back once the task is done: 777 lets any other user on the server, and the web server itself, write there.
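The permission scheme from section 1 and the chmod 777 warning from section 6, as an added shell example that is not part of the original post. The document-root paths are assumptions for illustration; harden_perms applies 404/101/501 exactly as described, find_world_writable spots 777 leftovers, and relax_perms restores the usual 644/755 so you can edit again. Run the scan before hardening: once directories are 101, nothing can list them.

```shell
#!/bin/sh
# Added example (not from the original post): apply the read-only permission
# scheme of section 1 to a document root, and find the chmod 777 leftovers
# section 6 warns about. Paths passed in are assumptions for illustration.

# Octal mode of a path (GNU stat; on BSD/macOS use `stat -f %OLp` instead).
mode_of() {
    stat -c %a "$1"
}

# List every file or directory under $1 that is world-writable (777, 666, ...).
# Run this BEFORE hardening: once directories are 101 their contents cannot be
# listed any more, not even by the owner.
find_world_writable() {
    find "$1" -perm -0002
}

# Section 1 scheme: files 404 (r-----r--), directories 101 (--x-----x), and
# the document root itself 501 (r-x-----x). Files are done first and
# directories depth-first, because a directory that has already lost its read
# bit cannot be traversed by find.
harden_perms() {
    root="$1"
    find "$root" -mindepth 1 -type f -exec chmod 404 {} +
    find "$root" -mindepth 1 -depth -type d -exec chmod 101 {} +
    chmod 501 "$root"
}

# Undo before editing or uploading: give the owner read+write back top-down
# (chmod -R changes each directory before descending into it), then settle on
# the usual 644 for files and 755 for directories.
relax_perms() {
    root="$1"
    chmod -R u+rwX "$root"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# When run directly with a document root, show the 777 scan and then harden.
if [ "$#" -ge 1 ]; then
    echo "World-writable entries under $1 (re-grant write only where needed):"
    find_world_writable "$1"
    harden_perms "$1"
    echo "Mode of $1 is now $(mode_of "$1")"
fi
```

Usage: `sh harden.sh /home/user/public_html` (path is an example). Because the hardened tree cannot be listed by its owner, the script records nothing it cannot recover: relax_perms relies only on chmod -R, which changes a directory's mode before it descends into it.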

7. Encode files containing sensitive information

Files containing database connection details, such as config.php, can be encoded with PHP base64 encoding or with the Zend Guard product from www.zend.com. For base64 encoding, search Google for "base64 encode"; one site that base64-encodes a PHP file is http://dnstools.it-4vn.com/phpencode.php
Be clear about what this buys you: base64 is an encoding, not encryption. Anyone who can read the file decodes it in one line, so it only defeats a casual glance. And pasting your real config.php into a third-party website hands your database credentials to whoever runs that site; if you encode at all, do it locally on your own machine.

8. Prevent source code download when the server has problems

Create a .htaccess file with the following content:

Order Allow,Deny
Deny from All
The purpose is to stop the source code being downloaded when PHP is overloaded or terminated and Apache falls back to serving .php files as plain text. The cause may be internal or external; I won't go into it here. Note that, as written, these directives deny all HTTP access to the directory, so they belong in directories that browsers never request directly (include and configuration directories), not in the web root itself. On Apache 2.4 the equivalent directive is Require all denied.

9. Disable PHP execution in a chosen directory

If you have an upload directory, disable the parsing and execution of PHP code there, because an attacker can abuse the upload feature to plant a malicious script (a webshell) on your host. Create a .htaccess in that directory with the following content:
php_flag engine off
Then chmod 444 the file. Note: php_admin_flag is only accepted in the main server or virtual-host configuration; inside a .htaccess file the directive must be php_flag. Either form only works when PHP runs as an Apache module. When PHP runs as CGI or FastCGI, which is common on shared hosts, it has no effect; there you should remove the PHP handler for that directory instead (for example RemoveHandler .php) or deny requests for script files in it. Whatever the mechanism, verify it: upload a harmless test.php and confirm the browser receives its source or a 403, not its output.

10. Keep the website updated and patched, choose a reasonably strong admin password, and contact the hosting provider to fix issues on their side.

Final notes:
- The php.ini discussed above only affects the directory that contains it; directories without one are governed by the server's php.ini. This per-directory behaviour applies when PHP runs as CGI/suPHP; with PHP as an Apache module, per-directory settings go in .htaccess as php_flag/php_value lines instead.
- The php.ini and .htaccess files should be chmod 444 to protect the configuration.

Friday, May 3, 2013

Download YouTube videos with youtube-dl

Installation and usage

1. install youtube-dl
sudo apt-get update && sudo apt-get install youtube-dl
2. Use this command to download a video from YouTube
youtube-dl -o [name of output file] [YouTube URL]
3. To view all youtube-dl options, run
man youtube-dl
To quit the manual press the q key

Examples

1. Download the classic FLV version and save it as file.flv
youtube-dl -o file.flv "http://www.youtube.com/watch?v=Y54ABqSOScQ"
 
2. Download the Full HD MP4 version (format code 37) and save it as file.mp4
 
youtube-dl -o file.mp4 -f 37 "http://www.youtube.com/watch?v=Y54ABqSOScQ"

The "Comparison of YouTube media types" table on Wikipedia lists the format codes used with -f.

Installing FFMPEG on CentOS with ATRPMS repo

  1. Import Key
    rpm --import http://packages.atrpms.net/RPM-GPG-KEY.atrpms
    (The key is fetched over plain HTTP, so compare its fingerprint with the one the project publishes before trusting packages signed with it.)
     
  2. Create repo file
    vim /etc/yum.repos.d/atrpms.repo
    
    [atrpms]
    name=Fedora Core $releasever - $basearch - ATrpms
    baseurl=http://dl.atrpms.net/el$releasever-$basearch/atrpms/stable
    gpgkey=http://ATrpms.net/RPM-GPG-KEY.atrpms
    gpgcheck=1
    enabled=0
    
    [atrpms-testing]
    name=Fedora Core $releasever - $basearch - ATrpms
    baseurl=http://dl.atrpms.net/el$releasever-$basearch/atrpms/testing
    gpgkey=http://ATrpms.net/RPM-GPG-KEY.atrpms
    gpgcheck=1
    enabled=0
     
    
  3. Install from ATrpms. Enable only the stable repository; the wildcard atrpms* would also pull in atrpms-testing:
    [root@computer ~]# yum --enablerepo=atrpms install ffmpeg

Thursday, May 2, 2013

NGINX location priority rules


NGINX is great. Fast, efficient, etc. But the “location” rules are a bit cryptic and not very well explained in the manuals.

There are four kinds of location block, and nginx evaluates them in this order:

1: Exact matches
There can be only one exact match for a given URI, and it wins outright:
location = /foo/bar {
# exact match
}

2: High priority prefix
Of all the prefix locations (this kind and kind 4), the longest one that matches is remembered. If that longest prefix is marked ^~, the regex locations are skipped and it is used:
location ^~ /foo {
# request beginning with /foo; regexes are not consulted when this is the longest matching prefix
}

3: Regex
Checked in the order they appear in the configuration; the first one that matches wins. There are two variants:
location ~ \.foo$ {
# case-sensitive regex
}
location ~* \.foo$ {
# case-insensitive regex
}
(Escape the dot: an unescaped . matches any character, so ~ .foo$ would also match /barfoo.)
4: Low priority prefix
Used only when no regex matched; among plain prefixes the longest match wins:
location /foo {
# request beginning with /foo
}
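The selection rules above, as an added example that is not part of the original post: a small POSIX-shell model of nginx's location matching, run against two constructed location tables. It demonstrates the case that bites most often in practice: with a plain location /uploads prefix, a location ~ \.php$ regex still wins for /uploads/shell.php and hands an uploaded file to the PHP handler; marking the prefix ^~ stops the regex pass. The location tables and URIs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a POSIX-shell model of how nginx
# chooses a location block, used to show why an uploads prefix needs "^~".
# Each configuration is a list of "modifier|pattern" lines in file order; an
# empty modifier is a plain prefix. Both configs are constructed for this demo.

CONF_WEAK='=|/
|/
|/uploads
~|\.php$'

CONF_FIXED='=|/
|/
^~|/uploads
~|\.php$'

# resolve CONFIG URI: print the winning "modifier|pattern".
# nginx rules: an exact (=) match wins outright. Otherwise the longest matching
# prefix is remembered; if it is marked ^~ the regexes are skipped. Otherwise
# the regexes are tried in file order and the first match wins; if none
# matches, the remembered prefix is used.
resolve() {
    conf="$1"; uri="$2"
    best=""; best_len=0; best_stop=0
    while IFS='|' read -r mod pat; do
        [ -n "$pat" ] || continue
        case "$mod" in
            '=')
                if [ "$uri" = "$pat" ]; then
                    printf '%s|%s\n' "$mod" "$pat"
                    return 0
                fi ;;
            ''|'^~')
                case "$uri" in
                    "$pat"*)
                        if [ "${#pat}" -gt "$best_len" ]; then
                            best="$mod|$pat"; best_len=${#pat}
                            [ "$mod" = '^~' ] && best_stop=1 || best_stop=0
                        fi ;;
                esac ;;
        esac
    done <<EOF
$conf
EOF
    if [ "$best_stop" -eq 0 ]; then
        while IFS='|' read -r mod pat; do
            case "$mod" in
                '~')  flags='-Eq' ;;
                '~*') flags='-Eiq' ;;
                *)    continue ;;
            esac
            if printf '%s\n' "$uri" | grep $flags -- "$pat"; then
                printf '%s|%s\n' "$mod" "$pat"
                return 0
            fi
        done <<EOF
$conf
EOF
    fi
    printf '%s\n' "$best"
}

# Demo on constructed URIs: the uploaded "shell.php" goes to the PHP regex
# under CONF_WEAK but stays in the static /uploads block under CONF_FIXED.
for u in / /about /index.php /uploads/shell.php /uploads/readme.txt; do
    printf '%-22s weak -> %-12s fixed -> %s\n' "$u" \
        "$(resolve "$CONF_WEAK" "$u")" "$(resolve "$CONF_FIXED" "$u")"
done
```

The model only covers the four kinds discussed above (named locations, nested locations and the trailing-slash redirect special case are left out), which is enough to reason about which handler a request for an uploaded file reaches.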

Tuesday, April 23, 2013

Backing Up The Database via SSH/Telnet



In order to back up your database via SSH or Telnet you will require 2 things:

1) SSH or Telnet access to your site. Check with your hosting company whether it is available, and prefer SSH: Telnet sends your login and everything you type in clear text.

2) An SSH/Telnet client, such as PuTTY.

Open your client and log into your website. The command prompt you see varies by OS.
With most hosting companies this lands you in the FTP root folder, which is often also the web root, so a dump written there can be fetched by anyone who guesses its name. Prefer the separate-directory form below with a path outside the document root.

Type in the following to create a backup in the current directory:

mysqldump --opt -Q -u dbusername -p databasename > backupname.sql

Or to create a backup in a separate directory (signified by /path/to/) type:

mysqldump --opt -Q -u dbusername -p databasename > /path/to/backupname.sql

You will be prompted for the database password. Enter it and the database is dumped. Leave -p without a value: typing the password on the command line (-pSECRET) shows it to every other user on the shared host via ps and leaves it in your shell history. For unattended backups put it in a ~/.my.cnf [client] section with mode 600 instead.

If your hosting company has you on a remote MySQL server, such as mysql.yourhost.com, you will need to add the servername to the command line. The servername will be the same as in your config.php. The command line will be:

Current directory:

mysqldump --opt -Q -h servername -u dbusername -p databasename > backupname.sql

Separate directory:

mysqldump --opt -Q -h servername -u dbusername -p databasename > /path/to/backupname.sql

You can then download the backup to your computer (over SCP/SFTP rather than FTP) and remove it from the server.

Thursday, April 18, 2013

SSH Tunnel in 30 Seconds (Mac OSX & Linux)



Some days, I wonder why VPN’s are really necessary when we can just use an SSH tunnel.
If you’re on Mac or a flavour of Linux, this SSH tunnelling tutorial is for you.
"A secure shell (SSH) tunnel consists of an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel." - Wikipedia

Launch an SSH tunnel

To initiate your SSH tunnel, open Terminal on Mac OSX / Linux and connect to your remote server via SSH with the following flags:

ssh -D 8080 -C -N -p 5050 username@example.com

This opens a SOCKS proxy on local port 8080 (bound to 127.0.0.1, so only programs on your own machine can use it) and relays whatever is sent to it through the encrypted SSH connection to example.com, whose SSH daemon here listens on port 5050 rather than the default 22. -C compresses the traffic and -N opens no remote shell. Only applications you point at the proxy are tunnelled, not "all traffic"; anything else on the machine still goes out directly.

Browse the Web with Your SSH Tunnel (Chrome)

Now, let’s start browsing the web using our new SSH tunnel.
Mac OSX:
  1. Open Google Chrome
  2. Select 'Chrome' at the top left
  3. Select 'Preferences'
  4. Select 'Show advanced settings...'
  5. Select 'Change proxy settings...'
  6. Select 'SOCKS Proxy'
  7. Enter '127.0.0.1'
  8. Enter port '8080'
  9. Save changes by selecting 'OK'
Fedora Linux:
  1. Open Google Chrome
  2. Select the wrench icon at the top right
  3. Select 'Settings'
  4. Select 'Show advanced settings...'
  5. Select 'Change proxy settings...'
  6. Select 'SOCKS Proxy'
  7. Enter '127.0.0.1'
  8. Enter port '8080'
  9. Save changes by selecting 'OK'
Search Google for 'my ip' and take a look at what your IP address is now. Cool, right? Also check where your DNS lookups go: a SOCKS proxy only carries name resolution if the browser is configured to resolve through it (in Firefox the setting is network.proxy.socks_remote_dns); otherwise your local resolver still sees every hostname you visit.

Exiting the SSH Tunnel

To stop using the tunnel, disable the SOCKS proxy in your browser and then end the ssh session (Ctrl-C in the terminal running it); turning off the proxy alone leaves the tunnel and its listening port open.
Hope this helps, let me know if you have any suggestions in the comments below!


Friday, January 25, 2013

Install VPN PPTP Server on CentOS 6

Before you start, a warning: PPTP's MS-CHAPv2 authentication is cryptographically broken (a captured handshake can be cracked offline to recover the MPPE keys), so treat this as a lab exercise and use IPsec/IKEv2 or OpenVPN for anything you need to protect.

1. Install ppp via yum:
$ yum install ppp -y

2. Download and install pptpd (the Point-to-Point Tunneling Protocol daemon). The correct package for your release is at http://poptop.sourceforge.net/yum/stable/packages/ :
$ wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-2.el6.x86_64.rpm
$ rpm -Uhv pptpd-1.3.4-2.el6.x86_64.rpm

3. Once installed, open /etc/pptpd.conf in a text editor and add the following lines:
localip 192.168.5.1
remoteip 192.168.5.100-200
Note: 192.168.5.1 is not the server's real address. It is the address the server takes on its end of each PPP link, and the remoteip range is what connecting clients are given.

4. Open /etc/ppp/options.pptpd, check the authentication method and encryption settings already present, and add the DNS servers pushed to clients:
 
ms-dns 8.8.8.8
ms-dns 4.2.2.1 

5. Lets create user to access the VPN server. Open /etc/ppp/chap-secrets and add the user as below:
vpnuser pptpd password *

The format is: [username] [space] [server] [space] [password] [space] [IP addresses]; a * in the last field lets the client take any address from the remoteip pool.

6. Allow IP packet forwarding on this server. Open /etc/sysctl.conf in a text editor and set:
net.ipv4.ip_forward = 1

7. Run the following command to apply the change:
$ sysctl -p

8. Allow IP masquerading in iptables. Replace eth0 with your Internet-facing interface, and restrict the rule to the VPN pool so the box does not NAT for arbitrary sources:
$ iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -o eth0 -j MASQUERADE
$ service iptables save
$ service iptables restart
$ chkconfig iptables on 

Update: once step 8 is done, check the rules in /etc/sysconfig/iptables. The default CentOS 6 ruleset ends the FORWARD chain with a REJECT rule, so VPN traffic is only forwarded if rules accepting traffic to and from the ppp+ interface sit above it; the INPUT chain must also accept TCP port 1723 and GRE (protocol 47) from clients.

9. Turn on the pptpd service at startup
$ chkconfig pptpd on

$ service pptpd start

Once the server is online after a reboot, you should be able to connect from a PPTP client. You can monitor /var/log/messages for ppp and pptpd log entries. Cheers!