
Sunday 29 May 2016

How To Import PFX Certificate File In IIS Server

Import PFX Certificate File In IIS


Q. What is a PFX File?

-- Personal Information Exchange Format (PFX) enables transfer of certificates and their private keys from one computer to another or to removable media. The Microsoft Windows CryptoAPI uses the PFX format, also known as PKCS #12. Export the certificate and key file together to PFX format using OpenSSL.

Step: 1. First Go To Start Menu & Click Run or Simply Press Win+R & Type "mmc" & Press OK button.


Step: 2. Microsoft Management Console (MMC) Wizard Will Appear. Click on File Menu & Then click "Add/Remove Snap-in".


Step: 3. Select "Certificates" & Click Add.


Step: 4. Select "Computer Account" & Click on Next.


Step: 5. Select "Local Computer" & Click on Finish.


Step: 6. Finally, Click OK.


Step: 7.  Now, Expand "Certificates" & Right Click on "Personal". Then go to "All Tasks" & Click "Import".


Step: 8. Certificate Import Wizard will Appear & Click Next.


Step: 9. Click on "Browse".


Step: 10. Select Certificate Type in Drop down List. Select "All Files" Or You can use "Personal Information Exchange".


Step: 11. Select Your .pfx File & Click Open.


Step: 12. Click on Next.



Step: 13. Enter the Password of the .pfx File, Check "Mark this Key as Exportable..." & "Include all Extended properties" & Click Next.


Step: 14. Select "Automatically select the Certificate store..." & Click Next.


Step: 15. Complete the Certificate Import Wizard by Clicking Finish.



Step: 16. Click OK. Refresh the MMC Panel to view the Newly Imported Certificate.



Step: 17. Now, Go to IIS Management Console & Bind the SSL Certificate.

Thanks For Visiting on My Blog, For More Tutorials Keep Visiting My Blog


Sunday 22 May 2016

How To Configure NFS Server With Client on RHEL/CentOS 6x

How To Configure NFS Server With Client on RHEL/CentOS 6x

Q. What is NFS?

-- NFS stands for Network File System, a file system developed by Sun Microsystems, Inc. It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory. For example, if you were using a computer linked to a second computer via NFS, you could access files on the second computer as if they resided in a directory on the first computer.

Scenario :

192.168.100.220    ser1.domain.com    (NFS Server)
192.168.100.221    ser2.domain.com    (NFS Client)

Used Ports :

TCP: 111, 2049
UDP: 111, 32806

Here :
/assets and /var/www/html/domain.com/assets

These are the two directories that are going to be shared via NFS.

Step: 1. Install NFS Server ( On Server) :

# yum -y install nfs-utils rpcbind

Step: 2. Configure NFS Server :

# vi /etc/exports

# Access For All :
/assets      *(rw,async)
/var/www/html/domain.com/assets     *(rw,async)

OR

# Access For Particular Network :
/assets      192.168.100.0/24(rw,async)
/var/www/html/domain.com/assets     192.168.100.0/24(rw,async)

-- Save & Quit (:wq)

Important Note :
============



Step: 3. To Execute the Changes made on /etc/exports :
   
# exportfs -ar

Step: 4. Restart the NFS Service :
   
# service rpcbind restart
# service nfs restart
# service nfslock restart

# chkconfig rpcbind on
# chkconfig nfs on
# chkconfig nfslock on

Step: 5. Install NFS on Client Machine :

# yum -y install nfs-utils rpcbind

Step: 6. Configure NFS Client :

# showmount -e NFS_Server_IP_Address

Export list for 192.168.100.220:
/assets 192.168.100.221
/var/www/html/domain.com/assets 192.168.100.221


Step: 7. Create a new Directory on your Client & Mount the NFS Export to the Directory :
   
# mkdir /assets
# mkdir -p /var/www/html/domain.com/assets
# mount -t nfs 192.168.100.220:/assets /assets
# mount -t nfs 192.168.100.220:/var/www/html/domain.com/assets /var/www/html/domain.com/assets

Step: 8. Restart the NFS Service :

# service rpcbind restart
# service nfs restart
# service nfslock restart

# chkconfig rpcbind on
# chkconfig nfs on
# chkconfig nfslock on

Step: 9. Finally, Mount NFS Directory Permanently on your System across the Reboots :

# vi /etc/fstab

192.168.100.220:/assets    /assets    nfs    defaults 0 0
192.168.100.220:/var/www/html/domain.com/assets   /var/www/html/domain.com/assets  nfs defaults 0 0

-- Save & Quit (:wq)

Step: 10. After any subsequent Server reboots, You can use a Single Command to mount Directories specified in the fstab file :

# mount -a

Step: 11. Now You can check the Mounted Directories :

# df -h -F nfs

Important commands for NFS :
  1. showmount -e : Shows the available shares on your local machine
  2. showmount -e <server-ip or hostname>: Lists the available shares at the remote server
  3. showmount -d : Lists all the sub directories
  4. exportfs -v : Displays a list of shared files and options on a server
  5. exportfs -a : Exports all shares listed in /etc/exports, or given name
  6. exportfs -u : Unexports all shares listed in /etc/exports, or given name
  7. exportfs -r : Refresh the server’s list after modifying /etc/exports
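
The two /etc/exports variants in Step 2 differ in who may mount the share and write to it. As an added example (not part of the original tutorial), the script below audits an exports file for a `*` client with `rw`, for `no_root_squash`, and for `async`. The sample file is constructed: `/backup` and `/pub` are hypothetical shares, and the function names are chosen here.

```bash
#!/bin/bash
# Added example: flag risky client specs and options in an exports(5) file.

# Constructed sample: the first two entries are the variants from Step 2,
# /backup and /pub are hypothetical shares added for contrast.
write_sample_exports() {
    cat > "$1" <<'EOF'
# Access for all
/assets      *(rw,async)
# Access for a particular network
/var/www/html/domain.com/assets     192.168.100.0/24(rw,async)
/backup      192.168.100.221(rw,sync,no_root_squash)
/pub         192.168.100.221(ro,sync)
EOF
}

# audit_exports FILE -> prints one "FINDING path client" line per problem
audit_exports() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {         # one field per client(options)
            p = index($i, "(")
            if (p == 0) { client = $i; opts = "" }
            else { client = substr($i, 1, p - 1); opts = substr($i, p + 1) }
            sub(/\)$/, "", opts)
            if (client == "") client = "*"  # "(rw)" with no host = any host
            rw = 0; nrs = 0; async = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash") nrs = 1
                if (o[j] == "async") async = 1
            }
            # any host that can reach the server may mount and write
            if (client == "*" && rw) print "WORLD_RW", path, client
            # root on the client keeps uid 0 on the share
            if (nrs) print "NO_ROOT_SQUASH", path, client
            # writes are acknowledged before they reach disk
            if (async) print "ASYNC", path, client
        }
    }' "$1"
}

tmp=$(mktemp)
write_sample_exports "$tmp"
audit_exports "$tmp"
rm -f "$tmp"
```

On a real server, pass /etc/exports to `audit_exports` and compare the findings with `exportfs -v`, which shows the options actually in effect.
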
Thanks For Visiting on My Blog, For More Tutorials Keep Visiting My Blog

Thursday 19 May 2016

How To Configure Mod_Security & Mod_Evasive on CentOS/RHEL 6x

How To Configure Mod_Security & Mod_Evasive on CentOS/RHEL 6x


Q. What is Mod_Security?

Mod_Security is an open source web application firewall (WAF) and intrusion detection and prevention system for web applications. It is used to protect and monitor real-time HTTP traffic and web applications from brute force attacks.

Q. What is Mod_Evasive?

Mod_Evasive is an open source evasive maneuvers system for the Apache server that provides evasive action in the event of an HTTP brute force, DoS or DDoS attack. It was designed to be used as a network traffic detection and network management tool and can be easily configured and integrated into firewalls, ipchains, routers etc. Presently, it sends abuse reports via email and syslog facilities.

Step: 1. Installing Dependencies for mod_security :

# yum -y install gcc make wget
# yum -y install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel

Step: 2. Installing Mod_Security :

# cd /usr/src
# wget http://www.modsecurity.org/download/modsecurity-apache_2.6.6.tar.gz
# tar xzf modsecurity-apache_2.6.6.tar.gz
# cd modsecurity-apache_2.6.6
# ./configure
# make install
# cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

Step: 3. Downloading OWASP Mod_Security Core Rule Set :

# cd /etc/httpd/
# wget http://pkgs.fedoraproject.org/repo/pkgs/mod_security_crs/modsecurity-crs_2.2.5.tar.gz/aaeaa1124e8efc39eeb064fb47cfc0aa/modsecurity-crs_2.2.5.tar.gz
# tar xzf modsecurity-crs_2.2.5.tar.gz
# mv modsecurity-crs_2.2.5 modsecurity-crs
# cd modsecurity-crs
# cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Step: 4. Configuring Mod_Security :

# vi /etc/httpd/conf/httpd.conf

Search for the LoadModule lines in your httpd.conf and add the line below at the bottom.

LoadModule security2_module modules/mod_security2.so

Uncomment this Module :

LoadModule unique_id_module modules/mod_unique_id.so

Now set the basic rule set in your httpd.conf file. Add the following lines of code at the end of the file :

<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_setup.conf
    Include modsecurity-crs/base_rules/*.conf
</IfModule>

-- Save & Quit (:wq)

Step: 5. Restart Apache Server :

# service httpd restart

How to Install Mod_Evasive in RHEL/CentOS

Step: 1. Installing Mod_Evasive :

# cd /usr/src
# wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
# tar xzf mod_evasive_1.10.1.tar.gz
# cd mod_evasive
# apxs -cia mod_evasive20.c

Step: 2. Configuring Mod_Evasive :

# vi /etc/httpd/conf/httpd.conf

By default the installation adds the following mod_evasive line to your Apache configuration file. Verify that a line similar to the one below is present. If it is not, add it to your httpd.conf file.

LoadModule evasive20_module   /usr/lib64/httpd/modules/mod_evasive20.so

Now add the mod_evasive configuration parameters to your Apache configuration at the end. Replace someone@somewhere.com with your Email Id to get email alerts.

<IfModule mod_evasive20.c>
        DOSHashTableSize    3097
        DOSPageCount        2
        DOSSiteCount        50
        DOSPageInterval     1
        DOSSiteInterval     1
        DOSBlockingPeriod   60
        DOSSystemCommand  "echo 'My Organization-mod_evasive HTTP Blacklisted %s on your_hostname (192.168.100.220) more info here: http://www.whatismyipaddress.com/ip/%s' | mail -s 'My Organization Banned IP by mod_evasive on your_hostname' -r myapache@domian.com someone@somewhere.com"
</IfModule>

-- Save & Quit (:wq)

Step: 3. Next restart the Apache service to Update Changes :

# service httpd restart

Thanks For Visiting on My Blog, For More Tutorials Keep Visiting My Blog

Sunday 15 May 2016

Install & Configure Memcached With phpMemcachedAdmin on CentOS/RHEL 6x

Install & Configure Memcached With phpMemcachedAdmin on CentOS/RHEL 6x

Q. What Is Memcached ?

-- Memcached is a general-purpose distributed memory caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read.

Step: 1. Bind Hosts File :

# vi /etc/hosts

192.168.72.141    memcache.domain.com    memcache

-- Save & Quit (:wq)

Step: 2. Disable Selinux & Stop Firewall :

# vi /etc/sysconfig/selinux

SELINUX=disabled

-- Save & Quit (:wq)

# service iptables stop
# chkconfig iptables off

Step: 3. Reboot the System :

# init 6

Step: 4. Configure EPEL Repo :

# yum -y install epel-release

Step: 5. Install Apache Server :

# yum -y install httpd httpd-devel

Step: 6. Install PHP :

# yum -y install php php-mysql php-common php-gd php-mbstring php-mcrypt php-devel php-xml php-xmlrpc php-snmp

Step: 7. Install Memcached :

# yum -y install memcached

Step: 8. Configure Memcached :

# vi /etc/sysconfig/memcached

# Running on Port 11211
PORT="11211"

# Start as memcached daemon
USER="memcached"

# Set max simultaneous connections to 1024
MAXCONN="1024"

# Set Memory size to 2048 - 4GB(4096)
CACHESIZE="2048"

# Set server IP address
OPTIONS="-l 192.168.72.141"

-- Save & Quit (:wq)

Step: 9. Start Memcached :

# chkconfig memcached on
# service memcached start
# service memcached status

Step: 10. Verifying Memcached :

# netstat -tulpn | grep :11211

# memcached-tool 192.168.72.141 stats

Step: 11. Install Memcached PHP Extension :

# yum -y install php-pecl-memcached php-pecl-memcache

Step: 12. Install Memcached Perl Library :

# yum -y install perl-Cache-Memcached

Step: 13. Install Memcached Python Library :

# yum -y install python-memcached

Step: 14. Start Apache Server :

# service httpd restart
# chkconfig httpd on

Step: 15. Configure Memcache For Web Monitoring :

# cd /var/www/html
# mkdir memcached
# cd memcached
# wget http://phpmemcacheadmin.googlecode.com/files/phpMemcachedAdmin-1.2.2-r262.tar.gz
# tar -xvzf phpMemcachedAdmin-1.2.2-r262.tar.gz
# chmod +rx *
# chmod 0777 Config/Memcache.php
# chmod 0777 Temp/
# rm phpMemcachedAdmin-1.2.2-r262.tar.gz

Step: 16. Configure Apache Password Protected Directory :

# vi /etc/httpd/conf/httpd.conf

<Directory /var/www/html/memcached>
        Options -Indexes +Multiviews
        DirectoryIndex index.php index.html
        AllowOverride AuthConfig

        AuthUserFile /etc/httpd/.htpasswd
        AuthName "phpMemcachedAdmin Login Area"
        AuthType Basic
        require user memadmin

        Allow from all
</Directory>

-- Save & Quit (:wq)


Step: 17. Setup AuthUserFile for Apache :

# htpasswd -cm /etc/httpd/.htpasswd memadmin

New password:
Re-type new password:
Adding password for user memadmin


Step: 18. Restart Apache Service & Access URL :

# service httpd restart

http://192.168.72.141/memcached

Thanks For Visiting on My Blog, For More Tutorials Keep Visiting My Blog


memcached is an open source distributed memory object caching system used for accelerating applications.  - See more at: https://docs.nexcess.net/article/what-is-memcached.html#sthash.g7XxDDq9.dpuf

Wednesday 11 May 2016

How to Protect SSH with Fail2ban on CentOS/RHEL 6x

How to Protect SSH with Fail2ban on CentOS/RHEL 6x

About Fail2ban :

-- Fail2ban is an intrusion prevention software framework that protects Servers from Brute-force Attacks. Written in the Python programming language, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, for example, iptables or TCP Wrapper.

Step: 1. Install Fail2Ban :

Note: Fail2ban is not available from the CentOS repositories, so we start by installing the EPEL Repository.

# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Follow up by Installing Fail2ban :

# yum -y install fail2ban

Step: 2. Copy the Configuration File :

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Step: 3. Configure defaults in Jail.Local :

# vi /etc/fail2ban/jail.local

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 x.x.0.0/16

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 1800

# "maxretry" is the number of failures before a host get banned.
maxretry = 3


[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=destinaton@mydomain.com, sender=sender@mydomain.com]
logpath  = /var/log/secure
maxretry = 5

-- Save & Quit (:wq)

Step: 4. Restart Fail2Ban :

# service fail2ban restart
# chkconfig fail2ban on

Step: 5. Change Mail Subject :

# vi /etc/fail2ban/action.d/sendmail-whois.conf


actionstart = printf %%b "Subject: [FAIL2BAN] <name>: started on Server5.mydomain.com
              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
              From: My Organization <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              My Organization" | /usr/sbin/sendmail -f <sender> <dest>


actionstop = printf %%b "Subject: [FAIL2BAN] <name>: stopped on Server5.mydomain.com
             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
             From: My Organization <<sender>>
             To: <dest>\n
             Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             My Organization" | /usr/sbin/sendmail -f <sender> <dest>


actionban = printf %%b "Subject: [FAIL2BAN] <name>: banned <ip> on Server5.mydomain.com (192.168.72.142)
            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
            From: My Organization <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned on Server2.mydomain.com (192.168.72.142) for 30 Minutes by My Organization after
            <failures> attempts against <name>.\n\n
            Here are more information about http://www.whatismyipaddress.com/ip/<ip> \n
#            `/usr/bin/whois <ip>`\n
            Regards,\n
            My Organization" | /usr/sbin/sendmail -f <sender> <dest>

-- Save & Quit (:wq)

Step: 6. Restart Fail2Ban Service :

# service fail2ban restart
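
The jail in Step 3 bans a host once it produces maxretry failures within findtime seconds. As an added example (not fail2ban's own code and not part of the original tutorial), the script below runs a simplified sliding-window model of that rule over constructed /var/log/secure lines. It assumes all timestamps fall on one day; the function names and the sample hosts are chosen here.

```bash
#!/bin/bash
# Added example: simplified sliding-window model of maxretry/findtime.
# This is not fail2ban code; timestamps are assumed to fall on one day.

# Constructed /var/log/secure sample (documentation IP ranges).
sample_secure_log() {
    cat <<'EOF'
May 11 10:00:00 server5 sshd[2100]: Failed password for invalid user admin from 198.51.100.9 port 50100 ssh2
May 11 10:00:01 server5 sshd[2101]: Failed password for root from 203.0.113.7 port 40001 ssh2
May 11 10:00:11 server5 sshd[2102]: Failed password for root from 203.0.113.7 port 40002 ssh2
May 11 10:00:21 server5 sshd[2103]: Failed password for root from 203.0.113.7 port 40003 ssh2
May 11 10:00:31 server5 sshd[2104]: Failed password for root from 203.0.113.7 port 40004 ssh2
May 11 10:00:41 server5 sshd[2105]: Failed password for root from 203.0.113.7 port 40005 ssh2
May 11 10:00:51 server5 sshd[2106]: Failed password for root from 203.0.113.7 port 40006 ssh2
May 11 10:05:00 server5 sshd[2200]: Accepted password for deploy from 192.168.72.10 port 51000 ssh2
May 11 10:20:00 server5 sshd[2300]: Failed password for invalid user admin from 198.51.100.9 port 50101 ssh2
May 11 10:40:00 server5 sshd[2400]: Failed password for invalid user admin from 198.51.100.9 port 50102 ssh2
May 11 11:00:00 server5 sshd[2500]: Failed password for invalid user admin from 198.51.100.9 port 50103 ssh2
May 11 11:20:00 server5 sshd[2600]: Failed password for invalid user admin from 198.51.100.9 port 50104 ssh2
EOF
}

# would_ban LOGFILE MAXRETRY FINDTIME -> prints "ip time-of-ban" per banned host
would_ban() {
    awk -v maxretry="$2" -v findtime="$3" '
    /sshd\[[0-9]+\]: Failed password for / {
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]      # seconds since midnight
        ip = ""
        # the last "from" wins, so a user literally named "from" is handled
        for (i = 9; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || (ip in banned)) next
        if (!(ip in head)) head[ip] = 1
        tail[ip]++
        ts[ip, tail[ip]] = now
        # forget failures that are older than findtime
        while (now - ts[ip, head[ip]] > findtime + 0) head[ip]++
        if (tail[ip] - head[ip] + 1 >= maxretry + 0) {
            banned[ip] = 1
            print ip, $3
        }
    }' "$1"
}

log=$(mktemp)
sample_secure_log > "$log"
would_ban "$log" 5 1800    # [ssh-iptables] maxretry with the [DEFAULT] findtime
rm -f "$log"
```

The host that spreads its five failures 20 minutes apart is never banned with findtime = 1800, which is the trade-off to weigh when choosing that value.
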

Thanks For Visiting on My Blog, For More Tutorials Keep Visiting My Blog

Saturday 7 May 2016

How To Install & Configure Percona XtraDB Cluster 5.6 on CentOS/RHEL 6x


How To Install Percona XtraDB Cluster 5.6 on CentOS/RHEL 6x


This Cluster will be assembled of Two (2) Servers/Nodes :

Node #1
Hostname: server1.centos.com
IP: 192.168.100.140

Node #2
Hostname: server2.centos.com
IP: 192.168.100.142

Prerequisites :
==========

1. Both Nodes have a CentOS 6.6 Installation.
2. Firewall has been set up to allow Connecting to Ports 3306, 4444, 4567 and 4568
3. SELinux is Disabled
4. MySQL should be Removed.

5. Configure Password-less Authentication (RSA/DSA) (Optional).

Installation :
=========
   
Step: 1. Make entry to the host file of each Server :

# vi /etc/hosts

192.168.100.140 server1.centos.com   server1
192.168.100.142 server2.centos.com   server2

-- Save & Quit (:wq)
   
Step: 2. Enable EPEL Repo and Percona Repo on your Server :

# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
   
Step: 3. Install Dependency for Percona :

# yum install -y socat libaio* perl-DBD-MySQL  perl-Time-HiRes rsync wget
# wget --no-cache http://www.convirture.com/repos/definitions/rhel/6.x/convirt.repo -O /etc/yum.repos.d/convirt.repo
# yum makecache
   
Step: 4. Download the Packages on the Server :

# yum -y install http://www.percona.com/downloads/percona-release/redhat/0.1-3/percona-release-0.1-3.noarch.rpm
# yum install -y Percona-XtraDB-Cluster-56
   
Step: 5. Configuring the Nodes :
   
On Node1 : i.e 192.168.100.140
========================
# vi /etc/my.cnf
   
[mysqld]
skip-host-cache
skip-name-resolve
max_connections=10000
max_connect_errors=200

datadir=/var/lib/mysql
user=mysql

# Path to Galera library
wsrep_provider=/usr/lib64/libgalera_smm.so

# Cluster connection URL contains the IPs of node#1, node#2
wsrep_cluster_address=gcomm://192.168.100.140,192.168.100.142

# In order for Galera to work correctly binlog format should be ROW
binlog_format=ROW

# MyISAM storage engine has only experimental support
default_storage_engine=InnoDB

# This is a recommended tuning variable for performance
innodb_locks_unsafe_for_binlog=1

# This changes how InnoDB autoincrement locks are managed and is a requirement for Galera
innodb_autoinc_lock_mode=2

# Node #1 Address
wsrep_node_address=192.168.100.140

# SST Method
wsrep_sst_method=xtrabackup

# Cluster Name
wsrep_cluster_name=my_centos_cluster

# Authentication for SST Method
wsrep_sst_auth="sstuser:s3cret"
wsrep_replicate_myisam=1

-- Save & Quit (:wq)
       
Step: 6. Start the first Node with the Following Command :
   
# /etc/init.d/mysql bootstrap-pxc

OR

# /etc/init.d/mysql start --wsrep-cluster-address="gcomm://"
   

Step: 7. Now, Login to MySQL and check the Cluster Status :

# mysql -u root

mysql> show status like 'wsrep%';


Step: 8. Change the MySQL root Password :

# mysql -u root
   
mysql> UPDATE mysql.user SET password=PASSWORD("redhat") where user='root';
mysql> FLUSH PRIVILEGES;

Step: 9. To perform a successful State Snapshot Transfer using XtraBackup, a new user needs to be set up with proper Privileges :

# mysql -u root -p
Enter Password:

mysql> CREATE USER 'sstuser'@'localhost' IDENTIFIED BY 's3cret';
mysql> GRANT RELOAD, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'sstuser'@'localhost';
mysql> FLUSH PRIVILEGES;
   
Note: MySQL root account can also be used for setting up the SST with Percona XtraBackup, BUT it's recommended to use a different (non-root) user for this.
   
Node 2 : i.e 192.168.100.142
======================

# vi /etc/my.cnf
   
[mysqld]
skip-host-cache
skip-name-resolve
max_connections=10000
max_connect_errors=200

# Path to Galera library
wsrep_provider=/usr/lib64/libgalera_smm.so

# Cluster connection URL contains IPs of node#1, node#2
wsrep_cluster_address=gcomm://192.168.100.140,192.168.100.142

# In order for Galera to work correctly binlog format should be ROW
binlog_format=ROW

# MyISAM storage engine has only experimental support
default_storage_engine=InnoDB

# This is a recommended tuning variable for performance
innodb_locks_unsafe_for_binlog=1

# This changes how InnoDB autoincrement locks are managed and is a requirement for Galera
innodb_autoinc_lock_mode=2

# Node #2 address
wsrep_node_address=192.168.100.142

# Cluster name
wsrep_cluster_name=my_centos_cluster

# SST method
wsrep_sst_method=xtrabackup

# Authentication for SST method
wsrep_sst_auth="sstuser:s3cret"
wsrep_replicate_myisam=1

-- Save & Quit (:wq)

Now Start the Cluster on Node 2 :
       
# service mysql restart
# mysql -u root -p
Enter Password:

mysql> show status like 'wsrep%';

  















Testing :
======

A. Creating the new Database on the Node2 :

mysql> CREATE DATABASE test;

B. Creating the Example Table :

mysql> USE test;
mysql> CREATE TABLE example (node_id INT PRIMARY KEY, node_name VARCHAR(30));

C. Inserting Records on the Node1 :

mysql> INSERT INTO test.example VALUES (1, 'test1');

D. Retrieving all the Rows from that Table on the Node2 :

mysql> SELECT * FROM test.example;









Thanks For Visiting on My Blog, For More Tutorials Keep Visiting My Blog

Copyright © 2016 Kousik Chatterjee's Blog