Archive

Archives pour 12/2015

Guide to rsnapshot and incremental backups on Linux

30/12/2015 Comments off

1. Introduction

rsnapshot is a backup tool written in Perl that utilizes rsync as its back-end. rsnapshot allows users to create customized incremental backup solutions. This article will discuss the following: the benefits of an incremental backup solution, rsnapshot’s installation, its configuration, and usage examples.

2. Back-it up!

I was recently discussing with a colleague the benefits of backing up your data. My colleague was telling me how one of her customers had recently lost a rather lengthy article that they had been working on. I decided that this may be a good chance to experiment with my netbook and rsnapshot. For this tutorial, I’ll assume you have have 2 pieces of hardware: your host computer, and your destination equipment. I’ll be using an external hard drive for the majority of this post. However, I will briefly cover usage for backing up files over a LAN.

Backing up your data should not be the question to ask but rather how should I backup my stuff? What’s the best way? Well there are many different backup pathways you can take, including block level (dd, partimage), partition level (RAID and all its variations), file level (rsyncand its children applications). I’ll discuss two types of backups in the context of file-based backups.

Normal backups, or full backups, are self explanatory. Normal backups are one way of backing up ALL your files every time you perform a backup. One issue with utilizing a multiple normal backup scheme is that a normal backup takes up a considerable amount of space. For example, if you perform a full backup of a 250gig hard drive at 20% capacity, everyday for just one week (assuming that the amount of data does not fluctuate) will mean that you already have used 350gigs for only one week’s worth of backups. As you can see, that is not feasible in the long run. The other method that I prefer is the incremental backup method. An incremental backup consists of one full backup and then performing additional backups. These additional backups will only backup files that  have changed since the last backup. Instead of backing up your entire hard drive, only the specific files that have changed since the last backup are backed up. As you can probably imagine this is a much more efficient process. One tool that does this on *nix is rsnapshot.

3. What is rsnapshot?

rsnapshot, as mentioned earlier, is an incremental backup utility. In this tutorial, I will show you how to create a seven day rotation backup scheme using rsnapshot. Essentially, rsnapshot will create 1 full backup and then subsequent backups will backup only files that have changed. The true power of rsnapshot is its ability to utilize hard-links between each backup. Each backup will appear to be a full backup. In reality each new backup consists of newly created or updated files. rsnapshot can be used over a LAN and can also be ran from cron. In this tutorial, I’ll show both usage examples.

4. Installation

Installation of rsnapshot is pretty straightforward, simply run the following command:

On Debian (or Ubuntu):

apt-get install rsnapshot

On Fedora:

yum install rsnapshot

On ArchLinux:

pacman -S rsnapshot

Now let’s configure rsnapshot.

Lire la suite…

Categories: Logiciel, Système, Tutoriel Tags: ,

Rsnapshot

30/12/2015 Comments off

Introduction

Vous le savez maintenant, les sauvegardes sont indispensables… Sauvegardes. Nécessaires, mais facile à oublier, sauf si elles sont effectuées automatiquement.

Voici un tutorial qui décrit la procédure pour mettre en place une solution de sauvegarde automatique simple basée sur rsnapshot.

Rsnapshot est un script écrit en perl.

Il utilise Rsync (et ssh si vous le souhaitez) pour effectuer des sauvegardes à intervalle régulier.

Il est capable de réaliser des sauvegardes d’un systèmes de fichier ou bien de bases de données par l’intermédiaire de scripts.

Un des principaux avantages de rsnapshot est son extrême simplicité.

rsnapshot utilise les « hard link unix » pour :

  • Éviter de dupliquer inutilement les fichiers.
  • Faciliter la restauration.

rsnapshot crée l’illusion de plusieurs sauvegardes complètes, alors qu’il n’y a sur le système de fichier que la première et les différences éventuelles apparues entre cette dernière et les suivantes. Il s’agit d’une méthode de sauvegarde différentielle.

Dans ce tuto nous allons vous expliquer comment mettre en place la sauvegarde différentielle sécurisée d’un répertoire d’une machine distante.

Prérequis: Configuration de SSH et des clefs

Vous devez pouvoir vous connecter aux machines auxquelles vous allez vous connecter sans mot de passe:

Tout d’abord, il faut configurer ssh et importer la clef du serveur distant.

Je vais procéder comme dans ce tuto

Testez:

root@nas:~# ssh -p 10122 vanille
Linux vanille.zehome.org 2.6.32-5-amd64 #1 SMP Tue Jun 14 09:42:28 UTC 2011 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Aug 11 08:07:48 2011 from nas.zehome.org
root@vanille:~#

Installation de rsnapshot

root@nas:~# apt-get install rsnapshot

Qui vous installera par la même occasion Rsync

Sauvegarde du fichier de configuration:

root@nas:~# cp /etc/rsnapshot.conf /etc/rsnapshot.conf.sos

Lire la suite…

Sauvegarde journalisée de votre machine avec RSnapShot

30/12/2015 Comments off

Source: Nicolargo

Ce logiciel libre permet d’automatiser une sauvegarde journalisée de vos machines et ceci localement comme à distance.

RSnapShot est disponible dans la plupart des dépôts des distributions GNU/Linux et *BSD. Nous allons illustrer cet article avec une installation et une configuration de RSnapShot sur un serveur Gandi sous Ubuntu 10.04 LTS.

Installation de RSnapShot

On utilise la version disponible dans les dépôts officiels:

sudo aptitude install rsnapshot

Configuration de RSnapShot

L’ensemble de la configuration est centralisé dans le fichier /etc/rsnapshot.conf.

sudo vi /etc/rsnapshot.conf

Attention à la syntaxe dans ce fichier, RSnapShot est assez pointilleux. Il veut que tout les répertoires finissent par un / et des tabulations entre chaque variables.

Les variables importantes à configurer sont les suivantes:

snapshot_root   /.snapshots/

La variable snapshot_root permet de configurer le répertoire racine ou les sauvegardes seront stockées. Ce répertoire peut être sur le même disque que le disque système (c’est le cas de la configuration par défaut avec l’utilisation du répertoire /.snapshots/).

Je vous conseille pour ma part d’utiliser si possible un répertoire stocké sur un deuxième disque physique. Par exemple sur mon serveur Gandi, j’ai un deuxième disque qui est monté sur le répertoire /srv/backup. Je vais donc configurer la variable à /srv/backup/snapshots/ (noter le / à la fin du répertoire !).

Exemple: snapshot_root /srv/backup/snapshots/

cmd_ssh /path/to/ssh

Si vous voulez utiliser les fonctions de sauvegarde de serveur distant (en utilisant le protocole SSH), il faut dé-commenter la ligne précédente. Si vous avez besoin de passer des arguments spécifique à SSH, il faudra compléter la ligne ssh_args.

Exemple: cmd_ssh /usr/bin/ssh

interval monthly 3

Activation de la sauvegarde mensuelle (désactivé par défaut).

On passe ensuite aux variables permettant de configurer ce que l’on veut sauvegarder.

Sauvegardes locales

On parle ici d’une sauvegarde journalisée de répertoires de la machine ou RSnapShot est installé.

backup /home/ localhost/

Le répertoire /home/ sera sauvegardé dans le sous répertoire $snapshot_root/localhost/.

Exemple:

backup /home/ localhost/
backup /etc/ localhost/
backup /var/svn/ localhost/

Lire la suite…

Using Bash Arrays with Examples

29/12/2015 Comments off

bash-scripting-32-638Arrays can be a useful tool when coding your bash scripts.  The simplest way that I can define an array is to state that an array is a variable for a multi-instance dataset.

For example, a variable is used when there is a single value from a dataset like the IP Address of a server.  However, an array can be used to store all of the IP Addresses in your server room.

Speaking of IP Addresses and bash arrays, my last article (Detect and Block WordPress Brute Force Login Attacks) includes a script which is an example of how an array can be used in bash scripting.

Because arrays can be so useful in bash scripting, I thought that I would put together the following article detailing ways of Using Bash Arrays with Examples.

Initializing Bash Arrays or Assigning Values to Arrays

For arrays to be useful, we need to be able to assign values to them.  We assign values to an array by listing the array along with its instance number as shown below.  This method will assign each instance of the array one by one.

#!/bin/bash
myarray[0]=Hello
myarray[1]=World,
myarray[3]=Happy
myarray[4]=Friday

# Display all instances of the array
echo ${myarray[*]}

We can see above that in addition to being able to assign the values one by one, we can reference all array instances with an asterisk (*).  Another way to display all instances of the array is to use the following “echo ${myarray[@]}”

We run the script and get:

$ ./arrays.sh
Hello World, Happy Friday

We can also retrieve individual instances of an array by specifying the individual array instance number.  We modify the above script slightly to retrieve a couple of the instances.

#!/bin/bash
myarray[0]=Hello
myarray[1]=World,
myarray[3]=Happy
myarray[4]=Friday

# Display all instances of the array
echo ${myarray[0]} ${myarray[4]}

We run the script again and we get:

$ ./arrays.sh
Hello Friday

Lire la suite…

Categories: Système, Tutoriel Tags: , , ,

Securing your server with iptables

23/12/2015 Comments off

Securing your server with iptables

securing your server linuxIn the Getting Started guide, you learned how to deploy a Linux distribution, boot your Linode and perform some basic administrative tasks. Now it’s time to harden your Linode to protect it from unauthorized access.

Update Your System–Frequently

Keeping your software up to date is the single biggest security precaution you can take for any operating system–be it desktop, mobile or server. Software updates frequently contain patches ranging from critical vulnerabilities to minor bug fixes, and many software vulnerabilities are actually patched by the time they become public.

Automatic Security Updates

There are opposing arguments for and against automatic updates on servers. Nonetheless, CentOS, Debian, Fedora and Ubuntu can be automatically updated to various extents. Fedora’s Wiki has a good breakdown of the pros and cons, but if you limit updates to those for security issues, the risk of using automatic updates will be minimal.

The practicality of automatic updates must be something which you judge for yourself because it comes down to what you do with your Linode. Bear in mind that automatic updates apply only to packages sourced from repositories, not self-compiled applications. You may find it worthwhile to have a test environment which replicates your production server. Updates can be applied there and reviewed for issues before being applied to the live environment.

Add a Limited User Account

Up to this point, you have accessing your Linode as the root user. The concern here is that roothas unlimited privileges and can execute any command–even one that could accidentally break your server. For this reason and others, we recommend creating a limited user account and using that at all times. Administrative tasks will be done using sudo to temporarily elevate your limited user’s privileges so you can administer your server without logging in as root.

To add a new user, log in to your Linode via SSH.

CentOS / Fedora

  1. Create the user, replacing example_user with your desired username, and assign a password:
    useradd example_user && passwd example_user
  2. Add the user to the wheel group for sudo privileges:
    usermod -aG wheel example_user

Debian / Ubuntu

  1. Create the user, replacing example_user with your desired username. You’ll then be asked to assign the user a password.
    adduser example_user
  2. Add the user to the sudo group so you’ll have administrative privileges:
    adduser example_user sudo

With your new user assigned, disconnect from your Linode as root:

exit

Log back in to your Linode as your new user. Replace example_user with your username, and the example IP address with your Linode’s IP address:

ssh example_user@203.0.113.0

Now you can administer your Linode from your new user account instead of root. Superuser commands can now be prefaced with sudo; for example, sudo iptables -L. Nearly all superuser commands can be executed with sudo, and those commands will be logged to /var/log/auth.log.

Lire la suite…

Simple stateful firewall

23/12/2015 Comments off

Source: archlinux.org

This page explains how to set up a stateful firewall using iptables. It also explains what the rules mean and why they are needed. For simplicity, it is split into two major sections. The first section deals with a firewall for a single machine, the second sets up a NAT gateway in addition to the firewall from the first section.

Warning: The rules are given in the order that they are executed. If you are logged into a remote machine, you may be locked out of the machine while setting up the rules. You should only follow the steps below while you are logged in locally.The example config file can be used to get around this problem.

Prerequisites

Note: Your kernel needs to be compiled with iptables support. All stock Arch Linux kernels have iptables support.

First, install the userland utilities iptables or verify that they are already installed.

This article assumes that there are currently no iptables rules set. To check the current ruleset and verify that there are currently no rules run the following:

# iptables-save
# Generated by iptables-save v1.4.19.1 on Thu Aug  1 19:28:53 2013
*filter
:INPUT ACCEPT [50:3763]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [30:3472]
COMMIT
# Completed on Thu Aug  1 19:28:53 2013

or

# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 156 packets, 12541 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 82 packets, 8672 bytes)
num   pkts bytes target     prot opt in     out     source               destination

If there are rules, you may be able to reset the rules by loading a default rule set:

# iptables-restore < /etc/iptables/empty.rules

Otherwise, see Iptables#Resetting rules.

Lire la suite…

Linux Users and Sudo

19/12/2015 Comments off

Introduction

users sudoBefore we proceed, it would be best to cover some basic user administration topics that will be very useful in later chapters. Adding Users

One of the most important activities in administering a Linux box is the addition of users. Here you’ll find some simple examples to provide a foundation for future chapters. It is not intended to be comprehensive, but is a good memory refresher. You can use the command man useradd to get the help pages on adding users with the useradd command or the man usermod to become more familiar with modifying users with the usermod command.

Who Is the Super User?

The super user with unrestricted access to all system resources and files in Linux is the user named root. This user has a user ID, of 0 which is universally identified by Linux applications as belonging to a user with supreme privileges. You will need to log in as user root to add new users to your Linux server.

Debian Note: When installing Ubuntu Linux systems, you are prompted to create a primary user that is not root. A root user is created but no password is set, so you initially cannot log in as this user. The primary user can become the root user using the sudo su - command that will be discussed later.

How To Add Users

Adding users takes some planning; read through these steps below before starting:

1) Arrange your list of users into groups by function. In this example there are three groups « parents« , « children » and « soho« .

Parents    Children     Soho
Paul       Alice        Accounts
Jane       Derek        Sales

2) Add the Linux groups to your server:

[root@bigboy tmp]# groupadd parents
[root@bigboy tmp]# groupadd children
[root@bigboy tmp]# groupadd soho

3) Add the Linux users and assign them to their respective groups

[root@bigboy tmp]# useradd -g parents paul
[root@bigboy tmp]# useradd -g parents jane
[root@bigboy tmp]# useradd -g children derek
[root@bigboy tmp]# useradd -g children alice
[root@bigboy tmp]# useradd -g soho accounts
[root@bigboy tmp]# useradd -g soho sales

If you don’t specify the group with the -g, RedHat/Fedora Linux creates a group with the same name as the user you just created; this is also known as the User Private Group Scheme. When each new user first logs in, they are prompted for their new permanent password.

4) Each user’s personal directory is placed in the /home directory. The directory name will be the same as their user name.

[root@bigboy tmp]# ll /home
drwxr-xr-x 2 root root 12288 Jul 24 20:04 lost found
drwx------ 2 accounts soho 1024 Jul 24 20:33 accounts
drwx------ 2 alice children 1024 Jul 24 20:33 alice
drwx------ 2 derek children 1024 Jul 24 20:33 derek
drwx------ 2 jane parents 1024 Jul 24 20:33 jane
drwx------ 2 paul parents 1024 Jul 24 20:33 paul
drwx------ 2 sales soho 1024 Jul 24 20:33 sales
[root@bigboy tmp]#

Lire la suite…

How to upgrade Plex Media Server on Ubuntu Server

17/12/2015 Comments off

upgrade plex media serverPlex Media Server is amazing and fantastic in so many ways! It’s got a better interface, better streaming capabilities, and better library scraping. It’s completely replaced XBMC for my media needs. The biggest drawback is there isn’t quite as much documentation out there for it. I noticed that my Plex Server was out of date, and a quick search didn’t give any exact results for upgrading on Ubuntu.

With enough research, I found how easy an upgrade actually is. For those trying to do the same, I’ll share the exact commands with you.

Grab the latest version

Go to Plex’s site and look for the latest version. You ned the link for the ‘.deb’ file. For me, I was upgrading to 0.9.8.10.215.

So, on your Ubuntu server, run the following:

Categories: Logiciel Tags: ,

Linux Firewalls Using iptables

16/12/2015 Comments off

Source: linuxhomenetworking.com

Introduction

Network security is a primary consideration in any decision to host a website as the threats are becoming more widespread and persistent every day. One means of providing additional protection is to invest in a firewall. Though prices are always falling, in some cases you may be able to create a comparable unit using the Linux iptables package on an existing server for little or no additional expenditure.
This chapter shows how to convert a Linux server into:

  • A firewall while simultaneously being your home website’s mail, web and DNS server.
  • A router that will use NAT and port forwarding to both protect your home network and have another web server on your home network while sharing the public IP address of your firewall.

Creating an iptables firewall script requires many steps, but with the aid of the sample tutorials, you should be able to complete a configuration relatively quickly.

What Is iptables?

Originally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilter organization decided to create a new product called iptables, giving it such improvements as:

  • Better integration with the Linux kernel with the capability of loading iptables-specific kernel modules designed for improved speed and reliability.
  • Stateful packet inspection. This means that the firewall keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols. This is an important feature in the support of active FTP and DNS, as well as many other network services.
  • Filtering packets based on a MAC address and the values of the flags in the TCP header. This is helpful in preventing attacks using malformed packets and in restricting access from locally attached servers to other networks in spite of their IP addresses.
  • System logging that provides the option of adjusting the level of detail of the reporting.
  • Better network address translation.
  • Support for transparent integration with such Web proxy programs as Squid.
  • A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks.

Considered a faster and more secure alternative to ipchains, iptables has become the default firewall package installed under RedHat and Fedora Linux.

Download And Install The Iptables Package

Before you begin, you need to make sure that the iptables software RPM is installed. (See Chapter 6, « Installing Linux Software« , if you need a refresher.) When searching for the RPMs, remember that the filename usually starts with the software package name by a version number, as in iptables-1.2.9-1.0.i386.rpm.

Managing the iptables Server

Managing the iptables daemon is easy to do, but the procedure differs between Linux distributions. Here are some things to keep in mind.

  • Firstly, different Linux distributions use different daemon management systems. Each system has its own set of commands to do similar operations. The most commonly used daemon management systems are SysV and Systemd.
  • Secondly, the daemon name needs to be known. In this case the name of the daemon is iptables.

Armed with this information you can know how to:

  • Start your daemons automatically on booting
  • Stop, start and restart them later on during troubleshooting or when a configuration file change needs to be applied.

For more details on this, please take a look at the « Managing Daemons » section of Chapter 6 « Installing Linux Software »

Note: Remember to configure your daemon to start automatically upon your next reboot.

Lire la suite…

Les Firewalls

09/12/2015 Comments off

par Alban Jacquemin et Adrien Mercier

1 – Pourquoi un firewall

De nos jours, toutes les entreprises possédant un réseau local possèdent aussi un accès à Internet, afin d’accéder à la manne d’information disponible sur le réseau des réseaux, et de pouvoir communiquer avec l’extérieur. Cette ouverture vers l’extérieur est indispensable… et dangereuse en même temps. Ouvrir l’entreprise vers le monde signifie aussi laisser place ouverte aux étrangers pour essayer de pénétrer le réseau local de l’entreprise, et y accomplir des actions douteuses, parfois gratuites, de destruction, vol d’informations confidentielles, … Les mobiles sont nombreux et dangereux.

Pour parer à ces attaques, une architecture sécurisée est nécessaire. Pour cela, le coeur d’une tel architecture est basé sur un firewall. Cette outil a pour but de sécuriser au maximum le réseau local de l’entreprise, de détecter les tentatives d’intrusion et d’y parer au mieux possible. Cela représente une sécurité supplémentaire rendant le réseau ouvert sur Internet beaucoup plus sûr.  De plus, il peut permettre de restreindre l’accès interne vers l’extérieur. En effet, des employés peuvent s’adonner à des activités que l’entreprise ne cautionne pas, le meilleur exemple étant le jeu en ligne. En plaçant un firewall limitant ou interdisant l’accès à ces services, l’entreprise peut donc avoir un contrôle sur les activités se déroulant dans son enceinte.

Le firewall propose donc un véritable contrôle sur le trafic réseau de l’entreprise. Il permet d’analyser, de sécuriser et de gérer le trafic réseau, et ainsi d’utiliser le réseau de la façon pour laquelle il a été prévu et sans l’encombrer avec des activités inutiles, et d’empêcher une personne sans autorisation d’accéder à ce réseau de données.

2 – Les différents types de filtrages

2.1 – Le filtrage simple de paquet (Stateless)

2.1.1 – Le principe

C’est la méthode de filtrage la plus simple, elle opère au niveau de la couche réseau et transport du modèle Osi. La plupart des routeurs d’aujourd’hui permettent d’effectuer du filtrage simple de paquet. Cela consiste à accorder ou refuser le passage de paquet d’un réseau à un autre en se basant sur :

– L’adresse IP Source/Destination.
– Le numéro de port Source/Destination.
– Et bien sur le protocole de niveau 3 ou 4.

Cela nécessite de configurer le Firewall ou le routeur par des règles de filtrages, généralement appelées des ACL (Access Control Lists).

2.1.2 – Les limites

Le premier problème vient du fait que l’administrateur réseau est rapidement contraint à autoriser un trop grand nombre d’accès, pour que le Firewall offre une réelle protection. Par exemple, pour autoriser les connexions à Internet à partir du réseau privé, l’administrateur devra accepter toutes les connexions TCP provenant de l’Internet avec un port supérieur à 1024. Ce qui laisse beaucoup de choix à un éventuel pirate.

Il est à noter que de définir des ACL sur des routeurs haut de gamme – c’est à dire, supportant un débit important – n’est pas sans répercussion sur le débit lui-même. Enfin, ce type de filtrage ne résiste pas à certaines attaques de type IP Spoofing / IP Flooding, la mutilation de paquet, ou encore certaines attaques de type DoS. Ceci est vrai sauf dans le cadre des routeurs fonctionnant en mode distribué. Ceci permettant de gérer les Acl directement sur les interfaces sans remonter à la carte de traitement central. Les performances impactées par les Acl sont alors quasi nulles.

Lire la suite…