Archive

Articles taggués ‘Apache’

Benchmark Your Webpage with Siege

15/03/2019 Comments off

Siege_Benchmark_WebpageA few articles ago, I wrote about using the “apachebench” or “ab” utility to benchmark your website (see: apachebench). Ab is a great tool, but since then, I have found and fallen in love with a new tool for benchmarking your website. This new tool is named “siege”.

Install Siege on CentOS 6

CentOS 6 has added the siege package to the CentOS EPEL (Extra Packages for Enterprise Linux) repository which makes installation easy using yum if you have the EPEL repository installed. If you need to install it still, you can do it using these quick steps:

# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -Uvh ./epel-release-6-8.noarch.rpm
Preparing...                ########################################### [100%]
package epel-release-6-8.noarch is already installed

Once the EPEL repository is installed, you can go ahead and install the siege package:

# yum install siege

Using Siege to Benchmark Your Website

We can get really detailed usage information on the siege utility in the man pages. We can get a list of the switches that siege can use by using the –help option:

# siege --help
SIEGE 3.0.0
Usage: siege [options]
       siege [options] URL
       siege -g URL
Options:
  -V, --version             VERSION, prints the version number.
  -h, --help                HELP, prints this section.
  -C, --config              CONFIGURATION, show the current config.
  -v, --verbose             VERBOSE, prints notification to screen.
  -q, --quiet               QUIET turns verbose off and suppresses output.
  -g, --get                 GET, pull down HTTP headers and display the
                            transaction. Great for application debugging.
  -c, --concurrent=NUM      CONCURRENT users, default is 10
  -i, --internet            INTERNET user simulation, hits URLs randomly.
  -b, --benchmark           BENCHMARK: no delays between requests.
  -t, --time=NUMm           TIMED testing where "m" is modifier S, M, or H
                            ex: --time=1H, one hour test.
  -r, --reps=NUM            REPS, number of times to run the test.
  -f, --file=FILE           FILE, select a specific URLS FILE.
  -R, --rc=FILE             RC, specify an siegerc file
  -l, --log[=FILE]          LOG to FILE. If FILE is not specified, the
                            default is used: PREFIX/var/siege.log
  -m, --mark="text"         MARK, mark the log file with a string.
  -d, --delay=NUM           Time DELAY, random delay before each requst
                            between 1 and NUM. (NOT COUNTED IN STATS)
  -H, --header="text"       Add a header to request (can be many)
  -A, --user-agent="text"   Sets User-Agent in request
  -T, --content-type="text" Sets Content-Type in request

Copyright (C) 2013 by Jeffrey Fulmer, et al.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.

so, with these options in mind, allow me to demonstrate a few of the coolest siege options that I like best:

Lire la suite…

Categories: Système Tags: , ,

How to manage a DDOS or DOS attempt directed at your Linux Server

20/02/2019 Comments off

Stopping a DDOS (distributed denial of service attack) or DOS (denial of service attack) is no simple task.  Frequently, these attacks become more than just a nuisance, they completely immobilize your server’s services and keep your users from using your website.

We’ve found a few common sense ways to help ease the pain of DDOS and/or DOS attacks.  While no method is fool proof, we certainly can minimize the profound effect these attacks have on your users and subsystems.

Identify the Source

Good luck with that one.  Many DDOS and DOS attacks are from roaming IP addresses.  A distributed denial of service attack can come from many different IP addresses and it quickly becomes impossible for the Linux system administrator to isolate and confine each IP with a firewall rule.

Wikipedia does a great job of describing the various types of attacks here: http://en.wikipedia.org/wiki/Denial-of-service_attack.  For the purpose of this tutorial, I’ll leave the research on the types of attacks up to you, and address the most common form that we’ve encountered over the years, the Apache directed DDOS or DOS attack.

Apache Based Attacks

Symptoms of the Apache DDOS or DOS attack:

  • Website(s) serve slow
  • You notice hanging processes
  • Apache Top tells you that the same IP address is requesting a system resource
  • The system resource continues to multiplex, causing more processes to spawn
  • The Command:
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
  • Says that you have a few too many connections to feel comfortable with.

The end result:

  • Apache goes down
  • System load goes sky high
  • Server stops responding
  • You cant ssh to the server node
  • You’ve lost connectivity completely and a reboot is mandatory in order to restore access to the system

Preventative Measures and Counter Measures:

  • Enable SYN COOKIES at the kernel level
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  • Enable and Configure iptables to prevent the attack or at least work to identify the attack
    /sbin/iptables -N syn-flood
    /sbin/iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
    /sbin/iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
    /sbin/iptables -A syn-flood -j DROP
  • Install the APF firewall to work to identify risky behavior
    • APF stands for Advanced Policy Firewall.  Its a rock solid firewall that normally plays nice with iptables.  You can grab a the most recent copy here: http://www.rfxn.com/projects/
  • Install (D)DosDeflate
    • Great software, rock solid, and plays nice with either APF or iptables.  Install and configure the service in seconds using the commands below.  Edit the .conf file to utilize whichever flavor of firewall you’d like to integrate it with.  Set a few configuration settings and you’re done.
    • To Install (D)DosDeflate:
      wget http://www.inetbase.com/scripts/ddos/install.sh
      chmod 0700 install.sh
      ./install.sh
  • If it doesnt workout, its simple to uninstall too.  To uninstall:
    wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
    chmod 0700 uninstall.ddos
    ./uninstall.ddos

So a few tools are outlined above.  We’ve found that this will stop 90% of the attacks that are out there.  Some nice firewall rules above your server (at the router or switch level) also help.  Most of the time we can identify suspicious traffic before it even hits your servers, so a shameless plug here is probably in order.

Source: Liquid Communications

How To Isolate Servers Within A Private Network Using Iptables

02/02/2019 Comments off

Source: DigitalOcean – Mitchell Anicas

Introduction

In this tutorial, we will teach you how to use a Iptables with shared private networking to simulate the network traffic isolation that a true private network can provide. We will also cover why you would want to do this, and provide an example of how to implement this in your own environment. The example should explain the concept well enough that you should be able to adapt the configuration to your own needs.

DigitalOcean’s private networking option grants a second networking interface to a VPS, which is only accessible to other VPSs in the same datacenter–which includes the VPSs of other customers in the same datacenter. This is known as shared private networking. This means that data sent over a VPS’s private interface does not leave the datacenter at all, and no billable bandwidth usage will be incurred.

At the time of this writing, DigitalOcean offers the private networking option for VPSs in the following data centers:

  • Amsterdam 2
  • New York 2
  • Singapore 1

Note: This tutorial covers IPv4 security. In Linux, IPv6 security is maintained separately from IPv4. For example, iptables only maintains firewall rules for IPv4 addresses but it has an IPv6 counterpart called ip6tables, which can be used to maintain firewall rules for IPv6 network addresses.

If your VPS is configured for IPv6, please remember to secure both your IPv4 and IPv6 network interfaces with the appropriate tools. For more information about IPv6 tools, refer to this guide: How To Configure Tools to Use IPv6 on a Linux VPS

Example Scenario

For our example, we will use the environment created by the following tutorial: How To Optimize WordPress Performance With MySQL Replication On Ubuntu 14.04.

Here is a diagram of what the environment looks like:

prereq_no_private

The example environment uses five VPSs (and iptables are not configured):

  • haproxy-www: Reverse proxy load balancer
  • wordpress-1: First application server
  • wordpress-2: Second application server
  • mysql-1: Master MySQL database server
  • mysql-2: Slave MySQL database server

If your setup doesn’t look like this, you should still be able to follow along. Also, if you would like to read up on setting up a VPS with private networking or iptables basics, here are a few links that you might find to be useful (this tutorial assumes you know the basics of iptables):

If you are already familiar with the concepts, and would like to see the iptables setup, feel free to skip to the Overview of Iptables Configuration section.

Our Goal

When we are finished with this tutorial, we should have an environment that looks something like the following diagram:

goal

All of the servers in the private network area can only be communicated with by other servers within this private network (the orange box). The load balancer will be accessible via the Internet and also be linked to the private network. The enforcement of this policy will be implemented via iptables on each server.

Note: To block traffic to your public interface, you can either disable your public interface or set up firewall rules to achieve a similar effect with Iptables. We will go with the firewall option because we can configure it block unwanted network traffic, while allowing our server to access the Internet when it initiates the connection (this is useful for things like downloading updates on the server).

Administration réseau sous Linux: Apache

25/01/2019 Comments off

Source: Wikilivres

Apache est un serveur HTTP libre. Un serveur HTTP permet d’héberger des sites web qui seront accessibles avec un navigateur tel que Mozilla Firefox, Internet Explorer ou encore Chrome.

Un site web peut fournir tout type de contenu (des fichiers textes, HTML, Flash, zip…). Ce contenu peut être statique (le serveur transmet un fichier au navigateur) ou dynamique (le contenu est généré par un programme exécuté par le serveur). Les sites web contiennent généralement plusieurs types de documents, certains étant statiques et d’autres dynamiques.

Nous traiterons ici d’Apache 2.2 sur un système Debian (et ses dérivés, comme Ubuntu).

Fichiers log

Par défaut sous Debian, Apache enregistre les erreurs dans le fichier /var/log/apache2/error.log. Quand quelque chose ne fonctionne pas, ce fichier fournit souvent des pistes pour trouver la solution.

Il enregistre également toutes les requêtes dans /var/log/apache2/access.log.

Configuration de base

Sous Debian, Apache se lance automatiquement lorsqu’on l’installe et à chaque démarrage du système. Lorsqu’on modifie sa configuration, il faut lui faire prendre connaissance des changements avec la commande

/etc/init.d/apache2 reload

Pour l’arrêter, le lancer ou le relancer on utilisera la même commande avec stop, start ou restart.

Pour d’autres systèmes il faudra consulter la documentation du système ou celle d’Apache [archive].

Configuration du serveur

La configuration [archive] du serveur se trouve dans /etc/apache2/apache2.conf. Ce fichier contient des instructions Include [archive] qui permettent de déplacer certaines parties de la configuration dans d’autres fichiers. Debian utilise cette fonctionnalité pour les modules [archive] (comme PHP) et la gestion des serveurs virtuels [archive] :

Configuration des modules

Le répertoire /etc/apache2/mods-available contient les modules installés. Le répertoire /etc/apache2/mods-enabled contient les modules activés. Les modules activés sont des liens symboliques vers les modules installés.

Pour activer ou désactiver un module, on peut manipuler directement les liens ou utiliser les commandes a2enmod et a2dismod (voir les pages de man).

Configuration des sites

De la même manière, le répertoire /etc/apache2/sites-available contient les sites web disponibles et /etc/apache2/sites-enabled les sites activés. Il en existe un préinstallé : le site default.

Les sites peuvent s’activer ou se désactiver en manipulant les liens dans sites-enabled ou en utilisant a2ensite et a2dissite. Lire la suite…

Categories: Logiciel Tags: , ,

iptables: Linux firewall rules for a basic Web Server

15/01/2019 Comments off

What is iptables?

linux firewall web serveriptables is a package and kernel module for Linux that uses the netfilter hooks within the Linux kernel to provide filtering, network address translation, and packet mangling. iptables is a powerful tool for turning a regular Linux system into a simple or advanced firewall.

Firewall & iptables basics

Rules are first come first serve

In iptables much like other (but not all) firewall filtering packages the rules are presented in a list. When a packet is being processed, iptables will read through its rule-set list and the first rule that matches this packet completely gets applied.

For example if our rule-set looks like below, all HTTP connections will be denied:

  • Allow all SSH Connections
  • Deny all connections
  • Allow all HTTP Connections

If the packet was for SSH it would be allowed because it matches rule #1, HTTP traffic on the other hand would be denied because it matches both rule #2 and rule #3. Because rule #2 says Deny all connections the HTTP traffic would be denied.

This is an example of why order matters with iptables, keep this in mind as we will see this later in this article.

Lire la suite…