Last week while trying to create a Linux VM on a VMware ESX 6.5 server, I saw this;
No DEFAULT or UI configuration directive found
Solution
Normally the error indicates there's something wrong with the install media, so I deleted it and uploaded it again: same error. So I downloaded the setup ISO file again and checked its checksum, to make sure it was OK, (it was, but the problem persisted).
To fix the problem I simply had to connect to the host, using a different browser, (I used Firefox). Upload the .iso file and start again. Once I did that, hey presto;
Related Articles, References, Credits, or External Links
There are a couple of good posts out there on setting up Rancid (Really Awesome New Cisco Config Differ). Some even show you how to set it up with ViewVC (formerly ViewCVS; basically a nice web-based GUI front end that does version control and highlights differences). It does this using a system called CVS (Concurrent Versions System, hence the original name).
Then I had to do some more searching to get it to back up my Cisco ASA firewalls and get the whole thing automated, which I'll cover in Part Two.
OS: CentOS 7 x64
Rancid: 3.4.1
ViewVC: 1.1.24
Solution
Once it’s built, let’s update our server;
[box]
yum upgrade
yum update
[/box]
Answer any questions with 'y' for yes.
We only need a simple web server, so set the firewall accordingly (I’m opening http (TCP 80) and https (TCP 443) but we will only configure http in this example);
We have already installed Apache (web server), so we need to start it up, then set it to ‘auto-start’ with the server. Then create a group, and a user (rancid), and place that user in the group we created. Finally create a directory for us to ‘unzip’ rancid into.
Move into the directory we just created, then download RANCID, unzip it, and install it.
[box]
cd /home/rancid/tar/
wget ftp://ftp.shrubbery.net/pub/rancid/rancid-3.4.1.tar.gz
tar -zxvf rancid-3.4.1.tar.gz
cd rancid-3.4.1
./configure --prefix=/usr/local/rancid
make install
[/box]
Copy over the 'clogin' file, (more on this later). Then set the ownership and permissions on the rancid files and directories. Keep in mind that the .cloginrc file that clogin reads holds your device passwords in clear text: it must be owned by the rancid user with mode 600, and clogin will refuse to run if anyone else can read it.
Now to set the ‘top level’ groups. Above I’ve got Firewalls and Switches, you might want to create a group for each customer you are backing up, or each site. (the design is up to you), but these are the ‘folder names’ you will see when you first log into the ViewVC web front end. Next you need to edit the main Rancid configuration file;
[box]
nano /usr/local/rancid/etc/rancid.conf
[/box]
Uncomment and add your groups, i.e.
LIST_OF_GROUPS="Firewalls Switches"
Save and Exit the file, (in nano that’s CTRL+X, then Y to save, and finally {Enter}.) Now we need to change to the rancid user we created earlier, (remembering to swap back to ‘root’ afterwards). We do this to create the folder structure for the groups we just created. Most importantly this creates the router.db file(s) which lives in each group/folder. This file specifies what the devices are, and where they are, that you will be backing up.
[box]
su - rancid
Or 'su rancid' if you are logged in as root
/usr/local/rancid/bin/rancid-cvs
exit
[/box]
Download and install ViewVC.
[box]
cd /home/rancid/tar/
wget http://viewvc.tigris.org/files/documents/3330/49471/viewvc-1.1.24.tar.gz
tar -zxvf viewvc-1.1.24.tar.gz
cd viewvc-1.1.24
./viewvc-install
[/box]
Open the ViewVC config file;
[box]
nano /usr/local/viewvc-1.1.24/viewvc.conf
[/box]
Uncomment and change the values, (as shown above).
Then in the Apache config file, scroll to the end and add the following text, (don't forget to save and exit the file). Note: as written this publishes every backed-up device configuration (network layout, ACLs, and whatever credentials rancid's password filtering leaves in) to anyone who can reach port 80, so on anything but an isolated management network put authentication in front of ViewVC, or at least restrict the Directory below to your admin subnet, before you go live.
[box]
nano /etc/httpd/conf/httpd.conf
Paste the following (at the bottom)
# Custom Rancid Config
<VirtualHost *:80>
DocumentRoot /var/www
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
ScriptAlias /query /var/www/cgi-bin/query.cgi
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
</VirtualHost>
[/box]
Note: <VirtualHost> needs an address and port ('*:80' here), or httpd refuses to start. 'Require all granted' is the Apache 2.4 syntax that ships with CentOS 7; the older 'Order allow,deny / Allow from all' only works there because mod_access_compat is loaded.
We already installed MariaDB, (similar to MySQL) earlier, we just need to start it up, then set it to auto start with the server. Out of the box, MariaDB is a little insecure, so there’s a process of hardening it called ‘mysql_secure_installation’.
Note: the first time you run the secure installation it will ask for a password, this is the root password for MariaDB NOT the Linux root password, this will be {blank} so just hit {Enter}, then Yes to set the password, and set the MySQL/MariaDB root password (NEVER LOSE OR FORGET THIS). You will need it in a minute anyway, for all the other questions simply press {Enter} to accept the defaults.
Now that MariaDB is installed, we need to create a user in SQL that ViewVC will use. ViewVC only needs rights over its own database, so the grant below is scoped to ViewVC.* rather than to every database on the server (the make-database script can still create the ViewVC database, because the CREATE right in that grant covers a database of that name). To do that we need to log into SQL using the root password you just set up.
[box]
mysql -u root -p
Enter your SQL root password
CREATE USER 'VIEWVC'@'localhost' IDENTIFIED BY 'Password123';
GRANT ALL PRIVILEGES ON ViewVC.* TO 'VIEWVC'@'localhost';
FLUSH PRIVILEGES;
quit
[/box]
Note: sometimes it does not like you copying and pasting the first 'CREATE USER…' line, (I don't know why.) If it complains, type it out manually, making sure the quotes around the password are straight single quotes!
Now that is set up we can get ViewVC to create its database.
[box]
cd /usr/local/viewvc-1.1.24/bin
./make-database
[/box]
Use the following settings when prompted;
MySQL Hostname (leave blank for default):{Enter}
MySQL Port (leave blank for default):{Enter}
MySQL User: VIEWVC
MySQL Password: Password123
ViewVC Database Name [default: ViewVC]:{Enter}
Then, (the same as you did earlier,) create another user in MariaDB, that will be a 'read-only' user. It gets SELECT only, and no WITH GRANT OPTION: a read-only account has no business handing out rights.
[box]
mysql -u root -p
Enter your SQL root password
CREATE USER 'VIEWVCRO'@'localhost' IDENTIFIED BY 'Password456';
GRANT SELECT ON ViewVC.* TO 'VIEWVCRO'@'localhost';
FLUSH PRIVILEGES;
quit
[/box]
Edit the ViewVC configuration so that it uses all the parameters you have setup;
Note: This is to install the VMware Tools NOT the OPEN-VM-TOOLS.
I’ve had to do this a few times now, and every time I Google how to do it, I get pages of instructions on how to install the open vm tools. When what I really want is to install the VMware Tools.
Solution
I’m using vSphere ESX, but even if you are using VMware Workstation or VMware Fusion, you can still select ‘Install/Upgrade VMware tools’, this presents a DVD image to the virtual machine.
The install for VMware tools uses Perl, so you will need to have that installed.
[box]
yum install perl
[/box]
Now we are going to mount the virtual CD-ROM/DVD drive into a folder (called /mnt). Then when we have a look inside this folder, you will see the VMwareTools-{version}.tar.gz (take a note of this).
[box]
mount /dev/cdrom /mnt
cd /mnt
ls
TAKE NOTE OF THE VERSION!
[/box]
Unzip those files into the /tmp directory, then run the installer.
[box]
cd /tmp
tar zxf /mnt/VMwareTools-9.10.0-2476743.tar.gz
cd vmware-tools-distrib
./vmware-install.pl
[/box]
Keep pressing {Enter} to accept the defaults, when complete the mounted VMware tools DVD will be ejected.
Related Articles, References, Credits, or External Links
This has tripped me up a couple of times, and if you Google the problem, you find a load of posts saying ‘Just install VMware tools that will fix the problem’
It Wont!
And I’ll tell you why, run ifconfig
You will notice you have a network card, but you will also notice that it’s got a strange name ‘ens160’ not eth0 as you would normally expect? Anyway let’s prove it’s not a driver issue by issuing a dhclient -v command. This basically forces the NIC up and makes it get a DHCP address, (assuming your NIC is connected to the correct network, and you have DHCP running of course!)
So this tells me it’s not a driver issue, and that installing VMware tools probably won't cure the problem.
It Didn’t!
Also if you reboot, you will find it’s not working again!
Solution
I’m going to use nano in a minute, (other editors are available), so I’ll install that first. (I’m logged in as root, you may need to prefix the following command with sudo if you are not).
[box]
yum install nano
[/box]
Remember my network card had a ‘funny name’, well change directory to the /etc/sysconfig/network-scripts directory, and you will see its config file, ifcfg-{interface name}, so let’s edit that, (change ens160 to reflect your interface name, from the ifconfig command earlier);
[box]
cd /etc/sysconfig/network-scripts
nano ifcfg-ens160
[/box]
Make sure;
BOOTPROTO=dhcp
ONBOOT=yes
Now if you reboot your VM, it should come back up with networking enabled, (or run 'systemctl restart network' to apply the change without a reboot).
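The same fix scripted so it can be repeated on every new VM, as an added example that is not part of the original post: the function edits the ifcfg file in place, backs it up first, only appends a key when it is missing, and never leaves a second copy of BOOTPROTO or ONBOOT in the file. The interface name and the network-scripts directory are parameters; the only assumption is the CentOS 7 ifcfg-* layout described above.

```shell
#!/bin/sh
# Added example (not from the original post): force an ifcfg-* file to
# BOOTPROTO=dhcp / ONBOOT=yes idempotently, keeping a backup.

# set_ifcfg_key FILE KEY VALUE
# Replace an existing KEY=... line (quoted or not), otherwise append KEY=VALUE.
set_ifcfg_key() {
    file=$1 key=$2 value=$3
    if grep -q "^${key}=" "$file"; then
        # write to a temp file first so a failure never truncates the original
        tmp=$(mktemp) || return 1
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_ifcfg_key FILE KEY -> prints the value with any surrounding quotes stripped
get_ifcfg_key() {
    sed -n "s|^${2}=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$|\1|p" "$1" | tail -n 1
}

# enable_dhcp_on_boot IFACE [DIR]
# Backs up DIR/ifcfg-IFACE, then sets BOOTPROTO=dhcp and ONBOOT=yes.
enable_dhcp_on_boot() {
    iface=$1
    dir=${2:-/etc/sysconfig/network-scripts}
    file="$dir/ifcfg-$iface"
    [ -f "$file" ] || { echo "no such config: $file" >&2; return 1; }
    # The backup must end in ".bak": the network service ignores that suffix,
    # but would happily bring up an "interface" from ifcfg-ens160.bak-20200101.
    cp -p "$file" "$file.bak"
    set_ifcfg_key "$file" BOOTPROTO dhcp
    set_ifcfg_key "$file" ONBOOT yes
}
```

Run it as root with `enable_dhcp_on_boot ens160`, then restart networking; `get_ifcfg_key /etc/sysconfig/network-scripts/ifcfg-ens160 ONBOOT` should print yes.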
Related Articles, References, Credits, or External Links
This week I’ve been working on changing the site over to https. Buying a digital certificate used to be an expensive long winded affair, but not anymore. A quick internet search turned up a 3 year SSL certificate for less than 15 quid.
Getting the certificate was the easy bit, getting it installed so that Apache would use it was another ‘challenge’. On a scale of one to ten, I’m about a three (on a good day) with Linux!
Before you start, you need to generate a CSR and send that to whoever you are going to buy your cert from.
What about free certs? There are some firms that offer free certs; some require you to install software that renews the cert every ninety days, others have a short lifespan. I’m not usually one to spend any money but for a fiver a year, why not?
Solution
Your certificate vendor will send you your certificate, and it will probably come with at least one other cert. In my case it came with three other CA certs (a RootCA and two Intermediate CA certs). If you are unfamiliar with certificates, here are the two golden certificate rules;
You MUST trust the authority (CA) that issued the certificate, or that issued the cert to the CA that issued the cert, and so on up the chain.
The NAME on the certificate MUST match the address you are going to. Historically that was the Common Name (CN); current browsers ignore the CN and check only the Subject Alternative Name (SAN) list, so every hostname you will use has to appear in the SAN.
What you will find with these <ahem> cheaper certificates, is that you trust a CA, and that CA issues another CA Certificate, (to a subordinate CA), that Issues another CA Certificate (To a Subordinate CA), and that CA issues your certificate. All these certificates form a ‘chain’ and it looks like this;
OK why is that important? Well to trust your certificate, your visitors, (and Apache) need to be able to see all the certificates in this chain, right back to the RootCA certificate at the top (which they will trust, or there’s not much point selling them!)
Some vendors will give you a certificate bundle, mine did not so I had to make one (this is not hard to do, see below). But now when you make that certificate bundle, you will have a better understanding of what you are doing, (putting all the CA certs in the chain order, into one file).
Installing SSL Certificates Into Apache
Before you start you may need to install mod_ssl ‘yum install mod_ssl’ will do that 🙂
First you need to copy all the files into CentOS, I created a folder in ‘/etc/ssl/’ called ‘localcertificates’ and copied in the domain cert, the key file (that got generated when I made the CSR – See the link above). And I’ve copied in all the CA Certificates. (I use FileZilla to do this because it’s free, and easy to use).
Now log into your CentOS server via SSH and navigate to this directory, then use the 'cat' command to make a certificate bundle with all your CA certificates, (notice the order, SubCA2 > SubCA1 > RootCA: each certificate is followed by the one that issued it). Note: your certificates will probably have different names.
[box]
cd /etc/ssl/localcertificates
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > My-CA.ca-bundle
[/box]
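An added example, not from the original post, that checks the ordering the paragraphs above describe before you hand the bundle to Apache. It splits a PEM bundle into its certificates and confirms that each one's Issuer is the Subject of the next, which is exactly the SubCA2 > SubCA1 > RootCA order; a bundle in the wrong order is a common reason a browser shows the site as untrusted even though every file is present. It needs the openssl command-line tool; the bundle path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a CA bundle is in
# chain order (each certificate is followed by its issuer).

# pem_field FILE subject|issuer -> the DN without the "subject=" / "issuer=" prefix
pem_field() {
    openssl x509 -noout -"$2" -in "$1" | sed 's/^[a-z]*= *//'
}

# check_chain_order BUNDLE
# Returns 0 if every certificate is issued by the one after it, 1 otherwise.
# Prints the first break it finds on stderr.
check_chain_order() {
    bundle=$1
    work=$(mktemp -d) || return 1
    # split the concatenated PEM into cert_001.pem, cert_002.pem, ... in file order
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert_%03d.pem", dir, n) }
        n { print > f }
    ' "$bundle"
    rc=0
    prev_issuer=
    subj=
    for cert in "$work"/cert_*.pem; do
        [ -f "$cert" ] || { echo "no certificates found in $bundle" >&2; rc=1; break; }
        subj=$(pem_field "$cert" subject)
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            echo "chain break: expected '$prev_issuer' next, got '$subj'" >&2
            rc=1
            break
        fi
        prev_issuer=$(pem_field "$cert" issuer)
    done
    # Not an error (Apache does not need the root), but worth knowing.
    if [ "$rc" -eq 0 ] && [ "$prev_issuer" != "$subj" ]; then
        echo "note: last certificate is not a self-signed root" >&2
    fi
    rm -rf "$work"
    return "$rc"
}
```

Usage: `check_chain_order /etc/ssl/localcertificates/My-CA.ca-bundle && echo "order OK"`. The same check works on a combined site-cert-plus-chain file, since the site certificate is simply the first link.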
Now in the same directory you will have another file called My-CA.ca-bundle. To get Apache to use the certificates you need to edit the httpd.conf file. In CentOS 7 that usually lives in ‘/etc/httpd/conf’. I use nano because it’s easier to edit files with, (yum install nano). I'm also going to back up the config as well, in case something goes wrong!
[box]
cd /etc/httpd/conf
cp httpd.conf httpd.conf-old
nano httpd.conf
[/box]
Locate the part of the file that says ‘Listen 80’ and place a line below it that says ‘Listen 443’. Note: on CentOS 7 the mod_ssl package installs /etc/httpd/conf.d/ssl.conf, which already contains ‘Listen 443 https’; a second Listen 443 makes httpd fail to start with ‘Address already in use’, so check that file first and only add the line if nothing else listens on 443.
Scroll to the end of the file and paste in the following, (change the filenames to match your own).
Note: Make sure the Logs folder exists in /var/www if you use the same paths as me! Also SSLCertificateChainFile is deprecated from Apache 2.4.8 onwards: on newer versions put the intermediates after the site certificate in the file SSLCertificateFile points at (site cert first, then the chain in the same order as the bundle). SSLCACertificateFile and SSLCACertificatePath are for verifying client certificates, not for your own chain.
You can now restart Apache and browse to https://www.your-site.com. It can take a little while before it’s back up!
[box]
apachectl restart
apachectl status
[/box]
Everything’s Broken Help!!
This is why we backed up the config. First, ‘apachectl configtest’ (or ‘apachectl status’ after a failed start) usually says there's a problem on line XYZ of the httpd.conf file; open it in a text editor at that line and the error message will point you to a resolution. If all else fails, you can restore the original config like so;
[box]
cd /etc/httpd/conf
cp httpd.conf-old httpd.conf
apachectl start
apachectl status
[/box]
How To Redirect All HTTP Traffic to HTTPS in Apache?
That’s even easier. If you have a virtual host for port 80 already set up in httpd.conf, then just add ‘Redirect permanent / https://www.your-site.com/’ to it (‘permanent’ makes it a 301, so browsers and search engines remember the move). I did not, but adding one did not break/affect my site at all. After the text you pasted in above for the SSL virtual host, just paste in a new one for http (TCP port 80).
If you want to use digital certificates on your CentOS server, then you will need to generate a CSR. It does not matter if you want to purchase a publicly signed certificate, or even if you are going to sign your own. Below is how to generate a CSR for a single web host.
Note: Most cert vendors now require a minimum key length of 2048 bits (RSA), so that’s what I’m going to use. And I’m assuming you have OpenSSL installed (type ‘openssl version‘ to find out).
The CSR Generation process will begin and you will have to answer some questions;
[box]
Generating a 2048 bit RSA private key
.........................................+++
........................+++
writing new private key to 'www.YourSite.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:Teesside
Locality Name (eg, city) [Default City]:Middlesbrough
Organization Name (eg, company) [Default Company Ltd]:YourSite
Organizational Unit Name (eg, section) []:YourSite
Common Name (eg, your name or your server's hostname) []:www.YourSite.com
Email Address []:administrator@YourSite.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password123
An optional company name []:YourSite
[/box]
This will actually create the CSR; now you need to get the text from the CSR and send it to your certificate vendor, or sign it with your own CA. Note: the ‘challenge password’ is an optional attribute embedded in the CSR that almost no public CA uses, and it is not a passphrase on your key; it is fine to leave it blank. The .key file is the secret half of the pair: keep it on the server only, owned by root with mode 600.
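An added example, not from the original post, that does the same CSR generation non-interactively and adds what the interactive prompts above cannot: a Subject Alternative Name list, which is what browsers now match against. The hostnames, DN values and output directory are placeholders; it needs the openssl command-line tool and writes the key with mode 600 from the start.

```shell
#!/bin/sh
# Added example (not from the original post): generate a 2048-bit RSA key
# and a CSR carrying Subject Alternative Names, without the interactive prompts.

# make_csr OUTDIR PRIMARY_HOST [EXTRA_HOST ...]
# Writes OUTDIR/PRIMARY_HOST.key (mode 600) and OUTDIR/PRIMARY_HOST.csr.
# C and O below are placeholders; change them to your own values.
make_csr() {
    outdir=$1; primary=$2; shift 2
    # SAN list: the CN must be repeated here, browsers ignore the CN itself
    san="DNS:$primary"
    for h in "$@"; do san="$san,DNS:$h"; done
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<EOF
[ req ]
default_bits        = 2048
prompt              = no
distinguished_name  = dn
req_extensions      = ext
[ dn ]
C  = GB
O  = YourSite
CN = $primary
[ ext ]
subjectAltName = $san
EOF
    # umask 077 so the private key is never world-readable, even for an instant
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$outdir/$primary.key" -out "$outdir/$primary.csr" \
          -config "$cfg" ) 2>/dev/null
    rc=$?
    rm -f "$cfg"
    return $rc
}

# csr_sans FILE -> prints the SAN entries from a CSR, e.g. "DNS:www.example.test, DNS:example.test"
csr_sans() {
    openssl req -noout -text -in "$1" \
        | sed -n '/X509v3 Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}
```

Usage: `make_csr /etc/ssl/localcertificates www.YourSite.com YourSite.com`, then `csr_sans /etc/ssl/localcertificates/www.YourSite.com.csr` to confirm both names went in before you paste the CSR into the vendor's form (some vendors ask for the SANs separately and ignore the ones in the CSR, so check the issued certificate too).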
This was a much more complicated job than I expected it to be! The following procedure is done on CentOS 6, so will be the same for Red Hat Enterprise 6.
Solution
1. Connect to the server via SSH, (or open a terminal session). Logon as, (or su to) root.
2. Execute the following commands;
[box]yum install make gcc kernel-devel kernel-headers glibc-headers perl
mkdir /mnt/cdrom[/box]
3. Then present the VMware tools CD to the virtual machine, by connecting to the VI client > right click the VM > Guest > Install/Upgrade VMware tools.
4. Execute the following commands;
[box]mount -t iso9660 /dev/cdrom /mnt/cdrom
cp /mnt/cdrom/VMwareTools-*.tar.gz /tmp/
cd /tmp/
tar xvfz VMwareTools*.tar.gz
cd /tmp/vmware-tools-distrib
./vmware-install.pl -d[/box]
Related Articles, References, Credits, or External Links
While moving my DNS records from my old hosting company, I finally got round to pointing my domain name server records at my own server. I then saw my web traffic nose dive! Some troubleshooting steps later I realised I could not connect to my server on TCP port 53 (use an online port scanner to test yours).
Solution
Allow Access to DNS BIND From Remote Clients
1. Firstly let’s make sure that the firewall is not blocking DNS (Note: I’m using iptables).
[box]iptables -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT
service iptables save
service iptables restart[/box]
2. Still mine refused to work! I had to edit the named.conf file
[box] nano /etc/named.conf[/box]
3. Mine was set to only respond to 127.0.0.1, and only return localhost.
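An added example, not from the original post: a small check for the two named.conf settings behind this symptom. A listen-on of 127.0.0.1 is why nothing answers on port 53 from outside, and the fix most people make, allow-query { any; }, has a side effect worth knowing about. BIND derives its recursion ACL from allow-recursion if set, otherwise allow-query-cache, otherwise allow-query, otherwise localhost/localnets, so widening allow-query on a server that still has recursion on (the stock CentOS named.conf says recursion yes;) turns it into an open recursive resolver that anyone can use for DNS amplification. If the server is only authoritative for your zones, add recursion no; at the same time. The functions assume each statement sits on one line inside options { }, as in the stock file.

```shell
#!/bin/sh
# Added example (not from the original post): spot a named.conf that listens
# on loopback only, or that would become an open resolver once allow-query is widened.

# named_option FILE NAME -> the contents of "NAME [port N] { ... };", e.g. "any; "; empty if unset
named_option() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\(port[[:space:]]*[0-9]*[[:space:]]*\)\{0,1\}{[[:space:]]*\(.*\)}[[:space:]]*;.*/\2/p" "$1" \
        | tail -n 1
}

# named_loopback_only FILE -> 0 if listen-on allows nothing but 127.0.0.1 (the symptom in this post)
named_loopback_only() {
    l=$(named_option "$1" listen-on)
    case "$l" in
        "") return 1 ;;                           # unset: BIND listens on every interface
        *127.0.0.1*) set -- $l; [ $# -eq 1 ] ;;   # loopback is the only entry
        *) return 1 ;;
    esac
}

# named_is_open_resolver FILE -> 0 if recursion is enabled and its ACL contains "any"
named_is_open_resolver() {
    conf=$1
    if grep -Eq '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;' "$conf"; then
        return 1                                  # authoritative only: cannot recurse for anyone
    fi
    # BIND 9 ARM fallback order for the recursion ACL
    acl=$(named_option "$conf" allow-recursion)
    [ -n "$acl" ] || acl=$(named_option "$conf" allow-query-cache)
    [ -n "$acl" ] || acl=$(named_option "$conf" allow-query)
    [ -n "$acl" ] || acl="localhost; localnets;"  # built-in default
    case " $acl " in
        *" any;"*|*" any "*) return 0 ;;
        *) return 1 ;;
    esac
}

# named_check FILE -> prints findings, returns 0 only when neither problem is present
named_check() {
    rc=0
    if named_loopback_only "$1"; then
        echo "$1: listen-on is loopback only; remote clients cannot reach this server"; rc=1
    fi
    if named_is_open_resolver "$1"; then
        echo "$1: recursion is open to 'any'; add 'recursion no;' or restrict allow-recursion"; rc=1
    fi
    return $rc
}
```

Run `named_check /etc/named.conf` before and after you widen allow-query; the goal is to clear the first message without triggering the second. `named-checkconf` is still the tool for syntax errors; this only looks at exposure.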
I was a little perturbed to find out the firewall on my CentOS web server was wide open today. My server setup notes yielded no clues, so it was time to put my ‘Linux Head’ on and fix it.
Solution
1. Connect to the server via console or SSH. As I’m going to change the iptables config file, let’s back it up (always assume you are going to smash something!)
2. I have a VPS so I’m usually logged on via SSH, so to avoid locking myself out I’m going to change the default policy to allow (yes in my current scenario that’s a moot point, but it’s good practice). Then I can flush the current rules, without kicking myself out.
[box]iptables -P INPUT ACCEPT
iptables -F[/box]
3. Then allow packets destined to Loopback (127.0.0.1), some processes on the server rely on this, and expect it to be open.
[box] iptables -A INPUT -i lo -j ACCEPT [/box]
4. Allow inbound packets that belong to a connection which is already established (most importantly the replies to connections the server itself opened), or that are related to one (such as ICMP errors).
[box] iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT[/box]
5. Allow in the ports you require (your requirements may differ).
[box]iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 12345 -j ACCEPT[/box]
6. To allow your server to respond to pings (if required);
[box]iptables -A INPUT -p icmp -j ACCEPT
[/box]
7. Drop all other traffic, and set the FORWARD chain to drop as well (this box is not a router). Then I’m going to allow all outbound traffic from the server.
[box]iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT[/box]
8. TEST EVERYTHING! Then save the changes, to make them persistent.
[box] /sbin/service iptables save[/box]
Show iptables Settings
[box] iptables -L -v[/box]
Start/Stop and Restart the iptables Service
[box]service iptables stop
service iptables start
service iptables restart[/box]
Related Articles, References, Credits, or External Links
I needed to back up a Cisco firewall, and perform an upgrade remotely, despite my best efforts to use the ASDM and update via http, I had to go ‘old school’ and bring up a TFTP server on one of my CentOS Linux servers.
Solution
1. Log onto the server and install the xinetd TFTP Server. Execute the following command and follow the on-screen prompts.
[box]yum install tftp tftp-server xinetd[/box]
2. Now you need to edit the config file, /etc/xinetd.d/tftp. Here I’m using nano, but you could use vi as well. By default it looks like this;
[box]
# default: off
# description: The tftp server serves files using the trivial file transfer
# protocol. The tftp protocol is often used to boot diskless
# workstations, download configuration files to network-aware printers,
# and to start the installation process for some operating systems.
service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s /var/lib/tftpboot
disable = yes
per_source = 11
cps = 100 2
flags = IPv4
}
[/box]
4. Edit the file and save it, so it looks like this;
[box]
# default: off
# description: The tftp server serves files using the trivial file transfer
# protocol. The tftp protocol is often used to boot diskless
# workstations, download configuration files to network-aware printers,
# and to start the installation process for some operating systems.
service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -c -s /var/lib/tftpboot
disable = no
per_source = 11
cps = 100 2
flags = IPv4
}
[/box]
Note: if you run SELinux you may also need to execute the following command, 'setsebool -P tftp_anon_write 1'.
WARNING: This enables anonymous access on the TFTP root folder (with ‘-c’ anyone who can reach UDP 69 can also create files there). If your server is public facing and not firewalled, then I would suggest you do what I do, (stop and start the service manually, and only open the firewall for TFTP when you need to use it – see below).
6. If you use iptables as a firewall, you will need to open the TFTP port (UDP Port 69).
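The ‘open it only when you need it’ approach from the warning above, as an added example that is not part of the original post: one function starts xinetd, inserts an accept rule for UDP 69 from a single client address (the firewall you are backing up, not the whole internet), waits for the window you give it, then removes the rule and stops xinetd again. The trap makes the teardown run even if you Ctrl-C out of it, which is the part people forget. It assumes the xinetd-based tftp-server and iptables set up above; the iptables and service commands are reached through variables so they can be stubbed for testing, and the client address and duration are parameters.

```shell
#!/bin/sh
# Added example (not from the original post): open TFTP for one client for a
# fixed window, and guarantee it is closed again afterwards.

IPT=${IPT:-iptables}   # overridable so the logic can be tested without root
SVC=${SVC:-service}

# tftp_close: undo exactly what tftp_window did, then disarm the trap
tftp_close() {
    "$IPT" -D INPUT -p udp -s "$TFTP_CLIENT" --dport 69 -j ACCEPT
    "$SVC" xinetd stop
    trap - INT TERM EXIT
}

# tftp_window CLIENT_IP SECONDS
# Only CLIENT_IP gets through; the existing INPUT policy still drops everyone else.
tftp_window() {
    TFTP_CLIENT=$1; secs=$2
    # arm the cleanup before changing anything, so an interrupt never leaves a hole open
    trap tftp_close INT TERM EXIT
    "$SVC" xinetd start || return 1
    # -I puts the rule at the top, so a catch-all DROP rule further down cannot shadow it
    "$IPT" -I INPUT -p udp -s "$TFTP_CLIENT" --dport 69 -j ACCEPT || return 1
    echo "TFTP open for $TFTP_CLIENT for ${secs}s" >&2
    sleep "$secs"
    tftp_close
}
```

Usage as root: `tftp_window 203.0.113.10 600` gives the firewall at 203.0.113.10 ten minutes to copy its config or image, after which the rule and the service are gone whether the copy finished or not; run it again if you need longer.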
10. I could SSH into the server and change to the /var/lib/tftpboot directory and see the file. But I’ve got WinSCP installed so I can view the backup with that.
11. Let’s see if we can copy a file off the TFTP server back to the firewall.
[box]
Petes-ASA# copy tftp flash
Address or name of remote host []? 123.123.123.123