Saturday, October 24, 2015

Study MongoDB security by setup and configure server and client on secure line

It's been a while since my last learning on MongoDB. The last learning on MongoDB was on administration. Today, we will learn another topic of mongoDB; MongoDB security. As a general for MongoDB security context, it means

Maintaining a secure MongoDB deployment requires administrators to implement controls to ensure that users and applications have access to only the data that they require. MongoDB provides features that allow administrators to implement these controls and restrictions for any MongoDB deployment.

This article is reference the official documentation which can be found here. As the security context is pretty huge, in this short article, we will focus how to setup mongdb server to use on ssl and how client will access the database resource securely.

First, make sure you have install the server and client package. If you are on deb package linux distribution, it is as easy as sudo apt-get install mongodb-clients mongodb-server. Once both packages are install, you can check in the log file at /var/log/mongodb/mongodb.log similar such as the following. So our mongodb version is 2.6.3 and it has support using openssl library.

 2015-09-27T16:04:48.849+0800 [initandlisten] db version v2.6.3  
 2015-09-27T16:04:48.849+0800 [initandlisten] git version: nogitversion  
 2015-09-27T16:04:48.849+0800 [initandlisten] OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014

Next, let's generate a public and private key and a self sign certifcate.

 user@localhost:~/test1$ openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb-cert.crt -keyout mongodb-cert.key  
 Generating a 2048 bit RSA private key  
 .............................+++  
 ..................................................................................................................................................................................................................+++  
 writing new private key to 'mongodb-cert.key'  
 -----  
 You are about to be asked to enter information that will be incorporated  
 into your certificate request.  
 What you are about to enter is what is called a Distinguished Name or a DN.  
 There are quite a few fields but you can leave some blank  
 For some fields there will be a default value,  
 If you enter '.', the field will be left blank.  
 -----  
 Country Name (2 letter code) [AU]:MY  
 State or Province Name (full name) [Some-State]:KL  
 Locality Name (eg, city) []:Kuala Lumpur  
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:example.com  
 Organizational Unit Name (eg, section) []:Engineering  
 Common Name (e.g. server FQDN or YOUR name) []:Jason Wee  
 Email Address []:jason@example.com  
 user@localhost:~/test1$ ls  
 mongodb-cert.crt mongodb-cert.key

Now put everything into a file with extension .pem.

 user@localhost:~/test1$ cat mongodb-cert.key mongodb-cert.crt > mongodb.pem

Now, stop mongodb instance if it is running. As we will now configured the server to use the certificate we generated previously.

 user@localhost:~/test1$ sudo systemctl status mongodb  
 ● mongodb.service - An object/document-oriented database  
   Loaded: loaded (/lib/systemd/system/mongodb.service; enabled; vendor preset: enabled)  
   Active: inactive (dead) since Sun 2015-09-27 16:13:34 MYT; 23min ago  
    Docs: man:mongod(1)  
  Main PID: 15343 (code=exited, status=0/SUCCESS)  
   
 Sep 27 16:04:48 localhost systemd[1]: Started An object/document-oriented database.  
 Sep 27 16:04:48 localhost systemd[1]: Starting An object/document-oriented database...  
 Sep 27 16:13:33 localhost systemd[1]: Stopping An object/document-oriented database...  
 Sep 27 16:13:34 localhost systemd[1]: Stopped An object/document-oriented database.  
 Sep 27 16:36:30 localhost systemd[1]: Stopped An object/document-oriented database.  
 user@localhost:~/test1$ sudo tail -10 /etc/mongodb.conf   
 # Size limit for in-memory storage of op ids.  
 #opIdMem = <bytes>  
   
 # SSL options  
 # Enable SSL on normal ports  
 sslOnNormalPorts = true  
 # SSL Key file and password  
 #sslPEMKeyFile = /etc/ssl/mongodb.pem  
 sslPEMKeyFile = /home/user/test1/mongodb.pem  
 #sslPEMKeyPassword = pass  
 user@localhost:~/test1$

In the above output, as an example, I have set the file mongodb.pem to the configuration sslPEMKeyFile and also set sslOnNormalPorts to true. Now if you start mongodb instance.

 user@localhost:~/test1$ sudo systemctl start mongodb  
 user@localhost:~/test1$

In the log file, noticed that ssl is enabled and no ssl related error.

 2015-09-27T16:46:41.648+0800 [initandlisten] options: { config: "/etc/mongodb.conf", net: { bindIp: "127.0.0.1", ssl: { PEMKeyFile: "/home/user/test1/mongodb.pem", mode: "requireSSL" } }, storage: { dbPath: "/var/lib/mongodb", journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongodb.log" } }  
 2015-09-27T16:46:41.788+0800 [initandlisten] journal dir=/var/lib/mongodb/journal  
 2015-09-27T16:46:41.797+0800 [initandlisten] recover : no journal files present, no recovery needed  
 2015-09-27T16:46:42.162+0800 [initandlisten] waiting for connections on port 27017 ssl

On the server configuration and setup, it is now done. Now, we will focus on the mongdb client. If you connect to mongodb using its client, you will get error.

 user@localhost:~/test1$ mongo foo  
 MongoDB shell version: 2.6.3  
 connecting to: foo  
 2015-09-27T17:22:54.300+0800 DBClientCursor::init call() failed  
 2015-09-27T17:22:54.302+0800 Error: DBClientBase::findN: transport error: 127.0.0.1:27017 ns: admin.$cmd query: { whatsmyuri: 1 } at src/mongo/shell/mongo.js:146  
 exception: connect failed  
 user@localhost:~/test1$ mongo --ssl --sslPEMKeyFile mongodb.pem  
 MongoDB shell version: 2.6.3  
 connecting to: test  
 Server has startup warnings:   
 2015-09-27T16:46:41.647+0800 [initandlisten]   
 2015-09-27T16:46:41.647+0800 [initandlisten] ** NOTE: This is a 32 bit MongoDB binary.  
 2015-09-27T16:46:41.647+0800 [initandlisten] **    32 bit builds are limited to less than 2GB of data (or less with --journal).  
 2015-09-27T16:46:41.647+0800 [initandlisten] **    See http://dochub.mongodb.org/core/32bit  
 2015-09-27T16:46:41.647+0800 [initandlisten]   
 > show dbs  
 admin (empty)  
 local 0.078GB  
 >

As you can read above, you need to specify parameter ssl and the pem file. That's it for this article, if you want to go the distance, try using tcpdump to listen to this port traffic. Good luck!

Posted by at No comments:
Labels: , , ,

Friday, October 23, 2015

cracking wireless wep router encryption

Recently I noticed one of my neighbor router encryption is using WEP and I thought maybe to spend sometime to aircrack it. Googling shown many articles that teach you on how to gain access to wireless router that using WEP as the encryption standard. In this article, I mainly reference this article and running this on my linux workstation.

With that said, let's begin. Install aircrack-ng package that contain essentials applications that sniff the air traffic and crack it.

 root@localhost:~# apt-get install aircrack-ng  
 Reading package lists... Done  
 Building dependency tree      
 Reading state information... Done  
 The following packages were automatically installed and are no longer required:  
  libgee2 libmono-2.0-1 libmono-2.0-dev libmono-accessibility4.0-cil libmono-c5-1.1-cil libmono-cecil-private-cil libmono-codecontracts4.0-cil  
  libmono-compilerservices-symbolwriter4.0-cil libmono-cscompmgd8.0-cil libmono-custommarshalers4.0-cil libmono-db2-1.0-cil libmono-debugger-soft2.0a-cil  
  libmono-debugger-soft4.0a-cil libmono-entityframework-sqlserver6.0-cil libmono-entityframework6.0-cil libmono-http4.0-cil libmono-ldap2.0-cil  
  libmono-ldap4.0-cil libmono-management2.0-cil libmono-management4.0-cil libmono-messaging-rabbitmq2.0-cil libmono-messaging-rabbitmq4.0-cil  
  libmono-messaging4.0-cil libmono-microsoft-build-engine4.0-cil libmono-microsoft-build-framework4.0-cil libmono-microsoft-build-tasks-v4.0-4.0-cil  
  libmono-microsoft-build-utilities-v4.0-4.0-cil libmono-microsoft-build2.0-cil libmono-microsoft-build4.0-cil libmono-microsoft-visualc10.0-cil  
  libmono-microsoft-web-infrastructure1.0-cil libmono-microsoft8.0-cil libmono-npgsql2.0-cil libmono-npgsql4.0-cil libmono-opensystem-c4.0-cil  
  libmono-oracle2.0-cil libmono-oracle4.0-cil libmono-parallel4.0-cil libmono-peapi2.0a-cil libmono-peapi4.0a-cil libmono-profiler libmono-rabbitmq2.0-cil  
  libmono-rabbitmq4.0-cil libmono-relaxng2.0-cil libmono-relaxng4.0-cil libmono-sharpzip2.6-cil libmono-simd2.0-cil libmono-simd4.0-cil  
  libmono-system-componentmodel-composition4.0-cil libmono-system-componentmodel-dataannotations4.0-cil libmono-system-configuration-install4.0-cil  
  libmono-system-data-datasetextensions4.0-cil libmono-system-data-linq4.0-cil libmono-system-data-services-client4.0-cil  
  libmono-system-data-services2.0-cil libmono-system-data-services4.0-cil libmono-system-design4.0-cil libmono-system-drawing-design4.0-cil  
  libmono-system-dynamic4.0-cil libmono-system-identitymodel-selectors4.0-cil libmono-system-identitymodel4.0-cil  
  libmono-system-io-compression-filesystem4.0-cil libmono-system-io-compression4.0-cil libmono-system-json-microsoft4.0-cil libmono-system-json2.0-cil  
  libmono-system-json4.0-cil libmono-system-ldap-protocols4.0-cil libmono-system-ldap2.0-cil libmono-system-ldap4.0-cil libmono-system-management4.0-cil  
  libmono-system-messaging4.0-cil libmono-system-net-http-formatting4.0-cil libmono-system-net-http-webrequest4.0-cil libmono-system-net-http4.0-cil  
  libmono-system-net2.0-cil libmono-system-net4.0-cil libmono-system-numerics4.0-cil libmono-system-reactive-core2.2-cil  
  libmono-system-reactive-debugger2.2-cil libmono-system-reactive-experimental2.2-cil libmono-system-reactive-interfaces2.2-cil  
  libmono-system-reactive-linq2.2-cil libmono-system-reactive-observable-aliases0.0-cil libmono-system-reactive-platformservices2.2-cil  
  libmono-system-reactive-providers2.2-cil libmono-system-reactive-runtime-remoting2.2-cil libmono-system-reactive-windows-forms2.2-cil  
  libmono-system-reactive-windows-threading2.2-cil libmono-system-runtime-caching4.0-cil libmono-system-runtime-durableinstancing4.0-cil  
  libmono-system-servicemodel-activation4.0-cil libmono-system-servicemodel-discovery4.0-cil libmono-system-servicemodel-routing4.0-cil  
  libmono-system-servicemodel-web4.0-cil libmono-system-servicemodel4.0a-cil libmono-system-serviceprocess4.0-cil  
  libmono-system-threading-tasks-dataflow4.0-cil libmono-system-web-abstractions4.0-cil libmono-system-web-dynamicdata4.0-cil  
  libmono-system-web-extensions-design4.0-cil libmono-system-web-extensions4.0-cil libmono-system-web-http-selfhost4.0-cil  
  libmono-system-web-http-webhost4.0-cil libmono-system-web-http4.0-cil libmono-system-web-mvc1.0-cil libmono-system-web-mvc2.0-cil  
  libmono-system-web-mvc3.0-cil libmono-system-web-razor2.0-cil libmono-system-web-routing4.0-cil libmono-system-web-webpages-deployment2.0-cil  
  libmono-system-web-webpages-razor2.0-cil libmono-system-web-webpages2.0-cil libmono-system-windows-forms-datavisualization4.0a-cil  
  libmono-system-windows-forms4.0-cil libmono-system-windows4.0-cil libmono-system-xaml4.0-cil libmono-system-xml-serialization4.0-cil  
  libmono-tasklets2.0-cil libmono-tasklets4.0-cil libmono-webbrowser4.0-cil libmono-webmatrix-data4.0-cil libmono-windowsbase3.0-cil  
  libmono-windowsbase4.0-cil libmono-xbuild-tasks2.0-cil libmono-xbuild-tasks4.0-cil libmonoboehm-2.0-1 libmonoboehm-2.0-dev libmonosgen-2.0-1  
  libnunit-cil-dev libts-0.0-0 libts-0.0-0:i386 libupower-glib1 linux-image-amd64 mono-2.0-service mono-4.0-service mono-csharp-shell mono-jay mono-utils  
  mono-xbuild monodoc-base monodoc-browser monodoc-manual python-gtksourceview2 python3-packagekit tsconf  
 Use 'apt-get autoremove' to remove them.  
 The following extra packages will be installed:  
  ieee-data  
 The following NEW packages will be installed:  
  aircrack-ng ieee-data  
 0 upgraded, 2 newly installed, 0 to remove and 523 not upgraded.  
 Need to get 1,244 kB of archives.  
 After this operation, 5,914 kB of additional disk space will be used.  
 Do you want to continue? [Y/n] Y  
 Get:1 http://cdn.debian.net/debian/ unstable/main aircrack-ng amd64 1:1.2-0~beta3-4 [435 kB]  
 Get:2 http://cdn.debian.net/debian/ unstable/main ieee-data all 20141019.1 [809 kB]  
 Fetched 1,244 kB in 5s (228 kB/s)   
 Selecting previously unselected package aircrack-ng.  
 (Reading database ... 325525 files and directories currently installed.)  
 Preparing to unpack .../aircrack-ng_1%3a1.2-0~beta3-4_amd64.deb ...  
 Unpacking aircrack-ng (1:1.2-0~beta3-4) ...  
 Selecting previously unselected package ieee-data.  
 Preparing to unpack .../ieee-data_20141019.1_all.deb ...  
 Unpacking ieee-data (20141019.1) ...  
 Processing triggers for man-db (2.7.0.2-5) ...  
 Setting up aircrack-ng (1:1.2-0~beta3-4) ...  
 Setting up ieee-data (20141019.1) ...

okay, the package installed successfully. Next you need to turn the wireless interface to monitor mode and so the interface can intercept any wireless traffic nearby.


As you can read above, I have stop network-manager and so my interface will not automatically connect to my wireless router. In this example, I use one of my wireless interface for this learning adventure. Once the wireless interface is turned into monitor mode, you can start to dump the air traffic using the command airodump-ng .




Identify any wireless router that use WEP encryption protocol, and then start another terminal to write all these traffics into a tcpdump file. You can do that using the command airodump-ng -c 6 -w data-capture wlan0 .


Next, you can inject (send traffic) more packets to the identified router using aireplay . As you can see below, I experiment with a few aireplay parameter and you should too.




If your neighbour WEP wireless router is an active users, airodump-ng should be able to capture sufficient of initialization vectors(IVs) for your next aircrack command. I suggest you leave over few hours to collect maybe 10k of IVs and run this tcpdump capture with a powerful cpu.



That's it. Good luck, have fun and be good.



Posted by at No comments:
Labels: , ,

Sunday, October 11, 2015

How to install D-Link DWA-123 Wireless N 150 adapter in debian

Today I got myself a new wireless usb device. Pricing for D-Link DWA-123 wireless N 150 is very affordable and only at 17MYR (01 september 2015) in local computer store. So I got myself a unit and try out, and it's working fine after more than ten days. I will share with you how do I install this unit in linux debian.


If you are using kernel 4.0 or above, the module should come together with the kernel. You can identify below and you plug the device into the usb port.

 root@localhost:~# modinfo r8188eu  
 filename:    /lib/modules/4.0.0-2-amd64/kernel/drivers/staging/rtl8188eu/r8188eu.ko  
 version:    v4.1.4_6773.20130222  
 author:     Realtek Semiconductor Corp.  
 description:  Realtek Wireless Lan Driver  
 license:    GPL  
 srcversion:   A3DA328AE8853D31D90212F  
 alias:     usb:v0DF6p0076d*dc*dsc*dp*ic*isc*ip*in*  
 alias:     usb:v2001p3311d*dc*dsc*dp*ic*isc*ip*in*  
 alias:     usb:v2001p3310d*dc*dsc*dp*ic*isc*ip*in*  
 alias:     usb:v2001p330Fd*dc*dsc*dp*ic*isc*ip*in*  
 alias:     usb:v07B8p8179d*dc*dsc*dp*ic*isc*ip*in*  
 alias:     usb:v056Ep4008d*dc*dsc*dp*ic*isc*ip*in*  
 alias:     usb:v0BDAp0179d*dc*dsc*dp*ic*isc*ip*in*  
 alias:     usb:v0BDAp8179d*dc*dsc*dp*ic*isc*ip*in*  
 depends:    usbcore  
 staging:    Y  
 intree:     Y  
 vermagic:    4.0.0-2-amd64 SMP mod_unload modversions   
 parm:      rtw_ips_mode:The default IPS mode (int)  
 parm:      ifname:The default name to allocate for first interface (charp)  
 parm:      if2name:The default name to allocate for second interface (charp)  
 parm:      rtw_initmac:charp  
 parm:      rtw_channel_plan:int  
 parm:      rtw_chip_version:int  
 parm:      rtw_rfintfs:int  
 parm:      rtw_lbkmode:int  
 parm:      rtw_network_mode:int  
 parm:      rtw_channel:int  
 parm:      rtw_wmm_enable:int  
 parm:      rtw_vrtl_carrier_sense:int  
 parm:      rtw_vcs_type:int  
 parm:      rtw_busy_thresh:int  
 parm:      rtw_ht_enable:int  
 parm:      rtw_cbw40_enable:int  
 parm:      rtw_ampdu_enable:int  
 parm:      rtw_rx_stbc:int  
 parm:      rtw_ampdu_amsdu:int  
 parm:      rtw_lowrate_two_xmit:int  
 parm:      rtw_rf_config:int  
 parm:      rtw_power_mgnt:int  
 parm:      rtw_smart_ps:int  
 parm:      rtw_low_power:int  
 parm:      rtw_wifi_spec:int  
 parm:      rtw_antdiv_cfg:int  
 parm:      rtw_antdiv_type:int  
 parm:      rtw_enusbss:int  
 parm:      rtw_hwpdn_mode:int  
 parm:      rtw_hwpwrp_detect:int  
 parm:      rtw_hw_wps_pbc:int  
 parm:      rtw_max_roaming_times:The max roaming times to try (uint)  
 parm:      rtw_fw_iol:FW IOL (int)  
 parm:      rtw_mc2u_disable:int  
 parm:      rtw_80211d:Enable 802.11d mechanism (int)  
 parm:      rtw_notch_filter:0:Disable, 1:Enable, 2:Enable only for P2P (uint)  
 parm:      debug:Set debug level (1-9) (default 1) (int)  
 root@localhost:~# dpkg -S /lib/modules/4.0.0-2-amd64/kernel/drivers/staging/rtl8188eu/r8188eu.ko  
 linux-image-4.0.0-2-amd64: /lib/modules/4.0.0-2-amd64/kernel/drivers/staging/rtl8188eu/r8188eu.ko

If you get the following message in your syslog,

 Sep 1 19:12:33 localhost kernel: [ 385.525522] r8188eu 1-1.1.2.3:1.0: firmware: failed to load rtlwifi/rtl8188eufw.bin (-2)  
 Sep 1 19:12:33 localhost kernel: [ 385.525530] r8188eu 1-1.1.2.3:1.0: Direct firmware load for rtlwifi/rtl8188eufw.bin failed with error -2  
 Sep 1 19:12:33 localhost kernel: [ 385.525534] r8188eu 1-1.1.2.3:1.0: Firmware rtlwifi/rtl8188eufw.bin not available  
 Sep 1 19:12:33 localhost kernel: [ 385.525539] MAC Address = 00:00:00:00:00:00

What you need to do next is to install the firmware. The firmware is in the repository and you can install as easy as apt-get.

 root@localhost:~# apt-get install firmware-realtek

Now the userspace application should be able to identify the device correctly. I am using gnome so, it is detected as USB Wi-FI. Note that I have an existing pci wifi as shown in the screenshot below.


Try out to device to retrieve the IP address etc. If you get your wireless to a funky name such as wlxc412f52da87d , then you can create a rule in the udev configuration file.

 # cat /etc/udev/rules.d/70-persistent-net.rules  
 # This file was automatically generated by the /lib/udev/write_net_rules  
 # program, run by the persistent-net-generator.rules rules file.  
 #  
 # You can modify it, as long as you keep each rule on a single  
 # line, and change only the value of the NAME= key.  
   
 # PCI device 0x0000:0x0000 (atl1c)  
 SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:00:00:00:00:00", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"  
   
 # PCI device 0x0000:0x0000 (brcm80211)  
 SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:00:00:00:00:0", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="wlan*", NAME="wlan0"  
   
 # USB device 0x0000:0x0000 (r8188eu)  
 SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:00:00:00:00:00", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="wlan*", NAME="wlan1"

As you can see above, PCI device my existing device and you should add another line similar to the above. You need to replace ATTR{address} value to your device mac address. When the operating system bring up this device, it will be renamed to wlan1 instead of a random interface name next time.
Posted by at No comments:
Labels: , , , , ,

Saturday, October 10, 2015

post mortem of anonymous vs najib on august 2015


When the video is circulating in the social media, it create additional sensational hype on the verge of incoming bersih 4.0 rally at the month end of august of 2015. Some said in the youtube comment this video above is fake, some news circulating even the IGP of malaysia has even commented on this.

Whether it is conspiracies from any parties or if this incident really happened, it has been weeks after the date set forth in the video. In this article, we will take a look at what actually had happened on 29 august 2015.

For a start, one things is ascertain, the sites that were identified by the anonymous groups in the video; on that day were all having ddos protections. Take a look at the screenshots below taken on 29 august 2015.






All the sites above have taken precaution steps to prevent denial of services from happening. From the norse map, as usual, ddos happen every time but nothing particulary on the time declared by the anonymous toward malaysia IPs.




However, sometime around 7.30pm, the royal malaysian police website cannot be access for duraiton of time. It could be just a minor glitch.


So today I take a look at the digital attack map on the day 29 and 30 august 2015. Nothing massive attack happened to malaysia IPs.




It definitely looks like there is no obvious denial of services happened on that two days. But why and what is the motive of the anonymous video was created for? Has anonymous failed in the attack given the additional security prevention has setup in placed? Well, I would say unlikely. It's a strange world indeed.

Posted by at 2 comments:
Labels: ,

Friday, October 9, 2015

Mail server setup


“Why is legitimate email sent from my server rejected or flagged as spam?”

In the last eight years working as mail- and spam filter administrator I’ve had to answer this question many times. If you google it on the web, you’re often getting answers like “because you don’t have SPF/DKIM/DMARC”. This might be the reason in some cases, but most of the time the problem lies in the basic server hostname and DNS setup.


Many spam filters first try to find out, if the sending device was meant to send mail or if its just yet another hacked VPS / home PC  out there. So your job is to clearly tell them "yes, the administrator of this device and the ISP agree that this system should send mail".  And you tell them this by setting a distinctive SMTP HELO (which makes clear that the SMTP engine was set up by a mail administrator), DNS A-record (which defines that IP address is the one meant send mail) and reverse DNS (which confirms that the owner of the IP adddress  agrees). If you get these three things right, chances are already pretty high that your legitimate mail will be accepted even without SPF and DKIM.  

System hostname / SMTP HELO


Most mail servers automatically use the system hostname as SMTP HELO - so this is the first thing that should be set correctly.
  • Configure a fully qualified domain name on your mailserver (something like ‘mail.example.com’, 'exchange.example.com', 'mta.example.com' )
  • DO NOT actually use “example.com” - we will use this domain as an example here, but you should not on your server. Whenever you read ‘mail.example.com’ below, replace it with the fully qualified hostname you’ve chosen in a domain under your control. (yes, I’ve seen people literally configure ‘example.com’ on their servers. It’s a bad idea.)
  • DO NOT use hostname in a domain of your ISP/VPS Provider. Use your OWN domain.
  • DO NOT choose a hostname that looks auto-generated (based your IP address etc). 
  • DO NOT try to be cute and invent your own top level domain ("myserver.home", "exchange.lan") - your hostname should be publicly resolvable

IP

  • Send mail from a static IP address. If you don’t have one, use a smarthost that does
  • If your IP address is listed on the Spamhaus PBL it is not meant to be used to send mail directly. Use a smarthost or ask your ISP for an IP in a different range.
  • if you have multiple static IP addresses available, configure a dedicated IP for your mail server which is not used as gateway by any other devices in your network. This reduces the risk of an infected device causing your mail IP to get blacklisted

Reverse DNS

  • Set the reverse DNS (PTR) entry to the your server’s hostname (x.x.x.x.in-addr.arpa PTR mail.example.com)
  • DO NOT set multiple PTRs. Your sending IP should have exactly one PTR. It does not matter if this server is hosting multiple domains for web / mail. The PTR is used to identify the sending server, not the domains it is hosting
  • DO NOT use generic PTRs from your upstream/IP/vps provider. (like x.x.x.x-static.reverse.softlayer.com). Set this to a domain under your control.

A-record

  • Make sure there is an A record that maps the hostname used in your PTR back to your sending IP address (see FcRDNS)
  • if you used a different FQDN in your smtp HELO for any reason, add an A record for this  as well . Only extremely agressive spam filters will actually check if your helo is resolvable, but RFC 5321 states "Only resolvable, fully-qualified domain names (FQDNs) are permitted  when domain names are used in SMTP.", so better be safe than sorry.

Posted by at No comments:

Sunday, September 27, 2015

First learning into mariadb galera cluster

We will learn a cluster known as galera cluster today. There are 3 Galera versions (Codership, Percona XtraDB Cluster and MariaDB Galera Cluster). We will pick MariaDB galera cluster.  But what is MariaDB Galera Cluster?

MariaDB Galera Cluster is a synchronous multi-master cluster for MariaDB. It is available on Linux only, and only supports the XtraDB/InnoDB storage engines (although there is experimental support for MyISAM - see the wsrep_replicate_myisam system variable).

For this, I have setup 3 virtual machines in the host ubuntu. The virtual machines are using ubuntu 1404. The network settings for this devices are bridge to my host network card and so I can access these vms remotely via ssh. This tutorial primarily is reference this  and this. If you want explanation, please read the links mentioned before. I will quickly demonstrate what actually is galera cluster in few minutes.



Below shown are apt update on node 2. We then install package python-software-properties and add the mariadb galera package repository. You should repeat these steps on all 3 nodes.

 galera2@galera2-VirtualBox:~$ sudo apt-get update  
 [sudo] password for galera2:   
 Ign http://my.archive.ubuntu.com trusty InRelease                 
 Ign http://security.ubuntu.com trusty-security InRelease              
 Ign http://my.archive.ubuntu.com trusty-updates InRelease             
 Hit http://security.ubuntu.com trusty-security Release.gpg        
 Ign http://extras.ubuntu.com trusty InRelease              
 Ign http://my.archive.ubuntu.com trusty-backports InRelease  
 Hit http://security.ubuntu.com trusty-security Release          
 Hit http://extras.ubuntu.com trusty Release.gpg             
 Hit http://my.archive.ubuntu.com trusty Release.gpg           
 Hit http://extras.ubuntu.com trusty Release                
 Hit http://my.archive.ubuntu.com trusty-updates Release.gpg        
 Hit http://my.archive.ubuntu.com trusty-backports Release.gpg       
 Hit http://security.ubuntu.com trusty-security/main Sources        
 Hit http://my.archive.ubuntu.com trusty Release  
 Hit http://extras.ubuntu.com trusty/main Sources  
 Hit http://my.archive.ubuntu.com trusty-updates Release  
 Hit http://security.ubuntu.com trusty-security/restricted Sources         
 Hit http://extras.ubuntu.com trusty/main i386 Packages               
 Hit http://my.archive.ubuntu.com trusty-backports Release             
 Hit http://security.ubuntu.com trusty-security/universe Sources          
 Hit http://security.ubuntu.com trusty-security/multiverse Sources         
 Hit http://security.ubuntu.com trusty-security/main i386 Packages         
 Hit http://my.archive.ubuntu.com trusty/main Sources                
 Hit http://security.ubuntu.com trusty-security/restricted i386 Packages      
 Hit http://my.archive.ubuntu.com trusty/restricted Sources             
 Hit http://security.ubuntu.com trusty-security/universe i386 Packages       
 Hit http://my.archive.ubuntu.com trusty/universe Sources              
 Hit http://security.ubuntu.com trusty-security/multiverse i386 Packages      
 Hit http://my.archive.ubuntu.com trusty/multiverse Sources             
 Hit http://security.ubuntu.com trusty-security/main Translation-en         
 Hit http://my.archive.ubuntu.com trusty/main i386 Packages             
 Hit http://security.ubuntu.com trusty-security/multiverse Translation-en      
 Hit http://my.archive.ubuntu.com trusty/restricted i386 Packages          
 Hit http://security.ubuntu.com trusty-security/restricted Translation-en      
 Hit http://security.ubuntu.com trusty-security/universe Translation-en       
 Hit http://my.archive.ubuntu.com trusty/universe i386 Packages           
 Ign http://extras.ubuntu.com trusty/main Translation-en_US             
 Hit http://my.archive.ubuntu.com trusty/multiverse i386 Packages          
 Ign http://extras.ubuntu.com trusty/main Translation-en              
 Hit http://my.archive.ubuntu.com trusty/main Translation-en            
 Hit http://my.archive.ubuntu.com trusty/multiverse Translation-en         
 Hit http://my.archive.ubuntu.com trusty/restricted Translation-en         
 Hit http://my.archive.ubuntu.com trusty/universe Translation-en          
 Hit http://my.archive.ubuntu.com trusty-updates/main Sources            
 Hit http://my.archive.ubuntu.com trusty-updates/restricted Sources         
 Hit http://my.archive.ubuntu.com trusty-updates/universe Sources          
 Hit http://my.archive.ubuntu.com trusty-updates/multiverse Sources         
 Hit http://my.archive.ubuntu.com trusty-updates/main i386 Packages         
 Hit http://my.archive.ubuntu.com trusty-updates/restricted i386 Packages      
 Hit http://my.archive.ubuntu.com trusty-updates/universe i386 Packages       
 Hit http://my.archive.ubuntu.com trusty-updates/multiverse i386 Packages      
 Hit http://my.archive.ubuntu.com trusty-updates/main Translation-en        
 Hit http://my.archive.ubuntu.com trusty-updates/multiverse Translation-en     
 Hit http://my.archive.ubuntu.com trusty-updates/restricted Translation-en     
 Hit http://my.archive.ubuntu.com trusty-updates/universe Translation-en      
 Hit http://my.archive.ubuntu.com trusty-backports/main Sources           
 Hit http://my.archive.ubuntu.com trusty-backports/restricted Sources  
 Hit http://my.archive.ubuntu.com trusty-backports/universe Sources  
 Hit http://my.archive.ubuntu.com trusty-backports/multiverse Sources  
 Hit http://my.archive.ubuntu.com trusty-backports/main i386 Packages  
 Hit http://my.archive.ubuntu.com trusty-backports/restricted i386 Packages  
 Hit http://my.archive.ubuntu.com trusty-backports/universe i386 Packages  
 Hit http://my.archive.ubuntu.com trusty-backports/multiverse i386 Packages  
 Hit http://my.archive.ubuntu.com trusty-backports/main Translation-en  
 Hit http://my.archive.ubuntu.com trusty-backports/multiverse Translation-en  
 Hit http://my.archive.ubuntu.com trusty-backports/restricted Translation-en  
 Hit http://my.archive.ubuntu.com trusty-backports/universe Translation-en  
 Ign http://my.archive.ubuntu.com trusty/main Translation-en_US           
 Ign http://my.archive.ubuntu.com trusty/multiverse Translation-en_US        
 Ign http://my.archive.ubuntu.com trusty/restricted Translation-en_US        
 Ign http://my.archive.ubuntu.com trusty/universe Translation-en_US         
 Reading package lists... Done                           
 galera2@galera2-VirtualBox:~$ sudo apt-get install python-software-properties  
 Reading package lists... Done  
 Building dependency tree      
 Reading state information... Done  
 The following extra packages will be installed:  
  python-pycurl  
 Suggested packages:  
  libcurl4-gnutls-dev python-pycurl-dbg  
 The following NEW packages will be installed:  
  python-pycurl python-software-properties  
 0 upgraded, 2 newly installed, 0 to remove and 48 not upgraded.  
 Need to get 66.5 kB of archives.  
 After this operation, 352 kB of additional disk space will be used.  
 Do you want to continue? [Y/n] Y  
 Get:1 http://my.archive.ubuntu.com/ubuntu/ trusty/main python-pycurl i386 7.19.3-0ubuntu3 [46.9 kB]  
 Get:2 http://my.archive.ubuntu.com/ubuntu/ trusty-updates/universe python-software-properties all 0.92.37.3 [19.6 kB]  
 Fetched 66.5 kB in 2s (26.8 kB/s)          
 Selecting previously unselected package python-pycurl.  
 (Reading database ... 167815 files and directories currently installed.)  
 Preparing to unpack .../python-pycurl_7.19.3-0ubuntu3_i386.deb ...  
 Unpacking python-pycurl (7.19.3-0ubuntu3) ...  
 Selecting previously unselected package python-software-properties.  
 Preparing to unpack .../python-software-properties_0.92.37.3_all.deb ...  
 Unpacking python-software-properties (0.92.37.3) ...  
 Processing triggers for doc-base (0.10.5) ...  
 Processing 32 changed doc-base files, 1 added doc-base file...  
 Setting up python-pycurl (7.19.3-0ubuntu3) ...  
 Setting up python-software-properties (0.92.37.3) ...  
 galera2@galera2-VirtualBox:~$   
 galera2@galera2-VirtualBox:~$ sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db  
 [sudo] password for galera2:   
 Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.reQL8fqGDv --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db  
 gpg: requesting key 1BB943DB from hkp server keyserver.ubuntu.com  
 gpg: key 1BB943DB: public key "MariaDB Package Signing Key <package-signing-key@mariadb.org>" imported  
 gpg: Total number processed: 1  
 gpg:        imported: 1  
 galera2@galera2-VirtualBox:~$ sudo add-apt-repository 'deb http://mariadb.nethub.com.hk//repo/5.5/ubuntu trusty main'  
 galera2@galera2-VirtualBox:~$ sudo apt-get update  
 Get:1 http://mariadb.nethub.com.hk trusty InRelease [2,488 B]           
 Ign http://security.ubuntu.com trusty-security InRelease              
 Ign http://my.archive.ubuntu.com trusty InRelease                 
 Hit http://security.ubuntu.com trusty-security Release.gpg             
 Ign http://extras.ubuntu.com trusty InRelease                   
 Ign http://my.archive.ubuntu.com trusty-updates InRelease             
 Ign http://my.archive.ubuntu.com trusty-backports InRelease  
 Hit http://security.ubuntu.com trusty-security Release  
 Hit http://extras.ubuntu.com trusty Release.gpg     
 Hit http://my.archive.ubuntu.com trusty Release.gpg   
 Hit http://extras.ubuntu.com trusty Release       
 Hit http://my.archive.ubuntu.com trusty-updates Release.gpg        
 Get:2 http://mariadb.nethub.com.hk trusty/main i386 Packages [5,041 B]   
 Hit http://my.archive.ubuntu.com trusty-backports Release.gpg           
 Hit http://my.archive.ubuntu.com trusty Release   
 Hit http://security.ubuntu.com trusty-security/main Sources            
 Hit http://my.archive.ubuntu.com trusty-updates Release              
 Hit http://my.archive.ubuntu.com trusty-backports Release             
 Hit http://extras.ubuntu.com trusty/main Sources                  
 Hit http://my.archive.ubuntu.com trusty/main Sources                
 Hit http://security.ubuntu.com trusty-security/restricted Sources         
 Hit http://extras.ubuntu.com trusty/main i386 Packages               
 Hit http://my.archive.ubuntu.com trusty/restricted Sources             
 Hit http://security.ubuntu.com trusty-security/universe Sources          
 Hit http://security.ubuntu.com trusty-security/multiverse Sources         
 Hit http://my.archive.ubuntu.com trusty/universe Sources              
 Hit http://my.archive.ubuntu.com trusty/multiverse Sources             
 Hit http://security.ubuntu.com trusty-security/main i386 Packages         
 Hit http://security.ubuntu.com trusty-security/restricted i386 Packages      
 Hit http://my.archive.ubuntu.com trusty/main i386 Packages             
 Hit http://security.ubuntu.com trusty-security/universe i386 Packages       
 Hit http://security.ubuntu.com trusty-security/multiverse i386 Packages      
 Hit http://my.archive.ubuntu.com trusty/restricted i386 Packages          
 Hit http://security.ubuntu.com trusty-security/main Translation-en         
 Hit http://my.archive.ubuntu.com trusty/universe i386 Packages           
 Hit http://security.ubuntu.com trusty-security/multiverse Translation-en      
 Hit http://my.archive.ubuntu.com trusty/multiverse i386 Packages          
 Ign http://mariadb.nethub.com.hk trusty/main Translation-en_US           
 Hit http://security.ubuntu.com trusty-security/restricted Translation-en      
 Ign http://mariadb.nethub.com.hk trusty/main Translation-en            
 Hit http://my.archive.ubuntu.com trusty/main Translation-en            
 Ign http://extras.ubuntu.com trusty/main Translation-en_US             
 Hit http://security.ubuntu.com trusty-security/universe Translation-en       
 Ign http://extras.ubuntu.com trusty/main Translation-en              
 Hit http://my.archive.ubuntu.com trusty/multiverse Translation-en         
 Hit http://my.archive.ubuntu.com trusty/restricted Translation-en         
 Hit http://my.archive.ubuntu.com trusty/universe Translation-en          
 Hit http://my.archive.ubuntu.com trusty-updates/main Sources            
 Hit http://my.archive.ubuntu.com trusty-updates/restricted Sources         
 Hit http://my.archive.ubuntu.com trusty-updates/universe Sources          
 Hit http://my.archive.ubuntu.com trusty-updates/multiverse Sources         
 Hit http://my.archive.ubuntu.com trusty-updates/main i386 Packages         
 Hit http://my.archive.ubuntu.com trusty-updates/restricted i386 Packages      
 Hit http://my.archive.ubuntu.com trusty-updates/universe i386 Packages       
 Hit http://my.archive.ubuntu.com trusty-updates/multiverse i386 Packages      
 Hit http://my.archive.ubuntu.com trusty-updates/main Translation-en        
 Hit http://my.archive.ubuntu.com trusty-updates/multiverse Translation-en     
 Hit http://my.archive.ubuntu.com trusty-updates/restricted Translation-en     
 Hit http://my.archive.ubuntu.com trusty-updates/universe Translation-en      
 Hit http://my.archive.ubuntu.com trusty-backports/main Sources  
 Hit http://my.archive.ubuntu.com trusty-backports/restricted Sources  
 Hit http://my.archive.ubuntu.com trusty-backports/universe Sources  
 Hit http://my.archive.ubuntu.com trusty-backports/multiverse Sources  
 Hit http://my.archive.ubuntu.com trusty-backports/main i386 Packages  
 Hit http://my.archive.ubuntu.com trusty-backports/restricted i386 Packages  
 Hit http://my.archive.ubuntu.com trusty-backports/universe i386 Packages  
 Hit http://my.archive.ubuntu.com trusty-backports/multiverse i386 Packages  
 Hit http://my.archive.ubuntu.com trusty-backports/main Translation-en  
 Hit http://my.archive.ubuntu.com trusty-backports/multiverse Translation-en  
 Hit http://my.archive.ubuntu.com trusty-backports/restricted Translation-en  
 Hit http://my.archive.ubuntu.com trusty-backports/universe Translation-en  
 Ign http://my.archive.ubuntu.com trusty/main Translation-en_US           
 Ign http://my.archive.ubuntu.com trusty/multiverse Translation-en_US        
 Ign http://my.archive.ubuntu.com trusty/restricted Translation-en_US        
 Ign http://my.archive.ubuntu.com trusty/universe Translation-en_US         
 Fetched 7,529 B in 35s (212 B/s)                          
 Reading package lists... Done  
 galera2@galera2-VirtualBox:~$ sudo apt-get install mariadb-galera-server galera rsync  
 Reading package lists... Done  
 Building dependency tree      
 Reading state information... Done  
 Note, selecting 'galera-3' instead of 'galera'  
 rsync is already the newest version.  
 The following extra packages will be installed:  
  gawk libaio1 libdbd-mysql-perl libdbi-perl libhtml-template-perl  
  libmariadbclient18 libmysqlclient18 libsigsegv2 mariadb-client-5.5  
  mariadb-client-core-5.5 mariadb-common mariadb-galera-server-5.5  
  mysql-common  
 Suggested packages:  
  gawk-doc libmldbm-perl libnet-daemon-perl libplrpc-perl  
  libsql-statement-perl libipc-sharedcache-perl libterm-readkey-perl tinyca  
  mailx mariadb-galera-test socat  
 The following NEW packages will be installed:  
  galera-3 gawk libaio1 libdbd-mysql-perl libdbi-perl libhtml-template-perl  
  libmariadbclient18 libmysqlclient18 libsigsegv2 mariadb-client-5.5  
  mariadb-client-core-5.5 mariadb-common mariadb-galera-server  
  mariadb-galera-server-5.5 mysql-common  
 0 upgraded, 15 newly installed, 0 to remove and 48 not upgraded.  
 Need to get 12.0 MB of archives.  
 After this operation, 115 MB of additional disk space will be used.  
 Do you want to continue? [Y/n] Y  
 Get:1 http://mariadb.nethub.com.hk//repo/5.5/ubuntu/ trusty/main mysql-common all 5.5.45+maria-1~trusty [8,366 B]  
 Get:2 http://mariadb.nethub.com.hk//repo/5.5/ubuntu/ trusty/main mariadb-common all 5.5.45+maria-1~trusty [3,178 B]  
 Get:3 http://my.archive.ubuntu.com/ubuntu/ trusty/main libsigsegv2 i386 2.10-2 [14.8 kB]  
 Get:4 http://mariadb.nethub.com.hk//repo/5.5/ubuntu/ trusty/main libmariadbclient18 i386 5.5.45+maria-1~trusty [511 kB]  
 Get:5 http://my.archive.ubuntu.com/ubuntu/ trusty/main gawk i386 1:4.0.1+dfsg-2.1ubuntu2 [730 kB]  
 Get:6 http://mariadb.nethub.com.hk//repo/5.5/ubuntu/ trusty/main libmysqlclient18 i386 5.5.45+maria-1~trusty [2,850 B]  
 Get:7 http://mariadb.nethub.com.hk//repo/5.5/ubuntu/ trusty/main mariadb-client-core-5.5 i386 5.5.45+maria-1~trusty [607 kB]  
 Get:8 http://my.archive.ubuntu.com/ubuntu/ trusty/main libaio1 i386 0.3.109-4 [6,578 B]  
 Get:9 http://my.archive.ubuntu.com/ubuntu/ trusty/main libdbi-perl i386 1.630-1 [881 kB]  
 Get:10 http://mariadb.nethub.com.hk//repo/5.5/ubuntu/ trusty/main mariadb-client-5.5 i386 5.5.45+maria-1~trusty [928 kB]  
 Get:11 http://my.archive.ubuntu.com/ubuntu/ trusty/main libdbd-mysql-perl i386 4.025-1 [99.6 kB]  
 Get:12 http://my.archive.ubuntu.com/ubuntu/ trusty/main libhtml-template-perl all 2.95-1 [65.5 kB]  
 Get:13 http://mariadb.nethub.com.hk//repo/5.5/ubuntu/ trusty/main galera-3 i386 25.3.9-trusty [797 kB]  
 Get:14 http://mariadb.nethub.com.hk//repo/5.5/ubuntu/ trusty/main mariadb-galera-server-5.5 i386 5.5.45+maria-1~trusty [7,329 kB]  
 Get:15 http://mariadb.nethub.com.hk//repo/5.5/ubuntu/ trusty/main mariadb-galera-server all 5.5.45+maria-1~trusty [2,930 B]  
 Fetched 12.0 MB in 2min 19s (85.8 kB/s)                      
 Preconfiguring packages ...  
 Selecting previously unselected package libsigsegv2:i386.  
 (Reading database ... 167858 files and directories currently installed.)  
 Preparing to unpack .../libsigsegv2_2.10-2_i386.deb ...  
 Unpacking libsigsegv2:i386 (2.10-2) ...  
 Setting up libsigsegv2:i386 (2.10-2) ...  
 Processing triggers for libc-bin (2.19-0ubuntu6.6) ...  
 Selecting previously unselected package gawk.  
 (Reading database ... 167866 files and directories currently installed.)  
 Preparing to unpack .../gawk_1%3a4.0.1+dfsg-2.1ubuntu2_i386.deb ...  
 Unpacking gawk (1:4.0.1+dfsg-2.1ubuntu2) ...  
 Selecting previously unselected package libaio1:i386.  
 Preparing to unpack .../libaio1_0.3.109-4_i386.deb ...  
 Unpacking libaio1:i386 (0.3.109-4) ...  
 Selecting previously unselected package mysql-common.  
 Preparing to unpack .../mysql-common_5.5.45+maria-1~trusty_all.deb ...  
 Unpacking mysql-common (5.5.45+maria-1~trusty) ...  
 Selecting previously unselected package mariadb-common.  
 Preparing to unpack .../mariadb-common_5.5.45+maria-1~trusty_all.deb ...  
 Unpacking mariadb-common (5.5.45+maria-1~trusty) ...  
 Selecting previously unselected package libdbi-perl.  
 Preparing to unpack .../libdbi-perl_1.630-1_i386.deb ...  
 Unpacking libdbi-perl (1.630-1) ...  
 Selecting previously unselected package libmariadbclient18.  
 Preparing to unpack .../libmariadbclient18_5.5.45+maria-1~trusty_i386.deb ...  
 Unpacking libmariadbclient18 (5.5.45+maria-1~trusty) ...  
 Selecting previously unselected package libmysqlclient18.  
 Preparing to unpack .../libmysqlclient18_5.5.45+maria-1~trusty_i386.deb ...  
 Unpacking libmysqlclient18 (5.5.45+maria-1~trusty) ...  
 Selecting previously unselected package libdbd-mysql-perl.  
 Preparing to unpack .../libdbd-mysql-perl_4.025-1_i386.deb ...  
 Unpacking libdbd-mysql-perl (4.025-1) ...  
 Selecting previously unselected package mariadb-client-core-5.5.  
 Preparing to unpack .../mariadb-client-core-5.5_5.5.45+maria-1~trusty_i386.deb ...  
 Unpacking mariadb-client-core-5.5 (5.5.45+maria-1~trusty) ...  
 Selecting previously unselected package mariadb-client-5.5.  
 Preparing to unpack .../mariadb-client-5.5_5.5.45+maria-1~trusty_i386.deb ...  
 Unpacking mariadb-client-5.5 (5.5.45+maria-1~trusty) ...  
 Selecting previously unselected package galera-3.  
 Preparing to unpack .../galera-3_25.3.9-trusty_i386.deb ...  
 Unpacking galera-3 (25.3.9-trusty) ...  
 Processing triggers for man-db (2.6.7.1-1ubuntu1) ...  
 Setting up mysql-common (5.5.45+maria-1~trusty) ...  
 Setting up mariadb-common (5.5.45+maria-1~trusty) ...  
 Selecting previously unselected package mariadb-galera-server-5.5.  
 (Reading database ... 168240 files and directories currently installed.)  
 Preparing to unpack .../mariadb-galera-server-5.5_5.5.45+maria-1~trusty_i386.deb ...  
 Unpacking mariadb-galera-server-5.5 (5.5.45+maria-1~trusty) ...  
 Selecting previously unselected package libhtml-template-perl.  
 Preparing to unpack .../libhtml-template-perl_2.95-1_all.deb ...  
 Unpacking libhtml-template-perl (2.95-1) ...  
 Selecting previously unselected package mariadb-galera-server.  
 Preparing to unpack .../mariadb-galera-server_5.5.45+maria-1~trusty_all.deb ...  
 Unpacking mariadb-galera-server (5.5.45+maria-1~trusty) ...  
 Processing triggers for man-db (2.6.7.1-1ubuntu1) ...  
 Processing triggers for ureadahead (0.100.0-16) ...  
 ureadahead will be reprofiled on next reboot  
 Setting up gawk (1:4.0.1+dfsg-2.1ubuntu2) ...  
 Setting up libaio1:i386 (0.3.109-4) ...  
 Setting up libdbi-perl (1.630-1) ...  
 Setting up galera-3 (25.3.9-trusty) ...  
 Setting up libhtml-template-perl (2.95-1) ...  
 Setting up libmysqlclient18 (5.5.45+maria-1~trusty) ...  
 Setting up libdbd-mysql-perl (4.025-1) ...  
 Setting up libmariadbclient18 (5.5.45+maria-1~trusty) ...  
 Setting up mariadb-client-core-5.5 (5.5.45+maria-1~trusty) ...  
 Setting up mariadb-client-5.5 (5.5.45+maria-1~trusty) ...  
 Setting up mariadb-galera-server-5.5 (5.5.45+maria-1~trusty) ...  
  * Stopping MariaDB database server mysqld                                                                       [ OK ]   
 150907 23:31:54 [Note] /usr/sbin/mysqld (mysqld 5.5.45-MariaDB-1~trusty-wsrep-log) starting as process 5897 ...  
 150907 23:31:54 [Note] WSREP: Read nil XID from storage engines, skipping position init  
 150907 23:31:54 [Note] WSREP: wsrep_load(): loading provider library 'none'  
 150907 23:31:58 [Note] Plugin 'InnoDB' is disabled.  
 150907 23:31:58 [Note] Plugin 'FEEDBACK' is disabled.  
 150907 23:32:00 [Note] WSREP: Service disconnected.  
 150907 23:32:01 [Note] WSREP: Some threads may fail to exit.  
  * Starting MariaDB database server mysqld                                                                       [fail]   
 invoke-rc.d: initscript mysql, action "start" failed.  
 dpkg: error processing package mariadb-galera-server-5.5 (--configure):  
  subprocess installed post-installation script returned error exit status 1  
 dpkg: dependency problems prevent configuration of mariadb-galera-server:  
  mariadb-galera-server depends on mariadb-galera-server-5.5 (= 5.5.45+maria-1~trusty); however:  
  Package mariadb-galera-server-5.5 is not configured yet.  
   
 dpkg: error processing package mariadb-galera-server (--configure):  
  dependency problems - leaving unconfigured  
 Processing triggers for libc-bin (2.19-0ubuntu6.6) ...  
 No apport report written because the error message indicates its a followup error from a previous failure.  
                                                      Processing triggers for ureadahead (0.100.0-16) ...  
 Errors were encountered while processing:  
  mariadb-galera-server-5.5  
  mariadb-galera-server  
 E: Sub-process /usr/bin/dpkg returned an error code (1)

At this stage, it is okay if it fail as we have yet to configure the cluster configuration for each node. Just ignore the error message and stop the mysql instance in all the nodes if it started. Next , we will configure in each node for the configuration files.

 galera1@galera1-VirtualBox:~$ sudo nano /etc/mysql/conf.d/cluster.cnf  
 galera1@galera1-VirtualBox:~$ hostname  
 galera1-VirtualBox  
 galera1@galera1-VirtualBox:~$ sudo nano /etc/mysql/conf.d/cluster.cnf  
 [sudo] password for galera1:   
 galera1@galera1-VirtualBox:~$ sudo cat /etc/mysql/debian.cnf  
 # Automatically generated for Debian scripts. DO NOT TOUCH!  
 [client]  
 host   = localhost  
 user   = debian-sys-maint  
 password = IIM5sEkzTo4rCBRa  
 socket  = /var/run/mysqld/mysqld.sock  
 [mysql_upgrade]  
 host   = localhost  
 user   = debian-sys-maint  
 password = IIM5sEkzTo4rCBRa  
 socket  = /var/run/mysqld/mysqld.sock  
 basedir = /usr  
 galera1@galera1-VirtualBox:~$ sudo su -  
 root@galera1-VirtualBox:~# cat /etc/mysql/debian.cnf  
 # Automatically generated for Debian scripts. DO NOT TOUCH!  
 [client]  
 host   = localhost  
 user   = debian-sys-maint  
 password = IIM5sEkzTo4rCBRa  
 socket  = /var/run/mysqld/mysqld.sock  
 [mysql_upgrade]  
 host   = localhost  
 user   = debian-sys-maint  
 password = IIM5sEkzTo4rCBRa  
 socket  = /var/run/mysqld/mysqld.sock  
 basedir = /usr  
 root@galera1-VirtualBox:~# ps aux | grep mysql  
 root   8128 0.1 0.5  5508 2976 ?    S  Sep07  0:07 /bin/bash /usr/bin/mysqld_safe  
 mysql   9186 2.8 14.6 838928 74456 ?    Sl  Sep07  1:40 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306 --wsrep_start_position=00000000-0000-0000-0000-000000000000:-1  
 root   9187 0.0 0.3  4236 1808 ?    S  Sep07  0:00 logger -t mysqld -p daemon.error  
 root   9472 0.0 0.4  4692 2060 pts/14  S+  00:05  0:00 grep --color=auto mysql  
 root@galera1-VirtualBox:~# service mysql stop  
  * Stopping MariaDB database server mysqld                                                                       [ OK ]   
 root@galera1-VirtualBox:~# cat /etc/mysql/debian.cnf  
 # Automatically generated for Debian scripts. DO NOT TOUCH!  
 [client]  
 host   = localhost  
 user   = debian-sys-maint  
 password = IIM5sEkzTo4rCBRa  
 socket  = /var/run/mysqld/mysqld.sock  
 [mysql_upgrade]  
 host   = localhost  
 user   = debian-sys-maint  
 password = IIM5sEkzTo4rCBRa  
 socket  = /var/run/mysqld/mysqld.sock  
 basedir = /usr  
 root@galera1-VirtualBox:~# ps aux | grep mysql  
 root   9524 0.0 0.4  4692 2100 pts/14  S+  00:06  0:00 grep --color=auto mysql  
 root@galera1-VirtualBox:~# service mysql start --wsrep-new-cluster  
  * Starting MariaDB database server mysqld   
    
 -----------------------------------------  
   
 galera2@galera2-VirtualBox:~$ sudo ls /etc/mysql/conf.d/  
 mariadb.cnf mysqld_safe_syslog.cnf  
 galera2@galera2-VirtualBox:~$ hostname  
 galera2-VirtualBox  
 galera2@galera2-VirtualBox:~$ sudo nano /etc/mysql/conf.d/cluster.cnf  
 [sudo] password for galera2:   
 galera2@galera2-VirtualBox:~$ sudo su -  
 root@galera2-VirtualBox:~# cat /etc/mysql/debian.cnf  
 # Automatically generated for Debian scripts. DO NOT TOUCH!  
 [client]  
 host   = localhost  
 user   = debian-sys-maint  
 password = 0LhDWkMUHLeXWYyv  
 socket  = /var/run/mysqld/mysqld.sock  
 [mysql_upgrade]  
 host   = localhost  
 user   = debian-sys-maint  
 password = 0LhDWkMUHLeXWYyv  
 socket  = /var/run/mysqld/mysqld.sock  
 basedir = /usr  
 root@galera2-VirtualBox:~# service mysql stop  
  * Stopping MariaDB database server mysqld                                                                       [fail]   
 root@galera2-VirtualBox:~# ps aux | grep mysql  
 root   5980 0.1 0.6  5508 3072 ?    S  Sep07  0:07 /bin/bash /usr/bin/mysqld_safe  
 mysql   7019 2.1 14.7 839220 74532 ?    Sl  Sep07  1:55 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306 --wsrep_start_position=00000000-0000-0000-0000-000000000000:-1  
 root   7020 0.0 0.3  4236 1840 ?    S  Sep07  0:00 logger -t mysqld -p daemon.error  
 root   7390 0.0 0.4  4692 2060 pts/1  S+  01:07  0:00 grep --color=auto mysql  
 root@galera2-VirtualBox:~# kill 7019  
 root@galera2-VirtualBox:~# ps aux | grep mysql  
 root   7402 0.0 0.4  4692 2064 pts/1  S+  01:08  0:00 grep --color=auto mysql  
 root@galera2-VirtualBox:~# service mysql start  
  * Starting MariaDB database server mysqld                                                                                                                                                                      [fail]  
 root@galera2-VirtualBox:~#   
   
   
 ---------------------  
   
 galera3@galera3-VirtualBox:~$ sudo vi /etc/mysql/conf.d/cluster.cnf  
 [sudo] password for galera3:   
 galera3@galera3-VirtualBox:~$ hostname  
 galera3-VirtualBox  
 galera3@galera3-VirtualBox:~$ ll /usr/lib/galera/libgalera_smm.so  
 -rw-r--r-- 1 root root 2520000 Feb 27 2015 /usr/lib/galera/libgalera_smm.so  
 galera3@galera3-VirtualBox:~$ sudo nano /etc/mysql/conf.d/cluster.cnf  
 [sudo] password for galera3:   
 galera3@galera3-VirtualBox:~$ sudo su -  
 root@galera3-VirtualBox:~# nano /etc/mysql/debian.cnf  
 root@galera3-VirtualBox:~# service mysql stop  
  * Stopping MariaDB database server mysqld                                                                       [fail]   
 root@galera3-VirtualBox:~# ps aux | grep mysql  
 root   9415 0.1 0.5  5508 2996 ?    S  Sep07  0:05 /bin/bash /usr/bin/mysqld_safe  
 mysql  10466 2.8 14.6 839220 74408 ?    Sl  Sep07  2:13 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306 --wsrep_start_position=00000000-0000-0000-0000-000000000000:-1  
 root   10467 0.0 0.3  4236 1756 ?    S  Sep07  0:00 logger -t mysqld -p daemon.error  
 root   10813 2.0 0.3  4692 2016 pts/6  S+  01:08  0:00 grep --color=auto mysql  
 root@galera3-VirtualBox:~# kill 10466  
 root@galera3-VirtualBox:~#   
 root@galera3-VirtualBox:~# ps aux | grep mysql  
 root   10823 0.0 0.3  4692 2004 pts/6  S+  01:09  0:00 grep --color=auto mysql  
 root@galera3-VirtualBox:~# service mysql start  
  * Starting MariaDB database server mysqld                                                                       [fail]   
 root@galera3-VirtualBox:~# service mysql restart  
  * Stopping MariaDB database server mysqld                                                                       [ OK ]   
  * Starting MariaDB database server mysqld                                                                       [fail]   
 root@galera3-VirtualBox:~#

There are two files to edit for all the nodes as of following. The content of the files can be found here.

  • /etc/mysql/conf.d/cluster.cnf
  • /etc/mysql/debian.cnf

Once all three nodes configuration files edited, you start a node with this parameter --wsrep-new-cluster .  You can see above I started on the first node. Then start the remaining nodes just like normal mysql start process.

As you might noticed, mysql cannot stop in my virtual machine. I have no idea why is that as on my good old host machine, with three vms running make these vms crawling.. I don't bother to investigate further and just want to quickly get into the database crud. But eventually all my three nodes are started and see below.

 galera1@galera1-VirtualBox:~$ mysql -uroot -pgalera123  
 Welcome to the MariaDB monitor. Commands end with ; or \g.  
 Your MariaDB connection id is 5  
 Server version: 5.5.45-MariaDB-1~trusty-wsrep-log  
   
 Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.  
   
 Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.  
   
 MariaDB [(none)]> CREATE DATABASE playground;  
 Query OK, 1 row affected (3.50 sec)  
   
 MariaDB [(none)]> CREATE TABLE playground.equipment ( id INT NOT NULL AUTO_INCREMENT, type VARCHAR(50), quant INT, color VARCHAR(25), PRIMARY KEY(id));  
 Query OK, 0 rows affected (10.96 sec)  
   
 MariaDB [(none)]>   
   
   
 -----------------------  
   
   
 galera2@galera2-VirtualBox:~$ mysql -uroot -pgalera123  
 Welcome to the MariaDB monitor. Commands end with ; or \g.  
 Your MariaDB connection id is 5  
 Server version: 5.5.45-MariaDB-1~trusty-wsrep-log  
   
 Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.  
   
 Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.  
   
 MariaDB [(none)]> show databases;  
 +--------------------+  
 | Database      |  
 +--------------------+  
 | information_schema |  
 | mysql       |  
 | performance_schema |  
 | playground     |  
 +--------------------+  
 4 rows in set (0.04 sec)  
   
 MariaDB [(none)]> use playground;  
 Reading table information for completion of table and column names  
 You can turn off this feature to get a quicker startup with -A  
   
 Database changed  
 MariaDB [playground]> show tables;  
 +----------------------+  
 | Tables_in_playground |  
 +----------------------+  
 | equipment      |  
 +----------------------+  
 1 row in set (0.01 sec)  
   
 MariaDB [playground]> INSERT INTO playground.equipment (type, quant, color) VALUES ("slide", 2, "blue");  
 Query OK, 1 row affected (0.67 sec)  
   
 MariaDB [playground]> SELECT * FROM playground.equipment;  
 +----+-------+-------+--------+  
 | id | type | quant | color |  
 +----+-------+-------+--------+  
 | 2 | slide |   2 | blue  |  
 | 3 | swing |  10 | yellow |  
 +----+-------+-------+--------+  
 2 rows in set (0.00 sec)  
   
 MariaDB [playground]>   
   
 -----------------------  
   
 galera3@galera3-VirtualBox:~$ mysql -uroot -pgalera123  
 Welcome to the MariaDB monitor. Commands end with ; or \g.  
 Your MariaDB connection id is 3  
 Server version: 5.5.45-MariaDB-1~trusty-wsrep-log mariadb.org binary distribution, wsrep_25.11.r4026  
   
 Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.  
   
 Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.  
   
 MariaDB [(none)]> use playground;  
 Reading table information for completion of table and column names  
 You can turn off this feature to get a quicker startup with -A  
   
 Database changed  
 MariaDB [playground]> SELECT * FROM playground.equipment;  
 +----+-------+-------+-------+  
 | id | type | quant | color |  
 +----+-------+-------+-------+  
 | 2 | slide |   2 | blue |  
 +----+-------+-------+-------+  
 1 row in set (0.03 sec)  
   
 MariaDB [playground]> INSERT INTO playground.equipment (type, quant, color) VALUES ("swing", 10, "yellow");  
 Query OK, 1 row affected (0.43 sec)  
   
 MariaDB [playground]>

If this excite you, then you should probably spend more time to learn how to administer and how to best use mariadb galera cluster. Last but not least, if you would like to sponsor/donate for me or this site, please do so as this this fund will channel into server maintenance and buy better hardware for my learning and share to you in future.

Posted by at No comments:
Labels: , ,

Saturday, September 26, 2015

How to port forward in asus router RT N14UHP

We will do something fun today. But you will need a router which has the feature universal plug and play  . In this article, I will use Asus router RT N14UHP for this demo.

Login to your router and locate the UPnP setting. Go to WAN then on the basic config, click yes for Enable UPnP. See screenshot below.


Next, get this script from github. See command line below which I have experience myself.

 user@localhost:~$ wget https://raw.githubusercontent.com/gryphius/port-forward/master/port-forward.py  
 --2015-09-04 02:53:28-- https://raw.githubusercontent.com/gryphius/port-forward/master/port-forward.py  
 Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 103.245.222.133  
 Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|103.245.222.133|:443... connected.  
 HTTP request sent, awaiting response... 200 OK  
 Length: 9115 (8.9K) [text/plain]  
 Saving to: ‘port-forward.py’  
 port-forward.py                 100%[=======================================================================================================>]  8.90K --.-KB/s  in 0s     
 2015-09-04 02:53:29 (46.3 MB/s) - ‘port-forward.py’ saved [9115/9115]  
 user@localhost:~$ chmod 755 port-forward.py   
 user@localhost:~$ ./port-forward.py   
 Found 1 UPnP routers: 192.168.133.1:42917  
 No external port specified.  
 user@localhost:~$ ./port-forward.py -e 1337 -v -r 192.168.133.1 -l 9999 -d 'forward 1337 to 9999'   
 Discovering routers...  
 Found 1 UPnP routers: 192.168.133.1:42917  
 port forward on 192.168.133.1 successful, 1337->192.168.133.20:9999  
 user@localhost:~$ nc -l 9999  
 user@localhost:~$

As you can read above, the script is downloaded and then permission is set accordingly. Noticed that UPnP is found on my router on port 42917. Then you can instruct the router to port forward, in this example port 1337 to an internal of this machine. In this example, my local ip is 192.168.133.1 and the application is running on port 9999. Now, to simulate this work, you can use command nc to listen on port 9999.

To test if this work, just get your public ip and telnet to your router on port 1337, your router should forward this traffic to internal machine 92.168.133.20 port 9999. As you can also see above, when telnet is done, nc port listen is also closed. That's it. Have fun port forwarding!


Posted by at 3 comments:
Labels: , ,
Subscribe to: Posts (Atom)