Friday, July 29, 2011

Reverse Proxy with ModProxy


Mod proxy is a versatile module for Apache that has many uses, one of which is the reverse proxy feature. Let's say you have multiple web servers behind a router and want to give the outside world access to each server. Your router can only open port 80 for one host, but with mod_proxy you can direct users to different servers depending on which subdomain or directory they are requesting. This also works for external sites that may not be on your private network.
To do this is quite simple:
ProxyRequests Off

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPass /foo http://foo.example.com/bar
ProxyPassReverse /foo http://foo.example.com/bar
Example from: http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
Basically, when someone requests /foo on the web server that the public port 80 points to, it proxies the request to foo.example.com/bar. The reverse line is there to make sure that the responses come back to the user that requested them. As the documentation states, you should secure your servers before using mod_proxy, which is probably a wise choice, but you should always secure your servers.
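A small check for the risk the documentation warns about, as an added example (not code from this post or from Apache): it flags a config where ProxyRequests is On while a <Proxy> block allows everyone, which turns the server into an open forward proxy, and any ProxyPass that has no matching ProxyPassReverse. The function name and the sample configs are constructed for illustration.

```python
# Added example: static check of an httpd config fragment for proxy mistakes.
# All sample configs below are constructed for illustration.

PAGE_CONFIG = """\
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /foo http://foo.example.com/bar
ProxyPassReverse /foo http://foo.example.com/bar
"""

# Same access block, but forward proxying switched on: anyone can relay.
OPEN_FORWARD = PAGE_CONFIG.replace("ProxyRequests Off", "ProxyRequests On")

# Reverse mapping forgotten: backend redirects would point at foo.example.com.
NO_REVERSE = "ProxyRequests Off\nProxyPass /foo http://foo.example.com/bar\n"


def audit_proxy_config(text):
    """Return a list of findings (an empty list means nothing was flagged)."""
    forward_on = False      # "ProxyRequests On" seen
    in_proxy = False        # currently inside a <Proxy ...> section
    open_access = False     # a <Proxy> section contains "Allow from all"
    passes, reverses = set(), set()

    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()              # directive names are case-insensitive
        args = [w.lower() for w in words[1:]]
        if key == "proxyrequests":
            forward_on = args[:1] == ["on"]
        elif key == "<proxy":
            in_proxy = True
        elif key.startswith("</proxy"):
            in_proxy = False
        elif in_proxy and key == "allow" and args == ["from", "all"]:
            open_access = True
        elif key == "proxypass" and len(words) >= 3:
            passes.add(words[1])
        elif key == "proxypassreverse" and len(words) >= 3:
            reverses.add(words[1])

    findings = []
    if forward_on and open_access:
        findings.append("open forward proxy: ProxyRequests On with Allow from all")
    for path in sorted(passes - reverses):
        findings.append("ProxyPass %s has no matching ProxyPassReverse" % path)
    return findings


if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("open", OPEN_FORWARD), ("norev", NO_REVERSE)):
        print(name, audit_proxy_config(cfg))
```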

Why The Antivirus?


Although viruses on Linux are not very common, it is not unusual to find anti-virus utilities available. You may ask what the point is if your operating system is not as vulnerable to these types of threats, but perhaps you are looking at it the wrong way. What better platform is there to act as an anti-virus scanner than one that isn’t as likely to get owned?
Take this example: a Linux file server vs. a Windows 2003 file server. Just by plugging the Windows server in it may be at risk in a hostile environment (e.g. the Internet), while the Linux server may not have as much risk (at least from a virus attack).
We all know the benefits of running Linux file servers such as cost, stability and coolness so we won’t touch on those but there are downsides to running a Linux file server. One of the major downsides is that Linux servers have a perception of being hard to manage. While they can be significantly different from managing a Windows server this myth is often on the top of the list for decision makers.
Often system administrators (myself included in this one) get lazy in their Samba configurations. This is a potential problem because a sneaky virus could attempt to write itself to any writable volume, which could cause a lot of grief for the poor Windows machines. Or perhaps, in tandem with the writable volume, an exploit for a piece of outdated software allows the written file to be executed.
A friend of mine first introduced me to the concept of anti-virus scanners on a machine he had created specifically for the purpose of housing his virus collection. He had made a script that extracted information about the virus and cataloged it for easy reading and searching. All he had to do to add a virus to his collection was copy it to a folder. With this method he was able to quickly search and find any virus he had on file for specific traits or purposes for analysis. While some may call this overkill for him it was a hobby. Would you keep your entire virus collection on a Windows machine?
As with any operating system, it is only as secure as you make it, therefore running an anti-virus on your Linux machines may not be as stupid as it first sounds, especially if they interact with the dirty Windows boxes on a regular basis. Then again, if you’re purely a Linux shop, enjoy the cleanliness while it lasts.

Linux Server Monitoring



There is a bunch of Linux Server Monitoring software available. The problem is sifting through it all. The first thing to do is identify what it is you want to monitor, then you can find what software will work best for your needs. As far as system monitoring goes there is old school and new school. Any combination of tools could be used and there are also a number of ways you can home brew some monitoring solutions.

Workstation Monitoring

Although not exactly server monitoring, workstation monitoring is a good starting point if you want to explore the available options.
Top
The most basic form of monitoring is top. This comes installed with most distributions, live CDs and servers. To use it just open up a terminal and type the command. It will auto update by default every 5 seconds but there are some tweaks to make it more useful; my favorite is the < and > keys, which change which field it is ordered by. It is very useful to see what is taking up precious CPU or memory resources. The man page is the best resource to learn more.
htop
A slightly newer top, with colors and textual bar graphs.
GKrellM
It’s not quite as old as top, but still old school and it’s still available in many distributions’ repositories. It’s great to have sitting on your desktop and has a whole range of plugins to make it do some pretty cool stuff.
Torsmo / Conky
Torsmo (http://torsmo.sourceforge.net/) and Conky (http://conky.sourceforge.net/) are pretty much the same thing. Conky started out as a fork of Torsmo which is why I’ve included them under the same category. Basically these are little apps that live on your desktop like GKrellM except in text mode. You can display pretty much any information you want, and run external applications including shell scripts.
phpSysInfo
A tool long forgotten about is phpSysInfo (http://phpsysinfo.sourceforge.net/). It requires a web server such as Apache to run, but provides a broad range of information. This tool really has improved over the years, becoming more visually appealing and supporting more operating systems and languages. It gives the most basic information out of the box, and to be honest top gives you more info, but it can now be extended with plugins, meaning you can do whatever you want with it.
rrdtool
Perhaps for the most hardcore users that wish to add some zing to their monitoring, rrdtool (http://www.mrtg.org/rrdtool/) provides a great interface for creating graphs from data. Check out their Gallery for some examples of what rrdtool can do. A lot of the other tools in this document also utilize rrdtool.
Cacti
If you’re not as daring as the die-hard rrdtool users Cacti (http://cacti.net) is a great piece of software that provides an interface and simplifies using rrdtool. You can create your own templates or use the pre-built templates that allow you to monitor a variety of things.

Web Server monitoring

I couldn’t get away with talking about Linux Server Monitoring without mentioning Web Server monitoring. If you’ve run a website before you know how exciting it can be to monitor your server. *Chuckles*, seriously though, these tools can make it more fun and worthwhile. These tools may monitor, but some have very different uses from others. I’ll start with the most basic.
Apache Logs
While not exactly server monitoring software, these deserve a mention. You can monitor a number of things such as access logs:
tail -f /var/log/httpd/access_log
tail -f /var/log/httpd/ssl_access_log
or error logs:
tail -f /var/log/httpd/error_log
tail -f /var/log/httpd/ssl_error_log
If you want to get really snazzy with it you can use a tool like multitail.
apachetop
A great piece of software that simplifies using a pager and opening the log files and puts it into a top like interface. Handy to see real time statistics.
mod_status
Possibly the most complex apache monitoring software available. I’ve honestly never used this before, but after reading this I may just have to give it a try.

Web Analytic Software

These don’t monitor per se but rather give you statistics. They can be useful to identify issues related to traffic spikes.
Apart from Google Analytics my favorite is analogstats. I have not yet had a chance to run Piwik but it looks pretty good too. Evaluate them all and make a decision.

Database Monitoring

MySQLTop
A hard one to find in some distributions’ repositories. I actually found mysqltop (http://jeremy.zawodny.com/mysql/mytop) by mistake one day. It’s similar to top and apachetop except it monitors MySQL databases.
InnoTop (http://sourceforge.net/projects/innotop)
I perceive innotop to be the same as mysqltop except for innodb.
check_postgres
Without mentioning postgres I wouldn’t be completing the database section. check_postgres (http://bucardo.org/wiki/Check_postgres) is a set of scripts to help monitor it. I’ve always found that configuring postgres can be tricky, and since I haven’t tried this one I’m wondering how hard it would be to set up.

Network Monitoring

What good is all this server monitoring if your network is non-functioning? A start would be to monitor your network; after all, even if your server is up, it’s no good if your network doesn’t work.
netstat (http://freshmeat.net/projects/netstat/)
Possibly the simplest form of monitoring for the network. Not very functional for more than a workstation listening post monitor unless you were to hack something together. Worth a mention none the less.
etherape
I’m assuming this is pronounced ether ape as in the chimp variety and not eth-rape, since there is an “e” in between. Etherape is a powerful graphic network monitoring tool. Check out the screenshots to see what I’m talking about: http://sourceforge.net/projects/etherape/
iptraf
This one has been around about 10 or so years, but the website hasn’t been updated in 5. Some may think that it looks like Kismet, but I say Kismet looks like iptraf.
mrtg
If you have the Multi Router Traffic Grapher open to the public it gives them an idea of how much traffic you get. Oh what I’d give to get a sneak at YouTube’s graph. Used by script kiddies everywhere to see if their DDoS’s are working. Mrtg makes nice rrdtool graphs and wraps an interface around them.
netmonitor (http://netmonitor.sourceforge.net/)
Top like network interface to view network bandwidth / usage. Updated slightly more recently than iptraf.
Use:
netmonitor –config
to generate a config file, startup netmonitor and watch magic in the making.
jnettop
Project page is here: http://jnettop.kubs.info/wiki/ but the freshmeat page http://freshmeat.net/projects/jnettop/ has working screenshots. This is a top-like interface that, you guessed it, displays information like top.
ntop (http://www.ntop.org)
I know what you’re thinking: another top interface, give it a rest already. Well, you are wrong. Although ntop shares its name, the user interface is far from the same.
It even runs on win32 since it uses the libpcap library.
Smokeping
Sounding like a Deep Purple song, we have smokeping: measure and track your network latency in style. http://oss.oetiker.ch/smokeping/

Linux Enterprise Server Monitoring

Let’s get to the part that everyone wants to hear about: Linux Server Monitoring for enterprise. So, these are the top picks that are either open source, free or have little support cost. I’ll be honest here, I don’t have that much experience in this arena.
Monit
Monit (http://mmonit.com/monit/) was suggested to me by NOGREP while writing this article. I’m not sure how well it scales but it certainly has all the makings of an enterprise solution. It can monitor process, files, and network stuff either locally or on remote hosts. It also has its own web server for graphical server monitoring.
Nagios
The world famous Nagios (http://nagios.org). Huge community here and for good reason. Possibly one of the most robust monitoring software solutions out there. I’ve talked to a few IT managers that swear by it. Nagios is also available in many distributions’ repositories already, making it a great choice. Monitoring, Alerting, Response, Reporting, Maintenance and Planning are the larger areas that Nagios supports.
Zenoss
Perhaps known more for its enterprise services, Zenoss has a community edition. Look for the community edition link on their home page; at the time of this writing the URL is http://community.zenoss.org. Zenoss provides availability monitoring, performance monitoring, event monitoring, alerting and more. A neat feature is the XML-RPC and REST APIs, making it integrable and extensible. The community edition is released under the GPL license.
OpenNMS
OpenNMS, either Network Management Software or Solution (http://www.opennms.org/), is perhaps geared more towards the network infrastructure side of the house, although as stated before this can be useful. It’s perhaps the oldest available and can be highly customized like the others.
PandoraFMS
The Pandora Flexible Monitoring System (http://pandorafms.org/) doesn’t mean it’s bendy. It’s a really pretty monitoring system with some unique features I haven’t seen in any of the others. The web cam overlay is nice, although I don’t really know how practical. The graphs are pretty and not so rrd-like and the maps look awesome. The network auto generation is not unique but gives a cool visualization of a network fairly quickly.

Conclusion

This could be the most comprehensive list I’ve ever come up with. As you can see there is a ton of open source Linux Server Monitoring software available. Give them a try, and use the comments to tell what you think or if any nuggets were missed.

Linux Server Management


Management… What more is there to say? Management has the ability to either make your life easier or make your life a living hell, server management can go the same way. With these utilities Linux Server Management doesn’t have to be quite as grim. In fact having the right server management software can be very rewarding. In this post we’ll cover some of the Linux Server Management software that is available. As always, feel free to contribute your favorite tools!

Linux Server Management Software

Webmin
I used to run webmin when I wasn’t as experienced with server management. What a long way it has come since then!
Probably one of the more well known pieces of server management software.
OpenNMS is the world’s first enterprise grade network management application platform developed under the open source model.
next generation, open-source Data-center management platform”
splunk
Strange name, neat software. Where’s my t-shirt? All joking aside, Splunk is rather unique and powerful. Definitely worth a gander.

Configuration Management

Samba Administration

SWAT
We finish with SWAT, the Samba Web Administration Tool. I wouldn’t exactly call this enterprise ready but for those managing small to medium sized workgroups SWAT may just do the trick.

htaccess allow from


htaccess allow from gives you the ability to allow (or deny) specific IPs or domain names access to a directory on your server. The syntax to do this is quite simple. Using VIM or nano, open up the .htaccess file in the directory that you want to restrict access to. You need to add the following:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
This allows access from your local host and the IP address you specify. Using .htaccess you can also allow by host name. This is useful if you wish to allow or deny a friend access to a directory. (note: it will also work if you have them in your hosts file)
Order Deny,Allow
Deny from all
Allow from LinuxBlog
Allow from .thelinuxblog.com
Using htaccess to allow from your LAN is also pretty easy. You use your CIDR address (ip/subnet) to do this. Try something like this (changing it to match your LAN):
Order Deny,Allow
Deny from all
Allow from 192.168.1.1/24
I run into htaccess allow problems a lot, and hope that this will clear the air up for me. htaccess can be very handy if you do not want to keep turning your firewall on and off, but do not want your directories wide open. Just remember, if you want to stop everyone except those you choose to access your apache web directories, use htaccess allow from!
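How the Order, Deny and Allow lines above combine for a given client, as an added example (not code from this post or from Apache). It models only `all`, full IP addresses and CIDR ranges; host name rules such as `Allow from LinuxBlog` need DNS lookups and are left out. The function names and the two failure-mode rule sets are constructed for illustration.

```python
import ipaddress

# Constructed rule sets; the first is the LAN example from the post.
LAN_ONLY = "Order Deny,Allow\nDeny from all\nAllow from 192.168.1.1/24\n"
# Failure mode 1: "Deny from all" forgotten, so the default (allow) applies.
NO_DENY = "Order Deny,Allow\nAllow from 192.168.1.1/24\n"
# Failure mode 2: Order swapped, so "Deny from all" wins over every Allow.
SWAPPED = "Order Allow,Deny\nDeny from all\nAllow from 192.168.1.1/24\n"


def _matches(spec, client):
    """True if one Allow/Deny argument (all, IP or CIDR) covers the client."""
    if spec.lower() == "all":
        return True
    try:
        # strict=False masks off host bits: 192.168.1.1/24 -> 192.168.1.0/24
        return client in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # host names need DNS lookups; not modelled here


def is_allowed(rules, client_ip):
    """Evaluate Order/Allow/Deny lines for one client IP address."""
    client = ipaddress.ip_address(client_ip)
    order, allow, deny = "deny,allow", [], []
    for line in rules.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order":
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and [w.lower() for w in words[1:2]] == ["from"]:
            (allow if key == "allow" else deny).extend(words[2:])
    allowed = any(_matches(s, client) for s in allow)
    denied = any(_matches(s, client) for s in deny)
    if order == "deny,allow":
        return allowed or not denied      # default allow, Allow overrides Deny
    if order == "allow,deny":
        return allowed and not denied     # default deny, Deny overrides Allow
    raise ValueError("unsupported Order: %s" % order)


if __name__ == "__main__":
    for name, rules in (("lan", LAN_ONLY), ("no-deny", NO_DENY), ("swapped", SWAPPED)):
        print(name, is_allowed(rules, "192.168.1.77"), is_allowed(rules, "203.0.113.9"))
```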

Using SSH as a Proxy


A helpful reader left a comment on this blog about using SSH as a Socks Proxy. Here is how to do it.
ssh -D <port> user@host
That’s it, once you’re logged in you are good to go.
Now, the problem I ran into was making Firefox use this proxy. I found a great extension called SwitchProxy which can be installed from the extensions site. Once installed, you can easily switch between proxies. This is really useful to use while at a coffee shop.
Check out the screenshot of the toolbar that it installs:
[Screenshot: Using SSH as a proxy on Linux]
It makes it really easy to turn the proxy on or off. One day if there is interest I might try to extend this to establish the SSH connection.

Remote SSH Port Forwarding


SSH is an amazing tool, I often find myself finding new and interesting ways (at least to me) to use it. It is a great tool to have in your toolbox.
This may be hard to explain in words, but here goes.
Picture this: you have 3 hosts, Host A has outbound access only and is on the same network as Host B. Host B has port 22 open, accepts ssh and is allowed to ssh to Host A. Host C is the computer you are sitting at and on a different network. So, you need to connect to Host A from host C. The way to do this is with SSH port forwarding.
Let’s say Host A is 192.168.1.2, Host B is 192.168.1.1 and Host C is 10.0.0.1 on the different network. Host C also has port 22 open.
So, in order to connect to Host A from Host C you can do the following with local port forwarding:
ssh -L 2222:HostA:22 user@HostB
Since this is a local forward, in another terminal you use ssh -p 2222 remoteuser@localhost (on your local machine, Host C) to connect to Host A. This works, but you have to keep the SSH session to Host B open, which may or may not be a problem.
One thing I like to do is use the SSH Remote port forward, this gives the advantage of not needing to keep the Host C (local) -> Host B connection open. Here is how it goes:
SSH from your current workstation (local) to the host that has access to your target host (host A in this case)
user@hostC: ssh hostB
From that connection, ssh to host A (the final target)
user@hostB: ssh hostA
Now that you’re on your target host, you can open screen (to resume if you need to) and then ssh back to your current workstation (host C), using the remote forward option (-R) with a port that is open on your current workstation (2222) to connect to localhost (host A) on port 22.
user@hostA: screen
user@hostA: ssh hostC -R 2222:localhost:22
Finally, from your workstation, in another terminal window, you’ll connect to your local port 2222, to connect to Host A.
user@hostC: ssh localhost -p2222
Once this is done, you can actually detach from your screen session on host A and log out of host A and host B. Once that is done, you’ll essentially have a connection from host A to host C with a port forward that allows host C to connect to host A even though you cannot SSH directly to host A from host C.
So, if you’ve followed it this far good job. Here is an attempt at drawing a graphic to represent what I typed. It should make the text a little easier to follow.
[Figure: Remote SSH Port Forwarding]