Enable DnsCrypt on your Ubuntu machine

For mirroring purposes, this is a working copy-paste of https://madebits.github.io/#blog/2014/2014-12-12-Using-DNSCrypt-on-Ubuntu-14.04.md

DNSCrypt enables making encrypted DNS queries to the DNS providers that support it. There is a PPA for DNSCrypt for Ubuntu, but it is not maintained at the time of this writing and it has no binary for Ubuntu 14.04 LTS. To install DNSCrypt I used these steps, which I tried on Lubuntu 14.04 LTS:

  • Visit the DNSCrypt PPA packages and download libsodium for trusty and dnscrypt-proxy for saucy (I used the 64-bit version for my machine, you may need the 32-bit versions).
  • I used the gdebi-gtk tool to install first libsodium4_0.4.5-0~trusty5_amd64.deb and then dnscrypt-proxy_1.4.0-0~oldconf2+saucy1_amd64.deb (you can also use dpkg -i).
  • dnscrypt-proxy then runs locally on address 127.0.0.2, port 53 (use netstat -tuplen to verify).
  • The default DNSCrypt PPA package AppArmor profile prevents Ubuntu 14.04 from shutting down. To fix that I edited it (sudo leafpad /etc/apparmor.d/usr.sbin.dnscrypt-proxy), replacing its content with the following:
  # Last Modified: Tue Dec 02 22:20:12 2014

  #include <tunables/global>

  /usr/sbin/dnscrypt-proxy {
    #include <abstractions/base>

    network inet stream,
    network inet6 stream,
    network inet dgram,
    network inet6 dgram,

    capability net_admin,
    capability net_bind_service,
    capability setgid,
    capability setuid,
    capability sys_chroot,
    capability ipc_lock,

    /bin/false r,
    /etc/ld.so.cache r,
    /etc/nsswitch.conf r,
    /etc/passwd r,

    # In case of custom libsodium installation
    /usr/local/lib/{@{multiarch}/,}libsodium.so* mr,

    # Reasonable pidfile location - tweak this if you prefer a different one
    /run/dnscrypt-proxy.pid rw,
  }

(Ed.) You may want to run `dpkg -L libsodium4` and `which dnscrypt-proxy` and check that the actual paths match the ones in the profile.

  • Optional: the dnscrypt-proxy configuration for the init service daemon is found in /etc/default/dnscrypt-proxy. The parameters (with -- prefixed) are documented in man dnscrypt-proxy. I edited /etc/default/dnscrypt-proxy as root to specify an alternative DNS server. The list of the officially available servers can be found on GitHub, or locally in /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv. To verify that a given server works use dig -p 443 @176.56.237.171 google.com (replace IP and port as needed). If you edit /etc/default/dnscrypt-proxy, you should run sudo restart dnscrypt-proxy afterwards.
  • Verify that dnscrypt-proxy runs by using ps -ef | grep dnscrypt. Then verify it can resolve addresses by using dig @127.0.0.2 google.com (if you configured tcp-only for dnscrypt-proxy then use dig +vc @127.0.0.2 google.com).
  • If all is OK, you can replace your current DNS servers in the Network Manager UI. If you use DHCP, select Automatic (DHCP) addresses only, and set 127.0.0.2 in Additional DNS servers. Once done, run sudo service network-manager restart for it to take effect. Verify the server used with nm-tool | grep -i dns.

End of copy-paste. You could download the latest packages of dnscrypt-proxy and libsodium and compile them locally; that is the best advice so far.
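The last step above (pointing Network Manager at 127.0.0.2) is where DNS leaks happen: a DHCP-supplied resolver that survives in /etc/resolv.conf still receives plaintext queries. The following is an added check, not part of the copied post; it assumes the listener address 127.0.0.2 from the steps above and a resolv.conf-style file as input.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the system only
# resolves through the local dnscrypt-proxy listener. The listener address is
# the one from the steps above; the file path defaults to /etc/resolv.conf.

LISTENER=${LISTENER:-127.0.0.2}

# resolvers_in FILE: list every active "nameserver" address in a resolv.conf.
resolvers_in() {
    # strip comments and keep the address column of nameserver lines
    sed -e 's/[#;].*$//' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# dns_leak_check [FILE] [LISTENER]: succeed only if every nameserver is the
# dnscrypt-proxy listener. Any other resolver would get plaintext queries, so
# it is printed and the check fails.
dns_leak_check() {
    file=${1:-/etc/resolv.conf}
    listener=${2:-$LISTENER}
    leaks=0
    for ns in $(resolvers_in "$file"); do
        if [ "$ns" != "$listener" ]; then
            echo "leak: $ns is not the dnscrypt-proxy listener $listener"
            leaks=$((leaks + 1))
        fi
    done
    # with no nameserver at all the glibc resolver falls back to 127.0.0.1,
    # which is not dnscrypt-proxy either, so that counts as a failure too
    if [ -z "$(resolvers_in "$file")" ]; then
        echo "leak: no nameserver configured"
        leaks=$((leaks + 1))
    fi
    [ "$leaks" -eq 0 ]
}

# Live usage after the Network Manager change (dig comes with dnsutils):
#   dns_leak_check && dig +short @"$LISTENER" google.com
```

Run it after `service network-manager restart`; if it prints a leak line, the extra resolver is still being handed out by DHCP and the "addresses only" setting did not take effect.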


Repair/configure a RunAbove snapshot (clone) booted as a new server

If you clone (make a snapshot of) a CentOS 6 server in your RunAbove control panel, you might have trouble bringing the new server online. A snapshot is literally a clone: the udev persistent-net rules file still binds the old NIC's MAC address to eth0, so the new server's NIC (which has a different MAC) comes up as eth1, for which there is no network configuration. To overcome this, we should…

  1. Check your old MAC address with `ifconfig -a`.
  2. Log in to the new server via VNC and run `ifconfig -a`:
    • your interface will show up as `eth1` at this point.
    • open `/etc/udev/rules.d/70-persistent-net.rules`.
  3. Compare the two interface rules, eth0 and eth1, and
    • delete or comment out the `eth0` line (it carries the old MAC)
    • change `eth1` to `eth0` on the line whose MAC (HWaddr) matches the `ifconfig -a` output on the cloned server
  4. Reboot and voilà, you're online.
  5. Some further modifications are needed:
    1. set the new hostname in `/etc/sysconfig/network` (HOSTNAME=) and map hostname + IP address in `/etc/hosts` (CentOS 6 does not read `/etc/hostname`)
    2. run `hostname your.new.hostname`
    3. `service network restart` or reboot

Shortcut: simply delete the /etc/udev/rules.d/70-persistent-net.rules file and reboot; udev regenerates it with the live MAC as eth0 :)

Don't forget! Your SSH keys are cloned too, host keys included: the clone presents the same /etc/ssh/ssh_host_* keys as the original, so whoever holds one server's host key can impersonate the other. Delete /etc/ssh/ssh_host_* and run `service sshd restart` (the CentOS 6 init script generates fresh keys when they are missing); clients that cached the old key under this name will warn once. Fork the old PuTTY config for the new server and simply change the IP address. You may want to generate a new login key, add it to .ssh/authorized_keys and remove the old one!
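The manual edit of the rules file and the host-key cleanup above, as an added script that is not part of the original post. It assumes the default CentOS 6 rules path and takes the live MAC (the one `ifconfig -a` shows on the clone) as an argument; the `regenerate_host_keys` function relies on the CentOS 6 sshd init script recreating missing keys.

```shell
#!/bin/sh
# Added example (not part of the original post): make the live NIC eth0 on a
# cloned CentOS 6 VM and drop the inherited SSH host keys.

RULES=/etc/udev/rules.d/70-persistent-net.rules   # CentOS 6 default path

# fix_persistent_net RULES_FILE LIVE_MAC [OUTPUT_FILE]
# Comments out the stale rule that still says NAME="eth0" for the old MAC and
# renames the rule carrying LIVE_MAC to eth0. Writes in place unless an
# OUTPUT_FILE is given. MAC comparison is case-insensitive.
fix_persistent_net() {
    rules=$1
    mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    out=${3:-$1}
    [ -f "$rules" ] || { echo "$rules: no such file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v mac="$mac" '
        # comments and blank lines pass through untouched
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        # the rule for the NIC that really exists on this VM becomes eth0
        index(tolower($0), "attr{address}==\"" mac "\"") {
            sub(/NAME="eth[0-9]+"/, "NAME=\"eth0\"")
            print; next
        }
        # any other rule claiming eth0 came from the source image: keep it
        # visible but inert
        /NAME="eth0"/ { print "# stale rule from the source image: " $0; next }
        { print }
    ' "$rules" > "$tmp" && cat "$tmp" > "$out"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# The clone also carries the original server's host keys; remove them so the
# CentOS 6 sshd init script generates fresh ones on the next start.
regenerate_host_keys() {
    rm -f /etc/ssh/ssh_host_*
    service sshd restart
}

# Usage on the clone, after reading the live MAC from `ifconfig -a`:
#   fix_persistent_net "$RULES" fa:16:3e:00:00:02 && regenerate_host_keys && reboot
```

The awk pass keeps the stale rule as a comment rather than deleting it, so you can still see which MAC the source image had if the rename goes wrong.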

Collection of various Postfix/Dovecot configuration scenarios

The order is NOT random:

INSTALLING A FULLY FLEDGED, READY TO USE MAILSERVER ON CENTOS 6 WITH POSTFIX, POSTGRESQL, AMAVIS, CLAMAV, SPAMASSASSIN AND DOVECOT:
• http://www.shisaa.jp/postset/mailserver-1.html
 – tested, fully working

A Mailserver on Ubuntu 14.04: Postfix, Dovecot, MySQL:
• https://www.exratione.com/2014/05/a-mailserver-on-ubuntu-1404-postfix-dovecot-mysql/
– tested, fully working

Ubuntu + Postfix + Courier IMAP + MySQL + Amavisd-new + SpamAssassin + ClamAV + SASL + TLS + Roundcube + Postgrey:
• http://flurdy.com/docs/postfix/#test-common

• http://www.krizna.com/centos/setup-mail-server-in-centos-6/

• https://www.rosehosting.com/blog/mailserver-with-virtual-users-and-domains-using-postfix-and-dovecot-on-a-centos-6-vps/

• http://www.yolinux.com/TUTORIALS/Postfix.html

• http://techarena51.com/index.php/configure-secure-postfix-email-server/

FTP is dead. Long live SFTP. An interesting alternative to secure ftp. How to jail SFTP users on a CentOS 6

This mini how-to covers jailing SFTP users (SFTP = SSH File Transfer Protocol), that is, restricting each user's access to their own home directory. It also disables shell login, so if restricted shell access is required additional configuration is needed; all fingers point towards http://olivier.sessink.nl/jailkit/

• Edit your /etc/ssh/sshd_config

• Find the line where /usr/libexec/openssh/sftp-server resides (the path is distribution dependent)

• Replace it with internal-sftp. The whole line should look like:
» Subsystem sftp internal-sftp

• Create a group "upload" or "sftpusers", something intuitive. Every user that you want to grant upload access via SFTP must be a member of this group.

• In your sshd_config file add:

Match Group upload
   ChrootDirectory %h
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp

NB: Access can be restricted further with additional Match Group X or Match User Y blocks. sshd insists that the ChrootDirectory (here %h, the user's home) and every directory above it are owned by root and not writable by group or others; otherwise the login fails with "bad ownership or modes for chroot directory" in the log.

• Check for syntax errors with sshd -t, then apply the change with a fast
» service sshd reload

• Next, create the group under which we gather all accounts allowed upload access. Only the group is needed by the Match block; I add a system user (no login) with a group of the same name.
» adduser --system --group upload for Debian
» adduser -M -s /bin/false upload for CentOS (a plain groupadd upload also does)

• Issue the following commands. The chroot target (/home/userN) must be root-owned and not group/world writable; apply this to the directories themselves, not recursively, otherwise every file under /home, private keys in ~/.ssh included, ends up root-owned and world-readable.
» chown root:root /home /home/user1 /home/user2
» chmod 755 /home /home/user1 /home/user2
» usermod -aG upload user1 ; usermod -aG upload user2 etc.
» chown -R user1:upload /home/user1/directory_you_wish_to_be_writeable
(tip: shell globbing works, e.g. chown -R user1:upload /home/user1/*/www )

• At this point you need to service sshd restart and check for errors (on CentOS they land in /var/log/secure).

• Final exam: log in with FileZilla (SFTP!) or your client of choice and try to cd out of your home directory; the chroot must keep you inside it, and a plain ssh login for the same user must be refused.
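Because sshd checks ownership and permissions of the chroot directory and every parent up to /, the usual failure after following the steps above is a home directory that is still user-owned or group-writable. The following is an added audit script, not part of the original how-to; it assumes the group name "upload" used above and GNU stat (CentOS 6 has it).

```shell
#!/bin/sh
# Added example (not part of the original how-to): audit the chroot
# prerequisites for every member of the SFTP group before reloading sshd.
# sshd refuses the login with "bad ownership or modes for chroot directory"
# when %h or any parent directory is not root-owned or is group/world writable.

# mode_is_safe OCTAL  (as printed by `stat -c %a`, e.g. 755 or 2755)
# True when neither the group nor the others write bit is set.
mode_is_safe() {
    perm=$(printf '%s' "$1" | sed 's/^.*\(...\)$/\1/')   # keep the last 3 digits
    case "$perm" in
        ?[2367]?|??[2367]) return 1 ;;   # write bit (2) set for group or others
    esac
    return 0
}

# check_chroot_dir DIR: print each problem found, return 1 if there is any.
check_chroot_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    owner=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")
    rc=0
    [ "$owner" = 0 ] || { echo "$dir: owned by uid $owner, must be root"; rc=1; }
    mode_is_safe "$mode" || { echo "$dir: mode $mode is group/world writable"; rc=1; }
    return $rc
}

# check_chroot_path DIR: sshd checks every path component, so walk up to /.
check_chroot_path() {
    p=$1
    rc=0
    while :; do
        check_chroot_dir "$p" || rc=1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# audit_group [GROUP]: check the home directory of every member of GROUP.
audit_group() {
    grp=${1:-upload}
    rc=0
    members=$(getent group "$grp" | cut -d: -f4 | tr ',' ' ')
    [ -n "$members" ] || { echo "group $grp has no members"; return 1; }
    for u in $members; do
        home=$(getent passwd "$u" | cut -d: -f6)
        check_chroot_path "$home" || rc=1
    done
    return $rc
}

# Usage:  audit_group upload && sshd -t && service sshd reload
```

Run it as root after the chown/chmod step; it lists exactly the directory and the reason sshd will reject, which is faster than reading the fatal line out of /var/log/secure after each failed login.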

References
• http://serverfault.com/questions/591781/creating-sftp-users-and-jailing-to-chroot-on-centos-user-authentication-error
• http://askubuntu.com/questions/134425/how-can-i-chroot-sftp-only-ssh-users-into-their-homes

MySQL 5.6 Master-Master replication setup and configuration on CentOS 6

We'll be using two servers. You can add as many as you like. Low latency is preferable (<50 ms) if important changes are being made on both servers at the same time. Please note that "master-master" means roughly this: each server is a slave of another, receiving and applying changes (slave behaviour), and at the same time it writes those applied changes to its own binary log for the next server to pick up (master behaviour; that is what log-slave-updates is for).

changes on Server1 -> sent to and executed on -> Server2 -> sent to and executed on -> Server1

The cycle does not run forever: every binary log event carries the server-id of the server that originated it, and a server skips events that carry its own id. That is exactly why server-id must be unique per server; with a duplicate id the peer would silently skip the other server's changes.

Onto installation:

  1. Get the official repository and install it, along with the server (mysql-community-server pulls in the client), then lock the installation down:
wget http://dev.mysql.com/get/mysql-community-release-el6-5.noarch.rpm ; rpm -Uvh mysql-community-release-el6-5.noarch.rpm ; yum update ; yum install mysql-community-server
# mysql_secure_installation

  2. On server1:
    mysql > CREATE USER 'username'@'ip-of-server2' IDENTIFIED BY 'password';
    mysql > GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'username'@'ip-of-server2' IDENTIFIED BY 'password';
    mysql > RESET SLAVE;
    mysql > CHANGE MASTER TO MASTER_HOST='ip-of-server2', MASTER_USER='username_for_server2', MASTER_PASSWORD='password_for_server2', MASTER_LOG_FILE='mysql-bin.000001', MASTER_LOG_POS=120;

  3. On server2:
    mysql > CREATE USER 'username'@'ip-of-server1' IDENTIFIED BY 'password';
    mysql > GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'username'@'ip-of-server1' IDENTIFIED BY 'password';
    mysql > RESET SLAVE;
    mysql > CHANGE MASTER TO MASTER_HOST='ip-of-server1', MASTER_USER='username_for_server1', MASTER_PASSWORD='password_for_server1', MASTER_LOG_FILE='mysql-bin.000001', MASTER_LOG_POS=120;

  The hard-coded coordinates (mysql-bin.000001, position 120) are where a freshly enabled MySQL 5.6 binary log starts, so they are only valid for an empty, just-installed pair; on a server that already holds data, take MASTER_LOG_FILE and MASTER_LOG_POS from SHOW MASTER STATUS on the other side. If the two servers talk over a network you do not control, add REQUIRE SSL to the GRANT and pass MASTER_SSL=1 with the CA/cert/key files in CHANGE MASTER TO, otherwise every replicated row crosses the wire in the clear.

  4. service mysqld stop

  5. Centralize logging into /var/log/mysql
    # mkdir /var/log/mysql ; cd /var/log/mysql; touch bin.log error.log log-bin.index relay-log.index relay-log.info log-bin.index_crash_safe log-bin.~rec~ ; chown mysql:mysql . ; chown mysql:mysql *.log ; chown mysql:mysql *.index ; chown mysql:mysql *.info ; chown mysql:mysql *.~rec~ ; chown mysql:mysql *.index_crash_safe

  6. Append or overwrite and adjust as needed /etc/my.cnf :

# If you omit server-id the master refuses any connections from slaves.
# CHANGE ID! MUST BE UNIQUE TO EACH SERVER!
server-id=1

# Prevent key collisions
# CHANGE OFFSET! MUST BE UNIQUE TO EACH SERVER!
auto-increment-offset = 1
auto-increment-increment = 4

# Binary logging must be enabled on the master because the binary
# log is the basis for replicating changes from the master to its slaves.
# If binary logging is not enabled using the log-bin option, replication is not possible.
log-bin=mysql-bin
binlog_format=row
# Optional and easy to get wrong: with binlog_do_db, changes to any other
# database are never written to the binary log and so never reach the peer.
# Omit it to replicate everything.
binlog_do_db=include_database_name

# For the greatest possible durability and consistency
# in a replication setup using InnoDB with transactions
innodb_flush_log_at_trx_commit=1
sync_binlog=1

# Listen! 0.0.0.0 exposes port 3306 on every interface; prefer the address of
# the private/replication interface, and in any case firewall 3306 so that
# only the peer's IP can reach it.
bind-address = 0.0.0.0

#######################
### LOG MANAGEMENT ####
#######################
# mkdir /var/log/mysql ; cd /var/log/mysql; 
# touch bin.log error.log log-bin.index relay-log.index relay-log.info log-bin.index_crash_safe log-bin.~rec~
# chown mysql:mysql . ; chown mysql:mysql *.log ; chown mysql:mysql *.index ; chown mysql:mysql *.info ; chown mysql:mysql *.~rec~ ; chown mysql:mysql *.index_crash_safe
#log-bin = /var/log/mysql/bin.log
log-slave-updates
log-bin-index = /var/log/mysql/log-bin.index
log-error = /var/log/mysql/error.log
relay-log = /var/log/mysql/relay.log
relay-log-info-file = /var/log/mysql/relay-log.info
relay-log-index = /var/log/mysql/relay-log.index
expire_logs_days = 10
max_binlog_size = 500M

#######################
##### CREDENTIALS #####
#######################
# Do NOT put master_host / master_user / master_password / master_connect-retry
# / master_ssl* in here: those server options were removed in MySQL 5.5, and a
# 5.6 mysqld refuses to start on an unknown variable. Replication credentials
# and TLS settings are given to CHANGE MASTER TO (MASTER_HOST, MASTER_USER,
# MASTER_PASSWORD, MASTER_CONNECT_RETRY, MASTER_SSL=1, MASTER_SSL_CA,
# MASTER_SSL_CAPATH, MASTER_SSL_CERT, MASTER_SSL_KEY, MASTER_SSL_CIPHER,
# MASTER_SSL_VERIFY_SERVER_CERT=1) and persisted by the server itself.

Don't forget to service mysqld restart on both servers. Replication does not start by itself: run START SLAVE on each server, then SHOW SLAVE STATUS\G and make sure both Slave_IO_Running and Slave_SQL_Running say Yes; if not, Last_IO_Error / Last_SQL_Error tells you why.
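Checking SHOW SLAVE STATUS\G by eye on every node gets old quickly. The following is an added script, not from the original post; it parses that output, fails on a stopped thread, a pending error or excessive lag, and warns when the link is not TLS-protected. The host list and the assumption that the mysql client authenticates via ~/.my.cnf are mine.

```shell
#!/bin/sh
# Added example (not from the original post): verify that replication is really
# running on each node of the master-master pair after START SLAVE.

# slave_status_ok [MAX_LAG]: read `SHOW SLAVE STATUS\G` output on stdin and
# print a one-line verdict. Succeeds only when both replication threads run,
# no error is pending and the lag is at most MAX_LAG seconds (default 60).
slave_status_ok() {
    max_lag=${1:-60}
    io=No; sql=No; errno=0; err=; lag=NULL; ssl=No
    while IFS= read -r line; do
        key=$(printf '%s' "${line%%:*}" | tr -d ' ')   # column name, unpadded
        val=${line#*:}; val=${val# }                    # value after ": "
        case "$key" in
            Slave_IO_Running)      io=$val ;;
            Slave_SQL_Running)     sql=$val ;;
            Last_Errno)            errno=$val ;;
            Last_Error)            err=$val ;;
            Seconds_Behind_Master) lag=$val ;;
            Master_SSL_Allowed)    ssl=$val ;;
        esac
    done
    # bind-address 0.0.0.0 plus no TLS means replicated rows cross the wire in clear
    [ "$ssl" = Yes ] || echo "warning: replication traffic is not TLS protected (MASTER_SSL=0)"
    if [ "$io" != Yes ] || [ "$sql" != Yes ]; then
        echo "FAIL: IO=$io SQL=$sql errno=$errno${err:+ error=$err}"
        return 1
    fi
    # Seconds_Behind_Master is NULL whenever the SQL thread is not applying events
    if [ "$lag" = NULL ] || [ "$lag" -gt "$max_lag" ]; then
        echo "FAIL: lag=$lag exceeds ${max_lag}s"
        return 1
    fi
    echo "OK: lag=${lag}s ssl=$ssl"
    return 0
}

# check_node HOST: query one server (the account needs REPLICATION CLIENT).
check_node() {
    mysql -h "$1" -e 'SHOW SLAVE STATUS\G' | slave_status_ok
}

# Usage, against both nodes of the pair (addresses are placeholders):
#   for h in ip-of-server1 ip-of-server2; do echo "== $h"; check_node "$h"; done
```

Hook `check_node` into cron or your monitoring; an empty SHOW SLAVE STATUS (replication never configured) is reported as a failure too, which is what you want on a node that is supposed to be part of the pair.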

References:
• http://scale-out-blog.blogspot.com/2012/04/if-you-must-deploy-multi-master.html
• http://www.rackspace.com/knowledge_center/article/mysql-master-master-replication
• https://www.digitalocean.com/community/tutorials/how-to-set-up-mysql-master-master-replication
• http://dev.mysql.com/doc/refman/5.6/en/replication-howto.html
• http://www.lefred.be/node/45
• http://myoracleproduct.blogspot.com/2013/09/mysql-standby-creation-master-slave.html
• http://www.howtoforge.com/setting-up-master-master-replication-on-four-nodes-with-mysql-5-on-debian-etch