Monday, October 31, 2011

Configuring A High Availability Cluster (Heartbeat) On RHEL/CentOS


This section shows how you can set up a two node, high-availability HTTP cluster with heartbeat on CentOS. Both nodes use the Apache web server to serve the same content.

Pre-Configuration Requirements
1.   Assign the hostname cluster1 to the primary node, with IP address 192.168.1.4 on eth0.
2.   Assign the hostname cluster2 to the slave node, with IP address 192.168.1.5.
Note: on cluster1

# uname  -n
  
must return cluster1

On cluster2

# uname -n

must return cluster2

192.168.1.6 is the virtual IP address that will be used for our Apache webserver (i.e., Apache will listen on that address).

Configuration
Step 1. Download and install the heartbeat package. In our case we are using CentOS so we will install heartbeat with yum:

# yum install heartbeat
or download these packages:

heartbeat-2.08
heartbeat-pils-2.08
heartbeat-stonith-2.08

Step 2. Now we have to configure heartbeat on our two node cluster. We will deal with three files. These are:

authkeys
ha.cf
haresources

Step 3. Before editing them, copy the three sample files shipped with the heartbeat package to the /etc/ha.d directory. In our case the commands are:

cp /usr/share/doc/heartbeat-2.1.2/authkeys /etc/ha.d/
cp /usr/share/doc/heartbeat-2.1.2/ha.cf /etc/ha.d/
cp /usr/share/doc/heartbeat-2.1.2/haresources /etc/ha.d/

Step 4. Now let's start configuring heartbeat. First we deal with the authkeys file, using authentication method 2 (sha1). Edit the authkeys file as below:

vi /etc/ha.d/authkeys
Then add the following lines:
auth 2
2 sha1 test-ha
Change the permission of the authkeys file:
chmod 600 /etc/ha.d/authkeys
Step 5. Moving to our second file (ha.cf) which is the most important. So edit the ha.cf file with vi:

vi /etc/ha.d/ha.cf

Add the following lines in the ha.cf file:

logfile /var/log/ha-log
logfacility local0
keepalive 2
deadtime 30
initdead 120
bcast eth0
udpport 694
auto_failback on
node cluster1
node cluster2

Note: cluster1 and cluster2 are the names printed by

# uname -n

Step 6. The final piece of our configuration is the haresources file. It lists the resources we want to make highly available; in our case that is the web server (httpd):

# vi /etc/ha.d/haresources

Add the following line:

cluster1 192.168.1.6 httpd
Step 7. Copy the /etc/ha.d/ directory from cluster1 to cluster2:

# scp -r /etc/ha.d/ root@cluster2:/etc/

Step 8. As we want httpd to be highly available, let's configure httpd:

# vi /etc/httpd/conf/httpd.conf

Add this line in httpd.conf:
Listen 192.168.1.6:80

Step 9. Copy the /etc/httpd/conf/httpd.conf file to cluster2:

# scp /etc/httpd/conf/httpd.conf root@cluster2:/etc/httpd/conf/

Step 10. Create the file index.html on both nodes (cluster1 & cluster2):
On cluster1:

echo "Cluster1 apache Web server Test Page " > /var/www/html/index.html

On Cluster2:
echo "cluster2 Apache test server Test page too" > /var/www/html/index.html

Step 11. Now start heartbeat on the primary cluster1 and slave cluster2:

# /etc/init.d/heartbeat start

Step 12. Open web-browser and type in the URL:
http://192.168.1.6

It will show “Cluster1 apache Web server Test Page”

Step 13. Now stop the heartbeat daemon on cluster1:

# /etc/init.d/heartbeat stop

In your browser type in the URL http://192.168.1.6 and press enter.

It will show “cluster2 Apache test server Test page too”

Step 14. You don't need to create a virtual network interface or assign the IP address 192.168.1.6 to it yourself. Heartbeat does this for you and starts the service (httpd) itself.

Don't use the IP addresses 192.168.1.4 and 192.168.1.5 for services. These addresses are used by heartbeat for communication between cluster1 and cluster2; if either of them is also used for a service or resource, it will disturb heartbeat and the cluster will not work.
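Before starting heartbeat on each node, a quick consistency check of the three files saves a failed first start. The script below is an added example (not from the original article): it assumes GNU coreutils stat and that authkeys, ha.cf and haresources are laid out as in the steps above; node_declared and check_heartbeat_config are names chosen here, not heartbeat commands.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check the three
# heartbeat files (authkeys, ha.cf, haresources) before starting the daemon.
# Assumes GNU coreutils stat (Linux); file layout follows the steps above.

# node_declared NAME HA_CF: succeed if NAME appears on a "node" line of ha.cf.
node_declared() {
    awk -v n="$1" '$1 == "node" { for (i = 2; i <= NF; i++) if ($i == n) ok = 1 }
                   END { exit !ok }' "$2"
}

# check_heartbeat_config [DIR] [HOSTNAME]: print each problem found in DIR
# (default /etc/ha.d) for the node HOSTNAME (default uname -n); return the count.
check_heartbeat_config() {
    dir=${1:-/etc/ha.d}
    me=${2:-$(uname -n)}
    problems=0

    # authkeys holds the shared cluster secret: root-only access (mode 600).
    mode=$(stat -c %a "$dir/authkeys" 2>/dev/null)
    if [ "$mode" != 600 ]; then
        echo "authkeys: mode is '$mode', expected 600"
        problems=$((problems + 1))
    fi

    # "auth N" must refer to a defined "N method [key]" line, e.g. "2 sha1 test-ha".
    idx=$(awk '$1 == "auth" { print $2; exit }' "$dir/authkeys")
    if ! awk -v i="$idx" '$1 == i && NF >= 2 { ok = 1 } END { exit !ok }' "$dir/authkeys"; then
        echo "authkeys: auth index '$idx' has no matching method line"
        problems=$((problems + 1))
    fi

    # ha.cf must name this host exactly as uname -n reports it.
    if ! node_declared "$me" "$dir/ha.cf"; then
        echo "ha.cf: this host '$me' is not listed on a node line"
        problems=$((problems + 1))
    fi

    # The node haresources assigns the resources to must be a declared node too.
    owner=$(awk 'NF && $1 !~ /^#/ { print $1; exit }' "$dir/haresources")
    if ! node_declared "$owner" "$dir/ha.cf"; then
        echo "haresources: preferred node '$owner' is not declared in ha.cf"
        problems=$((problems + 1))
    fi
    return $problems
}
```

Run it as root on both nodes after Step 7, before Step 11; a non-zero return value means something printed above needs fixing.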

Friday, October 28, 2011

how to install csf firewall on linux server for Cpanel

CSF, the ConfigServer Security & Firewall, has become one of the popular firewalls, not just because of its ease of use but also because it provides a cPanel interface and can be installed and tuned by a novice user. If you are running cPanel without a firewall, CSF is very much recommended, considering the security of your server.
You can visit the CSF firewall website for more information. You can also download necessary files there.

Important Features

  • WHM Interface for CPanel
  • Firewall Running Status
  • Easy to Install and Administer
  • Brute Force Attack Prevention
  • One Click Server Security Checks
  • Port scan prevention and blocking
  • Intrusion detection system
  • Easy Installation and Configuration
  • IP Blocking and more..
Let us prepare a Linux-based server running cPanel. Note that CSF requires any currently running IP-based firewall (APF or another iptables firewall) to be removed first. It comes with the scripts needed to remove APF or an iptables firewall.

Installation Steps

1. Download the package here
wget <<path_of_tgz_file>>
2. Untar it
tar -zxf csf.tar.gz
3. Run the install script (the tarball extracts into a csf/ directory in the current location).
sh csf/install.sh
That's it! Wait until the script ends.
4. Remove APF or IPTables Firewall
If you have any existing iptables firewall, remove it using the uninstall scripts located in /etc/csf. In this case I was running the APF firewall and BFD on my server, so I had to remove them.
sh /etc/csf/remove_apf_bfd.sh
5. Start the Firewall in Testing Mode
Start the firewall with the following commands:
csf -s    # start the firewall
csf -r    # restart the firewall
csf -f    # flush the rules, i.e. stop the firewall
If you are running a VPS plan, you might get an error like this:
"iptables LKM ip_tables missing so this firewall cannot function unless you enable MONOLITHIC_KERNEL in /etc/csf/csf.conf
Error: aborted, at line 156"

To fix:
Open /etc/csf/csf.conf, look for the line MONOLITHIC_KERNEL = "0" and change it to MONOLITHIC_KERNEL = "1".
That's all! Now restart the firewall.
6. Specify which ports you want to allow.
It is very important to tell the firewall which ports to open; all remaining ports are closed. Open /etc/csf/csf.conf and edit the following lines with your port numbers:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2087"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"
# Allow incoming UDP ports
UDP_IN = "20,21,53,953"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,873,953,6277"
21 => FTP
22 => SSH
23 => Telnet
25 => SMTP (mail transfer)
43 => WHOIS service
53 => name server (DNS)
80 => HTTP (web server)
110 => POP protocol (for email)
443 => HTTPS (HTTP over SSL)
995 => POP over SSL/TLS
9999 => Urchin
3306 => MySQL server
2082 => cPanel default
2083 => cPanel - secure/SSL
2086 => cPanel WHM
2087 => cPanel WHM - secure/SSL
2095 => cPanel webmail
2096 => cPanel webmail - secure/SSL
8443 => Plesk Control Panel
2222 => DirectAdmin Control Panel
10000 => Webmin Control Panel
For more information about commonly used port numbers refer to this article
7. Disable the testing mode and start the firewall
Remember that by default the firewall runs in testing mode. Once the port list is correct, disable testing mode:
nano /etc/csf/csf.conf

# Look for the first line and set testing mode to "0"
TESTING = "0"

# Now restart the firewall!
csf -r
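As an added example (not from the original article), the script below audits a csf.conf before you leave testing mode: it reports TESTING still set to "1" and every TCP_IN port that is not on the list of ports you intend to expose, so the port legend above can be applied deliberately. csf_get and csf_audit are helper names chosen here, not csf commands; the csf.conf path is a parameter so it can be run on a copy.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a csf.conf before
# turning TESTING off. Prints one line per finding and returns their count.

# csf_get CONF KEY: print the quoted value of a 'KEY = "value"' line in CONF.
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# csf_audit CONF INTENDED: INTENDED is the comma-separated list of TCP ports
# you mean to expose. Reports TESTING = "1" and each TCP_IN entry not on that
# list (a range such as 30000:35000 is compared as one entry).
csf_audit() {
    conf=$1
    intended=",$2,"
    findings=0

    if [ "$(csf_get "$conf" TESTING)" = "1" ]; then
        echo "TESTING = \"1\": csf clears the rules periodically in this mode; set 0 for production"
        findings=$((findings + 1))
    fi

    tcp_in=$(csf_get "$conf" TCP_IN)
    for p in $(printf '%s' "$tcp_in" | tr ',' ' '); do
        case $intended in
            *",$p,"*) ;;   # port is on the intended list
            *) echo "TCP_IN opens port $p, which is not on the intended list"
               findings=$((findings + 1)) ;;
        esac
    done
    return $findings
}
```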

In Cpanel

If you have successfully installed CSF, you will find the CSF Security & Firewall option within cPanel WHM at the bottom of the menu. Click on the link and you can also edit the firewall settings inside cPanel, which is very easy to do.

Config Files

/etc/csf/csf.conf => CSF firewall configuration file
/etc/csf/csf.allow => config file to allow IPs
/etc/csf/csf.deny => config file to deny IPs
/etc/csf/ => alert files with the TXT extension are stored in this directory

Final Steps

1. Check the status of firewall inside cpanel
2. Harden the firewall security by performing the system security check. To do this go to Cpanel WHM > CSF Firewall & Security > Check System Security. There it will list WARNINGS based on your server.

1. How do I know whether the firewall is running or not?

Just login to Cpanel WHM > Config Security & Firewall > Status: Running

Another good idea is to check which ports the firewall has opened and closed.
To look for open ports, use one of the following commands on Linux and observe which ports are open:
netstat -nap
OR
nmap localhost

2. How do I remove the CSF firewall?

Just run the uninstall script located in the /etc/csf/ directory:
sh /etc/csf/uninstall.sh

Sunday, October 16, 2011

How do I set up Chroot Sftp ?


Issue

  • How do I set up chroot SFTP on Red Hat Enterprise Linux 5?
  • How do I set up SFTP so that a specially created FTP user can't get out of its home directory?
  • How do I set up SFTP so that a user can only access his home directory and its subdirectories? This is called a "chroot jail" in FTP terminology.

Environment

  • Red Hat Enterprise Linux 5.4
  • openssh-server-4.3p2-30.el5 or later

Resolution

Chroot SFTP is possible with the openssh (openssh-server-4.3p2-30.el5) shipped in Red Hat Enterprise Linux 5.4. If you are using an older openssh version, upgrade to openssh-server-4.3p2-30.el5 or later.

Below is a sample chroot SFTP configuration:

1. Create a specific chrooted directory.
mkdir -p /chroot/home

2. Bind-mount /home onto it as follows:
mount -o bind /home /chroot/home

3. Edit /etc/ssh/sshd_config as follows:
ChrootDirectory /chroot
Subsystem sftp internal-sftp

Please ensure that the ChrootDirectory, "/chroot" in this example, and every directory on its path are owned by root and are not writable by any other user or group. Note that this setting affects all users; there is no per-user configuration.

4. Save, exit and restart sshd:
service sshd restart

Please refer to sshd_config man page for details on ChrootDirectory
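As an added check (not part of the original article), the shell functions below verify what sshd enforces for ChrootDirectory: every directory from / down to the chroot must be owned by root (uid 0) and must not be group- or other-writable, otherwise sshd refuses the session with a "bad ownership or modes" error. It assumes GNU coreutils stat (Linux); the owner uid is a parameter so the check can be tried on a test tree, and dir_is_safe / chroot_path_violations are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the original article: check that a ChrootDirectory
# path satisfies sshd's ownership and mode requirements.
# Assumes GNU coreutils stat (Linux).

# dir_is_safe DIR [UID]: succeed only if DIR is owned by UID (default 0, root)
# and has no write bit set for group or other.
dir_is_safe() {
    dir=$1
    owner=${2:-0}
    [ -d "$dir" ] || return 1
    [ "$(stat -c %u "$dir")" = "$owner" ] || return 1
    mode=$(stat -c %a "$dir")            # e.g. 755 or 1777
    go=${mode#"${mode%??}"}              # last two octal digits: group, other
    case $go in
        [2367]*|*[2367]) return 1 ;;     # a write bit is set for group or other
    esac
    return 0
}

# chroot_path_violations PATH [UID]: print "unsafe: <dir>" for every component
# of PATH, from / down to PATH itself, that fails dir_is_safe; return 0 only if
# none does. sshd checks exactly these directories before chrooting.
chroot_path_violations() {
    target=$1
    owner=${2:-0}
    bad=0
    cur=''
    dir_is_safe / "$owner" || { echo "unsafe: /"; bad=1; }
    oldifs=$IFS
    IFS=/
    set -- $target                       # split the path on "/"
    IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue       # skip the empty field before the leading "/"
        cur="$cur/$comp"
        dir_is_safe "$cur" "$owner" || { echo "unsafe: $cur"; bad=1; }
    done
    return $bad
}
```

For the configuration above, run chroot_path_violations /chroot as root; /chroot/home itself is outside the check because sshd only inspects the chroot target and its parents.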

How can I secure the FTP servers?

The File Transfer Protocol (FTP) is an older TCP protocol designed to transfer files over a network. Because all transactions with the server, including user authentication, are unencrypted, it is considered an insecure protocol and should be configured carefully.

Red Hat Enterprise Linux provides three FTP servers.

  • gssftpd - A Kerberized, xinetd-based FTP daemon which does not pass authentication information over the network.
  • Red Hat Content Accelerator (tux) - A kernel-space web server with FTP capabilities.
  • vsftpd - A standalone, security-oriented implementation of the FTP service.

The following security guidelines are for setting up the vsftpd FTP service.

FTP Greeting Banner

Before submitting a user name and password, all users are presented with a greeting banner. By default, this banner includes version information useful to crackers trying to identify weaknesses in a system. To change the greeting banner for vsftpd, add the following directive to /etc/vsftpd/vsftpd.conf:

ftpd_banner=<insert_greeting_here>
Replace <insert_greeting_here> in the above directive with the text of the greeting message. For multi-line banners, it is best to use a banner file. To simplify management of multiple banners, place all banners in a new directory called /etc/banners/. The banner file for FTP connections in this example is /etc/banners/ftp.msg. Below is an example of what such a file may look like:


  ####################################################
  # Hello, all activity on ftp.example.com is logged.#
  ####################################################
Note: It is not necessary to begin each line of the file with 220. To reference this greeting banner file for vsftpd, add the following directive to /etc/vsftpd/vsftpd.conf:

banner_file=/etc/banners/ftp.msg
Note: It also is possible to send additional banners to incoming connections using TCP wrappers.

Anonymous Access

The presence of the /var/ftp/ directory activates the anonymous account. The easiest way to create this directory is to install the vsftpd package. This package sets up a directory tree for anonymous users and configures the permissions on directories to read-only for anonymous users. By default the anonymous user cannot write to any directories. Caution: if enabling anonymous access to an FTP server, be aware of where sensitive data is stored.

Anonymous Upload

To allow anonymous users to upload, it is recommended that a write-only directory be created within /var/ftp/pub. To do this, type:

mkdir /var/ftp/pub/upload
Next change the permissions so that anonymous users cannot see what is within the directory by typing:

chmod 730 /var/ftp/pub/upload
A long format listing of the directory should look like this:

drwx-wx---    2 root    ftp     4096 Feb 13 20:05 upload
Warning: Administrators who allow anonymous users to read and write in directories often find that their servers become a repository of stolen software. Additionally, to enable anonymous uploads under vsftpd, add the following line to /etc/vsftpd/vsftpd.conf:

anon_upload_enable=YES

User Accounts

Because FTP passes unencrypted usernames and passwords over insecure networks for authentication, it is a good idea to deny system users access to the server from their user accounts. To disable user accounts in vsftpd, add the following directive to /etc/vsftpd/vsftpd.conf:


local_enable=NO
Restricting User Accounts

The easiest way to disable a specific group of accounts, such as the root user and those with sudo privileges, from accessing an FTP server is to use a PAM list file. The PAM configuration file for vsftpd is /etc/pam.d/vsftpd. It is also possible to disable user accounts within each service directly. To disable specific user accounts in vsftpd, add the username to /etc/vsftpd.ftpusers.
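The following shell audit is an added example, not part of the original text: it checks a vsftpd.conf and the anonymous upload directory against the points above (a banner directive set, the upload directory write-only with mode 730, and local logins either disabled or at least root kept out via the ftpusers file). The config, upload directory and ftpusers paths are parameters so it can run on copies; it assumes GNU coreutils stat, and vsftpd_get / vsftpd_audit are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a vsftpd.conf against
# the hardening points above. Prints one line per finding, returns their count.
# Assumes GNU coreutils stat (Linux).

# vsftpd_get CONF KEY: print the value of a "KEY=value" line (vsftpd syntax).
vsftpd_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# vsftpd_audit CONF UPLOAD_DIR FTPUSERS
vsftpd_audit() {
    conf=$1
    upload=$2
    ftpusers=$3
    n=0

    # 1. Banner: the stock banner reveals the vsftpd version.
    if [ -z "$(vsftpd_get "$conf" ftpd_banner)" ] && [ -z "$(vsftpd_get "$conf" banner_file)" ]; then
        echo "no ftpd_banner or banner_file: default banner reveals the server version"
        n=$((n + 1))
    fi

    # 2. Anonymous upload: the drop directory must be write-only (mode 730,
    #    drwx-wx---) so uploaders cannot list or fetch what others left there.
    if [ "$(vsftpd_get "$conf" anon_upload_enable)" = YES ]; then
        mode=$(stat -c %a "$upload" 2>/dev/null)
        if [ "$mode" != 730 ]; then
            echo "anon_upload_enable=YES but $upload has mode '$mode', expected 730"
            n=$((n + 1))
        fi
    fi

    # 3. Local accounts send plaintext passwords; an absent local_enable counts
    #    as not explicitly disabled. If they stay enabled, root must be in ftpusers.
    if [ "$(vsftpd_get "$conf" local_enable)" != NO ]; then
        echo "local_enable is not NO: system users can log in with plaintext passwords"
        n=$((n + 1))
        if ! grep -qx root "$ftpusers" 2>/dev/null; then
            echo "root is not listed in $ftpusers"
            n=$((n + 1))
        fi
    fi
    return $n
}
```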

Use TCP Wrappers To Control Access

Use TCP wrappers to control access to either FTP daemon.