
Alpine Linux with Docker – node build tool updates

Smaller distros like Alpine just seem to make sense for containers.

Some build tools for node.js can be installed with:

apk --update add bash nano wget python make gcc g++

You can install these on a “build” container, create an artifact there, and transfer it to a sparse runtime box that has no build tools. See base images like mhart/alpine-node.

Basic HTTP Auth on Nginx

Quick set-up for basic authentication on Nginx.

Create the htpasswd file locally, or install the tools on the server via apt or yum, e.g.:

apt-get install apache2-utils
sudo htpasswd -c /etc/nginx/.htpasswd exampleuser

You will be prompted for the password.

Update your Nginx site config with:

auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;

Reload or restart Nginx

/etc/init.d/nginx reload
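As an added example (not part of the original post), the following shell script checks an htpasswd file the way a reviewer would before pointing auth_basic_user_file at it, and prints the matching Nginx location block. The file paths, user name and hash below are constructed samples:

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an htpasswd file
# before enabling it in Nginx, then emit the location block that uses it.
# Paths, user names and the hash value are constructed samples.

# Print the Nginx snippet for a protected location.
# $1 = location path, $2 = htpasswd file path.
nginx_auth_snippet() {
    printf 'location %s {\n' "$1"
    printf '    auth_basic "Restricted";\n'
    printf '    auth_basic_user_file %s;\n' "$2"
    printf '}\n'
}

# Return 0 if every non-empty line is "user:<hash>" with a recognised hash
# scheme (apr1/MD5, bcrypt, SHA1, crypt(3) SHA-256/512); return 1 if any
# entry is malformed or stores the password in plaintext.
htpasswd_entries_ok() {
    file=$1
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        user=${line%%:*}
        hash=${line#*:}
        case "$hash" in
            '$apr1$'*|'$2y$'*|'$2a$'*|'{SHA}'*|'$5$'*|'$6$'*) ;;
            *)  printf 'bad entry for user %s: unrecognised or plaintext hash\n' "$user" >&2
                status=1 ;;
        esac
    done < "$file"
    return "$status"
}

# Return 0 if the file is not readable by "other"; the web server should
# read it via its group (or as root), never as the world. Return 1 otherwise.
htpasswd_perms_ok() {
    if [ -n "$(find "$1" -perm -004 2>/dev/null)" ]; then
        printf '%s is world-readable; run: chmod 640 %s\n' "$1" "$1" >&2
        return 1
    fi
    return 0
}

# Both checks must pass before the file is wired into the site config.
htpasswd_check() {
    htpasswd_entries_ok "$1" && htpasswd_perms_ok "$1"
}

# Demo on a constructed file (the apr1 hash is a sample value, not a real secret).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/.htpasswd"
printf 'exampleuser:$apr1$rXqE5v3k$Q3Hc5M7m8vJ1ZfJ3f1xLk0\n' > "$demo_file"
chmod 640 "$demo_file"
if htpasswd_check "$demo_file"; then
    nginx_auth_snippet /admin /etc/nginx/.htpasswd
fi
rm -rf "$demo_dir"
```

Run htpasswd_check against the real file path on the server. Basic auth only base64-encodes the credentials and resends them on every request, so the protected location should be served over TLS only; keep the password file outside the document root, owned by root with group read for the Nginx worker account (nginx on CentOS, www-data on Debian). Note also that htpasswd -c creates and truncates the file, so drop -c when adding a second user.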

RAR on CentOS 7

sudo rpm -ivh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm
sudo yum -y install rar unrar

Iptables see specific table rules

List the rules of a specific iptables table; when no table is given, the filter table is listed. Add -v for verbose output (packet and byte counters, interfaces).

iptables --table nat --list

CentOS 7 / RHEL firewalld settings

CentOS 7 has adopted firewalld by default over the previous iptables, which requires some new steps to configure your firewall.

Rule Permanence

In firewalld, rules can be designated as either permanent or immediate. By default, adding or modifying a rule changes only the behavior of the currently running firewall; at the next boot the change is lost and the saved rules are restored.

Most firewall-cmd operations can take the --permanent flag to indicate that the non-ephemeral firewall should be targeted, i.e. the rule set that is loaded at boot. This separation means that you can test rules in your active firewall instance and simply reload to discard them if there are problems. You can also use the --permanent flag to build out an entire set of rules over time that will all be applied at once when the reload command is issued.

Some key take-aways:

  • check active zones: firewall-cmd --get-active-zones
  • use the --permanent flag for rules you want to persist across reloads: firewall-cmd --permanent --zone=public --add-service=https
  • add the service FOR EACH ZONE you want it in; leaving out the zone applies it to the default zone only

More info:

  • redhat.com – Security_Guide sec-Using_Firewalls
  • digitalocean – how-to-set-up-a-firewall-using-firewalld-on-centos-7
# CentOS/RHEL 7 Firewall:

# add service to zone:

$ firewall-cmd --permanent --zone=public --add-service=ssh

# reload to apply:

$ firewall-cmd --reload
# _or_ systemctl reload firewalld

# check:
$ sudo firewall-cmd --state
$ firewall-cmd --zone=public --list-all


## apache / httpd:
$ firewall-cmd --permanent --zone=public --add-service=http
$ firewall-cmd --permanent --zone=public --add-service=https
$ systemctl reload firewalld

More info:

http://linuxmanpages.net/manpages/fedora20/man5/firewalld.zone.5.html

http://searchdatacenter.techtarget.com/tip/A-few-ways-to-configure-Linux-firewalld?abRg=f

https://www.certdepot.net/rhel7-get-started-firewalld/

https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos

Example: exposing MySQL on ports 3306 and 3307 to the LAN only (eth1 in this case, placed in the “dmz” zone).

Pre-configured services are in /etc/firewalld/services (or similar); you can create your own service definition there, as the mysql-ro example further down shows:

firewall-cmd --zone=public --change-interface=eth0 --permanent
firewall-cmd --zone=dmz --change-interface=eth1 --permanent

firewall-cmd --zone=dmz --permanent --add-service=mysql
firewall-cmd --zone=dmz --permanent --add-service=mysql-ro

# verify:
firewall-cmd --permanent --zone=public --list-all
firewall-cmd --permanent --zone=dmz --list-all

firewall-cmd --reload

# if any network settings were updated:
# NOTE: may disrupt network, take care on a production machine
systemctl restart network.service

# to make sure firewalld settings are updated:
systemctl restart firewalld.service

mysql-ro (port 3307) service: /etc/firewalld/services/mysql-ro.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>MySQL</short>
  <description>MySQL Database Server - secondary port</description>
  <port protocol="tcp" port="3307"/>
</service>
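Added example, not the page's own code: a small shell script that generalises the mysql-ro definition above to any port and protocol, writes it out as a service file, and prints the firewall-cmd sequence for each zone as a dry run so it can be read before anything is applied. Service names, ports, zones and interface names are constructed samples; on a real host the output directory would be /etc/firewalld/services (firewalld's built-in definitions live in /usr/lib/firewalld/services and a same-named file under /etc overrides them). Firewalld only notices a hand-written service file after a reload, so the demo reloads once before the --add-service calls:

```shell
#!/bin/sh
# Added example, not from the original post: generate a custom firewalld
# service definition for an extra port and print, as a dry run, the
# firewall-cmd sequence that publishes services to a zone. Nothing here
# touches the live firewall; names, ports, zones and interfaces are samples.

# Return 0 if $1 is a valid port number (1-65535, digits only).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit a firewalld service definition on stdout.
# $1 = service name, $2 = port, $3 = protocol (tcp|udp), $4 = description.
fw_service_xml() {
    valid_port "$2" || { printf 'invalid port: %s\n' "$2" >&2; return 1; }
    case "$3" in
        tcp|udp) ;;
        *) printf 'invalid protocol: %s\n' "$3" >&2; return 1 ;;
    esac
    printf '<?xml version="1.0" encoding="utf-8"?>\n'
    printf '<service>\n'
    printf '  <short>%s</short>\n' "$1"
    printf '  <description>%s</description>\n' "$4"
    printf '  <port protocol="%s" port="%s"/>\n' "$3" "$2"
    printf '</service>\n'
}

# Write the definition to $1/<name>.xml (on a real host $1 would be
# /etc/firewalld/services) and print the path. Refuses to overwrite an
# existing file so an earlier custom service is never clobbered silently.
fw_write_service() {
    dir=$1; shift
    out="$dir/$1.xml"
    [ -e "$out" ] && { printf 'refusing to overwrite %s\n' "$out" >&2; return 1; }
    fw_service_xml "$@" > "$out" || { rm -f "$out"; return 1; }
    printf '%s\n' "$out"
}

# Print the firewall-cmd sequence for one zone: bind the interface, open
# each service permanently, reload, then list the zone to verify.
# $1 = zone, $2 = interface, remaining args = service names.
fw_zone_plan() {
    zone=$1; iface=$2; shift 2
    printf 'firewall-cmd --permanent --zone=%s --change-interface=%s\n' "$zone" "$iface"
    for svc in "$@"; do
        printf 'firewall-cmd --permanent --zone=%s --add-service=%s\n' "$zone" "$svc"
    done
    printf 'firewall-cmd --reload\n'
    printf 'firewall-cmd --zone=%s --list-all\n' "$zone"
}

# Demo: a secondary MySQL port written to a scratch directory, then the
# plan for a public (eth0) zone and a LAN-facing dmz (eth1) zone.
demo_dir=$(mktemp -d)
fw_write_service "$demo_dir" mysql-ro 3307 tcp 'MySQL Database Server - secondary port'
cat "$demo_dir/mysql-ro.xml"
printf '# a hand-written service file is only visible after a reload:\n'
printf 'firewall-cmd --reload\n'
fw_zone_plan public eth0 ssh https
fw_zone_plan dmz eth1 mysql mysql-ro
rm -rf "$demo_dir"
```

Pipe the printed plan into a shell only after reading it. Because --permanent on its own changes nothing until the reload, the public and dmz zones can be staged together and each verified with --list-all before the network service is restarted.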