Nagios Checker for Firefox
April 8, 2008 – 3:09 pm
Just found that - very handy. You can download it from here.
Attached screenshot shows it in action (yeah, we had a power outage).
I already forgot what I wanted to type here…
Solaris IPMP provides resilience from network adapter failure by detecting the failure or repair of a network adapter and switching the network address to and from the alternative adapter. Moreover, when more than one network adapter is functional, Solaris IPMP increases data throughput by spreading outbound packets across adapters.
Setting up IPMP is quite easy. Let's assume that we have 2 network adapters, e1000g0 and e1000g1, both in the same network (10.0.0.0/24). First of all, we have to add entries to the /etc/hosts file:
10.0.0.1 server-e1000g0
10.0.0.2 server-e1000g1
10.0.0.3 server-mgmt
Make sure that the correct netmask is set in /etc/netmasks, for example:
10.0.0.0 255.255.255.0
Then we have to create 2 files. The first is /etc/hostname.e1000g0:
server-e1000g0 netmask + broadcast + group mgmt deprecated -failover up addif server-mgmt netmask + broadcast + failover up
and /etc/hostname.e1000g1:
server-e1000g1 netmask + broadcast + group mgmt deprecated -failover standby up
That's it: IPMP is configured. Remember to add some static routes if you have more than one network configured on your Solaris box. It's just to keep IPMP happy.
Solaris 10 runs a lot of network services by default, which is unacceptable nowadays.
This document describes how to disable these services and also tune some parameters of the TCP/IP stack in order to avoid DDoS network floods and globally increase network security.
1. Disable unneeded network services:
svcadm disable bind \
rpc_ticotsord \
rpc_tcp \
rpc_udp \
autofs \
sendmail \
telnet \
ftp \
finger \
svc:/network/login:rlogin \
svc:/network/shell:default \
xfs \
ktkt_warn \
stfsloader
2. Edit the file /lib/svc/method/net-init and add these lines after the ISS generation:
# Change this to 2, as it's probably set to 1 by default.
/usr/sbin/ndd -set /dev/tcp tcp_strong_iss 2
# Combat ARP DOS attacks by flushing entries faster.
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000
/usr/sbin/ndd -set /dev/ip ip_ire_arp_interval 60000
# Combat ICMP DOS attacks by ignoring them.
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
/usr/sbin/ndd -set /dev/ip ip6_respond_to_echo_multicast 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
# Ignore redirect requests. These change routing tables.
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/ip ip6_ignore_redirect 1
# Don't send redirect requests. This is a router function.
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0
/usr/sbin/ndd -set /dev/ip ip6_send_redirects 0
# Don't respond to timestamp requests. This may break rdate on some systems.
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
# If a packet isn't for the interface it came in on, drop it.
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ndd -set /dev/ip ip6_strict_dst_multihoming 1
# Don't forward broadcasts.
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
# Don't forward source routed packets.
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
/usr/sbin/ndd -set /dev/ip ip6_forward_src_routed 0
# Combat SYN flood attacks.
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 8192
# Combat connection exhaustion attacks.
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024
# Don't forward reverse source routed packets.
/usr/sbin/ndd -set /dev/tcp tcp_rev_src_routes 0
# Combat IP DOS attacks by decreasing the rate at which errors are sent.
/usr/sbin/ndd -set /dev/ip ip_icmp_err_interval 1000
/usr/sbin/ndd -set /dev/ip ip_icmp_err_burst 5
To apply the changes and update the system configuration, restart the initial network service:
svcadm restart initial
3. On SPARC servers ONLY, add these two lines to /etc/system to disallow execution of instructions on the stack. The changes take effect only after a reboot:
set noexec_user_stack=1
set noexec_user_stack_log=1
4. Change the value of TCP_STRONG_ISS to 2 in the /etc/default/inetinit file.
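A way to confirm that the values from step 2 are actually in effect after the restart, written for this page as an added example (not part of the original post): it parses `ndd -set` lines and compares each one with what `ndd -get` reports. `sample_baseline` and `sample_get` are constructed stand-ins so the script runs offline; on Solaris 10 run it under ksh or bash and feed it your own file of `ndd -set` lines.

```shell
# Added example (not from the original post); sample_* are constructed stand-ins.
# Turn "ndd -set <dev> <param> <value>" lines into triples; skip commented-out lines.
parse_baseline() {
    awk '$1 !~ /^#/ && $2 == "-set" && NF == 5 { print $3, $4, $5 }'
}
# Live reader for a Solaris host: prints one parameter's current value.
ndd_get() { /usr/sbin/ndd -get "$1" "$2"; }

# audit_ndd [GETTER] < baseline: one OK/DRIFT line per parameter, status 1 on drift.
audit_ndd() {
    getter=${1:-ndd_get}; rc=0
    triples=$(parse_baseline)
    while read -r dev param want; do
        [ -n "$dev" ] || continue
        have=$("$getter" "$dev" "$param" </dev/null 2>/dev/null) || have=unreadable
        if [ "$have" = "$want" ]; then
            echo "OK    $dev $param = $have"
        else
            echo "DRIFT $dev $param want=$want have=$have"; rc=1
        fi
    done <<EOF
$triples
EOF
    return $rc
}

# Constructed sample: baseline lines in the form added to net-init.
sample_baseline() {
    cat <<'EOF'
# Ignore redirect requests. These change routing tables.
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 8192
/usr/sbin/ndd -set /dev/tcp tcp_strong_iss 2
EOF
}

# Constructed stand-in for ndd_get: a host where two settings did not take effect.
sample_get() {
    case "$1 $2" in
        "/dev/ip ip_ignore_redirect")    echo 1 ;;
        "/dev/ip ip_forward_src_routed") echo 0 ;;
        "/dev/tcp tcp_conn_req_max_q0")  echo 1024 ;;
        "/dev/tcp tcp_strong_iss")       echo 1 ;;
        *) return 1 ;;
    esac
}

sample_baseline | audit_ndd sample_get || echo "baseline drift detected"
```

On a real host, drop the getter argument so the live reader is used: `audit_ndd < your-baseline-file`.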
Solaris 10 comes with a powerful command called ‘zpool’. It configures ZFS storage pools. A storage pool is a collection of devices that provides physical storage and data replication for ZFS datasets.
All datasets within a storage pool share the same space.
Let’s create our first ZFS pool. As stated in the manual, ZFS can use individual slices or partitions, though using whole disks is recommended.
root@server # zpool create samplepool cXdXsX
or, if we have 2 disks to mirror:
root@server # zpool create samplepool mirror cXdXsX cYdYsY
If we don’t specify the mountpoint (-m /mountpoint), /poolname (in this case /samplepool) will be used.
You can use:
root@server # zpool iostat -v samplepool
and/or
root@server # zpool list
commands to verify.
Now let’s have a look at the ZFS datasets:
root@server # zfs list
NAME USED AVAIL REFER MOUNTPOINT
samplepool 6.0G 192G 270M /samplepool
As we can see, there is one dataset already created, with 192GB of available space. Now we want to create an additional ZFS dataset for the log files with a 2GB quota on it.
root@server # zfs create samplepool/sample_dataset
root@server # zfs set mountpoint=/usr/local/sample_dataset samplepool/sample_dataset
root@server # zfs set quota=2g samplepool/sample_dataset
Here we go! It’s already done! We can verify this using:
root@server # zfs list
NAME USED AVAIL REFER MOUNTPOINT
samplepool 16.4G 192G 270M /samplepool
samplepool/sample_dataset 2.0G 24K 2.0G 1% /usr/local/sample_dataset
or
root@server # df -kh | grep sample
samplepool 209G 270M 192G 1% /samplepool
samplepool/sample_dataset 2.0G 24K 2.0G 1% /usr/local/sample_dataset
Pretty easy, isn’t it?