*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5950 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8002 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8003 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8899 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7777 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Wednesday, April 12, 2017
Tuesday, March 14, 2017
How to check Fibre Channel HBAs in Linux
Step-1: Determine the Manufacturer and Model of the HBAs.
Run the lspci command to list all PCI cards detected on the system.
# lspci | grep "Fibre Channel"
07:00.0 Fibre Channel: QLogic Corp. ISP2532-based 8Gb Fibre Channel to PCI Express HBA (rev 02)
0a:00.0 Fibre Channel: QLogic Corp. ISP2532-based 8Gb Fibre Channel to PCI Express HBA (rev 02)
The above output shows the system bus has detected two QLogic HBAs.
Step-2: Get the Vendor and Device IDs for the HBAs installed.
These can be obtained from the file /usr/share/hwdata/pci.ids
# vi /usr/share/hwdata/pci.ids
.....
1077 QLogic Corp.
2532 ISP2532-based 8Gb Fibre Channel to PCI Express HBA
.....
The vendor id for QLogic is 1077 and the device id is 2532. You can confirm this using the lspci -nn command as shown below:
# lspci -nn | grep "Fibre Channel"
07:00.0 Fibre Channel [0c04]: QLogic Corp. ISP2532-based 8Gb Fibre Channel to PCI Express HBA [1077:2532] (rev 02)
0a:00.0 Fibre Channel [0c04]: QLogic Corp. ISP2532-based 8Gb Fibre Channel to PCI Express HBA [1077:2532] (rev 02)
Step-3: Check if the driver modules are installed.
This can be done by searching the list of available modules. (Replace 2.6.18-308.el5PAE with your kernel version in the command below.)
# grep 1077 /lib/modules/2.6.18-308.el5PAE/modules.* | grep 2532
/lib/modules/2.6.18-308.el5PAE/modules.alias:alias pci:v00001077d00002532sv*sd*bc*sc*i* qla2xxx
/lib/modules/2.6.18-308.el5PAE/modules.pcimap:qla2xxx 0x00001077 0x00002532 0xffffffff 0xffffffff 0x00000000 0x00000000 0x0
The above output shows that this HBA is supported by the module qla2xxx.
Step-4: Check if the drivers for these HBAs are loaded in the kernel.
The lsmod command will list the currently loaded kernel modules:
# lsmod | grep qla2xxx
qla2xxx 1205905 0
scsi_transport_fc 44745 1 qla2xxx
scsi_mod 144277 16 be2iscsi, ib_iser, iscsi_tcp, bnx2i, libcxgbi, libiscsi2, scsi_transport_iscsi2, scsi_dh, sr_mod, sg, usb_storage, qla2xxx, scsi_transport_fc, libata,cciss, sd_mod
The output shows the module qla2xxx is loaded by the kernel. If you don't see any output from the lsmod command, you can load the module using modprobe:
# modprobe -v qla2xxx
Step-5: Getting detailed information
You can find detailed information about the fibre channel adapters in the location /sys/class/fc_host/
# ll /sys/class/fc_host/
drwxr-xr-x 3 root root 0 Feb 5 11:28 host3
drwxr-xr-x 3 root root 0 Feb 5 11:28 host4
The directories host3 and host4 in the example above contain information specific to each adapter, such as node name (WWN), port name (WWN), type, speed, state, etc. An easier way to get this information is to use the systool command.
# systool -c fc_host
Class = "fc_host"
Class Device = "host3"
Device = "host3"
Class Device = "host4"
Device = "host4"
The -v option gives you detailed output:
# systool -c fc_host -v host3
Class = "fc_host"
Class Device = "host3"
Class Device path = "/sys/class/fc_host/host3"
fabric_name = "0x50014380272531e9"
issue_lip = <store method only>
node_name = "0x50014380281412e9"
port_id = "0x0000e8"
port_name = "0x50014380281412e8"
port_state = "Online"
port_type = "LPort (private loop)"
speed = "8 Gbit"
supported_classes = "Class 3"
supported_speeds = "1 Gbit, 2 Gbit, 4 Gbit, 8 Gbit"
symbolic_name = "HPAK344A FW:v5.06.03 DVR:v8.03.07.09.05.08-k"
system_hostname = ""
tgtid_bind_type = "wwpn (World Wide Port Name)"
uevent = <store method only>
Device = "host3"
Device path = "/sys/devices/pci0000:00/0000:00:01.0/0000:07:00.0/host3"
edc = <store method only>
fw_dump =
nvram = "ISP "
optrom_ctl = <store method only>
optrom =
reset = <store method only>
sfp = ""
uevent = <store method only>
vpd = "&"
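As an added example that is not part of the original post, the following shell script does steps 2 and 3 for every FC HBA in one go: it takes the [vendor:device] ids from lspci -nn output and looks up the owning module in modules.alias. Both inputs are read from files so it runs offline against the constructed sample in demo; the non-FC device and the 1077:ffff HBA with no alias are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: map the [vendor:device] ids
# that "lspci -nn" prints for Fibre Channel HBAs to the kernel module claiming
# them, by matching the "alias pci:v....d....sv*sd*bc*sc*i* <module>" lines of
# modules.alias. Both inputs are files so the logic runs offline against
# constructed samples; on a live host feed it "lspci -nn" output and
# /lib/modules/$(uname -r)/modules.alias.

# fc_hba_modules LSPCI_NN_FILE MODULES_ALIAS_FILE
# prints one line per HBA: "<pci address> <vendor>:<device> <module|UNKNOWN>"
fc_hba_modules() {
    grep 'Fibre Channel' "$1" | while IFS= read -r line; do
        addr=${line%% *}
        # pull "1077:2532" out of "... [1077:2532] (rev 02)"
        ids=$(printf '%s\n' "$line" |
            sed -n 's/.*\[\([0-9a-fA-F]\{4\}\):\([0-9a-fA-F]\{4\}\)].*/\1:\2/p')
        [ -n "$ids" ] || continue
        vendor=${ids%%:*}
        device=${ids##*:}
        # modalias form: vendor and device padded to 8 hex digits; the real
        # file writes hex digits in upper case, hence the case-insensitive grep
        key="alias pci:v0000${vendor}d0000${device}sv"
        module=$(grep -i "^$key" "$2" | awk '{ print $3 }' | head -n 1)
        printf '%s %s:%s %s\n' "$addr" "$vendor" "$device" "${module:-UNKNOWN}"
    done
}

# demo: constructed inputs (the two QLogic lines from the post, one made-up
# non-FC device, and a made-up HBA id 1077:ffff that has no driver alias)
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/lspci.txt" <<'EOF'
07:00.0 Fibre Channel [0c04]: QLogic Corp. ISP2532-based 8Gb Fibre Channel to PCI Express HBA [1077:2532] (rev 02)
0a:00.0 Fibre Channel [0c04]: QLogic Corp. ISP2532-based 8Gb Fibre Channel to PCI Express HBA [1077:2532] (rev 02)
00:1f.2 SATA controller [0106]: Example Corp. constructed non-FC device [abcd:0001]
0b:00.0 Fibre Channel [0c04]: Example Corp. constructed HBA with no alias [1077:ffff]
EOF
    cat > "$tmp/modules.alias" <<'EOF'
alias pci:v00001077d00002532sv*sd*bc*sc*i* qla2xxx
alias pci:v0000ABCDd00000001sv*sd*bc*sc*i* constructed_sata
EOF
    fc_hba_modules "$tmp/lspci.txt" "$tmp/modules.alias"
    rm -rf "$tmp"
}

demo
```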
How to scan new FC LUNs and SCSI disks in Linux?
1. First find out how many disks are visible in "fdisk -l":
# fdisk -l 2>/dev/null | egrep '^Disk' | egrep -v 'dm-' | wc -l
2. Find out how many host bus adapters are configured in the Linux box. You can use "systool -c fc_host -v" to verify the available FC HBAs in the system.
# ls /sys/class/fc_host
host0 host1
In this case, you need to scan the host0 & host1 HBAs.
3. If the system virtual memory is too low, do not proceed further. If you have enough free virtual memory, you can proceed with the commands below to scan new LUNs.
# echo "1" > /sys/class/fc_host/host0/issue_lip
# echo "- - -" > /sys/class/scsi_host/host0/scan
# echo "1" > /sys/class/fc_host/host1/issue_lip
# echo "- - -" > /sys/class/scsi_host/host1/scan
Note: You need to monitor the "issue_lip" in /var/log/messages to determine when the scan completes; this operation is asynchronous.
4. Verify whether the new LUN is visible by counting the available disks.
# fdisk -l 2>/dev/null | egrep '^Disk' | egrep -v 'dm-' | wc -l
If any new LUNs were added, the count will be higher than before scanning.
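The following added shell script (not from the original post) wraps steps 3 and 4 for every HBA found under /sys/class/fc_host and prints the disks that appeared rather than a bare count; SYSFS_ROOT and SCAN_SETTLE are hypothetical knobs introduced so the logic can be tried against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not part of the original post: run steps 3 and 4 above for
# every FC HBA at once (echo 1 > issue_lip, then "- - -" > scsi_host/<host>/scan)
# and report which disks appeared rather than only a count. SYSFS_ROOT is a
# hypothetical override so the logic can be exercised against a constructed
# directory tree; on a real host leave it at /sys and run as root.

SYSFS_ROOT=${SYSFS_ROOT:-/sys}

# list_disks: "Disk /dev/sdX: ..." lines from fdisk -l, minus dm-* devices,
# reduced to the device path and sorted so two snapshots can be compared
list_disks() {
    fdisk -l 2>/dev/null | grep '^Disk /dev/' | grep -v 'dm-' |
        sed 's/^Disk \([^:]*\):.*/\1/' | sort
}

# rescan_fc_hosts: one LIP plus a full channel/target/LUN scan per HBA.
# Prints each host it touched; the scan itself completes asynchronously.
rescan_fc_hosts() {
    for hostdir in "$SYSFS_ROOT"/class/fc_host/host*; do
        [ -d "$hostdir" ] || continue
        host=${hostdir##*/}
        echo 1 > "$hostdir/issue_lip"
        echo "- - -" > "$SYSFS_ROOT/class/scsi_host/$host/scan"
        printf '%s\n' "$host"
    done
}

# new_disks BEFORE_FILE AFTER_FILE: device paths present in AFTER but not BEFORE
new_disks() {
    grep -vxF -f "$1" "$2" || :
}

# run_scan: snapshot, rescan, give the asynchronous scan SCAN_SETTLE seconds
# (constructed default of 10), then print what is new
run_scan() {
    before=$(mktemp) && after=$(mktemp) || return 1
    list_disks > "$before"
    rescan_fc_hosts
    sleep "${SCAN_SETTLE:-10}"
    list_disks > "$after"
    echo "disks before: $(wc -l < "$before"), after: $(wc -l < "$after")"
    new_disks "$before" "$after"
    rm -f "$before" "$after"
}

# only touch sysfs when explicitly asked: sh fc_rescan.sh --run
if [ "${1:-}" = "--run" ]; then run_scan; fi
```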
Monday, March 13, 2017
Some problems with MySQL & MariaDB
MySQL max_open_files more than 1024
Edit /etc/security/limits.conf and add the following lines:
Edit the file /usr/lib/systemd/system/mysqld.service (/usr/lib/systemd/system/mariadb.service for MariaDB) and /etc/systemd/system/mariadb.service.d/migrated-from-my.cnf-settings.conf
Add at the end:
LimitNOFILE=65535
LimitNPROC=65535
Sunday, March 12, 2017
Key VMware vSphere - vCenter
1. Key VMware vSphere 5.x Enterprise Plus Unlimited CPU:
2. Key VMware vSphere 5.x Enterprise Plus Unlimited VM:
3. Key VMware vSphere 6 Standard:
Thursday, March 9, 2017
Optimizing MySQL, intermediate results
Configuration options that made a huge difference compared to the default values:
1. Query cache must be enabled and configured
query_cache_type=1
query_cache_limit=1M
query_cache_size=256M
query_cache_min_res_unit=512
2. Various read and sort buffers must be set
key_buffer_size=128M
join_buffer_size=8M
myisam_sort_buffer_size=1M
sort_buffer_size=1M
read_buffer_size=4M
read_rnd_buffer_size=4M
3. Set InnoDB tables to be stored each in a separate file
innodb_file_per_table=1
4. Tweak MyISAM tables
myisam_use_mmap=1
Sunday, February 5, 2017
Coping with the TCP TIME-WAIT state on busy Linux servers
TL;DR: Do not enable net.ipv4.tcp_tw_recycle.
The Linux kernel documentation is not very helpful about what net.ipv4.tcp_tw_recycle does:
Enable fast recycling TIME-WAIT sockets. Default value is 0. It should not be changed without advice/request of technical experts.
Its sibling, net.ipv4.tcp_tw_reuse, is a little bit more documented but the language is about the same:
Allow to reuse TIME-WAIT sockets for new connections when it is safe from protocol viewpoint. Default value is 0. It should not be changed without advice/request of technical experts.
The mere result of this lack of documentation is that we find numerous tuning guides advising to set both these settings to 1 to reduce the number of entries in the TIME-WAIT state. However, as stated by the tcp(7) manual page, the net.ipv4.tcp_tw_recycle option is quite problematic for public-facing servers as it won't handle connections from two different computers behind the same NAT device, which is a problem hard to detect and waiting to bite you:
Sunday, December 18, 2016
Analyzing DDoS Attack with Nginx log
In this small post I would like to show a few useful commands to use if you are experiencing a DDoS attack. In my case, nginx is the front-end server. The access log format looks like this:
log_format main '$remote_addr — $remote_user [$time_local] "$host" "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" -> $upstream_response_time';
In the log file we’ll see something like this:
188.142.8.61 — - [14/Sep/2014:22:51:03 +0400] "www.mysite.com" "GET / HTTP/1.1" 200 519 "kiloccnp.com.vn/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.191602; .NET CLR 3.5.191602; .NET CLR 3.0.191602" "-" -> 0.003
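As an added example (not the post's own commands), the following shell functions pull the usual flood indicators out of a log written in the log_format above: requests per client address, per user agent, and client/minute pairs above a threshold. The sample log is constructed: one line modelled on the post's, plus a burst from the made-up address 10.0.0.7 with a made-up user agent.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise an access log written
# in the log_format above to find the sources behind a flood. write_sample
# builds a constructed log (one line modelled on the post's, plus a made-up
# burst from 10.0.0.7 with agent "constructed-bot/1.0"); point the functions at
# a real access.log path to analyse live traffic.

# top_clients LOG [N]: requests per $remote_addr, highest first
top_clients() {
    awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' "$1" | sort -rn | head -n "${2:-10}"
}

# top_agents LOG [N]: requests per $http_user_agent (8th field when split on '"')
top_agents() {
    awk -F'"' '{ c[$8]++ } END { for (ua in c) print c[ua], ua }' "$1" | sort -rn | head -n "${2:-10}"
}

# bursts LOG [THRESHOLD]: client/minute pairs with at least THRESHOLD requests;
# the minute is cut from "[14/Sep/2014:22:51:03 +0400]"
bursts() {
    awk -v t="${2:-100}" '{ k = $1 " " substr($4, 2, 17); c[k]++ }
        END { for (k in c) if (c[k] >= t) print c[k], k }' "$1" | sort -rn
}

# write_sample LOG: constructed input in the post's log_format
write_sample() {
    printf '%s\n' '188.142.8.61 - - [14/Sep/2014:22:51:03 +0400] "www.mysite.com" "GET / HTTP/1.1" 200 519 "kiloccnp.com.vn/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)" "-" -> 0.003' > "$1"
    i=0
    while [ "$i" -lt 6 ]; do
        printf '%s\n' "10.0.0.7 - - [14/Sep/2014:22:51:0$i +0400] \"www.mysite.com\" \"GET /?q=$i HTTP/1.1\" 200 519 \"-\" \"constructed-bot/1.0\" \"-\" -> 2.5$i" >> "$1"
        i=$((i + 1))
    done
}

demo() {
    log=$(mktemp) || return 1
    write_sample "$log"
    echo "== top clients ==";          top_clients "$log" 5
    echo "== top user agents ==";      top_agents "$log" 5
    echo "== bursts (>= 5/minute) =="; bursts "$log" 5
    rm -f "$log"
}

demo
```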