Aug 27 2014

I have several Xen and KVM VPS servers and they all suffer from the same problem of “nf_conntrack: table full, dropping packet”, but it’s an easy fix.

You can check the current value of nf_conntrack_max:
cat /proc/sys/net/nf_conntrack_max
The default is 65535, but all mine were set to 15000.

Now increase nf_conntrack_max:
echo 100000 > /proc/sys/net/nf_conntrack_max
If you check again it should now show the new value.

To make the change permanent, add the following to the bottom of /etc/sysctl.conf:
net.nf_conntrack_max = 100000

Please note that the path to “nf_conntrack_max” differs between Linux distributions; the above works for CentOS.
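To keep an eye on the table before packets start getting dropped, here is an added example (not part of the original post) that reports how full the conntrack table is and counts “table full, dropping packet” lines in kernel log output; the net/netfilter paths and the sample log lines are assumptions/constructed data.

```python
"""Added example, not part of the original post: report conntrack table usage
and count "table full, dropping packet" lines in kernel log output.
The net/netfilter paths and the sample log lines are assumptions/constructed."""
import re

# The post's CentOS path first; the net/netfilter location is an assumption
# for kernels that expose the table there instead.
MAX_PATHS = ["/proc/sys/net/nf_conntrack_max",
             "/proc/sys/net/netfilter/nf_conntrack_max"]
COUNT_PATHS = ["/proc/sys/net/netfilter/nf_conntrack_count"]
TABLE_FULL = re.compile(r"nf_conntrack: table full, dropping packet")

# Constructed sample kernel log lines, in the shape the post quotes.
SAMPLE_DMESG = [
    "Aug 27 09:15:01 vps1 kernel: nf_conntrack: table full, dropping packet",
    "Aug 27 09:15:01 vps1 kernel: nf_conntrack: table full, dropping packet",
    "Aug 27 09:15:03 vps1 kernel: eth0: link is up",
]


def read_first(paths):
    """Integer value from the first readable path, or None if none can be read."""
    for path in paths:
        try:
            with open(path) as fh:
                return int(fh.read().strip())
        except (OSError, ValueError):
            continue
    return None


def headroom(count, maximum, warn_pct=80):
    """(percent of the table in use, above the warning line?)."""
    if maximum <= 0:
        raise ValueError("nf_conntrack_max must be positive")
    pct = 100.0 * count / maximum
    return round(pct, 1), pct >= warn_pct


def count_table_full(log_lines):
    """How many log lines record a packet dropped because the table was full."""
    return sum(1 for line in log_lines if TABLE_FULL.search(line))


if __name__ == "__main__":
    print(f"table-full events in sample log: {count_table_full(SAMPLE_DMESG)}")
    cur_max, cur_count = read_first(MAX_PATHS), read_first(COUNT_PATHS)
    if cur_max is None or cur_count is None:
        print("conntrack counters not readable on this host")
    else:
        pct, warn = headroom(cur_count, cur_max)
        print(f"{cur_count}/{cur_max} entries in use ({pct}%)" + (" WARNING" if warn else ""))
```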

Aug 26 2014

I’ve been playing around and getting to know CentOS 7 and have decided I prefer iptables (over firewalld), which I have been using for the last few years, so here’s how to swap firewalld for iptables.

Disable Firewalld Service.
systemctl disable firewalld
Stop Firewalld Service.
systemctl stop firewalld
Now we install the iptables services.
yum -y install iptables-services
Start iptables at boot.
systemctl enable iptables
Start ip6tables at boot. (skip if you don’t use IPv6)
systemctl enable ip6tables
Finally we start iptables.
systemctl start iptables
And start ip6tables. (skip if you don’t use IPv6)
systemctl start ip6tables

Now our firewall uses iptables and we can add our rules like we always have.

Jul 07 2014

CentOS 7 has now been released to the public.

The release announcement can be found here: http://lists.centos.org/pipermail/centos-announce/2014-July/020393.html
The release notes can be found here: http://wiki.centos.org/Manuals/ReleaseNotes/CentOS7
The fastest way to download is via torrent; I’m currently seeding all the images available, am pushing approx. 300Mbps (megabits per second) across my servers and have done 200GB+ of bandwidth in under 3 hours.

I will be updating most of my servers over the next few weeks/months and will start updating my tutorials again, happy testing.

Apr 23 2014

This site is now available over https, and here’s what I did to get the certificate.

Generating a Certificate Signing Request (CSR) using OpenSSL

To generate a private key and a public Certificate Signing Request (CSR) for a webserver, use the following command:

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr

This creates two files. The file myserver.key contains a private key; do not disclose this file to anyone. Carefully protect the private key.

In particular, be sure to back up the private key, as there is no means to recover it should it be lost. The private key is used as input to the command that generates the Certificate Signing Request (CSR).

You will now be asked for the details to be entered into your CSR.

For some fields there will be a default value; if you enter ‘.’, the field will be left blank.


    Country Name (2 letter code) [AU]: GB
    State or Province Name (full name) [Some-State]: Yorks
    Locality Name (eg, city) []: York
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
    Organizational Unit Name (eg, section) []: IT
    Common Name (eg, YOUR name) []: mysubdomain.mydomain.com
    Email Address []:

Please enter the following ‘extra’ attributes to be sent with your certificate request

    A challenge password []: 
    An optional company name []:

Use the name of the web server as the Common Name (CN). If the domain is mydomain.com, use the host name with the domain appended (the fully qualified domain name), e.g. for this site I used www.webstershome.co.uk

The fields email address, optional company name and challenge password can be left blank for a webserver certificate.

Your CSR will now have been created. Open server.csr in a text editor and copy and paste its contents into the online enrollment form when requested.

Purchase SSL Certificate

Now go and buy your certificate from your favourite supplier; I used https://www.ssls.com/ to purchase my SSL certificate from Comodo.

Install SSL Certificate

Depending on where you got your certificate, you will receive a zip file containing yourDomainName.crt (your certificate) and one or more .crt files forming the certificate trust chain, which should be combined into a single .pem file.

The easiest way to do that is to open a text editor (such as Notepad++) and paste the entire body of each certificate into one text file.
Make sure you include the BEGIN and END lines of each certificate. The result should look like this:


-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: Intermediate1.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: Intermediate2.crt)
-----END CERTIFICATE-----

There is no need to include the trusted root certificate, as your browser already has it; a browser so old that it doesn’t have the root won’t trust the chain anyway.
Note: Save the combined file as “yourDomainName_ca_bundle.pem”. The .pem file is now ready to use.
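Hand-pasting several .crt files into one .pem is where chain errors usually start, so here is an added example (not from the original post) that splits a combined bundle back into its certificate blocks and rejects a missing or mismatched BEGIN/END line or a corrupted body; the sample bundle is constructed from dummy bytes, not real certificates.

```python
"""Added example, not part of the original post: split a combined CA bundle
(yourDomainName_ca_bundle.pem) into its blocks and reject hand-pasting mistakes.
The sample bundle below is constructed from dummy bytes, not real certificates."""
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_pem_bundle(text):
    """Return the DER bytes of each certificate block, in file order.

    Raises ValueError on a BEGIN inside an open block, an END without BEGIN,
    a missing final END, or a body that is not valid base64."""
    certs, body = [], None          # body is None while outside a block
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:
                raise ValueError(f"line {lineno}: BEGIN inside an open block")
            body = []
        elif line == END:
            if body is None:
                raise ValueError(f"line {lineno}: END without BEGIN")
            try:
                certs.append(base64.b64decode("".join(body), validate=True))
            except ValueError as exc:
                raise ValueError(f"block ending at line {lineno}: bad base64") from exc
            body = None
        elif body is not None and line:
            body.append(line)
    if body is not None:
        raise ValueError("last block is missing its END line")
    if not certs:
        raise ValueError("no certificate blocks found")
    return certs


def build_bundle(der_blobs):
    """Inverse operation: wrap DER blobs as PEM blocks, 64 characters per line."""
    out = []
    for der in der_blobs:
        b64 = base64.b64encode(der).decode()
        out += [BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END]
    return "\n".join(out) + "\n"


# Constructed sample: two "intermediate" blobs of dummy bytes, not real certs.
SAMPLE_BUNDLE = build_bundle([b"intermediate-1 dummy DER " * 4,
                              b"intermediate-2 dummy DER " * 4])
```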

Now we can set up Apache to use it. As I use Virtualmin, I go to the Manage SSL Certificate page for my domain, go to the CA Certificate page and upload “yourDomainName_ca_bundle.pem”, then go to the Update Certificate and Key page and upload “yourDomainName.crt” and the private key “myserver.key”.

If you don’t use Virtualmin you need to manually add this to the virtual host section of /etc/httpd/conf/httpd.conf:

SSLEngine on
SSLCertificateKeyFile /etc/ssl/myserver.key
SSLCertificateFile /etc/ssl/yourDomainName.crt
SSLCertificateChainFile /etc/ssl/yourDomainName_ca_bundle.pem

Testing

You should now be running with your new certificate; go and check your setup using https://www.ssllabs.com/ssltest/

You’re looking to get at least an A-, otherwise you need to fix things; also make sure it says your certificate is trusted and valid and that there are no chain issues.

Now it’s time to test your website for any errors; you’re looking to make sure you get the padlock symbol and no errors.
The most common error is linking to images. You need to make sure any images can be reached over https. As an example, on this site I use relative links, which means I don’t include the “http://www.webstershome.co.uk” part of the link; I just have “/image/pic1.jpg”, and that way the image works over both http and https.
The next issue is likely to be your CSS and JS files, which need the same treatment.
If you use a CDN service you need to make sure they allow https connections as well.

Apr 14 2014

In this blog post I’ll try to explain what IPv6 is and how I set up the server to use it.

What is IPv6? IPv6 is pretty much the same as IPv4, which is what is primarily used on the internet today. The big difference is the size of the address: an IPv6 address is 128 bits long vs 32 bits for IPv4. IPv6 addresses are also written in hex, whereas IPv4 only uses decimal values, so you will see the digits 0-9 and the letters A-F in an IPv6 address.

Why do we need IPv6? Simply put, we are running out of IPv4 addresses. There are roughly 4.2 billion (4,294,967,296 to be precise) unique IPv4 addresses, whereas IPv6 has 340,282,366,920,938,463,463,374,607,431,768,211,456 unique addresses; I’ll let you work out how many that is.

So what do IPv6 addresses look like? An IPv6 address looks like this: 2001:0470:1f09:0d2b:0000:0000:0000:0300. It can be shortened by removing the leading zeros from each group, and one run of consecutive all-zero groups can be replaced with ::, so this address becomes 2001:470:1f09:d2b::300. :: means that the gap is filled with zero groups, and it can only be used once in an address.

When using IPv6 the minimum allocation you are given is a /64, which gives you 18,446,744,073,709,551,616 unique IPv6 addresses; that’s way more than enough for the average person, but some places will allow you to request a /48, which gives you 1,208,925,819,614,629,174,706,176 unique IPv6 addresses. Now compare that to the one IPv4 address most people are given.
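As an added example (not from the original post), here are the shortening rules above implemented in Python and checked against the standard library’s ipaddress module, together with the prefix-size arithmetic behind the /64 and /48 figures.

```python
"""Added example, not part of the original post: the IPv6 shortening rules
(strip leading zeros per group, collapse the longest zero run with :: once),
checked against the standard library, plus the address count of a prefix."""
import ipaddress


def expand(addr):
    """Full form: eight 4-digit hex groups, e.g. 2001:0470:1f09:0d2b:0000:..."""
    head, sep, tail = addr.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    too_many = len(left) + len(right) > 7 if sep else len(left) != 8
    if too_many or any(len(g) > 4 for g in left + right):
        raise ValueError(f"malformed IPv6 address: {addr}")
    groups = left + ["0"] * (8 - len(left) - len(right)) + right
    return ":".join(f"{int(g, 16):04x}" for g in groups)   # int() rejects junk


def compress(addr):
    """Shortest form per RFC 5952: leftmost longest run of >= 2 zero groups becomes ::."""
    groups = [f"{int(g, 16):x}" for g in expand(addr).split(":")]
    best_start, best_len, start = -1, 0, None
    for i, g in enumerate(groups + ["end"]):      # sentinel closes a trailing run
        if g == "0" and start is None:
            start = i
        elif g != "0" and start is not None:
            if i - start > best_len:
                best_start, best_len = start, i - start
            start = None
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def addresses_in(prefix_len):
    """Number of addresses in a prefix: 2**(128 - prefix_len), so a /64 is 2**64."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length must be 0..128")
    return 2 ** (128 - prefix_len)


if __name__ == "__main__":
    for a in ["2001:0470:1f09:0d2b:0000:0000:0000:0300", "::1", "1:0:0:1:0:0:0:1"]:
        print(f"{a} -> {compress(a)} (stdlib: {ipaddress.IPv6Address(a)})")
    print(f"/64 holds {addresses_in(64):,} addresses, /48 holds {addresses_in(48):,}")
```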

Now on to setting up the server to use IPv6. As one of my server providers doesn’t offer native IPv6 yet, I have to use a tunnel service. You can find a few different providers, but I chose Hurricane Electric IPv6 Tunnel Broker as I heard good things about their support and their tunnel server is located very close to my server (an average of 1-2ms away).

So first off, sign up for an account (it’s free). Time to create our first tunnel: click on “Create Regular Tunnel” and it should automatically select the closest tunnel server to use (you can override this if need be). Now input the IPv4 address where the tunnel will terminate, i.e. 192.168.0.200 (make sure it’s the server’s public IPv4 address), then click “submit”. It will then create the tunnel and show you all the info you need to set up on the server; at the bottom of the page there is a drop-down box where you can get the config info for different operating systems.

As I want it to connect to the tunnel server automatically after reboots, I need to add it to the config file manually (this is for CentOS 6.x).

Create or edit “/etc/sysconfig/network-scripts/ifcfg-sit1”:

NAME=""
BOOTPROTO=none
IPV6TUNNELIPV4=216.66.80.26
IPV6INIT=yes
DEVICE=sit1
MTU=""
NETMASK=""
IPV6TUNNELIPV4LOCAL="192.168.0.200"
BROADCAST=""
IPV6ADDR="2001:470:1f08:d2b::2/64"
IPADDR=""
NETWORK=""
ONBOOT=yes

Obviously change “IPV6TUNNELIPV4” to the IP of the tunnel server, “IPV6TUNNELIPV4LOCAL” to your server’s IPv4 address and “IPV6ADDR” to the “Client IPv6 address”; you will find all the info on the details page of your tunnel.

Then I added the following to “/etc/sysconfig/network-scripts/ifcfg-eth0”:

IPV6INIT=yes
IPV6ADDR=2001:470:1f09:d2b::300/64
IPV6ADDR_SECONDARIES="2001:470:1f09:d2b::220/64 2001:470:1f09:d2b::200/64"

“IPV6ADDR” is the main IPv6 address for the network adapter and “IPV6ADDR_SECONDARIES” specifies any extra addresses you want to use on the same server. If like me you’re using Webmin/Virtualmin, it will automatically add new IPv6 addresses to “IPV6ADDR_SECONDARIES” when you create them.

UPDATE – When I set up my new server I had to edit “/etc/sysconfig/network” and add the following:

IPV6_DEFAULTDEV=sit1

You could also set up the server to act as a router and give other devices on your network IPv6 addresses, but I don’t need that here (I have done that at home); just use Google to find the extra info you need for it to act as a router.

Your server should now be accessible over IPv6; test by pinging a few different IPv6-enabled sites and then remember to set up your firewall. Here’s a link to a quick example: IPv6 Firewall For Linux. Google also has loads of others.