Symantec BackupExec 2010, RALUS and Centos 5 Works
Whew, what a pain this has been.
Always had a heck of a time with BackupExec 12.5 and below backing up CentOS versions. I think early versions of RALUS were operational and worked back in the BackupExec 8-10.5 days prior to Symantec's acquisition of Veritas. But it has never been really easy to get this going well and to incorporate a RedHat-like but not RedHat system into the BackupExec remote client world. Bring in 64-bit CentOS, and it got even more of a pain.
Well, now it seems it is possible and repeatable with Symantec BackupExec 2010. The change in naming conventions off the versions to years (even though everyone else is going back to the versions and moving off of years now!) signifies some code investment from Symantec in what must be a cash-cow for them in BackupExec.
We have a few Windows 2003 and 2008 servers along with some OS X 10.5.x servers and are backing them up to an LTO3 library on a 2008 server. We made the move to BackupExec 2010 recently to try and shake some of the lingering issues with the rehashed 12.5 code and the makeshift RALUS client patches for Unix, Linux and Mac clients that Symantec seems to have inherited and continued.
It seems you need to disable IPv6 to get the negotiation to happen correctly, on top of the obvious IPTables configurations to allow TCP ports 10000 and 6101 to communicate between the BackupExec Server and your RALUS client.
Disabling IPv6 on CentOS (run all as root or you can sudo everything below)
- in /etc/sysconfig/network you need to add
NETWORKING_IPV6=no
- in /etc/modprobe.conf add:
alias ipv6 off
alias net-pf-10 off
- make sure ip6tables is disabled at startup
/sbin/chkconfig ip6tables off
After all of that, give your network a restart
/etc/init.d/network restart
Then run the RALUS install from the Symantec BE 2010 download. If you have issues during the install and possibly have multiple network interfaces straddling different networks, try IP addresses in lieu of hostnames. Also, on the BE 2010 server, restart all the services. Starting the RALUS client on CentOS 5 is
/etc/init.d/VRTSralus.init start
or
/etc/init.d/VRTSralus.init restart
More Complex GUI IPTables Setup for CentOS 5.x with Bastille Linux
We have a few CentOS boxes and require a little more IPTables tweaking than the standard security setup in the GUI. I could go into the IPTables config files, but I am more than a little rusty on the logic for IPTables. So, I went back to an old stand-by to config the multiple interfaces on a couple of my CentOS boxes.
http://bastille-linux.sourceforge.net
Download the RPM and install it.
sudo rpm -i Bastille-3.2.1-0.1.noarch.rpm
You can get perl-tk and perl-curses via CPAN. I know DAG's RPMForge is just about standard now, but I prefer going to source if it is not standard. Of course, yum and the RPM model is basically kind of a pain now if you are used to apt-get in Debian/Ubuntu systems. I suppose the DAG RPMForge makes it a little less painful. But CPAN is great.
You can do a couple of commands to get the pre-reqs for the graphical Bastille hardener. I would make sure you do these via the server console inside a gnome session. You get quite a sight to watch on the Tk install.
sudo cpan install Tk
and
sudo cpan install Curses
I ended up having to do a force install on Tk because I failed some of the Tk install tests in the GUI. Anyway, no problem. This will get you what you need to then run
sudo bastille -x
I tend to run it via the console, but you should do it via ssh -X. Bastille comes in VERY handy when you have to do some IPTables configs for multiple network interfaces and you want different rules for different interfaces. Firestarter is another nice GUI tool when you don't want to get into tables configs yourself.
Problems with Lacie iamakey USB Flash Drives fixed

I really like the design of the Lacie iamakey and related USB flash memory sticks that look like actual keys. I was thinking about moving off the consistent performers I issue to employees, faculty and staff from Sandisk. So, I got an 8 gig and 32 gig to test over the last couple of months.
I am constantly moving files between Macs, Windows and Linux workstations and servers, so they really can take a pounding. The Sandisk Cruzer models are really solid once you get rid of the software that comes with them through their uninstallers. Initially, the Lacie iamakey USB drives gave me a lot of problems. I need to format them as FAT32 so I can have read/write on the operating systems I am hitting.
The crazy thing is when I would copy large amounts of files (say many software installers for Office, Adobe, etc.) they would take the write just fine, but when I brought them to another Mac or Windows machine, the partition/format would not be read. I reformatted many times on the Mac and over the course of a few weeks still had constant issues with all operating systems.
It wasn't until I did a low-level format of the drive on Windows (not a quick format) that the FAT32 partition stuck. I have been using it now for a week or so without problems between OS X, Windows XP, Windows 2003, Windows 2008, CentOS and Ubuntu. Performance is great now.
So, if you are having issues, try a solid low-level format and I think you will have better results. It will take some time. The 32 gig took an hour or two I believe, but you will be happy you did.
Denyhosts is your friend to stop ssh login attempts

If you have a few Linux servers that for whatever reason you have to leave open to ssh on the standard port 22, denyhosts is a great way to get rid of the annoying daily logwatch emails showing some losers somewhere have been spending all day doing a denial of service trying to brute-force attack their way in to ssh. Better ways are to not even let ssh be accessible to non-legit IPs and to disable ssh logins except for a couple of valid users. But in the case of mobile devices, locations, etc. you just sometimes need to have the ability to ssh into servers from anywhere, and other services might be dependent on the default port number, so changing it to get it out of the range of the script-kiddie or Russian mafia is just not an option. It is one thing to have secure passwords, keys, etc. but just the fact they continue to bang on your servers can really rack up bandwidth and annoyance.
Denyhosts is written in Python and works with your logs to (based on your settings) inhibit attempts once the thresholds you configure are met on login attempts. Really cool.
http://denyhosts.sourceforge.net
I have tested on Ubuntu and CentOS and it works great. The default configs are basically ready for CentOS/Fedora/RedHat out of the rpm or from source.
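The threshold idea described above, as an added example that is not DenyHosts' own code and not from the original post: it counts failed sshd logins per source address in /var/log/secure-style lines and returns the addresses that would go into /etc/hosts.deny. The threshold values, function names and the constructed sample log are assumptions made for illustration.

```python
import re
from collections import Counter

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Syslog header as found in /var/log/secure; only the sshd message is parsed further.
HEADER = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[\d+\]: (?P<msg>.*)$")
# The user name is attacker-controlled text. The greedy user group plus
# fullmatch() means the address is taken from the tail sshd itself wrote.
FAILED = re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>.*)"
                    r" from " + IP + r" port \d+(?: ssh2)?")
ACCEPTED = re.compile(r"Accepted \S+ for \S+ from " + IP + r" port \d+")
# Failures allowed per source address; illustrative values, not DenyHosts defaults.
THRESHOLDS = {"root": 1, "invalid": 3, "valid": 5}

def hosts_to_deny(lines, allowlist=frozenset(), thresholds=THRESHOLDS):
    """Return sorted source addresses whose failures reached a threshold."""
    counts = {kind: Counter() for kind in thresholds}
    denied = set()
    for line in lines:
        header = HEADER.match(line.rstrip("\n"))
        if not header:
            continue
        msg = header.group("msg")
        accepted = ACCEPTED.match(msg)
        if accepted:  # a real login clears earlier typos from that address
            for counter in counts.values():
                counter.pop(accepted.group("ip"), None)
            continue
        failed = FAILED.fullmatch(msg)
        if not failed or failed.group("ip") in allowlist:
            continue
        ip, user = failed.group("ip"), failed.group("user")
        kind = "invalid" if failed.group("invalid") else ("root" if user == "root" else "valid")
        counts[kind][ip] += 1
        if counts[kind][ip] >= thresholds[kind]:
            denied.add(ip)
    return sorted(denied)

def hosts_deny_entries(addresses):
    """Format addresses as tcp_wrappers lines for /etc/hosts.deny."""
    return ["sshd: %s" % ip for ip in addresses]

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = [
    "Mar  3 04:12:01 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 40122 ssh2",
    "Mar  3 04:12:03 web1 sshd[2213]: Failed password for invalid user admin from 198.51.100.9 port 51000 ssh2",
    "Mar  3 04:12:04 web1 sshd[2214]: Failed password for invalid user test from 198.51.100.9 port 51002 ssh2",
    # User name crafted to look like a failure from 192.0.2.77; the real peer is 198.51.100.9.
    "Mar  3 04:12:05 web1 sshd[2215]: Failed password for invalid user x from 192.0.2.77 port 1 ssh2 from 198.51.100.9 port 51004 ssh2",
    "Mar  3 08:30:10 web1 sshd[2300]: Failed password for alice from 192.0.2.10 port 50000 ssh2",
    "Mar  3 08:30:15 web1 sshd[2300]: Accepted password for alice from 192.0.2.10 port 50000 ssh2",
]

if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(hosts_to_deny(SAMPLE_LOG))))
```

The fourth sample line shows why the address has to be read from the end of the message: a user name containing "from <address>" would otherwise get an innocent host blocked.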


