More Complex GUI IPTables Setup for CentOS 5.x with Bastille Linux

We have a few CentOS boxes and require a little more IPTables tweaking than the standard security setup in the GUI. I could go into the IPTables config files, but I am more than a little rusty on the logic for IPTables. So, I went back to an old stand-by to configure the multiple interfaces on a couple of my CentOS boxes.

http://bastille-linux.sourceforge.net

Download the RPM and install it.

sudo rpm -i Bastille-3.2.1-0.1.noarch.rpm

You can get perl-tk and perl-curses via CPAN. I know DAG’s RPMForge is just about standard now, but I prefer going to source if it is not standard. Of course, yum and the RPM model is basically kind of a pain now if you are used to apt-get in Debian/Ubuntu systems. I suppose the DAG RPMForge makes it a little less painful. But, CPAN is great.

You can do a couple of commands to get the pre-reqs for the graphical Bastille hardener. I would make sure you do these via the server console inside a gnome session. You get quite a sight to watch on the Tk install.

sudo cpan install Tk

and

sudo cpan install Curses

I ended up having to do a force install on Tk because I failed some of the Tk install tests in the GUI. Anyway, no problem. This will get you what you need to then run

sudo bastille -x

I tend to run it via the console, but you should do it via ssh -X. Bastille comes in VERY handy when you have to do some IPTables configs for multiple network interfaces and you want different rules for different interfaces. Firestarter is another nice GUI tool when you don’t want to get into IPTables configs yourself.
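As an added example that is not from the post or from Bastille, here is the per-interface logic Bastille builds for you, written out by hand as an iptables-restore ruleset so it can be reviewed and diffed before it is loaded. The interface names (eth0 external, eth1 management) and the management network are assumptions.

```shell
#!/bin/sh
# Constructed example, not from the post or from Bastille: an iptables-restore
# ruleset for a CentOS 5 box with two interfaces, each with its own rules.
# Interface names and the management network are assumptions.
EXT_IF=eth0                  # assumed: Internet-facing interface
INT_IF=eth1                  # assumed: management LAN interface
INT_NET=192.168.10.0/24      # assumed: management network

# gen_rules prints the ruleset to stdout so it can be read, or diffed against
# /etc/sysconfig/iptables, before anything is loaded into the kernel.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# default-deny inbound; loopback and return traffic accepted on any interface
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# management interface: SSH only, and only from the management network
-A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 22 -j ACCEPT
# Internet-facing interface: the public web service only; no SSH here
-A INPUT -i $EXT_IF -p tcp --dport 80 -j ACCEPT
-A INPUT -i $EXT_IF -p tcp --dport 443 -j ACCEPT
# log (rate-limited so the log cannot be flooded), then fall to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# ssh_exposed_on_ext succeeds (exit 0) if any ACCEPT rule on the external
# interface opens TCP/22; use it as a guard before loading the ruleset.
ssh_exposed_on_ext() {
    gen_rules | grep -- "-i $EXT_IF " | grep -- "--dport 22 " | grep -q ACCEPT
}

# Review, guard, then load and persist (the last line needs root):
#   gen_rules
#   ssh_exposed_on_ext && echo "refusing: SSH open on $EXT_IF" && exit 1
#   gen_rules | iptables-restore && gen_rules > /etc/sysconfig/iptables
```

Lines beginning with # inside the heredoc are ignored by iptables-restore, so the comments can stay in the saved file.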

Fixing the flashing red alert light on an Altus 1600 SS

Top view of the Altus 1600 server with top panel removed

Don’t know how many of them are still out there, but my school had a couple of Penguin Computing Altus 1600 SS 1U servers when I arrived. One was offline and the other was being used as a sendmail/dovecot email system. They might have come shipped with Fedora back in the day. I set up the offline one with RAID1 and put CentOS 5.4 on it. It is doing some DNS and Apache serving for us.

It was still barely on the support contract at the time with Penguin Computing so I was able to get some semi-recent BIOS and controller updates (July 2008). Since that time, I have really been on my own. The server is older and I can’t blame them for not doing anything further with it. It has been running great actually and there has only been one annoyance: the flashing red warning light on the front of the chassis. The light has been blinking for at least a year.

After multiple resets and looks into the IPMI logs in BIOS, there were always intrusion detection errors. I would clear them and not open the chassis, but still get the errors in the BIOS. I guessed the red flashing had to be related to that and if I could disable the intrusion detection sensor, my annoying red light would cease. When I was moving the server room rack locations, I decided to solve this once and for all.

Sliding the top cover back and off, you will see an intrusion switch/sensor towards the rear near the power supply. Here are a couple of shots of it. I did this ‘hot’ (i.e. while the server was running) but don’t do that.

Side view of intrusion detection switch/sensor on the Altus 1600
Another side view of intrusion sensor on the Altus 1600

You can wiggle the body of that sensor free and disconnect the wires that lead to the jumpers on the motherboard. This will nix the sensor feeding a bad result to the BIOS. If you have the server on when you do this (not recommended!) you will see the front bezel red warning light stop.

The pulled intrusion detection sensor from the Altus 1600

With the faulty sensor yanked, and the warning light dark, it was time to move on to better things.

Flashing red light no more!

Problems with Lacie iamakey USB Flash Drives fixed


I really like the design of the Lacie iamakey and related USB flash memory sticks that look like actual keys. I was thinking about moving away from the SanDisk drives, consistent performers, that I issue to employees, faculty and staff. So, I got an 8 gig and a 32 gig to test over the last couple of months.

I am constantly moving files between Macs, Windows and Linux workstations and servers, so they really can take a pounding. The SanDisk Cruzer models are really solid once you get rid of the software that comes with them through their uninstallers. Initially, the Lacie iamakey USB drives gave me a lot of problems. I need to format them as FAT32 so I can have read/write on all the operating systems I am hitting.

The crazy thing is when I would copy large amounts of files (say many software installers for Office, Adobe, etc.) they would take the write just fine, but when I brought them to another Mac or Windows machine, the partition/format would not be read. I reformatted many times on the Mac and over the course of a few weeks still had constant issues with all operating systems.

It wasn’t until I did a low-level format of the drive on Windows (not a quick format) that the FAT32 partition stuck. I have been using them now for a week or so without problems between OS X, Windows XP, Windows 2003, Windows 2008, CentOS and Ubuntu. Performance is great now.

So, if you are having issues, try a solid low-level format and I think you will have better results. It will take some time. The 32 gig took an hour or two I believe, but you will be happy you did.

IPCop and Intel Quad PT Gigabit Ethernet Card


IPCop is a great little Linux-based firewall distro I use for many reasons. It is really easy to work with and some modules are really great to have around for minimizing bandwidth waste and handling content-filtering as needed. The distro is designed to work on older, basic hardware and it does a great job with that. I remember a few years ago, I had it running on an old Gateway 500 MHz Pentium and it ran like a champ.

But, as you get more and more users, it is nice to get some decent hardware for it. The new version of IPCop is around the corner, but until it arrives, and because it is currently still based on the 2.4.x kernel, niceties like SATA and some more complex hardware options like SATA RAID, SATA CD-ROMs, etc. are not super easy to deal with. This is a distro that works well with an old PC, a bunch of PCI Intel NICs, and some RAM, and away you go. Well, when I bought a basic HP Proliant DL 120 1U server with native SATA and a PCI-X slot and the Intel Quad PT NIC with the hope of getting a slick firewall box going, it was not a breeze.

The HP DL 120 can do SATA RAID via software but that is kind of off the table if you want to do a hardware install. Getting IPCop running in a virtual image with VMWare Server or VMWare ESX is fine, but really I was not going to use those boxes for anything more than dedicated firewalls and routers and needed at least the four interfaces and didn’t want a huge 5U box in the server room, much less a few of those 5U PCs on their side.

So, enter the Intel Quad PT NIC. IPCop sees and understands it just fine after you can get 1.4.20 to install. I had to hard-set the drive in the DL 120 BIOS to manual settings since it really didn’t have a legacy mode so IPCop’s 2.4.x kernel could easily deal with it. I also had to boot off the IPCop CD and have the IPCop installer media on USB to get things going, but once I did, I was able to see my 1U firewall on modern hardware running nicely. Except, I noticed a real problem with network latency.

My first idea was that the IPCop drivers for the Intel Quad PT NIC were just crappy. I started to go down the road of posting to the IPCop user list on whether it made sense to recompile the drivers from the source available at Intel’s site. But, I REALLY didn’t want to go down that road if I could help it. I was able to limp along on the system to be able to get the IPCop 1.4.21 update. I also played around with all the various settings in the BIOS, thinking perhaps the IRQs were more complex so perhaps the BIOS could better and more effectively dish the IRQs to the kernel.

None of that really did anything. It was only after I chose the kernel with ACPI that it really performed like it should. I then went through a bunch of high volume transfers to make sure the quad NIC was going well. So, if you are going to try and build something like this and have performance issues with your Intel quad NIC, ACPI is probably your friend on this.

Using kmsrecover in Kerio Mailserver (It works!)


Recently, we had an issue with our Kerio Mailserver where we had to restore data for a couple of users from a backup and kmsrecover worked well. Kerio Support directed me to the manuals. A direct link is here. The server does need to be shut down prior to the restore. I recommend using the flags to redirect the restore to a directory different from the one for the user in the default store.

As root, here are some example restores I did. I am currently running Kerio Mailserver on OS X.

# cd /usr/local/kerio/mailserver
# kmsrecover -d mydomain.com -u jmergy -f "INBOX" -s /Volumes/restore-dir /Volumes/backup/keriosnapshot

The -s flag redirects the restore to a different directory. It actually goes relatively quickly. You need to have the Kerio-generated backup files (both full and incremental) for the day you want to restore from. The example above is pointing kmsrecover to look for the INBOX for user jmergy in the domain mydomain.com in the directory of the Kerio backup files located in /Volumes/backup/keriosnapshot and will put the files in /Volumes/restore-dir. In my case, I wanted to restore a folder and then bring that folder back into the user’s mail directory as a sub-folder. After the restore is done, you can move the restore directories and files back into your user. I would recommend NOT displacing existing files unless you don’t care about what is already there.
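An added helper, not from the post or from Kerio, for the two cautions above: stage the restore with -s somewhere other than the user’s live store, then bring it back without displacing anything already there. The paths and the kmsrecover flags are the ones in the post; the merge function and its collision handling are my own assumptions.

```shell
#!/bin/sh
# Constructed helper, not from the post or from Kerio: build the kmsrecover
# call so the restore lands in a staging directory, then merge the staged
# files into the live store without overwriting anything already present.
# KERIO_HOME, BACKUP and STAGE are the paths the post uses; domain, user and
# folder are supplied by the caller.
KERIO_HOME=/usr/local/kerio/mailserver
BACKUP=/Volumes/backup/keriosnapshot
STAGE=/Volumes/restore-dir

# restore_cmd prints the kmsrecover invocation from the post. -s redirects the
# restore into STAGE; the last argument is the directory holding the Kerio
# full+incremental backup files. Run it as root with the mailserver stopped.
restore_cmd() {   # $1=domain  $2=user  $3=folder
    printf 'cd %s && kmsrecover -d %s -u %s -f "%s" -s %s %s\n' \
        "$KERIO_HOME" "$1" "$2" "$3" "$STAGE" "$BACKUP"
}

# merge_no_clobber copies every file under $1 into $2 but leaves any file that
# already exists in $2 untouched, printing each skipped destination path so
# the collisions can be reviewed by hand. Sub-directories are preserved.
merge_no_clobber() {   # $1=staged restore dir  $2=live user/folder dir
    src=$1; dst=$2
    (cd "$src" && find . -type f) | while IFS= read -r f; do
        f=${f#./}
        if [ -e "$dst/$f" ]; then
            printf '%s\n' "$dst/$f"          # collision: left as-is
        else
            mkdir -p "$dst/$(dirname "$f")"
            cp -p "$src/$f" "$dst/$f"
        fi
    done
}

# Typical use (paths after STAGE depend on how kmsrecover lays out the folder):
#   restore_cmd mydomain.com jmergy INBOX
#   merge_no_clobber "$STAGE/<restored folder>" "<live store>/<user>/INBOX.restored"
```

An empty output from merge_no_clobber means nothing in the live store was in the way; any printed path is a file you must reconcile by hand.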

If you are in need of using this, work with Kerio support to make sure this is the best way to go. Also, this is a relatively new tool that was probably introduced in version 6.7, so earlier versions do not apply.

Links of note:

Kerio Support

Kerio Manuals

Kerio Mailserver Product Page