backup - Infn

blueberrystoreSecurity

Dec 9, 2013

Maurizio Montis

July 20th, 2009




NETWORK ARCHITECTURE



FUNCTIONAL CHARACTERISTICS OF THE NETWORK:

- Controlling the flow of data from / to the public network:
  Solution: Endian Firewall with DNS, DHCP and NAT support

- Monitoring of machines and network services:
  Solution: a dedicated machine running Nagios

- Backup and dump & restore operations:
  Solution: a NAS unit and two machines for DRBD

- Automation of putting a machine into production:
  Solution: PXE + KICKSTART

- Online documentation:
  Solution: MediaWiki on a dedicated machine

- Secure connections from remote locations:
  Solution: VPN connections





ENDIAN FIREWALL

DNS:

The Domain Name System is the system used for resolving host names into IP addresses and vice versa.

The service is realized through a distributed database made up of the DNS servers.

The name DNS denotes the protocol that governs the operation of the service, the programs that implement the server on the machines that run it, and the set of servers that cooperate to provide the service.

The operation of converting a name into an address is called DNS resolution; converting an IP address into a name is called reverse resolution.



ENDIAN FIREWALL

DHCP:

The Dynamic Host Configuration Protocol enables network devices to receive the IP configuration they need in order to operate on a network based on the Internet Protocol.

It allows the TCP/IP configuration to be distributed automatically to the client computers of a network.

[Figure: DHCP server and DHCP client; the automatic TCP/IP configuration is handed out only to DHCP clients.]



ENDIAN FIREWALL

NAT:

Network Address Translation (RFC 1631) allows a device to act as an intermediary between the Internet (public network) and a private network.

One distinguishes between source NAT (SNAT) and destination NAT (DNAT), depending on whether it is the source address or the destination address of the packet that starts a new connection that gets rewritten; the packets travelling in the opposite direction are modified accordingly, using the state recorded for that connection.
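As an added illustration of the SNAT/DNAT rule above (example code, not Endian Firewall's own), the following Python model keeps per-connection state the way a NAT box does: the first outbound packet gets a public source port, replies to that port are mapped back to the private host, inbound packets with no state are dropped unless a DNAT rule publishes an internal service, and the replies of a DNAT'ed connection are rewritten back to the public address. The public address 203.0.113.10 and the remote hosts are assumptions; the LAN addresses follow the 10.5.0.0/24 range used on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Stateful NAT with one public address (toy model, not a real firewall)."""

    def __init__(self, public_ip, first_port=30000):
        self.public_ip = public_ip          # assumption: the firewall's public address
        self.next_port = first_port         # assumption: public port pool starts here
        self.snat = {}                      # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.snat_reverse = {}              # (public port, remote ip, remote port) -> (src_ip, src_port)
        self.dnat_rules = {}                # public dst_port -> (private ip, private port)
        self.dnat_reverse = {}              # (private ip, private port, remote ip, remote port) -> public port

    def add_dnat(self, public_port, private_ip, private_port):
        """Publish an internal service on the public address (DNAT rule)."""
        self.dnat_rules[public_port] = (private_ip, private_port)

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.dnat_reverse:
            # reply of a DNAT'ed connection: restore the public port the client used
            return Packet(self.public_ip, self.dnat_reverse[key], pkt.dst_ip, pkt.dst_port)
        if key not in self.snat:
            # first packet of a new connection: allocate a public port (SNAT) and record it
            port = self.next_port
            self.next_port += 1
            self.snat[key] = port
            self.snat_reverse[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.snat[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: reverse SNAT state, else apply a DNAT rule, else drop (None)."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.snat_reverse:
            ip, port = self.snat_reverse[key]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        if pkt.dst_port in self.dnat_rules:
            ip, port = self.dnat_rules[pkt.dst_port]
            self.dnat_reverse[(ip, port, pkt.src_ip, pkt.src_port)] = pkt.dst_port
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        return None  # unsolicited packet with no mapping: dropped


if __name__ == "__main__":
    nat = Nat("203.0.113.10")
    print(nat.outbound(Packet("10.5.0.7", 40000, "198.51.100.5", 80)))
    print(nat.inbound(Packet("198.51.100.5", 80, "203.0.113.10", 30000)))
    print(nat.inbound(Packet("198.51.100.5", 80, "203.0.113.10", 31000)))
```

The model shows why a NAT box is also a coarse inbound filter: a packet from the Internet reaches a private host only through state created from the inside or through an explicit DNAT rule.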



ENDIAN FIREWALL

Endian Firewall is an open source Linux distribution dedicated to routing, firewalling and Unified Threat Management.

Its main features are:

- Firewall (both directions)
- Virtual Private Network (VPN) gateway with OpenVPN or IPsec
- Web antivirus
- Web antispam
- E-mail antivirus
- E-mail antispam
- Transparent HTTP proxy
- Content filter
- Wireless hotspot security
- SIP VoIP support
- Network Address Translation (NAT)
- Multiple IP addresses (aliases)
- HTTPS web interface
- Connection statistics
- Network traffic log
- Sending logs to an external server
- DHCP server
- NTP server
- Intrusion Detection System




ENDIAN FIREWALL

The firewall has been set up as follows:

- only the services needed to control the network were enabled (Cron Server, DHCP, DNS, NAT, Logging Server, NTP Server, VPN, Virus Scanner, Web Proxy), so as not to start processes that consume hardware resources for nothing;

- the private SPES domain name was set to:

  spes.lnl.infn.it

  and the network IP range is:

  10.5.0.0/24

- the HTTPS interface provides a set of tools for monitoring traffic to and from the network;






ENDIAN FIREWALL

- IP addresses and names were set for all the machines on the network.

  example:

  IP: 10.5.0.254
  Host name: efw
  DNS resolution: efw.spes.lnl.infn.it

- the following address ranges were reserved for particular functions:

  10.5.0.[80-95] for dynamic IP addresses
  10.5.0.[200-205] for VPN connections

- PXE boot of machines from the network was enabled. This is necessary to perform the automated installation of machines. The DHCP server configuration (ISC dhcpd syntax) is:

option space PXE;

class "PXE" {
    # any client whose vendor class string starts with "PXEClient" is treated as a PXE boot request
    match if substring(option vendor-class-identifier, 0, 9) = "PXEClient";
    option vendor-encapsulated-options 01:04:00:00:00:00:ff;
    option boot-size 0x1;
    # boot loader, and the TFTP server (drbd1, 10.5.0.100) it is fetched from
    filename "pxelinux.0";
    next-server 10.5.0.100;
    option tftp-server-name "10.5.0.100";
    option vendor-class-identifier "PXEClient";
    vendor-option-space PXE;
}

The match is on a string the client itself sends, so any host on 10.5.0.0/24 that announces itself as a PXE client is handed the boot loader from 10.5.0.100 and, through it, the automated installation.





KICKSTART AND INSTALLATION

How to install the same software on different computers?

SOLUTIONS:

1) Obtain a variety of installation media and install COMPUTER by COMPUTER

2) Use a server to automate the installation

This is what occurs if you take the first approach ...


KICKSTART

A kickstart is a configuration file that automatically answers the questions posed during the installation process.

This file also allows you to define all the post-installation procedures needed to configure the machine properly:

- installation of specific packages and applications;

- configuration of the system's environment variables.

# Kickstart file automatically generated by anaconda.

# installation source: NFS export on drbd1
nfs --server=10.5.0.100 --dir=/var/ftp/pub
install
text
lang en_US.UTF-8
keyboard it
xconfig --startxonboot
network --device eth0 --bootproto dhcp
rootpw "12epics?"
firewall --disabled
authconfig --enableshadow --enablemd5
selinux --disabled
timezone --utc Europe/Rome
reboot
bootloader --location=mbr --driveorder=sda --append="quiet"

# partitioning: wipe existing Linux partitions, /home takes the remaining space
clearpart --linux
part / --fstype ext3 --size=4096
part /usr --fstype ext3 --size=4096
part /opt --fstype ext3 --size=8192
part /boot --fstype ext3 --size=100
part /home --fstype ext3 --size=1 --grow
part swap --size 1024

%packages
@editors
@text-internet
@core
@base
@base-x
@graphics
@kde-desktop
@sound-and-video
@graphical-internet
kdepim
device-mapper-multipath
kdegraphics
libsane-hpaio
kdemultimedia
openmotif
gcc
gcc-c++
libstdc++-devel
readline
readline-devel
libtermcap-devel
ncurses
ncurses-devel
-bluez-libs
-bluez-gnome
-bluez-utils

Two things in this file deserve attention: the root password is written in clear text (kickstart also accepts rootpw --iscrypted followed by a password hash) and the file is served over unauthenticated NFS to any PXE client, and every installed host ends up with both the host firewall and SELinux disabled.



%post
# sync the clock against the firewall, then make it the only NTP source
ntpdate -b 10.5.0.254

cat > /etc/ntp.conf <<END
restrict default ignore
restrict 127.0.0.1
restrict 10.5.0.254
server 10.5.0.254
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
END

# extra packages from the FTP mirror on drbd1
# (note: the "*" wildcard is not expanded for an ftp:// URL, neither by the shell nor by rpm;
#  the full file names are needed here)
rpm -i ftp://10.5.0.100/pub/CentOS/vim-common*
rpm -i ftp://10.5.0.100/pub/CentOS/vim-enhanced*
rpm -i ftp://10.5.0.100/pub/updates/jre-6u13-linux-i586.rpm

# convenience links for the Sun JRE
# (note: the link target jre1.6.0_11 does not match the 6u13 package installed above;
#  check the actual directory name under /usr/java)
cd /usr/
ln -s java javasun
cd /usr/javasun
ln -s jre1.6.0_11 jdk1.6.0_11

# local EPICS user; password set from a clear-text string
useradd epics
echo "epics" | passwd --stdin epics

# EPICS environment for every login shell ("\$" keeps the expansion for login time)
cat > /etc/profile.d/epics.sh <<EOF
## EPICS CONFIG SETUP
export EPICS_HOST_ARCH=linux-x86
export EPICS_BASE=/opt/epics/base-3.14.9

PATH=\$PATH:/opt/epics/base-3.14.9/bin/linux-x86
PATH=\$PATH:/opt/epics/extensions/bin/linux-x86
PATH=\$PATH:/opt/epics/modules/asyn-4.9/bin/linux-x86

alias vdct="java -jar /opt/epics/extensions/bin/linux-x86/VisualDCT.jar"

export EDMBASE=/opt/epics/extensions/src/edm
export EDMFILES=\$EDMBASE/setup
export EDMOBJECTS=\$EDMBASE/setup
export EDMPVOBJECTS=\$EDMBASE/setup

#export EPICS_CA_AUTO_ADDR_LIST=YES
export EPICS_CA_AUTO_ADDR_LIST=NO
#export EPICS_CA_ADDR_LIST="10.5.0.7 10.5.0.18 10.5.0.16 10.5.0.18 10.5.39.98 10.5.39.95"
export EPICS_CA_ADDR_LIST="10.5.0.7 10.5.0.9 10.5.0.16 10.5.0.18"
EOF
chmod +x /etc/profile.d/epics.sh

#######################################################
# restore the /opt tree (EPICS base, modules, extensions) from a tarball on drbd1;
# fetched over plain HTTP with no integrity check and extracted as root into /
cd /tmp
wget http://10.5.0.100/backup_opt.tar.gz
cd /
tar xzf /tmp/backup_opt.tar.gz
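Because a kickstart is reused for every machine that PXE boots, a weak setting in it is replicated across the whole network. The following Python linter is an added example (not part of the SPES deployment or of anaconda) that scans the commands section and the %post script for the kinds of settings visible in the kickstart above: a clear-text rootpw, firewall or SELinux disabled, MD5 password hashing, passwords set from strings in %post, and unauthenticated downloads. The rule set and the constructed sample file are assumptions made for the example.

```python
import re
import shlex
import sys

# Constructed sample: the relevant lines of the kickstart shown on this page.
SAMPLE_KS = """\
# Kickstart file automatically generated by anaconda.
nfs --server=10.5.0.100 --dir=/var/ftp/pub
install
rootpw "12epics?"
firewall --disabled
authconfig --enableshadow --enablemd5
selinux --disabled
%packages
@core
%post
echo "epics" | passwd --stdin epics
wget http://10.5.0.100/backup_opt.tar.gz
"""


def lint_kickstart(text):
    """Return a list of (line_no, severity, message).

    Everything before the first %section is parsed as kickstart commands;
    inside %post only a few shell patterns are checked (assumed rule set)."""
    findings = []
    section = "commands"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            section = line.split()[0][1:]  # "packages", "post", "pre", "end"
            continue
        if section == "commands":
            try:
                argv = shlex.split(line)
            except ValueError:
                argv = line.split()
            cmd, opts = argv[0], argv[1:]
            if cmd == "rootpw" and "--iscrypted" not in opts:
                findings.append((no, "CRITICAL", "root password in clear text; use rootpw --iscrypted <hash>"))
            elif cmd == "firewall" and "--disabled" in opts:
                findings.append((no, "WARNING", "host firewall disabled on every installed machine"))
            elif cmd == "selinux" and "--disabled" in opts:
                findings.append((no, "WARNING", "SELinux disabled on every installed machine"))
            elif cmd == "authconfig" and "--enablemd5" in opts and not any(o.startswith("--passalgo=") for o in opts):
                findings.append((no, "WARNING", "MD5 password hashing; prefer --passalgo=sha512 where the installer supports it"))
        elif section == "post":
            if re.search(r"passwd\s+--stdin", line):
                findings.append((no, "WARNING", "account password set from a clear-text string in %post"))
            if re.search(r"\b(wget|curl)\b.*\b(http|ftp)://", line):
                findings.append((no, "WARNING", "unauthenticated download in %post; verify a checksum or signature before use"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KS
    for line_no, severity, message in lint_kickstart(text):
        print(f"line {line_no}: {severity}: {message}")
```

Run it against a kickstart path, or with no argument to lint the constructed sample; each finding names the line so the directive can be fixed at its source rather than on the installed hosts.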



NAGIOS

Nagios is an open source application for monitoring computers and network resources. Its basic function is to monitor nodes, networks and services, raising a warning when they stop providing their service and when they come back.

The software allows:

- monitoring of network services (SMTP, POP3, HTTP, NNTP, ICMP, SNMP, FTP, SSH);

- monitoring of system resources (CPU load, hard disk, system logs);

- remote monitoring through SSH or SSL-encrypted tunnels;

- a simple plugin interface that lets users develop new checks for their services according to their needs, using Bash, C++, Perl, Ruby, Python, PHP, C#, etc.;

- parallel service checks;

- the ability to define hierarchies of network nodes using "parent" nodes, allowing the distinction between nodes that are down and nodes that are unreachable;

- notifications when a problem is detected or resolved (via email, pager, SMS, or other systems by means of plug-ins);

- the ability to define "event handlers", i.e. actions that are triggered automatically when a problem appears or is solved;

- automatic rotation of log files;

- support for redundant monitoring.
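The plugin interface mentioned above is only a convention: Nagios runs the plugin, reads its exit status (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) and the first line of its output, and anything after a "|" on that line is parsed as performance data. The following Python plugin is an added example (not one of the checks used on the SPES network) that measures the time to complete a TCP handshake to a service and applies warning/critical thresholds; the host, port and thresholds are supplied on the command line and are assumptions.

```python
import socket
import sys
import time

# Nagios plugin return codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAME = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def evaluate(latency_s, warn_s, crit_s, label="tcp"):
    """Map a measured connect time (None = connection failed) to (state, output line).

    The output line follows the plugin convention: "<label> <STATE> - text|perfdata",
    where perfdata is label=value;warn;crit;min so Nagios can graph it."""
    if warn_s > crit_s:
        return UNKNOWN, f"{label} UNKNOWN - warning threshold above critical threshold"
    if latency_s is None:
        return CRITICAL, f"{label} CRITICAL - connection failed"
    if latency_s >= crit_s:
        state = CRITICAL
    elif latency_s >= warn_s:
        state = WARNING
    else:
        state = OK
    perf = f"time={latency_s:.3f}s;{warn_s};{crit_s};0"
    return state, f"{label} {STATE_NAME[state]} - {latency_s:.3f}s connect time|{perf}"


def measure_connect(host, port, timeout=5.0):
    """Seconds taken to complete the TCP handshake, or None if it fails or times out."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None


def main(argv):
    if len(argv) != 5:
        print("Usage: check_tcp_latency.py HOST PORT WARN_SECONDS CRIT_SECONDS")
        return UNKNOWN
    host, port = argv[1], int(argv[2])
    warn_s, crit_s = float(argv[3]), float(argv[4])
    state, line = evaluate(measure_connect(host, port), warn_s, crit_s, f"{host}:{port}")
    print(line)          # first line of output is what Nagios shows
    return state         # exit status is what Nagios acts on


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The timeout keeps a hung service from stalling the scheduler: a plugin that never returns is worse than one that reports CRITICAL, because Nagios cannot distinguish it from a slow check until its own plugin timeout fires.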





NAGIOS

Within the SPES network a machine was dedicated to monitoring and surveillance of the network:

nagios.spes.lnl.infn.it (10.5.0.104)

The control panel is an HTTP page with authentication.

From the Nagios menu it is possible to:

- select between different types of network visualization;

- obtain general information on the health of the monitored network;

- obtain detailed information on the individual hosts of the network (host state, state of each of its services, check records, durations, etc.).




NAGIOS

In case of alarm:

- the system reports the failure on the control panel, indicating the host and the type of fault.

  For example, in case of shutdown of a host: [screenshot]

- you can also enable the sending of an email to the Network Administrator with all the information about the failure: we implemented and tested this service on the microIOCs.



BACKUP

In the SPES network 1+2 machines are dedicated to backup operations:

- production files backup: NAS: nas.spes.lnl.infn.it (10.5.0.102)

- OS backup: DRBD1: drbd1.spes.lnl.infn.it (10.5.0.100)
             DRBD2: drbd2.spes.lnl.infn.it (10.5.0.101)

NAS:

A Network Attached Storage is a device connected to a computer network whose purpose is to share a storage area (disk) among the users of the network.

The NAS is essentially a small PC: it runs a Linux operating system (not visible to the user) and holds several hard disks for storing data. This architecture has the advantage of making the files available simultaneously on different platforms such as Linux, Windows and Unix (or Mac OS X).

In our case we used a NETGEAR NAS with the following characteristics:

- 4 hot-swap SATA hard disks (250 GB each) in X-RAID configuration

- 1 Ethernet connection (10/100/1000)

- X-RAID™ technology plus RAID 0/1/5

- 1 USB port for connecting an external HD






BACKUP

The NAS carries out the backup of the production files of every machine in the SPES network.

For the backup the following script is used:

#!/bin/bash

## 20090704 - Gaetano La Rosa gaetano@intertech.it
## script for backing up the general configuration of all the SPES servers

date=$(date +%Y%m%d-%H%M)
dir="backup/$date"            # relative to the directory the script is started from

mkdir -p "$dir"

# lista_server.txt: one server per line, first tab-separated field is the address;
# lines starting with # are comments
for i in $(grep -v \# lista_server.txt | cut -f1); do
    if ping -c 1 "$i" > /dev/null 2>&1; then
        echo "$i"
        # routing table
        ssh root@"$i" "ip r l" > "$dir/$date-$i-ip_route_list"
        # installed packages
        ssh root@"$i" "rpm -qa" | gzip > "$dir/$date-$i-rpm_qa.gz"
        # firewall rules
        ssh root@"$i" "iptables-save" > "$dir/$date-$i-iptables-save"
        # root's shell history
        ssh root@"$i" "cat .bash_history" | gzip > "$dir/$date-$i-history.gz"
        # the whole /etc tree (including /etc/shadow)
        ssh root@"$i" "tar -czf - /etc" > "$dir/$date-$i-etc.tar.gz"
        # partition tables, software RAID state, mounts, LVM and mdadm details
        ssh root@"$i" "sfdisk -d; echo; cat /proc/mdstat; echo; df; echo; mount; echo; vgdisplay -v; echo; mdadm --detail /dev/md*" > "$dir/$date-$i-disk"
    else
        (echo -e "$i\ndoes not answer ping from the SPES.INFN.IT network" | mail -s "KO - config backup of $i failed" mauro.giacchini@lnl.infn.it)
    fi
done

The program:

1) creates a directory named with the date of the backup;

2) for every IP address written in lista_server.txt it saves a copy of all the following information:

- routing table
- list of installed packages
- iptables rules
- bash history
- the /etc directory
- /proc/mdstat (software RAID state)
- the partition table
- the mounted devices (plus LVM and mdadm details)

3) in case of failure (the host does not answer ping), the administrator is contacted with an email containing the details of the error.

Note that the script logs in as root on every server and that the copies it collects (/etc with the shadow file, the firewall rules, root's command history) are as sensitive as the servers themselves, so the backup area on the NAS needs the same access protection.
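The script above only reports hosts that do not answer ping; a copy that was truncated, altered or removed after the fact goes unnoticed until a restore is attempted. As an added example (not part of the SPES script), the following Python code builds a SHA-256 manifest of a backup run directory and later verifies it, reporting files that changed, vanished or appeared. The file names in the self-test follow the script's naming pattern but their contents are constructed for the example.

```python
import hashlib
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_manifest(run_dir):
    """Return {relative path: sha256 hex digest} for every regular file under run_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(run_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, run_dir)] = _sha256(full)
    return manifest


def verify_manifest(run_dir, manifest):
    """Compare the current state of run_dir against a stored manifest."""
    current = generate_manifest(run_dir)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def self_test():
    """Build a constructed run directory, record its manifest, then tamper with it.

    Returns the verification result before and after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        run = os.path.join(tmp, "20090704-0300")          # assumed run name: <date>-<time>
        os.makedirs(run)
        files = {                                          # constructed sample contents
            "20090704-0300-10.5.0.104-iptables-save": b"*filter\n:INPUT ACCEPT [0:0]\nCOMMIT\n",
            "20090704-0300-10.5.0.104-ip_route_list": b"default via 10.5.0.254 dev eth0\n",
        }
        for name, data in files.items():
            with open(os.path.join(run, name), "wb") as f:
                f.write(data)
        manifest = generate_manifest(run)
        clean = verify_manifest(run, manifest)
        # tamper: rewrite the firewall dump, delete the route list, add a stray file
        with open(os.path.join(run, "20090704-0300-10.5.0.104-iptables-save"), "wb") as f:
            f.write(b"*filter\n:INPUT DROP [0:0]\nCOMMIT\n")
        os.remove(os.path.join(run, "20090704-0300-10.5.0.104-ip_route_list"))
        with open(os.path.join(run, "extra"), "wb") as f:
            f.write(b"x")
        tampered = verify_manifest(run, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = self_test()
    print("clean run:", before)
    print("after tampering:", after)
```

The manifest is only as trustworthy as where it is kept: store it (or a signature over it) somewhere the account that writes the backup directory cannot modify, otherwise whoever alters a copy can regenerate the manifest to match.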





BACKUP

DRBD:

DRBD (Distributed Replicated Block Device) refers to block devices designed as a building block to form high availability (HA) clusters. This is done by mirroring a whole block device via an assigned network.

DRBD can be understood as network-based RAID-1.

In the illustration, the two orange boxes represent two servers that form an HA cluster. The boxes contain the usual components of a Linux kernel. The black arrows illustrate the flow of data between these components.

In the DRBD system there are:

- the primary server, used for data collection;

- the secondary server, used to mirror the primary server.

The orange arrows indicate the data flow of the mirroring between the primary and the secondary server.



BACKUP

Data mirroring on two different servers gives greater integrity of the information (through its redundancy) and greater tolerance to failures.

HOW IT WORKS:

At the top of the picture, the left node is currently active (it is the primary server): all clients save their file systems by making a copy on this node.

The node on the right (the secondary server) mirrors the data from the primary.

In case of failure of the primary server, the system identifies the problem and promotes the secondary node to be the primary server.

When the broken server is replaced, this node becomes the new secondary node and mirrors the new primary one.



BACKUP

DRBD works on top of block devices, i.e. hard disk partitions or LVM logical volumes.

It mirrors each data block that is written to disk to the peer node, in one of two possible ways:

1) synchronous:

- Mirroring can be done tightly coupled (synchronous). That means that the file system on the active node is notified that the write of the block has finished only when the block has made it to both disks of the cluster.

- Synchronous mirroring (called protocol C in DRBD speak) is the right choice for HA clusters where you dare not lose a single transaction in case of a complete crash of the active (primary, in DRBD speak) node.

2) asynchronous:

- The other option is asynchronous mirroring. That means that the entity that issued the write request is informed about completion as soon as the data is written to the local disk.

- Asynchronous mirroring is necessary to build mirrors over long distances, i.e. when the interconnecting network's round-trip time is higher than the write latency you can tolerate for your application. The price is that writes already acknowledged but not yet sent to the peer are lost if the primary crashes.

IMPORTANT: you can access the data only through the primary node!
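To make the difference between the two modes concrete, the following Python model is an added illustration (not DRBD code) of the acknowledgement rules: with protocol C a write is reported complete only once the peer holds the block, with protocol A it is reported complete after the local write while the block still sits in the send queue. A primary crash drops that queue, so the surviving node may lack writes the file system already considers durable. It also enforces the slide's rule that data is only readable through the primary. The node names drbd1/drbd2 follow this page; the block numbers and data are constructed.

```python
from collections import deque


class Node:
    def __init__(self, name):
        self.name = name
        self.disk = {}          # block number -> data
        self.role = "secondary"

    def read(self, block):
        # the slide's rule: the data is only accessible through the primary node
        if self.role != "primary":
            raise PermissionError(f"{self.name} is secondary; read through the primary")
        return self.disk.get(block)


class DrbdPair:
    """Primary/secondary pair mirroring writes with protocol A or C (model only)."""

    def __init__(self, protocol):
        if protocol not in ("A", "C"):
            raise ValueError("only protocols A and C are modelled")
        self.protocol = protocol
        self.primary = Node("drbd1")
        self.secondary = Node("drbd2")
        self.primary.role = "primary"
        self.queue = deque()    # written locally, not yet on the peer (protocol A only)
        self.acked = []         # writes whose completion was reported to the file system

    def write(self, block, data):
        """Write a block on the primary; returns when the file system would be notified."""
        self.primary.disk[block] = data
        if self.protocol == "C":
            self.secondary.disk[block] = data   # peer must have it before the ack
        else:
            self.queue.append((block, data))     # ack now, replicate later
        self.acked.append((block, data))

    def drain(self):
        """Deliver queued blocks to the peer (the network catching up)."""
        while self.queue:
            block, data = self.queue.popleft()
            self.secondary.disk[block] = data

    def crash_primary(self):
        """Primary dies: anything still in its send queue is lost; secondary is promoted."""
        self.queue.clear()
        self.primary.role = "failed"
        self.secondary.role = "primary"

    def lost_acknowledged_writes(self):
        """Writes the file system believes durable that the surviving node does not hold."""
        return [(b, d) for b, d in self.acked if self.secondary.disk.get(b) != d]


if __name__ == "__main__":
    for proto in ("C", "A"):
        pair = DrbdPair(proto)
        pair.write(1, b"config")
        pair.write(2, b"archive")     # still queued under protocol A
        pair.crash_primary()
        print(proto, "lost:", pair.lost_acknowledged_writes())
```

On a single LAN such as 10.5.0.0/24 the round-trip cost of protocol C is small, which is why it is the usual choice there; protocol A is a trade of durability for latency that only pays off across a slow link.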



VPN

A VPN (Virtual Private Network) is a good solution for connecting two private networks via a public network in a safe manner.

It uses the transport mechanisms of the public network (e.g. the Internet) to connect two remote networks in a transparent way.

So, instead of building physically private Wide Area Networks (with dedicated lines, etc.), it uses the public channel (the Internet) to transfer data between two remote networks.

This system guarantees the confidentiality and integrity of the traffic through the mechanism of tunneling.

The tunneling relies on two fundamental tools:

1) authentication;

2) encryption (asymmetric-key algorithms are used to authenticate the peers and to agree on the session keys; the tunnelled traffic itself is protected with symmetric ciphers keyed from that exchange).










EPICS MEDIAWIKI

All the documentation relating to the design (network architecture, development), the management (software installation, backup, etc.) and the use of the system is available as a wiki at

http://www.lnl.infn.it/~epics/WikiDumps/localhost/index.html



THE SPES NETWORK COMPONENTS

- NAS
- DRBD
- Nagios
- Endian Firewall
- EPICS Archiver, Subversion repository, MediaWiki
- Road warriors connected via VPN to spes.lnl.infn.it