January 2017 – SantaBarbaraDataSystems

setup Firewalld

Posted on January 18, 2017 - April 12, 2017 by elijah

install firewalld:

yum install firewalld
systemctl start firewalld.service
systemctl enable firewalld.service

create zones, add rules, and attach to interfaces:

firewall-cmd --permanent --new-zone=pci-web
firewall-cmd --reload
firewall-cmd --permanent --zone=pci-web --add-service=https
firewall-cmd --permanent --zone=pci-web --add-service=ntp
firewall-cmd --zone=pci-web --permanent --change-interface=eno1

firewall-cmd --permanent --new-zone=lcl-mgt
firewall-cmd --reload
firewall-cmd --permanent --zone=lcl-mgt --add-rich-rule 'rule family="ipv4" source address="172.16.0.0/12" service name="ssh" log prefix="ssh" level="info" limit value="1/m" accept'
firewall-cmd --permanent --zone=lcl-mgt --change-interface=eno2

confirm:

firewall-cmd --state
firewall-cmd --zone=pci-web --list-all
firewall-cmd --zone=lcl-mgt --list-all
firewall-cmd --get-active-zones

Apache security settings

Posted on January 16, 2017 - April 12, 2017 by elijah

Relax settings for web frame:

<Location "/ipa">
. . .
# Header always append X-Frame-Options DENY
# Header always append Content-Security-Policy "frame-ancestors 'none'"
Header append X-Frame-Options ALLOWALL
Header always set Content-Security-Policy: "frame-src 'self' *.SantaBarbaraDataSystems.com;"
Header always set Content-Security-Policy: "frame-ancestores 'all';"
</Location>

curl for public IP address

Posted on January 12, 2017 - March 7, 2017 by elijah

curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//'

install Sensu with Redis, RabbitMQ, Carbon, Graphite-API

Posted on January 12, 2017 - March 7, 2017 by elijah

Redis

yum install redis
systemctl start redis
systemctl enable redis

RabbitMQ

yum install rabbitmq-server
systemctl start rabbitmq-server
systemctl enable rabbitmq-server

rabbitmqctl add_vhost /sensu
rabbitmqctl add_user sensu wh@t3v3r
rabbitmqctl set_permissions -p /sensu sensu ".*" ".*" ".*"

rabbitmqctl list_exchanges -p /sensu

Sensu

vim /etc/yum.repos.d/sensu.repo
  [+] [sensu]<br >name=sensu
  [+] baseurl=http://sensu.global.ssl.fastly.net/yum/$basearch/
  [+] gpgcheck=0<br >enabled=1

yum install sensu
systemctl start sensu-server
systemctl start sensu-api
systemctl start sensu-client
systemctl enable sensu-server
systemctl enable sensu-api
systemctl enable sensu-client

Carbon

yum install python-carbon
pip install txAMQP

Graphite-API

pip install graphite-api

install Python3 inside a virtual environment, and compile mod_wsgi

Posted on January 11, 2017 - March 14, 2017 by elijah

install Python 3.6.0

wget https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tgz
tar xzvf Python-3.6.0.tgz
cd Python-3.6.0
./configure --prefix=/usr/local --enable-shared
make
make altinstall

In case of an error like this: “/usr/local/bin/python3.6: error while loading shared libraries: libpython3.6m.so.1.0: cannot open shared object file: No such file or directory“, do this:

vim /etc/ld.so.conf
  [+] /usr/local/lib
ldconfig

install a Python virtual environment

/usr/local/bin/python3.6 -m venv /stuff/grafster/env36
source /stuff/grafster/env36/bin/activate
pip install --upgrade pip

upgrade mod_wsgi to run Python 3 applications

cd /stuff/downloads/mod_wsgi
git pull
./configure --with-python=/stuff/wholebadgermilk/env36/bin/python
make clean
make
make install