I have syncrepl working for both the config database and the ldap database; let's just concentrate on the ldap database. In this solution we require encryption between consumer and provider in a multi-master configuration.
I have this working well without TLS. Here is the non-TLS syncrepl configuration:
olcSyncRepl:
rid=003
provider=ldap://<server1>
binddn="cn=ldapadm,dc=test,dc=local"
bindmethod=simple
credentials=password
searchbase="dc=test,dc=local"
type=refreshOnly
interval=00:00:00:30
retry="5 5 300 5"
timeout=1
olcSyncRepl:
rid=004
provider=ldap://<server2>
binddn="cn=ldapadm,dc=test,dc=local"
bindmethod=simple
credentials=password
searchbase="dc=test,dc=local"
type=refreshOnly
interval=00:00:00:30
retry="5 5 300 5"
timeout=1
Updates to server1 update server2 and updates to server2 update server1; all good.
When I try to replace this configuration with self-signed certificates and use ldaps over 636, it fails.
This is the ldaps syncrepl config:
olcSyncRepl:
rid=003
provider=ldaps://<server1>
binddn="cn=ldapadm,dc=test,dc=local"
bindmethod=simple
credentials=password
searchbase="dc=test,dc=local"
tls_cacert=/etc/openldap/certs/IntInfCA.ca.pem
tls_key=/etc/openldap/certs/serevr1
tls_cert=/etc/openldap/certs/server1.cert
type=refreshOnly
interval=00:00:00:10
retry="5 5 300 5"
timeout=1
olcSyncRepl:
rid=004
provider=ldaps://server2
binddn="cn=ldapadm,dc=test,dc=local"
bindmethod=simple
credentials=password
searchbase="dc=test,dc=local"
tls_cacert=/etc/openldap/certs/IntInfCA.ca.pem
tls_key=/etc/openldap/certs/server2
tls_cert=/etc/openldap/certs/server2.cert
type=refreshOnly
interval=00:00:00:10
retry="5 5 300 5"
timeout=1
This does not work; the error messages are:
Jan 13 08:16:36 hbtc5003 slapd[32321]: slap_client_connect: URI=ldaps://hbtc5503.test.vocalink.co.uk DN="cn=ldapadm,dc=ips,dc=local" ldap_sasl_bind_s failed (-1)
Jan 13 08:16:36 hbtc5003 slapd[32321]: do_syncrepl: rid=004 rc -1 retrying
Jan 13 08:16:36 hbtc5003 slapd[32321]: conn=1001 fd=23 closed (TLS negotiation failure)
Jan 13 08:17:06 hbtc5003 slapd[32321]: conn=1002 fd=23 ACCEPT from IP=10.105.189.178:46550 (IP=0.0.0.0:636)
Jan 13 08:17:06 hbtc5003 slapd[32321]: conn=1002 fd=23 closed (TLS negotiation failure)
Any ideas?
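A preflight I would run on each master before switching the olcSyncRepl values to ldaps:// (an added example, not from the post or from OpenLDAP). It assumes openssl(1) is installed, and the hostname check assumes the file given as tls_cert is also the certificate slapd presents on 636 (olcTLSCertificateFile), as the per-server serverN.cert files in the question suggest.

```shell
# Added example: offline checks for the tls_cacert / tls_key / tls_cert
# files named in an olcSyncRepl value.  HOST is the name the other master
# puts in its provider=ldaps://HOST URI (assumption: this cert is also the
# one slapd serves on 636, so the peer verifies HOST against it).
#
# usage: syncrepl_tls_check CACERT KEY CERT HOST   (returns 0 if all pass)
syncrepl_tls_check() {
    ca=$1 key=$2 cert=$3 host=$4 rc=0
    for f in "$ca" "$key" "$cert"; do
        # a typo in a path fails here, before any handshake is attempted
        [ -r "$f" ] || { echo "missing or unreadable: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    # 1. the private key must belong to the certificate
    if [ "$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)" != \
         "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ]; then
        echo "tls_key does not match tls_cert"; rc=1
    fi
    # 2. the certificate must chain to the CA the peer is told to trust
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "tls_cert does not verify against tls_cacert"; rc=1
    fi
    # 3. the peer's consumer compares the provider host with the cert
    if ! openssl x509 -noout -in "$cert" -checkhost "$host" 2>/dev/null \
         | grep -q 'does match'; then
        echo "certificate does not cover host $host"; rc=1
    fi
    return $rc
}
```

Any line it prints corresponds to a "TLS negotiation failure" you would otherwise only see in the peer's log.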
Related
Below is apache2ctl status with almost no users online.
For over 5 years we (a cloud ERP supplier) have deployed instances on Google Cloud with Apache and mod_perl.
This week our largest server became slow and unresponsive. No idle workers were available. It turned out that increasing both MaxRequestWorkers and ServerLimit from 150 to 400 in mpm_prefork.conf got our server back fast.
I'm wondering why so many requests stay in "R" Reading Request, at least 10 times more requests than there actually should be.
We did further checking; DoS does not seem to be the issue, as on other servers too, in different clouds such as AWS or Alibaba, we notice the same ratio of 10 between requests actually being processed (R/W/K) and requests that stay in Reading mode.
What could cause this?
sudo /usr/sbin/apache2ctl status
Apache Server Status for localhost (via 127.0.0.1)
Server Version: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.29 OpenSSL/1.0.1f
mod_perl/2.0.8 Perl/v5.18.2
Server MPM: prefork
Server Built: Apr 3 2019 18:04:25
Current Time: Saturday, 29-Feb-2020 10:15:35 CET
Restart Time: Thursday, 27-Feb-2020 09:45:48 CET
Parent Server Config. Generation: 1
Parent Server MPM Generation: 0
Server uptime: 2 days 29 minutes 47 seconds
Server load: 0.75 0.77 0.75
Total accesses: 1581181 - Total Traffic: 8.6 GB
CPU Usage: u30.32 s9.64 cu0 cs0 - .0229% CPU load
9.06 requests/sec - 51.5 kB/second - 5.7 kB/request
96 requests currently being processed, 9 idle workers
RRKRRRK_RKRKKRRRRRK_RRRRKRCK_RRRC_CKK_KCRKCRK_RCR__CKKCCRCRRRRRR
RRRRR.RRRKRRRKRRR_RR..R.K.RCRKR.CKK.RRKKR.W.RRKR.....RR.........
................................................................
................................................................
................................................................
................................................................
................
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process
I have a Camel FTPS route which connects to an FTPS server with "Require TLS session resumption on data connection when using PROT P" enabled.
Is there a possibility on http://camel.apache.org/ftp2.html to enable this option? I didn't find anything similar. The FileZilla server runs on a customer's server and cannot be modified.
My route is now configured like this:
ftps://cent#CUSTOMERS_IP:990//?antInclude=**%2F*.tif&autoCreate=false&binary=true&disconnect=true&ftpClient.keyStore.file=D%3A%2FCent%2Fjboss-fuse%2Fetc%2Fcent-fuse.jks&ftpClient.keyStore.keyPassword=xxxxxx&ftpClient.keyStore.password=xxxxxx&isImplicit=true&maxMessagesPerPoll=100&move=%24%7Bfile%3Aname%7D.done&moveFailed=%24%7Bfile%3Aname%7D.error&passiveMode=true&password=xxxxxx&readLock=markerFile&recursive=false&scheduler=quartz2&scheduler.cron=0+0%2F5+*+*+*+%3F&securityProtocol=SSL&sortBy=file%3Aname&stepwise=false] failed polling endpoint: Endpoint[ftps://cent#46.14.136.146:990//?antInclude=**%2F*.tif&autoCreate=false&binary=true&disconnect=true&ftpClient.keyStore.file=D%3A%2FCent%2Fjboss-fuse%2Fetc%2Fcent-fuse.jks&ftpClient.keyStore.keyPassword=xxxxxx&ftpClient.keyStore.password=xxxxxx&isImplicit=true&maxMessagesPerPoll=100&move=%24%7Bfile%3Aname%7D.done&moveFailed=%24%7Bfile%3Aname%7D.error&passiveMode=true&password=xxxxxx&readLock=markerFile&recursive=false&scheduler=quartz2&scheduler.cron=0+0%2F5+*+*+*+%3F&securityProtocol=SSL&sortBy=file%3Aname&stepwise=false
And now I have the following error:
at org.apache.camel.component.file.remote.FtpOperations.listFiles(FtpOperations.java:821)[251:org.apache.camel.camel-ftp:2.17.0.redhat-630224]
at org.apache.camel.component.file.remote.FtpConsumer.doPollDirectory(FtpConsumer.java:122)[251:org.apache.camel.camel-ftp:2.17.0.redhat-630224]
at org.apache.camel.component.file.remote.FtpConsumer.pollDirectory(FtpConsumer.java:82)[251:org.apache.camel.camel-ftp:2.17.0.redhat-630224]
at org.apache.camel.component.file.GenericFileConsumer.poll(GenericFileConsumer.java:131)[232:org.apache.camel.camel-core:2.17.0.redhat-630224]
at org.apache.camel.impl.ScheduledPollConsumer.doRun(ScheduledPollConsumer.java:175)[232:org.apache.camel.camel-core:2.17.0.redhat-630224]
at org.apache.camel.impl.ScheduledPollConsumer.run(ScheduledPollConsumer.java:102)[232:org.apache.camel.camel-core:2.17.0.redhat-630224]
at org.apache.camel.pollconsumer.quartz2.QuartzScheduledPollConsumerJob.execute(QuartzScheduledPollConsumerJob.java:61)[348:org.apache.camel.camel-quartz2:2.17.0.redhat-630224]
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)[346:org.quartz-scheduler.quartz:2.2.2]
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)[346:org.quartz-scheduler.quartz:2.2.2]
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992)[:1.8.0_131]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)[:1.8.0_131]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)[:1.8.0_131]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)[:1.8.0_131]
at org.apache.commons.net.ftp.FTPSClient._openDataConnection_(FTPSClient.java:619)[216:org.apache.commons.net:3.3.0.redhat-3]
at org.apache.commons.net.ftp.FTPClient._openDataConnection_(FTPClient.java:759)[216:org.apache.commons.net:3.3.0.redhat-3]
at org.apache.commons.net.ftp.FTPClient.initiateListParsing(FTPClient.java:3293)[216:org.apache.commons.net:3.3.0.redhat-3]
at org.apache.commons.net.ftp.FTPClient.initiateListParsing(FTPClient.java:3271)[216:org.apache.commons.net:3.3.0.redhat-3]
at org.apache.commons.net.ftp.FTPClient.listFiles(FTPClient.java:2930)[216:org.apache.commons.net:3.3.0.redhat-3]
at org.apache.camel.component.file.remote.FtpOperations.listFiles(FtpOperations.java:814)[251:org.apache.camel.camel-ftp:2.17.0.redhat-630224]
... 8 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:505)[:1.8.0_131]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)[:1.8.0_131]
... 17 more
09:05:01,947 | WARN | etadata_Worker-2 | SftpOperations | 251 - org.apache.camel.camel-ftp - 2.17.0.redhat-630224 | JSCH -> Permanently added 'egkpercosrelay-int.apps.cent-systems.swiss' (RSA) to the list of known hosts.
I have started a server on port 6001 as master with AOF persistence turned off, and a slave on port 6002 with 6001 as its master. However, on startup of the slave I am getting the error below in an infinite loop; I am also not able to find any error logs for it.
Slave infinite loop logs:
[5556] 20 Aug 21:34:28.499 # Server started, Redis version 3.2.100
[5556] 20 Aug 21:34:28.500 * DB loaded from disk: 0.001 seconds
[5556] 20 Aug 21:34:28.500 * The server is now ready to accept connections on port 6002
[5556] 20 Aug 21:34:28.501 * Connecting to MASTER localhost:6001
[5556] 20 Aug 21:34:28.513 * MASTER <-> SLAVE sync started
[5556] 20 Aug 21:34:29.513 * Non blocking connect for SYNC fired the event.
[5556] 20 Aug 21:34:29.513 # Sending command to master in replication handshake: -Writing to master: Unknown error
[5556] 20 Aug 21:34:29.516 * Connecting to MASTER localhost:6001
[5556] 20 Aug 21:34:29.517 * MASTER <-> SLAVE sync started
Issue resolved: redis.conf contained 127.0.0.1 as the bind value, and in the slave's redis.conf file I had SLAVEOF localhost. Replacing localhost with 127.0.0.1 resolved the issue.
I'd like to understand something on my SSH server.
When I type
netstat -an | grep -i ':22'
it outputs this:
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.1:22 192.168.0.3:49236 ESTABLISHED
tcp 0 0 192.168.0.1:22 43.229.53.72:16866 ESTABLISHED
My local IP is actually 192.168.0.3 and my server is at 192.168.0.1.
How can I interpret 43.229.53.72:16866? It appears to be a Chinese address.
who -a
gives me
2015-09-09 02:05 62 id=si term=0 sortie=0
démarrage système 2015-09-09 02:05
niveau d'exécution 2 2015-09-09 02:05 dernier=S
2015-09-09 02:06 1890 id=l2 term=0 sortie=0
IDENTIFIANT tty1 2015-09-09 02:06 2987 id=1
IDENTIFIANT tty5 2015-09-09 02:06 2991 id=5
IDENTIFIANT tty2 2015-09-09 02:06 2988 id=2
IDENTIFIANT tty4 2015-09-09 02:06 2990 id=4
IDENTIFIANT tty3 2015-09-09 02:06 2989 id=3
IDENTIFIANT ttyAMA0 2015-09-09 02:06 2993 id=T0
IDENTIFIANT tty6 2015-09-09 02:06 2992 id=6
pi + pts/0 2015-09-12 19:17 . 4965 (192.168.0.3)
pts/1 2015-09-12 18:59 3529 id=ts/1 term=0 sortie=0
cat /var/log/auth.log | grep '43.229.53.72'
It appears that 43.229.53.72 tried many times to connect to my SSH:
Sep 8 21:55:21 raspberrypi sshd[30282]: Failed password for root from 43.229.53.72 port 39483 ssh2
Sep 8 21:55:23 raspberrypi sshd[30282]: Failed password for root from 43.229.53.72 port 39483 ssh2
Sep 8 21:55:25 raspberrypi sshd[30282]: Failed password for root from 43.229.53.72 port 39483 ssh2
Sep 8 21:55:25 raspberrypi sshd[30282]: Received disconnect from 43.229.53.72: 11: [preauth]
Sep 8 21:55:25 raspberrypi sshd[30282]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.72 user=root
For sure he is trying to brute-force the access, and he succeeded.
How do I kick and blacklist this address, and how do I prevent this in the future?
First note that establishing a TCP connection doesn't mean that the authentication succeeded.
On a public IP it is really frequent that bots try to connect and try some common passwords and known users. You don't have to worry about this, but you can mitigate this phenomenon with these things:
Install and set up fail2ban as proposed in the other answer
Disable password authentication -- bots don't try public keys or other methods
Disable root login -- most of the bots are trying to connect only to the root user
Move your service to a different port than 22 -- this is hiding, but it also mitigates most of the connections
Install a "port-knocking" tool that will hide your service from unauthorized access -- for example fwknop
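A small audit of an sshd_config against the password, root-login and port points above (an added example, not from the answer). It only parses the file; sshd_config(5) says the first value obtained for each keyword is the one used, which the audit reproduces, and `sshd -T` is the authoritative view when Match blocks are involved.

```shell
# Added example: check an sshd_config for the three settings the answer
# names.  First occurrence wins, as in sshd itself, so a hardened line
# appended below an earlier weak one changes nothing.

# usage: sshd_first CONFIG KEYWORD DEFAULT -> first value, or DEFAULT if absent
sshd_first() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s' "${v:-$3}"
}

# usage: sshd_audit CONFIG -> prints findings; exit status = number of findings
sshd_audit() {
    cfg=$1 n=0
    # OpenSSH default is "yes"; bots guess passwords, not keys
    if [ "$(sshd_first "$cfg" PasswordAuthentication yes)" != no ]; then
        echo "PasswordAuthentication is not 'no'"; n=$((n + 1))
    fi
    # default since OpenSSH 7.0 is "prohibit-password": root still gets in with a key
    if [ "$(sshd_first "$cfg" PermitRootLogin prohibit-password)" != no ]; then
        echo "PermitRootLogin is not 'no'"; n=$((n + 1))
    fi
    if [ "$(sshd_first "$cfg" Port 22)" = 22 ]; then
        echo "Port is the default 22"; n=$((n + 1))
    fi
    return $n
}
```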
I'm having trouble getting our system up and running using HTTPS.
I have created a keyfile from our wildcard certificate and placed the keyfile in our ./conf directory:
473 zbeckman:glimpulse-server$ ll conf
total 72
drwxr-xr-x 9 zbeckman staff 306 Sep 7 09:26 ./
drwxr-xr-x 22 zbeckman staff 748 Sep 7 09:32 ../
-rwxr-xr-x 1 zbeckman staff 1213 Sep 7 09:26 application.conf*
-rw-r--r-- 1 zbeckman staff 1374 Sep 7 08:49 glimpulse.keystore
-rw-r--r-- 1 zbeckman staff 1439 Aug 9 15:58 logback.xml
-rwxr-xr-x 1 zbeckman staff 5206 Aug 8 15:36 routes*
-rw-r--r-- 1 zbeckman staff 575 Apr 29 18:55 ws.conf
474 zbeckman:glimpulse-server$
And I have added the following to our ./conf/application.conf file, as per instructions in the Play Configuring HTTPS page:
play.server.https.keyStore.path = "./conf/glimpulse.keystore"
play.server.https.keyStore.password = "xxxxxxxxxxxxx"
And finally, I'm using -Dhttp.port=disabled -Dhttps.port=9000 to try and start the server, but it refuses to start.
Here are the results. Note the last line of output:
472 zbeckman:glimpulse-server$ ./activator start -Dhttp.port=disabled -Dhttps.port=9000
[info] Loading project definition from /Users/zbeckman/Projects/Glimpulse/Server/project/glimpulse-server/project
[info] Set current project to Glimpulse (in build file:/Users/zbeckman/Projects/Glimpulse/Server/project/glimpulse-server/)
[warn] The start command is deprecated, and will be removed in a future version of Play.
[warn] To run Play in production mode, run 'stage' instead, and then execute the generated start script in target/universal/stage/bin.
[warn] To test your application using production mode, run 'testProd' instead.
[info] Wrote /Users/zbeckman/Projects/Glimpulse/Server/project/glimpulse-server/target/scala-2.11/glimpulse_2.11-1.0-SNAPSHOT.pom
(Starting server. Type Ctrl+D to exit logs, the server will remain in background)
Must provide either an HTTP or HTTPS port
473 zbeckman:glimpulse-server$
As far as the keystore goes, I used the Java keytool to generate the store, based on our wildcard domain certificate:
keytool -import -alias tomcat -keystore glimpulse.keystore -trustcacerts -file star_glimpulse_com.crt
That seemed to go just fine, and the keystore was generated without any errors or warnings.
You could try to run it like this:
./activator "start -Dhttp.port=disabled -Dhttps.port=9000"
The quotes may be required to make sure the parameters get passed to the start command the right way.
Simply add this to your application.conf:
https {
# The HTTPS port of the server.
port = 9001
}
and your app will listen on port 9001.