Tag Archives: root privileges

Configuring NTP Server on Ubuntu

As part of a few changes happening I’ve been asked to look into how difficult would it be to configure our own local NTP server. From looking at very useful Ubuntu Man Pages and finding great articles on The Geek Stuff (one of my favourites sites) and Blogging Dragon, it appears that it’s more straightforward than I expected! Soooo this post will note down how to install and configure a NTP Server.

Network Time Protocol (NTP) is a network protocol for clock synchronization between servers, network devices and desktops. NTP is defined in RFC5905 and is described as:

Network Time Protocol version 4 (NTPv4), which is widely used to synchronize system clocks among a set of distributed timeservers and clients…. The NTP subnet model includes a number of widely accessible primary time servers synchronized by wire or radio to national standards. The purpose of the NTP protocol is to convey timekeeping information from these primary servers to secondary time servers and clients via both private networks and the public Internet.

For this test, I’m using ESXi Ubuntu 14.04LTS host as the local NTP server and will be configuring both a Juniper SRX220 and another ESXi Ubuntu 14.04LTS host as a NTP clients. The local NTP server’s IP address is 10.1.0.148

You will need root and/or sudo privileges

With all the background done, let’s get cracking 😀

As always, when getting anything from Ubuntu’s apt-get repository we’ll need to make sure to run update; to get all the newest version of packages currently installed and run dist-upgrade; to ensure the most important packages are updated as it has a “smart” conflict resolution system.

sudo apt-get update
sudo apt-get dist-upgrade

Having ensured the server’s packages are up to date, we can install the ntp and ntpdate packages by using apt-get install ntp ntpdate

sudo apt-get install ntp ntpdate

Before making any changes we need to make sure that the default time zone to Universal Time Coordinated (UTC). This is because UTC is regarded as the primary time standard by which the world regulates clocks and time. You can check/change the default time zone by running the command dpkg-reconfigure tzdata. You will be prompted to these screens where you can select the time zone: Screen #1 and Screen #2.

Once the time zone has been set, you will get the output below confirming the Time Zone:

[email protected]:~$ sudo dpkg-reconfigure tzdata

Current default time zone: 'Etc/UTC'
Local time is now:      Mon Jan 11 14:56:57 UTC 2016.
Universal Time is now:  Mon Jan 11 14:56:57 UTC 2016.

Next create a backup of the ntp.conf file

sudo cp /etc/ntp.conf /etc/ntp.conf.old

Use a text editor (I prefer nano) to open up the ntp.conf file and find the following lines below:

# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org

You can comment them out, delete, keep or replace the lines. The lines are specifying multiple servers to act as a timeserver, which is helpful when one of the timeservers fail. You can use regional pool ntp severs from ntp.org’s Regional Pools. In my example, as I live in the UK, I’ve used the regional pool of servers closest to the UK

server 0.uk.pool.ntp.org iburst dynamic
server 1.uk.pool.ntp.org iburst dynamic
server 2.uk.pool.ntp.org iburst dynamic
server 3.uk.pool.ntp.org iburst dynamic

The sytax iburst and dynamic are optional commands but can be useful to have set, depending on your environment.

  • iburst: After every poll a burst of eight packets is sent instead of one. When the server is not responding, packets are sent at 16 seconds intervals. When the server responds, packets are sent every 2 seconds. This means that after reboot or restart ntp synchronizations are established quicker.
  • dynamic: This option tells NTP it can try a configured server again later if it’s unavailable at some point, which can be useful when the server doesn’t always have Internet connectivity.
NOTE
You can see my full example ntp.conf file here

Having saved and close the updated ntp.conf file, we’ll need to restart the daemon running service ntp restart

[email protected]:~$ sudo service ntp restart
 * Stopping NTP server ntpd                 [ OK ] 
 * Starting NTP server ntpd                 [ OK ]

After restarting the daemon, the server will take around 10-15 minutes for NTP to synchronize with the timeservers and it will automatically set the system clock. By using the command ntpq -p we’ll be able to check the status of the NTP servers that we are synchronized with

[email protected]:~$  ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 time.rdg.uk.as4 85.25.105.105    2 u   21   64    3    3.138    0.047   0.506
 resntp-a-vip.lo 44.24.199.34     3 u   22   64    3    1.723    2.038   0.526
 2a03:b0c0:1:d0: 46.4.28.205      3 u   19   64    3    2.870    1.632   0.337
 neon.trippett.o 193.67.79.202    2 u   26   64    3    2.928    1.863   0.473
 golem.canonical 140.203.204.77   2 u   24   64    3    9.211    3.418   0.387

The table below explains the different parameters from the ntpq -p output:

Parameters Function
Remote Specifics the hostname of the timeserver
Refid This is a 32-bit code identifying the particular reference clock.
St (Stratus) This indicates your physical GPS closeness to the timeserver. Anything under 3 is seen as good
When Number of Seconds passed since the last poll or time check
Poll This is the minimum interval between transmitted messages, in seconds as a power of two. For instance, a value of six indicates a minimum interval of 64 seconds.
Reach How well a clock can maintain a constant frequency.
Delay Provides the capability to launch a message to arrive at the reference clock at a specified time. Relative to a selected reference clock.
Offset The time difference between two clocks, relative to a selected reference clock. Represents the amount to adjust the local clock to bring it into correspondence with the reference clock.
Jitter Short-term variations in Frequency with components greater than 10 Hz. The estimated time error of the system clock measured as an exponential average of RMS time differences.

You will be able start, stop, restart and/or check ntp status by using these commands

service ntp status
service ntp start
service ntp stop
service ntp restart

And with that we have a NTP server configured!

Enabling NTP Client

For testing, I configured a Juniper SRX220 to be the NTP client. It’s quite straightforward to enable ntp on a SRX; you’ll need to set and commit the commands to below and with that you will have NTP enabled. Simple Right! 🙂

set system ntp server 10.1.0.148 prefer
set system ntp server 10.1.0.148 version 4

For verification of NTP on the SRX we can run show ntp associations, show ntp status and show system uptime

show ntp associationsshow system uptimeshow ntp status
[email protected]> show ntp associations no-resolve 
     remote           refid      st t when poll reach   delay   offset  marquk01
==============================================================================
*10.1.0.148      178.62.6.103     3 -    8   64    1    1.849    2.498   0.160
[email protected]> show system uptime 
Current time: 2016-01-11 10:15:27 UTC
System booted: 2016-01-08 10:02:36 UTC (3d 00:12 ago)
Protocols started: 2016-01-08 10:05:13 UTC (3d 00:10 ago)
Last configured: 2016-01-11 10:13:34 UTC (00:01:53 ago) by marquk01
10:15AM  up 3 days, 13 mins, 2 users, load averages: 0.05, 0.11, 0.04
[email protected]> show ntp status                     
status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Fri Nov 13 15:40:48 UTC 2015 (1)",
processor="octeon", system="JUNOS12.1X47-D30.4", leap=00, stratum=4,
precision=-17, rootdelay=13.781, rootdispersion=2.340, peer=31708,
refid=10.1.0.148,
reftime=da3dff68.c47f84ec  Mon, Jan 11 2016 10:16:08.767, poll=6,
clock=da3dff6b.8ee12a6f  Mon, Jan 11 2016 10:16:11.558, state=3,
offset=0.000, frequency=0.000, jitter=0.213, stability=0.000

And on the Ubuntu host, it’s exactly the same as I described above, but in the /etc/ntp.conf file you’ll need to set the server as your local NTP server

# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
#server 0.ubuntu.pool.ntp.org
#server 1.ubuntu.pool.ntp.org
#server 2.ubuntu.pool.ntp.org
#server 3.ubuntu.pool.ntp.org

server 10.1.0.148 prefer iburst dynamic

We can then run ntpq -p to check the ntp server is the local server!

[email protected]:~$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.1.0.148      176.126.242.239  3 u   28   64    1    0.454    0.380   0.315

For more in-depth detailed information on how to use NTP pools see ntp.org and the Ubuntu Man page for more detail on ntp.conf file.

Share this:
Share

Useful tcpdump Commands

Tcpdump is a network debugging tool that runs under the command line. It allows the user to intercept and display TCP/UDP/IP and other packets being transmitted or received over a network to which the computer is attached. Running tcpdump by it’s self will begin recording traffic that is seen on the wire printing the output to the screen.

I found this list by @r_paranoid on their website Rationally Paranoid. Very Very useful set of tcpdump commands that can assist with troubleshooting and/or when a packet capture is needed.

See the list of interfaces on which tcpdump can listen:

tcpdump -D

Listen on interface eth0:

tcpdump -i eth0

Listen on any available interface (cannot be done in promiscuous mode. Requires Linux kernel 2.2 or greater):

tcpdump -i any

Be verbose while capturing packets:

tcpdump -v

Be more verbose while capturing packets:

tcpdump -vv

Be very verbose while capturing packets:

tcpdump -vvv

Be verbose and print the data of each packet in both hex and ASCII, excluding the link level header:

tcpdump -v -X

Be verbose and print the data of each packet in both hex and ASCII, also including the link level header:

tcpdump -v -XX

Be less verbose (than the default) while capturing packets:

tcpdump -q

Limit the capture to 100 packets:

tcpdump -c 100

Record the packet capture to a file called capture.cap:

tcpdump -w capture.cap

Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time:

tcpdump -v -w capture.cap

Display the packets of a file called capture.cap:

tcpdump -r capture.cap

Display the packets using maximum detail of a file called capture.cap:

tcpdump -vvv -r capture.cap

Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers):

tcpdump -n

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n host 192.168.1.1

Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n src net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port numbers:

tcpdump -n dst port 23

Capture any packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets:

tcpdump -v icmp

Capture any ARP packets:

tcpdump -v arp

Capture either ICMP or ARP packets:

tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:

tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default of 68 bytes:

tcpdump -s 500

Capture all bytes of data within the packet:

tcpdump -s 0

Additionally cyberciti.biz has a great man page on tcpdump commands

Share this:
Share

Manually changing an Active Slave in a Bond-Type 1 Configuration

As I was doing testing in my previous post, I ran into an issue where I had configured bond-type 1 (Active-Backup) interface however Active Slave never failed over when I disconnected the interface. For the life of me, I didn’t have a clue why! Subsequently, I found out that the configuration I had on ESXi host’s vSwitch was wrong and this is why the failover never happened.

Before I told about the ESXi vSwitch, I was looking at a number of different ways to fix this issue. From my searching I found a great article written by Ivan Erben on how you can manually fail over active slave in bond-type 1 configuration

It was quite straightforward, as I like it :p

Firstly, check to see what the active slave is by using the command cat /proc/net/bonding/bond0

[email protected]:~$ cat /proc/net/bonding/bond0 
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth1
MII Status: up
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:0c:29:4f:26:c5
Slave queue ID: 0

Slave Interface: eth2
MII Status: up
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:0c:29:4f:26:cf
Slave queue ID: 0

Having seen that eth1 is the active slave, we can remove the interface from the bond, by running echo -eth1 > /sys/class/net/bond0/bonding/slaves

Note
You will need to sudo root to make this change.
[email protected]:~$ sudo -s
[sudo] password for marquk01: 
[email protected]:~# echo -eth1 > /sys/class/net/bond0/bonding/slaves

We can see that the eth1 has been removed from bond configuration

[email protected]:~# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth2
MII Status: up
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth2
MII Status: up
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:0c:29:4f:26:cf
Slave queue ID: 0

The bond will still pass traffic and work as expected to add the interface back into the bond, we would need to run echo +eth1 > /sys/class/net/bond0/bonding/slaves

As we can see, eth1 has been added back into the bond and eth2 has become the active slave.

[email protected]:~# echo +eth1 > /sys/class/net/bond0/bonding/slaves
[email protected]:~# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth2
MII Status: up
MII Polling Interval (ms): 0
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth2
MII Status: up
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:0c:29:4f:26:cf
Slave queue ID: 0

Slave Interface: eth1
MII Status: up
Speed: 10000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:0c:29:4f:26:c5
Slave queue ID: 0

This is very useful, if you know you have planned maintenance or need a quick failover of interfaces and you don’t have link detection enabled. Definitely a great find and post by Ivan! You can check out his blog here

Share this:
Share

Creating a Virtual Host on Apache2 Ubuntu 14.04LTS

You will need to have installed/Created:

Sudo or root access
Apache2
Folder Path Directory

1. create a virtual host for the website, by copying and renaming the default configuration file in apache

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/(exmaple.co.uk).conf

2. edit virtual host conf file

sudo nano /etc/apache2/sites-available/(example.co.uk).conf

The config file should look like this in the end:

ServerAdmin [email protected]
DocumentRoot /var/www/(example.co.uk)/html
ServerName (example.co.uk)
ServerAlias (example.co.uk)
<Directory /var/www/(example.co.uk)/html/>
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

3. enable the virtual hosts

sudo a2ensite (example.co.uk).conf

You will get the message below:

Enabling site (example.co.uk).
To activate the new configuration, you need to run:
service apache2 reload

4. reload apache

sudo service apache2 restart

All done 😀

Share this:
Share

Securing Webpages with .htaccess

You will need to have following installed or available:

sudo and/or root privilages
text editor (nano or vi)
apache2-utils

Firstly you will need to enable apache to allow overrides. You will need to edit your apache config file.

sudo nano /etc/apache2/sites-available/exmaple.co.conf

You will need to add the AllowOverride All within the section. You have to manual set the directory section to the folder you want to protect. In this example, I just wanted to protect anything within the html folder


 AllowOverride All

Normally (from my experience) their isn’t a Directory section, so you can just copy and paste the code into your file. In the end it should look something like this:

<VirtualHost *:80>
ServerName example.co
ServerAlias example.co
ServerAdmin [email protected]
DocumentRoot /var/www/example.co/html
 <Directory /var/www/example.co/html/>
   AllowOverride All
 </Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Once you have saved and closed, you will need to apply the change via an apache restart

sudo service apache2 restart

Next, create the .htaccess

touch .htaccess

Within the .htaccess, you will need to add the following details:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /home/example/.htpasswd
Require valid-user

Save and close, once the details have been added.

Finally, we will need to add users that can have access to the newly restricted folder

sudo htpasswd -c /home/example/.htpasswd {username}

You will prompted to enter a password that will not be shown.

If you wanted to additional users, you will use the same command without -c

sudo htpasswd /home/example/.htpasswd {username}

Now you should be able to browser to the website/folder and be greeted with login prompt 😀

For more in-depth detail and explanation visit Digital Ocean’s htaccess guide

Share this:
Share