wangee's technical blog
HTTPS + SSH + OpenVPN + XMPP + Tinc on the same port ? YES WE CAN!
Saturday 3 December 2011 @ 8:10 pm

Most networks (enterprise or public) filter traffic, and most of the time only ports 80 (HTTP) and 443 (HTTPS) are open. The consequence is that you cannot connect to any other port, which is a pity!

The geek's dream would be to use a single port for several protocols. Yves Rutschle (aka WhiteRabbit) started from a simple observation:

  • When you browse a secured website, the HTTPS client (your web browser) talks first.
  • An SSH client (PuTTY, for example) waits for a response from the SSH server. The server talks first (login prompt).

Imagine a daemon that listens on a TCP port (e.g. port 443) and waits.

  • If no packet has been received after 2 seconds, the connection is assumed to be SSH and is forwarded to the SSH server.
  • When a packet does arrive, its header tells whether this is an HTTPS, OpenVPN, XMPP or even a tinc request, and the connection is forwarded to the right server!

This amazing proxy exists and is called sslh. sslh is an SSL/SSH multiplexer that is pretty easy to install and use.
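The probe-then-forward logic described above, written out as an added example for this page (it is my own illustration in Python, not sslh's code): a small multiplexer that waits up to 2 seconds for the client to speak, routes silent connections to SSH, and otherwise inspects the first bytes to pick a backend. The backend table, the fallback to the web server for unrecognised clients, and the probe heuristics (which only approximate what sslh looks for) are my assumptions.

```python
import asyncio
import struct

# Constructed backend table (assumption): the post's own ports for SSH and HTTPS,
# plus the usual default ports for the other three daemons sslh can front.
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "ssl": ("127.0.0.1", 8443),
    "openvpn": ("127.0.0.1", 1194),
    "xmpp": ("127.0.0.1", 5222),
    "tinc": ("127.0.0.1", 655),
}
PROBE_TIMEOUT = 2.0     # seconds of client silence before assuming a server-talks-first protocol
DEFAULT_PROTO = "ssl"   # assumption: clients we cannot recognise are handed to the web server


def classify(first: bytes) -> str:
    """Guess the protocol from the first bytes a client sent (approximation of sslh's probes)."""
    if first.startswith(b"SSH-"):
        return "ssh"      # an SSH client that sent its banner before our timeout expired
    if len(first) >= 3 and first[0] == 0x16 and first[1] == 0x03 and first[2] <= 0x03:
        return "ssl"      # TLS record header: content type handshake (0x16), version 3.x
    if first.startswith(b"0 "):
        return "tinc"     # tinc's first message is "0 <name> <version>" (ID request)
    if b"jabber" in first:
        return "xmpp"     # the XMPP stream opening carries a jabber:client/jabber:server namespace
    if len(first) >= 2 and struct.unpack("!H", first[:2])[0] == len(first) - 2:
        return "openvpn"  # OpenVPN over TCP prefixes every frame with its big-endian length
    return DEFAULT_PROTO


def choose_backend(first: bytes, timed_out: bool):
    """Silence means SSH; otherwise the header decides. Returns (protocol, (host, port))."""
    proto = "ssh" if timed_out else classify(first)
    return proto, BACKENDS[proto]


async def pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the destination."""
    try:
        while chunk := await src.read(65536):
            dst.write(chunk)
            await dst.drain()
    finally:
        dst.close()


async def handle_client(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    timed_out = False
    try:
        first = await asyncio.wait_for(reader.read(1024), timeout=PROBE_TIMEOUT)
    except asyncio.TimeoutError:
        first, timed_out = b"", True
    if not first and not timed_out:   # client connected and immediately hung up
        writer.close()
        return
    proto, (host, port) = choose_backend(first, timed_out)
    try:
        up_reader, up_writer = await asyncio.open_connection(host, port)
    except OSError:
        writer.close()                # backend down: drop the client rather than hang it
        return
    up_writer.write(first)            # replay the bytes consumed while probing
    await up_writer.drain()
    await asyncio.gather(pump(reader, up_writer), pump(up_reader, writer))


async def main(listen_host: str = "0.0.0.0", listen_port: int = 443) -> None:
    server = await asyncio.start_server(handle_client, listen_host, listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Two things worth noticing in this sketch: the bytes read during probing must be replayed to the backend, otherwise the TLS or XMPP handshake starts with a hole; and the client, not the server, chooses which backend it reaches, so each backend has to keep its own authentication, the multiplexer adds none. Binding port 443 needs privileges, which is exactly the root problem the post raises below; for a local try-out use a port above 1024.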

For Fedora Core 16, there is no RPM package yet, so I made one; you can download it here: sslh-1.10-1.fc16.i686.rpm

Please note that this package is unofficial for now; I have submitted it for inclusion in the official Fedora repositories.

Another IMPORTANT note: for now, sslh runs as the root user, which is not good at all from a security point of view. I am looking to solve this as soon as possible.

How to install sslh on Fedora Core 16?

  • Install the package

rpm -ivh sslh-1.10-1.fc16.i686.rpm

  • Check the file /etc/sysconfig/sslh and the ports where SSH and HTTPS (SSL) will listen. I want sslh to listen on port 443, SSH to listen on its original port (22) and HTTPS to listen on 8443. My file looks like this:

LISTEN=ifname:443
SSH=localhost:22
SSL=localhost:8443

  • Check the file /etc/init.d/sslh. Locate the line OPTIONS= and set the ports for your needs. If you can, replace --user=root with the name of an existing restricted user; this works around the root security issue mentioned above. Mine looks like this:

OPTIONS="-v --user=root -p 0.0.0.0:443 --ssl 127.0.0.1:8443 --ssh 127.0.0.1:22"

  • Configure the web server: edit the file /etc/httpd/conf.d/ssl.conf, locate every line containing the string "443" and replace it with "8443".
  • Configure the SSH server: edit the file /etc/ssh/sshd_config and modify the line starting with "Port 22" according to your needs. Mine did not require any change.
  • Restart the syslog daemon, sshd and httpd:

systemctl restart rsyslog.service
systemctl restart httpd.service
systemctl restart sshd.service

  • Finally start sslh

systemctl start sslh.service

  • Enjoy!
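Once the steps above are done, the thing to verify is that the ports ended up where this how-to says they should be: sslh on 443 facing the network, httpd on 8443 reachable only through sslh, and sslh not running as root. The following is an added example written for this page (not part of the post or of the sslh package): it parses the output of `ss -ltnp` and `ps -o user= -C sslh`, and reports deviations. The sample `ss` lines are constructed, and the rule that 8443 must be bound to loopback only is my recommendation, not something the post states.

```python
import re
import subprocess

# Constructed sample of `ss -ltnp` output (assumption: roughly what this how-to leaves behind;
# the real command has to run as root for the owning process to be shown).
SAMPLE_SS = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN  0      128    0.0.0.0:443         0.0.0.0:*         users:(("sslh",pid=1201,fd=4))
LISTEN  0      128    0.0.0.0:8443        0.0.0.0:*         users:(("httpd",pid=1150,fd=6))
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
"""

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

# Expected layout (assumption): port -> (owning process, loopback only?). sslh must be reachable
# from outside; httpd only ever sees connections relayed by sslh, so it has no reason to be exposed.
EXPECTED = {
    443: ("sslh", False),
    8443: ("httpd", True),
    22: ("sshd", False),   # the post keeps sshd on its original port
}


def parse_listeners(text: str):
    """Map (local address, port) -> owning process name from ss -ltnp output."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[(m.group(1), int(m.group(2)))] = m.group(3)
    return found


def check_layout(listeners, expected=EXPECTED):
    """Return a list of findings; an empty list means the layout matches expectations."""
    findings = []
    for port, (proc, loopback_only) in expected.items():
        hits = [(addr, owner) for (addr, p), owner in listeners.items() if p == port]
        if not hits:
            findings.append(f"port {port}: nothing listening, expected {proc}")
        for addr, owner in hits:
            if owner != proc:
                findings.append(f"port {port}: owned by {owner}, expected {proc}")
            if loopback_only and addr not in ("127.0.0.1", "[::1]", "::1"):
                findings.append(f"port {port}: {owner} bound to {addr}, expected loopback only")
    return findings


def check_sslh_user(ps_user_output: str):
    """Flag sslh running as root; feed it the output of `ps -o user= -C sslh`."""
    users = sorted(set(ps_user_output.split()))
    return [f"sslh runs as {u}; use --user with a restricted account" for u in users if u == "root"]


if __name__ == "__main__":
    ss_out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout
    ps_out = subprocess.run(["ps", "-o", "user=", "-C", "sslh"], capture_output=True, text=True).stdout
    for finding in check_layout(parse_listeners(ss_out)) + check_sslh_user(ps_out):
        print(finding)
```

Run it as root on the freshly configured box; no output means the three ports are held by the expected daemons. With the ssl.conf edit exactly as described (every "443" replaced by "8443"), httpd will usually listen on all interfaces, which this check reports; changing the Listen line to 127.0.0.1:8443 makes the web server reachable only through sslh.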

If you have followed this mini how-to, please leave a comment if you found something wrong or if you want to propose improvements.

Comments (0) - Posted in Sys Admin by  



Better than top : htop!
Tuesday 22 November 2011 @ 11:41 am

I don't know what to call it. A command? A tool? No matter! Every Unix sysadmin knows "top" and finds it very useful when troubleshooting the performance of a Unix system.

But do you know htop? htop is similar to top but with nicer features. It requires ncurses.

Instead of just showing numbers, htop shows CPU usage, memory usage and swap usage graphically.

Among those nice features (non-exhaustive list):

  • Horizontal and vertical scrolling.
  • Easier to kill a task. No need to type the PID of the process you want to kill: just scroll to the process and press "k" or F9, then choose the signal you want to send.
  • Same if you want to renice a process: press F7 to lower or F8 to raise the priority level.
  • You want to see the parent/child processes? No problem, press F5 and you get a nice tree view.
  • Sorting the processes by CPU%, MEM%, PID? F6 will do it!
  • Finding the files opened by a process? Pressing "l" will do it!
  • Setting CPU affinity ("a" key).

Some pictures show best how htop is better than top:

[Screenshot: Tree View]

[Screenshot: Support for a large number of processors]

[Screenshot: Setting up CPU Affinity]

[Screenshot: htop running on a machine with 128 cores and 1TB of RAM]

The father of "htop" is Hisham Muhammad (now you know where the "h" comes from ^^), and it is hosted on SourceForge.

Packages are available for Fedora, Debian and Ubuntu.

Comments (0) - Posted in Sys Admin by  



GFS : The Grandfather – Father – Son backup tape rotation
Tuesday 15 November 2011 @ 4:09 pm

The next episode in the series of obvious things a backup administrator *must* know is about tape rotation schemes.

I am filling my wiki slowly, and today I wrote a page about the GFS (Grandfather Father Son) tape rotation. This tape rotation scheme is very often described as an industry standard. Right or wrong, I don't know. What I am sure of is that I have used it many times. This GFS scheme is very interesting and can be adapted to most business needs. Depending on the data retention constraints you have, on the number of tapes you have and on the amount of data to back up, GFS is the first scheme to look at.
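The post only names the scheme, so here is one common GFS layout spelled out as a schedule generator; this is an added example of mine, not the wiki page's content, and the retention choices (four daily "son" tapes reused weekly, a Friday "father" tape reused monthly, the month's last Friday promoted to a "grandfather" kept for a year, no weekend runs) are assumptions chosen to illustrate the idea. It also generalises a little beyond the post by computing how many tapes such a pool needs.

```python
from datetime import date, timedelta

# Example schedule (assumption, one common GFS layout):
#   Monday-Thursday : "son" tapes, one per weekday, overwritten the following week
#   Friday          : "father" tape, one per week of the month, overwritten next month
#   last Friday     : "grandfather" tape, one per month, kept for a year
SON_DAYS = ("mon", "tue", "wed", "thu")
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec")
GRANDFATHER_RETENTION_MONTHS = 12


def is_last_friday(d: date) -> bool:
    """True when d is a Friday and the next Friday falls in another month."""
    return d.weekday() == 4 and (d + timedelta(days=7)).month != d.month


def gfs_tape_for(d: date):
    """Return (tier, tape label) for the backup due on day d, or None on weekend days."""
    wd = d.weekday()  # Monday = 0 ... Sunday = 6
    if wd >= 5:
        return None
    if wd < 4:
        return ("son", f"daily-{SON_DAYS[wd]}")
    if is_last_friday(d):
        return ("grandfather", f"monthly-{MONTHS[d.month - 1]}")
    return ("father", f"weekly-{(d.day - 1) // 7 + 1}")


def pool_size(months: int = GRANDFATHER_RETENTION_MONTHS) -> int:
    """Tapes the pool needs: 4 sons, 4 fathers (a fifth Friday is always the month's last
    one and becomes a grandfather), plus one grandfather per retained month."""
    return len(SON_DAYS) + 4 + months


def tapes_used(start: date, days: int):
    """Distinct tape labels the schedule touches over `days` days starting at `start`."""
    labels = set()
    for i in range(days):
        tape = gfs_tape_for(start + timedelta(days=i))
        if tape:
            labels.add(tape[1])
    return labels


if __name__ == "__main__":
    for offset in range(14):  # two weeks around the date of this post, for illustration
        day = date(2011, 11, 14) + timedelta(days=offset)
        print(day, gfs_tape_for(day))
    print("tapes needed for one year of retention:", pool_size())
```

The useful property to check against your own constraints is the last function: over a full year the schedule should touch exactly `pool_size()` labels, and if your retention requirement is longer, only the grandfather count grows, which is what makes the scheme easy to size.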

Click here to read the wiki page about the GFS Tape rotation scheme

 

Comments (0) - Posted in Backup by  



Resuming on Amanda (Advanced Maryland Automatic Network Disk Archiver)
Monday 14 November 2011 @ 1:53 pm

I've been around the block in this fantastic world of data backup. I have known Amanda for more than 10 years. I worked on using Amanda to back up a beta site when I worked at Isabel. The constraint was to avoid paying a lot of money for Legato Networker (now called EMC Networker) licences. I used Amanda with a Digital Equipment 8-tape DLT library. Again using Amanda, I reworked the full backup strategy at another of my system engineer jobs (Molis [now called vision4health]), but my interest in backups came back for good when I worked in a Google datacenter. Those huge libraries of several thousand tapes made me very excited to embrace data saving again.

In the cases I mentioned above, Amanda had all the features that fit my needs perfectly. Why?

  • Amanda is Open Source software, released under the GNU GPL licence. In two words: you can use it for private purposes, but also for your business needs, and you can even charge a fee for the service you provide. I recommend browsing http://www.gnu.org/licenses/licenses.html for more details on the GNU General Public License.
  • Amanda can handle a single tape drive, but also a 10,000-tape library.
  • Amanda offers a command line interface, which was very interesting because I could monitor it more easily (especially with Nagios, the Open Source monitoring software). This is also a *very* useful feature when you are working remotely!
  • Amanda can back up and restore over the network. In other words, one tape library can back up several servers. This may seem obvious, but in the late 90s that was purely awesome!

Today, I don't remember much about Amanda, because I left it aside when I had no need or opportunity to use it. But as soon as I took an interest in this software again, I was pleasantly surprised that it was still there and had improved!

The goal of this post is to tell you that I am happy and excited to take Amanda up again, as I had done in the past.
Then I plan to explore the new features this fabulous backup software offers.

I intend to do all that in a spirit of re-learning, with details on how I configured it.

This is the time to introduce my new personal wiki, where I will cover the topics I am interested in. My wish is to make this wiki my personal knowledge base, but also a resource for anyone interested in those topics. I hope they will find relevant information for their private or business use and share their own.

So, what is Amanda?

As the official website says, AMANDA is the acronym of "Advanced Maryland Automatic Network Disk Archiver". It is a backup solution that allows IT administrators to set up a single master backup server to back up multiple hosts over the network to tape drives/changers, disks or optical media. Amanda uses native utilities and formats (e.g. dump and/or GNU tar) and can back up a large number of servers and workstations running multiple versions of Linux or Unix. Amanda also uses a native Windows client to back up Microsoft Windows desktops and servers. This may seem little, but believe me, being able to back up any kind of Unix or Windows server is purely great, especially in a professional environment.

As I have retrieved two good old SCSI DAT-40 drives, I told myself it was the right time to spend some time on Amanda and start a topic called Amanda Cookbook on my wiki.

The first topic is pretty obvious and covers installing Amanda on an RPM-based Linux distribution using Yum. More information will come with time.

Thanks for reading

Comments (0) - Posted in Backup by  



Yay! Starting up with my new blog
Sunday 13 November 2011 @ 1:11 am

Hi guys!

This is my first post, and I am starting a technical blog. The goal of this blog is simple: keeping my readers updated on some technical things I write.

What I plan is to take up again the skills I had in the past. I intend to do all that in a spirit of re-learning, with details on how I did it. I hope the readers of this technical blog will find relevant information for their private or business use.

In addition to this blog, I’ve set up a wiki that you can reach at the following URL : http://wiki.opsyx.com/

 

Thanks for reading, and you can already bookmark this website :)

Wangee

 

 

Comments (0) - Posted in Uncategorized by