1. Attach the USB device to the Dom0 and run ‘dmesg’ to see if the device attached
2. Run ‘fdisk -l’ to see if the drive is partitioned the way you want it
3. For instance:
   [root@example ~]# fdisk -l /dev/sdc
   Disk /dev/sdc: 1000.2 GB, 1000204886016 bytes
   255 heads, 63 sectors/track, 121601 cylinders
   Units = cylinders of 16065 * 512 = 8225280 bytes
   Device Boot Start End Blocks Id System
   dev/sdc1 1 121601 976760001 8e Linux LVM
4. Now find a drive letter that is not being used on the DomU, in this instance we’ll use /dev/sde
5. To attach the USB device to the DomU run the following command
   • xm block-attach exampledomu phy:/dev/sdc sde w
6. You should now see the device on the DomU, run either ‘dmesg’ or ‘fdisk -l’ to verify
7. Mount the device as normal
   • mount /dev/sde1 /mnt/usb

Unmounting the device

1. You first need to get the device id number from the block list. Do this by running:
   • xm block-list exampledomu
2. This will return:
   Vdev BE handle state evt-ch ring-ref BE-path
   51712 0 0 4 9 8 /local/domain/0/backend/tap/23/51712
   2176 0 0 4 10 1338 /local/domain/0/backend/vbd/23/2176
3. The number you need to use to remove the device is 2176
4. Unmount the USB device from the DomU
   • umount /mnt/usb
5. Now on the Dom0 run:
6. xm block-detach exampledomu 2176
7. You may now remove the USB device

There are six different kinds of NIC bonding in Linux, the one we will set up is mode 4 which follows the 802.3ad standard known as link aggregate control protocol. This allows for an active-active grouping of network cards and in testing resulted in zero ping drop, though I did see a momentary spike in response time (from 2ms to 20-30ms during convergence).

1. First you need to check that your network card is capable of 802.1q VLAN tagging. You will need to research the capabilities of the card to make sure. Run ‘lspci | grep -i ethernet’ and note the response.
2. Second, check to see if the 802.1q module is installed by running ‘lsmod | grep 8021q’.  If its not installed then run ‘yum install bridge-utils’
3. Once those steps are done we can start configuring the network cards.  Go to /etc/sysconfig/network-scripts, in there you should see your network card configuration files; usually named ‘ifcfg-eth#’.  Write down or make a backup copy of the network information in your active NIC configuration file as you will need it later.
4. Edit your first configuration file with the following
   

   
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
MASTER=bond0
SLAVE=yes


5. Your secondary card will contain the same information however the ‘DEVICE=eth#’ should match the name of the second card.
6. Next we card the bonded interface, which then becomes the main device for the server. Create a new file named ‘ifcfg-bond0′:
   

   
DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet
USERCTL=no


7. We now create the configuration file which will handle the 802.1q jumbo frames. Note that the device is named ‘bond0.17′. This is important as the ’17′ is the VLAN ID which the server will listen on. Make sure you know which VLAN’s are in your environment! Create a file named ‘ifcfg-bond0.17′:
   

   
DEVICE=bond0.17
BOOTPROTO=static
ONBOOT=yes
VLAN=yes
TYPE=Ethernet
BRIDGE=xenbr17

    

8. The ‘BRIDGE’ string is also important as this will tie the bond0.17 config file to the Xen bridge we are about to create. Repeat that step for every VLAN that you want your server to listen to.
9. Next we will create the configuration file that the DomU will be given. Create a file called ‘ifcfg-xenbr17′ and place the following:
   

   
DEVICE=xenbr17
TYPE=Bridge
BOOTPROTO=static
ONBOOT=yes
DELAY=0
STP=off

    

10. We will now create the management interface for the server. The management interface should have the same security restrictions as a management interface would have for a switch or any other network device. If someone compromises your Dom0, then all of your DomU’s are also compromised. ACL’s should be implemented for this network!
    

    
DEVICE=xenbr192
TYPE=Bridge
BOOTPROTO=static
ONBOOT=yes
DELAY=0
STP=off
IPADDR=192.168.1.12
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255

     

11. Edit the /etc/modprobe.conf file and append the following:
    

    
alias bond0 bonding
options bond0 miimon=100 mode=4 lacp_rate=1

     

12. That told the server what type of network bonding we will use. ‘mode=4′ tells the server that we want to use 802.3ad as our protocol for communication to the switch device.
13. Edit the /etc/xen/xend-config.sxp file, change where it says ‘(network-script network-bridge)’ to ‘(network-script ‘network-bridge-bonding bridge=bond0 netdev=0′)’
14. Now reboot the server

The next steps we will configure a Cisco switch, create the port channel, and configure it for LACP with 802.1q trunking.

1. Log into your switch, go to the global configuration mode and create a port channel interface by typing ‘int port-c 1′
2. Enter the following:
   

   
switchport trunk encapsulation dot1q
switchport mode trunk

    

3. Now go to the actual switch interfaces and enter the following:
   

   
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active

    

4. If the switch ports had originally been set up as an access interface, you can remove the configuration by entering:
   

   
no switchport mode access
no switchport access vlan VLAN ID

    

5. Now save the configuration file

Installation of new DomU’s will be the same as before by giving them a ‘xenbr#’ interface

To use:

1. Download the EPEL RPM which can be found at: http://download.fedora.redhat.com/pub/epel/
2. Install pymydb-0.5.1-1.noarch.rpm which can be found at: GitHub
• This script creates the necessary directories and user account
3. After installation, there will be two scripts placed in /usr/local/bin which are pymydb.py and setup.py
4. Run the setup.py script, this will configure the pymydb.py script
• Logs into the MySQL server
• Creates the backup user, sets a password, and gives him select and lock tables privileges
• Configures the email settings
5. Change the permissions on the pymydb.py script
• chown root.pymydb pymydb.py
6. Add the pymydb.py script into cron and make sure to add a password for the system user

There are a lot of examples and scripts out on the Internet to automate MySQL backups but not a whole lot written in Python. This was developed to use in a MySQL replication environment and should be run on the slave server. This is an optimal solution as backup’s can run without affecting production. The script dumps each database individually, calculates the size of the sql backup, tarball them up, and emails a log when its done.

To run this the MySQLdb module must be installed on the server. You should also create a user specifically designed to run backups. You can effectively do this by running:

grant select, lock tables on *.* to backup@'localhost' identified by 'password';

The password is stored in base64 format. To encrypt the password for use in the script, run the following command within the Python terminal:


>>> from base64 import b64encode as encode
>>> encode("password")
'cGFzc3dvcmQ='

Though this is not the most secure way to encrypt a password to use within a script, it will prevent shoulder surfers.

Here it is, enjoy – https://github.com/jasonbrown17/MySQL-Backups

Server 1

server-id=1
auto_increment_offset=1
auto_increment_increment=3
log-bin=mysql_log

Server 2

server-id=2
auto_increment_offset=1
auto_increment_increment=3
log-bin=mysql_log

Make sure that the server id’s in the my.cnf file are unique for each server and the auto_increment_increment is n+1 more than the total amount of servers in your environment. This way your slave servers will update correctly. Once that is complete, restart the MySQL Service

service mysqld restart

To configure your slave user, log into the master and type the following:

mysql> create user slaveuser@’slavehost.example.com’ identified by ‘somepassword’;
mysql> grant replication slave on *.* to slaveuser@’slavehost.example.com’
mysql> flush privileges;

The next step is to dump the database from your primary server and import it on the slave server. To dump the database:

mysqldump -u root -p –lock-tables database > database.sql

Import the database on the slave server:

mysql -u root -p database < database.sql

We need to get the log file and position information from the master server in order to sync it with the slave. First lock the tables so no changes can be made and then show the status.

mysql> FLUSH TABLES WITH READ LOCK;
mysql> show master status;
+——————+————–+———————-+—————————+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+——————+————–+———————-+—————————+
| mysql_log.000006 | 156005305 | | |
+——————+————–+———————-+—————————+
1 row in set (0.00 sec)

Configure the slave server to attach to the master with the correct credentials. Note the MASTER_LOG_FILE and the MASTER_LOG_POS information need to be identical as the master.

mysql> CHANGE MASTER TO
-> MASTER_HOST=’masterhost.example.com’,
-> MASTER_USER=’slaveuser’,
-> MASTER_PASSWORD=’somepassword’,
-> MASTER_LOG_FILE=’mysql-bin.000006′,
-> MASTER_LOG_POS=156005305;

Next start the replication

mysql> START SLAVE;

Unlock the tables on the master

mysql> UNLOCK TABLES;

Check to make sure that it is running properly

mysql> show slave status\G;
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: masterhost.example.com
Master_User: slaveuser
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql_log.000006
Read_Master_Log_Pos: 156005305
Relay_Log_File: mysqld-relay-bin.000146
Relay_Log_Pos: 107097880
Relay_Master_Log_File: mysql_log.000006
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 155994592
Relay_Log_Space: 107097880
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: 0
1 row in set (0.00 sec)

To set up a master-master replication, repeat the process on the second MySQL server.

That’s it!

Once this is done we can then configure Dom0 to communicate to these networks. In CentOS, you need to change directories to /etc/sysconfig/network-scripts.

First copy the ifcfg-eth0 file to make a back up then edit the file as follows:
DEVICE=eth0
HWADDR=
ONBOOT=yes
BOOTPROTO=none

Next we create four new files which will define our VLAN and non-VLAN traffic. The first two files will define which VLANs the server should listen on:

Create the file: /etc/sysconfig/network-scripts/ifcfg-eth0.17. This will define VLAN 17.
Then enter in the following:
DEVICE=eth0.17
BOOTPROTO=static
ONBOOT=yes
VLAN=yes
TYPE=Ethernet
BRIDGE=xenbr17

Make a secondary file which will sit on VLAN 192, VLAN 192 is where the IP of the Dom0 will reside.

DEVICE=eth0.192
BOOTPROTO=static
ONBOOT=yes
VLAN=yes
TYPE=Ethernet
BRIDGE=xenbr192

The next two files will define the bridged interfaces. These are necessary to strip the 802.1q header so the server and DomU’s can communicate across the network. The first file will be for the publicly routable network:

DEVICE=xenbr17
TYPE=Bridge
BOOTPROTO=static
ONBOOT=yes
DELAY=0
STP=off

The next file will be for the internal network.

DEVICE=xenbr192
TYPE=Bridge
BOOTPROTO=static
ONBOOT=yes
DELAY=0
STP=off
IPADDR=192.168.1.12
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255

After that reboot the server.

Next create a virtual instance with virt-install and run it as follows:
virt-install --name test --ram 1024 --location 'centos mirror' -f /dev/lvm/test -b xenbr17 -p
The '-b' is important as it will define the bridge the new server will sit on.

Look in the Dovecot config file located in /etc/dovecot.conf under “SSL ciphers to use” and you will see:
ssl_cipher_list = ALL:!LOW:!MEDIUM

To disable these weak ciphers change this to:
ssl_cipher_list = ALL:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA

Run the Nessus scan again and those two vulnerabilities go away

Which tells you to run the command:
sealert -l a1bc9b39-80a2-4f2e-963f-12daf766a8d4

Usually the report is very good and diagnosing and telling you which booleans to activate, however in this instance we have to create our own module.

First: Download and install selinux-policy-devel
Second: Parse through the raw audit messages. We are looking for two things; message type and comm name.
Third: Run the ausearch command and pipe it to audit2allow
For instance: ausearch -m AVC --comm cleanup | audit2allow -M ClamAV

Once the files have been generated then run: semodule -i ClamAV.pp and see if the problem has been resolved. If not, tail the messages log again to see if there is any additional SEAlerts that you should be aware of.

Networking
First, lets take a look at configuring kernel parameters to prevent network based attacks. These include disallowing intruders to alter routing tables and source routed packets, preventing an intruder from configuring the server to become a router, and turning on reverse path filtering. To change these settings edit the /etc/sysctl.conf file and enter:
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

If you are currently running IPv6 at your company, here are a few kernel parameters to prevent network based attacks:
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

To make these settings effective without rebooting the server type sysctl -p

We can go a step further by disabling unused network functions such as IPv6 and prevent self assigned addressing.

To detect whether or not IPv6 is running on a server type: ifconfig | grep inet6 which will return:
inet6 addr: fe80::240:5ff:fe32:ef19/64 Scope:Link
inet6 addr: ::1/128 Scope:Host
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
To prevent IPv6 from loading, run the following command:
echo "install ipv6 /bin/true" > /etc/modprobe.d/ipv6
Then add the following lines to /etc/sysconfig/network:
NETWORKING_IPV6=no
IPV6INIT=no
This will deactivate the IPv6 protocol from running on the server.

To prevent self assigned addressing on network cards, open the /etc/sysconfig/network file and add:
NOZEROCONF=yes

Server security
Turning off the ability to create core dumps is important as intruders can use this to gather information about running services and configurations in order to exploit them. To do so, edit the /etc/security/limits.conf file and insert:
* hard core 0
We should also prevent setuid programs from creating these as well:
sysctl -w fs.suid_dumpable=0

There are also built in kernel features which can help protect against buffer overflow attacks. These features are turned on by default, however these kernel parameters should be enabled in case they have been turned off:
sysctl -w kernel.exec-shield=1
sysctl -w kernel.randomize_va_space=1
These settings ensure randomization of the stack and memory regions, which are refereed to as the ExecShield.

There are many services which are running on a default installation which include cups, sendmail, isdn, bluetooth, and many others. If these services are not being used on the server then they should be turned off and configured not to start up on a reboot. To do so we can run the following bash script:
for i in acpid autofs avahi-daemon luetooth cups firstboot gpm hidd ip6tables sendmail exim xfs xinetd yum-updatesd rhnsd pcscd readahead_early readahead_later apmd hplip isdn ip6tables mcstrans
do
service $i stop
chkconfig $i off
done

Your services will vary depending on the installation. We should also ensure that X does not run on reboot, placing the server in run level three. To do so, edit the /etc/inittab file and change id:5:initdefault: to id:3:initdefault: