Tuesday, 6 September 2016

About limits.conf

You probably know about the 'nproc' limit in Linux, which is set in /etc/security/limits.conf.
nproc is defined at OS level to limit the number of processes per user.
Example:
user soft nproc 8192
user hard nproc 8192

Issue
A normal user is unable to log in to the system; the shell fails with "fork: Resource temporarily unavailable":

# su - <user>
-bash: fork: retry: Resource temporarily unavailable 
-bash: fork: retry: Resource temporarily unavailable 
-bash: fork: retry: Resource temporarily unavailable 
-bash: fork: retry: Resource temporarily unavailable 
-bash: fork: Resource temporarily unavailable

Resolution
Increase the value of the "nproc" parameter for the user (or for all users) in /etc/security/limits.conf.
First check how many processes (threads) each user currently has:

#ps h -Led -o user | sort | uniq -c | sort -n
      1 nrpe
      1 ntp
      1 rpc
      1 rpcuser
      2 dbus
      2 postfix
      3 haldaemon
    401 wildfly
    440 root
    934 user

Set the limit high enough, but monitor the process count so you notice when a user gets close to the limit.

The current limits of the user can be checked with ulimit:

#ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 125379
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 8192
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 10240
cpu time               (seconds, -t) unlimited
max user processes              (-u) 8192
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

#vim /etc/security/limits.conf 
user           soft    nproc           8192
user           hard    nproc           8192
user           soft    nofile          8192
user           hard    nofile          8192

These limits are applied after a reboot.
If you want to apply the changes without a reboot, modify /etc/pam.d/config-util by adding this line at the end of the file:

session required pam_limits.so
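The monitoring suggested above, as an added example (not part of the original post): it compares each user's current process count with the nproc limit that applies to it, so an alert can fire before users hit "fork: Resource temporarily unavailable". The limits.conf content and the per-user counts are passed in as text; the sample values below are constructed.

```bash
#!/bin/bash
# Added example (not from the original post): compare each user's current
# process count with the nproc limit that applies to it.
# On a live host feed it the real data:
#   check_nproc 80 "$(ps h -Led -o user | sort | uniq -c)" "$(cat /etc/security/limits.conf)"

# nproc_limit <user> <limits.conf text>
# Prints the soft nproc limit for <user>; a user-specific line wins over the
# '*' default; prints nothing when neither is set.
nproc_limit() {
  local user="$1" conf="$2"
  printf '%s\n' "$conf" | awk -v u="$user" '
    $1 !~ /^#/ && $2 == "soft" && $3 == "nproc" {
      if ($1 == u) { specific = $4 } else if ($1 == "*") { def = $4 }
    }
    END { if (specific != "") print specific; else if (def != "") print def }'
}

# check_nproc <percent> <"count user" lines> <limits.conf text>
# Prints "user count limit" for every user whose process (thread) count is
# at or above <percent> of its limit, one per line.
check_nproc() {
  local pct="$1" counts="$2" conf="$3" n user lim
  printf '%s\n' "$counts" | while read -r n user; do
    [ -n "$user" ] || continue
    lim=$(nproc_limit "$user" "$conf")
    [ -n "$lim" ] || continue
    if [ "$n" -ge $(( lim * pct / 100 )) ]; then
      echo "$user $n $lim"
    fi
  done
}

# Constructed sample data (hypothetical limits and counts), so the script
# runs stand-alone without root or a real limits.conf:
SAMPLE_CONF='# constructed limits.conf
*        soft    nproc   4096
user     soft    nproc   8192
user     hard    nproc   8192
wildfly  soft    nproc   500'
SAMPLE_COUNTS='    401 wildfly
    440 root
    934 user'

check_nproc 80 "$SAMPLE_COUNTS" "$SAMPLE_CONF"   # wildfly is at 401 of 500
```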

Tuesday, 10 May 2016

Openssl PATCH version 1.0.1t

Monday, 4 April 2016

Streaming Replication PostgreSQL 9.x

Set up SSH for the postgres user:
[on both servers]
- change the postgres password:
#sudo passwd postgres
[enter password]

#su - postgres
#ssh-keygen
#ssh-copy-id -i ~/.ssh/id_rsa.pub postgres@slave_IP_address

 
PostgreSQL Configuration

On Master :
[create the replication user]
CREATE ROLE replicator WITH REPLICATION PASSWORD 'password' LOGIN;

[add to pg_hba.conf to allow the slave to connect to the master]
pg_hba.conf
host   replication   replicator   IP_address_of_slave/32   md5
[Replication settings on the master]
Edit postgresql.conf (the parameter is listen_addresses, plural):

listen_addresses = '*'
wal_level = hot_standby
max_wal_senders = 5
wal_keep_segments = 32
checkpoint_segments = 8
archive_mode    = on
archive_command = 'rsync -a %p postgres@IP_address_of_slave:/var/lib/pgsql/9.x/archive/%f'


On Slave :
Using pg_basebackup:

pg_basebackup -h IP_address_of_master -D /var/lib/pgsql/9.x/data -P -U replicator --xlog-method=stream

Using rsync (alternative): on the master, run the query
SELECT pg_start_backup('label');
then copy the data directory to the slave
rsync -argv /var/lib/pgsql/9.x/data/ postgres@IP_address_of_slave:/var/lib/pgsql/9.x/data/
and finish the backup with
SELECT pg_stop_backup();

Then in postgresql.conf on the slave:
hot_standby = on


[Disable archive mode]
#archive_mode    = on
#archive_command = 'rsync -a %p postgres@IP_address_of_slave:/var/lib/pgsql/9.x/archive/%f'


Add the file recovery.conf [in /var/lib/pgsql/9.x/data/]

Config for recovery.conf:
primary_conninfo = 'host=IP_address_of_master port=5432 user=replicator password=password'
trigger_file = '/var/lib/pgsql/9.4/data/failover'
standby_mode = 'on'
restore_command = 'cp -f /var/lib/pgsql/9.x/archive/%f %p </dev/null'
archive_cleanup_command = '/usr/pgsql-9.x/bin/pg_archivecleanup -d /var/lib/pgsql/9.x/archive %r 2>>cleanup.log'
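Two checks worth running once the standby is up, as an added example (not part of the original post): one computes replication lag in bytes from the 9.x xlog location strings, the other flags replication entries in pg_hba.conf that are weaker than the md5, single-address rule shown above. The sample location strings and pg_hba.conf lines are constructed.

```bash
#!/bin/bash
# Added example (not from the original post): two post-setup checks for the
# streaming replication configured above. The location strings come from
# the PostgreSQL 9.x functions used on each side:
#   master:  psql -Atc "SELECT pg_current_xlog_location()"
#   standby: psql -Atc "SELECT pg_last_xlog_replay_location()"

# xlog_to_bytes <hi/lo>: convert a 9.x xlog location (two hex halves) to a
# byte offset so two locations can be subtracted.
xlog_to_bytes() {
  local hi="${1%/*}" lo="${1#*/}"
  echo $(( 0x$hi * 4294967296 + 0x$lo ))
}

# replication_lag_bytes <master location> <standby replay location>
replication_lag_bytes() {
  echo $(( $(xlog_to_bytes "$1") - $(xlog_to_bytes "$2") ))
}

# hba_replication_issues <pg_hba.conf text>: prints one line per replication
# entry that is weaker than "host replication replicator <slave>/32 md5":
# trust authentication, or a rule open to any address.
hba_replication_issues() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^#/ || $2 != "replication" { next }
    $NF == "trust" { print "no authentication (trust): " $0 }
    $1 ~ /^host/ && ($4 == "0.0.0.0/0" || $4 == "::/0" || $4 == "all") {
      print "open to any address: " $0 }'
}

# Constructed sample values (hypothetical addresses):
SAMPLE_HBA='host  replication  replicator  192.0.2.20/32  md5
host  replication  replicator  0.0.0.0/0      trust'

echo "lag: $(replication_lag_bytes 0/3000060 0/3000000) bytes"   # 96
hba_replication_issues "$SAMPLE_HBA"
```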



Notes :

Monday, 18 January 2016

Strong IPTABLES Configuration [CentOS]

A persistent iptables firewall for securing your server.

1. Reset all rules (-F) and chains (-X); necessary if you have already defined iptables rules
iptables -t filter -F
iptables -t filter -X

2. Start by blocking all traffic
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

3. Keep established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

4. Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

5. HTTPS
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

6. Allow SSH from a specific IP address
iptables -t filter -A INPUT -p tcp -s YourIP --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

etc.

Note: only allow the services you actually need.
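The same ruleset in iptables-restore format, as an added example (not part of the original post): loading a complete table this way is atomic, so there is no window between "-P INPUT DROP" and the SSH accept rule in which a remote session can be cut off, and on CentOS 6 "service iptables save" then keeps it across reboots. The admin address 203.0.113.10 is a constructed placeholder for YourIP.

```bash
#!/bin/bash
# Added example (not from the original post): the page's rules expressed as
# an iptables-restore file. iptables-restore replaces the whole filter table
# in one step, avoiding the lockout window of applying rules one by one.
# 203.0.113.10 is a constructed placeholder for the admin's IP (YourIP).

# build_rules <admin IP>: print the ruleset; rejects an empty or
# obviously malformed (non dotted-quad) address.
build_rules() {
  local ip="$1"
  case $ip in
    ""|*[!0-9.]*) echo "build_rules: need a dotted-quad IP" >&2; return 1 ;;
  esac
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s $ip/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# count_accepts <rules text> <chain>: number of ACCEPT rules in a chain,
# a quick sanity check before loading (FORWARD should be 0).
count_accepts() {
  printf '%s\n' "$1" | grep -c "^-A $2 .* -j ACCEPT$"
}

build_rules 203.0.113.10
# On the server (commented out so this script stays read-only):
#   build_rules 203.0.113.10 > /tmp/rules.v4 && iptables-restore < /tmp/rules.v4 && service iptables save
```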

Friday, 8 January 2016

System-Wide Proxy Settings on RHEL 6


nano /etc/profile.d/proxy.sh

export http_proxy=http://host.name:port/
export ftp_proxy=http://host.name:port/
export HTTP_PROXY=http://host.name:port/
export FTP_PROXY=http://host.name:port/
export no_proxy=.localdomain.com

Save the file, then load it into the current shell:

source /etc/profile.d/proxy.sh

Now try yum update or any other HTTP/FTP client. Ping (ICMP) is the exception: it does not go through the proxy.

Monday, 6 July 2015

[How To] E-Mail Alerts on a CentOS Server

Required :
- sSMTP (install using yum from epel repo)
- bash script and cron

First :
Enable epel-repo :

Centos 6.x 32 Bit :
#wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
#rpm -ivh epel-release-6-8.noarch.rpm

Centos 6.x 64 Bit :
#wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
#rpm -ivh epel-release-6-8.noarch.rpm

and then install ssmtp
#yum -y update
#yum -y install ssmtp


Change your default Mail Transfer Agent (MTA) to ssmtp
[root@ademahmudf ~]# alternatives --config mta

There are 2 programs which provide 'mta'.

  Selection    Command
-----------------------------------------------
*  1           /usr/sbin/sendmail.postfix
 + 2           /usr/sbin/sendmail.ssmtp

Enter to keep the current selection[+], or type selection number: 2

Next, configure the relay server for outgoing email (I use Gmail as the example). Note that ssmtp.conf will contain the mailbox password, so keep its permissions tight (not world-readable).
#mv /etc/ssmtp/ssmtp.conf /etc/ssmtp/ssmtp.conf.bak
#mv /etc/ssmtp/revaliases /etc/ssmtp/revaliases.bak

#nano /etc/ssmtp/ssmtp.conf
root=postmaster
mailhub=smtp.gmail.com:587
Hostname=example@gmail.com
FromLineOverride=YES
AuthUser=example@gmail.com
AuthPass=email-password
UseSTARTTLS=YES
TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt

#nano /etc/ssmtp/revaliases
root:example@gmail.com:smtp.gmail.com:587

Next, send a test email through the configured relay with the command below
echo "Testing outgoing email from Centos server" | mail -s "Testing" -r sender@gmail.com receiver@gmail.com

And here we go:
let's create an example notification script and run it with cron

#nano disk_space_notif.sh

#!/bin/bash
# Read the Use% of / from df -P (field 5; field 4 is the Available column) and strip the "%"
CURRENT=$(df -P / | awk 'NR==2 { sub("%", "", $5); print $5 }')
THRESHOLD=90

if [ "$CURRENT" -ge "$THRESHOLD" ] ; then
    echo "Your partition at server $HOSTNAME is critically low. Used: $CURRENT%" | mail -s "Disk Space Alert" -r sender@gmail.com receiver@gmail.com
fi

Make the script executable
#chmod +x disk_space_notif.sh

Add a cron job to run the script (this example runs it every minute)
#crontab -e

*  *  *  *  * /path/to/script/disk_space_notif.sh
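The disk-space check generalised to every mounted filesystem, as an added example (not part of the original post): the df parsing is separated into a function so it can be tested on captured df -P text before being wired to mail and cron. The df output below is constructed.

```bash
#!/bin/bash
# Added example (not from the original post): the same disk-space check
# extended to every mounted filesystem, with the parsing kept testable.

# over_threshold <threshold%> <df -P output>: prints "mountpoint use%" for
# each filesystem at or above the threshold. -P (POSIX format) keeps a long
# device name from wrapping onto a second line, and Use% is field 5
# (field 4 is the free-space column). tmpfs/devtmpfs are skipped.
over_threshold() {
  local threshold="$1"
  printf '%s\n' "$2" | awk -v t="$threshold" '
    NR > 1 && $1 !~ /^(tmpfs|devtmpfs)$/ {
      use = $5; sub("%", "", use)
      if (use + 0 >= t + 0) print $6, use
    }'
}

# disk_alert <threshold%>: run df and build the mail body; returns 1 when
# nothing is over the threshold so cron only sends mail when needed.
disk_alert() {
  local body
  body=$(over_threshold "$1" "$(df -P)")
  [ -n "$body" ] || return 1
  printf 'Filesystems on %s at or above %s%% used:\n%s\n' "$HOSTNAME" "$1" "$body"
}

# Constructed sample (hypothetical devices and sizes) for a stand-alone run:
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1         20511356 19000000   1000000      95% /
/dev/sdb1        103081248 10000000  90000000      10% /data
tmpfs              1024000        0   1024000       0% /dev/shm'

over_threshold 90 "$SAMPLE_DF"   # prints "/ 95"
# Cron line on the server: disk_alert 90 | mail -s "Disk Space Alert" -r sender@gmail.com receiver@gmail.com
```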