20 September 2019

The Power of DNS


Years ago I wrote a somewhat shallow article on setting up a couple recursive BIND DNS servers to take the load off of the domain controllers titled The Day the DNS Died / BIND Triage Server Array.  I was pleased, although a little surprised, to hear recently that those machines are still ticking away.  There are so many more elegant ways to fix those problems now, but I guess BIND is bulletproof, and if it ain't broke, don't fix it.

Madness


What IS broken are the number of small networks, or isolated subnets of larger networks that don't have a DNS server.  I was recently doing some security consulting for a client, and a recommended that they disable netbios on all the machines (NetBIOS can help to mitigate an attacker's ability to: poison and spoof responses, obtain a user's hashed credentials, inspect web traffic, etc. That is another blog post) and the next day I got a call that they couldn't reach any network resources any more..... huh?  No dns, they were relying on netbios to resolve everything.  It's madness.

I have seen this all over the place, or worse, I have seen where net-admins don't want to spend the time to put dns on an isolated network or protected DMZ and just put everything in HOST files... MADNESS.

A DNS server, a DNS server, my Kingdom for a DNS server


We are going to walk through a simple, but powerful DNS server option called PowerDNS.  It is extensible, capable, flexible, and powerful... see what I did there.  We are going to use a SQL backend, because anyone can use a zone file (technically this can to).  The advantage of the SQL backend is historical data and the speed of not having to parse an entire text file.  We can even talk about front end options.  At the very end, we will add in a recursor, for those who need more than an authoritative dns for a closed system (i.e. internet access)

Housekeeping


I don't know the state of your server, but lets assume your the type of person who has been relying on NETBIOS and logs into SSH as root.

1. Forget about the Ubuntu server and run CentOS, otherwise lots of this tutorial won't make sense.
2. Create a user that can sudo

adduser username
passwd username
usermod -aG wheel username

2. Remove root from being able to ssh

sudo vi /etc/ssh/sshd_config
PermitRootLogin no
sudo service sshd restart

3.  Setup the firewall

sudo yum install firewalld
sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --list-all
sudo firewall-cmd --zone=public --permanent --add-service=dns
sudo firewall-cmd --reload

4. Reboot

5. Make sure you are fresh and clean .... update.

sudo yum update

Finally to Business


1. Install Pre-Reqs

sudo yum install epel-release yum-plugin-priorities wget bind-utils net-tools

2. Install and configure MariaDB

sudo yum -y install mariadb-server mariadb
sudo systemctl enable mariadb.service
sudo systemctl start mariadb.service
sudo mysql_secure_installation

3. Install PowerDNS

sudo curl -o /etc/yum.repos.d/powerdns-auth-41.repo https://repo.powerdns.com/repo-files/centos-auth-41.repo
sudo yum install pdns
sudo yum install pdns-backend-mysql

4. Do Scary things with MariaDB
Don't freak out, we will take these one at a time

mysql -u root -p

CREATE DATABASE powerdns;
GRANT ALL ON powerdns.* TO 'powerdns'@'localhost' IDENTIFIED BY 'PASSWORD';
FLUSH PRIVILEGES;
USE powerdns;

SCHEME

CREATE TABLE domains (
id INT AUTO_INCREMENT,
name VARCHAR(255) NOT NULL,
master VARCHAR(128) DEFAULT NULL,
last_check INT DEFAULT NULL,
type VARCHAR(6) NOT NULL,
notified_serial INT UNSIGNED DEFAULT NULL,
account VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL,
PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';
CREATE UNIQUE INDEX name_index ON domains(name);

CREATE TABLE records (
id BIGINT AUTO_INCREMENT,
domain_id INT DEFAULT NULL,
name VARCHAR(255) DEFAULT NULL,
type VARCHAR(10) DEFAULT NULL, 
content VARCHAR(64000) DEFAULT NULL,
ttl INT DEFAULT NULL,
prio INT DEFAULT NULL,
change_date INT DEFAULT NULL,
disabled TINYINT(1) DEFAULT 0,
ordername VARCHAR(255) BINARY DEFAULT NULL,
auth TINYINT(1) DEFAULT 1,
PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';

CREATE INDEX nametype_index ON records(name,type);
CREATE INDEX domain_id ON records(domain_id);
CREATE INDEX ordername ON records (ordername);

CREATE TABLE supermasters (
ip VARCHAR(64) NOT NULL,
nameserver VARCHAR(255) NOT NULL,
account VARCHAR(40) CHARACTER SET 'utf8' NOT NULL,
PRIMARY KEY (ip, nameserver)
) Engine=InnoDB CHARACTER SET 'latin1';

CREATE TABLE comments (
id INT AUTO_INCREMENT,
domain_id INT NOT NULL,
name VARCHAR(255) NOT NULL,
type VARCHAR(10) NOT NULL,
modified_at INT NOT NULL,
account VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL,
comment TEXT CHARACTER SET 'utf8' NOT NULL,
PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';

CREATE INDEX comments_name_type_idx ON comments (name, type);
CREATE INDEX comments_order_idx ON comments (domain_id, modified_at);

CREATE TABLE domainmetadata (
id INT AUTO_INCREMENT,
domain_id INT NOT NULL,
kind VARCHAR(32),
content TEXT,
PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';
CREATE INDEX domainmetadata_idx ON domainmetadata (domain_id, kind);

CREATE TABLE cryptokeys (
id INT AUTO_INCREMENT,
domain_id INT NOT NULL,
flags INT NOT NULL,
active BOOL,
content TEXT,
PRIMARY KEY(id)
) Engine=InnoDB CHARACTER SET 'latin1';
CREATE INDEX domainidindex ON cryptokeys(domain_id);

CREATE TABLE tsigkeys (
id INT AUTO_INCREMENT,
name VARCHAR(255),
algorithm VARCHAR(50),
secret VARCHAR(255),
PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';
CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm);
quit;

That was a bit..... now go get a coffee and some chocolate, maybe a nice glass of scotch.  In this example we are installing PDNS 4.1 because I like it and I think it is very stable.  If you install a different version, there is a different scheme... always reference this: https://doc.powerdns.com/authoritative/guides/basic-database.html

5. Configure PDNS

sudo mv /etc/pdns/pdns.conf /etc/pdns/pdns.conf.bu
sudo vi /etc/pdns/pdns.conf

# pdns.conf
launch=gmysql
gmysql-host=localhost
gmysql-dbname=powerdns
gmysql-user=powerdns
gmysql-password=PASSWORD
gmysql-dnssec=yes

loglevel=10
log-dns-queries=1

6. Start her up

sudo systemctl enable pdns.service
sudo systemctl start pdns.service

7. Add Zones and Records

Start Simple.  Use the pdnsutil command to create zones and records (https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html)

pdnsutil:

create-zone ZONE
Create an empty zone named ZONE.

add-record ZONE NAME TYPE [TTL] CONTENT

Add one or more records of NAME and TYPE to ZONE with CONTENT and optional TTL. If TTL
is not set, the default will be used.

Example:

# pdnsutil create-zone example.com ns1.example.com
Creating empty zone 'example.com.'
Also adding one NS record
# pdnsutil add-record example.com ns1 A 192.168.1.2
New rrset:
ns1.example.com. IN A 3600 192.168.1.2

# pdnsutil list-zone example.com
example.com.    3600    IN      NS      ns1.example.com.
example.com.    3600    IN      SOA     ns1.example.com hostmaster.example.com 1 10800 3600 604800 3600
ns1.example.com.        3600    IN      A       192.168.1.2

$ dig +noall +answer ns1.example.com @127.0.0.1 
ns1.example.com.        3600    IN      A       192.168.1.2

Done .... ish

There are 3 other, possible simpler, methods for managing PDNS.

1. Webmin - Follow the instructions, use the MySQL plugin to manage your data.
2. phpMyAdmin -  Same as above.  Follow the instructions, manage everything in the tables you just created.
3. PowerAdmin - PowerAdmin is purpose built for PDNS.  I recommend it on at least one machine.  I don't use it on all of them, because I have replication enabled, but it is a simple powerful interface with minimal weight.

To install PowerAdmin


Follow these Directions: https://www.howtoforge.com/how-to-install-powerdns-and-poweradmin-on-centos-7/

Finally


So, everything is installed, and running, if you have worked through some bugs, but now have a major hangup.... it resolves all of your internal networks, but it won't resolve the google.com ... or *gasp* it won't resolve tomvoboril.com.

Recursion.

In a network, it is really a better practice to separate out your authoritative DNS servers, which we just built, and your internal recursive DNS servers.  Simple said.  If you did not need anything to resolve internally, you would just point to your ISPs DNS, or google's DNS, or OpenDNS, etc.  It is very simple to install a small recursor to break out traffic between internal and external.  We will run it on the same server as the authoritative, and do some fancy binding.

1. Install PowerDNS Recursor

sudo yum install pdns-recursor

2. Configure pdns-recursor

sudo mv /etc/pdns-recursor/pdns-recursor.conf /etc/pdns/pdns-recursor.conf.bu
sudo vi /etc/pdns-recursor/pdns-recursor.conf

local-address=your.ip.for.machine.goes.here
forward-zones=yournetwork.localname=127.0.0.1

2 lines of config.  make sure you bind it to the boxes IP, and the network.local is whatever you want the authoritative to run.

3.  Configure PDNS to bind to local.

sudo mv /etc/pdns/pdns.conf /etc/pdns/pdns.conf.bu2
sudo vi /etc/pdns/pdns.conf

local-address=127.0.0.1
launch=gmysql
gmysql-host=localhost
gmysql-dbname=powerdns
gmysql-user=powerdns
gmysql-password=PASSWORD
gmysql-dnssec=yes

loglevel=10
log-dns-queries=1

Add the yellow highlighted line to your PDNS config

sudo systemctl restart pdns.service
sudo systemctl enable pdns-recursor.service
sudo systemctl start pdns-recursor.service

Try it now....

18 September 2019

Redmine 4 with Puma and Nginx on Centos

Everyone's environments are different, but this should work for most and avoid some pitfalls that you are likely to fall into if you follow some of the other tutorials out there.
First and Foremost, get Centos 7 Minimum installed, make sure it has access to the internet and that your account is a sudoer.  Don't use root.... RVM doesn't like that.

Next install your core bits

sudo yum update
sudo yum install vim curl zlib-devel curl-devel openssl-devel httpd-devel apr-devel apr-util-devel mysql-devel ftp wget ImageMagick-devel gcc-c++ patch readline readline-devel zlib libyaml-devel libffi-devel make bzip2 autoconf automake libtool bison subversion sqlite-devel
sudo yum install epel-release
sudo yum install nginx

At this point, I leave it up to you how you want to deal with selinux.  You can search the internets to get a better idea, you can either disable temporarily or edit the config file and disable it.

sudo setenforce 0
sudo vim /etc/selinux/config

Next, take a moment to install MariaDB, and secore it, before we go on to configure it.

sudo yum install mariadb-server
sudo systemctl start mariadb
sudo systemctl enable mariadb

mysql_secure_installation

mysql -uroot -p

Now we setup the redmine database.  Pay attention to where you need to supply the password.

mysql -uroot -p
MariaDB [(none)]> CREATE DATABASE redmine CHARACTER SET utf8;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON redmine.* TO 'redmine'@'localhost' IDENTIFIED BY 'redmine_passwd';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> \q

Finally we get to install RVM and the magic begins.

\curl -sSL https://get.rvm.io | sudo bash -s stable

You might get told to download the gpg key, do so. At the end you will get a message that contains a few important things. PAY ATTENTION

  * First you need to add all users that will be using rvm to 'rvm' group,
    and logout - login again, anyone using rvm will be operating with `umask u=rwx,g=rwx,o=rx`.

  * To start using RVM you need to run `source /etc/profile.d/rvm.sh`
    in all your open shell windows, in rare cases you need to reopen all shell windows.
  * Please do NOT forget to add your users to the rvm group.

So take a moment to add yourself and nginx to the rvm group.  After that, log out, reboot, get some coffee.

 sudo usermod -a -G rvm USER
 sudo usermod -a -G rvm nginx

Now, we are going to do 4 things.
1. Install Ruby 2.5.5
2. Create a gemset for our application
3. Use said gemset
4. Make any other user who is working on this with us lives easier by setting said gemset as the default.

rvm install ruby-2.5.5
rvm gemset create redmine
rvm use 2.5.5@redmine
rvm use --default 2.5.5@redmine

Onwards to Redmine

We are going to put it in /var/www because that is what normal people do (here is looking at you ubuntu)

Follow the next few steps and we will meet back at the database config

cd /var/www
sudo svn co http://svn.redmine.org/redmine/branches/4.0-stable redmine

sudo cp redmine/config/configuration.yml.example redmine/config/configuration.yml
sudo cp redmine/config/database.yml.example redmine/config/database.yml

sudo vim redmine/config/database.yml


Ok, We are using Maria DB, so we are going to configure mysql12 in the Production enviroment.  It should look like this:

production:
  adapter: mysql2
  database: redmine
  host: localhost
  username: redmine
  password: "redmine_passwd"
  encoding: utf8

Now, a small aside, we want to add the Gem "puma" to our gemfile in Redmine under production, and remove it from test and development.

sudo vim /var/www/redmine/Gemfile

source 'https://rubygems.org'

gem "bundler", ">= 1.5.0"

gem "rails", "5.2.3"
gem "puma"
gem "rouge", "~> 3.3.0"
gem "request_store", "1.0.5"
gem "mini_mime", "~> 1.0.1"
gem "actionpack-xml_parser"
gem "roadie-rails", "~> 1.3.0"
gem "mimemagic"
gem "mail", "~> 2.7.1"
gem "csv", "~> 3.0.1" if RUBY_VERSION >= "2.3" && RUBY_VERSION < "2.6"

gem "nokogiri", (RUBY_VERSION >= "2.3" ? "~> 1.10.0" : "~> 1.9.1")
gem "i18n", "~> 0.7.0"
gem "xpath", "< 3.2.0" if RUBY_VERSION < "2.3"


Make sure it is up there at the top, and NO WHERE ELSE.

Now, from www change the owner of redmine to your user, install bundler and run the bundler.

sudo chown USER -R redmine
gem install bundler
bundle install --without development test

If that all goes well, get the database setup

rake generate_secret_token
RAILS_ENV=production rake db:migrate
RAILS_ENV=production REDMINE_LANG=en rake redmine:load_default_data

Now, from WWW, make a place for your puma socket to run (you may have to give it 777 or user nginx if you run into problems.

sudo mkdir share
sudo mkdir share/sockets

Almost done, change the owner of redmine to nginx and load up you puma.service file

sudo chown nginx -R redmine
sudo vim /etc/systemd/system/puma.service

The local ruby/puma wizard at work helped me whip up this next file.  There are options in there to do things a few different ways, but if you leave it as is, you should be fine.  You can see you can also test by putting it on a local port.

[Unit]
Description=Puma HTTP Server
After=network.target

[Service]
# Foreground process (do not use --daemon in ExecStart or config.rb)
Type=simple

# Preferably configure a non-privileged user
User=nginx

# The path to the puma application root
WorkingDirectory=/var/www/redmine

# The command to start Puma. The top one creates a scocke
# The bottom one creates a port
ExecStart=/usr/local/rvm/wrappers/ruby-2.5.5@redmine/bundle exec puma -e production -b unix:///var/www/share/sockets/puma.sock
#ExecStart=/usr/local/rvm/wrappers/ruby-2.5.5@redmine/bundle exec puma -e production -b "tcp://0.0.0.0:3000"

# Variant: Use config file with `bind` directives instead:
# ExecStart=<WD>/sbin/puma -C config.rb
# Variant: Use `bundle exec --keep-file-descriptors puma` instead of binstub

Restart=always

[Install]
WantedBy=multi-user.target


Now make a copy of your nginx configuration, and edit it to add : include sites-enabled

sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bu
sudo vim /etc/nginx/nginx.conf

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
    server {

You can remove the default server, but change it to port 81 if you do.  It can be good for testing.
Right above server... add that line.  Now, make some sites to include

sudo mkdir /etc/nginx/sites-enabled
sudo vim /etc/nginx/sites-enabled/redmine.conf

There are, again, two options here.  The port is for testing, the socket is for production

#server {
#  listen 80;
#  listen [::]:80;
#
#  server_name yoursite.com;
#
#  location / {
#      proxy_pass http://localhost:3000/;
#  }
#}

# http context

upstream backend_hosts {
#    server localhost:3000;
     server unix:///var/www/share/sockets/puma.sock;
}

server {
    listen 80;
    server_name yoursite.com;

    location / {
        proxy_pass http://backend_hosts;
    }
}

Now, wrap everything up, enable the things, open the firewall, and do a good reboot at some point to make sure it ACTUALLY works.

sudo systemctl enable puma
sudo systemctl enable nginx
sudo systemctl start puma
sudo systemctl start nginx
sudo service nginx status
sudo service puma status
sudo firewall-cmd --permanent --zone=public --add-service=http 
sudo firewall-cmd --reload