Posts Tagged ‘noarch’

Enable automatic updates on CentOS 8, CentOS 9 Stream Linux with dnf-automatic and Cockpit Web GUI package management tool

Wednesday, January 15th, 2025


Security for any OS is critical nowadays, thus as a CentOS legacy system admin at work or using CentOS Stream releases 8 and 9 that are to be around for the coming years

CentOS 8 and CentOS 9 Stream Lifecycle


CentOS Stream follows the same lifecycle as Red Hat Enterprise Linux. From version 8 onward this means every version is supported for 10 years, split into 5 years of Full Support and 5 years of maintenance support. Users also have the option to purchase an additional 3 years of Extended Life Cycle Support (ELS) as an add-on.

Version    General Availability    Full Support Ends    Maintenance Support Ends    Extended Life Cycle Support (ELS) Ends
8    May 7, 2019    May 31, 2024    May 31, 2029    May 31, 2032
9    May 18, 2022    May 31, 2027    May 31, 2032    May 31, 2035


In this article, you are going to learn how to enable automatic software updates on CentOS 8 and CentOS 9 (Stream) Linux. I'll show how to set up your system to download and apply security and other updates without user intervention.

Using the CentOS automatic update capability is really useful: instead of typing yum update && yum upgrade all the time (and wasting time observing the process, which usually takes some 5 to 10 minutes), you let the OS install updates automatically in the background and notify you once all is done. You then only need to check periodically what the dnf-automatic update tool has done, which in most cases of success saves you at least a few minutes per host. Automatic updates are critical, especially if you have to maintain an infrastructure of CentOS virtual servers at version 8 or 9.

Those who use CentOS heavily might have already enabled and used dnf-automatic, but I guess that, just like me until recently, most people using CentOS 8 don't know how to enable and apply CentOS Linux updates automatically, and this article might be helpful.
 

1. Enable Automatic CentOS 8 / 9 Updates Using DNF Automatic RPM Package


Install the dnf-automatic RPM package; it provides a DNF component that starts the update process automatically.
To install it on both CentOS 8 / 9:

[root@centos ~]# yum install dnf-automatic
CentOS Stream 9 – BaseOS                                                                                                                                   78 kB/s |  14 kB     00:00
CentOS Stream 9 – AppStream                                                                                                                                28 kB/s |  15 kB     00:00
CentOS Stream 9 – Extras packages                                                                                                                          81 kB/s |  18 kB     00:00
Dependencies resolved.
======================================================
 Package                                         Architecture                             Version                                          Repository                                Size
======================================================
Installing:
 dnf-automatic                                   noarch                                   4.14.0-23.el9                                    baseos                                    33 k
Upgrading:
 dnf                                             noarch                                   4.14.0-23.el9                                    baseos                                   478 k
 dnf-data                                        noarch                                   4.14.0-23.el9                                    baseos                                    37 k
 python3-dnf                                     noarch                                   4.14.0-23.el9                                    baseos                                   461 k
 yum                                             noarch                                   4.14.0-23.el9                                    baseos                                    88 k

Transaction Summary
=======================================================
Install  1 Package
Upgrade  4 Packages

Total download size: 1.1 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): dnf-data-4.14.0-23.el9.noarch.rpm                                                                                                                  556 kB/s |  37 kB     00:00
(2/5): dnf-automatic-4.14.0-23.el9.noarch.rpm                                                                                                             406 kB/s |  33 kB     00:00
(3/5): yum-4.14.0-23.el9.noarch.rpm                                                                                                                       1.4 MB/s |  88 kB     00:00
(4/5): python3-dnf-4.14.0-23.el9.noarch.rpm                                                                                                               4.9 MB/s | 461 kB     00:00
(5/5): dnf-4.14.0-23.el9.noarch.rpm                                                                                                                       2.6 MB/s | 478 kB     00:00
——————————————————————————————————
Total                                                                                                                                                     1.1 MB/s | 1.1 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                  1/1
  Upgrading        : dnf-data-4.14.0-23.el9.noarch                                                                                                                                    1/9
  Upgrading        : python3-dnf-4.14.0-23.el9.noarch                                                                                                                                 2/9
  Upgrading        : dnf-4.14.0-23.el9.noarch                                                                                                                                         3/9
  Running scriptlet: dnf-4.14.0-23.el9.noarch                                                                                                                                         3/9
  Installing       : dnf-automatic-4.14.0-23.el9.noarch                                                                                                                               4/9
  Running scriptlet: dnf-automatic-4.14.0-23.el9.noarch                                                                                                                               4/9
  Upgrading        : yum-4.14.0-23.el9.noarch                                                                                                                                         5/9
  Cleanup          : yum-4.14.0-9.el9.noarch                                                                                                                                          6/9
  Running scriptlet: dnf-4.14.0-9.el9.noarch                                                                                                                                          7/9
  Cleanup          : dnf-4.14.0-9.el9.noarch                                                                                                                                          7/9
  Running scriptlet: dnf-4.14.0-9.el9.noarch                                                                                                                                          7/9
  Cleanup          : python3-dnf-4.14.0-9.el9.noarch                                                                                                                                  8/9
  Cleanup          : dnf-data-4.14.0-9.el9.noarch                                                                                                                                     9/9
  Running scriptlet: dnf-data-4.14.0-9.el9.noarch                                                                                                                                     9/9
  Verifying        : dnf-automatic-4.14.0-23.el9.noarch                                                                                                                               1/9
  Verifying        : dnf-4.14.0-23.el9.noarch                                                                                                                                         2/9
  Verifying        : dnf-4.14.0-9.el9.noarch                                                                                                                                          3/9
  Verifying        : dnf-data-4.14.0-23.el9.noarch                                                                                                                                    4/9
  Verifying        : dnf-data-4.14.0-9.el9.noarch                                                                                                                                     5/9
  Verifying        : python3-dnf-4.14.0-23.el9.noarch                                                                                                                                 6/9
  Verifying        : python3-dnf-4.14.0-9.el9.noarch                                                                                                                                  7/9
  Verifying        : yum-4.14.0-23.el9.noarch                                                                                                                                         8/9
  Verifying        : yum-4.14.0-9.el9.noarch                                                                                                                                          9/9

Upgraded:
  dnf-4.14.0-23.el9.noarch                   dnf-data-4.14.0-23.el9.noarch                   python3-dnf-4.14.0-23.el9.noarch                   yum-4.14.0-23.el9.noarch
Installed:
  dnf-automatic-4.14.0-23.el9.noarch

Complete!
[root@centos ~]#

Here is info on what the dnf-automatic package will do:

[root@centos ~]# rpm -qi dnf-automatic
Name        : dnf-automatic
Version     : 4.14.0
Release     : 23.el9
Architecture: noarch
Install Date: Wed 15 Jan 2025 08:00:47 AM -03
Group       : Unspecified
Size        : 57937
License     : GPLv2+
Signature   : RSA/SHA256, Thu 02 Jan 2025 01:19:43 PM -03, Key ID 05b555b38483c65d
Source RPM  : dnf-4.14.0-23.el9.src.rpm
Build Date  : Thu 12 Dec 2024 07:30:24 AM -03
Build Host  : s390-08.stream.rdu2.redhat.com
Packager    : [email protected]
Vendor      : CentOS
URL         : https://github.com/rpm-software-management/dnf
Summary     : Package manager – automated upgrades
Description :
Systemd units that can periodically download package upgrades and apply them.


Next up is configuring the dnf-automatic updates. The configuration file is located at /etc/dnf/automatic.conf. Once you have opened the file, you can set the required values to fit your software requirements.
The values you might want to modify are as follows:

 

[root@centos ~]# grep -v \# /etc/dnf/automatic.conf|sed '/^$/d'
[commands]
upgrade_type = default
random_sleep = 0
network_online_timeout = 60
download_updates = yes
apply_updates = no
reboot = never
reboot_command = "shutdown -r +5 'Rebooting after applying package updates'"
[emitters]
emit_via = stdio
[email]
email_from = [email protected]
email_to = root
email_host = localhost
[command]
[command_email]
email_from = [email protected]
email_to = root
[base]
debuglevel = 1
[root@centos ~]#

 

The most important things you need to tune in automatic.conf are:

[root@centos ~]# vim /etc/dnf/automatic.conf

apply_updates = no


which should be changed to yes

apply_updates = yes

so that the dnf-automatic service actually installs the updates instead of only downloading them.

It is also nice to set the email server configuration values (email_host, as well as email_from and email_to) and the way reports are emitted: emit_via = stdio is the default (check out the other options described in the commented lines of the file).

Finally, you can now run dnf-automatic. Execute the following command to schedule DNF automatic updates for your CentOS 8 machine.

[root@centos ~]# systemctl enable --now dnf-automatic.timer


The command above enables and starts the system timer. To check the status of the dnf-automatic service, run the following.

[root@centos ~]# systemctl list-timers '*dnf-*'
NEXT                        LEFT       LAST                        PASSED      UNIT                ACTIVATES
Wed 2025-01-15 09:31:52 -03 13min left –                           –           dnf-makecache.timer dnf-makecache.service
Thu 2025-01-16 06:21:20 -03 21h left   Wed 2025-01-15 08:09:20 -03 1h 8min ago dnf-automatic.timer dnf-automatic.service

2 timers listed.
Pass --all to see loaded but inactive timers, too.

[root@centos ~]#
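
To confirm that a host really ended up configured the way the steps above describe, the following added example (not part of the original post or of dnf itself) audits an automatic.conf file. The helper names conf_get, audit_automatic_conf and write_sample_conf are assumptions made for this illustration, and the embedded file is a constructed copy of the [commands] and [emitters] values printed above.

```shell
#!/bin/sh
# Added example, not from the original post: audit a dnf-automatic config.
# conf_get / audit_automatic_conf / write_sample_conf are hypothetical helpers.

# conf_get FILE SECTION KEY: print KEY's value inside [SECTION] (empty if unset).
conf_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                    # comment line
        /^[ \t]*\[/ {                             # section header, e.g. [commands]
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == want && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                 # last assignment wins
        }
        END { print val }
    ' "$1"
}

# audit_automatic_conf FILE: print findings; return 0 only when downloaded
# updates will also be installed without an operator.
audit_automatic_conf() {
    apply=$(conf_get "$1" commands apply_updates | tr 'A-Z' 'a-z')
    utype=$(conf_get "$1" commands upgrade_type)
    reboot=$(conf_get "$1" commands reboot)
    emit=$(conf_get "$1" emitters emit_via)
    rc=0

    case "$apply" in
        # assumption: the usual boolean spellings count as "enabled"
        yes|true|1|on) echo "OK    apply_updates=$apply: updates are installed unattended" ;;
        *) echo "FAIL  apply_updates=${apply:-unset}: updates are only downloaded/reported"
           rc=1 ;;
    esac
    case "$utype" in
        security) echo "INFO  upgrade_type=security: only security upgrades are applied" ;;
        default)  echo "INFO  upgrade_type=default: every available upgrade is applied" ;;
        *)        echo "WARN  upgrade_type=${utype:-unset}: expected 'default' or 'security'" ;;
    esac
    [ "$reboot" = "never" ] &&
        echo "INFO  reboot=never: a new kernel is not running until someone reboots"
    [ "$emit" = "stdio" ] &&
        echo "INFO  emit_via=stdio: reports only reach the journal of dnf-automatic.service"
    return $rc
}

# Constructed sample: the [commands] and [emitters] values from the post's grep output.
write_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[commands]
# constructed comment line, ignored by the parser
upgrade_type = default
random_sleep = 0
download_updates = yes
apply_updates = no
reboot = never

[emitters]
emit_via = stdio
EOF
    echo "$f"
}

sample=$(write_sample_conf)
echo "== as shipped =="
audit_automatic_conf "$sample" || echo "=> this host will not patch itself"
# Apply the one-line change the post recommends and audit again.
sed 's/^apply_updates *=.*/apply_updates = yes/' "$sample" > "$sample.fixed"
echo "== after the edit =="
audit_automatic_conf "$sample.fixed" && echo "=> unattended patching is on"
rm -f "$sample" "$sample.fixed"
```

On a real host, call audit_automatic_conf /etc/dnf/automatic.conf; the non-zero return code makes it usable from a monitoring check.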

 

Enable and Manage Automatic updates with Cockpit GUI web interface


Sooner or later even hardcore sysadmins have to enter the 21st century and start using web interfaces for server or desktop Linux management, to free their heads for more important stuff.
Cockpit is a great tool to help you automatically manage and update your servers with no need to use the Linux console most of the time.

Cockpit is a very powerful tool you can use to manage updates remotely through a web interface. It is a very handy tool for system admins, as it gives you an overview of updates, supports automatic updates and lets you perform RPM package management tasks through a web-based console.
Cockpit allows updates over multiple servers, which makes it a kind of server orchestration tool that allows you to update many hosts running the same operating system version.


If it is not already pre-installed on your CentOS 8 / 9 (this depends on the type of install you have done), you might need to install Cockpit.

To install Cockpit:

[root@centos ~]# yum install cockpit -y

To make the web service accessible in a browser, you'll have to start it with the commands:

[root@centos ~]# systemctl start cockpit
[root@centos ~]# systemctl status cockpit

To access Cockpit, open https://localhost:9090 if you are accessing it locally, or https://SERVER_IP:9090/ otherwise.
Note that of course firewalld will have to allow traffic to SERVER_IP on port 9090.

 


By default Cockpit runs with a self-signed certificate; if you need to, you can set up a certbot certificate or regenerate the self-signed one to better manage the security risk. The first time, if you haven't changed the certificate, simply use the browser's certificate exception menu and log in to Cockpit.

Once logged in you can check the available updates.

 


By default you will have to log in with a non-root account; preferably that should be an account that is authorized to become root via sudo.
To elevate to administrative privileges while in Cockpit, click on 'Administrative access' and grant Cockpit your superuser privileges.


Once authorized, you can run the upgrade and enjoy a coffee or beer in the meantime 🙂


Among the useful Cockpit options is also the Terminal, through which you can run commands as over a normal web SSH service.

The 'Logs' section is also very useful, as it shows clearly summarized information on failed services and modules since the last OS boot.

 


To add and manage updates for multiple hosts, use the 'Add new host' menu, which is an expansion of the main machine on which Cockpit runs.



In the next window, turn automatic updates ON. You can now select the type of updates you want (Apply All Updates or Apply Security Updates), the day and time you want the updates applied, and the server rebooted.

CentOS 9's Cockpit even has support for the innovative kernel live patching, so the machine's kernel can be updated live and you can save the reboot after completely patching the OS, including the kernel.


Note that you cannot set up automatic updates without rebooting the system. Therefore, make sure your server can be rebooted at the time you’ve selected for the updates.

Sum it up


In this post, we have learned how to set up automatic updates for your CentOS 8 / 9 Linux. There are two mainstream ways you can do it.
1. By using the DNF automatic updates tool.
By enabling DNF automatic updates on CentOS 8 Linux, the machine gets updated faster, more seamlessly and more frequently compared to manual updates.

This protects the OS better against crackers' cyber-attacks. Secondly, for the lazier admins, or for better structuring of updates (if they have to be executed on multiple hosts), the Cockpit web console is available.

With Cockpit, it's much easier to enable automatic updates, as its graphical user interface (GUI) is self-explanatory, as opposed to the DNF automatic updates, which would cost you more time on the CLI (shell).
 

Howto install Google Chrome web browser on CentOS Linux 7

Friday, December 11th, 2020

After installing a CentOS 7 Linux testing virtual machine in Oracle VirtualBox 6.1 to conduct some testing with PHP / HTML / JavaScript web script pages, and to use the VM for other work stuff that I later plan to deploy on production CentOS systems, I came to the requirement of having a working Google Chrome browser.

In that regard, next to Firefox, I needed to test the web applications in the commercial Google Chrome to see what its users can expect. For those who don't know it, Google Chrome is based on the Chromium open source browser (https://chromium.org), which is available by default via default CentOS EPEL repositories.

One remark to make here: before installing Google Chrome, I also tested my web scripts first with Chromium. To install the free Chromium browser on CentOS:

[root@localhost mozilla_test0]# yum install chromium
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.wwfx.net
 * epel: mirror.t-home.mk
 * extras: mirror.wwfx.net
 * updates: mirror.wwfx.net
Resolving Dependencies
–> Running transaction check
—> Package chromium.x86_64 0:85.0.4183.121-1.el7 will be installed
–> Processing Dependency: chromium-common(x86-64) = 85.0.4183.121-1.el7 for package: chromium-85.0.4183.121-1.el7.x86_64
–> Processing Dependency: nss-mdns(x86-64) for package: chromium-85.0.4183.121-1.el7.x86_64
–> Processing Dependency: libminizip.so.1()(64bit) for package: chromium-85.0.4183.121-1.el7.x86_64
–> Running transaction check
—> Package chromium-common.x86_64 0:85.0.4183.121-1.el7 will be installed
—> Package minizip.x86_64 0:1.2.7-18.el7 will be installed
—> Package nss-mdns.x86_64 0:0.14.1-9.el7 will be installed
–> Finished Dependency Resolution

 

Dependencies Resolved

============================================================================================================================================
 Package                              Arch                        Version                                   Repository                 Size
============================================================================================================================================
Installing:
 chromium                             x86_64                      85.0.4183.121-1.el7                       epel                       97 M
Installing for dependencies:
 chromium-common                      x86_64                      85.0.4183.121-1.el7                       epel                       16 M
 minizip                              x86_64                      1.2.7-18.el7                              base                       34 k
 nss-mdns                             x86_64                      0.14.1-9.el7                              epel                       43 k

Transaction Summary
============================================================================================================================================
Install  1 Package (+3 Dependent packages)

Total download size: 113 M
Installed size: 400 M
Is this ok [y/d/N]: y
Downloading packages:
(1/4): minizip-1.2.7-18.el7.x86_64.rpm                                                                               |  34 kB  00:00:00     
(2/4): chromium-common-85.0.4183.121-1.el7.x86_64.rpm                                                                |  16 MB  00:00:08     
(3/4): chromium-85.0.4183.121-1.el7.x86_64.rpm                                                                       |  97 MB  00:00:11     
(4/4): nss-mdns-0.14.1-9.el7.x86_64.rpm                                                                              |  43 kB  00:00:00     
——————————————————————————————————————————————–
Total                                                                                                       9.4 MB/s | 113 MB  00:00:12     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : minizip-1.2.7-18.el7.x86_64                                                                                              1/4
  Installing : chromium-common-85.0.4183.121-1.el7.x86_64                                                                               2/4
  Installing : nss-mdns-0.14.1-9.el7.x86_64                                                                                             3/4
  Installing : chromium-85.0.4183.121-1.el7.x86_64                                                                                      4/4
  Verifying  : chromium-common-85.0.4183.121-1.el7.x86_64                                                                               1/4
  Verifying  : minizip-1.2.7-18.el7.x86_64                                                                                              2/4
  Verifying  : chromium-85.0.4183.121-1.el7.x86_64                                                                                      3/4
  Verifying  : nss-mdns-0.14.1-9.el7.x86_64                                                                                             4/4

Installed:
  chromium.x86_64 0:85.0.4183.121-1.el7                                                                                                     

Dependency Installed:
  chromium-common.x86_64 0:85.0.4183.121-1.el7            minizip.x86_64 0:1.2.7-18.el7            nss-mdns.x86_64 0:0.14.1-9.el7           

Complete!

The Chromium browser worked; however, it is much more buggy than Google Chrome, and the load it puts on the machine as well as the resources it consumes are terrible compared to the proprietary G. Chrome.

Usually I don't like Google Chrome as it is a proprietary product, and I don't even install it on my Linux desktops, nor use it, as using it is against any security-wise practice, but I needed it this time ..

Thus, to save myself some pain, I proceeded and installed Google Chromium.
Installation of Google Chrome is a straightforward process: you download the latest rpm, run the below command to resolve all library dependencies, and you're in:


 

[root@localhost mozilla_test0]# rpm -ivh google-chrome-stable_current_x86_64.rpm
warning: google-chrome-stable_current_x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY
error: Failed dependencies:
    liberation-fonts is needed by google-chrome-stable-87.0.4280.88-1.x86_64
    libvulkan.so.1()(64bit) is needed by google-chrome-stable-87.0.4280.88-1.x86_64
[root@localhost mozilla_test0]# wget https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
--2020-12-11 07:03:02--  https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
Resolving dl.google.com (dl.google.com)… 172.217.17.238, 2a00:1450:4017:802::200e
Connecting to dl.google.com (dl.google.com)|172.217.17.238|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 72280700 (69M) [application/x-rpm]
Saving to: ‘google-chrome-stable_current_x86_64.rpm

 

100%[==================================================================================================>] 72,280,700  11.0MB/s   in 6.6s   

2020-12-11 07:03:09 (10.4 MB/s) – ‘google-chrome-stable_current_x86_64.rpm’ saved [72280700/72280700]

[root@localhost mozilla_test0]# yum localinstall google-chrome-stable_current_x86_64.rpm
Loaded plugins: fastestmirror, langpacks
Examining google-chrome-stable_current_x86_64.rpm: google-chrome-stable-87.0.4280.88-1.x86_64
Marking google-chrome-stable_current_x86_64.rpm to be installed
Resolving Dependencies
–> Running transaction check
—> Package google-chrome-stable.x86_64 0:87.0.4280.88-1 will be installed
–> Processing Dependency: liberation-fonts for package: google-chrome-stable-87.0.4280.88-1.x86_64
Loading mirror speeds from cached hostfile
 * base: mirror.wwfx.net
 * epel: mirrors.uni-ruse.bg
 * extras: mirror.wwfx.net
 * updates: mirror.wwfx.net
–> Processing Dependency: libvulkan.so.1()(64bit) for package: google-chrome-stable-87.0.4280.88-1.x86_64
–> Running transaction check
—> Package liberation-fonts.noarch 1:1.07.2-16.el7 will be installed
–> Processing Dependency: liberation-narrow-fonts = 1:1.07.2-16.el7 for package: 1:liberation-fonts-1.07.2-16.el7.noarch
—> Package vulkan.x86_64 0:1.1.97.0-1.el7 will be installed
–> Processing Dependency: vulkan-filesystem = 1.1.97.0-1.el7 for package: vulkan-1.1.97.0-1.el7.x86_64
–> Running transaction check
—> Package liberation-narrow-fonts.noarch 1:1.07.2-16.el7 will be installed
—> Package vulkan-filesystem.noarch 0:1.1.97.0-1.el7 will be installed
–> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================
 Package                             Arch               Version                      Repository                                        Size
============================================================================================================================================
Installing:
 google-chrome-stable                x86_64             87.0.4280.88-1               /google-chrome-stable_current_x86_64             227 M
Installing for dependencies:
 liberation-fonts                    noarch             1:1.07.2-16.el7              base                                              13 k
 liberation-narrow-fonts             noarch             1:1.07.2-16.el7              base                                             202 k
 vulkan                              x86_64             1.1.97.0-1.el7               base                                             3.6 M
 vulkan-filesystem                   noarch             1.1.97.0-1.el7               base                                             6.3 k

Transaction Summary
============================================================================================================================================
Install  1 Package (+4 Dependent packages)

Total size: 231 M
Total download size: 3.8 M
Installed size: 249 M
Is this ok [y/d/N]: y
Downloading packages:
(1/4): liberation-fonts-1.07.2-16.el7.noarch.rpm                                                                     |  13 kB  00:00:00     
(2/4): liberation-narrow-fonts-1.07.2-16.el7.noarch.rpm                                                              | 202 kB  00:00:00     
(3/4): vulkan-filesystem-1.1.97.0-1.el7.noarch.rpm                                                                   | 6.3 kB  00:00:00     
(4/4): vulkan-1.1.97.0-1.el7.x86_64.rpm                                                                              | 3.6 MB  00:00:01     
——————————————————————————————————————————————–
Total                                                                                                       1.9 MB/s | 3.8 MB  00:00:02     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : vulkan-filesystem-1.1.97.0-1.el7.noarch                                                                                  1/5
  Installing : vulkan-1.1.97.0-1.el7.x86_64                                                                                             2/5
  Installing : 1:liberation-narrow-fonts-1.07.2-16.el7.noarch                                                                           3/5
  Installing : 1:liberation-fonts-1.07.2-16.el7.noarch                                                                                  4/5
  Installing : google-chrome-stable-87.0.4280.88-1.x86_64                                                                               5/5
Redirecting to /bin/systemctl start atd.service
  Verifying  : vulkan-1.1.97.0-1.el7.x86_64                                                                                             1/5
  Verifying  : 1:liberation-narrow-fonts-1.07.2-16.el7.noarch                                                                           2/5
  Verifying  : 1:liberation-fonts-1.07.2-16.el7.noarch                                                                                  3/5
  Verifying  : google-chrome-stable-87.0.4280.88-1.x86_64                                                                               4/5
  Verifying  : vulkan-filesystem-1.1.97.0-1.el7.noarch                                                                                  5/5

Installed:
  google-chrome-stable.x86_64 0:87.0.4280.88-1                                                                                              

Dependency Installed:
  liberation-fonts.noarch 1:1.07.2-16.el7         liberation-narrow-fonts.noarch 1:1.07.2-16.el7       vulkan.x86_64 0:1.1.97.0-1.el7      
  vulkan-filesystem.noarch 0:1.1.97.0-1.el7      

Complete!
 

Once Chrome is installed you can either run it from gnome-terminal
 

[test@localhost ~]$ gnome-terminal &



Or find it in the list of CentOS programs:

Applications → Internet → Google Chrome


The last step is to make Google Chrome easily updatable, to keep the VM at a high security level and let Chrome get updated every time you apply security updates with yum check-update && yum upgrade.
For that it is necessary to create a new custom repo file:
/etc/yum.repos.d/google-chrome.repo

[root@localhost mozilla_test0]# vim /etc/yum.repos.d/google-chrome.repo
[google-chrome]
name=google-chrome
baseurl=http://dl.google.com/linux/chrome/rpm/stable/x86_64
enabled=1
gpgcheck=1
gpgkey=https://dl.google.com/linux/linux_signing_key.pub

Now let's import the GPG signing key

[root@localhost mozilla_test0]# rpmkeys --import https://dl.google.com/linux/linux_signing_key.pub
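
The NOKEY warning in the install transcript above means the signature on the downloaded RPM could not be checked, because the key was imported only afterwards. As an added example (not part of the original post), the helpers below import the key first and install only when rpm -K reports a verified signature; rpm_sig_verdict, safe_localinstall and sample_lines are hypothetical names, and the sample lines are constructed, modelled on the output of older and newer rpm versions.

```shell
#!/bin/sh
# Added example, not from the original post: install a downloaded RPM only
# when `rpm -K` (--checksig) reports a verified signature.
# rpm_sig_verdict / safe_localinstall / sample_lines are hypothetical helpers.

# rpm_sig_verdict LINE: classify one line of `rpm -K` output.
# rpm prints a check in lower case when it passed and in UPPER CASE when it
# failed; a package carrying no signature at all still ends in "OK".
rpm_sig_verdict() {
    result=${1##*.rpm: }                 # text after "file.rpm: "
    case "$result" in
        *"NOT OK"*)
            echo "bad-or-missing-key" ;;
        *signatures*OK|*rsa*OK|*dsa*OK|*pgp*OK|*gpg*OK)
            echo "signed-ok" ;;
        *OK)
            echo "unsigned" ;;           # digests only: intact, but from whom?
        *)
            echo "unknown" ;;
    esac
}

# safe_localinstall FILE KEY_URL: import the vendor key, verify, then install.
# yum's localpkg_gpgcheck option defaults to 0, so `yum localinstall` on its
# own does not enforce the signature of a local file.
safe_localinstall() {
    rpm --import "$2" || return 1
    line=$(LC_ALL=C rpm -K "$1" 2>&1)
    verdict=$(rpm_sig_verdict "$line")
    if [ "$verdict" != "signed-ok" ]; then
        echo "refusing to install ($verdict): $line" >&2
        return 1
    fi
    yum localinstall "$1"
}

# Constructed sample lines (key ID 7fac5991 is the one from the warning above).
sample_lines() {
    cat <<'EOF'
chrome.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#7fac5991)
chrome.rpm: (sha1) dsa sha1 md5 gpg OK
repacked.rpm: sha1 md5 OK
chrome.rpm: digests signatures OK
tampered.rpm: digests SIGNATURES NOT OK
EOF
}

# Demo: classify each constructed line. safe_localinstall is only defined
# here, not called, because it needs rpm, yum and root privileges.
sample_lines | while IFS= read -r l; do
    printf '%-20s %s\n' "$(rpm_sig_verdict "$l")" "$l"
done
```

The third sample line is the case worth remembering: an unsigned package passes its digest checks and prints OK, so OK alone is not proof of origin.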

That's all folks, google-chrome is at your disposal.

How to check who is flooding your Apache, NGinx Webserver – Real time Monitor statistics about IPs doing most URL requests and Stopping DoS attacks with Fail2Ban

Wednesday, August 20th, 2014


If you're a Linux system administrator at a web hosting company providing WordPress / Joomla / Drupal site hosting, and your UNIX servers suffer from periodic denial of service attacks because some customer's business is the target of a competitor trying to ruin the client's sites through DoS or DDoS attacks, then the best thing you can do is identify who is hammering the Linux server and how. If you find out that the DoS is not on the network level, but Apache keeps crashing because of memory leaks and there are so many connections to Apache that the CPU is overloaded, the best thing to do is check which IP addresses are causing the excessive GET / POST / HEAD requests in the logs.
 

There is the Apachetop tool that can give you the most accessed webserver URLs in a refreshed screen like UNIX top command, however Apachetop does not show which IP does most URL hits on Apache / Nginx webserver. 

 

1. Get basic information on which IPs accesses Apache / Nginx the most using shell cmds


Before examining the Webserver logs it is useful to get a general picture on who is flooding you on a TCP / IP network level, with netstat like so:
 

# here is howto check clients count connected to your server
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n


If you get an extensive number of connected IPs / hosts (like 10000 or some other huge number), then depending on the type of hardware the server is running and the scaling previously planned for the system, you can determine whether a count this large can be handled normally by the server. If, as in most cases, the server is planned to serve a couple of hundred or a few thousand clients and you get over 10000 connections hanging, then either your server is under attack or, if it is an Internet-facing server, your website has suddenly become famous (for example someone posted an article on some major website) and you suddenly received tons of hits.


There is a way using standard shell tools, to get some basic information on which IP accesses the webserver the most with:

tail -n 500 /var/log/apache2/access.log | cut -d' ' -f1 | sort | uniq -c | sort -gr

Or if you want to keep it refreshing periodically every few seconds run it through watch command:

watch "tail -n 500 /var/log/apache2/access.log | cut -d' ' -f1 | sort | uniq -c | sort -gr"



Another useful combination of shell commands is to Monitor POST / GET / HEAD requests number in access.log :
 

 awk '{print $6}' access.log | sort | uniq -c | sort -n

     1 "alihack<%eval
      1 "CONNECT
      1 "fhxeaxb0xeex97x0fxe2-x19Fx87xd1xa0x9axf5x^xd0x125x0fx88x19"x84xc1xb3^v2xe9xpx98`X'dxcd.7ix8fx8fxd6_xcdx834x0c"
      1 "x16x03x01"
      1 "xe2
      2 "mgmanager&file=imgmanager&version=1576&cid=20
      6 "4–"
      7 "PUT
     22 "–"
     22 "OPTIONS
     38 "PROPFIND
   1476 "HEAD
   1539 "-"
  65113 "POST
 537122 "GET


However, using combinations of shell commands takes plenty of typing and is hard to remember, plus the above tools do not show you approximately how frequently an IP hits the webserver.

 

2. Real-time monitoring IP addresses with highest URL requests with logtop

 


Real-time monitoring on IP addresses with highest URL requests is possible with no need of "console ninja skills"  through – logtop.

 

2.1 Install logtop on Debian / Ubuntu and deb derivatives Linux

 


a) Installing Logtop the debian way

LogTop is easily installable on Debian and Ubuntu. In newer releases (Debian 7.0 and Ubuntu 13/14 Linux) it is part of the default package repositories and can be straightforwardly apt-get-ed with:

apt-get install --yes logtop

b) Installing Logtop from source code (install on older deb based Linuxes)

On older Debian and Ubuntu servers (Debian 6, Ubuntu 7-12), install logtop by compiling it from source code. Read the README installation instructions or, if lazy, copy / paste the below:

cd /usr/local/src
wget https://github.com/JulienPalard/logtop/tarball/master
mv master JulienPalard-logtop.tar.gz
tar -zxf JulienPalard-logtop.tar.gz

cd JulienPalard-logtop-*/
aptitude install libncurses5-dev uthash-dev

aptitude install python-dev swig

make python-module

python setup.py install

make

make install

 

mkdir -p /usr/bin/
cp logtop /usr/bin/


2.2 Install Logtop on CentOS 6.5 / 7.0 / Fedora / RHEL and rest of RPM based Linux-es

b) Install logtop on CentOS 6.5 and CentOS 7 Linux

– For CentOS 6.5 you need to rpm install epel-release-6-8.noarch.rpm
 

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -ivh epel-release-6-8.noarch.rpm
links http://dl.fedoraproject.org/pub/epel/6/SRPMS/uthash-1.9.9-6.el6.src.rpm
rpmbuild --rebuild uthash-1.9.9-6.el6.src.rpm
cd /root/rpmbuild/RPMS/noarch
rpm -ivh uthash-devel-1.9.9-6.el6.noarch.rpm


– For CentOS 7 you need to rpm install epel-release-7-0.2.noarch.rpm

 

links http://download.fedoraproject.org/pub/epel/beta/7/x86_64/repoview/epel-release.html
 

Click on and download epel-release-7-0.2.noarch.rpm

rpm -ivh epel-release-7-0.2.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
yum -y install git ncurses-devel uthash-devel
git clone https://github.com/JulienPalard/logtop.git
cd logtop
make
make install

 

2.3 Some Logtop use examples and short explanation

 

logtop shows 4 columns as follows – Line number, Count, Frequency, and Actual line

 

The quickest way to visualize which IP is stoning your Apache / Nginx webserver on Debian?

 

tail -f access.log | awk {'print $1; fflush();'} | logtop

 

 


On CentOS / RHEL

tail -f /var/log/httpd/access_log | awk {'print $1; fflush();'} | logtop

 

Using LogTop even Squid Proxy caching server access.log can be monitored.
To get squid Top users by IP listed:

 

tail -f /var/log/squid/access.log | awk {'print $1; fflush();'} | logtop


 

Or you might visualize in real-time squid cache top requested URLs
 

tail -f /var/log/squid/access.log | awk {'print $7; fflush();'} | logtop



 

3. Automatically Filter IP addresses causing Apache / Nginx Webservices Denial of Service with fail2ban
 

Once you identify the problem, if the sites hosted on the server are the target of a Distributed DoS, probably the best thing to do is to use fail2ban to automatically filter (ban) IP addresses doing excessive queries to system services. Assuming that you have already installed fail2ban as explained in the above link (on Debian / Ubuntu Linux) with:

apt-get install --yes fail2ban


To make fail2ban start filtering DoS attack IP addresses, you will have to set the following configurations:
 

vim /etc/fail2ban/jail.conf


Paste in file:
 

[http-get-dos]
 
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/WEB_SERVER-access.log
# maxretry is how many GETs we can have in the findtime period before getting narky
maxretry = 300
# findtime is the time period in seconds in which we're counting "retries" (300 seconds = 5 mins)
findtime = 300
# bantime is how long we should drop incoming GET requests for a given IP for, in this case it's 5 minutes
bantime = 300
action = iptables[name=HTTP, port=http, protocol=tcp]


Before you paste, make sure you set logpath = to the proper location of the webserver log (the default one is /var/log/apache2/access.log). If you're using a separate log for each hosted website, you will probably want to write a script that loops through the logs directory, gets the log file names and automatically adds a modified version of the above [http-get-dos] configuration for each. Also configure maxretry per IP, findtime and bantime. In the above example the values are a bit low, and for heavily loaded websites which have to serve thousands of simultaneous connections originating from office networks using Network Address Translation (NAT), they might be too low and should be tuned to prevent situations where even your own customers can't access their websites 🙂

To finalize fail2ban configuration, you have to create fail2ban filter file:

vim /etc/fail2ban/filter.d/http-get-dos.conf


Paste:
 

# Fail2Ban configuration file
#
# Author: http://www.go2linux.org
#
[Definition]
 
# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
 
failregex = ^<HOST> -.*"(GET|POST).*
 
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
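
A dry run of the thresholds above, as an added example that is not part of the original post or of fail2ban: it replays access-log lines through a Python equivalent of the failregex and a sliding findtime window to show which IPs would reach maxretry. The replay() and sample_log() names, the IPv4-only stand-in for <HOST> and the sample log lines are assumptions constructed for illustration.

```python
"""Replay an access log against the [http-get-dos] thresholds before enabling the jail."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Python equivalent of: failregex = ^<HOST> -.*"(GET|POST).*
# Assumption: <HOST> is approximated by an IPv4 pattern (IPv4-only logs).
FAILREGEX = re.compile(r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) -.*"(?:GET|POST)')
# Apache/Nginx combined-log timestamp, e.g. [20/Aug/2014:10:40:11 +0300]
TIMESTAMP = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) ([+-]\d{4})\]')


def replay(lines, maxretry=300, findtime=300):
    """Return {ip: time of ban} for IPs reaching maxretry hits within findtime seconds.

    Lines are assumed to be in chronological order, as in a live access log.
    """
    window = defaultdict(deque)  # ip -> timestamps of hits still inside findtime
    banned = {}
    for line in lines:
        hit = FAILREGEX.match(line)
        stamp = TIMESTAMP.search(line)
        if not hit or not stamp:
            continue  # line would not count as a "failure" for this filter
        ip = hit.group('host')
        if ip in banned:
            continue  # already banned, later requests would be dropped
        when = datetime.strptime(' '.join(stamp.groups()), '%d/%b/%Y:%H:%M:%S %z')
        hits = window[ip]
        hits.append(when)
        # Forget hits that have fallen out of the findtime window.
        while (when - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry:
            banned[ip] = when
    return banned


def sample_log():
    """Constructed sample: one burst client, one steady client, one unmatched line."""
    lines = []
    for sec in range(40):  # 40 GETs within 40 seconds
        lines.append('192.0.2.10 - - [20/Aug/2014:10:40:%02d +0300] '
                     '"GET /index.php HTTP/1.1" 200 512' % sec)
    for minute in range(40):  # one POST per minute, e.g. an office behind NAT
        lines.append('198.51.100.7 - - [20/Aug/2014:11:%02d:00 +0300] '
                     '"POST /wp-login.php HTTP/1.1" 200 512' % minute)
    # A request line of "-" is not matched by the failregex.
    lines.append('203.0.113.5 - - [20/Aug/2014:11:45:00 +0300] "-" 408 0')
    return lines


if __name__ == '__main__':
    for maxretry, findtime in ((30, 60), (30, 3600), (300, 300)):
        result = replay(sample_log(), maxretry, findtime)
        print('maxretry=%d findtime=%d -> %s' % (maxretry, findtime, sorted(result)))
```

With a short findtime only the burst client is caught; widening findtime at the same maxretry also bans the steady client, which is the NAT false-positive case mentioned above.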


To make fail2ban load new created configs restart it:
 

/etc/init.d/fail2ban restart


If you want to test whether it is working, you can use Apache webserver benchmark tools such as ab or siege.
The quickest way to test whether excessive IP requests get filtered, and get your own IP temporarily banned:

ab -n 1000 -c 20 http://your-web-site-dot-com/

This will make 1000 page loads over 20 concurrent connections and will get your IP temporarily banned for 300 seconds (5 minutes). The ban will be logged in /var/log/fail2ban.log, where you will get something like:

2014-08-20 10:40:11,943 fail2ban.actions: WARNING [http-get-dos] Ban 192.168.100.5
2013-08-20 10:44:12,341 fail2ban.actions: WARNING [http-get-dos] Unban 192.168.100.5

Monitoring MySQL server queries and debugging performance (slow query) issues with native MySQL commands and with mtop, mytop

Thursday, May 10th, 2012

If you're a Linux server administrator running MySQL server, you need to troubleshoot performance and bottleneck issues with the SQL database every now and then. In this article, I will pinpoint few methods to debug basic issues with MySQL database servers.

1. Troubleshooting MySQL database queries with native SQL commands

a) One way to debug errors and get general statistics is by logging in with the mysql cli and checking the mysql server status:

# mysql -u root -p
mysql> SHOW STATUS;
+-----------------------------------+------------+
| Variable_name | Value |
+-----------------------------------+------------+
| Aborted_clients | 1132 |
| Aborted_connects | 58 |
| Binlog_cache_disk_use | 185 |
| Binlog_cache_use | 2542 |
| Bytes_received | 115 |
.....
.....
| Com_xa_start | 0 |
| Compression | OFF |
| Connections | 150000 |
| Created_tmp_disk_tables | 0 |
| Created_tmp_files | 221 |
| Created_tmp_tables | 1 |
| Delayed_errors | 0 |
| Delayed_insert_threads | 0 |
| Delayed_writes | 0 |
| Flush_commands | 1 |
.....
.....
| Handler_write | 132 |
| Innodb_page_size | 16384 |
| Innodb_pages_created | 6204 |
| Innodb_pages_read | 8859 |
| Innodb_pages_written | 21931 |
.....
.....
| Slave_running | OFF |
| Slow_launch_threads | 0 |
| Slow_queries | 0 |
| Sort_merge_passes | 0 |
| Sort_range | 0 |
| Sort_rows | 0 |
| Sort_scan | 0 |
| Table_locks_immediate | 4065218 |
| Table_locks_waited | 196 |
| Tc_log_max_pages_used | 0 |
| Tc_log_page_size | 0 |
| Tc_log_page_waits | 0 |
| Threads_cached | 51 |
| Threads_connected | 1 |
| Threads_created | 52 |
| Threads_running | 1 |
| Uptime | 334856 |
+-----------------------------------+------------+
225 rows in set (0.00 sec)

The SHOW STATUS; command gives plenty of useful info, however it does not show the exact list of queries currently processed by the SQL server. Sometimes it is exactly a stuck (slow) query execution that you need to debug in order to fix a lagging SQL. One way to track these slow queries is by enabling the MySQL slow-query.log. However, enabling the slow-query log requires a MySQL server restart, and some critical production database servers are not so easy to restart, so the SQL slow queries have to be tracked "on the fly", so to say.
Therefore, to check the exact (slow) queries processed by the SQL server (without restarting it), do
 

mysql> SHOW processlist;
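+------+------+---------------+------+---------+------+--------------+------------------------------------------------------------------------------------------------------+
| Id | User | Host | db | Command | Time | State | Info |
+------+------+---------------+------+---------+------+--------------+------------------------------------------------------------------------------------------------------+
| 609 | root | localhost | blog | Sleep | 5 | | NULL |
| 1258 | root | localhost | NULL | Sleep | 85 | | NULL |
| 1308 | root | localhost | NULL | Query | 0 | NULL | show processlist |
| 1310 | blog | pcfreak:64033 | blog | Query | 0 | Sending data | SELECT comment_author, comment_author_url, comment_content, comment_post_ID, comment_ID, comment_aut |
+------+------+---------------+------+---------+------+--------------+------------------------------------------------------------------------------------------------------+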
4 rows in set (0.00 sec)
mysql>

SHOW processlist gives a good view on what is happening inside the SQL.

To get more complete information on SQL query threads use the full extra option:

mysql> SHOW full processlist;

This gives pretty full info on running threads, but unfortunately it is annoying to re-run the command again and again – constantly to press UP Arrow + Enter keys.

Hence it is useful to get the same command output refreshed periodically every few seconds. This is possible by running it through the watch command:

debian:~# watch "echo 'show processlist' | mysql -u root -p'secret_password'"

watch will run SHOW processlist every 2 secs (this is the default watch refresh time; for other timing use watch -n 1, watch -n 10 etc.).

The produced output will be similar to:

Every 2.0s: echo 'show processlist' | mysql -u root -p'secret_password' Thu May 10 17:24:19 2012

Id User Host db Command Time State Info
609 root localhost blog Sleep 3 NULL
1258 root localhost NULL Sleep 649 NULL
1542 blog pcfreak:64981 blog Query 0 Copying to tmp table SELECT p.ID, p.post_title, p.post_content,p.post_excerpt, p.post_date, p.comment_count, count(t_r.o
1543 root localhost NULL Query 0 NULL show processlist

Though this "hack" is one of the possible ways to get some interactivity on what is happening inside SQL server databases and tables, for administering hundreds or thousands of SQL servers running dozens of queries per second, monitoring their behaviour a few times a day using mytop or mtop is many times easier.

Though the names of the two tools are quite similar and I used to think both tools are one and the same, actually they're not, but both are suitable for monitoring SQL database execution in real time.

As a sys admin, I've used mytop and mtop on almost every Linux server with MySQL server installed.
Both tools have helped me many times in debugging oddities with SQL servers. Therefore my personal view is that mytop and mtop should be part of the Linux sysadmin's outfit of most useful command tools; still, I'm sure many administrators haven't heard about these nice goodies.

1. Installing mytop on Debian, Ubuntu and other deb based GNU / Linux-es

mytop is available for easy install on Debian and across all debian / ubuntu and deb derivative distributions via apt.

Here is info obtained with apt-cache show

debian:~# apt-cache show mytop|grep -i description -A 3
Description: top like query monitor for MySQL
Mytop is a console-based tool for monitoring queries and the performance
of MySQL. It supports version 3.22.x, 3.23.x, 4.x and 5.x servers.
It's written in Perl and support connections using TCP/IP and UNIX sockets.

Installing the tool is done with the trivial:

debian:~# apt-get --yes install mytop
....

mtop used to be available for apt-get-ting in Debian Lenny and prior Debian releases, but from Squeeze onwards only mytop is included (probably due to some licensing incompatibilities with mtop??).

For those curious about how mtop / mytop work: both are Perl scripts written to periodically connect to the SQL server and run commands similar to SHOW FULL PROCESSLIST;. Then the output is parsed and displayed to the user.

Here is how mytop looks when running:

MyTOP showing queries running on Ubuntu 8.04 Linux - Debugging interactively top like MySQL
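
The parse-and-rank step described above (and done by hand with watch earlier), as an added example that is not code from mytop, mtop or the original post: it takes the tab-separated text that the mysql client prints for SHOW FULL PROCESSLIST when its output is piped, drops idle threads and ranks the rest by running time. The function names, the IDLE set and the sample rows are assumptions constructed for illustration.

```python
"""Rank active MySQL threads from tab-separated SHOW FULL PROCESSLIST output."""

# Constructed sample in the mysql client's batch (tab-separated) output format.
SAMPLE = (
    "Id\tUser\tHost\tdb\tCommand\tTime\tState\tInfo\n"
    "609\troot\tlocalhost\tblog\tSleep\t3\t\tNULL\n"
    "1258\troot\tlocalhost\tNULL\tSleep\t649\t\tNULL\n"
    "1542\tblog\tpcfreak:64981\tblog\tQuery\t42\tCopying to tmp table\t"
    "SELECT p.ID, p.post_title FROM wp_posts p\n"
    "1543\troot\tlocalhost\tNULL\tQuery\t0\tNULL\tshow full processlist\n"
    "1544\tblog\tpcfreak:64990\tblog\tQuery\t7\tSending data\t"
    "SELECT comment_ID FROM wp_comments\n"
)

# Commands that hold a connection but are not executing a statement (assumed list).
IDLE = {'Sleep', 'Daemon', 'Binlog Dump'}


def parse_processlist(text):
    """Turn batch-mode processlist text into a list of dicts keyed by column name."""
    lines = text.splitlines()
    if not lines:
        return []
    header = lines[0].split('\t')
    threads = []
    for line in lines[1:]:
        # Batch mode escapes tabs inside values, so a plain split is safe;
        # maxsplit keeps everything after the last separator inside Info.
        fields = line.split('\t', len(header) - 1)
        if len(fields) != len(header):
            continue  # blank or truncated line
        row = dict(zip(header, fields))
        # Time can be NULL for some threads; treat that as 0 seconds.
        row['Time'] = int(row['Time']) if row['Time'].isdigit() else 0
        threads.append(row)
    return threads


def slow_queries(text, min_seconds=5):
    """Return active threads running for at least min_seconds, slowest first."""
    active = [t for t in parse_processlist(text)
              if t['Command'] not in IDLE and t['Time'] >= min_seconds]
    return sorted(active, key=lambda t: t['Time'], reverse=True)


if __name__ == '__main__':
    for t in slow_queries(SAMPLE):
        print('%6ss  id=%s  %s@%s  [%s]  %s' % (
            t['Time'], t['Id'], t['User'], t['Host'], t['State'], t['Info'][:60]))
```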

2. Installing mytop on RHEL and CentOS

By default in RHEL and CentOS and probably other RedHat based Linux-es, there is neither mtop nor mytop available in package repositories. Hence on those the tools can only be installed from third parties. As of the time of writing, rpm builds for RHEL and CentOS, as well as a src.rpm package (for universal rpm distros), are available at http://pkgs.repoforge.org/mytop/. For the sake of preservation, in case those RPMs disappear in future, I made a mirror of mytop rpm's here

The mytop rpm builds depend on the package perl(Term::ReadKey); my attempt to install mytop on CentOS 5.6 returned the following error:

[root@cenots ~]# rpm -ivh mytop-1.4-2.el5.rf.noarch.rpm
warning: mytop-1.4-2.el5.rf.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
error: Failed dependencies:
perl(Term::ReadKey) is needed by mytop-1.4-2.el5.rf.noarch

The perl(Term::ReadKey) package is not available in the default repositories of CentOS 5.6 (and probably other CentOS releases), so I had to google perl(Term::ReadKey). I found it on the http://rpm.pbone.net/ package repository; the exact URL of the rpm dependency as of the time of writing this post is:

ftp://ftp.pbone.net/mirror/yum.trixbox.org/centos/5/old/perl-Term-ReadKey-2.30-2.rf.i386.rpm

Quickest, way to install it is:

[root@centos ~]# rpm -ivh ftp://ftp.pbone.net/mirror/yum.trixbox.org/centos/5/old/perl-Term-ReadKey-2.30-2.rf.i386.rpm
Retrieving ftp://ftp.pbone.net/mirror/yum.trixbox.org/centos/5/old/perl-Term-ReadKey-2.30-2.rf.i386.rpm
Preparing... ########################################### [100%]
1:perl-Term-ReadKey ########################################### [100%]

This time the mytop install went fine:

[root@centos ~]# rpm -ivh mytop-1.4-2.el5.rf.noarch.rpm
warning: mytop-1.4-2.el5.rf.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:mytop ########################################### [100%]

To use it further, it is the usual syntax:

mytop -u username -p 'secret_password' -d database

CentOS Linux MyTOP MySQL query benchmark screenshot - vpopmail query

3. Installing mytop and mtop on FreeBSD and other BSDs

To debug the running SQL queries in a MySQL server running on FreeBSD, one could use both mytop and mtop – both are installable via ports:

a) To install mtop exec:

freebsd# cd /usr/ports/sysutils/mtop
freebsd# make install clean
....

b) To install mytop exec:

freebsd# cd /usr/ports/databases/mytop
freebsd# make install clean
....

I personally prefer to use mtop on FreeBSD, because once run it prompts the user to interactively type in the user/pass

freebsd# mtop

Then mtop prompts the user with "interactive" dialog screen to type in user and pass:

Mtop interactive type in username and password screenshot on FreeBSD 7.2

It is pretty annoying that mytop, run with the same syntax as mtop, doesn't show a user/pass prompt:

freebsd# mytop
Cannot connect to MySQL server. Please check the:

* database you specified "test" (default is "test")
* username you specified "root" (default is "root")
* password you specified "" (default is "")
* hostname you specified "localhost" (default is "localhost")
* port you specified "3306" (default is 3306)
* socket you specified "" (default is "")
The options my be specified on the command-line or in a ~/.mytop
config file. See the manual (perldoc mytop) for details.
Here's the exact error from DBI. It might help you debug:
Unknown database 'test'

The correct syntax to run mytop instead is:

freebsd# mytop -u root -p 'secret_password' -d 'blog'

Or the longer more descriptive:

freebsd# mytop --user root --pass 'secret_password' --database 'blog'

By the way, if you take a look at mytop's manual you will notice a tiny error in the documentation, where the three options --user, --pass and --database are wrongly said to be used as -user, -pass, -database:

freebsd# mytop -user root -pass 'secret_password' -database 'blog'
Cannot connect to MySQL server. Please check the:

* database you specified "atabase" (default is "test")
* username you specified "ser" (default is "root")
* password you specified "ass" (default is "")
* hostname you specified "localhost" (default is "localhost")
* port you specified "3306" (default is 3306)
* socket you specified "" (default is "")a
...
Access denied for user 'ser'@'localhost' (using password: YES)

Actually, it is interesting that mytop historically preceded mtop.
mtop was later written (probably based on mytop) to run on FreeBSD OS by a famous MySQL (IT) specialist, Jeremy Zawodny.
Anyone who has to do frequent MySQL administration tasks should have already heard Zawodny's name.
For those who haven't, Jeremy used to be a head database administrator and developer at Yahoo! Inc. a few years ago.
His website contains plenty of interesting thoughts and writings on MySQL server and database management.