Disaster Recovery and Backup Solutions
Download
Report
Transcript Disaster Recovery and Backup Solutions
Securing your Investment
with
OpenSource or not …
Simon Boardman
Topics Covered
• Security of my PC
• Security of my server
• Security of my data
PC Security
• Anti-Virus – Avast
– A good Free One is called AVAST which is free for Home Users:
– http://anti-virus-solution.com/avast4/index.asp
• Firewalls
– Use the Free One provided by Windows Service Pack 2/3 etc
• SpyBot
– Protect yourself against SpyWare with Free SpyBot
– There are plenty of web sites that 'pretend' to be SpyBot so you
end up installing SpyWare on your computer. This is the official
site and it's free:
– http://www.safer-networking.org/en/home/index.html
PC Software
• Disk Defragger
– Disk fragmentation leads to system slowdowns, PC crashes, slow
startups and shutdowns. Auslogics Disk Defrag is designed for fast
optimization of modern hard disks. Disk Defrag is absolutely FREE.
– http://www.auslogics.com/disk-defrag/index.php
• Registry Defragger
– Keeping the registry as compact as possible means better computer
performance. Auslogics Registry Defrag is fast becoming a useful and
essential tool in keeping your registry defragmented. As a result, the
Registry becomes compact and small, greatly improving your computer
performance
– http://www.auslogics.com/en/software/registry-defrag
• TCP/IP Optimiser
– The TCP Optimizer is a free, easy Windows program that provides an
intuitive interface for tuning and optimizing your Internet connection.
There is no installation required, just download and run.
– http://www.speedguide.net/downloads.php
Sever Security – What to Stop!
» Typical Multi-User Mode start-up: (Unix / Linux or
Windows)
rc2
S85tcp
S86rpc
S87nfs
P86sendmail
prngd
inetd
P90apache
S90nis
snmpd
S99cups
S95docview
sshd
aasd
S99smbd
S99nmbd
named
lpd
pppd
ntpd
Unix/Linux Network Security –
inetd.conf
• Services controlled by inetd(ADMN)
– inetd is knows as a Super Server
– inetd is started by /etc/rc2.d/S85tcp (/etc/tcp)
– inetd configures the services listed in
• /etc/inetd.conf
– inetd reads /etc/services (and /etc/protocol) to
get the name, aliases, port and protocol to
use for each service
Unix/Linux Network Security –
inetd.conf
• Services controlled by inetd(ADMN)
– On a traditional install inetd configures services including:
•
•
•
•
•
•
•
•
ftp
telnet
shell
login
exec
pop3
imap
swat
stream tcp nowait root
/etc/ftpd
ftpd -a
stream tcp nowait NOLUID /etc/telnetd telnetd
stream tcp nowait NOLUID /etc/rshd
rshd
stream tcp nowait NOLUID /etc/rlogind rlogind
stream tcp nowait NOLUID /etc/rexecd rexecd
stream tcp nowait root
/etc/popper popper
stream tcp nowait root
/etc/imapd imapd
stream tcp nowait root
/usr/sbin/swat swat
– Can disable a service by commenting it out
• # telnet stream tcp
nowait NOLUID /etc/telnetd
– And then restarting inetd with a SIGHUP
• kill -1 `cat /etc/inetd.pid`
telnetd
Unix/Linux What about
OpenSource?
• Well OpenSource products have been
included for some time …
– Tcp wrappers
– Ipfilter
– Openssh
– ipsec
Unix/Linux inetd.conf TCPWrappers
• Tcpwrappers:
– Can be used to log and control access to inetd services
– To enable tcpwrappers on telnetd:
• Edit /etc/inetd.conf
• Comment out the entry:
– telnet stream tcp nowait NOLUID /etc/telnetd
telnetd
• Uncomment the entry:
– # telnet stream tcp nowait NOLUID /etc/tcpd
telnetd
• Save the file
• Restart inetd using:
– kill -1 `cat /etc/inetd.pid`
– Telnet to the server and check syslog:
Unix/Linux inetd.conf TCPWrappers
• Controlling Access using tcpd(ADM)
– hosts_access(SFF) control implemented using:
/etc/hosts.allow and
/etc/hosts.deny
– These files contain no rules by default
– Access is controlled as follows:
• Grant access if you match an entry in the /etc/hosts.allow file
• Deny access if you match an entry in the /etc/hosts.deny file
– OpenSource:
• WEBMIN
Unix/Linux inetd.conf TCPWrappers
• Some hosts_access(SFF) examples:
– To deny everything, in /etc/hosts.deny add:
ALL: ALL
– To allow everything leave /etc/hosts.allow empty
– To allow exceptions in /etc/hosts.allow add:
ftpd: .friendly.domain
telnetd: [email protected]
rlogind: 192.168.1.0/255.255.255.0
– To report on blocked access
ALL :ALL : spawn (echo Attempt from %h %a to %d at `date` |
tee -a /var/log/tcp.deny.log |mail [email protected] )
Unix/Linux Firewalls / Secure Shell
/ VPN’s
• IP Filter Firewall Package for OS’s
– http://www.linuxsecurity.com/content/view/124
101/161/
• Openssh
– http://www.openssl.org/
• Ipsec
– http://support.real-time.com/opensource/ipsec/index.html
Questions – Boardman’s Pass it On
• What’s the Super Server controlling
networking?
• And what’s the services configuration file?
• What’s the most secure ; rcp, ftp or sftp?
• To deny telnet all access in which TCP
Wrapper would I put ALL: ALL?
• What the ‘IP filter’ package called?
• What tool would I use to set up a VPN?
Unix/Linux Securing my data …
•
•
•
•
The unfortunate basics …
The backup …
The remote backup …
The failover …
Stop being negative – what
disaster?
• FACT: Hardware Fails.
• CHOICES: What can we do about that?
• Accept the fact that one element of the
infrastructure will go down at some point,
usually sooner than we’d like.
• The Sales Guy said these things last
forever …
Ok, I accept that hardware fails
– so what?
• Do you have an effective Disaster Recovery Plan?
1. Yes, we do – it’s all documented, it’s simple and it’s
regularly tested as part of the yearly IT budget.
2. Yes, we do – The IT Dept produced a document and so
it ‘should’ work ‘should’ a disaster occurs.
3. Yes, we do – we backup nightly.
4. Not my problem – it’s the customer’s responsibility to do
this.
Whether you have one or not here’s the free stuff you
can do …
To think about …
•
•
•
•
•
•
•
•
Pre-Installation Work with the hardware:
Know to ‘know’ your hardware.
You need to ‘know’ your software too.
Build ‘Redundancy’ into your build with Power Supplies,
CPU’s, Network cards and, of course, disks.
RAID your operating system AND your data.
If I’m not using that piece of hardware should I leave it in,
turn it off in the BIOS or remove it?
I’ve just bought the hardware, why does it need a
Firmware upgrade?
Do I need to really look in the BIOS?
What does the OS give me?
• About the Installation …
• The installation doesn’t know how your
filesystems are going to be laid out does it
make assumptions.
• The installation doesn’t know what
packages you may need, so does it install
them all?
• Once installed, the OS will need
Maintenance applied.
Unix/Linux Preventing Disaster?
• Tricky to do but here are some useful things to do:
1. Add to /.profile the line:
PS1="`uname -n` # " export PS1
2. Keep a record of the disk structure or so you know how
they were laid out.
3. Take copies of critical Operating System files.
4. Traditionally; create Emergency Server Floppies and a
CD image or Tape to restore from.
5. Take a full ‘cpio’ backup.
Unix/Linux Common Post
Installation Faults …
•
•
•
•
The Server’s Slow …
- Have you checked, enabled, ‘sar’?
- Have you checked /etc/hosts ; DNS?
- Where’s the comparison? Can you thrash the server
with performance benchmark tools?
– http://sourceforge.net/projects/aimbench
• Have you enabled NTP?
• Have you pointed SendMail to your Exchange Server or
OpenSource email solution?
• A disk has failed – what do I do?
• - Test disk failures prior to production.
Can I configure redundant
network cards?
• Can I use Load Balancing on my Network
Cards
• Can I use Failover Network Cards?
• Can I simply plug a spare card into the
server?
What tools are there to make
backups?
•
•
•
•
How do I backup to tape?
- ‘cpio’ or ‘tar’ or ‘OpenSource’ gnu tools
More importantly, how do I restore files?
More likely, how do I get another server up and going
quickly because the production server’s down?
• Can I backup to a standby server?
Unix/Linux Introducing ‘cpio’:
• - Remote ‘cpio’ copies
– Host Equivalence ie. ‘trust’ – /.rhosts
– Can I copy over all the printers in /etc/lp
to another server?
– Can I copy over all the users in
/etc/passwd to another server?
– Can I copy over all the data on my
server to another server?
Unix/Linux Introducing ‘rdist’:
• http://www.magnicomp.com/rdist/
• Create a "distfile" in the form:
HOSTS = ( root@serverb )
FILES = ( /data )
${FILES} -> ${HOSTS}
install -R ;
• Here, we are going to sync the files in /data from this
server to "serverb" and run the command "rdist" in the
form:
# rdist -iR -f distfile
Unix/Linux Introducing ‘rsync’:
• http://samba.anu.edu.au/rsync/
• Now, let's start with some basic examples:
• Run: # rsync -bazv /local/rsync <other
server>:/tmp
• This will recursively copy the directory
/local/rsync from you Unixware system to the
<other server>.
• You will notice that by default 'ssl' transport is
used and you will be prompted for a password.
Windows
• Windows also has ‘rcp’ built in for free …
try in from your Windows XP command
prompt
• There are also plenty of OpenSource and
commerical ‘sync’ software products
available to achieve the same thing.
Third Party Tools
• Free or Paid For? = Supported or Not
• Free:
– http://www.roseindia.net/opensource/open-sourcebackup-software.shtml
• Paid for Examples:
–
–
–
–
–
ArcServe
LoneTar
MicroLite
NetVault
etc
Manual Failover Solutions
• Here’s the common scenario:
• Two Servers – One is in Production and
One is the ‘Standby’
• How do I sync the servers?
• I need to ensure the users and printers are
sycn’ed
• I need to ensure the application and data
are sycn’ed
• Ipalias (arp)
Shared Storage …
• If sycn’ing the data’s not the ideal solution here then
Shared Storage might be.
• Put a Storage Cabinet between the servers and place
the data there.
• Can both servers mount the filesystems on the storage
cabinet at the same time?
• If the cabinet goes down then we need either more
redundancy in the cabinet or a SaN …
• I can do a similar solution with Virtualisation …, such as
OpenSource Zen, VMware and Microsoft’s HyperV
Automated or Manual?
•
•
How much control do you want?
You can automate everything with, say, Veritas Cluster
or Sire Technologies – SavWare for mirroring disks …
or OpenSource:
– http://www.linux.com/feature/57073
•
a)
b)
c)
d)
•
•
You ‘still’ need to be aware of:
Where’s my application actually running?
Sync’ing the users and printers
What went wrong that caused a switch over?
Can I switch back?
You can take manual control with your own script.
It may be simple but gives you great flexibility.
Questions – Boardman’s Pass it On
• Easy One – What do you need to ‘know’?
• Can you name a performance monitoring
tool?
• What common tools can be used to copy
files remotely?
• Lastly, what’s the command to set a virtual
IP alias?