Feeds, issues, packages and source code about emulation and programming, of VENENUX projects, Debian related distros and massenkoh!

Configuring FTP for Sybase replication data sync

Sybase is the only DBMS that has included a complete MQTT since ancient times.

It can currently sync databases over HTTP, SMB, FTP, file-based or paste-based transports; we ignore the SMB option because it is obviously insecure.

Because Sybase replication sync has special requirements, the FTP server also needs a special setup, and the most common options (MS FTP, ProFTPD, etc.) are very insecure, so let's configure the most minimal and restricted one possible: the Pure-FTPd server software, for Sybase database sync.

Why, why not, and where?

  1. Distributed data is the fashion and the rule these days.
  2. High availability needs real hardware, so Docker or a VM are not viable.
  3. Sybase's FTP option offers the bi-directional feature.

Summary of services on the machine (physical, VM or Docker)

type | port | software | exposed | ip                                | purpose
web  | 80   | lighttpd | [ ]     |                                   | internal only
ftp  | 21   | pureftp  | [x]     | 192.168.1.105 / 200.44.8.12 -> 21 | ftp sync
db   | 3309 | mariadb  | [ ]     |                                   | admin, ftp, web
php  |      | php5.3   | [ ]     |                                   | admin, ftp, web
feature          | best choice          | other options       | must or may change? (justification)
hardware         | DELL T110 II         | Docker/VM           | It may seem a good idea to use something cheaper like Docker or a VM.
hard disk        | SAS RAID 250 GB      | none                | FTP sync implies many I/O operations; we need good performance.
net card         | e1000 (1)            | e1000 (1)           | FTP sync implies many I/O operations; we need good performance.
operating system | Devuan 1.0           | Debian 5 lenny      | A non-systemd OS is mandatory, so that the init process (< 2 processes) does not disturb the remaining services.
IPv4             | a VPN could be great | by LAN with a DMZ?  |

Installation

When performing the OS install, do not partition too much: put the whole OS in one partition, make all partitions primary, and keep one separate partition for the FTP Sybase data.

Note that the FTP service can run on the same machine as the database service.

Miscellaneous OS preparations

Base system packages

apt-get install less groff bzip2 lrzip lzop libgio-fam linux-base

General access user "daru"

A special user for access: "daru" gets UID 999, not 1000; it is also not a system user, since its UID is not < 500, so:

apt-get install csh
adduser --uid 999 --home /opt/daru --shell /bin/csh daru
rm /opt/daru/*

Privilege escalation

This special user "daru" will use sudo, but only in a special form, so that a non-privileged user can perform a limited set of administrative tasks:


apt-get install sudo
mv /usr/bin/sudo /bin/stupidgo
chmod u+s /bin/stupidgo

SSH limited to the internal network

edit /etc/ssh/sshd_config
item to edit    | value to set    | justification
AllowUsers      | daru rey        | only "daru" connects
ListenAddress   | 192.168.1.105   | internal IP only
LoginGraceTime  | 60              | limit the login time
PermitRootLogin | no              | root only at the physical console
X11Forwarding   | no              | for tough guys
Banner          | /etc/issue.net  | identify the login
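A small checker for the sshd_config settings in the table above, as an added example for this post (not OpenSSH's or the author's code). It assumes the OpenSSH parsing rules: keywords are case-insensitive, for these directives the first occurrence wins, and anything after a Match line is conditional, so the reader stops there. The sample files in the usage are constructed.

```shell
#!/bin/sh
# check_sshd_config: compare an sshd_config against the hardening table above.
# Added example, not part of the original post or of OpenSSH.

# sshd_opt FILE KEYWORD: print the value of the first matching directive
# (empty if unset). Directives after "Match" are conditional, so stop there.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        { k = tolower($1) }
        k == "match" { exit }               # global section ends here
        k == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# check_sshd_config FILE: print one line per deviation, return 1 if any.
check_sshd_config() {
    f=$1
    bad=0
    want() {   # want KEYWORD EXPECTED
        v=$(sshd_opt "$f" "$1")
        if [ "$v" != "$2" ]; then
            echo "$1 is '${v:-<unset>}', expected '$2'"
            bad=1
        fi
    }
    want AllowUsers "daru rey"
    want ListenAddress 192.168.1.105
    want LoginGraceTime 60
    want PermitRootLogin no
    want X11Forwarding no
    want Banner /etc/issue.net
    return $bad
}

# Usage on the live host (needs read access to the file):
#   check_sshd_config /etc/ssh/sshd_config
```

Unset directives are reported too, because sshd's defaults (for example PermitRootLogin without an explicit "no") are not what the table asks for.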

Internal web server, miscellaneous

We set up a web server only for internal administrative and informational tasks that need a web frontend.

Install the web server

dpkg --purge --force-all perl-base
apt-get install perl perl-base perl-modules fam libfam0
apt-get install perl perl-base perl-modules
apt-get install openssl lighttpd  php5-cgi phpsysinfo

Enable the web server modules

lighty-enable-mod cgi dir-listing accesslog fastcgi status userdir usertrack
lighty-disable-mod ssl www
/etc/init.d/lighttpd restart

Minimal web monitoring services

apt-get install phpsysinfo phpmyadmin php5-cgi php5-gd php5-mysql

Pure-FTPd

Install pure-ftpd

apt-get install pure-ftpd

Enabled as a service daemon, not on demand

edit /etc/default/pure-ftpd-common
item to edit        | value to set | justification
STANDALONE_OR_INETD | standalone   | run as a service daemon
VIRTUALCHROOT       | true         | restrict users

Initial config: PAM and system users are enabled

The Debian pure-ftpd package is configured to use system users as regular FTP-enabled users, because PAM integration is enabled by default; this can be tuned a little to choose which users are enabled:

echo 1000 > /etc/pure-ftpd/conf/MinUID

To make it more permissive we can lower the value:

echo 99 > /etc/pure-ftpd/conf/MinUID

With this, users like "postgres" that are valid but not permitted can be used for FTP, while virtual users like "staff" cannot use FTP.

Fine-tuning parameters needed for Sybase sync:

item to edit/create        | value      | command                                                   | justification
ChrootEveryone             | yes        | echo yes > /etc/pure-ftpd/conf/ChrootEveryone             | for security
Daemonize                  | yes        | echo yes > /etc/pure-ftpd/conf/Daemonize                  | as a service (again here)
DontResolve                | yes        | echo yes > /etc/pure-ftpd/conf/DontResolve                | this is not a DNS server
CreateHomeDir              | yes        | echo yes > /etc/pure-ftpd/conf/CreateHomeDir              | for virtual users
BrokenClientsCompatibility | no         | echo no > /etc/pure-ftpd/conf/BrokenClientsCompatibility  | no, please!
MaxClientsNumber           | 90         | echo 90 > /etc/pure-ftpd/conf/MaxClientsNumber            | 80 databases + admins
MaxClientsPerIP            | 10         | echo 10 > /etc/pure-ftpd/conf/MaxClientsPerIP             | 10 per each db try
DisplayDotFiles            | no         | echo no > /etc/pure-ftpd/conf/DisplayDotFiles             | for security
MaxIdleTime                | 1          | echo 1 > /etc/pure-ftpd/conf/MaxIdleTime                  | only active while data is in sync, whether connected manually or automatically
UserBandwidth              | 100        | echo 100 > /etc/pure-ftpd/conf/UserBandwidth              | 100 kbps to share bandwidth; use 8 kbps if you are on low-performance connections (recommended value)
LimitRecursion             | 21952100 4 | echo "21952100 4" > /etc/pure-ftpd/conf/LimitRecursion    | read below


Recursion limit and replication messages

Sybase uses "mmmmm.xyz" message files, where "xyz" is a random extension combination, so we need to calculate the number of variations with repetition:
  VR(p, n) = n^p, with p = 3 and n = 28
  VR(3, 28) = 28^3 = 21952
But for those variations we have 756 numbers, so let's calculate the total amount by proportion:
  1 ----- 1000, so 21952 ----- 1000 x 21952 / 1 = 21952000
We will have a maximum of 21952000 messages!
So the FTP server will limit the amount of displayed files to 21952000 + 100 = 21952100:
echo "21952100 4" > /etc/pure-ftpd/conf/LimitRecursion
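An audit script for the conf directory built up in the two sections above, as an added example for this post (not code from the author or the pure-ftpd project). It assumes the Debian layout of one file per option under /etc/pure-ftpd/conf, reads each setting with the Debian package defaults when a file is absent (PAMAuthentication on, DisplayDotFiles on), and reports the combinations the text warns about: a low MinUID while PAM is still enabled, a missing chroot, dot files listed, and a malformed LimitRecursion. The sample directories in the test are constructed.

```shell
#!/bin/sh
# audit_pureftpd_conf DIR: check a Debian-style pure-ftpd conf directory
# (one file per option) against the settings recommended in this post.
# Added example, not part of the original post or of pure-ftpd.

# opt DIR NAME DEFAULT: print the option value (trimmed, lower-cased),
# or DEFAULT when the option file does not exist.
opt() {
    if [ -f "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2" | tr 'A-Z' 'a-z'
    else
        printf '%s' "$3"
    fi
}

# Prints one "FINDING: ..." line per problem; returns 0 only when clean.
audit_pureftpd_conf() {
    dir=$1
    findings=0
    note() { findings=$((findings + 1)); echo "FINDING: $*"; }

    [ "$(opt "$dir" ChrootEveryone no)" = yes ] \
        || note "ChrootEveryone is not yes: users can browse outside their home"
    [ "$(opt "$dir" DisplayDotFiles yes)" = no ] \
        || note "DisplayDotFiles is not no: hidden files are listed"
    [ "$(opt "$dir" Daemonize no)" = yes ] \
        || note "Daemonize is not yes: server will not detach as a service"

    # PAM is enabled by default in the Debian package (assumed default here);
    # combined with a low MinUID, service accounts such as postgres or
    # www-data become valid FTP logins, which is the effect described above.
    pam=$(opt "$dir" PAMAuthentication yes)
    minuid=$(opt "$dir" MinUID 100)
    if [ "$pam" = yes ] && [ "$minuid" -lt 1000 ]; then
        note "PAMAuthentication=yes with MinUID=$minuid: system accounts with UID >= $minuid can log in over FTP"
    fi

    # LimitRecursion holds two numbers: max files listed, then max depth.
    set -- $(cat "$dir/LimitRecursion" 2>/dev/null)
    if [ $# -eq 2 ]; then
        [ "$2" -le 4 ] 2>/dev/null \
            || note "LimitRecursion depth '$2' is larger than the 4 used above"
    else
        note "LimitRecursion missing or malformed (expected '<max files> <max depth>')"
    fi

    [ "$findings" -eq 0 ]
}

# Usage on the live host:
#   audit_pureftpd_conf /etc/pure-ftpd/conf
```

Run it after writing the conf files and again after any package upgrade, since the Debian package ships its own defaults for options you have not set.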

Optional: virtual users backed by a common system user:

adduser --system --group --disabled-password --no-create-home --home /dev/null --shell /bin/false ftpvirtual

Now a first virtual user:

pure-pw useradd ftpreplica -u ftpvirtual -g ftpvirtual -d /home/ftpvdirs/ftpreplica

At this point, system users can log in to the FTP server, and the non-system user "ftpreplica" too; the login of system users can be disabled as follows:

Optional: disable system users from using the FTP server:

echo no > /etc/pure-ftpd/conf/PAMAuthentication

Optional: per-address/network restrictions:

We can limit connections to a range of addresses, by dropping unknown IPs and letting only a range of IPs (our servers that sync data) use the service:

echo "10.10.x.y" > /etc/pure-ftpd/conf/TrustedIP
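The virtual-user creation and the per-network restriction from the two optional sections above, scripted together as an added example for this post (not the author's or the pure-ftpd project's code). Two points the bare pure-pw line does not show: pure-pw only updates the text file /etc/pure-ftpd/pureftpd.passwd, and the server reads the compiled .pdb database, so the entry is invisible until "pure-pw mkdb" runs (the -m flag does that in one step); and pure-pw's -r option ties the account to a client address/mask, which is the per-user way to admit only the sync peers. Note also that pure-ftpd's TrustedIP option (-V) names a local listening address on which non-anonymous logins are accepted, not a remote client range, so client-side filtering belongs in -r or in the host firewall. Assumptions: the PureDB backend is enabled in /etc/pure-ftpd/auth, the "ftpvirtual" account exists as created above, the CIDR form of the -r argument, and the PURE_PW variable (added here only so a test can substitute a stand-in for the real binary).

```shell
#!/bin/sh
# add_sync_user LOGIN HOMEDIR CLIENT_CIDR: create a chrooted pure-ftpd
# virtual user for one replication peer, reachable only from CLIENT_CIDR.
# Added example, not part of the original post or of pure-ftpd.
# Assumes the PureDB auth backend is enabled (Debian:
#   ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50pure)
# and that the system account "ftpvirtual" exists.
# PURE_PW is an assumed hook so a test can replace the real binary.
PURE_PW=${PURE_PW:-pure-pw}

# The password is read from stdin (one line) so it never shows up in the
# process list; pure-pw asks for it twice (entry + confirmation), hence the
# printf that repeats it.
add_sync_user() {
    login=$1; home=$2; cidr=$3
    IFS= read -r password || return 1
    [ -n "$password" ] || { echo "empty password refused" >&2; return 1; }
    # -u/-g: run as the unprivileged ftpvirtual uid/gid
    # -d:    chroot the user into HOMEDIR (-D would disable the chroot)
    # -r:    accept logins from this client address/mask only (CIDR assumed)
    # -m:    rebuild the .pdb database now; without it the new entry stays
    #        in pureftpd.passwd and the running server does not see it
    printf '%s\n%s\n' "$password" "$password" | "$PURE_PW" useradd "$login" \
        -u ftpvirtual -g ftpvirtual -d "$home" -r "$cidr" -m
}

# Usage on the live host (password supplied from a file kept mode 0600):
#   add_sync_user ftpreplica /home/ftpvdirs/ftpreplica 10.10.0.0/16 < /root/ftpreplica.pw
```

Keep one virtual user per peer database: with MaxClientsPerIP set to 10 above, a per-user -r range also makes it obvious in the logs which peer a connection belongs to.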

Conclusions:

We chose Pure-FTPd because this is a specific task, not a complete FTP service; it is the recommended choice because of the security implications and the simplicity of its configuration.
