Sybase can currently sync databases over HTTP, SMB, FTP, file-based or paste-based transports; we discard the SMB option because it is obviously insecure.
Because Sybase replication sync has special requirements, the FTP server needs special settings too, and the most common options (MS FTP, ProFTPD, etc.) are very insecure, so let's configure Pure-FTPd, as minimal and restricted as possible, as the FTP service for the Sybase sync databases.
Why, why not, and where?
- Distributed data is the fashion and the rule these days.
- High availability needs real hardware, so Docker or a VM is not viable.
- Sybase plus the FTP option offers the bi-directional feature.
Brief summary of the services on the machine (physical, Docker or VM)
type | port | software | exposed/ip | purpose |
---|---|---|---|---|
web | 80 | lighttpd | [ ] | internal only |
ftp | 21 | pure-ftpd | [x] 192.168.1.105/200.44.8.12 -> 21 | ftp sync |
db | 3309 | mariadb | [ ] | admin ftp web |
php | - | php5.3 | [ ] | admin ftp web |
feature | best choice | other options | must or may change? |
---|---|---|---|
hardware | DELL T110 II | Docker/VM | It would be nice to use something cheaper; Docker or a VM would be best, if high availability allows it. |
hard disk | SAS RAID 250Gb | none | FTP sync implies many I/O operations, we need good performance |
net card | e1000 (1) | e1000 (1) | same reason: FTP sync implies many I/O operations, we need good performance |
operating system | Devuan 1.0 | Debian 5 lenny | A non-systemd OS is mandatory, so that the init process (PID 1) does not disturb the remaining services. |
IPv4 | a VPN would be great | by LAN with a DMZ? | |
Note that the FTP service can run on the same machine as the database service.
OS misc preparations
Base system packages
apt-get install less groff bzip2 lrzip lzop libgio-fam linux-base
General access user "daru"
A dedicated login user, "daru", with UID 999 rather than 1000. Note that Debian's adduser treats UIDs 100-999 as the system range, so 999 is only a "normal" user because --system is not passed; keep this in mind for the FTP MinUID setting later (a MinUID of 1000 would lock this user out of FTP). It uses csh as its shell, so first:
apt-get install csh
adduser --uid 999 --home /opt/daru --shell /bin/csh daru
rm /opt/daru/*
(The glob does not match the dotfiles copied from /etc/skel, so this only removes non-hidden files; remove the dotfiles explicitly if you want an empty home.)
Privilege escalation
apt-get install sudo
mv /usr/bin/sudo /bin/stupidgo
chmod u+s /bin/stupidgo
sudo is already installed setuid root and mv keeps the mode, so the chmod is only a safeguard. Renaming the binary is obscurity, not a control: the next upgrade of the sudo package will put /usr/bin/sudo back.
SSH limited to the internal network
edit /etc/ssh/sshd_config
item to edit | value to set | command | justification |
---|---|---|---|
AllowUsers | daru rey | | only the listed users ("daru" for the sync work, "rey") may connect |
ListenAddress | 192.168.1.105 | | bind to the internal IP only |
LoginGraceTime | 60 | | limit the time allowed to authenticate |
PermitRootLogin | no | | root only at the physical console |
X11Forwarding | no | | not needed on a server |
Banner | /etc/issue.net | | identify the host at login |
Check the file with sshd -t before restarting the service, so a typo does not lock you out.
Internal web server misc
Install the web server
dpkg --purge --force-all perl-base
apt-get install perl perl-base perl-modules fam libfam0
(perl-base is an Essential package; purging it with --force-all breaks apt/dpkg maintainer scripts until the reinstall on the next line succeeds, so run both from a console you will not lose.)
apt-get install openssl lighttpd php5-cgi phpsysinfo
Enable the web server modules
lighty-enable-mod cgi dir-listing accesslog fastcgi status userdir usertrack
lighty-disable-mod ssl www
/etc/init.d/lighttpd restart
The table above marks the web service as internal only; dir-listing and status expose details of the host, so set server.bind = "192.168.1.105" in /etc/lighttpd/lighttpd.conf so they are not reachable from the public IP.
Minimal web monitoring services
apt-get install phpsysinfo phpmyadmin php5-cgi php5-gd php5-mysql
Pure-FTPd
Install pure-ftpd
apt-get install pure-ftpd
Run it as a standalone daemon, not on demand from inetd
edit /etc/default/pure-ftpd-common
item to edit | value to set | command | justification |
---|---|---|---|
STANDALONE_OR_INETD | standalone | sed | as a service daemon |
VIRTUALCHROOT | true | sed | restrict users |
Initial config: PAM and system users are enabled. Debian's wrapper builds the daemon command line from one file per option under /etc/pure-ftpd/conf/, each holding just the value:
echo 1000 > /etc/pure-ftpd/conf/MinUID
To make it more permissive we can lower the value:
echo 99 > /etc/pure-ftpd/conf/MinUID
With this, system accounts such as "postgres" (valid logins, but below UID 1000 and therefore normally not permitted) can be used for FTP. Remember that "daru" above has UID 999, so with MinUID at 1000 it could not log in either, and that MinUID also applies to the system UID a virtual user is mapped to.
Fine-tune parameters needed for Sybase sync:
item to edit/create | value | command | justification |
---|---|---|---|
ChrootEveryone | yes | echo yes > /etc/pure-ftpd/conf/ChrootEveryone | security: every login is jailed in its home |
Daemonize | yes | echo yes > /etc/pure-ftpd/conf/Daemonize | as a service (again here) |
DontResolve | yes | echo yes > /etc/pure-ftpd/conf/DontResolve | this is not a DNS server, no reverse lookups |
CreateHomeDir | yes | echo yes > /etc/pure-ftpd/conf/CreateHomeDir | for virtual users |
BrokenClientsCompatibility | no | echo no > /etc/pure-ftpd/conf/BrokenClientsCompatibility | do not relax the protocol for misbehaving clients |
MaxClientsNumber | 90 | echo 90 > /etc/pure-ftpd/conf/MaxClientsNumber | 80 databases + admins |
MaxClientsPerIP | 10 | echo 10 > /etc/pure-ftpd/conf/MaxClientsPerIP | 10 per each db attempt |
DisplayDotFiles | no | echo no > /etc/pure-ftpd/conf/DisplayDotFiles | security |
MaxIdleTime | 1 | echo 1 > /etc/pure-ftpd/conf/MaxIdleTime | 1 minute: a session only lives while data is syncing, whether connected manually or automatically |
UserBandwidth | 100 | echo 100 > /etc/pure-ftpd/conf/UserBandwidth | 100 KB/s per user so the bandwidth is shared; use 8 on slow links |
LimitRecursion | 21952100 4 | echo "21952100 4" > /etc/pure-ftpd/conf/LimitRecursion | read below |
Recursion limit and replication messages
The number of variations with repetition is VR(p,n) = n^p. With p = 3 and n = 28:
VR(3,28) = 28^3 = 21952
But for those variations of combinations we have 756 numbers, so let's calculate the total amount with a rule of three:
1 --------------- 1000, so:
21952 --------- 1000 x 21952 / 1 = 21952000
We will have a maximum of 21952000 messages!
So the FTP server will limit the number of displayed files to:
21952000 + 100 = 21952100
echo "21952100 4" > /etc/pure-ftpd/conf/LimitRecursion
The second number, 4, is the maximum directory depth the server will recurse into (the -L max_files:max_depth option).
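Putting the MinUID step and the table above together, here is an added example (my script, not code from the post or from the Pure-FTPd project) that writes every setting into Debian's one-value-per-file layout and then checks that the security-relevant ones are still in place, the way you would rerun it after a package upgrade. It also corrects the BrokenClientsCompatibility row, whose echo command said yes while the intended value is no. Assumptions: PURE_CONF_DIR can be pointed at a scratch directory for an unprivileged dry run (the real path is /etc/pure-ftpd/conf), and the LimitRecursion value is computed from the post's n = 28, p = 3 and 1000 messages per combination.

```shell
#!/bin/sh
# Added example, not from the original post. Applies and verifies the
# Pure-FTPd settings of the tables above. PURE_CONF_DIR (assumption) lets
# you dry-run into a temp directory instead of /etc/pure-ftpd/conf.
set -eu

PURE_CONF_DIR="${PURE_CONF_DIR:-/etc/pure-ftpd/conf}"

# limit_recursion_files N P PER: first field of LimitRecursion as the post
# derives it: N^P combinations times PER messages each, plus 100 of slack.
limit_recursion_files() {
    n=$1; p=$2; per=$3
    total=1; i=0
    while [ "$i" -lt "$p" ]; do
        total=$((total * n))
        i=$((i + 1))
    done
    echo $((total * per + 100))
}

# write_conf NAME VALUE: Debian's pure-ftpd-wrapper reads one option per file.
write_conf() {
    printf '%s\n' "$2" > "$PURE_CONF_DIR/$1"
}

apply_pureftpd_conf() {
    mkdir -p "$PURE_CONF_DIR"
    write_conf ChrootEveryone yes              # jail every login in its home
    write_conf Daemonize yes
    write_conf DontResolve yes                 # no reverse DNS on connect
    write_conf CreateHomeDir yes               # virtual users' homes on first login
    write_conf BrokenClientsCompatibility no   # the table's echo said yes; no is meant
    write_conf MaxClientsNumber 90
    write_conf MaxClientsPerIP 10
    write_conf DisplayDotFiles no
    write_conf MaxIdleTime 1                   # minutes
    write_conf UserBandwidth 100               # KB/s per user
    write_conf MinUID 99                       # allow the system-range accounts
    write_conf LimitRecursion "$(limit_recursion_files 28 3 1000) 4"   # 4 = max depth
}

# conf_is NAME VALUE: 0 when the option file exists and holds exactly VALUE.
conf_is() {
    [ -f "$PURE_CONF_DIR/$1" ] && [ "$(cat "$PURE_CONF_DIR/$1")" = "$2" ]
}

# check_pureftpd_conf: fail if any hardening option drifted, and make sure
# MinUID does not lock out uid 999 ("daru" above, or the ftpvirtual mapping).
check_pureftpd_conf() {
    for pair in ChrootEveryone=yes DisplayDotFiles=no BrokenClientsCompatibility=no DontResolve=yes; do
        name=${pair%%=*}; want=${pair#*=}
        conf_is "$name" "$want" || { echo "BAD: $name is not $want" >&2; return 1; }
    done
    [ -f "$PURE_CONF_DIR/MinUID" ] || { echo "BAD: MinUID missing" >&2; return 1; }
    minuid=$(cat "$PURE_CONF_DIR/MinUID")
    [ "$minuid" -le 999 ] || { echo "BAD: MinUID $minuid locks out uid 999" >&2; return 1; }
    echo "pure-ftpd conf OK"
}

# Only touch the filesystem when explicitly asked: ./pureftpd-conf.sh apply
if [ "${1:-}" = apply ]; then
    apply_pureftpd_conf
    check_pureftpd_conf
fi
```

Run it as root with the argument apply to write /etc/pure-ftpd/conf/ and restart pure-ftpd afterwards; run check_pureftpd_conf alone (for instance from cron) to catch a setting that a package upgrade or a colleague silently changed.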
Optional: virtual users mapped to a common system user:
adduser --system --group --disabled-password --no-create-home --home /dev/null --shell /bin/false ftpvirtual
Now a first virtual user:
pure-pw useradd ftpreplica -u ftpvirtual -g ftpvirtual -d /home/ftpvdirs/ftpreplica
pure-pw mkdb
The useradd entry only lands in /etc/pure-ftpd/pureftpd.passwd; pure-pw mkdb compiles it into the pureftpd.pdb database the daemon actually reads, and the PureDB backend has to be enabled (on Debian, a symlink in /etc/pure-ftpd/auth/ pointing at conf/PureDB). ftpvirtual is a system account, so MinUID must be at or below its UID.
At this point system users can log in to the FTP server and so can the virtual user "ftpreplica"; system user logins can be disabled as follows.
Optional: disabling system users from the FTP server:
echo no > /etc/pure-ftpd/conf/PAMAuthentication
echo no > /etc/pure-ftpd/conf/UnixAuthentication
Optional: per address/network restrictions:
We want to limit connections to a range of addresses, dropping unknown IPs and letting only our sync servers in. Note that Pure-FTPd's TrustedIP option does not do that: it takes a single local address and only restricts non-anonymous logins to connections arriving on that interface, so the client-side filter belongs in the firewall (iptables), not here. If you still set it, it must hold one address, the internal listen IP:
echo "10.10.x.y" > /etc/pure-ftpd/conf/TrustedIP
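To make the virtual-user and address-restriction steps concrete, here is an added example (mine, not from the post or the Pure-FTPd project). It wraps the pure-pw user creation with the mkdb and backend-enabling steps, and generates the iptables rules that do what TrustedIP cannot: accept the control port and the passive data range only from the sync servers' networks. Assumptions not in the post: the allowed network 10.10.0.0/16, a passive port range of 30000-30100 written to PassivePortRange, PURE_ETC as an override of /etc/pure-ftpd for dry runs, and 50pure as the name of the auth symlink (the conventional Debian name).

```shell
#!/bin/sh
# Added example, not from the original post. Virtual user setup plus the
# firewall rules that restrict FTP to known client networks.
# Assumptions: PURE_ETC override, passive range 30000-30100, auth symlink
# name 50pure; network and listen IP are passed in by the caller.
set -eu

PURE_ETC="${PURE_ETC:-/etc/pure-ftpd}"
PASV_LOW=30000
PASV_HIGH=30100

# make_virtual_user LOGIN: PureDB user mapped to the ftpvirtual system
# account, home under /home/ftpvdirs (created at login via CreateHomeDir).
# Needs root and pure-ftpd installed; pure-pw asks for the password on stdin.
make_virtual_user() {
    pure-pw useradd "$1" -u ftpvirtual -g ftpvirtual -d "/home/ftpvdirs/$1"
    pure-pw mkdb "$PURE_ETC/pureftpd.pdb" -f "$PURE_ETC/pureftpd.passwd"
    printf '%s\n' "$PURE_ETC/pureftpd.pdb" > "$PURE_ETC/conf/PureDB"
    ln -sf ../conf/PureDB "$PURE_ETC/auth/50pure"          # enable PureDB backend
    printf 'no\n' > "$PURE_ETC/conf/PAMAuthentication"     # system users stay out
    printf 'no\n' > "$PURE_ETC/conf/UnixAuthentication"
    printf '%s %s\n' "$PASV_LOW" "$PASV_HIGH" > "$PURE_ETC/conf/PassivePortRange"
}

# ftp_allow_rules LISTEN_IP NET...: print the iptables commands that accept
# the FTP control port and the passive range only from NET..., then drop
# everything else aimed at those ports on LISTEN_IP. Review, then pipe to sh.
ftp_allow_rules() {
    listen=$1; shift
    [ $# -gt 0 ] || { echo "need at least one allowed network" >&2; return 1; }
    # replies and later packets of already accepted sessions
    echo "iptables -A INPUT -p tcp -d $listen -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for net in "$@"; do
        echo "iptables -A INPUT -p tcp -d $listen -s $net --dport 21 -j ACCEPT"
        echo "iptables -A INPUT -p tcp -d $listen -s $net --dport $PASV_LOW:$PASV_HIGH -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp -d $listen --dport 21 -j DROP"
    echo "iptables -A INPUT -p tcp -d $listen --dport $PASV_LOW:$PASV_HIGH -j DROP"
}

# rule_count NET...: how many rule lines the generator emits (1 + 2*nets + 2),
# handy for a sanity check before applying.
rule_count() {
    ftp_allow_rules 0.0.0.0 "$@" | wc -l | tr -d ' '
}

# ./ftp-restrict.sh show 192.168.1.105 10.10.0.0/16   prints the rules
if [ "${1:-}" = show ]; then
    shift
    ftp_allow_rules "$@"
fi
```

The drop rules are per listen address on purpose: the public IP 200.44.8.12 from the services table gets its own invocation with only the remote sync servers' networks, while the internal IP can keep the LAN. Without the passive-range rules the control connection would succeed and every transfer would hang, which is the classic symptom of a firewalled FTP server.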