Friday, July 6, 2007

Load Balancing Using Round Robin

Creating a load balancing effect with DNS servers is easier than you might think. If you have ever heard of the term round robin algorithms you have an idea of what I am talking about. Below is a detailed article on load balancing using DNS servers like BIND.

Configure Round Robin

We take for granted that you already have multiple servers and that you need to divide your load between them. The most typical load balancing scenarios are applied to web servers, however you can do it with mail servers or other types of services as needed.

Balancing Mail

You can balance your mail simply by adding different mail hosts with the same mail priority. In the case below you will notice 3 instances of mail servers with a priority of 10. This simply divides the load between the 3 servers.

1. Define multiple MX records with the same priority.

; zone file fragment
        IN MX 10 mail.example.com.
        IN MX 10 mail1.example.com.
        IN MX 10 mail2.example.com.
.....
mail    IN A 192.168.0.1
mail1   IN A 192.168.0.2
mail2   IN A 192.168.0.3
The name server will deliver the MX records in the order defined by rrset-order and the receiving SMTP software will select one based on its own algorithm. In some cases the SMTP algorithm may work against the definition of the rrset-order statement. Current versions of sendmail (8.13.x), Exim (4.44) and Postfix (2.1 or 2.2) all have definitive references indicating that they randomly select between equal-preference servers (Postfix allows control of the behaviour with the smtp_randomize_addresses parameter) and consequently may use an address which the rrset-order has carefully tried to change! qmail, courier-mta and Microsoft (Exchange and IIS SMTP) documentation do not appear to have definitive references to indicate how they handle this case.

2. The alternate approach is to define multiple A records with the same name and different IP addresses.

; zone file fragment
        IN MX 10 mail.example.com.
.....
mail    IN A 192.168.0.4
        IN A 192.168.0.5
        IN A 192.168.0.6

In this case the load-balancing effect is under the control of BIND and the rrset-order statement. To avoid problems if the receiving mail system does a reverse lookup as a spam check, the PTR records for 192.168.0.4, 192.168.0.5 and 192.168.0.6 above must all resolve to mail.example.com.

In all the above cases each mail server must be capable of handling and synchronising the load for all the mail boxes served by the domain, using some appropriate back-end to do this or by defining all but one server to be a relay or forwarder.

Balancing Other Services

Assuming you want to load share your ftp or web services then you simply define multiple A records with the same name and different IPs as in the example below.

; zone file fragment
ftp     IN A 192.168.0.4
ftp     IN A 192.168.0.5
ftp     IN A 192.168.0.6
www     IN A 192.168.0.7
www     IN A 192.168.0.8
; or use this format which gives exactly the same result
ftp     IN A 192.168.0.4
        IN A 192.168.0.5
        IN A 192.168.0.6
www     IN A 192.168.0.7
        IN A 192.168.0.8

The DNS will deliver all the IP addresses defined; the first IP address in the list rotates in a default round robin (controlled by the rrset-order statement in named.conf). The FTP and web servers must all be exact replicas of each other in this scenario.


Controlling the order of RRs

You can control the order of RRs that BIND supplies in response to queries by using the rrset-order option, which works for any set of equal records. The default behaviour is defined to be random-cyclic: a random selection of the initial order, thereafter cyclic (round-robin). Experimentation with BIND 9.3.0 showed that the default is cyclic.

rrset-order

rrset-order { order_spec ; [ order_spec ; ... ] };

rrset-order defines the order in which multiple records of the same type are returned. This works for any record type in which the records are similar. RRSET-ORDER IS FULLY IMPLEMENTED IN BIND > 9.2.3. The default is defined to be a random-cyclic order (the starting address is randomly chosen and thereafter round-robin order). Note: Experimentation showed the default to be pure cyclic.

The full specification of rrset-order is shown below. An 'order_spec' is defined as:

[ class class_name ][ type type_name ][ name "domain_name" ] order ordering;

Where 'class_name' is the record class e.g. IN (default is 'any'), type is the resource record type (if none specified defaults to 'any'), domain_name limits the statement to a specific domain suffix and defaults to root (all domains), order is a key word and ordering may take one of the following values:

* fixed - records are returned in the order they are defined in the zone file
* random - records are returned in a random order
* cyclic - records are returned in a round-robin fashion

Examples

Defines that all equal records for all domains will be returned in random order.

rrset-order {order random;};

Defines that all equal MX records for example.com will be returned in random order, and all others in cyclic order.

rrset-order { type MX name "example.com" order random; order cyclic; };

This statement may be used in a view or a global options clause.

Effectiveness of DNS Load Balancing

Assuming the interest in controlling the order is to load balance across multiple servers supporting a single service - the real question is how effective can the DNS system be in providing this balancing?

The effects of caching will distort the effectiveness of any IP address allocation algorithm unless a 0 TTL is used, which has the effect of significantly increasing the load on the DNS (and is not always implemented consistently). In this case the cure may be worse than the disease: good news, we have good load balancing on our web servers; bad news, we need 17 more DNS servers! Intuitively, and without running any experiments to verify, we would suggest that given a normal TTL (12 hours or more) and ANY IP allocation algorithm other than a single static list, loads should be reasonably balanced (measured by request arrivals at destination IPs) given the following assumptions:

1. traffic is balanced over a number of DNS caches, i.e. traffic originates from a number of ISPs or customer locations. Specifically, there are no PATHOLOGICAL patterns where 90% (or some similarly large share) of the load originates from a particular cache/service.

2. the volume of traffic is reasonably high - since PATHOLOGICAL patterns are more likely in small traffic volumes.

What DNS load balancing cannot do is to account for service loading e.g. certain transactions may generate very high CPU or resource loads. For this type of control only a local load balancer - one which measures response times - will be effective.
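As an added example (not part of the original post), the following Python script models the three rrset-order orderings from the section above and turns the caching argument of this section into a simulation: several resolver caches with a TTL sit between clients and the authoritative server, and each client connects to the first address in the answer it receives. The RRset values are the ftp records from the zone fragment earlier; counting the TTL in requests rather than seconds is a simplifying assumption of the model.

```python
import random
from collections import Counter

# Constructed sample: the three ftp A records from the zone fragment above.
FTP_RRSET = ["192.168.0.4", "192.168.0.5", "192.168.0.6"]

class RRsetOrder:
    """Hand out an RRset the way rrset-order does: fixed, random or cyclic (round robin)."""
    def __init__(self, rrset, ordering="cyclic"):
        if ordering not in ("fixed", "random", "cyclic"):
            raise ValueError("ordering must be fixed, random or cyclic")
        self.rrset, self.ordering, self._start = list(rrset), ordering, 0

    def answer(self):
        if self.ordering == "fixed":
            return list(self.rrset)
        if self.ordering == "random":
            return random.sample(self.rrset, len(self.rrset))
        # cyclic: rotate the starting record by one for every query
        s = self._start
        self._start = (s + 1) % len(self.rrset)
        return self.rrset[s:] + self.rrset[:s]

def simulate(zone, cache_weights, requests, ttl, seed=0):
    """Model resolver caches between clients and the authoritative server.
    cache_weights[i] is the share of client requests arriving through cache i.
    A cache re-queries only when its answer is older than `ttl` requests
    (one request = one clock tick, a simplification). Clients connect to the
    first address in the answer. Returns the number of hits per server address."""
    rng = random.Random(seed)
    cached = {}          # cache index -> (answer, tick at which it expires)
    hits = Counter()
    for tick in range(requests):
        c = rng.choices(range(len(cache_weights)), weights=cache_weights)[0]
        answer, expires = cached.get(c, (None, -1))
        if tick >= expires:  # first query or TTL expired: ask the authoritative server
            answer = zone.answer()
            cached[c] = (answer, tick + ttl)
        hits[answer[0]] += 1
    return hits

if __name__ == "__main__":
    # Twenty caches, TTL of one tick: cyclic ordering balances the load exactly.
    print(simulate(RRsetOrder(FTP_RRSET), [1] * 20, 3000, ttl=1))
    # One cache carrying 90% of the traffic behind a long TTL: the pathological case.
    print(simulate(RRsetOrder(FTP_RRSET), [90] + [1] * 10, 3000, ttl=3000))
```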

Finally on this topic, if you still consider that a DNS solution will do the trick if only you could control the order of IP address generation, you can use the BIND 9 SDB API to achieve the result.



Disable directory browsing , APACHE

One of the "must do's" when setting up a secure Apache web server environment is to disable directory browsing. By default Apache will be compiled with this option enabled, but it is always a good idea to get rid of this setting unless it is really necessary. If you have some basic knowledge of the vi editor, follow these steps.

If you are on an RPM installation of Apache (which I don't really recommend) you will probably find the Apache configuration file here:
/etc/httpd/conf/httpd.conf

If you are using Apache built from the source tarballs (like real men) you will probably find the configuration file here:
/usr/local/apache/conf/httpd.conf

Using an editor like vi, edit the httpd.conf file and scroll until you find a line like this:

Options All Indexes FollowSymLinks MultiViews

To disable directory browsing, carefully remove the word Indexes and leave the line like this:

Options All FollowSymLinks MultiViews

Restart your Apache web server and that's it.
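As an added check (not from the original post), here is a small Python audit that scans an httpd.conf for Options directives that still enable directory listing. Note that the keyword All by itself enables every option except MultiViews, Indexes included, so a line reading Options All FollowSymLinks MultiViews still allows listing; an explicit option list without Indexes, or -Indexes, is the safe form. The configuration fragment is constructed for the example.

```python
# Constructed httpd.conf fragment, not taken from any real server.
SAMPLE_HTTPD_CONF = """\
<Directory "/usr/local/apache/htdocs">
    Options All Indexes FollowSymLinks MultiViews
</Directory>
<Directory "/usr/local/apache/htdocs/static">
    Options FollowSymLinks MultiViews
</Directory>
<Directory "/usr/local/apache/htdocs/files">
    # listing re-enabled here on purpose
    Options +Indexes
</Directory>
"""

# Tokens that turn directory listing on: Indexes itself, or All (every option except MultiViews).
ENABLING = {"indexes", "+indexes", "all", "+all"}

def find_index_listings(conf_text):
    """Return (line_number, directive) for every Options line that leaves listing enabled."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        words = line.split()
        if not words or line.startswith("#") or words[0].lower() != "options":
            continue
        tokens = {t.lower() for t in words[1:]}
        if "-indexes" in tokens:   # an explicit -Indexes wins over anything else on the line
            continue
        if ENABLING & tokens:
            findings.append((n, line))
    return findings

def listing_enabled(options_line):
    """True if a single Options directive, e.g. 'Options All FollowSymLinks', allows listing."""
    return bool(find_index_listings(options_line))

if __name__ == "__main__":
    for n, line in find_index_listings(SAMPLE_HTTPD_CONF):
        print(f"line {n}: {line}")
```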

How to restrict users to their home directory?

Problem:
Traditionally, the best way to "lock down" users to their home directory is to use a "change rooted environment". However, this is expensive (resource wise) and sometimes not a very "nice" way to secure a server on a user per user basis.
For V-hosters, most of your concern lies in the simple feat of keeping customers from poking around your system, and other user's home dirs--without limiting their ability to execute binaries in their normal system path.

Solution:
To set up your system to use it... just do this:


chmod 700 /home -R

Not sure about that though, you might want a second opinion. Edit: That will work for the home directory; as for system files I don't think that will work, since many things have to be readable to work.

Some Unix Commands.

Directory:- pwd, cd, mkdir, rmdir, rm -rf

Display the current directory path you are in.

pwd

Change directories

cd directory
cd path/to/directory

Create a new directory

mkdir directory_name

Delete an empty directory

rmdir directory_name

Delete a directory and all sub directories/files.

rm -rf directory_name


----------

Files :- ls, ls -l, ls -la, cp, mv, rm, rm -i

List files in a directory

ls
ls -l
ls -al

copy a file to another filename.

cp filename1 filename2

move or rename a file.

mv filename1 filename2
mv filename1 directory/filename2

Delete a file (with rm you will not usually get a prompt to confirm)

rm filename
rm -i filename

--------------

Shortcuts :- cd, alias

Go to a directory within your home directory.

cd ~/directory

Change to your home directory

cd (by itself)

Go back 1 directory in the tree

cd ..

Create your own shortcuts for a command

alias shortcut='full command'

See a list of shortcuts that you have already created.

alias (by itself)

----------------

Search :- find, grep

Locate a file on the shell (looking in all sub directories)

find . -name filename -print

Look for a file that contains a specific word and/or phrase.

grep word file(s)
grep blowfish *

-------------------

Getting Help :- man, apropos

Look up in the manual for information on a command

man command

Getting help when you have an idea of what to do but do not know what the relevant command is.

apropos word

-----------------------

Extract archives :- tar, unzip, gunzip

decompress a .tar.gz file:

tar -zxvf filename

decompress a .tar file:

tar -xvf filename

decompress a .zip file:

unzip filename

decompress a .gz file:

gunzip filename

-----------------

System :- ps, kill, uptime

Display basic information about current running processes.

ps x

Display more detailed information about running processes, including memory/CPU usage.

ps ux

Kill a process corresponding to a PID number.

kill -15 PID    (only use kill -9 PID if the process does not respond to a kill -15 PID signal)
kill -9 PID
kill -9 11542

Kill / Terminate all running processes in your account.

kill -15 -1

kill -9 -1

The uptime shell command shows the time since the system was last booted, the number of active users and a final column showing the load averages. The 3 values for load averages are taken from the last 1, 5 and 15 minutes and represent CPU utilisation. Ideally the load average stays below 1; when you commonly see averages above 2 you should consider investing in a new server or upgrades to the current hardware. You will notice a high load average by poor response times from the machine.

uptime

-----------------

Chmod :-

Chmod changes the access privileges on a file, making it readable, writable and/or executable. It defines which users may have access to a file and how much access they have.

The permissions column of ls -l output shows what access a file already has. It is split into 3 sections, which can be represented by letters:

        User    Group   Others/Everyone
-       rw-     r--     r--

u   The User who owns the file (this means "you").
g   The Group the file belongs to.
o   The Other users.
a   All of the above (an abbreviation for ugo).

To change the access permissions of a file you use the command chmod as discussed a little later.

Letter   Corresponding Number   Definition

r        4                      Permission to Read a file (list a directory).
w        2                      Permission for Writing to and deleting files and/or directories.
x        1                      Permission to eXecute (run) a file.

The octal (0-7) value for each section is calculated by adding up the numbers for its letters:

User (rwx) = 4+2+1 = 7
Group(rx) = 4+1 = 5
Others (rx) = 4+1 = 5
chmod mode = 755

Change the permissions on a file.

chmod who=permission(s) filename
chmod numbers filename

We will show you some examples of both these methods using this file:

Permissions before   Command                 Permissions after
-rwxr-xr-x           chmod 700 file.conf     -rwx------
-rwxr-xr-x           chmod go= file.conf     -rwx------
-rwxr-xr-x           chmod u=rw file.conf    -rw-r-xr-x
-rwxr-xr-x           chmod 555 file.conf     -r-xr-xr-x

Personally I prefer using the numbers as opposed to letters to represent permissions on a file.
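As an added example (not from the original post), this Python code carries the octal arithmetic above through in code and reproduces the table: it converts ls -l permission strings to octal and back, and applies symbolic clauses such as go= and u=rw, so a mode change can be previewed before it is run on a real file.

```python
PERM_BITS = [("r", 4), ("w", 2), ("x", 1)]   # the numbers from the table above
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}         # bit offset of each section in the octal mode

def mode_to_string(mode):
    """0o755 -> 'rwxr-xr-x', the nine permission characters ls -l prints after the type."""
    out = []
    for shift in (6, 3, 0):
        digit = (mode >> shift) & 7
        out.append("".join(ch if digit & bit else "-" for ch, bit in PERM_BITS))
    return "".join(out)

def string_to_mode(perms):
    """'rwxr-xr-x' -> 0o755, adding up 4/2/1 per section exactly as the table does."""
    if len(perms) != 9:
        raise ValueError("expected nine permission characters, e.g. rwxr-xr-x")
    mode = 0
    for i, shift in enumerate((6, 3, 0)):
        chunk = perms[3 * i:3 * i + 3]
        mode |= sum(bit for (ch, bit), c in zip(PERM_BITS, chunk) if c == ch) << shift
    return mode

def apply_symbolic(mode, clause):
    """Apply one symbolic clause ('go=', 'u=rw', 'a+x', 'o-w') to an octal mode."""
    i = 0
    while i < len(clause) and clause[i] in "ugoa":
        i += 1
    who, op, perms = clause[:i], clause[i:i + 1], clause[i + 1:]
    if op not in ("=", "+", "-") or any(p not in "rwx" for p in perms):
        raise ValueError(f"bad symbolic mode: {clause}")
    classes = "ugo" if (not who or "a" in who) else who   # no 'who' means everyone
    bits = sum(bit for ch, bit in PERM_BITS if ch in perms)
    for cls in classes:
        shift = WHO_SHIFT[cls]
        if op == "=":
            mode = (mode & ~(7 << shift)) | (bits << shift)
        elif op == "+":
            mode |= bits << shift
        else:
            mode &= ~(bits << shift)
    return mode

def chmod_preview(before, mode_arg):
    """Permission string after `chmod <mode_arg> file` runs on a file that shows `before`."""
    mode = string_to_mode(before)
    for clause in mode_arg.split(","):
        mode = int(clause, 8) if clause.isdigit() else apply_symbolic(mode, clause)
    return mode_to_string(mode)
```

Calling chmod_preview("rwxr-xr-x", "go=") returns "rwx------", matching the second row of the table.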

---------------

About yourself :- whoami, passwd, quota, du, last

Display what username you are currently logged on under

whoami

Change your password

passwd

Display your current quota on the shell

quota -v

Display current disk usage of a filename and/or directory. Without an option it will use the current directory. du -s will only give a total.

du filename/directory

Shows a list of your last logins

last YourUsername

----------------

Accessing external sites :- ftp, wget, lynx, telnet

Accessing an ftp site from your shell

ftp hostname
ftp ftp.url.org

Common commands to remember when using ftp are get, dir and cd. You can type help at any time while using ftp on your shell.

Getting a file directly from an http or ftp site without logging in.

wget file
wget ftp://somewebsite.com/filename.zip
wget http://www.somwhere.org/download/file.tar.gz

Browse the web from an ordinary terminal; type H at any time to learn more about lynx.

lynx

To connect to a remote host you can use telnet as follows:

telnet hostname

--------------------

Please report inaccuracies or errors that I have made to hemant@allaboutunix.com