Posts Tagged ‘how to’

Implement bonding in RHEL 5

Bonding is the process of combining two NICs on a system into a single logical device. For example, if you have two network cards on a machine, eth0 and eth1, you combine them into a bond device, bond0, and then configure an IP address on that bond device.

Why would you want to do that, you may ask. In the case I mentioned, if I configure bond0 as 192.168.1.5, both eth0 and eth1 can send or receive packets meant for the bond device's IP (192.168.1.5). It's like having two paths to reach a destination. Bond devices can be configured in different modes, which provide fault tolerance, greater throughput, or both, depending on the mode.

Bonding is described in greater detail in /usr/share/doc/kernel-doc-<kernel version>/Documentation/networking/bonding.txt.

As usual, all my experiments are on either Xen or VMware guests, and this one is no different. The steps below worked for me on a RHEL 5.3 Xen guest. To start with, eth0 was configured as 192.168.122.118 while eth1 remained unassigned. I am about to create a bond device, bond0, from eth0 and eth1 and assign this IP to it.

1. Add the below lines to /etc/modprobe.conf

alias bond0 bonding
options bond0 mode=1 miimon=100

These lines load the bonding kernel module required to make this work, along with some options. mode=1 means that I have opted for an active-backup setup: only one slave in the bond device is active at any given moment. If the active slave goes down, the other slave becomes active and all traffic then flows via the newly active slave. If this sounds a bit confusing, just read on. The value of miimon specifies, in milliseconds, how often MII link monitoring occurs. For a complete list of all the available arguments, check the kernel documentation.

2. Create bond0 device file, /etc/sysconfig/network-scripts/ifcfg-bond0 with the following content:

DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
NETWORK=192.168.122.0
NETMASK=255.255.255.0
IPADDR=192.168.122.118
USERCTL=no

The lines are self-explanatory, defining the device name and then specifying its IP address, netmask and so on.

3. Create /etc/sysconfig/network-scripts/ifcfg-eth0 with content:

DEVICE=eth0
MASTER=bond0
SLAVE=yes
USERCTL=no
BOOTPROTO=dhcp
IPV6INIT=yes
IPV6_AUTOCONF=yes
ONBOOT=yes

4. Create /etc/sysconfig/network-scripts/ifcfg-eth1 with content:

DEVICE=eth1
MASTER=bond0
SLAVE=yes
USERCTL=no
BOOTPROTO=dhcp
IPV6INIT=yes
IPV6_AUTOCONF=yes
ONBOOT=yes

The important lines here are MASTER=bond0 and SLAVE=yes, which tell the network scripts that eth0 and eth1 are now slaves of the bond0 device and carry no IP address of their own.

5. Restart network and you are done!

[root@localhost ~]# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface bond0:                               [  OK  ]
[root@localhost ~]# ifconfig
bond0     Link encap:Ethernet  HWaddr 00:16:3E:1C:C5:A7
          inet addr:192.168.122.118  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe1c:c5a7/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:80 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11210 (10.9 KiB)  TX bytes:11630 (11.3 KiB)

eth0      Link encap:Ethernet  HWaddr 00:16:3E:1C:C5:A7
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:45 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3288 (3.2 KiB)  TX bytes:13120 (12.8 KiB)

eth1      Link encap:Ethernet  HWaddr 00:16:3E:1C:C5:A7
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:42 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8384 (8.1 KiB)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:764 (764.0 b)  TX bytes:764 (764.0 b)

As you can see from the output of ifconfig, device bond0 is listed as MASTER while eth0 and eth1 are listed as SLAVE. Also, the hardware address of bond0 and of its underlying devices eth0 and eth1 is the same (00:16:3E:1C:C5:A7). If you have multiple bond devices, comparing the hardware address of a bond device with that of an actual network device (ethX) will tell you whether it is part of that particular bond or not.

The current status of the bond device bond0 can be read from /proc/net/bonding/bond0. Time to fool around with bonding now… :-)

[root@localhost ~]# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:16:3e:1c:c5:a7

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:16:3e:58:02:c7

As highlighted above, the bonding mode is active-backup, i.e. active-passive (since I used mode=1 to configure it in modprobe.conf). Both interfaces are up, but the currently active slave is eth0. Now, what happens when I bring eth0 down? Normally, when we bring an interface down, the IP associated with it also goes down (becomes unreachable). With bonding, however, it just switches over to the next slave, eth1, keeping the connection and the IP active:

[root@localhost ~]# ifdown eth0
[root@localhost ~]# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:16:3e:58:02:c7
[root@localhost ~]# ifup eth0
[root@localhost ~]# cat /proc/net/bonding/bond0 
Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:16:3e:58:02:c7

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:16:3e:1c:c5:a7

Notice that when I brought eth0 up again (ifup eth0), it was added back to the bond device automatically. Also, even though the permanent HW addresses of eth0 and eth1 differ in the output above, both show the HW address of the bond device in the ifconfig output:

[root@localhost ~]# ifconfig
bond0     Link encap:Ethernet  HWaddr 00:16:3E:1C:C5:A7 
          inet addr:192.168.122.118  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe1c:c5a7/64 Scope:Link
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:87 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6340 (6.1 KiB)  TX bytes:4950 (4.8 KiB)

eth0      Link encap:Ethernet  HWaddr 00:16:3E:1C:C5:A7 
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:85 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6360 (6.2 KiB)  TX bytes:6424 (6.2 KiB)

eth1      Link encap:Ethernet  HWaddr 00:16:3E:1C:C5:A7 
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:574 (574.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:764 (764.0 b)  TX bytes:764 (764.0 b)
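Since the state of a bond only shows up in /proc/net/bonding/bond0, a small monitor that parses that file and flags a degraded bond is worth having. The following is an added example, not code from the original post; it assumes the status format of the bonding driver shown above (v3.2.4), and the sample text is constructed from the post's own output with eth1 altered to show a failed link.

```python
import re

# Constructed sample in the format of the post's /proc/net/bonding/bond0 output, with eth1 degraded.
SAMPLE_STATUS = """Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: eth0
MII Status: up

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:16:3e:1c:c5:a7

Slave Interface: eth1
MII Status: down
Link Failure Count: 2
Permanent HW addr: 00:16:3e:58:02:c7
"""

def parse_bond_status(text):
    """Split the status text into a dict for the bond and one dict per slave."""
    head, *slave_blocks = re.split(r"\n(?=Slave Interface:)", text.strip())
    def kv(block):
        # Split on the first ':' only, so HW addresses keep their colons.
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        return {k.strip(): v.strip() for k, v in pairs}
    return kv(head), [kv(b) for b in slave_blocks]

def bond_health(text):
    """Return (healthy, findings). Degraded: a slave link not up, a slave with
    recorded link failures, or fewer than two slaves (no redundancy left)."""
    bond, slaves = parse_bond_status(text)
    findings = []
    if bond.get("MII Status") != "up":
        findings.append("bond MII status is %s" % bond.get("MII Status"))
    if len(slaves) < 2:
        findings.append("only %d slave(s) enslaved, no redundancy" % len(slaves))
    for s in slaves:
        name = s.get("Slave Interface", "?")
        if s.get("MII Status") != "up":
            findings.append("%s link is %s" % (name, s.get("MII Status")))
        if int(s.get("Link Failure Count", "0")) > 0:
            findings.append("%s has %s link failure(s)" % (name, s["Link Failure Count"]))
    return not findings, findings

if __name__ == "__main__":
    ok, findings = bond_health(SAMPLE_STATUS)
    print("healthy" if ok else "DEGRADED: " + "; ".join(findings))
```

On a live system, feed it the real file with bond_health(open("/proc/net/bonding/bond0").read()) from cron and alert whenever the first value is False; after the post's ifdown eth0 it reports the bond as running on a single slave.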

That’s it..!! Happy bonding.. :)

 

How to close Open DNS

This tutorial describes how to close an open DNS server. An open DNS server (an open resolver) answers recursive DNS lookups for anyone on the Internet. This is a potential threat: outsiders can consume the server's resources and abuse it as a reflector against third parties, so such access must either be blocked or restricted to a few trusted IPs. This is how it is done.

1. Make a list of the IPs you consider trusted (i.e., the only IPs that may use this DNS server for lookups). The list should include all IPs configured on the server itself. If you don't know what I am talking about, ssh to your server and type the below command as root:

ifconfig | grep 'inet addr' | cut -f2 -d: | cut -f1 -d' ' | sort | uniq

2. Open /etc/named.conf in an editor. I would recommend taking a backup of the file first.

cp -p /etc/named.conf /etc/named.conf.bak
vi /etc/named.conf

3. Locate this line:

key "rndckey" {
};

Move your cursor below this block of code, and press ‘i’ (to change into vi’s insert mode) and then type in the following:

acl "trusted" {
IP1; IP2; IP3; IP4; externalIP1 ;
};

Modify the line IP1; IP2; IP3; IP4; externalIP1 ; to include the server's own IP addresses and any external IPs from which you wish to allow recursive queries.

4. Once the acl "trusted" is added, move down the file and locate the block named options. Inside it, add the below lines:

allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };

This is how the options block might look once the changes are made:

options {
directory "/var/named";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };

dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};

5. Save the changes (press Esc, then type :wq in vi) and then restart named:

/etc/init.d/named stop
/etc/init.d/named start
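After the restart, verify from a host that is not in the "trusted" acl that the server no longer recurses for you. The script below is an added example, not part of the original post: it hand-builds a DNS query with the RD bit set and reads the response flags, expecting a closed resolver to answer with RCODE 5 (REFUSED) or at least with the RA (recursion available) bit clear. The transaction id and the script name dnscheck.py are assumptions.

```python
import socket
import struct

QID = 0x1234  # fixed transaction id for this check (assumed value)

def build_query(name, qid=QID):
    """Encode one A query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_flags(response):
    """Return (qid, rcode, ra) from the 12-byte DNS header of a response."""
    qid, flags = struct.unpack("!HH", response[:4])
    return qid, flags & 0x000F, bool(flags & 0x0080)

def classify(rcode, ra):
    """Verdict on the server's recursion policy for the client that asked."""
    if rcode == 5:
        return "closed (REFUSED)"
    if not ra:
        return "closed (recursion not available)"
    return "OPEN: server recursed for this client"

def probe(server, name="example.com.", timeout=3.0):
    """Send the query over UDP to `server`:53 and classify its answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    qid, rcode, ra = parse_flags(data)
    if qid != QID:
        raise ValueError("transaction id mismatch, ignoring reply")
    return classify(rcode, ra)

if __name__ == "__main__":
    import sys
    # Run from a host outside the "trusted" acl: python3 dnscheck.py <your server IP>
    print(probe(sys.argv[1]))
```

Run it once from a trusted IP as well; that client should still get a normal answer with RA set, which confirms the acl matches the list you built in step 1.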

 

Ioncube Installation Guide

This article describes how to install the ionCube loader extension in PHP. ionCube provides tools for PHP source code protection. Usually, a PHP file is in plain-text format, which means anyone who has access to the actual PHP file can use a text editor (like vim) to view the source code.

If a skilled attacker or programmer gets access to the entire PHP source code, it becomes easier for them to find vulnerabilities that can be used to attack the website(s) or web server(s).

It was this reason that led the web industry to search for an encoding engine capable of translating source code into efficient bytecode, and one of the best-known solutions today is the ionCube loader. ionCube's encoding tools aim to deliver maximum source code protection without sacrificing performance, reliability or language compatibility.

By default, PHP is unable to parse files encoded using ionCube. To do so, you have to install the ionCube loader extension in PHP. This is how it is done:

1. Download ionCube loader from ioncube.com

wget http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz

2. Extract the tar.gz file

tar zxvf ioncube_loaders_lin_x86.tar.gz

3. Change to the directory 'ioncube' and copy the file ioncube-install-assistant.php to a web directory, such as your hosting directory:

cd ioncube/
cp ioncube-install-assistant.php /home/userdirectoryhere/public_html/

4. Then open it in a browser at http://www.yourdomain.com/ioncube-install-assistant.php. The output should be something similar to:

Analysis of your system configuration shows:

PHP Version 4.3.3
Operating System Linux
Threaded PHP No
php.ini file /usr/local/lib/php.ini
Required Loader ioncube_loader_lin_4.3.so

5. Now move the ioncube directory to a permanent location:

cd ../
mv ioncube /usr/local

6. Now that you know the location of php.ini, you need to edit it.

pico /usr/local/lib/php.ini

Now find where the other Zend extensions are declared in the file (in pico, search with Ctrl+W):
Ctrl+W, then type zend_extension

Paste in your new line for the ionCube loader:

zend_extension = /usr/local/ioncube/ioncube_loader_lin_4.3.so

7. Save the changes:
Ctrl+X, then Y, then Enter

8. Restart the web server for the change to take effect.

/etc/init.d/httpd restart

Now, create a new document named phpinfo.php. The file should contain the below lines:

<?php
phpinfo();
?>

Place this document in your www directory and open it in your web browser at http://www.yourdomain.com/phpinfo.php. You should now see the ionCube loader listed (search the page for the string 'ioncube').

That’s it! :-)