How to Install and Configure Puppet on CentOS, Fedora, Ubuntu or Opensuse

Reading Time: 4 minutes

What is Puppet?

Puppet: A Closer Look At Who Holds The Strings

Puppet is a configuration management tool that provides a straightforward way to manage Linux and Windows servers from a central master server. The desired state of each system (packages, files, services, users) is declared in "manifest" files for the group or type of server being controlled, and Puppet performs the administrative work needed to reach and maintain that state across a wide array of systems.

System Requirements

Puppet uses a master/agent (client) model: the agent on each managed server checks in with the master, which compiles and returns the configuration for that node. The master needs more resources than the agents, and how much it needs depends mainly on:

  • The number of remote agents (servers) being utilized
  • How frequently those remote agents check in to the master server
  • How many resources are being managed on each remote agent
  • The complexity of the manifest files and modules in use
Note
A Puppet master (Puppet Server) must run on a Unix-like ("*nix") operating system. Puppet masters cannot run on Windows, although Windows servers can be managed as agents.
Master Hardware Requirements

There is no single minimum specification for a Puppet master: the hardware it needs follows from the factors above. Size it according to Puppet's own guidelines.

 

Client Software Platforms

The Puppet-agent (or client) packages are available for these platforms:

 

Dependencies

If you install the Puppet agent from an official distribution package via a repository, your system's package manager usually ensures that the proper dependencies are installed. If you install the agent on a platform without a supported package, you must install the dependent packages, libraries, and gems yourself:

  • Ruby 2.5.x
  • CFPropertyList 2.2 or later
  • Facter 2.0 or later
  • The msgpack gem from MessagePack, if you’re using msgpack serialization

 

Timekeeping and Name Resolution

Before installing the client, there are network requirements you need to prepare, review and consider. The most important are time synchronization and a plan for name resolution.

Timekeeping

Make sure a Network Time Protocol (NTP) service is in place so that the clocks of the master (which acts as the certificate authority) and the agents stay in sync. Certificates carry validity dates, so if a server's clock drifts, agents can reject a certificate as not yet valid or already expired and fail to connect with hard-to-diagnose SSL errors. An NTP client (available on most servers) keeps the clocks accurate and removes this class of error.

Name resolution

The second part is to choose a stable naming convention for the master. Agents look for a master named puppet by default, so naming the master puppet.domain.com means every agent in that domain can reach it without extra configuration, and all future agents will follow the same convention. Using a CNAME record (a DNS alias) for that name means the master stays reachable under the same name even if the underlying host is replaced.

 

Firewall Configuration

In a master/agent setup, the master must accept incoming TCP connections on port 8140 from the agents. First confirm that Puppet Server is actually listening on that port (either command works):

root@master [~]# netstat -tulpn | grep LISTEN | grep 8140
root@master [~]# lsof -i -P -n | grep LISTEN | grep 8140

If nothing is returned, Puppet Server is not running or is bound to a different port; start the service (see below) before you look at the firewall. Once it is listening, make sure the host firewall allows the port. With UFW, for example:

root@master:~# ufw allow 8140/tcp
Rules updated
Rules updated (v6)
root@master:~#

Where possible, restrict the rule to the networks your agents connect from rather than opening the port to the whole Internet.

 

Puppet Installation

Puppet Server's Java process is configured to use 2 GB of heap by default. Plan on that amount plus the RAM the server's OS itself needs: if you would otherwise create a 2 GB server, opt for one with 4 GB of RAM if it is going to be a Puppet master.

Puppet is available on multiple OS variants including:

  • Red Hat/CentOS/Fedora
  • Debian/Ubuntu
  • SUSE Linux Enterprise Server

The basic install steps are the same on all of the above: add Puppet's package repository, refresh the package index, and install the server package. Only the repository package differs per distribution (Puppet publishes them at apt.puppetlabs.com for Debian/Ubuntu and yum.puppet.com for the Red Hat family and SUSE). On Ubuntu 18.04 (bionic), for example:

Available Puppet Repositories

root@master [~]# wget https://apt.puppetlabs.com/puppet-release-bionic.deb
root@master [~]# dpkg -i puppet-release-bionic.deb
root@master [~]# apt update
root@master [~]# apt install puppetserver

The release package is fetched over HTTPS and installs the repository's GPG signing key, which apt then uses to verify every package installed from that repository.

Note
Our Fully Managed servers (cPanel or Plesk) wouldn’t be good options for Puppet implementation since additional repositories may conflict.

Install the Puppet Master’s Software

Red Hat/CentOS/Fedora

yum install puppetserver

Debian/Ubuntu

apt-get install puppetserver

SUSE/Opensuse

zypper install puppetserver

 

Start the Puppet Master Service

Red Hat/CentOS/Fedora

systemctl start puppetserver

Debian/Ubuntu

systemctl start puppetserver

SUSE/Opensuse

systemctl start puppetserver

All three families use systemd, so the command is the same everywhere (the older service puppetserver start form still works where sysvinit compatibility is present). Enable the unit as well (systemctl enable puppetserver) so the master comes back after a reboot.

 

Install the Puppet Client’s Software

Yum:

yum install puppet-agent

Apt:

apt-get install puppet-agent

Zypper:

zypper install puppet-agent

 

Puppet Configuration

Puppet has around 200 configuration settings, all of which live in puppet.conf (/etc/puppetlabs/puppet/puppet.conf for the packaged installs). For most servers you will only need to adjust about 20 of them or fewer, depending on your setup. Rather than editing the file by hand, use puppet config set, which writes the value into the right section of the file:

puppet config set <setting> <value> --section <main|master|agent>

We’ve listed the 5 most requested settings to suit your specific needs:

  • dns_alt_names – The extra hostnames (subject alternative names) placed in the master’s certificate, so agents can reach it under any of those names, for example puppet and puppet.domain.com. Set this before the master’s certificate is generated.
  • environment_timeout – Defaults to 0, meaning the master re-reads environment code on every request. Leave it alone unless you have a particular reason to change it; setting it to unlimited caches the code until the master is restarted, so a restart (or cache flush) must become part of your standard code deployment process.
  • environmentpath – The directories in which Puppet looks for environments; each environment is a subdirectory of one of them.
  • basemodulepath – A list of directories containing the Puppet modules shared by all environments.
  • reports – Which report handlers, listed below, to use.
    • http – Sends each report as a POST request to the address defined in the reporturl setting (over HTTPS when that URL uses https://).
    • log – Sends reports to the local default log destination (usually syslog).
    • store – Writes each report as a YAML file under the directory defined by the reportdir setting in puppet.conf.

The config reference provides a more comprehensive list of the available options for tailoring your server to your specific needs.
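As an added example (not code from the original article or from Puppet itself), here is a puppet.conf that sets the five settings above, together with a small shell lookup that reads a value back from a given section the way puppet config print <setting> --section <section> does. The hostname puppet.example.com, the paths and the run interval are placeholder values chosen for this example; the [master] section name is the one Puppet 6 uses (newer releases also accept [server]).

```shell
#!/bin/sh
# Added example, not from the original article or from Puppet:
# write a minimal puppet.conf with the five settings discussed above and
# read single values back from a chosen section.
# puppet.example.com and the paths below are placeholders for this example.
set -eu

# write_puppet_conf FILE: write the example configuration to FILE.
write_puppet_conf() {
    cat > "$1" <<'EOF'
[main]
# Every agent (and the master itself) looks for the master under this name;
# a CNAME for puppet.example.com keeps the name stable if the host changes.
server = puppet.example.com

[master]
# Extra names placed in the master's certificate as subjectAltNames, so
# agents can reach it as plain "puppet" or by its fully qualified name.
dns_alt_names = puppet,puppet.example.com
# 0 = re-read environment code on every request (the safe default);
# "unlimited" caches it until the master is restarted.
environment_timeout = 0
environmentpath = /etc/puppetlabs/code/environments
basemodulepath = /etc/puppetlabs/code/modules:/opt/puppetlabs/puppet/modules
# Report handlers: syslog plus a YAML copy of each report under reportdir.
reports = log,store

[agent]
server = puppet.example.com
runinterval = 30m
EOF
}

# get_setting FILE SECTION KEY: print the value of KEY inside [SECTION], or
# nothing if it is not set there. Unlike Puppet, this does not fall back to
# [main]; it only shows what is literally written in that section.
get_setting() {
    awk -v section="$2" -v key="$3" '
        /^\[/ { in_section = ($0 == "[" section "]"); next }
        /^#/ || /^[ \t]*$/ || !in_section { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
            exit
        }
    ' "$1"
}

# Demonstration: write the file to a temporary location and read values back.
conf="${TMPDIR:-/tmp}/puppet-example-$$.conf"
write_puppet_conf "$conf"
echo "reports in [master]:     $(get_setting "$conf" master reports)"
echo "dns_alt_names in [master]: $(get_setting "$conf" master dns_alt_names)"
echo "server in [agent]:       $(get_setting "$conf" agent server)"
rm -f "$conf"
```

On a real master you would write the same values with puppet config set ... --section master and confirm them with puppet config print, which also shows the effective value when a section inherits it from [main].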

 

More Information

Overall, Puppet is an attractive addition to your everyday toolset for managing and automating tedious tasks. Once it is installed and configured, it will keep your servers in their declared state day to day. Consult the Puppet documentation for more in-depth information on this topic, or the following resources for additional info.

 

How Can We Help?

If you would like more information on how this software can benefit your current setup, simply reach out to us via a phone call, chat or ticket, and one of our Most Helpful Humans in Hosting will follow up with you to advise on how best you can integrate this process into your existing infrastructure! We are looking forward to speaking with you!

 

 

How to Set Up A Firewall Using Iptables on Ubuntu 16.04

Reading Time: 5 minutes

This guide will walk you through the steps for setting up a firewall using iptables in Ubuntu 16.04. We’ll show you some common commands for manipulating the firewall, and teach you how to create your own rules.

 

What are Iptables in Ubuntu?

The utility iptables is the administration tool for the packet filter built into the Linux kernel (netfilter), and it comes pre-installed on many Linux distributions. It is the leading software firewall on Linux and a critical tool for system administrators to learn and understand. Any publicly facing server on the Internet should have some form of firewall enabled. In a typical configuration, you open only the ports for the services you want to be reachable from the Internet and leave every other port closed. For example, on a typical web server you would open the ports for your web services, but you would not want to make your database reachable by the public!

 

Pre-flight

Working with iptables requires root privileges on your Linux box. The rest of this guide assumes you have logged in as root. Please exercise caution, as commands issued to iptables take effect immediately. You will be manipulating how your server is accessible to the outside world, so it’s possible to lock yourself out from your own server!

Note
If you’re a Liquid Web customer, check out our VPN + IPMI remote management solutions. These solutions can help you restore access to your server even if you’ve blocked out the outside world. We have a VPN configuration guide to get you started. Of course, our support staff is also standing by 24×7 in the event you get locked out.

 

How Do Iptables Work?

Iptables works by checking each packet against an ordered list of firewall rules. Incoming traffic is compared against the rules in a chain from top to bottom, and the first rule that matches decides what happens (so the order of the rules matters). If no rule matches, iptables applies the chain’s default policy. Typical usage is to write rules that allow specific traffic and set the policy to deny everything else.

 

How Can I See Firewall Rules in Ubuntu?

Before making any changes to your firewall, it is best practice to view the existing rule set and understand which ports are already open or closed. To list all firewall rules in the filter table, run the following command.

iptables -L

Adding -n skips the reverse DNS lookups that otherwise make the listing slow, -v shows interfaces and packet counters, and --line-numbers shows each rule’s position in its chain, which matters because rules are evaluated in order.

If this is a brand new Ubuntu 16.04 installation, you may see there are no rules defined! Here is an example “empty” output with no rules set:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If you’re running Ubuntu 16.04 on a Liquid Web VPS, you’ll see we’ve already configured a basic firewall for you. An iptables ruleset is organised into “chains”, and there are three built-in chains to look at: INPUT, FORWARD and OUTPUT. The INPUT chain handles traffic addressed to the server itself, the OUTPUT chain handles traffic the server originates, and the FORWARD chain handles traffic that is not destined for local delivery but passes through the server on its way to another destination. FORWARD only sees traffic if the server is acting as a router.

 

Common Firewall Configurations

The default action is listed in “policy”. If traffic doesn’t match any rule in the chain, iptables applies this default policy. You can see that with an empty configuration every policy is ACCEPT, so the firewall accepts all connections and blocks nothing! This is not ideal, so let’s change it. Here is an example firewall configuration that allows some common ports and drops all other traffic. Two details of the ordering matter: the rule that blocks a host is inserted at the top of the INPUT chain with -I INPUT 1 rather than appended with -A, because the first matching rule wins, and the DROP policies are set last, after the rules that keep your own SSH session alive are in place.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -s 192.168.0.100 -j ACCEPT
iptables -I INPUT 1 -s 192.168.0.200 -j DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

We will break down these rules one at a time.

iptables -A INPUT -i lo -j ACCEPT

This first command tells the INPUT chain to accept all traffic on your loopback interface. -A appends the rule to the end of the INPUT chain, -i lo restricts it to the loopback interface, and -j ACCEPT is the action iptables takes when traffic matches the rule. Many local services talk to each other over loopback, so this rule must come before anything that drops traffic.


iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Next, we allow packets that belong to a connection that is already established, or that are related to one. Without this rule, once the INPUT policy is DROP the server would discard the replies to connections it started itself (package downloads, DNS lookups), and the later packets of an accepted inbound connection such as an SSH session are also let through here without needing to match a port rule each time. The newer spelling -m conntrack --ctstate ESTABLISHED,RELATED performs the same test.


iptables -A INPUT -p icmp -j ACCEPT

This command tells your server not to block ICMP (ping) packets. This can be helpful for network troubleshooting and monitoring purposes. Note that the -p icmp portion is telling iptables the protocol for this rule is ICMP.


How Do I Allow a Port in Ubuntu?

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

TCP port 22 is commonly used for SSH. This command allows TCP connections on port 22. Change this if you are running SSH on a different port. Notice since SSH uses TCP, we’ve specified the protocol using -p tcp in this rule.


iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

These two commands allow web traffic. Regular HTTP uses TCP port 80, and encrypted HTTPS traffic uses TCP port 443.


iptables -A INPUT -p udp --dport 1194 -j ACCEPT

This is a less commonly used port (1194/udp is OpenVPN’s default), but it shows how to open a port that uses the UDP protocol instead of TCP. Note that in this example we’ve specified UDP with -p udp; UDP has no handshake, so the ESTABLISHED rule relies on the kernel’s connection tracking to recognise replies.


How Do I Allow an IP Address in Ubuntu?

iptables -A INPUT -s 192.168.0.100 -j ACCEPT

You can configure iptables to always accept connections from a source IP address, regardless of which port they arrive on. This is commonly referred to as “whitelisting” (allowlisting); we’re allowing 192.168.0.100 in this example. Be very restrictive with this action: a source address is a weak credential, since it is trusted as written on the packet with no further authentication, so only allow hosts you control, prefer private or VPN addresses, and keep the services’ own authentication in place even for allowed hosts.


How Do I Block an IP Address in Ubuntu?

iptables -I INPUT 1 -s 192.168.0.200 -j DROP

You can also use iptables to drop all connections from an IP address or range (give -s a CIDR such as 192.168.0.0/24 for a range), regardless of which port they arrive on. This is helpful for blocking specific known malicious IPs; we’re using 192.168.0.200 as the IP to block in this example. Note the -I INPUT 1 instead of -A: iptables stops at the first matching rule, so a DROP appended after the ACCEPT rules for ports 22, 80 and 443 would never see that host’s traffic to those ports. Inserting it at position 1 puts it at the top of the chain, ahead of every ACCEPT.


How Do I Block All Other Ports?

iptables -P INPUT DROP

Next, we set the INPUT chain’s default policy to DROP so that anything not matched by a rule above is discarded. Do this last: the policy takes effect immediately, and if you set it before the ESTABLISHED,RELATED and port 22 rules exist, your own SSH session is cut off. We’re only allowing a few specific ports in our example; if you need others, add their ACCEPT rules as well. Rules appended later still work, because the policy only applies to packets no rule matched.


How Do I Forward Traffic in Ubuntu?

iptables -P FORWARD DROP

Likewise, we’re going to drop forwarded packets. Iptables is very powerful, and you can use it to configure your server as a network router. Our example server isn’t acting as a router, so we won’t be using the FORWARD chain.


How Do I Allow All Outbound Traffic?

iptables -P OUTPUT ACCEPT

Finally, we want to allow all outgoing traffic originating from our server. We’re mostly worried about outside traffic hitting our server, and not blocking our own box from accessing the outside world.


How Do I Permanently Save IP Rules?

Rules live in kernel memory and are lost on reboot, so to make them persist we need to save them. Note that iptables-save does not persist anything by itself: it prints the current ruleset to standard output in a form that iptables-restore can load. On Ubuntu 16.04, install the iptables-persistent package, which loads /etc/iptables/rules.v4 (and rules.v6 for IPv6) at boot, and write the ruleset to that file:

/sbin/iptables-save > /etc/iptables/rules.v4

Re-run this whenever you change the rules, and check the saved file before rebooting; a mistake in it locks you out at the next boot.
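As an added example (not code from the original article), the following script writes the ruleset above in the format iptables-save prints and iptables-restore reads, which is exactly what ends up in /etc/iptables/rules.v4, and then checks that the blocklist rule sits ahead of every port rule so an ACCEPT cannot shadow it. It never calls iptables, so it is safe to run anywhere; the addresses and ports are the article’s example values and the temporary file name is chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original article: build the article's ruleset as
# an iptables-restore file (the format iptables-save prints and
# iptables-persistent loads from /etc/iptables/rules.v4) and check rule order.
# Nothing here touches the live firewall.
set -eu

# build_rules: print the filter table in iptables-restore format. Policies are
# carried by the ":CHAIN POLICY" header lines; rules are listed in the order
# the kernel evaluates them, so the blocklisted host comes first.
build_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Blocklisted hosts first: the first matching rule wins.
-A INPUT -s 192.168.0.200/32 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -s 192.168.0.100/32 -j ACCEPT
COMMIT
EOF
}

# rule_position FILE PATTERN: 1-based position of the first "-A INPUT" rule
# containing PATTERN (the number "iptables -L --line-numbers" would show),
# or 0 if no rule matches. Headers and comments are not counted.
rule_position() {
    awk -v pat="$2" '
        /^-A INPUT/ { n++; if (index($0, pat) > 0) { print n; found = 1; exit } }
        END { if (!found) print 0 }
    ' "$1"
}

# check_order FILE: succeed only if the DROP rule is evaluated before the
# first port ACCEPT, i.e. the blocklist cannot be shadowed by an allow rule.
check_order() {
    drop=$(rule_position "$1" "-j DROP")
    accept=$(rule_position "$1" "--dport")
    if [ "$drop" -gt 0 ] && [ "$drop" -lt "$accept" ]; then
        return 0
    fi
    return 1
}

# Demonstration: write the file and verify the ordering.
rules="${TMPDIR:-/tmp}/rules.v4.example.$$"
build_rules > "$rules"
if check_order "$rules"; then
    echo "ok: DROP for 192.168.0.200 is rule $(rule_position "$rules" "-j DROP")," \
         "port 22 ACCEPT is rule $(rule_position "$rules" "--dport 22")"
fi
# To apply it for real: iptables-restore < "$rules", or copy it to
# /etc/iptables/rules.v4 so iptables-persistent loads it at boot.
rm -f "$rules"
```

Loading a file with iptables-restore replaces the whole table atomically, which is why it is the preferred way to apply a full ruleset: there is no window where the policy is DROP but the SSH rule is not yet present.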


How Do I Reset My Iptable?

To wipe out all existing firewall rules and return to a blank slate, first reset the chain policies to ACCEPT and then flush the chains. The order matters: iptables -F removes the rules but leaves the policies untouched, so flushing while the INPUT policy is still DROP removes the rule that allows your SSH session and locks you out. Remember that an empty configuration with ACCEPT policies allows all traffic to your server, so you typically would not want to leave your server unprotected in this state for very long. Nevertheless, this can be very helpful when configuring new firewall rulesets and you need to revert to a blank slate.

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F

 

We’ve covered a lot of ground in this article! Configuring iptables can seem like a daunting process when first looking at an extensive firewall ruleset, but if you break down the rules one at a time, it becomes much easier to understand the process. When used correctly, iptables is an indispensable tool for hardening your server’s security. Liquid Web customers enjoy our highly trained support staff, standing by 24×7, if you have questions on iptables configurations. Have fun configuring your firewall!

How to Configure Multiple Sites with Apache

Reading Time: 2 minutes

If you are hosting more than one site on a server, then you most likely use Apache’s virtual host files to state which domain should be served out. Name-based virtual hosts are one of the methods used to resolve site requests. This means that when someone views your site the request travels to the server, which in turn determines which site’s files to serve based on the domain name. Using this method you’ll be able to host multiple sites on one server with the same IP. In this tutorial, we’ll show you how to set up your virtual host file for each of your domains on an Ubuntu 18.04 server.

How to Install Apache 2 on Ubuntu 18.04

Reading Time: 2 minutes

Apache is the most popular web server software in use today. Its popularity is earned through its stability, fast service, and security. Most likely, if you are building out a web page or any public-facing app, you’ll be using Apache to display it. At the time of writing, the most current offering of Apache is 2.4.38, and it is the version we will be installing on our Ubuntu 18.04 LTS server. Let’s get started!

Install and Configure Mod_Security on Ubuntu 16.04 Server

Reading Time: 5 minutes

Mod_security, also commonly called Modsec for short, is a powerful WAF (Web Application Firewall) that integrates directly into Apache’s module system. This direct integration allows the security module to intercept traffic at the earliest stages of a request. Early detection is crucial for blocking malicious requests before they are passed along to the web applications hosted by Apache. This provides an extra layer of protection against common threats a server faces. This article will explore the installation of mod_security along with the CRS (Core Rule Set) on an Ubuntu 16.04 LTS server running Apache 2.4.

An Introduction to Firewalld

Reading Time: 5 minutes

In some ways, firewalld on systemd systems is easier to manage and configure than iptables. There are, for the most part, no long series of chains, jumps, accepts and denies that you need to memorize in order to get firewalld up and running in a basic configuration. The rules are simple and straightforward, but there is no reason you cannot still have all the power that iptables afforded.

How to Install and Configure Fail2ban on Ubuntu Server 16.04

Reading Time: 4 minutes

Have you ever logged into your server and seen a message such as this?

Last failed login: Fri Dec 28 11:37:02 MST 2018 from 192.168.0.102 on ssh:notty
There were 942 failed login attempts since the last successful login.
Last login: Mon Dec 24 13:35:57 2018 from 192.168.0.101

What happened here? This message is informing me that while I was logged out, there were 942 failed attempts to access my server via SSH! A message like this is a strong indicator that the server was under a “brute force” attack: an attacker repeatedly guesses passwords, usually from lists of common ones, until one happens to be correct. This is one reason why using a strong password is so important, and why key-based authentication with password logins disabled is better still. Fear not, Fail2ban can be a fantastic tool for dynamically thwarting these brute force attacks. This tutorial will walk you through installing and configuring Fail2ban to help protect sshd from brute force attacks. Let’s dig in!

Note:
The remainder of this tutorial requires you to have root privileges. Start by either logging in as root or prefix these commands with sudo.

 

Installing Fail2ban on Ubuntu Server 16.04 is simple. Run the following two commands to install the program:

apt-get update

apt-get install fail2ban -y

Next, (re)start the service so that it is running:

service fail2ban restart

Finally, we check to make sure Fail2ban is running after the restart:

service fail2ban status

The output should display active (running) which indicates the service is up and we’re ready to proceed to configuration.

 

Now that Fail2ban is installed and running, we can define custom rules for what services it protects, and how to handle violations.

First, create a local configuration file for Fail2ban. Fail2ban ships its defaults in /etc/fail2ban/jail.conf, which package upgrades overwrite, so local overrides belong in jail.local. This file doesn’t exist by default, but Fail2ban will read it on top of jail.conf if it exists:

touch /etc/fail2ban/jail.local

Now we’ll open the configuration file for editing. We’re using vi as our text editor in this example, but feel free to use nano or whatever text editor you are most comfortable with. (Related: check out our helpful tutorial if you need to brush up on how to use vi.) Run the following command to open the file for editing:

vi /etc/fail2ban/jail.local

Paste in the following contents, and save the file:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true

Let’s review the options we just set. First, we are telling Fail2ban to ignore the IP range 127.0.0.1/8 and the address ::1. These are the IPv4 and IPv6 loopback addresses, respectively; it is worth adding the static address you administer the server from to this list so you can never ban yourself. For the remaining lines, it is important to understand that Fail2ban reads bare numbers in the configuration file as seconds. These rules will ban an IP address for one hour {bantime = 3600} if it makes 5 failed attempts {maxretry = 5} within any 10-minute window {findtime = 600}. Finally, we enabled the jail for sshd. Feel free to adjust these numbers to your liking, but please consider the following:

Note:
Setting a ban time of -1 will result in a permanent ban on that IP address. You may need to contact Liquid Web support if you accidentally block yourself from your own server. Consider these options carefully!
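To show what maxretry and findtime actually do, here is an added example that is not part of the original tutorial and not Fail2ban’s own code: a few constructed auth.log lines and a shell/awk function that applies the same sliding-window count Fail2ban uses for the sshd jail, reporting each IP at the moment it would have been banned. The hostname, PIDs and addresses in the log are made up. Timestamps are parsed as seconds within one day, so the sample lines are assumed to fall on the same date (Fail2ban itself handles full dates).

```shell
#!/bin/sh
# Added example, not from the original tutorial or from Fail2ban: apply the
# maxretry/findtime rule to constructed sshd log lines and report the IPs
# that would be banned. Assumes all lines are from the same day.
set -eu

# sample_log: constructed auth.log excerpt. 192.168.0.102 fails rapidly;
# 192.168.0.101 fails once every 15 minutes, slower than findtime allows.
sample_log() {
    cat <<'EOF'
Dec 28 11:36:01 server sshd[2101]: Failed password for root from 192.168.0.102 port 51230 ssh2
Dec 28 11:36:04 server sshd[2101]: Failed password for root from 192.168.0.102 port 51230 ssh2
Dec 28 11:36:07 server sshd[2103]: Failed password for invalid user admin from 192.168.0.102 port 51233 ssh2
Dec 28 11:36:10 server sshd[2105]: Failed password for invalid user test from 192.168.0.102 port 51240 ssh2
Dec 28 11:36:12 server sshd[2107]: Failed password for root from 192.168.0.102 port 51241 ssh2
Dec 28 11:37:02 server sshd[2109]: Failed password for root from 192.168.0.102 port 51250 ssh2
Dec 28 11:40:00 server sshd[2111]: Failed password for root from 192.168.0.101 port 40001 ssh2
Dec 28 11:55:00 server sshd[2113]: Failed password for root from 192.168.0.101 port 40002 ssh2
Dec 28 12:10:00 server sshd[2115]: Failed password for root from 192.168.0.101 port 40003 ssh2
Dec 28 12:25:00 server sshd[2117]: Failed password for root from 192.168.0.101 port 40004 ssh2
Dec 28 12:40:00 server sshd[2119]: Failed password for root from 192.168.0.101 port 40005 ssh2
Dec 28 12:41:00 server sshd[2121]: Accepted publickey for deploy from 192.168.0.101 port 40006 ssh2
EOF
}

# offenders LOG MAXRETRY FINDTIME: print "IP Mon DD HH:MM:SS" for every IP
# that reaches MAXRETRY "Failed password" lines within any FINDTIME-second
# window, once, at the line that would trigger the ban. Later failures from
# an already banned IP are ignored, as the firewall would drop them.
offenders() {
    awk -v maxretry="$2" -v findtime="$3" '
        /sshd.*Failed password for/ {
            split($3, hms, ":")                       # HH:MM:SS -> seconds of day
            t = hms[1] * 3600 + hms[2] * 60 + hms[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || banned[ip]) next
            n[ip]++
            when[ip, n[ip]] = t
            recent = 0                                # failures inside the window
            for (j = n[ip]; j >= 1 && when[ip, j] >= t - findtime; j--) recent++
            if (recent >= maxretry) {
                banned[ip] = 1
                print ip, $1, $2, $3
            }
        }
    ' "$1"
}

# Demonstration with the values from jail.local above.
log="${TMPDIR:-/tmp}/auth.log.example.$$"
sample_log > "$log"
echo "banned with maxretry=5, findtime=600:"
offenders "$log" 5 600
rm -f "$log"
```

With the tutorial’s settings only 192.168.0.102 is banned, at its fifth failure; 192.168.0.101 never has five failures inside a 10-minute window, which is the kind of slow, patient guessing a short findtime misses and a longer one (or a lower maxretry) catches.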

Now that we have created a configuration to use, restart Fail2ban so that our new rules are read and utilized:

service fail2ban restart

We will also double check to make sure Fail2ban is running after the restart:

service fail2ban status

Note:
If Fail2ban does not start successfully after creating your configuration file, it is possible you have a typo in the configuration file /etc/fail2ban/jail.local. Check the file contents and try again!

 

At this point, you have successfully installed and configured Fail2ban, congratulations! For the remainder of this tutorial, we will show you how to use the program and how to manage IP blocks.

Run the following command to check the status of Fail2ban:

fail2ban-client status

Example output shows you the number of currently configured jails. Right now we have only created a jail for sshd:

Status
|- Number of jail:    1
`- Jail list:    sshd

You can also poll the detailed status of individual jails. This command will check the status of the sshd jail we just configured:

fail2ban-client status sshd

Example output shows no IPs blocked, looks good!

Status for the jail: sshd
|- Filter
|  |- Currently failed:    0
|  |- Total failed:    0
|  `- File list:                 /var/log/auth.log
`- Actions
   |- Currently banned:    0
   |- Total banned:    0
   `- Banned IP list:

Now, for example, I’m going to fail five attempts to SSH to my server. After the fifth failed attempt, my IP should be automatically blocked! The following shows the output from my workstation when I try to SSH to the server after the fifth failed attempt:

ssh root@192.168.0.101
ssh: connect to host 192.168.0.101 port 22: Connection refused

The “connection refused” message does not come from sshd: it comes from the REJECT rule Fail2ban inserted into the firewall for our address (by default it rejects with an ICMP port-unreachable, which the client reports as a refused connection).

Back on the server, let’s again check the status of the SSH jail by running:

fail2ban-client status sshd

The output shows that my IP has indeed been blocked! Looking at the status, we can see my workstation’s IP address has been added to the “Banned IP list”.

Status for the jail: sshd
|- Filter
|  |- Currently failed:    1
|  |- Total failed:    1
|  `- File list:                 /var/log/auth.log
`- Actions
   |- Currently banned:    1
   |- Total banned:    1
   `- Banned IP list:    192.168.0.102

Finally, we will demonstrate how to remove a banned IP. This is helpful if you have clients that accidentally block themselves from incorrect password attempts. The syntax for this command is as follows:

fail2ban-client set <JAIL NAME> unbanip <IP ADDRESS>

For example, this command will delist 192.168.0.102 from the sshd jail.

fail2ban-client  set sshd unbanip 192.168.0.102

Let’s double check our work and make sure my IP address has been successfully unblocked:

fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed:    1
|  |- Total failed:    6
|  `- File list:                 /var/log/auth.log
`- Actions
   |- Currently banned:    0
   |- Total banned:    1
   `- Banned IP list:

That wraps it up for this tutorial! We only discussed protecting sshd in this tutorial, but Fail2ban can be used to help protect all kinds of other services such as httpd. We encourage you to do some further reading and see what it is capable of! Just remember that while Fail2ban is awesome, it is not a replacement for a strong set of firewall rules. When properly configured, however, Fail2ban is a great tool to help further harden your server’s security. Have fun and happy IP blocking!