Zenload Update

Repos for Squeeze LTS
/etc/apt/sources.list

deb http://http.debian.net/debian/ squeeze main contrib non-free
deb-src http://http.debian.net/debian/ squeeze main contrib non-free

deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free

Update Repos
apt-get update

Install latest Squeeze security update
apt-get upgrade

 
Reboot
reboot

 
 
 
 
 
Repos for Wheezy upgrade
/etc/apt/sources.list

 

#official repository for Debian
deb http://ftp.debian.org/debian wheezy main contrib non-free
deb-src http://ftp.debian.org/debian wheezy main contrib non-free
deb http://ftp.debian.org/debian wheezy-updates main contrib non-free

deb http://http.debian.net/debian wheezy main contrib non-free
deb-src http://http.debian.net/debian wheezy main contrib non-free

deb http://http.debian.net/debian wheezy-updates main contrib non-free
deb-src http://http.debian.net/debian wheezy-updates main contrib non-free

deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free

#official repository for Zen Load Balancer Updates
deb http://zenloadbalancer.sourceforge.net/apt/x86 v3/

Update Repos and add keys
apt-get update

gpg --keyserver pgpkeys.mit.edu --recv-key 9D6D8F6BC857C906
gpg -a --export 9D6D8F6BC857C906 | apt-key add -
gpg --keyserver pgpkeys.mit.edu --recv-key 7638D0442B90D010
gpg -a --export 7638D0442B90D010 | apt-key add -

Upgrade to Wheezy
apt-get dist-upgrade

Reboot
reboot

 

 

Pound and SSL update for Zen Load Balancer

 

Debian Wheezy upgrade required!
 
Preparations
install required tools
apt-get install build-essential devscripts m4 quilt debhelper zlib1g-dev bc g++ cmake

install Hoard for Pound (increases speed)
apt-get install libpcrecpp0 libpcre3-dev libpcre3 libpcre++0 libpcre++-dev libtcmalloc-minimal4 libgoogle-perftools4 libgoogle-perftools-dev

mkdir hoard
cd hoard/

wget https://github.com/emeryberger/Hoard/releases/download/3.10/Hoard-3.10-source.tar.gz

gunzip Hoard-3.10-source.tar.gz
tar -xf Hoard-3.10-source.tar
cd Hoard/src

make linux-gcc-x86

cp libhoard.so /usr/lib/.

load Hoard library
export LD_PRELOAD=/usr/lib/libhoard.so

Add the following to /etc/profile
export LD_PRELOAD=/usr/lib/libhoard.so

ldd /bin/ls

Upgrade SSL security
configure OpenSSL
cd ~
mkdir openssl
cd openssl

apt-get source openssl

cd openssl-*

quilt pop -a

disable compression, insecure ciphers, SSLv2 and SSLv3
vi debian/rules
CONFARGS  = -no-comp --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib enable-tlsext no-ssl2 no-ssl3  #Include no-ssl3 for even better security.

quilt push -a

dpkg-source --commit

debuild -uc -us

cd ..

dpkg -i *ssl*.deb

Mark the OpenSSL packages as not upgradeable
apt-mark hold libssl-dev libssl-doc libssl openssl libssl1.0.0 libssl1.0.0-dbg

reboot

Pound upgrade
mkdir pound
cd pound

wget https://fossies.org/linux/www/Pound-2.7.tgz

tar -xf Pound-2.7.tgz

cd Pound-2.7

./configure

make

cp pound /usr/local/zenloadbalancer/app/pound/sbin/pound2.7
cp poundctl /usr/local/zenloadbalancer/app/pound/sbin/poundctl2.7
cp /usr/local/zenloadbalancer/app/pound/sbin/pound /usr/local/zenloadbalancer/app/pound/sbin/pound2.5
cp /usr/local/zenloadbalancer/app/pound/sbin/poundctl /usr/local/zenloadbalancer/app/pound/sbin/poundctl2.5
cp /usr/local/zenloadbalancer/app/pound/sbin/pound2.7 /usr/local/zenloadbalancer/app/pound/sbin/pound
cp /usr/local/zenloadbalancer/app/pound/sbin/poundctl2.7 /usr/local/zenloadbalancer/app/pound/sbin/poundctl
cd ~

Change Ciphers for SSL in Zen Loadbalancer

Pound upgrade required!
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Add the following two lines to the Pound configuration (/usr/local/zenloadbalancer/config/<FARM>_pound.cfg):
        SSLHonorCipherOrder     1
        SSLAllowClientRenegotiation     0
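
One way to check that a farm file carries these settings, as an added example that is not from the original post or the Zen Load Balancer project. The sample config is constructed and abbreviated, and it assumes the cipher string above ends up in a Pound Ciphers directive in the same file.

```shell
# Added example: audit a <FARM>_pound.cfg for the TLS settings listed above.

# Print the value of the first uncommented occurrence of a directive.
pound_directive() {  # $1 = file, $2 = directive name (case-insensitive)
    awk -v d="$2" 'BEGIN { d = tolower(d) }
        /^[ \t]*#/ { next }
        tolower($1) == d { $1 = ""; sub(/^[ \t]+/, ""); gsub(/"/, ""); print; exit }' "$1"
}

# Return 0 when the config matches the settings above, else the number of findings.
check_pound_cfg() {  # $1 = path to the farm config
    cfg=$1; findings=0
    [ "$(pound_directive "$cfg" SSLHonorCipherOrder)" = "1" ] ||
        { echo "FAIL: SSLHonorCipherOrder is not 1"; findings=$((findings + 1)); }
    [ "$(pound_directive "$cfg" SSLAllowClientRenegotiation)" = "0" ] ||
        { echo "FAIL: SSLAllowClientRenegotiation is not 0"; findings=$((findings + 1)); }
    ciphers=$(pound_directive "$cfg" Ciphers)
    if [ -z "$ciphers" ]; then
        echo "FAIL: no Ciphers directive"; findings=$((findings + 1))
    else
        # Each exclusion must appear as its own colon-separated token.
        for excl in '!aNULL' '!eNULL' '!EXPORT' '!DES' '!RC4' '!MD5'; do
            case ":$ciphers:" in
                *":$excl:"*) ;;
                *) echo "FAIL: cipher list lacks $excl"; findings=$((findings + 1)) ;;
            esac
        done
    fi
    [ "$findings" -eq 0 ] && echo "OK: $cfg"
    return "$findings"
}

# Constructed sample (placeholder certificate path, shortened cipher list).
write_sample_cfg() {  # $1 = output path
    cat > "$1" <<'EOF'
ListenHTTPS
        Cert    "/path/to/cert.pem"
        Ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
        SSLHonorCipherOrder     1
        SSLAllowClientRenegotiation     0
End
EOF
}

sample=$(mktemp); write_sample_cfg "$sample"
check_pound_cfg "$sample"; rm -f "$sample"
```

On a live system, point check_pound_cfg at the real farm file; a non-zero exit status is the number of settings that differ from the ones listed here.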
http://sysadminosaurus.blogspot.de/
