Managing the server
In this chapter you will learn how to check the server information. This information is not linked to the senhasegura features. Here we will talk about the settings that are common to Linux operating systems.
Listing hardware information
Through the menu Orbit Config Manager ➔ Server ➔ Information you can view the Uptime of the server, IP, CPU Load, Memory, details of the network interfaces, DNS configuration, firewall rules applied and configuration with NTP service status.
Managing disks and partitions
Through the menu Orbit Config Manager ➔ Server ➔ Disks and partitions you can view the partitions that are mounted on the senhasegura operating system. The possible views are:
Disk use: Describes how the partitions use space.
inodes use: Presents how the partitions use inodes. A high use of inodes can lead to unavailability of services.
Partitions: Presents the relationship between virtual and physical partitions, their UUIDs and partition types.
Look at the partition mounted as /var. This partition receives the recorded session files and the backup files. Orbit will monitor its growth and raise an incident alert when it is close to exhaustion.
On this screen you can also add remote partitions using the CIFS and NFS protocols. Fill in the authentication fields according to the desired protocol. Orbit will automatically mount the partition without restarting the instance.
Remote partition passwords must not contain the characters \, & and ! in remote partition mapping.
Disk resize
On this same screen it is also possible to expand the free space of the physical disk into the virtual partitions. Orbit itself coordinates this resizing, without the need for user intervention. But be careful! Take an instance snapshot before performing this procedure.
The primary hard disk where senhasegura is installed can be expanded up to 2TB. This size limit is based on the MBR partition scheme, chosen as the default by senhasegura to ensure that old hypervisors can host the solution.
To expand the LVM partition to sizes over 2TB, you should add a new virtual hard disk and resize the partition using the Orbit interface.
To resize the primary hard disk or add a new hard disk, you should shut down the instance. In a cluster scheme, keep every instance with the same hardware profile to avoid replication issues.
Adding an AWS S3 bucket for backup
This subsection aims to specify the installation of the AWS S3 client and the administration format for uploading the senhasegura backup files.
For general use, the fastest way to configure the AWS CLI installation is to run the aws configure command.
Next, enter the Access Key ID and the Secret Access Key and, if necessary, fill in the rest of the information.
Access keys consist of an access key ID and a secret access key, which are used to sign programmatic requests that you make to AWS. If you do not have access keys, you can create them in the AWS Management Console.
To start synchronizing data to the bucket, use the following command:
aws s3 sync /var/orbini/backup/senhasegura s3://mybucket/folder
Change the //mybucket/folder information according to the bucket configuration used.
Once this is done, the bucket is configured and ready to receive the backup data from senhasegura.
To automate the backup process via bucket you need to create a file as follows:
vim /etc/cron.d/aws_sync
In this file enter the following information:
*/1 * * * * root /usr/local/bin/aws s3 sync /var/orbini/backup/senhasegura/ s3://mybucket/folder/ 2> /dev/null 1>/dev/null
*/10 * * * * root /usr/local/bin/aws s3 sync /var/senhasegura/arz/ s3://mybucket/folder/ 2> /dev/null 1>/dev/null
*/1 * * * * root /usr/local/bin/aws s3 sync /srv/cache/coba/ s3://mybucket/folder/ 2> /dev/null 1>/dev/null
If you do not want to back up videos, use the following parameters:
*/1 * * * * root /usr/local/bin/aws s3 sync /var/orbini/backup/senhasegura/ s3://mybucket/folder/ 2> /dev/null 1>/dev/null
*/1 * * * * root /usr/local/bin/aws s3 sync /srv/cache/coba/ s3://mybucket/folder/ 2> /dev/null 1>/dev/null
To apply the settings, save the file and run the following command to restart the service used for calling backups: service cron restart
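The cron entries above start a new sync every minute and discard all output, so an overlapping or failing upload leaves no trace. The wrapper below is an added example, not part of the senhasegura product or documentation: it runs one sync per source directory at a time and records failures. LOCK_DIR, LOG_FILE and the location where the script is saved are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not senhasegura code. AWS_BIN matches the path used in the
# cron entries; LOCK_DIR and LOG_FILE are assumed locations.
AWS_BIN="${AWS_BIN:-/usr/local/bin/aws}"
LOCK_DIR="${LOCK_DIR:-/run/lock}"
LOG_FILE="${LOG_FILE:-/var/log/aws_sync.log}"

# One lock file per source directory, so the separate jobs do not block
# each other.
lock_path() {
    printf '%s/aws_sync.%s.lock\n' "$LOCK_DIR" \
        "$(printf '%s' "$1" | tr -c 'A-Za-z0-9' '_')"
}

# sync_once SRC DEST
# Returns 0 on success, 75 if the previous run for SRC is still active,
# otherwise the exit status of "aws s3 sync".
sync_once() {
    so_lock=$(lock_path "$1")
    so_rc=0
    (
        flock -n 9 || exit 75          # skip instead of stacking up runs
        "$AWS_BIN" s3 sync "$1" "$2" --only-show-errors
    ) 9>"$so_lock" >>"$LOG_FILE" 2>&1 || so_rc=$?
    if [ "$so_rc" -ne 0 ]; then
        # Timestamped line for every skipped or failed run.
        printf '%s sync %s -> %s rc=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$so_rc" >>"$LOG_FILE"
    fi
    return "$so_rc"
}

# Called from cron as: <path to this script> SRC DEST
if [ "$#" -eq 2 ]; then
    sync_once "$1" "$2"
fi
```

A cron entry using the wrapper keeps the schedule, user, source and destination fields from the entries above and replaces only the command with the script's path.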
Basic System Services Control
Through the Orbit Web interface you can view and control the status of some server services. Through the Orbit Command Line interface you have access to all services, but for security reasons your choices through the Web interface are limited.
Access the Orbit Config Manager ➔ Server ➔ Services menu to view and control the CRON, Zabbix Agent, Open VMWare Tools, Database and SSH server services.
We do not recommend that the CRON, Database and SSH server services be shut down or restarted without necessity. Please contact our support if you need to perform this type of operation.
Changing the SSL Certificate of the application
Attention! The certificate exchange will restart the web server service.
The default senhasegura installation includes a self-signed 512-bit SSL certificate. It is highly recommended that you replace this certificate with a valid market certificate.
Access the menu Orbit Config Manager ➔ Server ➔ Certificates to access the screen where you can upload a new pair of certificate files and your key.
If the certificate is valid, it will appear in the list of certificates installed in the application. To apply it, click the Install button of the desired certificate. At that moment, Orbit will apply the certificate to the web server and restart the service.
The certificate must be in PEM format, with the file extension crt for the certificate and the file extension key for the key.
Certificates of the type DER or PKCS#12 (PFX, P7B, and P12) must be converted.
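One way to produce the PEM crt and key pair before uploading, shown as an added example using the OpenSSL command line (not senhasegura tooling). File names are placeholders and P12_PASS is an assumed environment variable holding the bundle password; the functions also check that the key belongs to the certificate and report the key size.

```shell
#!/usr/bin/env bash
# Added example, not senhasegura code. File names are placeholders and
# P12_PASS is an assumed environment variable holding the bundle password.

# der_to_pem IN.der OUT.crt : DER-encoded X.509 certificate to PEM.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# p12_to_pem IN.p12 OUT.crt OUT.key : split a PKCS#12 bundle into a PEM
# certificate and an unencrypted PEM key. The password comes from the
# environment so it does not show up in the process list.
p12_to_pem() {
    (
        umask 077                      # key file readable by its owner only
        openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts |
            openssl x509 -out "$2" &&
        openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes |
            openssl pkey -out "$3"
    )
}

# pair_matches CERT.crt KEY.key : succeeds only when both files carry the
# same public key, i.e. the key really belongs to the certificate.
pair_matches() {
    pm_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    pm_key=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$pm_cert" = "$pm_key" ]
}

# key_bits CERT.crt : print the public key size in bits.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
```

The converted key is written unencrypted, so remove the working copies once the upload is done.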
Network Services
DNS
Although DNS is configured during the Orbit Wizard process, you can change the DNS settings at any time. Just be aware that this action, although it does not restart services in the instance, can leave senhasegura in a network situation that prevents it from reaching devices that were previously accessible.
By accessing the menu Orbit Config Manager ➔ Server ➔ Settings you have access to the DNS configuration fields, where you can enter up to three DNS server addresses, the Domain information and the Search information.
When changing, apply the changes with the Save button and wait for Orbit to perform the necessary operations.
NTP
The NTP server can also be changed even after executing the Orbit Wizard steps. By changing the NTP server you are changing the time zone of the entire system. Users may be logged off the platform.
By accessing the Orbit Config Manager ➔ Server ➔ Settings menu you have access to the configuration fields Primary NTP server and Secondary NTP server.
Firewall information
By accessing the menu Orbit Config Manager ➔ Server ➔ Information you will have access to all firewall rules applied in senhasegura. These rules cannot be modified through the web interface. System updates will always normalize firewall rules by removing non-standard rules.
HIDS Block (Wazuh)
senhasegura has an embedded HIDS system using Wazuh. This system prevents SSH connections with authentication failures from continuing to try passwords. After three failed attempts, the source IP will be blocked.
This blocking is not immediate. Wazuh must analyze the logs before making a decision. Therefore, the user can be blocked at any time from the third failure onward. Once blocked, the IP will not be released automatically. The administrator must release the IP manually.
You can access the menu Orbit Config Manager ➔ Server ➔ Security and locate the IP in the block list. Each blocked IP contains an action to Exclude the block. When confirming the action, Orbit will schedule the unblocking. This action may take a few minutes.
senhasegura account blocks caused by failed attempts in the web interface are not considered in Wazuh blocking. However, that blocking also occurs after three attempts and requires manual release by the administrator.
Server Tuning
When there is a change in the usage profile, or when there is a change in the hardware configuration, it is recommended that the load parameters of the web server and database be reconfigured so that senhasegura always works with the best configuration for the hardware on which it is hosted and for the user's usage profile.
You can perform this maintenance in a practical way from the menu Orbit Config Manager ➔ Server ➔ System tuning. On this screen you can choose between different system usage profiles, which will calculate the best configuration with the available hardware resources.
This calculation may show low or no value variation if the available hardware is not sufficient for a change in usage profile.
This action will reboot the systems and affect the senhasegura behavior. Be aware of downtime.