Showing posts with label Linux.

Monday, January 3, 2011

Installing CentOS 5.5 with Linux Integration Services 2.1 on Hyper-V R2

Hyper-V R2 brings some powerful virtualization to the table for those of us who have neither the skills nor the desire to work with virtual machineware. Most fans of Hyper-V are also likely to be well versed in Windows and may often lack the knowledge to rummage through Linux. Although there are many resources available regarding Linux on Hyper-V, I felt that most assumed the reader had intimate knowledge of Linux, which is often not the case.

For Windows administrators new to Linux who wish to provide virtualized services to their end-users, my recommendation is to stick to CentOS 5.5. Being a close derivative of Red Hat Enterprise Linux (RHEL), the distribution officially supported by Microsoft, installation of the Integration Components is simplified and stability matches what is found when running RHEL.

You will need the CentOS 5.5 x64 installation DVD ISO (CentOS-5.5-x86_64-bin-DVD-1of2.iso) which can be found at http://isoredirect.centos.org/centos/5/isos/x86_64/.

You will also need the Linux Integration Services 2.1 ISO (LinuxIC v21.iso) available through the Microsoft Download Center at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=eee39325-898b-4522-9b4c-f4b5b9b64551.

To create the initial virtual machine, you will need to use the Legacy Network Adapter and limit yourself to a single CPU. You will also want to take time to decide how large of a VHD to allocate ahead of time as expanding a Linux partition can be a little complicated. Personally, I find 20GB to be sufficient for small, single purpose Linux virtual machines.

After booting from the CentOS ISO, you are presented with the choice to do a graphical or a text mode installation. To choose the text mode installation (as used here), simply type “linux text” at the boot: prompt and hit enter.

To navigate throughout the next portion of the text mode installation, use the Tab key to navigate between fields and the Space key to select options or hit buttons.

You will be asked if you would like to do a media test. You can safely skip this.

The initial welcome screen to the installation process.

Choose your language as appropriate.

And your keyboard.

You must then partition your VHD for Linux. As you will be starting off with a fresh VHD, you can simply choose “Use free space on selected drives and create default layout.” and continue with OK.

Be sure to hit No to continue as hitting Yes will simply bring you back to the previous screen.

As long as you have properly configured your virtual machine to use the Legacy Network Adapter, you will be presented with the opportunity to have the installation configure it for you.

Check the “Enable IPv4 support” option and hit OK to continue.

Switch to the “Manual address configuration” option and enter your IP address and netmask as appropriate.

Continue on by entering your default gateway (usually your router or your network’s default route). If you have internal DNS servers for your network, enter them here or alternatively, you can use OpenDNS.

The name of your virtual machine is defined here as the hostname.

Select your time zone and continue.

Be sure to choose a secure root password as the root user has complete access to the entire virtual machine and SSH is enabled on first boot.

For a bare minimum installation, uncheck all of the packages, check “Customize software selection” and hit OK.

Uncheck all package groups and continue. Anything you require can later be installed by yum anyway.

Installation will begin once you continue past this screen.

Once installation is complete, you will be required to reboot.

After rebooting, you will be ready to log in. At this point, I recommend connecting via SSH in order to copy and paste commands.

The first thing that must be done is to update all the base packages and upgrade the kernel to the latest version. Simply run a “yum update”, then reboot.

yum update
reboot

You will need to install the “kernel-devel”, “gcc” and “make” packages to compile and install the Linux Integration Components. I also suggest installing the VIM text editor.

yum install kernel-devel
yum install gcc
yum install make
yum install vim-enhanced.x86_64

Attach the Linux Integration Services ISO. Once attached, you will need to mount the cdrom. You must then copy the source to a temporary folder and compile it there. Finally, you will be able to install the Linux Integration Components: “make” compiles the source, then “make install” installs the compiled drivers.

mkdir -p /mnt/cdrom
mount /dev/cdrom /mnt/cdrom
cp -rp /mnt/cdrom /opt/linux_ic
umount /mnt/cdrom
cd /opt/linux_ic
make
make install

The time synchronisation component is not compatible with CentOS, therefore you will need to install “adjtimex”.

yum install adjtimex

You will need to shutdown the virtual machine in order to enable the Synthetic Network Adapter and increase the number of CPUs allocated. To do so, run the shutdown command.

shutdown -h -t 0 0

Change the settings in Hyper-V once the virtual machine has completely shutdown.

Start the virtual machine and log in. You will need to reconfigure the network adapter, as “eth0” will have disappeared and a new adapter, “seth0”, will have taken its place.

The easiest way to do this is to edit the MAC address in the “eth0” backup file to match the MAC address of the Network Adapter as displayed in the virtual machine settings in Hyper-V, then copy the backup file as “seth0” and restart the network service.

vi /etc/sysconfig/network-scripts/ifcfg-eth0.bak
(edit HWADDR)
(save and exit)
rm -f /etc/sysconfig/network-scripts/ifcfg-seth0
mv /etc/sysconfig/network-scripts/ifcfg-eth0.bak /etc/sysconfig/network-scripts/ifcfg-seth0
service network restart

If all went well, you will find yourself with a bare minimum install of CentOS 5.5 running the latest kernel and version 2.1 of the Linux Integration Services. Fully virtualized and synthetic. You can now enjoy the many benefits of Hyper-V Linux such as the ability to shutdown the virtual machine without the root password.
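The seth0 reconfiguration above is the step most likely to go wrong by hand, so here is an added example (my own script, not from the original post) that produces ifcfg-seth0 from the backup file, validating the MAC address before writing anything. The paths are arguments and the sample config is constructed, so it can be tried on a copy before touching the real network-scripts directory.

```shell
#!/bin/sh
# Added example, not from the original post: build ifcfg-seth0 for the
# synthetic adapter from the saved ifcfg-eth0 backup, replacing HWADDR with
# the MAC shown in the VM's Hyper-V settings. Source and destination paths
# are arguments, so it can be tried on a copy before writing to
# /etc/sysconfig/network-scripts. Assumes the usual RHEL/CentOS 5 ifcfg
# KEY=value layout.

# Succeed only if $1 is six hex pairs separated by colons.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# make_seth0_config SRC DST MAC
#   SRC  backup of the legacy adapter config (ifcfg-eth0.bak)
#   DST  where to write the synthetic adapter config (ifcfg-seth0)
#   MAC  MAC address of the synthetic adapter, e.g. 00:15:5D:01:02:03
# IPADDR, NETMASK, GATEWAY, ONBOOT and any other keys are carried over
# unchanged; DEVICE is set to seth0 so the file name and device agree
# (the post's manual edit changes HWADDR only).
make_seth0_config() {
    src=$1 dst=$2 mac=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    valid_mac "$mac" || { echo "not a MAC address: $mac" >&2; return 1; }
    # Hyper-V shows MACs in upper case; normalise so the file matches it.
    mac=$(printf '%s' "$mac" | tr 'a-f' 'A-F')
    sed -e '/^DEVICE=/d' -e '/^HWADDR=/d' "$src" > "$dst" || return 1
    printf 'DEVICE=seth0\nHWADDR=%s\n' "$mac" >> "$dst"
}

# Demonstration on a constructed sample config (not a real VM's file).
demo=$(mktemp -d)
cat > "$demo/ifcfg-eth0.bak" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:15:5D:AA:BB:CC
IPADDR=192.168.1.50
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
ONBOOT=yes
EOF
make_seth0_config "$demo/ifcfg-eth0.bak" "$demo/ifcfg-seth0" 00:15:5d:01:02:03
cat "$demo/ifcfg-seth0"
rm -r "$demo"
```

Run it against a copy of your own ifcfg-eth0.bak first; once the output looks right, point DST at /etc/sysconfig/network-scripts/ifcfg-seth0 and restart the network service as the post describes.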

Thursday, November 18, 2010

New Fedora Linux Project Leader Comes From Asterisk Roots

The Red Hat sponsored Fedora Linux community is an open source development effort that includes a diverse set of participants. At the top of the organizational chart for Fedora is the position of Fedora Project Leader, the person tasked with overseeing the general direction and operations of the Fedora project.

In July, Jared Smith took up the position of Fedora Project Leader, replacing the outgoing Paul Frields. Among Smith's first jobs is to guide the development and release of the upcoming Fedora 14 Linux distribution, set for general availability in November. Building the Fedora Linux distribution is one of Smith's key responsibilities as Fedora Project Leader, but it involves more than just pure code.


"A lot of the time we think of Fedora as just the bits and the bytes that we burn on a CD every six months and ship out, but Fedora is more than that, it has to be a community," Smith said. "As such we have to concentrate on building that community and taking care of the community as much as we take care of the bits and bytes."

Tuesday, November 9, 2010

Using IP tables to secure Linux server against common TCP hack attempts

In the innocent communication world of TCP/IP, a TCP conversation starts with something called a three-way handshake. Both parties assume that the other party is as innocent as they are. The first party/computer sends a message called SYN to any IP address in the world. The computer/server which receives it, without even knowing who sent the message, sends back a reply called SYN-ACK and innocently starts waiting for the final reply from the sender (note that it waits, assuming that the sender will send a final reply). The sending computer, upon receiving this reply and following the rules of TCP/IP communication, sends back the final message called ACK. This completes the three-way handshake, which establishes a connection between the two computers, and they start exchanging data.


Computer1 -> SYN -> Computer2
Computer2 -> SYN-ACK -> Computer1
Computer1 -> ACK -> Computer2


Now if the first computer simply starts sending a lot of SYN messages to one or more computers and, on receiving the SYN-ACK replies, never replies with the final ACK message, then these poor computers which replied with SYN-ACK will keep waiting for the final ACK from the sender. The purpose of this attack is to flood a server with so many SYN packets that it starts ignoring incoming requests from legitimate users.


Computer1 -> SYN -> Computer2
Computer2 -> SYN-ACK -> Computer1
Computer1 -> No reply. Poor Computer2 waiting for reply
Computer1 -> another SYN -> Computer2
Computer2 -> SYN-ACK -> Computer1
Computer1 -> No reply. Poor Computer2 now waiting for two replies
and so on


So make sure that on your system all NEW incoming TCP connections are SYN packets; anything else claiming to be a new connection should be dropped:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

DROP FRAGMENT PACKETS


Drop incoming fragmented packets. Attacks using fragments can cause a Linux server to panic, with data loss as a result.

iptables -A INPUT -f -j DROP

XMAS PACKETS


Drop incoming malformed XMAS packets (every TCP flag set):

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

DROP ALL NULL PACKETS


Drop incoming malformed NULL packets (no TCP flag set):

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Filter ICMP/PING traffic


Pinging public IP addresses is a common way to find out which IP addresses are live. Pinging is a process in which a computer echoes back whatever data it receives, which is why in technical terms it is called an echo-request and echo-reply mechanism; it works over the ICMP protocol. An attacker can also send a computer the largest possible TCP packet, i.e. a 64Kb packet, and the computer will reply with a packet of the same size. It's an easy way to clog a server's bandwidth and processing power. So it's a good idea to either block all ping requests or allow them only from selected IP addresses. To block all ping requests:

iptables -A INPUT -p icmp -j DROP

To exempt a specific IP address, e.g. 74.125.148.10:

iptables -A INPUT -p icmp -s ! 74.125.148.10 -j DROP

If you remove the ‘!’ sign before the IP address, the rule means that only this IP address can’t ping the server, while the rest of the world can. In the same way you can block whole blocks of IP addresses.
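To see what the three TCP rules above actually match, here is an added example (not from the original post) that models the iptables flag masks in plain shell and runs them over constructed sample packets; the conntrack state is supplied by hand, where on a real host the kernel's connection tracker would supply it.

```shell
#!/bin/sh
# Added example, not from the original post: a pure-shell model of which of
# the three TCP rules above a packet would hit, so the flag masks can be
# checked against sample packets without a live firewall. Flag bits are
# those of the TCP header: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32. iptables'
# "ALL" is these six bits (0x3F, so ECE/CWR are ignored), and "--syn" means
# SYN set with RST, ACK and FIN clear, i.e. --tcp-flags SYN,RST,ACK,FIN SYN.
ALL=63
SYN_MASK=23     # FIN|SYN|RST|ACK: the bits --syn looks at

# tcp_verdict FLAGS STATE  -> prints DROP-NOSYN, DROP-XMAS, DROP-NULL or ACCEPT
#   FLAGS  TCP flag byte as a decimal number
#   STATE  conntrack state, NEW or ESTABLISHED (constructed here; on a real
#          host the kernel's connection tracker supplies it)
# Rules are tested in the order the post appends them, which is the order
# iptables walks the INPUT chain, so a NEW XMAS packet is counted against
# the first rule that matches, not the XMAS rule.
tcp_verdict() {
    flags=$1 state=$2
    if [ "$state" = NEW ] && [ $((flags & SYN_MASK)) -ne 2 ]; then
        echo DROP-NOSYN         # -p tcp ! --syn -m state --state NEW -j DROP
    elif [ $((flags & ALL)) -eq "$ALL" ]; then
        echo DROP-XMAS          # -p tcp --tcp-flags ALL ALL -j DROP
    elif [ $((flags & ALL)) -eq 0 ]; then
        echo DROP-NULL          # -p tcp --tcp-flags ALL NONE -j DROP
    else
        echo ACCEPT             # falls through to the rest of the chain
    fi
}

# Constructed sample packets: "flags state" (decimal flags).
# 10 = SYN|PSH is still a valid --syn packet because PSH is outside the mask;
# 255 sets ECE/CWR as well, but ALL only covers the low six bits.
samples='2 NEW
10 NEW
18 NEW
16 ESTABLISHED
63 ESTABLISHED
255 ESTABLISHED
0 ESTABLISHED
63 NEW'
printf '%s\n' "$samples" | while read -r flags state; do
    printf '%-4s %-12s %s\n' "$flags" "$state" "$(tcp_verdict "$flags" "$state")"
done
```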

Wednesday, August 25, 2010

Installing Linux Integration Services v2.1 Hyper-V R2 On CentOS 5

Virtualization Introduction

When installed on a virtual machine that is running a supported Linux operating system, Linux Integration Services for Hyper-V provides the following functionality:

Driver support for synthetic devices: Linux Integration Services supports the synthetic network controller and the synthetic storage controller that were developed specifically for Hyper-V.
Fastpath Boot Support for Hyper-V: Boot devices now take advantage of the block Virtualization Service Client (VSC) to provide enhanced performance.
Timesync: The clock inside the virtual machine will remain synchronized with the clock on the host.
Integrated Shutdown: Virtual machines running Linux can be shut down from either Hyper-V Manager or System Center Virtual Machine Manager, using the "Shut Down" command.
Symmetric Multi-Processing (SMP) Support: Supported Linux distributions can use up to 4 virtual processors (VP) per virtual machine.

1. Download Linux Integration Components v2.1

a. Download Linux Integration Components v2.1 from Microsoft Download site.

b. Extract the .exe file into a temp folder. You will need only LinuxIC v21.iso file.

c. Place the LinuxIC v21.iso file on your VM host server where you can mount the ISO as a CDROM for your CentOS Virtual Machine.


2. Installation

You will need Development Tools installed to be able to compile the Integration Components. You could do that by running yum:

yum groupinstall "Development Tools"

NOTE: This command will try to use your network connection to download packages, and if you used the Synthetic Network Adapter for your Hyper-V machine you will not have an internet connection yet. So make sure to install Development Tools during your CentOS initial installation.

Now make sure you added LinuxIC v21.iso file to your Hyper-V CDROM as Image.

As the root user, mount the CD in the virtual machine by issuing the following commands at a shell prompt:

mkdir /mnt/cdrom
mount /dev/cdrom /mnt/cdrom

Copy Linux Integration Services to the virtual machine and unmount the CDROM, which is no longer needed:

mkdir /opt/linux_ic_v21_rtm
cp