Friday, November 6, 2020

Install mssql server in Ubuntu 20.04 Docker Container

To install SQL Server 2019 in an Ubuntu 20.04 Docker container, follow these steps.

1. Pull the systemd-enabled image and start a container from it.

sudo docker run -d --name linuxamination --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro jrei/systemd-ubuntu:20.04

2. Log into the container

sudo docker exec -it linuxamination bash

3. Inside the container, update the package index.

apt update

4. Install the required packages.

apt install wget curl sudo software-properties-common gnupg2

5. Add the Microsoft signing key and the SQL Server 2019 repository to apt.

sudo wget -qO- https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
sudo add-apt-repository "$(wget -qO- https://packages.microsoft.com/config/ubuntu/18.04/mssql-server-2019.list)"

6. Update the repository

apt update

7. Install MSSQL Server.

sudo apt install mssql-server

8. Configure MSSQL Server.

/opt/mssql/bin/mssql-conf setup

During configuration, select the Express (free) edition if you do not have a license key for MSSQL Server.

Then accept the license terms and set a password for your MSSQL server.

If you get the following error while configuring MSSQL Server:

Ubuntu Docker Container Error - System has not been booted with systemd as init system (PID 1). Can't operate

then follow this tutorial from the beginning and you will not get this error. If you launched a container from your existing Ubuntu image and are now following the rest of the steps from this tutorial, you may get this error.

Take a look here for the solution:

http://linuxamination.blogspot.com/2020/11/ubuntu-docker-container-error-system.html

or, if you need the complete guide to the solution, follow this.


9. Now install the mssql tools; run these commands in your container.

curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
curl https://packages.microsoft.com/config/ubuntu/19.10/prod.list > /etc/apt/sources.list.d/mssql-release.list

10. Update the repository, install the tools and add them to your PATH.

sudo apt update
sudo ACCEPT_EULA=Y apt install mssql-tools unixodbc-dev
echo 'export PATH="$PATH:/opt/mssql-tools/bin"' >> ~/.bashrc
source ~/.bashrc

11. Now connect to the MS SQL console using this command.

sqlcmd -S 127.0.0.1 -U SA

Enter the password you chose during configuration. You are now on the mssql command line.

12. Create a database (in sqlcmd a batch is only executed when you enter go):

1> create database mydb;
2> go

13. Get a list of databases:

1> select name from sys.databases;
2> go


System has not been booted with systemd as init system (PID 1). Can't operate - Docker Error

If you are starting a service in a Docker container with the systemctl command, or configuring a service, and you get the above error, check the output of the command

ps aux

in your Docker container. If the PID 1 process is not systemd, that is the issue.


In the above image, the PID 1 process is bash because I launched the container using the bash command.

While launching your container, you might have started it with bash or some other command. You should have launched it with systemd as the command.

If you launch a container with systemd and it stops after some time and cannot be started again, the image you are launching from was not built to run systemd as PID 1.

You need an image that is built to handle this.

Solution:

Pull the following image from the Docker registry and start a container from it (note that it runs with --privileged, which gives the container broad access to the host, so use it only where that is acceptable).

docker run -d --name linuxamination --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro jrei/systemd-ubuntu:20.04

I needed Ubuntu 20.04 for my service; if you need Ubuntu 18.04 or Ubuntu 16.04, simply replace 20.04 with 18.04 or 16.04 in the above command and it will pull the requested image.

Once you run the above command, you do not need to launch a container from this image, as it is already launched and running. Log into the container using the following command.

docker exec -it linuxamination bash

Once you are inside the container, your PID 1 process will be systemd.

Now if you run the systemctl command or configure any service, you will not get the error you were getting before.

Systemd error solution for different Docker images:

a) Solution for Ubuntu
Pull image command:
docker run -d --name Linuxamination --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro jrei/systemd-ubuntu:20.04
Log into the container:
docker exec -it Linuxamination bash

b) Solution for CentOS
Pull image command:
docker run -d --name linuxaminationC8 --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro alekseychudov/centos8-systemd
Log into the container:
docker exec -it linuxaminationC8 bash

c) Solution for Debian
Pull image command:
sudo docker run -d --name systemd-debian --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro jrei/systemd-debian:11
Log into the container:
sudo docker exec -it systemd-debian bash

d) Solution for Fedora
Pull image command:
sudo docker run -d --name systemd-fedora --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro jrei/systemd-fedora
Log into the container:
sudo docker exec -it systemd-fedora bash

e) Solution for Red Hat Linux
Pull image command:
sudo docker run -d --name linuxamination --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro registry.access.redhat.com/ubi8/ubi-init:8.1
Log into the container:
sudo docker exec -it linuxamination bash

f) Solution for AlmaLinux
Pull image command:
sudo docker run -d --name almalinuxamination --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro almalinux/8-init
Log into the container:
sudo docker exec -it almalinuxamination bash


Monday, October 19, 2020

fail2ban to secure ssh server

SSH is a network protocol for operating network services securely over an unsecured network, but the word secure in its name does not mean it cannot be broken. Admins need to configure it securely.

If you are forced to provide SSH access globally, I would suggest not using passwords as the login method. RSA keys are a more secure way to log in and make unauthorized access to the server much harder.

But if you cannot use RSA keys as the login method, you should install fail2ban on your server. It protects you in several ways against unauthorized access.

If you are under the impression that nobody is trying to log into your server, try this on a dummy server: open port 22 for SSH login and check /var/log/auth.log or /var/log/secure after an hour or two. You will find countless SSH login attempts. People from every corner of the earth are trying very hard to get inside your server.

Here is how to secure your server if your SSH login method is a password.

1) Install fail2ban on your Linux system.

apt install fail2ban
or
yum install fail2ban

2) Configure jail.local

nano /etc/fail2ban/jail.local

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 7200
findtime = 900
maxretry = 5
[sshd]
enabled = true

service fail2ban restart

fail2ban is now configured on your server. Next you want to know whether it is actually working. That concern is valid; read the following steps.

A) To see how many jails you have created in fail2ban, use this command.

sudo fail2ban-client status

In the above configuration we created only one jail, so it will list only one jail, i.e. 'sshd'.

B) Now you want to check how many IPs have been blocked. This shows the total number of IPs ever banned as well as the list of IPs currently in blocked status.

sudo fail2ban-client status <jailname>
sudo fail2ban-client status sshd

You set bantime to 7200 in your config, which means an IP is blocked for 2 hours once it reaches 5 or more failed login attempts within the findtime window of 900 seconds. You can reduce the number of allowed failed attempts or increase the bantime depending on your requirements.

C) If you want to block an IP or a whole IP range manually, here is the command.

sudo fail2ban-client -vvv set sshd banip 141.98.10.0/24
sudo fail2ban-client -vvv set sshd banip 222.141.207.246

The first command blocks the IP range 141.98.10.0 to 141.98.10.255, i.e. all 256 IPs. The second command blocks only one IP, 222.141.207.246.

D) If you think nobody wants to log into your server because your files are useless to them, try the command below. Even if your server holds just one blank file a.txt, people who gain access will write into it how many bitcoins they want, or will simply remove the file along with any other OS files your user is allowed to remove.

Check all failed login attempts:

grep rhost /var/log/auth.log

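To see what the three jail.local values above actually do, here is an added Python example (not from the original post, and not fail2ban's own code) that replays auth.log lines of the kind the grep above returns and applies maxretry, findtime and bantime as a sliding window per rhost. The host name, PIDs, user names and IP addresses in the sample log are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FINDTIME, MAXRETRY, BANTIME = 900, 5, 7200  # the jail.local values from the post

# The pam_unix failure line sshd writes to auth.log (the lines "grep rhost" finds).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<ip>\S+)"
)

def parse_failure(line, year=2020):
    """Return (timestamp, rhost) for a failed-auth line, else None; syslog lines carry no year."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def ban_decisions(lines, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Replay lines in order; return {ip: (ban_start, ban_end)} for every rhost that hits maxretry inside findtime."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the findtime window
    bans = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # successful logins and unrelated lines do not count
        ts, ip = parsed
        if ip in bans and ts < bans[ip][1]:
            continue  # still banned: the firewall rule would have dropped this attempt
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()  # failures older than findtime no longer count
        if len(hits) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            hits.clear()
    return bans

# Constructed sample lines (RFC 5737 documentation addresses, not a real log).
SAMPLE_LOG = """\
Oct 19 09:40:00 vps sshd[1101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root
Oct 19 10:00:01 vps sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Oct 19 10:00:05 vps sshd[1202]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=admin
Oct 19 10:00:09 vps sshd[1203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=admin
Oct 19 10:00:12 vps sshd[1204]: Accepted publickey for ops from 192.0.2.10 port 51122 ssh2: RSA SHA256:constructed
Oct 19 10:00:14 vps sshd[1205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=test
Oct 19 10:00:25 vps sshd[1206]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=oracle
Oct 19 10:10:00 vps sshd[1102]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root
""".splitlines()
```

Running ban_decisions(SAMPLE_LOG) bans only 203.0.113.7 (five failures in 24 seconds) for two hours; 198.51.100.9 is never banned because its two failures are 30 minutes apart, further than findtime allows.
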
Unauthorized SSH access can be the biggest damage to you and your server. Do not take it lightly.
1) Always use the key login method for your SSH user and do not open port 22 globally.
2) If you are forced to open it globally, use the key login method, and RSA keys only.
3) If you are forced to use the password login method with global access, then you must choose a very strong password for your user and configure fail2ban.