Oracle Linux

OCI Database Backup Service Configuration – Avoid 401 Unauthorized Error

While I a preparing new exercises for an Oracle Cloud Infrastructure training, I ran into an issue while configuring the Oracle Database Backup Service for the Object Storage. The OCI backup module installer returns an error 401.

My Environment

  • Oracle Linux 7 Virtual Box Machine
  • Oracle 19c RDBMS

Backup Service Module Installation Error

The installation was done according the documenation https://docs.oracle.com/en/cloud/paas/db-backup-cloud/csdbb/oracle-database-cloud-backup-module-oci.html

Error Message – java.io.IOException: testConnection: 401 Unauthorized

What I have verified:

  • Private key format and permissions
  • OCIDs
  • FingerPrint

But all of them were correct. There is no My Oracle Support note available about this error together with Oracle Database Backup Service. But after some more investigation, I found this note here: EBSCloudBackup.pl Failed When Performing Database Tier Upload Task (Doc ID 2588278.1) – bingo! This note described exactly my case with the cloud backup. The machine time is wrong!

My actual Machine Time and Date

The timezone CEST is correct. But wait, here in Kestenholz at the famous Jurasüdfuss / Switzerland, we have 14:38 local time. The virtual machine was 2 hours “in the future”. Let’s install the NTP service deamon.

NTP Installation and Configuration

Now the time is right:

OCI Backup Configuration – 2nd Try

Now the oci_installer.jar runs fine and the configuration will be created. Et voilà.

Lesson learned

Take care about time and date settings when you build virtual machines for testing purposes. And aways install a time service like NTP or chrony.

Monitor your Oracle Cloud Free Tier with Grafana on Oracle Linux 8

In a previous blog post I wrote about monitoring Oracle Cloud Infrastructure components by Grafana. In the meantime, we got the Oracle Cloud Free Tier. Here is an updated version.

This blog post shows you how to install and configure the Grafana plugin based on the Oracle blog entry https://blogs.oracle.com/cloudnative/data-source-grafana on an Oracle Enterprise Linux 8 server.

Steps to monitor the Oracle Cloud Free Tier by the OCI Grafana Plugin

  1. Install and configure the Oracle Cloud Infrastructure CLI – by download or by YUM install
  2. Configure Group, User and Policy in Oracle Cloud Infrastructure Console
  3. Install Grafana and the OCI Plugin
  4. Configure the Grafana DataSource
  5. Create a new Dashboard with OCI Metrics

Machine Requirements

The server needs access to the internet.

Install and configure the Oracle Cloud Infrastructure CLI

Link: https://docs.cloud.oracle.com/iaas/Content/API/SDKDocs/cliinstall.htm

In this step, the software will be installed an configured. The new created SSH public key has to be added in the OCI console for further actions.

As OS user root we create a new user for OCI actions. 

Login as user oci, execute the CLI download and installation script. Answer questions with Y / Enter to get the default installation.

Default values:

install directory /home/oci/lib/oracle-cli
executable directory /home/oci/bin
OCI scripts /home/oci/bin/oci-cli-scripts
optional CLI packages db
shell/tab completion Y
path to rc file /home/oci/.bashrc

 

After the successful CLI installation, you have to configure it.

Based on your OCI account, these information are required – let the config and key location on default values.

config location /home/oci/.oci/config
user OCID OCI > Identity > Users > [YOUR_USER] > OCID
tenancy OCID OCI > Administration > Tenancy Details > [YOUR_TENANCY] > OCID
region choose your region, e.g. eu-zurich-1
generate a new key pair Y -> only if you don’t have already created a key pair
key directory /home/oci/.oci
key name oci_api_key

 

Add the content of the public key file in the OCI console to your user which you want to work with.

Attention: Be sure that you add the public key to the user which you have used for the CLI configuration!

Test the CLI configuration – example to list all compartments in your tenant.

Alternative Method Oracle Linux 7 – YUM Repository

Thanks to Sergio Leunissen from Oracle for his input, the Python SDK and oci utilities are is available in the YUM repository too and ready to install. Take a look at his blog post to see how to work with the Python SDK and OCI metadata:

Configure Group, modify User and add a Policy in Oracle Cloud Infrastructure Web Interface

Group

Create a new OCI group called Grafana. OCI > Identity > Groups.

Modify User

Add the selected user to the group – for example this is my user.

Add a Policy

Create a new policy called GrafanaPolicy. OCI > Identity > Policies.

allow group grafana to read metrics in tenancy
allow group grafana to read compartments in tenancy

Install Grafana and the OCI Plugin

Link: https://grafana.com/grafana/download?platform=linux

Login as user root and install Grafana.

Enable auto start and start the Grafana server manually.

Enable port 3000 (Grafana default port in firewall – the port can be changed in /etc/grafana/grafana.ini) to provide web access to Grafana.

Install the Grafana Oracle Cloud Infrastructure oci-datasource plugin.

Verify the Grafana plugin directory with the installed plugin.

Grafana needs the configuration file and the SSH Key from the user oci. As user root, copy the files and set the ownership to OS user grafana.

Change the path to the key file in /usr/share/grafana/.oci/config.

# vi /usr/share/grafana/.oci/config

From:

To:

Create a new Dashboard based on OCI Metrics

Open your browser and log in into Grafana with [SERVERNAME]:3000. Username and password are admin/admin. You have to change your initial password imme diately.

Add data source

Select Oracle Cloud Infrastructure

Configure the Data Source

Fill in your tenancy OCI, region and set Environment = Local. Test the connection. For troubleshooting see Grafana logfile in directory /var/log/grafana. If your default region like ZRH / EU-ZURICH-1 is not listed, then you have to edit the a plugin file as described below. Otherweise no metrics are shown.

Example to use Grafana for the Datacenter eu-zurich-1:

Edit the file /var/lib/grafana/plugins/oci-datasource/dist/constants.js and add your missed region – restart Grafana.

Error message in the grafana.log when your region is not added in file content.js but you select the region as data source:

Create a new Dashboard and Add Query

Create a Query to visualize Data

In this dashboard example I used the region eu-zurich-1, my compartment, the namespace oci_autonomous_database and the metric CpuUtilization.

There are a lot of other metrics available like:

  • CurrentLogons
  • ExecutionCount
  • Sessions
  • StorageUtilization (in %)
  • etc.

Available Metrics

 Learn more about metrics and monitoring in the OCI documentation here:

Summary

The OCI Grafana plugin is a nice solution to visualize your Oracle Cloud Free Tier environment based on Open Source software. Take care, Grafana needs access to the OCI CLI SSH information for the Oracle Cloud Infrastructure connection.

OCI Compute Instances – Stop SSH Brute Force Attacks with fail2ban & UseDNS

Every day and night, the SSH login by key into my public accessible Oracle Cloud Infrastructure Linux Compute Instance was permitted for hours. And sometimes, when I had luck, it worked. For me it was not clear when it works and when not. But something has blocked me. The password authentification in the OCI Linux instance is basically disabled, the key is the only way to log in.

After some investigation on the OCI instance, I found a huge amount of login trials in the /var/log/secure file. These brute force attacks were locking me out!

There is a interesting OCI documentation available called Securing Compute with steps how to secure OCI compute cloud instances – and one of this recommendation is: install fail2ban.

https://docs.cloud.oracle.com/iaas/Content/Security/Reference/compute_security.htm

fail2ban

fail2ban is an open source tool which reads several types of logfiles and creates based on rules new entries in the firewall table to block remote connections. I has default filters for ssh, apache postfix and many more. From Wikipedia: 

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

Link: https://www.fail2ban.org/wiki/index.php/Main_Page

Installation

All steps have to be executed as user root. FYI: I wanted to be informed when a new IP was banned, therefore I have installed sendmail too.

Configuration

For my fail2ban configuration I have created a new file called jail.local and made my settings there.

jail.local

After 2 unsuccesful logins, the source IP will be banned for 86400 seconds. And if a new IP is added to the ban list, I get an email.

/etc/fail2ban/jail.d/00-firewalld.conf

For OL7 where firewalld is used, verify if the command firewallcmd-ipset is set in /etc/fail2ban/jail.d/00-firewalld.conf. If you use iptables, the command can be changed. Please read the documentation how to change the firewall.

Start fail2ban

Verification

Status Check

Status Check with details, there is already one IP listed.

After some minutes, more entries were recognized in the /var/log/secure log file and added.

firewall-cmd

A new rule is automatically added with the match set failban-sshd.

sshd Configuration

After the fail2ban installation, there were other entries left in  /var/log/secure.

After changing the parameter UseDNS to no in /etc/ssdh/sshd_config and a restart, these entries were history.

Summary

Never let a OCI compute cloud running with a public IP without to monitor login attemps! fail2ban is one step to get more security. It is easy to configure and it helps a lot. But you have to do the basic work like software updates, SSH key enabling etc. The Oracle documentation is a good base to start! My next step will be to install and configure WAZUH – I keep you up to date!

Links

https://www.oracle.com/technetwork/articles/servers-storage-admin/tips-harden-oracle-linux-1695888.html

https://fedoraproject.org/wiki/Fail2ban_with_FirewallD