Posts Tagged ‘Xen’

XenServer basic security Tips – How do you secure your XenServer?

Posted on the January 29th, 2012 under Interesting,Linux,server,Tutorials,Xen,XenServer by

Using this post to keep some notes on a few things I did to my XenServer instance,  most of this is just common sense.

Disable root login via SSH

First things first, make sure you add a user on the Xenserver box.  This is the user you will allow to login via SSH (if you have SSH running at all).

Edit the sshd_config, and find the text #PermitRootLogin yes and change it to:

PermitRootLogin no

Right below that add a new line, and replace USERNAME with the username you created.

AllowUsers USERNAME

If you have more then one user that you want to add just put a space between them and add them in succession.  Example:

AllowUsers john harry bob

Then go ahead and restart sshd:

/etc/init.d/sshd restart

Open up a new terminal session and make sure you can login to the server under your new user, and you should be good to go!

Edit the web page that XenServer shows or limit access completely

Xenserver by default serves up a web page that gives your links to download the Xen Center admin console… The web server also servers up the XAPI that is needed for the admin console to access the server remotely. So you have a few options, edit the index.html page to remove the data on there and serve up a blank page.  Or the better option is to restrict access completely to the XAPI via the hosts file.  And the best option is to toss the Xenserver behind a firewall (hardware or software).  Perhaps I’ll go into detail on how to do that in a future post, but in short, firewall the entire server and tunnel in via SSH, which would be the most secure avenue. The only downside to restricting access via a firewall or restricting access via the hosts file is that if you are not at home / work / at a PC where you have access to the restrictions in place your, out of luck on getting access to your server.   Now keep in mind, there are alternatives for access (port knocking, ssh via another server or VM, etc)  I could go on forever, but everyones situation is different. With that said, lets go over the first two options.

To prevent XenServer from showing the default index.html page, you can either edit the actual file and change it to your liking. The file is located here:

/opt/xensource/www/index.html

For the second option, you can reference the Citrix support document here for detailed information on modifying the hosts file http://support.citrix.com/article/CTX118504, however below is essentially what you need to do.

First edit the hosts.deny file located here: /etc/hosts.deny and enter in: xapi:ALL – What this does is restrict every IP from accessing the XAPI.  Second, you’ll need to edit the hosts.allow file, which takes precedence over the hosts.deny and specify the ip adresses or range of ip addresses that you would like to allow access to the XAPI.  The hosts.allow file is located /etc/hosts.allow

Allow access to a specific ip in the hosts.allow you would put in the following replacing IPADDRESS with the ip you would like to grant access:

xapi:IPADDRESS

Example:

xapi:24.22.12.222

To allow access to a group of ip addresses, for our example, lets use 24.22. – this would allow any ip address that begins with 24.22. to access the XAPI.

Example:

xapi: 24.22.

If you happen to come across this page, what do you do to lock down your XenServer installs?  I’ll be writing a few more articles as I dive deeper into Xen and XenServer, so be sure to check back often.

 

 

 

XenServer Tips and Tricks – Auto Start Your VM

Posted on the January 28th, 2012 under Interesting,Tutorials,Xen,XenServer by

Figured I’d share a few of my notes from firing up a XenServer instance…  I went through lot of research before deciding to go with XenServer versus just firing up Xen on Debian, but thats for another post. The main reason I setup this server was to move off of Linode because I was at the point where it just made sense cost wise, essentially I have a more powerful server for way less money.  Granted, you do loose some of the conveniences of Linode  (simple management/upgrade/backup).  Anyways, onto XenServer…

When using the free edition of XenServer 6.0, you’ll want to do a few things such as enabling Auto Start / Auto Boot / Auto Power On.  For some reason this feature was removed from the “Free” version in 6.0, so lets go ahead and set this up.

First your going to want to get the UUID of the VM’s you wish to enable auto start on as well as the UUID of the pool these VM’s reside in.

To get the list of the pool’s on your XenServer type:

xe pool-list

Copy the UUID of the pool, in my case there ist just one pool. Then issue the following command, and replace the UUID with your pools UUID.

xe pool-param-set uuid=UUID other-config:auto_poweron=true

Then, at the command prompt of your XenServer type:

xe vm-list

You should get a full list of the VM’s on the server, along with their name and UUID. Copy the UUID of the VM you wish to enable autostart then issue the command below, again replacing the UUID with the UUID of the VM you wish to auto start.

To Auto Start your Pool (replace UUID with the UUID of your Pool):
xe pool-param-set uuid=UUID other-config:auto_poweron=true
To Auto Start your VM (replace the UUID with the UUID of your VM):
xe vm-param-set uuid=UUID other-config:auto_poweron=true

xe vm-param-set uuid=UUID other-config:auto_poweron=true

And thats it, the next time you ever need to power cycle your main server, the Xen instances should power up automatically.

I’ll be adding a few more articles over the next few weeks of some other notes and tips.  Next up is adding some monitoring to your main XenServer to see whats going on with your different instances.