Changes

m
Line 1: Line 1:  
This is a page concerning the various servers and hosts which comprise the ASL network services
 
This is a page concerning the various servers and hosts which comprise the ASL network services
 +
 +
= Overview =
 +
 +
The ASL architecture is designed to be scalable across donated/purchased virtual machines.  Any bare metal servers will be setup with a VM technology, ASL is agnostic to the chosen hypervisor. 
 +
 +
At the core of ASL service is a distributed database, which is active-active across all nodes.  Registration servers talk to this database along with the nodes list and DNS servers.  These services are the core of ASL services; IAX2 registration, nodes list and DNS.  All other services are nice to have, but don't affect the availability of the network for end users.
 +
 +
The core servers are all interconnected using host to host IPSEC.  This not tunnels, but rather host to host, where traffic is encrypted between hosts using pre-shared keys.  These have proven to be reliable and work well even over the best effort of the internet.  The DB servers require encrypted channels, as they don't support encryption at the application level.  This also simplifies networking between ASL hosts.
 +
 +
DNS is serviced for primary DNS with short TTL's on register.allstarlink.org.  Should any one server go offline, it's pulled from the DNS and turns down after 30 seconds.  For the remainder of ASL hosts, several secondary servers exist.
    
= Servers =
 
= Servers =
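Review bot: The DNS paragraph in this hunk ("Should any one server go offline, it's pulled from the DNS and turns down after 30 seconds") leaves out the two facts an operator needs: the actual TTL set on register.allstarlink.org and what performs the health check that removes a dead server from the zone; state both, since the 30 seconds only holds if the TTL matches it. In the IPSEC paragraph, "This not tunnels, but rather host to host" should read "This is not tunnels, but rather host to host" (i.e. transport mode), and because the DB servers depend on this channel for confidentiality ("they don't support encryption at the application level"), the paragraph should also say how the pre-shared keys are managed and rotated, and which hosts are expected to have an SA with which. Finally, "Any bare metal servers will be setup with a VM technology" should be "set up", and "TTL's" should be "TTLs".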
Line 23: Line 33:     
The ILO needs java installed to get at the console, but is licensed for full video access.
 
The ILO needs java installed to get at the console, but is licensed for full video access.
 +
 +
The ILO MAC is B4B5.2F5B.B90C
 +
 +
====== The ILO admin password is ======
 +
<poem style="border: 2px solid #d6d2c5; background-color: #f9f4e6;padding: 1em; padding-top:0px; font-size:12px;">
 +
<nowiki>
 +
-----BEGIN PGP MESSAGE-----
 +
hQEMA4nyEUPSzEPpAQgAuJvcngnoXbZq/audRVP09zPHKRZWoP6gZhrNpMVpu1fN
 +
x0vGPbhWw94iloMjAWONeyLkNzOg2KGaSc1I7GY7dKQ8+0Snqez/lb0PAp5P1P+y
 +
c2owsvqJ616G4mZTZ0ZAUXMfY4Rmoz0YDctJatbGxanT4jLpmQMua9jx6Ukjl+F+
 +
BZHB+jZwzOeVx3lNOYuX7hrHu6NLjDkoFiBOHDQBY0d0CPamYhRm25d/eIcN2Zpf
 +
pqXauSZJlFoKBhYRxpw3KzMMJhwR2F4Mda58fwJeuhTVf2HxijvqEOhv4NTgsSNJ
 +
M7MLn13Yxyru8mEw+TM0JSw4Kd8/bSUE6E7iYYXl8NLAMgEhVuvJkiwUolYu+U3b
 +
qVGOJD3+oAgdOqa9rZzecLGwCRUErXEWa3/1EvgWh+g31HG49ombZpC4AhHpWqXq
 +
nPZ/7YJmg9SLmMB2FvGfsaxIXXj+5fSJHHCPfAXNwNb4GmsNIbPkqXjPBELVb3hd
 +
woJxU0tc57MoJK8322WcoE4uKsV2r4oxZEK5g8/L3otN6Oz4VMgkQQyFUIBnGp7o
 +
Mflja33bvBflp6rnDH+IlC7qdtOmNqMQ3bWuKUxIWr3P/+xEUBjSwIR8ohW7XaLV
 +
BNQ5qnRi7iTF0o/JFBy6d6g7oQ1ZbqlDOoYmtwnz9dEkhU8X
 +
=SIcB
 +
-----END PGP MESSAGE-----
 +
</nowiki></poem>
 +
 +
===== Syslog and fail2ban =====
 +
 +
The VM's are setup for remote syslog.
 +
 +
Fail2ban is configured to nullroute IPs and email the admin contact after 2 bad logins.  As it's done with a nullroute, fail2ban can run on the hypervisor and will catch login attempts on the VM's.  This means if you get locked out via fail2ban, you're locked out of all VMs. 
 +
 +
There is a firewall configured at /etc/network/firewall.sh.  Note this protects the hypervisor (INPUT) and to the 44net subnet (FORWARD).  By default everything is blocked to the external interface and new services must be added to allow them out.
 +
 +
    
The Hard Disks are arranged as follows:
 
The Hard Disks are arranged as follows:
Line 105: Line 146:     
</pre>
 
</pre>
 +
[[Category: Infrastructure]]
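Review bot: The PGP block under "The ILO admin password is" does not say which key (or which people) can decrypt it, so a reader cannot tell whether they are a recipient; add a line naming the key holder(s). The heading levels in this hunk are also out of step with the rest of the page: the password heading is level 6 (======) and "Syslog and fail2ban" is level 5 (=====) directly under the level-1 "= Servers =" section, so they render as deeply nested subsections; use the next level down from the surrounding headings instead. "The VM's are setup for remote syslog." should name the syslog destination host and say whether the transport is plain UDP/TCP or TLS, and read "set up". For fail2ban, since the paragraph states that a ban on the hypervisor locks the banned address out of all VMs, document the recovery path (console via the ILO, then `fail2ban-client set <jail> unbanip <address>`) and an ignoreip entry for the admin networks, so a mistyped password from an admin workstation does not take out access to every VM.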
