Syncing updates to guest systems

Submitted by Alan Mels on Sun, 08/27/2017 - 08:45

For the update server there is no need to install APF; just allow SSH connections only from the AG IP ranges:

  nano /etc/hosts.allow
  sshd : 24.18.207.167
  sshd : 216.218.184.96/27
  sshd : 66.160.206.192/26
  sshd : 216.218.219.80/28
  sshd : 216.218.139.240/29
  sshd : 65.49.80.96/27
  sshd : 216.218.133.16/28
  sshd : 78.47.141.96/28
  sshd : 148.251.51.172
  sshd : 144.76.49.0/28
  sshd : 136.243.118.16/28
  sshd : 192.99.185.192/28

And deny all other connections:

  nano /etc/hosts.deny
  ALL : ALL
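As an added example (not part of the original post), a small Python helper that applies libwrap's evaluation order (hosts.allow first, then hosts.deny, otherwise allow) to a daemon name and a client IP, so the allowlist above can be checked against sample addresses before the `ALL : ALL` deny rule locks everyone else out. The file contents are constructed from a subset of the ranges shown above; EXCEPT clauses and hostname patterns are assumed out of scope.

```python
# Added example: evaluate a TCP-wrappers (libwrap) policy for one client.
# hosts.allow is consulted first (match => allow), then hosts.deny
# (match => deny); no match in either file => allow. Handles daemon lists,
# the ALL wildcard, single IPv4 addresses and a.b.c.d/N networks only
# (assumption: EXCEPT clauses and hostname patterns are not modelled).
import ipaddress

# Constructed sample files (a subset of the ranges from the post).
HOSTS_ALLOW = """\
sshd : 24.18.207.167
sshd : 216.218.184.96/27
sshd : 66.160.206.192/26
"""
HOSTS_DENY = "ALL : ALL\n"


def parse_rules(text):
    """Return a list of (daemon_set, client_list) tuples, one per rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        daemon_set = {d.strip() for d in daemons.replace(",", " ").split()}
        client_list = []
        for tok in clients.replace(",", " ").split():
            # strict=False tolerates host bits set in the address part
            client_list.append("ALL" if tok == "ALL"
                               else ipaddress.ip_network(tok, strict=False))
        rules.append((daemon_set, client_list))
    return rules

def matches(rules, daemon, client_ip):
    """True if any rule names this daemon (or ALL) and covers client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for daemon_set, client_list in rules:
        if daemon in daemon_set or "ALL" in daemon_set:
            if any(net == "ALL" or addr in net for net in client_list):
                return True
    return False

def wrapper_decision(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return 'allow' or 'deny' following libwrap's evaluation order."""
    if matches(parse_rules(allow), daemon, client_ip):
        return "allow"
    if matches(parse_rules(deny), daemon, client_ip):
        return "deny"
    return "allow"  # neither file matched: libwrap's default is to permit
```

Call `wrapper_decision("sshd", "216.218.184.130")` to see that an address just outside the /27 falls through to the deny rule, and pass `deny=""` to see the permissive default when hosts.deny is empty.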

Create a user `drupdate` and then the `/home/drupdate/updates` directory with the following content.

  useradd -m drupdate
  passwd drupdate

Check the listening ports with `ss -lntu` or `netstat -tlnp` and make sure port 22 is closed and 19759 is open instead. The rules below accept 19759 and drop port 22 from every source except 216.218.184.108:

  iptables -I INPUT -p tcp --dport 19759 -j ACCEPT
  iptables -I INPUT -p tcp ! -s 216.218.184.108 --dport 22 -j DROP
  service iptables save
  service iptables restart
  iptables -S

Add the following tasks with `crontab -e` (note that `%` is special in a crontab line and must be escaped as `\%`, otherwise cron turns it into a newline and the date expansion breaks):

  30 * * * * /home/drupdate/updates/cron/every30min
  5 8 * * 0 tar cvzf /backup/updates-`date +\%Y-\%m-\%d-\%H-\%M`.tgz /home/drupdate/updates
  */1 * * * * chmod 444 /home/drupdate/updates/hourly*

Note that after the above changes are made you'll be able to SSH in only from within the AG network.