How to specify proxy for veeam backup job? - veeam

I have one server veeam 8 backup & replication and some hosts with virtual machines. Also I installed veeam proxies (one proxy for each host) and added its into the veeam main server. How should i specify, which veeam proxy backup each job must use?
Thanks.

You can specify proxies on the "storage" page of the backup job configuration wizard. By default, "automatic selection" mode is used.

Yes, you can manually select which proxy servers to use, but I would suggest sticking to automatic selection. This will be beneficial when one proxy goes down for some reason. Thanks!

Related

MySQL, Remote connection and security

By default, when you open the bind-address to listen to the outside, the default communication between the MySQL client & server is not secured, that means anyone that can do a MitM attack can view every transactions made.
There is options out there to protect against this type of attack (SSH Tunneling or enabling SSL in MySQL) but from what I understand, Amazon RDS doesn't implement, by default, any SSL security.
So I'm wondering, when you create an RDS instance, is it like installing MySQL on a server and opening the 3306 port or am I missing something?
A few points. Firstly AWS RDS for mysql does support ssl. This is discussed here
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.SSLSupport
Second, the usual way to arrange servers in a AWS VPC is to have "private" and "public" subnets. The private subnets route to other private hosts and perhaps to other hosts in the same VPC. But they have no Elastic IPs and no direct access to the Internet Gateway. It is usual to put databases on private subnets so that their ports are not exposed
There is a nice diagram on this page showing this concept
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html
Lastly, AWS RDS exists within the philosphy of the shared responsiblity model
This tries to make it clear what security AWS services provide and what is supposed to be the responsibility of the customer
If you're creating an instance you've to also allow port 3306 to be open at your endpoints. This means you've to also configure your security settings as to which IP you've to allow for this connection. Regarding SSL security or SSH, as a good practice you should rely on ssh keys with Pass phrase.

configure couchbase xdcr with ddos protection

Because xdcr is used over the internet, it is totally possible to perform ddos attacks on those xdcr ports?
Should I do something about it? What should I do?
XDCR ports only need to be open to the other cluster nodes; so if you did use XDCR over the open internet you would typically firewall those ports to only be accessible to the remote cluster.
(Note: You would likely want to use encryption of your data if you are doing XDCR over the internet, either using XDCR-with-SSL in Couchbase 2.5 or otherwise with a VPN tunnel / private WAN.

Connect to MySql database with OpenSSL while on localhost

The MySql server and client are on the same server. In time, they will be on separate machines. We want to establish secure protocols from the get go.
Does it make sense to require SSL on database connections? Or put another way, is there any reason NOT to use SSL?
If I were you, I'd refrain from connecting to localhost, and instead connect to your local machine by using its explicit hostname. I think you're also wise to use TLS / SSL to connect in this configuration if that's what you're expecting to use when you deploy in production.
You may want to ask yourself whether that's worth the trouble, though. If your app - to - mysqld connection is on a private backend network (as it may be) using TLS / SSL may be overkill. It's called "transport layer security" and it pretty much protects against badguys intercepting data going to and from mysql. Your app system will probably have other vulnerabilities that render TLS protection uninteresting. For example, if it's a web app the mysql password is probably hardcoded in a config file someplace. If the badguy wants to look at your data, he need only grab the password and log in to the mysqld. To keep your info safe you need to keep badguys off your private network.
It's a good idea always to paramaterize the hostname, port number, and production password of your mysql database. If those things are parameterized you can then deploy to a staging or production server system simply by changing those parameters.

Google Compute Engine adding disk and SSL support

I am new to GCE. I was able to create new instance using gcutil tool and GCE console. There are few questions unclear to me and need help:
1) Does GCE provides persistent disk when a new instance is created? I think its 10GB by default, not sure though. What is the right way to stop the instance without loosing data saved on it and what will be the charge (US zone) if say I need 20GB of disk space for that?
2) If I need SSL to enable HTTPS, is there any extra step I should do? I think I will need to add firewall as per the gcutil addfirewall command and create certificate (or install it from third part) ?
1) Persistent disk is definitely the way to go if you want a root drive on which data retention is independent of the life cycle of any virtual machine. When you create a Compute Engine instance via the Google Cloud Console, the “Boot Source” pull-down menu presents the following options for your boot device:
New persistent disk from image
New persistent disk from snapshot
Existing persistent disk
Scratch disk from image (not recommended)
The default option is the first one ("New persistent disk from image"), which creates a new 10 GB PD, named after your instance name with a 'boot-' prefix. You could also separately create a persistent disk and then select the "Existing persistent disk" option (along with the name of your existing disk) to use an existing PD as a boot device. In that case, your PD needs to have been pre-loaded with an image.
Re: your question about cost of a 20 GB PD, here are the PD pricing details.
Read more about Compute Engine persistent disks.
2) You can serve SSL/HTTPS traffic from a GCE instance. As you noted, you'll need to configure a firewall to allow your incoming SSL traffic (typically port 443) and you'll need to configure https service on your web server and install your desired certificate(s).
Read more about Compute Engine networking and firewalls.
As alternative approach i would suggest deploying VMs using Bitnami. There are many stacks you can choose from. This will save you time when deploying the VM. I would suggest you go with the SSD disks, as the pricing is close between magnetic disks and SSDs, but the performance boost is huge.
As for serving the content over SSL, you need to figure out how will the requests be processed. You can use NGINX or Apache servers. In this case you would need to configure the virtual hosts for default ports - 80 for non-encrypted and 443 for SSL traffic.
The easiest way to serve SSL traffic from your VM is generate SSL certificates using the Letsencrypt service.

Hudson cmd.exe running as

Where does hudson CI get user to run the cmd.exe ?
I'm trying to start and stop some remote services on various slaves and special credentials that are different than what hudson is using are needed. I can't find a place to override the user. I've tried running the server as various users, but it doesn't change anything.
Any other ideas?
Since you want to start and stop the services on the remote machine you need to login with these credentials on the remote machine, since I haven't found a way to start and stop a service on remote machine.
There are different ways to do that. You can create a slave that runs on the remote machines with the correct credentials. You can even create more than one slave for the same machine without any issues, than you can use different credentials for the same machine. These can then fire up the net stop and net start command.
You can also use the SSH plugin. This allows you to configure pre- and post-build ssh scripts. You 'just' need and ssh server on the windows machine. The password for the connection will be stored encrypted.
Use a commad line tool. So far I haven't found a Windows on board tool to have a scripted login to the remote machine. I would use plink for that task. plink is the scripted version of putty. Putty supports different connection types. So you can also use the build in telnet service (not recommended since telnet does not encrypt the connection). Disadvantage is that you will have the password unencrypted in the job configuration.
We had a similar problem, and I resorted to using PsExec. To my advantage, our machines exist on a separate LAN, within 2 firewalls, so I was OK with unencrypted passwords floating around. I had also explored SSH w/ Putty, which seemed to work, but not straightforward.
If someone can help with single line runas command, that could work too.
You don't say how your slaves are connected to Hudson, but I'll assume it's through the "hudson slave" service, since that's probably the most popular way to connect Windows slaves.
If so, the CMD.EXE is run with the same permissions as the user running the service. This can be checked by:
1. run services.msc
2. double-click hudson-slave service
3. go to Log On tab
By default, the slave service runs as "LocalSystem", which is the most powerful account on the system. It should be able to do whatever you need it to do. (i.e. start/stop services)