ESET: How to Enable Anti-Ransomware Module & Features


Cyberoam and Microsoft Azure

Establish IPSec VPN Connection between Cyberoam and Microsoft Azure
Applicable Version: 10.00 onwards


Microsoft Azure is a cloud computing platform and infrastructure, created by Microsoft, for building, deploying and managing applications and services through a global network of Microsoft-managed datacenters. It provides both PaaS and IaaS services and supports many different programming languages, tools and frameworks, including both Microsoft-specific and third-party software and systems.

This article describes how to configure an IPSec VPN connection between Cyberoam and virtual networks hosted on Microsoft Azure. Cyberoam allows a secure IPSec VPN connection with MS Azure, so that an organization can safely use Azure as an extension of its own network.


Establish IPSec VPN connection between Cyberoam and Microsoft Azure.


You should be registered with and have access to Microsoft Azure. For details, refer to

Azure Configuration

You can configure the VPN connection in Azure by following the steps given below.

Step 1: Create Local Network

• Sign in to your Azure Account and go to Networks > Local Networks and click Add a Local Network to create a
Local Network that represents Cyberoam LAN in the VPN connection.

• Specify Local Network Details, as shown below.

• Specify the Address Space of the LAN and click to save the Local Network.

Step 2: Create Virtual Network

• Go to Networks > Virtual Networks and click Create a Virtual Network to launch the Create Virtual Network Wizard.

• Specify the Name and Affinity Group of the Virtual Network. Click to go to the next configuration screen.

• Check Configure a site-to-site VPN and select Cyberoam_LAN, created in step 1, as the Local Network. Click to go to the next configuration screen.

• Specify the address space and subnet of the Virtual Network, and add the gateway subnet by clicking add gateway subnet and specifying the values.

• Click to save the Virtual Network.

Step 3: Add Gateway to Virtual Network

Once Virtual Network is created, click on the newly created Virtual Network and go to the Dashboard. Click Create Gateway at the bottom of the screen and select Static Routing to associate a gateway to the Virtual Network through which it would connect to Cyberoam LAN.

It takes a few minutes to create the Gateway.

Step 4: Obtain Preshared Key

Once Virtual Network is configured, obtain the Preshared Key which would be used in Cyberoam by clicking Manage Key at the bottom of the screen.

The Preshared Key to be used is displayed on the screen, as shown below.

Step 5: Create Virtual Machine to be accessed over VPN

Go to Virtual Machines and click Create a Virtual Machine.

The New tab at the bottom of the screen pops up. Select Compute > Virtual Machine > From Gallery to start the Create Virtual Machine Wizard.

• Select the Image of the Virtual Machine to be created. Here, as an example, we create a Windows Server 2012 R2 Datacenter. Click to go to the next configuration screen.

• Specify the Virtual Machine details, as shown below.

• Check Install the VM Agent and click to save the Virtual Machine.

The above configuration prepares Azure to connect to Cyberoam over VPN.

Cyberoam Configuration

After configuring the VPN connection on Azure, configure the IPSec connection in Cyberoam by following the steps given below. Configuration is done from the Cyberoam Web Admin Console using a profile that has read-write administrative rights over the relevant features.

Step 1: Create VPN Policy

Go to VPN > Policy > Policy and click Add to add a new policy.


Configure IPSec Parameters in Cyberoam’s VPN Policy to match the IPSec Parameters supported by Azure. For information on parameters supported by Azure, refer to

Parameter | Value | Description
--- | --- | ---
Name | CR_Azure | Specify a name to identify the VPN Policy.
Keying Method | Automatic | Keying Method defines how the keys for the connection are to be managed. Select the Keying Method from the available options: Automatic, Manual.
Allow Re-Keying | Disable | Enable Re-Keying to start the negotiation process automatically before key expiry.
Key Negotiation Tries | 3 | Specify the maximum number of key negotiation attempts allowed. Set 0 for an unlimited number of attempts.
Authentication Mode | Main Mode | Select the Authentication Mode, which is used for exchanging authentication information. Available options: Main Mode, Aggressive Mode.
Pass Data in Compressed Format | Enable | Enable to pass data in compressed format to increase throughput.
Perfect Forward Secrecy (PFS) | Disable | Enable to generate a new key for every negotiation on key expiry; disable to use the same key for every negotiation.
Phase 1 | |
Encryption Algorithm | 3DES | Select the encryption algorithm the communicating parties will use to protect the exchanged data in phase 1.
Authentication Algorithm | SHA1 | Select the authentication algorithm the communicating parties will use for the integrity of exchanged data in phase 1.
DH Group (Key Group) | 2 (DH1024) | Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16. The DH group specifies the key length (modulus size) used for the key exchange.
Key Life | 3600 | Specify Key Life in seconds. Key Life is the amount of time allowed to pass before the key expires.
Re-Key Margin | 120 | Specify the Re-Key Margin: the time before key expiry at which the negotiation process is started automatically, without interrupting communication.
Randomize Re-Keying Margin By | 0 | Specify the amount by which the Re-Keying time is randomized.
Dead Peer Detection | Disable | Enable to check at regular intervals whether the peer is alive.
Phase 2 | |
Encryption Algorithm | 3DES | Select the encryption algorithm the communicating parties will use to protect the exchanged data in phase 2.
Authentication Algorithm | SHA1 | Select the authentication algorithm the communicating parties will use for the integrity of exchanged data in phase 2.
PFS Group (DH Group) | Same as Phase-1 | Select one Diffie-Hellman group from 1, 2, 5, 14, 15 or 16. The DH group specifies the key length (modulus size) used for the key exchange.
Key Life | 3600 | Specify Key Life in seconds. Key Life is the amount of time allowed to pass before the key expires.

Click OK to save policy.

Step 2: Configure IPSec Connection

Go to VPN > IPSec > Connection and click Add to create a new connection using parameters given below.

Parameter | Value | Description
--- | --- | ---
Name | CR_to_Azure | Name to identify the IPSec Connection.
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host.
Policy | CR_Azure (created in step 1) | Select the policy to be used for the connection.
Action on VPN Restart | Respond Only | Select the action for the connection. Available options: Respond Only, Initiate, Disable.
Authentication details | |
Authentication Type | Preshared Key | Select the Authentication Type. Authentication of the user depends on the connection type.
Preshared Key | <As obtained from the Azure Virtual Network created above> | To obtain the Preshared Key from Azure, refer to step 4 of Azure Configuration.
Endpoints Details | |
Local | PortB | Select the local port which acts as the end-point of the tunnel.
Remote | | Specify the Gateway IP Address assigned to the Azure Virtual Network. It can be obtained from the Dashboard of the Virtual Network created in step 3 of Azure Configuration.
Local Network Details | |
Local Subnet | | Select the local LAN address. Add and remove LAN addresses using the Add and Remove buttons.
Remote Network Details | |
Remote LAN Network | | Select the IP addresses and netmask assigned to the Azure Virtual Network.

Click OK to create the connection.

Step 3: Activate IPSec Connection

Go to VPN > IPSec > Connection and click the icons under the Active and Connection headings against the CR_to_Azure connection created in step 2.

The status icon under Active indicates that the connection is successfully activated.

The status icon under Connection indicates that the connection is successfully established.

Acquire new skills on Microsoft’s cloud technologies

Dear Reader,

Expand your existing skills and acquire new skills on Microsoft’s cloud technologies including: Microsoft Office 365, Microsoft Exchange Online, Windows Azure, Windows Intune, Microsoft Hyper-V Server, Microsoft SharePoint Online, Microsoft Dynamics CRM Online, Microsoft System Center 2012 and SQL Azure.

Microsoft has made available over 30 learning resources to enable you to explore these technologies, including: eBooks, E-learning clinics, short videos (a.k.a. learning snacks), and classroom training courses.

Many of these valuable resources are free. To name a few:

  • Understanding Microsoft Virtualization Solutions (eBook)
  • Introduction to SQL Server 2012 (eBook)
  • Microsoft® Office 365: Connect and Collaborate Anywhere, Anytime (eBook)
  • Introducing Hyper-V in Windows Server 2008 R2 (learning snack)
  • SQL Server 2012: Cloud on Your Terms (learning snack)
  • Introduction to Microsoft Windows Azure Platform (learning snack)

Microsoft’s cloud-based technologies are relevant to specific job roles. Start here:

Thank you, and good luck!

Implementing Network Security Controls for CryptoLocker

What is CryptoLocker?

CryptoLocker is a Trojan horse in terms of mechanism and ransomware in terms of objective. Being a Trojan horse, it arrives in disguised forms, and once executed it starts searching for and encrypting the files present on your local hard disks, network shares or cloud storage. This means that your computer and software keep working, but your personal files, such as documents, spreadsheets and images, are encrypted.


Often, CryptoLocker arrives as a file with a double extension, such as .pdf.exe. Since Windows doesn’t display file extensions by default, this file may look like a PDF file rather than an executable.

Targets of CryptoLocker

CryptoLocker targets files with following extensions:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.


CryptoLocker then finds files that match one of these types and encrypts each file using the public encryption key.
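The two facts above (the `.pdf.exe` double-extension disguise and the list of targeted extensions) lend themselves to a simple file-listing triage. The following Python is an added example, not code from the article or from Cyberoam: it shows what Windows displays when extensions are hidden, flags names where an executable extension hides behind a document extension, and counts files whose real extension is on the targeted list. The executable-extension set and the sample listing are constructed for the example.

```python
import re

# Extensions the article lists as CryptoLocker's targets.
TARGETED_EXTENSIONS = frozenset("""
odt ods odp odm odc odb doc docx docm wps xls xlsx xlsm xlsb xlk ppt pptx pptm
mdb accdb pst dwg dxf dxg wpd rtf wb2 mdf dbf psd pdd pdf eps ai indd cdr jpg jpe
dng 3fr arw srf sr2 bay crw cr2 dcr kdc erf mef mrw nef nrw orf raf raw rwl rw2
r3d ptx pef srw x3f der cer crt pem pfx p12 p7b p7c
""".split())

# Extensions Windows executes on double-click. This set is an assumption of the
# example, not something the article lists.
EXECUTABLE_EXTENSIONS = frozenset({"exe", "scr", "com", "pif", "bat", "cmd"})


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def extensions_of(path):
    """All dotted suffixes of the file name, lower-cased.

    'Invoice.PDF.exe' -> ['pdf', 'exe']; '.bashrc' -> [] because a leading dot
    is not an extension separator.
    """
    base = basename(path).lower()
    if base.startswith("."):
        base = base[1:]
    return base.split(".")[1:]


def displayed_name(path):
    """Name as Explorer shows it with 'Hide extensions for known file types'
    enabled: the final extension is dropped, so 'Invoice.pdf.exe' is displayed
    as 'Invoice.pdf'. This is the disguise the article describes."""
    base = basename(path)
    if extensions_of(path):
        return base.rsplit(".", 1)[0]
    return base


def is_disguised_executable(path):
    """True when an executable extension hides behind a document-looking one,
    e.g. 'report.pdf.exe' or 'photo.jpg.scr'."""
    exts = extensions_of(path)
    return (len(exts) >= 2
            and exts[-1] in EXECUTABLE_EXTENSIONS
            and exts[-2] in TARGETED_EXTENSIONS)


def is_targeted(path):
    """True when the real (last) extension is one CryptoLocker encrypts."""
    exts = extensions_of(path)
    return bool(exts) and exts[-1] in TARGETED_EXTENSIONS


def triage(paths):
    """Split a listing into names to alert on, files at risk, and the rest."""
    report = {"disguised": [], "at_risk": [], "other": []}
    for p in paths:
        if is_disguised_executable(p):
            report["disguised"].append(p)
        elif is_targeted(p):
            report["at_risk"].append(p)
        else:
            report["other"].append(p)
    return report


# Constructed sample listing, not real data.
SAMPLE_LISTING = [
    r"C:\Users\alice\Downloads\Invoice_2013.PDF.exe",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Pictures\DSC_0001.cr2",
    r"C:\Users\alice\notes.txt",
    r"C:\Users\alice\.bashrc",
    r"C:\Users\alice\Downloads\photo.jpg.scr",
]

if __name__ == "__main__":
    for kind, names in triage(SAMPLE_LISTING).items():
        print(kind, [displayed_name(n) for n in names])
```

Run over a real directory listing, the `disguised` bucket is what an email gateway or endpoint sweep should alert on, while the `at_risk` count gives a rough idea of how much data a single infected workstation could reach.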

History of CryptoLocker

CryptoLocker was first discovered in the fall of 2013 and targeted computers running on Microsoft Windows. It displayed all the characteristics of a ransomware, i.e., the ability to target victims through phishing and malicious email links, encryption of user files and a notification box demanding a ransom for their return.

How it Works

CryptoLocker infects like normal malware, placing its files in Windows directories and creating registry entries that allow it to restart when you reboot. It then tries to contact its command and control (C&C) server. The malware uses a random domain name generation algorithm to find the current C&C server. Some sample CryptoLocker domains might look like this:


Once CryptoLocker contacts its C&C, it generates a public/private cryptographic key pair for your specific computer, using the strong, standard RSA (2048-bit) and AES algorithms. The private key is stored only on the attacker's C&C servers, but the public key is saved in a registry entry on your computer. CryptoLocker then uses that key pair to encrypt many different types of files on your computer.

After encrypting your files, the following screen is displayed:


So the screen will have a warning message with the time left to decrypt your data and asks for money.


The payment mechanism works as follows: on payment, the victim receives a key which unlocks the encrypted files. For those who refuse to pay before the timer expires, the corresponding private decryption key on the remote server is claimed to be deleted, leaving a real risk of losing access to the files forever.

The malware sends out system information and creates registry entries to get started after system reboots.

Modes of infection

Just like any other malware or Trojan, CryptoLocker has common modes of infection, some of which include:

–  Spam Emails

–  Infected portable data transfer devices

–  Click on an infected link

–  An infected system in the network

How can Cyberoam protect you?

Cyberoam implements network-based controls which can impact malware such as CryptoLocker. While Antivirus, Anti Spam and Web Filtering are important, the IPS engine also has the ability to block malware command & control (C&C) communications.

The following are control mechanisms you should apply in Cyberoam to protect your network from malware such as CryptoLocker:

  • Keep your operating system and software up to date with patches: This lessens the chance of malware sneaking onto your computer unnoticed through security holes. The CryptoLocker authors did not need fancy intrusion techniques in their malware because they used other malware that had already broken in to open the door for them.

Cyberoam issues maintenance releases regularly; these should be tested and installed as required.

You can find information about upgrading your Cyberoam Appliance in Upgrade Firmware of Cyberoam Appliance.


  • Secure DNS Settings: DNS settings play an important role in protecting your network from malware. In DNS settings you need to consider the following points:

     –  Reliable DNS settings: Ensure your appliance is configured with reliable, trusted DNS server settings. You can configure DNS settings in Cyberoam from Network > DNS > DNS.

     –  Secure Firewall Rule: Malware often spreads by changing DNS settings on devices to redirect users to malware-serving sites. To prevent this, lock down DNS so that devices use only approved internal servers. The advantage of using an approved internal server is that only approved forwarders on the Internet are allowed to communicate with that internal server.

  • HTTPS Inspection: Malware often uses encrypted sessions and encrypted websites. To provide the fullest coverage, you need to perform both HTTP and HTTPS inspection.

To do this successfully you will need to distribute and install the self-signed certificate, or set the appliance up as a trusted subordinate authority to your existing Enterprise Certificate Authority. Information on this can be found in the SSL CA Certificate Installation Guide at the given link.


  • Antivirus/Anti Spam Scanning: One of the ways malware enters a network is through email. This makes it important to scan not only Internet traffic but also email communication channels. To prevent this, configure the following settings in your network:

    –  Enable SMTP/SMTPS/POP3/IMAP/HTTP/HTTPS Antivirus scanning in your network: You can enable SMTP/SMTPS/POP3/HTTP/HTTPS scanning in Cyberoam to scan Internet/Web traffic, as shown in the following screenshot:

    –  Secure SMTP Email Communication: You can define rules for SMTP/S scanning in Cyberoam from Antivirus > Email > SMTP/s Scanning Rules. For more details refer to Secure SMTP Email Configuration.

    –  Configure SMTP blocking of compressed attachments and other harmful attachments: Data leakage through email is a serious threat to business operations, and Data Leakage Protection is a key necessity for any organization. As a solution, Cyberoam provides means to control the attachments in outgoing emails. Information on how to do this can be found at Blocking Email Attachments over SMTP.

    –  Configure Anti Spam with Spam, Possible Spam, Virus Outbreak and Probable Virus Outbreak content actions: You can configure these settings in Cyberoam by identifying the mentioned content in the mail and then deciding the action for such content. You can configure these settings from ANTI SPAM > Spam Rules as shown in the following screenshot:


  • Enable IPS Scanning: In the case of CryptoLocker, the IPS engine can block the download of the encryption keys, which means CryptoLocker is unable to encrypt the data on the endpoint. To achieve this, appropriate IPS policies should be implemented in Cyberoam.

Internet traffic (including encrypted HTTPS traffic) that is not monitored by the IPS is a potential exposure which can facilitate C&C communication. To close this gap, create an IPS Policy which includes Malware Communication signatures and apply it on the relevant Firewall Rule(s).


  • Web/URL Filtering

To protect your network from malware, you should filter Web/URL content as well. For Web or URL filtering related settings, keep the following points in mind:

    –  Enable Pharming Protection: This allows the appliance to protect users against pharming by re-resolving the domain name of the website using the DNS configured on the appliance.

You can enable pharming protection in Cyberoam from Web Filter > Settings > Settings; refer to the screenshot below.


      –  Filter Websites that can cause security issues: To protect your network from malware like CryptoLocker, block the following categories for all users and firewall rules:

          >  Hacking: Sites that provide information about or promote illegal or questionable access to or use of computer or communication equipment, software, or databases.

          >  Illegal/Unethical: Websites that feature information, methods, or instructions on fraudulent actions or unlawful conduct (non-violent) such as scams, counterfeiting, child abuse, tax evasion, petty theft, blackmail, etc.

          >  Phishing and Fraud: Sites gathering personal information (such as name, address, credit card number, school, or personal schedules) that may be used for malicious intent.

          >  SPAM URL: This category includes URLs that arrive in unsolicited spam emails. Spam URL content ranges from product marketing to potentially offensive or fraudulent sites.

          >  IP Address: Sites accessed directly by IP address. Blocking this category stops people from reaching websites via an IP address. This is not normal or expected user behaviour, as most people use domain names; such traffic is often not user-generated and frequently comes from malware-serving websites.

          >  Parked Domain: This category includes sites that once served content, but whose domains have been sold and are no longer registered. Parked domains do not host their own unique content, but usually redirect users to a generic page that states the domain name is for sale, or to a generic search engine and portal page, some of which provide valid search engine results. Some of these orphaned domains may redirect users to malware-serving sites.

          >  Spyware: Sites or pages that download software without the user's knowledge.
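The IP Address category above rests on one distinction: is the requested host an IP literal or a name? The Python below is an added example, not code from the article or from Cyberoam's web filter. It extracts the host from a URL (handling ports and bracketed IPv6), classifies it, and runs the check over a constructed proxy log; the sample addresses are documentation ranges (198.51.100.0/24, 2001:db8::/32) and a constructed private address. It flags every IP-literal destination, internal ones included, so internal systems that are legitimately reached by address need an explicit exemption in the web-filter or firewall policy rather than a weaker check.

```python
import ipaddress
from urllib.parse import urlsplit


def host_of(url):
    """Extract the host from a URL. A scheme is prepended when the log line
    lacks one so urlsplit treats the text as a network location. Returns None
    for URLs urlsplit rejects (for example an unterminated IPv6 bracket)."""
    if "://" not in url:
        url = "http://" + url
    try:
        return urlsplit(url).hostname  # lower-cased; port and [] brackets removed
    except ValueError:
        return None


def is_ip_literal(host):
    """True when the host is a bare IPv4 or IPv6 address rather than a name.
    A name that merely contains an address, e.g. 10.0.0.1.example.com, is a
    domain and is not matched."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url):
    """'ip-address' for a direct-IP request (the article's category), else 'domain'."""
    return "ip-address" if is_ip_literal(host_of(url)) else "domain"


def direct_ip_requests(log_lines):
    """Return (client, url) pairs from 'client url' proxy-log lines that request
    a site by IP address."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, url = line.split()[:2]
        if classify_url(url) == "ip-address":
            hits.append((client, url))
    return hits


# Constructed sample proxy log, not real traffic.
SAMPLE_PROXY_LOG = """
# client url
192.168.10.25 http://www.example.com/index.html
192.168.10.31 http://198.51.100.7:8080/gate.php
192.168.10.31 https://[2001:db8::1]/update
192.168.10.40 example.net
192.168.10.40 http://10.0.0.1.example.com/
192.168.10.40 http://192.168.10.53/
""".splitlines()

if __name__ == "__main__":
    for client, url in direct_ip_requests(SAMPLE_PROXY_LOG):
        print(f"direct-IP request from {client}: {url}")
```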


The resulting configuration is shown in the screenshot below:

In Cyberoam, you can configure the above settings from Web Filter. For more information about creating the policy and applying it to a user or firewall rule, see the Configuring Web Filter Policy article.

  • Application Filtering

Controls should be implemented to restrict undesired applications in the network. This will normally block "Torrents" and applications that "tunnel other apps" and "can bypass firewall policy"; it may also include undesired "P2P" applications. Failing to block tunneling applications and other applications that can bypass firewall rules leaves you open to communication channels that are beyond your regular control mechanisms. In Cyberoam you can configure these settings from Application Filter, by considering the Category, Risk, Characteristics and Technology of individual applications.

For more information about blocking a particular application, refer to Block P2P Applications. Other applications can be blocked in the same way.

The application filtering configuration for blocking a particular application is shown in the screenshot below:


  • GEO Blocking

Another option for controlling inbound and outbound security issues is GEO Blocking. In many situations malware and attacks can be traced to specific countries, so blocking traffic from those countries can be a precautionary measure to minimize the impact of malware. If you can identify the countries or regions with a higher concentration of suspicious traffic you can choose to block them, and you can create specific bypass rules to minimize exposure. In Cyberoam, you implement GEO blocking by creating country-based firewall rules, which let you block or manage traffic to/from a particular country or group of countries.

To implement GEO blocking in Cyberoam, first create a Country Based Host from Objects > Hosts > Country Hosts and then create a firewall rule for the country from Firewall > Rule > Rule. For more details about GEO blocking, refer to the article Creating Country based Firewall Rules.



To summarize, CryptoLocker is spreading aggressively and has infected many victims. However, Cyberoam can detect and block it using the security services and control mechanisms described above. CryptoLocker can also spread internally through network shares, which network security solutions cannot prevent. Ultimately, your best defence is awareness and vigilance.


Monitorix installation on Elastix 2.4


A small HOWTO for installing Monitorix 2.5.2 on Elastix 2.4 with CentOS 5.10.
Unfortunately the EPEL repository for CentOS 5 does not contain monitorix,
but as a fast solution that avoids compiling it from source, the following is fine.

yum install rrdtool rrdtool-perl perl-libwww-perl perl-MailTools perl-MIME-Lite perl-DBI perl-XML-Simple perl-Config-General perl-HTTP-Server-Simple perl-IO-Socket-SSL


rpm -ivh

( or use any other mirror from here … h.rpm.html )

mkdir /var/www/monitorix-cgi
cp /usr/share/monitorix/cgi-bin/monitorix.cgi /var/www/monitorix-cgi

Edit in the file /etc/httpd/conf.d/monitorix.conf
replace a line
<Directory /usr/share/monitorix/cgi-bin/>

with this
<Directory /var/www/monitorix-cgi/>

service httpd restart
service monitorix restart

Login to http://elastix-ip/monitorix

If I can make a comment about the cgi folder: a folder already exists at /var/www/cgi-bin/. To be clean, maybe change the target directory to /var/www/cgi-bin/monitorix-cgi/.

Source for this article

Elastix RAID Setup Step By Step Including Recovery


16 July, 2014/in Application Notes /by Hugo Gaibor

Taken from:

Elastix Application Note #201201091:

This document will take you step by step, screen by screen on the setup of RAID at Elastix install
time. Once you get used to the concept and method, you can setup a RAID 1 configuration in less
than a few minutes, and have a little more confidence than the “ChipSet RAID” method.

Author: Bob Fryer
Date Document Written: 9th January 2012
Date of Last Revision: 20th January 2012
Revision: 1.1
Replaces Document: N/A
Tested on Elastix Version: 2.2
Backward Compatible: Yes
Elastix Level: Beginner to Experienced
Linux Level: Intermediate to Experienced
Network Level: N/A
Latest Document Source available from:
Credits (See Document History): Shauw
Licence: GNU FDL


What is RAID?
Hardware requirements for RAID
The Concept of what we are about to commence
RAID Configuration – Setup of the partitions
RAID Setup – Populating the RAID Sets and setting Mount Points
Confirming that your RAID is working
Management of your RAID
RAID Recovery
Document History


These application notes are intended to be a guide to implement features or extend the features of the Elastix IP PBX system.

Whilst many (but not all) guides available are basically a random collection of notes, usually written while someone is implementing a feature for themselves, these guides are meant to be a more definitive guide that has been tested in a lab with specific equipment and particular versions of Elastix.

Finding information on the Internet can be haphazard due to the lack of document version control, lack of attention to software versions, and in some cases they are wrong. Then you have the cross pollination issues, where a guide has been done for another distribution, which may or may not be applicable to your Elastix system.

You will note on the front page of every Application note written in this way, will be an easy to read summary, regarding the Elastix system it was tested on, when the document was written, whether it is backward compatible, and the level of expertise needed to accomplish the implementation.

These application notes are written up and tested in a lab that has been specially setup to write these notes. This includes:

  • 5 x Elastix IP PBX Hardware with a mixture of SIP only, Digium, Sangoma, OpenVox Cards
  • 1 x WAN Simulator (including latency, jitter, random disconnects, random packet drop)
  • 8 x Consumer / Business routers, including Drayteks, Cisco 1842, Cisco 877, Linksys WRT54GL
  • 2 x IBM XSeries servers running VMware with 8 images of various versions of Elastix IP PBX
  • 1 x Standard Microsoft SBS Network providing DHCP and DNS and Mail system
  • 2 x Linux Servers

The Elastix IP PBX systems, both hardware and Virtual based have image systems to refresh the systems to limit infection from other testing. Combined with a range of Phones, which include Aastra, Linksys, Cisco, Yealink, it provides a reasonable cross section of typical systems currently in the field.

These application notes are not just done in isolation either. Behind them is over 6-7 years of commercial implementation of IP PBX systems, utilising these methods and concepts. The Lab is just used to reconfirm the implementation in a less production like environment.

How you use these application notes is entirely up to you. However, it is highly recommended that, in the first instance, you follow the notes and configurations in their entirety (except, of course, for IP addresses). If you follow them exactly, it will be easier for others to assist you when you do have an issue.


The most common hardware failure in an Elastix system is usually one of two things. Either the hard disk fails or the power supply fails, both having a mechanical aspect to their operation, more so the hard disk.

Yes you can implement a solid state hard disk, but as many have found out, these units, depending on their application, are still prone to failure. I have personally seen about 6-7 SSD failures (within their first year) to about 2 Mechanical Hard drive failures over 6 or so years (I am referring to Asterisk based systems here). The technology is good, but just not there with the confidence factor just yet.

An Elastix system with a single drive provides no redundancy in the case of a hard disk failure. Many of the lower end systems (which are great for Elastix) provide either none or poorly supported “Fake Raid”. There are various names for it, including “ChipSet Raid”, or “Onboard Raid”.

When I say poorly supported, I mean that the drivers are hard to obtain for Linux or non-existent as they are not built into Centos. Also in the event of a drive failure, there is little information on how to recover. It is more of a case of fingers crossed, I hope this does what I think it will do, especially as each chipset does it differently.

I am sure that there are exceptions, but on the whole it is advisable not to use the "onboard" RAID, as in many cases you are better off with no RAID than using it. If you really want to implement hardware RAID then use a well known and trusted RAID controller such as the PERC range, 3Ware, or one of the many other RAID controllers out there.

One of the other alternatives is to use Linux Raid or Linux Software Raid. You don’t need anything else except the Centos O/S (which is what Elastix is running on). There are plenty of documents on the Web on how to repair a broken RAID, and plenty of people who have gone before you who can assist.

This document will take you step by step, screen by screen on the setup of RAID at Elastix install time. Once you get used to the concept and method, you can setup a RAID 1 configuration in less than a few minutes, and have a little more confidence than the “ChipSet RAID” method.

What is RAID?

RAID stands for Redundant Array of Inexpensive Disks. There are various levels of RAID, and mixtures of RAID levels, each with its benefits, but there is enough documentation on RAID on the Web, and if you are interested, I recommend performing some further research as it is another subject on its own.

In this tutorial we are covering RAID 1 which is also referred to as Mirroring. In other words everything written to one drive is written to the other. This is done at the O/S level so our software e.g. Asterisk, Elastix does not have to perform any special handling.

The theory and general practice is that one drive can fail and the operating system will continue without interruption on the remaining good hard disk, allowing you to replace the faulty drive at a convenient time.

Hardware requirements for RAID

Fairly simple, two hard drives, preferably identical. One of the benefits of Linux RAID, over Hardware RAID is that the disks can be dissimilar as long as the smallest drive is what you base your partition sizes on. The Drives can be SCSI, IDE, SATA, SAS, even SSD drives.

However, whilst not as critical, it is recommended that you get into the practice of using similar drives, for any type of RAID Level.

The Concept of what we are about to commence

In a nutshell, we are going to use the partitioning tool that is part of the Elastix Installation to create three partitions on the first drive, and exactly the same partitions on the second drive.

Once we have completed this, we are then going to match each partition from both drives and bring them into a RAID Set. It is only when we bring them into the RAID set will we assign the mount points for the partitions.

Just so you can follow, this tutorial was done with two 10Gb hard drives. To perform the setup, I decided to use the following partition sizes for this system

  • 100Mb – Boot Partition (/boot)
  • 2000Mb – SWAP partition
  • 8134Mb – Root Filesystem Partition (/)

That’s all there is to it!

RAID Configuration – Setup of the partitions

Commence the Elastix install as you normally would.

When you get to the next screen, this is where we take a departure from the normal process that you may have followed before.

Normally you would have probably selected the “Remove all partitions on select drives……”. In this case however, we are going to select Custom Layout.

Before we proceed, make sure that you can see two hard drives. Take note of what their device names are, as this will matter as you move through this tutorial. In most systems you will find the hard disk device names are sda and sdb; however, depending on your system, they may differ, e.g. hda and hdb. This is not an issue, but for the purpose of this tutorial we will stay with sda and sdb. You will just need to use the correct translation for your devices.

If you don’t see two drives, then you need to go back and correct the issue. It might be you have played with the “ChipSet” RAID and left it enabled or you have a hardware issue.

Anyhow, select CREATE CUSTOM LAYOUT and select the OK button.

Your screen should look similar except that your drive sizes will differ from this example.

Click on the NEW Button and the following screen comes up:

Tab your way through each of the options. There is no need to type anything into the mount point as when you select the File System type as Software RAID, it will mark it as <Not Applicable>. Make sure that you select Allowable drives as sda only.

The reason for this is that we are only working on the sda drive at the moment. If you select sda and sdb, it will place the partition on either drive, which is not what we want.

As this will be our boot partition, we only need a size of 100 MB, and it is set as a Fixed Size.

Last thing, make sure you toggle Force to be a primary Partition.

Click OK and you should now see the following screen.

Nothing much to see, except that you now have a 100 MB partition on sda.

Click on NEW again and we are now going to setup a partition which will be the SWAP Partition.

Basically go through the same routine, except the size may vary between this tutorial and what you want to use as a swap file size. The system has 1Gb of RAM, so I have run along standard lines, which is usually the swap file partition being double that size (or thereabouts). The only other difference from the boot partition is that you do not select Force to be a Primary Partition.

Click ok and you should see the following screen. Again nothing spectacular, but it shows the two partitions that you have setup.

Click on NEW again so that we can setup the final partition on the sda drive.

Again, same routine as the last partition we set up. This partition will be our main partition, which you generally want to make as large as possible. If you have two identical disks, you could just select Fill all available Space and it will use whatever is left of the hard disk. However, I prefer to set the partition size myself, and the size I used was what was shown as remaining on the previous screen.

Click ok and you should see the next screen.

This screen shows you the partitions that you have setup, and in fact you have finished partitioning the sda hard drive.

One thing you will notice is that sda2 and sda3 have switched around, which might throw you a little. CentOS appears to “optimise” how the partitions are laid out. Don’t panic: as long as the sda and sdb partitions match each other when you are finished, you will be fine. Click on NEW again, and we run through the same thing for sdb.

You will note the same selections, except that we now only select sdb as opposed to sda in the previous three partitions. Again on this one, we mark it with Force to be a Primary Partition.

Once done click OK and you will see the following screen

I think by now you are starting to see the idea

Same as we did on the sda drive, but remember to make sure that sdb is the only allowable drive

Click OK and again check that it looks correct on the partitioning table

Click on NEW and perform the final partition on the sdb drive.

Click on OK and you should see a screen similar to the one below

Ok we have now setup the partitions and marked them as RAID Partitions. Almost there….!!

Now click on RAID and we will move onto the next chapter.

RAID Setup – Populating the RAID Sets and setting Mount Points

Very simply, this is the section where we tie everything together.

Everything is done on this screen. First of all we set a mount point, which in this case will be /boot .

It will have a file system type of EXT3, the RAID Level will be RAID1, and we need to select the partition members that will be used for this mount point, and also which partitions are the matching RAID Partitions.

So follow the settings that are on this screenshot, except for the one thing you cannot see in the screenshot, which is the list of RAID Members. When you tab across to this option, use the down arrow and you will see that it lists all six software RAID partitions:

  • sda1
  • sda2
  • sda3
  • sdb1
  • sdb2
  • sdb3

The asterisk should only be beside sda1 and sdb1 (the two matching partitions from each hard drive).

This is where the most common mistake is for first time setup of RAID, as it is not overly intuitive, but it is the most critical part.

Once you are finished, click on ok and you will see the following list, and our first RAID partition setup.

Click on RAID again and you will come to the next screen

Here we setup and assign the SWAP Partition. SWAP is not mounted, so it does not have a mount point. Leave it blank, and select the file system as SWAP. Again make sure the RAID level is RAID 1 and like before, select the RAID Members.

You will find that the RAID Members has shortened and you should now only be left with:

  • sda2
  • sda3
  • sdb2
  • sdb3

As you remember, we selected a 2000 MB partition as the SWAP partition, which after the reordering is sda3 and sdb3, so make sure the asterisk is next to those two only, and click on OK.

As you can see, we are progressing and we are almost finished.

Finally we setup the Root File system partition.

Same routine as for the /boot partition, except using / as the mount point. You will find only two partitions left, the root members, which are

  • sda2
  • sdb2

Make sure they are selected with the asterisk, and click OK and the final screen will appear

If you have the capability, I fully recommend taking a photo or a screen shot or copying the information down. It’s not necessary for general day to day, but if you have to perform a RAID repair or replace a disk the information in that screen is invaluable, and could save you making a mistake.

Now complete the Elastix install as per normal.

One thing still to do once the Elastix install has finished is to install GRUB onto the second hard drive. Without it, if the first hard drive fails, the system will not be able to boot from the surviving drive.

GRUB is not replicated to the second hard drive by the mirror, because the bootloader lives in sector 0 (the MBR) of each physical device, outside any partition and therefore outside the RAID set. It is the same bootloader you may have seen on dual-boot systems, where you choose between Windows and Linux at start-up.

There are also cases where the installer does not put GRUB on some systems, so as a precaution we install the GRUB bootloader onto both drives, not just the second one.

This is done very easily.

As soon as the Elastix install is completed and you are at the login prompt, log in as root and at the Linux prompt type grub (lower case).

And the following GRUB Shell will appear

Type each of these commands one at a time, pressing Enter after each:

grub> device (hd0) /dev/sda
grub> device (hd1) /dev/sdb
grub> root (hd0,0)
grub> setup (hd0)
grub> root (hd1,0)
grub> setup (hd1)
grub> quit

The device lines tell GRUB which disk is hd0 and which is hd1 without depending on the BIOS order. (hd0,0) and (hd1,0) are the first partition on each disk, which in this layout is the /boot member (sda1 and sdb1); setup then writes the bootloader into the MBR of the named disk. If your /boot partition ended up with a different number, adjust the root lines to match.

And now reboot

Confirming that your RAID is working

Now to confirm that you have successfully completed your RAID Setup

At the Linux prompt type

cat /proc/mdstat

and a similar screen will appear. The [UU] next to each array shows that both members are present and the mirror has finished building.

If any array shows an underscore in place of a U (for example [U_]), that array is degraded: one of its members is missing or has failed.

Depending on your hard disks and their sizes, you may find that one or more arrays are still building, and you will see the progress on the screen.

Take note that your RAID sets are now referred to as md0 through md2 (md is the kernel’s “multiple devices” driver). These names are what you use when checking status or rebuilding a RAID set.

Management of your RAID

I mentioned at the start that the tools in some of the “Chipset RAIDs” left a lot to be desired, and that’s if you can trust them. Linux software RAID has some nice tools, and the one that is available is mdadm.

For instance, I can issue the following command

mdadm --detail /dev/md0

and it will display the following screen

This command tells mdadm to provide the details and status of md0 which, if you remember from the final partition list, is our SWAP partition. It shows the state of the array, its members and the RAID level.

This is one of the first commands that you might run on each of your partitions to confirm their health.

We will also use this command to reconstruct a failed RAID set, so it is worthwhile learning what it can do.

RAID Recovery

The most common thing that will occur will be a failed hard drive. You ring the vendor, they come out and replace the drive. So you now need to rebuild the RAID.

We can perform the following command from the Linux prompt



cat /proc/mdstat

As you can see each of the MD sets are now showing (F) for failed, and you can see what has failed (in this case all the partitions on the second drive)

If I check what the system can see, I perform the following command



fdisk -l

The output shows that the sda drive is running and has a partition table, and that the system can see the second (replaced) drive, although it has no partition table yet. fdisk also reports that md0, md1 and md2 don’t contain a valid partition table, which is expected: the md devices carry filesystems directly, not partitions, so you will see that message even on a healthy system.

So the first step we need to complete is to get a copy of the partition table onto the new replacement drive.

We can do this with a single command, but check the direction before you press Enter: sfdisk -d dumps the partition table of the disk named after -d (the surviving sda), and the second sfdisk writes it to the disk given as its argument (the new sdb). Swapping the two would overwrite the partition table of the good disk.

sfdisk -d /dev/sda | sfdisk /dev/sdb

You will then see the following screen if everything is successful.

If we perform the command:



cat /proc/mdstat

We can see that the system is still degraded. Nothing is rebuilding.

We need to tell mdadm to add the new partitions to the RAID sets (-a is short for --add), which we do with the following commands:

mdadm -a /dev/md0 /dev/sdb3
mdadm -a /dev/md1 /dev/sdb1
mdadm -a /dev/md2 /dev/sdb2

This mapping follows the final partition list from the install: md0 is SWAP (sda3/sdb3), md1 is /boot (sda1/sdb1) and md2 is / (sda2/sdb2).

Be careful with the above commands. You need to precisely map the correct (original) partitions. This is part of the reason why I recommend taking a screen shot or copying the details down when you first setup your RAID. Don’t panic if you haven’t as you can extract this information using fdisk and mdadm, but you need to take your time and be confident that you have them correct.
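The checks from this chapter and the previous one, written out as a script. This is an added example and not part of the original guide: it reads an mdstat listing and reports which arrays are degraded (the [U_] case above), compares two sfdisk -d dumps so you can confirm the copied partition table matches the surviving disk before adding anything, and derives the mdadm commands for re-adding the replacement disk’s partitions from the surviving members rather than from memory. It assumes the layout built in this guide, RAID1 mirrors whose members have the same partition number on both disks, and it never touches an array itself: the commands are printed for you to review. The mdstat and sfdisk text inside it is constructed sample data; on a live system the inputs are /proc/mdstat and the output of sfdisk -d.

```sh
#!/bin/sh
# Added example for this guide, not part of the original: read an mdstat
# listing, report degraded arrays, check that the partition table copied onto a
# replacement disk matches the survivor, and derive the mdadm commands that put
# the replacement's partitions back, instead of mapping md0..md2 by hand.
# Assumptions: RAID1 mirrors whose members carry the same partition number on
# both disks (the layout built above) and a table already copied with sfdisk.
# Nothing here touches a real array; the commands are printed for review.

# Constructed sample of /proc/mdstat after the second disk (sdb) has failed.
# md1 shows the kernel having dropped the failed member entirely; the other
# two still list it with (F).
SAMPLE_MDSTAT='Personalities : [raid1]
md2 : active raid1 sda2[0] sdb2[1](F)
      8132480 blocks [2/1] [U_]

md1 : active raid1 sda1[0]
      104320 blocks [2/1] [U_]

md0 : active raid1 sda3[0] sdb3[1](F)
      2048192 blocks [2/1] [U_]

unused devices: <none>'

# mdstat_degraded: read mdstat on stdin and print "mdX [U_]" for every array
# whose status bitmap has a missing member. Exit 0 if all are [UU], 1 otherwise.
mdstat_degraded() {
    awk '
        /^md[0-9]+ :/ { name = $1 }
        /\[[U_]+\]/   { if ($NF ~ /_/) { print name, $NF; bad = 1 } }
        END           { if (bad) exit 1 }
    '
}

# mdstat_readd_cmds NEWDISK [GOODDISK]: read mdstat on stdin and, for each
# degraded array, print the mdadm command(s) that put NEWDISK's partition back.
# The partition number is taken from the surviving GOODDISK member (default
# sda). A NEWDISK member the array still lists as failed (F) is removed first,
# because mdadm will not add a device that is still a member.
mdstat_readd_cmds() {
    [ -n "$1" ] || { echo "usage: mdstat_readd_cmds NEWDISK [GOODDISK]" >&2; return 2; }
    awk -v nd="$1" -v gd="${2:-sda}" '
        /^md[0-9]+ :/ {
            name = $1; failed = ""; partnum = ""; have = 0
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^[a-z0-9]+\[[0-9]+\]/) continue    # not a member entry
                dev = $i; sub(/\[.*/, "", dev)                 # sdb3[1](F) becomes sdb3
                if ($i ~ /\(F\)/ && index(dev, nd) == 1) failed = dev
                if ($i !~ /\(F\)/ && index(dev, gd) == 1) { partnum = substr(dev, length(gd) + 1); have = 1 }
            }
        }
        /\[[U_]+\]/ && $NF ~ /_/ {
            if (failed != "") printf "mdadm /dev/%s --remove /dev/%s\n", name, failed
            if (have)          printf "mdadm /dev/%s --add /dev/%s%s\n", name, nd, partnum
        }
    '
}

# Constructed "sfdisk -d" dumps: the surviving disk, and the copy that
# "sfdisk -d /dev/sda | sfdisk /dev/sdb" should have produced on the new one.
SAMPLE_SFDISK_SDA='# partition table of /dev/sda
unit: sectors

/dev/sda1 : start=       63, size=   208782, Id=fd, bootable
/dev/sda2 : start=   208845, size= 16659405, Id=fd
/dev/sda3 : start= 16868250, size=  4096575, Id=fd
/dev/sda4 : start=        0, size=        0, Id= 0'
SAMPLE_SFDISK_SDB=$(printf '%s\n' "$SAMPLE_SFDISK_SDA" | sed 's/sda/sdb/g')

# parttab_same DUMP_A DUMP_B: true when two sfdisk -d dumps describe the same
# layout once the disk names are ignored. Run it before re-adding anything: a
# mismatch means the copy went the wrong way or landed on a different disk.
parttab_same() {
    norm='/^#/d; s#^/dev/[a-z]*##'
    [ "$(printf '%s\n' "$1" | sed "$norm")" = "$(printf '%s\n' "$2" | sed "$norm")" ]
}

# Demonstration on the constructed samples. On a live system feed the real data
# instead: "mdstat_degraded < /proc/mdstat", "mdstat_readd_cmds sdb < /proc/mdstat"
# and parttab_same "$(sfdisk -d /dev/sda)" "$(sfdisk -d /dev/sdb)".
printf '%s\n' "$SAMPLE_MDSTAT" | mdstat_degraded || echo "-> degraded arrays found"
parttab_same "$SAMPLE_SFDISK_SDA" "$SAMPLE_SFDISK_SDB" && echo "-> partition tables match"
printf '%s\n' "$SAMPLE_MDSTAT" | mdstat_readd_cmds sdb
```

Run the printed mdadm lines only after you have compared them with the partition list you recorded at install time; the script derives the mapping from the surviving members, so if the two disks were not partitioned identically the derived commands are wrong too, which is exactly what the parttab_same check is there to catch first.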

After you run them, you should see the following.

Now if you run



cat /proc/mdstat

You should see a similar screen to the one below as it commences rebuilding the RAID set.

Depending on your Hard Drive size, this can be about 10 minutes, or many hours.

It will rebuild each partition, and once it has completed each partition, it will show the familiar [UU] next to the partition.

And finally the RAID will be back online

But there is one more thing to do, especially if you have a replacement drive, and that is to install GRUB on the second drive. Start the GRUB shell with grub as before and type:

grub> device (hd1) /dev/sdb
grub> root (hd1,0)
grub> setup (hd1)
grub> quit

We know that we already have GRUB on the first disk, so we are only running the commands to install it on the second disk.

The results should be as per the following screenshot

This chapter is not meant to be a full run down on how to manage or recover from RAID issues, but to provide a quick insight on how to at least replace a failed hard drive.

Take the time to learn mdadm and what it can do for you. Mdadm can also remove a drive from a RAID set, which actually is useful for learning how to recover. There are many great guides on how to use mdadm, so take the time, have a “play”. It’s better to do it now on a pre-production system or test system, instead of on a live system.


The following trademarks are used in these guides and are required to be acknowledged.

Asterisk® is a registered trademark of DIGIUM, Inc
FreePBX® is a Registered Trademark of
Elastix® is a registered Trademark of Palosanto Solutions


Your use of these application notes is subject to the following conditions:

  • Your application of the information provided is entirely at your own risk
  • Whilst tested in a test environment, your environment may be different and the application of these notes may be totally incorrect.
  • It is up to you to test in a test environment as to the suitability of these notes.
  • You will not hold myself, or any company that I am associated with, responsible for any damages arising from the use of these notes.

Document History

Version Date Change

Version 1.0

Date: 9th Jan 2011

  • Initial Release

Version 1.1

Date: 20th Jan 2011

  • Included table of contents
  • Shaunw pointed out that clarification of the partitions changing was needed – thanks.
  • Added Document History
  • Added Trademarks

How to Clone/Backup Linux Systems Using – Mondo Rescue Disaster Recovery Tool

Mondo Rescue is a free, open source disaster recovery and backup utility that lets you create complete clone/backup ISO images of a Linux or Windows system on CD, DVD, tape, USB devices, hard disk or NFS. The images can be used to quickly restore or redeploy a working system elsewhere; in the event of data loss you can restore as much as the entire system from the backup media.

Mondo is freely available for download, released under the GNU General Public License (GPL), and has been tested on a large number of Linux distributions.

This article describes installing Mondo and using its tools to back up an entire system. Mondo Rescue is a disaster recovery and backup solution that lets system administrators take a full backup of their Linux and Windows filesystem partitions to CD/DVD, tape or NFS and restore them with the Mondo Restore feature, which runs from the backup media at boot time.

Installing MondoRescue on RHEL / CentOS / Scientific Linux

The latest Mondo Rescue packages (the current version at the time of writing is 3.0.3-1) can be obtained from the “MondoRescue Repository”. Use wget to download the repository definition and add it to your system. The Mondo repository provides the binary packages afio, buffer, mindi, mindi-busybox, mondo and mondo-doc for your distribution, where available.

For RHEL/CentOS/SL 6,5,4 – 32-Bit

Download the MondoRescue repository under “/etc/yum.repos.d/” as file name “mondorescue.repo“.

Please download correct repository for your Linux OS distribution version.

# cd /etc/yum.repos.d/

## On RHEL/CentOS/SL 6 - 32-Bit ##
# wget

## On RHEL/CentOS/SL 5 - 32-Bit ##
# wget

## On RHEL/CentOS/SL 4 - 32-Bit ##
# wget

For RHEL/CentOS/SL 6,5,4 – 64-Bit

# cd /etc/yum.repos.d/

## On RHEL/CentOS/SL 6 - 64-Bit ##
# wget

## On RHEL/CentOS/SL 5 - 64-Bit ##
# wget

## On RHEL/CentOS/SL 4 - 64-Bit ##
# wget

Once you successfully added repository, do “yum” to install latest Mondo tool.

# yum install mondo

Installing MondoRescue on Debian / Ubuntu / Linux Mint

Debian users can use wget to grab the MondoRescue repository definition for Debian 6 and 5. Run the following commands to append mondorescue.sources.list to /etc/apt/sources.list and install the Mondo packages.

On Debian

## On Debian 6 ##
# wget
# sh -c "cat mondorescue.sources.list >> /etc/apt/sources.list" 
# apt-get update 
# apt-get install mondo
## On Debian 5 ##
# wget
# sh -c "cat mondorescue.sources.list >> /etc/apt/sources.list" 
# apt-get update 
# apt-get install mondo

On Ubuntu/Linux Mint

To install Mondo Rescue on Ubuntu 12.10, 12.04, 11.10, 11.04, 10.10 and 10.04 or Linux Mint 13, open a terminal and add the MondoRescue repository to /etc/apt/sources.list.

Run the following commands to install the Mondo Rescue packages.

# wget`lsb_release -r|awk '{print $2}'`/mondorescue.sources.list
# sh -c "cat mondorescue.sources.list >> /etc/apt/sources.list" 
# apt-get update 
# apt-get install mondo

Creating Cloning or Backup ISO Image of System/Server

After installing Mondo, run the mondoarchive command as root. The screenshots that follow show how to create an ISO-based backup of your full system.

# mondoarchive

Welcome to Mondo Rescue

Mondo Rescue Welcome Screen

Please enter the full path name to the directory for your ISO Images. For example: /mnt/backup/

Mondo Rescue Storage Directory

Select the type of compression, for example bzip2, gzip or lzo.

Select Type of Compression

Select the maximum compression option.

Select Compression Speed

Please enter how large you want each ISO image to be, in MB. This should be no larger than your media: 700 for a CD-R(W), 4480 for a single-layer DVD.

Define Mondo Rescue ISO Size

Please give a name for your ISO image files. For example, tecmint produces files named tecmint-[1-9]*.iso.

Enter Name of Mondo Rescue

Please add the filesystems to back up (separated by “|”). The default, “/”, means a full backup.

Enter Backup Paths

Please list any paths you do not want backed up (separated by “|”). “/tmp” and “/proc” are always excluded, so if you want a full backup of your system just hit enter.

Enter Exclude File System

Please enter your temporary directory path or select default one.

Enter Temporary Directory Name

Please enter your scratch directory path or select default one.

Enter Scratch Directory Name

If you would like to back up extended attributes, just hit “enter”.

Enter Extended Backup Attributes

If you want to Verify your backup, after mondo has created them. Click “Yes“.

Verify Backups

If you are using a stable standalone Linux kernel, click “Yes”; if you are using another kernel, say Gentoo’s or Debian’s, hit “No”.

Select Stable Linux Kernel

Click “Yes” to proceed further.

Proceed Cloning Process

Creating a catalog of “/” filesystem.

Creating Catalog for File System

Dividing filelist into sets.

Dividing File List

Calling MINDI to create boot+data disk.

Creating Boot Data Disk

Backing up the filesystem. This may take a couple of hours, please be patient.

Backing up File System

Backing up big files.

Big Files Backup

Running “mkisofs” to make ISO Image.

Making ISO Image

Verifying ISO Image tarballs.

Verify ISO

Verifying ISO Image Big files.

Verify Big Files

Finally, Mondo Archive has completed. Hit “Enter” to return to the shell prompt.

Backup Completed

If you selected the default backup path, you will find the ISO image(s) under “/var/cache/mondo/”, which you can burn to CD/DVD for a later restore. Remember that these images are a complete copy of the system, including /etc/shadow and any private keys on it, so store and transport them with the same care as the system itself.
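The same backup the wizard walks through above, driven from the command line so it can run unattended and be checked afterwards. This is an added example, not code from the article or from the Mondo Rescue project; the destination /mnt/backup, the 4480 MB image size and the prefix host-backup are assumed values, and the sha256sum step and the file permissions are additions that mondoarchive does not do for you.

```sh
#!/bin/sh
# Added example, not from the Mondo Rescue project or the article: the same ISO
# backup the wizard above walks through, driven from the command line so it can
# run unattended, with the images checksummed and locked down afterwards.
# Assumed values: destination /mnt/backup, DVD-sized images (4480 MB) and the
# prefix "host-backup"; change them to suit the box.

# mondo_backup DEST SIZE_MB PREFIX [EXCLUDES]
#   -O backup, -i write ISO images, -d destination, -s media size, -p image
#   filename prefix, -E paths to exclude ('|' separated, as in the wizard),
#   -9 best compression, -N skip mounted network filesystems, -V verify.
# With MONDO_DRY_RUN=1 the command line is printed instead of executed.
mondo_backup() {
    dest=$1; size_mb=$2; prefix=$3; excludes=${4:-}
    case $size_mb in
        ''|*[!0-9]*) echo "size must be a whole number of MB" >&2; return 2 ;;
    esac
    # The wizard's limits: 700 for CD-R(W), 4480 for a single-layer DVD.
    [ "$size_mb" -le 4480 ] || { echo "size exceeds a single-layer DVD (4480 MB)" >&2; return 2; }
    # Always exclude the destination itself, otherwise the images being written
    # are swept into the backup of "/".
    set -- mondoarchive -Oi -d "$dest" -s "${size_mb}m" -p "$prefix" -9 -N -V \
           -E "${dest}${excludes:+|$excludes}"
    if [ "${MONDO_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    "$@" || { echo "mondoarchive failed" >&2; return 1; }
    # The images hold /etc/shadow, host keys and every private key on the
    # system: record checksums for later integrity checks and keep the files
    # readable by root only, as you would the disk they came from.
    ( cd "$dest" && sha256sum "$prefix"-*.iso > "$prefix.sha256" ) || return 1
    chmod 600 "$dest"/"$prefix"-*.iso "$dest/$prefix.sha256"
}

# Before trusting a restore medium later: cd /mnt/backup && sha256sum -c host-backup.sha256
# Run only when asked, so the file can also be sourced for the function alone.
if [ "${MONDO_RUN:-0}" = 1 ]; then
    mondo_backup /mnt/backup 4480 host-backup
fi
```

MONDO_RUN=1 sh backup.sh performs the backup; MONDO_DRY_RUN=1 shows the exact mondoarchive invocation first, which is worth doing once to confirm the exclude list and media size before the job is handed to cron.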

To restore all files automatically, boot the system from the Mondo ISO image and at the boot prompt type “nuke”. Be aware that nuke repartitions and reformats the target disks before restoring, so use it only on a machine whose disks you intend to overwrite; for a selective restore, boot with “interactive” instead.