Saturday, August 30, 2014

CentOS 7 : Install And Configure Nagios

Nagios is open source software for network and infrastructure monitoring. It monitors servers, switches, applications and services, alerts the system administrator when something goes wrong, and alerts again when the issue has been rectified.
With Nagios you can:
  • Monitor your entire IT infrastructure;
  • Identify problems before they occur;
  • Know immediately when problems arise;
  • Share availability data with stakeholders;
  • Detect security breaches;
  • Plan and budget for IT upgrades;
  • Reduce downtime and business losses.

Scenario

In this tutorial I am going to use the two systems described below.

Nagios server:

Operating system : CentOS 7 minimal installation
IP Address       : 192.168.1.101/24

Nagios client:

Operating System : Ubuntu 14.04
IP Address       : 192.168.1.102/24

Prerequisites

Before installing Nagios, make sure that you have a properly installed and configured LAMP stack on your server. To install and configure a LAMP server, refer to the following link.
Then install the following prerequisites. All commands should be run as the root user.
yum install gd gd-devel gcc glibc glibc-common

Install Nagios

I tested this how-to on CentOS 7 minimal server, although it should work on all RHEL 7 and its clones like Scientific Linux 7 too.
Nagios is not available in the official CentOS repositories, so add the EPEL repository to install it. To add and enable the EPEL repository, refer to the following link.
Next, install Nagios with all plugins and the Nagios agent (NRPE) using the command:
yum install nagios*

Configure Nagios

Add the admin mail address in the nagios contact file to receive alerts from nagios server.
To do that edit file /etc/nagios/objects/contacts.cfg,
vi /etc/nagios/objects/contacts.cfg
Find the following block and set the email address:
[...]
define contact{
        contact_name                    nagiosadmin             ; Short name of user
        use                             generic-contact         ; Inherit default values from generic-contact template (defined above)
        alias                           Nagios Admin            ; Full name of user

        email                           sk@unixmen.com  ; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS ******
        }
[...]
Save and close the file.
Then edit the file /etc/httpd/conf.d/nagios.conf,
vi /etc/httpd/conf.d/nagios.conf
and change the following lines if you want to allow access to the Nagios administrative console only from a particular IP range. Here, I want to allow administrative access from the 192.168.1.0/24 range only.
[...]
## Comment the following lines ##
#   Order allow,deny
#   Allow from all

## Uncomment and Change lines as shown below ##
Order deny,allow
Deny from all
Allow from 127.0.0.1 192.168.1.0/24
[...]
Set nagiosadmin password:
htpasswd /etc/nagios/passwd nagiosadmin
New password:
Re-type new password:
Updating password for user nagiosadmin
Start the nagios and httpd services and enable them to start automatically on every boot.
systemctl start nagios
systemctl restart httpd
systemctl enable nagios httpd

Access Nagios admin console

Open the Nagios administrator console at the URL http://nagios-server-ip/nagios and enter the username nagiosadmin and the password created in the earlier steps.
[Screenshot: browser login prompt]
This is how the Nagios administrative console looks:
[Screenshot: Nagios Core administrative console]
Click on the "Hosts" section in the left pane of the console. You will see the number of hosts monitored by the Nagios server. Initially, only the Nagios server itself (localhost) is monitored.
[Screenshot: Hosts view showing localhost]
Click on the monitored host to display more details:
[Screenshot: host details for localhost]

Add Monitoring targets to Nagios server

Now, let us add some clients to monitor by Nagios server. To do that we have to install nrpe and nagios-plugins in our monitoring targets.
On CentOS/RHEL/Scientific Linux clients:
As mentioned before, you have to add the EPEL repository on your CentOS/RHEL/Scientific Linux 6.x or 7 clients to install the nrpe package.
Install “nrpe” and “nagios-plugins” packages in client systems to be monitored.
yum install nrpe nagios-plugins-all openssl
On Debian/Ubuntu clients:
sudo apt-get install nagios-nrpe-server nagios-plugins

Configure Monitoring targets

Edit /etc/nagios/nrpe.cfg file,
sudo vi /etc/nagios/nrpe.cfg
Add your Nagios server ip address:
[...]
## Find the following line and add the Nagios server IP ##
allowed_hosts=127.0.0.1 192.168.1.101
[...]
Start nrpe service on CentOS clients:
service nrpe start
chkconfig nrpe on
For Debian/Ubuntu Clients, start nrpe service as shown below.
sudo /etc/init.d/nagios-nrpe-server restart
Now, go back to your Nagios server to add the clients to be monitored through nagios server.
To do that, edit the "/etc/nagios/nagios.cfg" file,
vi /etc/nagios/nagios.cfg
and uncomment the following lines.
## Find and uncomment the following line ##
cfg_dir=/etc/nagios/servers
Create a directory called “servers” under “/etc/nagios/”.
mkdir /etc/nagios/servers
Create a config file for the client to be monitored:
vi /etc/nagios/servers/clients.cfg
Add the following lines:
define host{
        use                             linux-server
        host_name                       client
        alias                           client
        address                         192.168.1.102
        max_check_attempts              5
        check_period                    24x7
        notification_interval           30
        notification_period             24x7
        }
Finally restart nagios service.
systemctl restart nagios
Now, open the Nagios admin console in the browser and navigate to the "Hosts" section in the left pane. The newly added client will be visible there. Click on the host to see whether there is anything wrong or any alert for it.
[Screenshot: Hosts view showing the new client]
Click on the monitoring target to view the detailed output:
[Screenshot: host details for the client]
In this way, you can define more clients by creating a separate config file in the "/etc/nagios/servers" directory for each client.

Define services

We have defined the monitored host. Now, let us add some services for it. For example, to monitor the SSH service, add the service definition shown below (after the host definition) in the /etc/nagios/servers/clients.cfg file.
vi /etc/nagios/servers/clients.cfg
Add the following lines:
define host{
        use                             linux-server
        host_name                       client
        alias                           client
        address                         192.168.1.102
        max_check_attempts              5
        check_period                    24x7
        notification_interval           30
        notification_period             24x7
        }

define service {
        use                             generic-service
        host_name                       client
        service_description             SSH
        check_command                   check_ssh
        notifications_enabled           0
        }
Save and close the file. Restart Nagios.
systemctl restart nagios
Now log in to Nagios web console and check for the added services. Navigate to Services section on the left side bar, you’ll see the ssh service there.
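As an added example (not part of the original tutorial), the following Python script parses object definitions in the format shown above and flags two mistakes Nagios would otherwise reject at restart: a service whose host_name matches no defined host, and a definition missing a required directive. The sample configuration inside it is constructed from this tutorial's clients.cfg plus one deliberately misspelled host_name.

```python
import re
from typing import Dict, List

# Constructed sample: this tutorial's clients.cfg plus a second service whose
# host_name is deliberately misspelled, so the checker has something to catch.
SAMPLE_CFG = """
define host{
        use                             linux-server
        host_name                       client
        alias                           client
        address                         192.168.1.102
        max_check_attempts              5
        check_period                    24x7
        notification_interval           30
        notification_period             24x7
        }

define service {
        use                             generic-service
        host_name                       client
        service_description             SSH
        check_command                   check_ssh
        notifications_enabled           0
        }

define service {
        use                             generic-service
        host_name                       cleint          ; typo: no such host
        service_description             HTTP
        check_command                   check_http
        }
"""

# One "define <type>{ ... }" block; Nagios object files never nest braces.
BLOCK_RE = re.compile(r"define\s+(\w+)\s*\{(.*?)\}", re.S)

# Directives every object of that type must carry for this check.
REQUIRED = {
    "host": ("host_name", "address"),
    "service": ("host_name", "service_description", "check_command"),
}

def parse_objects(text: str) -> List[Dict[str, str]]:
    """Turn define blocks into dicts keyed by directive (plus '_type').

    Nagios treats ';' as the start of an inline comment, and the first run of
    whitespace separates a directive name from its value."""
    objects = []
    for match in BLOCK_RE.finditer(text):
        obj = {"_type": match.group(1)}
        for raw in match.group(2).splitlines():
            line = raw.split(";", 1)[0].strip()
            if line:
                parts = line.split(None, 1)
                obj[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        objects.append(obj)
    return objects

def lint_objects(objects: List[Dict[str, str]]) -> List[str]:
    """Report missing required directives and services bound to unknown hosts."""
    problems = []
    hosts = {o["host_name"] for o in objects if o["_type"] == "host" and "host_name" in o}
    for o in objects:
        for key in REQUIRED.get(o["_type"], ()):
            if key not in o:
                problems.append(f"{o['_type']} {o.get('host_name', '?')}: missing {key}")
        if o["_type"] == "service" and o.get("host_name") not in hosts:
            problems.append(f"service {o.get('service_description')}: unknown host {o.get('host_name')!r}")
    return problems

if __name__ == "__main__":
    for problem in lint_objects(parse_objects(SAMPLE_CFG)):
        print(problem)
```

Nagios itself performs a similar pre-flight check with nagios -v /etc/nagios/nagios.cfg; running it before systemctl restart nagios catches such errors without taking monitoring down.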
To know more about object definitions such as host definitions, service definitions and contact definitions, please visit the Nagios object definitions documentation; it explains the description and format of all object definitions.
That's it. Cheers!
Friday, August 29, 2014

Squid Proxy : ACL & Content Filters Setup

Access Control Lists

The importance of access controls cannot be overstated. It is important to have a good understanding of how to control who uses Squid. When access controls are created you use two components. The first is the acl, which defines clients, IP addresses, hostnames, origin port numbers and request methods. Once these are created they are combined with rules (http_access lines) that use the acls.

The acls are created using a basic structure.
acl name type value
Here is an example which shows the name as "net", the type as "src" (the source) and the value as the network address.
acl net src 192.168.7.0/24
ACL Types
There are about 25 acl types which can be used.
src, dst, myip
Several types use ip addresses as a value.  The following three examples are all acceptable to squid.  Squid will try to calculate the subnet if it is not included, however, it is a good practice to add the correct subnet when the acl is written.
acl net src 192.168.7.0/24
acl net src 192.168.7.0/255.255.255.0
acl net src 192.168.7.0
Hostnames may be used in the acls, but this is not a good idea: Squid resolves hostnames on startup and does not repeat the DNS lookup after that, so if the address of the host changes the acl will be incorrect.
src
The src is the source or where the request is coming from.
acl myworkstation src 192.168.7.56
Here the source is the specific ip address of 192.168.7.56.
dst
dst is where the request is directed at.  One of the problems of using dst is that it must make a host lookup before it can process the request and this may take too long.  Better to use dstdomain.
myip
This type is useful only when squid will use several ip addresses.  It is used to indicate which ip address for squid to use.  This may be very useful for setting up squid so that it will listen on two separate networks with different ip addresses.
srcdomain, dstdomain, cache_host_domain
These types use domain names. Be careful with domain names because of the difference between domain names and subdomains. If the acl value begins with a "." then it is used as a wildcard and it will match the domain and all its subdomains. Without the ".", it is treated as an exact match.
acl example1 srcdomain example.com
acl example2 srcdomain .example.com
In the examples above, the acl example1 will not match mail.example.com or www.example.com because it requires an exact match. However, mail.example.com, www.example.com and example.com will all match the second acl.
The differences between dst and dstdomain
The dst type only resolves the domain one time, so if it changes you will not have the correct information. However, when using dstdomain, Squid checks it every time it is accessed, which is a safer situation.
srcdomain
The srcdomain type forces Squid to do a reverse DNS lookup to verify the IP address. If a domain is not configured correctly, Squid will not be able to complete the reverse lookup and the check will fail. This is the biggest drawback to using srcdomain.
ident, proxy_auth
These two types use usernames.
srcdom_regex, dstdom_regex, url_regex, urlpath_regex,
browser, referer_regex, ident_regex, proxy_auth_regex,
req_mime_type, rep_mime_type
^http://
This regular expression matches any URL that begins with http://.
\.jpg$
This regular expression matches any URL that ends in .jpg. The backslash is needed because an unescaped "." is itself a wildcard matching any single character.
acl net url_regex ^http://www
Squid regular expressions are case sensitive by default. To make a match case insensitive, use the -i option.
acl net url_regex -i ^http://www
port, myport
The port number is a number that is used by a service on a server or workstation to communicate with another service.
acl net port 22
acl net port 20-21
port
Ports are an area to be careful with. The best configuration will deny all ports and only allow those determined to be safe. The configuration below allows only ports 21, 80, 443, 1209 and the unregistered ports. Port 21 is used for FTP, port 80 for web services, port 443 for encrypted sites and port 1209 is a special port used for a web-based learning site. Unregistered ports (1025-65535) are used to connect to services on the Internet and are generally accepted as safe when they are outgoing ports.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https (must be a Safe_port too, or the deny below blocks it)
acl Safe_ports port 1209        # plato
acl Safe_ports port 1025-65535  # unregistered ports
http_access deny !Safe_ports
myport
Myport is used when a squid server may receive different types of requests for specific services.  For example if the squid server was accepting connections as a proxy for  users and also accepting connections as a HTTP accelerator.
acl accelerator myport 80
acl proxy myport 3128
acl net src 192.168.7.0/24
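The following Python evaluator, added here and not part of the original page, models the Squid semantics described above: src values in all three notations, exact versus leading-dot dstdomain matching, single and ranged port ACLs, and first-match http_access evaluation with ! negation and Squid's implicit default (the opposite of the last rule's action). The squid.conf fragment it loads is constructed from this page's examples.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed squid.conf fragment assembled from this page's examples.
SAMPLE_CONF = """
acl net src 192.168.7.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1209        # plato
acl Safe_ports port 1025-65535  # unregistered ports
acl example1 dstdomain example.com
acl example2 dstdomain .example.com
http_access deny !Safe_ports
http_access allow net
http_access deny all
"""

@dataclass
class Request:
    src: str          # client IP address
    dst_domain: str   # destination host name from the URL
    port: int         # destination port

@dataclass
class Squid:
    # acl name -> [(type, value), ...]; repeated acl lines with one name are OR'ed
    acls: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)
    # [(action, [acl terms]), ...] in file order; terms on one line are AND'ed
    rules: List[Tuple[str, List[str]]] = field(default_factory=list)

    def load(self, conf: str) -> "Squid":
        for raw in conf.splitlines():
            words = raw.split("#", 1)[0].split()
            if not words:
                continue
            if words[0] == "acl":
                name, typ, *values = words[1:]
                for v in values:
                    self.acls.setdefault(name, []).append((typ, v))
            elif words[0] == "http_access":
                self.rules.append((words[1], words[2:]))
        return self

    def _match_one(self, typ: str, value: str, req: Request) -> bool:
        if typ == "src":
            # strict=False accepts a.b.c.d/24, a.b.c.d/255.255.255.0 and a bare
            # host address (treated as /32; Squid's classful guessing is not modelled)
            return ipaddress.ip_address(req.src) in ipaddress.ip_network(value, strict=False)
        if typ == "dstdomain":
            if value.startswith("."):   # leading dot: the domain and every subdomain
                return req.dst_domain == value[1:] or req.dst_domain.endswith(value)
            return req.dst_domain == value  # no leading dot: exact match only
        if typ == "port":
            lo, _, hi = value.partition("-")   # "443" or "1025-65535"
            return int(lo) <= req.port <= int(hi or lo)
        raise ValueError(f"acl type {typ!r} not modelled here")

    def acl_matches(self, name: str, req: Request) -> bool:
        if name == "all":
            return True
        return any(self._match_one(t, v, req) for t, v in self.acls[name])

    def decide(self, req: Request) -> str:
        """First http_access line whose terms all match wins; '!' negates a term."""
        for action, terms in self.rules:
            if all(self.acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
                return action
        # Squid's implicit default is the opposite of the last rule's action
        if not self.rules:
            return "deny"
        return "deny" if self.rules[-1][0] == "allow" else "allow"
```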
=======================================================================

Dansguardian Content Filter

Dansguardian is a content filter that is easy to set up and configure with your preferences including the ability to scan http access with clamav.  The main concept behind content filtering is that the application will read the text, evaluate images and types of file extensions before the client has access.  This has the advantage of stopping unacceptable content before the user has access and preventing harmful file access.
sudo apt-get install dansguardian  clamav-daemon
Once Dansguardian is installed you will have a directory /etc/dansguardian that shows this content.
authplugins      dansguardian.conf    downloadmanagers  lists
contentscanners  dansguardianf1.conf  languages
The main configuration file is dansguardian.conf. This file needs to be modified so that the following line is either commented out or removed.
#UNCONFIGURED – Please remove this line after configuration
You do not need to make any other adjustments to this configuration file to get it to work. As you can see below, once you implement DansGuardian you will be using two ports: 3128 so that DansGuardian can talk to Squid, and 8080 so the client can talk to DansGuardian. The illustration shows how this works. The important implication is that you now need to point the client's proxy setting at port 8080 instead of 3128.
filterip =
# the port that DansGuardian listens to.
filterport = 8080
# the ip of the proxy (default is the loopback – i.e. this server)
proxyip = 127.0.0.1
# the port DansGuardian connects to proxy on
proxyport = 3128
You should see that the server is listening on two ports with netstat.
netstat -aunt
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
Once you have commented out the necessary line in dansguardian.conf you must restart Squid and DansGuardian. Next, adjust your client to use the correct proxy port.
Here is the client adjusted to use port 8080.
You also have the ability to scan files for virus activity with clamav.  Check to see if clamav is available with this command.
ps -ef | grep clamav 
clamav   14054     1  0 07:00 ?        00:00:00 /usr/bin/freshclam -d --quiet
clamav   14978     1  0 14:27 ?        00:00:00 /usr/sbin/clamd
Content Management
The configuration files in /etc/dansguardian, dansguardian.conf and dansguardianf1.conf, are both well commented and provide a lot of options. In dansguardian.conf you will find these commonly adjusted options.
You can either block all downloads, or follow the lists and select specific file types you will not allow to be downloaded.
blockdownloads = off
exceptionextensionlist = '/etc/dansguardian/lists/exceptionextensionlist'
exceptionmimetypelist = '/etc/dansguardian/lists/exceptionmimetypelist'
bannedextensionlist = '/etc/dansguardian/lists/bannedextensionlist'
bannedmimetypelist = '/etc/dansguardian/lists/bannedmimetypelist'
Content is rated using a numbering system, which you can adjust; once a page's score goes over the "naughtynesslimit" the content is denied. Adjust that top limit with the setting below; increase the number for greater access.
naughtynesslimit = 50
The lists directory contains files that can be adjusted to your requirements. These are text files that are easy to adjust in terms of ratings for terms, file types, etc. The files are of three types: banned lists, exception lists, and lists of terms with weights for those terms. They should be easy enough to modify as they are heavily commented.

[Quick Tips] : Firewalls

Linux Firewall Tutorials


The standard iptables firewall can be managed by using the command line or it can be managed by using a frontend like UFW.  Bridges are a powerful option to protect a network.


Zentyal : Install and Configure Zentyal Linux 3.5 as A BDC (Backup Domain Controller)

On 1st July 2014, Zentyal developers announced the release of Zentyal Linux 3.5 Community Small Business Server, a native drop-in replacement for Windows Small Business Server and Microsoft Exchange Server based on Ubuntu 14.04 LTS. This release comes with new features, the most important being a single implementation of LDAP based on Samba4 and Microsoft Outlook 2010 support, while some modules found in previous versions have been completely removed: FTP Server, Zarafa Mail, User Corner, Bandwidth Monitor, Captive Portal and L7 Filter.
Install Zentyal 3.5 Linux
Configure Zentyal 3.5 as BDC
Following the earlier topics on Zentyal 3.4 installed and used as a PDC, this tutorial concentrates on how you can configure Zentyal 3.5 Server to act as a BDC (Backup Domain Controller) for a Windows Server or a Zentyal 3.4 or 3.5 PDC by replicating the user accounts database. The installation steps are skipped, since the same procedure described for Zentyal 3.4 can be used, without setting it up as a PDC.

Requirements

  1. Download the Zentyal 3.5 Community Edition CD ISO image: http://www.zentyal.org/server/
  2. Install Zentyal 3.5 using the same procedure as described for Zentyal Linux 3.4.

Step 1: Install Required Modules for Zentyal BDC

1. After a fresh installation of Zentyal 3.5 Server, log in at the console prompt and verify your server IP address using the ifconfig command (if you use a DHCP server on your network that automatically assigns IP addresses to your hosts), so that you can log in to the Zentyal Web Administration interface.
Verify Zentyal IP Address
2. After you get your Zentyal system IP address, open a browser on a remote machine and log in to the Web Remote Admin Interface using the address https://zentyal_IP and the credentials configured for the Zentyal admin user during installation.
Login to Zentyal Web Interface
3. On the first window choose the following Zentyal packages to install so you can configure your server to act as a BDC, and hit the OK button on the next prompt.
  1. DNS Service
  2. Firewall
  3. NTP Service
  4. Network Configuration
  5. Users, Computers and File Sharing
Install Zentyal Software Packages
Confirm Zentyal Packages
4. Zentyal will start installing the required packages with their dependencies and will then reach the Network Interfaces configuration wizard. Here set up your network interface as Internal and hit the Next button to proceed.
Configure Zentyal Network Interface
5. Because you will be using Zentyal as a BDC, your network interface must be assigned a static IP address. Choose Static as the IP configuration method, provide your local static IP address, netmask and gateway and, very important, enter your Primary Domain Controller IP address (or the server responsible for DNS resolution of the PDC) in the Domain Name Server field, then click Next to continue.
Enter Network Interface Details
6. On the next stage, Users and Groups, leave the default, hit the Skip button, and the module installation will continue.
Select Default Server
7. After this step, if you configured a static IP address other than the one automatically issued by the DHCP server, you will lose browser connectivity to the Zentyal server. To log in again, go back to the browser, type the new static IP address you manually entered in step 5 and use the same credentials as before.
Re-Login to Zentyal Web Portal
8. After all modules finish installing, move to Module Status, make sure you check all modules listed, hit the Save Changes button above and click Save again on the prompt to apply the changes and start the modules.
Module Status Configuration

Step 2: Setup Zentyal 3.5 as a BDC

9. After all required modules are installed and operational, it's time to configure Zentyal 3.5 to act as a Backup Domain Controller (Additional Domain Controller) by synchronizing the user accounts database.
10. Go to System -> General -> Hostname and Domain and check your Hostname and Domain name entries: provide a descriptive hostname, like bdc, and use your main domain name in the Domain field. By default this should already have been configured during system installation when you chose your BDC server hostname.
Enter Hostname and Domain
11. Before starting to join the main domain, make sure that you have connectivity and DNS resolution to the Primary Domain Controller. First open Putty, log in to your Zentyal BDC server and edit the resolv.conf file to point to your Primary Domain Controller IP address or the DNS server address responsible for PDC name resolution.
# nano /etc/resolv.conf
This file is automatically generated by the Zentyal DNS resolver and manual changes will be overwritten after the modules restart. Replace the nameserver line with your Primary Domain Controller IP address (in this case my Zentyal PDC has the IP address 192.168.1.13; change it accordingly).
Add Primary Domain Controller DNS
12. After the file is edited, do not restart any modules; issue a ping command with your Primary Domain Controller FQDN and verify that it responds with the correct IP address (in this case my PDC FQDN is pdc.mydomain.com, a fictitious one used only locally).
# ping pdc.mydomain.com
Confirm Your Domain
13. If you want to conduct other DNS tests, go to the Zentyal Web Remote Admin tool and use the Ping and Lookup buttons with your specific PDC FQDN from the Network -> Tools menu, as presented in the screenshots below.
Network Diagnostic Tool
Verify Your Domain
Verify Domain DNS Entries
14. After the DNS tests reveal that everything is correctly configured and functional, move to the Domain -> Settings left menu and use the following settings. After you finish, hit the Change button and OK on the Domain Join notification prompt, then the upper Save Changes to apply the configuration and start importing the user accounts database from your main PDC server.
  1. Server Role = Additional Domain Controller.
  2. Domain Controller FQDN = your Primary Domain Controller FQDN.
  3. Domain DNS Server IP = your Primary Domain Controller IP Address or DNS responsible with PDC resolutions.
  4. Administrator Account = your Primary Domain Controller Administrator User.
  5. Administrator Password = your Primary Domain Controller Administrator User password.
  6. NetBIOS Domain Name = choose a domain name for NetBIOS – it can be your main domain name.
  7. Server Description = Choose a descriptive name that defines your BDC server.
Enter Domain Settings
Confirmation to Join Domain
Save Domain Changes
15. That's it! Depending on your database size the replication process can take a while. After it finishes you can go to Users and Computers -> Manage and you should see the entire Users and Computers database from the PDC completely synchronized with your Zentyal 3.5 BDC server. Use the klist command to see your domain Administrator users.
Users and Computers Database
$ klist
Check Domain Administrator Users
16. You can also check your Zentyal 3.5 BDC from a Windows based system if you have installed RSAT (Remote Server Administration Tools) by opening Active Directory Users and Computers -> Domain Controllers.
Verify Zentyal from Windows
17. As the last checks and settings, you can open DNS Manager and see that a new DNS A record has been added for your BDC server hostname with its IP address. Also open an SSH connection to your Zentyal BDC server with Putty and sync time on both domain controllers using the ntpdate command (without -d, which only runs in debug mode and does not adjust the clock).
$ sudo ntpdate -u domain.tld
Confirm New DNS Entries
Sync Time on Domain Controller
Zentyal Linux 3.5 Community Edition Server with Samba4 can fully participate in Active Directory, and once configured as a part of the domain you can use RSAT Active Directory tools from a remote location and switch FSMO roles to the AD servers on your network.

Matei Cezar

I'm a computer addicted guy, a fan of open source and Linux based system software, and have about 4 years' experience with Linux distributions (desktop and servers) and bash scripting.
