Wednesday, December 29, 2010

NDOUtils installation on CentOS for Nagios

NDOUtils installation on CentOS

NDOUtils Requirements

  • GCC-C++
  • MySQL
  • MySQL-Devel
  • MySQL-Server

Installing MySQL

# yum -y install mysql mysql-devel mysql-server gcc-c++

# /etc/init.d/mysqld start

# chkconfig --add mysqld


-> make sure it's running

# ps -ef | grep mysql


-> Creating MySQL DB

mysql -u root

(no password)

#Now, inside MySQL shell

mysql> create database nagios;
Query OK, 1 row affected (0.00 sec)

mysql> show databases;
+----------+
| Database |
+----------+
| database |
| mysql    |
| nagios   |
| test     |
+----------+
4 rows in set (0.01 sec)

mysql>

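Create a username/password that has at least the following privileges for the database: SELECT, INSERT, UPDATE, DELETE. The installdb script run later creates the tables as this user, which the GRANT ALL below permits. The password set here is the one passed to installdb and stored as db_pass in ndo2db.cfg, so all three must match.

mysql> GRANT ALL ON nagios.* TO nagios@localhost IDENTIFIED BY "password";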

Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;

Query OK, 0 rows affected (0.00 sec)

mysql> quit


-> NDOUtils Install

Download and untar

# cd /usr/local/nagios/var/

# wget http://internap.dl.sourceforge.net/sourceforge/nagios/ndoutils-1.4b9.tar.gz

# tar zxfv ndoutils-1.4b9.tar.gz


-> Compiling

# cd ndoutils-1.4b9

# ./configure

# make


Look through config.log for problems.

# less config.log

(If problems, run "make clean" to blow away bad binaries)


-> Copying Binaries

ndomod

There are two different versions of the NDOMOD module that get compiled, so make sure you use the module that matches the version of Nagios you are running, and adjust the directions given below to fit the name of the module version you're using.

ndomod-2x.o = NDOMOD module for Nagios 2.x
ndomod-3x.o = NDOMOD module for Nagios 3.x (unstable)

In our CentOS example, we use the stable 2.x version:

/usr/local/nagios/var/ndoutils-1.4b9/src/ndomod-2x.o

Copy the compiled NDOMOD module to your Nagios installation:

# cp /usr/local/nagios/var/ndoutils-1.4b9/src/ndomod-2x.o /usr/local/nagios/bin/ndomod.o

ndo2db

There are two different versions of the NDO2DB daemon that get compiled, so make sure you use the daemon that matches the version of Nagios you are running, and adjust the directions given below to fit the name of the daemon you're using.

ndo2db-2x = NDO2DB daemon for Nagios 2.x
ndo2db-3x = NDO2DB daemon for Nagios 3.x (unstable)

Copy the compiled NDO2DB daemon to your Nagios installation:

# cp /usr/local/nagios/var/ndoutils-1.4b9/src/ndo2db-2x /usr/local/nagios/bin/ndo2db

-> Creating NDO database

It's time now to create the NDO MySQL tables. Run the DB installation script in the db/ subdirectory of the NDO distribution (/usr/local/nagios/var/ndoutils-1.4b9/db/ in this walkthrough) to create the necessary tables in the database.

(-u = user; -p = password; -h = name of computer; -d = MySQL DB)

# cd /usr/local/nagios/var/ndoutils-1.4b9/db

# ./installdb -u nagios -p password -h localhost -d nagios

DBD::mysql::db do failed: Table 'nagios.nagios_dbversion' doesn't exist at ./installdb line 51.

** Creating tables for version 1.4b9

Using mysql.sql for installation...

** Updating table nagios_dbversion

Done!

Later we'll need to make sure that the database name, prefix, and username/password we created and set up match the variables specified in our NDO2DB config file (which will ultimately live in /etc/nagios/).

CFG File Changes for CentOS-MySQL Environment

ndo2db.cfg

# cp /usr/local/nagios/var/ndoutils-1.4b9/config/ndo2db.cfg /usr/local/nagios/etc/

-> in ndo2db.cfg

# SOCKET TYPE
# This option determines what type of socket the daemon will create
# and accept connections from.
# Value:
#   unix = Unix domain socket (default)
#   tcp  = TCP socket
socket_type=unix
#socket_type=tcp

. . .

# SOCKET NAME
# This option determines the name and path of the UNIX domain
# socket that the daemon will create and accept connections from.
# This option is only valid if the socket type specified above
# is "unix".
socket_name=/usr/local/nagios/var/ndo.sock
#socket_name=/var/run/nagios/ndo.sock

. . .

# DATABASE USERNAME/PASSWORD
# This is the username/password that will be used to authenticate to the DB.
# The user needs at least SELECT, INSERT, UPDATE, and DELETE privileges on
# the database.
#db_user=ndouser
#db_pass=ndopassword
db_user=nagios
db_pass=password

ndomod.cfg

Copy the sample NDOMOD config file to your Nagios installation

Note: this config is not ready yet; we will need to modify it later to our environment.

# cp /usr/local/nagios/var/ndoutils-1.4b9/config/ndomod.cfg /usr/local/nagios/etc/

Add a line similar to the following to the *main* Nagios config file (usually /usr/local/nagios/etc/nagios.cfg):

nagios.cfg file (all on one line; note that the variable here is config_file, not cfg_file)

broker_module=/usr/local/nagios/bin/ndomod.o config_file=/usr/local/nagios/etc/ndomod.cfg


The config directive above will cause Nagios to load the NDOMOD event broker the next time it starts. Of course, this requires that you compiled Nagios with support for the event broker in the first place, which is not a problem if we installed via package (via RPMforge repository).

Make sure you have a line similar to the following in the *main* Nagios config file (usually /usr/local/nagios/etc/nagios.cfg):

event_broker_options=-1

That directive will cause the Nagios daemon to send data to the NDOMOD module. Without that option, NDOMOD won't get any information. Finally, make sure that the output parameter in ndomod.cfg is set to

output=/usr/local/nagios/var/ndo.sock

It's very important that the output parameter has exactly the same value as the socket_name parameter in the ndo2db.cfg file. If not, you will get this message when starting the nagios daemon.

[1192222122] ndomod: Error writing to data sink! Some output may get lost...
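
The socket_name/output match required above can be checked before Nagios is restarted. The script below is an added example, not part of NDOUtils or the original post; the function names and the constructed sample files are assumptions, and the keys are the ones shown in the configs above (output_type appears only in the sample file and is not read).

```shell
#!/bin/sh
# Added example: verify ndomod's output= points at ndo2db's socket_name=.

# cfg_value FILE KEY -> value of the last uncommented KEY= line in FILE
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# norm_path PATH -> collapse repeated slashes (//a///b compares equal to /a/b)
norm_path() {
    printf '%s\n' "$1" | sed 's|//*|/|g'
}

# check_ndo_socket NDO2DB_CFG NDOMOD_CFG
# Returns 0 when ndo2db listens on a unix socket and ndomod writes to the
# same path; prints the reason and returns 1 otherwise.
check_ndo_socket() {
    stype=$(cfg_value "$1" socket_type)
    sock=$(norm_path "$(cfg_value "$1" socket_name)")
    out=$(norm_path "$(cfg_value "$2" output)")
    if [ "$stype" != "unix" ]; then
        echo "ndo2db.cfg: socket_type is '$stype', expected unix"
        return 1
    fi
    if [ -z "$sock" ] || [ "$sock" != "$out" ]; then
        echo "mismatch: socket_name='$sock' but output='$out'"
        return 1
    fi
    echo "ok: ndomod and ndo2db both use $sock"
}

# Constructed sample configs (not the full files) so the check runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ndo2db.cfg" <<'EOF'
socket_type=unix
#socket_type=tcp
socket_name=/usr/local/nagios/var/ndo.sock
#socket_name=/var/run/nagios/ndo.sock
EOF
cat > "$demo_dir/ndomod.cfg" <<'EOF'
output_type=unixsocket
output=/var/run/nagios/ndo.sock
EOF
# Reports the mismatch that leads to "Error writing to data sink!"
check_ndo_socket "$demo_dir/ndo2db.cfg" "$demo_dir/ndomod.cfg" || true
rm -rf "$demo_dir"
```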

Start NDO2DB daemon

# /usr/local/nagios/bin/ndo2db -c /usr/local/nagios/etc/ndo2db.cfg

[root@localhost nagios]# ps -ef | grep ndo2db

nagios 26516 1 0 19:36 ? 00:00:00 ndo2db -c /etc/nagios/ndo2db.cfg

root 26536 26460 0 19:40 pts/0 00:00:00 grep ndo

[root@localhost nagios]#

restart Nagios

# /etc/init.d/nagios restart

Proof it's working:

# tail /var/log/nagios/nagios.log

[1192222138] ndomod: Successfully reconnected to data sink! 0 items lost, 68 queued items to flush.

[1192222138] ndomod: Successfully flushed 68 queued items to data sink.

Nagios and nrpe setup CentOS

Nagios and nrpe setup CentOS 5.3 :

Nagios/nrpe how to :

For this session, I am demonstrating a basic Nagios set up of nrpe.

There are two hosts involved.
1. The nagios host. (the master node; where the nagios web ui is)
2. The remote host (the node you want to monitor remotely from the master node)

Software Versions involved:
both hosts: CentOS release 5.3 (Final) (64 bit)

master node:
Nagios® Core™ Version 3.2.0
nagios.x86_64 3.2.0-1.el5.rf (yum install)

remote host:
nagios-nrpe.x86_64 2.12-1.el5.rf (yum install)

(I assume you have a basic nagios set up already - this is just to enable nrpe)

nagios host: (master)

$ sudo yum install nagios-plugins-nrpe nrpe

$ sudo chown nagios.nagios /etc/nagios/nrpe.cfg

$ sudo vi /etc/nagios/objects/commands.cfg

# add

define command{
    command_name check_nrpe
    command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}

$ sudo vi /etc/nagios/objects/myremote_host.cfg

# add

define service{
    use remote-service
    host_name example.com
    service_description Check Remote Users
    check_command check_nrpe!check_users
}

# nrpe (remote checks) syntax is check_nrpe (as defined above) ! 'command to run' (as defined on remote host, see below)

remote host: (node to be remotely monitored)
(NOTE: nagios itself should not be installed on this host)

$ sudo yum install nagios-nrpe

$ cd /etc/nagios

$ sudo chown nagios.nagios *.cfg

$ sudo vim /etc/xinetd.d/nrpe

# add

service nrpe
{
    flags           = REUSE
    type            = UNLISTED
    port            = 5666
    socket_type     = stream
    wait            = no
    user            = nagios
    group           = nagios
    server          = /usr/sbin/nrpe
    server_args     = -c /etc/nagios/nrpe.cfg --inetd
    log_on_failure  += USERID
    # was yes
    disable         = no
    # was localhost; use the master nagios host you want to connect from
    only_from       = NAGIOS_MASTER_IP
}

$ sudo vim /etc/hosts.allow

# add a rule for the same ip used in xinetd above

nrpe: NAGIOS_MASTER_IP

$ sudo vim /etc/nagios/nrpe.cfg

#allowed_hosts=127.0.0.1 #

# add same ip from xinetd above

allowed_hosts=NAGIOS_MASTER_IP

$ sudo vim /etc/services

# append this line to the file

# Local services

nrpe 5666/tcp # nrpe (nagios)

$ sudo /sbin/service nrpe start

Starting Nagios NRPE daemon (nrpe): [ OK ]

$ sudo /etc/init.d/xinetd reload

$ sudo /sbin/chkconfig --list |grep nrpe

nrpe 0:off 1:off 2:off 3:off 4:off 5:off 6:off

nrpe: off

$ sudo /sbin/chkconfig --levels 35 nrpe on

$ sudo /sbin/chkconfig --list |grep nrpe

nrpe 0:off 1:off 2:off 3:on 4:off 5:on 6:off

nrpe: off

$ netstat -an | grep 5666

tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN

ok, good, it's running

now from nagios (master) server:
(can we see it's running too?)
telnet REMOTE_HOST_WE_JUST_CONFIGURED_IP 5666

$ /usr/lib64/nagios/plugins/check_nrpe -H REMOTE_HOST_WE_JUST_CONFIGURED_IP -p5666 -c check_disk1

to add new commands to be run via nrpe, we must add those to the remote host, nrpe.cfg file:

added new test on remote host:
$ sudo vim /etc/nagios/nrpe.cfg
command[check_mapper]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /dev/sda5

test from master node:
$ /usr/lib64/nagios/plugins/check_nrpe -H REMOTE_HOST_WE_JUST_CONFIGURED_IP -p5666 -c check_mapper
DISK OK - free space: / 41180 MB (50% inode=99%);| /=40614MB;68993;77617;0;86242

helpful master node commands:
server config test:
$ sudo /usr/bin/nagios -v /etc/nagios/nagios.cfg
#start/stop/restart:
$ sudo /sbin/service nagios restart
#command line check commands against remote host:
$ /usr/lib64/nagios/plugins/check_nrpe -H REMOTE_SERVER_IP -p5666 -c check_disk1
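
The remote-host steps above restrict NRPE to the master in three places: allowed_hosts in nrpe.cfg, only_from in the xinetd service file, and /etc/hosts.allow. The script below is an added example, not part of the original post or of NRPE, that checks all three name the same address. The function names and the 192.0.2.10 sample address are assumptions, and it assumes the hosts.allow rule is written in the usual "nrpe: address" form.

```shell
#!/bin/sh
# Added example: confirm every allow-list on the remote host names the master.

# last_value FILE KEY SEP -> value after "KEY SEP" on the last uncommented
# matching line, with any trailing "# comment" and whitespace removed
last_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*$3[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tail -n 1
}

# audit_nrpe_acl MASTER_IP NRPE_CFG XINETD_FILE HOSTS_ALLOW
# Prints one line per layer whose allow-list is not exactly MASTER_IP and
# returns the number of such layers (0 means all three agree).
audit_nrpe_acl() {
    bad=0
    a=$(last_value "$2" allowed_hosts =)
    x=$(last_value "$3" only_from =)
    w=$(last_value "$4" nrpe :)
    [ "$a" = "$1" ] || { echo "nrpe.cfg: allowed_hosts='$a'"; bad=$((bad + 1)); }
    [ "$x" = "$1" ] || { echo "xinetd: only_from='$x'"; bad=$((bad + 1)); }
    [ "$w" = "$1" ] || { echo "hosts.allow: nrpe rule='$w'"; bad=$((bad + 1)); }
    return "$bad"
}

# Constructed sample files: xinetd was left at its localhost default.
demo_dir=$(mktemp -d)
printf '%s\n' '#allowed_hosts=127.0.0.1' 'allowed_hosts=192.0.2.10' \
    > "$demo_dir/nrpe.cfg"
printf '%s\n' 'service nrpe' '{' '    only_from = 127.0.0.1' '}' \
    > "$demo_dir/nrpe.xinetd"
printf '%s\n' 'nrpe: 192.0.2.10' > "$demo_dir/hosts.allow"
if audit_nrpe_acl 192.0.2.10 "$demo_dir/nrpe.cfg" "$demo_dir/nrpe.xinetd" \
        "$demo_dir/hosts.allow"; then
    echo "all three layers allow only the master"
fi
rm -rf "$demo_dir"
```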

Wednesday, December 15, 2010

Installing Nagios on CentOS

1. First we make sure these prerequisites are installed and up to date
Run these commands from a command line:
-> yum install httpd
-> yum install gcc
-> yum install glibc glibc-common
-> yum install gd gd-devel

2. Elevate to root
From command line:
-> su -

3. Create a new nagios user account and give it a password
From command line:
-> /usr/sbin/useradd -m nagios
-> passwd nagios
Type the new password twice.

4. Create a new nagcmd group for external commands
From Command line:
-> /usr/sbin/groupadd nagcmd
-> /usr/sbin/usermod -a -G nagcmd nagios
-> /usr/sbin/usermod -a -G nagcmd apache

5. Create a directory to install Nagios
From command line:
-> mkdir downloads
-> cd downloads/

6. Download source code from http://www.nagios.org/download/
These commands will download version 3.2.0 of the Core Nagios files and version 1.4.13 of the Nagios plugins.
From command line:
-> wget http://downloads.sourceforge.net/project/nagios/nagios-3.x/nagios-3.2.0/nagios-3.2.0.tar.gz?use_mirror=softlayer
-> wget http://downloads.sourceforge.net/project/nagiosplug/nagiosplug/1.4.13/nagios-plugins-1.4.13.tar.gz?use_mirror=softlayer

7. Extract and compile nagios-3.2.0.tar.gz
From Command line:
-> tar -xzvf nagios-3.2.0.tar.gz
-> cd nagios-3.2.0
-> ./configure --with-command-group=nagcmd
-> make all
-> make install
-> make install-init
-> make install-config
-> make install-commandmode

8. Edit the /usr/local/nagios/etc/objects/contacts.cfg config file. Change the email address associated with the nagiosadmin contact to the address you'd like to use for receiving alerts.
From command line:
-> vi /usr/local/nagios/etc/objects/contacts.cfg

9. Install the Nagios web config file in the Apache conf.d directory
From command line:
-> make install-webconf

10. Create a nagiosadmin account for logging into the Nagios web interface
From command line:
-> htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

11. Restart Apache
From command line:
-> service httpd restart

12. Compile and Install the Nagios Plugins
From command line:
-> cd ~/downloads/
-> tar xzf nagios-plugins-1.4.13.tar.gz
-> cd nagios-plugins-1.4.13
-> ./configure --with-nagios-user=nagios --with-nagios-group=nagios
-> make
-> make install

13. Add Nagios to the list of system services
From command line:
-> chkconfig --add nagios
-> chkconfig nagios on

14. Check for config errors
From command line:
-> /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

15. Start Nagios
From command line:
-> service nagios start

16. Login to the Web Interface using username (nagiosadmin) and password you specified earlier
From your internet browser navigate to the following URL:
http:///nagios

Saturday, August 21, 2010

Configuring BIND on CentOS 5

1. Install packages :
yum install bind bind-chroot bind-libs bind-utils caching-nameserver
2. Configure RNDC :
cd /var/named/chroot/etc
rndc-confgen > rndc.key
chown root:named rndc.key
Edit rndc.key so it looks like this (keep the secret that rndc-confgen generated for you):
key "rndckey" {
    algorithm hmac-md5;
    secret "SGsvd1dF+mv+yU4ywCCkkg==";
};
You DON’T NEED anything else in the file (you must remove some option lines!)
A symlink in /etc exists and points to the rndc.key file we’ve just created; named expects that file there in order to be able to authenticate against rndc.
3. Configure /var/named/chroot/etc/named.conf
// we include the rndckey (copy-paste from rndc.key created earlier)
key "rndckey" {
    algorithm hmac-md5;
    secret "SGsvd1dF+mv+yU4ywCCkkg==";
};

// we assume our server has the IP 192.168.254.207 serving the 192.168.10.0/24 subnet
controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
    inet 192.168.10.10 allow { 192.168.10.0/24; } keys { "rndckey"; };
};

options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";

    recursion yes;

    allow-recursion {
        127.0.0.1;
        192.168.10.0/24;
    };

    // these are the opendns servers (optional)
    forwarders {
        208.67.222.222;
        208.67.220.220;
    };

    listen-on {
        127.0.0.1;
        192.168.10.10;
    };

    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    query-source address * port 53;

    // so people can't try to guess what version you're running
    version "REFUSED";

    allow-query {
        127.0.0.1;
        192.168.10.0/24;
    };
};

server 192.168.10.10 {
    keys { rndckey; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

// forward zone
zone "example.com" IN {
    type master;
    file "data/example.zone";
    allow-update { none; };
    // we assume we have a slave dns server with the IP 192.168.10.11
    allow-transfer { 192.168.10.11; };
};

// reverse zone
zone "10.168.192.in-addr.arpa" IN {
    type master;
    file "data/192.168.10.zone";
    allow-update { none; };
    allow-transfer { 192.168.10.11; };
};
4. Our first zone
Let’s say I own the domain example.com
We create our first zone under /var/named/chroot/var/named/data/example.zone
Here’s an example :
$ttl 38400
example.com. IN SOA ns.example.com. admin.example.com. (
2007020400 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
example.com. IN NS ns.example.com.

example.com. IN MX 1 mx.example.com.
example.com. IN MX 5 mx2.example.com.

www.example.com. IN A 192.168.10.5
ns.example.com. IN A 192.168.10.10
mx.example.com. IN A 192.168.10.20
mx2.example.com. IN A 192.168.10.21
mail.example.com. IN CNAME mx.example.com.
Here’s the corresponding reverse zone under /var/named/chroot/var/named/data/192.168.10.zone :
$TTL 86400
10.168.192.in-addr.arpa. IN SOA ns.example.com. admin.example.com. (
2007032000
10800
900
604800
3600 )

10.168.192.in-addr.arpa. IN NS ns.example.com.

20.10.168.192.in-addr.arpa. IN PTR mx.example.com.
5.10.168.192.in-addr.arpa. IN PTR www.example.com.
5. Start the service and make sure it’ll start at boot
service named start
chkconfig named on
Make sure it’s running:
# rndc status
number of zones: 1
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
6. Query
# nslookup mx.example.com. 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: mx.example.com
Address: 192.168.10.20

# nslookup www.google.com. 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 216.239.59.99
Name: www.l.google.com
Address: 216.239.59.103
Name: www.l.google.com
Address: 216.239.59.104
Name: www.l.google.com
Address: 216.239.59.147
7. /etc/resolv.conf
If the query made on the previous point is working, you can set up /etc/resolv.conf on the server.
It should look like this :
search example.com
nameserver 127.0.0.1
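
The forward and reverse zones from step 4 are maintained by hand, so they drift apart easily. The script below is an added example, not part of BIND or the original post, that cross-checks the two files; run on the records above it reports that ns.example.com. and mx2.example.com. have no PTR. The function name and the constructed, abbreviated zone copies are assumptions.

```shell
#!/bin/sh
# Added example: cross-check a forward zone against its reverse zone.

# check_zone_pair FORWARD_ZONE REVERSE_ZONE
# Prints "NOPTR name ip" for each A record without a PTR pointing back to the
# same name, and "STALE name ip" for each PTR whose address has no A record.
# Assumes fully qualified owner names and an explicit IN class, as in the
# zone files above.
check_zone_pair() {
    awk -v rev="$2" '
        FILENAME == rev {                      # reverse zone is read first
            if ($2 == "IN" && $3 == "PTR") {
                split($1, l, ".")              # 20.10.168.192.in-addr.arpa.
                ptr[l[4] "." l[3] "." l[2] "." l[1]] = $4
            }
            next
        }
        $2 == "IN" && $3 == "A" {
            seen[$4] = 1
            if (!($4 in ptr) || ptr[$4] != $1) print "NOPTR", $1, $4
        }
        END {
            for (ip in ptr) if (!(ip in seen)) print "STALE", ptr[ip], ip
        }
    ' "$2" "$1"
}

# Constructed copies of the records from the two zone files above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/example.zone" <<'EOF'
www.example.com. IN A 192.168.10.5
ns.example.com. IN A 192.168.10.10
mx.example.com. IN A 192.168.10.20
mx2.example.com. IN A 192.168.10.21
mail.example.com. IN CNAME mx.example.com.
EOF
cat > "$demo_dir/192.168.10.zone" <<'EOF'
20.10.168.192.in-addr.arpa. IN PTR mx.example.com.
5.10.168.192.in-addr.arpa. IN PTR www.example.com.
EOF
check_zone_pair "$demo_dir/example.zone" "$demo_dir/192.168.10.zone"
rm -rf "$demo_dir"
```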

Wednesday, April 7, 2010

Vsftpd FTP Server With Virtual Users ( Berkeley DB + PAM )

Vsftpd supports virtual users with PAM (pluggable authentication modules). A virtual user is a login that does not exist as a real account on the system in the /etc/passwd and /etc/shadow files. Virtual users can therefore be more secure than real users, because a compromised account can only use the FTP server and cannot log in to the system to use other services such as ssh or smtp.

Required software

  • Berkeley DB (version 4) databases
  • pam_userdb.so

Install Berkeley DB And Utilities Under RHEL / CentOS

Type the following command:
# yum install db4-utils db4

Create the Virtual Users Database

To create a "db4" format file, first create a plain text file with the usernames and passwords on alternating lines. For example, create a user called "shah" with the password "shahpass" and a user called "saif" with the password "saifpass":

# cd /etc/vsftpd
# cat > vusers.txt

Sample input (user name and password on alternating lines):

shah
shahpass
saif
saifpass

Next, create the actual database file like this:

# db_load -T -t hash -f vusers.txt vsftpd-virtual-user.db
# chmod 600 vsftpd-virtual-user.db
# rm vusers.txt
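
With the commands above, vusers.txt sits in /etc/vsftpd with default permissions until it is removed, and the resulting database also holds the passwords in clear text. The script below is an added example, not part of vsftpd or the original post, that creates both files owner-only from the start; the function names and the "user:password" input format are assumptions, and db_load is called with the same options as above.

```shell
#!/bin/sh
# Added example: prepare the db_load input without leaving passwords readable.

# write_vusers OUTFILE   (reads constructed "user:password" lines on stdin)
# Writes user and password on alternating lines, the layout used for
# db_load -T above. OUTFILE is created with mode 600. Returns 1, leaving no
# file behind, on an empty field or a repeated user name.
write_vusers() {
    (
        umask 077                      # new files: owner read/write only
        rm -f -- "$1"                  # never reuse a file with wider modes
        awk -F: '
            NF == 0 { next }                        # skip blank lines
            {
                user = $1
                pass = substr($0, length($1) + 2)   # password may contain ":"
                if (user == "" || pass == "" || seen[user]++) { bad = 1; exit }
                print user
                print pass
            }
            END { exit bad }
        ' > "$1" || { rm -f -- "$1"; exit 1; }
    )
}

# build_vuser_db TXT DB -> load TXT into a hash database, then delete TXT
build_vuser_db() {
    ( umask 077; db_load -T -t hash -f "$1" "$2" ) && rm -f -- "$1"
}

# Constructed demo using the two sample users from the text.
demo_dir=$(mktemp -d)
printf '%s\n' 'shah:shahpass' 'saif:saifpass' |
    write_vusers "$demo_dir/vusers.txt"
ls -l "$demo_dir/vusers.txt"
if command -v db_load >/dev/null 2>&1; then
    build_vuser_db "$demo_dir/vusers.txt" "$demo_dir/vsftpd-virtual-user.db"
fi
rm -rf "$demo_dir"
```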

Configure VSFTPD for virtual user

Edit the vsftpd configuration file. Add or correct the following configuration options:

anonymous_enable=NO
local_enable=YES
# If enabled, virtual users will use the same privileges as local users,
# which grants them write access. By default, virtual users use the
# same privileges as anonymous users, which tends to be more restrictive
# (especially in terms of write access).
virtual_use_local_privs=YES
write_enable=YES

# Set the name of the PAM service vsftpd will use
# RHEL / centos user should use /etc/pam.d/vsftpd
pam_service_name=vsftpd.virtual

# Activates virtual users
guest_enable=YES

# Automatically generate a home directory for each virtual user, based on a template.
# For example, if the home directory of the real user specified via guest_username is
# /home/virtual/$USER, and user_sub_token is set to $USER, then when virtual user shah
# logs in, he will end up (usually chroot()'ed) in the directory /home/virtual/shah.
# This option also takes effect if local_root contains user_sub_token.
user_sub_token=$USER

# Usually this is mapped to Apache virtual hosting docroot, so that
# Users can upload files
local_root=/home/vftp/$USER

# Chroot user and lock down to their home dirs
chroot_local_user=YES

# Hide ids from user
hide_ids=YES

Save and close the file.

Create a PAM File Which Uses Your New Database

The following PAM configuration is used to authenticate users against your new database. Create /etc/pam.d/vsftpd.virtual:

# cat > /etc/pam.d/vsftpd.virtual

Append the following:

#%PAM-1.0
auth required pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
account required pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
session required pam_loginuid.so

Create The Location Of The Files

You need to set up the location of the files / dirs for the virtual users. Type the following command:

# mkdir /home/vftp
# mkdir -p /home/vftp/{shah,saif}
# chown -R ftp:ftp /home/vftp

Restart The FTP Server

Type the following command

# service vsftpd restart

Test Your Setup

Open another shell session and type:

$ ftp ftp.example.com

Sample output:

Connected to ftp.example.com.
Name (localhost:root): shah
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Sample log from /var/log/secure:

# tail -f /var/log/secure


Apr 07 14:54:28 xentest vsftpd: pam_userdb(vsftpd.virtual:auth): user 'shah' granted access