January 29, 2014

Configure Nagios Monitoring

Prerequisite

Before you begin, verify your server and client configuration. From the server, test the client connection.

To set up the server, see http://magnus-k-karlsson.blogspot.se/2014/01/install-nagios-core-35-on-rhel-6-from.html.

And for the client, see http://magnus-k-karlsson.blogspot.se/2014/01/install-nagios-agent-nrpe-on-rhel-6.html

Client Nagios Plugins Configuration

First decide what you want to monitor. Then find a plugin that does the job. The standard plugins are documented at http://nagios-plugins.org/doc/man/index.html.

You can also get help for a specific plugin by executing it with the option '--help'.

After you have tested it and are satisfied, define it as a nagios command.

Restart nrpe to let the new configuration take effect.

Server Nagios Plugins Configuration

From the server, test that you can call the client nrpe command.

If this did not work, go back to the prerequisites and verify your server and client installation. If all is good, let's continue and define the nrpe command on the server.

Then we need to define a service that will run this command.

Finally you will need to define a host, if you have not already done that.

Before we restart the nagios server, you can test your new configuration.

If everything is fine, you can now restart your nagios server.

Open your nagios web admin, log in and check your new service.

January 21, 2014

The NTP Daemon on RHEL 6

Installation

Check that the NTP service is started at boot.

If not, enable it to start automatically at boot.

If NTP service is not running, start it.

Configuration

The default configuration is almost always sufficient.

Test

Check system clock against a reliable source.

January 13, 2014

Install Nagios Agent NRPE on RHEL 6 from EPEL Repository

Introduction

The Nagios Plugins are the components that do the actual monitoring work. They are all bash scripts and are located in:

To make the plugins/agents talk to the server/Nagios Core you use NRPE (Nagios Remote Plugin Executor).

Agent/Client Installation

Install the EPEL (Extra Packages for Enterprise Linux) repository. [https://fedoraproject.org/wiki/EPEL]

Install NRPE and all Nagios plugins.

Agent/Client Configuration

Add the Nagios Core server IP address.

Start the nrpe service, or restart it if you have previously started it, to let the new configuration take effect.

NRPE uses port 5666 (see /etc/nagios/nrpe.cfg) to communicate with the server, so we need to open that port in the firewall. Below are the current iptables settings for the client computer we are trying to monitor.

Open tcp port 5666 for incoming traffic.

Nagios Core Server Configuration

Install the nagios nrpe plugin on the server.

Then we need to enable it. Add the command below to the end of the file.

Before we can proceed, we need to understand how Nagios arranges items in its admin GUI.

If you look at the selected menu items to the right, I have selected:

  • Hosts
  • Services
  • Host Groups
  • Service Groups

Now if we open the main nagios configuration file, you will see a similar structure in the configuration files.

You can open /etc/nagios/objects/localhost.cfg and compare how items are arranged with the web admin GUI.

Now that we have a basic understanding of the internal configuration structure, we are going to put our new configuration file in /etc/nagios/conf.d/.

Finally, restart the nagios service and watch your new Host and Service in the web admin GUI.

If you run into problems, open the default nagios log file.

And the RHEL default log file. Also read my previous blog post on how to configure iptables and logging. [http://magnus-k-karlsson.blogspot.se/2014/01/configure-iptables-for-ftp-server-vsftp.html]
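As an added example for the client and server steps in the two Nagios posts above (not the blog's own files), the script below emits the nrpe.cfg lines for the client and the command, host and service objects for the server, and checks that the two sides agree. The client name "web01", its address 192.168.122.10 and the server address 192.168.122.5 are assumed values.

```shell
#!/bin/bash
# Added example, not the blog's own files. Emits the client and server
# configuration the Nagios posts walk through. Assumed values: monitored
# client "web01" at 192.168.122.10, Nagios server at 192.168.122.5.
CLIENT_NAME="${CLIENT_NAME:-web01}"
CLIENT_IP="${CLIENT_IP:-192.168.122.10}"
SERVER_IP="${SERVER_IP:-192.168.122.5}"
PLUGINS=/usr/lib64/nagios/plugins

# Client: lines for /etc/nagios/nrpe.cfg. allowed_hosts limits who may call
# the daemon on port 5666 and dont_blame_nrpe=0 keeps argument passing off,
# so the plugin arguments are fixed here and cannot be supplied remotely.
nrpe_client_cfg() {
  cat <<EOF
allowed_hosts=127.0.0.1,$SERVER_IP
dont_blame_nrpe=0
command[check_disk_root]=$PLUGINS/check_disk -w 20% -c 10% -p /
EOF
}

# Server: the check_nrpe command (add it only once, e.g. at the end of
# commands.cfg) plus the host and service for /etc/nagios/conf.d/$CLIENT_NAME.cfg.
nagios_server_cfg() {
  cat <<EOF
define command {
    command_name    check_nrpe
    command_line    \$USER1\$/check_nrpe -H \$HOSTADDRESS\$ -c \$ARG1\$
}
define host {
    use         linux-server
    host_name   $CLIENT_NAME
    address     $CLIENT_IP
}
define service {
    use                 generic-service
    host_name           $CLIENT_NAME
    service_description Root filesystem
    check_command       check_nrpe!check_disk_root
}
EOF
}

# Every NRPE command a service references (the text after '!') must exist in
# the client's nrpe.cfg, otherwise check_nrpe reports the command as not defined.
config_consistent() {
  local name
  for name in $(nagios_server_cfg | sed -n 's/^ *check_command *check_nrpe!//p'); do
    nrpe_client_cfg | grep -q "^command\[$name\]=" || return 1
  done
}
```

Run `nagios -v /etc/nagios/nagios.cfg` after writing the server file, then restart nagios, as the post describes.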

Install Nagios Core 3.5 on RHEL 6 from EPEL Repository

Introduction

Nagios is one of the most popular products for monitoring IT infrastructure, such as servers, networks and services.

The system overview of the Nagios modules:

  • Nagios Core - The server with the monitoring GUI.
  • NRPE (Nagios Remote Plugin Executor) - The communication handler between server and client/agent.
  • Nagios Plugins - Client or agent that does the actual monitoring, e.g. checks server load or whether a service is running.

Remember that Nagios is not supported by Red Hat, so installing Nagios from the EPEL repository is at your own risk. But the alternative, installing Nagios from source and compiling it with gcc, is not attractive either, since then you have to manually maintain the patch level you want in production. And besides, you do not want the gcc compiler installed in production, due to the security risk.

For manual installation see http://nagios.sourceforge.net/docs/3_0/quickstart-fedora.html.

Installation

Install the EPEL (Extra Packages for Enterprise Linux) repository. [https://fedoraproject.org/wiki/EPEL]

Install the Nagios Core and all plugins.

Start Nagios Server.

Start Nagios Server Web GUI.

Nagios Core Web GUI

http://localhost/nagios

username: nagiosadmin
password: nagiosadmin

To change the default password for admin, see /etc/httpd/conf.d/nagios.conf.

Reference for htpasswd - Manage user files for basic authentication. [http://httpd.apache.org/docs/2.2/programs/htpasswd.html]

Configuration Files

The Nagios main configuration file.

The Nagios Core Admin Server is built with CGI scripts.

HTTPD configuration for Nagios Core

Appendix. RPM Dependency and Installation

January 8, 2014

Virtualization with KVM on RHEL 6

Install KVM

Verify Installation

Check that kvm kernel modules are loaded. There should be two: kvm and either kvm_intel or kvm_amd.

If kvm_intel or kvm_amd is not loaded, try to load it, e.g. kvm_intel.

In my case, I received an error. And in the general RHEL log file, I received the following.

So for my HP Elite 7500 I had to enable Virtualization in the BIOS:

  1. Computer Setup
  2. Security
  3. System Security
  4. Virtualization Technology (VTx/VTd): Enable
  5. Save and reboot

NOTE: REALLY TRY TO FIX THE PROBLEM IF KVM_INTEL OR KVM_AMD IS NOT LOADED, OTHERWISE THINGS WILL GO REALLY SLOW.

Start KVM

Prerequisite RHEL DVD

The easiest way to distribute the RHEL 6 DVD is to use the ISO itself. To make it accessible for KVM, we place it under the libvirt default images folder.

Finally we need to restore the SELinux type for the ISO file.

Install Guest Virtual Machine Graphically

The easiest way is to do it graphically with Virtual Machine Manager.

If you have a kickstart file, you can press TAB here and enter the URI of the kickstart file.

Make sure you auto-start the default network. Otherwise you have to start it manually every time you boot.

Since this is a virtual server, you can fill the entire virtual disk with RHEL.

A nice feature before writing the new partition table to disk is to preview it. You do that with the option at the bottom.

Again, the RHEL installation will take the entire virtual disk, so clearing the Master Boot Record, MBR, is no problem. But if you were to install alongside other operating systems, you must have a good strategy for how they can coexist and be booted.

The most common installation for a server is Minimal, and for a client it is Desktop.

Install Guest Virtual Machine CLI

Install Guest Virtual Machine CLI with Kickstart

You can automate the entire installation process of a new virtual guest, with the help of a kickstart file.

To do this you need to extract the ISO file to, for example, an FTP server. On the FTP server

Manage Virtual Machine

List all virtual machines.

Auto start of virtual machine.

Disable auto start of virtual machine.

Stop virtual machine.

Start virtual machine.

Remove Virtual Machine

January 7, 2014

Configure iptables for FTP Server, vsftp

Server Installation

Now the ftp server is ready to be used. Let's create a simple text file in the root of the ftp server.

Configure iptables

Existing iptables rules.

First we will add a LOG rule just before the last line in the INPUT chain of iptables, which rejects the incoming traffic.

Then we try to list the root of the ftp server. This will fail, because we have not opened the ftp port in the firewall, and you will see the rejection in the log file.

Now let's open the ftp port in the firewall. We will insert the rule just before the log rule.

Now let's try to list the root again, which will still fail. Now look at the log.

You might now wonder why ftp is trying to open port 29736. The reason is that vsftp uses passive ports to communicate. To fix this we need to add the ftp filter modules to iptables. The relevant modules are found in the kernel module filter directory.

Now add those two filters to iptables.

Now save your new iptables rules and restart iptables.

And finally, try to list the content of the root on the server again; this should now work.

Scanning network for open ports with nmap command

Whenever you configure a firewall, you want to make sure afterwards that it really is configured properly, and the way to do that is to scan it. Below follow two great links that helped me.

http://www.cyberciti.biz/tips/linux-scanning-network-for-open-ports.html
 
http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/

January 6, 2014

Precaution When Working With Remote Firewall (iptables)

Configuring a remote machine's firewall can be hazardous, so here is one way of making it a little safer.

First, back up the current firewall rules.

Secondly, create a script with all your firewall rules, which are well tested. Below follows an example for a stateful firewall.

Now, with the help of the at command (a one-off job scheduler, similar to cron), we can schedule a restoration of the original firewall settings in, for example, 20 minutes, or however long you think it will take to test and verify your new firewall configuration.

You exit the at editor with Ctrl+D. Now you can list your at jobs with:

And if your firewall configuration all checks out good, you can delete the at job with:

And if it doesn't, you just have to wait 20 minutes before the old configuration is restored.

Configure Stateful Firewall

iptables Configuration Files

Contains persisted kernel filtering rules.

Contains configuration for iptables.

List iptables filtering rules

iptables -vnL --line-numbers

options:

  1. v - verbose; without it you will not see, e.g., which interface a rule applies to. Every system has at least two interfaces: loopback and eth0.
  2. n - numeric values
  3. L - list

Basic iptables

iptables divides traffic into 3 categories: INPUT, FORWARD and OUTPUT.

  1. INPUT. Is for incoming traffic.
  2. FORWARD. Is traffic passing through, typical scenario is a router.
  3. OUTPUT. Is outgoing traffic.

Each category (or formally, chain) has a default action (or formally, target): ACCEPT, DROP and REJECT are the most common.

Then for each category you define a list of rules. The list is strictly ordered, which means that if rule number 3 of 6 matches, the traversal of the list stops there and the action defined for that rule is applied.

Demo

Let's get started with an open system, where the default action is ACCEPT.

First we accept all incoming traffic to loopback interface.

ACCEPT all already established/ongoing conversations.

If you want to enable PING, add below.

Accept SSH on port 22, but only from the LAN (192.168.122.*).

If you need VNC, it works on port 5900; accept connections only from the LAN (192.168.122.*).

Finally we need to add either a REJECT or a DROP rule at the end, since our default action is to ACCEPT incoming traffic.

And the same thing goes for FORWARD.

If you made a typo above, e.g. on line number 4, you delete that row with the following.

And if you need to insert a specific rule at a specific row, e.g. line number 4, use the following.

Test

To test your firewall you can for example use nmap. Take notice though that you are not violating any policy when using a port scanning utility.

Make persistent

Write rules to /etc/sysconfig/iptables.

And if you really want to make sure that the new configuration is loaded restart iptables service.

Log

Logging firewall activity is a great way to debug your configuration. But beware: if used on a production machine connected to the Internet, you should make room for a big log partition.

I will insert the log action just before my INPUT REJECT, which for me is on line 5.

Now you can tail the default syslog log.
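The stateful rule set from the demo above and the backup-and-rollback precaution from the earlier post, combined into one added script (not the blog's own). It assumes the LAN is 192.168.122.0/24 and a 20 minute rollback window; the rules are emitted in the /etc/sysconfig/iptables (iptables-restore) format, and the LOG rule is rate limited so a port scan cannot fill the log partition.

```shell
#!/bin/bash
# Added example, not the blog's own script. "apply" backs up the live rules,
# arms an at(1) job that restores them, then loads the rules below.
# Assumptions: LAN 192.168.122.0/24, rollback after 20 minutes.
LAN="${LAN:-192.168.122.0/24}"
ROLLBACK_MIN="${ROLLBACK_MIN:-20}"

# The rule set in iptables-save format; '#' lines are ignored by iptables-restore.
firewall_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to conversations this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ping
-A INPUT -p icmp -j ACCEPT
# SSH and VNC only from the LAN
-A INPUT -s $LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s $LAN -p tcp --dport 5900 -m state --state NEW -j ACCEPT
# log (rate limited) then reject: the policy is ACCEPT, so these close the host
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT reject: "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Number of -A rules emitted; compare with 'iptables -vnL --line-numbers' after loading.
rule_count() { firewall_rules | grep -c '^-A '; }

# Save the live rules and schedule their restoration; prints the at job number
# so it can be removed with 'atrm' once the new rules have been verified.
schedule_rollback() {
  local backup="/root/iptables.backup.$(date +%s)"
  iptables-save > "$backup" || return 1
  echo "iptables-restore < $backup" | at "now + ${ROLLBACK_MIN} minutes" 2>&1 \
    | sed -n 's/^job \([0-9][0-9]*\) .*/\1/p'
}

if [ "${1:-}" = "apply" ]; then
  job=$(schedule_rollback); [ -n "$job" ] || exit 1
  echo "rollback armed as at job $job (atrm $job to cancel after testing)"
  firewall_rules | iptables-restore
  # persist with 'service iptables save' only after the at job is removed
fi
```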

January 4, 2014

How To Make a Bootable USB to Partition HDD

A great tool for partitioning a hard disk is gparted. You find a longer description here http://gparted.org/liveusb.php#linux-method-b.

In brief, the steps are the following:

  1. Download gparted-live-0.17.0-1-i486.zip from http://sourceforge.net/projects/gparted/files/gparted-live-stable/0.17.0-1/.
  2. unzip gparted-live-0.4.5-2.zip -d /media/usb/
  3. cd /media/usb/utils/linux
  4. bash makeboot.sh /dev/sdd1

Use Tree View in RHEL File Browser (Nautilus)

The default file browser mode in Nautilus is the icon view, but that view requires quite a lot of clicks to navigate your files. A better view is the tree view.

Changing to the tree view is not that obvious. One would first guess that it can be changed from the View menu, but you have to open the Preferences window.

  1. Select List View for "View new folders using".
  2. Select the Behavior tab and click "Always open in browser windows".

Finally close all Nautilus windows and restart.