Icinga on SSL


This is intended as an introduction to implementing stronger authentication and server security, focused on the CGI web interface.

There are many ways to enhance the security of your monitoring server and Icinga environment. This should not be taken as the be-all and end-all approach to security. Instead, think of it as an introduction to some of the techniques you can use to tighten the security of your system. As always, you should do your research and use the best techniques available. Treat your monitoring server as if it were the most important server in your network and you shall be rewarded.

Additional Techniques

Stronger Authentication using Digest Authentication. If you have followed the quickstart guides, chances are that you are using Apache's Basic Authentication. Basic Authentication sends your username and password in "clear text" with every HTTP request. Consider using a more secure method of authentication such as Digest Authentication, which sends an MD5 hash of your username and password with each request instead.

Forcing TLS/SSL for all Web Communication. Apache provides TLS/SSL through the mod_ssl module. TLS/SSL provides a secure tunnel between the client and server that prevents eavesdropping and tampering using strong public-key/private-key cryptography.

Locking Down Apache Using Access Controls. Consider restricting access to the Icinga box to your IP address, IP address range, or IP subnet. If you require access from outside your network you could use a VPN or SSH tunnels. This is an easy and strong way to limit access to HTTP/HTTPS on your system.


Nagios LDAP Monitoring (works for Icinga as well)

In the commands.cfg file:

define command {
        command_name    check_ldaps
        ; plain LDAP on port 389 (LDAPS normally listens on 636)
        command_line    $USER1$/check_ldap.pl -H 192.168.0.123 -p 389
}

In your <server.cfg> file:

define service{
     use                 generic-service   ; template name, available by default
     host_name           LDAP              ; unique name of the host being monitored
     service_description LDAP Daemon       ; description of the service
     check_command       check_ldaps
}

This plugin requires the Perl Net::LDAP module to be installed. For installing the Net::LDAP CPAN module, read this post.

Download the check_ldap.pl from here.


Install Perl CPAN on CentOS: troubleshooting Net::LDAP

First we need to make sure our Perl modules are all there and up to date. We can do this easily by running

perl -MCPAN -e shell

Let it run. Answer "no" when it asks about manual configuration.

Once it stops you'll be at the cpan prompt. Type

install Bundle::CPAN

This will install many Perl modules for you. Answer "yes" to any dependency questions. When you get to the question about "libnet", answer "no". Once you are finished, hit "enter" to exit; it'll run for a few seconds more and then bring you back to the cpan prompt. For good measure, let's type

install Net::LDAP

(it should be up to date)

Installing NRPE For Icinga on Ubuntu 10.10 & CentOS 5.5

I currently have Icinga 1.2 (classic, web, and mobile) running on Ubuntu 10.10. I have a few other Linux servers that I would like to monitor as well. There is a good amount of information on installing Nagios and things to accompany it, but Icinga documentation and blogs are fewer.

The goal of this post is to document how to install NRPE on an Icinga server (Ubuntu 10.10 x64) and monitor a remote host (CentOS 5.5 x64).

I also want to give credit to two other blog posts I used to get my systems functional and for this post.

fishfood: http://www.fishfood.co.nz/2010/03/howto-install-nagios-nrpe-for-use-with.html

The Geek Stuff: http://www.thegeekstuff.com/2008/06/how-to-monitor-remote-linux-host-using-nagios-30/


Step by Step Zimbra 6.x installation on CentOS 5.x

First you need to install a fresh CentOS operating system, keeping almost everything in its default state. In this installation note I'm assuming a few things:

  • There is either a LARGE '/' partition or a LARGE '/opt' partition. Zimbra by default is installed in the /opt directory.
  • I'm also assuming that the server is not sitting behind a firewall (for example, if it's reached by port/IP forwarding from a firewall, it won't work). There are some additional tasks that can allow you to run it behind a firewall, but unfortunately I won't cover that here.
  • SELinux and the Linux firewall should be disabled for the time being.
  • You can install webmin and create your custom firewall policy/rules from there, but you can always do this later, after the Zimbra installation.

Now let's start.

First we need to shut off some services that will interfere with ZCS.


Running Zimbra on HTTPS

1. First, su to the 'zimbra' user.

2. Change to /opt/zimbra/bin/.

3. Use the following commands to enable SSL:

./zmtlsctl https
./zmcontrol restart

Now it's working like a charm. For other readers:

I can only access the web client over SSL now (but that's OK for me).

The other options are:

[mixed|both|http|https|redirect]


Setting up LDAP on Debian Distro

LDAP (Lightweight Directory Access Protocol) provides central authentication and information storage for users, groups, domains and more.

Using LDAP in a local network, you can allow your users to login and authenticate from anywhere on your network.

This tutorial is split into two parts. In the first part, I will explain how to install and configure the LDAP server and add a few users and groups; in the second part, we will set up a Linux client to authenticate through LDAP when the user does not exist on the local filesystem.

In this tutorial, I will assume that our LDAP server is located at 192.168.1.4. All machines in the network can resolve the host name ldap to 192.168.1.4. The LDAP server is going to manage the domain debuntu.local.
The server runs Debian 4 (testing, but almost stable) and the client Ubuntu Feisty 7.04.


Group-Office installation on Debian 6.x

I used the automatic installation as described in the Group-Office wiki. However, for convenience, I am quoting the contents once again:

Easy installation on a dedicated Debian or Ubuntu server

This is the easiest way of installing Group-Office. With the Debian packages everything is configured automatically and Group-Office updates will be installed automatically when you update your Debian or Ubuntu system.

Install Debian >= 5 or Ubuntu >= 8.10

Note: All the commands here use "sudo". This is necessary on Ubuntu. If you are on Debian you can use the "su" command first and execute all the commands without "sudo".

Add the following line to /etc/apt/sources.list

deb http://repos.groupoffice.eu/ threeseven main

You can do that easily by executing the following command in the terminal:

echo -e "\n## Group-Office repository\ndeb http://repos.groupoffice.eu/ threeseven main" | sudo tee -a /etc/apt/sources.list

To authenticate the packages you need to import the public key by running the following commands. In Ubuntu don't do this as root because you will have trouble with the gpg keyring permissions. On Debian you can do this as root and omit the sudo command before the apt-key add command.

gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-keys 01F1AE44

gpg --export --armor 01F1AE44 | sudo apt-key add -

Note: The keyservers are often very slow. If the keyserver doesn't respond you may try this one instead: hkp://pgp.mit.edu


Install Tomcat 6 in Debian

This article outlines a procedure for installing Tomcat 6 in Debian Lenny. Keep in mind that this does not include Apache 2 installation or integration. Apache must be installed separately and integrated to work with Tomcat.

Add the following line to the sources list:

nano /etc/apt/sources.list

deb http://ftp.debian.org/debian/ squeeze non-free

Update and install Java:

apt-get update
apt-get install sun-java6-jdk sun-java6-jre libtcnative-1

Verify the installation:

java -version

Set JAVA_HOME:

nano ~/.bashrc

Add the following at the end of the file:


Neighbour table overflow

If you have a big network with hundreds of hosts you can expect the "Neighbour table overflow" error, which occurs in large networks when there are too many ARP requests for the server to answer. For example, you're using the server as a DHCP server, for cable modem provisioning, etc.

Nov 10 03:18:17 myhost Neighbour table overflow.
Nov 10 03:18:23 myhost printk: 12 messages suppressed.

To check the current threshold level 1:

cat /proc/sys/net/ipv4/neigh/default/gc_thresh1

It will return a value such as 128, 256 or 512.

This can be raised to the next level: if the value is 128, then

set gc_thresh1 to 256, gc_thresh2 to 512 and gc_thresh3 to 1024.
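As an added example (not from the original post), a small POSIX shell script that tallies the overflow messages in a syslog excerpt, adding back the ones the kernel's rate limiter reports as suppressed, and renders the next-level gc_thresh values the post describes as sysctl.conf lines. The log lines and hostname are constructed; the live /proc read falls back to the post's example value of 128 when /proc is unavailable.

```shell
#!/bin/sh
# Constructed sample syslog excerpt (not taken from a real host).
SAMPLE_LOG='Nov 10 03:18:17 myhost Neighbour table overflow.
Nov 10 03:18:23 myhost printk: 12 messages suppressed.
Nov 10 03:18:40 myhost Neighbour table overflow.
Nov 10 03:19:02 myhost sshd[2201]: Accepted publickey for admin from 192.168.0.50'

# Count overflow events. The kernel rate-limits this message, so a
# "printk: N messages suppressed" line stands for N more occurrences.
count_overflow_events() {
  printf '%s\n' "$SAMPLE_LOG" | awk '
    /Neighbour table overflow/            { n++ }
    /printk: [0-9]+ messages suppressed/ { sub(/.*printk: /, ""); n += $1 }
    END { print n + 0 }'
}

# Given the current gc_thresh1, print the next-level gc_thresh1/2/3,
# keeping the 1:2:4 ratio from the post (128 -> 256 512 1024).
next_neigh_thresholds() {
  t1=$(( $1 * 2 ))
  echo "$t1 $(( t1 * 2 )) $(( t1 * 4 ))"
}

# Render those values as the lines you would persist in /etc/sysctl.conf.
render_sysctl_conf() {
  set -- $(next_neigh_thresholds "$1")
  printf 'net.ipv4.neigh.default.gc_thresh1 = %s\n' "$1"
  printf 'net.ipv4.neigh.default.gc_thresh2 = %s\n' "$2"
  printf 'net.ipv4.neigh.default.gc_thresh3 = %s\n' "$3"
}

# Read the live gc_thresh1 where /proc exists; otherwise assume 128
# (the post's example value) so the script still runs offline.
current_thresh1() {
  f=/proc/sys/net/ipv4/neigh/default/gc_thresh1
  [ -r "$f" ] && cat "$f" || echo 128
}

main() {
  echo "overflow events in sample log (incl. suppressed): $(count_overflow_events)"
  cur=$(current_thresh1)
  echo "current gc_thresh1: $cur; proposed settings:"
  render_sysctl_conf "$cur"
}

main
```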
