Perl script to check thread and memory usage of a Jboss server.
Usage: check_jboss_status.pl [-H
[-m
[-h
-H
-P
-a
-h
-t
(default: 80,50)
-m
(default: 80,50)
Brain's Workbench
Perl script to check thread and memory usage of a Jboss server.
Usage: check_jboss_status.pl [-H
[-m
[-h
-H
-P
-a
-h
-t
(default: 80,50)
-m
(default: 80,50)
This is intended to be an introduction for implementation of stronger authentication and server security focused around the CGI web interface.
There are many ways to enhance the security of your monitoring server and Icinga environment. This should not be taken as the end all approach to security. Instead, think of it as an introduction to some of the techniques you can use to tighten the security of your system. As always, you should do your research and use the best techniques available. Treat your monitoring server as it were the most important server in your network and you shall be rewarded.
Additional Techniques
Stronger Authentication using Digest Authentication . If you have followed the quickstart guides, chances are that you are using Apache's Basic Authentication. Basic Authentication will send your username and password in "clear text" with every http request. Consider using a more secure method of authentication such as Digest Authentication which creates a MD5 Hash of your username and password to send with each request.
Forcing TLS/SSL for all Web Communication . Apache provides TLS/SSL through the mod_ssl module. TLS/SSL provides a secure tunnel between the client and server that prevents eavesdropping and tampering using strong publickey/privatekey cryptography.
Locking Down Apache Using Access Controls . Consider locking down access to the Icinga box to your IP address, IP address range, or IP subnet. If you require access outside your network you could use VPN or SSH Tunnels. This is a easy and strong to limit access to HTTP/HTTPS on your system.
on commands.cfg file
define command {
command_name check_ldaps
command_line $USER1$/check_ldap.pl -H 192.168.0.123 -p 389
}
on your <server.cfg> file-
define service{
use generic-service ; template name, available by default
host_name LDAP ; unique name of the host being defined
service_description LDAP Daemon ; description of the host
check_command check_ldaps
}
But this plugin requires Perl Net::LDAP modules installed. For installation of Net::LDAP perl CPAN module, you read this post
perl -MCPAN -e –shell
install Bundle::CPAN
install Net::LDAP (it should be up to date)
I currently have Icigna 1.2 (classic, web, and mobile) running on Ubuntu 10.10. I have a few other Linux servers that I would like to monitor as well. There is a good amount of information on installing Nagios and things to accompany it but Icigna documentation and blogs are fewer.
The goal of this post is to document how to install NRPE on a Icinga server (Ubuntu 10.10 x64) and monitor a remote host (CentOS 5.5 x64).
I also want to give credit to two other blog posts I used to get my systems functional and for this post.
fishfood: http://www.fishfood.co.nz/2010/03/howto-install-nagios-nrpe-for-use-with.html
The Geek Stuff: http://www.thegeekstuff.com/2008/06/how-to-monitor-remote-linux-host-using-nagios-30/
First you need to install a fresh CentOS operating system, keeping almost everything as default state. In this installation note I'm assuming few things-
Now let's start.
Now we need to shutoff some services that will interfere with ZCS.
1. First you need to su as 'zimbra' user
2. go to /opt/zimbra/bin/
3. Use the following commands to enable SSL:
./zmtlsctl https
./zmcontrol restart
Now it's working like a charm. For other readers:
I can only access to webclient by SSL now (but that's ok for me).
other options are:
[mixed|both|http|https|redirect]
You have created a Web application using a JBoss application server and you are going to put it in production. Great!
But deploying your application with JBoss serving the Web requests directly may not be the optimal solution. First because the Tomcat web server embedded within JBoss is not the best server to serve static files and second because configuring Tomcat and JBoss for best performance and security is in general a complex and tedious task.
Instead, it is a good practice to use an Apache server (2.0 or 2.2) in front of your JBoss/Tomcat. This Apache server can serve static files, take care of your SSL security and manage for you all the details of HTTP headers (Expires and other headers) and more….
In a production environment, you should not put your JBoss application as a Web front-end. Instead, you should use an Apache server and configure it to redirect specific Web application requests to your J2EE server. There are many many advantages in doing this:
The Apache server can serve static files (CSS, images, javascript files) faster than JBoss/Tomcat.
When you need it, you can activate SSL on Apache without having to change your application.
The Apache SSL implementation is faster compared to the Tomcat implementation (and a lot easier to configure!).
You can have a better control of HTTP headers. No need to develop any servlet filter for that.
You can get compression out of the box. No need to develop another servlet filter either (no need to configure Tomcat connector either!).
I assume here that the Apache server is already installed with the following modules and these modules are enabled.
JBoss can add headers in the HTTP response. The X-Powered-By header exposes what implementation is behind your site. This header is created by a servlet filter that is activated by default in JBoss web configuration files (…/usr/java/jboss-4.2.2.GA/server/default/deploy/jboss-web.deployer/conf/web.xml). You can either disable this filter by commenting the following lines:
<filter>
<filter-name>CommonHeadersFilter</filter-name>
<filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
<init-param>
<param-name>X-Powered-By</param-name>
<param-value>Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5</param-value>
</init-param>
</filter>
Now update <param-value> at your wish 🙂
You find that It isn't in EPEL, and it isn't in Red Hat Optional Server 6 RHN channel, etc.
It seems that the new way forward with RHEL/Fedora world is to use mod_proxy_ajp. For example, the RH/Fedora project Spacewalk switched from mod_jk to mod_proxy_ajp.
Note that mod_proxy_ajp is a core module of Apache 2.2 and newer so this should be a rather definitive/final change in recommended connector for Tomcat and Apache.