Configurations (Linux) | Bots!

Nagios JBoss Plugin

June 25, 2012 by Rumi

Perl script to check thread and memory usage of a Jboss server.

I didn't like the Jboss checks that I've found which require Java or remote-run, so I wrote this. It's a simple check that looks at memory usage and busy threads. I did this with percentage thresholds to make it dynamic.

Usage: check_jboss_status.pl [-H ] [-P ] [-t ]
[-m ] [-a ]
[-h ]
-H The host to connect to (default: localhost)
-P The port to connect to (default: 8080)
-a The AJP ports to check for (default: 8009)
-h The HTTP ports to check for (default: 8080,8443)
-t The percentage of threads busy for warning
(default: 80,50)
-m The percentage of memory used for warning
(default: 80,50)

Icininga on SSL

June 25, 2012 by Rumi

This is intended to be an introduction for implementation of stronger authentication and server security focused around the CGI web interface.

There are many ways to enhance the security of your monitoring server and Icinga environment. This should not be taken as the end all approach to security. Instead, think of it as an introduction to some of the techniques you can use to tighten the security of your system. As always, you should do your research and use the best techniques available. Treat your monitoring server as it were the most important server in your network and you shall be rewarded.

Additional Techniques

Stronger Authentication using Digest Authentication . If you have followed the quickstart guides, chances are that you are using Apache's Basic Authentication. Basic Authentication will send your username and password in "clear text" with every http request. Consider using a more secure method of authentication such as Digest Authentication which creates a MD5 Hash of your username and password to send with each request.

Forcing TLS/SSL for all Web Communication . Apache provides TLS/SSL through the mod_ssl module. TLS/SSL provides a secure tunnel between the client and server that prevents eavesdropping and tampering using strong publickey/privatekey cryptography.

Locking Down Apache Using Access Controls . Consider locking down access to the Icinga box to your IP address, IP address range, or IP subnet. If you require access outside your network you could use VPN or SSH Tunnels. This is a easy and strong to limit access to HTTP/HTTPS on your system.

Nagios LDAP Monitoring (works for icinga as well)

June 20, 2012 by Rumi

on commands.cfg file

define command {

command_name check_ldaps

command_line $USER1$/check_ldap.pl -H 192.168.0.123 -p 389

}

on your <server.cfg> file-

define service{

use generic-service ; template name, available by default

host_name LDAP ; unique name of the host being defined

service_description LDAP Daemon ; description of the host

check_command check_ldaps

}

But this plugin requires Perl Net::LDAP modules installed. For installation of Net::LDAP perl CPAN module, you read this post

Download the check_ldap.pl from here.

Install Perl CPAN on CentOS troubleshooting Net::LDAP

June 20, 2012 by Rumi

First we need to make sure our perl modules are all there and up to date. We can do this easily by Running

perl -MCPAN -e –shell

Let it run. Answer “no” when it asks about Manual configuration.

Once it stops you'll be at the cpan prompt….type

install Bundle::CPAN

this will install many perl modules for you. Answer “yes” to any dependency questions. When you get to the question about “libnet”….answer “no”. Once you are finished…hit “enter” to exit….it'll run for a few seconds more and then bring you back to the cpan prompt. For good measure let's type

install Net::LDAP (it should be up to date)

Installing NRPE For Icinga on Ubuntu 10.10 & CentOS 5.5

June 11, 2012 by Rumi

I currently have Icigna 1.2 (classic, web, and mobile) running on Ubuntu 10.10. I have a few other Linux servers that I would like to monitor as well. There is a good amount of information on installing Nagios and things to accompany it but Icigna documentation and blogs are fewer.

The goal of this post is to document how to install NRPE on a Icinga server (Ubuntu 10.10 x64) and monitor a remote host (CentOS 5.5 x64).

I also want to give credit to two other blog posts I used to get my systems functional and for this post.

fishfood: http://www.fishfood.co.nz/2010/03/howto-install-nagios-nrpe-for-use-with.html

The Geek Stuff: http://www.thegeekstuff.com/2008/06/how-to-monitor-remote-linux-host-using-nagios-30/

Step by Step Zimbra 6.x installation on CetOS 5.x

June 11, 2012 by Rumi

First you need to install a fresh CentOS operating system, keeping almost everything as default state. In this installation note I'm assuming few things-

There is either a LARGE '/' partion or a LARGE '/opt' partition. Zimbra by default is installed on /opt directory
I'm also assuming that the server is not sitting beehind a firewall (for example if it's reched by port/ip forwarding from firewall, it won't work). But there are some additional tasks that can allow you to run it behind a firewall. But unfortunately, I won't cover that up here.
SELinux and Linux firewall, should be disabled for the time being.
You can install webmin, and from there you can create your custom firewall policy/rule- but you can always do this later, after post installation of Zimbra

Now let's start.

Now we need to shutoff some services that will interfere with ZCS.

Running Zimbra on HTTPS

June 11, 2012 by Rumi

1. First you need to su as 'zimbra' user

2. go to /opt/zimbra/bin/

3. Use the following commands to enable SSL:

./zmtlsctl https
./zmcontrol restart

Now it's working like a charm. For other readers:

I can only access to webclient by SSL now (but that's ok for me).

other options are:

[mixed|both|http|https|redirect]

Deploying a J2EE application behind an Apache server in a production environment

April 20, 2012 by Rumi

You have created a Web application using a JBoss application server and you are going to put it in production. Great!

But deploying your application with JBoss serving the Web requests directly may not be the optimal solution. First because the Tomcat web server embedded within JBoss is not the best server to serve static files and second because configuring Tomcat and JBoss for best performance and security is in general a complex and tedious task.

Instead, it is a good practice to use an Apache server (2.0 or 2.2) in front of your JBoss/Tomcat. This Apache server can serve static files, take care of your SSL security and manage for you all the details of HTTP headers (Expires and other headers) and more….

In a production environment, you should not put your JBoss application as a Web front-end. Instead, you should use an Apache server and configure it to redirect specific Web application requests to your J2EE server. There are many many advantages in doing this:

    The Apache server can serve static files (CSS, images, javascript files) faster than JBoss/Tomcat.
    When you need it, you can activate SSL on Apache without having to change your application.
    The Apache SSL implementation is faster compared to the Tomcat implementation (and a lot easier to configure!).
    You can have a better control of HTTP headers. No need to develop any servlet filter for that.
    You can get compression out of the box. No need to develop another servlet filter either (no need to configure Tomcat connector either!).

I assume here that the Apache server is already installed with the following modules and these modules are enabled.

Hiding X-Powered by on JBoss Application Server 4.22.x

April 20, 2012 by Rumi

JBoss can add headers in the HTTP response. The X-Powered-By header exposes what implementation is behind your site. This header is created by a servlet filter that is activated by default in JBoss web configuration files (…/usr/java/jboss-4.2.2.GA/server/default/deploy/jboss-web.deployer/conf/web.xml). You can either disable this filter by commenting the following lines:

   <filter>
      <filter-name>CommonHeadersFilter</filter-name>
      <filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
      <init-param>
         <param-name>X-Powered-By</param-name>
         <param-value>Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5</param-value>
      </init-param>
   </filter>

Now update <param-value> at your wish 🙂

mod_jk for RHEL6

April 20, 2012 by Rumi

If you have a RHEL6 box which ships both Apache and Tomcat6 you might want to connect the two together. You probably have looked around for mod_jk as a RHEL6 RPM or SRPM (src.rpm).

You find that It isn't in EPEL, and it isn't in Red Hat Optional Server 6 RHN channel, etc.

It seems that the new way forward with RHEL/Fedora world is to use mod_proxy_ajp. For example, the RH/Fedora project Spacewalk switched from mod_jk to mod_proxy_ajp.

Note that mod_proxy_ajp is a core module of Apache 2.2 and newer so this should be a rather definitive/final change in recommended connector for Tomcat and Apache.