Thursday, 3 November 2016

Install and Configure Nagios on CentOS 7 with a remote NRPE host

In this tutorial, we will set up a Nagios server and a remote NRPE host.

Let's install the prerequisites first. (On CentOS 7 the PHP packages are called php and php-gd; the php5 names belong to Debian/Ubuntu.)

$sudo yum install -y gcc glibc glibc-common gd gd-devel make net-snmp openssl-devel xinetd unzip mailx httpd php php-gd postfix

We must create a user and group that will run the Nagios process. Create a "nagios" user and a "nagcmd" group, then add the user to the group with these commands:

$sudo useradd nagios
$sudo groupadd nagcmd
$sudo usermod -a -G nagcmd nagios

Install Nagios Core

$curl -L -O https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.1.1.tar.gz
$tar xvf nagios-*.tar.gz
$cd nagios-*
$./configure --with-command-group=nagcmd
$make all
$sudo make install
$sudo make install-commandmode
$sudo make install-init
$sudo make install-config
$sudo make install-webconf
Add the apache user to nagcmd as well so the web interface can write to the Nagios command file; -a keeps apache's existing groups instead of replacing them:

$sudo usermod -a -G nagcmd apache

Now let's install the Nagios plugins
$cd ..
$curl -L -O http://nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz
$tar xvf nagios-plugins-*.tar.gz
$cd nagios-plugins-*
$./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl
$make
$sudo make install

Now let's install NRPE. On CentOS 7 the OpenSSL libraries live in /usr/lib64 (the /usr/lib/x86_64-linux-gnu path seen in Ubuntu guides does not exist here). --enable-command-args only compiles in support for passing arguments to remote checks; it stays inert unless the remote nrpe.cfg sets dont_blame_nrpe=1, which you should leave at 0.
$cd ..
$curl -L -O http://downloads.sourceforge.net/project/nagios/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz
$tar xvf nrpe-*.tar.gz
$cd nrpe-*
$./configure --enable-command-args --with-nagios-user=nagios --with-nagios-group=nagios --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib64
$make all
$sudo make install
$sudo make install-xinetd
$sudo make install-daemon-config

This NRPE instance runs on the Nagios server itself (it lets you monitor the server locally through the same check_nrpe path). Open its xinetd service definition:
$sudo vi /etc/xinetd.d/nrpe

Modify the only_from line by adding the private IP address of your Nagios server to the end (substitute the actual IP address of your server):

only_from = 127.0.0.1 x.x.x.x

Restart the xinetd service to start NRPE:

$sudo systemctl restart xinetd.service

Now let's perform the initial Nagios configuration. You only need to perform this section once, on your Nagios server.

$sudo vi /usr/local/nagios/etc/nagios.cfg

Now find and uncomment this line:

#cfg_dir=/usr/local/nagios/etc/servers

Now create the directory that will store the configuration file for each server that you will monitor:

$sudo mkdir /usr/local/nagios/etc/servers

Open the Nagios contacts configuration in your favorite text editor. We'll use vi to edit the file:

$sudo vi /usr/local/nagios/etc/objects/contacts.cfg

Find the email directive and replace its value with your own email address:

email                           nagios@localhost        ; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS

Let's add a new command to our Nagios configuration:

$sudo vi /usr/local/nagios/etc/objects/commands.cfg

Add the following to the end of the file:

define command{
        command_name check_nrpe
        command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}

For mail notification

Change the commands "notify-host-by-email" and "notify-service-by-email" in commands.cfg as below in order for mail notification to work:

$sudo vim /usr/local/nagios/etc/objects/commands.cfg

define command{
        command_name    notify-host-by-email
        command_line    /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$
}

# 'notify-service-by-email' command definition
define command{
        command_name    notify-service-by-email
        command_line    /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}


Configure Apache

Use htpasswd to create an admin user, called "nagiosadmin", that can access the Nagios web interface:

$sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

Enter a password at the prompt. Remember this login, as you will need it to access the Nagios web interface. Note that with the stock web config this login (HTTP Basic auth) and everything the CGIs display travel over plain HTTP, so put the interface behind TLS (mod_ssl) or restrict it to a management network before exposing it beyond localhost.

Nagios is ready to be started. Let's do that, and restart Apache:

$sudo systemctl start nagios.service
$sudo systemctl restart httpd.service

To enable Nagios to start on server boot, run this command:

$sudo systemctl enable nagios.service

Open your favorite web browser, and go to your Nagios server

http://nagios_server_ip/nagios


#################################################################################

Monitor a CentOS 7 Host with NRPE


On a server that you want to monitor, install the EPEL repository:

$sudo yum install epel-release

Now install Nagios Plugins and NRPE:

$sudo yum install nrpe nagios-plugins-all

Now, let's update the NRPE configuration file. Open it in your favorite editor (we're using vi):

$sudo vi /etc/nagios/nrpe.cfg

Find the allowed_hosts directive and add the private IP address of your Nagios server to the comma-delimited list (in place of x.x.x.x). Keep this list to loopback and your Nagios server(s): any address listed here can run every command[] defined in this file.

allowed_hosts=127.0.0.1,x.x.x.x

Restart NRPE to put the change into effect, and enable it at boot:

$sudo systemctl restart nrpe.service
$sudo systemctl enable nrpe.service


Add Host to Nagios Configuration

On your Nagios server, create a new configuration file for each of the remote hosts that you want to monitor in /usr/local/nagios/etc/servers/. Replace "yourhost" with the name of your host:

$sudo vi /usr/local/nagios/etc/servers/yourhost.cfg


Add the following host definition, replacing the host_name value with your remote hostname ("client1.example.com" in the example), the alias value with a description of the host, and the address value with the private IP address of the remote host:

define host {
        use                             linux-server
        host_name                       client1.example.com
        alias                           Monitor 1
        address                         x.x.x.x
        max_check_attempts              5
        check_period                    24x7
        notification_interval           30
        notification_period             24x7
        contacts                        nagiosadmin
}


With the configuration file above, Nagios will only monitor if the host is up or down. If this is sufficient for you, save and exit then restart Nagios. If you want to monitor particular services, read on.

Add any of these service blocks for services you want to monitor. Note that the value of check_command determines what will be monitored, including status threshold values. Here are some examples that you can add to your host's configuration file:

Ping (the host_name must match the define host above exactly, or Nagios will refuse the configuration):

define service {
        use                             generic-service
        host_name                       client1.example.com
        service_description             PING
        check_command                   check_ping!100.0,20%!500.0,60%
}

SSH

define service {
        use                             generic-service
        host_name                       client1.example.com
        service_description             SSH
        check_command                   check_ssh
        notifications_enabled           0
}


Reload Nagios after editing this file so the new services are picked up (repeat after each of the blocks below):

$sudo systemctl reload nagios.service

HTTP
define service {
        use                             generic-service
        host_name                       client1.example.com
        service_description             HTTP
        check_command                   check_http
        notifications_enabled           1
}

Port check: we are going to check the availability of port 80 with a check interval of 12 seconds (0.2 of the default 60-second interval_length; see the note below):

define service {
        use                             generic-service
        host_name                       client1.example.com
        service_description             HTTP_PORT_CHECK
        check_command                   check_tcp!80
        check_interval                  0.2
        notifications_enabled           1
}

Note:
check_interval is expressed in units of interval_length, which is 60 seconds by default, so:
check_interval 1 = 60 seconds
check_interval .5 = 30 seconds
check_interval .2 = 12 seconds
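Nagios refuses to start or reload when a service names a host that has no define host, or a check_command that has no define command, and both are easy mistakes when copying blocks between files (a service whose host_name is still "yourhost" while the host is client1.example.com, or a check_nrpe service added before the check_nrpe command exists). Running `/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg` is the authoritative check; the script below is an added example, not part of the original post, that does a lightweight version of it over just the object files so you can catch these two errors before you reload. The object files it reads are constructed here for the demonstration, and the 192.0.2.10 address is a placeholder.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: a pre-reload check over Nagios
# object files. It reports services whose host_name has no 'define host' and
# check_commands with no 'define command', two of the mistakes that make
# 'nagios -v' reject the whole configuration.
# Assumption (mine): the brace syntax used above, one directive per line.

# check_objects FILE... -> prints findings; returns 0 when clean, 1 otherwise
check_objects() {
    awk '
    # value of a directive line: drop the key, trailing spaces and ";" comments
    function val(s) {
        sub(/^[[:space:]]*[A-Za-z_]+[[:space:]]+/, "", s)
        sub(/[[:space:]]*(;.*)?$/, "", s)
        return s
    }
    /^[[:space:]]*define[[:space:]]+/ {
        type = $2; sub(/[{].*/, "", type)
        in_block = 1; hn = ""; sd = ""; cc = ""; cn = ""
        next
    }
    in_block && /^[[:space:]]*}/ {
        if (type == "host")    hosts[hn] = 1
        if (type == "command") cmds[cn] = 1
        if (type == "service") { n++; svc_host[n] = hn; svc_desc[n] = sd; svc_cmd[n] = cc }
        in_block = 0; next
    }
    in_block && /^[[:space:]]*host_name[[:space:]]/           { hn = val($0); gsub(/[[:space:]]/, "", hn) }
    in_block && /^[[:space:]]*service_description[[:space:]]/ { sd = val($0) }
    in_block && /^[[:space:]]*check_command[[:space:]]/       { cc = val($0); sub(/!.*/, "", cc) }
    in_block && /^[[:space:]]*command_name[[:space:]]/        { cn = val($0) }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            m = split(svc_host[i], hl, ",")
            for (j = 1; j <= m; j++)
                if (!(hl[j] in hosts)) {
                    printf "FAIL service %s: host_name %s has no define host\n", svc_desc[i], hl[j]
                    bad = 1
                }
            if (svc_cmd[i] != "" && !(svc_cmd[i] in cmds)) {
                printf "FAIL service %s: check_command %s is not defined\n", svc_desc[i], svc_cmd[i]
                bad = 1
            }
        }
        if (!bad) print "OK all services reference defined hosts and commands"
        exit bad
    }' "$@"
}

# Constructed sample object files (placeholder address, not a real host)
write_sample_objects() {
    cat > "$1/commands.cfg" <<'EOF'
define command{
        command_name check_nrpe
        command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}
define command{
        command_name check_ping
        command_line $USER1$/check_ping -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 5
}
EOF
    cat > "$1/client1.cfg" <<'EOF'
define host {
        use                             linux-server
        host_name                       client1.example.com
        alias                           Monitor 1
        address                         192.0.2.10
}
define service {
        use                             generic-service
        host_name                       client1.example.com
        service_description             PING
        check_command                   check_ping!100.0,20%!500.0,60%
}
define service{
        use                            generic-service
        host_name                      client1.example.com
        service_description            Check RAM
        check_command                  check_nrpe!check_mem
}
EOF
    # a block pasted from a template: wrong host_name, command never defined
    cat > "$1/broken.cfg" <<'EOF'
define service {
        use                             generic-service
        host_name                       yourhost
        service_description             SSH
        check_command                   check_ssh
}
EOF
}

tmp=$(mktemp -d)
write_sample_objects "$tmp"
check_objects "$tmp/commands.cfg" "$tmp/client1.cfg"
check_objects "$tmp/commands.cfg" "$tmp/client1.cfg" "$tmp/broken.cfg" || true
```

Run it as `check_objects /usr/local/nagios/etc/objects/commands.cfg /usr/local/nagios/etc/servers/*.cfg` before the reload; templates pulled in with `use` are not resolved, so a service that inherits its host_name from a template will be reported by this script even though nagios -v accepts it.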


To check memory utilization on the remote host

Download the memory check plugin. NRPE will run this script as the nrpe user on every check, so read it before you install it: a plugin pulled from the internet is code you are choosing to execute on every monitored host.

$wget https://raw.githubusercontent.com/justintime/nagios-plugins/master/check_mem/check_mem.pl

$sudo mv check_mem.pl /usr/lib64/nagios/plugins/check_mem
$sudo chmod +x /usr/lib64/nagios/plugins/check_mem

You can check whether the script generates output properly by manually running the following command on localhost. When used with NRPE, this command is supposed to check free memory, warn when free memory is less than 20%, and generate critical alarm when free memory is less than 10%.

$/usr/lib64/nagios/plugins/check_mem -f -w 20 -c 10

OK - 34.0% (2735744 kB) free.|TOTAL=8035340KB;;;; USED=5299596KB;6428272;7231806;; FREE=2735744KB;;;; CACHES=2703504KB;;;;

If you see something like the above as an output, that means the command is working okay.

Now that the script is ready, we define the command to check RAM usage for NRPE. As mentioned before, the command will check free memory, warn when free memory is less than 20%, and generate critical alarm when free memory is less than 10%.

$sudo vim /etc/nagios/nrpe.cfg
command[check_mem]=/usr/lib64/nagios/plugins/check_mem  -f -w 20 -c 10
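The allowed_hosts line edited earlier and the way command[] lines are written are the two things that decide what anyone who can reach TCP 5666 gets to run. As an added example (not from the original post), the script below audits an nrpe.cfg for a loose allowed_hosts list, dont_blame_nrpe=1, command[] lines that interpolate $ARGn$ (the sink for remote arguments) and plugins invoked without an absolute path. The two sample configs are constructed here, and the Nagios server address 10.0.0.5 is an assumption standing in for x.x.x.x.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: audit an nrpe.cfg for the
# settings that decide what a client able to reach TCP 5666 can do.
# Assumptions (mine, not the post's): stock key=value syntax as in
# /etc/nagios/nrpe.cfg, and the Nagios server address passed as the 2nd argument.

# audit_nrpe_cfg CONFIG NAGIOS_IP -> prints findings; returns 0 when clean, 1 otherwise
audit_nrpe_cfg() {
    cfg="$1"
    nagios_ip="$2"
    rc=0

    # allowed_hosts: only loopback and the Nagios server should be able to run checks
    for h in $(sed -n 's/^allowed_hosts=//p' "$cfg" | tr ',' ' '); do
        case "$h" in
            127.0.0.1|::1|"$nagios_ip") ;;
            *) echo "FAIL allowed_hosts: unexpected entry '$h'"; rc=1 ;;
        esac
    done

    # dont_blame_nrpe=1 lets the caller supply arguments to command[] lines;
    # NRPE's metacharacter filter is a blacklist, so keep thresholds server-side
    if grep -qE '^dont_blame_nrpe[[:space:]]*=[[:space:]]*1' "$cfg"; then
        echo "FAIL dont_blame_nrpe=1: remote argument passing is enabled"
        rc=1
    fi

    # any command[] that interpolates $ARGn$ is the sink for those arguments
    if grep -E '^command\[' "$cfg" | grep -qF '$ARG'; then
        grep -E '^command\[' "$cfg" | grep -F '$ARG' | sed 's/^/FAIL argument-accepting command: /'
        rc=1
    fi

    # plugins should be invoked by absolute path so PATH tricks cannot swap them
    if grep -E '^command\[' "$cfg" | grep -qvE '^command\[[^]]+]=/'; then
        grep -E '^command\[' "$cfg" | grep -vE '^command\[[^]]+]=/' | sed 's/^/FAIL relative plugin path: /'
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK $cfg"; fi
    return "$rc"
}

# Constructed sample configs for the demonstration (10.0.0.5 is a made-up Nagios server)
write_sample_cfgs() {
    cat > "$1/nrpe-weak.cfg" <<'EOF'
server_port=5666
allowed_hosts=127.0.0.1,10.0.0.5,0.0.0.0/0
dont_blame_nrpe=1
command[check_users]=/usr/lib64/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
command[check_mem]=check_mem -f -w 20 -c 10
EOF
    cat > "$1/nrpe-good.cfg" <<'EOF'
server_port=5666
allowed_hosts=127.0.0.1,10.0.0.5
dont_blame_nrpe=0
command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
command[check_mem]=/usr/lib64/nagios/plugins/check_mem -f -w 20 -c 10
EOF
}

tmp=$(mktemp -d)
write_sample_cfgs "$tmp"
audit_nrpe_cfg "$tmp/nrpe-weak.cfg" 10.0.0.5 || true
audit_nrpe_cfg "$tmp/nrpe-good.cfg" 10.0.0.5
```

On a real host run `audit_nrpe_cfg /etc/nagios/nrpe.cfg <nagios-server-ip>`; the thresholds for check_mem above are fixed in the command line on purpose, which is the pattern that keeps dont_blame_nrpe at 0.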



Now on the Nagios server add the following section to /usr/local/nagios/etc/servers/yourhost.cfg


define service{
        use                            generic-service
        host_name                      client1.example.com
        service_description            Check RAM
        check_command                  check_nrpe!check_mem
}


Restart the NRPE service on the remote host.

Reload (or restart) the Nagios service on the Nagios server.

Nagios should now start checking RAM usage of the remote server using NRPE. If you are having any problem, check the following:

Make sure the NRPE port is allowed all the way to the remote host, including firewalld on the CentOS 7 host itself. The default NRPE port is TCP 5666.
Manually check NRPE operation by executing the check_nrpe command: /usr/local/nagios/libexec/check_nrpe -H remote-server (it should answer with the NRPE version).
Then run the check_mem command through NRPE: /usr/local/nagios/libexec/check_nrpe -H remote-server -c check_mem



Tuesday, 25 October 2016

Use LFTP command line to transfer files from ftp server

Example source server
Host: host.example.com
Username: exampleuser
Password: examplepass
Source folder: /public_html

To install lftp on Ubuntu:
#apt-get install lftp

Usage
To connect to the FTP server use:
#lftp -u exampleuser,examplepass host.example.com -e 'set ftp:ssl-allow no;'

Two things to be aware of here: 'set ftp:ssl-allow no' forces plain FTP, so the password and the files cross the network in clear text (only do this when the server cannot do FTPS; otherwise leave the default, or use 'set ftp:ssl-force true' to refuse a cleartext login), and a password given on the command line ends up in your shell history and in the process list, so prefer '-u exampleuser' alone and type the password when lftp prompts for it.

Once you are connected you will see the prompt below:
lftp exampleuser@host.example.com:~>
Use the ls command to list files and directories.
To copy the entire public_html directory, use the following command:
lftp exampleuser@host.example.com:~>mirror public_html /destination-path
Note: lftp will not automatically create the destination path; it should already exist.

Monday, 29 August 2016

Kerberos-Based Apache SSO with Active Directory

Apache SSO with Active Directory


In this tutorial we will set up Active Directory (Kerberos) based SSO with Apache.


Requirements

1. Active Directory server - Windows Server 2008 R2
2. Apache server - CentOS 7
3. mod_auth_kerb module in apache

Active Directory details

Domain Name : example.com
Domain Controller name: dc.example.com
IP address  : 192.168.0.100


CentOS server details

Hostname : server.example.com
IP address: 192.168.0.101
DNS address: 192.168.0.100

Let's begin by installing Apache with the mod_auth_kerb module and the Kerberos client tools

#yum install httpd mod_auth_kerb krb5-workstation

Now let's configure and verify Kerberos

#vim /etc/krb5.conf

------------------------------------------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac

[realms]
 EXAMPLE.COM = {
  kdc = dc.example.com
  admin_server = dc.example.com
 }

[domain_realm]
.example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

--------------------------------------------------------------------------

The three enctype lines pin Kerberos to RC4-HMAC, matching the -crypto RC4-HMAC-NT used with ktpass below. RC4 is deprecated and Windows Server 2008 R2 supports AES, so unless an older client forces your hand use aes256-cts-hmac-sha1-96 here, -crypto AES256-SHA1 in ktpass, and tick "This account supports Kerberos AES 256 bit encryption" on the service account.

Now let's verify with the following command



For every kerberized host you have to create a service principal on the KDC. Let's create the service principal from the command prompt on the Windows server.

Before we create the service principal, we need a user account (any name will do) that will hold the service key. Let the name of the user be "krb5@example.com".

Use the below command to create the service principal

C:\>ktpass -princ HTTP/server.example.com@EXAMPLE.COM -mapuser krb5@EXAMPLE.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass long$longp2ass3word -out c:\temp\krb5.keytab


The ktpass command creates the principal HTTP/server.example.com@EXAMPLE.COM, maps it to the AD account "krb5" and exports its key to the keytab file c:\temp\krb5.keytab. That keytab is equivalent to the account's password (and the -pass value is now in the command history), so treat both accordingly. Copy the file to the CentOS (Apache) server.


Check that the KDC issues tickets with the expected key version (kvno) by requesting a service ticket and inspecting it with klist (you need a TGT in your credential cache first, e.g. from kinit as a domain user):

#kvno HTTP/server.example.com@EXAMPLE.COM
#klist -e

Check these values (kvno and enctype) against the keytab krb5.keytab:

#klist -e -k -t krb5.keytab

#kinit -k -t krb5.keytab HTTP/server.example.com

If this doesn't work then there is a problem with the Kerberos config.
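The kvno/klist comparison above is what catches a stale keytab: every ktpass run or password reset on the krb5 account bumps the key version, so a keytab exported earlier no longer matches the tickets the KDC issues, and Apache starts rejecting every Negotiate token. As an added example, not from the original post, the script below does that comparison over saved output of kvno, klist -e and klist -e -k -t, so it runs without a KDC and can sit in a post-deploy check. The three outputs embedded here are constructed in the shape MIT krb5 prints; the kvno value 3 and the krb5user principal are assumptions.

```shell
#!/bin/bash
# Added example, not part of the original post: compare the HTTP service ticket the
# KDC issues with the keys in krb5.keytab, using saved command output so no KDC is
# needed here. In production capture the inputs first:
#   kvno HTTP/server.example.com@EXAMPLE.COM > kvno.txt
#   klist -e                                 > cache.txt
#   klist -e -k -t /etc/httpd/krb5.keytab    > keytab.txt
# Assumption (mine): MIT krb5 output in the shape of the constructed samples below.

PRINC="HTTP/server.example.com@EXAMPLE.COM"

# key version number the KDC used, from "PRINC: kvno = N"
ticket_kvno() { sed -n "s|^$1: kvno = \([0-9]*\).*|\1|p" "$2"; }

# enctype of the issued ticket: the "tkt" half of "Etype (skey, tkt): a, b",
# printed on the line after the principal's entry in 'klist -e'
ticket_enctype() {
    awk -v p="$1" '
        $NF == p        { want = 1; next }
        want && /Etype/ { sub(/.*, */, ""); sub(/[[:space:]]*$/, ""); print; exit }
    ' "$2"
}

# "kvno enctype" for every keytab entry of the principal, from 'klist -e -k -t'
keytab_entries() {
    awk -v p="$1" '$4 == p { e = $5; gsub(/[()]/, "", e); print $1, e }' "$2"
}

# check_keytab KVNO_OUT CACHE_OUT KEYTAB_OUT -> 0 when the keytab can decrypt the ticket
check_keytab() {
    kv=$(ticket_kvno "$PRINC" "$1")
    et=$(ticket_enctype "$PRINC" "$2")
    if [ -z "$kv" ] || [ -z "$et" ]; then
        echo "FAIL no service ticket for $PRINC in the cache (kinit as a domain user first)"
        return 1
    fi
    case "$et" in
        arcfour-hmac*|des*) echo "WARN ticket enctype $et is deprecated; prefer aes256-cts-hmac-sha1-96" ;;
    esac
    if keytab_entries "$PRINC" "$3" | grep -qx "$kv $et"; then
        echo "OK keytab has kvno $kv with $et"
        return 0
    fi
    echo "FAIL keytab lacks kvno $kv/$et (stale keytab after ktpass or a password reset?)"
    return 1
}

# Constructed sample outputs (not captured from a real domain)
write_krb_samples() {
    cat > "$1/kvno.txt" <<'EOF'
HTTP/server.example.com@EXAMPLE.COM: kvno = 3
EOF
    cat > "$1/cache.txt" <<'EOF'
Ticket cache: KEYRING:persistent:1000:1000
Default principal: krb5user@EXAMPLE.COM

Valid starting       Expires              Service principal
08/29/2016 10:00:01  08/29/2016 20:00:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 09/05/2016 10:00:01, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
08/29/2016 10:00:05  08/29/2016 20:00:01  HTTP/server.example.com@EXAMPLE.COM
        renew until 09/05/2016 10:00:01, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
EOF
    cat > "$1/keytab-ok.txt" <<'EOF'
Keytab name: FILE:/etc/httpd/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/1970 01:00:00 HTTP/server.example.com@EXAMPLE.COM (arcfour-hmac)
EOF
    # keytab exported before the account password was changed: one kvno behind
    cat > "$1/keytab-stale.txt" <<'EOF'
Keytab name: FILE:/etc/httpd/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/1970 01:00:00 HTTP/server.example.com@EXAMPLE.COM (arcfour-hmac)
EOF
}

tmp=$(mktemp -d)
write_krb_samples "$tmp"
check_keytab "$tmp/kvno.txt" "$tmp/cache.txt" "$tmp/keytab-ok.txt"
check_keytab "$tmp/kvno.txt" "$tmp/cache.txt" "$tmp/keytab-stale.txt" || true
```

The WARN line fires for the RC4 setup used in this post; once the realm and ktpass are moved to AES the same check passes silently, which is the state you want.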

Now lets create a test site with Apache and configure kerberos authentication

Copy the keytab file to /etc/httpd, change its ownership to apache:apache and make it readable by that user only (chmod 600): anyone who can read it can impersonate the HTTP service.

-------------------------------------------------
<VirtualHost *:80>

ServerName server.example.com

DocumentRoot /var/www/html/server.example.com

<Directory "/var/www/html/server.example.com">
AuthType  Kerberos
KrbAuthRealms EXAMPLE.COM
KrbServiceName HTTP
Krb5Keytab /etc/httpd/krb5.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
require valid-user
</Directory>


</VirtualHost>
------------------------------------------------

KrbMethodK5Passwd off matters: when it is on, mod_auth_kerb falls back to Basic authentication and the browser sends the user's AD password to the web server, so keep it off. The example listens on port 80 for brevity; serve the real site over TLS.

Now let's enable Windows Integrated Authentication in Internet Explorer using the link below

https://docs.secureauth.com/display/KBA/Enable+Integrated+Windows+Authentication+(IWA)+in+Internet+Explorer


Now let's configure Firefox for SSO

1. In the address bar of Firefox, type about:config to display the list of current configuration options.
2. In the Filter field, type negotiate to restrict the list of options.
3. Double-click the network.negotiate-auth.trusted-uris entry to display the Enter string value dialog box.
4. Enter the name of the domain against which you want to authenticate, for example, .example.com.
5. Repeat the above procedure for the network.negotiate-auth.delegation-uris entry, using the same domain, but only if the web application has to act on your behalf towards other services: delegation hands the site a forwardable copy of your TGT, so for plain authentication leave it unset.

Use the following link to enable Windows Integrated Authentication in Chrome

https://www.specopssoft.com/configuring-chrome-and-firefox-for-windows-integrated-authentication/
