Sunday, July 5, 2015

Nagios - Basic Tutorial

Nagios is a powerful monitoring system that enables organizations to identify and resolve Infrastructure problems before they affect the business process.

Nagios is an open source network monitoring solution. It can be used for anything from simply checking whether a network host is still up, all the way to monitoring specific services on remote hosts, and even triggering corrective action if a problem is detected. Nagios can send alerts about the issues it sees by mail, phone, fax, pager, etc.

Nagios periodically polls the agent on the remote system using plugins. NRPE (Nagios Remote Plugin Executor) allows you to remotely execute Nagios plugins on other Linux/Unix machines. This allows you to monitor remote machine metrics (disk usage, CPU load, etc.).
In this article we will see how to configure Nagios and perform the basic monitoring of a remote system.

1) Install Nagios from Source
Download the latest Nagios source from: http://prdownloads.sourceforge.net/sourceforge/nagios
Extract the source, cd to the extracted location and execute the below commands in sequence:
./configure --with-nagios-group=nagios --with-command-group=nagcmd
make all
make install
make install-commandmode
make install-init
make install-config
make install-webconf

Nagios provides a GUI console served through an HTTP web server. We use the console to configure sources and hosts and to monitor them.

The last command, "make install-webconf", installs the nagios.conf file into the /etc/httpd/conf location, which is used for the Nagios web console.

Once this is done, we need to perform some basic post-installation steps.

Nagios Configuration Changes
Configure the Nagios config directory for configuration files. Uncomment the cfg_dir line in the Nagios configuration file nagios.cfg (installed at /usr/local/nagios/etc/nagios.cfg):
cfg_dir=/usr/local/nagios/etc/servers

Once that line is uncommented, create the directory at that location:
mkdir /usr/local/nagios/etc/servers

Apache Server Modifications
Nagios needs a directory that requires authentication, plus some modifications to the cgi-scripts. These settings are in a file called nagios.conf located in the /etc/httpd/conf.d directory.
The following changes need to be made to that file:
1) Uncomment the Order, Deny and Allow elements in both directory listings
2) Uncomment the AuthUserFile directive, which is used to authenticate users to the web console. We configure the user in the next step.
 AuthUserFile /usr/local/nagios/etc/htpasswd.users

Nagios User
The next step is to configure a user ID for the Nagios web console, which we will use to log in to the web console. Use the below command:
[root@localhost conf.d]# htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
New password:
Re-type new password:
Adding password for user nagiosadmin

We created the user nagiosadmin for logging in to the Nagios web console. Once all the configuration is done, the Nagios console can be accessed at
http://<IP address>:<port>/nagios/

2) Install Nagios Plugins

In order to run Nagios, we also need the Nagios plugins. Nagios plugins are stand-alone extensions to Nagios Core that provide the low-level intelligence on how to monitor anything and everything with Nagios Core.

Plugins process command-line arguments, go about the business of performing a specific type of check, and then return the results to Nagios Core for further processing. Plugins can either be compiled binaries (written in C, C++, etc) or executable scripts (shell, Perl, PHP, etc).

Download the latest source of the Nagios plugins from http://nagios-plugins.org/download/
Extract and cd to the extracted location and run the below commands:
./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl
make
make install

3) Install NRPE - Nagios Remote Plugin Executor

Let's take an instance: it is easy enough to monitor whether an HTTP or SMTP service is available on a remote machine, but how can we determine whether the disk is running out of space, or whether the load average has risen? These things cannot be easily determined without having local access to the system. One way to accomplish this is to write our own shell script, like the check_by_ssh command, but an even better way is the Nagios Remote Plugin Executor (NRPE) daemon.

What NRPE does is run checks on a system remote from the central Nagios server, allowing Nagios to query it as if the checks were run locally. In general, Nagios talks to NRPE, asks it to run a specific check, waits for the response, and logs it along with everything else it watches. These are checks that could only be run locally: checking the number of users, load average, disk space usage, available memory, whether the local system can query DNS, and so on. With NRPE the overhead is much smaller, making it faster and more efficient.

Download the latest source of nagios nrpe from http://sourceforge.net/projects/nagios/files/
Extract and cd to the extracted location and run the below commands
./configure --enable-command-args --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/x86_64-linux-gnu
make all
make install
make install-xinetd
make install-daemon-config

Configure Xinetd
We use xinetd (extended Internet daemon), an open-source super-server daemon which runs on many Unix-like systems and manages Internet-based connectivity.
Once the installation of NRPE is done, we need to perform some basic post-installation operations.
Open the file "/etc/xinetd.d/nrpe":
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
        flags           = REUSE
        socket_type     = stream
        port            = 5666
        wait            = no
        user            = nagios
        group           = nagios
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 127.0.0.1 172.16.202.96
}

Add the current IP address to the only_from element after 127.0.0.1.
Next, open the /etc/services file and add the following entry for the NRPE daemon at the bottom of the file:
nrpe            5666/tcp                 NRPE

Configure Firewall Rules

Make sure that the firewall on the local machine allows the NRPE daemon to be accessed from remote servers. To do this, run the following iptables command.

[root@tecmint]# iptables -A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT

Run the following command to save the new iptables rule so it survives system reboots.

[root@tecmint]# service iptables save

With this the installation is complete. We can now restart the services:
service httpd restart
service xinetd restart
service nagios restart
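
The setup above relies on three controls to limit who can reach NRPE and what they can ask it to run: only_from in the xinetd file, dont_blame_nrpe in nrpe.cfg (relevant because NRPE was built with --enable-command-args), and the iptables rule for port 5666. The script below is an added example, not part of the original tutorial, that audits all three; the function names, file names, sample file contents and the address 192.0.2.10 are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the three NRPE access controls this tutorial sets up.
# All sample file contents below are constructed for illustration.

# Print one WARN line per weak setting found.
nrpe_findings() {
    xinetd_file=$1; nrpe_cfg=$2; fw_rules=$3

    # 1. xinetd only_from: when NRPE runs under xinetd, this list (not
    #    allowed_hosts in nrpe.cfg) decides which sources may connect.
    only_from=$(sed -n 's/^[[:space:]]*only_from[[:space:]]*=[[:space:]]*//p' "$xinetd_file")
    [ -n "$only_from" ] || echo "WARN: xinetd: no only_from line, any source may connect"
    for addr in $only_from; do
        case $addr in
            0.0.0.0|0.0.0.0/0) echo "WARN: xinetd: only_from $addr matches every source" ;;
        esac
    done

    # 2. nrpe.cfg: --enable-command-args only compiles the feature in;
    #    dont_blame_nrpe=1 turns it on for commands that use $ARGn$ macros.
    blame=$(sed -n 's/^[[:space:]]*dont_blame_nrpe[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$nrpe_cfg" | tail -n 1)
    if [ "$blame" = 1 ]; then
        echo "WARN: nrpe.cfg: dont_blame_nrpe=1, clients may pass command arguments"
        sed -n 's/^[[:space:]]*command\[\([^]]*\)]=.*\$ARG[0-9].*/\1/p' "$nrpe_cfg" |
        while read -r name; do
            echo "WARN: nrpe.cfg: command[$name] takes client-supplied arguments"
        done
    fi

    # 3. Firewall (iptables -S format): ACCEPT on tcp/5666 with no -s match.
    grep -e '--dport 5666 ' "$fw_rules" | grep -e '-j ACCEPT' | grep -v -e ' -s ' |
    while read -r rule; do
        echo "WARN: iptables: port 5666 open to all sources: $rule"
    done
    return 0
}

# Print the findings, or OK when there are none.
audit_nrpe() {
    found=$(nrpe_findings "$@")
    if [ -n "$found" ]; then echo "$found"; else echo "OK"; fi
}

# Constructed sample input: a weak set and a restricted set.
# 192.0.2.10 stands in for the Nagios server's address.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'service nrpe\n{\n\tonly_from = 0.0.0.0\n}\n' > "$demo/weak.xinetd"
printf 'service nrpe\n{\n\tonly_from = 127.0.0.1 192.0.2.10\n}\n' > "$demo/good.xinetd"
cat > "$demo/weak.cfg" <<'EOF'
dont_blame_nrpe=1
command[check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
EOF
cat > "$demo/good.cfg" <<'EOF'
dont_blame_nrpe=0
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
EOF
printf '%s\n' '-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT' > "$demo/weak.rules"
printf '%s\n' '-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 5666 -j ACCEPT' > "$demo/good.rules"

audit_nrpe "$demo/weak.xinetd" "$demo/weak.cfg" "$demo/weak.rules"
audit_nrpe "$demo/good.xinetd" "$demo/good.cfg" "$demo/good.rules"
```

On a real host, pass /etc/xinetd.d/nrpe, /usr/local/nagios/etc/nrpe.cfg and a file holding the output of iptables -S.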

Basic Checks
Once the services have started with no issues, we can perform basic checks to make sure the services are up and running fine.

1) Access the web console using http://<IP address>:<Port>/nagios to make sure we can enter the login credentials to access the Nagios console

2) Make sure the nrpe port is active using
[root@localhost logs]# netstat -at | grep nrpe
tcp6       0      0 [::]:nrpe               [::]:*                  LISTEN    

3) Verify the NRPE daemon is functioning properly. Run the “check_nrpe” command that was installed earlier for testing purposes.

[root@localhost logs]# /usr/local/nagios/libexec/check_nrpe -H 127.0.0.1
NRPE v2.15

The above is the same location where nagios was installed.

4) Check the Nagios configuration using
[root@localhost etc]# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

Nagios Core 4.1.0rc1
Copyright (c) 2009-present Nagios Core Development Team and Community Contributors
Copyright (c) 1999-2009 Ethan Galstad
Last Modified: 02-18-2015
License: GPL

Website: http://www.nagios.org
Reading configuration data...
   Read main config file okay...
   Read object config files okay...

Running pre-flight check on configuration data...

Checking objects...
          Checked 13 services.
          Checked 2 hosts.
          Checked 1 host groups.
          Checked 0 service groups.
          Checked 1 contacts.
          Checked 1 contact groups.
          Checked 25 commands.
          Checked 5 time periods.
          Checked 0 host escalations.
          Checked 0 service escalations.
Checking for circular paths...
          Checked 2 hosts
          Checked 0 service dependencies
          Checked 0 host dependencies
          Checked 5 timeperiods
Checking global event handlers...
Checking obsessive compulsive processor commands...
Checking misc settings...

Total Warnings: 0
Total Errors:   0

Things look okay - No serious problems were detected during the pre-flight check

Now if we access the Nagios web console, it will look like this:



Customize NRPE commands

The default NRPE configuration file that got installed has several command definitions that will be used to monitor the local machine. The sample configuration file is located at:

[root@localhost]# vi /usr/local/nagios/etc/nrpe.cfg

From the file, we can use commands like:

[root@localhost etc]# /usr/local/nagios/libexec/check_nrpe -H 127.0.0.1 -c check_users
USERS OK - 3 users currently logged in |users=3;5;10;0

[root@localhost etc]# /usr/local/nagios/libexec/check_nrpe -H localhost -c check_load
OK - load average: 3.90, 4.37, 3.94|load1=3.900;15.000;30.000;0; load5=4.370;10.000;25.000;0; load15=3.940;5.000;20.000;0;

[root@localhost etc]# /usr/local/nagios/libexec/check_nrpe -H localhost -c check_hda1
DISK OK - free space: /boot 154 MB (84% inode=99%);| /boot=29MB;154;173;0;193

[root@localhost etc]# /usr/local/nagios/libexec/check_nrpe -H 127.0.0.1 -c check_load
OK - load average: 0.03, 0.07, 0.12|load1=0.030;15.000;30.000;0; load5=0.070;10.000;25.000;0; load15=0.120;5.000;20.000;0;

[root@localhost etc]# /usr/local/nagios/libexec/check_nrpe -H 127.0.0.1 -c check_total_procs
PROCS WARNING: 198 processes | procs=198;150;200;0;

[root@localhost etc]# /usr/local/nagios/libexec/check_nrpe -H 127.0.0.1 -c check_zombie_procs
PROCS OK: 0 processes with STATE = Z | procs=0;5;10;0;

Verify NRPE Daemon Remotely

Make sure that the check_nrpe plugin can communicate with the NRPE daemon on the remote Linux host. Replace the IP address in the command below with the IP address of your remote Linux host.

[root@localhost etc]# /usr/local/nagios/libexec/check_nrpe -H 172.16.202.96
NRPE v2.15


Adding Remote Linux Host to Nagios Monitoring Server

To add a remote host you need to create two new files, “hosts.cfg” and “services.cfg”, under the “/usr/local/nagios/etc/” location.

[root@tecmint]# cd /usr/local/nagios/etc/
[root@tecmint]# touch hosts.cfg
[root@tecmint]# touch services.cfg

Now add these two files to main Nagios configuration file. Open nagios.cfg file with any editor.

[root@tecmint]# vi /usr/local/nagios/etc/nagios.cfg

Now add the two newly created files as shown below.

# You can specify individual object config files as shown below:
cfg_file=/usr/local/nagios/etc/hosts.cfg
cfg_file=/usr/local/nagios/etc/services.cfg

[root@localhost etc]# cat hosts.cfg
define host{
name                            linux-box               ; Name of this template
use                             generic-host            ; Inherit default values
check_period                    24x7       
check_interval                  5      
retry_interval                  1      
max_check_attempts              10     
check_command                   check-host-alive
notification_period             24x7   
notification_interval           30     
notification_options            d,r    
contact_groups                  admins 
register                        0                       ; DONT REGISTER THIS - ITS A TEMPLATE
}

## Default
define host{
use                             linux-box               ; Inherit default values from a template
host_name                       vx111a.jas.com          ; The name we're giving to this server
alias                           RHEL 7                  ; A longer name for the server
address                         172.16.202.96           ; IP address of Remote Linux host
}

  
[root@localhost etc]# cat services.cfg
define service{
        use                     generic-service
        host_name               vx111a.jas.com
        service_description     CPU Load
        check_command           check_nrpe!check_load
        }

define service{
        use                     generic-service
        host_name               vx111a.jas.com
        service_description     Total Processes
        check_command           check_nrpe!check_total_procs
        }

define service{
        use                     generic-service
        host_name               vx111a.jas.com
        service_description     Current Users
        check_command           check_nrpe!check_users
        }

define service{
        use                     generic-service
        host_name               vx111a.jas.com
        service_description     SSH Monitoring
        check_command           check_nrpe!check_ssh
        }

define service{
        use                     generic-service
        host_name               vx111a.jas.com
        service_description     FTP Monitoring
        check_command           check_nrpe!check_ftp
        }

Now the NRPE command definition needs to be created in the commands.cfg file.

[root@tecmint]# vi /usr/local/nagios/etc/objects/commands.cfg

define command{
        command_name check_nrpe
        command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
        }

Now we can see the remote machine being monitored from the Nagios web console.

While working with Nagios, a couple of packages were needed for its internal working. They are installed as follows:

yum install openssl-devel*
yum install xinetd.x86_64*
yum install php.x86_64*

More to come, Happy Learning


Tuesday, June 30, 2015

Tomcat 7 Additional features

Here are some of the additional features of Tomcat 7 compared with previous versions:

1) Embedding Tomcat has become easier than in 6. This helps in integration tests

2) Tomcat cache control - Tomcat 7 provides you an ExpiresFilter that will determine the caching behavior of the clients. This filter controls the setting of the Expires HTTP header and the max-age directive of the Cache-Control HTTP header in server responses.

3) Tomcat 7 implements the Servlet 3 spec. This allows programmatic configuration, including for elements in web.xml

4) error-on-undeclared-namespace - The default behavior when a tag with unknown namespace is used in a JSP page (regular syntax) is to silently ignore it. If this is set to true then an error must be raised during the translation time.

5) MemoryLeak protection -  It’s implemented as a listener which tries to detect and fix the possible memory leaks whenever it can

6) Tomcat 7 provides new aliases that allow storing static content outside the WAR File.

7) A new security feature for Apache Tomcat 7 is Session Fixation Protection. Essentially, when a user authenticates their session, Tomcat will change the session ID. It does not destroy the previous session , rather it renames it so it is no longer found by that ID. 

8) One of the new features with Tomcat 7 is a replacement for the commons-dbcp connection pool. While the commons-dbcp connection pool works fine for small or low traffic applications, it is known to have problems in highly concurrent environments. The replacement is a completely new connection pool which has been written from the ground up, with a focus on highly concurrent environments and performance.

9) The Apache JServ Protocol (AJP) , is a binary protocol that can proxy inbound requests from a web server. Typically used in load balanced web applications where the web server has to pass requests to multiple application servers. New I/O, usually shortened to NIO, is a set of Java APIs that allow for more scalable I/O operations. Among other things, NIO provides support for non-blocking of data connections which ensures a response from the application server. Without NIO, admins must configure their web servers and application servers to match the number of threads between the web server and application server.

10) Addition of the Crawler Session Manager Valve

11) Parallel deployment is supported

12) Use a LockOutRealm. Now standard by default in Tomcat 7, this realm simply protects your application from brute force attacks by locking out the offending account after a number of unsuccessful attempts.

13) Access log enabled by default

14) Instead of using a path of "/foo" like Tomcat 6 did, Tomcat 7 will add a trailing slash to the cookie path, giving "/foo/". This can be disabled by setting the sessionCookiePathUsesTrailingSlash flag to "false" on the <Context> element.

15) A JarScanner element was added which will scan all the jars in the web application lib location. This can be disabled by adding scanpath=false in context.xml

16) useHttpOnly is set to false in 6 and true in 7

17) Tomcat 7 has file upload support, which enables Tomcat users to use file upload functionality within their web applications without the need for additional libraries

18) The Tomcat 7 manager application has a ‘find Leak’ button which triggers a Full GC and also finds the leaks.

19) Deploying from the command line has changed by adding “text” to the URL, like
http://{host}:{port}/manager/text/{command}?{parameters}


Hope this Helps, More to come.

Linux- Physical Cable Communication

In many cases we try reaching google.com in order to find out about our network connection. Linux provides us various ways to check whether a physical cable connection exists. In this article we will see how we can find this out.

Check for the available networks:
[root@localhost work]# ls /sys/class/net/
enp2s0  lo  virbr0

Check whether Physical connection is available,
[root@localhost work]# cat /sys/class/net/enp2s0/carrier
1

[root@localhost work]# cat /sys/class/net/lo/carrier
1
[root@localhost work]# cat /sys/class/net/virbr0/carrier
0

“1” indicates physical connection availability and “0” none.

We can also use the below commands to check the same
[root@localhost work]# cat /sys/class/net/enp2s0/operstate
up

[root@localhost work]# cat /sys/class/net/virbr0/operstate
down


Hope this tip helps,

Clone – Permissions in Linux

Security is one of the important features of Linux. Linux allows us to clone permissions from one file to another. Let's see how we can clone permissions from one file to another.

[root@localhost work]# touch hai1
[root@localhost work]# chmod -R 600 hai1 

[root@localhost work]# stat hai1
  File: ‘hai1’
  Size: 0             Blocks: 0          IO Block: 4096   regular empty file
Device: 807h/2055d    Inode: 432         Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:etc_runtime_t:s0
Access: 2015-06-29 16:37:24.768551308 +0530
Modify: 2015-06-29 16:37:24.768551308 +0530
Change: 2015-06-29 16:37:28.648463096 +0530

[root@localhost work]# touch hai2
[root@localhost work]# chmod -R 755 hai2

[root@localhost work]# stat hai2
  File: ‘hai2’
  Size: 0             Blocks: 0          IO Block: 4096   regular empty file
Device: 807h/2055d    Inode: 433         Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:etc_runtime_t:s0
Access: 2015-06-29 16:37:37.904252603 +0530
Modify: 2015-06-29 16:37:37.904252603 +0530
Change: 2015-06-29 16:37:43.383127957 +0530
 Birth: -

[root@localhost work]# chmod --reference=hai1 hai2

[root@localhost work]# stat hai2
  File: ‘hai2’
  Size: 0             Blocks: 0          IO Block: 4096   regular empty file
Device: 807h/2055d    Inode: 433         Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:etc_runtime_t:s0
Access: 2015-06-29 16:37:37.904252603 +0530
Modify: 2015-06-29 16:37:37.904252603 +0530
Change: 2015-06-29 16:38:46.278689779 +0530


Apache – SSL Configuration

SSL is a protocol for cryptographically securing transactions between a web browser and a web server. In most cases, only the server end is authenticated, which means that the client has a guarantee that the server is who it claims to be. However, once the connection is established, both ends are secure, as only the client and the server have access to the key material. This makes sense since for many transactions, the server doesn't care who the client is, as long as it stays the same client throughout the transaction. In this article we will see how to configure Apache with SSL.

1) Create the Server Key, CSR, and Certificate

[root@localhost work]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:AP
Locality Name (eg, city) [Default City]:HYD
Organization Name (eg, company) [Default Company Ltd]:NOVA
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:Common Name
Email Address []:common@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:jagadesh1982
An optional company name []:MOVA

Now we can see ca.csr, ca.key, domain.key created.

2) Create a Certificate

[root@localhost work]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=IN/ST=AP/L=HYD/O=NOVA/OU=IT/CN=Common Name/emailAddress=common@gmail.com
Getting Private key

Now we can see ca.crt being created.

3) Copy the files
[root@localhost work]# cp ca.crt /etc/pki/tls/certs/
[root@localhost work]# cp ca.key /etc/pki/tls/private/ca.key
[root@localhost work]# cp ca.csr /etc/pki/tls/private/ca.csr

4) Now make the changes to the Apache configuration file httpd.conf as

# https://myproject.local:2443/
Listen 2443

LoadModule ssl_module modules/mod_ssl.so
<VirtualHost *:2443>
 
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
  
    DocumentRoot /var/www/virtual/www.sam1.com/html/
    ServerName myproject.local
    ErrorLog logs/dummy-www.sam1.com-error_log
    CustomLog logs/dummy-www.sam1.com-access_log common

    <Directory "/var/www/virtual/www.sam1.com/html/">
        Options None
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
        Allow from all
    </Directory>

</VirtualHost>

The most important lines are the ones below, which tell Apache about the key and certificate files.
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key

The other important lines are
LoadModule ssl_module modules/mod_ssl.so

Make sure the module is loaded before doing anything else. Now restart the Apache server and access https://myproject.local:2443/, which will show a Confirm Certificate prompt in the browser. Accept the certificate to connect to the server.
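
The key, CSR and certificate steps above as one non-interactive script, followed by two checks worth running before Apache is pointed at the files: that the certificate and private key belong together, and that the key is readable only by its owner. This is an added example, not from the original post; it also generates the private key with openssl genrsa (a step the post does not show), the file names server.key, server.csr and server.crt are constructed, and the CN is taken from the ServerName used above.

```sh
#!/bin/sh
# Added example: key, CSR and self-signed certificate without prompts, then
# the checks to run before pointing SSLCertificateFile and
# SSLCertificateKeyFile at the results. File names are constructed.

# make_selfsigned DIR CN: write server.key, server.csr, server.crt into DIR.
make_selfsigned() {
    dir=$1; cn=$2
    # Create the private key under a restrictive umask so it is never
    # group- or world-readable, even briefly.
    ( umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) || return 1
    # -subj supplies the Distinguished Name instead of the interactive prompts.
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/server.csr" || return 1
    # Self-sign the request with the same key, valid for 365 days.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
}

# cert_matches_key CRT KEY: succeed only if both carry the same public key.
# A mismatched pair makes httpd refuse to start.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# key_mode FILE: print the permission string, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

ssl_work=$(mktemp -d)
trap 'rm -rf "$ssl_work"' EXIT
make_selfsigned "$ssl_work" myproject.local
if cert_matches_key "$ssl_work/server.crt" "$ssl_work/server.key"; then
    echo "certificate and key match, key mode $(key_mode "$ssl_work/server.key")"
else
    echo "certificate and key do NOT match"
fi
```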

Hope this helps, More to come