Reverse proxy:

A reverse proxy is a proxy server that is installed on a server network or on network equipment. Typically, reverse proxies are used in front of Web servers. All connections coming from the Internet addressed to one of the Web servers are routed through the proxy server, which may either deal with the request itself or pass the request wholly or partially to the main web servers. This is useful to hide the real origin server from the client for security reasons, or to dispatch in-bound network traffic to a set of servers, presenting a single interface to the caller, by making load balancing among a cluster of servers.

There are several reasons for installing reverse proxy servers: 1.Security-Reverse proxies provide an additional layer of defense by masking the web server behind the proxy. Reverse proxies can also provide Application firewall features, to protect against common web-based attacks.

2. Encryption / SSL acceleration: when secure websites are created, the SSL encryption is sometimes not done by the Web server itself, but offloaded to a reverse proxy that may be equipped with SSL acceleration hardware.

3.Load distribution: the reverse proxy can distribute the load to several servers, each server serving its own application area.

4.Caching: A reverse proxy can offload the Web servers by caching static content, such as images, as well as dynamic content, such as a web page rendered by PHP.

Configure the Reverse Proxying:

Suppose you have a live web server a.b.c.d and one or two web servers running in private network like (e.f.g.h and i.j.k.l), to access any application running on private server from Live ip procced the following procedure :

1.First be ensured that following modules are installed (come with default configuration of apache):

1(a).mod_proxy

1(b).mod_proxy_html

1(c).mod_proxy_ftp

1(d).mod_proxy_connect

2.Then change the directory to /etc/httpd/conf.d (of the live server) there you will find a file named proxy.conf , in that file append the following lines :

# create new

# a directory you’d like to foward

# a destination directory that is forwared

ProxyPass http://e.f.g.h/application/

ProxyPassReverse http://e.f.g.h/application/ ,

close the file and restart the apache service :

/etc/init.d/httpd restart

chkconfig httpd on

Check if above procedure works:

Browse the link: http://a.b.c.d/application/

Thanks

Ashish Nagar

For our software development we use Subversion – a powerful free tool for version control of files. Any file types are supported, even binary files. To be able to work with Subversion you have to setup a Subversion server. Then you can access the server from Subversion clients.

This blog entry shows one way to setup Subversion server on a Linux machine.

Everything you need to type in the same way as in the text is bold. Everything you can/should change is italic.

1. Install Subversion using a graphical package manager or with the following command:

sudo apt-get install subversion

Do not type the $ – this is just the prompt sign. For Ubuntu users:If your package manager can not find Subversion append the following line to the file /etc/apt/sources.list.

deb http://fr.archive.ubuntu.com/ubuntu hardy-backports main

You must be root to change the file.

2. Create a new user

Now create a new user on your Linux system. I recommend to call the user svn.

3. Create an empty repository

Login as svn. Type the following commands to create a new folder /home/svn/repositories.

cd /home/svn
mkdir repositories
cd repositories

Create a new repositoriy called myrepos:

svnadmin create myrepos

Nobody else than svn should be able to read/write the repository. So type:

chmod 700 myrepos

Start Subversion server as a daemon:

svnserve −−daemon −−root /home/svn/repositories

4. Subversion Server Configuration

Now we need to tell Subversion that it should use authorization to access it. I recommend the following settings.

cd /home/svn/repositories/myrepos/conf
nano svnserve.conf

Under [general] change the appropriate lines as followed:

Do not allow anonymous access at all.

anon-access = none

Authenticated write access is allowed.

auth-access = write

Uncomment the line below to use the default password file.

password-db = passwd

Now we have got an empty Suberversion repository. But in this state nobody can work with it. We need to allow at least one user to work with it.

5. Add a new user

Go to the conf folder with

cd /home/svn/repositories/myrepos/conf
nano passwd

Insert a new line with name and password of the new user like:
john = kdieu30975j

Take care that you use a different password and don’t use the example accidentally.

6. Check out the empty repository locally

Now the new user john can work with the repository. First he needs to check it out to his local machine. So do the following at the machine of the user; not at the server!

Go to the place you want to have the repository checked out. Let’s assume it is the following:

cd ~/code/

Let’s assume you want to have your repository in a folder called work. Check out the empty repository with:

svn checkout −−username john svn://www.server.com/myrepos work

Please don’t forget to use your server instead of the example. You can use an IP address as well.

7. First check in

Now you have got an empty repository. You can start to populate it with files. Just copy the files and folders you want to have into the new work folder. Go to your repository with:

cd /~/code/work

Assuming you added a folder www you can add it with:

svn add www

… and check it in with:

svn commit -m “initial files“

The option -m is followed by the check in comment. You should comment every check in.

eBox

eBox is a web framework used to manage server application configuration. The modular design of eBox allows you to pick and choose which services you want to configure using eBox.

Installation

The different eBox modules are split into different packages, allowing you to only install those necessary. One way to view the available packages is to enter the following from a terminal:

apt-cache rdepends ebox | uniq

To install the ebox package, which contains the default modules, execute the following command:

sudo apt-get install ebox

During the installation you will be asked to supply a password for the ebox user. After installing eBox the web interface can be accessed from: https://yourserver/ebox.

Configuration

An important thing to remember when using eBox is that when configuring most modules there is a Change button that implements the new configuration. After clicking the Change button most, but not all, modules will then need to be Saved. To save the new configuration click on the “Save changes” link in the top right hand corner.

Once you make a change that requires a Save, the link will change from green to red.

eBox Modules

By default all eBox Modules are not enabled, and when a new module is installed it will not be automatically enabled.

To enable a disabled module click on the Module status link in the left hand menu. Then check which modules you would like to enable and click the “Save” link.

Default Modules

This section provides a quick summary of the default eBox modules.

• System: contains options allowing configuration of general eBox items.
  • General: allows you to set the language, port number, and contains a change password form.
  • Disk Usage: displays a graph detailing information about disk usage.
  • Backup: is used to backup eBox configuration information, and the Full Backup option allows you to save all eBox information not included in the Configuration option such as log files.
  • Halt/Reboot: will shutdown the system or reboot it.
  • Bug Report: creates a file containing details helpful when reporting bugs to the eBox developers.
• Logs: allows eBox logs to be queried depending on the purge time configured.
• Events: this module has the ability to send alerts through rss, jabber, and log file.
  • Available Events:
    • Free Storage Space: will send alert if free disk space drops below a configured percentage, 10% by default.
    • Log Observer: unfortunately this event does not work with the eBox version shipped with Ubuntu 7.10.
    • RAID: will monitor the RAID system and send alerts if any issues arise.
    • Service: sends alerts if a service restarts multiple times in a short time period.
    • State: alerts on the state of eBox, either up or down.
  • Dispatchers:
    • Log: this dispatcher will send event messages to the eBox log file /var/log/ebox/ebox.log.
    • Jabber: before enabling this dispatcher you must first configure it by clicking on the “Configure” icon.
    • RSS: once this dispatcher is configured you can subscribe to the link in order to view event alerts.

Additional Modules

Here is a quick description of other available eBox modules:

• Network: allows configuration of the server’s network options through eBox.
• Firewall: configures firewall options for the eBox host.
• UsersandGroups: this module will manage users and groups contained in an OpenLDAP LDAP directory.
• DHCP: provides an interface for configuring a DHCP server.
• DNS: provides BIND9 DNS server configuration options.
• Objects: allow configuration of eBox Network Objects, which allow you to assign a name to an IP address or group of IPs.
• Services: displays configuration information for services that are available to the network.
• Squid: configuration options for the Squid proxy server.
• CA: configures a Certificate Authority for the server.
• NTP: set Network Time Protocol options.
• Printers: allows the configuration of printers.
• Samba: configuration options for Samba.
• OpenVPN: setup options for OpenVPN Virtual Private Network application.

vTiger is an open source Customer Relationship Management software with somewhat better features than SugarCRM. CRM is highly effective to automate the sales workforce and have better accountability on individual’s performance. Apart from sales and marketing modules, it also has features to generate Invoices, Purchase orders, sales orders, maintain inventory, etc. Installation of vTiger is very simple and straight.

Download Latest Source Code for vtiger from its official website. At the time of writing this document, version 5.1.0 is the latest one. Download it and save it one the server in the /tmp folder.

Change Directory and download the source.

cd /tmp
wget –c http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.1.0/vtigercrm-5.1.0.tar.gz

Uncompress the source file

tar xvzf vtigercrm-5.1.0.tar.gz

Move the folder to the webroot with the new folder name of your choice. In this case, vtiger is being configured on Ubuntu hence the default webroot is /var/www/, in Red Hat it would be /var/www/html/.

mv vtigercrm /var/www/zcrm

Change the permissions for the new folder with owner and group as www-data if its being done on Ubuntu Or apache as user and group if its being done on Red Hat.

chown www-data.www-data /var/www/zcrm –R

Start the installation wizard by typing below URL in the browser:

http://IP_ADDRESS_OF_THE_SERVER/zcrm

Once the wizard is started, you would find sequence of below screenshots. Follow the selected options, and enter the required parameters as per your setup.

Now login to mysql database to create new database and assign a username and password with all the privileges. It is insecure to use root mysql user for any web application to connect with database.

$mysql –p
mysql>create database zcrm;
mysql>GRANT ALL PRIVILEGES ON zcrm.* TO 'zcrm'@'localhost' IDENTIFIED BY 'some_pass' WITH GRANT OPTION;

Replace zcrm.* with the database name you have created, ‘zcrm’@’localhost’ with username, and ‘some_pass’ with the password of your choice.

Now continue with the wizard as below:

vTiger is now successfully installed.

OCS is an open source inventory management software to provide detailed statistics on hardware and software usage in any network. Official website for OCS is http://www.ocsinventory-ng.org. To install the OCS Inventory NG, we need to visit the download section from the OCS website. At the time of writing this document, version 1.3.2 is available. Download the package in /var/www/inv directory.

mkdir /var/www/inv
cd /var/www/inv/

Before we start with the OCS installation, we need to install few perquisite software using apt-get:

apt-get install mc openssh-server libxml-simple-perl libcompress-zlib-perl libdbi-perl libdbd-mysql-perl libapache-dbi-perl libnet-ip-perl libsoap-lite-perl php5-gd build-essential libapache2-mod-perl2

Another perl module XML::Entities that is required for SOAP communication can be installed using perl cpan. Execute cpan command and answer the sequence of questions to get the cpan prompt and then install XML::Entities module as shown below:

cpan
cpan> install XML::Entities

Download the OCS package from the website as shown below:

wget -c http://launchpad.net/ocsinventory-server/stable-1.3/1.3.2/+download/OCSNG_UNIX_SERVER-1.3.2.tar.gz

Uncompress the downloaded file:

tar xvzf OCSNG_UNIX_SERVER-1.3.2.tar.gz

Files will be uncompressed under the directory which needs to be moved to the base directory.

mv OCSNG_UNIX_SERVER-1.3.2/* .

Setup requires ocsagent.exe file to be located in “files” folder, so change the directory to ocsreports/files and download the agent file from the OCS official website and unzip the file as shown below:

cd /usr/share/ocsinventory-reports/ocsreports
cd files/
wget -c http://launchpad.net/ocsinventory-windows-agent/trunk/win32-agent-release-4061/+download/OCSNG_WINDOWS_AGENT_4061.1.zip
unzip OCSNG_WINDOWS_AGENT_4061.1.zip

Now start the setup of OCS using the setup.sh bash file. File will prompt for several questions before completing the installation. Once installed, restart the apache services.

/etc/init.d/apache2 restart

Now access the OCS reports from web console:

http://IP_Address/ocsreports/install.php

Put the root username and password for mysql database and the installer will initialize the database. Now login to the web console of OCS using default credentials, “admin”:”admin” (without quotes).

On the client side, unzip the agent component and in the installation wizard provide with the server IP address. Once the script is executed, software and hardware details from the client machine will be visible in OCS console.

Check the firewall settings in workstation/server if the data doesn’t get populated.

Article suggests the step-by-step procedure to install VirtualBox on Ubuntu 10.04 (Lucid Lynx), the latest version of Ubuntu as on date of writing this article. Similar procedure should work on other Ubuntu versions. VirtualBox is a virtualization software using which we would install other operating systems as guest operating systems on the top of host operating system, which is Ubuntu 10.04 server in this case.

Installing VirtualBox on Ubuntu 10.04 is fairly simple and straight forward. Firstly, install the pre-requisites on Ubuntu, these are the software required to compile VirtualBox on the system. Use apt-get to install these as shown below:

apt-get install bcc iasl xsltproc xalan libxalan110-dev uuid-dev zlib1g-dev libidl-dev libsdl1.2-dev libxcursor-dev libqt3-headers libqt3-mt-dev libasound2-dev linux-headers-`uname -r` build-essential libqt4-network libqt4-opengl libqtcore4 libqtgui4

It will take a while to install a long list of software. Once installation is completed successfully, download the VirtualBox software from its official website: http://www.virtualbox.org/wiki/Linux_Downloads. Pick the one as per your Linux version and processor type, in our case, we picked up the latest one for Lycid and i386 processors: http://download.virtualbox.org/virtualbox/3.2.6/virtualbox-3.2_3.2.6-63112~Ubuntu~lucid_i386.deb. Download and install it as shown below:

cd temp
wget -c http://download.virtualbox.org/virtualbox/3.2.6/virtualbox-3.2_3.2.6-63112~Ubuntu~lucid_i386.deb
dpkg -i virtualbox-3.2_3.2.6-63112~Ubuntu~lucid_i386.deb

It will display installation progress messages on the screen and will complete the installation. After successful installation, you may open the VirtualBox screen from below shown menu option:

Thats about it. Follow the VirtualBox documentation to learn on how to create virtual machines.

]]> http://linuxclub.zonixsystems.com/blog/technical-articles/virtualization/virtualbox-on-ubuntu-lucid/feed/ 0 http://linuxclub.zonixsystems.com/blog/technical-articles/network-management-system/network-monitoring-using-nagios/ http://linuxclub.zonixsystems.com/blog/technical-articles/network-management-system/network-monitoring-using-nagios/#comments Mon, 26 Jul 2010 07:47:44 +0000 zonixsystems http://linuxclub.zonixsystems.com/?p=34

Nagios is a popular network monitoring application that helps an administrator to detect the faults in network components. It can also send e-notifications on detection of any fault or outage. Nagios includes following features:

1. Service monitoring (like http, ftp, smtp, dns, ping, etc)
2. Resource monitoring on hosts (like CPU, RAM, HDD, etc.)
3. Users can design their own service checks
4. Sending e-notifications during faults or outage
5. Log rotation
6. Support for redundant monitoring hosts implementation
7. Web Monitoring Console

Licensing

Nagios is licensed under the terms of the GNU General Public License Version 2 as published by the Free Software Foundation. This gives you legal permission to copy, distribute and/or modify Nagios under certain conditions. Read the ‘LICENSE’ file in the Nagios distribution or read the online version of the license for more details.

Installation Environment

This document provides you with fair idea on installation of Nagios on CentOS 4 operating system. The configuration available in this document is to monitor our own servers, and readers may consider this as a quick help to configure more servers as per their monitoring scope and requirements.

“yum” is one of the favorite utilities for most of the administrators. And we are going to install Nagios using the same. Nagios is not available in the default repository of Centos and thereby firstly we need to install rpmforge-release, available at DAG’s rpm repository. Follow below steps to download and install rpmforge-release rpm for Centos 4 and install nagios using “yum”.

Installation

cd /tmp
wget -c http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3...
rpm -ivh rpmforge-release-0.3.6-1.el4.rf.i386.rpm
yum install nagios nagios-plugins nagios-plugins-nrpe nagios-devel

After successful installation of Nagios rpms, you will find “nagios.conf” file in “conf.d” directory of apache. By default, SSL and host based access control is commented in the configuration file. But you may uncomment that to enable further security. Next, we are going to configure a user “nagiosadmin” as a admin user that will have the rights to enter into web-console of Nagios.

htpasswd -c /etc/nagios/htpasswd.users nagiosadmin

Above command will prompt for the password as shown below:

New password:
Re-type new password:
Adding password for user nagiosadmin

Search for following parameters in “/etc/nagios/cgi.cfg” using ‘vi’ editor and replace them with below mentioned:
File: /etc/nagios/cgi.cfg

use_authentication=1
authorized_for_system_information=nagiosadmin
authorized_for_configuration_information=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin

Move the file “localhost.cfg” in “/etc/nagios” to “localhost.cfg.org” as we won’t be using that and are going to monitor remote servers.
Move Default Config.

cd /etc/nagios
mv localhost.cfg localhost.cfg.org

Now edit “nagios.cfg” using ‘vi’ editor to match below lines and leave the rest of the lines intact.
File: /etc/nagios/nagios.cfg

#cfg_file=/etc/nagios/localhost.cfg #This is commented as we moved it to localhost.cfg.org
cfg_file=/etc/nagios/contactgroups.cfg
cfg_file=/etc/nagios/contacts.cfg
cfg_file=/etc/nagios/hostgroups.cfg
cfg_file=/etc/nagios/hosts.cfg
cfg_file=/etc/nagios/services.cfg
cfg_file=/etc/nagios/timeperiods.cfg
check_external_commands=1
command_check_interval=-1

Now create all the files which have been enabled in above configuration file. Also change the file permissions.
Create config Files

touch contactgroups.cfg contacts.cfg hostgroups.cfg hosts.cfg services.cfg timeperiods.cfg
chown nagios.nagios contactgroups.cfg contacts.cfg hostgroups.cfg hosts.cfg services.cfg timeperiods.cfg

We need to place the required contents into created files. Let us start from “timeperiods.cfg”. Open this file into ‘vi’ editor and configure the timing periods like business hours, off hours, weekends, etc. Below are the contents for the same.
File: /etc/nagios/timeperiods.cfg

# '24x7' timeperiod definition
define timeperiod{
timeperiod_name 24x7
alias 24 Hours A Day, 7 Days A Week
sunday 00:00-24:00
monday 00:00-24:00
tuesday 00:00-24:00
wednesday 00:00-24:00
thursday 00:00-24:00
friday 00:00-24:00
saturday 00:00-24:00
}

# 'workhours' timeperiod definition
define timeperiod{
timeperiod_name workhours
alias "Normal" Working Hours
monday 08:00-17:00
tuesday 08:00-17:00
wednesday 08:00-17:00
thursday 08:00-17:00
friday 08:00-17:00
}

# 'nonworkhours' timeperiod definition
define timeperiod{
timeperiod_name nonworkhours
alias Non-Work Hours
sunday 00:00-24:00
monday 00:00-09:00,17:00-24:00
tuesday 00:00-09:00,17:00-24:00
wednesday 00:00-09:00,17:00-24:00
thursday 00:00-09:00,17:00-24:00
friday 00:00-09:00,17:00-24:00
saturday 00:00-24:00
}

# 'none' timeperiod definition
define timeperiod{
timeperiod_name none
alias None
}

Configure contact information for the administrators and create administrator group (optional) who should receive the alerts during fault or outage.
File:/etc/nagios/contacts.cfg

define contact{
contact_name Aggi
alias Aggi
service_notification_period 24x7
host_notification_period 24x7
service_notification_options c,r
host_notification_options d,r
service_notification_commands notify-by-email
host_notification_commands host-notify-by-email
email nms_alerts@zonixsystems.com
}

define contact{
contact_name John
alias John
service_notification_period workhours
host_notification_period workhours
service_notification_options c,r
host_notification_options d,r
service_notification_commands notify-by-email
host_notification_commands host-notify-by-email
email nms_alerts@zonixsystems.com
}

File:/etc/nagios/contactgroups.cfg

define contactgroup{
contactgroup_name Zonix
alias Zonix
members Aggi,John
}

Now configure the hosts and hostgroups (optional) to be monitored in “/etc/nagios/hosts.cgi” and “/etc/nagios/hostgroups.cgi” respectively.
File:/etc/nagios/hosts.cfg

# Generic host definitions
define host{
name generic-host ; Generic template name
notifications_enabled 1 ; Host notifications are enabled
event_handler_enabled 1 ; Host event handler is enabled
flap_detection_enabled 1 ; Flap detection is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information
retain_nonstatus_information 1 ; Retain non-status information
register 0 ; DONT REGISTER THIS DEFINITION
}

define host{
name Template1
use generic-host
check_command check-host-alive
max_check_attempts 5
notification_interval 5
notification_period 24x7
notification_options d,u,r
register 0
}

##### Begin Real Hosts #####

define host{
use Template1
host_name mail.zonixsystems.com
alias mail.zonixsystems.com
address 64.191.80.85
contact_groups Zonix
# notification_options d,r #overrides the basic-host option
}

File:/etc/nagios/hostgroups.cfg

define hostgroup{
hostgroup_name Zonix_Servers
alias Zonix_Servers
members mail.zonixsystems.com
}

Now configure the services you want to monitor and map the hosts with those services. There are few per-defined services in “/etc/nagios/commands.cfg” however you can also configure custom services. Edit “/etc/nagios/services.cfg” to define and map services with the hosts you want to configure.
File:/etc/nagios/services.cfg

define service{
name generic-service ; Generic service name
active_checks_enabled 1 ; Active service checks are enabled
passive_checks_enabled 1 ; Passive service checks are enabled/accepted
parallelize_check 1 ; Active service checks should be parallelized
obsess_over_service 1 ; We should obsess over this service
check_freshness 0 ; Default is to NOT check service 'freshness'
notifications_enabled 1 ; Service notifications are enabled
event_handler_enabled 1 ; Service event handler is enabled
flap_detection_enabled 1 ; Flap detection is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information
retain_nonstatus_information 1 ; Retain non-status information
register 0 ; DONT REGISTER THIS DEFINITION
}

# Generic for all services
define service{
use generic-service
name basic-service
is_volatile 0
check_period 24x7
max_check_attempts 5
normal_check_interval 1
retry_check_interval 3
notification_interval 0
notification_period none
register 0
}

define service{
use basic-service
name ping-service
notification_options n
check_command check_ping!1000.0,20%!2000.0,60%
register 0
}

define service{
use basic-service
name www-service
notification_options n
check_command check_http
register 0
}
define service{
use basic-service
name mail-service
notification_options n
check_command check_smtp
register 0
}

define service{
use ping-service
service_description PING
contact_groups Zonix
hostgroup_name Zonix_Servers
# host_name one_client
}

define service{
use mail-service
service_description MAIL
contact_groups Zonix
hostgroup_name Zonix_Servers
# host_name one_client
}

define service{
use www-service
service_description WWW
contact_groups Zonix
hostgroup_name Zonix_Servers
# host_name one_client
}

In the above configuration, we have used check_ping, check_http and check_smtp commands to monitor servers under Zonix_Servers group. Groups are useful if we need to monitor multiple servers. In this configuration example, we could have used host_name parameter and there should have been no need to configure hostgroups. Now everything is setup and you can make a final testing by using below command to get similar output.

Verify Configuration

nagios -v nagios.cfg

It should result in below output

Nagios 2.10
Copyright (c) 1999-2007 Ethan Galstad (http://www.nagios.org)
Last Modified: 10-21-2007
License: GPL

Reading configuration data...

Running pre-flight check on configuration data...

Checking services...
Checked 3 services.
Checking hosts...
Checked 1 hosts.
Checking host groups...
Checked 1 host groups.
Checking service groups...
Checked 0 service groups.
Checking contacts...
Checked 2 contacts.
Checking contact groups...
Checked 1 contact groups.
Checking service escalations...
Checked 0 service escalations.
Checking service dependencies...
Checked 0 service dependencies.
Checking host escalations...
Checked 0 host escalations.
Checking host dependencies...
Checked 0 host dependencies.
Checking commands...
Checked 22 commands.
Checking time periods...
Checked 4 time periods.
Checking extended host info definitions...
Checked 0 extended host info definitions.
Checking extended service info definitions...
Checked 0 extended service info definitions.
Checking for circular paths between hosts...
Checking for circular host and service dependencies...
Checking global event handlers...
Checking obsessive compulsive processor commands...
Checking misc settings...

Total Warnings: 0
Total Errors: 0

Things look okay – No serious problems were detected during the pre-flight check

Incase of any errors, check the detailed message and fix them accordingly. Once you get “Things look okay” status start the nagios service. Start Nagios

/etc/init.d/nagios start

Now open your internet browser and open nagios web-console to monitor the configured servers. Link to nagios web-console will be http://NAGIOS_SERVER_IP/nagios

For more information: http://nagios.sourceforge.net/docs/2_0/toc.html

Squid is the most popular proxy server in the industry. Along with caching capabilities, squid includes access control lists (ACLs) to restrict users from accessing various internet resources. Although, IP address and MAC based ACLs are possible to configure in Squid. But its difficult to manage ACLs in DHCP environment because IP address keeps on changing with DHCP lease expiry. Secondly, IP address or MAC based restrictions can restrict the user on the basis of his source IP/MAC address. But in case, user logs-in from some different client machine then ACL will get changed as per the new source IP/MAC address. Similarly, if two users share the same machine then it would be hard to apply restrictions for individual user.

To tackle this problem, administrators can configure their squid proxy server to authentication with some central credential store. Credential store can be of basic authentication, similar to HTTP/apache. But with the increasing use of active directory servers in the companies, same credential store can be used by squid to authenticate its users. In this way, users will not have to remember multiple passwords and they will not receive an authentication prompt while accessing any internet website.

In addition to this, by configuring squid to authenticate users against active directory server, ACLs can be configured on group basis. This makes it easier for administrators to grant a user with more rights in squid. This can be done by simply moving his ID from one group to another in active directory, without making any changes to squid configuration. Moreover, administrator will be able to fetch user based reports rather IP address based reports.

Such setup requires configuration of kerberos, ntp, squid and winbind/samba. NTP is required to sync the time of proxy server with active directory server. If there is a time mismatch of more than 5 minutes, then squid will not be able to authenticate you aganist active directory. Following configuration steps needs to be followed in order to achieve squid integration with active directory.

Below configuration was carried out on RHEL 5.0 and active directory was running on Windows 2003 server:

Configure “/etc/hosts” file in proxy server to define its FQDN and also put FQDN of active directory server

127.0.0.1 localhost.localdomain localhost
192.168.1.2 proxy.zonixsystems.com PROXY
172.10.10.11 in-zonixdc.zonixsystems.com in-zonixdc

Now open up “/etc/krb5.conf” to configure few parameters as shown below:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = zonixsystems.com
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
zonixsystems.com = {
kdc = in-zonixdc.zonixsystems.com
admin_server = in-zonixdc.zonixsystems.com
default_domain = zonixsystems.com
kpasswd_server = in-zonixdc.zonixsystems.com
}

[domain_realm]
.zonixsystems.com = zonixsystems.com

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Now sync the clocks of both proxy and AD servers as below. Although, you may set the clocks manually and skip this step of synchronising clocks but its always better to leave your worries to NTP server. Let us sync clock or proxy server first:

Configure NTP on Proxy Server using below command:

ntpdate pool.ntp.org

And then, for windows server, configure NTP on Windows Server

C:\> net time /setsntp:pool.ntp.org
C:\> net stop w32time & net start w32time

Now edit samba configuration, /etc/samba/smb.conf, as shown below:

workgroup = zonixNET
server string = PROXY
security = ADS
auth methods = winbind
encrypt passwords = yes
idmap uid = 70001-90000
winbind enum users = yes
winbind gid = 70001-90000
winbind enum groups = yes
client use spnego = yes
winbind separator = \\
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
password server = 172.10.10.11
realm = zonixsystems.com
dns proxy = no

[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

After saving the above file, start the samba and winbind services as shown below:

Start Samba and Winbind Services

/etc/init.d/smb start

The output will look like:

Starting SMB services: [ OK ]
Starting NMB services: [ OK ]

Now start winbind service as below:

/etc/init.d/winbind start

Output will look like:

Starting Winbind services: [ OK ]

Now join your proxy server to active directory domain. Join Proxy into Active Directory Domain using below command:

net join -S 172.10.10.11 -U aggi

Above command will prompt for password as shown below:

aggi's password:
Using short domain name -- ZONIX
Joined 'PROXY' to realm 'zonixsystems.com'

In case, you are trying this setup by putting proxy server behind the firewall in DMZ zone with your active directory server in LAN zone of firewall. Then be sure that proxy server can access active directory server at port number 88 (udp) for kerberos, 389 (udp & tcp) for LDAP, 53 (udp & tcp) for DNS, 445 (tcp) and 139 (tcp) for microsoft-ds and netbios respectively.

Verify Connections & Fetch user and group lists using below commands:

wbinfo -t #to verify connections
wbinfo -u #to display list of all the users in AD
wbinfo -g #to display list of all the groups in AD

Below is the final squid configuration, /etc/squid/squid.conf, with active directory authentication and ACLs based on AD groups.

cache_effective_user squid
cache_effective_group squid
error_directory /usr/share/squid/errors/English
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
pid_filename /var/run/squid.pid
coredump_dir /var/spool/squid
http_port 100
icp_port 3130
cache_mem 512 MB
maximum_object_size 40000 KB
ipcache_size 2048
fqdncache_size 2048
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_dir ufs /var/spool/squid 6000 14 256

#####For NTLM/AD Authentication###########
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid AD
auth_param basic credentialsttl 2 hours
authenticate_ip_ttl 600 seconds
############

request_body_max_size 5000 MB
refresh_pattern \.gif 240 90% 30240
refresh_pattern \.jpg 240 90% 30240
refresh_pattern \.jpeg 240 90% 30240
refresh_pattern \.exe 240 90% 30240
refresh_pattern \.zip 240 90% 30240
refresh_pattern \.pdf 240 90% 30240
refresh_pattern \.htm 240 50% 10080
refresh_pattern \.shtml 240 50% 10080
refresh_pattern \.asp 240 50% 10080
refresh_pattern . 240 50% 10080
quick_abort_pct 95
quick_abort_min 200 KB

####Start of ACLs######
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 660 #
acl Safe_ports port 389 # LDAP
acl CONNECT method CONNECT
acl ntlm proxy_auth REQUIRED

####External ACL authenticating with AD#####
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=NOIDA,dc=zonixnet,dc=com" -D "cn=administrator,cn=users,dc=zonixnet,dc=com" -f "(&(cn=%a)(member=%v)(objectClass=group))" -F "(|(samAccountName=%s)(cn=%s))" -w ENTER_ADMINISTRATOR_PASSWORD -h 172.10.10.11 -v3 -S

# CGI
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

#####SNMP Configuration for MRTG Reports##########
snmp_port 3401
acl SNMP snmp_community ENTER_SNMP_COMMUNITY_STRING #Avoid "public"
snmp_access allow SNMP all
redirector_access deny CONNECT

#####AD Group based ACLs#######
acl test_group external ldap_group test
acl hr external ldap_group HR
acl vip external ldap_group VIP

#####Delay Pools#
delay_pools 1
delay_class 1 2
delay_parameters 1 500/4000000 250/2
acl SlowGroups proxy_auth test_group
delay_access 1 allow test_group !all

###URL based ACLs###
acl blocked_domains dstdomain "/etc/squid/domains/domains_blacklist"
acl blocked_urls dstdomain "/etc/squid/domains/urls_blacklist"
######Populate above files - We used Squidguard database#####
acl ADs dstdomain "/etc/squid/domains/adv_sources.txt"
acl filetype urlpath_regex "/etc/squid/domains/filetypes.txt"
####3#Above ACLs are to block Advertisements and various file types######

####Deny Access to all but only allow test_group to download filetypes#####
http_access deny all blocked_domains
http_access deny all ADs
http_access deny all blocked_urls
http_access allow test_group filetype
http_access deny all filetype

http_access allow manager all
http_access allow localhost
http_access allow ntlm
http_access allow all
http_reply_access allow all
icp_access allow all

To test out above set-up, open internet browser from some windows machine that is joined in active directory domain. And configure proxy settings into the internet brower. Now try to download some filetype that is blocked in “filetype.txt” file under squid ACLs. If your ID is not present in “test” group of AD, then you will hit an access denied page . Now, close the browser and move your ID from other group to “test” group (as per above example) and try the same procedure again. You should be able to download the file. Similar way, other ACLs can be tested out.

Samba can easily be integrated with most popular open source antivirus i.e. ClamAV. Below mentioned steps can do the job for you. Note that below steps were performed on CentOS 5 64 bit OS with samba version samba-3.0.25b-1.el5_1.4. Few changes might be required in other versions.

Install Samba server using below command, if not already installed

yum install samba

Download ClamAV packages from DAG repository.

wget -c http://dag.wieers.com/rpm/packages/clamav/clamav-db-0.92.1-1.el5.rf.x86_...
wget -c http://dag.wieers.com/rpm/packages/clamav/clamav-0.92.1-1.el5.rf.x86_64.rpm
wget -c http://dag.wieers.com/rpm/packages/clamav/clamd-0.92.1-1.el5.rf.x86_64.rpm

Install the downloaded packages

rpm -ivh clamav-db-0.92.1-1.el5.rf.x86_64.rpm
rpm -ivh clamav-0.92.1-1.el5.rf.x86_64.rpm
rpm -ivh clamd-0.92.1-1.el5.rf.x86_64.rpm

Download source code of samba and samba-vscan:

wget -c ftp://ftp.in2p3.fr/pub/samba/samba-3.0.25b.tar.gz
wget -c http://www.openantivirus.org/download/samba-vscan-0.3.6c-beta4.tar.gz

Uncompress both the packages

tar xvzf samba-vscan-0.3.6c-beta4.tar.gz
tar xvzf samba-3.0.25b.tar.gz

Change the directory to samba source directory

cd samba-3.0.25b/source/

Run autogen.sh file

./autogen.sh

Execute configure script and do make

./configure
make proto

Change directory to samba-vscan

cd ../../samba-vscan-0.3.6c-beta4

Configure samba-vscan by passing the samba source as an argument with configure script

./configure –with-samba-source=../samba-3.0.25b/source/

Execute make

make

If successful, you will find samba-vscan object for all the supported antivirus in the same directory. Copy clamav object to /usr/lib64/samba/vfs/. This would be /usr/lib/samba/vfs in case of 32 bit CentOS

cp vscan-clamav.so /usr/lib64/samba/vfs/

Copy default configuration of vscan-clamav.conf to samba configuration directory

cp clamav/vscan-clamav.conf /etc/samba/

Change dir to /etc/samba

cd /etc/samba/

Edit smb.conf file to add two lines under global section

vi smb.conf

Now copy below two lines to the file

vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

Now edit vscan-clamav.conf file and change the action to be taken if infected file is found and also change the socket of clamd. In our case, it was /tmp/clamd.sock

vi vscan-clamav.conf

Change two directives as shown below:

infected file action = quarantine
clamd socket name = /tmp/clamd.socket

Now start/restart clamd and samba services

/etc/init.d/clamd start
/etc/init.d/smb restart

Make sure that these services start automatically on system reboot

chkconfig smb on
chkconfig clamd on

TESTING:

Enable verbose logging from /etc/samba/vscan-clamav.conf and watch the log file /var/log/messages

Download some test virus from http://www.eicar.org/anti_virus_test_file.htm and paste that to some shared folder at samba server. You will receive a message via windows messenger service (if started) and also you wil notice that infected file will not be available in the shared folder

Instead of entering passwords at SSH login prompt, administrators can login to remote Linux servers using public/private key pair. It can help administrators in following ways:

1. Running commands on multiple server from a single console
2. Automated server backups using scripts
3. No need to remember passwords for multiple servers

Due to limitations in SSH protocol version 1, we recommend to use version 2 of SSH protocol.

Scenario

In this document, we will explain you on how to login from a client machine ‘C’ to a server ‘S’ without using password.

Configuration

Login to the client linux machine ‘C’ via ssh to run below command and press “ENTER” three times:

Generate Key Pair:

ssh-keygen -t dsa

Above command will prompt couple of questions and will generate the key as shown below:

Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is: 34:f3:6a:b4:c2:b8:c9:39:9c:14:3c:3a:70:07:5a:9e
root@test-client

Above command was executed as “root” user, and same can be done as a system user as well. Command will save a public/private key pair in .ssh directory located in HOME directory of the user. As in above case, command was executed as “root” so it will save the key pair in “/root/.ssh/”.

After this, you need to append pubilc key of client machine ‘C’ stored in id_dsa.pub to /root/.ssh/authorized_keys file of linux server ‘S’. To achieve that, run following command from linux client ‘C’. And on the password prompt, enter the user (in this case “root”) password for linux server ‘S’:

Copy Public Key to Server using below command:

scp /root/.ssh/id_dsa.pub root@IP_ADDRESS_OF_SERVER:/tmp root@IP_ADDRESS_OF_SERVER's password: id_dsa.pub 100% 606 0.6KB/s 00:00

Now login to the server machine ‘S’ and execute below command to append the pubilc file of client machine ‘C’ to authorized_keys file

Append Public Key to authorized_keys in server using below command:

cat /tmp/id_dsa.pub >> /root/.ssh/authorized_keys

Every thing has been setup now. For testing, run below command from client machine ‘C’ to verify that you are able to login to remote linux server ‘S’ without entering password.Login to Server using below command

And you would see the bash prompt of the server

[root@SERVER_HOSTNAME ~]#

ssh IP_ADDRESS_OF_SERVER Last login: Sun Dec 14 22:54:59 2007 from IP_ADDRESS 

Now, you can also copy files from serve to client and vice-versa using “scp” without being prompted for password.

WARNING:

Keep you private key (id_dsa) stored in client machine ‘C’ as secret. Anyone having access to the private key can use that for remote login to the server without any further authentication.