<p>Linuxmon.com, <a href="https://linuxmon.com/">https://linuxmon.com/</a> (feed dated 2024-03-29)</p>
<h2>Install and configure Postfix on Ubuntu 16.04 with SendGrid as smarthost</h2>
<p>Published 2018-12-03, updated 2024-03-28, by <a href="https://linuxmon.com/author/mah/">mah</a>. Source: <a href="https://linuxmon.com/install-and-configure-postfix-on-ubuntu-1604-with-Sendgrid-as-smarthost/">https://linuxmon.com/install-and-configure-postfix-on-ubuntu-1604-with-Sendgrid-as-smarthost/</a></p>
<p><a href="https://sendgrid.com/" target="_blank"><img alt="SendGrid" height="40" src="https://linuxmon.com/static/media/uploads/Blog/.thumbnails/sendgrid.png/sendgrid-162x40.png" width="162"/></a></p>
<p>SendGrid is a cloud-based service that sends transactional and marketing email on behalf of your own mail infrastructure.</p>
<p>This post shows how to deliver email to your customers through SendGrid, using Postfix as the local MTA and SendGrid as the smarthost.</p>
<p><strong>1. Install Postfix and a console mail client</strong></p>
<p>Open a terminal and install mailutils (it pulls in Postfix as a dependency):</p>
<pre>$sudo apt-get update<br/>$sudo apt-get install mailutils</pre>
<p>When the installer asks for the mail server configuration type, choose 5, Local only:</p>
<pre>---------------------<br/>Please select the mail server configuration type that best meets your needs.<br/>No configuration:<br/> Should be chosen to leave the current configuration unchanged.<br/> Internet site:<br/> Mail is sent and received directly using SMTP.<br/> Internet with smarthost:<br/> Mail is received directly using SMTP or by running a utility such<br/> as fetchmail. Outgoing mail is sent using a smarthost.<br/> Satellite system:<br/> All mail is sent to another machine, called a 'smarthost', for delivery.<br/> Local only:<br/> The only delivered mail is the mail for local users. There is no network.<br/>1. No configuration 2. Internet Site 3. Internet with smarthost 4. Satellite system 5<strong>. Local only</strong><br/>General type of mail configuration:<br/><span>---------------------</span></pre>
<p>Select 5; we will edit the Postfix configuration by hand later.</p>
<p><strong>2. Getting an API key</strong></p>
<p>Go to sendgrid.com, log in and open Settings -> API Keys.</p>
<p>We need an API key for this host, so click "Create API Key".</p>
<p>Select "Restricted Access": the key only needs to send mail, so grant nothing else.</p>
<p>Under "Mail Send", move the slider all the way to the right:</p>
<p><img alt="" height="99" src="https://linuxmon.com/static/media/uploads/.thumbnails/mailsend.png/mailsend-836x99.png" width="836"/></p>
<p>Then click "Create".</p>
<p>The API key is shown only once and cannot be retrieved later; copy it to a safe place (a password or secrets manager, not a chat or a wiki page).</p>
<p>Click "Done" and return to the terminal.</p>
<p>Create the credentials file:</p>
<pre class="language-text"><code class="language-text">$touch /etc/postfix/sasl_passwd</code></pre>
<p>with this content:</p>
<pre class="language-text"><code class="language-text">[smtp.sendgrid.net]:587 <strong>yourSendGridUsername:yourSendGridPassword</strong></code></pre>
<p>- the username is the literal string 'apikey'</p>
<p>- the password is the API key from the previous step</p>
<pre class="language-text"><code class="language-text">[smtp.sendgrid.net]:587 <strong>apikey:ssdfsejsoudfs<fake apikey>7f98s7d9f8s6d9fsd</strong></code></pre>
<p>Substitute your own key; the value above is a placeholder.</p>
<p><strong>3. Configure Postfix</strong></p>
<p>Add the following to /etc/postfix/main.cf:</p>
<pre class="language-text"><code class="language-text">smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
relayhost = [smtp.sendgrid.net]:587</code></pre>
<p>The file holds the API key, so restrict it to root, then build the hash table Postfix actually reads (postmap writes sasl_passwd.db next to the source file; restrict that file as well). The lookup key in sasl_passwd must match the relayhost value character for character, brackets and port included; if it does not, the lookup fails and Postfix offers no credentials. Note that smtp_tls_security_level = encrypt enforces TLS but does not verify SendGrid's certificate; to verify it, use secure together with smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt.</p>
<pre class="language-bash"><code class="language-bash">$ <span class="token function">sudo</span> <span class="token function">chmod</span> 600 /etc/postfix/sasl_passwd
$ <span class="token function">sudo</span> postmap /etc/postfix/sasl_passwd
$ <span class="token function">sudo</span> <span class="token function">chmod</span> 600 /etc/postfix/sasl_passwd.db</code></pre>
<p>and restart postfix:</p>
<pre class="language-bash"><code class="language-bash">$ <span class="token function">sudo</span> systemctl restart postfix</code></pre>
<p>Send a test message to a real recipient address:</p>
<pre>$mail -s 'test message' <your email>@gmail.com<br/>Cc: <br/>test message </pre>
<p>Press Ctrl+D to send the message.</p>
<p>Check the log (tailf has been removed from util-linux; use tail -f):</p>
<pre>$tail -f /var/log/mail.log<br/><br/>Dec 3 11:00:47 web1 postfix/qmgr[21664]: CD5C41AA039F: from=<developer@your server.com>, size=379, nrcpt=1 (queue active)<br/>Dec 3 11:00:47 web1 postfix/smtp[27502]: CD5C41AA039F: to=<anyour name@gmail.com>, relay=smtp.sendgrid.net[167.89.115.18]:587, delay=0.1, delays=0.01/0.01/0.07/0.01, dsn=2.0.0, status=sent (250 Ok: queued as hus4UVF-QkqTM8e26rf0mw)<br/>Dec 3 11:00:47 web1 postfix/qmgr[21664]: CD5C41AA039F: removed</pre>
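<p>As an added example (not part of the original post and not Postfix code), the following Python script checks a main.cf fragment against the sasl_passwd entry the way Postfix will look it up: it confirms that a credential line exists for the relayhost key (tried as written, then as the bare hostname), that the SendGrid username is the literal apikey, that TLS is enforced rather than opportunistic, and that anonymous SASL mechanisms are excluded. The hardened and weak main.cf fragments and the sasl_passwd line are constructed inline; the key value is a placeholder.</p>

```python
import re

# Constructed main.cf fragment: the settings from this post.
MAIN_CF_OK = """
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
relayhost = [smtp.sendgrid.net]:587
"""

# Constructed weak variant: opportunistic TLS, anonymous SASL allowed, and the
# relayhost written without brackets/port so it no longer matches sasl_passwd.
MAIN_CF_WEAK = """
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_security_level = may
relayhost = smtp.sendgrid.net
"""

# Constructed sasl_passwd line; the key value is a placeholder, not a real key.
SASL_PASSWD = "[smtp.sendgrid.net]:587 apikey:SG.placeholder-not-a-real-key\n"

# Levels at which the Postfix SMTP client refuses to send without TLS.
ENFORCING_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}


def parse_main_cf(text):
    """Parse 'key = value' lines of a main.cf fragment into a dict (no continuation lines)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def parse_sasl_passwd(text):
    """Map each lookup key of sasl_passwd to (username, password)."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, userpass = line.partition(" ")
        user, _, password = userpass.strip().partition(":")
        creds[key] = (user, password)
    return creds


def lookup_keys(relayhost):
    """Keys tried in smtp_sasl_password_maps: the next-hop destination exactly as
    written in relayhost, then (as a fallback) the bare server hostname."""
    m = re.match(r"\[?([^\]:]+)\]?(?::\d+)?$", relayhost)
    host = m.group(1) if m else relayhost
    return [relayhost] if host == relayhost else [relayhost, host]


def check_relay(main_cf_text, sasl_text):
    """Return a list of findings; an empty list means the relay config is consistent."""
    conf = parse_main_cf(main_cf_text)
    creds = parse_sasl_passwd(sasl_text)
    findings = []

    relayhost = conf.get("relayhost", "")
    if not relayhost:
        findings.append("relayhost is not set")
    if conf.get("smtp_sasl_auth_enable") != "yes":
        findings.append("smtp_sasl_auth_enable is not 'yes'; Postfix will not authenticate")

    entry = next((creds[k] for k in lookup_keys(relayhost) if k in creds), None)
    if entry is None:
        findings.append("no sasl_passwd entry matches relayhost %r (key must match exactly)" % relayhost)
    elif entry[0] != "apikey":
        findings.append("SendGrid expects the literal username 'apikey', got %r" % entry[0])

    if conf.get("smtp_tls_security_level", "none") not in ENFORCING_TLS:
        findings.append("TLS not enforced: the API key could be sent over an unencrypted session")
    if "noanonymous" not in conf.get("smtp_sasl_security_options", "").split(","):
        findings.append("smtp_sasl_security_options lacks noanonymous")
    return findings


if __name__ == "__main__":
    for name, cf in (("hardened", MAIN_CF_OK), ("weak", MAIN_CF_WEAK)):
        print(name, check_relay(cf, SASL_PASSWD) or "OK")
```

<p>The weak fragment produces three findings (no matching credential key, TLS optional, anonymous mechanisms allowed); the fragment from this post produces none. Run it against your own files by reading them in place of the constructed strings.</p>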
<p>Done. Your server or web application can now send notifications to your customers through SendGrid.</p>
<p>Links:</p>
<p><a href="https://sendgrid.com/docs/for-developers/sending-email/postfix/">https://sendgrid.com/docs/for-developers/sending-email/postfix/</a></p>
<h2>GeoIP and nginx: how to block visitors by country</h2>
<p>Published 2018-04-05, updated 2024-03-28, by <a href="https://linuxmon.com/author/mah/">mah</a>. Source: <a href="https://linuxmon.com/geoip-and-nginx/">https://linuxmon.com/geoip-and-nginx/</a></p>
<p>Operating system: Ubuntu 16.04</p>
<p>First, check that nginx was built with the GeoIP module:</p>
<pre>$ nginx -V<br/>nginx version: nginx/1.10.3 (Ubuntu)<br/>built with OpenSSL 1.0.2g 1 Mar 2016<br/>TLS SNI support enabled<br/>configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' <br/>--with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf <br/>--http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid <br/>--http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy <br/>--http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module <br/>--with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module <br/><strong>--with-http_geoip_module</strong> --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module <br/>--with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads</pre>
<p>It was (--with-http_geoip_module is in the configure arguments).</p>
<p>Install the GeoIP database package:</p>
<pre>$ sudo apt-get install geoip-database</pre>
<p>The databases are installed in /usr/share/GeoIP:</p>
<p>GeoIP.dat -> IPv4</p>
<p>GeoIPv6.dat -> IPv4 and IPv6</p>
<p>These are the legacy MaxMind GeoLite databases, which MaxMind stopped updating at the start of 2019, so country lookups drift over time; for current data use the GeoLite2 (.mmdb) databases with the third-party ngx_http_geoip2_module.</p>
<p>Go to nginx config:</p>
<pre>$ cd /etc/nginx</pre>
<p>In the http section add the following rows (the map block must come after geoip_country; the geo block lists addresses that are allowed even when their country is not):</p>
<pre>http{
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allow_visit {<br/> default no;<br/> US yes; # enable USA IPs<br/> CA yes; # enable Canada IPs<br/>}
geo $exclusions {<br/> default 0;<br/> 10.0.1.126 1; # here comes allowed IP that is in blocked country list<br/> 10.0.0.0/24 1;<br/> 172.68.58.75 1;<br/> 10.0.0.7 1;
}
# Rest of config<br/><br/><span>#..... <br/>}</span></pre>
<p>Save it and go to the virtual host file (in sites-enabled).</p>
<p>Add the following inside the server section:</p>
<pre>server {
#.... some config
location / {<br/> if ($allow_visit = yes) {<br/> set $exclusions 1;<br/> }<br/> if ($exclusions = "0") {<br/> return 403;<br/> }
#...
# rest of config
}</pre>
<p>Almost done. Test the configuration with nginx -t, then reload nginx:</p>
<pre>sudo /etc/init.d/nginx reload<br/>[ ok ] Reloading nginx configuration (via systemctl): nginx.service.</pre>
<p>Check from an address in a blocked country (any online site-availability checker will do) that the server answers 403. If the site sits behind a CDN or reverse proxy, $remote_addr is the proxy's address and every visitor is geolocated to it; enable the realip module (set_real_ip_from and real_ip_header) so the GeoIP lookup sees the client address.</p>
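<p>To see how the map, geo and the two if statements combine, here is an added Python model of the same decision (example code, not part of the original post and not nginx code). country_allows mirrors the map block, geo_exclusions mirrors the geo block with nginx's most-specific-prefix rule, and decide replays the two if statements in location /. The country codes and addresses are the constructed values from the configuration above; an empty country code stands for a failed lookup, which is what $geoip_country_code holds for private or unknown addresses.</p>

```python
import ipaddress

# map $geoip_country_code $allow_visit { default no; US yes; CA yes; }
ALLOWED_COUNTRIES = {"US", "CA"}

# geo $exclusions { default 0; ... 1; } with the constructed entries from the config above
GEO_EXCLUSIONS = [
    (ipaddress.ip_network("10.0.1.126/32"), "1"),
    (ipaddress.ip_network("10.0.0.0/24"), "1"),
    (ipaddress.ip_network("172.68.58.75/32"), "1"),
    (ipaddress.ip_network("10.0.0.7/32"), "1"),
]


def country_allows(country_code):
    """The map block: an empty or unknown code falls through to 'default no'."""
    return "yes" if country_code in ALLOWED_COUNTRIES else "no"


def geo_exclusions(client_ip, default="0"):
    """The geo block: nginx returns the value of the most specific matching prefix."""
    addr = ipaddress.ip_address(client_ip)
    matches = [(net.prefixlen, value) for net, value in GEO_EXCLUSIONS if addr in net]
    return max(matches)[1] if matches else default


def decide(client_ip, country_code):
    """Replay the two 'if' blocks in 'location /':
         if ($allow_visit = yes) { set $exclusions 1; }
         if ($exclusions = "0")  { return 403; }
    Returns the HTTP status the client gets (200 means the request proceeds)."""
    exclusions = geo_exclusions(client_ip)
    if country_allows(country_code) == "yes":
        exclusions = "1"
    return 403 if exclusions == "0" else 200


if __name__ == "__main__":
    # (client address, country code from geoip_country); "" means the lookup found
    # nothing, which is what private addresses return
    for ip, cc in [("203.0.113.5", "US"), ("203.0.113.5", "DE"),
                   ("10.0.0.50", ""), ("198.51.100.7", "")]:
        print(ip, cc or "(none)", decide(ip, cc))
```

<p>Note the order of evaluation: an address in the exclusion list passes regardless of country, and an allowed country passes regardless of the list, so the list is only needed for monitors and administrators outside the allowed countries.</p>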
<h2>Protect your web site with Fail2Ban!</h2>
<p>Published 2017-05-23, updated 2024-03-29, by <a href="https://linuxmon.com/author/mah/">mah</a>. Source: <a href="https://linuxmon.com/protect-site-fail2ban-ubuntu/">https://linuxmon.com/protect-site-fail2ban-ubuntu/</a></p>
<p><span><img alt="Fail2Ban" height="124" src="https://linuxmon.com/static/media/uploads/Blog/.thumbnails/fail2ban.jpg/fail2ban-124x124.jpg" width="124"/></span></p>
<p><span>From <a href="https://en.wikipedia.org/wiki/Fail2ban">Wikipedia</a>:</span></p>
<p><span>Fail2Ban operates by monitoring </span><a class="mw-redirect" href="https://en.wikipedia.org/wiki/Computer_data_logging" title="Computer data logging">log files</a><span> (e.g. </span><tt>/var/log/auth.log</tt><span>, </span><tt>/var/log/apache/access.log</tt><span>, etc.) for selected entries and running scripts based on them. Most commonly this is used to block selected </span><a href="https://en.wikipedia.org/wiki/IP_address" title="IP address">IP addresses</a><span> that may belong to </span><a href="https://en.wikipedia.org/wiki/Host_(network)" title="Host (network)">hosts</a><span> that are trying to breach the system's security. It can ban any host IP address that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator. Fail2Ban is typically set up to unban a blocked host within a certain period, so as to not "lock out" any genuine connections that may have been temporarily misconfigured. However, an unban time of several minutes is usually enough to stop a network connection being </span><a href="https://en.wikipedia.org/wiki/Denial-of-service_attack" title="Denial-of-service attack">flooded</a><span> by malicious connections, as well as reducing the likelihood of a successful </span><a href="https://en.wikipedia.org/wiki/Dictionary_attack" title="Dictionary attack">dictionary attack</a><span>.</span></p>
<h2>Install and Configure fail2ban on Ubuntu server</h2>
<p>Note: all of the commands below require root privileges.</p>
<div class="video-container"><iframe allowfullscreen="allowfullscreen" height="315" src="https://www.youtube.com/embed/haq_bHROWBE" width="560"></iframe></div>
<p>Update the package index and install fail2ban:</p>
<pre>$sudo apt-get update<br/>$sudo apt-get install fail2ban</pre>
<p>Go to /etc/fail2ban:</p>
<pre>$cd /etc/fail2ban/</pre>
<p>Copy jail.conf to jail.local; jail.local overrides jail.conf and is not overwritten by package upgrades:</p>
<pre>$sudo cp jail.conf jail.local</pre>
<p>This will be the main fail2ban configuration file.</p>
<p>Out of the box, fail2ban already protects the server on TCP port 22 (ssh) with this jail in /etc/fail2ban/jail.local (the log excerpts in this post come from fail2ban 0.8; in 0.9 and later, as shipped with Ubuntu 16.04, the jail is named [sshd]):</p>
<pre>[ssh]<br/>enabled = true<br/>port = ssh<br/>filter = sshd<br/>logpath = /var/log/auth.log<br/>maxretry = 6</pre>
<p>This means: watch /var/log/auth.log for failed authentication attempts. The last pattern of the sshd filter (shown below) matches pam_unix lines of this shape; the line here is from the author's Dovecot/PAM log, the sshd version reads pam_unix(sshd:auth) instead:</p>
<pre>May 14 20:43:12 exim auth worker: PASSV: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=test@lnxmon.com rhost=45.58.99.<hidden></pre>
<p>After 6 attempts the address is blocked with iptables.</p>
<pre>filter = sshd</pre>
<p>means the sshd filter is used. It lives in /etc/fail2ban/filter.d/sshd.conf; find the failregex block in that file:</p>
<pre>failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$<br/> ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$<br/> ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$<br/> ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$<br/> ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$<br/> ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$<br/> ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$<br/> ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$<br/> ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$<br/> ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$<br/> ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$<br/> ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$<br/> ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$<br/> ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$<br/> ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$<br/> ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$</pre>
<p>These are the regular expressions that are matched against /var/log/auth.log.</p>
<p>You can add your own filters and expressions. For a WordPress site, create a filter:</p>
<pre>$sudo touch /etc/fail2ban/filter.d/wp-auth.conf</pre>
<p>and paste the following into it:</p>
<pre># WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf:<br/>#<br/># Block IPs trying to auth wp wordpress<br/>#<br/># Matches e.g.<br/># pay attention in this raw:<br/># 12.34.33.22 - [07/Jun/2014:11:15:29] "POST /wp/wp-login.php HTTP/1.0" 200 4523<br/># 12.34.33.22 - [07/Jun/2014:11:15:29] "GET /wp-content HTTP/1.0" 200 4523</pre>
<pre><br/># fail2ban will scan log file and will be find like this and block ip address<br/><br/>[Definition]<br/><strong>failregex = ^<HOST> .* "GET \/(wp-login.php|xmlrpc.php)</strong><br/><br/>ignoreregex =</pre>
<p>fail2ban looks for this expression in the log file:</p>
<pre>^<HOST> .* "GET \/(wp-login.php|xmlrpc.php)</pre>
<p>Note that it only matches GET requests, and a GET of wp-login.php is what every legitimate user does to load the login form, so with maxretry = 3 an administrator who reloads the page a few times bans themselves. WordPress submits credentials with POST, so a login-attempt filter should match "POST /(wp-login\.php|xmlrpc\.php)" instead (with the dots escaped).</p>
<p>Then create a jail for it. Open /etc/fail2ban/jail.local and append at the bottom:</p>
<pre>[wp-auth]<br/>enabled = true<br/>filter = wp-auth<br/>action = iptables-multiport[name=NoAuthFailures, port="http,https"]<br/># change logpath to your web server's access log<br/>logpath = /var/www/mezzanine/logs/ssl_access.log<br/>bantime = 86400<br/>maxretry = 3</pre>
<p>After 3 matches within findtime (600 seconds by default) fail2ban blocks the address for 86400 seconds (24 hours).</p>
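<p>To see what the filter actually catches, here is an added Python replay of fail2ban's counting over a few constructed access-log lines (example code, not from the original post and not fail2ban's own code). It applies the post's GET-based failregex and, beside it, a POST-based one, with maxretry = 3 and fail2ban's default findtime of 600 seconds; <HOST> is approximated by \S+. The log lines and addresses are constructed.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (combined-log shape, as in the filter's comments).
# 203.0.113.9 hammers the login form with POSTs; 198.51.100.7 is an administrator
# who reloads the login page three times and then logs in once.
LOG_LINES = [
    '203.0.113.9 - - [07/Jun/2014:11:15:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4523',
    '203.0.113.9 - - [07/Jun/2014:11:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523',
    '203.0.113.9 - - [07/Jun/2014:11:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523',
    '203.0.113.9 - - [07/Jun/2014:11:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4523',
    '203.0.113.9 - - [07/Jun/2014:11:15:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 4523',
    '198.51.100.7 - - [07/Jun/2014:11:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4523',
    '198.51.100.7 - - [07/Jun/2014:11:20:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4523',
    '198.51.100.7 - - [07/Jun/2014:11:21:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4523',
    '198.51.100.7 - - [07/Jun/2014:11:21:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.44 - - [07/Jun/2014:11:22:00 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 900',
]

# fail2ban replaces <HOST> with its own address pattern; \S+ is enough for these lines.
HOST = r"(?P<host>\S+)"

# The post's filter, exactly as written (GET only, dots unescaped).
GET_REGEX = re.compile(r'^' + HOST + r' .* "GET \/(wp-login.php|xmlrpc.php)')
# A login-attempt filter: WordPress submits credentials with POST.
POST_REGEX = re.compile(r'^' + HOST + r' .* "POST /(wp-login\.php|xmlrpc\.php)')

TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})")


def line_time(line):
    """Parse the [day/Mon/year:h:m:s] timestamp of an access-log line."""
    return datetime.strptime(TIMESTAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S")


def banned_hosts(lines, failregex, maxretry=3, findtime=600):
    """Replay fail2ban's counting: a host is banned once it has maxretry matches
    inside a sliding window of findtime seconds. Returns the set of banned hosts."""
    recent = defaultdict(list)
    banned = set()
    for line in lines:
        m = failregex.match(line)
        if not m:
            continue
        host, now = m.group("host"), line_time(line)
        recent[host] = [t for t in recent[host] if now - t <= timedelta(seconds=findtime)]
        recent[host].append(now)
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("GET filter bans :", banned_hosts(LOG_LINES, GET_REGEX))
    print("POST filter bans:", banned_hosts(LOG_LINES, POST_REGEX))
```

<p>With the GET filter the only banned host is the administrator; with the POST filter it is the brute forcer. The same replay works on a real log: read the file into LOG_LINES and try a candidate failregex before putting it into filter.d.</p>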
<p>To make sure fail2ban never bans your own address (for example while you are working in the admin panel), add it to ignoreip in the [DEFAULT] section of /etc/fail2ban/jail.local, without the angle brackets:</p>
<pre>[DEFAULT]<br/>ignoreip = 127.0.0.1/8 <your ip_address> </pre>
<p>Save the file; fail2ban will ignore the listed addresses. Note that ignoreip does not restrict who can reach the admin panel, it only exempts those addresses from bans.</p>
<p>You can test your own filters against a log file with fail2ban-regex:</p>
<pre>$fail2ban-regex ssl_access.log /etc/fail2ban/filter.d/wp-auth.conf<br/>Running tests<br/>=============<br/>Use failregex file : /etc/fail2ban/filter.d/wp-auth.conf<br/>Use log file : ssl_access.log<br/>Results<br/>=======<br/>Failregex: 5540 total<br/>|- #) [# of hits] regular expression<br/>| 1) [4686] ^<HOST> .* "GET \/(wp-login.php|xmlrpc.php)<br/>| 2) [854] ^<HOST> .* "GET \/(wp-content)<br/>`-<br/><br/>Ignoreregex: 0 total<br/><br/>Date template hits:<br/>|- [# of hits] date format<br/>| [19758] Day/MONTH/Year:Hour:Minute:Second<br/>`-<br/><br/>Lines: 19758 lines, 0 ignored, 5540 matched, 14218 missed<br/>Missed line(s):: too many to print. Use --print-all-missed to print all 14218 lines<br/><br/><br/></pre>
<p>The filters match. The second expression in this output, GET /wp-content, came from the author's filter file at the time and is not in the filter shown above; match counts as high as these deserve a look, because an expression that matches ordinary page views bans real visitors. After any change restart fail2ban:</p>
<pre>$sudo service fail2ban restart</pre>
<p>Details are logged to /var/log/fail2ban.log, including which addresses were banned and unbanned:</p>
<pre>.....<br/>2017-05-21 06:48:30,205 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11<br/>2017-05-22 01:42:51,534 fail2ban.actions: WARNING [wp-auth] Ban 60.241.112.205<br/><strong>2017-05-22 01:42:53,597 fail2ban.actions: INFO [wp-auth] 60.241.112.<hidden>. already banned</strong><br/><strong>2017-05-22 01:42:56,601 fail2ban.actions: INFO [wp-auth] 60.241.112.<hidden>. already banned</strong><br/><strong>2017-05-23 01:42:52,254 fail2ban.actions: WARNING [wp-auth] Unban 60.241.112.205</strong><br/>2017-05-23 09:37:02,946 fail2ban.actions: WARNING [wp-auth] Ban 185.119.81.24<br/>2017-05-23 10:07:06,785 fail2ban.server : INFO Stopping all jails<br/>2017-05-23 10:07:07,541 fail2ban.actions: WARNING [wp-auth] Unban 185.119.81.24<br/>.....</pre>
<p>You can also inspect the iptables chains fail2ban created:</p>
<pre>$sudo iptables -S<br/>-P INPUT ACCEPT<br/>-P FORWARD ACCEPT<br/>-P OUTPUT ACCEPT<br/>-N fail2ban-NoAuthFailures<br/>-N fail2ban-ssh<br/>-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-NoAuthFailures<br/>-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh<br/>-A FORWARD -i tun0 -j ACCEPT<br/>-A FORWARD -o tun0 -j ACCEPT<br/>-A FORWARD -o eth0 -j ACCEPT<br/>-A FORWARD -i eth0 -j ACCEPT<br/>-A fail2ban-NoAuthFailures -j RETURN<br/>-A fail2ban-ssh -j RETURN</pre>
<p>No address is banned yet: both fail2ban chains contain only a RETURN rule.</p>
<p>Links:</p>
<p><a href="https://www.fail2ban.org/wiki/index.php/Main_Page">https://www.fail2ban.org/wiki/index.php/Main_Page</a></p>
<h2>Configure IPMITOOL remotely over ssh</h2>
<p>Published 2017-04-25, updated 2024-03-28, by <a href="https://linuxmon.com/author/mah/">mah</a>. Source: <a href="https://linuxmon.com/configure-ipmitool-remotely-over-ssh/">https://linuxmon.com/configure-ipmitool-remotely-over-ssh/</a></p>
<p>IPMI (Intelligent Platform Management Interface) is an open-standard hardware management interface.</p>
<p>It lets you control a server remotely: read sensors, power-cycle it, view system information.</p>
<p>Install:</p>
<pre>$sudo apt-get install ipmitool</pre>
<p>Running ipmitool without arguments lists the available commands:</p>
<pre># ipmitool</pre>
<pre>No command provided!
Commands:
 raw Send a RAW IPMI request and print response
 i2c Send an I2C Master Write-Read command and print response
 spd Print SPD info from remote I2C device
 <strong>lan Configure LAN Channels</strong>
 chassis Get chassis status and set power state
 power Shortcut to chassis power commands
 event Send pre-defined events to MC
 mc Management Controller status and global enables
 sdr Print Sensor Data Repository entries and readings
 sensor Print detailed sensor information
 fru Print built-in FRU and scan SDR for FRU locators
 gendev Read/Write Device associated with Generic Device locators sdr
 sel Print System Event Log (SEL)
 pef Configure Platform Event Filtering (PEF)
 sol Configure and connect IPMIv2.0 Serial-over-LAN
 tsol Configure and connect with Tyan IPMIv1.5 Serial-over-LAN
 isol Configure IPMIv1.5 Serial-over-LAN
 user Configure Management Controller users
 channel Configure Management Controller channels
 session Print session information
 dcmi Data Center Management Interface
 sunoem OEM Commands for Sun servers
 kontronoem OEM Commands for Kontron devices
 picmg Run a PICMG/ATCA extended cmd
 fwum Update IPMC using Kontron OEM Firmware Update Manager
 firewall Configure Firmware Firewall
 delloem OEM Commands for Dell systems
 shell Launch interactive IPMI shell
 exec Run list of commands from file
 set Set runtime variable for shell and exec
 hpm Update HPM components using PICMG HPM.1 file
 ekanalyzer run FRU-Ekeying analyzer using FRU files
 ime Update Intel Manageability Engine Firmware</pre>
<p>Set the LAN configuration:</p>
<pre>#ipmitool lan</pre>
<pre>LAN Commands:
 print [<channel number>]
 <strong>set <channel number> <command> <parameter></strong>
 alert print <channel number> <alert destination>
 alert set <channel number> <alert destination> <command> <parameter>
 stats get [<channel number>]
 stats clear [<channel number>]</pre>
<p><strong>The channel number is usually 1.</strong></p>
<pre>#ipmitool lan print 1</pre>
<pre>Set in Progress : Set Complete
Auth Type Support : NONE MD2 MD5 PASSWORD
Auth Type Enable : Callback : MD2 MD5
 : User : MD2 MD5
 : Operator : MD2 MD5
 : Admin : MD2 MD5
 : OEM : MD2 MD5
IP Address Source : Static Address
IP Address : 10.0.1.10
Subnet Mask : 255.255.255.0
MAC Address : 00:24:e8:7a:c6:bd
SNMP Community String : public
IP Header : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
Default Gateway IP : 10.0.1.1
Default Gateway MAC : 00:00:00:00:00:00
Backup Gateway IP : 0.0.0.0
Backup Gateway MAC : 00:00:00:00:00:00
802.1q VLAN ID : Disabled
802.1q VLAN Priority : 0
RMCP+ Cipher Suites : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max : aaaaaaaaaaaaaaa
 : X=Cipher Suite Unused
 : c=CALLBACK
 : u=USER
 : o=OPERATOR
 : a=ADMIN
 : O=OEM</pre>
<p>Before changing anything, note what this output reveals: auth type NONE is supported, the SNMP community string is the default public, and every RMCP+ cipher suite, including suite 0, is enabled at ADMIN level. Cipher suite 0 provides no authentication, integrity or confidentiality, so any host that can reach the BMC can run commands with nothing more than a valid username; disable it with the cipher_privs option shown below (position 0 set to X) and keep the BMC on an isolated management network. Now let's change the IP address of the BMC interface:</p>
<pre># ipmitool lan set</pre>
<pre>usage: lan set <channel> <command> <parameter></pre>
<pre>LAN set command/parameter options:
 <strong>ipaddr</strong> <x.x.x.x> Set channel IP address
 <strong>netmask</strong> <x.x.x.x> Set channel IP netmask
 macaddr <x:x:x:x:x:x> Set channel MAC address
 defgw ipaddr <x.x.x.x> Set default gateway IP address
 defgw macaddr <x:x:x:x:x:x> Set default gateway MAC address
 bakgw ipaddr <x.x.x.x> Set backup gateway IP address
 bakgw macaddr <x:x:x:x:x:x> Set backup gateway MAC address
 password <password> Set session password for this channel
 snmp <community string> Set SNMP public community string
 user Enable default user for this channel
 access <on|off> Enable or disable access to this channel
 alert <on|off> Enable or disable PEF alerting for this channel
 arp respond <on|off> Enable or disable BMC ARP responding
 arp generate <on|off> Enable or disable BMC gratuitous ARP generation
 arp interval <seconds> Set gratuitous ARP generation interval
 vlan id <off|<id>> Disable or enable VLAN and set ID (1-4094)
 vlan priority <priority> Set vlan priority (0-7)
 auth <level> <type,..> Set channel authentication types
 level = CALLBACK, USER, OPERATOR, ADMIN
 type = NONE, MD2, MD5, PASSWORD, OEM
 ipsrc <source> Set IP Address source
 none = unspecified source
 static = address manually configured to be static
 dhcp = address obtained by BMC running DHCP
 bios = address loaded by BIOS or system software
 cipher_privs XXXXXXXXXXXXXXX Set RMCP+ cipher suite privilege levels
 X = Cipher Suite Unused
 c = CALLBACK
 u = USER
 o = OPERATOR
 a = ADMIN
 O = OEM</pre>
<pre># ipmitool lan set 1 ipaddr 10.0.1.156<br/>Setting LAN IP Address to 10.0.1.156</pre>
<p>Done. Now set the netmask:</p>
<pre># ipmitool lan set 1 netmask 255.255.255.0<br/>Setting LAN Subnet Mask to 255.255.255.0</pre>
<p>and the default gateway:</p>
<pre># ipmitool lan set 1 defgw ipaddr 10.0.1.1<br/>Setting LAN Default Gateway IP to 10.0.1.1</pre>
<p>These addresses are only an example; use your own.</p>
<p>Now check that the new address answers:</p>
<pre>ping 10.0.1.156<br/>PING 10.0.1.156 (10.0.1.156) 56(84) bytes of data.<br/>64 bytes from 10.0.1.156: icmp_seq=1 ttl=64 time=48.7 ms<br/>64 bytes from 10.0.1.156: icmp_seq=2 ttl=64 time=0.587 ms</pre>
<p>Add an admin user or change its password:</p>
<pre># ipmitool user<br/>User Commands:<br/> summary [<channel number>]<br/> <strong>list</strong> [<channel number>] # - <strong>list of users for administration</strong><br/> set name <user id> <username><br/> set password <user id> [<password>]<br/> disable <user id><br/> enable <user id><br/> priv <user id> <privilege level> [<channel number>]<br/> test <user id> <16|20> [<password]></pre>
<pre>root@pf1:/opt/logs# ipmitool user list 1<br/>ID Name Callin Link Auth IPMI Msg Channel Priv Limit<br/>2 ADMIN true true true ADMINISTRATOR</pre>
<p>There is one user, ADMIN (<b>case sensitive</b>), with ID 2.</p>
<p>Change its password:</p>
<pre># ipmitool user set password 2 newpassword</pre>
<p>If there are no errors, we are done. A password given on the command line ends up in the shell history and is visible in the process list while the command runs; the password argument is optional, so omit it and ipmitool prompts for it instead. IPMI passwords are limited to 16 characters (20 with IPMI 2.0), which is what the 16|20 in the test command refers to.</p>
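<p>As an added example (not from the original post and not ipmitool code), the following Python script audits a constructed copy of the lan print output above and builds the cipher_privs string for lan set that disables cipher suite 0, keeping only suite 3 (RAKP-HMAC-SHA1 authentication, HMAC-SHA1-96 integrity, AES-CBC-128 confidentiality). It covers both the channel settings and the user section: run it before changing the password to see what the channel exposes. The listing text is constructed to match the output in this post; the X/c/u/o/a/O legend and the suite numbering come from ipmitool's own help shown above, and the classification of suites 0, 1 and 2 follows the IPMI 2.0 cipher suite table.</p>

```python
# Constructed 'ipmitool lan print 1' output with the fields and values of the listing
# in this post (not captured from a real BMC).
LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5
                        : User     : MD2 MD5
                        : Admin    : MD2 MD5
IP Address Source       : Static Address
IP Address              : 10.0.1.10
Subnet Mask             : 255.255.255.0
SNMP Community String   : public
Default Gateway IP      : 10.0.1.1
RMCP+ Cipher Suites     : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# IPMI 2.0 cipher suites: 0 has no authentication, integrity or confidentiality;
# 1 and 2 authenticate (2 also has integrity) but carry traffic in the clear.
NO_AUTH_SUITES = {0}
NO_CONFIDENTIALITY_SUITES = {1, 2}


def parse_lan_print(text):
    """Turn 'Key : Value' lines into a dict; indented ': ...' continuation lines are
    appended to the previous key's value."""
    fields = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and line.lstrip().startswith(":"):
            if last is not None:
                fields[last] += "\n" + line.lstrip()[1:].strip()
            continue
        key, _, value = line.partition(":")
        last = key.strip()
        fields[last] = value.strip()
    return fields


def audit_lan(fields):
    """Return (severity, message) findings for the classic BMC weak spots."""
    findings = []
    if "NONE" in fields.get("Auth Type Support", "").split():
        findings.append(("warn", "IPMI 1.5 auth type NONE is supported on this channel"))
    if fields.get("SNMP Community String", "").lower() == "public":
        findings.append(("warn", "SNMP community string is the default 'public'"))

    suites = [int(s) for s in fields.get("RMCP+ Cipher Suites", "").split(",") if s.strip()]
    # First line only: the legend lines were appended as continuations.
    privs = fields.get("Cipher Suite Priv Max", "").splitlines()[0]
    for suite in suites:
        if suite >= len(privs) or privs[suite] == "X":
            continue  # suite unused
        if suite in NO_AUTH_SUITES:
            findings.append(("critical", "cipher suite 0 enabled at privilege '%s': "
                                         "sessions need no authentication" % privs[suite]))
        elif suite in NO_CONFIDENTIALITY_SUITES:
            findings.append(("warn", "cipher suite %d enabled: no confidentiality, "
                                     "traffic is readable on the wire" % suite))
    return findings


def hardened_cipher_privs(privs, keep=(3,)):
    """Build the 15-character argument for 'ipmitool lan set <ch> cipher_privs ...':
    suites in 'keep' stay at their current level, every other suite becomes X (unused)."""
    return "".join(c if i in keep else "X" for i, c in enumerate(privs[:15]))


if __name__ == "__main__":
    fields = parse_lan_print(LAN_PRINT)
    for severity, message in audit_lan(fields):
        print(severity.upper(), message)
    print("suggested: ipmitool lan set 1 cipher_privs",
          hardened_cipher_privs(fields["Cipher Suite Priv Max"].splitlines()[0]))
```

<p>The constructed listing yields one critical finding (suite 0 at ADMIN) and four warnings. Check the BMC's documentation before applying the suggested string: some firmware also needs suite 17 (AES with HMAC-SHA256) kept for current ipmitool and vendor tools.</p>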
<p>Now you can open the BMC in a web browser:</p>
<p><a href="http://10.0.1.156">http://10.0.1.156</a> if you use DRAC/iDRAC (Dell servers),</p>
<p>or use Supermicro's IPMIView for Supermicro chassis.</p>
<p>Full documentation is in man ipmitool.</p>
<h2>Reset MySQL database root password in Ubuntu 16.04</h2>
<p>Published 2017-04-21, updated 2024-03-28, by <a href="https://linuxmon.com/author/mah/">mah</a>. Source: <a href="https://linuxmon.com/reset-mysql-root-password/">https://linuxmon.com/reset-mysql-root-password/</a></p>
<h3><a href="https://linuxmon.com/reset-mysql-root-password/"><img alt="MySQL" height="82" src="https://linuxmon.com/static/media/uploads/Blog/.thumbnails/mysql.png/mysql-187x82.png" width="187"/></a></h3>
<p>The standard root password reset procedure described all over the web does not work as-is on:</p>
<p>- Ubuntu 16.04</p>
<p>- MySQL server 5.7.17 (after an update).</p>
<p>dpkg-reconfigure mysql-server-5.7 does nothing.</p>
<p>A few extra steps are needed. Resetting the root password takes a few minutes or less:</p>
<p><strong>Step 1:</strong></p>
<p>Stop the MySQL service:</p>
<pre>$sudo /etc/init.d/mysql stop</pre>
<p><strong>Step 2:</strong></p>
<p>Start mysqld with <strong>--skip-grant-tables --skip-networking</strong>. While it runs this way every local connection gets full privileges without a password; --skip-networking keeps that off the network, so finish the reset promptly and restart the server normally afterwards.</p>
<pre>$<strong>mysqld_safe --skip-grant-tables --skip-networking &</strong><br/>[1] 5728<br/>root@exim:/var/run/network# 2017-04-21T21:11:39.353719Z mysqld_safe Logging to syslog.<br/>2017-04-21T21:11:39.357852Z mysqld_safe Logging to '/var/log/mysql/error.log'.<br/>2017-04-21T21:11:39.362554Z mysqld_safe Logging to '/var/log/mysql/error.log'.<br/>2017-04-21T21:11:39.366645Z mysqld_safe Directory '/var/run/mysqld' for UNIX socket file don't exists.<br/><br/><strong>[1]+ Exit 1 mysqld_safe --skip-grant-tables --skip-networking</strong><br/> </pre>
<p>It exited immediately. Run it again without '&' to see the error:</p>
<pre>$sudo mysqld_safe --skip-grant-tables --skip-networking<br/>2017-04-21T21:14:21.092023Z mysqld_safe Logging to syslog.<br/>2017-04-21T21:14:21.095954Z mysqld_safe Logging to '/var/log/mysql/error.log'.<br/>2017-04-21T21:14:21.100310Z mysqld_safe Logging to '/var/log/mysql/error.log'.<br/>2017-04-21T21:14:21.104173Z mysqld_safe Directory <strong>'/var/run/mysqld' for UNIX socket file don't exists.</strong></pre>
<p>Create that directory:</p>
<pre>sudo mkdir /var/run/mysqld</pre>
<p>and hand it to the mysql user:</p>
<pre>$sudo chown mysql.mysql /var/run/mysqld</pre>
<p>Then start the process again. Running it in the foreground (without '&') lets you watch the output and make sure everything is OK:</p>
<pre>$sudo mysqld_safe --skip-grant-tables --skip-networking<br/>2017-04-21T21:19:34.770008Z mysqld_safe Logging to syslog.<br/>2017-04-21T21:19:34.773829Z mysqld_safe Logging to '/var/log/mysql/error.log'.<br/>2017-04-21T21:19:34.778261Z mysqld_safe Logging to '/var/log/mysql/error.log'.<br/>2017-04-21T21:19:34.801799Z mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql</pre>
<p>Good. Check that the process started:</p>
<pre>$ ps ax |grep mysql<br/> <strong>7287 pts/1 S+ 0:00 /bin/sh /usr/bin/mysqld_safe --skip-grant-tables --skip-networking</strong><br/> 7671 pts/1 Sl+ 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --skip-grant-tables --skip-networking --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306 --log-syslog=1 --log-syslog-facility=daemon --log-syslog-tag=</pre>
<p><strong>Step 3:</strong></p>
<p><span>Open a second terminal to reset the password:</span></p>
<pre>$mysql -u root<br/>Welcome to the MySQL monitor. Commands end with ; or \g.<br/>Your MySQL connection id is 3<br/>Server version: 5.7.17-0ubuntu0.16.04.1 (Ubuntu)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its<br/>affiliates. Other names may be trademarks of their respective<br/>owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> flush privileges;<br/>Query OK, 0 rows affected (0.00 sec)<br/><strong>mysql>SET PASSWORD FOR root@'localhost' = PASSWORD('newpassword');</strong><br/>Query OK, 0 rows affected, 1 warning (0.01 sec)<br/>Ctrl+D<br/>$</pre>
<p>The warning on SET PASSWORD is because PASSWORD() is deprecated in MySQL 5.7; ALTER USER 'root'@'localhost' IDENTIFIED BY 'newpassword' is the 5.7 form of the same change. Now MySQL has to be restarted in normal mode.</p>
<p>$sudo /etc/init.d/mysql stop .. does not work, because systemd did not start this instance and does not know about it.</p>
<p><strong>Step 4:</strong></p>
<p>Kill the mysqld_safe process. Where possible prefer mysqladmin -u root -p shutdown with the new password, since kill -9 skips MySQL's orderly shutdown:</p>
<pre>$ps ax |grep mysql<br/><strong>17842 pts/1 S+ 0:00 /bin/sh /usr/bin/mysqld_safe --skip-grant-tables --skip-networking</strong><br/>18226 pts/1 Sl+ 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --skip-grant-tables --skip-networking --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306 --log-syslog=1 --log-syslog-facility=daemon --log-syslog-tag=
$sudo kill -9 17842<br/>$ps ax |grep mysql<br/>18388 pts/5 S+ 0:00 grep --color=auto mysql<br/>$<br/>$sudo systemctl start mysql<br/>$</pre>
<p>Done.</p>
<h2>Spamassassin</h2>
<p>Published 2017-04-20, updated 2024-03-27, by <a href="https://linuxmon.com/author/mah/">mah</a>. Source: <a href="https://linuxmon.com/spamassassin/">https://linuxmon.com/spamassassin/</a></p>
<h3><a href="https://linuxmon.com/spamassassin/"><img alt="SpamAssassin" height="71" src="https://linuxmon.com/static/media/uploads/Blog/.thumbnails/spamassassin-logobar_.png/spamassassin-logobar_-569x71.png" width="569"/></a></h3>
<p>For spam filtering we use SpamAssassin:</p>
<pre><span>$sudo apt-get install spamassassin</span></pre>
<p><span>After installation the spamd daemon is disabled by default.</span></p>
<p><span>Edit /etc/default/spamassassin:</span></p>
<pre><span>$sudo vim /etc/default/spamassassin</span></pre>
<p>find</p>
<pre><span>ENABLE=0</span></pre>
<p>and replace it with</p>
<pre><span>ENABLE=1</span></pre>
<p><span>Save, exit and start the service:</span></p>
<pre><span>$sudo /etc/init.d/spamassassin start</span>
<span>[ ok ] Starting spamassassin (via systemctl): spamassassin.service</span></pre>
<p><span>check process:</span></p>
<pre><span>$ ps ax |grep spam<br/>26788 ? Ss 0:01 /usr/sbin/spamd -d --pidfile=/var/run/spamassassin.pid --create-prefs --max-children 5 --helper-home-dir<br/>26789 ? S 0:00 spamd child<br/>26790 ? S 0:00 spamd child<br/><br/>$sudo netstat -anp|grep spam<br/>tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 26788/spamassassin.<br/>tcp6 0 0 ::1:783 :::* LISTEN 26788/spamassassin.<br/><br/></span></pre>
<p><span>All good: spamd listens on 127.0.0.1:783 only, so it is not reachable from the network.</span></p>
<p><span>Now go to the Exim configuration file and find this setting:</span></p>
<pre>spamd_address = 127.0.0.1 783</pre>
<p>and this ACL block:</p>
<pre><strong># check the message with spamd and record the score</strong>
warn spam = Debian-exim:true
     !hosts = +relay_from_hosts
     add_header = X-Spam-Flag: YES\n\
                  X-Spam_score: $spam_score\n\
                  X-Spam_score_int: $spam_score_int\n\
                  X-Spam_bar: $spam_bar\n\
                  #X-Spam_report: $spam_report</pre>
<p>These headers are added to every scanned message. Note that the :true suffix makes the spam condition succeed whatever the score, so X-Spam-Flag: YES is set on all mail here; if you want the flag to mean something, add it (or a deny) in a separate condition without :true and keep only the score headers in this one. Restart Exim if you changed the file.</p>
<p>---</p>
<p>links:</p>
<p><a href="http://spamassassin.apache.org/doc.html">Spamassassin Documentation</a></p>
<h2>Install Mail Server Exim4 on Ubuntu Server 16.04</h2>
<p>Published 2017-04-17, updated 2024-03-28, by <a href="https://linuxmon.com/author/mah/">mah</a>. Source: <a href="https://linuxmon.com/install-exim-on-ubuntu-server/">https://linuxmon.com/install-exim-on-ubuntu-server/</a></p>
<p><a href="https://linuxmon.com/install-exim-on-ubuntu-server/"><strong><img alt="Exim" height="100" src="https://linuxmon.com/static/media/uploads/Blog/.thumbnails/exim_logo.png/exim_logo-137x100.png" width="137"/></strong></a></p>
<h3><strong>Overview</strong></h3>
<p><a href="http://exim.org/" target="_blank">Exim</a> is an open-source MTA (SMTP mail server).</p>
<h3><strong>Install</strong></h3>
<p>Today we will install Exim 4 on Ubuntu Server 16.04 with MySQL support (mailboxes, multiple domains, etc.).</p>
<p>First, update and upgrade all installed packages:</p>
<pre>$sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y</pre>
<p>Install dovecot as imap/pop3 services:</p>
<pre>$sudo apt-get install dovecot-common dovecot-imapd dovecot-pop3d</pre>
<p>Create a system user vmail with uid 1150 in group mail (on Ubuntu the nologin shell lives in /usr/sbin):</p>
<pre>$sudo useradd -r -u 1150 -g mail -d /var/vmail -s /usr/sbin/nologin -c 'Virtual Mailbox' vmail</pre>
<p>Create the directory where mail will be stored and give the vmail user ownership of it:</p>
<pre>$sudo mkdir -p /var/mail<br/>$sudo chown vmail:mail /var/mail<br/>$sudo chmod 0770 /var/mail</pre>
<p>Now create the database for Exim:</p>
<pre>$sudo apt-get install mysql-server</pre>
<p>During the installation of MySQL server you will be asked for a password for root; this is the MySQL server's root user, not the root user of the Ubuntu operating system.</p>
<pre>$mysqladmin -u root -p create exim_db
Enter password: (MySQL root password)
$mysql -u root -p
mysql> GRANT ALL PRIVILEGES ON exim_db.* TO exim_user@localhost IDENTIFIED BY 'password';
mysql> Ctrl+D</pre>
<p>We have created the database and a user for it: the user is exim_user and the password is "password" (you can change it; remember it, as it goes into the Exim and Dovecot config files later).</p>
<p>Note that this grant only covers connections from localhost. If Exim and Dovecot reach MySQL over the network, as the 10.10.10.10 address in the configs below suggests, grant the same privileges to exim_user for that client host as well.</p>
<p></p>
<p>Create a self-signed certificate (key and certificate are written to the same file, which both Dovecot and Exim reference below):</p>
<pre><strong>$sudo openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/mail.pem -keyout /etc/ssl/certs/mail.pem</strong></pre>
<h3><strong>Dovecot configuration</strong></h3>
<p><strong>$cat /etc/dovecot/dovecot.conf</strong></p>
<pre><strong>#change domain name!!!</strong><br/>auth_default_realm = domain.com<br/>auth_verbose = yes<br/>#for temp files<br/>base_dir = /var/run/dovecot/<br/>disable_plaintext_auth = no<br/>first_valid_gid = 8<br/>first_valid_uid = 118<br/>login_greeting = Dovecot ready<br/>log_path = /var/log/dovecot.log<br/>login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c<br/>mail_access_groups = mail<br/>mail_debug = yes<br/>mail_location = maildir:/var/mail/%d/%n<br/>passdb {<br/> args = /etc/dovecot/dovecot-sql.conf<br/> driver = sql<br/>}<br/>protocols = pop3 imap<br/>service auth {<br/> unix_listener auth-master {<br/> mode = 0600<br/> user = Debian-exim<br/> }<br/> user = root<br/>}<br/>service imap-login {<br/> chroot = login<br/> inet_listener imap {<br/> address = *<br/> port = 143<br/> }<br/> process_limit = 3<br/> process_min_avail = 3<br/> service_count = 1<br/> user = dovecot<br/> vsz_limit = 64M<br/>}<br/>service pop3-login {<br/> chroot = login<br/> inet_listener pop3 {<br/> address = *<br/> port = 110<br/> }<br/> process_limit = 3<br/> process_min_avail = 3<br/> service_count = 1<br/> user = dovecot<br/> vsz_limit = 64M<br/>}<br/>ssl = yes<br/>ssl_cert = </etc/ssl/certs/mail.pem<br/>ssl_key = </etc/ssl/certs/mail.pem<br/>userdb {<br/> args = /etc/dovecot/dovecot-sql.conf<br/> driver = sql<br/>}<br/>verbose_proctitle = yes<br/> <br/>#protocol imap {<br/># imap_client_workarounds = delay-newmail tb-extra-mailbox-sep<br/>#}<br/> <br/>protocol pop3 {<br/> pop3_client_workarounds = outlook-no-nuls oe-ns-eoh<br/> pop3_uidl_format = %08Xu%08Xv<br/>}<br/>protocol lda {<br/> auth_socket_path = /var/run/dovecot/auth-master<br/> postmaster_address = support@nixtalk.com<br/>}<br/><br/>## Dovecot configuration file<br/><br/># If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration<br/><br/># "doveconf -n" command gives a clean output of the changed settings. 
Use it<br/># instead of copy&pasting files when posting to the Dovecot mailing list.<br/><br/># '#' character and everything after it is treated as comments. Extra spaces<br/># and tabs are ignored. If you want to use either of these explicitly, put the<br/># value inside quotes, eg.: key = "# char and trailing whitespace "<br/><br/># Default values are shown for each setting, it's not required to uncomment<br/># those. These are exceptions to this though: No sections (e.g. namespace {})<br/># or plugin settings are added by default, they're listed only as examples.<br/># Paths are also just examples with the real defaults being based on configure<br/># options. The paths listed here are for configure --prefix=/usr<br/># --sysconfdir=/etc --localstatedir=/var<br/><br/># Enable installed protocols<br/>!include_try /usr/share/dovecot/protocols.d/*.protocol<br/><br/># A comma separated list of IPs or hosts where to listen in for connections. <br/># "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.<br/># If you want to specify non-default ports or anything more complex,<br/># edit conf.d/master.conf.<br/>#listen = *, ::<br/><br/># Base directory where to store runtime data.<br/>#base_dir = /var/run/dovecot/<br/><br/># Name of this instance. Used to prefix all Dovecot processes in ps output.<br/>#instance_name = dovecot<br/><br/># Greeting message for clients.<br/>#login_greeting = Dovecot ready.<br/><br/># Space separated list of trusted network ranges. Connections from these<br/># IPs are allowed to override their IP addresses and ports (for logging and<br/># for authentication checks). disable_plaintext_auth is also ignored for<br/># these networks. Typically you'd specify your IMAP proxy servers here.<br/>#login_trusted_networks =<br/><br/># Space separated list of login access check sockets (e.g. tcpwrap)<br/>#login_access_sockets = <br/><br/># Show more verbose process titles (in ps). Currently shows user name and<br/># IP address. 
Useful for seeing who are actually using the IMAP processes<br/># (eg. shared mailboxes or if same uid is used for multiple accounts).<br/>#verbose_proctitle = no<br/><br/># Should all processes be killed when Dovecot master process shuts down.<br/># Setting this to "no" means that Dovecot can be upgraded without<br/># forcing existing client connections to close (although that could also be<br/># a problem if the upgrade is e.g. because of a security fix).<br/>#shutdown_clients = yes<br/><br/># If non-zero, run mail commands via this many connections to doveadm server,<br/># instead of running them directly in the same process.<br/>#doveadm_worker_count = 0<br/># UNIX socket or host:port used for connecting to doveadm server<br/>#doveadm_socket_path = doveadm-server<br/><br/># Space separated list of environment variables that are preserved on Dovecot<br/># startup and passed down to all of its child processes. You can also give<br/># key=value pairs to always set specific settings.<br/>#import_environment = TZ<br/><br/>##<br/>## Dictionary server settings<br/>##<br/><br/># Dictionary can be used to store key=value lists. This is used by several<br/># plugins. The dictionary can be accessed either directly or through a<br/># dictionary server. The following dict block maps dictionary names to URIs<br/># when the server is used. These can then be referenced using URIs in format<br/># "proxy::<name>".<br/><br/>dict {<br/> #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext<br/> #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext<br/>}<br/><br/># Most of the actual configuration gets included below. The filenames are<br/># first sorted by their ASCII value and parsed in that order. The 00-prefixes<br/># in filenames are intended to make it easier to understand the ordering.<br/>!include conf.d/*.conf<br/><br/># A config file can also be tried to be included without giving an error if<br/># it's not found:<br/>!include_try local.conf<br/><br/>
</pre>
<p><strong>$sudo cat /etc/dovecot/dovecot-sql.conf</strong> (readable only by root)</p>
<pre># This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki2.dovecot.org/AuthDatabase/SQL
#
# For the sql passdb module, you'll need a database with a table that
# contains fields for at least the username and password. If you want to
# use the user@domain syntax, you might want to have a separate domain
# field as well.
#
# If your users all have the same uid/gid, and have predictable home
# directories, you can use the static userdb module to generate the home
# dir based on the username and domain. In this case, you won't need fields
# for home, uid, or gid in the database.
#
# If you prefer to use the sql userdb module, you'll want to add fields
# for home, uid, and gid. Here is an example table:
#
# CREATE TABLE users (
# username VARCHAR(128) NOT NULL,
# domain VARCHAR(128) NOT NULL,
# password VARCHAR(64) NOT NULL,
# home VARCHAR(255) NOT NULL,
# uid INTEGER NOT NULL,
# gid INTEGER NOT NULL,
# active CHAR(1) DEFAULT 'Y' NOT NULL
# );
# Database driver: mysql, pgsql, sqlite
driver = mysql<br/><br/><strong>#here you should put ip address server and credentials for MySQL server</strong>
<strong>connect=host=10.10.10.10 dbname=exim_db user=exim_user password=password</strong>
default_pass_scheme=PLAIN
password_query=select password from accounts where login='%n' and domain='%d'
user_query=select uid, gid from accounts where login='%n' and domain='%d'
# Database connection string. This is driver-specific setting.
#
# HA / round-robin load-balancing is supported by giving multiple host
# settings, like: host=sql1.host.org host=sql2.host.org
#
# pgsql:
# For available options, see the PostgreSQL documentation for the
# PQconnectdb function of libpq.
# Use maxconns=n (default 5) to change how many connections Dovecot can
# create to pgsql.
#
# mysql:
# Basic options emulate PostgreSQL option names:
# host, port, user, password, dbname
#
# But also adds some new settings:
# client_flags - See MySQL manual
# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
# ssl_cert, ssl_key - For sending client-side certificates to server
# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
# option_file - Read options from the given file instead of
# the default my.cnf location
# option_group - Read options from the given group (default: client)
#
# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
# Note that currently you can't use spaces in parameters.
#
# sqlite:
# The path to the database file.
#
# Examples:
# connect = host=192.168.1.1 dbname=users
# connect = host=sql.example.com dbname=virtual user=virtual password=blarg
# connect = /etc/dovecot/authdb.sqlite
#
#connect =
# Default password scheme.
#
# List of supported schemes is in
# http://wiki2.dovecot.org/Authentication/PasswordSchemes
#
#default_pass_scheme = MD5
# passdb query to retrieve the password. It can return fields:
# password - The user's password. This field must be returned.
# user - user@domain from the database. Needed with case-insensitive lookups.
# username and domain - An alternative way to represent the "user" field.
#
# The "user" field is often necessary with case-insensitive lookups to avoid
# e.g. "name" and "nAme" logins creating two different mail directories. If
# your user and domain names are in separate fields, you can return "username"
# and "domain" fields instead of "user".
#
# The query can also return other fields which have a special meaning, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
#
# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
# for full list):
# %u = entire user@domain
# %n = user part of user@domain
# %d = domain part of user@domain
#
# Note that these can be used only as input to SQL query. If the query outputs
# any of these substitutions, they're not touched. Otherwise it would be
# difficult to have eg. usernames containing '%' characters.
#
# Example:
# password_query = SELECT userid AS user, pw AS password \
# FROM users WHERE userid = '%u' AND active = 'Y'
#
#password_query = \
# SELECT username, domain, password \
# FROM users WHERE username = '%n' AND domain = '%d'
# userdb query to retrieve the user information. It can return fields:
# uid - System UID (overrides mail_uid setting)
# gid - System GID (overrides mail_gid setting)
# home - Home directory
# mail - Mail location (overrides mail_location setting)
#
# None of these are strictly required. If you use a single UID and GID, and
# home or mail directory fits to a template string, you could use userdb static
# instead. For a list of all fields that can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#
# Examples:
# user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
# user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
# user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
#
#user_query = \
# SELECT home, uid, gid \
# FROM users WHERE username = '%n' AND domain = '%d'
# If you wish to avoid two SQL lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
# also have to return userdb fields in password_query prefixed with "userdb_"
# string. For example:
#password_query = \
# SELECT userid AS user, password, \
# home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
# FROM users WHERE userid = '%u'
# Query to get a list of all usernames.
#iterate_query = SELECT username AS user FROM users
</pre>
<pre>$sudo systemctl restart dovecot.service</pre>
<h3><strong>Exim configuration</strong></h3>
<p>Let's restore the schema of the exim_db database:</p>
<pre><strong># cat exim_db.sql</strong>
-- MySQL dump 10.13 Distrib 5.7.17, for Linux (x86_64)
--
-- Host: localhost Database: exim_db
-- ------------------------------------------------------
-- Server version 5.7.17-0ubuntu0.16.04.1
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
--
-- Table structure for table `accounts`
--
DROP TABLE IF EXISTS `accounts`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `accounts` (
`login` varchar(128) COLLATE utf8_bin NOT NULL DEFAULT '',
`password` varchar(128) COLLATE utf8_bin NOT NULL DEFAULT '',
`uid` int(11) NOT NULL DEFAULT '118',
`gid` int(11) NOT NULL DEFAULT '8',
`domain` varchar(128) COLLATE utf8_bin NOT NULL DEFAULT 'nixtalk.com',
`quota` varchar(16) COLLATE utf8_bin NOT NULL DEFAULT '250M',
`status` int(11) NOT NULL DEFAULT '1',
PRIMARY KEY (`login`,`domain`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `accounts`
--
LOCK TABLES `accounts` WRITE;
/*!40000 ALTER TABLE `accounts` DISABLE KEYS */;
INSERT INTO `accounts` VALUES ('admin','password',118,8,'domain.com','250M',1);
/*!40000 ALTER TABLE `accounts` ENABLE KEYS */;
UNLOCK TABLES;
--
-- Table structure for table `aliases`
--
DROP TABLE IF EXISTS `aliases`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `aliases` (
`address` varchar(128) COLLATE utf8_bin DEFAULT NULL,
`goto` varchar(128) COLLATE utf8_bin DEFAULT NULL,
`domain` varchar(128) COLLATE utf8_bin DEFAULT 'nixtalk.com'
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `aliases`
--
LOCK TABLES `aliases` WRITE;
/*!40000 ALTER TABLE `aliases` DISABLE KEYS */;
/*!40000 ALTER TABLE `aliases` ENABLE KEYS */;
UNLOCK TABLES;
--
-- Table structure for table `blacklist`
--
DROP TABLE IF EXISTS `blacklist`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `blacklist` (
`senders` varchar(128) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `blacklist`
--
LOCK TABLES `blacklist` WRITE;
/*!40000 ALTER TABLE `blacklist` DISABLE KEYS */;
/*!40000 ALTER TABLE `blacklist` ENABLE KEYS */;
UNLOCK TABLES;
--
-- Table structure for table `domains`
--
DROP TABLE IF EXISTS `domains`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `domains` (
`domain` varchar(128) COLLATE utf8_bin NOT NULL DEFAULT '',
`status` int(11) NOT NULL DEFAULT '1',
`relay` varchar(45) COLLATE utf8_bin DEFAULT NULL,
PRIMARY KEY (`domain`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `domains`
--
LOCK TABLES `domains` WRITE;
/*!40000 ALTER TABLE `domains` DISABLE KEYS */;
INSERT INTO `domains` VALUES ('domain.com',1,'l');
/*!40000 ALTER TABLE `domains` ENABLE KEYS */;
UNLOCK TABLES;
--
-- Table structure for table `whitelist`
--
DROP TABLE IF EXISTS `whitelist`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `whitelist` (
`senders` varchar(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL DEFAULT 'support@nixtalk.com'
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `whitelist`
--
LOCK TABLES `whitelist` WRITE;
/*!40000 ALTER TABLE `whitelist` DISABLE KEYS */;
/*!40000 ALTER TABLE `whitelist` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
-- Dump completed on 2017-04-17 16:36:13
</pre>
<p>Save it in a file named exim_db.sql (copy and paste) and restore it into your database:</p>
<pre>$mysql -u root -p exim_db < exim_db.sql</pre>
<p>Add some data:</p>
<pre>$mysql -u root -p
mysql> use exim_db;
# add a mailbox admin1@domain.com
mysql> INSERT INTO exim_db.accounts (login, password, uid, gid, domain, quota, status) VALUES ('admin1', 'password', 119, 8, 'domain.com', '250M', 1);
# add a domain (here domain.com); you can add any domains this way.
# Note: the dump above already contains domain.com, and domain is the primary key, so inserting it a second time fails with a duplicate-key error; put the domain you are actually adding here.
mysql> INSERT INTO exim_db.domains (domain, status, relay) VALUES ('domain.com', 1, 'l');
Ctrl+D</pre>
<p></p>
<p><strong>$cat /etc/exim4/exim4.conf.template</strong></p>
<pre><strong>#your domain name, change it!</strong><br/>primary_hostname = domain.com
<strong># databasename and credentials</strong>
hide mysql_servers = 10.10.10.10/exim_db/exim_user/password
<strong>#local_domains is all domains in your mail server, in our case we have only one domain - domain.com</strong><br/>domainlist local_domains = ${lookup mysql{select domain from domains where domain='${domain}' AND relay='l'}}
<strong>#domains this server relays mail to (it can act as a smart host for another mail server)</strong><br/>domainlist relay_to_domains = ${lookup mysql{select domain from domains where domain='${domain}' AND relay = 'r'}}
<strong># IP addresses from which we accept mail for relaying</strong><br/>hostlist relay_from_hosts = localhost : 127.0.0.1 :4.34.146.111
<br/><strong>#white list (we use mysql)</strong>
hostlist cool_senders = ${lookup mysql{SELECT ipaddr FROM whiteipaddr WHERE ipaddr='${quote_mysql:$sender_host_address}' LIMIT 1}}
<strong>#black list (we use file)</strong>
domainlist rbl_blacklist = lsearch;/etc/exim4/rblblacklist
acl_smtp_connect = acl_check_connect
acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
#disable_ipv6 = true
<strong>#you should create self-signed certificate</strong>
tls_certificate = /etc/ssl/certs/mail.pem
tls_privatekey = /etc/ssl/certs/mail.pem
<strong>#port smtp</strong>
daemon_smtp_ports = 25: 465
tls_on_connect_ports = 465
tls_advertise_hosts = *
qualify_domain = domain.com
qualify_recipient = domain.com
allow_domain_literals = false
exim_user = Debian-exim
exim_group = Debian-exim
never_users = root
host_lookup = * : !+relay_from_hosts
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 2h
timeout_frozen_after = 14d
return_size_limit = 10K
split_spool_directory = true
syslog_timestamp = no
smtp_accept_max = 100
smtp_accept_max_per_connection = 50
smtp_accept_max_per_host = 20
smtp_accept_queue_per_connection = 30
remote_max_parallel = 15
av_scanner = clamd:/var/run/clamav/clamd.ctl
<strong>#spamassassin, you will install it later</strong><br/>spamd_address = 127.0.0.1 783
smtp_banner = $smtp_active_hostname ESMTP
#dns_again_means_nonexist = !+local_domains : !+relay_to_domains
dns_again_means_nonexist = *.in-addr.arpa
# Enable HELO verification in ACLs for all hosts
helo_try_verify_hosts = *: !+local_domains : !+relay_from_hosts
<strong>#structure of log file</strong>
log_selector = \
+all_parents \
+lost_incoming_connection \
+received_sender \
+received_recipients \
+smtp_confirmation \
+smtp_syntax_error \
+smtp_connection \
+smtp_protocol_error \
-queue_run
######### ACL ########
begin acl
acl_check_connect:
<strong># deny mail from hosts whose reverse DNS name looks like a dynamic address</strong>
deny message = "Dynamic hosts is forbidden!"
condition = ${if match{$sender_host_name}\
{webcam|dsl|dial|dhcp|\.cable\.|static|dynamic|ppp} {yes}{no}}
<strong>#except white listed senders</strong><br/># !hosts = +cool_senders
!hosts = ${lookup mysql{SELECT ipaddr FROM whiteipaddr WHERE ipaddr='${quote_mysql:$sender_host_address}' LIMIT 1}}
accept
########################
acl_check_helo:
<strong># deny all senders who put own IP in HELO.</strong>
deny message = "The use of IP is forbidden in HELO!"
hosts = !+relay_from_hosts
log_message = The use of IP is forbidden in HELO!
condition = ${if eq{$sender_helo_name}\
{$sender_host_address}{true}{false}}
accept
########################
acl_check_rcpt:
accept hosts = :
<strong>#deny symbols in local part of email</strong><br/>deny domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
deny domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
<strong>#deny local part 'spam'</strong><br/>deny domains = !+local_domains : !+relay_to_domains
local_parts = spam
#deny message = Rejected because $sender_fullhost is blacklisted locally
# log_message = Rejected because $sender_fullhost is blacklisted locally
# senders = /etc/exim4/rblblacklist
deny message = Rejected because $sender or $sender_helo_name in BL db
senders=${lookup mysql{SELECT senders FROM blacklist \
WHERE senders='${quote_mysql:$sender_address}' \
OR senders='*@${quote_mysql:$sender_address_domain}' LIMIT 1}}
################ WARN!!! ###############
<strong># accept mail from hosts in relay_from_hosts and from authenticated clients.</strong>
accept hosts = +relay_from_hosts
accept authenticated = *
<br/><strong># deny relay except relay_to_domains</strong>
deny message = relay not permitted to another domain
log_message = relay not permitted to another domain
domains = !+relay_to_domains: !+local_domains
hosts = !+relay_from_hosts
deny
message = Reverse DNS lookup failed for host $sender_host_address.
log_message = Reverse DNS lookup failed for host $sender_host_address
!verify = reverse_host_lookup
deny
message = Message was delivered by ratware
log_message = remote host used our name in HELO/EHLO greeting.
condition = ${if match_domain{$sender_helo_name}\
{$primary_hostname:+local_domains:+relay_to_domains}\
{true}{false}}
<strong># deny numbers in HELO except localhost</strong>
deny condition = ${if match{$sender_helo_name}{\N^\d+$\N}{yes}{no}}
log_message = There can not be only numbers in HELO
hosts = !127.0.0.1:!localhost:*
message = "There can not be only numbers in HELO!"
<strong># deny with no return address.</strong>
deny condition = ${if eq{$sender_address}{}{yes}{no}}
log_message = Your message have not return address
hosts = !+relay_from_hosts
message = "Your message have not return address"
<br/>deny message = HELO/EHLO required by SMTP RFC
log_message = HELO/EHLO required by SMTP RFC
hosts = !+relay_from_hosts
condition = ${if eq{$sender_helo_name}{}{yes}{no}}
accept senders=${lookup mysql{SELECT senders FROM whitelist \
WHERE senders='${quote_mysql:$sender_address}' \
OR senders='*@${quote_mysql:$sender_address_domain}' LIMIT 1}}
<strong>#check IP addresses in black list</strong>
deny message = rejected because $sender_host_address \
is in a black list at $dnslist_domain\n$dnslist_text
hosts = !+relay_from_hosts
!authenticated = *
log_message = found in $dnslist_domain
dnslists = bl.spamcop.net : \
cbl.abuseat.org : \
dnsbl.njabl.org : \
pbl.spamhaus.org : \
zen.spamhaus.org
# tor.ahbl.org : \
#require verify = sender
drop message = Rejected - Sender Verify Failed
log_message = Rejected - Sender Verify Failed
hosts = !+relay_from_hosts
!verify = sender/no_details/callout=2m,defer_ok
!condition = ${if eq{$sender_verify_failure}{}}
condition = ${if match_ip{$sender_host_address}{${lookup dnsdb{>: defer_never,a=$sender_helo_name}}}{no}{yes}}
#warn !verify = sender
# log_message = sender verify failed: $acl_verify_message
accept domains = +local_domains
endpass
message = $acl_verify_message
verify = recipient
accept domains = +relay_to_domains
endpass
message = "Unrouteable address!"
verify = recipient/callout=30s,defer_ok,use_postmaster
#require message = Can't verify sender
# verify = sender
accept
##### Data #####
acl_check_data:
deny malware = *
message = This message contains a virus ($malware_name).
#accept
# hosts = +relay_from_hosts
<strong># check spam by spamassassin</strong>
warn spam = Debian-exim:true
!hosts = +relay_from_hosts
add_header = X-Spam-Flag: YES\n\
X-Spam_score: $spam_score\n\
X-Spam_score_int: $spam_score_int\n\
X-Spam_bar: $spam_bar\n\
#X-Spam_report: $spam_report
<strong># China symbols</strong>
deny message = This is spam - denied
!senders = :
condition = ${if match{$message_body}{105[-_]*51[-_]*86|778[-_]*98[-_]*94}{yes}{no}}
#Extensions
deny message = contains $found_extension file (blacklisted).
!senders = :
demime = com:vbs:bat:pif:scr:exe:wsb:pdf.zip
#Check MIME
deny message = This message contains a MIME error ($demime_reason)
!senders = :
hosts = !+relay_from_hosts
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
#Messages with NUL- symbols
deny message = This message contains NUL characters
!senders = :
log_message = NUL characters!
condition = ${if >{$body_zerocount}{0}{1}{0}}
# Headers
deny message = Incorrect headers syntax
hosts = !+relay_from_hosts:*
!senders = :
!verify = header_syntax
accept
############ Routers #########
begin routers
<strong>#route mail to relay_to_domains (exim in this case as smart host)</strong>
mailenable_router:
driver = manualroute
domains = +relay_to_domains
transport = remote_smtp
route_list = * <strong>10.10.10.148</strong>
no_more
dnslookup:
driver = dnslookup
domains = !+local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup mysql{select goto from aliases where address='${quote_mysql:$local_part}' and domain='${quote_mysql:$domain}'}}
user = Debian-exim
group = mail
file_transport = address_file
pipe_transport = address_pipe
userforward:
driver = redirect
check_local_user
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
data = ${lookup mysql{select goto from aliases where address='${quote_mysql:$local_part}' and domain='${quote_mysql:$domain}'}}
localuser:
driver = accept
domains = ${lookup mysql{select domain from domains where domain='${domain}' AND relay='l'}}
local_parts = ${lookup mysql{select login from accounts where login='${local_part}' and domain='${domain}'}}
transport = local_delivery
cannot_route_message = Unknown user
##### Transport #####
begin transports
remote_smtp:
driver = smtp
hosts_avoid_tls = 4.28.131.119: 10.0.1.148
local_delivery:
driver = appendfile
maildir_format
maildir_tag = ,S=$message_size
directory = /var/mail/$domain/$local_part
create_directory
delivery_date_add
envelope_to_add
return_path_add
group = mail
mode = 0660
no_mode_fail_narrower
address_pipe:
driver = pipe
return_output
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
address_reply:
driver = autoreply
begin retry
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
begin authenticators
auth_plain:
driver = plaintext
server_set_id = $2
server_prompts = :
public_name = PLAIN
server_condition = ${lookup mysql{select login from accounts where login='${quote_mysql:${local_part:$2}}' and password='${quote_mysql:$3}'}{yes}{no}}
auth_login:
driver = plaintext
public_name = LOGIN
server_set_id = $1
server_prompts = Username:: : Password::
server_condition = ${lookup mysql{select login from accounts where login='${quote_mysql:${local_part:$1}}' and password='${quote_mysql:$2}'}{yes}{no}}
auth_cram_md5:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${lookup mysql{select password from accounts where login='${quote_mysql:${local_part:$1}}'}{$value}fail}
server_set_id = $1
</pre>
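<p>To see what the host, HELO and local-part rules in acl_check_connect, acl_check_helo and acl_check_rcpt above actually reject, here is an added example (not from the original post) that re-implements that subset of the ACL logic in Python so it can be exercised offline against constructed sessions. The relay_from_hosts entries and the local domain come from the config; the relay_to domain, the Session type and the sample inputs are constructed here, and the rules that need DNS or MySQL (reverse DNS checks, DNSBLs, sender/recipient callouts, the blacklist and whitelist tables) are not modelled.</p>

```python
"""Offline model of a subset of the ACL rules in exim4.conf.template.

Added example, not part of the original post. It mirrors the decision order
of acl_check_connect, acl_check_helo and the host/HELO/local-part rules of
acl_check_rcpt so the policy can be tested with constructed sessions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# hostlist relay_from_hosts from the config (the localhost entry collapsed to its IP)
RELAY_FROM_HOSTS = {"127.0.0.1", "4.34.146.111"}
# domains.relay = 'l' row from exim_db; the relay = 'r' domain is constructed here
LOCAL_DOMAINS = {"domain.com"}
RELAY_TO_DOMAINS = {"partner.example"}

# condition = ${if match{$sender_host_name}{webcam|dsl|dial|dhcp|\.cable\.|static|dynamic|ppp}...}
DYNAMIC_HOST_RE = re.compile(r"webcam|dsl|dial|dhcp|\.cable\.|static|dynamic|ppp")
# condition = ${if match{$sender_helo_name}{\N^\d+$\N}...}
NUMERIC_HELO_RE = re.compile(r"^\d+$")
# local_parts = ^[.] : ^.*[@%!/|]                (recipients in +local_domains)
BAD_LOCAL_PART_LOCAL = [re.compile(r"^[.]"), re.compile(r"^.*[@%!/|]")]
# local_parts = ^[./|] : ^.*[@%!] : ^.*/\.\./    (all other recipient domains)
BAD_LOCAL_PART_OTHER = [re.compile(r"^[./|]"), re.compile(r"^.*[@%!]"),
                        re.compile(r"^.*/\.\./")]


@dataclass
class Session:
    """The Exim variables the modelled rules look at (constructed inputs)."""
    host_address: Optional[str]    # $sender_host_address; None for a local non-SMTP submission
    host_name: str = ""            # $sender_host_name (reverse DNS result, may be empty)
    helo_name: str = ""            # $sender_helo_name
    sender_address: str = ""       # envelope MAIL FROM; empty for bounces
    authenticated: bool = False    # SMTP AUTH succeeded
    ip_whitelisted: bool = False   # $sender_host_address found in the whiteipaddr table


def acl_check_connect(s: Session) -> str:
    """Deny dynamic-looking reverse DNS names unless the IP is whitelisted, else accept."""
    if not s.ip_whitelisted and DYNAMIC_HOST_RE.search(s.host_name):
        return "deny: Dynamic hosts is forbidden!"
    return "accept"


def acl_check_helo(s: Session) -> str:
    """Deny when an untrusted host uses its own IP address as the HELO name."""
    if s.host_address not in RELAY_FROM_HOSTS and s.helo_name == s.host_address:
        return "deny: The use of IP is forbidden in HELO!"
    return "accept"


def acl_check_rcpt(s: Session, local_part: str, domain: str) -> str:
    """Apply the modelled acl_check_rcpt rules in the config's order."""
    if s.host_address is None:                        # accept hosts = :
        return "accept"
    is_local = domain in LOCAL_DOMAINS
    patterns = BAD_LOCAL_PART_LOCAL if is_local else BAD_LOCAL_PART_OTHER
    # These patterns keep '/', '..', '|' and routing characters out of the local part,
    # which later becomes part of the path /var/mail/$domain/$local_part.
    if any(p.search(local_part) for p in patterns):
        return "deny: bad characters in local part"
    # deny domains = !+local_domains : !+relay_to_domains  (domain in neither list)
    if local_part == "spam" and not is_local and domain not in RELAY_TO_DOMAINS:
        return "deny: local part 'spam'"
    if s.host_address in RELAY_FROM_HOSTS or s.authenticated:
        return "accept"                               # trusted hosts and AUTH users may relay
    if not is_local and domain not in RELAY_TO_DOMAINS:
        return "deny: relay not permitted to another domain"
    if NUMERIC_HELO_RE.match(s.helo_name):            # hosts = !127.0.0.1:!localhost:*
        return "deny: There can not be only numbers in HELO!"
    if s.sender_address == "":
        return "deny: Your message have not return address"
    if s.helo_name == "":
        return "deny: HELO/EHLO required by SMTP RFC"
    return "accept"                                   # remaining rules need DNS or MySQL


if __name__ == "__main__":
    dsl = Session("203.0.113.5", host_name="pool-5.dsl.example.net", helo_name="203.0.113.5")
    print(acl_check_connect(dsl), "|", acl_check_helo(dsl))
    ok = Session("203.0.113.7", helo_name="mx.example.net", sender_address="bob@example.net")
    print(acl_check_rcpt(ok, "../../etc/passwd", "domain.com"))
```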
<p>Restart Exim:</p>
<pre>$sudo systemctl restart exim4.service</pre>
<p>Tools for checking email delivery:</p>
<p>Check routing by sending a test message with verbose output (the message text is read from stdin; finish it with Ctrl+D):</p>
<pre>$exim -v admin@domain.com</pre>
<p>Simulate an SMTP session as if it came from a given IP address, which runs the ACLs without delivering anything:</p>
<pre>$exim -bh <IP address></pre>
<p>Test how an address would be routed, without delivering mail:</p>
<pre>$exim -bt mail@domain.com</pre>
<p>See next</p>
<p><a href="https://linuxmon.com/spamassassin/">Install Spamassassin</a></p>
<p>---</p>
<p>links:</p>
<p><a href="http://exim.org/docs.html" target="_blank">Exim Documentation</a></p>
<p>Install HAProxy (published 2017-04-04, updated 2024-03-28, by mah, https://linuxmon.com/install-haproxy/)</p>
<p><a href="https://linuxmon.com/install-haproxy/"><img alt="" height="78" src="https://linuxmon.com/static/media/uploads/Blog/.thumbnails/ha-proxy.png/ha-proxy-154x78.png" width="154"/></a></p>
<p><span>How to install and configure HAProxy 1.5 on Ubuntu 12.04</span><br/><a href="http://www.haproxy.org/" title="HAProxy">HAProxy</a><span> - The Reliable, High Performance TCP/HTTP Load Balancer</span></p>
<p><a href="https://linuxmon.com/static/media/uploads/Blog/haproxy-to-mysql1.png" target="_blank"><img alt="haproxy to -mysql" class="aligncenter size-full wp-image-379" height="226" src="https://linuxmon.com/static/media/uploads/Blog/.thumbnails/haproxy-to-mysql1.png/haproxy-to-mysql1-343x226.png" width="343"/></a></p>
<p>HAProxy is a free, <b><i>very</i></b> fast and reliable solution offering <a href="http://en.wikipedia.org/wiki/High_availability">high availability</a>, <a href="http://en.wikipedia.org/wiki/Load_balancer">load balancing</a>, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. Over the years it has become the de-facto standard opensource load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms. Since it does not advertise itself, we only know it's used when the <a href="http://www.haproxy.org/they-use-it.html">admins report it</a> :-)</p>
<p>Its mode of operation makes its integration into existing architectures very easy and riskless, while still offering the possibility not to expose fragile web servers to the net, such as below</p>
<p><!--more--></p>
<p>Servers:</p>
<pre>haproxy:
IP - 10.185.0.16
</pre>
<pre>Percona cluster Mysql server:
mysql1:
IP - 10.185.0.18
mysql2:
IP - 10.185.0.19
</pre>
<pre>#for future
web servers:
lamp1:
IP - 10.185.0.151
lamp2:
IP - 10.185.0.152
</pre>
<p>On the haproxy server:</p>
<p>Ubuntu 12.04 ships an older HAProxy, so we add a PPA to get 1.5:</p>
<pre>$sudo apt-get install python-software-properties
$sudo add-apt-repository ppa:vbernat/haproxy-1.5
$sudo apt-get update
$sudo apt-get install haproxy
</pre>
<p>By default the init script refuses to start haproxy; edit /etc/default/haproxy and set:</p>
<pre>ENABLED=1
</pre>
<pre>$sudo service haproxy start
$haproxy -v
</pre>
<p>should print:</p>
<pre>HA-Proxy version 1.5.6 2014/10/18
Copyright 2000-2014 Willy Tarreau <w@1wt.eu>
</pre>
<p>Edit /etc/haproxy/haproxy.cfg (the package installs a default one; replace its contents). Server addresses follow the list above:</p>
<pre>global
    log 127.0.0.1 local0 notice
    maxconn 2000
    user haproxy
    group haproxy

defaults
    log global
    mode http
    # option httplog
    option dontlognull
    retries 3
    option redispatch
    timeout connect 70000
    timeout client 50000
    timeout server 50000

#
listen appname
    bind 0.0.0.0:80
    mode http
    stats enable
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    stats auth user:123      # replace with a strong password before the first start
    balance static-rr
    option httpclose
    option forwardfor
    server lamp1 10.185.0.151:80 check
    server lamp2 10.185.0.152:80 check

listen mysql-cluster
    bind 0.0.0.0:3306        # change this to 10.185.0.15 after migrating from the master mysql server
    mode tcp
    balance roundrobin
    maxconn 5200
    option mysql-check user haproxy_check
    server mysql1 10.185.0.18:3306 check port 3306
    server mysql2 10.185.0.19:3306 check port 3306 backup
</pre>
<p>section global:<br/> log 127.0.0.1 local0 notice<br/> sends the logs to rsyslog over UDP on localhost. By default rsyslog runs but is not listening on UDP, so let's fix that.</p>
<p>Edit or create file if it doesn't exist /etc/rsyslog.d/haproxy.conf:</p>
<pre># Create an additional socket in haproxy's chroot in order to allow logging via
# /dev/log to chroot'ed HAProxy processes
$AddUnixListenSocket /var/lib/haproxy/dev/log
# Send HAProxy messages to a dedicated logfile
if $programname startswith 'haproxy' then /var/log/haproxy.log
&~
</pre>
<p>In /etc/rsyslog.conf uncomment the imudp lines and add $UDPServerAddress so the UDP listener binds to loopback only. The address directive must come before $UDPServerRun, otherwise it is ignored and rsyslog accepts syslog from the whole network:</p>
<pre>$ModLoad imudp
# add this line, before $UDPServerRun
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
</pre>
<p>then restart rsyslog:</p>
<pre>$sudo service rsyslog restart</pre>
<p>check:</p>
<pre>$sudo netstat -anp|grep rsyslog
udp 0 0 127.0.0.1:514 0.0.0.0:* 1563/rsyslogd
</pre>
<p>If the local address column shows 0.0.0.0:514 instead, the listener is open to every host that can reach the machine; fix the directive order (or block port 514 in the firewall) before moving on.</p>
<p>Good.<br/> The section<br/> listen appname<br/> load-balances the web servers; we have two of them:<br/> lamp1<br/> lamp2</p>
<p>The same section also enables the statistics page:</p>
<pre> stats enable
 stats uri /haproxy?stats
 stats realm Strictly\ Private
 stats auth user:123
</pre>
<p>in the browser:</p>
<pre>http://10.185.0.16/haproxy?stats
user: user
password: 123   # use a complex password!!!
</pre>
<p>Caveat: configured like this, the stats page is served by the same public listener as the application and protected only by HTTP Basic auth over plain HTTP, so the credentials cross the wire in the clear and anyone who can reach port 80 can try them. Outside a lab, change the password before the first start, move the stats section to its own listen block bound to the internal address (10.185.0.16, on a separate port), and restrict that port with a firewall rule.</p>
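<p>As an added example that is not part of the original post, here is a small shell script that audits a haproxy.cfg for the stats-page problems just described: stats enabled on the listener that also fronts the application, a stats listener bound to 0.0.0.0, and a missing or short password. It runs on two constructed configs, one mirroring the haproxy.cfg above and one with stats moved to its own listen section on the internal address 10.185.0.16 (port 8404 and the user name are my choices). Run it against /etc/haproxy/haproxy.cfg before the first start, next to the syntax check "haproxy -c -f /etc/haproxy/haproxy.cfg".</p>

```shell
#!/bin/sh
# Added example, not from the original post: audit an haproxy.cfg for the
# stats-page weaknesses discussed above. Findings per section:
#  - stats enabled on a listener that also proxies application servers
#  - stats listener bound to every interface (0.0.0.0, *, or bare :port)
#  - stats enabled without "stats auth", or with a password under 12 chars
# The two configs at the bottom are constructed samples.

# haproxy_stats_audit CFGFILE -> one finding per line, nothing when clean
haproxy_stats_audit() {
    awk '
    function flush() {
        if (sec == "") return
        if (stats) {
            if (servers) printf "%s: stats enabled on a listener that also proxies application servers\n", sec
            if (anyaddr) printf "%s: stats listener bound to all interfaces\n", sec
            if (!pwset)  printf "%s: stats enabled without stats auth\n", sec
            else if (pwlen < 12) printf "%s: stats auth password shorter than 12 characters\n", sec
        }
        sec = ""; stats = 0; servers = 0; anyaddr = 0; pwset = 0; pwlen = 0
    }
    # a new section starts: report the previous one first
    /^[ \t]*(global|defaults|listen|frontend|backend)([ \t]|$)/ {
        flush()
        sec = $1
        if ($1 == "listen" || $1 == "frontend" || $1 == "backend") sec = sec " " $2
        # legacy "listen name addr:port" form carries the bind address inline
        if ($1 == "listen" && $3 ~ /^(0\.0\.0\.0|\*)?:[0-9]+$/) anyaddr = 1
        next
    }
    $1 == "bind" && $2 ~ /^(0\.0\.0\.0|\*)?:[0-9]+$/ { anyaddr = 1 }
    $1 == "stats" && $2 == "enable" { stats = 1 }
    $1 == "server" { servers = 1 }
    $1 == "stats" && $2 == "auth" {
        pwset = 1
        p = index($3, ":")            # password is everything after the first colon
        pwlen = p ? length(substr($3, p + 1)) : 0
    }
    END { flush() }
    ' "$1"
}

# haproxy_stats_audit_count CFGFILE -> number of findings
haproxy_stats_audit_count() {
    haproxy_stats_audit "$1" | awk 'END { print NR }'
}

HAPROXY_AUDIT_DIR=$(mktemp -d)
HAPROXY_WEAK_CFG="$HAPROXY_AUDIT_DIR/weak.cfg"
HAPROXY_GOOD_CFG="$HAPROXY_AUDIT_DIR/hardened.cfg"

# Constructed sample 1: the post's layout, stats served from the public app listener
cat > "$HAPROXY_WEAK_CFG" <<'EOF'
global
    log 127.0.0.1 local0 notice
defaults
    mode http
listen appname
    bind 0.0.0.0:80
    stats enable
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    stats auth user:123
    balance static-rr
    server lamp1 10.185.0.151:80 check
    server lamp2 10.185.0.152:80 check
listen mysql-cluster
    bind 0.0.0.0:3306
    mode tcp
    option mysql-check user haproxy_check
    server mysql1 10.185.0.18:3306 check port 3306
    server mysql2 10.185.0.19:3306 check port 3306 backup
EOF

# Constructed sample 2: stats on its own listener, internal address, long password
cat > "$HAPROXY_GOOD_CFG" <<'EOF'
global
    log 127.0.0.1 local0 notice
defaults
    mode http
listen appname
    bind 0.0.0.0:80
    balance static-rr
    server lamp1 10.185.0.151:80 check
    server lamp2 10.185.0.152:80 check
listen stats
    bind 10.185.0.16:8404
    stats enable
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    stats auth haproxyadmin:correct-horse-battery-staple-2017
EOF

# Usage: haproxy_stats_audit /etc/haproxy/haproxy.cfg
```

<p>The audit is a text check only; it does not prove the stats port is unreachable from outside, so pair it with a firewall rule on the stats port and the haproxy -c syntax check.</p>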
<p>Load balancing for the MySQL servers</p>
<p>section</p>
<pre>listen mysql-cluster
server mysql1 10.185.0.18:3306 check port 3306
server mysql2 10.185.0.19:3306 check port 3306 backup
</pre>
<p>All connections go to mysql1; if mysql1 stops answering for any reason, HAProxy switches all traffic to mysql2, which is marked backup.</p>
<p>option mysql-check user haproxy_check<br/> is needed to detect which MySQL server is alive: HAProxy opens a connection and authenticates as haproxy_check with no password, then quits. We create that user on the MySQL servers, allowed only from the HAProxy host. It needs no privileges at all, so grant none:</p>
<pre>mysql -u root -p -e "CREATE USER 'haproxy_check'@'10.185.0.16';"
</pre>
<p>Use CREATE USER rather than inserting a row into mysql.user directly: the insert can fail on MySQL 5.6 (NOT NULL columns such as ssl_cipher have no default in strict mode), and on a Percona XtraDB Cluster a direct write to the MyISAM mysql.user table is not replicated by Galera, whereas CREATE USER is replicated to every node.</p>
<p>It should work!</p>Install Percona cluster 5.6 on Ubuntu 12.042017-04-04T19:55:31+00:002024-03-27T16:00:14+00:00mahhttps://linuxmon.com/author/mah/https://linuxmon.com/percona-install-ubuntu-1204/<p><a href="https://linuxmon.com/percona-install-ubuntu-1204/" target="_blank"><img alt="percona1" class="aligncenter size-full wp-image-381" height="67" src="https://linuxmon.com/static/media/uploads/Blog/.thumbnails/percona1.jpg/percona1-203x67.jpg" width="203"/></a></p>
<p><span><span>What is Percona Cluster?</span></span></p>
<p><span><a href="http://www.percona.com/software/percona-xtradb-cluster" target="_blank" title="Open in new window">Percona XtraDB Cluster</a> is an active/active high availability and high scalability open source solution for MySQL</span><span>® </span><span>clustering. It integrates Percona Server and Percona XtraBackup with the Galera library of MySQL high availability solutions in a single package, which enables you to create a cost-effective MySQL high availability cluster.</span></p>
<p><!--more--></p>
<p>The cluster will be created on these nodes:</p>
<h5><strong>Node1:</strong></h5>
<h5>hostname:per1</h5>
<h5>IP: 10.185.0.20</h5>
<h5><strong>Node2:</strong></h5>
<h5>hostname:per2</h5>
<h5>IP: 10.185.0.42</h5>
<h4> </h4>
<p>To retrieve the Percona Cluster packages you have to add their repository signing key:</p>
<pre>$ apt-key adv --keyserver keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A</pre>
<p>Add this at the end of /etc/apt/sources.list:</p>
<pre>deb http://repo.percona.com/apt precise main
deb-src http://repo.percona.com/apt precise main</pre>
<p>First update and upgrade the Ubuntu nodes; every node in the cluster needs the same package versions:</p>
<pre>$sudo apt-get update</pre>
<p>and, if needed:</p>
<pre>$sudo apt-get upgrade</pre>
<pre>$sudo apt-get dist-upgrade</pre>
<pre>$sudo reboot</pre>
<pre>$apt-cache search percona|grep full</pre>
<pre>percona-xtradb-cluster-full-55- Percona XtraDB Cluster with Galera
percona-xtradb-cluster-full-56- Percona XtraDB Cluster with Galera</pre>
<p>Let's install 5.6</p>
<pre>$sudo apt-get install percona-xtradb-cluster-full-56</pre>
<p>-----------------</p>
<p>After rebooting, stop mysql if it started:</p>
<pre>sudo /etc/init.d/mysql stop</pre>
<p><strong>Edit my.cnf (on Ubuntu /etc/mysql/my.cnf); create it if it does not exist:</strong></p>
<p>-------------</p>
<pre>[mysqld]
datadir=/var/lib/mysql
user=mysql
wsrep_provider=/usr/lib/libgalera_smm.so
#wsrep_node_incoming_address=10.185.0.20

# important!!!! on the first node, for the very first start only: an empty
# address bootstraps a new cluster. Switch to the full node list below as soon
# as the second node has joined.
wsrep_cluster_address=gcomm://
#wsrep_cluster_address=gcomm://10.185.0.20,10.185.0.42
binlog_format=ROW
default_storage_engine=InnoDB
innodb_autoinc_lock_mode=2

wsrep_node_address=10.185.0.20

wsrep_sst_method=xtrabackup
wsrep_cluster_name=my_cluster0
wsrep_sst_auth="root:passwd@"   # see the note below: prefer a dedicated SST user

#wsrep_debug=1

# INNODB #
innodb_flush_method = O_DIRECT
innodb_log_files_in_group = 2
innodb_log_file_size = 256M
innodb_flush_log_at_trx_commit = 2
innodb_file_per_table = 1
#innodb_buffer_pool_size = 2G
</pre>
<p>Two things to note. wsrep_cluster_address=gcomm:// with no addresses tells this node to bootstrap a brand-new cluster: use it on the first node for its first start only, and change it to the full node list once the second node has joined, otherwise a later restart of that node starts a second, separate cluster instead of rejoining (PXC 5.6 also offers "service mysql bootstrap-pxc", which bootstraps without editing the file). wsrep_sst_auth is the MySQL account xtrabackup uses for state transfers between nodes; the example reuses root, but a dedicated account with only RELOAD, LOCK TABLES and REPLICATION CLIENT on *.* is all xtrabackup needs, and it limits the damage if my.cnf is read by someone who should not see it.</p>
<p>------</p>
<p>save it and try to start mysql:</p>
<pre>$sudo service mysql start</pre>
<p>then check the status (use -p without the password so you are prompted for it; a password on the command line shows up in the process list and the shell history):</p>
<pre>$mysql -u root -p -e "show status like 'wsrep%';"</pre>
<pre>+------------------------------+--------------------------------------+
| Variable_name                | Value                                |
+------------------------------+--------------------------------------+
| wsrep_local_state_uuid       | b299724b-2ec5-11e4-baf7-4211948c6a81 |
...
| wsrep_local_state_comment    | Synced                               |
| wsrep_cert_index_size        | 0                                    |
| wsrep_causal_reads           | 0                                    |
| wsrep_cert_interval          | 0.000000                             |
| wsrep_incoming_addresses     | 10.185.0.20:3306                     |
...
| wsrep_cluster_state_uuid     | b299724b-2ec5-11e4-baf7-4211948c6a81 |
| wsrep_cluster_status         | Primary                              |
| wsrep_connected              | ON                                   |
| wsrep_local_bf_aborts        | 0                                    |
| wsrep_local_index            | 1                                    |
| wsrep_provider_name          | Galera                               |
| wsrep_provider_vendor        | Codership Oy <info@codership.com>    |
| wsrep_provider_version       | 3.6(r3a949e6)                        |
| wsrep_ready                  | ON                                   |
+------------------------------+--------------------------------------+
</pre>
<p>The lines to look at are wsrep_local_state_comment (Synced), wsrep_cluster_status (Primary), wsrep_ready (ON), wsrep_incoming_addresses and the two state uuids.</p>
<p>If it looks good, go to the second node.</p>
<p>There you have to do the same operations:</p>
<p>update, upgrade and dist-upgrade, then install percona (see above)</p>
<p>my.cnf is the same except for the node's own address and the cluster address; the second node must join the existing cluster, never bootstrap:</p>
<pre>wsrep_node_address=10.185.0.42
#wsrep_cluster_address=gcomm://   # must stay commented on a joining node
wsrep_cluster_address=gcomm://10.185.0.20,10.185.0.42</pre>
<p>save it and try to start mysql:</p>
<pre>$sudo service mysql start</pre>
<p>If there are no errors, you can check the status of the connection:</p>
<pre>$mysql -u root -p -e "show status like 'wsrep%';"</pre>
<pre>+------------------------------+--------------------------------------+
| Variable_name                | Value                                |
+------------------------------+--------------------------------------+
| wsrep_local_state_uuid       | b299724b-2ec5-11e4-baf7-4211948c6a81 |
| wsrep_protocol_version       | 6                                    |
...
| wsrep_local_send_queue_avg   | 0.000000                             |
| wsrep_local_recv_queue       | 0                                    |
| wsrep_local_recv_queue_avg   | 0.000000                             |
| wsrep_commit_oooe            | 0.000000                             |
| wsrep_commit_oool            | 0.000000                             |
...
| wsrep_commit_window          | 0.000000                             |
| wsrep_local_state            | 4                                    |
| wsrep_local_state_comment    | Synced                               |
| wsrep_cert_index_size        | 0                                    |
| wsrep_causal_reads           | 0                                    |
| wsrep_cert_interval          | 0.000000                             |
| wsrep_incoming_addresses     | 10.185.0.42:3306,10.185.0.20:3306    |
| wsrep_evs_repl_latency       | 0/0/0/0/0                            |
| wsrep_cluster_conf_id        | 4                                    |
| wsrep_cluster_size           | 2                                    |
| wsrep_cluster_state_uuid     | b299724b-2ec5-11e4-baf7-4211948c6a81 |
| wsrep_cluster_status         | Primary                              |
| wsrep_connected              | ON                                   |
| wsrep_local_bf_aborts        | 0                                    |
| wsrep_local_index            | 0                                    |
| wsrep_provider_name          | Galera                               |
| wsrep_provider_vendor        | Codership Oy <info@codership.com>    |
| wsrep_provider_version       | 3.6(r3a949e6)                        |
| wsrep_ready                  | ON                                   |
+------------------------------+--------------------------------------+
</pre>
<p>-----------</p>
<p>Check that</p>
<p>wsrep_cluster_state_uuid | b299724b-2ec5-11e4-baf7-4211948c6a81</p>
<p>is the same as on the first node, and that</p>
<p>wsrep_incoming_addresses | 10.185.0.42:3306,10.185.0.20:3306</p>
<p>lists both nodes: now we have a two-node cluster.</p>
<p>The cluster accepts connections on either address:</p>
<p>10.185.0.42:3306 or 10.185.0.20:3306</p>
<p>Now edit the config file on node1 so that it rejoins the cluster on its next restart instead of bootstrapping a new one:</p>
<pre>#wsrep_cluster_address=gcomm://   # comment it out
wsrep_cluster_address=gcomm://10.185.0.20,10.185.0.42   # uncomment it</pre>
<pre>$sudo service mysql stop
$sudo service mysql start</pre>
<p>After that you can check the status again:</p>
<pre>$mysql -u root -p -e "show status like 'wsrep%';"</pre>
<p>It should work! One caveat on a two-node cluster: Galera needs a majority to stay Primary, and when the link between two nodes breaks neither side has one, so both stop serving. Add a third node, or run garbd (the Galera arbitrator) on a third machine, before relying on this setup for availability.</p>
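<p>As an added example that is not from the original post, this shell snippet checks the wsrep status shown above before you touch node1's config: it insists on wsrep_ready=ON, wsrep_cluster_status=Primary, wsrep_local_state_comment=Synced and the expected wsrep_cluster_size, and says which one is wrong otherwise. It reads the status from a file (the output of the mysql -e command is tab-separated when redirected) so it can be tried on the constructed samples inside the block; their values are taken from the post's output.</p>

```shell
#!/bin/sh
# Added example, not from the original post: confirm a node has really joined
# before changing node1 from gcomm:// to the full node list.
# Input: mysql -u root -p -e "show status like 'wsrep%'" > /tmp/wsrep.txt
# (tab-separated when not written to a terminal). Samples below are constructed.

# wsrep_value FILE VARIABLE -> prints the Value column for VARIABLE
wsrep_value() {
    awk -F '\t' -v k="$2" '$1 == k { print $2 }' "$1"
}

# wsrep_joined FILE EXPECTED_SIZE -> 0 when this node is a Synced member of a
# Primary component with EXPECTED_SIZE nodes, 1 otherwise (reason on stdout)
wsrep_joined() {
    wj_file=$1
    wj_want=$2
    wj_ready=$(wsrep_value "$wj_file" wsrep_ready)
    wj_status=$(wsrep_value "$wj_file" wsrep_cluster_status)
    wj_state=$(wsrep_value "$wj_file" wsrep_local_state_comment)
    wj_size=$(wsrep_value "$wj_file" wsrep_cluster_size)
    # wsrep_ready=OFF: the node refuses queries (still joining, or isolated)
    [ "$wj_ready" = "ON" ] || { echo "not ready: wsrep_ready=${wj_ready:-missing}"; return 1; }
    # non-Primary: this node lost quorum; never write to it
    [ "$wj_status" = "Primary" ] || { echo "no quorum: wsrep_cluster_status=${wj_status:-missing}"; return 1; }
    # Joining/Joined/Donor mean a state transfer is still in progress
    [ "$wj_state" = "Synced" ] || { echo "state transfer not finished: ${wj_state:-missing}"; return 1; }
    [ "$wj_size" = "$wj_want" ] || { echo "cluster has ${wj_size:-0} node(s), expected $wj_want"; return 1; }
    echo "joined: $wj_size nodes, Primary, Synced"
    return 0
}

WSREP_SAMPLES=$(mktemp -d)
# Constructed sample 1: both nodes up, as in the post after the second node joined
printf '%s\t%s\n' \
    Variable_name Value \
    wsrep_local_state_comment Synced \
    wsrep_incoming_addresses 10.185.0.42:3306,10.185.0.20:3306 \
    wsrep_cluster_size 2 \
    wsrep_cluster_status Primary \
    wsrep_ready ON > "$WSREP_SAMPLES/healthy.txt"
# Constructed sample 2: node cut off from its peer, no quorum
printf '%s\t%s\n' \
    Variable_name Value \
    wsrep_local_state_comment Initialized \
    wsrep_cluster_size 1 \
    wsrep_cluster_status non-Primary \
    wsrep_ready OFF > "$WSREP_SAMPLES/isolated.txt"
# Constructed sample 3: joiner that received its state but has not caught up yet
printf '%s\t%s\n' \
    Variable_name Value \
    wsrep_local_state_comment Joined \
    wsrep_cluster_size 2 \
    wsrep_cluster_status Primary \
    wsrep_ready ON > "$WSREP_SAMPLES/joining.txt"

# Usage on a live node: wsrep_joined /tmp/wsrep.txt 2
```

<p>The same function can sit in a deployment script as a gate: loop on it until it returns 0 before restarting the next node, so you never bounce a node while its peer is still receiving a state transfer.</p>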
<p> </p>Install OpenVPN server in Openvz container Ubuntu Server2017-04-04T19:49:41+00:002024-03-28T13:14:31+00:00mahhttps://linuxmon.com/author/mah/https://linuxmon.com/install-openvpn-server-in-openvz-container-ubuntu-server/<div><a href="https://linuxmon.com/installing-openvpn-server-in-openvz-container-ubuntu-server/" target="_blank"><img alt="openvpn" class="wp-image-383 alignleft" height="36" src="https://linuxmon.com/static/media/uploads/Blog/.thumbnails/openvpn.png/openvpn-219x36.png" width="219"/></a></div>
<p>Today we are going to install an OpenVPN server in an OpenVZ container.</p>
<p>After creating the container (for example CTID 102) we need to give it a tun/tap device, from the OpenVZ host:</p>
<pre>vzctl set 102 --devnodes net/tun:rw --save
vzctl set 102 --devices c:10:200:rw --save
vzctl set 102 --capability net_admin:on --save
vzctl exec 102 mkdir -p /dev/net
vzctl exec 102 mknod /dev/net/tun c 10 200</pre>
<!--more-->
<p>Then go to the container:</p>
<pre>vzctl enter 102</pre>
<p>Installing the OpenVPN server, step 1:</p>
<pre>#apt-get update
#apt-get install openvpn
#mkdir /etc/openvpn/easy-rsa/
#cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
</pre>
<p>step 2: <span>Edit /etc/openvpn/easy-rsa/vars</span></p>
<pre>export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="NY City"
export KEY_EMAIL="me@myhost.mydomain"
# easy-rsa 2.0 defaults to 1024-bit keys and DH parameters; 2048 is the sane
# minimum today. If you raise it, build-dh produces dh2048.pem and the dh line
# in server.conf must name that file.
#export KEY_SIZE=2048</pre>
<p>step 3: <span>Setup the CA and create the first server certificate</span></p>
<pre>cd /etc/openvpn/easy-rsa/
sudo ln -s openssl-1.0.0.cnf openssl.cnf
source ./vars
./clean-all ##Deletes all keys
./build-dh
./pkitool --initca ## creates ca cert and key
./pkitool --server server ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../</pre>
<p>Configuring /etc/openvpn/server.conf</p>
<pre>local 10.184.211.130              # the server's own ip address
port 1194
proto udp
dev tun
;dev tap
ca ca.crt
cert server.crt
key server.key                    # private key: root-only, mode 600
dh dh1024.pem                     # dh2048.pem if you set KEY_SIZE=2048 in vars
#tls-auth ta.key 0                # HMAC on the control channel; enable together with "tls-auth ta.key 1" on every client
server 10.184.212.0 255.255.255.0 # range ip address for clients
#ifconfig-pool-persist ipp.txt
#push "redirect-gateway def1"
push "route 10.184.211.0 255.255.255.0"
push "route 10.0.1.0 255.255.255.0" # you can delete it
push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DNS 10.184.211.131"
#push "dhcp-option DNS 208.67.220.220"
keepalive 5 30
comp-lzo
user nobody                       # drop root once the tunnel is up
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
</pre>
<p>Then try to start OpenVPN:</p>
<pre>#/etc/init.d/openvpn start</pre>
<p>Next we create keys for the clients:</p>
<pre>#source ./vars
#./build-key client1</pre>
<p>After answering some questions, three new files appear in the keys dir: client1.key, client1.crt, client1.csr. The client needs 3 files:</p>
<pre>ca.crt, client1.key, client1.crt</pre>
<p>(plus ta.key if you enable tls-auth). Copy them to the client's host over a trusted channel such as scp, never by e-mail: client1.key is that client's private key, so keep it mode 600 and owned by root on the client. <strong>Configuring client access to the VPN server</strong>: install openvpn:</p>
<pre>$sudo apt-get update
$sudo apt-get install openvpn
$cd /etc/openvpn
$sudo vim openvpn.conf</pre>
<pre>client
dev tun
proto udp
remote 10.184.211.130 1194   # this is the ip address of the OpenVPN server
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server       # refuse a peer whose certificate was not issued with pkitool --server
#tls-auth ta.key 1           # enable together with "tls-auth ta.key 0" on the server
comp-lzo
verb 3</pre>
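<p>As an added example that is not from the original post, the following shell function packs the client configuration above and the four client files into one .ovpn profile with inline blocks, which is easier to hand to a user than separate files. It assumes the server at 10.184.211.130:1194/udp as in the post, that tls-auth is enabled on the server with "tls-auth ta.key 0" (the post creates ta.key but never references it; enable both sides together, or remove the tls-auth block and key-direction from the function), and that the server certificate was issued with pkitool --server, which adds the extensions remote-cert-tls checks. The PEM files the block creates are labelled placeholders, not real certificates.</p>

```shell
#!/bin/sh
# Added example, not from the original post: pack the client files into one
# .ovpn profile with inline <ca>/<cert>/<key>/<tls-auth> blocks instead of
# copying four files plus a config into /etc/openvpn on the client.
# Assumptions: server 10.184.211.130 udp/1194 as in the post; "tls-auth ta.key 0"
# enabled on the server; server cert issued with pkitool --server so that
# remote-cert-tls can tell a server certificate from a client certificate.

# inline_block TAG FILE -> emits <TAG>...</TAG> around the file's PEM content
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# make_ovpn SERVER_IP KEYDIR CLIENT_NAME -> profile on stdout; 1 if a file is missing
make_ovpn() {
    mo_server=$1
    mo_dir=$2
    mo_name=$3
    for mo_f in ca.crt "$mo_name.crt" "$mo_name.key" ta.key; do
        [ -r "$mo_dir/$mo_f" ] || { echo "missing $mo_dir/$mo_f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $mo_server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
comp-lzo
verb 3
EOF
    inline_block ca "$mo_dir/ca.crt"
    inline_block cert "$mo_dir/$mo_name.crt"
    inline_block key "$mo_dir/$mo_name.key"
    inline_block tls-auth "$mo_dir/ta.key"
}

# write_ovpn SERVER_IP KEYDIR CLIENT_NAME OUTFILE -> profile readable by its owner only;
# the profile contains the client's private key, so it must not be world-readable
write_ovpn() {
    ( umask 077 && make_ovpn "$1" "$2" "$3" > "$4" ) || { rm -f "$4"; return 1; }
}

# Constructed placeholders standing in for real easy-rsa output (not real keys)
OVPN_DEMO=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$OVPN_DEMO/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT1' '-----END CERTIFICATE-----' > "$OVPN_DEMO/client1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-CLIENT1-KEY' '-----END PRIVATE KEY-----' > "$OVPN_DEMO/client1.key"
printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER-TA' '-----END OpenVPN Static key V1-----' > "$OVPN_DEMO/ta.key"

# Usage: write_ovpn 10.184.211.130 /etc/openvpn/easy-rsa/keys client1 client1.ovpn
```

<p>The generated file is the whole client identity in one place: transfer it like a private key, and revoke client1's certificate on the CA if it is lost.</p>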
<p>The keys must be in this directory: /etc/openvpn/ (client1.key mode 600). Try to start the service:</p>
<pre>$sudo /etc/init.d/openvpn start</pre>
<pre>$ifconfig
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.184.212.6 P-t-P:10.184.212.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:234452 errors:0 dropped:231992 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:349924494 (349.9 MB)</pre>
<p>Interface tun0 is up, looks good.</p><p>---</p><p>links:</p><p><a href="https://help.ubuntu.com/community/OpenVPN">https://help.ubuntu.com/community/OpenVPN</a> # how to install OpenVPN on Ubuntu</p><p><a href="https://openvz.org/VPN_via_the_TUN/TAP_device">https://openvz.org/VPN_via_the_TUN/TAP_device</a> # VPN via the TUN/TAP device in an OpenVZ container</p>Ubuntu bonding2017-04-04T19:46:11+00:002024-03-27T06:17:47+00:00mahhttps://linuxmon.com/author/mah/https://linuxmon.com/ubuntu-bonding/<p><a href="https://linuxmon.com/ubuntu-bonding/"><img alt="" height="116" src="https://linuxmon.com/static/media/uploads/Blog/.thumbnails/bonding.png/bonding-207x116.png" width="207"/></a></p>
<p>If we need to increase the bandwidth of a server we can bond its Ethernet cards. Bonding, also called port <strong>trunking</strong>, combines several Ethernet cards into one link with one IP address, for high-load systems:</p>
<ul>
<li>load balancing,</li>
<li>high availability,</li>
<li>maximum throughput,</li>
</ul>
<p>or combinations of these modes. We will set it up on Ubuntu 12.04 LTS</p>
<!--more-->
<p>Ubuntu 12.04.4 LTS <strong>Installation</strong>: we need to install <strong>ifenslave-2.6</strong>, the tool that attaches and detaches the slave Ethernet cards of a bond</p>
<pre>sudo apt-get install ifenslave-2.6</pre>
<p><b>Configuring the Ethernet cards</b>: before putting the cards into a bond, we check that the kernel has the bonding module and make it load at boot:</p>
<pre class="brush: bash; gutter: true; first-line: 1">sudo vi /etc/modules
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored
loop
lp
rtc
bonding
</pre>
<p>stop networking:</p>
<pre>sudo /etc/init.d/networking stop</pre>
<p>load module <strong>bonding</strong></p>
<pre>sudo modprobe bonding</pre>
<p>now we are ready to set up our ethernet cards:</p>
<pre>sudo vim /etc/network/interfaces</pre>
<p>for example, we have two Ethernet cards, eth0 and eth1, and we want to bond them in 'load balancing' (round-robin) mode.</p>
<pre class="brush: bash; gutter: true; first-line: 1">auto eth0
iface eth0 inet manual
bond-master bond0
auto eth1
iface eth1 inet manual
bond-master bond0
# bond0 is configured using static network information.
auto bond0
iface bond0 inet static
address 192.168.1.10
gateway 192.168.1.1
netmask 255.255.255.0
bond-mode balance-rr
bond-miimon 100
bond-slaves eth0 eth1</pre>
<p>balance-rr spreads the packets of one flow over both links, which needs no switch support but can reorder packets. If your switch supports LACP, bond-mode 802.3ad is the better choice; for pure fail-over use active-backup. Start networking:</p>
<pre>sudo /etc/init.d/networking start</pre>
<p>verify the bond0 interface (on the machine this output was taken from the slaves were eth2 and eth3):</p>
<pre>$cat /proc/net/bonding/bond0</pre>
<pre>Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
Slave Interface: eth3
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:15:17:6a:65:f5
Slave queue ID: 0
Slave Interface: eth2
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:15:17:6a:65:f4
Slave queue ID: 0</pre>
<p>Everything is OK.</p>Plugin for Nagios in Bash2017-04-04T19:42:46+00:002024-03-28T20:02:11+00:00mahhttps://linuxmon.com/author/mah/https://linuxmon.com/plugin-for-nagios-in-bash/<p><a href="https://linuxmon.com/plugin-for-nagios-in-bash/"><img alt="" height="37" src="https://linuxmon.com/static/media/uploads/Blog/.thumbnails/nagios.png/nagios-157x37.png" width="157"/></a></p>
<p>Today we'll write a simple plugin in Bash.</p>
<p>Nagios plugins must return one of these exit codes:</p>
<table border="0">
<tbody>
<tr>
<td><strong>Exit Code</strong></td>
<td><strong>Status</strong></td>
</tr>
<tr>
<td>0</td>
<td>OK</td>
</tr>
<tr>
<td>1</td>
<td>WARNING</td>
</tr>
<tr>
<td>2</td>
<td>CRITICAL</td>
</tr>
<tr>
<td>3</td>
<td>UNKNOWN</td>
</tr>
</tbody>
</table>
<p>For example, we need to count the processes of some program in Linux. The plugin below uses a '[c]ollector' pattern so that grep itself is not counted; count the same way when you pick the expected number:</p>
<pre> #ps ax |grep '[c]ollector' | wc -l
33</pre>
<p><!--more--></p>
<p>We have 33 'collector' processes; we assume that this is the correct number, and if the actual count differs the plugin should return the CRITICAL code.</p>
<pre class="brush: bash; gutter: true; first-line: 1">#!/bin/bash
# check_collector - OK when exactly $1 'collector' processes are running, CRITICAL otherwise
CNTSHOULDBE=$1
# the expected count must be a non-negative integer, otherwise report UNKNOWN
if ! [[ "$CNTSHOULDBE" =~ ^[0-9]+$ ]]; then
    echo "UNKNOWN - usage: $0 <expected number of collector processes>"
    exit 3
fi
# '[c]ollector' keeps the grep itself out of the list; this plugin is excluded by name
COUNT=$(ps ax | grep '[c]ollector' | grep -vc check_collector)
if [ "$COUNT" -eq "$CNTSHOULDBE" ]; then
    echo "OK - $COUNT collector processes, should be $CNTSHOULDBE"
    exit 0
else
    echo "CRITICAL - $COUNT collector processes, should be $CNTSHOULDBE"
    exit 2
fi
</pre>
<p>The argument for this plugin is the expected number of processes.</p>
<p>Save this code as</p>
<p><strong>/usr/local/nagios/libexec/check_collector</strong></p>
<p>and make it executable</p>
<p><strong>chmod +x check_collector</strong></p>
<p>We are ready to test it: ./check_collector 33 should print the OK line and exit 0 (check with echo $?).</p>
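<p>A second plugin in the same style, as an added example that is not part of the original post: it checks the bonded interface from the Ubuntu bonding post above by parsing /proc/net/bonding/bond0, returning WARNING when a slave is down or the link failure counter exceeds a threshold, CRITICAL when the bond itself is down, and UNKNOWN when the file cannot be read. The parser takes a file path so the block can be tried on the constructed samples it creates (the healthy sample is the output shown in the bonding post). NRPE entry, for example: command[check_bond]=/usr/local/nagios/libexec/check_bond bond0</p>

```shell
#!/bin/sh
# check_bond: Nagios plugin for a bonded interface, added example (not from
# the post). It parses the /proc/net/bonding/<bond> text shown in the bonding
# post; the parser takes a file path so it can be tested on the constructed
# samples below. Exit codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.

# bond_status FILE [MAX_LINK_FAILURES] -> prints "STATUS - detail", returns the exit code
bond_status() {
    bs_file=$1
    bs_max=${2:-0}
    [ -r "$bs_file" ] || { echo "UNKNOWN - cannot read $bs_file"; return 3; }
    awk -v maxfail="$bs_max" '
        /^Bonding Mode:/            { mode = substr($0, index($0, ":") + 2) }
        /^MII Status:/ && !in_slave { bond_up = ($3 == "up") }      # first MII line is the bond itself
        /^Slave Interface:/         { in_slave = 1; slaves++; name = $3 }
        /^MII Status:/ && in_slave  { if ($3 != "up") down = down " " name }
        /^Link Failure Count:/      { failures += $4 }
        END {
            if (slaves == 0) { print "UNKNOWN - no slave interfaces listed"; exit 3 }
            if (!bond_up)    { print "CRITICAL - bond is down, mode " mode; exit 2 }
            if (down != "")  { print "WARNING - slave(s) down:" down ", " slaves " configured"; exit 1 }
            # failure counters are cumulative since boot, hence the threshold argument
            if (failures > maxfail) {
                print "WARNING - " failures " link failure(s) (threshold " maxfail "), all " slaves " slaves up"
                exit 1
            }
            print "OK - " slaves " slaves up, mode " mode ", " failures " link failure(s)"
            exit 0
        }' "$bs_file"
}

# Plugin entry point when installed as check_bond: check_bond <bond> [max_link_failures]
case "${0##*/}" in
    check_bond*) bond_status "/proc/net/bonding/${1:-bond0}" "${2:-0}"; exit $? ;;
esac

BOND_SAMPLES=$(mktemp -d)
# Constructed sample 1: the healthy output from the bonding post (two slaves up)
cat > "$BOND_SAMPLES/ok.txt" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth3
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:15:17:6a:65:f5
Slave queue ID: 0

Slave Interface: eth2
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:15:17:6a:65:f4
Slave queue ID: 0
EOF
# Constructed sample 2: eth2 lost link once and is currently down
sed -e '/^Slave Interface: eth2/,$ s/^MII Status: up$/MII Status: down/' \
    -e '/^Slave Interface: eth2/,$ s/^Link Failure Count: 0$/Link Failure Count: 1/' \
    "$BOND_SAMPLES/ok.txt" > "$BOND_SAMPLES/degraded.txt"
# Constructed sample 3: the bond itself reports down (line 4 is the bond's MII line)
sed '4s/^MII Status: up$/MII Status: down/' "$BOND_SAMPLES/ok.txt" > "$BOND_SAMPLES/down.txt"
```

<p>The threshold matters because the kernel's Link Failure Count only grows; without it every historical flap would keep the service in WARNING until the next reboot.</p>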
<h2><b>Adding plugins in NRPE</b></h2>
<p>Add the plugin to the NRPE config file, with its argument, for example</p>
<p><strong>command[check_collector]=/usr/local/nagios/libexec/check_collector 33</strong></p>
<p><b>33</b> is the correct value for our system in this case. The argument is fixed in nrpe.cfg on purpose: keep dont_blame_nrpe=0 so the Nagios server cannot pass arguments to commands over the network.</p>
<p>restart nrpe:</p>
<p><strong>#killall nrpe</strong></p>
<p><strong>#/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -d</strong></p>
<p>Go to the Nagios host to set up this plugin.</p>
<p>Add in config file :</p>
<pre>define service{
use generic-service ; Name of service template to use
host_name rec-1
service_description Check Collector
check_command check_nrpe!check_collector
}</pre>
<p>restart nagios:</p>
<p><strong>#service nagios restart</strong></p>
<p>in WEB interface nagios we should see:</p>
<p><a href="https://linuxmon.com/static/media/uploads/Blog/check_collector-300x7.png" target="_blank"><img alt="check_collector" class="aligncenter size-full wp-image-220" height="19" src="https://linuxmon.com/static/media/uploads/Blog/.thumbnails/check_collector.png/check_collector-736x19.png" width="736"/></a></p>
<p>Setup plugin for Nagios done.</p>Install and setup Nagios. Part 12017-04-04T19:04:21+00:002024-03-28T00:53:22+00:00mahhttps://linuxmon.com/author/mah/https://linuxmon.com/nagios-part-1/<p><!--:en--></p>
<p><a href="https://linuxmon.com/nagios-part-1/"><img alt="nagios" class="alignnone size-full wp-image-22" height="37" src="https://linuxmon.com/static/media/uploads/Blog/.thumbnails/nagios.png/nagios-157x37.png" width="157"/></a></p>
<p><strong>Tasks</strong></p>
<p>1. Install Nagios</p>
<p>2. Setup and add hosts Nagios for monitoring</p>
<p>3. Install and setup NRPE</p>
<h5> </h5>
<h5>---------------------------</h5>
<p><strong>Nagios</strong> is an open source computer system monitoring, network monitoring and infrastructure monitoring software application. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts the users when things go wrong and alerts them a second time when the problem has been resolved.<!--:--><!--:ru--></p>
<p> </p>
<h5><!--more--></h5>
<h5>---------------------------</h5>
<p>We will install Nagios on Ubuntu 12.04.2 LTS from the repository:</p>
<pre>sudo apt-get update
sudo apt-get install nagios3 nagios3-cgi</pre>
<p>After entering a password for the admin user <strong>nagiosadmin</strong> and installing all the dependencies we can log in at:</p>
<pre>http://192.168.0.1/nagios3</pre>
<p>Enter the nagiosadmin password and the Nagios web interface should open.</p>
<p></p>
<p>By default, Nagios monitors localhost only; to monitor other hosts we need a config file for each host:</p>
<p>Go to the Nagios host over ssh, as root, into <strong>/etc/nagios3/conf.d</strong></p>
<p>The files in this directory:</p>
<p>contacts_nagios2.cfg - describes all contacts for notification; leave the defaults and change the e-mail address for notifications</p>
<pre>define contact{
contact_name root
alias Root
service_notification_period 24x7
host_notification_period 24x7
service_notification_options w,u,c,r
host_notification_options d,r
service_notification_commands notify-service-by-email
host_notification_commands notify-host-by-email
email root@localhost
}</pre>
<p>generic-host_nagios2.cfg - General template for host</p>
<pre># Generic host definition template - This is NOT a real host, just a template!
define host{
name generic-host ; The name of this host template
notifications_enabled 1 ; Host notifications are enabled
event_handler_enabled 1 ; Host event handler is enabled
flap_detection_enabled 1 ; Flap detection is enabled
failure_prediction_enabled 1 ; Fail prediction is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information across program restarts
retain_nonstatus_information 1 ; Retain non-status information across program restarts
check_command check-host-alive
max_check_attempts 10
notification_interval 0
notification_period 24x7
notification_options d,u,r
contact_groups admins
register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REA HOST, JUST A TEMPLATE!
}</pre>
<p>Leave this template as it is. Based on it we will define the hosts.</p>
<p>generic-service_nagios2.cfg - general template for services</p>
<p>The object definitions used in these config files are described in the Nagios object definitions documentation.</p>
<p style="text-align: left;">------------------</p>
<p style="text-align: left;">In <a href="http://lnxmon.com/nagios-part-2/">second part</a> we'll add host to nagios for monitoring</p>
<p><!--:--></p>Install and setup Nagios. Part 22017-04-04T15:35:16+00:002024-03-28T05:33:04+00:00mahhttps://linuxmon.com/author/mah/https://linuxmon.com/nagios-part-2/<address><a href="http://exchange.nagios.org/directory/Addons/Monitoring-Agents/NRPE--2D-Nagios-Remote-Plugin-Executor/details">NRPE - Nagios Remote Plugin Executor</a></address><address></address>
<p><a href="https://linuxmon.com/nagios-part-2/"><img alt="nrpe" class="aligncenter size-medium wp-image-121" height="74" src="https://linuxmon.com/static/media/uploads/Blog/.thumbnails/nrpe-300x74.png/nrpe-300x74-300x74.png" width="300"/></a></p>
<p></p>
<p>Tasks: 1. Install the NRPE plugin for Nagios 2. Add a host to Nagios for remote monitoring. Sometimes <strong>Nagios plugins + NRPE</strong> is a better choice than SNMP.</p>
<address>NRPE allows running Nagios plugins remotely on Linux/Unix hosts</address><!--more-->
<p>Download <a href="http://downloads.sourceforge.net/project/nagios/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz?r=&ts=1363788540&use_mirror=hivelocity">NRPE 2.15</a> Download <a href="https://www.nagios-plugins.org/download/nagios-plugins-1.5.tar.gz">nagios-plugins-1.5.tar.gz</a> and extract it</p>
<pre>$tar -zxvf nagios-plugins-1.5.tar.gz
$tar zxvf nrpe-2.15.tar.gz
$cd nagios-plugins-1.5</pre>
<p>Before compiling we need to create the user the nrpe daemon runs as. It is a service account: give it no password and no login shell</p>
<pre>$sudo useradd -r -s /usr/sbin/nologin nagios
$./configure
$make
$sudo make install
$cd /usr/local/nagios/libexec</pre>
<p>Here should be a lot of files: the plugins we can run remotely from the Nagios host. <strong>Compiling NRPE</strong>: go to the dir where nrpe was extracted. We need OpenSSL for the connection between the Nagios host and the remote host. Note that NRPE 2.x encrypts this connection with anonymous Diffie-Hellman ciphers: neither side presents a certificate, so the only access control is allowed_hosts below plus your firewall on port 5666.</p>
<pre>$sudo apt-get install libssl-dev</pre>
<pre>$./configure --with-ssl-lib=/usr/lib/x86_64-linux-gnu</pre>
<p>if you need help:</p>
<pre>$./configure -help</pre>
<p>After a successful configure we see:</p>
<pre>*** Configuration summary for nrpe 2.15 09-06-2013 ***:
General Options:
-------------------------
NRPE port: 5666
NRPE user: nagios
NRPE group: nagios
Nagios user: nagios
Nagios group: nagios
Review the options above for accuracy. If they look okay,
type 'make all' to compile the NRPE daemon and client.</pre>
<pre>$make all
$sudo make install-plugin
$sudo make install-daemon
$sudo make install-daemon-config</pre>
<p>We need to edit the config file</p>
<pre>/usr/local/nagios/etc/nrpe.cfg</pre>
<p>Look for the line:</p>
<pre>#server_address=127.0.0.1</pre>
<p>This is the address nrpe listens on. Left commented, it listens on all addresses of this host; uncomment it and set it to the address the Nagios server will connect to (192.168.1.28 on our host) if you want to restrict it to one interface. Do not leave it at 127.0.0.1, or nothing outside the host can reach it. Then set allowed_hosts, the only IP allowed to talk to the daemon, to the Nagios host (192.168.0.1 in part 1). nrpe.cfg has no trailing comments, so put nothing after the value:</p>
<pre><strong>allowed_hosts=192.168.0.1</strong></pre>
<p>Leave dont_blame_nrpe=0 so that command arguments sent over the network are rejected.</p>
<p>Go to bottom :</p>
<pre>command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
<strong>command[check_hda1]</strong>=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p <strong>/dev/hda1</strong>
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 150 -c 200</pre>
<p>The name in <strong>[ .. ]</strong> is the command name the Nagios host refers to in its config. We can use any plugin from <strong>/usr/local/nagios/libexec</strong>, including our own. Change the values to match your system; on our server the disks are <strong>/dev/sda6</strong> and <strong>/dev/sdb3</strong>:</p>
<pre><strong>command[check_sda6]</strong>=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p <strong>/dev/sda6</strong>
<strong>command[check_sdb3]</strong>=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p <strong>/dev/sdb3</strong>
</pre>
<p>Put your own disks here. Run nrpe as a daemon on the remote host (for production start it from an init script or xinetd so it survives a reboot): <strong>$sudo /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -d</strong> and check that nrpe listens on port 5666. The local address must be one the Nagios server can reach (192.168.1.28 here); if it shows 127.0.0.1:5666, server_address is still set to loopback and the checks below will fail:</p>
<pre>$ sudo netstat -anp |grep nrpe
<strong>tcp 0 0 192.168.1.28:5666 0.0.0.0:* LISTEN 27377/nrpe</strong></pre>
<p>All OK. Go to the Nagios host console and check connectivity with the remote host:</p>
<pre>/usr/local/nagios/libexec/check_nrpe -H <ip remote host></pre>
<pre>NRPE v2.15</pre>
<p>OK. Now configure the Nagios host to use nrpe for this remote host. The check_nrpe command used below must exist as a command object on the Nagios host (command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$, with $USER1$ pointing at the directory holding the check_nrpe binary built above):</p>
<pre>define host{
use linux-server ; Name of host template to use
; This host definition will inherit all variables that are defined
; in (or inherited by) the linux-server host template definition.
host_name rec-1
alias rec-1
address 192.168.1.28 ; ip address of the remote host with the nrpe plugin
}
define service{
use generic-service ; Name of service template to use
host_name rec-1
service_description Total Processes
check_command check_nrpe!check_total_procs
}
define service{
use generic-service ; Name of service template to use
host_name rec-1
service_description Current Load
check_command check_nrpe!check_load
}
define service{
use generic-service ; Name of service template to use
host_name rec-1
service_description Free Space /lasxdays2
check_command check_nrpe!check_sda6
}
define service{
use generic-service ; Name of service template to use
host_name rec-1
service_description Free Space /lastxdays3
check_command check_nrpe!check_sdb3
}</pre>
<p>Then restart Nagios: #service nagios restart. Now we check the available space on the remote host's <strong>/dev/sda6</strong> and <strong>/dev/sdb3</strong>; if something is wrong, alerts go to the admins. End.</p>