centostricks

Just another WordPress.com site

Monthly Archives: August 2011

VNC Server/Client


 

What is VNCserver?
VNC stands for Virtual Network Computing. It was originally developed by AT&T as a way to administer machines without using the console.

Why use VNCserver?
In Linux, everything can be done from a shell. However, there may be a time when you need to access the machine as if you were at the console.

Getting Started
You will need several things to get started:

• root privileges
• VNC client software (tightVNC)
• A good password!

As I mentioned above, this example is done with RHEL, which comes standard with VNCserver installed. To start the vncserver simply invoke the following commands:
[root@test etc]# service vncserver start
Starting VNC server: [ OK ]
[root@test etc]#
[root@test etc]# vncpasswd
Password:
Verify:
[root@test etc]# vncserver

New ‘test:1 (root)’ desktop is test:1

Starting applications specified in /root/.vnc/xstartup
Log file is /root/.vnc/test:1.log

So what did we do there? First, we started the vncserver service. It may or may not have already been running on your system. Next we set a password to access the VNC desktop. When you set the password, you will not see any characters on the screen, and you must enter the password twice. You will only need to do this the very first time you run vncserver. The password will be saved in the Linux filesystem, and you can change it at any time by invoking the vncpasswd command again. Last, to activate the VNC desktop, we simply invoked the vncserver command.
Notice the output; the desktop is named “test:1”, and the machine's IP address can be used in place of the host name.
Connecting
Assuming you already installed VNC client, enter the desktop name:

# vncviewer test:1

You can replace the server name with an IP address if you are logging in from outside your LAN. Remember, if you are using NAT, port 5900 must be forwarded to your VNC server.

Upon successful connection, you will be prompted for a password. You will then see a terminal screen that will allow you to execute commands.

_________________________________________________________________________________________________________

VNCserver in Runlevel 5 (KDE or Gnome)

If you are new to Linux, running VNC server with a terminal isn’t going to do you much good. You might want to have a menu-driven GUI like Windows. No problem. Follow these steps:

First, we are going to assume that VNCserver is running under the root user, as shown with the example above. For this example, I will be editing my VNCserver to enter Gnome. You can specify a KDE desktop if you have KDE installed on your server. Make sure you are in the root directory.

[root@test ~]# cd .vnc
[root@test .vnc]# ls
passwd         test:1.pid  test:2.pid  test:3.pid  test:4.pid  test:5.pid             test.area51.lan:1.pid test:1.log  test:2.log  test:3.log  test:4.log  test:5.log  test.area51.lan:1.log  test.area51.lan:2.log xstartup
[root@test .vnc]# vi xstartup

Using vi (vim) to edit the xstartup file, make sure your file matches this one:

#!/bin/sh

# Uncomment the following two lines for normal desktop:

unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
startx &

Notice that the last line is “startx &” as this command will launch Gnome upon login via VNCserver. If you are using a KDE desktop, the line “startkde &” should replace the last line.

Logging in, you will be presented with a Gnome or KDE desktop.

 

External Links :

http://bobpeers.com/linux/vnc


Network Card Settings in CentOS/RHEL


How to create Virtual (alias) Interface for Ethernet in Linux

 Why do we need multiple Alias Interfaces?

Example: Consider hosting multiple website/FTP sites on a single server, with each website accessed through a different IP address. To host 10 websites, each on its own IP address, we would need 10 NICs with one IP address each, which increases cost, space and maintenance. This can be overcome with a single physical network card with multiple virtual interfaces. All the virtual NICs share the MAC address of the eth0 physical interface.

Case 1 :

To create a range of alias interfaces

Create the following /etc/sysconfig/network-scripts/ifcfg-eth0-range0:

IPADDR_START=<start ip address>
IPADDR_END=<end IP address>
CLONENUM_START=0
NETMASK=<network mask>

Example :

IPADDR_START=192.168.10.20
IPADDR_END=192.168.10.30
CLONENUM_START=0
NETMASK=255.255.255.0

Here alias interfaces are created from eth0:0 to eth0:10; eth0:0 gets 192.168.10.20 and so on up to eth0:10, which gets 192.168.10.30.

/etc/rc.d/init.d/network restart

Case 2:

Let me consider a requirement with only one alias network card.

Here we can follow the below steps

# cp /etc/sysconfig/network-scripts/ifcfg-eth0  /etc/sysconfig/network-scripts/ifcfg-eth0:0

# vi /etc/sysconfig/network-scripts/ifcfg-eth0:0

Replace the line DEVICE=eth0 with DEVICE=eth0:0, change the IP address as required, and restart the network:

# /etc/init.d/network restart

If you want the virtual IP address to come up on boot, replace

 ONBOOT=YES 

 to

 ONPARENT=YES

 This makes the interface only come up when the parent interface comes up, while ONBOOT=YES would pull up the parent interface even if that is configured to not come up on boot.

To make the changes take effect please restart the network services using:

# /etc/init.d/network restart

 

Setup Speed/Duplex settings on a network card in CentOS/Redhat 5.x

 Verify the required packages are installed

# rpm -qa ethtool net-tools
If they are not already installed, run the command below

# yum install ethtool net-tools

Add the line below to the configuration file of the network card, such as /etc/sysconfig/network-scripts/ifcfg-eth0

ETHTOOL_OPTS="autoneg off speed 1000 duplex full"

Execute the commands below to make the changes take effect.

Note: Before making this change, verify that your switch supports this configuration. Otherwise your network cards will stop functioning.

#ifdown eth0

#ifup eth0

To verify the changes

# ethtool eth0   

For temporary change with ethtool, execute the below command:

# ethtool -s eth0 speed 1000 duplex full

For temporary change with mii-tool, execute the below command:

Disable auto-negotiation, and force the MII to 1000baseTx-FD

# mii-tool -F 1000baseTx-FD

Hardening RHEL/CentOS 5.x


Hardening RHEL/CentOS

1. System and Network Services 

1.1 The Default Run level to be set to 3 in /etc/inittab 

id:3:initdefault:

1.2 The Below System and Network Services in the table can be enabled 

System and Network Services
ntpd
network
sshd
syslog
auditd
acpid
cpuspeed
crond
anacron
irqbalance
iptables
And All other services specific to the server
Disable all other services that are not needed, in all runlevels

To enable a service on the runlevels: chkconfig --level 345 <servicename> on

To disable a service on the runlevels: chkconfig --level 345 <servicename> off

2. Default Permissions

2.1 Umask must be set to 0027 in /etc/login.defs and /etc/profile

Edit /etc/login.defs  and /etc/profile and set umask 027

3. Password Policies

3.1 Minimum password length must be set to 8 characters.

 Edit /etc/login.defs and set  PASS_MIN_LEN   8

3.2 Password triviality checking must be enforced.

Edit /etc/pam.d/system-auth and set password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=10 difok=2 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-2

3.3 Maximum age of the password must be 90 days.

Edit /etc/login.defs and set  PASS_MAX_DAYS   45

3.4 Minimum age of the password must be 15 days.

Edit /etc/login.defs and set PASS_MIN_DAYS   3

3.5 Set Password Warning age to 7 days.

Edit /etc/login.defs and set PASS_WARN_AGE   7

3.6 User account to be locked after 90 days of inactivity.

Edit /etc/default/useradd and set INACTIVE=90

3.7 Remove encrypted password from /etc/shadow for unused users.

4. Account Policies(PAM)

4.1 Account Lockout policies (lock account after three attempts)

Edit /etc/pam.d/system-auth and add auth        required      pam_tally.so onerr=fail deny=3 unlock_time=360 

The above line should come immediately after the pam_env.so line and before the pam_unix.so line in the configuration file

Accounts can be unlocked by running faillog -r -u <username>

faillog -u <username> displays the number of attempts and failures

5. Disable unnecessary accounts

5.1 Change the default shell to /sbin/nologin to users in the below table

Use the command usermod -s /sbin/nologin <username> to change the shell to /sbin/nologin

Below table holds a list of users whose shell has to be disabled

Users Shell
bin /sbin/nologin
daemon /sbin/nologin
adm /sbin/nologin
lp /sbin/nologin
uucp /sbin/nologin
operator /sbin/nologin
nobody /sbin/nologin
dbus /sbin/nologin
avahi /sbin/nologin
smmsp /sbin/nologin
mail /sbin/nologin
ntp /sbin/nologin
haldaemon /sbin/nologin
sshd /sbin/nologin
gdm /sbin/nologin
xfs /sbin/nologin
sabayon /sbin/nologin
sync /sbin/nologin
shutdown /sbin/nologin
halt /sbin/nologin
news /sbin/nologin
games /sbin/nologin
gopher /sbin/nologin
ftp /sbin/nologin
nscd /sbin/nologin
distcache /sbin/nologin
vcsa /sbin/nologin
pcap /sbin/nologin
apache /sbin/nologin
rpc /sbin/nologin
nfsnobody /sbin/nologin
webalizer /sbin/nologin
dovecot /sbin/nologin
squid /sbin/nologin
mailnull /sbin/nologin
hsqldb /sbin/nologin
named /sbin/nologin
avahi-autoipd /sbin/nologin

5.2 Check the Group members

Only root should be the member of root group, no other users should be the member of root group

Check the /etc/group and /etc/gshadow file for the group information

Proper group/owner permissions for the application need to be maintained

6. Auditing

6.1 Enabling the Auditd Service.

chkconfig --level 345 auditd on

7. Login Banner to be used

Add a banner as per your company policy

Edit /etc/ssh/sshd_config and set Banner /etc/ssh/sshd.banner

8. SSH Server Settings.

8.1 sshd must be present and configured according to your company accepted practices

Set the following environment variables to be accepted by sshd:

LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES LC_IDENTIFICATION LC_ALL LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

Display the above mentioned warning banner

Require password-based authentication at a minimum

Do not permit empty passwords

Do not permit root login (PermitRootLogin no)

Configure sshd to bind to 22/tcp for incoming connections

Configure sshd to bind to a different port for incoming connections

Require shell login with RSA Key.

Require minimum version 2 of the ssh protocol

Enable X11 forwarding

The SyslogFacility must be set to AUTHPRIV when logging messages from sshd.

Configure the file transfer subsystem to be /usr/libexec/openssh/sftp-server

Use PAM for authentication

8.2 Configuration as per the details in 8.1

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

AcceptEnv LC_IDENTIFICATION LC_ALL

Banner /etc/ssh/sshd.banner

PasswordAuthentication yes

PermitEmptyPasswords no

PermitRootLogin no

Port 22

Protocol 2

RSAAuthentication yes

X11Forwarding  yes

SyslogFacility AUTHPRIV

Subsystem  sftp   /usr/libexec/openssh/sftp-server

UsePAM  yes
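
A check of an sshd_config file against the fixed-value requirements of 8.1, as an added example that is not part of the original post. The function names and the sample file are constructed for illustration; the check relies on sshd keeping the first value it reads for each keyword, so a correct line placed after a wrong one has no effect.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the section 8.1 requirements.

# Constructed sample (not from a real host): the directives of 8.2 with
# root login left enabled, so the audit has something to report.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample
Banner /etc/ssh/sshd.banner
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
Port 22
Protocol 2
X11Forwarding  yes
SyslogFacility AUTHPRIV
Subsystem  sftp   /usr/libexec/openssh/sftp-server
UsePAM  yes
EOF
}

# audit_sshd_config FILE
# Prints one sorted "FAIL ..." line per deviation and returns 1 if any
# were found, 0 if the file is clean, 2 if the file cannot be read.
# Assumes the usual "Keyword value" layout (no "Keyword=value" lines).
audit_sshd_config() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    findings=$(awk '
        BEGIN {
            # lower-cased keyword -> value required by section 8.1
            want["permitrootlogin"]      = "no"
            want["permitemptypasswords"] = "no"
            want["protocol"]             = "2"
            want["syslogfacility"]       = "authpriv"
            want["usepam"]               = "yes"
            want["banner"]               = "/etc/ssh/sshd.banner"
        }
        /^[ \t]*#/ { next }              # comment lines
        NF < 2     { next }              # blank or value-less lines
        {
            key = tolower($1)            # keywords are case-insensitive
            if (key in seen) next        # sshd uses the FIRST value only
            seen[key] = 1
            got[key] = (key == "banner") ? $2 : tolower($2)
        }
        END {
            for (k in want) {
                if (!(k in got))
                    printf "FAIL %s not set (want %s)\n", k, want[k]
                else if (got[k] != want[k])
                    printf "FAIL %s=%s (want %s)\n", k, got[k], want[k]
            }
        }' "$1" | sort)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Demo on the constructed sample.
demo=$(mktemp)
sample_sshd_config > "$demo"
audit_sshd_config "$demo" || true
rm -f "$demo"
```

Run it against /etc/ssh/sshd_config as root after editing and before restarting sshd; a keyword that is absent is reported because the guide wants it set explicitly.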

8.3 Remove Network applications that compromise servers

wget (Remove wget package, rpm -e wget)

nmap (Remove nmap package, rpm -e nmap)

finger (Remove finger package, rpm -e finger)

rlogin, rsh, rcp (Remove rsh package, rpm -e rsh)

remove all email clients

ftp (Remove ftp package, rpm -e ftp)

9. Set User Identity(SUID) and Set Group Identity (SGID) Permission Adjustment

SUID programs (particularly those that are SUID root) are frequent targets of attack. By disabling unnecessary SUID programs, it is more difficult for system users to obtain unauthorized privilege

SGID programs (particularly those that are SGID root) are frequent targets of attack. By disabling unnecessary SGID programs, it is more difficult for system users to obtain unauthorized privilege

The following programs’ SUID permissions may remain enabled and others as required

/usr/sbin/rhnsd

/usr/sbin/rhn-profile-sync

/usr/sbin/rhn_register

/usr/sbin/rhn_check

/usr/sbin/rhnreg_ks

/usr/bin/passwd

/usr/bin/curl

/bin/ping

/bin/su

/usr/bin/sudo

/usr/bin/sudoedit

All other SUID permissions must be disabled.

All SGID permissions must be disabled.

chmod u-s,g-s <filename> can be used to disable the permissions
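
One way to find what still needs chmod u-s,g-s, as an added example that is not part of the original post: it lists every SUID file that is not on the list above and every SGID file. The function names and the sample tree are constructed; ROOT may be / or a mounted image, and paths are compared relative to it.

```shell
#!/bin/sh
# Added example: report SUID files outside the section 9 allowlist and
# all SGID files (the guide allows none).

# SUID allowlist copied from the list in section 9, one path per line.
SUID_ALLOW='/usr/sbin/rhnsd
/usr/sbin/rhn-profile-sync
/usr/sbin/rhn_register
/usr/sbin/rhn_check
/usr/sbin/rhnreg_ks
/usr/bin/passwd
/usr/bin/curl
/bin/ping
/bin/su
/usr/bin/sudo
/usr/bin/sudoedit'

# list_unexpected_setid ROOT
# Prints sorted "SUID <path>" / "SGID <path>" lines, with <path> relative
# to ROOT so that a chroot or mounted image can be audited as well.
list_unexpected_setid() {
    root=${1%/}                      # "/" becomes "", paths stay absolute
    {
        find "${root:-/}" -xdev -type f -perm -4000 -print 2>/dev/null |
        while IFS= read -r f; do
            rel=${f#"$root"}
            # exact, whole-line match against the allowlist
            printf '%s\n' "$SUID_ALLOW" | grep -Fxq -- "$rel" ||
                printf 'SUID %s\n' "$rel"
        done
        find "${root:-/}" -xdev -type f -perm -2000 -print 2>/dev/null |
        while IFS= read -r f; do
            rel=${f#"$root"}
            printf 'SGID %s\n' "$rel"
        done
    } | sort
}

# Constructed sample tree: one allowlisted SUID file and one that is not.
build_sample_tree() {
    mkdir -p "$1/usr/bin" "$1/opt"
    : > "$1/usr/bin/passwd"          # on the allowlist
    : > "$1/opt/helper"              # not on the allowlist
    chmod 4755 "$1/usr/bin/passwd" "$1/opt/helper"
}

# Demo on the constructed tree.
tree=$(mktemp -d)
build_sample_tree "$tree" && list_unexpected_setid "$tree"
rm -rf "$tree"
```

On a live system run list_unexpected_setid / as root; -xdev keeps find on one filesystem, so repeat the call for each separately mounted filesystem.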

10. Host-based Intrusion Detection System (HIDS) Solution

All production servers must have some form of host intrusion detection agent installed. This ensures that monitoring is in place for file integrity, system configuration, application activity and rootkit detection, and that alerts are reported. Examples are tripwire, aide or another open source product.

Tools that can be used: amtu and aide

Abstract Machine Test Utility – amtu

Memory, network, disk, cpu security tests

Can be run as cron job to repeatedly assure basic security assumptions

Results sent to audit system

Aide – File Integrity testing utility

Configured by /etc/aide.conf

--init snapshots the filesystem to /var/lib/aide/aide.db.new.gz

Copy snapshot to immutable or safe location

Rename snapshot to /var/lib/aide/aide.db.gz before doing comparison

--check compares the current state with the snapshot for differences; a summary is sent to the audit system

11. Setup Routing

Routing must be configured according to the approved detail design document and accepted practices. IP forwarding must be disabled.

12. Concord Configuration

Simple Network Management Protocol (SNMP) daemon community strings must be configured according to the detailed design document

13. Remove Ctrl+Alt+Delete Trap

Remove the CTRL-ALT-DELETE trap out of /etc/inittab by commenting out the following line:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

14. Disable Interactive Boot

Remove Interactive boot by changing the line in /etc/sysconfig/init

PROMPT=no

15. Sysctl Parameter tuning

Modify the IPv4 settings to improve security and protect against denial of service attacks by hard-coding them in /etc/sysctl.conf. The following changes must be made

net.ipv4.ip_forward=0

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.lo.accept_source_route = 0

net.ipv4.conf.eth0.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.lo.rp_filter = 1

net.ipv4.conf.eth0.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.lo.accept_redirects = 0

net.ipv4.conf.eth0.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.log_martians = 0

net.ipv4.conf.lo.log_martians = 0

net.ipv4.conf.eth0.log_martians = 0

kernel.sysrq = 0

net.ipv4.tcp_fin_timeout = 15

net.ipv4.tcp_keepalive_time = 1800

net.ipv4.tcp_window_scaling = 0

net.ipv4.tcp_sack = 0

net.ipv4.tcp_timestamps = 0

net.ipv4.tcp_syncookies = 1

net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.icmp_ignore_bogus_error_responses = 1

net.ipv4.conf.all.log_martians = 1

net.ipv4.tcp_max_syn_backlog = 1024

net.ipv4.ip_local_port_range = 16384 65535
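
The list above assigns net.ipv4.conf.all.log_martians twice with different values, and settings in /etc/sysctl.conf are applied in file order, so the later line is the one that takes effect. The check below is an added example, not part of the original post; the function names and the sample excerpt are constructed.

```shell
#!/bin/sh
# Added example: find sysctl keys that are assigned more than once with
# different values and show which value ends up in effect.

# Constructed excerpt: a few lines from the list above, including both
# assignments of net.ipv4.conf.all.log_martians.
sample_sysctl_conf() {
    cat <<'EOF'
# constructed excerpt of /etc/sysctl.conf
net.ipv4.ip_forward=0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
EOF
}

# sysctl_conflicts FILE
# Prints "<key> first=<v1> effective=<vN>" for every key whose repeated
# assignments disagree; repeats with the same value are not reported.
sysctl_conflicts() {
    awk '
        /^[ \t]*[#;]/ { next }           # comment lines
        !/=/          { next }           # blank lines, lines without "="
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t]+/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (!(key in first)) first[key] = val
            else if (last[key] != val) conflict[key] = 1
            last[key] = val              # the last assignment takes effect
        }
        END {
            for (k in conflict)
                printf "%s first=%s effective=%s\n", k, first[k], last[k]
        }' "$1" | sort
}

# Demo on the constructed excerpt.
conf=$(mktemp)
sample_sysctl_conf > "$conf"
sysctl_conflicts "$conf"
rm -f "$conf"
```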

16. Network Service Access Control

/etc/hosts.allow and /etc/hosts.deny must be configured according to the current NSA approved list of hosts which are allowed to use local network services (as decided by the tcpd service) and/or the ssh daemon (the sshd service).

17. Apache Server Hardening Doc

17.1 Apache Banner Linux Distribution Disclosure

Edit /etc/httpd/conf/httpd.conf Change the ServerTokens OS to ServerTokens Prod

17.2 HTTP server type and version revealed

Edit /etc/httpd/conf/httpd.conf Change ServerSignature On to ServerSignature Off

17.3 Disable TRACE – a telnet to port 80 shows whether TRACE is enabled or not.

If it is enabled, add the following lines to httpd.conf to disable TRACE

<Directory />
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</Directory>

17.4 SSL Medium Strength Cipher Suites Supported

Edit /etc/httpd/conf.d/ssl.conf. Set the line SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Confirm by typing the following line in the console: openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP (make sure OpenSSL is installed)

18. Configure Iptables.

18.1 Block all the traffic by default and create a white list traffic.

IPTABLES

To flush all the rules in all the tables and chains of iptables.

#iptables -F

#iptables -t nat -F

#iptables -t mangle -F

#iptables -t raw -F

By default every chain policy is ACCEPT. If a chain's policy has been changed and that is not required, it can be set back to ACCEPT as shown below.

#iptables -P OUTPUT ACCEPT

#iptables -t nat -P PREROUTING ACCEPT

#iptables -t nat -P POSTROUTING ACCEPT

#iptables -t mangle -P POSTROUTING ACCEPT

#iptables -t mangle -P PREROUTING ACCEPT

#iptables -t mangle -P FORWARD ACCEPT

Set the default policy to DROP to drop all connections to the system

Drops all the packets entering the local system from the network

iptables -P INPUT DROP

Drops all the packets passing (routed) through the system. This is applicable if the system is configured as a firewall.

iptables -P FORWARD DROP

I am creating a chain called whitelist; all the whitelist rules will be added to this chain.

#iptables -N whitelist

This links the whitelist chain from the INPUT chain, so all the rules in the whitelist chain apply to packets entering the INPUT chain. These rules are to be configured on the end server and not on the router. (For a router the rules should be put into the FORWARD chain as well.) The Log and Limit chains are created further down with iptables -N; iptables rejects a jump to a chain that does not exist yet, so create them before adding the last two rules.

#iptables -A INPUT -j whitelist

#iptables -A INPUT -j Log

#iptables -A INPUT -j Limit

As all packets to the system are dropped by default, we are going to implement a stateful inspection firewall.

The rule below allows all packets that belong to established and related connections. All other types of connections are dropped (e.g. new, invalid, etc.)

#iptables -A whitelist -m state --state ESTABLISHED,RELATED -j ACCEPT

Here we are going to allow new connections only to the required services that are to be accessed over the network/internet.

To allow connections to the HTTP protocol (change the port numbers if they are customized)

#iptables -A whitelist -p tcp -m state --state NEW -d <destination ip/usually the server ip> --dport 80 -j ACCEPT

#iptables -A whitelist -p tcp -m state --state NEW -d <destination ip/usually the server ip> --dport 8080 -j ACCEPT

To allow connections to the HTTPS protocol (change the port numbers if they are customized)

#iptables -A whitelist -p tcp -m state --state NEW -d <destination ip/usually the server ip> --dport 443 -j ACCEPT

OR

We can even add one rule to allow multiple ports

#iptables -A whitelist -p tcp -m comment --comment "To allow HTTP, HTTPS access" -m multiport --destination-ports 80,8080,443 -j ACCEPT

To allow access to the SSH server.

#iptables -A whitelist -p tcp -m state --state NEW -d <destip/serverip> --dport 22 -j ACCEPT

Note: The same type of rules can be configured to provide access to other services that are running

To provide access to services that are using loopback interface

#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT

To provide access to multicast addresses if needed from the LAN

#iptables -A whitelist -m iprange --dst-range 224.0.0.0-239.255.255.255 -j ACCEPT

To log all the bad packets, I am creating a separate chain called Log and linking it to the built-in chains later. All the bad packets can then be seen in /var/log/messages.

#iptables -N Log

#iptables -A Log -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Bad packets"

Log Nmap Scans

#iptables -N Antihacker_log

Null-scan

#iptables -A Antihacker_log -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "Null Scan Detected"

Xmas-scan

#iptables -A Antihacker_log -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS Scan Detected"

Syn fin-scan

#iptables -A Antihacker_log -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "SYNFIN-Scan Detected "

nmap-xmas-scan

#iptables -A Antihacker_log -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "NMAP-XMAS-SCAN Detected"

fin-scan

#iptables -A Antihacker_log -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "FIN-SCAN detected"

Link the user-defined chain to the built-in chain

#iptables -A INPUT -j Antihacker_log

#iptables -N Limit

This limits ping packets to a burst of 4 at 1 per second, with a packet size in the range 84 to 102

#iptables -A Limit -p icmp --icmp-type echo-reply -m comment --comment "limit 4 echoreply to the server" -m limit --limit 1/s --limit-burst 4 -m length --length 84:102 -j ACCEPT

#iptables -A Limit -p icmp --icmp-type echo-request -m comment --comment "limit 4 echorequest to the server" -m limit --limit 1/s --limit-burst 4 -m length --length 84:102 -j ACCEPT

19. Selinux Configuration for securing files and services

# Edit /etc/sysconfig/selinux

Make the changes as shown below

SELINUX=enforcing  (will enable SELinux)

SELINUXTYPE=targeted (this provides security to the daemons and the processes that are running. Under the targeted policy, interactive processes are given the type unconfined_t, so interactive users are not constrained by SELinux even if they attempt to take strange or malicious actions.)

Can stop attacks before they become complete system breaches

Alternate is yum install selinux-policy-strict (the specified package has to be installed)

SELINUXTYPE=strict ( full protection for all daemons, Security contexts are defined for all subjects and objects, and every single action is processed by the policy enforcement server)

Or

# setenforce 1 ( Modifies in real-time the mode Selinux is running. Here selinux is put into enforcing mode)

20. Password policies

20.1 Enabling Password History

Enabling password history prevents users from reusing their old passwords. Procedure for maintaining a password history

#touch /etc/security/opasswd

#chown root:root /etc/security/opasswd

#chmod 600 /etc/security/opasswd

This opasswd file will maintain the password history

password sufficient pam_unix.so md5 remember=12 use_authtok

This entry should be added to /etc/pam.d/system-auth file

20.2 Password Complexity

The line specified below should be added to the /etc/pam.d/system-auth file.

password required pam_cracklib.so retry=3 minlen=10 difok=2 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-2

Here the minimum password length is 10 characters (some passwords can be 8 characters too) with 1 lowercase, 1 uppercase, 1 digit and 2 special characters. pam_cracklib treats a negative credit value as the minimum number of characters of that class; a positive value only grants length credit and does not require the class.

Note: Any misconfiguration in the system-auth file will lock out all users, including the root user. (This can be fixed by running the authconfig command from single user mode.)

20.3 Lock account after certain number of failed login attempts

Configuration Follows below

auth        required      pam_env.so

auth        required      pam_tally.so onerr=fail deny=3 unlock_time=60

The above line has to be added to the /etc/pam.d/system-auth file

# faillog -u <username> will display the number of failed login attempts.

# faillog -r -u <username> will reset the counter for the specified user and unlock the account

The pam_tally.so line configures account lockout after 3 failed login attempts. The account will be locked for 1 minute

All the Best 🙂

Troubleshooting Nagios/Nrpe Issues


Troubleshooting NRPE (Nagios Remote Plugin Executor) Client

Nagios Server communicates with nrpe via SSL. So, all the communication is encrypted.

Common Errors while configuring NRPE

1. CHECK_NRPE: Error - Could not complete SSL handshake

Solution: 

This error message could be due to several problems:

1. SSL is disabled. Make sure both the NRPE daemon and the check_nrpe plugin were compiled with SSL support (During ./configure)

2. Incorrect file permissions. Make sure the NRPE config file (nrpe.cfg) is readable by the user (i.e. nagios) that executes the NRPE binary from inetd/xinetd.

3. The command that the NRPE daemon was asked to run took longer than 10 seconds to execute. This is the most likely cause if the error message was “CHECK_NRPE: Socket timeout after 10 seconds”. Use the -t command line option to specify a longer timeout for the check_nrpe plugin. The following example will increase the timeout to 30 seconds:
/usr/local/nagios/libexec/check_nrpe -H localhost -c somecommand -t 30

4. The NRPE daemon is not installed or not running on the remote host. Verify that the NRPE daemon is running as a standalone daemon or under inetd/xinetd with one of the following commands:

# ps -ef | grep nrpe
# netstat -at | grep nrpe
5. There is a firewall that is blocking the communication between the monitoring host (which runs the check_nrpe plugin) and the remote host (which runs the NRPE daemon). Verify that the firewall rules (e.g. iptables) running on the remote host allow the communication, and make sure there isn’t a physical firewall located between the monitoring host and the remote host.

6. There could be a network issue. Check ping on the remote IP address on which you are trying to connect

2. The check_nrpe plugin returns “CHECK_NRPE: Received 0 bytes from daemon”

Solution :

First thing you should do is check the remote server logs for an error message. Seriously. 🙂 This error could be due to the following problem:

1.  The check_nrpe plugin was unable to complete an SSL handshake with the NRPE daemon. An error message in the logs should indicate whether or not this was the case. Check the versions of OpenSSL that are installed on the monitoring host and remote host. If you’re running a commercial version of SSL on the remote host, there might be some compatibility problems.

3. The check_nrpe plugin returns “NRPE: Unable to read output”

Solution :

This error indicates that the command that was run by the NRPE daemon did not return any character output.  This could be an indication of the following problems:

1. An incorrectly defined command line in the command definition. Verify that the command definition in your NRPE configuration file is correct.

2. The plugin that is specified in the command line is malfunctioning. Run the command line manually to make sure the plugin returns some kind of text output.

3. There could be a file permission issue. You need to grant read and execute privileges to the user that runs the nrpe daemon (this can be found in your nrpe config file).

For example : Your plugins are located under /usr/local/nagios/libexec/check_*

You can do this with

# chmod ug+rx /usr/local/nagios/libexec/check_*

# chown  nagios:nagios /usr/local/nagios

# chown -R nagios:nagios /usr/local/nagios/libexec

4. Check /var/log/messages for any errors related to the hosts.allow/hosts.deny files. A permission issue with these files will also result in the above error

4. Unable to read output  due to Sudo Issues in CentOS when configuring an nrpe plugin with sudo:

[root@system ~]# /usr/lib/nagios/plugins/check_nrpe -H 3.3.3.3 -c check_dns

NRPE: Unable to read output

Given that check_dns is defined as follows, in nrpe.conf:

command[check_dns]=sudo /usr/local/nagios/libexec/check_dns

Solution :

You should also add the corresponding /etc/sudoers line as follows:

nagios ALL=(ALL) NOPASSWD:/usr/local/nagios/libexec/check_dns

Then the problem is the requiretty option in /etc/sudoers, which is enabled by default on CentOS. Simply comment it out as follows:

#Defaults requiretty

Now the plugin should work as expected:

[root@system ~]# /usr/lib/nagios/plugins/check_nrpe -H 3.3.3.3 -c check_dns

DNS Ok

5. NRPE Daemon not shown when checked with netstat -ta

Solution :

Add a line to your /etc/services file as follows (modify the port number as you see fit)

nrpe 5666/tcp # NRPE

6. ERROR: Could not fetch information from server

The most logical first step is to re-verify the Nagios server config file.  Check to make sure DNS resolution is correct.  Second, take a look at the NSC.log on the client system.  In my case, I saw:

2009-03-30 10:52:23: error:.\NSClientListener.cpp:307: Unauthorized access from: 192.168.1.25

Well, that could definitely be a problem.  The allowed_hosts line of:

Edit the nsc.ini file and add the line below

allowed_hosts=192.168.1.25/32

Sometimes you have added the server IP address to the allowed_hosts directive, but the connection still fails even though the local firewall allows it. This may be due to a block at another firewall, or your Nagios server may be reaching the client network through a load balancer, in which case the client sees the load balancer IP, which is not allowed in the allowed_hosts directive in nsc.ini. Check the nsclient.log or nsc.log file to see what the issue is, and add the IP once you have verified it is a trusted IP address. You should be all set.

Nagios Client Nsclient++ Installation (Applies for Windows Clients)


1.0 Nagios Client Nsclient++

NSClient++ is an open source windows service that allows performance metrics to be gathered by Nagios for windows services. 

 1.1. Overview

Following three steps will happen on a very high level when Nagios (installed on the nagios-server) monitors a service (for e.g. disk space usage) on the remote Windows host.

  •       Nagios will execute check_nt command on nagios-server and request it to monitor disk usage on remote windows host.
  •       The check_nt on the nagios-server will contact the NSClient++ service on remote windows host and request it to execute the USEDDISKSPACE on the remote host.
  •       The results of the USEDDISKSPACE command will be returned back by NSClient++ daemon to the check_nt on nagios-server.

Following flow summarizes the above explanation:

Nagios Server (check_nt) ----> Remote host (NSClient++) ----> USEDDISKSPACE

Nagios Server (check_nt) <---- Remote host (NSClient++) <---- USEDDISKSPACE (returns disk space usage)

1.2. Setup nagios on remote windows host

1.2.1. Install NSClient++ on the remote windows server

Download NSclient++ from NSClient++ Project.

Once you download the Nsclient++, Click on the msi file to start installation

Go through the following 5 NSClient++ installation steps to get the installation completed.

(1) NSClient++ Welcome Screen

(2) License Agreement Screen


(3) Select Installation option and location. Use the default option and click next.

(4) Specify  the Allowed IP list, this will be the nagios server ip from which connection should be allowed

(5) Ready to Install Screen. Click on Install to get it started.

(6) Installation completed Screen. 

 1.2.2 Modify the NSClient++ Service

Go to Control Panel -> Administrative Tools -> Services. Double click on the “NSClient++” service and select the check-box that says “Allow service to interact with desktop”.

1.2.3 Start the NSClient++ Service

Start the NSClient++ service either from Control Panel -> Administrative Tools -> Services -> select “NSClient++” and click on Start, or click on Start -> All Programs -> NSClient++ -> Start NSClient++. Please note that this will start NSClient++ as a Windows service.

Later, if you modify anything in the NSC.ini file, you should restart “NSClient++” from the Windows services.

1.2.4 Whitelist the Nsclient++ Service in the Windows Firewall

1.3. Configuration steps on Nagios Server

1.3.1. Verify check_nt command and windows-server template

Verify that the check_nt is enabled under

/usr/local/nagios/etc/objects/commands.cfg

# ‘check_nt’ command definition

define command{

command_name    check_nt

command_line    $USER1$/check_nt -H $HOSTADDRESS$ -p 12489 -v $ARG1$ $ARG2$

}
Verify that the windows-server template is enabled under /usr/local/nagios/etc/objects/templates.cfg

# Windows host definition template – This is NOT a real host, just a template!

define host{

name                    windows-server  ; The name of this host template

use                     generic-host    ; Inherit default values from the generic-host template

check_period            24x7            ; By default, Windows servers are monitored round the clock

check_interval          5               ; Actively check the server every 5 minutes

retry_interval          1               ; Schedule host check retries at 1 minute intervals

max_check_attempts      10              ; Check each server 10 times (max)

check_command           check-host-alive        ; Default command to check if servers are “alive”

notification_period     24x7            ; Send notification out at any time – day or night

notification_interval   30              ; Resend notifications every 30 minutes

notification_options    d,r             ; Only send notifications for specific host states

contact_groups          admins          ; Notifications get sent to the admins by default

hostgroups              windows-servers ; Host groups that Windows servers should be a member of

register                0               ; DONT REGISTER THIS – ITS JUST A TEMPLATE

}

1.3.2. Uncomment windows.cfg in /usr/local/nagios/etc/nagios.cfg

# Definitions for monitoring a Windows machine

cfg_file=/usr/local/nagios/etc/objects/windows.cfg

1.3.3. Modify /usr/local/nagios/etc/objects/windows.cfg

By default a sample host definition for a windows server is given under windows.cfg, modify this to reflect the appropriate windows server that needs to be monitored through nagios.

# Define a host for the Windows machine we’ll be monitoring

# Change the host_name, alias, and address to fit your situation

define host{

use             windows-server              ; Inherit default values from a template

host_name   remote-windows-host      ; The name we’re giving to this host

alias            Remote Windows Host     ; A longer name associated with the host

address       192.168.1.4                   ; IP address of the remote windows host

}

1.3.4. Define windows services that should be monitored.

Following are the default windows services that are already enabled in the sample windows.cfg. Make sure to update the host_name on these services to reflect the host_name defined in the above step.

define service{

use                     generic-service

host_name               remote-windows-host

service_description     NSClient++ Version

check_command           check_nt!CLIENTVERSION

}

define service{

use                     generic-service

host_name               remote-windows-host

service_description     Uptime

check_command           check_nt!UPTIME

}

define service{

use                     generic-service

host_name               remote-windows-host

service_description     CPU Load

check_command           check_nt!CPULOAD!-l 5,80,90

}

define service{

use                     generic-service

host_name               remote-windows-host

service_description     Memory Usage

check_command           check_nt!MEMUSE!-w 80 -c 90

}

define service{

use                     generic-service

host_name               remote-windows-host

service_description     C:\ Drive Space

check_command           check_nt!USEDDISKSPACE!-l c -w 80 -c 90

}

1.3.5. Verify Configuration and Restart Nagios.

Verify the nagios configuration files as shown below.

[nagios-server]# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

Total Warnings: 0

Total Errors:   0

Things look okay – No serious problems were detected during the pre-flight check
Restart nagios as shown below.

[nagios-server]# /etc/rc.d/init.d/nagios stop

Stopping nagios: .done.

[nagios-server]# /etc/rc.d/init.d/nagios start

Starting nagios: done.
Verify the status of the various services running on the remote windows host from the Nagios web

Disk increase with parted in CentOS 5.5 (Physical Disk)


Steps to Increase Disk Size with Parted with Sectors as an unit

 

Here we start increasing the partition size with the parted tool (BE CAUTIOUS, CHANGES TAKE PLACE IMMEDIATELY)

 

In this case, we have a physical disk capacity of 177GB, but only 80GB of it is in use, managed via LVM. The steps below show how to allocate the remaining 96 GB to the /var partition.

 

[root@system~]# parted /dev/sda

GNU Parted 1.8.1

Using /dev/sda

Welcome to GNU Parted! Type ‘help’ to view a list of commands.

(parted) print

 

Disk /dev/sda: 177GB

Sector size (logical/physical): 512B/512B

Partition Table: msdos

 

Number  Start   End     Size    Type     File system  Flags

1      32.8kB  107MB   107MB   primary  ext3

2      107MB   80.5GB  80.4GB  primary               lvm

 

(parted) u s                                                        ( Changing the Default Unit to Sectors)

(parted) print

 

Disk /dev/sda: 346030079s

Sector size (logical/physical): 512B/512B

Partition Table: msdos

 

Number  Start    End         Size        Type     File system  Flags

1      64s      208895s     208832s     primary  ext3

2      208896s  157276349s  157067454s  primary               lvm

 

(parted) rm 2                                     ( Here we delete the partition so that it can be recreated with the new size. We were asked to grow the second partition, so that is the one we delete.)

(parted) print

 

Disk /dev/sda: 346030079s

Sector size (logical/physical): 512B/512B

Partition Table: msdos

 

Number  Start  End         Size          Type       File system  Flags

1                64s    208895s 208832s  primary  ext3

 

(parted) mkpart primary 208896s 346030079s      ( Here we recreate the second partition that was deleted in the previous step. We pass the partition type, the starting sector and the ending sector. The starting sector is the sector right after the end of the previous partition: partition 1 ends at 208895s, so the new partition starts at 208896s. The ending sector is the last sector available on this disk, which can be found on the Disk line of the print output.)

 

(parted) print

 

Disk /dev/sda: 346030079s

Sector size (logical/physical): 512B/512B

Partition Table: msdos

 

Number  Start    End         Size        Type     File system  Flags

1      64s      208895s     208832s     primary  ext3

2      208896s  346030079s  345821184s  primary

 

(parted) toggle 2 lvm                                     ( This commands set this partition to be of LVM Type)

(parted) print

 

Disk /dev/sda: 346030079s

Sector size (logical/physical): 512B/512B

Partition Table: msdos

 

Number  Start    End         Size        Type     File system  Flags

1      64s      208895s     208832s     primary  ext3

2      208896s  346030079s  345821184s  primary               lvm

 

(parted) quit                                      ( Exit from Parted)

Information: Don’t forget to update /etc/fstab, if necessary.

 

[root@system~]# fdisk -l

 

Disk /dev/sda: 177.1 GB, 177167400960 bytes

255 heads, 63 sectors/track, 21539 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

 

  Device Boot      Start         End      Blocks   Id  System

/dev/sda1               1          14      104416   83  Linux

Partition 1 does not end on cylinder boundary.

/dev/sda2              14       21540   172910592   8e  Linux LVM

 

[root@system~]# echo 1 > /sys/block/sda/device/rescan   ( To rescan the changes done on block device)

[root@system~]# reboot             (Please reboot the box to make changes take effect)

 

[root@system~]# fdisk -l

 

Disk /dev/sda: 177.1 GB, 177167400960 bytes

255 heads, 63 sectors/track, 21539 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

 

   Device Boot      Start         End      Blocks   Id  System

/dev/sda1               1          14      104416   83  Linux

Partition 1 does not end on cylinder boundary.

/dev/sda2              14       21540   172910592   8e  Linux LVM

 

[root@system~]# pvscan

  PV /dev/sda2   VG VG_00   lvm2 [74.88 GB / 0    free]

  Total: 1 [74.88 GB] / in use: 1 [74.88 GB] / in no VG: 0 [0   ]

 

[root@system~]# pvresize /dev/sda2   ( Increase the Physical Volume. Prior to this step we need to reboot the OS)

  Physical volume “/dev/sda2” changed

  1 physical volume(s) resized / 0 physical volume(s) not resized

 

[root@system~]# pvscan

  PV /dev/sda2   VG VG_00   lvm2 [164.88 GB / 90.00 GB free]

  Total: 1 [164.88 GB] / in use: 1 [164.88 GB] / in no VG: 0 [0   ]

 

[root@system~]# lvscan

  ACTIVE            ‘/dev/VG_00/LV_root’ [10.00 GB] inherit

  ACTIVE            ‘/dev/VG_00/LV_opt’ [28.03 GB] inherit

  ACTIVE            ‘/dev/VG_00/LV_tmp’ [2.00 GB] inherit

  ACTIVE            ‘/dev/VG_00/LV_var’ [29.03 GB] inherit

  ACTIVE            ‘/dev/VG_00/LV_swap’ [5.81 GB] inherit

 

[root@system~]# lvextend -l +100%FREE /dev/VG_00/LV_var    (Extend the requested partition with the new size. In this case it is /var)

  Extending logical volume LV_var to 119.03 GB

  Logical volume LV_var successfully resized

 

[root@system~]# lvscan

  ACTIVE            ‘/dev/VG_00/LV_root’ [10.00 GB] inherit

  ACTIVE            ‘/dev/VG_00/LV_opt’ [28.03 GB] inherit

  ACTIVE            ‘/dev/VG_00/LV_tmp’ [2.00 GB] inherit

  ACTIVE            ‘/dev/VG_00/LV_var’ [119.03 GB] inherit

  ACTIVE            ‘/dev/VG_00/LV_swap’ [5.81 GB] inherit

 

[root@system~]# resize2fs /dev/VG_00/LV_var                   (Resize the filesystem)

resize2fs 1.39 (29-May-2006)

Filesystem at /dev/VG_00/LV_var is mounted on /var; on-line resizing required

Performing an on-line resize of /dev/VG_00/LV_var to 31203328 (4k) blocks.

The filesystem on /dev/VG_00/LV_var is now 31203328 blocks long.

 

 [root@system~]# df -h

Filesystem            Size  Used Avail Use% Mounted on

/dev/mapper/VG_00-LV_root

                      9.7G  3.6G  5.7G  39% /

/dev/mapper/VG_00-LV_opt

                       28G 1008M   25G   4% /opt

/dev/mapper/VG_00-LV_tmp

                      2.0G  418M  1.5G  23% /tmp

/dev/mapper/VG_00-LV_var

                      116G   23G   88G  21% /var

/dev/sda1              99M   26M   69M  28% /boot

tmpfs                 2.0G     0  2.0G   0% /dev/shm

 

 You should be ALL SET 🙂

 

Nagios Client Installation


3.0 Nagios Client Configuration (Linux Clients)

3.1 Now configure NRPE for clients:

Log in to the Linux box that should be added to monitoring and start installing NRPE.

# groupadd nagios

# useradd -g nagios nagios

# mkdir /home/nagios/downloads

# cd /home/nagios/downloads

3.2 Download nagios-plugins and NRPE for clients

#  wget  http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.14.tar.gz

# wget http://prdownloads.sourceforge.net/sourceforge/nagios/nrpe-2.12.tar.gz

Before installing the nagios plugins, do a pre-check:

#rpm -qa gcc

#rpm -qa openssl-devel

If the packages are installed we are good to continue else please install the below packages

#yum install gcc

#yum install openssl-devel

3.3 Install and configure nagios plugin

# tar zxvf  nagios-plugins-1.4.14.tar.gz

#  cd nagios-plugins-1.4.14

#  ./configure --with-nagios-user=nagios --with-nagios-group=nagios

#  make

#  make install

# chown  nagios:nagios /usr/local/nagios

# chown -R nagios:nagios /usr/local/nagios/libexec

# yum install xinetd

3.4 Install and configure NRPE daemon

# cd /home/nagios/downloads

# tar zxvf nrpe-2.12.tar.gz

# cd nrpe-2.12

#  ./configure --enable-ssl

# make all

# make install-plugin

# make install-daemon

# make install-daemon-config

#  make install-xinetd

3.5 Edit nrpe under xinetd and add following

# vi /etc/xinetd.d/nrpe

only_from = 127.0.0.1 <Nagios Server IP>

The same IP should also be defined in /usr/local/nagios/etc/nrpe.cfg

allowed_hosts=127.0.0.1,<Nagios Server IP>

3.5.1 Add entry for nrpe in /etc/services

 vi /etc/services

nrpe                 5666/tcp                      #nrpe

3.5.2 Start or Reload the Xinetd Daemon

# service xinetd start      (or "service xinetd reload" if it is already running)

# chkconfig --level 345 xinetd on

3.5.3 Test NRPE Daemon Install

# /usr/local/nagios/libexec/check_nrpe -H localhost  (From Client)

NRPE v2.12

# /usr/local/nagios/libexec/check_nrpe -H <ip address of monitored box> (from server to client IP)

NRPE v2.12

3.5.4 Adding Rules to Iptables to open port on 5666/tcp on client

# iptables -A INPUT -p tcp -m state --state NEW --dport 5666 -j ACCEPT

# /etc/init.d/iptables save      (to make the change permanent)

Now communication has been established between Server and Client. 🙂
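The rule in 3.5.4 accepts 5666/tcp from any address, leaving xinetd's only_from to decide who may query NRPE. The following added example (not part of the original post; the function names, file names and the 192.0.2.10 server address are assumptions) audits the three settings against each other, using constructed sample files.

```bash
#!/bin/sh
# Added example: checks that the NRPE access controls from sections 3.5 and
# 3.5.4 agree on who may reach 5666/tcp. Function names, file names and the
# 192.0.2.10 server address are assumptions made for this illustration.

# cfg_values FILE KEY -> every value of "KEY = a b" / "KEY=a,b", one per line.
cfg_values() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k)
            if (k != key) next
            gsub(/,/, " ", v)                     # nrpe.cfg separates with commas
            n = split(v, part, " ")
            for (i = 1; i <= n; i++) print part[i]
        }' "$1"
}

# check_list LABEL SERVER VALUES -> findings for one allow-list.
check_list() {
    if [ -z "$3" ]; then
        echo "$1: no allow-list found, any host may query NRPE"
        return 0
    fi
    for h in $3; do
        case $h in
            127.0.0.1|"$2") ;;
            *) echo "$1: unexpected entry $h" ;;
        esac
    done
    if ! printf '%s\n' "$3" | grep -qxF "$2"; then
        echo "$1: Nagios server $2 is not listed"
    fi
    return 0
}

# check_firewall RULES_FILE SERVER -> findings for ACCEPT rules on port 5666,
# read in iptables-save format (what "/etc/init.d/iptables save" writes).
check_firewall() {
    grep -e '--dport 5666 ' -e '--dport 5666$' "$1" | grep -e '-j ACCEPT' |
    while IFS= read -r rule; do
        src=$(printf '%s\n' "$rule" | sed -n 's/.* -s \([^ ]*\) .*/\1/p')
        src=${src%/32}
        if [ -z "$src" ]; then
            echo "iptables: 5666/tcp is accepted from any source"
        elif [ "$src" != "$2" ]; then
            echo "iptables: 5666/tcp is accepted from unexpected source $src"
        fi
    done
    return 0
}

# nrpe_audit XINETD_FILE NRPE_CFG RULES_FILE SERVER_IP -> all findings.
nrpe_audit() {
    # only_from is what xinetd enforces; the sample nrpe.cfg notes that
    # allowed_hosts is ignored under inetd/xinetd, but both are kept in step.
    check_list "xinetd only_from" "$4" "$(cfg_values "$1" only_from)"
    check_list "nrpe.cfg allowed_hosts" "$4" "$(cfg_values "$2" allowed_hosts)"
    check_firewall "$3" "$4"
}

# Constructed sample files mirroring the settings in 3.5 and 3.5.4.
make_samples() {
    mkdir -p "$1"
    printf 'service nrpe\n{\n    only_from = 127.0.0.1 192.0.2.10\n}\n' > "$1/xinetd-nrpe"
    printf 'allowed_hosts=127.0.0.1,192.0.2.10\n' > "$1/nrpe.cfg"
    # The rule from 3.5.4 as iptables-save stores it: no source address.
    printf '%s\n' '-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT' > "$1/rules-open"
    # The same rule limited to the Nagios server with -s.
    printf '%s\n' '-A INPUT -s 192.0.2.10 -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT' > "$1/rules-scoped"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "rule as written in 3.5.4:"
nrpe_audit "$demo_dir/xinetd-nrpe" "$demo_dir/nrpe.cfg" "$demo_dir/rules-open" 192.0.2.10
echo "rule scoped with -s:"
nrpe_audit "$demo_dir/xinetd-nrpe" "$demo_dir/nrpe.cfg" "$demo_dir/rules-scoped" 192.0.2.10
rm -rf "$demo_dir"
```

On a real client the three inputs would be /etc/xinetd.d/nrpe, /usr/local/nagios/etc/nrpe.cfg and /etc/sysconfig/iptables.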

3.6 Configuration to be done on the Nagios Server for client to be Monitored

Here I have created a template called linux-box-remote.cfg

  1. /usr/local/nagios/etc/nagios.cfg   Main configuration file
  2. /usr/local/nagios/etc/cgi.cfg         This is the file where we do configuration changes.
  3. /usr/local/nagios/etc/objects directory will be having server scripts.
  4. add the linux-box-remote.cfg line into nagios.cfg once the file is filled with below entries.

3.6.1 linux-box-remote.cfg contains

define host{

name                  linux-box-remote             ; Name of this template

use                     generic-host          ; Inherit default values

check_period          24x7

check_interval        5

retry_interval        1

max_check_attempts    10

check_command         check-host-alive

notification_period   24x7

notification_interval 30

notification_options  d,r

contact_groups        admins

register              0          ; DONT REGISTER THIS – ITS A TEMPLATE

}

define host{

use       linux-box-remote     ; Inherit default values from a template

host_name <Hostname>    ; The name we’re giving to this server

alias     Centos5 ; A longer name for the server

address   <ip address> ; IP address of the server

}

define service{

use                 generic-service

host_name           <hostname>

service_description CPU Load

check_command       check_nrpe!check_load

}

define service{

use                 generic-service

host_name           <hostname>

service_description Current Users

check_command       check_nrpe!check_users

}

define service{

use                 generic-service

host_name            <hostname>

service_description /dev/hda1 Free Space

check_command       check_nrpe!check_hda1

}

define service{

use                 generic-service

host_name            <hostname>

service_description Total Processes

check_command       check_nrpe!check_total_procs

}

define service{

use                 generic-service

host_name            <hostname>

service_description Zombie Processes

check_command       check_nrpe!check_zombie_procs

}

3.6.2 Save the template and add the line into nagios.cfg

# vi /usr/local/nagios/etc/nagios.cfg

cfg_file=/usr/local/nagios/etc/objects/linux-box-remote.cfg

3.6.3 Now verify the configuration file

# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

 If configuration is good, nagios page will display the configured host

Nagios Server Installation


1.0 Installing and Configuring Nagios Server

1.1  Nagios Requirement

  •       Apache
  •       Gcc Compiler
  •       GD development libraries
  •       User  and Group nagios
  •       nagcmd group
  •       Openssl-devel
  •       xinetd

1.2 User and Group

# useradd  nagios

# groupadd nagcmd

#  usermod -a -G nagcmd nagios

# usermod -a -G nagcmd apache

# chown -R nagios:nagios /home/nagios

1.3 Installing Apache

# yum install httpd

# yum install php

# yum install mod_ssl

1.4 Installing GCC

# yum install gcc  (This also installs glibc and glibc-common)

1.5 Installing GD Tools

# yum install gd gd-devel

1.6 Installing Openssl

# yum install openssl-devel

1.7 Installing xinetd if not already installed

# rpm -qa xinetd   (verifies whether xinetd is already installed; if the command doesn’t return anything, we need to install it)

# yum install xinetd

2.0 Download  Nagios  and plugins on Nagios Server

# mkdir /home/nagios/downloads

# cd /home/nagios/downloads

# wget http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.2.0.tar.gz

# wget  http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.14.tar.gz

2.1 Installing the Nagios Package

# tar zxvf nagios-3.2.0.tar.gz

# cd nagios-3.2.0

# ./configure --with-command-group=nagcmd

# make all

#  make install

# make install-init

# make install-config

# make install-commandmode

# make install-webconf

2.2 Now create nagiosadmin account for logging into nagios through web.

# htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

2.3 Compile and Install the Nagios Plugins

# cd /home/nagios/downloads

# tar zxvf nagios-plugins-1.4.14.tar.gz

# cd nagios-plugins-1.4.14

# ./configure --with-nagios-user=nagios --with-nagios-group=nagios

# make

# make install

2.4 Configuring Nagios to Start at Bootup

# chkconfig --add nagios

# chkconfig --level 345 nagios on

2.5 Editing Contacts in Contacts.cfg

# vi /usr/local/nagios/etc/objects/contacts.cfg  ( Change the e-mail address)

define contact{

contact_name       nagiosadmin             ; Short name of user

use                             generic-contact         ; Inherit default values from generic-contact template (defined above)

alias                           Nagios Admin            ; Full name of user

email                          <Email ID>      ; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS ******

}

2.6 Customizing the Subject Line in Nagios Alerts

# vi /usr/local/nagios/etc/objects/commands.cfg (change the subject format, the text after /bin/mail -s)

notify-host-by-email /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /bin/mail -s "NAG_$HOSTALIAS$ is $HOSTSTATE$" $CONTACTEMAIL$
notify-service-by-email /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$" | /bin/mail -s "NAG_$HOSTALIAS$_$SERVICEDESC$ is $SERVICESTATE$" $CONTACTEMAIL$

2.7 Verify nagios configuration for any errors

# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

If you don’t find any errors start nagios daemon

# service nagios start  or /etc/init.d/nagios start

2.8 Accessing the Login Page

Check the nagios URL in web browser and login with nagiosadmin.

http://servername/nagios (Example: http://nagiosserver/nagios)

Login using nagiosadmin user and its associated password.

2.9 Installing NRPE on Nagios server

NRPE is a client plugin that communicates with the server over port 5666. The Nagios server also requires the NRPE plugin.

# cd /home/nagios/downloads

# wget  http://prdownloads.sourceforge.net/sourceforge/nagios/nrpe-2.12.tar.gz

# tar zxvf nrpe-2.12.tar.gz

# cd nrpe-2.12

# ./configure --enable-ssl

# make all

# make install-plugin

# make install-daemon

# make install-daemon-config

# make install-xinetd

2.9.1 Edit /etc/services and add following

nrpe                       5666/tcp                               # NRPE

2.9.2 Edit  /etc/xinetd.d/nrpe and add nagios server IP or name

only_from = 127.0.0.1 <nagios_ip_address>

2.9.3 Restart xinetd and set to start at boot

# chkconfig --level 345 xinetd on

# service xinetd restart

2.9.4 Add the following in /usr/local/nagios/etc/objects/commands.cfg


##################################################################
# NRPE CHECK COMMAND
#
# Command to use NRPE to check remote host systems
##################################################################

define command{
        command_name check_nrpe
        command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
        }

2.9.5 Test NRPE daemon install and function:

# netstat -at | grep nrpe

tcp    0    0 *:nrpe    *.*    LISTEN

# /usr/local/nagios/libexec/check_nrpe -H localhost

NRPE v2.12

2.9.6 Now check for local host in nagios server url

You should be all set with your new Nagios Server 🙂

Disk resize with parted in Centos 5.5 (Virtual Machines)


Steps to Increase Disk Size with Parted with Sectors as an unit (Recommended on Virtual Machines)

See the Next Article to find steps to increase space on physical Disk

Below are the steps which should be followed to perform disk increase.

First increase the VMDK size on the virtual machine, then follow the steps below. In my case here, I am extending by +90GB and increasing the same at the OS level, adding it to the /var partition.

Here we start increasing the partition size with the parted tool (BE CAUTIOUS, CHANGES TAKE PLACE IMMEDIATELY)

Please take a look at this page too https://centostricks.wordpress.com/2012/05/01/disk-resize-steps-when-we-see-partitions-as-a-separate-disk-in-fdisk/

[root@personal ~]# parted /dev/sda

GNU Parted 1.8.1

Using /dev/sda

Welcome to GNU Parted! Type ‘help’ to view a list of commands.

(parted) print

Model: VMware Virtual disk (scsi)

Disk /dev/sda: 177GB

Sector size (logical/physical): 512B/512B

Partition Table: msdos

Number  Start   End     Size    Type     File system  Flags

1      32.8kB  107MB   107MB   primary  ext3

2      107MB   80.5GB  80.4GB  primary               lvm

(parted) u s                                                        ( Changing the Default Unit to Sectors)

(parted) print

Model: VMware Virtual disk (scsi)

Disk /dev/sda: 346030079s

Sector size (logical/physical): 512B/512B

Partition Table: msdos

Number  Start    End         Size        Type     File system  Flags

1      64s      208895s     208832s     primary  ext3

2      208896s  157276349s  157067454s  primary               lvm

(parted) rm 2                                     ( Here we delete the partition so that it can be recreated with the new size. We were asked to grow the second partition, so that is the one we delete first.)

(parted) print

Model: VMware Virtual disk (scsi)

Disk /dev/sda: 346030079s

Sector size (logical/physical): 512B/512B

Partition Table: msdos

Number  Start  End         Size          Type       File system  Flags

1                64s    208895s 208832s  primary  ext3

(parted) mkpart primary 208896s 346030079s      ( Here we recreate the second partition that was deleted in the previous step. We pass the partition type, the starting sector and the ending sector. The starting sector is the sector right after the end of the previous partition: partition 1 ends at 208895s, so the new partition starts at 208896s. The ending sector is the last sector available on this disk, which can be found on the Disk line of the print output.)

(parted) print

Model: VMware Virtual disk (scsi)

Disk /dev/sda: 346030079s

Sector size (logical/physical): 512B/512B

Partition Table: msdos

Number  Start    End         Size        Type     File system  Flags

1      64s      208895s     208832s     primary  ext3

2      208896s  346030079s  345821184s  primary

(parted) toggle 2 lvm                                     ( This commands set this partition to be of LVM Type)

(parted) print

Model: VMware Virtual disk (scsi)

Disk /dev/sda: 346030079s

Sector size (logical/physical): 512B/512B

Partition Table: msdos

Number  Start    End         Size        Type     File system  Flags

1      64s      208895s     208832s     primary  ext3

2      208896s  346030079s  345821184s  primary               lvm

(parted) quit                                              ( Exit from Parted)

Information: Don’t forget to update /etc/fstab, if necessary.

[root@personal ~]# fdisk -l

Disk /dev/sda: 177.1 GB, 177167400960 bytes

255 heads, 63 sectors/track, 21539 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start         End      Blocks   Id  System

/dev/sda1               1          14      104416   83  Linux

Partition 1 does not end on cylinder boundary.

/dev/sda2              14       21540   172910592   8e  Linux LVM

[root@personal ~]# echo 1 > /sys/block/sda/device/rescan   ( To rescan the changes done on block device)

[root@personal ~]#

[root@personal ~]# reboot    ( To make changes take effect)

[root@personal ~]# fdisk -l

Disk /dev/sda: 177.1 GB, 177167400960 bytes

255 heads, 63 sectors/track, 21539 cylinders

Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start         End      Blocks   Id  System

/dev/sda1               1          14      104416   83  Linux

Partition 1 does not end on cylinder boundary.

/dev/sda2              14       21540   172910592   8e  Linux LVM

[root@personal ~]# pvscan

PV /dev/sda2   VG VG_00   lvm2 [74.88 GB / 0    free]

Total: 1 [74.88 GB] / in use: 1 [74.88 GB] / in no VG: 0 [0   ]

[root@personal ~]# pvresize /dev/sda2   ( Increase the Physical Volume. Prior to this step we need to reboot the OS)

Physical volume “/dev/sda2” changed

1 physical volume(s) resized / 0 physical volume(s) not resized

[root@personal ~]# pvscan

PV /dev/sda2   VG VG_00   lvm2 [164.88 GB / 90.00 GB free]

Total: 1 [164.88 GB] / in use: 1 [164.88 GB] / in no VG: 0 [0   ]

[root@personal ~]# vgscan

Reading all physical volumes.  This may take a while…

Found volume group “VG_00” using metadata type lvm2

[root@personal ~]# vgdisplay “VG_00”

— Volume group —

VG Name               VG_00

System ID

Format                lvm2

Metadata Areas        1

Metadata Sequence No  20

VG Access             read/write

VG Status             resizable

MAXLV                0

CurLV                5

OpenLV               5

Max PV                0

Cur PV                1

Act PV                1

VG Size               164.88 GB

PE Size               32.00 MB

Total PE              5276

AllocPE/ Size       2396 / 74.88 GB

  Free  PE / Size       2880 / 90.00 GB

VG UUID               KWCu75-D0E1-lmAm-AAiq-t6vA-ISuh-93ISaF

[root@personal ~]# lvscan

ACTIVE            ‘/dev/VG_00/LV_root’ [10.00 GB] inherit

ACTIVE            ‘/dev/VG_00/LV_opt’ [28.03 GB] inherit

ACTIVE            ‘/dev/VG_00/LV_tmp’ [2.00 GB] inherit

ACTIVE            ‘/dev/VG_00/LV_var’ [29.03 GB] inherit

ACTIVE            ‘/dev/VG_00/LV_swap’ [5.81 GB] inherit

[root@personal ~]# lvextend -l +100%FREE /dev/VG_00/LV_var    (Extend the requested partition with the new size. In this case it is /var)

Extending logical volume LV_var to 119.03 GB

Logical volume LV_var successfully resized

[root@personal ~]#

[root@personal ~]#

[root@personal ~]# lvscan

ACTIVE            ‘/dev/VG_00/LV_root’ [10.00 GB] inherit

ACTIVE            ‘/dev/VG_00/LV_opt’ [28.03 GB] inherit

ACTIVE            ‘/dev/VG_00/LV_tmp’ [2.00 GB] inherit

ACTIVE            ‘/dev/VG_00/LV_var’ [119.03 GB] inherit

ACTIVE            ‘/dev/VG_00/LV_swap’ [5.81 GB] inherit

[root@personal ~]# resize2fs /dev/VG_00/LV_var          (Resize the filesystem)

resize2fs 1.39 (29-May-2006)

Filesystem at /dev/VG_00/LV_var is mounted on /var; on-line resizing required

Performing an on-line resize of /dev/VG_00/LV_var to 31203328 (4k) blocks.

The filesystem on /dev/VG_00/LV_var is now 31203328 blocks long.

[root@personal ~]#

[root@personal ~]#

[root@personal ~]#

[root@personal ~]# df -h

Filesystem            Size  Used Avail Use% Mounted on

/dev/mapper/VG_00-LV_root

9.7G  3.6G  5.7G  39% /

/dev/mapper/VG_00-LV_opt

28G 1008M   25G   4% /opt

/dev/mapper/VG_00-LV_tmp

2.0G  418M  1.5G  23% /tmp

/dev/mapper/VG_00-LV_var

116G   23G   88G  21% /var

/dev/sda1              99M   26M   69M  28% /boot

tmpfs                 2.0G     0  2.0G   0% /dev/shm

You should be ALL SET 🙂

In some cases, you need to extend the extended partition to allocate space to a logical partition. In that case, you need to resize the extended partition first and then resize the logical partition.

Please follow the step below to resize the extended partition whose partition number is 4

(parted) resize 4 <start sector> <end sector>  (The end sector will be the last sector of the hard disk, as seen on the Disk line of the parted tool)

Now all the other steps you followed to recreate the primary partition have to be applied to the last available logical partition in parted. Thanks.
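Both parted walkthroughs (physical disk and virtual machine) delete partition 2 and recreate it, which keeps the LVM data only because the new partition starts on the same sector as the old one. The following added example (not part of the original posts; function names are assumptions) derives the mkpart line from the saved "unit s" print output and checks the result afterwards, using the tables from this article as constructed input.

```bash
#!/bin/sh
# Added example: sanity checks around the "rm 2" / "mkpart" step. Function
# names are assumptions; the sample tables are the "unit s" print output from
# this article, embedded as constructed input.

# part_field FILE NUM start|end|last -> one column of partition NUM.
part_field() {
    awk -v num="$2" -v want="$3" '
        $1 == num && $2 ~ /^[0-9]+s$/ {
            if (want == "start")    print substr($2, 1, length($2) - 1)
            else if (want == "end") print substr($3, 1, length($3) - 1)
            else                    print $NF      # "lvm" when the flag is set
        }' "$1"
}

# disk_last_sector FILE -> the value on the "Disk /dev/sdX: NNNs" line. The
# article's parted 1.8.1 session uses this value as the last usable sector;
# on other parted versions compare it with the byte size from "fdisk -l".
disk_last_sector() {
    sed -n 's/^Disk [^:]*: \([0-9][0-9]*\)s$/\1/p' "$1"
}

# plan_grow FILE NUM -> the mkpart line that regrows partition NUM in place,
# or a refusal on stderr (exit 1) when recreating it would not be safe.
plan_grow() {
    start=$(part_field "$1" "$2" start)
    end=$(part_field "$1" "$2" end)
    last=$(disk_last_sector "$1")
    if [ -z "$start" ] || [ -z "$last" ]; then
        echo "partition $2 or Disk line not found (is the unit set to sectors?)" >&2
        return 1
    fi
    # Any partition that starts after this one blocks the growth.
    blocker=$(awk -v s="$start" '$2 ~ /^[0-9]+s$/ && ($2 + 0) > (s + 0) { print $1; exit }' "$1")
    if [ -n "$blocker" ]; then
        echo "partition $blocker lies after partition $2; cannot grow in place" >&2
        return 1
    fi
    if [ "$end" -ge "$last" ]; then
        echo "partition $2 already ends at the last sector" >&2
        return 1
    fi
    echo "mkpart primary ${start}s ${last}s"
}

# verify_recreated BEFORE AFTER NUM -> "ok", or one line per problem.
verify_recreated() {
    bad=0
    b_end=$(part_field "$1" "$3" end); a_end=$(part_field "$2" "$3" end)
    if [ "$(part_field "$1" "$3" start)" != "$(part_field "$2" "$3" start)" ]; then
        echo "start sector changed: LVM will not find the existing physical volume"; bad=1
    fi
    if [ "${a_end:-0}" -le "${b_end:-0}" ]; then
        echo "end sector did not grow"; bad=1
    fi
    if [ "$(part_field "$2" "$3" last)" != "lvm" ]; then
        echo "lvm flag missing: run 'toggle $3 lvm'"; bad=1
    fi
    [ "$bad" -eq 0 ] && echo "ok"
    return 0
}

# Constructed input: the three states of the table shown in the article.
write_tables() {
    mkdir -p "$1"
    disk='Disk /dev/sda: 346030079s'
    row1=' 1      64s      208895s     208832s     primary  ext3'
    printf '%s\n' "$disk" "$row1" ' 2      208896s  157276349s  157067454s  primary               lvm' > "$1/before"
    printf '%s\n' "$disk" "$row1" ' 2      208896s  346030079s  345821184s  primary' > "$1/recreated"
    printf '%s\n' "$disk" "$row1" ' 2      208896s  346030079s  345821184s  primary               lvm' > "$1/after"
}

demo_dir=$(mktemp -d)
write_tables "$demo_dir"
plan_grow "$demo_dir/before" 2
verify_recreated "$demo_dir/before" "$demo_dir/recreated" 2
verify_recreated "$demo_dir/before" "$demo_dir/after" 2
rm -rf "$demo_dir"
```

Saving the output of print (with the unit set to sectors) to a file before running rm gives both functions their input and a record of the original start sector.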