Archive for April, 2010

Linux: How to configure logrotate for ModSecurity (source install)

Monday, April 26th, 2010

Problem: When you install ModSecurity from source, logrotate will not rotate its log files by default, because the path of those log files is not defined in any logrotate configuration file. If you want logrotate to rotate your ModSecurity log files, here are the steps:

1. Create a file named modsecurity under /etc/logrotate.d

cd /etc/logrotate.d/
touch modsecurity

2. Copy and paste the lines below into it

# Below is my ModSecurity log file (/opt/modsecurity/var/log/audit.log)

/opt/modsecurity/var/log/audit.log {
    missingok
    notifempty
    postrotate
        ## Graceful restart of the apache daemon so it reopens the new log file
        /usr/local/apache/bin/apachectl graceful > /dev/null 2>/dev/null || true
    endscript
}

Now you can force a rotation by executing the command below (note that -f with /etc/logrotate.conf forces every log configured through that file to rotate, not only the ModSecurity one):

logrotate -f /etc/logrotate.conf

Linux: How to create multiple OpenVPN instances

Monday, April 26th, 2010

Problem:
How to configure OpenVPN to run multiple instances and listen on two or more ports (1194, 1195)?
Solution:
You need two or more OpenVPN configuration files, for example openvpn.conf and openvpn1.conf.

Each file needs its own port, server IP range, ifconfig-pool-persist file, and log file.

For openvpn.conf :

port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
log         openvpn.log
log-append  openvpn.log

For openvpn1.conf :

 
port 1195
proto tcp
dev tun
server 192.168.1.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/config2/ipp.txt
log         /etc/openvpn/config2/openvpn.log
log-append  /etc/openvpn/config2/openvpn.log

Now start the OpenVPN daemon with each of the two config files separately:

shell> openvpn --config /etc/openvpn/openvpn.conf &
shell> openvpn --config /etc/openvpn/openvpn1.conf &

Or add these two lines to /etc/rc.local so that both instances start automatically when the machine reboots.

The ifconfig output will now show two tunnel interfaces, like this:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
 
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.1.1  P-t-P:192.168.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
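To check that a set of instance configs really keeps the port, subnet, pool file and log separate (the point of the post), here is an added shell script that is not part of the original post. The two config files it writes are constructed samples modelled on the ones above; the relative paths in the first are kept on purpose so the check has something to flag.

```shell
#!/bin/sh
# Added example (not from the post): check that several OpenVPN instance
# configs are really independent. The configs are constructed samples.
TMP=$(mktemp -d)
cat > "$TMP/openvpn.conf" <<'EOF'
port 1194
proto tcp
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
log-append openvpn.log
EOF
cat > "$TMP/openvpn1.conf" <<'EOF'
port 1195
proto tcp
server 192.168.1.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/config2/ipp.txt
log-append /etc/openvpn/config2/openvpn.log
EOF
# Print "<value> <file>" for one directive from each config. For "port" the
# value is "port/proto" (default udp): one port on tcp and on udp is legal.
ovpn_field() {
  key=$1; shift
  for f in "$@"; do
    awk -v k="$key" -v f="$f" '$1==k {v=$2} $1=="proto" {pr=$2}
      END {if (v!="") {val = (k=="port" ? v "/" (pr=="" ? "udp" : pr) : v); print val, f}}' "$f"
  done
}
# Print "<directive> <value>: <files>" for any value used by two configs.
ovpn_dupes() {
  ovpn_field "$@" | awk -v k="$1" '{files[$1]=files[$1] " " $2; n[$1]++}
    END {for (v in n) if (n[v] > 1) print k, v ":" files[v]}'
}

# Return 0 when every instance has its own port, subnet, pool file and log,
# else print each clash and return 1. A relative pool or log path resolves
# against the daemon's cwd, so two daemons started there would share it.
ovpn_check() {
  rc=0
  for key in port server ifconfig-pool-persist log log-append; do
    out=$(ovpn_dupes "$key" "$@")
    [ -n "$out" ] && { echo "shared $out"; rc=1; }
  done
  for f in "$@"; do
    awk -v f="$f" '$1 ~ /^(ifconfig-pool-persist|log|log-append)$/ &&
      $2 !~ /^\// {print "relative path in " f ": " $0}' "$f"
  done | grep . && rc=1
  return $rc
}
ovpn_check "$TMP/openvpn.conf" "$TMP/openvpn1.conf" || echo "fix the clashes above first"
```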

Nagios script to monitor memory usage

Friday, April 23rd, 2010

Purpose:
###########################################
Develop a Nagios script which monitors Linux memory usage.
###########################################

This script checks the following:
#############################################
#1. Whether free memory has dropped below the defined thresholds : Status: Done
#2. Whether the system is using swap memory : Status: Done
##############################################

#!/bin/bash

#Version 1.0
#######################################
#Nagios script to check memory status##
#Commands : free -m, vmstat ###########
#######################################


#Exit codes understood by nagios

STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4

#Free memory thresholds in MB
WARN_MB=350
CRIT_MB=325


#Define all the variables for commands

declare -rx SCRIPT=${0##*/}
declare -rx CMD_AWK="/bin/awk"
declare -rx CMD_CAT="/bin/cat"
declare -rx CMD_FREE="/usr/bin/free"
declare -rx CMD_VMSTAT="/usr/bin/vmstat"
declare -rx CMD_GREP="/bin/grep"

#####Section 1.1 :Defining function for free memory checking########
#Free memory (buffers and cache excluded) is column 4 of the########
#"-/+ buffers/cache:" line printed by procps free -m################
##########################################

function FUNC_FREE_CMD
{

MEM_STATUS=$( $CMD_FREE -m | $CMD_GREP buffers/cache | $CMD_AWK '{print $4}')

#Newer procps versions drop that line; report UNKNOWN rather than
#comparing an empty string below
if ! [[ "$MEM_STATUS" =~ ^[0-9]+$ ]]
then
echo "UNKNOWN,Could not read free memory from $CMD_FREE output"
exit $STATE_UNKNOWN
fi


########Checking if current free memory is critical or normal ######

if [ "$MEM_STATUS" -le "$CRIT_MB" ]
then

echo "Critical,Memory Level: $MEM_STATUS|Memory_level=$MEM_STATUS;$WARN_MB;$CRIT_MB;0"
exit $STATE_CRITICAL
fi

if [ "$MEM_STATUS" -le "$WARN_MB" ]
then

echo "Warnings,Memory Level: $MEM_STATUS|Memory_level=$MEM_STATUS;$WARN_MB;$CRIT_MB;0"
exit $STATE_WARNING

else
echo "Memory Seems Ok,Free Memory is: $MEM_STATUS|Memory_level=$MEM_STATUS;$WARN_MB;$CRIT_MB;0"
fi

}

#####Section 2.1 Defining function for checking swap usage###########
#### Commands: free -m | grep Swap | awk '{print $3}'###############
###################################################################

function FUNC_FREE_SWAP_CMD
{

SWAP_STATUS=$( $CMD_FREE -m | $CMD_GREP Swap | $CMD_AWK '{print $3}')

if [ "${SWAP_STATUS:-0}" -ne 0 ]
then
echo "System is using swap:$SWAP_STATUS MB"
echo "Checking how much the system is swapping in and out with vmstat"

fi

}

######Section 3.1, Defining function to check how much is swapped in and out over 5 samples####
#####Commands : vmstat 3 5 (columns 7 and 8 are si/so, KB swapped in/out per second)
###############################################################################################

function FUNC_VMSTAT_CMD
{

#Keep only the numeric sample lines, then average si and so over them
$CMD_VMSTAT 3 5 | $CMD_GREP "^[ ]*[0-9]" | $CMD_AWK '{si+=$7; so+=$8; n++} END{if (n>0) printf("Average swap in: %.1f KB/s, swap out: %.1f KB/s\n", si/n, so/n)}'

}


#############Section 4.1 calling all functions###############
###Function from section 1.1:To calculate free memory##############
###Function from section 2.1:To calculate swap usage ###############
###Function from section 3.1:To average swap in/out ###############
FUNC_FREE_CMD
FUNC_FREE_SWAP_CMD
FUNC_VMSTAT_CMD
exit $STATE_OK

Configure NRPE (Nagios) to listen on a different port

Thursday, April 15th, 2010

Purpose: Sometimes an ISP or VPS provider blocks port 5666, or for some other reason you want NRPE to listen on a different port, for example 15666. Follow the steps below:

On the remote host (linux-vps):

1. Change the port number in /etc/xinetd.d/nrpe

# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
        flags           = REUSE
        socket_type     = stream
        port            = 15666
        wait            = no
        user            = nagios
        group           = nagios
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 127.0.0.1 ip.of.nagios.server
}

2. Change the port number in /etc/services (vi /etc/services)

nrpe            15666/tcp                        # NRPE

3. Change the port number in /usr/local/nagios/etc/nrpe.cfg

server_port=15666

4. Restart the NRPE daemon: service xinetd restart
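As an added example (not part of the original post), a small shell check that the xinetd entry, /etc/services and nrpe.cfg all declare the same port, and that only_from is still set. The three input files are constructed samples, and 192.0.2.10 stands in for the Nagios server address.

```shell
#!/bin/sh
# Added example (not from the post): verify the three files edited on the
# remote host agree on the NRPE port. Inputs below are constructed samples.
TMP=$(mktemp -d)
cat > "$TMP/xinetd_nrpe" <<'EOF'
service nrpe
{
        socket_type     = stream
        port            = 15666
        user            = nagios
        server          = /usr/local/nagios/bin/nrpe
        only_from       = 127.0.0.1 192.0.2.10
}
EOF
printf 'ssh     22/tcp\nnrpe    15666/tcp   # NRPE\n' > "$TMP/services"
printf 'server_port=15666\nallowed_hosts=127.0.0.1,192.0.2.10\n' > "$TMP/nrpe.cfg"

# Port each file declares for nrpe (prints nothing if the file is silent).
nrpe_port_xinetd()   { awk -F= '$1 ~ /^[ \t]*port[ \t]*$/ {gsub(/[ \t]/, "", $2); print $2}' "$1"; }
nrpe_port_services() { awk '$1 == "nrpe" {sub(/\/tcp$/, "", $2); print $2}' "$1"; }
nrpe_port_cfg()      { awk -F= '$1 == "server_port" {print $2}' "$1"; }

# Print the agreed port and return 0 when all three match; otherwise print
# the three values and return 1. Drift between these files is the usual
# reason the Nagios side gets "Connection refused" after a port change.
nrpe_port_check() {  # $1 xinetd service file, $2 /etc/services, $3 nrpe.cfg
  x=$(nrpe_port_xinetd "$1"); s=$(nrpe_port_services "$2"); c=$(nrpe_port_cfg "$3")
  if [ -n "$x" ] && [ "$x" = "$s" ] && [ "$x" = "$c" ]; then
    echo "$x"; return 0
  fi
  echo "port mismatch: xinetd=$x services=$s nrpe.cfg=$c" >&2
  return 1
}

# Return 0 if the xinetd entry restricts callers with only_from; without it
# any host that can reach the port can run the configured nrpe commands.
nrpe_only_from_set() { grep -q '^[[:space:]]*only_from[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"; }

nrpe_port_check "$TMP/xinetd_nrpe" "$TMP/services" "$TMP/nrpe.cfg"
nrpe_only_from_set "$TMP/xinetd_nrpe" || echo "warning: no only_from restriction" >&2
```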

On the server (nagiosserver):
Purpose: For example, I have more than 10 Linux servers. 9 of them listen on port 5666, but one of them listens on port 15666. So I need to create a separate command for the Nagios server to connect to that NRPE client on the different port.

1. Create a command in the commands.cfg file (/usr/local/nagios/etc/objects/commands.cfg)

#This is slightly modified from the check_nrpe command,
#because the VPS company blocked port 5666,
#so I had to configure the linuxvps server to listen on port 15666 and
#need a different command to connect to that port
 
define command{
command_name check_nrpe_vps
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -p 15666 -c $ARG1$
}

2. Now call this check_nrpe_vps command from the host definition file.
Example: the host definition file for linuxvps is linuxvps.cfg (/usr/local/nagios/etc/objects/linuxvps.cfg)

define service{
    use                 generic-service
    host_name           linuxvps
    service_description CPU Load
    check_command       check_nrpe_vps!check_load
}

3. Now include linuxvps.cfg from the nagios.cfg file

  cfg_file=/usr/local/nagios/etc/objects/linuxvps.cfg

4. Restart Nagios.
Now the Nagios server connects to the NRPE client on port 15666.

Cisco: Basic commands to set up a Cisco switch

Monday, April 12th, 2010

Privileged mode password:

enable , configure t, enable secret test

How to lock down the telnet (vty) ports:

enable, configure t , line vty 0 15 , login , password test

How to lock down the console port:

enable , configure t, line console 0 , login, password test

How to set a login banner

enable, configure t, banner motd ) , Please dont log on )

How to set up the hostname:

enable, configure t , hostname MasterSwitch

How to set up logging synchronous

enable, configure t, line console 0 , logging synchronous 
also
line vty 0 15 , logging synchronous

How to set up a timeout:

configure t, line console 0, exec-timeout 800 0

How to stop domain lookup :

configure t , no ip domain-lookup

How to set up an IP address on a VLAN interface:

configure t, interface vlan 1, ip address 192.168.1.10 255.255.255.0 , no shutdown

How to set up a default gateway

configure t , ip default-gateway 192.168.1.1

How to run a show command from anywhere (the do shortcut):

do show ip interface brief   (from any configuration mode)

How to view which ports are connected to what:

show cdp neighbors
show cdp neighbors detail

How to view the MAC address table:

show mac-address-table

How to save the config file

copy running-config startup-config

How to encrypt all the passwords:

configure terminal
service password-encryption

Linux: file and directory permissions

Thursday, April 8th, 2010

Octal permissions:

0 --- 000 All types of access are denied
1 --x 001 Execute access is allowed only
2 -w- 010 Write access is allowed only
3 -wx 011 Write and execute access are allowed
4 r-- 100 Read access is allowed only
5 r-x 101 Read and execute access are allowed
6 rw- 110 Read and write access are allowed
7 rwx 111 Everything is allowed