jh0n-fredy-h
7/22/2019 configuring centos and installing and configuring cacti monitoring system
With a MINIMAL INSTALLATION of CentOS in place, we now perform the basic configuration.
Let's start now :D
First of all we need to configure the TCP/IP stack for the interface eth1 with a static IP address. To do
this, edit the file named ifcfg-eth1 located in /etc/sysconfig/network-scripts/ and add the following lines.
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=none
IPADDR=192.168.180.3
PREFIX=24
PEERDNS=yes
DEFROUTE=yes
DNS1=8.8.8.8
DNS2=8.8.4.4
DOMAIN=lab.local
Then edit the file named network located in /etc/sysconfig/ with the following lines:
NETWORKING=yes
HOSTNAME=host name
GATEWAY=192.168.180.2
Issue the command service network restart to load the new configuration for the interface eth1.
Issue the command ifconfig eth1 to check that the change is in place.
Updating the installation and enhancing the minimal install with additional
administration and development tools
Issue the following commands from the terminal to update the system, that is, the kernel and new security
features, to name but a few:
yum -y update
reboot
After the reboot, issue the following commands from the terminal to install useful tools that can be used in the
future:
yum -y groupinstall "Base" "Development Libraries" "Development Tools"
reboot
Adding the GNOME desktop environment, changing the runlevel, and installing
additional software
Issue the following command to install the GNOME desktop environment:
yum groupinstall "Desktop" "X Window System" "Fonts" "Desktop Platform"
To specify the runlevel at which the GNOME desktop runs, edit the file inittab located in /etc/. A runlevel
is a preset operating state that determines which programs are executed at system startup.
# The desktop does not start when the system boots; with this setting you need to issue the command startx from the terminal to start the desktop environment
id:3:initdefault:
# The desktop environment starts at system startup (graphical mode)
id:5:initdefault:
Issue the following commands to install additional packages that improve the desktop
environment experience:
yum groupinstall "General Purpose Desktop" "Graphical Administration Tools"
reboot
Creating an administrative user and becoming root with the switch user
command
In this section we will create the administrative user for daily tasks and permit this user to
use the su command, also called the switch user command, in order to perform tasks that require
elevated privileges, such as installing a package.
useradd [USERNAME]
passwd [USERNAME]   # prompts for the new password
The next task is to modify the user's attributes and to add them to the wheel group like so:
usermod -a -G wheel [YOUR NEW USERNAME]
We need to ensure that the wheel module is activated in PAM, which provides a global method of
authenticating users across the system as a whole, without any individual program being required to
know which authentication system will be used.
To permit our user to use the su command, uncomment the following line in the file su
located in /etc/pam.d/. With pam_wheel active, only members of the wheel group may use su.
# uncomment to permit the su command to the user
auth required pam_wheel.so use_uid
Note: unlike sudo, which enables a user to execute a single command as root, su is a very powerful command
that enables the user to become any other user (including root).
The sudo command represents a flexible way of providing administrative powers without making a
specific user or user group an administrator. Of course, we know that sudo will allow you to disseminate
elevated privileges without revealing any details regarding the root user, and a sudo command-based
user can do most things, but not everything. They can assume some administrative powers, but they are
not an administrator in the fullest sense of the word.
To switch to the user root type su - and, if you want to become a user other than root, you
can use su - [USERNAME]
To find out which user you are, issue the command whoami
It is important to remember that su does not keep a record of what actions are completed when an
administrative user has become root. For these reasons you should reference your enquiries to
/var/log/messages.
Now we can launch our desktop environment with the command startx from the terminal as user
admin.
A useful command is tzselect; we can use it to specify the time zone for a specific user.
yum install tzdata
tzselect
To configure the time zone for a specific user, add the line generated by the
tzselect command output to the file .bash_profile located in /home/[USERNAME]/
Here is an example:
TZ='America/Bogota'; export TZ
To check the change, log out of the session and, after logging in again, issue the
following command from the terminal:
date
To check and change the time and date you can do the following.
Change the date by typing:
date --set="YYYYMMDD"
You can change the time by typing:
date +%T -s "HH:MM:SS"
Now, we can synchronize the hardware clock with the system time by typing:
hwclock --systohc
Now, we can confirm the status of the hardware clock with the following command:
hwclock --show
Likewise, we can view the current operating system date and time by typing the following command:
date
It is often a good idea to ensure that the correct time zone information is linked to your server's local time
settings:
rm /etc/localtime
ln -sf /usr/share/zoneinfo/XXX /etc/localtime
reboot
Synchronizing the system clock with NTP
Issue the command:
yum -y install ntp
To customize the ntp service, edit the file ntp.conf located in /etc/ and add and confirm a
network range so that we can determine who can and who cannot receive time service-based
requests.
server 192.168.1.1 iburst
logfile /var/log/ntpd.log
The iburst option tells the NTP service to issue a burst of eight packets to the
remote server instead of one, in order to offer an improved approach to the time synchronization
process.
If your network does not have an Internet connection or the Internet connection is intermittent, then a
fallback solution is often required. In such cases you can implement a process known as reflective
synchronization. Uncomment the following lines.
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
chkconfig ntpd on
service ntpd restart
reboot
ntpq -p # to check ntp association
To change the hostname of the server, do the following.
Edit the file network located in /etc/sysconfig/ and add the following line:
HOSTNAME=CENTOS-SERVER
Edit the file hosts located in /etc/ and add the following line:
192.168.180.3 CACTI-SERVER.lab.local CACTI-SERVER
To check, issue the following commands from the terminal:
hostname
hostname -f
hostname --fqdn
How to configure SSH
First of all we need to back up the SSH configuration file:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
vi /etc/ssh/sshd_config
In vi, add and/or modify the following lines:
Port 2202
# Authentication:
AllowUsers admin
LoginGraceTime 60
PermitRootLogin no
X11Forwarding no
#X11Forwarding yes
PrintMotd yes
PrintLastLog yes
ClientAliveInterval 60
ClientAliveCountMax 5
TCPKeepAlive yes
Save the file and edit the file motd located in /etc/ in order to configure the Message Of The Day
(MOTD) banner:
vi /etc/motd
Edit the iptables rules to permit the new port assigned to SSH (2202); to do this, edit the file
iptables located in /etc/sysconfig/
service iptables restart
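The sshd_config lines above only take effect if no earlier line in the file already sets the same keyword. The following check is an added example, not part of the original guide: it resolves a config the way sshd does (first value wins, Port and AllowUsers accumulate) and compares it with the guide's values. The two sample files and all function names are constructed for illustration.

```python
import re

# Hardening values taken from the guide's sshd_config lines (keywords are case-insensitive).
EXPECTED = {
    "port": "2202", "allowusers": "admin", "logingracetime": "60",
    "permitrootlogin": "no", "x11forwarding": "no",
    "clientaliveinterval": "60", "clientalivecountmax": "5",
}
# Keywords that may be given several times; sshd accumulates every occurrence.
ACCUMULATING = {"port", "allowusers"}


def effective_settings(text):
    """Resolve global-scope keywords the way sshd reads its config file."""
    single, multi = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # Match blocks are conditional; only the global section is audited
        if key in ACCUMULATING:
            multi.setdefault(key, []).extend(value.split())
        else:
            single.setdefault(key, value)  # first occurrence wins, later ones are ignored
    return single, multi


def audit(text):
    """Return [(keyword, effective_value, expected_value)] for every deviation."""
    single, multi = effective_settings(text)
    findings = []
    for key, want in EXPECTED.items():
        if key in ACCUMULATING:
            got = " ".join(multi.get(key, [])) or "(not set)"
        else:
            got = single.get(key, "(not set)")
        if got.lower() != want:
            findings.append((key, got, want))
    return findings


# Constructed sample: stock lines left active, guide lines appended at the bottom.
SAMPLE_APPENDED = """\
Port 22
PermitRootLogin yes
X11Forwarding yes
# --- lines added from the guide ---
Port 2202
AllowUsers admin
LoginGraceTime 60
PermitRootLogin no
X11Forwarding no
ClientAliveInterval 60
ClientAliveCountMax 5
"""

# Constructed sample: conflicting stock lines commented out before adding the guide lines.
SAMPLE_EDITED = """\
#Port 22
Port 2202
AllowUsers admin
LoginGraceTime 60
PermitRootLogin no
X11Forwarding no
#X11Forwarding yes
ClientAliveInterval 60
ClientAliveCountMax 5
"""

if __name__ == "__main__":
    for name, text in (("appended", SAMPLE_APPENDED), ("edited", SAMPLE_EDITED)):
        print(name, audit(text) or "matches the guide")
```

On a live host, `sshd -T` prints the effective configuration and can be compared against the same values.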
Using logrotate to manage logfiles
The logrotate utility is designed to simplify the administration of log files on a system which generates a
lot of log files. Logrotate allows for the automatic rotation, compression, removal and mailing of log files.
Logrotate can be set to handle a log file daily, weekly, monthly or when the log file gets to a certain size.
In order to configure logrotate we need to edit the file logrotate.conf located in /etc/ and add/modify
the following lines:
vi /etc/logrotate.conf
monthly
rotate 7
compress
size 500M
logrotate -vfd /etc/logrotate.conf
vi /etc/logrotate.d/ntp
/var/log/ntpd.log {
    missingok
    notifempty
    size 50M
    rotate 5
    weekly
    create 0600 root root
    postrotate
        /sbin/service ntpd restart
    endscript
}
logrotate -vfd /etc/logrotate.conf
# This option specifies that if there is no log file, no error or warning is issued.
missingok
# This option specifies not to rotate an empty log.
notifempty
# This option rotates the logs over 50M.
size 50M
# This option specifies the need to keep 5 log files at a time.
rotate 5
# This option rotates the logs weekly.
weekly
# This option sets the permissions for the newly created log files.
create 0600 root root
# This option specifies the need to restart the NTP service.
# You have two options: prerotate or postrotate.
postrotate
/sbin/service ntpd restart
endscript
Note
By using the previous command to test our settings we have implied the use of several flags:
v: Logrotate reports on what is happening and when it happens
f: Logrotate is asked to process the request regardless of the current cron status
d: Logrotate is asked to process the request without actually rotating them
Evaluating current memory usage with the free and top commands and clearing
the memory cache
To check the status of the server's memory you can use the utilities free and top.
Here is an example:
free -m
top
To release the memory cache you can issue the following commands from the terminal:
sync
echo 3 > /proc/sys/vm/drop_caches
Managing Packages with Yum
yum check-update
yum -y update
reboot
yum provides your_filename_here
These files are very useful, but over time they will accumulate in size to such an extent that you may find
that Yum is acting erratically or not as intended. The frequency of this happening can vary from system
to system but it generally implies that the Yum cache system requires your immediate attention.
In order to clean yum please issue the following commands.
yum clean packages
yum clean metadata
yum clean dbcache
yum clean all
yum makecache
Removing packages with YUM
You can use the following command
yum remove package_name
yum search keyword
yum info package_name
yum deplist package_name
yum list all
yum list all | less
yum list installed | less
Installing Yum Priorities to support additional repositories
To use other repositories, issue the following commands and edit the proper files.
yum install yum-plugin-priorities
Make sure that priorities is enabled; we can check this in the file priorities.conf located in
/etc/yum/pluginconf.d/
vi /etc/yum/pluginconf.d/priorities.conf
Then, add the directive priority=1 to the [base], [updates] and [extras] sections:
vi /etc/yum.repos.d/CentOS-Base.repo
[base]
priority=1
[updates]
priority=1
[extras]
priority=1
yum update
To add additional repositories (EPEL and REMI) we need the packages that install the repository
definitions:
yum install wget
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
Edit the following files and change them as shown below:
vi /etc/yum.repos.d/remi.repo
enabled=1
priority=10
vi /etc/yum.repos.d/epel.repo
enabled=1
priority=10
yum update
Protecting SSH with fail2ban
Fail2ban is designed to monitor users who repeatedly fail to log in correctly on your server and its main
purpose is to mitigate attacks designed to crack passwords and steal user credentials. It works by
continuously reading logfiles, and if a logfile contains a pattern indicating a number of failed attempts,
then it will proceed to act against the offending IP address.
Install fail2ban from terminal
yum install fail2ban
To configure it, copy jail.conf to jail.local and add/modify the following lines in the fail2ban configuration located in /etc/fail2ban/
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
ignoreip = 192.168.180.1/24
bantime = 3600
findtime = 900
maxretry = 5
logtarget = /var/log/fail2ban.log
chkconfig fail2ban on
service fail2ban start
The bantime value represents the total number of seconds a host will be blocked from accessing the server
if it is found to be in violation of the rules.
findtime is the designated period, in seconds, within which failed logins are counted: a host that reaches
the maximum number of failed attempts (maxretry) during that period is banned.
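How ignoreip, findtime, maxretry and bantime interact is easiest to see on log lines. The following is an added example, not fail2ban's own code: a simplified model of the counting rule using the values configured above, run over constructed sshd log lines. The year, host name, PIDs and source addresses are assumptions made for the sample.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Values from the guide's fail2ban settings.
IGNOREIP = ipaddress.ip_network("192.168.180.1/24", strict=False)
BANTIME, FINDTIME, MAXRETRY = 3600, 900, 5
YEAR = "2019"  # assumption: syslog timestamps carry no year

FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+"
)


def simulate(lines):
    """Return [(ip, banned_at, released_at)] for syslog-style sshd lines."""
    recent = {}        # ip -> datetimes of failures still inside findtime
    banned_until = {}  # ip -> datetime at which the ban expires
    bans = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        when = datetime.strptime(YEAR + " " + m.group(1), "%Y %b %d %H:%M:%S")
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # source logged as a host name; not handled in this model
        if ip in IGNOREIP:
            continue  # trusted range is never counted
        if ip in banned_until and when < banned_until[ip]:
            continue  # already banned; nothing more to count
        window = [t for t in recent.get(ip, [])
                  if (when - t).total_seconds() < FINDTIME]
        window.append(when)
        if len(window) >= MAXRETRY:
            release = when + timedelta(seconds=BANTIME)
            banned_until[ip] = release
            bans.append((str(ip), when.strftime("%H:%M:%S"),
                         release.strftime("%H:%M:%S")))
            window = []
        recent[ip] = window
    return bans


def failed_line(hms, ip):
    # Constructed log line in the usual sshd syslog layout.
    return (f"Jul 22 {hms} cacti-server sshd[1042]: Failed password for "
            f"invalid user test from {ip} port 40022 ssh2")


SAMPLE_LOG = (
    # six failures in one minute: reaches maxretry inside findtime
    [failed_line(f"10:00:{s:02d}", "203.0.113.5") for s in range(0, 60, 10)]
    # five failures spread over 16 minutes: the first has aged out of findtime
    + [failed_line(f"10:{m:02d}:00", "198.51.100.7") for m in range(0, 20, 4)]
    # six failures from inside the ignoreip range
    + [failed_line(f"10:30:{s:02d}", "192.168.180.50") for s in range(0, 60, 10)]
)

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```

Only the first address is banned: failures older than findtime drop out of the count, and addresses inside ignoreip are never counted, which is why that range should stay as narrow as the trusted hosts require.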
Running antivirus scans with ClamAV
Fast, free, and efficient, ClamAV is an open source antivirus engine that can be employed by CentOS to
detect trojans, viruses, and other malicious software, malware, or threats.
yum install clamd
chkconfig clamd on
service clamd start
freshclam
clamscan
clamscan --infected --remove --recursive /DIRECTORYNAME
/var/log/clamav/clamd.log
SELinux
Security-Enhanced Linux is a very robust security mechanism that is enabled by default. It is designed to
improve the security of your server, but on occasion you may be required to
disable it in order to install a new package or to speed up the process of server management.
SELinux has three possible states:
enforcing: Choose this value to determine that SELinux security policy is enforced. To set this
condition, type SELINUX=enforcing. This level enforces security and access policies around both
files and processes.
permissive: Choose this value to determine that SELinux prints warnings instead of enforcing. To
set this condition, type SELINUX=permissive. This level allows operations that would otherwise
be blocked by SELinux security policies. In this state SELinux will report messages to
/var/log/audit/audit.log indicating which operations would have been blocked. You should also
be aware that in this state the mechanism that labels files and processes according to SELinux
policies is still active.
disabled: Choose this value to determine that no SELinux policy is loaded. To set this condition,
type SELINUX=disabled. This level completely disables SELinux, thereby permitting all operations
and disabling logging and file/process labeling.
In order to disable SELinux, edit the file selinux located in /etc/sysconfig/ and add/modify the following
line:
SELINUX=disabled
reboot
To determine the current state of SELinux, we can issue the command:
getenforce
Note:
When SELinux is running, you can use the setenforce command. However, this will only affect the server
if you are switching between enforcing or permissive mode.
FTP with VSFTPD
In order to install FTP issue the command from the terminal.
yum install vsftpd
Edit the file vsftpd.conf located in /etc/vsftpd/ and add/modify the following lines:
vi /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
xferlog_std_format=NO
ascii_upload_enable=YES
ascii_download_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
idle_session_timeout=600
data_connection_timeout=120
# go to the bottom of the file and add the following lines
use_localtime=YES
# make sure that this folder exists
local_root=/home/admin/public_ftp
Next, add the users that will take part in the chroot process by creating the chroot_list file located in
/etc/vsftpd/
vi /etc/vsftpd/chroot_list
admin
chkconfig vsftpd on
service vsftpd start
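The chroot jail represents an essential security feature, and having done this, all users will be restricted
to accessing the files in their own home directory only. Note that when chroot_local_user=YES and
chroot_list_enable=YES are both set, vsftpd treats the users listed in chroot_list as exceptions that are
not placed in the chroot jail.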
yum install ncftp
ncftp -u admin localhost # in order to test the ftp server
Secure connection to VSFTP with SSL/TLS using OpenSSL encryption
We need to create the key pair and digital certificate, and configure VSFTPD to use TLS and to force
users to log in securely to the FTP service.
cd /etc/vsftpd/
# 1024-bit RSA is below current minimum key-size recommendations; rsa:2048 or larger is the usual choice today
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
chmod 600 vsftpd.pem
vi /etc/vsftpd/vsftpd.conf
# add these lines at the bottom of the file
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
service vsftpd restart
Now, with this done, we can test the connection with a client that supports secure FTP, such as
WinSCP.
Make sure that the port specified in the Port number: box is the same one used for SSH (2202).
Now we can see that the connection is secured.
Cacti
Cacti (cacti.net) is a network monitoring tool that graphs system and network information over time
(time-series data) and provides a comprehensive Web interface for browsing and examining the ongoing
performance of the devices on a network.
We can configure Cacti to monitor the network traffic passing through the network ports on local
servers and the switch and router ports on the local network. Cacti graphs provide information on traffic
levels on the various parts of the network. When the network is slow, for example, we can refer to the
historical graphs and see if anything out of the ordinary has occurred. In addition to network traffic
levels, Cacti can collect data on CPU utilization, disk space usage, page views on a Web server, and
almost any other data points available on the local network.
Prerequisites
Install the following packages:
cacti (Fedora only; download cacti for RHEL from fedoraproject.org/wiki/EPEL)
mysql
mysql-server
php (installed with cacti)
httpd (Apache; installed with cacti)
rrdtool (installed with cacti)
net-snmp (optional; needed only to monitor the local system)
net-snmp-utils (optional)
Cacti Configuration
Data retrieval
Cacti retrieves data through a poller, an application executed at a constant time interval as a scheduled
service under different operating systems. It is set in the operating system scheduler. In Unix, it is set
under crontab.
Cacti uses cmd.php by default. But if a faster poller is required due to a large infrastructure, then you
can use spine, formerly known as cactid, a very fast poller written in C that makes use of POSIX threads
and links directly to the Net-SNMP library for minimal SNMP polling overhead.
Presently, network infrastructure contains a lot of different devices such as routers, switches, servers,
UPS, and different computer and network appliances. To retrieve data from these remote devices, Cacti
uses SNMP (Simple Network Management Protocol). Devices that are capable of using SNMP can be
monitored by Cacti.
Data storage
There are a lot of options for this task, such as an SQL database or a flat file database. Cacti uses RRDTool
to store data. RRD is a system to store and show time series data collected from different SNMP-capable
devices. It consolidates historical data based on consolidation functions such as AVERAGE, MINIMUM,
MAXIMUM, and so on to keep the storage size to a minimum. That's why it's fast and easy to create graphs
and reports from RRD files.
Data presentation
The most important feature of the RRDTool is a built-in graphing function. Cacti uses this built-in
graphing function to deploy customized graphing reports based on time series data collected from
different SNMP-capable devices. This built-in graphing function supports auto-scaling and logarithmic y-axis. It is possible to graph one or many items in one graph, also adding different legends denoting
characteristics such as maximum, average, minimum, etc.
Net-SNMP is a suite of software for using and deploying the SNMP protocol (versions v1, v2c, and v3) and
the AgentX subagent protocol. It supports IPv4, IPv6, IPX, AAL5, UNIX domain sockets and others. The suite
includes:
Command line applications
A generic client library
A graphical MIB browser using Perl/TK
A daemon application for receiving SNMP notifications (snmptrapd)
An extensible SNMP agent to respond to management queries (snmpd)
Perl, C, and Python modules and sets of APIs to build external applications
RRDTool is developed by Tobi Oetiker, also known for his famous creation MRTG. RRDTool is written
in the C language and stores its data in .rrd files. The number of records in a single .rrd file never increases,
meaning that old records are frequently removed, and it presents useful graphs by processing the data
to enforce a certain data density. RRDTool offers several command line switches to access and
manipulate .rrd files:
create
update
updatev
graph
dump
restore
fetch
tune
last
info
rrdresize
xport
rrdcgi
How does the RRDTool work?
RRDTool follows a logical design to acquire and process data collected from data sources (DS). The
following is a brief discussion of the different steps in the logical process:
Data acquisition: When monitoring a device or system, it is necessary to receive data at a constant
time interval. Manually, it is not possible to maintain such activity as a system administrator. In such
situations, the RRDTool comes in handy. It stores the data in a round-robin database, which is received
at a constant time interval set by the system administrator, using the poller application set as a scheduler
in the operating system.
Data consolidation: The system administrator may log the data at a five-minute interval, but he/she
might be interested in knowing the accumulated update over the last month. In this case, simply storing
the data at a five-minute interval for the whole month will solve the problem. But this will require huge
disk space and a considerable amount of time to analyse the data, as in a network environment,
administrators are not monitoring only a single device. RRDTool solves this problem with the data
consolidation feature. When creating a round-robin database, the administrator can define at which
interval data consolidation should occur using consolidation functions (CF) such as MAXIMUM,
AVERAGE, MINIMUM, and others.
Round Robin Archives of consolidated data: Data values of the consolidation setup are stored in Round
Robin Archives (RRA). In this way, the RRDTool stores data in the most efficient way for a certain time
period defined by the system administrator. This process keeps the database file at a constant size for
faster processing and analyzing.
Unknown data: RRDTool stores data at a constant interval in a round-robin database. Sometimes, this
data might not be available to store in RRD due to device failure or other causes. In this case, the
RRDTool stores the RRD file with an *UNKNOWN* data value. This *UNKNOWN* value is supported by all
RRDTool functions.
Graphing: RRDTool allows the system administrator to generate reports in graphical and numerical forms
based on data stored in the round-robin database (RRD) by using its built-in graph processing functions.
Customization of these graphics is possible based on color, size, and contents.
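The consolidation, fixed-size archive and *UNKNOWN* behaviour described above can be reproduced with a small model. This is an added example, not RRDTool code: a simplified round-robin archive in which the class, the archive names and the polled values are constructed, and the 0.5 threshold for tolerated unknown samples is an assumption of the model.

```python
UNKNOWN = None  # stands in for RRDTool's *UNKNOWN* value


class RoundRobinArchive:
    """Fixed number of rows; each row consolidates `steps` polled samples."""

    FUNCTIONS = {"AVERAGE": lambda v: sum(v) / len(v), "MIN": min, "MAX": max}

    def __init__(self, cf, steps, rows, xff=0.5):
        self.cf = self.FUNCTIONS[cf]
        self.steps = steps          # samples consolidated into one row
        self.xff = xff              # tolerated share of unknown samples per row
        self.rows = [UNKNOWN] * rows
        self.pending = []

    def update(self, sample):
        self.pending.append(sample)
        if len(self.pending) < self.steps:
            return
        known = [v for v in self.pending if v is not UNKNOWN]
        unknown = self.steps - len(known)
        if not known or unknown > self.xff * self.steps:
            value = UNKNOWN         # too little real data to trust the row
        else:
            value = self.cf(known)
        # Round robin: the oldest row is dropped, so the size never changes.
        self.rows = self.rows[1:] + [value]
        self.pending = []


def poll_two_hours():
    """Feed 24 constructed five-minute samples into three archives."""
    samples = [100.0] * 24
    samples[8] = 700.0              # one short traffic spike
    for i in (12, 13, 14, 15, 20):  # polls that returned no data
        samples[i] = UNKNOWN
    archives = {
        "5min": RoundRobinArchive("AVERAGE", steps=1, rows=12),      # 1 hour
        "30min_avg": RoundRobinArchive("AVERAGE", steps=6, rows=4),  # 2 hours
        "30min_max": RoundRobinArchive("MAX", steps=6, rows=4),      # 2 hours
    }
    for sample in samples:
        for rra in archives.values():
            rra.update(sample)
    return {name: rra.rows for name, rra in archives.items()}


if __name__ == "__main__":
    for name, rows in poll_two_hours().items():
        print(f"{name:10s}", ["U" if r is UNKNOWN else r for r in rows])
```

After two hours the five-minute archive no longer holds the spike, the 30-minute AVERAGE archive shows it flattened to 200, and only the MAX archive still records 700, which is why the choice of consolidation function matters when old graphs are used to investigate an event.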
Let's start installing CACTI
yum install httpd # To install APACHE WEB SERVER
chkconfig --list httpd
chkconfig httpd on
service httpd start
vi /etc/sysconfig/iptables # permit http requests to the server
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
service iptables restart
netstat -tan
iptables -nL
vi /etc/httpd/conf.d/welcome.conf # Comment all lines within this file
vi /etc/httpd/conf/httpd.conf
Options -Indexes FollowSymLinks
Allow from 192.168.180.0/255.255.255.0
# Change the word Indexes to -Indexes in order to disable directory listing
yum install php
service httpd restart
# With this code we can create a page that shows PHP and the modules that have been loaded into PHP
http://192.168.180.3/phpinfo.php # output to check if Apache has loaded the php module
yum install mysql-server
yum install php-mysql
service httpd restart
# test phpinfo.php output to check if php has loaded the mysql module
yum install net-snmp net-snmp-utils php-snmp
service httpd restart
# test phpinfo.php output to check if php has loaded the snmp module
yum install rrdtool
# enable the mysql and snmp services to start at system startup
chkconfig snmpd on
chkconfig mysqld on
service snmpd start
service mysqld start
mysqladmin -u root password 'PASSWORD' # Change the root password
# Now let's download and install cacti
# First download the source file to manually install cacti and copy the file to the server through SFTP
tar -xzvf /home/admin/Desktop/cacti-0.8.8b.tar.gz
mysql -u root -p # in order to access the MySQL engine
CREATE DATABASE cacti;
GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY '[SPECIFYCACTIPASS]';
flush privileges;
exit
mysql -u root -p cacti < /home/admin/Desktop/cacti-0.8.8b/cacti.sql
mv /home/admin/Desktop/cacti-0.8.8b /var/www/html/cacti
cd /var/www/html/cacti
vi include/config.php
$database_password = "cactiuser"; // must match the password set in the GRANT statement
vi /etc/cron.d/cacti
*/5 * * * * admin /usr/bin/php /var/www/html/cacti/poller.php > /dev/null 2>&1
# We have to change the ownership of the rra and log folders to the admin user and admin group
chown -R admin:admin /var/www/html/cacti/log
chown -R admin:admin /var/www/html/cacti/rra
chmod 775 /var/www/html/cacti/rra
chmod 775 /var/www/html/cacti/log
vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 162 -j ACCEPT
OK, now we only need to access Cacti from a web browser such as Internet Explorer. You must change the default credentials:
Username: admin
Password: admin