Engineering and technology notes

How to Install & Configure Nagios 4 on Ubuntu 18.04 for Server Monitoring

Jovan Stosic March 20, 2020

Prerequisites

To follow this tutorial we assume the following:

  • You’re using a machine running Ubuntu or Debian. This tutorial is for Ubuntu 18.04, but it should work on Ubuntu 16.4, 14.04 and Debian systems.
  • You’re acting as a non-root sudo user. If you don’t have one set up, you can follow our tutorial on creating a sudo user on Ubuntu 18.04

Get a High RAM VPS at Entry-level Pricing

Starting with 2GB RAM at $6.99/month

Take your pick from our KVM VPS that offer a generous amount of RAM at an affordable price. We’ve got 5 plans for you to choose from, our smallest featuring 2GB RAM at $6.99/mo.

[Main Features] – SSD Drives
– KVM Virtualization
– 1Gbps Shared Uplink
– Location: Chicago, IL

Pick one of our KVM plans

GET STARTED NOW

Step 1 – Install PHP & Apache

We’ll first update our package index and install PHP and Apache.

Step 2 – Create a User and Group for Nagios

Next, create a new user for Nagios, and assign them a password:

Now we’ll create a group for Nagios, which we’ll call nagcmd and we’ll add the user we just created to this group.

We’ll also add the user to the Apache group.

Step 3 – Install Nagios Binaries

To install Nagios, we’ll first have to download the latest Nagios release. To do this, retrieve the tar.gz download link from the Github Releases page. The latest one at the time of writing is nagios-4.4.3.tar.gz.

We’ll first change our directory into /opt, download the release, and extract the archive.

After extracting the archive, navigate into the source directory and install Nagios along with some additional requirements using the make command:

Now we’ll need to copy event handlers scripts to the libexec directory. These provide multiple event triggers for the Nagios Web Interface.

Step 4 – Set Up Apache with an Authentication Gateway

We’ll now set up Apache Virtual Hosts for Nagios, and to secure our web interface, we’ll set up an authentication gateway to prevent unauthorized access.

To do this, we’ll create an Apache configuration file for Nagios:

And paste the following content into the file.

Save and close the file when you’re done.

Now we can set up the authentication gateway. We’ll use the user nagiosadmin. This is the default user that we can use to authenticate, and to use a different one would require further configuration.

Now enable the Apache configuration and restart it so the changes take effect:

Step 5 – Install Nagios Plugins

Once Nagios is installed and configured, we can download and install the latest nagios-plugins. To do this, retrieve the latest nagios-plugins release link from here. The latest version at the time of writing is nagios-plugins-2.2.1.tar.gz. After which, change the directory into /opt, download it, extract it, and navigate into it’s folder.

Now we compile and install nagios-plugins:

Step 6 – Verify & Start Nagios

After installing and configuring Nagios, we can verify if Nagios has been successfully installed, start it, and configure it to start on system boot.

Verify the installation:

Example Output

Start Nagios:

Configure to start on system boot:

Step 7 – Access the Nagios Web Interface

Now you can access the Nagios Web Interface by visiting your hostname or IP address in your browser followed by /nagios:

Source: How to Install & Configure Nagios 4 on Ubuntu 18.04 for Server Monitoring

Jenůfa

Jovan Stosic March 20, 2020

(Czech) (help·info) (Její pastorkyňa, “Her Stepdaughter” in Czech) is an opera in three acts by Leoš Janáček to a Czech libretto by the composer, based on the play Její pastorkyňa by Gabriela Preissová. It was first performed at the National Theatre, Brno on 21 January 1904. Composed between 1896 and 1902, it is among the first operas written in prose.

The first of Janáček’s operas in which his distinctive voice can clearly be heard, it is a grim story of infanticide and redemption. Like the playwright’s original work, it is known for its unsentimental realism. While today it is heard in the composer‘s original version, Jenůfa’s early popularity was due to a revised version by Karel Kovařovic, altering what was considered its eccentric style and orchestration. Thus altered, it was well-received, first in Prague, and particularly after its Vienna première also worldwide. More than 70 years passed before audiences again heard it in Janáček’s original version.

Janáček wrote an overture to the opera, but decided not to use it. It was partly based on a song called Žárlivec (The jealous man). It is now performed as a concert piece under the title Žárlivost (Jealousy).

The composer dedicated the work to the memory of his daughter Olga (d. 1903), as he did his choral composition the Elegy on the Death of Daughter Olga.

https://en.m.wikipedia.org/wiki/Jen%C5%AFfa

SSL/DovecotConfiguration – Dovecot Wiki

Jovan Stosic March 18, 2020

The certificate file can be world-readable, since it doesn’t contain anything sensitive (in fact it’s sent to each connecting SSL client). The key file’s permissions should be restricted to only root (and possibly ssl-certs group or similar if your OS uses such). Dovecot opens both of these files while still running as root, so you don’t need to give Dovecot any special permissions to read them (in fact: do not give dovecot user any permissions to the key file).

It’s possible to keep the certificate and the key both in the same file:

# Preferred permissions: root:root 0400
ssl_cert = </etc/ssl/dovecot.pem
ssl_key = </etc/ssl/dovecot.pem

It’s also possible to use different certificates for IMAP and POP3. However its important to note that “ssl = yes” must be set globally if you require SSL for any protocol (or dovecot will not listen on the SSL ports), which in turn requires that a certificate and key are specified globally even if you intend to specify certificates per protocol. The per protocol certificate settings override the global setting.:

protocol imap {
  ssl_cert = </etc/ssl/certs/imap.pem
  ssl_key = </etc/ssl/private/imap.pem
}
protocol pop3 {
  ssl_cert = </etc/ssl/certs/pop3.pem
  ssl_key = </etc/ssl/private/pop3.pem
}

There are a couple of different ways to specify when SSL/TLS is required:

  • ssl=no: SSL/TLS is completely disabled.

  • ssl=yes and disable_plaintext_auth=no: SSL/TLS is offered to the client, but the client isn’t required to use it. The client is allowed to login with plaintext authentication even when SSL/TLS isn’t enabled on the connection. This is insecure, because the plaintext password is exposed to the internet.

  • ssl=yes and disable_plaintext_auth=yes: SSL/TLS is offered to the client, but the client isn’t required to use it. The client isn’t allowed to use plaintext authentication, unless SSL/TLS is enabled first. However, if non-plaintext authentication mechanisms are enabled they are still allowed even without SSL/TLS. Depending on how secure they are, the authentication is either fully secure or it could have some ways for it to be attacked.

  • ssl=required: SSL/TLS is always required, even if non-plaintext authentication mechanisms are used. Any attempt to authenticate before SSL/TLS is enabled will cause an authentication failure.

  • NOTE: If you have only plaintext mechanisms enabled (e.g. auth { mechanisms = plain login } ), ssl=yes and ssl=required are completely equivalent because in either case the authentication will fail unless SSL/TLS is enabled first.

  • NOTE2: With both ssl=yes and ssl=required it’s still possible that the client attempts to do a plaintext authentication before enabling SSL/TLS, which exposes the plaintext password to the internet. Dovecot attempts to indicate this to the IMAP clients via the LOGINDISABLED capability, but many clients still ignore it and send the password anyway. There is unfortunately no way for Dovecot to prevent this behavior. The POP3 standard doesn’t have an equivalent capability at all, so the POP3 clients can’t even know if the server would accept a plaintext authentication.

  • The main difference between ssl=required and disable_plaintext_auth=yes is that if ssl=required, it guarantees that the entire connection is protected against eavesdropping (SSL/TLS encrypts the rest of the connection), while disable_plaintext_auth=yes only guarantees that the password is protected against eavesdropping (SASL mechanism is encrypted, but no SSL/TLS is necessarily used). Nowadays you most likely should be using SSL/TLS anyway for the entire connection, since the cost of SSL/TLS is cheap enough. Using both SSL/TLS and non-plaintext authentication would be the ideal situation since it protects the plaintext password even against man-in-the-middle attacks.

Note that plaintext authentication is always allowed (and SSL not required) for connections from localhost, as they’re assumed to be secure anyway. This applies to all connections where the local and the remote IP addresses are equal. Also IP ranges specified by login_trusted_networks setting are assumed to be secure.

Source: SSL/DovecotConfiguration – Dovecot Wiki

Serverless computing

Jovan Stosic March 18, 2020

Serverless computing is a cloud computing execution model in which the cloud provider runs the server, and dynamically manages the allocation of machine resources. Pricing is based on the actual amount of resources consumed by an application, rather than on pre-purchased units of capacity. It can be a form of utility computing.

Serverless computing can simplify the process of deploying code into production. Scaling, capacity planning and maintenance operations may be hidden from the developer or operator. Serverless code can be used in conjunction with code deployed in traditional styles, such as microservices. Alternatively, applications can be written to be purely serverless and use no provisioned servers at all.

This should not be confused with computing or networking models that do not require an actual server to function, such as peer-to-peer (P2P).

Serverless runtimes

Most, but not all, serverless vendors offer compute runtimes, also known as function as a service (FaaS) platforms, which execute application logic but do not store data. The first “pay as you go” code execution platform was Zimki, released in 2006, but it was not commercially successful. In 2008, Google released Google App Engine, which featured metered billing for applications that used a custom Python framework, but could not execute arbitrary code. PiCloud, released in 2010, offered FaaS support for Python.

AWS Lambda, introduced by Amazon in 2014, was the first public cloud infrastructure vendor with an abstract serverless computing offering. It is supported by a number of additional AWS serverless tools such as AWS Serverless Application Model (AWS SAM) Amazon CloudWatch, and others.

Google Cloud Platform offers Google Cloud Functions since 2016.

IBM offers IBM Cloud Functions in the public IBM Cloud since 2016.

Microsoft Azure offers Azure Functions, offered both in the Azure public cloud or on-premises via Azure Stack.

https://en.wikipedia.org/wiki/Serverless_computing

Pigeonhole/ManageSieve/Troubleshooting – Dovecot Wiki

Jovan Stosic March 17, 2020

ManageSieve Troubleshooting

Like Dovecot itself, the ManageSieve service always logs a detailed error message if something goes wrong at the server (refer to Dovecot Logging for more details): the logs are the first place to look if you suspect something is wrong. To get additional debug messages in your log file, you should set mail_debug=yes in dovecot.conf (inside protocol sieve {...} if you want to enable this for ManageSieve only).

If the client commits protocol violations or sends invalid scripts, an error response is provided to the client which is not necessarily logged on the server. A good ManageSieve client presents such error messages to the user.

Keep in mind that the the ManageSieve service only provides the Sieve protocol, which may be somewhat confusing. This protocol can only be used to upload Sieve scripts and activate them for execution. Performing the steps below therefore only verifies that this functionality is working and not whether Sieve scripts are correctly being executed upon delivery. The execution of Sieve scripts is performed by the Dovecot Local Delivery Agent (LDA) or its LMTP service using the LDA Sieve plugin. If you have problems with Sieve script execution upon delivery, you are referred to the Sieve Troubleshooting page.

Manual Login and Script Upload

If you fail to login or upload scripts to the server, it is not necessarily caused by Dovecot or your configuration. It is often best to test your ManageSieve server manually first. This also provides you with the direct error messages from the server without intermission of your client. If you do not use TLS, you can connect using a simple telnet or netcat connection to the configured port (typically 4190 or 2000 for older setups). Otherwise you must use a TLS-capable text protocol client like gnutls-cli as described below. Upon connection, the server presents the initial greeting with its capabilities:

"IMPLEMENTATION" "dovecot"
"SASL" "PLAIN"
"SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify include envelope body relational regex subaddress copy"
"STARTTLS"
OK "Dovecot ready."

Note that the reported STARTTLS capability means that the server accepts TLS, but, since you are using telnet/netcat, you cannot use this (refer to Manual TLS Login below). The SASL capability lists the available SASL authentication mechanisms. If this list is empty and STARTTLS is available, it probably means that the server forces you to initiate TLS first (as dictated by ‘disable_plaintext_auth=yes‘ in dovecot.conf).

Now you need to log in. Although potentially multiple SASL mechanisms are available, only PLAIN is described here. Authentication is performed using the ManageSieve AUTHENTICATE command. This command typically looks as follows when the PLAIN mechanism is used:

AUTHENTICATE "PLAIN" "<base64-encoded credentials>"

The credentials are the base64-encoded version of the string "\0<username>\0<password" (in which \0 represents the ASCII NUL character). Generating this is cumbersome and a bit daunting for the novice user, so for convenience a simple Perl script is provided to generate the AUTHENTICATE command for you. It is available here and used as follows:

sieve-auth-command.pl <username> <password>

The command is written to stdout and you can paste this to your protocol session, e.g.:

AUTHENTICATE "PLAIN" "AHVzZXJuYW1lAHBhc3N3b3Jk"
OK "Logged in."

Now that you are logged in, you can upload a script. This is done using the PUTSCRIPT command. Its first argument is the name for the script and its second argument is a string literal. A string literal starts with a length specification '{<bytes>+}' followed by a newline. Thereafter the server expects <bytes> bytes of script data. The following uploads a trivial 6 byte long sieve script that keeps every message (6th byte is the newline character):

PUTSCRIPT "hutsefluts" {6+}
keep;
OK "Putscript completed."

Upon successful upload, you should find a file called hutsefluts.sieve in your sieve_dir directory. The script should also be listed by the server as follows when the LISTSCRIPTS command is issued:

LISTSCRIPTS
"hutsefluts"
OK "Listscripts completed."

You can check whether your script is uploaded correctly by downloading it using the GETSCRIPT command. This command accepts the name of the downloaded script as its only parameter:

GETSCRIPT "hutsefluts"
{6}
keep;
OK "Getscript completed."

To let the Sieve plugin use your newly uploaded script, you must activate it using the SETACTIVE command (only one script can be active at any time). The active script is indicated ACTIVE in the LISTSCRIPTS output, e.g.:

SETACTIVE "hutsefluts"
OK "Setactive completed."
LISTSCRIPTS
"hutsefluts" ACTIVE
OK "Listscripts completed.

The symbolic link configured with the sieve setting should now point to the activated script in the sieve_dir directory. If no script is active, this symbolic link is absent.

Manual TLS Login

When TLS needs to be used during manual testing, gnutls-cli provides the means to do so. This command-line utility is part of the GNUTLS distribution and on most systems this should be easy to install. It is used to connect to ManageSieve as follows:

gnutls-cli --starttls -p <port> <host>

This starts the client in plain text mode first. As shown in the previous section, the server presents a greeting with all capabilities of the server. If STARTTLS is listed, you can issue the STARTTLS command as follows:

STARTTLS
OK "Begin TLS negotiation now."

If an OK response is given by the server you can press Ctrl-D to make gnutls-cli start the TLS negotiation. Upon pressing Ctrl-Dgnutls-cli will show information on the negotiated TLS session and finally the first response of the server is shown:

"IMPLEMENTATION" "dovecot"
"SASL" "PLAIN"
"SIEVE" "comparator-i;ascii-numeric fileinto reject vacation imapflags notify include envelope body relational regex subaddress copy"
OK "TLS negotiation successful."

Hereafter, you can continue to authenticate and upload a script as described in the previous section.

Client Problems

If manual efforts to upload a script are successful, but your client still fails, you need to obtain a view on what the client communicates with the server. A common method is to sniff the client protocol session using a tool like ngrep. However, this will not work when TLS is active. If the problem is not specific to TLS, you are advised to temporarily turn off TLS and sniff the plain text protocol. If TLS is part of the issue, you can use Dovecot’s rawlog facility to see what is going on if the client is logged in. If the authentication is the problem, there is no real nice way to obtain a transcript of the protocol. One way is to run managesieve from inetd, wrapping it into a script that writes the protocol messages somewhere (FIXME: This needs some checking and explanation). Alternatively, if possible, the client can be altered to write its protocol messages somewhere.

Refer to the ManageSieve Clients page for information on known client problems.

Known Server Issues and Protocol Deviations

  • The ANONYMOUS authentication mechanism is currently not supported and explicitly denied.

NOTE: If you add new issues to this list, notify the author or send an e-mail to the Dovecot mailing list. In any case, you must make sure that the issue is properly explained and that the author can contact you for more information.

Source: Pigeonhole/ManageSieve/Troubleshooting – Dovecot Wiki

Install Fail2ban intrusion prevention framework on Ubuntu

Jovan Stosic March 17, 2020

Installing Fail2ban

It operates by monitoring log files for certain type of entries and runs predetermined actions based on its findings. You can install the software with the following

sudo apt-get install fail2ban

Once installed, copy the default jail.conf file to make a local configuration with this command

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then open the new local configuration file for edit with your favourite text editor, for example

sudo nano /etc/fail2ban/jail.local

Scroll down to go through some of the settings available in the configuration file.

First up are the basic defaults for ignoreip, which allows you to exclude certain IP addresses from being banned, for example if your own computer has a fixed IP you can enter it here. Next set the bantime which determines how long an offending host will remain blocked until automatically unblocked. Lastly check the findtime and maxretry counts, of which the find time sets the time window for the max retry attempts before the host IP attempting to connect is blocked.

[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 3600 
findtime = 600
maxretry = 3

If you have a sendmail service configured on your cloud server, you can enable the email notifications from Fail2ban by entering your email address to the parameter destemail and changing the action = %(action_)s to action = %(action_mw)s.

Once you’ve done the basic configurations, check the different jails available in the configuration options. Jails are the rules which fail2ban applies to any given application or log file. SSH jail settings, which you can find at the top of the jails list, are enabled by default.

[sshd]
enabled = true

You can enable any other jail module in the same fashion by editing the enabled parameter to true.

When you’ve enabled all the jails you wish, save the configuration file and exit the editor. Then you’ll need to restart the monitor with the following command

sudo service fail2ban restart

With that done, you should now check your iptable rules for the newly added jail sections on each of the application modules you enabled.

sudo iptables -L

Any banned IP addresses will appear in the specific chains that the failed login attempts occurred at. You can also manually ban and unban IP addresses from the services you defined jails for with the following commands.

sudo fail2ban-client set <jail> banip/unbanip <ip address>
# For example
sudo fail2ban-client set sshd unbanip 83.136.253.43

Fail2ban is a handy addition to the iptables and firewall access control in general, feel free to experiment with the configuration and don’t worry if you get your own IP address banned,

 

Source: Install Fail2ban intrusion prevention framework on Ubuntu – UpCloud

MQTT

Jovan Stosic March 17, 2020

MQTT (MQ Telemetry Transport) is an open OASIS and ISO standard (ISO/IEC PRF 20922) lightweight, publish-subscribe network protocol that transports messages between devices. The protocol usually runs over TCP/IP; however, any network protocol that provides ordered, lossless, bi-directional connections can support MQTT. It is designed for connections with remote locations where a “small code footprint” is required or the network bandwidth is limited.

https://en.m.wikipedia.org/wiki/MQTT