Install and configure cockpit with SSL (debian)

1. Edit /etc/apt/sources.list or create a new file /etc/apt/sources.list.d/Backports.list and add the lines below (these are repository entries, not commands to type, so they are not prefixed with #)

        deb http://ftp.debian.org/debian/ stretch-backports main contrib non-free
        deb http://packages.prosody.im/debian stretch main
        deb https://apt.dockerproject.org/repo debian-stretch main

2.  Install the cockpit package
        #sudo apt-get update
        #sudo apt-get install cockpit

3. Manage the SSL certificate for cockpit (reusing existing SSL certificates)
        #cat /etc/cockpit/ws-certs.d/cockpit.base.cert > /etc/cockpit/ws-certs.d/0-self-signed.cert
        #cat /etc/ssl/certs/web/mydomain.com/fullchain.pem >> /etc/cockpit/ws-certs.d/0-self-signed.cert
        #systemctl reload cockpit

4.  Configure apache2 for the SSL certificate and redirection
        Create the file /etc/apache2/sites-available/cockpit.conf and put the entries given below in it

           <VirtualHost *:80>
           ServerName cockpit.mydomain.com
           Redirect permanent / https://cockpit.mydomain.com/
           </VirtualHost>

           <IfModule mod_ssl.c>
           <VirtualHost *:443>
           ServerName cockpit.mydomain.com
           SSLCertificateFile /etc/ssl/certs/web/mydomain.com/fullchain.pem
           SSLCertificateKeyFile /etc/ssl/certs/web/mydomain.com/privkey.pem
           Include /etc/letsencrypt/options-ssl-apache.conf
           ProxyPreserveHost On
           ProxyRequests Off

           # allow for upgrading to websockets
           RewriteEngine On
           RewriteCond %{HTTP:Upgrade} =websocket [NC]
           RewriteRule /(.*) ws://127.0.0.1:9090/$1 [P,L]
           RewriteCond %{HTTP:Upgrade} !=websocket [NC]
           RewriteRule /(.*) http://127.0.0.1:9090/$1 [P,L]

           # Proxy to your local cockpit instance
           ProxyPass / http://127.0.0.1:9090/
           ProxyPassReverse / http://127.0.0.1:9090/

           </VirtualHost>
           </IfModule>

5. Configure iptables to drop requests to port 9090 from the outside world
        #iptables -A INPUT -p tcp -s 127.0.0.1 --dport 9090 -j ACCEPT
        #iptables -A INPUT -p tcp --dport 9090 -j DROP

6. Enable the Apache configuration (the vhost above needs mod_ssl, mod_rewrite, mod_proxy, mod_proxy_http and mod_proxy_wstunnel loaded: a2enmod ssl rewrite proxy proxy_http proxy_wstunnel)
        #ln -s /etc/apache2/sites-available/cockpit.conf /etc/apache2/sites-enabled/cockpit.conf
        #systemctl reload apache2


Summary:
After this setup the cockpit web console will be available only at https://cockpit.mydomain.com, and https://cockpit.mydomain.com:9090 will not work
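An added check for step 5 (example script, not part of the original notes): the two iptables rules are appended with -A, so any ACCEPT already sitting above them in the INPUT chain wins. This script reads `iptables -S INPUT` output and reports whether the loopback ACCEPT and the 9090 DROP are in an effective order; the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: sanity-check the INPUT chain
# after step 5. iptables walks INPUT top to bottom, so a blanket ACCEPT sitting
# above the 9090 DROP, or a DROP placed above its loopback ACCEPT, makes the
# step 5 rules ineffective. Reads the output of `iptables -S INPUT` on stdin.

# Prints "ok" and returns 0 when an ACCEPT for tcp/9090 scoped to local
# traffic comes before the tcp/9090 DROP and no catch-all ACCEPT precedes
# that DROP; otherwise prints the problem and returns 1.
check_cockpit_rules() {
    accept_at= drop_at= broad_at= n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            *"--dport 9090"*"-j DROP"*) drop_at=${drop_at:-$n} ;;
            *"--dport 9090"*"-j ACCEPT"*)
                # only an accept scoped to local traffic counts (first one wins)
                case "$line" in
                    *"-i lo"*|*"-s 127.0.0.1"*) accept_at=${accept_at:-$n} ;;
                esac ;;
            *"-j ACCEPT"*)
                # heuristic: an ACCEPT with no port, loopback or state match
                case "$line" in
                    *--dport*|*"-i lo"*|*ctstate*|*--state*) ;;
                    *) broad_at=${broad_at:-$n} ;;
                esac ;;
        esac
    done
    if [ -z "$drop_at" ]; then
        echo "missing: DROP rule for tcp/9090"; return 1
    fi
    if [ -z "$accept_at" ] || [ "$accept_at" -gt "$drop_at" ]; then
        echo "loopback ACCEPT for tcp/9090 must precede the DROP (rule $drop_at)"; return 1
    fi
    if [ -n "$broad_at" ] && [ "$broad_at" -lt "$drop_at" ]; then
        echo "catch-all ACCEPT (rule $broad_at) shadows the 9090 DROP (rule $drop_at)"; return 1
    fi
    echo ok
}

# constructed sample in `iptables -S INPUT` format: the step 5 rules placed
# after the usual loopback and established-connection accepts
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9090 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | check_cockpit_rules
```

Run it as `iptables -S INPUT | sh check-cockpit-rules.sh` on the host. Rules added with plain iptables commands are not kept across a reboot unless saved, for example with the iptables-persistent package.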

Create swap space using a swapfile

  1. On the TEST server there is 4GB memory and a 4GB swap file, which is not enough.
  2. The existing swap partition was created in LVM and there is no scope to increase its size.
  3. To overcome this problem, create a swapfile using the dd command (with permission 0600)
  4. Change the file permission to 0600
  5. Set the file up as a swap area
  6. Test by enabling swap on the swapfile
  7. Make it boot persistent by adding an entry in fstab
  8. Always run the mount -a command to check for errors in the fstab file
  9. Now disable swap on /swapfile, which we enabled manually, and check the swap partitions
  10. Now check boot persistence with the swapon command
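The ten steps above as one script (added example, not part of the original notes). The path /swapfile and the default size are assumptions; the privileged part only runs when invoked as root with --apply, the fstab helpers run anywhere.

```shell
#!/bin/sh
# Added example, not part of the original notes: the swapfile steps above as
# one script. Path and default size are assumptions. Usage as root:
#   sh swapfile.sh --apply <size-in-MiB>
# The fstab helpers below need no privileges and keep re-runs idempotent.

SWAPFILE=/swapfile   # assumed path

# fstab line for the swapfile (step 7)
swap_fstab_entry() {
    printf '%s none swap sw 0 0\n' "$1"
}

# succeeds if an uncommented fstab entry for the file already exists, so a
# re-run does not append a duplicate; second argument overrides /etc/fstab
fstab_has_swap() {
    grep -Eq "^[[:space:]]*$1[[:space:]]+none[[:space:]]+swap" "${2:-/etc/fstab}"
}

create_swapfile() {
    size_mb=$1
    # steps 3-4: create with dd, then restrict the file to root
    dd if=/dev/zero of="$SWAPFILE" bs=1M count="$size_mb"
    chmod 0600 "$SWAPFILE"
    # steps 5-6: mark it as a swap area and enable it
    mkswap "$SWAPFILE"
    swapon "$SWAPFILE"
    # steps 7-8: persist across reboots, then let mount -a validate fstab
    if ! fstab_has_swap "$SWAPFILE"; then
        swap_fstab_entry "$SWAPFILE" >> /etc/fstab
    fi
    mount -a
    # steps 9-10: drop the manual activation and prove fstab brings it back
    swapoff "$SWAPFILE"
    swapon -a
    swapon --show
}

if [ "${1:-}" = "--apply" ]; then
    create_swapfile "${2:-4096}"
fi
```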

ssh jailing with all commands

Steps for ssh jailing

  1. Create a user for the jail environment and set a password if the user doesn't exist.

    #useradd -m testuser
    #passwd testuser
  2. Create a directory structure for the secure environment.

    (In our case we are creating the secure environment under /home. You can change it according to your requirements)
    #cd /home
    #mkdir -p secure/home
    #cd /home/secure/home
    #mkdir testuser
    #chown testuser:testuser testuser

  3. Enable commands for the user in the chrooted environment.

    #cp -pr /bin /home/secure/
    #cp -fr /lib /home/secure/
    #cp -fr /lib64 /home/secure/
    #mkdir /home/secure/usr
    #cp -pr /usr/lib /home/secure/usr/
    #cp -pr /usr/bin /home/secure/usr/
    #mkdir -p /home/secure/etc/
    #cp -p /etc/environment /home/secure/etc/
  4. Configuration for jailing.

    Edit the file sshd_config
    #vi /etc/ssh/sshd_config

      #SSH JAILING
      Match User testuser
      ChrootDirectory /home/secure
      #ForceCommand internal-sftp   (if you uncomment this line, ssh shell sessions are refused and only sftp connections are allowed)

  5. # service sshd reload

  6. After logging in from another server, /home/secure will appear as the / partition for the ssh session.
           #ssh testuser@<ip>
Chroot Configuration for Group:
  1. Suppose there are multiple users that need to be restricted using chroot.
    Then create a group chroot and add the users to the group
     #groupadd chroot
     #usermod -aG chroot testuser

  2. Change the sshd config as given below
     #SSH JAILING
     Match Group chroot
     ChrootDirectory /home/secure
     #ForceCommand internal-sftp (if you uncomment this line, ssh shell sessions are refused and only sftp connections are allowed)
  3. # service sshd reload

Things to remember:
  1. The chroot directory should always have root ownership and permission 755,
    otherwise you will get the error below
    packet_write_wait: Connection to x.x.x.x port 22: Broken pipe

  2. Don't forget to copy /etc/environment,
    otherwise you will get the warning below when changing the shell to bash
    bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)


Configure a simple chat server using ejabberd ( on Debian)

Hi, to create a chat server without LDAP and MySQL for a small organization, follow the steps below (the procedure is the same for CentOS, but you have to install ejabberd using yum). Prerequisite: DNS must be configured for the server, otherwise you will have to use the IP address instead of the domain name in the configuration.

Install the ejabberd package on the server
#apt-get install ejabberd

Check whether the service is running, then register an admin user

Create the admin user by typing the command below
#ejabberdctl register admin localhost passwordforadminuser

Edit the /etc/ejabberd/ejabberd.yml file for admin user access and for the domain for which we are creating the service

Edit the default entry like given below

Add the host like given below, and register the admin user as admin for the domain

Go to the browser, open the admin panel https://<your ip or domain>:5280/admin and log in as user admin@localhost

The console will look like given below. Click on Virtual Hosts

Select the domain (in my case it's geekonline.in) by clicking it.

Click on Users to create / edit users

Add users like given below

Configure Pidgin as below

Nagios ( over ssh )

Configuring Nagios (my OS is Ubuntu)

Before configuring the Nagios server, configure the server as a mail server/relay server

A. INSTALLATION

1) Download the sources into /usr/local/src/

#wget http://liquidtelecom.dl.sourceforge.net/project/nagios/nagios-4.x/nagios-4.2.3/nagios-4.2.3.tar.gz
#wget --no-check-certificate https://nagios-plugins.org/download/nagios-plugins-2.1.4.tar.gz

tar -zxvf nagios-plugins-2.1.4.tar.gz

2) Add user and group

#useradd nagios
#groupadd nagcmd
#usermod -a -G nagcmd nagios
#usermod -a -G nagios,nagcmd www-data
 (* for centos this will be #usermod -a -G nagios,nagcmd apache)

3) Configuring and compiling source code nagios core:

#tar -zxvf nagios-4.2.3.tar.gz
#tar -zxvf nagios-plugins-2.1.4.tar.gz

#cd nagios-4.2.3

Install essential packages

#apt-get install snmp
#apt-get install snmpd
#apt-get install mrtg

(*for centos 
# yum install net-snmp-5.3.2.2-22.el5_10.1
#yum install net-snmp-libs-5.3.2.2-22.el5_10.1)

#./configure --with-command-group=nagcmd --with-mail=/usr/bin/sendmail --with-httpd-conf=/etc/apache2/sites-available/

(* for centos this will be #./configure --with-command-group=nagcmd )

#make all
#make install
#make install-init
#make install-config
#make install-commandmode
#make install-webconf
#cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/
#chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers
#/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

4) Configuring Apache

#sudo a2ensite nagios
#sudo a2enmod rewrite cgi ( enable mod rewrite in httpd for centos)
#service apache2 reload / restart

(* for centos it will be #/etc/init.d/httpd restart /reload)

#/etc/init.d/nagios start
#htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

5) Configuring and compiling source code nagios plugins

#cd ../nagios-plugins-2.1.4/
#./configure --with-nagios-user=nagios --with-nagios-group=nagios
#make
#make install
#sudo update-rc.d nagios defaults

(* for centos it will be 
#chkconfig --add nagios
#chkconfig --level 35 nagios on )

B. CONFIGURATION

On Client

#apt-get install libmysqlclient*-dev ( required for the check_mysql plugin )
(*For CentOS #yum install mysql51-mysql-libs.x86_64 )
#useradd nagios
#groupadd nagcmd
#usermod -a -G nagcmd nagios

#cd /usr/local/src
#wget --no-check-certificate https://nagios-plugins.org/download/nagios-plugins-2.1.4.tar.gz
#tar -zxvf nagios-plugins-2.1.4.tar.gz
#cd nagios-plugins-2.1.4
#./configure --with-nagios-user=nagios --with-nagios-group=nagios
#make
#make install

On Server

#su - nagios
#ssh-keygen

copy the content of the file id_rsa.pub to the file /home/nagios/.ssh/authorized_keys

#cd /usr/local/nagios/etc/objects

(write your own commands for remote servers which we are going to monitor via ssh agent. )

#vi remote-commands.cfg ( for example see my remote-commands.cfg at the end of the document.)

#cd /usr/local/nagios/etc

#vi nagios.cfg and add the below line

cfg_file=/usr/local/nagios/etc/objects/remote-commands.cfg

#cd /usr/local/nagios/etc/objects

#vi hostgroups.cfg ( create your hostgroups. In localhost.cfg you can find how a hostgroup is written. Sample files are at the end of the document )

cd /usr/local/nagios/etc

#vi nagios.cfg and add the below line

cfg_file=/usr/local/nagios/etc/objects/hostgroups.cfg

mkdir /usr/local/nagios/etc/objects/{Linux-Workstations,Windows-Workstations,Laptops,DRBL-Workstations,Local-Servers,Remote-Servers}

cd /usr/local/nagios/etc

#vi nagios.cfg and add the below lines

cfg_dir=/usr/local/nagios/etc/objects/Local-Servers

cfg_dir=/usr/local/nagios/etc/objects/Linux-Workstations

cfg_dir=/usr/local/nagios/etc/objects/Windows-Workstations

cfg_dir=/usr/local/nagios/etc/objects/Laptops

cfg_dir=/usr/local/nagios/etc/objects/Remote-Servers

copy localhost.cfg to /usr/local/nagios/etc/objects/Linux-Workstations/<system-to-monitor-ip>.cfg ( for example my system's IP is 192.168.100.199, so I copied the file as 192.168.100.199.cfg )

vim 192.168.100.199.cfg
remove all hostgroup entries and make the changes accordingly

For remote system monitoring write the file /usr/local/nagios/etc/objects/remote-commands.cfg like below

define command{
 command_name check_remote_disk
 # command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_disk -w $ARG1$ -c $ARG2$ -e'
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_disk -w $ARG2$ -c $ARG3$ -A -I "/run/*" -I "/sys/*" -I "/dev/shm" -I "/dev" -I "/lib/*" -I "/var/lock" -I "/Thecus/*"'
 }

define command{
 command_name check_remote_load
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_load -w $ARG2$ -c $ARG3$'
 }

define command{
 command_name check_remote_swap
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_swap -w $ARG2$ -c $ARG3$'
 }

define command{
 command_name check_remote_users
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_users -w $ARG2$ -c $ARG3$'
 }

define command{
 command_name check_remote_procs
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_procs -w $ARG2$ -c $ARG3$'
 }

define command{
 command_name check_remote_ssh
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_ssh -H $HOSTADDRESS$ $ARG1$'
 }

#define command{
 # command_name check_remote_mysql
 # command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_mysql -H $HOSTADDRESS$ $ARG1$'
 #}

define command{
 command_name check_remote_pgsql
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_pgsql -H $HOSTADDRESS$ -l $ARG2$ -p $ARG3$'
 }

define command{
 command_name check_remote_http
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_http -H $HOSTADDRESS$'
 }

define command{
 command_name check_remote_ldap
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_ldap -H $HOSTADDRESS$ $ARG1$'
 }

define command{
 command_name show_remote_users
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/show_users'
 }

define command{
 command_name check_remote_mysql
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_mysql -u $ARG2$ -p $ARG3$'
 }

define command{
 command_name check_remote_asterisk
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_asterisk'
 }

define command{
 command_name check_remote_ping
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_ping -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5'
 }

define command{
 command_name show_logged_users
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $ARG2$ -C '/usr/local/nagios/libexec/logged_users'
 }
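A small lint for a commands file like the one above (added example, not part of the original notes). Every command_line here passes -o StrictHostKeyChecking=no to check_by_ssh, which makes the Nagios server accept whatever host key a monitored host presents, and a macro typed as $ARG1 without its closing $ is not expanded by Nagios; the script flags both. The sample cfg is constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: lint a Nagios commands file
# such as remote-commands.cfg above. Flags "-o StrictHostKeyChecking=no"
# (the server then never verifies a monitored host's identity; seed
# /home/nagios/.ssh/known_hosts once instead) and macros written as $ARG1
# without the closing $, which Nagios passes through unexpanded.

# Reads the cfg on stdin, prints one line per finding plus a total; returns 0
# only when there are no findings.
lint_nagios_commands() {
    findings=0
    lineno=0
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$trimmed" in
            command_line*) ;;   # only uncommented command_line directives
            *) continue ;;      # comments (# or ;) and other directives
        esac
        case "$trimmed" in
            *StrictHostKeyChecking=no*)
                echo "line $lineno: host key checking disabled; remove the option and pre-seed known_hosts on the server"
                findings=$((findings + 1)) ;;
        esac
        # $ARGn followed by anything but $ (or end of line) is a broken macro
        if printf '%s\n' "$trimmed" | grep -Eq '\$ARG[0-9]+([^$0-9]|$)'; then
            echo "line $lineno: macro without closing \$ (\$ARG1 should be \$ARG1\$)"
            findings=$((findings + 1))
        fi
    done
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# constructed sample: one definition as written on this page, one commented
# line (must be ignored), one definition with a broken macro
SAMPLE_CFG=$(cat <<'EOF'
define command{
 command_name check_remote_load
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -o StrictHostKeyChecking=no -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_load -w $ARG2$ -c $ARG3$'
 }
# command_line /usr/local/nagios/libexec/check_by_ssh -o StrictHostKeyChecking=no -H $HOSTADDRESS$
define command{
 command_name check_remote_ldap
 command_line /usr/local/nagios/libexec/check_by_ssh -p $ARG1$ -l nagios -t 30 -H $HOSTADDRESS$ -C '/usr/local/nagios/libexec/check_ldap -H $HOSTADDRESS$ $ARG1'
 }
EOF
)

printf '%s\n' "$SAMPLE_CFG" | lint_nagios_commands
```

On the server run it as `lint_nagios_commands < /usr/local/nagios/etc/objects/remote-commands.cfg`, then re-run `nagios -v` as in the install steps.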

For host write files like given (sample configuration geekonline.cfg )

define host{
 use                     remote-linux-server            ; Name of host template to use
 ; This host definition will inherit all variables that are defined
 ; in (or inherited by) the linux-server host template definition.
 host_name               GEEKHOST
 alias                   GeekHost
 address                 23.250.32.8
 }

define service{
 use                             local-service         ; Name of service template to use
 host_name                       GEEKHOST
 service_description             PING
 check_command            check_remote_ping!22!100.0,20%!500.0,60%
 }

define service{
 use                             local-service         ; Name of service template to use
 host_name                       GEEKHOST
 service_description             Partitions
 check_command            check_remote_disk!22!20%!10%!/
 }

define service{
 use                             local-service         ; Name of service template to use
 host_name                       GEEKHOST
 service_description             Current Users
 check_command            check_remote_users!22!20!50
 }

define service{
 use                             local-service         ; Name of service template to use
 host_name                       GEEKHOST
 service_description             Total Processes
 check_command            check_remote_procs!22!250!400!RSZDT
 }

define service{
 use                             local-service         ; Name of service template to use
 host_name                       GEEKHOST
 service_description             Current Load
 check_command            check_remote_load!22!5.0,4.0,3.0!10.0,6.0,4.0
 }

define service{
 use                             local-service         ; Name of service template to use
 host_name                       GEEKHOST
 service_description             Swap Usage
 check_command            check_remote_swap!22!20!10
 }

define service{
 use                             local-service         ; Name of service template to use
 host_name                       GEEKHOST
 service_description             SSH
 check_command            check_ssh
 notifications_enabled        0
 }

define service{
 use                             local-service         ; Name of service template to use
 host_name                       GEEKHOST
 service_description             Logged in Users
 check_command                   show_remote_users!22!
 notifications_enabled           0
 }

define service{
 use                             local-service         ; Name of service template to use
 host_name                       GEEKHOST
 service_description             MYSQL
 check_command                   check_remote_mysql!22!root!<rootPassword>
 notifications_enabled           0
 }

#/etc/init.d/nagios restart

Open Nagios in the browser
http://<ip>/nagios