Ranting, Technically Speaking

In an earlier post , I mentioned Nagios as a system monitoring tool. It’s simple, it’s flexible, and out of the box, you can monitor network services without any software installed on the monitored systems.

Now if you want to monitor other aspects of a system, like it’s disk usage, you can either make that information generically visible on the network (say with SNMP) or you can install an agent for Nagios. The most common agent is NRPE.

Like everything else in Nagios, you first need a plugin for Nagios to be able to check nrpe and there’s a standard package available called, well, check_nrpe. Use your package manager of choice to install this plugin (nagios-plugins-nrpe in Fedora). I found that although this installed the Nagios plugin, it did not create a command definition so I created one myself. First run the check_nrpe command manually to see what arguments it takes and then add your command definition to your Nagios configuration. It should look something like this:

# 'check-nrpe' command definition
define command{
        command_name    check_nrpe
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ $ARG2$
        }

The command definition specifies the name of the command and then simply it’s invocation. The macros given ($USER1$, etc) are pretty generic and it’s pretty easy to work from existing command definitions or the Nagios documentation.

Now once you get NRPE installed on a client, the service definition is going to look something like this:

define service{
        use                             generic-service
        host_name                       Hudson
        service_description             DISK_ROOT
        check_command                   check_nrpe!check_root
        }

You should be able to get the NRPE agent installed on many “Linux” distros from the package manager. The agent can either run under inetd (preferred) or as a stand-alone daemon. If you are using xinetd (which you should), make sure you specify the Nagios server in the only_from line, enable the service and then kick xinetd. Since you’re using xinetd, basically all the service configuration is there leaving really only the command definitions in NRPE’s main config file (/etc/nagios/nrpe.cfg). In the main config file, you are going to specify the commands that can be run. Here’s the definition for the check_root command:

command[check_root]=/usr/lib64/nagios/plugins/check_disk -w 20% -c 10% -p /

As you can see, the command definition provides all the arguments needed such that the Nagios server should not ever have to pass any arguments to NRPE. This is for both safety and simplicity.

Now you’re done! Reload your NRPE and Nagios processes and check back in a few minutes to ensure your service check is working. If it’s not, typical issues are that the port is firewalled (TCP 5666 by default) or the Nagios host was not specified correctly in the only_from line (or the allowed_hosts line if not using a xinetd).

Next up is to monitor a Windows host. Since Microsoft doesn’t have a convenient software repository of third-party applications, you get to go download and install an agent yourself. There are a handful of choices but generally, NSC++ (NSCP) will be the one you want. It supports a variety of protocols including NRPE and NSCA (NSCA is for submitting passive checks). When you install NSCP, the installer will let you enable NRPE and should handle setting up NRPE as a service and opening the firewall for it. The one thing you have to do is either enable external scripts (preferred) or enable arguments. There are a handful of stock scripts and aliases provided which get you most of the basic functionality like checking disk usage etc.

One last note is that you can always quickly check if the NRPE (or NSCP) process is talking to the server okay by simply running the check_nrpe plugin manually giving it only the host. It will report OK if NRPE is working or an error if it is not:

[root@alma nagios]# /usr/lib/nagios/plugins/check_nrpe -H hudson
Connection refused by host
[root@alma nagios]# /usr/lib/nagios/plugins/check_nrpe -H hudson
NRPE v2.12

- Arch

The nice thing about programs like Firefox and Thunderbird is that you can get a lot of community-created plugins to make the program look and do what you want. The downside of programs like Firefox and Thunderbird, is there is (at least for me) a few plugins that have to be installed before they work well. So to that end, I’ve started building up a list of essential plugins.

The plugin model isn’t perfect, but it far exceeds the alternative which is that your applications all suck (Microsoft, I mean you). Heck, Nagios at the core doesn’t do anything at all for you, it’s all from plugins and I can’t rave enough about how great an application Nagios is.

- Arch

Battery backup at home went off today BEEEEEEEEEEEEEEEEEEEEEEP BEEEEEEEEEEEEEEEP! Everything shuts itself down and I go to reboot the UPS when *sniff* *sniff* ah yes, the distinctive smell of burned electronics. So that’s it finally. Adios APC BackUPS 350. You will torture us no more with your intermittent failures!

Now I have to look for a new UPS. Preferrably small in size (it has to go under my desk) and monitored. APC’s successor to the UPS model I had wasn’t monitored last time I checked, maybe they’ve got a newer model that is though. If not, I’ll have to look at other manufacturers and then that means looking at software support, etc.

Oh well, out with the old! Happy New Year’s!

- Arch

LiveUSB Creator, it’s a wonderful thing. Connect a USB key, get the LiveUSB Creator on your PC (Windows or “Linux”), point it either to a local .iso file for a Fedora live CD or let it download the version you want for you, click go, and shazzam! (yes, “shazzam”) You’ve now got a bootable Fedora USB key. And if you gave it a block of persistent storage, you’ve got, well, persistent storage to use in this OS for data files etc.

- Arch

For anyone who’s had to cleanup some mail problems with Postfix configuration (or more often with other things, like anti-spam, tied in but not part of postfix), it may be common enough that a large spool of mail gets queued up and needs to be pushed out. The easy way to do this is to do either “postfix flush” or “postqueue -f” which basically force Postfix to re-process pending messages (actually “deferred” usually) and send them out.

However, if either the queue is huge, or you don’t really know if you have your problems resolved and want to try a few messages before unleashing the masses, I found it was not clear how this can be done. There is a straight-forward way to do this which is to put everything on hold using “postsuper -h ALL deferred”, and then un-hold whichever messages you do want processed with “postsuper -H “.

Tres handy

I’ve had some problems in the somewhat recent past where my UPS goes into panic mode and because the battery was old / crappy, this made things “very bad”. I’ve had no issues since replacing the battery, but now I’m getting a picture of why it was so awful from apcupsd:

Mon Aug 31 11:13:36 PDT 2009  Power is back. UPS running on mains.
Mon Aug 31 11:13:34 PDT 2009  Power failure.
Thu Aug 27 11:20:20 PDT 2009  Power is back. UPS running on mains.
Thu Aug 27 11:20:18 PDT 2009  Power failure.
Sat Aug 22 16:59:32 PDT 2009  Power is back. UPS running on mains.
Sat Aug 22 16:59:29 PDT 2009  Power failure.
Sat Aug 22 16:56:29 PDT 2009  Power is back. UPS running on mains.
Sat Aug 22 16:56:27 PDT 2009  Power failure.
Fri Aug 21 00:12:33 PDT 2009  Power is back. UPS running on mains.
Fri Aug 21 00:12:31 PDT 2009  Power failure.
Fri Aug 21 00:11:52 PDT 2009  Power is back. UPS running on mains.
Fri Aug 21 00:11:50 PDT 2009  Power failure.
... etc

There are a lot of power events going on. Given that the time of the “power failure” is always 2 seconds, my guess is that this just means power is fluctuating. I’ve lived in places where this happened a bit and where it happened not at all, but this is the worst I’ve seen.

The only thing I can say is: get a UPS if you don’t have one! You may not need battery backup per se, but this is the kind of stuff that will send the power supply unit in your PC to an early grave. And if you’re unlucky, the PSU may just take other components of your PC with it.

- Archangel

One of the cool services that Google offers is the hosting of various services for your domain. Basically, you can brand Google with your own domain including mail, calendar, chat, docs, sites and “mobile” (I haven’t used “mobile”, but it includes sync services). The service is called Google Apps.

The “standard edition” is pretty much the standard services and limits you to 50 user accounts. And 50 people is quite a few for a personal domain or even a small business. Once you need more features or more accounts, its $50 / year per account. Which, truth be told, is pretty cheap since even just paying for anti-spam/anti-virus filtering is about $30 / year for pretty basic service from Symantec of whomever.

At any rate, I found it a bit confusing at first but mostly because I was setting this up in a sub-domain (dl.thenibble.org) on GoDaddy. But once I got in, it’s pretty easy. You get this dashboard which shows you which services are activated and you can just click on whichever ones you want and if DNS changes are required, it will tell you and give you pretty specific instructions. But there’s a lot. You have to do one just to activate the domain, add aliases for all your services (unless you want to use google.com/apps/mydomain or whatever), and then for email, there’s 5 MX records and for chat there’s about 10 SRV records.

But now that it’s all setup, it’s pretty fancy. You can create email groups, use docs, publish calendars, etc. I tried poking around a bit and really all that Google does for stuff like “sites” when you create an alias under your domain is it just redirects the user to sites.google.com/domain/whatever … So it won’t be a replacement for having a web host. But for email, it will just accept mail at your domain so it’s a full email service.

And standard edition is free. Did I mention that? Yeah, it’s ad-supported, but otherwise free.

Fun!
- Arch

Hardening a server takes two general activities: Reducing the number of services that can be attacked and protecting any services that are still required.

There are a lot of discussions on how to do this for various operating systems including RedHat Linux. RedHat’s Deployement Guide is a good resource.

The NSA also has documents on securing your operating system. However, they’re a little hard to get. I tried searching for RHEL5 on their site and had some difficulty access the documents in the search results:

Now it’s a little hard to access the documents on the NSA’s E drive, but I was able to eventually find them by getting in another way ;) … Okay, I didn’t breakin to the NSA to get on their E drive, I found the page that actually good links: NSA/CSS Operating Systems.

There’s a longer document (about 170 pages) and also a short reference (2 pages) which gives lots of good things to secure.

There are a lot of other good resources Online as well, so I won’t ramble further. Just turn off anything you don’t need, update what you do need frequently, and secure your system with a firewall, and other security tools (PortSentry, fail2ban, DenyHosts, anti-virus software, rootkit detection, etc, etc, etc).

- Arch

Under Debian (Ubuntu), there’s a helper script which does a lot of the work for adding a new blog. You need to create a hostname, add it as an alias in your apache config, and a database. Then use this helper script to setup the database and config:

/usr/share/doc/wordpress/examples/setup-mysql

Now if you want rename your blog say from “inaction.example.com” to “takeaction.example.com”, it’s pretty simple.

1. Create the new hostname in DNS,
2. Add it as an alias to your apache config,

<

3. Create a soft-link to the current config using the new name,
4. Edit the settings for your blog and give the new URL.

Edit: You can easily change the settings (from the last step) in the the db. If something goes terribly wrong, just poke around in there and update anything with the wrong URL.

- Arch

This actually a ret-con repost since I managed to mung my database again (hooray)… Anyhow, some time last month I finally did get everything moved off of Jessica (a VirtualBox VM) and onto Alia (actual hardware). It’s all good.