Friday, 23 September 2016

Keypairing and Keychain - Linux


What is key pairing:

     Normally we log in to each Linux system with its username and password. If we have around 50 systems, logging in with a username and password every time becomes tedious. To make it simpler we use key pairing (SSH public-key authentication).

How to do key pairing:


  •    Generate a key on your local machine as the respective user and copy the public key to the destination server with the commands below:
                     ssh-keygen
                     ssh-copy-id user@server_ip_address_or_hostname
  • After the public key is transferred to the server, and you have confirmed from a second session that key-based login works, you can disable password logon via SSH. Log on to the server and open the SSH daemon configuration file:
                    vi /etc/ssh/sshd_config
  • Make sure these lines are uncommented and the values are set as shown below:
                   PubkeyAuthentication yes
                   AuthorizedKeysFile   .ssh/authorized_keys
                   PasswordAuthentication no
  • Restart the SSH server once you are done:
                   /etc/init.d/ssh restart

What is Keychain:

     keychain is a special bash script designed to make key-based authentication incredibly convenient and flexible. It offers various security benefits over passphrase-free keys.
keychain is a manager for ssh-agent, typically run from your local ~/.bash_profile. By default, if you run long scripts such as a DB snapshot, your SSH login may get broken off.

     With the help of keychain, our shells and cron jobs can share a single ssh-agent process. By default, the ssh-agent started by keychain is long-running and will continue to run even after you have logged out from the system.

Where keychain helps us with security:

     If an attacker breaks into a server that holds passphrase-free keys, every other server or workstation reachable with those keys is also at risk (they can be breached just as easily). With keychain or ssh-agent, an attacker cannot reach your remote systems (servers) without first breaking your passphrase.

     Another example: if your laptop or hard disk is stolen, an attacker can simply copy your key and use it anywhere, because it is not protected by a passphrase.

How to set up keychain:  

Install Keychain on CentOS / RHEL / Fedora Linux
     # yum install keychain

Install Keychain on Debian / Ubuntu Linux
     # apt-get update && apt-get install keychain

Install Keychain on FreeBSD
     # portsnap fetch update
     # cd /usr/ports/security/keychain
     # make install clean

How do I use keychain:

     Once your OpenSSH keys are configured with a passphrase, do the key pairing to the remote server, log in and verify that it works. Then update your local $HOME/.bash_profile, your personal initialization file executed for login bash shells:

# vi $HOME/.bash_profile or $ vi $HOME/.bashrc

Append the following code:

     ### START-Keychain ###
     # Re-use ssh-agent and/or gpg-agent between logins
     /usr/bin/keychain $HOME/.ssh/id_dsa
     source $HOME/.keychain/$HOSTNAME-sh
     ### End-Keychain ###

Now you have keychain configured to run at every login. Log out and log back in to the server from your desktop to test your setup:

$ ssh root@xxx.yyy.in

Sample output:

 * keychain 2.7.1 ~ http://www.funtoo.org
 * Found existing ssh-agent: 10017
 * Found existing gpg-agent: 20605
 * Known ssh key: /home/techops/.ssh/id_rsa
[root@xxx.yyy.in ~]#

Testing the keychain:

Once logged in and verified, remove the local id_rsa file on your local system and try to log in. You can still log in to the server without your id_rsa passphrase key file. Now you are protected.

So crackers cannot penetrate your remote servers with your passphrase-protected keys.

How to delete/clear the ssh-agent's keys:

To clear the keys that keychain loaded into the agent, run the following command on your local machine:

# keychain --clear
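As an added example (not part of the original post), the shell script below checks an sshd_config for the three directives set above and tests whether a private key actually carries a passphrase, which is what makes keychain worthwhile. The two sample config files are constructed; the script is meant as a local check before you rely on the setup.

```shell
#!/bin/sh
# Added check for the sshd_config edits above (example code, not from the post).
# sshd applies the FIRST uncommented occurrence of each keyword, so a
# "PasswordAuthentication no" appended below a distribution default of
# "PasswordAuthentication yes" is silently ignored. Match blocks are not
# handled here.

# Print the effective value of keyword $2 in config file $1, or default $3
# when the keyword never appears uncommented.
sshd_effective() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Return 0 when $1 enforces key-only login as set in the post, else 1.
audit_sshd_config() {
    rc=0
    pubkey=$(sshd_effective "$1" PubkeyAuthentication yes)
    passwd=$(sshd_effective "$1" PasswordAuthentication yes)
    akf=$(sshd_effective "$1" AuthorizedKeysFile ".ssh/authorized_keys")
    [ "$pubkey" = yes ] || { echo "FAIL PubkeyAuthentication=$pubkey"; rc=1; }
    [ "$passwd" = no ]  || { echo "FAIL PasswordAuthentication=$passwd"; rc=1; }
    echo "INFO AuthorizedKeysFile=$akf"
    return $rc
}

# keychain only protects you if the private key actually has a passphrase:
# ssh-keygen -y with an empty passphrase succeeds only on an unprotected key.
# Returns 0 = protected, 1 = no passphrase, 2 = unreadable.
key_has_passphrase() {
    [ -r "$1" ] || return 2
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then return 1; else return 0; fi
}

# Constructed sample files (not real server configs).
tmp=$(mktemp -d)
cat > "$tmp/sshd_config.appended" <<'EOF'
#PubkeyAuthentication yes
PasswordAuthentication yes
# appended later, following the post:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
EOF
cat > "$tmp/sshd_config.fixed" <<'EOF'
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
EOF

audit_sshd_config "$tmp/sshd_config.appended" || echo "-> appended file is NOT hardened"
audit_sshd_config "$tmp/sshd_config.fixed" && echo "-> fixed file passes"
if command -v ssh-keygen >/dev/null 2>&1 && [ -r "$HOME/.ssh/id_rsa" ]; then
    if key_has_passphrase "$HOME/.ssh/id_rsa"; then echo "id_rsa has a passphrase"
    else echo "id_rsa is NOT passphrase-protected"; fi
fi
rm -rf "$tmp"
```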


Thursday, 22 September 2016

Removing unwanted spaces using the tr command in Linux

     Everyone would like to find a pearl in the ocean, but it is not easy. In the same way, extracting an exact string from selected content is a tricky task. I spent a lot of time finding the right command on the internet, so I am sharing it here in case it helps you.


Example:

   Suppose I want to get the exact domain from the system information using the command below. Using awk or cut gives the result, but it also includes extra whitespace along with the result, which is not helpful when passing the result into Perl or shell scripts.

      So trimming the whitespace is important here. The final command given below achieves this.

Commands:

1. Get the domain name of your system:

# facter domain
xxx.yyyyyy.com

2. Get the xxx part from the domain name above:

# facter domain | cut -d "." -f 1
xxx

(partial success: this result still carries unwanted whitespace)

3. Finally, remove the unwanted whitespace with the command below:

# facter domain | cut -d "." -f 1 | tr -d '[:space:]'
xxx

Brief Explanation of above command:


What is Facter:

     Facter is a small program that gathers system information such as hardware details, network settings, virtualisation type and kernel/OS information. Facter was created for Puppet to gather system information, but is also available as a standalone command.

cut:

cut extracts fields from each line: -d sets the delimiter, -f selects the field.

tr:

tr translates or deletes characters: -d deletes, [:space:] matches all horizontal and vertical whitespace.
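Added example (not part of the post): the cut/tr pipeline wrapped as a function reading stdin, alongside a sed variant that trims only the ends of the line. The sample input is constructed to mimic facter output with surrounding whitespace, and the last two calls show where the two approaches differ.

```shell
#!/bin/sh
# Example code, not from the post. Both functions read one line on stdin.

# The post's approach: delete every whitespace character, newline included.
first_label_tr() {
    cut -d "." -f 1 | tr -d '[:space:]'
}

# Alternative: strip only leading/trailing whitespace, keeping inner spaces
# for inputs where inner whitespace is meaningful.
first_label_trim() {
    cut -d "." -f 1 | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Constructed sample resembling "facter domain" output with stray spaces.
sample='  xxx.yyyyyy.com  '
printf '%s\n' "$sample" | first_label_tr; echo     # xxx
printf '%s\n' "$sample" | first_label_trim         # xxx
# Where the two differ: tr -d also removes inner spaces.
printf '%s\n' ' my host.example.com ' | first_label_tr; echo    # myhost
printf '%s\n' ' my host.example.com ' | first_label_trim        # my host
```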

Tuesday, 20 September 2016

Configuring Network Alias IP in CentOS


1. What is IP alias:

     IP aliasing is associating more than one IP address with a physical network interface. With this, one node on a network can have multiple connections to the network, each serving a different purpose. An alias network interface is configured on top of an existing physical network interface.

2. What is needed for IP aliasing:
Physical network interface connectivity on the server.
Multiple available IP addresses.

Limitations of IP aliasing:
Subnet aliasing: the alias interface IP address should preferably be in the same subnet as the physical interface below it; if not, proper network infrastructure configuration is needed.
DHCP: alias interfaces do not support DHCP.
Naming: if the physical network interface is named eth0, alias interfaces on top of it are named eth0:0, eth0:1, ...; if the physical interface is named eth1, its aliases are named eth1:0, eth1:1, and so on.


IP Alias Network Interface

2. Non-Persistent IP Alias Configuration

Non-persistent IP aliases do not survive a Linux server reboot. This means the IP alias is only configured for the time the server is up and running and will disappear if the server is rebooted. The following is the Linux command line syntax to configure a non-persistent alias network interface, where X numbers the configured physical network interface, Y numbers the desired alias interface starting with 0, and IPADDRESS is the IP address we want to assign to our alias network interface:

[root@foo1 ~]# ifconfig ethX:Y IPADDRESS up


We can check if alias network interface is up and running with the following linux command (look for the ethX:Y interface):

[root@foo1 ~]# ifconfig


Example: In the following example a physical interface eth0 is properly configured with tested network connectivity and has an IP address 192.168.1.100. We can configure an alias network interface called eth0:0 and IP address 192.168.1.101 with the following command:

[root@foo1 ~]# ifconfig eth0:0 192.168.1.101 up


We can check if alias network interface is up with ifconfig, looking for the eth0:0 and IP address 192.168.1.101:

[root@foo1 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:A9:01:61
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fea9:161/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4726 errors:0 dropped:0 overruns:0 frame:0
          TX packets:732 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:542695 (529.9 KiB)  TX bytes:115702 (112.9 KiB)

eth0:0    Link encap:Ethernet  HWaddr 08:00:27:A9:01:61
          inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:140 errors:0 dropped:0 overruns:0 frame:0
          TX packets:140 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11760 (11.4 KiB)  TX bytes:11760 (11.4 KiB)

3. Persistent IP Alias Configuration

Persistent IP aliases survive linux server reboot and are configured in alias network configuration file. Network configuration files are stored in /etc/sysconfig/network-scripts/ directory and are named ifcfg-ethX, where X is a number of the physical network interface. Alias network configuration files are named ifcfg-ethX:Y, where X is the number of the physical network interface and Y is the number of the alias network interface.



The quickest and easiest way to create alias network interface configuration file is to copy an existing physical network interface configuration file with working network connectivity by running the following command:

[root@foo1 ~]# cp /etc/sysconfig/network-scripts/ifcfg-ethX /etc/sysconfig/network-scripts/ifcfg-ethX:Y


…where X is the number of the physical network interface and Y is the number of the alias network interface.

Next we need to edit the newly created file /etc/sysconfig/network-scripts/ifcfg-ethX:Y with the preferred file editor and replace the following physical network interface (ethX) entries with the desired new alias network interface (ethX:Y) entries.

Replace:

DEVICE=ethX

With:

DEVICE=ethX:Y

Find the IPADDR line of your ethX physical network interface:

IPADDR=XXX.XXX.XXX.XXX

And replace it with the desired alias network interface IP address:

IPADDR=YYY.YYY.YYY.YYY

When the alias network interface configuration file is ready, we can bring the alias network interface up by running the following command:

[root@foo1 ~]# ifup ethX:Y


We can check if alias network interface is up with ifconfig command (look for the ethX:Y interface):

[root@foo1 ~]# ifconfig


Example: This is a working example of the physical network interface configuration file (eth0):

/etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.1.100
NETMASK=255.255.255.0
GATEWAY=192.168.1.1


And a working example of the alias network interface (eth0:0) on top of physical network interface (eth0):

/etc/sysconfig/network-scripts/ifcfg-eth0:0

DEVICE=eth0:0
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.1.101
NETMASK=255.255.255.0
GATEWAY=192.168.1.1


By running ifup command, we bring alias network interface up and running:

[root@foo1 ~]# ifup eth0:0


Checking for alias network interface eth0:0 with the IP address 192.168.1.101 with ifconfig command:

[root@foo1 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:A9:01:61
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fea9:161/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4726 errors:0 dropped:0 overruns:0 frame:0
          TX packets:732 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:542695 (529.9 KiB)  TX bytes:115702 (112.9 KiB)

eth0:0    Link encap:Ethernet  HWaddr 08:00:27:A9:01:61
          inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:140 errors:0 dropped:0 overruns:0 frame:0
          TX packets:140 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11760 (11.4 KiB)  TX bytes:11760 (11.4 KiB)
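As an added helper (example code, not from the post), the function below generates ifcfg-ethX:Y from ifcfg-ethX the way the copy-and-edit steps above do, with the checks a sysadmin would want first: a numeric alias index, a valid dotted-quad address, a static (non-DHCP) base interface, and no overwriting of an existing alias file. The network-scripts directory is a parameter so it can be tried on a scratch copy; the default is the CentOS path, and the sample ifcfg-eth0 is constructed from the post's example.

```shell
#!/bin/sh
# Example code, not from the post. Usage: make_alias_ifcfg ethX Y IP [dir]
make_alias_ifcfg() {
    phys=$1; num=$2; ip=$3; dir=${4:-/etc/sysconfig/network-scripts}
    src="$dir/ifcfg-$phys"; dst="$dir/ifcfg-$phys:$num"
    [ -r "$src" ] || { echo "no config for $phys at $src" >&2; return 1; }
    case $num in ''|*[!0-9]*) echo "alias number must be numeric" >&2; return 1;; esac
    # Only accept a dotted quad with each octet in 0-255.
    echo "$ip" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }' ||
        { echo "bad IPv4 address: $ip" >&2; return 1; }
    # Aliases do not support DHCP (limitation noted above): the base must be static.
    grep -qiE '^BOOTPROTO="?dhcp' "$src" &&
        { echo "$phys uses DHCP; aliases need a static base" >&2; return 1; }
    # Never overwrite an alias file that already exists.
    [ -e "$dst" ] && { echo "$dst already exists" >&2; return 1; }
    sed -e "s/^DEVICE=.*/DEVICE=$phys:$num/" -e "s/^IPADDR=.*/IPADDR=$ip/" "$src" > "$dst"
    echo "$dst"
}

# Constructed scratch directory with the post's ifcfg-eth0 (not the live system).
d=$(mktemp -d)
cat > "$d/ifcfg-eth0" <<'EOF'
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.1.100
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
EOF
make_alias_ifcfg eth0 0 192.168.1.101 "$d" && cat "$d/ifcfg-eth0:0"
rm -rf "$d"
```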

Tuesday, 13 September 2016

Step by step installation of NRPE and PNP4Nagios

NRPE allows you to remotely execute Nagios plugins on other Linux/Unix machines. This allows you to monitor remote machine metrics (disk usage, CPU load, etc.). NRPE can also communicate with Windows agent addons like NSClient++, so you can check metrics on remote Windows machines as well.

Download the required packages from the URLs below.
Download link for NRPE:
http://exchange.nagios.org/directory/Addons/Monitoring-Agents/NRPE--2D-Nagios-Remote-Plugin-Executor/details

Download link for Nagios plugins:
http://www.nagios.org/download/plugins

NRPE INSTALLATION STEPS

1. Install the Nagios plugins

A nagios user is needed on every end system so that the Nagios server can make the end systems execute the commands/plugins as the nagios user.

Note: Follow the steps below as the root user
         # sudo su (or) su - root
# useradd nagios
# passwd nagios

The SSL libraries are a dependency of the NRPE addon; install them with the command below:

# yum install openssl openssl-devel

Change to the directory of the downloaded plugins and follow these steps:

# cd nagios-plugins-2.*/
# ./configure
# make
# make install

# chown nagios:nagios /usr/local/nagios
# chown nagios:nagios /usr/local/nagios/libexec/ -R
# yum install xinetd

2. To Install NRPE addon

Change to the downloaded nrpe directory and follow these steps:

# cd nrpe-2.15
# ./configure

# make all
# make install-plugin
# make install-daemon
# make install-daemon-config
# make install-xinetd

Open the file below and add the Nagios server IP address so that NRPE requests from it are allowed:

# vim /etc/xinetd.d/nrpe 

Add the following entry for the NRPE daemon to the /etc/services file:

nrpe 5666/tcp # NRPE

Restart the xinetd service:
# service xinetd restart (or) /etc/init.d/xinetd restart

Check whether the nrpe port (5666) is listening:
# netstat -at | grep nrpe 

Verify the NRPE add-on; it should produce output like the following:

# /usr/local/nagios/libexec/check_nrpe -H 127.0.0.1
NRPE v2.15

After that, configure your own scripts to monitor the instances, or download checks from Nagios Exchange.

After downloading and editing the scripts, edit the /usr/local/nagios/etc/nrpe.cfg file to add monitoring for the services.
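As an added check (example code, not from the post) for the exposure steps above: the only_from line of the xinetd nrpe file should list only the Nagios server and localhost, and /etc/services should carry the nrpe entry. File paths are parameters so the check can run against constructed copies; the xinetd sample and the server address 192.0.2.10 below are constructed placeholders, not taken from a real server.

```shell
#!/bin/sh
# Example code, not from the post.

# Print the hosts listed on the only_from line of an xinetd service file,
# or nothing if the line is absent (xinetd then accepts from anywhere).
nrpe_only_from() {
    sed -n 's/^[[:space:]]*only_from[[:space:]]*=[[:space:]]*//p' "$1"
}

# Return 0 when $1 (xinetd nrpe file) restricts access to exactly the hosts
# in $2 (space-separated) and $3 (/etc/services) maps nrpe to 5666/tcp.
nrpe_check() {
    rc=0
    hosts=$(nrpe_only_from "$1")
    [ -n "$hosts" ] || { echo "FAIL only_from missing: NRPE open to any host"; rc=1; }
    for h in $hosts; do
        case " $2 " in *" $h "*) ;; *) echo "FAIL unexpected host in only_from: $h"; rc=1;; esac
    done
    for h in $2; do
        case " $hosts " in *" $h "*) ;; *) echo "FAIL expected host not allowed: $h"; rc=1;; esac
    done
    grep -qE '^nrpe[[:space:]]+5666/tcp' "$3" || { echo "FAIL nrpe 5666/tcp missing in services"; rc=1; }
    return $rc
}

# Constructed samples, not files from a real server.
t=$(mktemp -d)
cat > "$t/nrpe" <<'EOF'
service nrpe
{
        socket_type     = stream
        port            = 5666
        user            = nagios
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        only_from       = 127.0.0.1 192.0.2.10
        disable         = no
}
EOF
printf 'nrpe 5666/tcp # NRPE\n' > "$t/services"
nrpe_check "$t/nrpe" "127.0.0.1 192.0.2.10" "$t/services" && echo "NRPE exposure OK"
rm -rf "$t"
```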


PNP4NAGIOS INSTALLATION STEPS

PNP is an addon to Nagios which analyses the performance data provided by plugins and stores it automatically in RRD databases.

Prerequisites:

# yum -y install rrdtool rrdtool-perl php-gd

Downloading and compiling pnp4nagios:

# cd ~/Downloads
# wget http://sourceforge.net/projects/pnp4nagios/files/PNP-0.6/pnp4nagios-0.6.21.tar.gz

Installation of pnp4nagios:

# tar -zxvf pnp4nagios-0.6.21.tar.gz
# cd pnp4nagios-0.6.21
# ./configure

or, when rrdtool is installed under /usr/local/rrdtool, pass its paths to configure:

# ./configure --with-rrdtool=/usr/local/rrdtool/bin/rrdtool --with-perl_lib_path=/usr/local/rrdtool/lib/perl/5.10.1/x86_64-linux-thread-multi

# make all
# make install
# make install-webconf
# make install-config


Change the main configuration file nagios.cfg to work with pnp4nagios:

# vim /usr/local/nagios/etc/nagios.cfg

1. Add the lines below to nagios.cfg

process_performance_data=1
#
# service performance data
#
service_perfdata_file=/usr/local/pnp4nagios/var/service-perfdata
service_perfdata_file_template=DATATYPE::SERVICEPERFDATA\tTIMET::$TIMET$\tHOSTNAME::$HOSTNAME$\tSERVICEDESC::$SERVICEDESC$\tSERVICEPERFDATA::$SERVICEPERFDATA$\tSERVICECHECKCOMMAND::$SERVICECHECKCOMMAND$\tHOSTSTATE::$HOSTSTATE$\tHOSTSTATETYPE::$HOSTSTATETYPE$\tSERVICESTATE::$SERVICESTATE$\tSERVICESTATETYPE::$SERVICESTATETYPE$
service_perfdata_file_mode=a
service_perfdata_file_processing_interval=15
service_perfdata_file_processing_command=process-service-perfdata-file

#
# host performance data starting with Nagios 3.x
#
host_perfdata_file=/usr/local/pnp4nagios/var/host-perfdata
host_perfdata_file_template=DATATYPE::HOSTPERFDATA\tTIMET::$TIMET$\tHOSTNAME::$HOSTNAME$\tHOSTPERFDATA::$HOSTPERFDATA$\tHOSTCHECKCOMMAND::$HOSTCHECKCOMMAND$\tHOSTSTATE::$HOSTSTATE$\tHOSTSTATETYPE::$HOSTSTATETYPE$
host_perfdata_file_mode=a
host_perfdata_file_processing_interval=15
host_perfdata_file_processing_command=process-host-perfdata-file




2. Add the commands to the object configuration.

# vim /usr/local/nagios/etc/objects/commands.cfg


define command{
command_name process-service-perfdata-file
command_line /bin/mv /usr/local/pnp4nagios/var/service-perfdata /usr/local/pnp4nagios/var/spool/service-perfdata.$TIMET$
}


define command{
command_name process-host-perfdata-file
command_line /bin/mv /usr/local/pnp4nagios/var/host-perfdata /usr/local/pnp4nagios/var/spool/host-perfdata.$TIMET$
}


To create a shortcut to PNP next to each host, with a popup, in the web UI

Prerequisites:
PNP is installed.
Copy the file status-header.ssi from the contrib/ssi/ folder of the PNP package to /usr/local/nagios/share/ssi/.
Attention: this file must NOT be executable. Otherwise it will be treated as a CGI, which will result in an error.

Add the action_url directive to the templates:

# vim /usr/local/nagios/etc/objects/templates.cfg

For host templates:

action_url /pnp4nagios/index.php/graph?host=$HOSTNAME$&srv=_HOST_'class='tips'rel='/pnp4nagios/index.php/popup?host=$HOSTNAME$&srv=_HOST_

For service templates:

action_url /pnp4nagios/index.php/graph?host=$HOSTNAME$&srv=$SERVICEDESC$'class='tips'rel='/pnp4nagios/index.php/popup?host=$HOSTNAME$&srv=$SERVICEDESC$

Run the command below to collect the data:

/usr/local/pnp4nagios/bin/npcd -d -f /usr/local/pnp4nagios/etc/npcd.cfg

Restart Apache and Nagios to apply the new changes:

# /etc/init.d/nagios restart
# /etc/init.d/httpd restart

Open the PNP4Nagios web page by entering

http://localhost/pnp4nagios/

After your environment has passed all the requirement checks, you need to delete the install.php file:

# rm -rf /usr/local/pnp4nagios/share/install.php

You have successfully installed NRPE addon and PNP4Nagios.


Step by Step Nagios Core installation in CentOS

Nagios is one of the more user-friendly monitoring tools and a boon for DevOps teams monitoring servers. Around 60% of users were using Nagios worldwide. Nagios Core is a free and open-source application that monitors systems, networks and infrastructure. It reports the state of all sorts of hosts, and one of its primary advantages is that the configuration can be as simple or as complex as required.

  • Nagios offers monitoring and alerting services for servers, switches, applications and services. 
  • Nagios was originally designed to run under Linux, but it also runs well on other Unix variants.
  • Nagios will send PING requests to the hosts and will notify us when it fails.
  • It alerts users when things go wrong and alerts them a second time when the problem has been resolved.
  • Nagios will collect the slave data through NRPE.
  • Default Update interval for Nagios core is 90 Seconds.
  • Alert states: OK, WARNING, CRITICAL, UNKNOWN.

Prerequisites:

Package requirements may vary depending on the platform Nagios is being installed on.

# yum install wget httpd php
# yum install gcc glibc glibc-common
# yum install gd gd-devel make net-snmp
# yum install openssl openssl-devel

Download Nagios Core and Plugins:

Note: Find the latest stable version at the links below.

Download link for Nagios core:
http://www.nagios.org/download/core/thanks/?t=1385616648

Download link for Nagios plugins:

http://www.nagios.org/download/plugins


Extract the tar files:

# mkdir ~/Downloads &&  cd ~/Downloads
# tar xzf nagios-*.tar.gz
# tar xzf nagios-plugins-*.tar.gz

Creating the Nagios user and group:

 i) Create a new nagios user account and a new nagcmd group
ii) Add both the nagios user and the apache user to the group

# useradd nagios
# groupadd nagcmd
# usermod -a -G nagcmd nagios

Nagios Core Installation:

# cd ~/Downloads/nagios*

Run the Nagios configure script:

# ./configure --with-nagios-user=nagios --with-nagios-group=nagcmd

Compile the Nagios source code:

# make all

Install binaries, init script, sample config files:

# make install
# make install-init
# make install-config
# make install-commandmode

Install the Nagios web config file in the Apache conf.d directory:

# make install-webconf

Create a Default User for Web Access:

# htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin


Nagios Plugin Installation:

# cd ~/Downloads/nagios-plugins*

Compile and install the plugins:

# ./configure --with-command-group=nagcmd

Install the Nagios Plugins:

# make
# make install


Copy the event handlers and change their ownership to the nagios user:

# cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/
# chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers

Set nagios and httpd to start at boot:

# chkconfig nagios --level 235 on
# chkconfig httpd --level 235 on

Verify the sample Nagios configuration files:

# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

Note:

To avoid the error “Error: Could not open command file ‘/var/nagios/rw/nagios.cmd’ for update!”, run:

# chown nagios.nagcmd /usr/local/nagios/var/rw
# chmod g+rwx /usr/local/nagios/var/rw
# chmod g+s /usr/local/nagios/var/rw
# usermod -G nagcmd apache

If it seems to be OK, then start Nagios and httpd:

# /etc/init.d/httpd start
# /etc/init.d/nagios start

Nagios Web Interface

http://localhost/nagios/

If you are able to load the above URL, you have successfully installed Nagios Core.