How to Protect Linux Against the Shellshock Bash Vulnerability

The Shellshock vulnerability can be exploited on systems that run services or applications that allow unauthorized remote users to assign Bash environment variables.

Examples of exploitable systems include the following:

  • Apache HTTP Servers that use CGI scripts (via mod_cgi and mod_cgid) that are written in Bash or launch Bash subshells
  • Certain DHCP clients
  • OpenSSH servers that use the ForceCommand capability
  • Various network-exposed services that use Bash

On each of your systems that run Bash, you may check for Shellshock vulnerability by running the following command at the bash prompt:

env VAR='() { :;}; echo Bash Linux has Bugs' bash -c "echo Bash Linux is safe"

The echo Bash Linux has Bugs portion of the command stands in for the point where a remote attacker could inject malicious code: arbitrary commands placed after a function definition within an environment variable assignment. Therefore, if you see the following output, your version of Bash is vulnerable and should be updated:

Bash Linux has Bugs
Bash Linux is safe

Otherwise, if your output does not include the simulated attacker’s payload, i.e. “Bash Linux has Bugs” is not printed, your version of Bash is not vulnerable. The output may look something like this:

bash: warning: VAR: ignoring function definition attempt
bash: error importing function definition for `VAR'
Bash Linux is safe

If your version of Bash is vulnerable, read on to learn how to update Bash and fix the vulnerability.

Debian / Ubuntu – Open a terminal and type in:

sudo apt-get update && sudo apt-get install --only-upgrade bash

CentOS / Red Hat / Fedora – Open a terminal and type in:

su
yum update bash

Now check your system for the vulnerability again by running this command:

env VAR='() { :;}; echo Bash Linux has Bugs' bash -c "echo Bash Linux is safe"

Be sure to update all of your affected servers to the latest version of Bash!
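The self-test above can be scripted so that the same env-variable probe is run against a given bash binary and the result is classified from its output. This is an added example, not part of the original post; the helper names (classify_output, check_bash) and the marker strings are its own.

```python
"""Shellshock self-check: runs the env-variable probe from the text against a
given bash binary and classifies the result. Added example; helper names and
marker strings are this example's own, not from the original post."""
import shutil
import subprocess

# The probe the text uses: a function body followed by an extra command.
# On a vulnerable bash the trailing echo runs while the environment is
# imported, i.e. before "bash -c" even executes its own command.
PAYLOAD_MARKER = "Bash Linux has Bugs"
CONTROL_MARKER = "Bash Linux is safe"
PROBE_VALUE = "() { :;}; echo " + PAYLOAD_MARKER


def classify_output(stdout: str) -> str:
    """Classify the probe result from bash's standard output.

    "vulnerable": the injected echo ran.
    "patched":    only the control echo ran (older fixed builds also warn on
                  stderr about "ignoring function definition attempt";
                  newer ones silently treat VAR as a plain variable).
    "unknown":    not even the control command produced output (wrong
                  binary, crash, missing bash).
    """
    if PAYLOAD_MARKER in stdout:
        return "vulnerable"
    if CONTROL_MARKER in stdout:
        return "patched"
    return "unknown"


def check_bash(bash_path: str = "bash") -> str:
    """Run the probe against bash_path and classify the outcome."""
    resolved = shutil.which(bash_path)
    if resolved is None:
        return "unknown"
    # Minimal environment: only PATH plus the probe variable.
    env = {"PATH": "/usr/bin:/bin", "VAR": PROBE_VALUE}
    try:
        proc = subprocess.run(
            [resolved, "-c", "echo " + CONTROL_MARKER],
            env=env, capture_output=True, text=True, timeout=10, check=False,
        )
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return classify_output(proc.stdout)


if __name__ == "__main__":
    print("local bash:", check_bash())
```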

How to reset a forgotten Mac password

If you forgot your Mac password, you’ll need to reset it, and there are several ways to do this.

If the Mac runs OS X 10.4, you only need the installation CD. Insert it into the computer and reboot. When it starts up, select UTILITIES > RESET PASSWORD.

Choose a new password and then use that to log in.

If the Mac runs OS X 10.5, restart the computer and press COMMAND + S. At the prompt, type:

fsck -fy
mount -uw /
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
dscl . -passwd /Users/UserName newpassword

That’s it. Now that the password is reset, you can log in.

How to fix an unstable wifi connection after the 14.04 upgrade

After upgrading the computer from Ubuntu 13.10 to 14.04, the wifi connection has been really unstable. The connection frequently drops, fails to connect, or is very slow.

You should deactivate the N-mode (802.11n) of the iwlwifi driver.

Open a Terminal (CTRL+ALT+T) and type these commands:

sudo apt-get update
echo "options iwlwifi 11n_disable=1" | sudo tee /etc/modprobe.d/iwlwifi.conf
sudo modprobe -rfv iwlwifi
sudo modprobe -v iwlwifi


Note:

Additionally, you can deactivate the power management of the card:

sudo iwconfig wlan0 power off

How to Secure your Linux Server

Securing your environment starts during the ordering process, when you are deploying server resources, especially if you want to deploy a quick server without putting it behind an extra hardware firewall layer or deploying it with APF (Advanced Policy Firewall).

Here are a couple of security hardening tips. I set my servers up with a solid base level of security when I deploy a Linux system.


Limit physical access and booting capabilities

  • Enable a BIOS password.
  • Disable floppy and USB booting.
  • Set a LILO or GRUB password (/etc/lilo.conf or /boot/grub/menu.lst, respectively).
  • Check that the LILO or GRUB configuration file is read-protected.


Disable Root Login

When you need super-user permissions, use sudo instead of su. Sudo is more secure than su: when a user runs root-level commands through sudo, all of them are logged by default in /var/log/secure. Furthermore, a user’s sudo authentication only lasts a short time, after which they must enter their password again to run further sudo commands.

Note:
You should stop using root!


Partitioning

  • Separate user-writable data, non-system data, and rapidly changing run-time data to their own partitions
  • Set nosuid,noexec,nodev mount options in /etc/fstab on ext2 partitions such as /tmp


Limiting the network access

  • Install and configure ssh (set PermitRootLogin no and PermitEmptyPasswords no in its configuration under /etc/ssh).
  • Consider disabling or removing in.telnetd.
  • Generally, disable gratuitous services in /etc/inetd.conf using update-inetd --disable (or disable inetd altogether, or use a replacement such as xinetd or rlinetd).
  • Disable other gratuitous network services; mail, ftp, DNS, www etc. should not be running if you do not need them, and monitor the ones you do run regularly.
  • For those services which you do need, do not just use the most common programs; look for more secure versions shipped with Debian (or from other sources). Whatever you end up running, make sure you understand the risks.
  • Set up chroot jails for outside users and daemons.
  • Configure a firewall and tcpwrappers (i.e. hosts_access via /etc/hosts.allow and /etc/hosts.deny).
  • If you run ftp, set up your ftpd server to always run chrooted to the user’s home directory.
  • If you run X, disable xhost authentication and go with ssh instead; better yet, disable remote X if you can (add -nolisten tcp to the X command line and turn off XDMCP in /etc/X11/xdm/xdm-config by setting requestPort to 0).
  • Disable outside access to printers.
  • Tunnel any IMAP or POP sessions through SSL or ssh; install stunnel if you want to provide this service to remote mail users.
  • Set up a loghost and configure other machines to send logs to this host (/etc/syslog.conf).
  • Secure BIND, Sendmail, and other complex daemons (run in a chroot jail; run as a non-root pseudo-user).
  • Install snort or a similar logging tool.
  • Do without NIS and RPC if you can (disable portmap).
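Two of the checklist items above, PermitRootLogin / PermitEmptyPasswords in the ssh daemon configuration and the nosuid,noexec,nodev options on /tmp in /etc/fstab, can be audited from the files' text. The following is an added example, not from the original post; its function names and sample configuration snippets are constructed, and the sshd parser stops at the first Match block because settings inside one are conditional.

```python
"""Audit of two checklist items: PermitRootLogin/PermitEmptyPasswords in the
sshd configuration and nosuid,noexec,nodev on /tmp in /etc/fstab.
Added example, not from the original post; function names and the sample
configuration snippets are constructed."""
from typing import Dict, List

REQUIRED_TMP_OPTS = {"nosuid", "noexec", "nodev"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> value for the global section of an sshd_config.

    Keywords are case-insensitive, '#' starts a comment, the value may be
    separated by whitespace or a single '=', and sshd honours the FIRST
    occurrence of a keyword, so later duplicates are ignored here too.
    Parsing stops at the first Match block (conditional settings).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd(text: str) -> List[str]:
    """Findings for the two ssh settings recommended in the checklist."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    root = cfg.get("permitrootlogin")
    if root is None:
        # The built-in default differs between OpenSSH versions, so an
        # explicit "no" is the only setting that is safe everywhere.
        findings.append("PermitRootLogin not set explicitly; set it to no")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin is {root}; set it to no")
    empty = cfg.get("permitemptypasswords", "no")  # sshd default is no
    if empty.lower() != "no":
        findings.append(f"PermitEmptyPasswords is {empty}; set it to no")
    return findings


def audit_fstab(text: str, mountpoint: str = "/tmp") -> List[str]:
    """Findings for the mount options on mountpoint (default /tmp)."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[1] != mountpoint:
            continue
        missing = sorted(REQUIRED_TMP_OPTS - set(fields[3].split(",")))
        if missing:
            return [f"{mountpoint} is missing mount options: {','.join(missing)}"]
        return []
    return [f"{mountpoint} has no entry in fstab; give it its own partition"]


# Constructed samples: a weak configuration and a hardened one.
WEAK_SSHD = """# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PermitEmptyPasswords yes
PasswordAuthentication yes
"""
HARDENED_SSHD = """PermitRootLogin no
PermitEmptyPasswords no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""
WEAK_FSTAB = """# constructed sample fstab
UUID=0000-root  /     ext4  errors=remount-ro  0 1
/dev/sda3       /tmp  ext4  defaults,nodev     0 2
"""
HARDENED_FSTAB = "/dev/sda3 /tmp ext4 defaults,nosuid,noexec,nodev 0 2\n"

if __name__ == "__main__":
    print("weak sshd_config:", audit_sshd(WEAK_SSHD))
    print("weak fstab:", audit_fstab(WEAK_FSTAB))
```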


Password hygiene and login security

  • Do not choose passwords shorter than 8 characters; create complexity with upper- and lower-case letters, special characters and numbers, e.g. Qu4DL1nux*I0
  • Enable password shadowing and MD5.
  • Install and use PAM: add MD5 support to PAM and make sure that (generally speaking) entries in /etc/pam.d/ files which grant access to the machine have the second field set to “requisite” or “required”.
  • Tweak /etc/pam.d/login so as to only permit local root logins.
  • Also mark authorized ttys in /etc/security/access.conf and generally set up this file to limit root logins as much as possible.
  • Add pam_limits.so if you want to set per-user limits.
  • Tweak /etc/pam.d/passwd: set the minimum length of passwords higher (6 characters maybe) and enable md5.
  • Add group wheel to /etc/group if desired; add a pam_wheel.so group=wheel entry to /etc/pam.d/su.
    For custom per-user controls, use pam_listfile.so entries where appropriate.
  • Have an /etc/pam.d/other file and set it up with tight security.
  • Set up limits in /etc/security/limits.conf (note that /etc/limits is not used if you are using PAM).
  • Tighten up /etc/login.defs; also, if you enabled MD5 and/or PAM, make sure you make the corresponding

Note:
Disable root ftp access in /etc/ftpusers
Disable network root login; use su or sudo.

Policy issues

  • Educate users about the whys and hows of your policies. When you have prohibited something which is regularly available on other systems, provide documentation which explains how to accomplish similar results using other, more secure means.
  • Prohibit use of protocols which use cleartext passwords (telnet, rsh and friends; ftp, imap, http)
  • Prohibit programs which use SVGAlib.
  • Use disk quotas.

Update Kernel and Software

Ensure your kernel and software patches are up to date. I like to make sure my Linux kernel and software are always up to date because patches are constantly being released with corrected security flaws and exploits. Remember you have access to SoftLayer’s private network for updates and patches, so you don’t have to expose your server to the public network to get updates. Run this with sudo to get updates in RedHat or CentOS: yum update.

How to protect a Linux server against denial of service (DoS) attacks

A denial of service (DoS) attack is, according to Wikipedia:

In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used with regards to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.[1]

One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

But most of the time this kind of attack is attempted against web servers, and that is the case for which I’m going to show you how to protect a Linux server, using fail2ban.

What is Fail2ban

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc.).

Fail2Ban is able to reduce the rate of incorrect authentication attempts; however, it cannot eliminate the risk that weak authentication presents. Configure services to use only two-factor or public/private key authentication mechanisms if you really want to protect them.

Installation

Open a Terminal (CTRL+ALT+T) and type these commands:

Debian / Ubuntu

sudo -i
apt-get install fail2ban

Red Hat / CentOS

su
yum install fail2ban

Configuration

Whatever distribution you are using, there are two main configuration files to consider:

/etc/fail2ban/fail2ban.conf
/etc/fail2ban/jail.conf

Make a ‘local’ copy of jail.conf (or fail2ban.conf) in /etc/fail2ban; fail2ban reads the .local file on top of the .conf file, so your changes survive package upgrades:

cd /etc/fail2ban
cp jail.conf jail.local

Now edit the file:

nano jail.local

Basic configurations are listed under the [DEFAULT] heading in the configuration file for fail2ban.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
findtime  = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3


Protect SSH/SFTP

After the basic settings in the conf file, you can find the section for SSH, [ssh-iptables]. Update the section and restart the fail2ban service.

Example:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 3

Then restart the service:

service fail2ban restart

Protect your FTP server:

Example (the jail below ships with enabled = false; set it to true to activate it):

[proftpd-iptables]

enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 5

Then restart the service:

service fail2ban restart
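To see how findtime, maxretry, bantime and ignoreip from the [DEFAULT] section interact with the sshd jail above, the following added example (not fail2ban's own code) replays constructed sshd log lines through the same counting logic; the function names, the sample lines and the assumed log year are this example's own.

```python
"""Replay of fail2ban's findtime / maxretry / bantime / ignoreip logic over
constructed sshd log lines. Added example, not fail2ban's own code; the
function names, the sample lines and the assumed log year are its own."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Matches the "Failed password" lines the sshd filter looks for.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\S+) port \d+"
)
LOG_YEAR = 2014  # syslog timestamps carry no year; assumed for the sample


def parse_failure(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, source ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("ip")


def is_ignored(ip: str, ignoreip: Iterable[str]) -> bool:
    """ignoreip entries may be single addresses or CIDR masks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def simulate(log_lines: Iterable[str], findtime: int = 600, maxretry: int = 3,
             bantime: int = 600, ignoreip=("127.0.0.1",)) -> List[Tuple[str, str]]:
    """Return (ip, ban start) pairs in the order the bans would be issued.

    A host is banned once it has maxretry failures within the last findtime
    seconds; while a ban is active its further attempts are dropped by the
    firewall, so they are skipped here as they would never reach the log.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned_until: Dict[str, datetime] = {}
    bans: List[Tuple[str, str]] = []
    for line in log_lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if is_ignored(ip, ignoreip):
            continue
        if ip in banned_until and ts < banned_until[ip]:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            bans.append((ip, ts.strftime("%Y-%m-%d %H:%M:%S")))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


# Constructed sample, in chronological order as in a real log.
SAMPLE_LOG = """\
Sep 25 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Sep 25 10:00:30 host sshd[1240]: Failed password for root from 198.51.100.7 port 40001 ssh2
Sep 25 10:01:00 host sshd[1250]: Failed password for root from 127.0.0.1 port 33001 ssh2
Sep 25 10:01:10 host sshd[1251]: Failed password for root from 127.0.0.1 port 33002 ssh2
Sep 25 10:01:20 host sshd[1252]: Failed password for root from 127.0.0.1 port 33003 ssh2
Sep 25 10:02:00 host sshd[1260]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Sep 25 10:03:00 host sshd[1235]: Failed password for root from 203.0.113.5 port 51123 ssh2
Sep 25 10:05:00 host sshd[1236]: Failed password for root from 203.0.113.5 port 51124 ssh2
Sep 25 10:05:30 host sshd[1237]: Failed password for root from 203.0.113.5 port 51125 ssh2
Sep 25 10:20:00 host sshd[1241]: Failed password for root from 198.51.100.7 port 40002 ssh2
Sep 25 10:21:00 host sshd[1242]: Failed password for root from 198.51.100.7 port 40003 ssh2
""".splitlines()

if __name__ == "__main__":
    print(simulate(SAMPLE_LOG))
```

With the [DEFAULT] values from the text only 203.0.113.5 is banned; 198.51.100.7 spreads its failures over more than findtime seconds and 127.0.0.1 is covered by ignoreip.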


How to Set Up iptables on Linux Debian / Ubuntu

A firewall is a system or router that sits between an external network (i.e. the Internet) and an internal network. This internal network can be a large LAN at a business or your networked home PCs. The firewall in its simplest form is like a one-way street. It allows people on the internal network to access the external network (the Internet), but it restricts traffic so that no one can use the external network to access the systems or files on the internal network.

A firewall has two network connections, one for the external network and one for the internal network. Traffic that is allowed to flow between the two networks is internally “bridged” (using a FORWARD rule) between these two connections. Disallowed traffic is not. This decision-based bridging of traffic between two connections is called “routing” or “IP forwarding”. What this means is that any firewall, by its very nature, is a router (but not all routers block traffic, so not all routers are firewalls).

Login as root

Login as root user either by opening the Terminal or login over the ssh based session. Type the following command:

sudo -i

Install UFW

“This software is used for managing a Linux firewall and aims to provide an easy to use interface for the user”.

Type this command line:

apt-get install ufw

Find status of firewall

Type the following command:

ufw status verbose

Sample outputs:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

Enable firewall

Type the following command to enable the firewall on boot:

ufw enable

Sample outputs:

Firewall is active and enabled on system startup

Disable firewall

Type the following command to disable the firewall on boot:

ufw disable

Sample outputs:

Firewall stopped and disabled on system startup


Restart firewall

Type the following command to restart the firewall:

ufw reload

Sample outputs:

Firewall reloaded

Note that by default, deny is applied to incoming traffic. There are exceptions, which can be found in the output of this command:

ufw show raw

You can also read the rules files in /etc/ufw (the files whose names end with .rules).


Allow and Deny (specific rules)

Allow

ufw allow <port>/<optional: protocol>

example: To allow incoming tcp and udp packets on port 53

  • ufw allow 53

example: To allow incoming tcp packets on port 53

  • ufw allow 53/tcp

example: To allow incoming udp packets on port 53

  • ufw allow 53/udp

Deny

ufw deny <port>/<optional: protocol>

example: To deny incoming tcp and udp packets on port 53

  • ufw deny 53

example: To deny incoming tcp packets on port 53

  • ufw deny 53/tcp

example: To deny incoming udp packets on port 53

  • ufw deny 53/udp

Delete Existing Rule

To delete a rule, simply prefix the original rule with delete. For example, if the original rule was:

deny 80/tcp

Use this to delete it:

ufw delete deny 80/tcp

Services

You can also allow or deny by service name, since ufw reads from /etc/services. To get a list of services:

less /etc/services

Allow by Service Name

ufw allow <service name>

example: to allow ssh by name

  • ufw allow ssh

Deny by Service Name

ufw deny <service name>

example: to deny ssh by name

  • ufw deny ssh

Logging

To enable logging use:

ufw logging on

To disable logging use:

ufw logging off

Advanced Syntax

You can also use a fuller syntax, specifying the source and destination addresses, ports and protocols.

Allow Access

This section shows how to allow specific access.

Allow by Specific IP

ufw allow from <ip address>

example: To allow packets from 107.46.232.182:

  • ufw allow from 107.46.232.182

Allow by Subnet

You may use a net mask:

ufw allow from 192.168.1.0/24

Allow by specific port and IP address

ufw allow from <target> to <destination> port <port number>

example: allow IP address 192.168.0.4 access to port 22 for all protocols

  • ufw allow from 192.168.0.4 to any port 22

Allow by specific port, IP address and protocol

ufw allow from <target> to <destination> port <port number> proto <protocol name>

example: allow IP address 192.168.0.4 access to port 22 using TCP

  • ufw allow from 192.168.0.4 to any port 22 proto tcp

Enable PING

Note: Security by obscurity may be of very little actual benefit against modern cracker scripts. By default, UFW allows ping requests. You may wish to leave (icmp) ping requests enabled to diagnose networking problems.

In order to disable ping (icmp) requests, edit /etc/ufw/before.rules and remove the following lines:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

or change “ACCEPT” to “DROP”:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

Deny Access

Deny by specific IP

ufw deny from <ip address>

example: To block packets from 107.46.232.182:

  • ufw deny from 107.46.232.182

Deny by specific port and IP address

ufw deny from <ip address> to <destination> port <port number>

example: deny IP address 192.168.0.1 access to port 22 for all protocols

  • ufw deny from 192.168.0.1 to any port 22

Working with numbered rules

Listing rules with a reference number

You may use status numbered to show the order and ID number of the rules:

ufw status numbered

Editing numbered rules

Delete numbered rule

You may then delete rules using the number. This will delete the first rule, and the remaining rules will shift up to fill the list.

ufw delete 1

Insert numbered rule

ufw insert 1 allow from <ip address>

Advanced Example

Scenario: You want to block access to port 22 from 192.168.0.1 and 192.168.0.7 but allow all other 192.168.0.x IPs to access port 22 using tcp. Because ufw evaluates rules in order and stops at the first match, the two deny rules must be added before the broader allow:

ufw deny from 192.168.0.1 to any port 22
ufw deny from 192.168.0.7 to any port 22
ufw allow from 192.168.0.0/24 to any port 22 proto tcp
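Why the order of the three rules matters can be seen with the following added example (not ufw's own code), which parses the ufw syntax used on this page and evaluates packets first-match, the way ufw does. The rule lists, function names and sample packets are constructed for it, and it models a single host, so "to any" is the only destination it accepts.

```python
"""First-match evaluation of ufw rules for the scenario above. Added example,
not ufw's own code; it parses only the ufw syntax used on this page and the
rule lists, function names and sample packets are constructed for it."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network     # 0.0.0.0/0 = from anywhere
    port: Optional[int]            # None = any port
    proto: Optional[str]           # None = both tcp and udp


def parse_rule(text: str) -> Rule:
    """Parse 'allow|deny <port>[/<proto>]' or
    'allow|deny [from <src>] [to any] [port <n>] [proto <p>]'."""
    tokens = text.split()
    action = tokens[0]
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action: {action}")
    src = ipaddress.ip_network("0.0.0.0/0")
    port: Optional[int] = None
    proto: Optional[str] = None
    if len(tokens) == 2:  # short form, e.g. "allow 53/tcp"
        spec, _, p = tokens[1].partition("/")
        return Rule(action, src, int(spec), p or None)
    for key, val in zip(tokens[1::2], tokens[2::2]):
        if key == "from":
            src = ipaddress.ip_network(val, strict=False)
        elif key == "port":
            port = int(val)
        elif key == "proto":
            proto = val
        elif key == "to" and val == "any":
            continue  # single-host model: the destination is always us
        else:
            raise ValueError(f"unsupported clause: {key} {val}")
    return Rule(action, src, port, proto)


def evaluate(rules: List[Rule], src_ip: str, port: int, proto: str,
             default: str = "deny") -> str:
    """Return the action of the first matching rule, else the default
    policy (ufw's default for incoming traffic is deny)."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr in rule.src and rule.port in (None, port) and rule.proto in (None, proto):
            return rule.action
    return default


# The three rules from the scenario, in the order the text adds them.
PAGE_ORDER = [parse_rule(r) for r in (
    "deny from 192.168.0.1 to any port 22",
    "deny from 192.168.0.7 to any port 22",
    "allow from 192.168.0.0/24 to any port 22 proto tcp",
)]
# The same rules with the subnet allow added first: the two denies are
# never reached, which is what 'ufw insert 1 ...' exists to correct.
WRONG_ORDER = [PAGE_ORDER[2], PAGE_ORDER[0], PAGE_ORDER[1]]

if __name__ == "__main__":
    for host in ("192.168.0.1", "192.168.0.7", "192.168.0.50", "10.0.0.9"):
        print(host, "-> page order:", evaluate(PAGE_ORDER, host, 22, "tcp"),
              "| wrong order:", evaluate(WRONG_ORDER, host, 22, "tcp"))
```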

How to install Nessus vulnerability scanner on Linux

This blog describes the installation and configuration of Tenable Network Security’s Nessus 5.2 vulnerability scanner. Tenable Network Security, Inc. is the author and maintainer of the Nessus vulnerability scanner. In addition to constantly improving the Nessus engine, Tenable writes most of the plugins available to the scanner, as well as compliance checks and a wide variety of audit policies.

Prerequisites, deployment options, and a walk-through of an installation are described in this document. A basic understanding of Unix and vulnerability scanning is assumed.

Installation

Download the Nessus package for your distribution from the list below:

  • Debian 6.0 (32 bits): Nessus-5.2.6-debian6_i386.deb
  • Debian 6.0 (64 bits): Nessus-5.2.6-debian6_amd64.deb
  • Red Hat ES 4 / CentOS 4: Nessus-5.2.6-es4.i386.rpm
  • Red Hat ES 5 (32 bits) / CentOS 5 / Oracle Linux 5 (including Unbreakable Enterprise Kernel): Nessus-5.2.6-es5.i386.rpm
  • Red Hat ES 5 (64 bits) / CentOS 5 / Oracle Linux 5 (including Unbreakable Enterprise Kernel): Nessus-5.2.6-es5.x86_64.rpm
  • Red Hat ES 6 (32 bits) / CentOS 6 / Oracle Linux 6 (including Unbreakable Enterprise Kernel): Nessus-5.2.6-es6.i386.rpm
  • Red Hat ES 6 (64 bits) / CentOS 6 / Oracle Linux 6 (including Unbreakable Enterprise Kernel): Nessus-5.2.6-es6.x86_64.rpm
  • Fedora 19, 20 (32 bits): Nessus-5.2.6-fc16.i386.rpm
  • Fedora 19, 20 (64 bits): Nessus-5.2.6-fc16.x86_64.rpm
  • SuSE 10 Enterprise (64 bits): Nessus-5.2.6-suse10.x86_64.rpm
  • SuSE 11 Enterprise (32 bits): Nessus-5.2.6-suse11.i586.rpm
  • SuSE 11 Enterprise (64 bits): Nessus-5.2.6-suse11.x86_64.rpm
  • Ubuntu 9.10 / Ubuntu 10.04 (32 bits): Nessus-5.2.6-ubuntu910_i386.deb
  • Ubuntu 9.10 / Ubuntu 10.04 (64 bits): Nessus-5.2.6-ubuntu910_amd64.deb
  • Ubuntu 11.10 / Ubuntu 12.04 (32 bits): Nessus-5.2.6-ubuntu1110_i386.deb
  • Ubuntu 11.10 / Ubuntu 12.04 (64 bits): Nessus-5.2.6-ubuntu1110_amd64.deb


Open a Terminal (CTRL+ALT+T) and type these commands:

Red Hat / CentOS

su
chmod a+x <Nessus package>.rpm
rpm -ivh <Nessus package>.rpm

Debian / Ubuntu

sudo -i
chmod a+x <Nessus package>.deb
dpkg -i <Nessus package>.deb

When the installation is completed, start the nessusd daemon as instructed in the next section depending on the distribution. Once Nessus is installed, you must visit the scanner URL provided to complete the registration process.

Note: Unix-based installations may provide a URL containing a relative host name that is not in DNS (e.g., https://ip-address:8834/). If the host name is not in DNS, you must connect to the Nessus server using an IP address or a valid DNS name.

After that process is complete, it is recommended that you authenticate and customize the configuration options for your environment as described in the “Feed Registration and GUI Configuration” section.

Note: Nessus must be installed to /opt/nessus, although a symbolic link pointing to /opt/nessus is acceptable.

Starting and Stopping the Nessus Daemon

Open a Terminal (CTRL+ALT+T) and type these commands:

Red Hat / CentOS

su

/sbin/service nessusd {start|stop}

Debian / Ubuntu

sudo -i

/etc/init.d/nessusd {start|stop}

or

sudo service nessusd {start|stop}


For further information about Nessus configuration, see the documentation linked below:
nessus_5.2_installation_guide



How to install Monitoring agent on Linux


Check_MK includes not only its famous checking and configuration engine but also MK Livestatus (a Nagios event broker module that allows quick, direct and comfortable access to your status data), Multisite (a full-featured status GUI for Nagios based on Livestatus, which natively supports distributed monitoring), WATO (a configuration GUI for Check_MK) and many other components.

Check_MK is also contained in OMD, the Open Monitoring Distribution. For customers with a support contract we provide officially supported ready-to-use OMD builds for every available Check_MK version, including precompiled Nagios, NagVis, PNP4Nagios and many other addons. The latest stable Check_MK version is also contained in the community edition of OMD.

NOTE: If you are updating from earlier versions you might need to adapt your configuration. Please carefully read the migration notes!

check_mk-1.2.4p3.tar.gz Complete tarball including all agents and MK Livestatus
check_mk-agent-1.2.4p3-1.noarch.rpm RPM package of linux agent (SuSE, RedHat, ESX)
check_mk-agent-logwatch-1.2.4p3-1.noarch.rpm RPM package of logwatch extension for agent
check_mk-agent-oracle-1.2.4p3-1.noarch.rpm RPM package of oracle extension for agent
check_mk-agent-scriptless-1.2.4p3-1.noarch.rpm RPM package of linux agent (Without RPM scripts)
check-mk-agent_1.2.4p3-2_all.deb DEB package of linux agent (Debian, Ubuntu)
check-mk-agent-logwatch_1.2.4p3-2_all.deb DEB package of logwatch extension for agent
check-mk-agent-1.2.4p3.exe Windows agent installer
mk-livestatus-1.2.4p3.tar.gz Standalone source code of MK Livestatus
mkeventd-1.2.4p3.tar.gz Standalone source code of MK Event Console

Note:

All packages are platform independent. The source code is only contained in the complete tarball.

The complete tarball contains one Windows executable, check_mk_agent.exe. It is needed for monitoring Windows hosts. We are not aware of any virus or other malware in that file, even if some scanners report possible infections. If you don’t trust us, you can recompile it yourself: the source code and a Makefile are included. You need to install the MinGW compiler on Windows (which is free).

We apologize for no longer providing DEB and RPM packages of Check_MK. We suggest using OMD instead. Packages for the agents are still available.

Installing the Agent via RPM or DEB is very easy. All you have to do is to make sure xinetd is installed first and then install the package. Usually, you’ll also want to install the logwatch extension.

Debian / Ubuntu

sudo apt-get install xinetd
sudo dpkg -i check-mk-agent_1.1.18-2_all.deb
sudo dpkg -i check-mk-agent-logwatch_1.1.18-2_all.deb

Red Hat / CentOS

su
yum install xinetd
rpm -i check_mk-agent-1.1.18-1.noarch.rpm
rpm -i check_mk-agent-logwatch-1.1.18-1.noarch.rpm


How to install OMD “The Open Monitoring Distribution” on linux Debian/Ubuntu


OMD “Open Monitoring Distribution”  is an extension to the Nagios monitoring system that allows creating rule-based configuration using Python and offloading work from the Nagios core to make it scale better, allowing more systems to be monitored from a single Nagios server.

OMD avoids the tedious work of manually compiling and integrating Nagios addons while at the same time avoiding the problems of pre-packaged installations coming with your Linux distribution, which are most times outdated and provide no regular updates.

OMD bundles Nagios together with many important addons and can easily be installed on every major Linux distribution. We provide prebuilt packages for all enterprise Linux distributions and also for some other, such as Ubuntu.

Features

multiple instances per host: OMD supports multiple but separated Nagios instances on the same machine, so-called sites, e.g. one for production and one for a test environment.

separate omd user per instance: each site has its own operating user. No root permissions are needed for administration.

script based tarball building: if you decide to compile omd yourself, you get a single tarball with all necessary paths and binaries. Installing this tarball on hosts is as simple as extracting a common tar file.

simple creation of new sites: omd create mysite creates the site and omd start starts everything.

supporting different omd versions at the same time: you can install different versions in parallel, e.g. running your production instance with the last rock-solid version and using the most current version in your test environment. There is an omd upgrade available, but at this time don’t rely on it; it is experimental!

platform independent paths: omd installs to /opt/omd on all platforms. If you don’t like this, you can symlink omd to any location you want.

speed optimizations: using npcdmod (NEB module) for processing performance data, rrdcached to speed up rrdtools, tmpfs for check results and livestatus for some web frontends, we try to reduce disk I/O.

What OMD contains

OMD currently comes with the following software:

  • Nagios
    • Monitoring Plugins (formerly known as Nagios-Plugins)
    • nsca
    • check_nrpe
  • Icinga
  • Shinken
  • NagVis
  • pnp4nagios
  • rrdtool/rrdcached
  • Check_MK
  • MK Livestatus
  • Multisite
  • Dokuwiki
  • Thruk
  • Mod-Gearman
  • check_logfiles
  • check_oracle_health
  • check_mysql_health
  • jmx4perl
  • check_webinject
  • check_multi

How to Install

Download a current binary package

Download the most current binary package from the download page.

Installation (for GNOME-based systems)

If you are using GNOME, you most probably have the package gdebi installed, which provides the easiest way to install OMD on Debian/Ubuntu. Just call gdebi with the name of the OMD package:

sudo apt-get install gdebi
sudo gdebi omd-0.43_0.43lucid1_amd64.deb

That will automatically install all packages OMD needs for proper operation, and then OMD itself.

Installation (without gdebi)

If you are not using gdebi you have to manually install the packages OMD depends on. You can find out those packages with:

sudo dpkg-deb --info <omd-package>

This gives you information like this:

...
 Depends: debconf (>= 0.5) | debconf-2.0, libapache2-mod-python, libapache2-mod-php5, php5-sqlite, php5-mcrypt, libgd2-xpm, libdbi0, libapache2-mod-proxy-html
 Recommends: xinetd, mysql-server, graphviz, dnsutils, snmp, fping, smbclient, unzip, libnet-snmp-perl, libxml-simple-perl
...

Install all necessary packages from the Depends: line, i.e.

sudo apt-get install libapache2-mod-python libapache2-mod-php5 php5-sqlite php5-mcrypt libgd2-xpm libdbi0 libapache2-mod-proxy-html

Just copy and paste, but remove the commas. Then install the omd package:

sudo dpkg -i <omd-package>

Apache basics

OMD needs two apache proxy modules, mod_proxy and mod_proxy_http. You have to enable both:

sudo a2enmod proxy_http

Apache configuration for each site will be placed in /omd/apache, so this directory has to be included. The Debian/Ubuntu packages create the file /etc/apache2/conf.d/zzz_omd.conf with the following content:

Include /opt/omd/apache/*.conf

If the directory is empty (i.e. you have omd installed, no site created and the dummy file /omd/apache/empty.conf deleted) you get an error if you try to start/restart apache. Create a site or recreate the dummy file /omd/apache/empty.conf.

Last, but not least restart apache:

sudo service apache2 restart

Create a site and start OMD

Create a site as user root (or use sudo on Ubuntu). For example mysite:

omd create mysite

Start omd globally as user root (or use sudo):

 omd start

Now you can play around with a very basic configuration and the web frontend:

http://myhost/mysite base url of the site mysite
http://myhost/mysite/nagios classic web frontend
http://myhost/mysite/check_mk check_mk multisite frontend
http://myhost/mysite/pnp4nagios pnp4nagios start page
http://myhost/mysite/nagvis nagvis start page

Configuration Basics

After installing OMD you will find everything within /opt/omd. There is also a symlink in the root directory: /omd points to the physical location of OMD. In /opt/omd there are three directories:

apache contains one config file for each created site.
versions is the base for the site-independent files. Each version gets its own subdirectory. versions/default is a symlink to the current default version directory.
sites will later contain the sites you have created. The directory is empty after the first installation of omd.

The command “omd create” and what you get

To create a new site just call omd create <mysite> as user root (or use sudo on Ubuntu). What you get is:

a site directory with preconfigured configuration files.

a new user “mysite” and a new group “mysite” (identical with the name of your site). The new user is also member of the group omd, which is created at installation time.

Explore the site directory

In our example the name of the created site will be “mysite”. Change to the user “mysite”, whose home is /omd/sites/mysite:

sudo su - mysite

ls -l will show you the following directories or links:

etc/
tmp/
var/
bin -> version/bin/
include -> version/include/
lib -> version/lib/
share -> version/share/
version -> ../../versions/0.42/

Only the first three directories are site specific; the rest are symlinked to your OMD version.

tmp is a tmpfs (to speed up processing of nagios checks) and contains temporary files.
var contains variable stuff as logfiles, configs created from web frontends and so on.
etc hosts all your configuration files needed for running the site “mysite”.

There is no need to change things in var or tmp.

How To add a DNS server via resolv.conf

Static IP-Address

Type the following command:

sudo gedit /etc/resolvconf/resolv.conf.d/base

Edit /etc/resolvconf/resolv.conf.d/base to fit your needs. Here’s an example:

domain ch.domain.com
search ch.domainsearch.com
nameserver 10.10.10.107
nameserver 10.10.131.106
nameserver 10.10.192.1

Dynamic IP-Address “Automatic (DHCP)”

First, use Network Manager to change the DNS address and change Method to

Automatic (DHCP) addresses only

Then run the following command and reboot:

sudo dpkg-reconfigure resolvconf

That was the solution for me.