Find unused IPs on a subnet

nmap -v -sn -oG - 172.21.0.0/24 | egrep "(Up|Down)" --color

Basic rsyslog server

systemctl enable rsyslog
systemctl start rsyslog
firewall-cmd --add-service=syslog --permanent
firewall-cmd --reload

/etc/rsyslog.d/00modules.conf

$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark # provides --MARK-- message capability 
$ModLoad imudp # Provides UDP syslog reception 
$ModLoad imtcp # Provides TCP syslog reception 

$UDPServerRun 514 # UDP Port to listen on 

$InputTCPServerRun 514 # TCP Port to listen on

$ActionFileEnableSync on 
#$EscapeControlCharactersOnReceive off 
$PreserveFQDN on

/etc/rsyslog.d/01templates.conf

#$umask 0000
#$DirCreateMode 0750
#$DirGroup logs
#$FileCreateMode 0640
#$FileGroup logs

$template RemoteHosts,"/var/log/remote/%fromhost-ip%/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%/%syslogfacility-text%.log"

if ($fromhost-ip != "127.0.0.1" and $fromhost-ip != "::1") then ?RemoteHosts

chrooted sftp backup destination

Environment: Stock install of CentOS 7 minimal, SELinux, yum-cron.

Data directory: /mnt/backup. XFS filesystem on a logical volume.

Mount it with a systemd mount unit similar to the following; the unit must be named after the mount point (mnt-backup.mount):

[Unit]
Description = Backup logical volume
[Mount]
# the filesystem UUID from blkid, referenced through its by-uuid symlink
What = /dev/disk/by-uuid/coffee40-dead-beef-1234-ffffff1c2a34
Where = /mnt/backup
Type = xfs
Options = nodev,nosuid,noexec
[Install]
WantedBy = multi-user.target

Add the users:

useradd backup-user-1 -d /mnt/backup/backup-user-1/ -s /sbin/nologin
useradd backup-user-2 -d /mnt/backup/backup-user-2/ -s /sbin/nologin

Create the users' .ssh directory:

mkdir /mnt/backup/.ssh/
chown root:root /mnt/backup/.ssh/

Add the users' keys:

echo 'ssh-rsa AAAA[...]' > /mnt/backup/.ssh/authorized_keys-backup-user-1
chown backup-user-1:backup-user-1 /mnt/backup/.ssh/authorized_keys-backup-user-1
echo 'ssh-rsa AAAA[...]' > /mnt/backup/.ssh/authorized_keys-backup-user-2
chown backup-user-2:backup-user-2 /mnt/backup/.ssh/authorized_keys-backup-user-2

Apply the following ACLs recursively to /mnt/backup/.ssh/:

Notes: You could also put all remote users in a group and apply a group ACL instead. Use setfacl --set-file=file to read these ACLs from a file.

# file: .ssh/
# owner: root
# group: root
user::rwx
user:backup-user-1:r-x
user:backup-user-2:r-x
group::r-x
mask::r-x
other::---
default:user::rwx
default:user:backup-user-1:r-x
default:user:backup-user-2:r-x
default:group::r-x
default:mask::r-x
default:other::---

Apply the following ACLs recursively to /mnt/backup/backup-user-1/:

# file: backup-user-1
# owner: backup-user-1
# group: root
user::rwx
group::---
other::---
default:user::rwx
default:user:backup-user-1:rwx
default:group::---
default:mask::rwx
default:other::---

Apply the following ACLs recursively to /mnt/backup/backup-user-2/:

# file: backup-user-2
# owner: backup-user-2
# group: root
user::rwx
group::---
other::---
default:user::rwx
default:user:backup-user-2:rwx
default:group::---
default:mask::rwx
default:other::---

SELinux contexts:

semanage fcontext -at root_t /mnt/backup/
semanage fcontext -mt home_root_t /mnt/backup/   # -m replaces the entry just added; a second -a for the same path fails with "already defined"
semanage fcontext -at user_home_dir_t /mnt/backup/backup-user-1
semanage fcontext -at user_home_dir_t /mnt/backup/backup-user-2
semanage fcontext -at ssh_home_t /mnt/backup/.ssh
semanage fcontext -at ssh_home_t /mnt/backup/.ssh/authorized_keys-backup-user-1
semanage fcontext -at ssh_home_t /mnt/backup/.ssh/authorized_keys-backup-user-2
restorecon -Rv /mnt/backup/

SSH config (/etc/ssh/sshd_config):

# override default of no subsystems
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match User backup-user-1,backup-user-2
 PasswordAuthentication no
 X11Forwarding no
 AllowTcpForwarding no
 PermitTTY no
 ForceCommand internal-sftp
 ChrootDirectory /mnt/backup/
 AuthorizedKeysFile /mnt/backup/.ssh/authorized_keys-%u
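Before restarting sshd it is worth checking the ChrootDirectory preconditions, since sshd refuses the login with "bad ownership or modes for chroot directory" when any component of the path is not root-owned or is writable by group or others. The following shell check is an added example, not part of the original post: it walks from /mnt/backup up to / and reports each component; the optional TOP argument and the CHROOT_OWNER variable are my additions so the check can also be run on a scratch tree.

```shell
#!/bin/sh
# Added example: verify the sshd ChrootDirectory requirements for a path.
# Every component from TOP (default /) down to the chroot must be owned by
# root and must not be writable by group or others. Per-user directories
# below the chroot (backup-user-1/, ...) are deliberately not checked: they
# may be owned by the user.
#
# usage: check_chroot_path /mnt/backup [TOP]
#   CHROOT_OWNER (default 0) is the uid expected to own each component;
#   it is only meant to be overridden when testing on a scratch tree.
check_chroot_path() {
    dir=$1
    top=${2:-/}
    owner=${CHROOT_OWNER:-0}
    rc=0
    while :; do
        if [ ! -d "$dir" ]; then
            echo "MISSING   $dir"
            return 1
        fi
        # GNU stat: numeric uid and symbolic mode, e.g. "0 drwxr-xr-x"
        set -- $(stat -c '%u %A' "$dir")
        uid=$1
        perms=$2
        bad=""
        [ "$uid" = "$owner" ] || bad="owner uid $uid, expected $owner"
        # character 6 is the group write bit, character 9 the other write bit
        case $perms in
            ?????w*|????????w*) bad="${bad:+$bad; }writable by group or others ($perms)" ;;
        esac
        if [ -n "$bad" ]; then
            echo "BAD       $dir: $bad"
            rc=1
        else
            echo "ok        $dir"
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return $rc
}
```

Run it as root on the real path, `check_chroot_path /mnt/backup`, after the mount unit and ACLs are in place; a non-zero exit means sshd will reject the chrooted login.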

Keeping Naemon or Nagios running at all times with a systemd drop-in unit

Due to a silly bug in Naemon 1.0.4, I looked into ways to make sure it always restarts if it dies or is killed. Turns out it’s rather easy thanks to systemd.

Create a naemon.service.d directory in /etc/systemd/system/:

cd /etc/systemd/system/
mkdir naemon.service.d
cd naemon.service.d

Create the file 10-restart.conf with the following contents:

[Service]
RestartSec=10s
Restart=always

Now reload systemd:

systemctl daemon-reload

And make sure the unit is overridden:

[root@manage naemon.service.d]# systemd-delta | grep naemon
[EXTENDED] /usr/lib/systemd/system/naemon.service -> /etc/systemd/system/naemon.service.d/10-restart.conf

Then try killing naemon and watch it restart:

killall naemon
watch systemctl status naemon

Upgrading from Naemon 1.0.3 to 1.0.4

Important: First of all, back up /etc/naemon/ before updating.

rsync /etc/naemon/ /etc/naemon-bak/ -av
yum update -y

Note: If you’ve already upgraded and don’t have a backup, you can copy the config from Nagios (if it is installed).

Skip this step if you have a backup of /etc/naemon/!

cp /etc/nagios/objects/templates.cfg /etc/naemon/conf.d/templates/
cp /etc/nagios/objects/contacts.cfg /etc/naemon/conf.d/
cp /etc/nagios/objects/timeperiods.cfg /etc/naemon/conf.d/
cp /etc/nagios/objects/commands.cfg /etc/naemon/conf.d/

Verify the naemon config:

naemon -vp /etc/naemon/naemon.cfg
Error in configuration file '/etc/naemon/naemon.cfg' - Line 344 (Warning: Failed to open check_result_path '/var/cache/naemon/checkresults': No such file or directory)
 Error processing main config file!

check_result_path is deprecated and you can safely remove it from the config.

sed -i '/check_result_path=/d' /etc/naemon/naemon.cfg

Verify the config again:

naemon -vp /etc/naemon/naemon.cfg
Reading configuration data...
Warning: enable_environment_macros is deprecated and will be removed.
Warning: use_large_installation_tweaks is deprecated and will be removed. Naemon should always be fast
Warning: daemon_dumps_core is deprecated and will be removed. Use system facilities to control coredump behaviour instead
Warning: max_check_result_file_age is deprecated and will be removed. Support for processing check results from disk will be removed
Warning: max_check_result_reaper_time is deprecated and will be removed. Support for processing check results from disk will be removed
Warning: check_result_reaper_frequency is deprecated and will be removed. Support for processing check results from disk will be removed
Warning: naemon_group is deprecated and will be removed. Naemon is compiled to be run as naemon:naemon
Warning: naemon_user is deprecated and will be removed. Naemon is compiled to be run as naemon:naemon
 Read main config file okay...
Error: Template 'generic-host' specified in host definition could not be found (config file '/usr/share/okconfig/templates/misc/hosts.cfg', starting on line 3)
Error: Template 'generic-service' specified in service definition could not be found (config file '/usr/share/okconfig/templates/linux/services.cfg', starting on line 4)
Error: Template 'generic-service' specified in service definition could not be found (config file '/usr/share/okconfig/templates/http/services.cfg', starting on line 41)
Error: Template 'generic-service' specified in service definition could not be found (config file '/usr/share/okconfig/templates/nagios/services.cfg', starting on line 29)
Error: Template 'generic-service' specified in service definition could not be found (config file '/usr/share/okconfig/templates/nagios/services.cfg', starting on line 20)
Error: Template 'generic-service' specified in service definition could not be found (config file '/usr/share/okconfig/templates/nagios/services.cfg', starting on line 11)
Error: Template 'generic-service' specified in service definition could not be found (config file '/usr/share/okconfig/templates/nagios/services.cfg', starting on line 2)
Error: Template 'generic-service' specified in service definition could not be found (config file '/usr/share/okconfig/templates/misc/services.cfg', starting on line 53)
Error: Template 'generic-service' specified in service definition could not be found (config file '/usr/share/okconfig/templates/wmi/wmi.cfg', starting on line 6)
 Error processing object config files!

Rsync the templates directory from the backup and remove the deprecated attributes:

rsync /etc/naemon-bak/conf.d/templates/ /etc/naemon/conf.d/templates/ -av
sed -i '/enable_environment_macros/d' /etc/naemon/naemon.cfg
sed -i '/use_large_installation_tweaks/d' /etc/naemon/naemon.cfg
sed -i '/daemon_dumps_core/d' /etc/naemon/naemon.cfg
sed -i '/max_check_result_file_age/d' /etc/naemon/naemon.cfg
sed -i '/max_check_result_reaper_time/d' /etc/naemon/naemon.cfg
sed -i '/check_result_reaper_frequency/d' /etc/naemon/naemon.cfg
sed -i '/naemon_group/d' /etc/naemon/naemon.cfg
sed -i '/naemon_user/d' /etc/naemon/naemon.cfg
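The sed patterns above match anywhere in the line, so `/naemon_user/d` would also delete a comment or any other line that merely mentions naemon_user. As an added example, not from the original post, the following shell function removes the same deprecated directives anchored to the start of the line and the `=`, writes a .bak copy first, and reports what it removed; remove_deprecated_keys and remaining_keys are hypothetical names.

```shell
#!/bin/sh
# Added example: drop deprecated settings from naemon.cfg in one pass.
# Each key is matched as "^key=" so only the directive itself is deleted,
# never a comment or a different key that contains the same text.
# A copy FILE.bak is kept so the change can be reviewed or reverted.
#
# usage: remove_deprecated_keys /etc/naemon/naemon.cfg check_result_path naemon_user ...
remove_deprecated_keys() {
    cfg=$1
    shift
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak"
    for key in "$@"; do
        # report what is actually removed so the run can be audited
        if grep -q "^$key=" "$cfg"; then
            echo "removing $key"
            sed -i "/^$key=/d" "$cfg"
        else
            echo "not present: $key"
        fi
    done
}

# Lists the keys (text left of '=') still set in FILE, for checking the result.
remaining_keys() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1"
}
```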

Verify the config again:

naemon -vp /etc/naemon/naemon.cfg
Reading configuration data...
 Read main config file okay...
Error: Could not find member group 'admins' specified in contactgroup 'default' (config file '/etc/naemon/okconfig//groups/default.cfg', starting on line 11)
 Error processing object config files!

Rsync the contacts config from the backup:

rsync /etc/naemon-bak/conf.d/contacts.cfg /etc/naemon/conf.d/ -av

Verify the config again:

naemon -vp /etc/naemon/naemon.cfg
Reading configuration data...
 Read main config file okay...
Error: Service notification period '24x7' specified for contact 'naemonadmin' is not defined anywhere!
Error: Could not register contact (config file '/etc/naemon/conf.d/contacts.cfg', starting on line 24)
 Error processing object config files!

Rsync the timeperiods config from the backup:

rsync /etc/naemon-bak/conf.d/timeperiods.cfg /etc/naemon/conf.d/ -av

Verify the config again:

naemon -vp /etc/naemon/naemon.cfg
Reading configuration data...
 Read main config file okay...
Error: Host check command 'check-host-alive' specified for host 'monitor-01' is not defined anywhere!
Error: Could not register host (config file '/etc/naemon/okconfig//hosts/default/monitor-01-host.cfg', starting on line 3)
 Error processing object config files!

Rsync the commands config from the backup:

rsync /etc/naemon-bak/conf.d/commands.cfg /etc/naemon/conf.d/ -av

Verify the config again:

naemon -vp /etc/naemon/naemon.cfg
Reading configuration data...
 Read main config file okay...
 Read object config files okay...

Finally, make sure that either naemon.cfg still defines broker_module=/usr/lib64/naemon/naemon-livestatus/livestatus.so[…] or that it includes module-conf.d, so the livestatus module is still loaded:

echo 'include_dir=module-conf.d' >> /etc/naemon/naemon.cfg

Next:

Due to a bug in naemon 1.0.4 you need to configure automatic restarting for the service with a drop-in config for the systemd unit. See: Keeping Naemon or Nagios running at all times with a systemd drop-in unit
