Difference between revisions of "NetStat Setup Process"
From CSLabsWiki
(Added Piwik information) |
|||
| Line 1: | Line 1: | ||
| + | {{archived}} |
||
| + | |||
This page summarizes how the virtual machine [[netstat]] was set up in Spring 2009. |
This page summarizes how the virtual machine [[netstat]] was set up in Spring 2009. |
||
Latest revision as of 13:24, 3 September 2015
 |
This is an archived article or section. This page is a legacy practice, project, or tutorial, and the information may not be up to date. See the talk page for more information about the page's status. |
This page summarizes how the virtual machine netstat was set up in Spring 2009.
Contents
- 1 Install
- 2 Configuration
- 2.1 Updated System
- 2.2 Created User
- 2.3 Configured Sudo
- 2.4 Configured Networks
- 2.5 Configured IPtables
- 2.6 Configured SSH
- 2.7 Configured Password Requirements
- 2.8 Added Custom PATH Variables
- 2.9 Configured Aliases
- 2.10 Disabled Various Kernel Modules
- 2.11 Installed & Configured SNMP
- 2.12 Increased Detail of Logwatch Reports
- 2.13 Disabled Unneeded Services
- 2.14 Modified Cron Weekly Execution Time
- 3 Installed Nagios
- 4 Installed AWStats
- 5 Installed & Configured Cacti
- 6 Installed and Configured Piwik
Install
- Installed CentOS 5.2 x64.
- Partition Scheme
- 15 GB /
- 3.9 GB /var
- 1024 MB swap
- Partition Scheme
Configuration
Updated System
- Added Extra Repositories
- RPMForge Yum Repository
- Fedora EPEL Yum Repository
- Configured Yum Priorities & to use our mirror
- Edited
/etc/yum.repos.d/CentOS-Base.repo
- Edited
# CentOS-Base.repo
#
# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://mirror.clarkson.edu/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
exclude=nmap
#released updates
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirror.clarkson.edu/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
exclude=nmap
#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
baseurl=http://mirror.clarkson.edu/centos/$releasever/addons/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://mirror.clarkson.edu/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=http://mirror.clarkson.edu/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
baseurl=http://mirror.clarkson.edu/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2
- Edited
/etc/yum.repos.d/rpmforge.repo
- Edited
# Name: RPMforge RPM Repository for Red Hat Enterprise 5 - dag
# URL: http://rpmforge.net/
[rpmforge]
name = Red Hat Enterprise $releasever - RPMforge.net - dag
baseurl = http://mirror.clarkson.edu/rpmforge/redhat/el5/en/$basearch/dag
#mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1
priority=15
- Edited
/etc/yum.repos.d/epel.repo
- Edited
[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=30
[epel-debuginfo]
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
baseurl=http://mirror.clarkson.edu/epel/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=30
[epel-source]
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
baseurl=http://mirror.clarkson.edu/epel/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=30
- Edited
/etc/yum.repos.d/epel-testing.repo
- Edited
[epel-testing]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=40
[epel-testing-debuginfo]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Debug
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-debug-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=40
[epel-testing-source]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Source
baseurl=http://mirror.clarkson.edu/epel/testing/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-source-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=40
- Disabled Yum FastestMirror since using local mirror
sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf
- Installed Yum Priorities (Note: This must be installed prior to installing the packages below.)
yum install yum-priorities
- Configured Yum Priorities to check for obsoletes
echo "check_obsoletes=1" >> /etc/yum/pluginconf.d/priorities.conf
yum install vim-enhanced gcc emacs-nox screen nmapyum update
Created User
- Created user mccarrms
/usr/sbin/useradd -m mccarrms
- Set password for mccarrms
passwd mccarrms
Configured Sudo
/usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
#User_Alias ADMINS =
## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb
## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe
## Shells
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su
## Users
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/userhelper, /usr/sbin/usermod, /usr/sbin/usernetctl
Defaults requiretty
Defaults env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
_XKB_CHARSET XAUTHORITY"
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
#ADMINS ALL=(root) ALL, !SHELLS, !USERS, !DELEGATING
Configured Networks
- Configured hostname in
/etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=netstat
- Verified eth0 configuration for Clarkson Network in
/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
BROADCAST=128.153.145.255
HWADDR=00:16:3E:1B:DA:CA
IPADDR=128.153.145.16
NETMASK=255.255.255.0
NETWORK=128.153.145.0
ONBOOT=yes
GATEWAY=128.153.145.1
TYPE=Ethernet
- Verified eth1 configuration for the Server Room Network in
/etc/sysconfig/network-scripts/ifcfg-eth1
# Xen Virtual Ethernet
DEVICE=eth1
BOOTPROTO=none
BROADCAST=10.0.1.255
HWADDR=00:16:3E:70:AA:10
IPADDR=10.0.1.55
NETMASK=255.255.255.0
NETWORK=10.0.1.0
ONBOOT=yes
TYPE=Ethernet
- Verified eth2 configuration for the Internal Network in
/etc/sysconfig/network-scripts/ifcfg-eth2
# Xen Virtual Ethernet
DEVICE=eth2
BOOTPROTO=none
BROADCAST=10.0.0.255
HWADDR=00:16:3E:78:CF:CD
IPADDR=10.0.0.21
NETMASK=255.255.255.0
NETWORK=10.0.0.0
ONBOOT=yes
TYPE=Ethernet
Configured Hosts
- Edited
/etc/hosts
127.0.0.1 localhost.localdomain localhost
128.153.145.16 netstat.cslabs.clarkson.edu netstat.cslabs netstat
10.0.1.55 netstat.sr.cslabs.clarkson.edu netstat.sr.cslabs netstat.sr
10.0.0.21 netstat.int.cslabs.clarkson.edu netstat.int.cslabs netstat.int
- Edited
/etc/hosts.allow
For security purposes, this information has been intentionally left off.
- Edited
/etc/hosts.deny
ALL: ALL
Configured DNS Servers
- Edited
/etc/resolv.conf
search cslabs.clarkson.edu clarkson.edu
nameserver 128.153.145.3
nameserver 128.153.145.4
Disabled IP v6
- Appended the following to
/etc/modprobe.conf
install ipv6 /bin/true
- Disabled IP v6 firewall
/sbin/chkconfig ip6tables off
Configured IPtables
- Edited
/etc/sysconfig/iptables
Due to the sensitivity of this material, this config file has been left off; however, the following rules are needed.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Configured SSH
- Edited
/etc/ssh/sshd_config
Due to the sensitivity of this material, this config file has been left off.
- Restarted sshd
/etc/init.d/sshd restart
Set Up SSH Login Banner
- Edited
/etc/issue.net
__ __ __
___ ___ / /____ / /____ _/ /_
/ _ \/ -_) __(_-</ __/ _ `/ __/
/_//_/\__/\__/___/\__/\_,_/\__/
Configured Password Requirements
- Edited
/etc/login.defs
MAIL_DIR /var/spool/mail
PASS_MAX_DAYS 360
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 60
UID_MIN 500
UID_MAX 60000
GID_MIN 500
GID_MAX 60000
CREATE_HOME yes
UMASK 077
USERGROUPS_ENAB yes
MD5_CRYPT_ENAB yes
ENCRYPT_METHOD MD5
Added Custom PATH Variables
- Added the following to
/etc/profile
PATH=$PATH:/usr/sbin:/sbin
export PATH
Configured Aliases
- Edited
/etc/aliases
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /bin/mail.
#
# >>>>>>>>>> The program "newaliases" must be run after
# >> NOTE >> this file is updated for any changes to
# >>>>>>>>>> show through to sendmail.
#
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: logwatch@cslabs.clarkson.edu
# General redirections for pseudo accounts.
bin: logwatch@cslabs.clarkson.edu
daemon: logwatch@cslabs.clarkson.edu
adm: logwatch@cslabs.clarkson.edu
lp: logwatch@cslabs.clarkson.edu
sync: logwatch@cslabs.clarkson.edu
shutdown: logwatch@cslabs.clarkson.edu
halt: logwatch@cslabs.clarkson.edu
mail: logwatch@cslabs.clarkson.edu
news: logwatch@cslabs.clarkson.edu
uucp: logwatch@cslabs.clarkson.edu
operator: logwatch@cslabs.clarkson.edu
games: logwatch@cslabs.clarkson.edu
gopher: logwatch@cslabs.clarkson.edu
ftp: logwatch@cslabs.clarkson.edu
nobody: logwatch@cslabs.clarkson.edu
radiusd: logwatch@cslabs.clarkson.edu
nut: logwatch@cslabs.clarkson.edu
dbus: logwatch@cslabs.clarkson.edu
vcsa: logwatch@cslabs.clarkson.edu
canna: logwatch@cslabs.clarkson.edu
wnn: logwatch@cslabs.clarkson.edu
rpm: logwatch@cslabs.clarkson.edu
nscd: logwatch@cslabs.clarkson.edu
pcap: logwatch@cslabs.clarkson.edu
apache: logwatch@cslabs.clarkson.edu
webalizer: logwatch@cslabs.clarkson.edu
dovecot: logwatch@cslabs.clarkson.edu
fax: logwatch@cslabs.clarkson.edu
quagga: logwatch@cslabs.clarkson.edu
radvd: logwatch@cslabs.clarkson.edu
pvm: logwatch@cslabs.clarkson.edu
amanda: logwatch@cslabs.clarkson.edu
privoxy: logwatch@cslabs.clarkson.edu
ident: logwatch@cslabs.clarkson.edu
named: logwatch@cslabs.clarkson.edu
xfs: logwatch@cslabs.clarkson.edu
gdm: logwatch@cslabs.clarkson.edu
mailnull: logwatch@cslabs.clarkson.edu
postgres: logwatch@cslabs.clarkson.edu
sshd: logwatch@cslabs.clarkson.edu
smmsp: logwatch@cslabs.clarkson.edu
postfix: logwatch@cslabs.clarkson.edu
netdump: logwatch@cslabs.clarkson.edu
ldap: logwatch@cslabs.clarkson.edu
squid: logwatch@cslabs.clarkson.edu
ntp: logwatch@cslabs.clarkson.edu
mysql: logwatch@cslabs.clarkson.edu
desktop: logwatch@cslabs.clarkson.edu
rpcuser: logwatch@cslabs.clarkson.edu
rpc: logwatch@cslabs.clarkson.edu
nfsnobody: logwatch@cslabs.clarkson.edu
ingres: logwatch@cslabs.clarkson.edu
system: logwatch@cslabs.clarkson.edu
toor: logwatch@cslabs.clarkson.edu
manager: logwatch@cslabs.clarkson.edu
dumper: logwatch@cslabs.clarkson.edu
abuse: logwatch@cslabs.clarkson.edu
newsadm: news
newsadmin: news
usenet: news
ftpadm: ftp
ftpadmin: ftp
ftp-adm: ftp
ftp-admin: ftp
www: webmaster
webmaster: logwatch@cslabs.clarkson.edu
noc: logwatch@cslabs.clarkson.edu
security: logwatch@cslabs.clarkson.edu
hostmaster: logwatch@cslabs.clarkson.edu
info: postmaster
marketing: postmaster
sales: postmaster
support: postmaster
# trap decode to catch security attacks
decode: logwatch@cslabs.clarkson.edu
# Person who should get roots's mail
root: logwatch@cslabs.clarkson.edu
- Updated aliases
/usr/bin/newaliases
Disabled Various Kernel Modules
- Added the following to
/etc/modprobe.conf
install pppox /bin/true
install bluetooth /bin/true
install sctp /bin/true
Installed & Configured SNMP
- Installed needed packages
yum install net-snmp ntp
- Configured SNMP Daemon
/etc/snmp/snmpd.conf
rocommunity <passphrase> 127.0.0.1
rocommunity <passphrase> <ipsallowed>
syslocation Clarkson University Applied CS Labs
syscontact Matt McCarrell <mccarrms@gmail.com>
disk /
disk /var
proc nagios
exec timeskew /usr/local/sbin/ntp_check
exec uptime /usr/bin/uptime
- Deployed
ntp_checkscript- Copied over
/usr/local/sbin/ntp_checkfrom Isengard to /usr/local/sbin/ chown root.root /usr/local/sbin/ntp_check
- Copied over
- Configured SNMP to start at specific run levels
/sbin/chkconfig --levels 2345 snmpd on
- Started daemon
/etc/init.d/snmpd start
Increased Detail of Logwatch Reports
- Set detail level to be high
echo "Detail = High" >> /etc/logwatch/conf/logwatch.conf
Disabled Unneeded Services
- Referenced this page
chkconfig nfs off
/etc/init.d/nfs stop
chkconfig nfslock off
/etc/init.d/nfslock stop
chkconfig rpcgssd off
/etc/init.d/rpcgssd stop
chkconfig rpcidmapd off
/etc/init.d/rpcidmapd stop
chkconfig rpcsvcgssd off
/etc/init.d/rpcsvcgssd stop
chkconfig portmap off
/etc/init.d/portmap stop
chkconfig netfs off
/etc/init.d/netfs stop
chkconfig anacron off
/etc/init.d/anacron stop
chkconfig autofs off
/etc/init.d/autofs stop
chkconfig avahi-daemon off
/etc/init.d/avahi-daemon stop
chkconfig avahi-dnsconfd off
/etc/init.d/avahi-dnsconfd stop
chkconfig bluetooth off
/etc/init.d/bluetooth stop
chkconfig hidd off
/etc/init.d/hidd stop
chkconfig cups off
/etc/init.d/cups stop
chkconfig firstboot off
/etc/init.d/firstboot stop
chkconfig gpm off
/etc/init.d/gpm stop
chkconfig haldaemon off
/etc/init.d/haldaemon stop
chkconfig irda off
/etc/init.d/irda stop
chkconfig kudzu off
/etc/init.d/kudzu stop
chkconfig messagebus off
/etc/init.d/messagebus stop
chkconfig microcode_ctl off
/etc/init.d/microcode_ctl stop
chkconfig pcscd off
/etc/init.d/pcscd stop
chkconfig readahead_early off
/etc/init.d/readahead_early stop
chkconfig readahead_later off
/etc/init.d/readahead_later stop
chkconfig ypbind off
/etc/init.d/ypbind stop
Modified Cron Weekly Execution Time
This was done to reduce load spikes that produce Nagios alerts around 4:30 AM every Sunday. In the event that this VM get moved off of righteous, this should be changed back to the default setting of 4:22 AM.
- Modified the following line in
/etc/crontab
02 5 * * 0 root run-parts /etc/cron.weekly
Installed Nagios
- To install a bare installation of Nagios, see Install Nagios on CentOS 5.
Installed & Configured Prerequisites
Installed Apache with SSL
yum install httpd mod_ssl openssl-devel net-snmp net-snmp-libs net-snmp-perl net-snmp-perl net-snmp-utils net-snmp-devel mysql php-suhosin
- Modified Apache Config
/etc/httpd/conf/httpd.conf
ServerTokens Prod
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 30
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
TraceEnable Off
<IfModule prefork.c>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
ServerLimit 50
MaxClients 50
MaxRequestsPerChild 0
</IfModule>
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
Listen 80
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule version_module modules/mod_version.so
Include conf.d/*.conf
User apache
Group apache
ServerAdmin web-admin@cslabs.clarkson.edu
UseCanonicalName Off
DocumentRoot "/var/www/html"
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<IfModule mod_userdir.c>
UserDir disable
</IfModule>
DirectoryIndex index.html index.html.var
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
TypesConfig /etc/mime.types
DefaultType text/plain
<IfModule mod_mime_magic.c>
# MIMEMagicFile /usr/share/magic.mime
MIMEMagicFile conf/magic
</IfModule>
HostnameLookups Off
ErrorLog logs/error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog logs/access_log combined
ServerSignature Off
Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<IfModule mod_dav_fs.c>
# Location of the WebDAV lock database.
DAVLockDB /var/lib/dav/lockdb
</IfModule>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
DefaultIcon /icons/unknown.gif
ReadmeName README.html
HeaderName HEADER.html
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw
LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW
ForceLanguagePriority Prefer Fallback
AddDefaultCharset UTF-8
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddHandler type-map var
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Alias /error/ "/var/www/error/"
<IfModule mod_negotiation.c>
<IfModule mod_include.c>
<Directory "/var/www/error">
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
Order allow,deny
Allow from all
LanguagePriority en es de fr
ForceLanguagePriority Prefer Fallback
</Directory>
</IfModule>
</IfModule>
#ErrorDocument 404 /error/404.html
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/atom_xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/x-httpd-eruby
AddOutputFilterByType DEFLATE text/html
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
RedirectMatch permanent ^/$ http://admin.cslabs.clarkson.edu/
- Disabled
/etc/httpd/conf.d/welcome.conf
#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
#
#<LocationMatch "^/+$">
# Options -Indexes
# ErrorDocument 403 /error/noindex.html
#</LocationMatch>
- Disabled
/etc/httpd/conf.d/proxy_ajp.conf
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#
# When loaded, the mod_proxy_ajp module adds support for
# proxying to an AJP/1.3 backend server (such as Tomcat).
# To proxy to an AJP backend, use the "ajp://" URI scheme;
# Tomcat is configured to listen on port 8009 for AJP requests
# by default.
#
#
# Uncomment the following lines to serve the ROOT webapp
# under the /tomcat/ location, and the jsp-examples webapp
# under the /examples/ location.
#
#ProxyPass /tomcat/ ajp://localhost:8009/
#ProxyPass /examples/ ajp://localhost:8009/jsp-examples/
- Configured Apache to start on boot
/sbin/chkconfig --levels 345 httpd on
Installed & Configured Nagios
- Install Nagios & Plugins
yum install nagios nagios-plugins nagios-plugins-setuid
- Customized the default Nagios Apache conf
/etc/httpd/conf.d/nagios.conf
ScriptAlias /nagios/cgi-bin "/usr/lib64/nagios/cgi"
<Directory "/usr/lib64/nagios/cgi">
SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "CS Labs Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/htpasswd.users
Require valid-user
</Directory>
Alias /nagios "/usr/share/nagios"
<Directory "/usr/share/nagios">
SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthName "CS Labs Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/htpasswd.users
Require valid-user
</Directory>
- Removed the last line of
/etc/httpd/conf/httpd.conf
# Include /etc/httpd/conf.d/nagios.conf
- Put previous Nagios config files from former installation in
/etc/nagios/
- Customized
/etc/nagios/nagios.cfg,/etc/nagios/cgi.cfg, &/etc/nagios/resource.cfgto use the correct config files and locations
Installed NRPE Plugin
- Downloaded nrpe
- Extracted nrpe
tar xzf nrpe-2.12.tar.gz
- Compiled & Installed Plugin
cd nrpe-2.12./configuremake allmake install-pluginmv /usr/local/nagios/libexec/check_nrpe /usr/lib64/nagios/plugins/rm -r /usr/local/nagios
Started Nagios
- Started Nagios
/etc/init.d/nagios start
- Started Apache
/etc/init.d/httpd start
Installed AWStats
- To install a bare installation of AWStats, see Install AWStats on CentOS 5.
Installed & Configured AWStats
- Installed AWStats
yum install awstats
- Created a needed directory
mkdir /var/www/awstats/webstats/
- Modified AWStats Apache Configuration
- Edited
/etc/httpd/conf.d/awstats.conf
- Edited
Alias /webstats /var/www/awstats/webstats/
Alias /awstats/icon /var/www/awstats/icon/
Alias /awstats/docs /usr/share/doc/awstats-6.9/
ScriptAlias /awstats /var/www/awstats/
<Directory /var/www/awstats/>
SSLRequireSSL
Options ExecCGI
Order allow,deny
Allow from all
AuthName "CS Labs AWStats Access"
AuthType Basic
AuthUserFile /etc/nagios/htpasswd.users
Require valid-user
</Directory>
<Directory /var/www/awstats/webstats/>
SSLRequireSSL
Order allow,deny
Allow from all
AuthName "CS Labs AWStats Access"
AuthType Basic
AuthUserFile /etc/nagios/htpasswd.users
Require valid-user
</Directory>
<Directory /usr/local/awstats/docs/>
SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthName "CS Labs AWStats Access"
AuthType Basic
AuthUserFile /etc/nagios/htpasswd.users
Require valid-user
</Directory>
- Removed default update script
rm /etc/cron.hourly/00awstats
- Created new update script
/usr/local/bin/awstats_update.sh
#!/bin/bash
/usr/bin/awstats_updateall.pl now -confdir="/etc" -awstatsprog="/var/www/awstats/awstats.pl" >/dev/null
- Added script to crontab
crontab -e
# Used to get all httpd logs for AWStats
0 0,6,12,18 * * * /usr/bin/ionice -c2 -n4 /usr/local/awstats/get_logs.sh >/dev/null 2>&1
# Used to update AWStats
0 1,7,13,19 * * * /usr/local/bin/awstats_update.sh >/dev/null 2>&1
- Moved over logs, configuration files, etc. from previous installation
- Modified .conf files in
/etc/awstats/to use the correct config files and locations
- Updated Statistics
/usr/bin/awstats_updateall.pl now -confdir="/etc" -awstatsprog="/var/www/awstats/awstats.pl"
- Restarted Apache
/etc/init.d/httpd restart
Important Notes
- Upon upgrading AWStats, the docs link on the AWStats page on Netstat will need to point to the new directory.
Installed & Configured Cacti
- Installed Cacti & Required Dependencies
yum install cacti mysql-server liberation-fonts
- Configured
mysqldto start on boot/sbin/chkconfig --levels 345 mysqld on
- Started
mysqld/etc/init.d/mysqld start
- Set the password for the MySQL root user
/usr/bin/mysqladmin -u root password 'PASSWORD-GOES-HERE'
- Created the MySQL cacti database
/usr/bin/mysqladmin -u root -p create cacti
- Logged into the MySQL database and granted the
cactiuseraccess to the cacti database/usr/bin/mysql -u root -p
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 46
Server version: 5.0.77 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> GRANT ALL ON cacti.* TO 'cactiuser'@'localhost' IDENTIFIED BY 'CACTIUSER-PASSWORD-GOES-HERE';
Query OK, 0 rows affected (0.00 sec)
mysql> quit
Bye
- Populated the cacti database
/usr/bin/mysql cacti -u cactiuser -p < /var/www/cacti/cacti.sql
- Modified
/var/www/cacti/include/config.phpto have the correct password for the cacti database
$database_password = "CACTIUSER-PASSWORD-GOES-HERE";
- Modified root's crontab to update Cacti every five minutes
crontab -e
# Used to update Cacti
*/5 * * * * /usr/bin/php /var/www/cacti/poller.php >> /var/log/cacti 2>&1
- Modified
/etc/httpd/conf.d/cacti.confto fix url and allow access from anywhere
Alias /cacti /var/www/cacti/
<Directory /var/www/cacti/>
DirectoryIndex index.php
Options -Indexes
SSLRequireSSL
AllowOverride all
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc on
php_flag track_vars on
</Directory>
- Restarted Apache
/etc/init.d/httpd graceful
- Went to
http://netstat.cslabs.clarkson.edu/cacti/& went through the following screens
Important Notes
- Upon upgrading
rrdtoolgraphs will stop displaying properly. This can be fixed by logging into Cacti and adjusting the rrdtool version.
Installed and Configured Piwik
Unpacking the Files
- Navigate to /var/www
- Download and unpack the files
wget http://piwik.org/latest.zipunzip latest.zip
- Give Piwik Permission to Access its Folder
chmod -R g+w piwik/chgrp -R apache piwik/
- Install the following packages: php-json, php-dom, php-gd, and php-mbstring
- Configure Apache to recognize the piwik directory
- Open /etc/httpd/conf.d/piwik.conf
- Paste in the following:
Alias /piwik /var/www/piwik/ <Directory /var/www/piwik/> Options ExecCGI Order allow,deny Allow from all AddType application/x-httpd-php .php php_flag magic_quotes_gpc on php_flag track_vars on </Directory>
- Restart httpd
/etc/init.d/httpd restart
Configure MySQL for Piwik Installation
- Create the piwik database, user, and allow the piwik user to access the database
CREATE DATABASE piwik;CREATE USER 'piwik'@'localhost' IDENTIFIED BY 'insert password here';GRANT ALL ON piwik.* TO 'piwik'@'localhost';
- Exit MySQL
Install Piwik
- Piwik Installation Guide
- Navigate to netstat.cslabs.clarkson.edu/piwik
- Follow the prompts in the installation screens
- Note: the php time zone detection support will give a warning; this is OK as time zones can be set manually
- For the database setup, use the following:
- database server: localhost
- login: piwik
- password: whatever you set while configuring MySQL
- database name: piwik
- table prefix: piwik_
- adapter: PDO_MYSQL
- The create a super user step of installation creates the administrator for piwik
- Set up the first website during installation and paste the tracking code into the page (note: each site you monitor will need different tracking code)
- To set forced SSL during login (note: forcing SSL via Apache configuration files will break Piwik's visitor tracking):
- Open /var/www/piwik/config/config.ini.php
- Under the username, email, and password for the superuser, add the following:
[General] force_ssl_login=1
