NetStat Setup Process

From CSLabsWiki
Jump to: navigation, search


This page summarizes how the virtual machine netstat was set up in Spring 2009.

Install

  • Installed CentOS 5.2 x64.
    • Partition Scheme
      • 15 GB /
      • 3.9 GB /var
      • 1024 MB swap

Configuration

Updated System

  • Configured Yum Priorities & to use our mirror
    • Edited /etc/yum.repos.d/CentOS-Base.repo
# CentOS-Base.repo
#
# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://mirror.clarkson.edu/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
exclude=nmap

#released updates
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirror.clarkson.edu/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1
exclude=nmap

#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
baseurl=http://mirror.clarkson.edu/centos/$releasever/addons/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://mirror.clarkson.edu/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=http://mirror.clarkson.edu/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
baseurl=http://mirror.clarkson.edu/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2
    • Edited /etc/yum.repos.d/rpmforge.repo
# Name: RPMforge RPM Repository for Red Hat Enterprise 5 - dag
# URL: http://rpmforge.net/
[rpmforge]
name = Red Hat Enterprise $releasever - RPMforge.net - dag
baseurl = http://mirror.clarkson.edu/rpmforge/redhat/el5/en/$basearch/dag
#mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1
priority=15
    • Edited /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=30

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
baseurl=http://mirror.clarkson.edu/epel/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=30

[epel-source]
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
baseurl=http://mirror.clarkson.edu/epel/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=30
    • Edited /etc/yum.repos.d/epel-testing.repo
[epel-testing]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=40

[epel-testing-debuginfo]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Debug
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-debug-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=40

[epel-testing-source]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Source
baseurl=http://mirror.clarkson.edu/epel/testing/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-source-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=40
  • Disabled Yum FastestMirror since using local mirror
    • sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf
  • Installed Yum Priorities (Note: This must be installed prior to installing the packages below.)
    • yum install yum-priorities
  • Configured Yum Priorities to check for obsoletes
    • echo "check_obsoletes=1" >> /etc/yum/pluginconf.d/priorities.conf
  • yum install vim-enhanced gcc emacs-nox screen nmap
  • yum update

Created User

  • Created user mccarrms
    • /usr/sbin/useradd -m mccarrms
  • Set password for mccarrms
    • passwd mccarrms

Configured Sudo

  • /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.

#User_Alias ADMINS =

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

## Shells
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su

## Users
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/userhelper, /usr/sbin/usermod, /usr/sbin/usernetctl

Defaults    requiretty

Defaults    env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
#ADMINS ALL=(root) ALL, !SHELLS, !USERS, !DELEGATING

Configured Networks

  • Configured hostname in /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=netstat
  • Verified eth0 configuration for Clarkson Network in /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
BROADCAST=128.153.145.255
HWADDR=00:16:3E:1B:DA:CA
IPADDR=128.153.145.16
NETMASK=255.255.255.0
NETWORK=128.153.145.0
ONBOOT=yes
GATEWAY=128.153.145.1
TYPE=Ethernet
  • Verified eth1 configuration for the Server Room Network in /etc/sysconfig/network-scripts/ifcfg-eth1
# Xen Virtual Ethernet
DEVICE=eth1
BOOTPROTO=none
BROADCAST=10.0.1.255
HWADDR=00:16:3E:70:AA:10
IPADDR=10.0.1.55
NETMASK=255.255.255.0
NETWORK=10.0.1.0
ONBOOT=yes
TYPE=Ethernet
  • Verified eth2 configuration for the Internal Network in /etc/sysconfig/network-scripts/ifcfg-eth2
# Xen Virtual Ethernet
DEVICE=eth2
BOOTPROTO=none
BROADCAST=10.0.0.255
HWADDR=00:16:3E:78:CF:CD
IPADDR=10.0.0.21
NETMASK=255.255.255.0
NETWORK=10.0.0.0
ONBOOT=yes
TYPE=Ethernet

Configured Hosts

  • Edited /etc/hosts
127.0.0.1       localhost.localdomain   localhost
128.153.145.16  netstat.cslabs.clarkson.edu netstat.cslabs netstat
10.0.1.55       netstat.sr.cslabs.clarkson.edu netstat.sr.cslabs netstat.sr
10.0.0.21       netstat.int.cslabs.clarkson.edu netstat.int.cslabs netstat.int
  • Edited /etc/hosts.allow
For security purposes, this information has been intentionally left off.
  • Edited /etc/hosts.deny
ALL: ALL

Configured DNS Servers

  • Edited /etc/resolv.conf
search cslabs.clarkson.edu clarkson.edu
nameserver 128.153.145.3
nameserver 128.153.145.4

Disabled IP v6

  • Appended the following to /etc/modprobe.conf
install ipv6 /bin/true
  • Disabled IP v6 firewall
    • /sbin/chkconfig ip6tables off

Configured IPtables

  • Edited /etc/sysconfig/iptables
Due to the sensitivity of this material, this config file has been left off; however, the following rules are needed.

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Configured SSH

  • Edited /etc/ssh/sshd_config
Due to the sensitivity of this material, this config file has been left off.
  • Restarted sshd
    • /etc/init.d/sshd restart

Set Up SSH Login Banner

  • Edited /etc/issue.net
            __      __       __ 
  ___  ___ / /____ / /____ _/ /_
 / _ \/ -_) __(_-</ __/ _ `/ __/
/_//_/\__/\__/___/\__/\_,_/\__/ 
                                

Configured Password Requirements

  • Edited /etc/login.defs
MAIL_DIR        /var/spool/mail

PASS_MAX_DAYS   360
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   60

UID_MIN                   500
UID_MAX                 60000

GID_MIN                   500
GID_MAX                 60000

CREATE_HOME     yes

UMASK           077

USERGROUPS_ENAB yes

MD5_CRYPT_ENAB yes

ENCRYPT_METHOD MD5

Added Custom PATH Variables

  • Added the following to /etc/profile
PATH=$PATH:/usr/sbin:/sbin
export PATH

Configured Aliases

  • Edited /etc/aliases
#
#  Aliases in this file will NOT be expanded in the header from
#  Mail, but WILL be visible over networks or from /bin/mail.
#
#       >>>>>>>>>>      The program "newaliases" must be run after
#       >> NOTE >>      this file is updated for any changes to
#       >>>>>>>>>>      show through to sendmail.
#

# Basic system aliases -- these MUST be present.
mailer-daemon:  postmaster
postmaster:     logwatch@cslabs.clarkson.edu

# General redirections for pseudo accounts.
bin:            logwatch@cslabs.clarkson.edu
daemon:         logwatch@cslabs.clarkson.edu
adm:            logwatch@cslabs.clarkson.edu
lp:             logwatch@cslabs.clarkson.edu
sync:           logwatch@cslabs.clarkson.edu
shutdown:       logwatch@cslabs.clarkson.edu
halt:           logwatch@cslabs.clarkson.edu
mail:           logwatch@cslabs.clarkson.edu
news:           logwatch@cslabs.clarkson.edu
uucp:           logwatch@cslabs.clarkson.edu
operator:       logwatch@cslabs.clarkson.edu
games:          logwatch@cslabs.clarkson.edu
gopher:         logwatch@cslabs.clarkson.edu
ftp:            logwatch@cslabs.clarkson.edu
nobody:         logwatch@cslabs.clarkson.edu
radiusd:        logwatch@cslabs.clarkson.edu
nut:            logwatch@cslabs.clarkson.edu
dbus:           logwatch@cslabs.clarkson.edu
vcsa:           logwatch@cslabs.clarkson.edu
canna:          logwatch@cslabs.clarkson.edu
wnn:            logwatch@cslabs.clarkson.edu
rpm:            logwatch@cslabs.clarkson.edu
nscd:           logwatch@cslabs.clarkson.edu
pcap:           logwatch@cslabs.clarkson.edu
apache:         logwatch@cslabs.clarkson.edu
webalizer:      logwatch@cslabs.clarkson.edu
dovecot:        logwatch@cslabs.clarkson.edu
fax:            logwatch@cslabs.clarkson.edu
quagga:         logwatch@cslabs.clarkson.edu
radvd:          logwatch@cslabs.clarkson.edu
pvm:            logwatch@cslabs.clarkson.edu
amanda:         logwatch@cslabs.clarkson.edu
privoxy:        logwatch@cslabs.clarkson.edu
ident:          logwatch@cslabs.clarkson.edu
named:          logwatch@cslabs.clarkson.edu
xfs:            logwatch@cslabs.clarkson.edu
gdm:            logwatch@cslabs.clarkson.edu
mailnull:       logwatch@cslabs.clarkson.edu
postgres:       logwatch@cslabs.clarkson.edu
sshd:           logwatch@cslabs.clarkson.edu
smmsp:          logwatch@cslabs.clarkson.edu
postfix:        logwatch@cslabs.clarkson.edu
netdump:        logwatch@cslabs.clarkson.edu
ldap:           logwatch@cslabs.clarkson.edu
squid:          logwatch@cslabs.clarkson.edu
ntp:            logwatch@cslabs.clarkson.edu
mysql:          logwatch@cslabs.clarkson.edu
desktop:        logwatch@cslabs.clarkson.edu
rpcuser:        logwatch@cslabs.clarkson.edu
rpc:            logwatch@cslabs.clarkson.edu
nfsnobody:      logwatch@cslabs.clarkson.edu

ingres:         logwatch@cslabs.clarkson.edu
system:         logwatch@cslabs.clarkson.edu
toor:           logwatch@cslabs.clarkson.edu
manager:        logwatch@cslabs.clarkson.edu
dumper:         logwatch@cslabs.clarkson.edu
abuse:          logwatch@cslabs.clarkson.edu

newsadm:        news
newsadmin:      news
usenet:         news
ftpadm:         ftp
ftpadmin:       ftp
ftp-adm:        ftp
ftp-admin:      ftp
www:            webmaster
webmaster:      logwatch@cslabs.clarkson.edu
noc:            logwatch@cslabs.clarkson.edu
security:       logwatch@cslabs.clarkson.edu
hostmaster:     logwatch@cslabs.clarkson.edu
info:           postmaster
marketing:      postmaster
sales:          postmaster
support:        postmaster


# trap decode to catch security attacks
decode:         logwatch@cslabs.clarkson.edu

# Person who should get roots's mail
root:           logwatch@cslabs.clarkson.edu
  • Updated aliases
    • /usr/bin/newaliases

Disabled Various Kernel Modules

  • Added the following to /etc/modprobe.conf
install pppox /bin/true
install bluetooth /bin/true
install sctp /bin/true

Installed & Configured SNMP

  • Installed needed packages
yum install net-snmp ntp
  • Configured SNMP Daemon /etc/snmp/snmpd.conf
rocommunity     <passphrase>  127.0.0.1
rocommunity     <passphrase>  <ipsallowed>
 
syslocation Clarkson University Applied CS Labs
syscontact Matt McCarrell <mccarrms@gmail.com>
disk /
disk /var
proc nagios
exec timeskew /usr/local/sbin/ntp_check
exec uptime /usr/bin/uptime
  • Deployed ntp_check script
    • Copied over /usr/local/sbin/ntp_check from Isengard to /usr/local/sbin/
    • chown root.root /usr/local/sbin/ntp_check
  • Configured SNMP to start at specific run levels
/sbin/chkconfig --levels 2345 snmpd on
  • Started daemon
/etc/init.d/snmpd start

Increased Detail of Logwatch Reports

  • Set detail level to be high
echo "Detail = High" >> /etc/logwatch/conf/logwatch.conf

Disabled Unneeded Services

chkconfig nfs off
/etc/init.d/nfs stop
chkconfig nfslock off
/etc/init.d/nfslock stop
chkconfig rpcgssd off
/etc/init.d/rpcgssd stop
chkconfig rpcidmapd off
/etc/init.d/rpcidmapd stop
chkconfig rpcsvcgssd off
/etc/init.d/rpcsvcgssd stop
chkconfig portmap off
/etc/init.d/portmap stop
chkconfig netfs off
/etc/init.d/netfs stop
chkconfig anacron off
/etc/init.d/anacron stop
chkconfig autofs off
/etc/init.d/autofs stop
chkconfig avahi-daemon off
/etc/init.d/avahi-daemon stop
chkconfig avahi-dnsconfd off
/etc/init.d/avahi-dnsconfd stop
chkconfig bluetooth off
/etc/init.d/bluetooth stop
chkconfig hidd off
/etc/init.d/hidd stop
chkconfig cups off
/etc/init.d/cups stop
chkconfig firstboot off
/etc/init.d/firstboot stop
chkconfig gpm off
/etc/init.d/gpm stop
chkconfig haldaemon off
/etc/init.d/haldaemon stop
chkconfig irda off
/etc/init.d/irda stop
chkconfig kudzu off
/etc/init.d/kudzu stop
chkconfig messagebus off
/etc/init.d/messagebus stop
chkconfig microcode_ctl off
/etc/init.d/microcode_ctl stop
chkconfig pcscd off
/etc/init.d/pcscd stop
chkconfig readahead_early off
/etc/init.d/readahead_early stop
chkconfig readahead_later off
/etc/init.d/readahead_later stop
chkconfig ypbind off
/etc/init.d/ypbind stop

Modified Cron Weekly Execution Time

This was done to reduce load spikes that produce Nagios alerts around 4:30 AM every Sunday. In the event that this VM get moved off of righteous, this should be changed back to the default setting of 4:22 AM.

  • Modified the following line in /etc/crontab
02 5 * * 0 root run-parts /etc/cron.weekly

Installed Nagios

Installed & Configured Prerequisites

Installed Apache with SSL

  • yum install httpd mod_ssl openssl-devel net-snmp net-snmp-libs net-snmp-perl net-snmp-perl net-snmp-utils net-snmp-devel mysql php-suhosin
  • Modified Apache Config /etc/httpd/conf/httpd.conf
ServerTokens Prod
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 30
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
TraceEnable Off

<IfModule prefork.c>
StartServers       5
MinSpareServers    5
MaxSpareServers   10
ServerLimit       50
MaxClients        50
MaxRequestsPerChild  0
</IfModule>

<IfModule worker.c>
StartServers         2
MaxClients         150
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  0
</IfModule>

Listen 80

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule version_module modules/mod_version.so

Include conf.d/*.conf

User apache
Group apache

ServerAdmin web-admin@cslabs.clarkson.edu

UseCanonicalName Off

DocumentRoot "/var/www/html"

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<IfModule mod_userdir.c>
    UserDir disable
</IfModule>

DirectoryIndex index.html index.html.var

AccessFileName .htaccess

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

TypesConfig /etc/mime.types

DefaultType text/plain

<IfModule mod_mime_magic.c>
#   MIMEMagicFile /usr/share/magic.mime
    MIMEMagicFile conf/magic
</IfModule>

HostnameLookups Off

ErrorLog logs/error_log
LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog logs/access_log combined

ServerSignature Off

Alias /icons/ "/var/www/icons/"

<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<IfModule mod_dav_fs.c>
    # Location of the WebDAV lock database.
    DAVLockDB /var/lib/dav/lockdb
</IfModule>

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif

ReadmeName README.html
HeaderName HEADER.html

IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw

LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW

ForceLanguagePriority Prefer Fallback

AddDefaultCharset UTF-8

AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

AddHandler type-map var

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

Alias /error/ "/var/www/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
    <Directory "/var/www/error">
        AllowOverride None
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
        LanguagePriority en es de fr
        ForceLanguagePriority Prefer Fallback
    </Directory>
</IfModule>
</IfModule>

#ErrorDocument 404 /error/404.html

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/atom_xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/x-httpd-eruby
AddOutputFilterByType DEFLATE text/html
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

RedirectMatch permanent ^/$ http://admin.cslabs.clarkson.edu/
  • Disabled /etc/httpd/conf.d/welcome.conf
#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL.  To disable the Welcome page, comment
# out all the lines below.
#
#<LocationMatch "^/+$">
#    Options -Indexes
#    ErrorDocument 403 /error/noindex.html
#</LocationMatch>

  • Disabled /etc/httpd/conf.d/proxy_ajp.conf

#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

#
# When loaded, the mod_proxy_ajp module adds support for
# proxying to an AJP/1.3 backend server (such as Tomcat).
# To proxy to an AJP backend, use the "ajp://" URI scheme;
# Tomcat is configured to listen on port 8009 for AJP requests
# by default.
#

#
# Uncomment the following lines to serve the ROOT webapp
# under the /tomcat/ location, and the jsp-examples webapp
# under the /examples/ location.
#
#ProxyPass /tomcat/ ajp://localhost:8009/
#ProxyPass /examples/ ajp://localhost:8009/jsp-examples/


  • Configured Apache to start on boot
    • /sbin/chkconfig --levels 345 httpd on

Installed & Configured Nagios

  • Install Nagios & Plugins
    • yum install nagios nagios-plugins nagios-plugins-setuid
  • Customized the default Nagios Apache conf /etc/httpd/conf.d/nagios.conf
ScriptAlias /nagios/cgi-bin "/usr/lib64/nagios/cgi"

<Directory "/usr/lib64/nagios/cgi">
   SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthName "CS Labs Nagios Access"
   AuthType Basic
   AuthUserFile /etc/nagios/htpasswd.users
   Require valid-user
</Directory>

Alias /nagios "/usr/share/nagios"

<Directory "/usr/share/nagios">
   SSLRequireSSL
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthName "CS Labs Nagios Access"
   AuthType Basic
   AuthUserFile /etc/nagios/htpasswd.users
   Require valid-user
</Directory>
  • Removed the last line of /etc/httpd/conf/httpd.conf
# Include /etc/httpd/conf.d/nagios.conf
  • Put previous Nagios config files from former installation in /etc/nagios/
  • Customized /etc/nagios/nagios.cfg, /etc/nagios/cgi.cfg, & /etc/nagios/resource.cfg to use the correct config files and locations

Installed NRPE Plugin

  • Extracted nrpe
    • tar xzf nrpe-2.12.tar.gz
  • Compiled & Installed Plugin
    • cd nrpe-2.12
    • ./configure
    • make all
    • make install-plugin
    • mv /usr/local/nagios/libexec/check_nrpe /usr/lib64/nagios/plugins/
    • rm -r /usr/local/nagios

Started Nagios

  • Started Nagios
    • /etc/init.d/nagios start
  • Started Apache
    • /etc/init.d/httpd start

Installed AWStats

Installed & Configured AWStats

  • Installed AWStats
    • yum install awstats
  • Created a needed directory
    • mkdir /var/www/awstats/webstats/
  • Modified AWStats Apache Configuration
    • Edited /etc/httpd/conf.d/awstats.conf
Alias /webstats /var/www/awstats/webstats/
Alias /awstats/icon /var/www/awstats/icon/
Alias /awstats/docs /usr/share/doc/awstats-6.9/
ScriptAlias /awstats /var/www/awstats/

<Directory /var/www/awstats/>
  SSLRequireSSL
  Options ExecCGI
  Order allow,deny
  Allow from all
  AuthName "CS Labs AWStats Access"
  AuthType Basic
  AuthUserFile /etc/nagios/htpasswd.users
  Require valid-user
</Directory>

<Directory /var/www/awstats/webstats/>
  SSLRequireSSL
  Order allow,deny
  Allow from all
  AuthName "CS Labs AWStats Access"
  AuthType Basic
  AuthUserFile /etc/nagios/htpasswd.users
  Require valid-user
</Directory>

<Directory /usr/local/awstats/docs/>
  SSLRequireSSL
  Options None
  AllowOverride None
  Order allow,deny
  Allow from all
  AuthName "CS Labs AWStats Access"
  AuthType Basic
  AuthUserFile /etc/nagios/htpasswd.users
  Require valid-user
</Directory>
  • Removed default update script
    • rm /etc/cron.hourly/00awstats
  • Created new update script /usr/local/bin/awstats_update.sh
#!/bin/bash

/usr/bin/awstats_updateall.pl now -confdir="/etc" -awstatsprog="/var/www/awstats/awstats.pl" >/dev/null
  • Added script to crontab
    • crontab -e
# Used to get all httpd logs for AWStats
0 0,6,12,18 * * * /usr/bin/ionice -c2 -n4 /usr/local/awstats/get_logs.sh >/dev/null 2>&1
# Used to update AWStats
0 1,7,13,19 * * * /usr/local/bin/awstats_update.sh >/dev/null 2>&1
  • Moved over logs, configuration files, etc. from previous installation
  • Modified .conf files in /etc/awstats/ to use the correct config files and locations
  • Updated Statistics
    • /usr/bin/awstats_updateall.pl now -confdir="/etc" -awstatsprog="/var/www/awstats/awstats.pl"
  • Restarted Apache
    • /etc/init.d/httpd restart

Important Notes

  • Upon upgrading AWStats, the docs link on the AWStats page on Netstat will need to point to the new directory.

Installed & Configured Cacti

  • Installed Cacti & Required Dependencies
    • yum install cacti mysql-server liberation-fonts
  • Configured mysqld to start on boot
    • /sbin/chkconfig --levels 345 mysqld on
  • Started mysqld
    • /etc/init.d/mysqld start
  • Set the password for the MySQL root user
    • /usr/bin/mysqladmin -u root password 'PASSWORD-GOES-HERE'
  • Created the MySQL cacti database
    • /usr/bin/mysqladmin -u root -p create cacti
  • Logged into the MySQL database and granted the cactiuser access to the cacti database
    • /usr/bin/mysql -u root -p
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 46
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> GRANT ALL ON cacti.* TO 'cactiuser'@'localhost' IDENTIFIED BY 'CACTIUSER-PASSWORD-GOES-HERE';
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Bye
  • Populated the cacti database
    • /usr/bin/mysql cacti -u cactiuser -p < /var/www/cacti/cacti.sql
  • Modified /var/www/cacti/include/config.php to have the correct password for the cacti database
$database_password = "CACTIUSER-PASSWORD-GOES-HERE";
  • Modified root's crontab to update Cacti every five minutes
    • crontab -e
# Used to update Cacti
*/5 * * * * /usr/bin/php /var/www/cacti/poller.php >> /var/log/cacti 2>&1
  • Modified /etc/httpd/conf.d/cacti.conf to fix url and allow access from anywhere
Alias /cacti /var/www/cacti/
<Directory /var/www/cacti/>
    DirectoryIndex index.php
    Options -Indexes
    SSLRequireSSL
    AllowOverride all
    AddType application/x-httpd-php .php
    php_flag magic_quotes_gpc on
    php_flag track_vars on
</Directory>
  • Restarted Apache
    • /etc/init.d/httpd graceful

Cacti-Install-1.png


Cacti-Install-2.png


Cacti-Install-3.png

Important Notes

  • Upon upgrading rrdtool graphs will stop displaying properly. This can be fixed by logging into Cacti and adjusting the rrdtool version.

Installed and Configured Piwik

Unpacking the Files

  • Navigate to /var/www
  • Download and unpack the files
  • Give Piwik Permission to Access its Folder
    • chmod -R g+w piwik/
    • chgrp -R apache piwik/
  • Install the following packages: php-json, php-dom, php-gd, and php-mbstring
  • Configure Apache to recognize the piwik directory
    • Open /etc/httpd/conf.d/piwik.conf
    • Paste in the following:
Alias /piwik /var/www/piwik/

<Directory /var/www/piwik/>
  Options ExecCGI
  Order allow,deny
  Allow from all
  AddType application/x-httpd-php .php
  php_flag magic_quotes_gpc on
  php_flag track_vars on
</Directory>
  • Restart httpd
    • /etc/init.d/httpd restart

Configure MySQL for Piwik Installation

  • Create the piwik database, user, and allow the piwik user to access the database
    • CREATE DATABASE piwik;
    • CREATE USER 'piwik'@'localhost' IDENTIFIED BY 'insert password here';
    • GRANT ALL ON piwik.* TO 'piwik'@'localhost';
  • Exit MySQL

Install Piwik

  • Piwik Installation Guide
  • Navigate to netstat.cslabs.clarkson.edu/piwik
  • Follow the prompts in the installation screens
    • Note: the php time zone detection support will give a warning; this is OK as time zones can be set manually
    • For the database setup, use the following:
      • database server: localhost
      • login: piwik
      • password: whatever you set while configuring MySQL
      • database name: piwik
      • table prefix: piwik_
      • adapter: PDO_MYSQL
  • The create a super user step of installation creates the administrator for piwik
  • Set up the first website during installation and paste the tracking code into the page (note: each site you monitor will need different tracking code)
  • To set forced SSL during login (note: forcing SSL via Apache configuration files will break Piwik's visitor tracking):
    • Open /var/www/piwik/config/config.ini.php
    • Under the username, email, and password for the superuser, add the following:
[General]
force_ssl_login=1