About Me

Kalyan Kumar Pasupuleti B-Tech(Information Technology). • AWS Certified Solutions Architect - Associate • RedHat Certified Engineer(RHCE) • Directory Services and Authentication Certificate of Expertise(LDAP) • Red Hat SELinux Policy Administration Certificate of Expertise(SELinux) • Network Services Security Certificate of Expertise (Network Services) • RedHat Certified Virtualization Administrator(RHCVA) • Red Hat Certified Security Specialist (RHCSS) Working as Cloud DevOps engineer

Monday, October 28, 2013

Redirect port 8080 traffic to port 80 How To?

Install Tomcat


These instructions explain how to install Tomcat and configure the Apache web server to act as a proxy that redirects port 8080 traffic to port 80:
If the following packages are not installed, install them:
  • yum install tomcat6
  • yum install java-1.6.0-openjdk
  • yum install httpd
How to check if they are installed or not:
  • rpm -qa |grep
Start the tomcat6 service:
  • /etc/init.d/tomcat6 start
Now make this service start automatically after the Linux box is restarted by using chkconfig:
  • chkconfig tomcat6 on
  • chkconfig --list tomcat6
tomcat6 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Now access the tomcat home page using below URL:
  • http://localhost:8080

Create a sample test page

Create a directory called dev in the tomcat’s webapps folder
  • mkdir /var/lib/tomcat6/webapps/dev
Create a test page in the dev directory
  • vim /var/lib/tomcat6/webapps/dev/test.html
  • Welcome to sample test page
  • Save and exit.
Now access the test page using below URL:
  • http://localhost:8080/dev/test.html
If you want to see the directory listing of the dev directory in a browser, you need to enable listings in the web.xml file.
Open the web.xml file (/etc/tomcat6/web.xml) and change
<param-name>listings</param-name>
<param-value>false</param-value>
To
<param-name>listings</param-name>
<param-value>true</param-value>
Note: You can place all your required content in the webapps/dev directory and access them using http://localhost:8080/dev

Redirecting port 8080 traffic to port 80

Configure your copy of Apache so that it includes the mod_proxy module. If you are building from source, the easiest way to do this is to include the --enable-module=proxy directive on the ./configure command line.
By default, the mod_proxy module is installed and enabled when you install httpd using yum (yum install httpd). We need to verify whether the module is loaded in the httpd.conf file.
After installing httpd, check whether the mod_proxy module is installed. Generally the module location is:
  • /usr/lib/httpd/modules/mod_proxy.so
Check if the module is loaded in the httpd.conf file. If not already added for you, make sure that you are loading the mod_proxy module at Apache startup time, by using the following directives in your httpd.conf file:
  • LoadModule proxy_module modules/mod_proxy.so
Include two directives in your httpd.conf file for each web application that you wish to forward to Tomcat. For example, to forward an application at context path /dev:
  • ProxyPass /dev http://<ip address or URL>:8080/dev
  • ProxyPassReverse /dev http://<ip address or URL>:8080/dev
This tells Apache to forward URLs of the form http://<ip address or URL>/dev/* to the Tomcat connector listening on port 8080.
Now save the httpd.conf file and restart/reload the service to effect the changes.
  • /etc/init.d/httpd restart/reload
Configure your Tomcat to include a special <Connector> element, with appropriate proxy settings.
Edit the file /etc/tomcat6/server.xml as:
<Connector port="8080" className="org.apache.catalina.connector.http.HttpConnector" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
proxyName="<IP address>"
proxyPort="80" />
This causes servlets inside this web application to think that all proxied requests were directed to the server IP address on port 80.
Save the file and exit.
Restart tomcat6 service to effect the changes - /etc/init.d/tomcat6 restart
Now access the dev directory content using below URL:
  • http://localhost/dev (Instead of http://localhost:8080/dev)

Securing the tomcat webapp

We need to enable the MemoryRealm. We can do so by adding below line to the server.xml file inside our tomcat’s conf directory.
  • vim /etc/tomcat6/server.xml
<Realm className="org.apache.catalina.realm.MemoryRealm" />
Save and exit the file.
We need to add a user and a role for our webapp inside the tomcat-users.xml file, which can be found in the same directory.
Edit the file as shown below:
  • # vim /etc/tomcat6/tomcat-users.xml
<role rolename="admin-gui"/>
<user username="<user>" password="<password>" roles="admin-gui"/>
Save and exit
The next step will be to add the login information inside the webapp we want to protect. Open webapp’s web.xml file. Write the following lines in our web.xml (located inside the web-app element).
  • # vim /etc/tomcat6/web.xml
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>dev</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin-gui</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>dev</realm-name>
</login-config>
</web-app>
Save and exit the file.
Restart tomcat6 - /etc/init.d/tomcat6 restart.
Now access the URL below; it will prompt you for credentials:
  • http://localhost/dev
Enter below credentials which were entered in the tomcat-users.xml file earlier:
  • UserName: <user>
  • Password: <password>

Saturday, May 11, 2013

How to disable HTTP Trace & Track methods?

TRACE and TRACK are HTTP methods used for debugging web server connections.

Although these methods are useful for legitimate purposes, they may compromise the security of your server by enabling cross-site tracing (XST) attacks. By exploiting certain browser vulnerabilities, an attacker may use the TRACE and TRACK methods to intercept your visitors’ sensitive data. The solution is to disable these methods on your web server.

By default this method is enabled in Apache.


Verification

Here is an example of how to check whether HTTP TRACE is enabled on your web server.

[root@cluster2 ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 127.0.0.1
Here Press ENTER twice!

HTTP/1.1 200 OK
Date: Sat, 11 May 2013 14:46:59 GMT
Server: Apache/2.2.3 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

25
TRACE / HTTP/1.1
Host: 127.0.0.1


0

Connection closed by foreign host.

To disable TRACE and TRACK HTTP methods on your Apache-powered webserver, add the following directives to your main configuration file /etc/httpd/conf/httpd.conf


RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

These directives disable the TRACE and TRACK methods via the following process:

RewriteEngine on — enables Apache’s rewrite module (this directive is not required if already present in your htaccess file)

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) — targets all TRACE and TRACK request methods for the following rule

RewriteRule .* - [F] — return a 403 Forbidden error response for all matched conditions (i.e., all TRACE and TRACK methods)

With these rules in place, your site is protected against one more potential security vulnerability

So add these 3 lines as shown below:

# vim /etc/httpd/conf/httpd.conf


<VirtualHost www.example.com>
...
# disable TRACE in the www.example.com virtual host
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</VirtualHost>

Save & Exit

Note:
If you have several Virtual Hosts configured, you need to do the same for every Virtual Host.
mod_rewrite must be active for these directives to be accepted.



Now restart your Apache service: /etc/init.d/httpd restart

Here is an example of how to check that HTTP TRACE is disabled on your web server:


[root@cluster2 ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 127.0.0.1
Here Press ENTER twice!

HTTP/1.1 403 Forbidden
Date: Sat, 11 May 2013 15:08:59 GMT
Server: Apache/2.2.3 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3985
Connection: close

Also verify the apache access log file:

Before TRACE disable:

127.0.0.1 - - [11/May/2013:07:31:49 -0700] "TRACE / HTTP/1.1" 200 37 "-" "-"

After TRACE disable

127.0.0.1 - - [11/May/2013:08:04:51 -0700] "TRACE / HTTP/1.1" 403 3985
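
The access-log comparison above can be automated, which helps when several Virtual Hosts write their own logs and one of them was missed. This is an added example, not part of the original post; the function names trace_audit and write_sample_log are assumptions, and the sample log lines are constructed from the two entries shown above.

```sh
#!/bin/sh
# Added example, not from the original post.
# trace_audit LOGFILE
#   Scans an Apache access log (common or combined format) and prints one line
#   per TRACE/TRACK request:  <verdict> <client> <method> <status>
#   EXPOSED = answered with a 2xx status (the method is still enabled)
#   BLOCKED = any other status, e.g. the 403 produced by "RewriteRule .* - [F]"
#   Exit status is 1 when at least one request was EXPOSED, otherwise 0.
trace_audit() {
    awk '
    {
        # Splitting on the double quote puts "METHOD URI PROTOCOL" in q[2]
        # and " STATUS BYTES ..." in q[3].
        if (split($0, q, "\"") < 3) next
        split(q[2], req, " ")
        if (req[1] != "TRACE" && req[1] != "TRACK") next
        split(q[3], tail, " ")
        verdict = (tail[1] ~ /^2[0-9][0-9]$/) ? "EXPOSED" : "BLOCKED"
        if (verdict == "EXPOSED") exposed++
        print verdict, $1, req[1], tail[1]
    }
    END { exit (exposed > 0 ? 1 : 0) }
    ' "$1"
}

# Constructed sample input, modelled on the two log entries shown in the post.
write_sample_log() {
    cat > "$1" <<'EOF'
127.0.0.1 - - [11/May/2013:07:31:49 -0700] "TRACE / HTTP/1.1" 200 37 "-" "-"
127.0.0.1 - - [11/May/2013:07:40:02 -0700] "GET /dev/test.html HTTP/1.1" 200 28 "-" "-"
127.0.0.1 - - [11/May/2013:08:04:51 -0700] "TRACE / HTTP/1.1" 403 3985
192.0.2.10 - - [11/May/2013:08:05:10 -0700] "TRACK / HTTP/1.1" 403 3985 "-" "-"
EOF
}

# Demo run on the constructed sample.
demo_log=$(mktemp)
write_sample_log "$demo_log"
trace_audit "$demo_log" || echo "TRACE/TRACK still answered with 2xx: check every VirtualHost"
rm -f "$demo_log"
```

On a real server, point trace_audit at each Virtual Host's access log, for example /var/log/httpd/access_log on a default RHEL/CentOS install.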

So Now your site is protected against one more potential security vulnerability...... :)


Wednesday, April 24, 2013

How to install JDK-1.6 and Tomcat 7 on RHEL/CentOS?

This short article describes how to install JDK-1.6 and Tomcat 7 on a Linux box.

Prerequisites

1. jdk-6u39-linux-i586.bin
2. apache-tomcat-7.0.39.tar.gz

Download the files using below URLs

http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
http://tomcat.apache.org/download-70.cgi#7.0.39

According to my configuration I have downloaded both the files to /opt folder.

After downloading install JDK as shown below:


[root@cluster1 ~]# cd /opt/
[root@cluster1 opt]# ls -l

-rw-r--r-- 1 root root 71756435 Apr 24 06:18 jdk-6u39-linux-i586.bin

Provide the execute permission to the bin file

[root@cluster1 opt]# chmod +x jdk-6u39-linux-i586.bin




[root@cluster1 opt]# ls -l jdk-6u39-linux-i586.bin
-rwxr-xr-x 1 root root 71756435 Apr 24 06:18 jdk-6u39-linux-i586.bin

Now execute the below command to install JDK:

[root@cluster1 opt]# ./jdk-6u39-linux-i586.bin
Unpacking...
        .
        .
        .

Press Enter to continue..... (Press enter key here to complete the unpacking)

Now you can see that a folder named jdk1.6.0_39 has been created in the /opt folder:

[root@cluster1 opt]# ll
drwxr-xr-x 8 root root     4096 Apr 24 06:23 jdk1.6.0_39
-rwxr-xr-x 1 root root 71756435 Apr 24 06:18 jdk-6u39-linux-i586.bin

Now download and install tomcat using below URL:


[root@cluster1 opt]# wget http://apache.techartifact.com/mirror/tomcat/tomcat-7/v7.0.39/bin/apache-tomcat-7.0.39.tar.gz

Now extract the tar ball using below command:

[root@cluster1 opt]# tar -zxvf apache-tomcat-7.0.39.tar.gz

Now check the folder apache-tomcat-7.0.39 in /opt directory.

[root@cluster1 opt]# ls -l
total 77824
drwxr-xr-x 9 root root     4096 Apr 24 06:25 apache-tomcat-7.0.39
-rw-r--r-- 1 root root  7831716 Apr 24 06:24 apache-tomcat-7.0.39.tar.gz

The tomcat startup and shutdown scripts are located in below paths:

Startup script path: /opt/apache-tomcat-7.0.39/bin/startup.sh
Shutdown script path: /opt/apache-tomcat-7.0.39/bin/shutdown.sh

Now one more step ahead to complete this configuration.
You need to setup Tomcat to run as a service. So create a service (file) as shown below:

[root@cluster1 opt]# vim /etc/init.d/tomcat7

#!/bin/bash
# description: Tomcat Start Stop Restart
# processname: tomcat
# chkconfig: 234 20 80
JAVA_HOME=/opt/jdk1.6.0_39/   # This is your java home path
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
CATALINA_HOME=/opt/apache-tomcat-7.0.39 # This is your tomcat home directory

case "$1" in
start)
    sh "$CATALINA_HOME/bin/startup.sh"
    ;;
stop)
    sh "$CATALINA_HOME/bin/shutdown.sh"
    ;;
restart)
    sh "$CATALINA_HOME/bin/shutdown.sh"
    sh "$CATALINA_HOME/bin/startup.sh"
    ;;
*)
    # Unknown or missing argument: show usage and report failure
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0


Save and exit.

Now provide the execute permission to this service.

[root@cluster1 opt]# chmod +x /etc/init.d/tomcat7

Now Make this service to be run after restarting the Linux box as well by doing chkconfig:

[root@cluster1 opt]# chkconfig tomcat7 on
[root@cluster1 opt]# chkconfig --list tomcat7
tomcat7         0:off   1:off   2:on    3:on    4:on    5:on    6:off

Now all is set and it is the time to start your tomcat service and verify the site.

[root@cluster1 opt]# /etc/init.d/tomcat7 start
Using CATALINA_BASE:   /opt/apache-tomcat-7.0.39
Using CATALINA_HOME:   /opt/apache-tomcat-7.0.39
Using CATALINA_TMPDIR: /opt/apache-tomcat-7.0.39/temp
Using JRE_HOME:        /opt/jdk1.6.0_39/
Using CLASSPATH:       /opt/apache-tomcat-7.0.39/bin/bootstrap.jar:/opt/apache-tomcat-7.0.39/bin/tomcat-juli.jar

Verify whether the service is running:

[root@cluster1 opt]# ps -ef | grep java
root      8873     1  8 07:05 pts/3    00:00:02 /opt/jdk1.6.0_39//bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-7.0.39/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/opt/apache-tomcat-7.0.39/endorsed -classpath /opt/apache-tomcat-7.0.39/bin/bootstrap.jar:/opt/apache-tomcat-7.0.39/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat-7.0.39 -Dcatalina.home=/opt/apache-tomcat-7.0.39 -Djava.io.tmpdir=/opt/apache-tomcat-7.0.39/temp org.apache.catalina.startup.Bootstrap start


We can now access the Tomcat Manager page at:

http://yourdomain.com:8080 or http://yourIPaddress:8080 and we should see the Tomcat home page.


All the best.

Thursday, April 4, 2013

How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)



This tutorial describes how to give users chrooted SSH and/or chrooted SFTP access in a Linux environment.
Using this setup, the users cannot see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of.

If you want to setup an account on your system that will be used only to transfer files (and not to ssh to the system), you should setup SFTP Chroot Jail.

In a typical sftp scenario when chroot sftp is not setup, if you use sftp, you can see whole file system based on the permissions assigned to you.

If you want to give sftp access on your system to outside vendors to transfer files, you should not use standard sftp. Instead, you should setup Chroot SFTP Jail as explained below.

Non-Chroot SFTP Environment

In the following example (a typical sftp environment), user1 can sftp to the system, and view /etc folder and download the files from there:

# sftp user1@station1.example.com
user1@station1.example.com's password:
sftp> pwd
Remote working directory: /home/user1

sftp> ls
file1  abc.txt data 

sftp> cd /etc
sftp> ls -l passwd
-rw-r--r--    0 0        0            3750 Dec 29 23:09 passwd

sftp> get passwd
Fetching /etc/passwd to passwd
/etc/passwd     100% 2600     2.9KB/s   00:00

Chroot SFTP Environment

In the following example, user1 can sftp to the system, and view only the directory that you've designated for user1 to perform sftp (i.e /incoming).

When user1 tries to perform ‘cd /etc’, it will give an error message. Since SFTP is set up in a chroot environment, user1 cannot view any other files in the system.

# sftp user1@station1.example.com
user1@station1.example.com's password:
sftp> pwd
Remote working directory: /home/user1

sftp> ls
sftp> cd /etc
Couldn't canonicalise: No such file or directory

Now that you understand what a chroot SFTP environment is, let us see how to configure it.

Creating a New Group

Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.

# groupadd sftpusers

Create a new User or Modify an Existing User

Let us say you want to create a user user1 who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to perform SSH.

Now create a new user and give password as shown below:

# useradd -g sftpusers -d /incoming -s /sbin/nologin user1
# passwd user1

Verify that the user got created properly or not
# grep user1 /etc/passwd
user1:x:520:520::/incoming:/sbin/nologin

If you want to modify an existing user user2 and make him an sftp user only and put him in the chroot sftp jail, do the following:

# usermod -g sftpusers -d /incoming -s /sbin/nologin user2

Configure sftp-server

Modify the /etc/ssh/sshd_config file and comment out the line below:

# vim /etc/ssh/sshd_config
#Subsystem       sftp    /usr/libexec/openssh/sftp-server

Next, add the following line to the /etc/ssh/sshd_config file
Subsystem       sftp    internal-sftp
Save and exit the file

Specify Chroot Directory for a Group

You want to put only certain users (i.e. users who belong to the sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config

# tail /etc/ssh/sshd_config
Match Group sftpusers
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp

Match Group sftpusers – This indicates that the following lines will be matched only for users who belong to group sftpusers

ChrootDirectory /sftp/%u – This is the path that will be used for chroot after the user is authenticated. %u indicates the user. So, for user1, this will be /sftp/user1.

ForceCommand internal-sftp – This forces the execution of internal-sftp and ignores any commands that are mentioned in the ~/.ssh/rc file.

NOTE: The Match keyword is not supported in older versions (<5) of SSH, so an upgrade of openssh will be necessary.

Create sftp Home Directory

Since we’ve specified /sftp as ChrootDirectory above, create this directory (which is equivalent of your  /home directory)

# mkdir /sftp
# mkdir /sftp/user1

So, /sftp/user1 is equivalent to / for user1. When user1 connects to the system over sftp and performs “cd /”, they will see only the content of the directories under “/sftp/user1” (and not the real / of the system). This is how the chroot works.

So, under this directory /sftp/user1, create any subdirectory that you would like the user to see. For example, create an incoming directory where users can sftp their files.

# mkdir /sftp/user1/incoming

Setup Appropriate Permissions

For chroot to work properly, you need to make sure appropriate permissions are set on the directories you just created above.

Set the ownership to the user, and group to the sftpusers group as shown below.

# chown user1:sftpusers /sftp/user1/incoming

Now check the permissions of the directories as shown below:

# ls -ld /sftp/user1/incoming
drwxr-xr-x 2 user1 sftpusers 4096 Apr 04 18:31 /sftp/user1/incoming

# ls -ld /sftp/user1
drwxr-xr-x 3 root root 4096 Apr 04 18:31 /sftp/user1

# ls -ld /sftp
drwxr-xr-x 3 root root 4096 Apr 04 18:31 /sftp
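
sshd refuses a ChrootDirectory unless every component of its path is a root-owned directory that is not writable by group or others, which is why the listings above show /sftp and /sftp/user1 as root:root with mode 755 while only incoming belongs to user1. The check below is an added example, not part of the original post; the function names check_chroot_path and make_demo_tree and the optional OWNER_UID and STOP_AT arguments are assumptions, included so the check can be tried on a constructed scratch tree without root.

```sh
#!/bin/sh
# Added example, not from the original post.
# check_chroot_path DIR [OWNER_UID] [STOP_AT]
#   Walks from DIR up to STOP_AT (default /) and reports every component that
#   sshd would reject as part of a ChrootDirectory path: not a directory, not
#   owned by OWNER_UID (default 0 = root), or writable by group or others.
#   On a real server call it with DIR alone, e.g. check_chroot_path /sftp/user1
#   Exit status: 0 = all components pass, 1 = at least one FAIL, 2 = usage error.
check_chroot_path() (
    path=$1
    want_uid=${2:-0}
    stop=${3:-/}
    bad=0
    case $path in
        /*) ;;
        *) echo "usage: check_chroot_path /absolute/dir [uid] [stop_at]" >&2; exit 2 ;;
    esac
    while :; do
        if [ ! -d "$path" ]; then
            echo "FAIL $path: not a directory"
            bad=1
        else
            owner=$(stat -L -c %u "$path")   # numeric owner (GNU stat, as on RHEL/CentOS)
            mode=$(stat -L -c %a "$path")    # octal permission bits, e.g. 755
            if [ "$owner" != "$want_uid" ]; then
                echo "FAIL $path: owned by uid $owner, expected $want_uid"
                bad=1
            fi
            # A group or other digit of 2, 3, 6 or 7 means the write bit is set.
            case $mode in
                *[2367]?|*[2367])
                    echo "FAIL $path: mode $mode is writable by group or others"
                    bad=1 ;;
            esac
        fi
        if [ "$path" = "$stop" ] || [ "$path" = "/" ]; then
            break
        fi
        path=$(dirname "$path")
    done
    [ "$bad" -eq 0 ]
)

# Constructed scratch tree mirroring the post's layout: <base>/sftp/user1/incoming
make_demo_tree() {
    mkdir -p "$1/sftp/user1/incoming"
    chmod 755 "$1" "$1/sftp" "$1/sftp/user1"
}

# Demo: a group-writable chroot directory, a common cause of failed sftp logins.
demo=$(mktemp -d)
make_demo_tree "$demo"
chmod g+w "$demo/sftp/user1"
check_chroot_path "$demo/sftp/user1" "$(id -u)" "$demo" || echo "sshd would reject a chroot path with these modes"
rm -rf "$demo"
```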

Now restart sshd and check/test your Chroot SFTP configuration

# /etc/init.d/sshd restart

Now you can observe that when user1 does sftp, and does “cd /”, he can only see incoming directory.

# sftp user1@station1.example.com
user1@station1.example.com's password:

sftp> pwd
Remote working directory: /incoming

sftp> cd /
sftp> ls
incoming

When user1 transfers any files to the /incoming directory from the sftp, they’ll be really located under /sftp/user1/incoming directory on the system.

Good Luck..... :)

Sunday, March 3, 2013

Monitoring Windows Machines using Nagios


This article describes how you can monitor "private" services and attributes of Windows machines like:
  • CPU load
  • Disk usage
  • Memory usage
  • Service states
  • Running processes, etc …
Monitoring private services or attributes of a Windows machine requires an agent to be installed on the windows box. This agent acts as a proxy between the Nagios plugin that does the monitoring and the actual service or attribute of the Windows machine. Without installing an agent on the Windows box, Nagios would be unable to monitor private services or attributes of the Windows box.


Install the NSClient++ addon on the Windows machine; Nagios will communicate with the NSClient++ addon using the check_nt plugin.
Now follow the below procedure:
Edit the main Nagios config file on the Nagios server:

# vi /usr/local/nagios/etc/nagios.cfg

Remove the leading pound (#) sign from the following line in the main configuration file: 
#cfg_file=/usr/local/nagios/etc/objects/windows.cfg (Remove the # symbol)

Save the file and exit.

Now install the agent NSClient++ on the remote windows box

You can download the agent from http://sourceforge.net/projects/nscplus/


  • Unzip the NSClient++ files into a new C:\NSClient++ directory
  • Open a command prompt and change to the C:\NSClient++ directory
  • Register the NSClient++ system service with the following command:

                     nsclient++ /install
  • Install the NSClient++ systray with the following command ('SysTray' is case-sensitive):

                     nsclient++ SysTray
  • Open the services manager and make sure the NSClientpp service is allowed to interact with the desktop (see the 'Log On' tab of the services manager). If it isn't already allowed to interact with the desktop, check the box to allow it to.


Edit the NSC.INI file (located in the C:\NSClient++ directory) and make the following changes:
  • Uncomment all the modules listed in the [modules] section, except for CheckWMI.dll and RemoteConfiguration.dll
  • Optionally require a password for clients by changing the 'password' option in the [Settings] section.
  • Uncomment the 'allowed_hosts' option in the [Settings] section. Add the IP address of the Nagios server to this line, or leave it blank to allow all hosts to connect.
  • Make sure the 'port' option in the [NSClient] section is uncommented and set to '12489' (the default port).
Start the NSClient++ service with the following command:

                    nsclient++ /start

If installed properly, a new icon should appear in your system tray. It will be a yellow circle with a black 'M' inside.

Success! The Windows server can now be added to the Nagios monitoring configuration...
Now it is the time for the configuration in the Nagios server

Open the windows.cfg file for editing.

Add a new host definition for the Windows machine that you're going to monitor. If this is the *first* Windows machine you're monitoring, you can simply modify the sample host definition in windows.cfg. Change the host_name, alias, and address fields to appropriate values for the Windows box.
 
define host{
        use                     windows-server      ; Inherit default values from a Windows server template (make sure you keep this line!)
        host_name               winserver           ; Your server name
        alias                   My Windows Server
        address                 XX.XX.XX.XX         ; Your server IP
        }

Now you can add some service definitions (to the same configuration file) in order to tell Nagios to monitor different aspects of the Windows machine. If this is the first Windows machine you're monitoring, you can simply modify the sample service definitions in windows.cfg.
Add the following service definition to monitor the uptime of the Windows server.
define service{
        use                     generic-service
        host_name               winserver           ; Your Windows server name as defined in the define host section
        service_description     Uptime
        check_command           check_nt!UPTIME
        }
 
Add the following service definition to monitor the CPU utilization on the Windows server and generate a CRITICAL alert if the 5-minute CPU load is 90% or more or a WARNING alert if the 5-minute load is 80% or greater.
 
define service{
        use                     generic-service
        host_name               winserver           ; Your Windows server name as defined in the define host section
        service_description     CPU Load
        check_command           check_nt!CPULOAD!-l 5,80,90
        }
 
 
Add the following service definition to monitor memory usage on the Windows server and generate a CRITICAL alert if memory usage is 90% or more or a WARNING alert if memory usage is 80% or greater.
 
define service{
        use                     generic-service
        host_name               winserver           ; Your Windows server name as defined in the define host section
        service_description     Memory Usage
        check_command           check_nt!MEMUSE!-w 80 -c 90
        }
 
Add the following service definition to monitor usage of the C:\ drive on the Windows server and generate a CRITICAL alert if disk usage is 90% or more or a WARNING alert if disk usage is 80% or greater.
 
define service{
        use                     generic-service
        host_name               winserver           ; Your Windows server name as defined in the define host section
        service_description     C:\ Drive Space
        check_command           check_nt!USEDDISKSPACE!-l c -w 80 -c 90
        }

Now save and exit the file.

Verify the sample Nagios configuration files(Syntax verification)

# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

If there are no errors, start Nagios.

# service nagios start

Now check the Nagios GUI to check newly added host and services.



How to Monitor Linux/Unix Machines using Nagios

Install Nagios using URL: http://boosturfuture.blogspot.in/2013/02/installation-and-configuration-of.html

After installation follow below procedure:


First define the contacts in the file /usr/local/nagios/etc/objects/contacts.cfg


define contact{
        contact_name                    nagiosadmin
        use                                     generic-contact
        alias                                   Nagios Admin
        email                           <enter the notifying email ids separated by commas>
        }


define contactgroup{
        contactgroup_name       admins
        alias                               Nagios Administrators
        members                       nagiosadmin
        }

The notification will be sent to members mentioned in the nagiosadmin contacts.

 

There are 2 ways to define services:

1.    Service definition for local machine.

2.    Service definition for remote host

Service definition for local machine

Before proceeding first you need to define a hostgroup as shown below:

define hostgroup{
        hostgroup_name      groupname1
        members                  server1,server2
}

Now define a host:

define host {
               use                         generic-host
               host_name             server1                  ; IP address/hostname of the machine
               alias                       server1                  ; A longer name associated with the host
               address                  XX.XX.XX.XX        ; IP address of the host
               hostgroups             groupname1          ; Host groups this host is associated with
               }

 

Now it is the time for defining services to be monitored on the defined host:

Service definition for PING
define service{
        use                             generic-service,srv-pnp         ; Name of service template to use
        hostgroup_name        groupname1
        service_description    PING
        check_command        check_ping!100.0,20%!500.0,60%
        contact_groups           admins
        }

Service definition for website check

define service{
       use                              generic-service,srv-pnp
       host_name                  server1
       contact_groups           admins
       service_description     www.your website.com
       check_command         check_website! www.your website.com '
        }

Service definition for remote host
Before proceeding you need to install a NRPE plugin on the remote host.

NRPE is an addon that allows you to execute plugins on remote Linux/Unix hosts. This is useful if you need to monitor local resources/attributes like disk usage, CPU load, memory usage, etc. on a remote host. Similar functionality can be accomplished by using the check_by_ssh plugin, although it can impose a higher CPU load on the monitoring machine, especially if you are monitoring hundreds or thousands of hosts.
Download the NRPE plugin on the Remote Host using below URL:

http://prdownloads.sourceforge.net/sourceforge/nagios/nrpe-2.13.tar.gz

Now extract the tar ball: tar xvfz nrpe-2.13.tar.gz

# cd nrpe-2.13
# ./configure
# make all
# make install-plugin
Now I want to check the remote machine disk space.
Remote Host Configuration after installing NRPE

1.    Define a NRPE command in the config file /usr/local/nagios/etc/nrpe.cfg as shown below:
command[check_disk]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /

2.    Save and quit.



Configuration on the Nagios server


Now define the host and the service as shown below:


define hostgroup{
        hostgroup_name      Remote Host Groupname1
        members                  Remote server1,Remote server2
}



define host {
               use                         generic-host
               host_name             Remote Host1       ; IP address/hostname of the machine
               alias                       Remote Host1       ; A longer name associated with the host
               address                  XX.XX.XX.XX        ; IP address of the host
               hostgroups             Remote Host Groupname1  ; Host groups this host is associated with
               }


define service{
        use                             generic-service,srv-pnp         ; Name of service template to use
        hostgroup_name        Remote Host Groupname1
        service_description    Disk Size-Root
        check_command        check_nrpe!check_disk!20%!10%!/
        contact_groups           admins
        }

The above service definition checks the disk space for the members of the Remote Host Groupname1 group.
You can also define the service for individual hosts instead of using groups.

Now check for the configuration errors using below command
# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
If there are no errors restart the Nagios service
# /etc/init.d/nagiosd restart

Now Login to the Web Interface using the below URL:

http://<nagios server IP>/Nagios

You'll be prompted for the username (nagiosadmin) and password you specified earlier.
Observe the defined hosts and services in the GUI.