Smokes your problems, coughs fresh air.

Author: halfgaar (Page 20 of 26)

Halfgaar is Wiebe. Wiebe is a contributing author on this weblog. He also has a lot of stuff (such as long, in-depth articles) on his personal website.

Wiebe's day job is as a senior software developer and system administrator at YTEC.

In his free time, he built the free, open-source FlashMQ software. Together with Jeroen and Rowan, he is now building a managed MQTT hosting business around his open masterpiece.

Configuring Nagios to check an HTTP host

Nagios is an elaborate piece of software to monitor hosts and services. I will explain a bit how you can configure Nagios to monitor an HTTP service. I’m assuming your Nagios setup already has the default config files generic-host_nagios2.cfg and generic-service_nagios2.cfg, which define the templates that tell Nagios how to monitor hosts and services.

Most configuration is done in /etc/nagios3/conf.d. The standard config files there all end in _nagios2.cfg, a name carried over from the Debian nagios2 package; the suffix means nothing to Nagios itself, which reads every *.cfg file in that directory.

Nagios comes with a bunch of default files to which you can add your hosts, services, etc.

First you have to define a host. If you’re monitoring on the machine itself, you could add a host to localhost_nagios2.cfg. Using the default localhost host doesn’t work, because the check has to reach the machine by the address of the virtual host, not by 127.0.0.1.

define host{
        use                     generic-host            ; Name of host template to use
        host_name               my-site
        address                 www.halfgaar.net
}

Then you need to add the host to a hostgroup for your HTTP servers. A default http-servers hostgroup is probably already defined in hostgroups_nagios2.cfg, so you can add your host there. Note that inside an object definition only a semicolon starts a comment; a # after the value would become part of the members list and make Nagios look for a host called "my-site # comma separated":

define hostgroup {
        hostgroup_name  http-servers
        members         localhost, my-site ; comma separated
}

Lastly, you need to configure a service. Nagios comes with a default one for the hostgroup http-servers so you should be done, but just in case:

define service {
        hostgroup_name                  http-servers
        service_description             HTTP
        check_command                   check_http
        use                             generic-service
        notification_interval           0 ; set > 0 if you want to be renotified
}
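The one-host setup above stops being convenient once several name-based virtual hosts sit on the same address. As an added example (not part of the original post, and not a file shipped with Nagios or Debian), the script below generates the definitions for a list of vhosts. The point it adds to the post: check_http has to connect to the real address (-I, filled from $HOSTADDRESS$) while sending the vhost name as Host: header and TLS server name (-H with --sni), and the same host gets a second service that does nothing but check the certificate's remaining validity (-C). The plugin path, the command and hostgroup names and every address and host name used are assumptions; --sni needs a check_http new enough to know the option.

```shell
#!/bin/sh
# Added example (not from the post, and not a file shipped with Nagios or Debian):
# generate Nagios 3 object definitions for several name-based virtual hosts that
# share one address. Assumed: the plugin path, the command and hostgroup names,
# and every address and host name used below.

PLUGIN_DIR="${PLUGIN_DIR:-/usr/lib/nagios/plugins}"

# $HOSTADDRESS$ is where check_http connects (-I); $ARG1$ is the vhost name it
# sends as Host: header and TLS server name (-H with --sni). With -C check_http
# checks nothing but the certificate's remaining validity, hence a second command.
gen_commands() {
  cat <<EOF
define command {
        command_name    check_https_vhost
        command_line    ${PLUGIN_DIR}/check_http -I '\$HOSTADDRESS\$' -H '\$ARG1\$' --sni --ssl -u '\$ARG2\$' -w 5 -c 10
}
define command {
        command_name    check_tls_cert_days
        command_line    ${PLUGIN_DIR}/check_http -I '\$HOSTADDRESS\$' -H '\$ARG1\$' --sni -C '\$ARG2\$'
}
EOF
}

# gen_vhost_defs ADDRESS VHOST...   (write the output to a new .cfg in conf.d)
gen_vhost_defs() {
  addr="$1"; shift
  members=""
  gen_commands
  for vhost; do
    members="${members:+$members, }$vhost"
    cat <<EOF
define host {
        use             generic-host
        host_name       ${vhost}
        address         ${addr}
}
define service {
        use                     generic-service
        host_name               ${vhost}
        service_description     HTTPS
        check_command           check_https_vhost!${vhost}!/
}
define service {
        use                     generic-service
        host_name               ${vhost}
        service_description     TLS certificate
        check_command           check_tls_cert_days!${vhost}!30
}
EOF
  done
  cat <<EOF
define hostgroup {
        hostgroup_name  https-vhosts
        alias           name-based virtual hosts on ${addr}
        members         ${members}
}
EOF
}

# usage: sh nagios-vhosts.sh 203.0.113.10 www.example.org www.example.net > /etc/nagios3/conf.d/vhosts.cfg
# then:  nagios3 -v /etc/nagios3/nagios.cfg   (exits non-zero on any definition error)
if [ $# -ge 2 ]; then
  gen_vhost_defs "$@"
fi
```

Run nagios3 -v against the main config after dropping the generated file into conf.d; a duplicate host_name or a typo in a check_command name is reported there rather than after the next restart.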

Disable Zimbra’s duplicate mail detection

Zimbra can discard duplicates of incoming mail. This has certain advantages, but for us, where different people use the same account with different identities, it prevents a message from being delivered to multiple virtual inboxes.

To disable this, run this as user zimbra:

zmprov mcf zimbraMessageIdDedupeCacheSize 0
zmmailboxdctl restart

Unfortunately, this has the annoying side effect that conversation threading no longer detects duplicates of a message. See this forum thread for more info.

Lowering Bayes score for Zimbra’s Spamassassin config

The SpamAssassin config in Zimbra has very high default scores for the Bayes rules at 99, 95, 90, etc. percent. A mail with subject and body “test” or “asdfaewf a” is often classified as BAYES_99, even though the spam filter has seen no training mail. This is absurd.

To amend this, I put this in /opt/zimbra/conf/spamassassin/local.cf:

score BAYES_99 2.500
score BAYES_95 2.000
score BAYES_90 1.500
score BAYES_85 1.000
score BAYES_80 0.500

Configuring fetchmail to deliver to Zimbra with custom header added

I needed to fetch mail from a POP3 account and deliver it to a Zimbra account. Because I’m doing this for multiple POP3 accounts, I want to add a header which I can use in Zimbra to filter on. Keep in mind that this line contains the POP3 password; fetchmail refuses to read a ~/.fetchmailrc that other users can read, so keep it mode 0600. This is what we made:

poll server user "user" pass "secret" mda "formail -A 'X-Zimbra-To: user@domain.org'| /opt/zimbra/postfix/sbin/sendmail -i -t service@sicirec.org"

The -i tells sendmail to ignore a line consisting of a single dot, which would otherwise mean end of mail. The -t tells it to take the recipients from the To:, Cc: and Bcc: headers of the message; Postfix’s sendmail adds those to the recipient given on the command line, so every address in those headers gets a copy as well as service@sicirec.org.

It is a bit unclear why postfix delivers locally to Zimbra, since sending mail to user@ourdomain.org with mail routes through an external SMTP server, which is configured in Zimbra to be used as the MTA for outgoing mail (the ‘webmail MTA’).
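One thing the mda line above does not do: formail -A appends the X-Zimbra-To: header even if the message already carries one, and Zimbra filters on that header, so whoever sends mail to the POP3 account can steer the filter by putting their own X-Zimbra-To: in the message. The fix in the fetchmail line is a one-letter change, formail -I instead of -A (-I removes existing fields of that name before adding). As an added example (not from the post, and not formail itself), the following script does the same thing in awk, so it runs without procmail installed, on a constructed sample message that tries exactly that; the addresses and the message are made up.

```shell
#!/bin/sh
# Added example (not from the post): insert the X-Zimbra-To: routing header the
# way the fetchmail mda line does, but first remove any X-Zimbra-To: the sender
# already put in the message, since Zimbra's filters act on it. Equivalent to
#   formail -I 'X-Zimbra-To: user@domain.org'
# (-I replaces, -A only appends); written in awk so it runs without formail.

ROUTING_HEADER="X-Zimbra-To"

# add_routing_header ADDRESS  < message  > message with exactly one routing header
add_routing_header() {
  awk -v hdr="$ROUTING_HEADER" -v addr="$1" '
    BEGIN { inhdr = 1; skip = 0; pat = "^" tolower(hdr) ":" }
    # First empty line ends the header block: emit our header right before it.
    inhdr && /^$/ { print hdr ": " addr; inhdr = 0; print; next }
    inhdr {
      if (tolower($0) ~ pat) { skip = 1; next }   # sender-supplied copy: drop it
      if (skip && /^[ \t]/) next                  # ...and its folded continuation
      skip = 0
    }
    { print }
    # Headers-only message without a blank line: still add the header.
    END { if (inhdr) print hdr ": " addr }
  '
}

# Constructed sample message (not real traffic): the sender tries to smuggle in
# a routing header, folded over two lines, to land in another mailbox.
SAMPLE_MSG='From: someone@example.net
To: service@sicirec.org
X-Zimbra-To: other-user@domain.org
 (folded continuation line)
Subject: test

body line'

# Number of routing headers left in the header block after processing.
count_routing_headers() {
  printf '%s\n' "$SAMPLE_MSG" | add_routing_header "$1" \
    | sed '/^$/q' | grep -ci "^${ROUTING_HEADER}:"
}

# routed_to ADDRESS: the address the single surviving routing header carries.
routed_to() {
  printf '%s\n' "$SAMPLE_MSG" | add_routing_header "$1" \
    | sed '/^$/q' | sed -n "s/^${ROUTING_HEADER}: //p"
}
```

The body is passed through untouched; only the header block is inspected, and a dropped header takes its folded continuation lines with it so they cannot end up glued to the next header.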

Fixing spamassassin rule in Zimbra

SpamAssassin had a bug for a while, marking any mail dated 2010 or later as spam because it was “far into the future”. The year test was done very crudely, with this regexp: /20[1-9][0-9]/. Because of that, almost all mail from 2010 onward was marked as spam.

I changed the regex to match 2020 or later, but that’s not really a fix. Even the SpamAssassin maintainers ‘fixed’ it that way.

What I have to look out for, though, is that this file may get overwritten when I upgrade Zimbra. sa-update doesn’t seem to work on Zimbra, so I don’t really know what the best way of getting new rules is.

Set proper origin domain for Zimbra server

(This turned out not to be how I fixed it. I just configured exim and /etc/mailname as I do always and that fixed it. However, exim does not run as the SMTP server listening on port 25, that is the postfix installed by Zimbra. I don’t know how and if this exim configuration conflicts with zimbra.)

I have a Zimbra server fooled into thinking it hosts a particular domain. Part of the fooling involves setting a different SMTP server than localhost for all outgoing mail. Luckily, Zimbra can do that.

The downside of that is that when you send mail to “root”, the other SMTP server qualifies the unqualified address with its own domain, and the mail appears to be coming from the wrong server.

To fix it, specify this in the /opt/zimbra/postfix/conf/main.cf:

myorigin = example.com

This seems to work without caveats. However, I don’t know if zimbra overwrites this config file at some point.

As always, pick a domain that exists, otherwise a lot of mail servers won’t accept it. You don’t even need an MX record; an A or CNAME record is enough.

Changing lost MySQL root password

When you don’t know the current MySQL root password and you want to change it, do this. Keep in mind that while --skip-grant-tables is in effect the server accepts anyone as anything without a password, so --skip-networking keeps it off the network meanwhile, and nobody but you should be logged in on the box:

/etc/init.d/mysql stop
mysqld --skip-grant-tables --skip-networking &
mysql
use mysql;
update user set password=PASSWORD("NEW-ROOT-PASSWORD") where User='root';
flush privileges;
quit;
killall mysqld
/etc/init.d/mysql start

Note that mysql is started without -p here: with grants skipped there is no password to give. On MySQL 5.7.6 and later the password column and the PASSWORD() function are gone; there you run flush privileges first and then ALTER USER 'root'@'localhost' IDENTIFIED BY 'NEW-ROOT-PASSWORD'; instead of the update.

Source.

Convenient iptables rules

Here are some convenient iptables rules.

This first list is for not allowing anything in, except packets that come back from outgoing connections, related traffic like FTP data connections, everything from the localhost, ICMP (ping and stuff) and SSH. It also sets the default policy to DROP. This you would use on a machine connected directly to the internet. Mind the order when typing these in over SSH: the RELATED,ESTABLISHED rule has to be in place before the policy becomes DROP, or your own session dies with it. (Current iptables treats --match state as an alias of -m conntrack --ctstate; both work.)

iptables -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT --match comment --comment "Accept traffic from outgoing connections and stuff like FTP."
iptables -A INPUT -p icmp -j ACCEPT --match comment --comment "Allow ICMP"
iptables -A INPUT -p tcp --dport 22 -j ACCEPT --match comment --comment "Allow SSH"
iptables -A INPUT --in-interface lo -j ACCEPT --match comment --comment "Allow everything on the localhost"
iptables -P INPUT DROP

Here are some rules to allow certain MAC addresses to access everything. Simplifies things on a LAN (even though it’s not attacker-proof, since a MAC address is trivially spoofed, it keeps unwanted people out of my SMB and stuff):

iptables -A INPUT --match mac --mac-source xx:xx:xx:xx:xx:xx --match comment --comment "Allow everything from [computer]" -j ACCEPT

Besides computers you want to grant full access to a machine, don’t forget to include the MACs of the router and the machine’s own ethernet interface.

When the machine acts as a masquerading (SNAT) gateway, use this to forward ports to LAN hosts (be sure to have the --to after the -j). DNAT only rewrites the destination address; the packet then still has to be allowed through the FORWARD chain, or it goes nowhere when that chain’s policy is DROP:

iptables -t nat -A PREROUTING --in-interface eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.1:22 --match comment --comment "forwards incoming port 80 to port 22 on 10.0.0.1"

To allow everything for a Samba server (on a gateway, add --in-interface for the LAN side to these, since SMB has no business being reachable from the internet):

iptables -A INPUT -p tcp --dport 139 -m comment --comment "Allow Netbios-ssn" -j ACCEPT 
iptables -A INPUT -p tcp --dport 445 -m comment --comment "Allow microsoft-ds" -j ACCEPT 
iptables -A INPUT -p udp --dport 137 -m comment --comment "Allow netbios-ns" -j ACCEPT 
iptables -A INPUT -p udp --dport 138 -m comment --comment "Allow netbios-dgm" -j ACCEPT
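Typing these rules in one at a time has two problems: between the first rule and the policy change the box is either open or, if you set the policy first, closed to you, and there is no single text to review or diff afterwards. As an added example (not from the post), the script below puts the same policy into one iptables-restore ruleset, which the kernel loads atomically, and adds the parts the rules above leave implicit: loopback accepted before anything else, INVALID packets dropped, new SSH connections rate-limited per source with the recent match, Samba only on the LAN interface, and the FORWARD rule without which the DNAT does nothing. The interface names, the LAN prefix and the port forward are assumptions, settable through environment variables.

```shell
#!/bin/sh
# Added example (not from the post): the post's rules as one iptables-restore(8)
# ruleset. Loading a complete table atomically avoids the window in which a
# half-applied rule list locks you out or leaves the box open, and the text can
# be reviewed or diffed before it goes live.
# Assumptions (not from the post): WAN on eth0, LAN on eth1 as 10.0.0.0/24,
# SSH on 22, one port forward 80 -> 10.0.0.1:22, Samba reachable from the LAN only.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
SSH_PORT="${SSH_PORT:-22}"
FWD_PORT="${FWD_PORT:-80}"          # port on the WAN side
FWD_TO="${FWD_TO:-10.0.0.1:22}"     # LAN host:port behind the DNAT

gen_ruleset() {
  fwd_host="${FWD_TO%:*}"
  fwd_port="${FWD_TO##*:}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT -m comment --comment "loopback first: local services need it"
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "replies to our connections, helper traffic such as FTP data"
-A INPUT -m conntrack --ctstate INVALID -j DROP -m comment --comment "packets that belong to no connection"
-A INPUT -p icmp -j ACCEPT -m comment --comment "ICMP: ping, path MTU discovery"
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP -m comment --comment "5th new SSH connection from one address within 60 s is dropped"
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "SSH"
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment "Samba from the LAN interface only"
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment "NetBIOS name and datagram service from the LAN only"
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT -m comment --comment "LAN hosts may reach the internet"
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${fwd_host} -p tcp --dport ${fwd_port} -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "the DNAT below is useless without this FORWARD rule"
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ${WAN_IF} -p tcp --dport ${FWD_PORT} -j DNAT --to-destination ${FWD_TO}
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
EOF
}

# Without arguments the ruleset is only printed for review; "--apply" loads it.
# Do the first load from a console, not over SSH: a mistake here is a lockout.
if [ "${1:-}" = "--apply" ]; then
  gen_ruleset | iptables-restore
else
  gen_ruleset
fi
```

Save the output somewhere under /etc and diff it against iptables-save before each change; the MAC-based allow rules from the post can be added to the INPUT chain in the same file if you still want them.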

My custom Linux environment

On every machine that I install, I need a custom environment. At the very least, I need screen and bash customizations. I will attempt to keep this blog post up to date with my most recent config.

/etc/bash.bashrc_halfgaar (naming scheme depends on distro):

prompt_command() {
  # Terminal title; wrapped in \[ \] so bash does not count it as printable
  # prompt width, which would otherwise garble line editing.
  XTERM_TITLE="\[\e]2;\u@\H:\w\a\]"

  BGJOBS_COLOR="\[\e[1;30m\]"
  BGJOBS=""
  # Show a job count only when there are background jobs.
  [ "$(jobs | head -c1)" ] && BGJOBS=" $BGJOBS_COLOR(bg:\j)"

  # Green for normal users; red prompt character and red background on the name for root.
  DOLLAR_COLOR="\[\e[1;32m\]"
  [[ ${EUID} == 0 ]] && DOLLAR_COLOR="\[\e[1;31m\]"
  DOLLAR="$DOLLAR_COLOR\\\$"

  USER_COLOR="\[\e[1;32m\]"
  [[ ${EUID} == 0 ]] && USER_COLOR="\[\e[41;1;32m\]"

  PS1="$XTERM_TITLE$USER_COLOR\u\[\e[1;32m\]@\H:\[\e[m\] \[\e[1;34m\]\w\[\e[m\]\n\
$DOLLAR$BGJOBS \[\e[m\]"
}
PROMPT_COMMAND=prompt_command
export EDITOR=vim
alias ls='ls --color=auto' ll='ls -l' lh='ls -lh' grep='grep --color=auto'

Don’t forget to source the file in ~/.bashrc.

~/.screenrc:

caption always "%{= kB}%-Lw%{=s kB}%50>%n%f* %t %{-}%+Lw%<"
vbell off
startup_message off
term linux

© 2024 BigSmoke
