Published 15 August 2018 @ 19:43
Last modified 3 June 2021 @ 6:40
Overview
- IT infrastructure monitoring via a web interface
- Adjustment of the php.ini file for mod_php and of the default pool configuration file for FPM
- Security through obscurity by means of a hard-to-guess hostname and a non-standard HTTPS port
- Wildcard certificate so that the hostname does not become known externally (a certificate issued for the host itself would publish the name in certificate transparency logs)
- (Additional) protection via Apache basic authentication with a hard-to-guess username
Prerequisites
Network
- Administrator e-mail admin@example.com
- Administrator host admin.example.com
- User nagios
- Group nagios
- Host pSh6v5zB86J20Ll3Wiv6.example.com
- htpasswd user K1MHJaHAIDaLiTDmtkjm
- HTTPS port 42443
Software
- Apache 2.4.18 #apache2 -v
- Nagios Core 4.4.1 #https://pSh6v5zB86J20Ll3Wiv6.example.com:42443
- PHP 7.0.30 #php --version
- Ubuntu Server 16.04.04 LTS #lsb_release -a
Directories and files
- Installation /usr/local/nagios
- Configuration /etc/apache2/sites-available/nagios.conf, /etc/php/7.0/fpm/pool.d/default.conf.disabled, /etc/php/7.0/fpm/pool.d/nagios.conf, /usr/local/nagios/etc
- Logs /usr/local/nagios/var/nagios.log, /var/log/apache2/access-nagios.log, /var/log/apache2/error.log, /var/log/apache2/error-nagios.log, /var/log/php7.0-fpm.log
- systemd /lib/systemd/system/nagios.service
- Certificates and keys /etc/letsencrypt/live/example.com/*.pem
Install Nagios
Install the required packages
apt install autoconf gcc libc6 libgd2-xpm-dev make unzip wget
Download the sources
cd /tmp
wget --output-document=nagioscore.tar.gz https://github.com/NagiosEnterprises/nagioscore/archive/nagios-4.4.1.tar.gz
tar --extract --file=nagioscore.tar.gz --gzip
Compile
cd /tmp/nagioscore-nagios-4.4.1/
./configure --with-httpd-conf=/etc/apache2/sites-enabled
make all
Create the user and group nagios and add the user www-data to the group nagios
make install-groups-users
usermod -aG nagios www-data
Install binaries, CGIs and HTML files
make install
Install the service and enable it at boot
make install-daemoninit
Install command mode
make install-commandmode
Create the sample configuration files
make install-config
Create the Apache configuration files and enable the modules
make install-webconf
a2enmod rewrite
a2enmod cgi
Create the user file for basic authentication
Generate the username with a password generator, e.g. KeePass
K1MHJaHAIDaLiTDmtkjm
Create a new user file with a bcrypt password hash
htpasswd -B -c /usr/local/nagios/etc/htpasswd.users K1MHJaHAIDaLiTDmtkjm
Adjust the Nagios CGI configuration file
...
#authorized_for_system_information=nagiosadmin
authorized_for_system_information=K1MHJaHAIDaLiTDmtkjm
...
#authorized_for_configuration_information=nagiosadmin
authorized_for_configuration_information=K1MHJaHAIDaLiTDmtkjm
...
#authorized_for_system_commands=nagiosadmin
authorized_for_system_commands=K1MHJaHAIDaLiTDmtkjm
...
#authorized_for_all_services=nagiosadmin
#authorized_for_all_hosts=nagiosadmin
authorized_for_all_services=K1MHJaHAIDaLiTDmtkjm
authorized_for_all_hosts=K1MHJaHAIDaLiTDmtkjm
...
#authorized_for_all_service_commands=nagiosadmin
#authorized_for_all_host_commands=nagiosadmin
authorized_for_all_service_commands=K1MHJaHAIDaLiTDmtkjm
authorized_for_all_host_commands=K1MHJaHAIDaLiTDmtkjm
...
Test the Nagios configuration, start the service and query its status
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
systemctl start nagios
systemctl status nagios.service
Delete the sources
rm --recursive /tmp/nagios*
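An added example (not part of the original post) that cross-checks the two files edited above: it reports htpasswd.users entries whose hash is not bcrypt, and authorized_for_* users in cgi.cfg that have no htpasswd entry. Both file contents are constructed samples; the digests are placeholders, not real hashes.

```python
import re

# Constructed htpasswd.users sample: a bcrypt entry as "htpasswd -B" writes it (placeholder digest) plus a leftover apr1 entry.
HTPASSWD_SAMPLE = """\
K1MHJaHAIDaLiTDmtkjm:$2y$05$PLACEHOLDERbcryptdigest
nagiosadmin:$apr1$PLACEHOLDERapr1digest
"""

# Constructed sample of the authorized_for_* lines in cgi.cfg; "backup" was never added to htpasswd.users.
CGI_CFG_SAMPLE = """\
#authorized_for_system_information=nagiosadmin
authorized_for_system_information=K1MHJaHAIDaLiTDmtkjm
authorized_for_configuration_information=K1MHJaHAIDaLiTDmtkjm
authorized_for_system_commands=K1MHJaHAIDaLiTDmtkjm,backup
authorized_for_all_services=K1MHJaHAIDaLiTDmtkjm
authorized_for_all_hosts=K1MHJaHAIDaLiTDmtkjm
"""

SCHEMES = {"$2y$": "bcrypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
           "$apr1$": "apr1", "{SHA}": "sha1"}

def parse_htpasswd(text):
    # Map user -> hash scheme; anything unrecognised is crypt(3) or plain text.
    users = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        user, digest = line.split(":", 1)
        users[user] = next((s for p, s in SCHEMES.items() if digest.startswith(p)), "crypt-or-plain")
    return users

def parse_cgi_authorized(text):
    # Map each active (uncommented) authorized_for_* directive -> set of users.
    auth = {}
    for line in text.splitlines():
        m = re.match(r"^(authorized_for_\w+)=(.*)$", line.strip())
        if m:
            auth[m.group(1)] = {u.strip() for u in m.group(2).split(",") if u.strip()}
    return auth

def audit(htpasswd_text, cgi_text):
    users = parse_htpasswd(htpasswd_text)
    findings = []
    for user, scheme in users.items():
        if scheme != "bcrypt":
            findings.append(f"{user}: password hash is {scheme}, recreate with htpasswd -B")
    for directive, names in parse_cgi_authorized(cgi_text).items():
        for name in sorted(names - set(users)):
            findings.append(f"{directive}: user {name} not in htpasswd.users")
    return findings
```

Run it against the real files with open("/usr/local/nagios/etc/htpasswd.users").read() and the cgi.cfg contents; an empty list means the two files agree.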
Set up a virtual host with basic authentication
Template: /etc/apache2/sites-enabled/nagios.conf (as generated by make install-webconf)
Generate the hostname with a password generator, e.g. KeePass
pSh6v5zB86J20Ll3Wiv6
Delete the preinstalled Apache configuration
rm /etc/apache2/sites-enabled/nagios.conf
Create the Apache configuration file
<VirtualHost *:42443>
    #own subdomain instead of the nagios subdirectory:
    #Alias /nagios /usr/local/nagios/share
    CustomLog ${APACHE_LOG_DIR}/access-nagios.log vhost_combined
    DocumentRoot /usr/local/nagios/share
    ErrorLog ${APACHE_LOG_DIR}/error-nagios.log
    ScriptAlias /nagios/cgi-bin /usr/local/nagios/sbin
    ServerAdmin webmaster@example.com
    ServerName pSh6v5zB86J20Ll3Wiv6.example.com
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLEngine on
    <Directory /usr/local/nagios/sbin>
        Options ExecCGI
        <RequireAll>
            AuthBasicProvider file
            AuthName "Nagios"
            AuthType Basic
            AuthUserFile /usr/local/nagios/etc/htpasswd.users
            #Require all granted
            Require host admin.example.com
            Require valid-user
        </RequireAll>
    </Directory>
    <Directory /usr/local/nagios/share>
        <RequireAll>
            AuthBasicProvider file
            AuthName "Nagios"
            AuthType Basic
            AuthUserFile /usr/local/nagios/etc/htpasswd.users
            php_admin_value open_basedir /usr/local/nagios/share/
            #Require all granted
            Require host admin.example.com
            Require valid-user
        </RequireAll>
    </Directory>
</VirtualHost>
Enable the configuration
a2ensite nagios.conf
Adjust the Nagios CGI configuration file
...
#own subdomain instead of the nagios subdirectory:
#url_html_path=/nagios
url_html_path=/
...
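An added example, not from the original post, that audits a nagios.conf-style virtual host the way a reviewer reads the one above: every <Directory> block must carry Require valid-user, no Require all granted may remain active, and SSLEngine on must be present so that basic-auth credentials only travel over TLS. The configuration it parses is a constructed, reduced copy of the one above with the share directory deliberately weakened.

```python
import re

# Constructed sample, reduced from the nagios.conf above; the share directory is
# deliberately the weak variant (template "Require all granted" left active,
# no "Require valid-user") so the audit has something to find.
VHOST_SAMPLE = """\
<VirtualHost *:42443>
    SSLEngine on
    <Directory /usr/local/nagios/sbin>
        <RequireAll>
            AuthType Basic
            Require valid-user
        </RequireAll>
    </Directory>
    <Directory /usr/local/nagios/share>
        <RequireAll>
            AuthType Basic
            Require all granted
        </RequireAll>
    </Directory>
</VirtualHost>
"""

def active_lines(text):
    # Commented-out directives (like "#Require all granted" in the text) do not count.
    return [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]

def directory_blocks(lines):
    # Yield (path, [directives]) for each <Directory ...> block, one level deep.
    path, block = None, []
    for line in lines:
        m = re.match(r"<Directory\s+(\S+)>", line)
        if m:
            path, block = m.group(1), []
        elif line == "</Directory>":
            yield path, block
            path = None
        elif path is not None:
            block.append(line)

def audit_vhost(text):
    lines = active_lines(text)
    findings = []
    if "SSLEngine on" not in lines:
        findings.append("vhost: SSLEngine on missing, basic-auth credentials would be sent in clear text")
    for path, block in directory_blocks(lines):
        if "Require valid-user" not in block:
            findings.append(f"{path}: no Require valid-user")
        if "Require all granted" in block:
            findings.append(f"{path}: Require all granted is active")
    return findings
```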
[Optional] Create the FPM pool configuration from the default configuration and adjust the virtual host
Create the FPM configuration file
cp /etc/php/7.0/fpm/pool.d/default.conf.disabled /etc/php/7.0/fpm/pool.d/nagios.conf
;[default]
[nagios]
...
;listen = /run/php/php7.0-fpm-default.sock
listen = /run/php/php7.0-fpm-nagios.sock
...
;php_admin_value[open_basedir] = nonexistent
php_admin_value[open_basedir] = /usr/local/nagios/share/
...
Test the configuration and reload PHP-FPM
php-fpm7.0 --test
systemctl reload php7.0-fpm
#systemctl status php7.0-fpm.service
Modify the Apache configuration file
<VirtualHost *:42443>
    ...
    <Directory /usr/local/nagios/share>
        ...
        #php_admin_value open_basedir /usr/local/nagios/share/
        ...
    </Directory>
    <FilesMatch "\.php$">
        <If "-f %{REQUEST_FILENAME}">
            SetHandler "proxy:unix:/run/php/php7.0-fpm-nagios.sock|fcgi://localhost/"
        </If>
    </FilesMatch>
    <Proxy "fcgi://localhost/" enablereuse=on max=10>
    </Proxy>
</VirtualHost>
Test the configuration, reload Apache and query its status
apache2ctl configtest
systemctl reload apache2
systemctl status apache2.service
Install the Nagios plugins
Install the required packages
apt install autoconf bc build-essential gawk gcc gettext dc libc6 libmcrypt-dev libnet-snmp-perl libssl-dev make snmp wget
Download the sources
cd /tmp
wget --no-check-certificate --output-document=nagios-plugins.tar.gz https://github.com/nagios-plugins/nagios-plugins/archive/release-2.2.1.tar.gz
tar --extract --file=nagios-plugins.tar.gz --gzip
Compile and install
cd /tmp/nagios-plugins-release-2.2.1/
./tools/setup
./configure
make
make install
Delete the sources
rm --recursive /tmp/nagios*
Configure Nagios
Use sendmail without the -s option (the subject goes into a Subject: header at the top of the piped message instead)
...
command_name notify-host-by-email
#/usr/local/nagios/var/nagios.log "[xxx] wproc: stderr line 01: sendmail: invalid option -- 's'":
#command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /usr/sbin/sendmail -s "** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$
command_line /usr/bin/printf "%b" "Subject: ** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **\n***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /usr/sbin/sendmail $CONTACTEMAIL$
...
command_name notify-service-by-email
#/usr/local/nagios/var/nagios.log "[xxx] wproc: stderr line 01: sendmail: invalid option -- 's'":
#command_line /usr/bin/printf "%b" "***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/sbin/sendmail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
command_line /usr/bin/printf "%b" "Subject: ** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **\n***** Nagios *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$\n" | /usr/sbin/sendmail $CONTACTEMAIL$
...
Enter the e-mail address
...
#email nagios@localhost ; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS ******
email admin@example.com ;
...
Enable notifications for the HTTP check
...
check_command check_http
#notifications_enabled 0
notifications_enabled 1
...
[Optional] Add localhost 127.0.0.1 to the OpenSSH server configuration
...
#listen on a specific network interface only:
ListenAddress xxx.xxx.xxx.xxx
ListenAddress 127.0.0.1
...
systemctl reload ssh
Change the command for the SSH check to port 42022 instead of the default port 22 and enable notifications
...
#check_command check_ssh
check_command check_ssh!--port=42022
#notifications_enabled 0
notifications_enabled 1
...
Test the Nagios configuration, reload the service and query its status
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
systemctl reload nagios
systemctl status nagios.service
Sources
https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/4/en/cgiauth.html
https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/4/en/index.html
https://httpd.apache.org/
https://httpd.apache.org/docs/2.4/howto/auth.html
https://keepass.info/
http://manpages.ubuntu.com/manpages/xenial/man8/php-fpm7.0.8.html
https://nagios-plugins.org/doc/man/
https://secure.php.net/manual/de/install.fpm.php
https://support.nagios.com/kb/article/nagios-core-installing-nagios-core-from-source-96.html#Ubuntu
https://wiki.apache.org/httpd/PHP-FPM
https://www.nagios.org/