
LOCALHOST

Install Nagios on Localhost (Nagios Server):

sudo apt-get install nagios3

Postfix Configuration:

choose "Internet Site"

Install VIM:

sudo apt-get install vim

Change Nagios Username:

sudo vim /etc/nagios3/cgi.cfg

hit shift and colon, then type: % s/nagiosadmin/nagios/g


hit shift and colon, then type: wq

Set user "nagios" password:

cd /etc/nagios3/
sudo htpasswd -c htpasswd.users nagios

Restart Nagios:

sudo /etc/init.d/nagios3 restart

##########Modify Localhost Configuration:##########

sudo nano /etc/nagios3/conf.d/localhost_nagios2.cfg

replace:
define service{
use generic-service ; Name of service template to use
host_name localhost
service_description Disk Space
check_command check_all_disks!20%!10%!
}

with:
define service{
use generic-service ; Name of service template to use
host_name localhost
service_description Disk Space
check_command check_disk!20%!10%!/dev/sda1
}

Set up mail alerts:

sudo nano /etc/hosts

127.0.1.1 danger.oss.homelinux.com danger


sudo apt-get install sasl2-bin procmail

General type of configuration? Internet Site


Where should mail for root go? NONE
Mail name? dnsname.com
Other destinations to accept mail for? (blank for none) oss.homelinux.com, danger.oss.homelinux.com, localhost
Force synchronous updates on mail queue? No
Local networks? 127.0.0.0/8
Use procmail for local delivery? Yes
Mailbox size limit? 0
Local address extension character? +
Internet protocols to use? all

sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

sudo postconf -e 'inet_interfaces = all'


sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo -s
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

sudo /usr/lib/ssl/misc/CA.pl -newca

Once you launch the script you should see this:

CA certificate filename (or enter to create)


Making CA certificate ...
Generating a 1024 bit RSA private key
.......++++++
...................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:

At this point you will have to pick a password.

Following the initial creation of the CA file, it will ask you some questions to uniquely
identify this certificate. This is what you should see:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

You can make up all this info, but make sure you can remember it as you will need to
know it later on. All you need to fill in is the country code, the state (if you are from the
US), your city, and the organization name (if it is a multi-word name, use underscores
for spaces). When it asks for your common name, just enter the domain name
you used in the postfix configuration (it does not matter what you enter really as long as
you enter something). Finally, enter an e-mail address when it asks. Everything else can be left
blank.

This is what you should see on the screen:


Country Name (2 letter code) [US]:US
State or Province Name (full name) [Pennsylvania]:Texas
Locality Name (eg, city) []:Houston
Organization Name (eg, company) []:Open_Source_Solutions

If you screw up, you can re-run the CA.pl script, but make sure to delete the demoCA
directory first. It is located in the directory in which you are doing all this work.

Now that we have created a Certificate Authority file we can make the server certificate
and the public key used in the authentication process. To make the server certificate run
this command replacing the information in the single quotes with the information you put
into your CA file:

sudo openssl req -new -nodes -subj '/CN=oss.homelinux.com/O=Open_Source_Solutions/C=US/ST=Texas/L=Houston/emailAddress=osshoustontx@gmail.com' -keyout FOO-key.pem -out FOO-req.pem -days 3650

CN is the place you put the common name you used, O is the organization name, C is
the country, ST is the state, L is the city, emailAddress is... well.. the email address
you used. Make sure you enter those items in EXACTLY the way you did above or your
key will not authenticate.

What this command does is it creates a certificate key file called FOO-key.pem and a req
file called FOO-req.pem. The second file will be used to create the certificate file we will
need.

To create the certificate file we issue the command:

sudo openssl ca -out FOO-cert.pem -infiles FOO-req.pem

This creates a signed certificate file that will be used to verify your identity as the
originating server. Simply answer yes to the prompts that follow.

Finally copy the certificate files to /etc/postfix and give them the needed permissions:

sudo cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix


sudo chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
sudo chmod 400 /etc/postfix/FOO-key.pem

Change directories and edit main.cf


cd /etc/postfix
sudo nano /etc/postfix/main.cf

Paste the following into the file:

## TLS Settings
#
# For no logs set = 0
smtp_tls_loglevel = 1
#
# smtp_enforce_tls = yes
# Above is commented because doing it site by site below
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
#
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
smtp_tls_key_file = /etc/postfix/FOO-key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
## SASL Settings
# This is going in to THIS server
smtpd_sasl_auth_enable = no
# We need this
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_application_name = smtpd
## Gmail Relay
relayhost = [smtp.gmail.com]:587
## Good for Testing
# sender_bcc_maps = hash:/etc/postfix/bcc_table
# Disable DNS Lookups
disable_dns_lookups = yes
#
# Great New feature Address Mapping
# for example map mchirico@localhost to mchirico@gmail.com
smtp_generic_maps = hash:/etc/postfix/generic
#
#
transport_maps = hash:/etc/postfix/transport

Setting up the sasl_passwd file and hash is necessary to log into gmail. Remaining in
the /etc/postfix directory issue the command:

sudo nano sasl_passwd

This creates a new file in /etc/postfix called sasl_passwd.


Place into that file the following:

[smtp.gmail.com]:587 osshoustontx@gmail.com:password

The smtp info needs to remain, but you must change the email address and the
password to match your own.

Next we need to make a hash file out of this.

sudo postmap sasl_passwd


Next create the generic file and hash using the same methods in the last section with
this inside:

sudo nano generic

Replace bms@bob.com with your username on your linux box before the '@' sign and
your hostname after the '@'. Similarly, replace 'bms@gmail.com' with your gmail
address.

daniel@oss.homelinux.com osshoustontx@gmail.com

(this assumes we're still using the oss.homelinux.com domain)

sudo postmap generic

Now we need to make the transport file and hash. This is the file that tells postfix how to
route emails it gets.

Open a new text file called transport and enter into it:

sudo nano transport

# This sends mail to Gmail


gmail.com smtp:[smtp.gmail.com]:587
#
# Except mail going to the tape and closet server
#comp1.bob.com relay:[comp1.bob.com]
#comp2.bob.com relay:[comp2.bob.com]

What this tells postfix is to send all mail to gmail except for two cases.
On my network I have two other computers. One called comp1 the other called
comp2. I am telling postfix to send email meant for those two computers
directly to them.
Remember to make the hash for the transport file.

sudo postmap transport

sudo nano tls_per_site

smtp.gmail.com MUST
#comp1.bob.com MUST
#comp2.bob.com MUST

sudo postmap tls_per_site

Open master.cf using $sudo gedit master.cf and find the line that reads relay unix
- - n - - smtp. It will be a little ways down. Beneath that line, you will probably see a
few settings that start with '-o', we will be adding one more. Enter -o
smtp_generic_maps= right below the relay line. This entry tells postfix to send out your
emails with your gmail address as the originating address rather than your Ubuntu
account and domain.

sudo nano master.cf


-o smtp_generic_maps=

Whenever you edit the master.cf file you need to reload postfix. To do this simply issue
the command

sudo postfix reload
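
An added check, not part of the original guide: the function below audits the files created in the steps above. It flags sasl_passwd, sasl_passwd.db and FOO-key.pem when group or other can access them (sasl_passwd holds the Gmail password in plain text and is created with the editor's default permissions), and it confirms that the relayhost in main.cf has a MUST entry in tls_per_site. The function name audit_postfix_relay and the finding strings are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original guide). audit_postfix_relay is a
# hypothetical helper; it assumes the guide's file names in one directory.

# Print one finding per line; return 1 if anything was found, else 0.
audit_postfix_relay() {
    dir=${1:-/etc/postfix}
    findings=0

    # 1. Files holding the Gmail password or the TLS private key must not be
    #    accessible to group or other: columns 5-10 of the `ls -l` mode
    #    string (the group and other bits) must all be '-'.
    for f in sasl_passwd sasl_passwd.db FOO-key.pem; do
        [ -e "$dir/$f" ] || continue
        bits=$(ls -ld "$dir/$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "PERM $f is accessible beyond its owner ($bits)"
            findings=1
        fi
    done

    # 2. The relayhost must be forced to TLS in tls_per_site; otherwise the
    #    SASL login could go out in clear text when STARTTLS is not offered.
    #    "[smtp.gmail.com]:587" is reduced to "smtp.gmail.com" for the lookup.
    relay=$(sed -n 's/^relayhost[[:space:]]*=[[:space:]]*//p' "$dir/main.cf" 2>/dev/null |
            tail -n 1 | sed 's/^\[//; s/\].*$//; s/:[0-9]*$//')
    if [ -n "$relay" ]; then
        if ! awk -v h="$relay" '$1 == h && $2 ~ /^MUST/ { ok = 1 } END { exit !ok }' \
               "$dir/tls_per_site" 2>/dev/null; then
            echo "TLS relayhost $relay has no MUST entry in tls_per_site"
            findings=1
        fi
    fi
    return $findings
}

# Usage: audit_postfix_relay /etc/postfix
```

A PERM finding is cleared with chmod 600 on the named file (run as root, the owner of the files created above).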

Install NRPE Plugin:

sudo apt-get install nagios-nrpe-plugin

Test it - from localhost, run:

/usr/lib/nagios/plugins/check_nrpe -H remotehost (this should output the remote NRPE version)
/usr/lib/nagios/plugins/check_nrpe -H remotehost -c check_total_procs (outputs #procs)
/usr/lib/nagios/plugins/check_nrpe -H remotehost -c check_load (outputs load)

Create Customer Host Definition:

sudo nano /etc/nagios3/customer-host_nagios2.cfg

#Customer host definition

define host{
name customer-host ; The name of this host template
notifications_enabled 1 ; Host notifications are enabled
event_handler_enabled 1 ; Host event handler is enabled
flap_detection_enabled 1 ; Flap detection is enabled
failure_prediction_enabled 1 ; Failure prediction is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information across program restarts
retain_nonstatus_information 1 ; Retain non-status information across program restarts
check_command check-host-alive
max_check_attempts 10
notification_interval 0 ; (minutes) Zero means only send notifications on status change
notification_period 24x7
notification_options d,u,r
contact_groups admins
register 0 ; Template only (it has no host_name), so it must not be registered as a real host
}

Create Customer Service Definition:

# customer service template definition


define service{
name customer-service ; The 'name' of this service template
active_checks_enabled 1 ; Active service checks are enabled
passive_checks_enabled 1 ; Passive service checks are enabled/accepted
parallelize_check 1 ; Active service checks should be parallelized
obsess_over_service 1 ; We should obsess over this service (if necessary)
check_freshness 0 ; Default is to NOT check service 'freshness'
notifications_enabled 1 ; Service notifications are enabled
event_handler_enabled 1 ; Service event handler is enabled
flap_detection_enabled 1 ; Flap detection is enabled
failure_prediction_enabled 1 ; Failure prediction is enabled
process_perf_data 1 ; Process performance data
retain_status_information 1 ; Retain status information across program restarts
retain_nonstatus_information 1 ; Retain non-status information across program restarts
notification_interval 5 ; (minutes) Zero means only send notifications on status change
is_volatile 0
check_period 24x7
normal_check_interval 5
retry_check_interval 1
max_check_attempts 4
notification_period 24x7
notification_options w,u,c,r
contact_groups admins
register 0 ; Template only (it has no host_name or service_description), so it must not be registered
}

Create Remote Host File: (Still need to monitor swap)

sudo nano /etc/nagios3/remotehostname_nagios2.cfg

define host{
use customer-host ; Name of host template to use
host_name watchman
alias cta
address cta.homelinux.com
}

define service{
use customer-service
host_name watchman
service_description Current Load
check_command check_nrpe_1arg!check_load
}

define service{
use customer-service
host_name watchman
service_description Check Users
check_command check_nrpe_1arg!check_users
}

define service{
use customer-service
host_name watchman
service_description Software Updates
check_command check_nrpe_1arg!check_apt
}

define service{
use customer-service
host_name watchman
service_description Total Processes
check_command check_nrpe_1arg!check_total_procs
}

define service{
use customer-service
host_name watchman
service_description Zombie Processes
check_command check_nrpe!check_zombie_procs
}

define service {
use customer-service
host_name watchman
service_description HTTP
check_command check_http
}

define service {
use customer-service
host_name watchman
service_description SSH
check_command check_ssh
}

REMOTE HOST
Install NRPE on Remote Host:

ssh daniel@remotehost.com
sudo apt-get install nagios-nrpe-server

Add Nagios Server to Allowed Hosts:

cc

replace:
allowed_hosts=tonytonychopper.homelinux.com
with:
allowed_hosts=tonytonychopper.homelinux.com

Create check_sda1 Definition:

replace:
command[check_hda1]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
with (for a 1TB Drive, 500GB use 8%, 2%):
command[check_sda1]=/usr/lib/nagios/plugins/check_disk -w 4% -c 1% -p /dev/sda1

Create check_swap Definition:

add definitions:
command[check_swap]=/usr/lib/nagios/plugins/check_swap -w 90% -c 70%
command[check_apt]=/usr/lib/nagios/plugins/check_apt -t 60

Restart NRPE:

sudo /etc/init.d/nagios-nrpe-server restart
