Monday, February 26, 2007

MRTG Configuration in Linux Servers

MRTG Configuration

Before configuring MRTG

Step # 1 : Make sure snmp server installed
Please note that snmpd configuration does not require using mrtg with remote network devices such as Routers and switches. If you just want mrtg graphs for router or switch then please refer to step # 4 (as all these devices comes preconfigured with snmpd software).
Run rpm commands query option to find out snmp server installed or not:
# rpm -qa | grep snmp
If snmp installed then please refer step # 2; otherwise snmp server and utils were not present and your need to install them using following steps (login as a root user):
(a) Visit rpmfind.net to get snmp server and utilities rpms. If you are fedora user then use yum command as follows to install it:
# yum install net-snmp-utils net-snmp
(b) If you are RHEL subscriber then use up2date command as follows to install:
#up2date -v -i net-snmp-utils net-snmp

Step # 2 : Determine if snmp server is running or not
Run 'ps' command to see if snmp server is running or not:
# ps -aux | grep snmp
Output:
root 5512 0.0 2.3 5872 3012 pts/0 S 22:04 0:00 /usr/sbin/snmpd
Alternatively, you can try any of the following two commands as well:
# lsof -i :199
Output:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
snmpd 5512 root 4u IPv4 34432 TCP *:smux (LISTEN)
OR try out netstat command:
# netstat -natv | grep ':199'
Output:
tcp 0 0 0.0.0.0:199 0.0.0.0:* LISTEN
If you found service is running or listing on port 199 then please see step #3; otherwise start service using following command:
# service snmpd start
Make sure snmpd service starts automatically, when linux comes us (add snmpd service):
# chkconfig --add snmpd

Step # 3 : Make sure snmp server configured properly
Run snmpwalk utility to request for tree of information about network entity. In simple words query snmp server for your IP address (assigned to eth0, eth1, lo etc):
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex
Output:
ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.127.0.0.1 = 1
ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.192.168.0.3 = 2
If you can see your IP address then please proceed to step 4; else it is a time to configure snmp server as follows (by default RHEL and RH 8/9 are not configured for snmp server for security reason):
Configure SNMP
(1) Edit file /etc/snmp/snmpd.conf using text editor:
# vi /etc/snmp/snmpd.conf
Change/Modify line(s) as follows:
Find following Line:
com2sec notConfigUser default public
Replace with (make sure you replace 192.168.0.0/24 replace with your network IPs) following lines:
com2sec local localhost public
com2sec mynetwork 192.168.0.0/24 public
Scroll down bit and change:
Find Lines:
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
Replace with:
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1 mynetwork
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork
Again scroll down bit and locate following line:
Find line:
view systemview included system
Replace with:
view all included .1 80
Again scroll down bit and change:
Find line:
access notConfigGroup "" any noauth exact systemview none none
Replace with:
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none
Scroll down bit and change:
Find lines:
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root (configure /etc/snmp/snmp.local.conf)
Replace with (make sure you supply appropriate values):
syslocation Linux (RH3_UP2), Home Linux Router.
syscontact Vivek G Gite
For your convenient, here is my /etc/snmp/snmpd.conf file. Feel free to use this file. Make sure you make backup of your existing file if you use this file as it is.
Start your snmp server and test it:
(a) Make sure when linux comes up snmpd always starts:
# chkconfig snmpd on
(b) Make sure service start whenever Linux comes up (after reboot):
# service snmpd start
(c) Finally test your snmp server:
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

Step # 4 : Install mrtg if not installed
Mrtg software may install during initial installation; you can verify if MRTG installed or not with following RPM command:
rpm -qa | grep mrtg
If mrtg already installed please see step # 5; else use rpmfind.net to find MRTG rpm or up2date command to install MRTG software:
# up2date -v -i mrtg
Fedora Linux user can use yum command as follows to install MRTG:
# yum install mrtg

Step # 5 : Commands to Configure mrtg
(a) Create document root to store mrtg graphs/html pages:
# mkdir -p /var/www/html/mymrtg/
(b) Run any one of the following cfgmaker command to create mrtg configuration file:
#cfgmaker --global 'WorkDir: /var/www/html/mymrtg' --output /etc/mrtg/mymrtg.cfg public@localhost
OR (make sure your FQDN resolves, in following example i'm using rh9.test.com which is my router FQDN address)
# cfgmaker --global 'WorkDir: /var/www/html/mymrtg' --output /etc/mrtg/mymrtg1.cfg public@rh9.test.com
(c) Create default index page for your MRTG configuration:
# indexmaker --output=/var/www/html/mymrtg/index.html /etc/mrtg/mymrtg.cfg
(d) Copy all tiny png files to your mrtg path:
# cp -av /var/www/html/mrtg/*.png /var/www/html/mymrtg/

Step # 6 First test run of mrtg
(a) Run mrtg command from command line with your configuration file:
# mrtg /etc/mrtg/mymrtg.cfg

Step # 7 Create crontab entry so that mrtg graph / images get generated every 5 minutes
(a) Login as a root user or login as a mrtg user and type following command:
# crontab -e
(b) Add mrtg cron job entry to configuration file (append following line to it):
*/5 * * * * /usr/bin/mrtg /etc/mrtg/mymrtg.cfg --logging /var/log/mrtg.log
Save file and you are done with MRTG config issues :)
Step # 8 Point to DNS Server
In local server :
1.# vi /etc/httpd/conf/httpd.conf
In DNS Server :
1.# vi /var/named.conf
2.# cd /var/named/domains

Thursday, February 22, 2007

Monday, February 5, 2007

Smarter Password Management

Your dog’s name... your anniversary... your childrens’ initials, birthday, or birth weight... your favorite hobby, or the name of your boat. Which one do you use for your password? Network Administrators and hackers know that most people choose passwords like these to protect anything from logging into web-based bulletin boards to buying things online.

Why does it matter? Identity theft... corporate espionage... loss of your data, or digital images. Do you want to risk these things? In many cases, a weak password is all that separates your data from anyone who wants to impersonate you online, or worse.

The problem with weak passwords

Passwords that are simply names of pets, names of children, common names of any type, are called “weak passwords.” Basically any word you can find in a dictionary or list of names makes for a weak password.

I don’t like to use fear to motivate people, but practicing safe password management is as important as locking your house when you leave. Only whenever you’re connected to the internet, it’s like having a house in the worst neighborhood in the biggest city around and if you don’t put a good lock on the door, you will get broken into, even if you’re home.

Practicing safe password management is as important as locking your house when you leave

The problem with strong passwords

If you work at a large company, they may not allow you to have a simple password based on any word you can find in a dictionary. E-Commerce sites that have good security require passwords at least 8 characters long. They group the characters you type into four groups: capital letters, lowercase letters, numbers, and symbols, and then require you to have at least three out of the four groups represented in your password. And then they make you change your password every two or three months. This type of password is called a strong password.

The problem is that you soon end up with many more passwords than you can possibly keep track of. You either forget your new password, requiring the administrator to reset it for you, or you start writing them down. Far too many people have their current passwords scribbled on a yellow sticky note attached to their monitor where anyone can see it.

With weak passwords, all an attacker needs to do to obtain them is go through your trash, or engage you in innocent conversation. With strong passwords, all he needs to do is visit your office. In either case, the attacker is engaging in a type of attack called Social Engineering, which is the easiest way to break into a system.

A strong password, if you write it down somewhere insecure, is not much safer than a weak password

Do I always need a strong password?

No. Strong passwords provide far more protection against different types of attacks, especially those considered Brute Force attacks. An example is something called a Dictionary Attack, where the attacker takes a list of words, sometimes an entire dictionary, and uses a special cracking program to try each word on your account. The dictionary used includes common animal and people names.

Many systems defeat these types of attacks by locking you out after a few failed attempts. But the real concern is what an attacker can do once they break into any particular system.

A weak password is all that separates your data from anyone who wants to impersonate you online, or worse

Assess your risks

There are low risk, and high risk computer systems. To avoid having 30 different passwords to remember, you can group together systems that have the same level of risk, and reuse your passwords. Many security experts would argue that this approach reduces security, but let’s be realistic here: if you don’t remember the password for a particular system, and then type in all of your “standard” passwords to try to log into it, you may have just compromised all of the systems that use any of those passwords.

There are many ways of grouping systems, but here’s what I recommend:

Low risk systems

If you never give your credit card, drivers license, social security number, or any other sensitive information to a web site, you probably don’t need to use a strong password. For sites like the New York Times, online bulletin boards, and the myriad of places that ask you to create an account before allowing you to post, use a throw-away, easy-to-remember password. The worst an attacker could do is impersonate you on a web site, a mild form of harassment, but nothing more serious than that.

You should realize that any time you type a password into a system that doesn’t immediately take you to an encrypted site, your password could be intercepted by all kinds of unknown people. Look for the lock or key icon in your browser’s status bar, and “https” in the web address. If these things don’t appear, or there’s a warning, don’t trust the site. Use a weak password, and consider it public. As long as you trust a site as being legitimate, I consider it fine to reuse the same weak password for all of these types of sites.

Medium risk systems

You might not agree, but I consider credit card information to be medium risk. To purchase things using a credit card at all, you have to take some risk: the waiter at the restaurant could copy your card when taking your payment; somebody could eavesdrop on your cordless phone when you give the number to the pizza delivery place; or somebody could look over your shoulder in line at a store.

Credit Card companies provide you with protection here—you’re usually only liable for the first $50 of any misuse of your credit card. For many credit cards, the bank takes full risk for online payments. You have to report charges you did not make in writing within 60 days, and these guarantees don’t apply to debit cards, but overall loss of your credit card amounts to a bigger hassle but not devastation to your identity. So I recommend grouping all web sites you use a credit card for into a “medium risk” group. If you give a web site a credit card, you’re already trusting them to not make bogus charges so you can probably trust them to not try to use your strong password on other sites.

Some cautions here:

  • Never send a credit card number, or any more sensitive information, through an email system that is not encrypted. If your email system is encrypted, you’ll know it: you’ll have to do quite a bit of work on both the sending and receiving end, so assume your mail is completely insecure, because it is.
  • Always make sure the web site is encrypted before typing in your password. Look for the lock or key icon in your browser window. In Firefox, the address bar (where you type the web address) will turn yellow if it’s properly encrypted.
  • Never use a public computer to make web transactions. Even if the web site is encrypted, there could be snooping software installed on the computer that could get your user account and password as you type it. Only conduct sensitive transactions on computers you trust and get the spyware off first!
  • Just because a web site is encrypted, doesn’t mean your data is protected. Many smaller companies have not invested in proper security to protect your password and credit card information.

As a general rule, never give your password to anyone, especially not a password you use in other medium or high-risk systems

High risk systems

Any system that contains your social security number, drivers license number, or other financial account numbers should be considered high risk. Systems that contain sensitive business information should be protected with a strong password, and if they’re connected to the internet, that password should be changed frequently.

For the most part, this means treating your laptop or workstation as a high-risk system so use a different password to log into it than you use for e-commerce or general use.

In most cases, you can get by with three passwords, using them on the appropriate level of system: a weak password for general, low risk systems; a strong password for e-commerce and medium risk systems, and a different strong password for any computer you use that has business or sensitive information on it. In some cases, this isn’t enough. If you have critical systems that contain personally identifiable customer data, or administrative access on customer machines, you may need to manage dozens of passwords. We'll cover how to securely manage dozens of passwords, as well as create strong ones, next month.

As a general rule, never give your password to anyone, especially not a password you use in other medium or high-risk systems. If you’re getting help from somebody who administers a service for you, they will be able to set your password to something else without knowing your password.


Regards
Shanker J
Linux & Oracle DBA Administrator
RHCE, MCSA, MCA.