Installing the Cacti monitor plugin on CentOS

Reference page:
Installing and configuring the Monitor & thold plugins on Cacti 0.8.8b (iThome Download)

Version 1.0.x cannot install it; it reports Plugin Not Compatible.

Cacti monitor plugin download site:
http://docs.cacti.net/plugin:monitor#monitor
1. Download the monitor plugin
# wget http://docs.cacti.net/_media/plugin:monitor-v1.3-1.tgz
2. Rename the file
# mv plugin:monitor-v1.3-1.tgz plugin_monitor-v1.3-1.tgz
3. Extract it
# tar xvzf plugin_monitor-v1.3-1.tgz -C /usr/share/cacti/plugins
4. Log in to Cacti and choose Plugin Management

5. Choose Install Plugin

6. Choose Enable Plugin

7. A monitor tab appears at the top

8. Choose Settings

9. Choose the Misc tab

10. Configure the settings

11. Check the result!

Installing Cacti on CentOS 7.x

1. Install the EPEL repository
# yum install epel-release
# yum update

2. Install LAMP
# yum install httpd mariadb-server php php-mysql php-pear php-gd php-mbstring net-snmp net-snmp-utils rrdtool

3. Install cacti
# yum install cacti
4. Start the related services and enable them at boot
# systemctl enable httpd.service
# systemctl enable mariadb.service
# systemctl start httpd.service
# systemctl start mariadb.service

5. Configure the MariaDB SQL server
# /usr/bin/mysql_secure_installation

6. Create the database and set up its admin account and password
# /usr/bin/mysql -u root -p
MariaDB [(none)]> create database cacti;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on cacti.* to cacti@localhost identified by 'password';
Query OK, 0 rows affected (0.00 sec)

# For 1.0.x
MariaDB [(none)]> grant select on mysql.time_zone_name to cacti@localhost;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit

7. Import the schema (the version in the path changes with the package)
# /usr/bin/mysql -u cacti -p cacti < /usr/share/doc/cacti-0.8.8h/cacti.sql
# /usr/bin/mysql -u cacti -p cacti < /usr/share/doc/cacti-1.0.4/cacti.sql

8. Edit /etc/httpd/conf.d/cacti.conf to restrict which source IPs may browse it
# sed -i '/# httpd 2.4/a\\t\tRequire ip 192.168.1.0/24' /etc/httpd/conf.d/cacti.conf
# cat /etc/httpd/conf.d/cacti.conf
Alias /cacti    /usr/share/cacti

<Directory /usr/share/cacti/>
        <IfModule mod_authz_core.c>
                # httpd 2.4
                Require ip 192.168.1.0/24
                Require host localhost
        </IfModule>
        <IfModule !mod_authz_core.c>
                # httpd 2.2
                Order deny,allow
                Deny from all
                Allow from localhost
        </IfModule>
</Directory>

9. Restart the web server
# systemctl restart httpd.service

10. Edit the Cacti database settings in /etc/cacti/db.php
# sed -i -e 's/database_username = "cactiuser"/database_username = "cacti"/' -e 's/database_password = "cactiuser"/database_password = "password"/' /etc/cacti/db.php
For 1.0.x (its db.php uses single quotes)
# sed -i -e "s/database_username = 'cactiuser'/database_username = 'cacti'/" -e "s/database_password = 'cactiuser'/database_password = 'password'/" /etc/cacti/db.php

11. Edit the Cacti cron job in /etc/cron.d/cacti (the sed uncomments the poller line)
# sed -i -e 's/^#//' /etc/cron.d/cacti
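The two sed commands in step 10 differ only in the quote style db.php uses in each Cacti version. As an added example (not part of the original post), the following shell functions rewrite a setting whichever quote style the file uses, keeping that style, and read the value back to confirm the change. The db.php fragment is constructed and the password is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: rewrite a $database_* setting in
# Cacti's db.php whatever quote style the file uses (0.8.8 double quotes,
# 1.0.x single quotes), then read it back to confirm the change.

# set_db_setting FILE KEY VALUE
# Replaces  $KEY = "old";  or  $KEY = 'old';  with VALUE, keeping the file's
# own quote style. VALUE must not contain the characters | or &.
set_db_setting() {
    sed -i -e "s|\([$]$2 *= *\)\"[^\"]*\"|\1\"$3\"|" \
           -e "s|\([$]$2 *= *\)'[^']*'|\1'$3'|" "$1"
}

# get_db_setting FILE KEY: print the quoted value of $KEY, whichever quotes are used
get_db_setting() {
    sed -n "s|^[$]$2 *= *[\"']\([^\"']*\)[\"'].*|\1|p" "$1"
}

# Demonstration on a constructed db.php fragment in the 1.0.x style.
demo_db_php() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
$database_type     = 'mysql';
$database_default  = 'cacti';
$database_hostname = 'localhost';
$database_username = 'cactiuser';
$database_password = 'cactiuser';
EOF
    set_db_setting "$tmp" database_username cacti
    set_db_setting "$tmp" database_password EXAMPLE-PASSWORD   # placeholder value
    get_db_setting "$tmp" database_username   # cacti
    get_db_setting "$tmp" database_password   # EXAMPLE-PASSWORD
    rm -f "$tmp"
}

demo_db_php
```

Run it as root against the real file with `set_db_setting /etc/cacti/db.php database_password '...'`; because the pattern anchors on the `$KEY =` prefix, it leaves the other `$database_*` lines untouched, unlike a bare `s/cactiuser/.../` which would hit both username and password.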

12. Run the installer at http://<Server IP>/cacti

13. Installation walkthrough for version 0.8.8

Default account/password: admin / admin

Installation complete!

Version 1.0.x


Resolving: ERROR: Your Cacti database login account does not have access to the MySQL TimeZone database. Please provide the Cacti database account "select" access to the "time_zone_name" table in the "mysql" database, and populate MySQL's TimeZone information before proceeding.

# /usr/bin/mysql_tzinfo_to_sql /usr/share/zoneinfo | /usr/bin/mysql -u root -p mysql
Enter password:

Change the directory owner and permissions
# chown -R apache:apache /usr/share/cacti
# chmod -R 777 /usr/share/cacti/resource

Run the installer at http://<Server IP>/cacti

There are some warnings; skip them for now

Next

Binary locations

Directory permissions

Installation complete

Default account and password: admin / admin

Reset the password; the password strength requirement is strict

Save the new password

Screen after logging in

LDAP over TLS

Reference pages:
CentOS 7 : Create SSL Certificates : Server World
CentOS 7 : OpenLDAP : LDAP over TLS : Server World

1. Change to the certificate directory
# cd /etc/pki/tls/certs
2. Create server.key
# make server.key
umask 77 ;
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
.....+++
.....+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
3. Remove the passphrase from server.key
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key

4. Create server.csr
# make server.csr
umask 77 ;
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Yilan]:
Locality Name (eg, city) [TouCheng]:
Organization Name (eg, company) [Elementary School]:
Organizational Unit Name (eg, section) [LDAP Server]:
Common Name (eg, your name or your server’s hostname) []:xxxx.tces.ilc.edu.tw
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

5. Create the certificate (self-signed with server.key)
# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=TW/ST=Yilan/L=TouCheng/O=Elementary School/OU=LDAP Server/CN=xxxx.tces.ilc.edu.tw
Getting Private key

6. Copy the files to /etc/openldap/certs
# cp /etc/pki/tls/certs/server.key /etc/pki/tls/certs/server.crt /etc/pki/tls/certs/ca-bundle.crt /etc/openldap/certs

7. Change the file owner and group
# chown ldap:ldap /etc/openldap/certs/server.* /etc/openldap/certs/ca-bundle.crt

8. Create mod_ssl.ldif
# cat mod_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt

replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt

replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key

9. Import it
# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

10. Edit /etc/sysconfig/slapd to add ldaps:///
# cp /etc/sysconfig/slapd /etc/sysconfig/slapd.$(date +%F)
# sed -i '/SLAPD_URLS/s@ldapi:/// ldap:///@ldapi:/// ldap:/// ldaps:///@' /etc/sysconfig/slapd

11. Restart the LDAP server
# systemctl restart slapd.service

12. Check that it is listening
# netstat -antulp | egrep '389|636'
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      1933/slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1933/slapd
tcp6       0      0 :::636                  :::*                    LISTEN      1933/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      1933/slapd

13. Firewall settings
# firewall-cmd --permanent --add-service=ldap
# firewall-cmd --permanent --add-service=ldaps
# firewall-cmd --reload

# iptables -A INPUT -p tcp -s 192.168.1.0/24 --syn -m state --state NEW --dport 389 -j ACCEPT
# iptables -A INPUT -p tcp -s 192.168.1.0/24 --syn -m state --state NEW --dport 636 -j ACCEPT
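Steps 2 to 5 above prompt for a passphrase and for each DN field, and produce a certificate whose only name is the CN. As an added example (not part of the original post or of the referenced Server World pages), the following shell script does the same non-interactively, adds a subjectAltName (current TLS libraries match the hostname against it and several no longer fall back to the CN), keeps the key owner-readable from the moment it is written, and runs the checks worth doing before the files are copied into /etc/openldap/certs in step 6. The hostname ldap.example.test, the DN values and the working directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive key/CSR/certificate
# generation for slapd plus sanity checks. Assumes the openssl command-line tool;
# hostname, DN values and paths are placeholders.

# make_selfsigned DIR HOSTNAME DAYS: writes DIR/server.key, server.csr, server.crt
make_selfsigned() {
    dir=$1 host=$2 days=$3
    # umask 077 so the key is created 0600; no passphrase, since slapd cannot prompt for one
    (umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=TW/ST=Yilan/L=TouCheng/O=Elementary School/OU=LDAP Server/CN=$host" 2>/dev/null
    # Hostname checks look at subjectAltName, so add the extension when signing.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" -days "$days" \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# cert_cn FILE: the certificate's CN (handles the OpenSSL 1.0 and 1.1+/3.x subject formats)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_san FILE: the first DNS name in subjectAltName, or nothing if the extension is absent
cert_san() {
    openssl x509 -in "$1" -noout -text | awk '/DNS:/ { sub(/.*DNS:/, ""); sub(/,.*/, ""); print; exit }'
}

# key_matches_cert KEY CERT: true when the RSA modulus in both files is the same
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for FILE DAYS: true when the certificate does not expire within DAYS days
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

demo_tls_files() {
    d=$(mktemp -d)
    make_selfsigned "$d" ldap.example.test 3650
    echo "CN:  $(cert_cn "$d/server.crt")"      # ldap.example.test
    echo "SAN: $(cert_san "$d/server.crt")"     # ldap.example.test
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "key matches certificate"
    cert_valid_for "$d/server.crt" 30 && echo "valid for at least 30 days"
    ls -l "$d/server.key"    # -rw------- : only the owner (root now, ldap after step 7) can read it
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then demo_tls_files; fi
```

After steps 6, 7 and 11, `openssl s_client -connect <server>:636` from a client shows the certificate the running slapd actually presents; a client that trusts the self-signed certificate needs it (not only ca-bundle.crt) in its trust store.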

LDAP over TLS - failed attempt

For security reasons, LDAP can run over the TLS/SSL encryption protocol.
Reference page:
Linux . 無限: Installing and configuring an LDAP Server on CentOS7/RHEL7 (part 1)

1. Install the openssl package
# yum install openssl

2. Edit /etc/pki/tls/openssl.cnf
# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.$(date +%F)
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = TW
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Yilan

localityName                    = Locality Name (eg, city)
localityName_default            = TouCheng

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Elementary School

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = LDAP Server
3. Generate the key and certificate
# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 3650
Generating a 2048 bit RSA private key
.....+++
.....+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Yilan]:
Locality Name (eg, city) [TouCheng]:
Organization Name (eg, company) [Elementary School]:
Organizational Unit Name (eg, section) [LDAP Server]:
Common Name (eg, your name or your server’s hostname) []:
Email Address []:

4. Change the directory owner/group and file permissions
# chown -R ldap:ldap /etc/openldap/certs
# chmod 600 /etc/openldap/certs/priv.pem
# ls -l /etc/openldap/certs/*
-rw-r--r-- 1 ldap ldap 65536 Mar  8 17:46 /etc/openldap/certs/cert8.db
-rw-r--r-- 1 ldap ldap  1391 Mar 10 14:14 /etc/openldap/certs/cert.pem
-rw-r--r-- 1 ldap ldap 16384 Mar  8 17:46 /etc/openldap/certs/key3.db
-r--r----- 1 ldap ldap    45 Dec  7 10:22 /etc/openldap/certs/password
-rw------- 1 ldap ldap  1704 Mar 10 14:14 /etc/openldap/certs/priv.pem
-rw-r--r-- 1 ldap ldap 16384 Dec  7 10:22 /etc/openldap/certs/secmod.db

5. Create tlsc.ldif
# cat tlsc.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

6. Import it
# /bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f tlsc.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "cn=config"

7. Restart the LDAP server
# systemctl restart slapd.service

It does not seem to have worked; trying other approaches!

Firefox 53.0.3 & ESR 52.1.2


Download and install the latest version directly
Windows
x86
http://ftp.mozilla.org/pub/firefox/releases/53.0.3/win32/zh-TW/Firefox%20Setup%2053.0.3.exe
ESR 52.1.2
http://ftp.mozilla.org/pub/firefox/releases/52.1.2esr/win32/zh-TW/Firefox%20Setup%2052.1.2esr.exe

x64
http://ftp.mozilla.org/pub/firefox/releases/53.0.3/win64/zh-TW/Firefox%20Setup%2053.0.3.exe
ESR 52.1.2
http://ftp.mozilla.org/pub/firefox/releases/52.1.2esr/win64/zh-TW/Firefox%20Setup%2052.1.2esr.exe

Mac
http://ftp.mozilla.org/pub/firefox/releases/53.0.3/mac/zh-TW/Firefox%2053.0.3.dmg
ESR 52.1.2
http://ftp.mozilla.org/pub/firefox/releases/52.1.2esr/mac/zh-TW/Firefox%2052.1.2esr.dmg

The ss network tool

ss does much the same as netstat.
Its main options:

Option  Description
-a      show all sockets
-n      show numeric addresses and port numbers instead of names
-t      show TCP sockets
-u      show UDP sockets
-l      show only listening sockets
-p      show the process (PID) that owns each socket

# ss -antulp
Netid State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN  0      0                  *:161              *:*  users:(("snmpd",pid=52,fd=6))
tcp   LISTEN  0      128        127.0.0.1:199              *:*  users:(("snmpd",pid=52,fd=7))
tcp   LISTEN  0      128                *:22               *:*  users:(("sshd",pid=72,fd=3))
tcp   LISTEN  0      128               :::22              :::*  users:(("sshd",pid=72,fd=4))

# netstat -antulp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:199           0.0.0.0:*               LISTEN      52/snmpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      72/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      72/sshd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           52/snmpd

I am still more used to netstat
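The two listings above carry the same information in different layouts, and step 12 of the LDAP over TLS section relies on reading one of them by eye. As an added example (not part of the original post), the following shell functions normalise either `ss -antulp` or `netstat -antulp` output into uniform `proto port program` lines, so the same check (is anything listening on a port, and which program?) works whichever tool a host has. Both sample listings are constructed, modelled on the output above.

```shell
#!/bin/sh
# Added example, not from the original post: turn `ss -antulp` or `netstat -antulp`
# output into uniform "proto port program" lines and look a port up.
# Both sample listings below are constructed.

SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0               *:161             *:*    users:(("snmpd",pid=52,fd=6))
tcp   LISTEN 0      128     127.0.0.1:199             *:*    users:(("snmpd",pid=52,fd=7))
tcp   LISTEN 0      128             *:22              *:*    users:(("sshd",pid=72,fd=3))
tcp   LISTEN 0      128            :::22             :::*    users:(("sshd",pid=72,fd=4))'

NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:199           0.0.0.0:*               LISTEN      52/snmpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      72/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      72/sshd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           52/snmpd'

# ss_listeners: ss output on stdin -> "proto port program" for listening/unconnected sockets
ss_listeners() {
    awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
        n = split($5, a, ":"); port = a[n]          # last field after ":" handles ::: too
        prog = "-"
        if (match($0, /users:\(\("[^"]+"/))         # users:(("name",pid=..)) -> name
            prog = substr($0, RSTART + 9, RLENGTH - 10)
        print $1, port, prog
    }'
}

# netstat_listeners: netstat output on stdin -> the same "proto port program" lines
netstat_listeners() {
    awk '$1 ~ /^(tcp|tcp6|udp|udp6)$/ {
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next     # UDP lines have no State column
        n = split($4, a, ":"); port = a[n]
        prog = $NF; sub(/^[0-9]+\//, "", prog)      # 52/snmpd -> snmpd
        print $1, port, prog
    }'
}

# port_program LINES PORT: print the program serving PORT, or "none"
port_program() {
    p=$(printf '%s\n' "$1" | awk -v port="$2" '$2 == port { print $3; exit }')
    printf '%s\n' "${p:-none}"
}

ss_norm=$(printf '%s\n' "$SS_SAMPLE" | ss_listeners)
ns_norm=$(printf '%s\n' "$NETSTAT_SAMPLE" | netstat_listeners)
echo "via ss:      22  -> $(port_program "$ss_norm" 22)"     # sshd
echo "via netstat: 161 -> $(port_program "$ns_norm" 161)"    # snmpd
echo "via ss:      636 -> $(port_program "$ss_norm" 636)"    # none: no ldaps on this host
```

On a live host, replace the samples with `ss -antulp | ss_listeners` (root is needed for the `-p` program names); a port that answers `none` where the LDAP section expects slapd on 389 and 636 means the slapd restart or the SLAPD_URLS edit did not take.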

The ip network tool

The ip command is similar in function to ifconfig, but its commands can be shorter.

1. List the IP addresses of all network interfaces
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
112: eth0@if113: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 9e:5b:bb:11:35:a7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.1.17/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
2. Show a single network interface
# ip addr show eth0
# ip a s eth0
112: eth0@if113: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 9e:5b:bc:14:35:a7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.1.17/24 brd 192.168.1.255 scope global eth0

3. Show the routing table
# ip route
# ip r
default via 192.168.1.254 dev eth0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.17

Extracting the IP address
# ip a s eth0 | grep 'inet ' | awk '{print $2}' | awk -F'/' '{print $1}'
192.168.1.17
# ip r | grep src | awk ‘{print $9}’
192.168.1.17

Extracting the MAC address
# ip a s eth0 | grep 'link/ether' | awk '{print $2}'
9e:5b:bb:11:35:a7
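The grep/awk pipelines above work for one named interface that has exactly one IPv4 address. As an added example (not part of the original post), the following single awk pass over `ip addr show` output builds an interface table (name, link state, MAC, first IPv4 address) for every interface at once, including one that has no address yet, for which the one-liners above would silently print nothing. The sample output is constructed from the listing above plus an extra unconfigured eth1.

```shell
#!/bin/sh
# Added example, not from the original post: parse `ip addr show` output into
# one "name state mac ipv4" line per interface. The sample output is constructed.

IP_SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
112: eth0@if113: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 9e:5b:bb:11:35:a7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.1.17/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 9e:5b:bb:11:35:a8 brd ff:ff:ff:ff:ff:ff'

# iface_table: `ip addr show` output on stdin -> "name state mac ipv4" per interface
# ("-" where a field is absent; only the first IPv4 address is reported)
iface_table() {
    awk '
    function emit() { if (name != "") print name, state, mac, ip4 }
    /^[0-9]+: / {                     # "112: eth0@if113: <...> ... state UP ..."
        emit()
        name = $2; sub(/@.*/, "", name); sub(/:$/, "", name)
        mac = "-"; ip4 = "-"; state = "-"
        for (i = 1; i < NF; i++) if ($i == "state") state = $(i + 1)
    }
    $1 == "link/ether" { mac = $2 }
    $1 == "inet" && ip4 == "-" { ip4 = $2; sub(/\/.*/, "", ip4) }
    END { emit() }'
}

# iface_field OUTPUT NAME COLUMN: one column (2=state, 3=mac, 4=ipv4) for interface NAME
iface_field() {
    printf '%s\n' "$1" | iface_table | awk -v n="$2" -v c="$3" '$1 == n { print $c }'
}

printf '%s\n' "$IP_SAMPLE" | iface_table
echo "eth0 ip:  $(iface_field "$IP_SAMPLE" eth0 4)"   # 192.168.1.17
echo "eth0 mac: $(iface_field "$IP_SAMPLE" eth0 3)"   # 9e:5b:bb:11:35:a7
echo "eth1 ip:  $(iface_field "$IP_SAMPLE" eth1 4)"   # - (no address, state DOWN)
```

On a real host use `ip addr show | iface_table`; the `@ifNN` suffix seen on eth0 above (a veth or container interface) is stripped so the name matches what `ip a s eth0` expects.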

CentOS 7.x network management tool nmcli

nmcli is the default network management tool on CentOS 7.x, but I had always used ifconfig, so I never looked into it.
# which nmcli
/usr/bin/nmcli

If it is not found, install the NetworkManager package
# yum install NetworkManager
# systemctl start NetworkManager.service

Reference pages:
2.3. Using the NetworkManager command-line tool, nmcli
RHEL / CentOS 7 network management tool nmcli - Linux 技術手札
1. Show all connections:
# nmcli connection show
# nmcli c s
NAME     UUID                                  TYPE            DEVICE
enp0s25  d28b1a52-51d3-482c-b36e-37b7b80d7ded  802-3-ethernet  enp0s25
enp1s0   6d31aafd-1033-4853-ba71-e062608189b0  802-3-ethernet  enp1s0
enp1s1   6af9cc1f-4fac-40e8-80e6-6bda5b66886b  802-3-ethernet  enp1s1

Show only active connections:
# nmcli connection show --active
# nmcli connection show -a
# nmcli c s -a
NAME     UUID                                  TYPE            DEVICE
enp0s25  d28b1a52-51d3-482c-b36e-37b7b80d7ded  802-3-ethernet  enp0s25
enp1s0   6d31aafd-1033-4853-ba71-e062608189b0  802-3-ethernet  enp1s0
enp1s1   6af9cc1f-4fac-40e8-80e6-6bda5b66886b  802-3-ethernet  enp1s1

Show every device NetworkManager recognises and its current state:
# nmcli device status
# nmcli d s
DEVICE   TYPE      STATE      CONNECTION
enp0s25  ethernet  connected  enp0s25
enp1s0   ethernet  connected  enp1s0
enp1s1   ethernet  connected  enp1s1
lo       loopback  unmanaged  --

Disable a NIC:
# nmcli device disconnect enp1s1
# nmcli d d enp1s1
Device 'enp1s1' successfully disconnected.

Enable a NIC:
# nmcli device connect enp1s1
# nmcli d c enp1s1
Device 'enp1s1' successfully activated with '6af9cc1f-4fac-40e8-80e6-6bda5b66886b'.

Add a static IP:
# nmcli connection add type ethernet con-name test-lab ifname enp1s1 ip4 10.10.10.10/24 gw4 10.10.10.254
# nmcli con add type ethernet con-name test-lab ifname enp1s1 ip4 10.10.10.10/24 gw4 10.10.10.254
Connection 'test-lab' (6af9cc1f-4fac-40e8-80e6-6bda5b66886b) successfully added.
# nmcli con add type ethernet con-name test-lab ifname enp1s1 ip4 10.10.10.10/24 gw4 10.10.10.254 ip6 abbe::cafe gw6 2001:db8::1

Set the DNS servers:
# nmcli connection modify test-lab ipv4.dns "168.95.1.1 140.111.66.1 8.8.8.8"
# nmcli con mod test-lab ipv4.dns "168.95.1.1 140.111.66.1 8.8.8.8"
# nmcli con mod test-lab ipv6.dns "2001:b000:168::2 2001:288:a201::66:1 2001:4860:4860::8888"

Bring up the new connection:
# nmcli connection up test-lab ifname enp1s1
# nmcli con up test-lab ifname enp1s1

Using diff / patch to update files

diff produces the differences between two files, and patch then applies them.

1. Produce the difference between the two files
-a treat all files as text
-u unified output, with three lines of unchanged context by default
-r recursively compare subdirectories
-N treat missing files as empty
# diff -Naur server.conf.2017-02-20 server.conf > /root/server.diff

2. Put the diff file next to the file to be patched
# cp /etc/openvpn/server.conf.2017-02-20 /root/server.conf

3. Apply the fix with patch
# cd /root
# patch -i server.diff

4. Check whether the two files still differ
# diff /root/server.conf /etc/openvpn/server.conf

If the command prints nothing, the two files are identical
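The four steps above, run end to end in a scratch directory on two constructed config files, as an added example that is not part of the original post. It returns `same` when the patched copy matches the target and also shows the exit-code behaviour of diff (1 means the files differ, 2 means an error) that a script must allow for.

```shell
#!/bin/sh
# Added example, not from the original post: the diff/patch round trip from the
# four steps above, run in a scratch directory on two constructed config files.
# Prints "same" when the patched copy matches the target.
roundtrip() {
    work=$(mktemp -d)
    # constructed old and new versions of a server.conf (file names are placeholders)
    printf 'port 1194\nproto udp\ncipher BF-CBC\n' > "$work/server.conf.old"
    printf 'port 1194\nproto udp\ncipher AES-256-GCM\nauth SHA256\n' > "$work/server.conf"
    cp "$work/server.conf.old" "$work/target.conf"      # the stale copy we want to update

    # 1. unified diff (-u); diff exits 1 when the files differ, 2 on error
    diff -Naur "$work/server.conf.old" "$work/server.conf" > "$work/server.diff" || [ $? -eq 1 ]
    # 2/3. apply it; naming the target explicitly avoids relying on the path in the diff header
    patch -s "$work/target.conf" "$work/server.diff" || { rm -rf "$work"; return 1; }
    # 4. diff prints nothing and exits 0 when the files are identical
    if diff "$work/target.conf" "$work/server.conf" >/dev/null; then r=same; else r=different; fi
    rm -rf "$work"
    printf '%s\n' "$r"
}

if command -v patch >/dev/null 2>&1; then roundtrip; fi
```

With `patch -i server.diff` as in step 3, patch takes the file name from the `---`/`+++` header lines instead, which is why step 2 copies the target into the same directory first; `patch --dry-run -i server.diff` reports whether every hunk would apply before anything is written.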

Logging in to an SSH server without a password

Some Linux distributions disallow logging in as root by default, or do not allow root to log in with a password.
# grep RootLogin /etc/ssh/sshd_config
PermitRootLogin prohibit-password

PermitRootLogin without-password

If you still prefer to log in as root, change it to
PermitRootLogin yes

Restart the SSH server
# /etc/init.d/sshd restart
# systemctl restart sshd.service

Or switch to SSH keys instead, which also gives password-free login
Server A: 192.168.1.10
Server B: 192.168.1.101

1. Run on Server A
# ssh-keygen -t rsa

2. The generated keys: id_rsa (private key) and id_rsa.pub (public key)
# ls -l ~/.ssh/
-rw------- 1 root root 1675 Mar  9 19:17 id_rsa
-rw-r--r-- 1 root root  390 Mar  9 19:17 id_rsa.pub
-rw-r--r-- 1 root root 1330 Mar  9 14:41 known_hosts

3. Copy the public key to Server B
# scp ~/.ssh/id_rsa.pub root@192.168.1.101:/root

4. Log in to Server B and append the id_rsa.pub public key copied from Server A to ~/.ssh/authorized_keys
# ssh root@192.168.1.101
# cat id_rsa.pub >> ~/.ssh/authorized_keys
# rm -f id_rsa.pub

5. Fix the permissions
# chmod 700 ~/.ssh
# chmod 600 ~/.ssh/authorized_keys

6. Test that ssh from Server A to Server B no longer asks for a password
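Two checks for the setup above, added here as an example that is not part of the original post: one reports the effective PermitRootLogin value the way sshd reads it (first occurrence wins, commented lines ignored; Match blocks are not considered), the other verifies the step 5 permissions, which matter because sshd with its default StrictModes ignores an authorized_keys file whose directory or file is group- or world-writable. Both run against constructed files in a scratch directory; the `stat -c` form assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original post: audit helpers for the SSH steps above.
# Constructed sshd_config lines and a scratch ~/.ssh are used so it runs offline.

# permit_root_login FILE: effective PermitRootLogin value. sshd takes the first
# occurrence and ignores comments; if the directive is absent the compiled default
# (prohibit-password since OpenSSH 7.0) applies. Match blocks are not handled here.
permit_root_login() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-prohibit-password}"
}

# ssh_perms_ok DIR: true when DIR is mode 700 and DIR/authorized_keys is 600 (644 is
# also accepted by sshd); otherwise prints what is wrong and returns 1.
ssh_perms_ok() {
    d=$1 rc=0
    dm=$(stat -c %a "$d")                  # GNU stat; BSD/macOS would need stat -f %Lp
    km=$(stat -c %a "$d/authorized_keys")
    [ "$dm" = 700 ] || { echo "$d is mode $dm, expected 700"; rc=1; }
    case $km in
        600|644) ;;
        *) echo "$d/authorized_keys is mode $km, expected 600"; rc=1 ;;
    esac
    return $rc
}

demo_ssh_checks() {
    cfg=$(mktemp)
    printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin prohibit-password' \
                  'PasswordAuthentication no' > "$cfg"      # constructed sshd_config
    echo "PermitRootLogin: $(permit_root_login "$cfg")"     # prohibit-password

    home=$(mktemp -d)
    mkdir "$home/.ssh"; : > "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"; chmod 600 "$home/.ssh/authorized_keys"   # step 5
    ssh_perms_ok "$home/.ssh" && echo "permissions ok"
    chmod 777 "$home/.ssh"                                            # what sshd would reject
    ssh_perms_ok "$home/.ssh" || echo "permissions rejected"
    rm -rf "$home" "$cfg"
}

demo_ssh_checks
```

OpenSSH's own `ssh-copy-id root@192.168.1.101`, run on Server A, performs steps 3 to 5 in one command and creates ~/.ssh with the right modes; if key login still prompts for a password, `ssh -v` on the client and the sshd log on Server B (`journalctl -u sshd`) show whether the key was offered and why it was refused.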