作者: t850008

OpenNMS 是一套 OpenSource 的網路管理軟體，可以利用 Ping 及 SNMP 的方式來偵測網路設備或服務的啟動狀態。
OpenNMS 官方網站：http://www.opennms.org/
本篇文章參考：浮雲雅築: [研究] OpenNMS 1.12.3 快速安裝程式 (yum)(CentOS 6.5 x64)

[@more@]
下載 OpenNMS 套件庫 rpm
# wget http://yum.opennms.org/repofiles/opennms-repo-stable-rhel6.noarch.rpm

進行安裝
# rpm -Uvh opennms-repo-stable-rhel6.noarch.rpm

安裝 PostgreSQL 資料庫
# yum install postgresql postgresql-server

PostgreSQL 初始化資料庫
# service postgresql initdb
正在初始化資料庫：                                         [  確定  ]

啟動 PostgreSQL Server
# service postgresql start
正在啟動 postgresql 服務：                                 [  確定  ]

如果沒有先初始化資料庫，而直接啟動，則會出現下面的錯誤訊息
# service postgresql start

/var/lib/pgsql/data is missing. Use “service postgresql initdb” to initialize the cluster first.
                                                           [失敗]

設定開機時啟動
# chkconfig –level 3 postgresql on

先備份設定檔，再進行修改
# cp /var/lib/pgsql/data/pg_hba.conf /var/lib/pgsql/data/pg_hba.conf.$(date +%F)

將 70 行後的 ident 取代成 trust
# sed -i ’70,$s/ident/trust/’ /var/lib/pgsql/data/pg_hba.conf

重新啟動 PostgreSQL Server
# service postgresql restart                                               
正在停止 postgresql 服務：                                 [  確定  ]
正在啟動 postgresql 服務：                                 [  確定  ]

檢查是否有正常啟動 PostgreSQL Server
# netstat -antulp | grep 5432
tcp        0      0 127.0.0.1:5432              0.0.0.0:*                   LISTEN      8092/postmaster
tcp        0      0 ::1:5432                    :::*                        LISTEN      8092/postmaster

安裝 Oracle Java JDK
Oracle Java JDK 下載網頁：
http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
# rpm -ivh jdk-7u45-linux-x64.rpm

進行 Oracle Java JDK 設定
# alternatives –install /usr/bin/java  java  /usr/java/jdk1.7.0_45/bin/java  100
# alternatives –set  java /usr/java/jdk1.7.0_45/bin/java
# echo ‘export JAVA_HOME=/usr/java/jdk1.7.0_45’ >> /etc/profile
# echo ‘export PATH=$PATH:$JAVA_HOME/bin’ >> /etc/profile
# echo ‘export CLASSPATH=$JAVA_HOME/jre/lib/ext:$JAVA_HOME/lib/tools.jar’ >> /etc/profile
# source /etc/profile

檢查 Java 版本
# java -version
java version “1.7.0_45”
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)

安裝 OpenNMS
# yum -y install opennms opennms-plugins opennms-remote-poller mib2opennms iplike
 *** Installation complete.  You must still run the installer at
 *** $OPENNMS_HOME/bin/install to be sure your database is up
 *** to date before you start OpenNMS.  See the install guide at
 *** http://www.opennms.org/wiki/Installation:RPM and the
 *** release notes for details.

設定 OpenNMS 環境變數
# export OPENNMS_HOME=/opt/opennms
# echo ‘export PATH=$PATH:$OPENNMS_HOME/bin’ >> /etc/profile

設定 OpenNMS 使用的 Java
# /opt/opennms/bin/runjava -S /usr/java/latest/bin/java
runjava: checking specified JRE: “/usr/java/latest/bin/java”…
runjava: specified JRE is good.
runjava: value of “/usr/java/latest/bin/java” stored in configuration file

# $OPENNMS_HOME/bin/runjava -s
runjava: Looking for an appropriate JRE…
runjava: Checking for an appropriate JRE in JAVA_HOME…
runjava: found: “/usr/java/jdk1.7.0_45/bin/java” is an appropriate JRE
runjava: value of “/usr/java/jdk1.7.0_45/bin/java” stored in configuration file

建立 OpenNMS 需要的資料庫
# $OPENNMS_HOME/bin/install -dis

最後會出現
Upgrade completed successfully!

啟動 OpenNMS
# service opennms start
Starting OpenNMS: Started OpenNMS, but it has not finished starting up
                                                           [失敗]

設定開機時啟動
# chkconfig –level 3 opennms on

雖然最後的訊息出現失敗，但有正常執行
# netstat -antulp | grep 8980
tcp        0      0 :::8980                     :::*                        LISTEN      8956/java
tcp        0      0 :::18980                    :::*                        LISTEN      8956/java

如果不放心，可以檢查 log 檔的訊息
# cat /opt/opennms/logs/daemon/output.log
[DEBUG] System property ‘opennms.library.jicmp’ set to ‘/usr/lib64/libjicmp.so.  Attempting to load jicmp library from this location.
[INFO] Successfully loaded jicmp library.
[DEBUG] System property ‘opennms.library.jicmp6’ set to ‘/usr/lib64/libjicmp6.so.  Attempting to load jicmp6 library from this location.
[INFO] Successfully loaded jicmp6 library.

顯示 OpenNMS 執行狀態
# /opt/opennms/bin/opennms -v status
OpenNMS.Eventd         : running
OpenNMS.Trapd          : running
OpenNMS.Queued         : running
OpenNMS.Actiond        : running
OpenNMS.Notifd         : running
OpenNMS.Scriptd        : running
OpenNMS.Rtcd           : running
OpenNMS.Pollerd        : running
OpenNMS.PollerBackEnd  : running
OpenNMS.Ticketer       : running
OpenNMS.Collectd       : running
OpenNMS.Discovery      : running
OpenNMS.Vacuumd        : running
OpenNMS.EventTranslator: running
OpenNMS.PassiveStatusd : running
OpenNMS.Statsd         : running
OpenNMS.Provisiond     : running
OpenNMS.Reportd        : running
OpenNMS.Alarmd         : running
OpenNMS.Ackd           : running
OpenNMS.JettyServer    : running
opennms is running

開啟瀏覽器，在網址列上輸入 http://Server’IP:8980/opennms
預設帳號和密碼都是 admin，可以在 Web 介面中更改密碼

設定 OpenNMS 要偵測的網段，也可以在 Web 介面設定
# vim /opt/opennms/etc/discovery-configuration.xml
<discovery-configuration threads=”1″ packets-per-second=”1″
        initial-sleep-time=”30000″ restart-sleep-time=”86400000″
        retries=”1″ timeout=”2000″>

    <include-range>
        <begin>192.168.1.1</begin>
        <end>192.168.1.254</end>
    </include-range>

</discovery-configuration>

在網段中所偵測到的主機及服務

在防火牆中設定
iptables -A INPUT -p tcp  -m state –state NEW –dport 389 -j ACCEPT

# mkdir /mnt/cdrom
# mount /dev/cdrom /mnt/cdrom
mount: block device /dev/sr0 is write-protected, mounting read-only
# cd /mnt/cdrom
# ls
manifest.txt     VMwareTools-9.6.1-1378637.tar.gz  vmware-tools-upgrader-64
run_upgrader.sh  vmware-tools-upgrader-32
# cp VMwareTools-9.6.1-1378637.tar.gz /var/tmp/
# cd /var/tmp
# tar xvzf VMwareTools-9.6.1-1378637.tar.gz

SELinux 設定檔
# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing – SELinux security policy is enforced.
#     permissive – SELinux prints warnings instead of enforcing.
#     disabled – No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted – Targeted processes are protected,
#     mls – Multi Level Security protection.
SELINUXTYPE=targeted

顯示目前 SELinux 狀態
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

# sestatus
SELinux status:                 disabled
[@more@]
改變 SELinux 模式
# getenforce
Enforcing
# setenforce 0
# getenforce
Permissive
# setenforce 1
# getenforce
Enforcing
# setenforce –help
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]

Display SELinux Contexts
# ls -Z /root/anaconda-ks.cfg
-rw——-. root root system_u:object_r:admin_home_t:s0 /root/anaconda-ks.cfg
# ls -dZ /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

Set SELinux Contexts
# touch index-1.html
# touch /var/www/html/index.html
# mv index-1.html /var/www/html/
# ls -Z /var/www/html/*.html
-rw-r–r–. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/index-1.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
# chcon -t httpd_sys_content_t /var/www/html/index-1.html
# ls -Z /var/www/html/*.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index-1.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html

# touch index-2.html
# mv index-2.html /var/www/html
# ls -Z /var/www/html/*.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index-1.html
-rw-r–r–. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/index-2.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
# restorecon -v /var/www/html/index-2.html
restorecon reset /var/www/html/index-2.html context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
# ls -Z /var/www/html/*.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index-1.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index-2.html
-rw-r–r–. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html

Get SELinux booleans
# getsebool -a | head -10
abrt_anon_write –> off
abrt_handle_event –> off
allow_console_login –> on
allow_cvs_read_shadow –> off
allow_daemons_dump_core –> on
allow_daemons_use_tcp_wrapper –> off
allow_daemons_use_tty –> on
allow_domain_fd_use –> on
allow_execheap –> off
allow_execmem –> on

# getsebool -a | grep ftp
allow_ftpd_anon_write –> off
allow_ftpd_full_access –> off
allow_ftpd_use_cifs –> off
allow_ftpd_use_nfs –> off
ftp_home_dir –> off
ftpd_connect_db –> off
ftpd_use_fusefs –> off
ftpd_use_passive_mode –> off
httpd_enable_ftp_server –> off
tftp_anon_write –> off
tftp_use_cifs –> off
tftp_use_nfs –> off

# getsebool ftp_home_dir
ftp_home_dir –> off

Set SELinux booleans
# setsebool ftp_home_dir 1
# getsebool ftp_home_dir
ftp_home_dir –> on
# setsebool ftp_home_dir 0
# getsebool ftp_home_dir
ftp_home_dir –> off

讓設定永遠生效
# setsebool -P ftp_home_dir 1

# yum install policycoreutils-python

取得相關資訊
# semanage boolean -l | grep ftp_home_dir
ftp_home_dir                   (開啟   ,   開啟)  Allow ftp to read and write files in the user home directories

Nagios 是一套功能非常強大的網路監控系統，可以協助網管人員即時監控系統服務的狀態，並且在系統服務發生異狀時，以 email 通知管理者。
Nagios 官方網站：http://www.nagios.org/
安裝 Nagios
# yum install nagios nagios-plugins-all nagios-plugins-nrpe nrpe –enablerepo=epel
啟動 Nagios
# service nagios start
Starting nagios: done.

設定開機時啟動 Nagios
# chkconfig –level 3 nagios on
[@more@]
設定 Nagios 的管理帳號及密碼 nagiosadmin / 123456
# htpasswd -cb /etc/nagios/passwd nagiosadmin 123456
Adding password for user nagiosadmin

開啟瀏覽器，在網址列輸入 http://Server’IP/nagios

啟動 NRPE 服務
# service nrpe start
Starting nrpe:    
                                        [  確定  ]

設定開機時啟動
# chkconfig –level 3 nrpe on

檢查是否有正常啟動
# netstat -antulp | grep nrpe
tcp        0      0 0.0.0.0:5666                0.0.0.0:*                   LISTEN      57902/nrpe

Monitorix 官方網站：http://www.monitorix.org/

安裝 Monitorix 所須套件
# yum install perl-Config-General perl-HTTP-Server-Simple perl-MIME-Lite perl-MailTools perl-XML-Simple rrdtool rrdtool-perl

下載 Monitorix
# wget http://www.monitorix.org/monitorix-3.4.0-1.noarch.rpm
進行安裝
# rpm -ivh monitorix-3.4.0-1.noarch.rpm

或
# yum install monitorix –enablerepo=epel

啟動 Monitorix 服務
# service monitorix start
正在啟動 monitorix：                                       [  確定  ]

設定開機時啟動
# chkconfig –level 3 monitorix on

檢查 Monitorix 服務是否有正常啟動
# netstat -antulp | grep monitorix
tcp        0      0 0.0.0.0:8080                0.0.0.0:*                   LISTEN      47040/monitorix-htt
[@more@]
開啟瀏覽器，輸入 http://Server’IP:8080/monitorix

限制可以連線的範圍 192.168.1.0/24
# sed -i ‘s/hosts_deny =/hosts_deny = all/’ /etc/monitorix.conf
# sed -i ‘s/hosts_allow =/hosts_allow = 192.168.1.0/24/’ /etc/monitorix.conf

設定連線時須要輸入密碼
# sed -i ’34s/enabled = n/enabled = y/’ /etc/monitorix.conf
設定可以連線的使用者 admin 密碼 123456
# htpasswd -cb /var/lib/monitorix/htpasswd admin 123456
Adding password for user admin

# mkdir /mnt/{Ubuntu-12.04.3-amd64,Ubuntu-12.04.3-i386,Ubuntu-13.10-amd64,Ubuntu-13.10-i386}
# mount -o loop /var/ftp/pub/ubuntu-13.10-server-amd64.iso /mnt/Ubuntu-13.10-amd64
# mount -o loop /var/ftp/pub/ubuntu-13.10-server-i386.iso /mnt/Ubuntu-13.10-i386

# mkdir -p /var/lib/tftpboot/Ubuntu/{1310,1204}/{amd64,i386}

# cp /mnt/Ubuntu-13.10-amd64/install/netboot/ubuntu-installer/amd64/linux /var/lib/tftpboot/images/Ubuntu/1310/amd64
# cp /mnt/Ubuntu-13.10-amd64/install/netboot/ubuntu-installer/amd64/initrd.gz /var/lib/tftpboot/images/Ubuntu/1310/amd64

# vim /var/lib/tftpboot/pxelinux.cfg/Ubuntu_Server
LABEL Install Ubuntu 13.10 Server amd64
        MENU LABEL Install Ubuntu 13.10 Server amd64
        kernel images/Ubuntu/1310/amd64/linux
        append initrd=images/Ubuntu/13.10/amd64/initrd.gz ramdisk_size=65535 vga=normal url=http://192.168.1.6/us1310-amd64/preseed.cfg

# mkdir /var/www/html/us1310-amd64
# vim /var/www/html/us1310-amd64/preseed.cfg
# Components to use for loading installer components (options).
d-i mirror/udeb/components multiselect main
# Apt Setup
d-i apt-setup/restricted boolean false
d-i apt-setup/universe boolean false
d-i apt-setup/backports boolean false
d-i apt-setup/non-free boolean false
d-i apt-setup/contrib boolean false
# Don’t want to use a network mirror
d-i apt-setup/use_mirror boolean false
d-i apt-setup/services-select multiselect none
d-i apt-setup/security-updates boolean false
d-i apt-setup/another boolean false
# Soultion for could not find any live images
d-i live-installer/net-image string

http://192.168.1.6/Ubuntu-13.10-amd64/install/filesystem.squashfs

# mount –bind /mnt/Ubuntu-13.10-amd64 /var/www/html/Ubuntu-13.10-amd64

主要是在 PXE Server 的功能表，使用 Samba 和 Clonezilla 做自動的備份及還原，另外因為要做到自動化，所以 Samba Server 是設定成不用密碼就可以使用，但在防火牆上要限定連線來源。

修改 PXE Server 功能表，因為執行的時候會覆蓋原有的備份檔和把 Windows 系統磁碟還原，所以在選項上加上了密碼，避免誤觸
要注意的是 append initrd 到後面算是一行
# vim /var/lib/tftpboot/pxelinux.cfg/Backup_Restore
LABEL Clonezilla Livei Samba AutoBackup
        MENU LABEL Clonezilla Live Samba ^AutoBackup
        MENU PASSWD CloneZilla
        kernel images/Clonezilla/live/vmlinuz
        append initrd=images/Clonezilla/live/initrd.img boot=live config username=user quiet noswap edd=on nomodeset noeject locales=”zh_TW.UTF-8″ keyboard-layouts=”NONE” ocs_live_run=”/usr/sbin/ocs-sr -q2 -j2 -z1p -p true saveparts Win7Backup sda1″ ocs_live_extra_param=”” ocs_live_batch=”yes” ocs_prerun=”mount -t cifs //192.168.1.6/public /home/partimag” vga=788 ip=frommedia nosplash fetch=tftp://192.168.1.6/images/Clonezilla/live/filesystem.squashfs

LABEL Clonezilla Livei Samba AutoRestore
        MENU LABEL Clonezilla Live Samba ^AutoRestore
        MENU PASSWD CloneZilla
        kernel images/Clonezilla/live/vmlinuz
        append initrd=images/Clonezilla/live/initrd.img boot=live config username=user quiet noswap edd=on nomodeset noeject locales=”zh_TW.UTF-8″ keyboard-layouts=”NONE” ocs_live_run=”/usr/sbin/ocs-sr –batch -g auto -e1 auto -e2 -r -j2 -p reboot restoreparts Win7Backup sda1″ ocs_live_extra_param=”” ocs_live_batch=”yes” ocs_prerun=”mount -t cifs //192.168.1.6/public /home/partimag” vga=788 ip=frommedia nosplash fetch=tftp://192.168.1.6/images/Clonezilla/live/filesystem.squashfs

主要是在 PXE Server 的功能表，使用 NFS 和 Clonezilla 做自動的備份及還原

修改 PXE Server 功能表，因為執行的時候會覆蓋原有的備份檔和把 Windows 系統磁碟還原，所以在選項上加上了密碼，避免誤觸
要注意的是 append initrd 到後面算是一行
# vim /var/lib/tftpboot/pxelinux.cfg/Backup_Restore
LABEL Clonezilla Livei nfs AutoBackup
        MENU LABEL Clonezilla Live nfs ^AutoBackup
        MENU PASSWD CloneZilla
        kernel images/Clonezilla/live/vmlinuz
        append initrd=images/Clonezilla/live/initrd.img boot=live config username=user quiet noswap edd=on nomodeset noeject locales=”zh_TW.UTF-8″ keyboard-layouts=”NONE” ocs_live_run=”/usr/sbin/ocs-sr -q2 -j2 -z1p -p true saveparts Win7Backup sda1″ ocs_live_extra_param=”” ocs_live_batch=”yes” ocs_prerun=”mount -t nfs4 192.168.1.6:/var/lib/tftpboot/Backup /home/partimag” vga=788 ip=frommedia nosplash netboot=nfs nfsroot=192.168.1.6:/var/lib/tftpboot/images/Clonezilla

LABEL Clonezilla Livei nfs AutoRestore
        MENU LABEL Clonezilla Live nfs ^AutoRestore
        MENU PASSWD CloneZilla
        kernel images/Clonezilla/live/vmlinuz
        append initrd=images/Clonezilla/live/initrd.img boot=live config username=user quiet noswap edd=on nomodeset noeject locales=”zh_TW.UTF-8″ keyboard-layouts=”NONE” ocs_live_run=”/usr/sbin/ocs-sr –batch -g auto -e1 auto -e2 -r -j2 -p reboot restoreparts Win7Backup sda1″ ocs_live_extra_param=”” ocs_live_batch=”yes” ocs_prerun=”mount -t nfs4 192.168.1.6:/var/lib/tftpboot/Backup /home/partimag” vga=788 ip=frommedia nosplash netboot=nfs nfsroot=192.168.1.6:/var/lib/tftpboot/images/Clonezilla

生在這個資訊化爆炸的時代，每天如果認真的話，有讀不完的資料，辜且不去評斷這些資料的優劣，值得值得花那個時間。如果有心，且想要這麼做的人，可能會覺得時間不夠用，因為這些資料可能散落在不同的網站，這時候可能要藉助 RSS 閱讀器的協助，會節省一部分的時間。
網頁型的 RSS 閱讀器，均可以用 Google 或 Facebook 帳號直接登入
Feedly
http://feedly.com
[@more@]Digg Reader
http://digg.com/reader

桌機版本
QuiteRSS
http://quiterss.org/

FeedDemon
http://www.feeddemon.com/

在 Firefox 上，目前是使用 NewsFox 和 Sage
NewsFox：https://addons.mozilla.org/zh-tw/firefox/addon/newsfox/

Sage：https://addons.mozilla.org/zh-tw/firefox/addon/sage/

Rootkit Hunter 是一套能偵測 Linux /BSD 作業系統是不是有中木馬、惡意程式、或是病毒的程式，也可以偵測系統是不是有一些不安全的設定，系統管理者可以安裝，用來檢測系統是否有問題，做為防護上的參考。
由於 Rootkit Hunter 不是官方套件庫中的套件，所以要利用 epel 套件庫來安裝
1. 安裝 Rootkit Hunter
# yum install rkhunter –enablerepo=epel

2. 更新 Rootkit Hunter
# rkhunter –update
[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter data files…
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]

3. 使用方式 -c 代表 –check –lang 後面是顯示的語系，預設是英文
# rkhunter -c –lang zh.utf8
[ Rootkit Hunter 版本 1.4.0 ]

檢查系統命令…

  執行 ‘字串’ 命令檢查
    檢查 ‘字串’ 命令                                   [ 正常 ]

  執行 ‘函式庫’ 的檢查
    檢查預先載入的變數                              [ 沒發現 ]
    檢查預先載入的檔案                              [ 沒發現 ]
    檢查 LD_LIBRARY_PATH 變數                            [ 沒發現 ]

  執行檔案屬性檢查
    檢查重要的基本程式                              [ !注意! ]
    /sbin/chkconfig                                          [ 正常 ]
    /sbin/depmod                                             [ 正常 ]
    /sbin/fsck                                               [ 正常 ]
    /sbin/fuser                                              [ 正常 ]
    /sbin/ifconfig                                           [ 正常 ]
    /sbin/ifdown                                             [ 正常 ]
    /sbin/ifup                                               [ 正常 ]
    /sbin/init                                               [ 正常 ]
    /sbin/insmod                                             [ 正常 ]
[@more@]4. 加入到工作排程 cron
# vim /usr/local/bin/rkhunter_check.sh
#!/bin/bash
(
/usr/bin/rkhunter –update
/usr/bin/rkhunter –cronjob –report-warnings-only
) | /bin/mail -s ‘Rootkit Hunter Daily Run (PutYourServerNameHere)’ your@email.com

給檔案執行權限
# chmod 700 /usr/local/bin/rkhunter_check.sh

加入工作排，每天早上 3 點執行
# crontab -e
加入下面一行
0 3 * * * /usr/local/bin/rkhunter_check.sh

5. 更多的執行參數
# /usr/bin/rkhunter -h