Monday, 10 September 2012

D-Link switches and .. "martian packets" ??

Device: D-Link DGS-1224T
Firmware: 4.21.01
IP addr: 10.2.2.8

I have a VLAN interface on my Linux router, built on eth2 with VID 6:

eth2 = 10.2.2.x
eth2.6 = 10.6.6.x (VLAN 6)

The same VLAN is configured on the D-Link switch, with its member ports untagged. The switch management interface sits on the 10.2.2.x network (10.2.2.8).

We use Shorewall as our iptables front end; its logmartians interface option turns on the kernel's log_martians sysctl, which is what produces lines like these in syslog:

Sep 10 10:03:56 lurch kernel: [2651431.667008] martian source 10.2.2.1 from 10.2.2.8, on dev eth2.6
Sep 10 10:03:56 lurch kernel: [2651431.667011] ll header: ff:ff:ff:ff:ff:ff:00:15:63:45:05:c5:08:04


Martians ??

What the kernel is saying: an IPv4 packet from 10.2.2.8 (the switch) to 10.2.2.1 arrived on eth2.6, and the reverse-path check (rp_filter) on that interface does not expect a 10.2.2.x source there, since that network lives on eth2. Mind the word order in the message: the first address is the destination, the second is the source. The "ll header" line is the Ethernet header, destination MAC first: the frame went to the broadcast address ff:ff:ff:ff:ff:ff from 00:15:63:45:05:c5, the MAC behind the switch's 10.2.2.8.

A possible explanation:
Packets with a 10.2.2.x source reach the D-Link management interface on 10.2.2.8 (management traffic, or just a Nagios ping). The switch's replies go out to the broadcast MAC, as the ll header shows, and a broadcast is flooded to every port, including the untagged VLAN 6 ones, so they land on the router's eth2.6 as well. (An ARP request by itself would not produce this message, which comes from the IPv4 routing code; what is logged is IP traffic from the switch leaking into VLAN 6.) The Linux kernel sees 10.2.2.x-sourced packets on eth2.6 and complains accordingly.

A possible workaround:
Restrict the D-Link management interface to a single VLAN, in my case the one carrying 10.2.2.x, on the "Configuration/802.1Q Management VLAN" tab. That is good practice regardless of the log noise: the switch's management plane should not be reachable from every VLAN it carries.
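As an added example (not from the original post), here is a POSIX shell helper for reading these messages in bulk: it turns a batch of kernel lines into a per-interface count by source and destination, so a leak like the one above stands out from a one-off, and it splits the "ll header" dump into its three fields. The log lines it runs on are constructed for the example around the two real ones above; the sysctl helper reads /proc and therefore only does something on the router itself. Function names are invented for this example.

```sh
#!/bin/sh
# Added example: summarise "martian source" kernel messages from syslog.
# In the message "martian source A from B, on dev D" the kernel prints the
# destination first (A) and the source second (B).

# martian_summary: syslog lines on stdin -> "COUNT dev=D src=B dst=A",
# most frequent first
martian_summary() {
    sed -n 's/.*martian source \([0-9.]*\) from \([0-9.]*\), on dev \([^ ]*\).*/\3 \2 \1/p' |
        sort | uniq -c | sort -rn |
        awk '{ printf "%s dev=%s src=%s dst=%s\n", $1, $2, $3, $4 }'
}

# ll_header_fields HEX: the 14-byte Ethernet header as the kernel logs it
# (destination MAC, source MAC, ethertype) -> "dst=.. src=.. type=..".
# Type 0800 is IPv4, 0806 ARP, 8100 a VLAN-tagged frame.
ll_header_fields() {
    printf 'dst=%s src=%s type=%s\n' \
        "$(printf '%s' "$1" | cut -d: -f1-6)" \
        "$(printf '%s' "$1" | cut -d: -f7-12)" \
        "$(printf '%s' "$1" | cut -d: -f13-14 | tr -d :)"
}

# martian_sysctls DEV: the two sysctls that control this message for DEV
# (rp_filter decides whether the source is checked, log_martians whether a
# failed check is logged). Needs /proc, i.e. run it on the router.
martian_sysctls() {
    for k in rp_filter log_martians; do
        printf 'net.ipv4.conf.%s.%s = %s\n' "$1" "$k" \
            "$(cat "/proc/sys/net/ipv4/conf/$1/$k")"
    done
}

# Constructed sample: the two lines from the post plus two more of the same shape.
MARTIAN_SAMPLE='Sep 10 10:03:56 lurch kernel: [2651431.667008] martian source 10.2.2.1 from 10.2.2.8, on dev eth2.6
Sep 10 10:03:56 lurch kernel: [2651431.667011] ll header: ff:ff:ff:ff:ff:ff:00:15:63:45:05:c5:08:04
Sep 10 10:08:56 lurch kernel: [2651731.100000] martian source 10.2.2.1 from 10.2.2.8, on dev eth2.6
Sep 10 10:09:01 lurch kernel: [2651736.200000] martian source 10.6.6.1 from 10.2.2.9, on dev eth2.6'

printf '%s\n' "$MARTIAN_SAMPLE" | martian_summary
ll_header_fields ff:ff:ff:ff:ff:ff:00:15:63:45:05:c5:08:04
```

On a live router, pipe grep martian /var/log/syslog into martian_summary; a single source repeating on one VLAN interface, as in this post, points at a device leaking across VLANs, while many sources on an external interface is the usual spoofing or misrouting noise.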

Thursday, 6 September 2012

Nagios: check_http with --extra-opts

We have to check an HTTPS page that requires a login (HTTP basic authentication).

We want to keep the login credentials in a file readable only by the nagios user, rather than on the plugin's command line, where any local user could read them from the process list:

root@lurch:~# touch /etc/nagios/private/custom.ini
root@lurch:~# chown root.nagios /etc/nagios/private/custom.ini
root@lurch:~# chmod 640 /etc/nagios/private/custom.ini


In this example I am going to create an [https] section holding the credentials for my login page. The file, passed to the plugin through the --extra-opts= argument, can contain any of the options listed by ./check_http -h, written as the long option name without the leading dashes. Check first that your plugins were built with extra-opts support: ./check_http -h lists --extra-opts=[section][@file] when they were. For instance:

./check_http -h
...
-a, --authorization=AUTH_PAIR
Username:password on sites with basic authentication
...

Then edit it as root (the file is 0640 root:nagios, so the nagios user can read it but not write it):

root@lurch:~# vim /etc/nagios/private/custom.ini


[https]
authorization = *user*:*password*


Let's write the 'commands' entry. I want to call this command 'check_https_auth'; the https@ prefix in --extra-opts selects the [https] section of the file:

root@lurch:~# vim /etc/nagios/objects/commands.cfg


# zmo: check_https_auth
define command{
command_name check_https_auth
command_line $USER1$/check_http -H $ARG1$ -I $HOSTADDRESS$ -s $ARG2$ --ssl -c $ARG3$ -u $ARG4$ --extra-opts=https@/etc/nagios/private/custom.ini
}

Wednesday, 29 August 2012

Nagios: check remote hosts via SSH with command validation


Nagios server: Fedora release 16 (Verne)
Nagios remote node: Debian GNU/Linux testing (wheezy)


Basic SSH configuration
Allow the Nagios server to reach the Nagios node by creating an SSH key without a passphrase (the daemon cannot type one; the forced command set up in the "SSH validation" section further down is what keeps such a key harmless):

zmo@nagiosSer:~$ cd .ssh/
zmo@nagiosSer:~/.ssh$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/zmo/.ssh/id_dsa): nagios
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in nagios.
Your public key has been saved in nagios.pub.
The key fingerprint is:
....

.. so that you have nagios and nagios.pub next to the other keys. A note on the key type: DSA keys are fixed at 1024 bits and OpenSSH 7.0 and later refuse ssh-dss keys by default, so on a current system use ssh-keygen -t ed25519 instead (the authorized_keys line further down then starts with ssh-ed25519 rather than ssh-dss).

zmo@nagiosSer:~/.ssh$ ls
id_rsa id_rsa.pub nagios nagios.pub

On the remote node create the nagios user and the files it needs:

root@nagiosNod:~# adduser nagios
Adding user `nagios' ...
Adding new group `nagios' (1006) ...
Adding new user `nagios' (1006) with group `nagios' ...
...
Enter new UNIX password: xxxxxxxx
Retype new UNIX password: xxxxxxxx
...
root@nagiosNod:~# su - nagios
nagios@nagiosNod:~$ mkdir -m 700 .ssh
nagios@nagiosNod:~$ touch .ssh/authorized_keys
nagios@nagiosNod:~$ chmod 600 .ssh/authorized_keys


Append your public key from the Nagios server to the remote nagios user's authorized_keys file. This is the only step that needs the nagios password; once the key works you can lock it with passwd -l nagios on the node, so that the account stays key-only:


zmo@nagiosSer:~/.ssh$ cat nagios.pub | ssh nagios@nagiosNod.remote.com 'cat >> /home/nagios/.ssh/authorized_keys'
nagios@nagiosNod.remote.com's password: xxxxxxxx


Try it:

zmo@nagiosSer:~$ ssh -i .ssh/nagios nagios@nagiosNod
Last login: Tue Aug 28 20:44:54 2012 from nagiosSer
nagios@nagiosNod:~$



On the nagios server
Install the check_by_ssh plugin:


root@nagiosSer:~# yum install nagios-plugins-by_ssh.i686


On the nagios remote node
Install the nagios plugins

root@nagiosNod:~# apt-get install nagios-plugins-basic


NOTE: you can find where the plugins have been installed with

root@nagiosNod:~# dpkg -L nagios-plugins-basic
...
/usr/lib/nagios/plugins/check_apt
/usr/lib/nagios/plugins/check_tcp
/usr/lib/nagios/plugins/check_dummy
/usr/lib/nagios/plugins/check_ntp
/usr/lib/nagios/plugins/check_nwstat
/usr/lib/nagios/plugins/check_load
/usr/lib/nagios/plugins/check_procs
...


On the nagios server
Let's write an SSH config file for check_by_ssh:

root@nagiosSer:~# cd /etc/nagios
root@nagiosSer:/etc/nagios# vim check_by_ssh_config


Host nagiosNod 84.68.x.x
User nagios
Hostname nagiosNod.remote.com
IdentityFile /home/nagios/.ssh/nagios

This file is passed to check_by_ssh as its ssh configuration (the -F option below). You can obviously add other hosts. Two details matter. The checks run as the nagios user, so the private key must be readable by that user: the key generated above lives in zmo's home with mode 0600, so copy it (with its .pub) to /home/nagios/.ssh/nagios, owned by nagios and mode 0600, which is the path used by the test at the end of this post. And the node's host key must already be in the nagios user's known_hosts, since a non-interactive ssh cannot accept it; keep ssh's default strict host key checking rather than switching it off (with it off, anyone who can answer for the node's address could feed results to your checks), and run the test at the end of this post once as the nagios user to record the key.

Configure commands.cfg

root@nagiosSer:/etc/nagios# vim objects/commands.cfg


# Check Remote Disk
define command {
command_name check_remote_disk
command_line $USER1$/check_by_ssh -H $HOSTADDRESS$ -F /etc/nagios/check_by_ssh_config -C "/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$"
}

A little explanation:
* $USER1$ - a user macro from resource.cfg, by convention the plugin directory (/usr/lib/nagios/plugins or /usr/lib64/nagios/plugins); it is not the user Nagios runs as
* $HOSTADDRESS$ - the numeric IP address defined in the host configuration file (/etc/nagios/objects/nagiosNod.cfg), "address" field; it must match one of the names on the Host line of the ssh config above, which is why the IP is listed there
* -F /etc/nagios/check_by_ssh_config - the SSH configuration file written above
* -C "/usr/lib/nagios/plugins/..." - the command executed on the remote node, quoted so that its arguments stay together

It is better (not mandatory) to derive these services from their own template. Open /etc/nagios/objects/templates.cfg (or services.cfg) and append:

# Remote service
define service{
name remote-service
use generic-service
max_check_attempts 4
normal_check_interval 5
retry_check_interval 1
register 0
}


Now, in /etc/nagios/objects/nagiosNod.cfg, append:

define service {
use remote-service
host_name nagiosNod
service_description Home Partition
check_command check_remote_disk!20%!10%!/home
}


SSH validation
This step restricts the key so that the Nagios server can run only the check_* plugins on the node: no other commands, no interactive login, nothing else.

Create the validation script. Keep it owned by root and not writable by nagios: if the nagios user could edit it, anything running as that user (a compromised plugin, say) could rewrite the very script that restricts it. It also has to be executable, or sshd will fail to run it:

root@nagiosNod:~# touch /usr/local/bin/validate-nagios-check
root@nagiosNod:~# chown root:root /usr/local/bin/validate-nagios-check
root@nagiosNod:~# chmod 755 /usr/local/bin/validate-nagios-check
root@nagiosNod:~# vim /usr/local/bin/validate-nagios-check
#!/bin/sh
# Forced command for the Nagios key: only /usr/lib/nagios/plugins/check_*
# may run. sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.
case "$SSH_ORIGINAL_COMMAND" in
*\&*)
    echo "Rejected"
    exit 3
    ;;
*\;*)
    echo "Rejected"
    exit 3
    ;;
/usr/lib/nagios/plugins/check_*)
    # exec replaces this shell with the plugin: the string is split into
    # words and run directly, it is never handed to a shell for parsing
    exec $SSH_ORIGINAL_COMMAND
    ;;
*)
    # also reached when no command was given at all (interactive login)
    echo "Rejected"
    exit 3
    ;;
esac

A little explanation: $SSH_ORIGINAL_COMMAND holds the command string the server asked for, our /usr/lib/nagios/plugins/check_... line. The script never hands that string to a shell: exec splits it into words and runs the plugin directly, replacing the script itself, so characters such as ; or & would reach the plugin as plain arguments rather than start a second command (the explicit checks for them are belt and braces). Rejections exit with status 3 so that Nagios reports UNKNOWN instead of OK.

Back to authorized_keys. Prepend to the key line (the one starting with ssh-dss or ssh-rsa) the options that make sshd run our validate-nagios-check script instead of whatever was requested, and that accept the key only from the Nagios server's address. The no-* options disable port forwarding, X11 and agent forwarding and pty allocation, none of which a check needs. Options and key go on one line:

nagios@nagiosNod:~$ vim .ssh/authorized_keys
from="73.224.x.x",command="/usr/local/bin/validate-nagios-check",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAKK3jM9O+cmjPufrn9Ie7q+iJJu+1B0bHH6lhfYC8KandEIWP0gMGz4v...
...

You can test the validation script from the Nagios server to the node. Run it as the nagios user, the user the checks will run as:

nagios@nagiosSer:~$ ssh -i /home/nagios/.ssh/nagios nagios@nagiosNod.remote.com
Rejected
Connection to nagiosNod.remote.com closed.
nagios@nagiosSer:~$ ssh -i /home/nagios/.ssh/nagios nagios@nagiosNod.remote.com /bin/ls
Rejected
nagios@nagiosSer:~$ ssh -i /home/nagios/.ssh/nagios nagios@nagiosNod.remote.com /usr/lib/nagios/plugins/check_http -h
check_http v1.4.16 (nagios-plugins 1.4.16)
Copyright (c) 1999 Ethan Galstad
Copyright (c) 1999-2011 Nagios Plugin Development Team
...
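The case statement above holds because nothing ever evaluates the command string as shell, but it admits anything that merely starts with the plugin path, and an empty (login) request is refused only because no pattern happens to match it. The following is an added example, not part of the original post: a stricter forced-command script that allow-lists the characters a command may contain, pins the program to a file directly inside the plugin directory (so a path such as check_disk/../../bin/sh is refused), fails closed with a Nagios UNKNOWN exit status and logs rejections. The plugin directory and script name are taken from this post; the function names and the test commands at the bottom are invented for the example.

```sh
#!/bin/sh
# validate-nagios-check: forced command for the Nagios SSH key.
# Added example; the plugin directory below is assumed from the post.
set -f                      # no globbing when $SSH_ORIGINAL_COMMAND is split
PLUGIN_DIR=/usr/lib/nagios/plugins

# nagios_cmd_allowed CMD -> 0 if CMD may run, 1 otherwise. No side effects.
nagios_cmd_allowed() {
    cmd=$1
    # An interactive login arrives with an empty command: refuse it.
    [ -n "$cmd" ] || return 1
    # Character allow-list: letters, digits, space and the punctuation plugin
    # options need. No quotes, $, backticks, ;, |, <, >, newlines or tabs.
    leftover=$(printf '%s' "$cmd" | tr -d 'A-Za-z0-9 _./:%,=+@?&-')
    [ -z "$leftover" ] || return 1
    # The program is the first word; it must be called check_<something> and
    # live directly in PLUGIN_DIR (no relative names, no sub-paths, no "..").
    set -- $cmd
    prog=$1
    base=${prog##*/}
    case "$base" in
        check_?*) ;;
        *) return 1 ;;
    esac
    [ "$prog" = "$PLUGIN_DIR/$base" ] || return 1
    return 0
}

# reject MSG: log it, print a plugin-style line, exit 3 (Nagios UNKNOWN).
reject() {
    logger -p auth.warning -t validate-nagios-check "$1" 2>/dev/null || true
    echo "UNKNOWN: $1"
    exit 3
}

main() {
    cmd=${SSH_ORIGINAL_COMMAND:-}
    nagios_cmd_allowed "$cmd" || reject "rejected command: '$cmd'"
    set -- $cmd
    [ -x "$1" ] || reject "plugin not found: $1"
    exec "$@"               # replace the shell; argv is fixed, never re-parsed
}

# Act as the forced command only when installed under that name, so the
# functions above can be sourced and exercised without executing anything.
case "${0##*/}" in
    validate-nagios-check) main ;;
esac
```

Install it as /usr/local/bin/validate-nagios-check, root-owned and mode 755, with the same command="..." option in authorized_keys as above. Exit status 3 is what makes a rejection visible in Nagios as UNKNOWN; a script that prints "Rejected" and exits 0 turns a blocked command into a green check.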

Wednesday, 22 August 2012

Dnsmasq and the network "pushing" on CentOS

This short post shows how to push routes to your clients using the dnsmasq DHCP server.

A possible scenario: your DHCP server (192.168.0.1) hands out 192.168.0.x addresses, but the clients also need to reach the 172.16.x.x and 10.0.x.x networks, for instance some VPN resources on your LAN, and those networks are not ones your DHCP server serves. The quick solution is to have the DHCP server "push" routes to them, which is possible thanks to DHCP option 121 (classless static routes, RFC 3442).

Let's assume our network id is "vicinet" (you can of course omit it):


dhcp-option = vicinet, 121, 10.0.0.0/16, 192.168.0.1, 172.16.0.0/16, 192.168.0.1



The format is always:


dhcp-option = 'id_net', 121, NETWORK/PREFIX, GATEWAY[, NETWORK/PREFIX, GATEWAY ...]

Two caveats. RFC 3442 requires a client that understands option 121 to ignore the ordinary router option (3), so add the default route to the list as well (0.0.0.0/0 followed by the gateway), or clients honouring the option may end up without a default gateway. Older Windows clients asked for the Microsoft-specific option 249 instead, which carries the same payload. Recent dnsmasq versions write the network id as tag:id_net.
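What a client actually receives is a compact binary encoding of that list, and being able to reproduce it is the quickest way to check a capture (tcpdump -vvv of the DHCP offer decodes option 121 as Classless-Static-Route). The following is an added example, not from the original post or from dnsmasq: a POSIX shell encoder for the RFC 3442 payload, run on the route list from this post plus an assumed default route. The function names are invented for this example.

```sh
#!/bin/sh
# Added example: encode a classless static route list into the RFC 3442
# payload that DHCP option 121 carries, as a hex string. Not dnsmasq code.

# ip_hex A.B.C.D N -> hex of the first N octets of the address (N may be 0)
ip_hex() {
    want=$2
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    i=0
    for octet in "$@"; do
        i=$((i + 1))
        if [ "$i" -le "$want" ]; then printf '%02x' "$octet"; fi
    done
}

# rfc3442_encode "NET/PLEN GW [NET/PLEN GW ...]" -> option 121 payload as hex.
# Per route: one byte of prefix length, then only the significant destination
# octets (ceil(PLEN/8) of them), then the four gateway octets. A /0
# destination, i.e. the default route, contributes no destination octets.
rfc3442_encode() {
    out=""
    set -- $1
    while [ $# -ge 2 ]; do
        net=${1%/*}; plen=${1#*/}; gw=$2
        case "$plen" in ''|*[!0-9]*) echo "bad prefix length in $1" >&2; return 1 ;; esac
        if [ "$plen" -gt 32 ]; then echo "bad prefix length in $1" >&2; return 1; fi
        shift 2
        n=$(( (plen + 7) / 8 ))
        out="$out$(printf '%02x' "$plen")$(ip_hex "$net" "$n")$(ip_hex "$gw" 4)"
    done
    printf '%s\n' "$out"
}

# rfc3442_len HEX -> payload length in bytes (one DHCP option holds at most 255)
rfc3442_len() {
    printf '%s' "$1" | wc -c | awk '{ print $1 / 2 }'
}

# The two routes from the dnsmasq line in the post, plus an explicit default
# route: a client that honours option 121 ignores the plain router option (3).
ROUTES="10.0.0.0/16 192.168.0.1 172.16.0.0/16 192.168.0.1 0.0.0.0/0 192.168.0.1"

payload=$(rfc3442_encode "$ROUTES")
printf 'option 121 payload: %s (%s bytes)\n' "$payload" "$(rfc3442_len "$payload")"
```

For the two routes of this post the bytes are 10 0a 00 c0 a8 00 01 10 ac 10 c0 a8 00 01: prefix 16, two octets of destination, four of gateway, twice. If the capture shows something else, the server is not sending what you configured.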

Tuesday, 21 August 2012

Shorewall and PPTP VPN on Ubuntu

A caveat before the recipe: PPTP with MS-CHAPv2 and MPPE has been practically broken since 2012 (the MS-CHAPv2 handshake reduces to a single 56-bit DES key, recoverable from a captured exchange), so treat this tunnel as a way to reach the remote network, not as confidentiality for what crosses it, and prefer IPsec or OpenVPN where the far end offers them.


~# apt-get install shorewall pptp-linux


PPP
Let's create a ppp peer file:


~# vim /etc/ppp/peers/zmo


I have successfully used these options:


# Zmo PPTP VPN configuration
remotename zmo
linkname zmo
ipparam zmo
# remote VPN endpoint
pty "pptp 149.79.X.X --nolaunchpppd"
name username
# MS-CHAPv2 with 128-bit MPPE only: refuse every weaker authentication
require-mppe-128
refuse-pap
refuse-chap
refuse-mschap
refuse-eap
noauth
lock
nobsdcomp
nodeflate
persist
mtu 1400
mru 1400



Fill in the chap-secrets file (/etc/ppp/chap-secrets). It holds the VPN password in clear, so keep it root-owned with mode 0600:


# Secrets for authentication using CHAP
# client server secret IP addresses
username zmo 2023n5t-w0re *



Network interface
Fill in /etc/network/interfaces. You can use the "unit x" parameter: this handy option lets you choose the number of your ppp device (ppp0, ppp1, ppp5 ...).


# Zmo Pptp VPN
auto ppp5
iface ppp5 inet ppp
provider zmo
unit 5



Bring the link up with


~# ifup ppp5



I recommend using this file (/etc/network/interfaces) also when you want to add routes to your VPN device: use the post-up option here. (The alternative is a script in /etc/ppp/ip-up.d/, which pppd runs once IPCP is up with the interface name as its first argument.)


# Zmo Pptp VPN
auto ppp5
iface ppp5 inet ppp
provider zmo
unit 5
post-up /sbin/route add 149.88.X.X gw 149.19.X.X
post-up /sbin/route add -net 150.84.X.X netmask 255.255.255.0 gw 150.84.X.X



Shorewall
Define a zone for the VPN in Shorewall; I will call it "zmo". Declare it in /etc/shorewall/zones first (type ipv4), then bind it to the ppp5 interface:


~# vim /etc/shorewall/interfaces


It should look like:


# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
wan eth0 detect tcpflags,nosmurfs,routefilter,logmartians,dhcp
dmz eth1 detect tcpflags,nosmurfs,routefilter,logmartians,dhcp
lan eth2 detect tcpflags,nosmurfs,routefilter,logmartians,dhcp
# VPN pptp
zmo ppp5 detect tcpflags,nosmurfs,routefilter,logmartians



Allow the VPN to be reached only from the LAN. Policies match top to bottom, and "all" includes the firewall itself, so with this pair $FW cannot reach the VPN zone either:


~# vim /etc/shorewall/policy



...
# Zmo Pptp VPN
lan zmo ACCEPT
all zmo REJECT
...


Masquerade the VPN traffic from that interface:


~# vim /etc/shorewall/masq



# For information about entries in this file, type "man shorewall-masq"
##############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
ppp5 - -


NOTE: no IP address is needed here: Shorewall masquerades with the interface's own address, so a "-" in the SOURCE and ADDRESS fields is enough. An explicit address is only needed if you want to masquerade behind a different one. (Shorewall 5 replaces the masq file with /etc/shorewall/snat, which has a different column layout.)

Finally, fill in the Shorewall "tunnels" file. You can copy the template from the documentation:


~# cp /usr/share/doc/shorewall/default-config/tunnels /etc/shorewall



It should look like:


###############################################################################
#TYPE ZONE GATEWAY GATEWAY
# ZONE
pptpclient wan 149.79.X.X

In the tunnels file ZONE is the zone of the remote tunnel endpoint, i.e. the zone the PPTP server is reached through (wan here), and GATEWAY is the server's address: the entry opens TCP 1723 and GRE between the firewall and that server. The zone bound to ppp5 (zmo) is not what goes in this column.

Monday, 25 June 2012

Convert HG to Git repository

On Ubuntu:


~# ls
repository.hg
~# apt-get install hg-fast-export
~# git init new_repository.git



~# ls
repository.hg new_repository.git
~# cd new_repository.git
~/new_repository.git# hg-fast-export -r ../repository.hg



You will receive a summary at the end, like:


git-fast-import statistics:
---------------------------------------------------------------------
Alloc'd objects: 5000
Total objects: 478 ( 14 duplicates )
blobs : 133 ( 14 duplicates 54 deltas of 133 attempts)
trees : 216 ( 0 duplicates 194 deltas of 196 attempts)
commits: 129 ( 0 duplicates 0 deltas of 0 attempts)
tags : 0 ( 0 duplicates 0 deltas of 0 attempts)
Total branches: 4 ( 1 loads )
marks: 1024 ( 129 unique )
atoms: 16
Memory total: 2344 KiB
pools: 2110 KiB
objects: 234 KiB
---------------------------------------------------------------------
pack_report: getpagesize() = 4096
pack_report: core.packedGitWindowSize = 1073741824
pack_report: core.packedGitLimit = 8589934592
pack_report: pack_used_ctr = 901
pack_report: pack_mmap_calls = 215
pack_report: pack_open_windows = 1 / 1
pack_report: pack_mapped = 331971 / 331971
---------------------------------------------------------------------


In the end do:


~/new_repository.git# git checkout HEAD



Test your repo with git log. As a sanity check, the "commits: 129" figure in the summary should equal the number of changesets in the Mercurial repository, and git rev-list --all --count must report the same number; a mismatch means a branch or changeset was not imported. (git init created an ordinary repository with a working tree despite the .git name; use git init --bare if a bare one was intended.)

Thursday, 14 June 2012

Migrate PhpBB3 on Ubuntu server

PhpBB version: 3.0.9
Backend: Mysql
Mode: Fcgi



Dump the database

ubuntu~# mysqldump -u root -p phpbb3 > /tmp/phpbb3.sql

Mind that the dump holds every user's password hash and e-mail address: /tmp is world-readable, so run this with umask 077 or write to a root-only directory, and delete the file on both machines once the restore is verified.


On the new machine

new~# apt-get update && apt-get install phpbb3


During the installation, choose to configure mysql/phpbb3 via debconf and answer about passwords in this order
* Mysql root password
* Phpbb3 database password
* Phpbb3 admin interface password

Afterwards, set up the web server. There is a configuration example in /etc/phpbb3/apache2.conf; you can copy it directly into /etc/apache2/sites-available and run:

new:/etc/phpbb3# cp apache2.conf /etc/apache2/sites-available/phpbb3
new:/etc/phpbb3# cd /etc/apache2/sites-available/
new:/etc/apache2/sites-available# a2ensite phpbb3 && service apache2 reload


Try to log in and browse the admin interface (ACP). If you had a custom theme on the previous server, do the following:

ubuntu~# scp -r /srv/phpbb3/theme/ (or wherever it is) new:/usr/share/phpbb3/styles


Important: make a symlink in the /etc/phpbb3/styles directory so that phpBB sees the custom theme

new~# cd /etc/phpbb3/styles
new:/etc/phpbb3/styles# ln -s /usr/share/phpbb3/styles/theme theme


Once the link is in place, select the new theme in the ACP (Administration Control Panel).

If everything seems fine, copy the dump over (scp) and restore the database:

new~# mysql -u root -p phpbb3 < phpbb3.sql


Configure FCGI (the FcgidWrapper directive used below needs mod_fcgid, which the stock phpbb3 install does not pull in)

new~# apt-get install php5-cgi libapache2-mod-fcgid
new~# cd /etc/apache2/
new:/etc/apache2/# a2dismod php5
new:/etc/apache2/# a2enmod fcgid
new:/etc/apache2/# service apache2 restart


Set up the FastCGI environment

new~# cd /srv (or wherever you want it)
new:/srv# mkdir php-fcgi
new:/srv# cd php-fcgi
new:/srv/php-fcgi# ls
phpbb.fcgi
phpbbrc -> /etc/php5/cgi/


phpbb.fcgi (make it executable, chmod 755)

#!/bin/sh
# Wrapper mod_fcgid runs for the .php requests of this vhost
PHP_FCGI_MAX_REQUESTS=10000
PHP_FCGI_CHILDREN=0
# directory holding php.ini for the CGI SAPI, through the phpbbrc symlink
export PHPRC=/srv/php-fcgi/phpbbrc
export PHP_FCGI_MAX_REQUESTS PHP_FCGI_CHILDREN
# Replace with the path to your FastCGI-enabled PHP executable
exec /usr/bin/php-cgi


NOTE: phpbbrc is a symlink to the /etc/php5/cgi/ directory, so PHPRC points php-cgi at the php.ini shipped for the CGI SAPI (PHPRC names the directory that contains php.ini).

The VirtualHost section should be something like this (Directory takes a path; Apache refuses an empty one):

<VirtualHost *:80>
    ServerName forum.example.org
    DocumentRoot /usr/share/phpbb3/www
    ErrorLog /var/log/apache2/forum_error.log
    CustomLog /var/log/apache2/forum_access.log combined
    Alias / /usr/share/phpbb3/www/

   <Directory /usr/share/phpbb3/www>
      Order allow,deny
      Allow from all
      Options +ExecCGI
      AddHandler fcgid-script .php
      FcgidWrapper /srv/php-fcgi/phpbb.fcgi .php
   </Directory>
</VirtualHost>



Load a forum page and check that php-cgi is running:

new~# ps ax | grep cg[i]
2248 ? S 0:00 /usr/bin/php-cgi