
Apache High Performance Server

 

This is my starting-point setup for a high-performance web server that is supposed to handle heavy load. It shows a single-server setup and configuration, with no load balancing. Load balancing will be covered in future posts.

This document assumes you have working knowledge of installing and configuring Apache and MySQL. The packages used in my setup are listed below. Configuring VirtualHost and MySQL is up to the reader. This tutorial assumes the site has already been optimized by the developers.

Server Info

OS = Ubuntu 14.04.5 LTS Server (AWS)

Ram = 4 GB

Processor = 2 x 2.4ghz

HardDisk = 30GB (ssd)

Software Used

  • Apache Server version: Apache/2.4.7 (Ubuntu)
  • mysql  Ver 14.14 Distrib 5.5.53
  • ModPageSpeed by Google
  • Memcached (ModPageSpeed and mysql)
  • OSSEC (IDS system)
  • Scripts(backup and keepalive)

 

Install Apache

sudo apt-get update
sudo apt-get install apache2

 

Install MySql

 sudo apt-get install mysql-server php5-mysql
 sudo mysql_install_db
 sudo mysql_secure_installation

Install PHP

sudo apt-get install php5 libapache2-mod-php5 php5-mcrypt

 

Download and install ModPageSpeed by Google

Install memcached

sudo apt-get install memcached

sudo vim /etc/memcached.conf
-m 2048
(change the value from 64 MB to 2 GB)

Start Services

 sudo service mysql restart
 sudo service memcached restart
 sudo service apache2 restart

Check the open ports to find which port Memcached is listening on; the default is 127.0.0.1:11211.

Configure ModPageSpeed

sudo  vim  /etc/apache2/mods-available/pagespeed.conf

Change the settings according to your needs (see the extensive documentation):

 ModPagespeed on

 ModPagespeedMemcachedServers localhost:11211
 ModPagespeedCreateSharedMemoryMetadataCache "/var/cache/mod_pagespeed/" 51200
 ModPagespeedFileCacheInodeLimit        500000
 ModPagespeedJsPreserveURLs on
 ModPagespeedImagePreserveURLs on
 ModPagespeedCssPreserveURLs on
 ModPagespeedJpegRecompressionQuality -1
 ModPagespeedJpegRecompressionQualityForSmallScreens 70
 ModPagespeedAvoidRenamingIntrospectiveJavascript on
 ModPagespeedEnableFilters canonicalize_javascript_libraries
 ModPagespeedMessageBufferSize 100000
 ModPagespeedEnableFilters prioritize_critical_css
 ModPagespeedEnableFilters sprite_images
 ModPagespeedEnableFilters rewrite_images
 ModPagespeedEnableFilters recompress_png
 ModPagespeedEnableFilters convert_png_to_jpeg,convert_jpeg_to_webp
 ModPagespeedEnableFilters collapse_whitespace,remove_comments
 ModPagespeedEnableFilters extend_cache
 ModPagespeedEnableFilters convert_gif_to_png
 ModPagespeedEnableFilters convert_jpeg_to_progressive
 ModPagespeedEnableFilters convert_jpeg_to_webp
 ModPagespeedEnableFilters responsive_images,resize_images
 ModPagespeedEnableFilters responsive_images_zoom
 ModPagespeedEnableFilters inline_images
 ModPagespeedEnableFilters recompress_images

sudo service apache2 restart

Removing Unused Modules from apache2

This is what the active modules in my setup look like. You can remove modules using apt or, better, if you have the time, compile Apache from source and enable only the required modules.

apache2ctl -M

Loaded Modules:
core_module (static)
log_config_module (static)
logio_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
auth_basic_module (shared)
authn_file_module (shared)
authz_host_module (shared)
authz_user_module (shared)
deflate_module (shared)
dir_module (shared)
expires_module (shared)
geoip_module (shared)
headers_module (shared)
jk_module (shared)
mime_module (shared)
version_module (shared)
pagespeed_module (shared)
php5_module (shared)
rewrite_module (shared)
setenvif_module (shared)
ssl_module (shared)
status_module (shared)

Securing The Webserver Tips

  • Developers have a really bad habit of setting 777 on the web root directory and its files.
chown www-data:www-data  -R * # Let Apache be owner
find . -type d -exec chmod 755 {} \;  # Change directory permissions rwxr-xr-x
find . -type f -exec chmod 644 {} \;  # Change file permissions rw-r--r--
  • Install and configure Fail2Ban, which gives greater protection with iptables support.
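
A check for the permission problem described in the first tip, as an added example that is not part of the original post: it lists what a blanket 777 leaves behind, applies the 755/644 baseline, and audits again. The sample tree and its file names are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. The web root path is whatever
# you pass in; the sample tree below is constructed for the demonstration.

# Print one finding per line as "<CLASS> <path>"; return 1 if any were found.
audit_webroot() {
    local root=$1 findings
    findings=$(
        {
            # Writable by "other": what a blanket chmod 777 leaves behind.
            find "$root" \( -type f -o -type d \) -perm -0002 | sed 's/^/WORLD_WRITABLE /'
            # Regular files with any execute bit; the 644 baseline leaves none.
            find "$root" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) | sed 's/^/EXEC_FILE /'
            # setuid/setgid files have no business in a web root.
            find "$root" -type f \( -perm -4000 -o -perm -2000 \) | sed 's/^/SETID_FILE /'
        } | LC_ALL=C sort
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Apply the baseline from the post: directories 755, files 644.
apply_baseline() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a small constructed tree with the usual mistakes and print its path.
make_sample_tree() {
    local t
    t=$(mktemp -d) || return 1
    mkdir "$t/uploads"
    : > "$t/index.php"; : > "$t/uploads/a.php"; : > "$t/deploy.sh"
    chmod 644 "$t/index.php"
    chmod 777 "$t/uploads"          # developer "fix" for upload errors
    chmod 666 "$t/uploads/a.php"
    chmod 755 "$t/deploy.sh"        # executable script left in the web root
    printf '%s\n' "$t"
}

# Audit the directory given as $1, or the constructed sample when run bare.
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
else
    sample=$(make_sample_tree)
    echo "before baseline:"; audit_webroot "$sample" || true
    apply_baseline "$sample"
    echo "after baseline:";  audit_webroot "$sample" && echo "clean"
    rm -rf "$sample"
fi
```

Run from cron against the real web root, a non-zero exit status means a deploy or a developer has loosened permissions again.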

OSSEC standalone install

OSSEC gives us better control over the server. It can protect your server using its default rules, or you can create your own rules.

apt-get install build-essential inotify-tools

Download the latest OSSEC release (verify its checksum if needed).

tar -zxf ossec-hids-2.8.xx.tar.gz

cd into extracted directory

./install.sh
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:
OSSEC HIDS v2.8 Installation Script - http://www.ossec.net

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).

  - System: Ubuntu  14.04.5
  - User: root
  - Host: example.com

  -- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local, hybrid or help)? local
  - Local installation chosen.

2- Setting up the installation environment.

  - Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]:
- What's your e-mail address? sammy@example.com
- We found your SMTP server as: mail.example.com.
  - Do you want to use it? (y/n) [y]:

--- Using SMTP server:  mail.example.com.
  3.2- Do you want to run the integrity check daemon? (y/n) [y]:

- Running syscheck (integrity check daemon).
  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:

- Running rootcheck (rootkit detection).
  3.4- Active response allows you to execute a specific command based on the events received.  

   Do you want to enable active response? (y/n) [y]:

   Active response enabled.
  Do you want to enable the firewall-drop response? (y/n) [y]:

- firewall-drop enabled (local) for levels >= 6

   - Default white list for the active response:
      - 8.8.8.8
      - 8.8.4.4

   - Do you want to add more IPs to the white list? (y/n)? [n]:
3.6- Setting the configuration to analyze the following logs:
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/dpkg.log

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .


   --- Press ENTER to continue ---
- System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
                /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
                /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

    ---  Press ENTER to finish (maybe more information below). ---

Check OSSEC Status

sudo /var/ossec/bin/ossec-control start

sudo /var/ossec/bin/ossec-control status
Starting OSSEC HIDS v2.8 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
sudo cp /var/ossec/etc/ossec.conf /var/ossec/etc/ossec.conf_bkp
sudo vim /var/ossec/etc/ossec.conf

Change according to your setup

<global>
    <email_notification>yes</email_notification>
    <email_to>sammy@example.com</email_to>
    <smtp_server>mail.example.com.</smtp_server>
    <email_from>ossecm@ossec_server</email_from>
</global>

Directory and file change

<!-- Directories to check  (perform all possible verifications) -->
<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>

<directories report_changes="yes" realtime="yes" restrict=".php|.js|.py|.sh|.html" check_all="yes">/home/asura,/var/www</directories>
sudo cp /var/ossec/rules/local_rules.xml /var/ossec/rules/local_rules.xml.bak
sudo vim /var/ossec/rules/local_rules.xml

Add this to the End of File

<rule id="554" level="7" overwrite="yes">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>
/var/ossec/bin/ossec-control restart

OSSEC is extensive, and there are a lot of well-written documents online. To get a better understanding, please search for them yourself. You should know what you are doing here.

 

KeepAlive Scripts

Use this template from nixCraft

The script is simple: it tries to connect to MySQL on localhost with the given username/password. If it cannot connect, it checks for the PID file, and if the server is down it will reload MySQL. Use this with crontab to get the desired effect (give only the least permissions needed for this process).

Backup Scripts

There are a lot of backup scripts readily available online. I personally prefer bash scripts (a backup doesn't need a complex process, so keep it simple).

Syncing the backup to a backup machine: some use a locally mounted backup (NFS), others use rsync to get a synchronized backup. I use a combination of both, depending on the nature and location of the backup. There are a lot of criteria to consider: available bandwidth, local or remote network, and the security of the backup transfer. Use your administrative know-how to arrive at the script you need.

Recommended Scripts

MySQL :- AutoBackupMysql (this is also available in the repo)

Apache :- Use gzip combined with rsync in a bash script (back up the webroot and also the configuration). DuckDuckGo is your friend.

Full server backup :- This is AWS, so we have the snapshot option available. Xen and KVM have snapshot options too. For a physical server, dd your partition and compress it (not recommended: it needs a huge number of CPU cycles and a lot of storage, and you could DoS your own network if it is transferred over the wire).

 

Recommendation

  • Increase the max connections for the Apache worker. Use trial and error to get the desired result for your server and its resources.
  • Use as few redirects on the web server as possible (http to https).
  • Optimize and compress images on the webroot (ImageMagick, jpegoptim, OptiPNG); every KB matters.
  • Configure logging for Apache so we can understand what's happening (logs are the secret to understanding what's wrong).
  • For OSSEC email notification, it's better to add auth to your email server rather than allowing the IP to relay (don't open up unwanted security concerns).
  • Use iptables to block all ports which are not needed (the AWS firewall is basic). Don't save the rules at first; let them run for a few days to see if there is any problem. If you get locked out, you can reboot to clear the iptables rules (use iptables-persistent to save the rules in Ubuntu). Whitelist your static IP if you have one.
  • Use MySQL optimization scripts to get better performance for MySQL: Script1, Script2
  • Keep an eye on fail2ban and OSSEC notification emails. These will start to fill up as your server gets known and scanned by script kiddies who try to use their tools to get access to the server. Give extra care to alert level 2 in the OSSEC emails.
  • FTP access given to devs: chroot-jail the access.
  • CDN

Nagios Apache2

Nagios Monitoring the Apache Web Server

 


Nagios has an extensive list of plugins to monitor different services, and it can even restart a troubled service. Here we will be monitoring the Apache2 web server. This is basic monitoring of a web server and should work with most web servers out there.

Server Info

OS = Ubuntu 12.04.5 LTS Server

Ram = 14 GB

Processor = 4 x 3ghz

Nagios Client Configuration (Ubuntu)

Installing NRPE-server as root

apt-get install nagios-nrpe-server nagios-plugins nagios-plugins-contrib

Securing NRPE Server

vim /etc/nagios/nrpe.cfg

Change allowed_hosts to the Nagios server IP address

iptables -N NRPE
iptables -I INPUT -s 0/0 -p tcp --dport 5666 -j NRPE
iptables -I NRPE -s nagios-serverip -j ACCEPT
iptables -A NRPE -s 0/0 -j DROP
 apt-get install iptables-persistent

Save the iptables rules (when iptables-persistent is installed, it offers to save the current iptables rules)

Monitoring WebServer

Adding Command

vim /etc/nagios/nrpe.cfg

allowed_hosts= (nagios server ip)

Comment out (#) all the other commands defined and add these (change the w (warn) and c (critical) values according to your environment)

command[check_dns]=/usr/lib/nagios/plugins/check_dns -H google.com
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_all_disks]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10%
command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 500 -c 600
command[check_swap]=/usr/lib/nagios/plugins/check_swap -w 50% -c 25%
command[check_memory]=/usr/lib/nagios/plugins/check_memory
 /etc/init.d/nagios-nrpe-server restart

Server Side Template Creation (log in to the Nagios server)

 

define host {
use generic-host
host_name WebServer-S1
alias Primary Webserver
address 127.0.0.1 ; change to WebServer Private IP
}

define service{
 use generic-service ; Name of service template to use
 host_name WebServer-S1
 service_description Disk Space
 check_command check_all_disks!20%!10%
 }

define service{
 use generic-service ; Name of service template to use
 host_name WebServer-S1
 service_description Current Users
 check_command check_users!20!50
 }

define service{
 use generic-service ; Name of service template to use
 host_name WebServer-S1
 service_description Current Load
 check_command check_load!5.0!4.0!3.0!10.0!6.0!4.0
 }

define service {
 use generic-service
 host_name WebServer-S1
 service_description NFS Backup Disk
 check_command check_nrpe_1arg!check_nfsmount
}

define service {
 host_name WebServer-S1
 service_description Swap
 check_command check_nrpe_1arg!check_swap
 use generic-service
 notification_interval 0
}

define service{
 use generic-service ; Name of service template to use
 host_name WebServer-S1
 service_description Total Processes
 check_command check_nrpe_1arg!check_total_procs
 }

define service{
 use generic-service ; Name of service template to use
 host_name WebServer-S1
 service_description Total Zombie Processes
 check_command check_nrpe_1arg!check_zombie_procs
 }

define service {
 use generic-service
 host_name WebServer-S1
 service_description DNS Resolution
 check_command check_nrpe_1arg!check_dns
}
define service {
 host_name WebServer-S1
 hostgroup_name http-servers
 service_description HTTP
 check_command check_http
 use generic-service
 event_handler check_nrpe_1arg!restart_apache2
 notification_interval 0 ; set > 0 if you want to be renotified
}
 /etc/init.d/nagios3 restart

Check for errors, then log in to the Nagios web console and check

Installing Nagios Server in Ubuntu


Nagios Wildfly (9 and 8)

Nagios Monitoring the WildFly Server

 


 

Nagios has an extensive list of plugins to monitor different services, and it can even restart a troubled service. Here we will be monitoring a WildFly server. I am configuring this on WildFly 8; it should also work with JBoss 7 and WildFly 9.

Server Info

OS = Ubuntu 12.04.5 LTS Server

Ram = 14 GB

Processor = 4 x 3ghz

Nagios Client Configuration (Ubuntu)

Installing NRPE-server as root

apt-get install nagios-nrpe-server nagios-plugins nagios-plugins-contrib

Securing NRPE Server

vim /etc/nagios/nrpe.cfg

Change allowed_hosts to the Nagios server IP address

iptables -N NRPE
iptables -I INPUT -s 0/0 -p tcp --dport 5666 -j NRPE
iptables -I NRPE -s nagios-serverip -j ACCEPT
iptables -A NRPE -s 0/0 -j DROP
 apt-get install iptables-persistent

Save the iptables rules (when iptables-persistent is installed, it offers to save the current iptables rules)

 

Nagios Plugin to Check Wildfly

Download latest jboss2nagios from here

unzip jboss2nagios-1.3.1.zip
cd jboss2nagios/mbean/
chown wildfly.wildfly collector.sar
cp collector.sar  /{replace with path to wildflyhome}/standalone/deployments/
cd  ../../jboss2nagios/plugins
vim check_mbean_collector   # make sure the lib path is correct (Ubuntu = /usr/lib/nagios/plugins)
chmod +x check_mbean_collector
cp check_mbean_collector /usr/lib/nagios/plugins/

Check if plugin works

service wildfly restart   # this will open port 5566; make sure it's bound to the loopback IP
su - wildfly
cd  /usr/lib/nagios/plugins/
./check_mbean_collector -H 127.0.0.1 -p 5566  -m java.lang:type=Memory -a NonHeapMemoryUsage -w 30000 -c 40000


Adding Command

vim /etc/nagios/nrpe.cfg

allowed_hosts= (nagios server ip)

Comment out (#) all the other commands defined and add these (change the w (warn) and c (critical) values according to your environment)

command[check_dns]=/usr/lib/nagios/plugins/check_dns -H google.com
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_all_disks]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10%
command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 500 -c 600
command[check_swap]=/usr/lib/nagios/plugins/check_swap -w 50% -c 25%
command[check_memory]=/usr/lib/nagios/plugins/check_memory
command[check_mbean_thread]=/usr/lib/nagios/plugins/check_mbean_collector -H 127.0.0.1 -p 5566 -m java.lang:type=Threading -a ThreadCount -w 200 -c 400
command[check_mbean_nonheap]=/usr/lib/nagios/plugins/check_mbean_collector -H 127.0.0.1 -p 5566 -m java.lang:type=Memory -a NonHeapMemoryUsage -w 268435456 -c 536870912
command[check_mbean_heap]=/usr/lib/nagios/plugins/check_mbean_collector -H 127.0.0.1 -p 5566 -m java.lang:type=Memory -a HeapMemoryUsage -w 3758096384 -c 4080218931

/etc/init.d/nagios-nrpe-server restart

Server Side Template Creation (log in to the Nagios server)

define host {
use generic-host
host_name wildfly-loadbalancer
alias Wildfly S1 HA
address 127.0.0.1 ; change to wildfly/jboss server IP
}

define service{
 use generic-service ; Name of service template to use
 host_name wildfly-loadbalancer
 service_description Disk Space
 check_command check_all_disks!20%!10%
 }

define service{
 use generic-service ; Name of service template to use
 host_name wildfly-loadbalancer
 service_description Current Users
 check_command check_users!20!50
 }

define service{
 use generic-service ; Name of service template to use
 host_name wildfly-loadbalancer
 service_description Current Load
 check_command check_load!5.0!4.0!3.0!10.0!6.0!4.0
 }

define service {
 use generic-service
 host_name wildfly-loadbalancer
 service_description WildFly Active Threads
 check_command check_nrpe_1arg!check_mbean_thread
 }

define service {
 use generic-service
 host_name wildfly-loadbalancer
 service_description WildFly Heap Memory
 check_command check_nrpe_1arg!check_mbean_heap
 }

define service {
 use generic-service
 host_name wildfly-loadbalancer
 service_description WildFly Non Heap Memory
 check_command check_nrpe_1arg!check_mbean_nonheap
 }
 /etc/init.d/nagios3 restart

Check for errors, then log in to the Nagios web console and check

Installing Nagios Server in Ubuntu

 


Migrating LastPass to KeePass


 

 

 

LastPass is a great place to store your passwords. It supports most browsers and devices (iOS and Android). It has a built-in "Auto Form Fill" option, and it also has an option to save your credit card.

These options have made online life a little easier and more secure.

Lately a hack happened at LastPass. Although they say the breach didn't disclose any user data, it opened up a whole new set of problems regarding my password security. Also, LastPass had made certain changes to their security which were starting to bring down the availability of my passwords.

LastPass free supports one device, either your desktop or mobile. If you want to use both, you will have to purchase premium.

KeePass is an open-source password manager. It is cross-platform and has a wide range of plugins.

Installing KeePass (ArchLinux)

I use yaourt, but you can also use pacman. KeePass is available in most distribution repos.

yaourt -S keepass

Exporting passwords from LastPass

Log in to LastPass. Under Tools click Export; this will export the LastPass database in CSV format. Copy it and save the file with a .csv extension.


 

 

 

 

Now open KeePass, open the File drop-down, click Import, select LastPass CSV and import.


 

This will import all your passwords into KeePass. Now save your new database. It is better to save it to a cloud server (Dropbox, ownCloud etc.), and it is highly recommended to also use a key file to decrypt the database.

Plugins for Firefox and Chrome are available; I use CKP (Chrome). An Android app is also available. Apart from the ugly Mono interface, KeePass is the next best alternative for me.

 

KeePass Features

 

This is all you. Make sure your database is secure; don't share the master key or password with anyone.


Nagios Tomcat

Nagios Monitoring the Tomcat server.


 

Nagios has an extensive list of plugins to monitor different services, and it can even restart a troubled service. Here we will be monitoring a Tomcat server, with advanced Tomcat and JMX monitoring.

Server Info

OS = Ubuntu 12.04.5 LTS Server

Ram = 14 GB

Processor = 4 x 3ghz

 

Nagios Client Configuration (Ubuntu)

Installing NRPE-server as root

apt-get install nagios-nrpe-server nagios-plugins nagios-plugins-contrib

Securing NRPE Server

vim /etc/nagios/nrpe.cfg

Change allowed_hosts to the Nagios server IP address

iptables -N NRPE
iptables -I INPUT -s 0/0 -p tcp --dport 5666 -j NRPE
iptables -I NRPE -s nagios-serverip -j ACCEPT
iptables -A NRPE -s 0/0 -j DROP
 apt-get install iptables-persistent

Save the iptables rules (when iptables-persistent is installed, it offers to save the current iptables rules)

 Nagios Plugin to Check JVM

cd /usr/local/bin/
wget https://fidanov.net/c0d3/nagios-plugins/jvminspector/JvmInspector.jar
chmod +x JvmInspector.jar

cd /usr/lib/nagios/plugins/
wget https://fidanov.net/c0d3/nagios-plugins/jvminspector/check_jvm
chmod +x check_jvm
su - tomcat7 -s /bin/bash   # or tomcat6; Tomcat is running as the tomcat user

Check

java -jar /usr/local/bin/JvmInspector.jar all   # displays all the JMX information available to the tomcat user

Enabling the Nagios user to run this check from Nagios server

visudo

And add 

nagios    ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/check_jvm

Adding Command

vim /etc/nagios/nrpe.cfg
allowed_hosts= (nagios server ip)
Comment out (#) all the other commands defined and add these (change the w (warn) and c (critical) values according to your environment)
command[check_dns]=/usr/lib/nagios/plugins/check_dns -H google.com
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_all_disks]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10%
command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 500 -c 600
command[check_swap]=/usr/lib/nagios/plugins/check_swap -w 50% -c 25%
command[check_memory]=/usr/lib/nagios/plugins/check_memory
command[tomcat_heap]=/usr/bin/sudo -u tomcat7 /usr/lib/nagios/plugins/check_jvm -n org.apache.catalina.startup.Bootstrap -p heap -w 3758096384 -c 4080218931
command[tomcat_nonheap]=/usr/bin/sudo -u tomcat7 /usr/lib/nagios/plugins/check_jvm -n org.apache.catalina.startup.Bootstrap -p non-heap -w 268435456 -c 536870912
command[tomcat_classes]=/usr/bin/sudo -u tomcat7 /usr/lib/nagios/plugins/check_jvm -n org.apache.catalina.startup.Bootstrap -p classes -w 25000 -c 30000
command[tomcat_threads]=/usr/bin/sudo -u tomcat7 /usr/lib/nagios/plugins/check_jvm -n org.apache.catalina.startup.Bootstrap -p threads -w 300 -c 600
command[tomcat_sessions]=/usr/bin/sudo -u tomcat7 /usr/lib/nagios/plugins/check_jvm -n org.apache.catalina.startup.Bootstrap -p sessions -w 300 -c 600
/etc/init.d/nagios-nrpe-server restart
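
One way to review the nrpe.cfg edits described above, as an added example that is not from the original post or the NRPE project: it checks that allowed_hosts is limited to loopback and the Nagios server, and lists every command that runs through sudo so the sudoers entry can be matched against it. The sample file, the 192.0.2.10 and 203.0.113.50 addresses and the check_custom command are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. The sample nrpe.cfg is constructed;
# check_custom and the 192.0.2.10 / 203.0.113.50 addresses are placeholders.

# audit_nrpe_cfg FILE NAGIOS_SERVER_IP
# Prints one finding per line:
#   ALLOWED_HOSTS_MISSING        no allowed_hosts line at all
#   SERVER_NOT_ALLOWED <ip>      the Nagios server is absent from allowed_hosts
#   EXTRA_ALLOWED_HOST <entry>   an entry other than loopback or the server
#   ARGS_ENABLED                 dont_blame_nrpe=1 (remote arguments accepted)
#   TAKES_ARGS <command>         command line contains ARGn macros
#   SUDO <command> as <user>     command runs through sudo as <user>
audit_nrpe_cfg() {
    awk -v server="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
        /^[ \t]*allowed_hosts[ \t]*=/ {
            seen = 1; ok = 0
            v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v)
            n = split(v, h, ",")
            for (i = 1; i <= n; i++) {
                if (h[i] == server) ok = 1
                else if (h[i] != "" && h[i] != "127.0.0.1") print "EXTRA_ALLOWED_HOST " h[i]
            }
            if (!ok) print "SERVER_NOT_ALLOWED " server
            next
        }
        /^[ \t]*dont_blame_nrpe[ \t]*=[ \t]*1/ { print "ARGS_ENABLED"; next }
        /^[ \t]*command\[/ {
            name = substr($0, index($0, "[") + 1)
            name = substr(name, 1, index(name, "]") - 1)
            cmd = $0; sub(/^[^=]*=/, "", cmd)
            if (cmd ~ /\$ARG[0-9]+\$/) print "TAKES_ARGS " name
            if (cmd ~ /^sudo[ \t]/ || cmd ~ /\/sudo[ \t]/) {
                user = "root"                         # sudo default without -u
                if (match(cmd, /[ \t]-u[ \t]+[^ \t]+/)) {
                    user = substr(cmd, RSTART, RLENGTH)
                    sub(/^[ \t]-u[ \t]+/, "", user)
                }
                print "SUDO " name " as " user
            }
        }
        END { if (!seen) print "ALLOWED_HOSTS_MISSING" }
    ' "$1"
}

# Constructed sample, modelled on the command definitions in this post.
write_sample_nrpe_cfg() {
    cat > "$1" <<'CFG'
# constructed sample nrpe.cfg
allowed_hosts=127.0.0.1,192.0.2.10,203.0.113.50
dont_blame_nrpe=0
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[tomcat_heap]=/usr/bin/sudo -u tomcat7 /usr/lib/nagios/plugins/check_jvm -n org.apache.catalina.startup.Bootstrap -p heap -w 3758096384 -c 4080218931
command[check_custom]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$
CFG
}

# Demonstration on the constructed sample.
cfg=$(mktemp) && write_sample_nrpe_cfg "$cfg" && audit_nrpe_cfg "$cfg" 192.0.2.10
rm -f "$cfg"
```

Each SUDO line names the only run-as user its sudoers rule has to permit; for the commands in this post that is tomcat7.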

Server Side Template Creation (log in to the Nagios server)

define host {
use generic-host
host_name Tomcat Server
alias Tomcat Load Balancer
address 127.0.0.1 ; change to tomcat server IP
}
define service {
use generic-service
host_name Tomcat Server
service_description PING
check_command check_ping!100.0,20%!500.0,60%
}
define service{
use generic-service ; Name of service template to use
host_name Tomcat Server
service_description Disk Space
check_command check_nrpe_1arg!check_all_disks
}
define service {
host_name Tomcat Server
service_description Swap
check_command check_nrpe_1arg!check_swap
use generic-service
notification_interval 0
}
define service{
use generic-service ; Name of service template to use
host_name Tomcat Server
service_description Current Load
check_command check_nrpe_1arg!check_load
}
define service{
use generic-service ; Name of service template to use
host_name Tomcat Server
service_description Current Users
check_command check_nrpe_1arg!check_users
}
define service{
use generic-service ; Name of service template to use
host_name Tomcat Server
service_description Total Processes
check_command check_nrpe_1arg!check_total_procs
}
define service{
use generic-service ; Name of service template to use
host_name Tomcat Server
service_description Total Zombie Processes
check_command check_nrpe_1arg!check_zombie_procs
}
define service {
use generic-service
host_name Tomcat Server
service_description Tomcat threads count
check_command check_nrpe_1arg!tomcat_threads
}
define service {
use generic-service
host_name Tomcat Server
service_description Tomcat loaded classes count
check_command check_nrpe_1arg!tomcat_classes
}
define service {
use generic-service
host_name Tomcat Server
service_description Tomcat heap memory used
check_command check_nrpe_1arg!tomcat_heap
}
define service {
use generic-service
host_name Tomcat Server
service_description Tomcat non-heap memory used
check_command check_nrpe_1arg!tomcat_nonheap
}
define service {
use generic-service
host_name Tomcat Server
service_description Tomcat total active sessions
check_command check_nrpe_1arg!tomcat_sessions
}
 /etc/init.d/nagios3 restart

Check for errors, then log in to the Nagios web console and check

Installing Nagios Server in Ubuntu


Nagios Monitoring


This is not going to be descriptive documentation. Nagios is really extensive and flexible.

Environment

CPU = 2 x 2.7 ghz (xen vm)

Ram = 3gb

OS = Ubuntu 12.04 64 Server

Number of Server to monitor = 20

 

Install Nagios

sudo apt-get install nagios3 nagios-nrpe-plugin

Install Extra Plugins

sudo apt-get install nagios-plugins-extra nagios-plugins-standard nagios-plugins-contrib

Important Locations

Plugins = /usr/lib/nagios/plugins/

Configuration = /etc/nagios3/

Host Specific Configuration = /etc/nagios3/conf.d/

Things to Do

  • Add an htaccess user to access the Nagios web admin
  • Set up the Nagios server to use https (snakeoil)

 

Modify apache2.cfg in  /etc/nagios3/

Add User for Web

htpasswd /etc/nagios3/htpasswd.users monitor

Modify  /etc/nagios3/cgi.cfg to give new user appropriate permission

Restart Nagios

/etc/init.d/nagios3 restart

If the restart fails, the nagios init script will report which config file is causing the problem; fix it and restart

Next Post Client Specific Nagios Configuration

Client monitoring in coming Posts

 

 


Bash Keyboard Shortcuts


Moving the cursor:

  Ctrl + a   Go to the beginning of the line (Home)
  Ctrl + e   Go to the End of the line (End)
  Ctrl + p   Previous command (Up arrow)
  Ctrl + n   Next command (Down arrow)
   Alt + b   Back (left) one word      or use Option+Right-Arrow
   Alt + f   Forward (right) one word  or use Option+Left-Arrow
  Ctrl + f   Forward one character
  Ctrl + b   Backward one character
  Ctrl + xx  Toggle between the start of line and current cursor position

Editing:

 Ctrl + L   Clear the Screen, similar to the clear command

  Alt + Del Delete the Word before the cursor.
  Alt + d   Delete the Word after the cursor.
 Ctrl + d   Delete character under the cursor
 Ctrl + h   Delete character before the cursor (backspace)

 Ctrl + w   Cut the Word before the cursor to the clipboard.
 Ctrl + k   Cut the Line after the cursor to the clipboard.
 Ctrl + u   Cut/delete the Line before the cursor position.

  Alt + t   Swap current word with previous
 Ctrl + t   Swap the last two characters before the cursor (typo).
 Esc  + t   Swap the last two words before the cursor.

 Ctrl + y   Paste the last thing to be cut (yank)
  Alt + u   UPPER capitalize every character from the cursor to the end of the current word.
  Alt + l   Lower the case of every character from the cursor to the end of the current word.
  Alt + c   Capitalize the character under the cursor and move to the end of the word.
  Alt + r   Cancel the changes and put back the line as it was in the history (revert).
 Ctrl + _   Undo
 
 TAB        Tab completion for file/directory names

For example, to move to a directory 'sample1': type cd sam, then press TAB and ENTER.
Type just enough characters to uniquely identify the directory you wish to open.

History:

  Ctrl + r   Recall the last command including the specified character(s)
             searches the command history as you type.
             Equivalent to : vim ~/.bash_history. 
  Ctrl + p   Previous command in history (i.e. walk back through the command history)
  Ctrl + n   Next command in history (i.e. walk forward through the command history)
   Alt + .   Use the last word of the previous command
  Ctrl + s   Go back to the next most recent command.
            (beware to not execute it from a terminal because this will also launch its XOFF).
  Ctrl + o   Execute the command found via Ctrl+r or Ctrl+s
  Ctrl + g   Escape from history searching mode

Process control:

 Ctrl + C   Interrupt/Kill whatever you are running (SIGINT)
 Ctrl + l   Clear the screen
 Ctrl + s   Stop output to the screen (for long running verbose commands)
 Ctrl + q   Allow output to the screen (if previously stopped using command above)
 Ctrl + D   Send an EOF marker, unless disabled by an option, this will close the current shell (EXIT)
 Ctrl + Z   Send the signal SIGTSTP to the current task, which suspends it.
            To return to it later enter fg 'process name' (foreground).

 

Source

 


MyISAM To InnoDB for Galera

How to Convert MyISAM Tables to InnoDB


Using mysqldump

 

NOTE :- mysqldump creates an SQL file, which is a text file, so we can change MyISAM to InnoDB using a text editor. The recommended way of doing it is described below.


PURPOSE :- Galera MySQL cluster does not support MyISAM. If the database is on the MyISAM engine, we need to change it to InnoDB.

 

IMP :- FULLTEXT is not supported by InnoDB. Make sure you don't have FULLTEXT indexes; if you have any, convert them manually, and then follow the steps below.

 

 

On the source database

mysqldump -uroot -p --no-data  -R --triggers databasename > database-schema.sql

The command above exports the schema of the tables.

 

 

Edit the dump file; I am using sed

sed -i.bak 's#MyISAM#InnoDB#g' database-schema.sql

Now dump the data

mysqldump -uroot -p --no-create-info  -R --triggers databasename > database-data.sql

 

On Destination Database

Create database

mysql -uroot -p -e "create database databasename"

Restore schema

mysql -uroot -p databasename < database-schema.sql

Restore data

mysql -uroot -p databasename < database-data.sql

 

That should do it.
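
The conversion step above as an added example, not part of the original post: it automates the FULLTEXT check the post asks for and rewrites only the `ENGINE=` line of each table definition, which is narrower than the post's blanket sed. The sample dump and its table names are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Works on the schema-only dump
# (database-schema.sql above); the sample dump below is constructed.

# Print the name of every MyISAM table that carries a FULLTEXT key.
fulltext_tables() {
    awk '
        /^CREATE TABLE/           { split($0, p, "`"); tbl = p[2]; ft = 0 }
        /^[ \t]*FULLTEXT KEY/     { ft = 1 }
        /^\) ENGINE=MyISAM/ && ft { print tbl }
    ' "$1"
}

# convert_schema SRC DST
# Refuses (return 2, no output file) while FULLTEXT tables remain; otherwise
# rewrites only the table-options line, leaving other "MyISAM" strings alone.
convert_schema() {
    local src=$1 dst=$2 blocked count
    blocked=$(fulltext_tables "$src")
    if [ -n "$blocked" ]; then
        # One line per table name (printf repeats the format for each word).
        printf 'convert by hand first (FULLTEXT): %s\n' $blocked >&2
        return 2
    fi
    count=$(grep -c '^) ENGINE=MyISAM' "$src" || true)
    sed 's/^) ENGINE=MyISAM/) ENGINE=InnoDB/' "$src" > "$dst" || return 1
    printf 'converted %s table(s)\n' "$count"
}

# Constructed sample in mysqldump --no-data layout; pass "fulltext" as $2 to
# append a table that must block the conversion.
write_sample_dump() {
    cat > "$1" <<'SQL'
CREATE TABLE `users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `engine_note` varchar(16) DEFAULT 'MyISAM',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=5 DEFAULT CHARSET=utf8;

CREATE TABLE `sessions` (
  `id` int(11) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
SQL
    if [ "${2:-}" = "fulltext" ]; then
        cat >> "$1" <<'SQL'

CREATE TABLE `articles` (
  `id` int(11) NOT NULL,
  `body` text,
  PRIMARY KEY (`id`),
  FULLTEXT KEY `ft_body` (`body`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
SQL
    fi
}

# Demonstration: first dump is refused, second is converted.
tmp=$(mktemp -d)
write_sample_dump "$tmp/schema.sql" fulltext
convert_schema "$tmp/schema.sql" "$tmp/schema-innodb.sql" || echo "refused, as expected"
write_sample_dump "$tmp/schema.sql"
convert_schema "$tmp/schema.sql" "$tmp/schema-innodb.sql"
rm -rf "$tmp"
```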


Mysql cluster with Galera Ubuntu 12.04.5

Mysql Cluster with galera in Ubuntu 12.04.5


Galera currently only supports InnoDB fully. Make sure your tables use the InnoDB engine; MyISAM will not replicate row-level changes. We can force Galera to replicate the changes, but that is not recommended for a production environment.

Ubuntu 12.04.5

My Environment

  • 4 x Xenserver 6.2 (on ssd with 6 cores per server)
  • Operating system used = Ubuntu Server 12.04.5 LTS (14.04 is still not officially supported by Citrix XenServer)
  • Ubuntu Server base install with SSH
  • 12 GB RAM per MySQL server with 4 cores at 3 GHz

Install Dependencies

sudo apt-get install libaio1 libssl0.9.8
sudo apt-get install build-essential

(not mandatory, but I make a practice of installing the build libraries)

sudo apt-get dist-upgrade
sudo apt-get install mysql-client

(install the client from the repository)

Download the Patched Mysql

Download the latest Galera wsrep provider and MySQL server

Version At The Time of writing

Galera Wsrep = 25.3.5

MySQL server = 5.6.16-25.5

dpkg -i mysql-server-wsrep-5.6.16-25.5-amd64.deb
dpkg -i  galera-25.3.5-amd64.deb

Default mysql Data directory

/var/lib/mysql/ (I have mounted a 100 GB partition with an XFS filesystem)

IMP :- the default log directory won't be created, and there will be an error on starting the MySQL server, so create it:

mkdir /var/log/mysql
chown -R mysql:mysql /var/log/mysql/
/etc/init.d/mysql restart

The above steps are the same for all the MySQL servers in the cluster. Because of this, I cloned the current m-node1 to m-node2 and m-node3.


Note :- update each machine's hostname and IP address accordingly, and update the /etc/hosts file so the servers can communicate by name rather than by IP.

m-node1 – 10.0.1.2

m-node2 – 10.0.1.3

m-node3 – 10.0.1.4

 

 

Configuring Galera: change on all servers appropriately (steps to be done on all servers)

vim /etc/mysql/my.cnf

bind-address            = 10.0.1.2 (10.0.1.3 on m-node2, 10.0.1.4 on m-node3; bind to the node's local address, and make sure to secure your installation)

Log in to the MySQL database

SET wsrep_on=OFF; DELETE FROM mysql.user WHERE user='';
SET wsrep_on=OFF; GRANT ALL ON *.* TO wsrep_sst@'%' IDENTIFIED BY 'wspass';

You can change the username and password as desired

 SHOW STATUS LIKE 'wsrep%';

 

vim /etc/mysql/conf.d/wsrep.cnf

Append or change

bind-address=0.0.0.0

wsrep_provider=/usr/lib/galera/libgalera_smm.so

wsrep_provider_options="gcache.size=2048M; gcache.page_size=256M"

wsrep_cluster_address="gcomm://"

Optional

wsrep_node_name=m-node1

wsrep_node_address=10.0.1.2

wsrep_slave_threads=1 (the default is 1; increasing it can speed up replication but might increase the chance of redundancy between cluster nodes. If that happens, revert to 1 and restart the cluster; the data will be in sync)

wsrep_node_incoming_address=10.0.1.2
wsrep_sst_receive_address=10.0.1.2

wsrep_sst_method=rsync

wsrep_sst_auth=wsrep_sst:wspass (change to match the user and password created in the step above)

Now start the server in bootstrap mode

wsrep_cluster_address="gcomm://"

This setting tells Galera that this node is the bootstrap node and that the other servers will be joining it. Remember this step for later.

/etc/init.d/mysql restart

Check if server is up


Other server/node configuration

Assuming all configuration is the same in wsrep.cnf

Change the IP and hostname mapping accordingly

wsrep_cluster_address="gcomm://10.0.1.2,10.0.1.3,10.0.1.4" (you can use the hostnames as mapped in the hosts file or the IP addresses here; I have also added the node's own address, but it is not required)

Starting the cluster

Checks to do before starting

  • All nodes' hosts files are updated accordingly
  • Galera bootstrap node (m-node1) configured with wsrep_cluster_address="gcomm://"
  • All tables are InnoDB
  • MySQL and wsrep bind to the local address rather than the loopback address

 

m-node1

service mysql start

Check for errors in the logs under /var/log/mysql/ and in /var/log/syslog

m-node2

service mysql start

Check for errors in the logs under /var/log/mysql/ and in /var/log/syslog

m-node3

service mysql start

Check for errors in the logs under /var/log/mysql/ and in /var/log/syslog

Check if cluster is working properly

e.g. add a database, tables and rows, and check thoroughly that the data is being replicated properly

Reassigning bootstrap node (m-node1)

Change this: wsrep_cluster_address="gcomm://"

to

wsrep_cluster_address="gcomm://10.0.1.2,10.0.1.3,10.0.1.4"

If this is not done, m-node1 will not connect to the cluster when we restart it. More information can be found in the wsrep documentation.

That's it, you're done. Next: maintenance of the Galera cluster and fine tuning.
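A pre-restart check for the settings this post asks you to revisit, as an added example that is not part of the original post or of Galera: it flags typographic quotes pasted from a web page, an empty gcomm:// left over from bootstrap, the tutorial's sample SST password, and a bind address of 0.0.0.0. The function names, finding codes and both sample files are constructed, and option names are assumed to be spelled as in the post.

```shell
#!/bin/sh
# Added example: audit a Galera wsrep.cnf for the pitfalls this post describes.

# Last value assigned to option $2 in file $1, with quotes and blanks removed.
get_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/“//g' -e 's/”//g' -e 's/″//g' | tr -d "\"' "
}

# Print one finding code per line; print nothing for a clean file.
audit_wsrep() {
    # Typographic quotes pasted from a web page are not valid option quoting.
    if grep -F -q -e '“' -e '”' -e '″' "$1"; then echo SMART_QUOTES; fi
    # An empty gcomm:// makes the node bootstrap a new cluster on every restart.
    [ "$(get_opt "$1" wsrep_cluster_address)" = "gcomm://" ] && echo BOOTSTRAP_ADDRESS
    # The tutorial's example credentials must not survive into production.
    case "$(get_opt "$1" wsrep_sst_auth)" in
        *:wspass) echo SAMPLE_SST_PASSWORD ;;
    esac
    # 0.0.0.0 listens on every interface instead of the cluster address.
    [ "$(get_opt "$1" bind-address)" = "0.0.0.0" ] && echo BIND_ALL_INTERFACES
    return 0
}

# Constructed samples: the bootstrap-time file as pasted, and a corrected one.
write_samples() {
    cat > "$1/pasted.cnf" <<'EOF'
[mysqld]
bind-address=0.0.0.0
wsrep_cluster_address=”gcomm://”
wsrep_sst_method=rsync
wsrep_sst_auth=wsrep_sst:wspass
EOF
    cat > "$1/fixed.cnf" <<'EOF'
[mysqld]
bind-address=10.0.1.2
wsrep_cluster_address="gcomm://10.0.1.2,10.0.1.3,10.0.1.4"
wsrep_sst_method=rsync
wsrep_sst_auth=wsrep_sst:REPLACE_WITH_GENERATED_SECRET
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "pasted.cnf: $(audit_wsrep "$tmp/pasted.cnf" | tr '\n' ' ')"
echo "fixed.cnf:  $(audit_wsrep "$tmp/fixed.cnf" | tr '\n' ' ')"
rm -rf "$tmp"
```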


Load Balancing Multi-WAN pfSense

Here I am assuming you have configured the interfaces with public IPs, and that each public IP has its own gateway configured.

 

Go to System -> Routing


 

Select Groups


On the Groups tab, click the + button at the bottom

 


 

Gateways on the same tier are load-balanced; a different tier acts as fail-over. The lower the tier, the higher the priority. The trigger level is configured for packet loss or high latency.

Save the changes


Firewall: Rules: LAN


 

Edit the default LAN rule that was added by the pfSense installation

Scroll down to the advanced features, click on Gateway and select the new group we created.


 

Go to

System: Advanced: Miscellaneous

Tick "Use sticky connections"


 

Another thing to do is change the gateway monitoring. The default monitoring address is the interface gateway we gave while configuring the interface; it can be changed to any other address. I use Google's DNS server.