Archive for August, 2009

squid basic option

August 27, 2009

http_port 192.168.[98|106].64:port
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
dns_timeout 1 minutes
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl [se|fx]-net src 192.168.[98|106].0/24
acl safe_urls dstdomain .xxx.com
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port
acl Safe_ports port http_port https_port # http, https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny !safe_urls
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access allow [se|fx]-net
http_access deny all
http_reply_access allow all
cache_mgr someone@some.com
coredump_dir /usr/local/squid/var/cache

Binding NRPE with inetd/xinetd On Solaris 10

August 23, 2009

Modify the nrpe.cfg file with your settings:

vi /usr/local/nagios/etc/nrpe.cfg

With Solaris 10, we don’t use either inetd or xinetd, but SMF. Thankfully, we can convert inetd entries into the SMF repository with the inetconv command. So first, add the following entry to /etc/services:

nrpe 5666/tcp # NRPE

Then add the following line to the end of /etc/inet/inetd.conf:

nrpe stream tcp nowait nagios /usr/sfw/sbin/tcpd /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i

Next, we need to convert it to SMF:

# inetconv
nrpe -> /var/svc/manifest/network/nrpe-tcp.xml
Importing nrpe-tcp.xml ...Done
# inetconv -e
svc:/network/nrpe/tcp:default enabled

Check to make sure it went online:

# svcs svc:/network/nrpe/tcp:default
STATE STIME FMRI
online 15:53:39 svc:/network/nrpe/tcp:default
# netstat -a | grep nrpe
*.nrpe *.* 0 0 49152 0 LISTEN

Check the default installed parameters:

# inetadm -l svc:/network/nrpe/tcp:default
SCOPE NAME=VALUE
name="nrpe"
endpoint_type="stream"
proto="tcp"
isrpc=FALSE
wait=FALSE
exec="/usr/sfw/sbin/tcpd -c /usr/local/nagios/etc/nrpe.cfg -i"
arg0="/usr/local/nagios/bin/nrpe"
user="nagios"
default bind_addr=""
default bind_fail_max=-1
default bind_fail_interval=-1
default max_con_rate=-1
default max_copies=-1
default con_rate_offline=-1
default failrate_cnt=40
default failrate_interval=60
default inherit_env=TRUE
default tcp_trace=FALSE
default tcp_wrappers=FALSE
default connection_backlog=10

Change it so that it uses tcp_wrappers:

# inetadm -m svc:/network/nrpe/tcp:default tcp_wrappers=TRUE

And check to make sure it took effect:

# inetadm -l svc:/network/nrpe/tcp:default
SCOPE NAME=VALUE
name="nrpe"
endpoint_type="stream"
proto="tcp"
isrpc=FALSE
wait=FALSE
exec="/usr/sfw/sbin/tcpd -c /usr/local/nagios/etc/nrpe.cfg -i"
arg0="/usr/local/nagios/bin/nrpe"
user="nagios"
default bind_addr=""
default bind_fail_max=-1
default bind_fail_interval=-1
default max_con_rate=-1
default max_copies=-1
default con_rate_offline=-1
default failrate_cnt=40
default failrate_interval=60
default inherit_env=TRUE
default tcp_trace=FALSE
tcp_wrappers=TRUE
default connection_backlog=10

[Optional, but a security concern] Modify your hosts.allow and hosts.deny so that only your Nagios server can reach the NRPE port. Note that tcpd always consults hosts.allow first, so even though hosts.deny rejects everyone, the IP addresses listed in hosts.allow are still allowed.

/etc/hosts.allow:

nrpe: LOCAL, 10.0.0.45

/etc/hosts.deny:

nrpe: ALL

Finally, check that everything is installed correctly (this should return version information):

/usr/local/nagios/libexec/check_nrpe -H localhost
NRPE v2.12

You may get "CHECK_NRPE: Error - Could not complete SSL handshake". There are two quick solutions. Either download and install the SUNWcry and SUNWcryr packages, which are export controlled (you are looking for the /usr/sfw/lib/libssl_extras.so.X.Y.Z library), or change line 222 of src/nrpe.c as follows and recompile:

- SSL_CTX_set_cipher_list(ctx,"ADH");
+ SSL_CTX_set_cipher_list(ctx,"ADH:-ADH-AES256-SHA");

Optionally, modify any firewalls between your Nagios server and the remote host to allow port 5666.
Don’t forget to configure your Nagios server to check your new service.
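A post-install check for the service set up above, added here as an example (it is not part of Nagios or NRPE): it confirms that tcp_wrappers is explicitly enabled on the SMF service and that hosts.allow/hosts.deny restrict nrpe to the Nagios server. Inputs are passed as text so the same checks can run against captured output; the inetadm output and hosts files below are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example: verify the NRPE tcp_wrappers hardening from the post.
# Inputs are plain text (inetadm output, hosts.allow, hosts.deny contents).

# wrappers_enabled INETADM_OUTPUT
# True only for an explicit "tcp_wrappers=TRUE" line. A line still carrying
# the "default" scope means the property was never changed, so tcpd's
# hosts.allow/hosts.deny rules would be ignored; that must not count.
wrappers_enabled() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*tcp_wrappers=TRUE[[:space:]]*$'
}

# nrpe_allowed_hosts HOSTS_ALLOW_TEXT
# Prints the client list of the nrpe line with whitespace removed,
# e.g. "LOCAL,10.0.0.45", or nothing when there is no nrpe line.
nrpe_allowed_hosts() {
    printf '%s\n' "$1" | sed -n 's/^nrpe:[[:space:]]*//p' | head -n 1 | tr -d ' \t'
}

# deny_catches_all HOSTS_DENY_TEXT - true if "nrpe: ALL" rejects everyone else
deny_catches_all() {
    printf '%s\n' "$1" | grep -q '^nrpe:[[:space:]]*ALL[[:space:]]*$'
}

# nrpe_access_ok NAGIOS_IP INETADM_OUTPUT HOSTS_ALLOW_TEXT HOSTS_DENY_TEXT
# Returns 0 when all three checks pass, 1 (with the reason on stderr) otherwise.
nrpe_access_ok() {
    wrappers_enabled "$2" ||
        { echo "tcp_wrappers is not enabled; hosts.allow/deny are ignored" >&2; return 1; }
    [ "$(nrpe_allowed_hosts "$3")" = "LOCAL,$1" ] ||
        { echo "hosts.allow nrpe line is not exactly 'LOCAL, $1'" >&2; return 1; }
    deny_catches_all "$4" ||
        { echo "hosts.deny lacks 'nrpe: ALL'; unknown hosts fall through" >&2; return 1; }
    echo "nrpe reachable only from LOCAL and $1"
}

# Constructed (not captured) sample of `inetadm -l svc:/network/nrpe/tcp:default`
# after `inetadm -m ... tcp_wrappers=TRUE`, abridged, plus the two hosts files.
SAMPLE_INETADM='SCOPE    NAME=VALUE
         name="nrpe"
         exec="/usr/sfw/sbin/tcpd -c /usr/local/nagios/etc/nrpe.cfg -i"
         tcp_wrappers=TRUE
default  connection_backlog=10'
SAMPLE_ALLOW='nrpe: LOCAL, 10.0.0.45'
SAMPLE_DENY='nrpe: ALL'

nrpe_access_ok 10.0.0.45 "$SAMPLE_INETADM" "$SAMPLE_ALLOW" "$SAMPLE_DENY"
```

On a live host, feed it the real data: `nrpe_access_ok 10.0.0.45 "$(inetadm -l svc:/network/nrpe/tcp:default)" "$(cat /etc/hosts.allow)" "$(cat /etc/hosts.deny)"`.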

issues while compiling NRPE on Sparc Solaris

August 21, 2009

Normally at this point we would just run `cd nrpe-2.12; ./configure`. Unfortunately, the configure script cannot find the SSL headers and libraries on Solaris 10. You get errors like this:

checking for SSL headers... configure: error: Cannot find ssl headers
checking for SSL libraries... configure: error: Cannot find ssl libraries

The answer to this is, of course, to tell configure where to find them:

cd nrpe-2.12
./configure --with-ssl=/usr/sfw/ --with-ssl-lib=/usr/sfw/lib/

Currently there is a bug in 2.12: it assumes that all systems have two syslog facilities (LOG_AUTHPRIV and LOG_FTP) that Solaris doesn’t have, so if you try to compile it you get the following errors:

nrpe.c: In function `get_log_facility':
nrpe.c:617: error: `LOG_AUTHPRIV' undeclared (first use in this function)
nrpe.c:617: error: (Each undeclared identifier is reported only once
nrpe.c:617: error: for each function it appears in.)
nrpe.c:619: error: `LOG_FTP' undeclared (first use in this function)
*** Error code 1
make: Fatal error: Command failed for target `nrpe'
Current working directory /usr/local/src/nrpe-2.12/src
*** Error code 1
make: Fatal error: Command failed for target `all'

Unfortunately, the fix at this time is to comment out the code that refers to these two facilities, lines 616-619 in src/nrpe.c:

/*else if(!strcmp(varvalue,"authpriv"))
log_facility=LOG_AUTHPRIV;
else if(!strcmp(varvalue,"ftp"))
log_facility=LOG_FTP;*/

UPDATE: You no longer need to comment out these lines; just replace them with the following:

/* Solaris has no LOG_AUTHPRIV or LOG_FTP: fall back to LOG_AUTH and LOG_DAEMON */
else if(!strcmp(varvalue,"authpriv"))
log_facility=LOG_AUTH;
else if(!strcmp(varvalue,"ftp"))
log_facility=LOG_DAEMON;

Now it will compile:

# make all
cd ./src/; make ; cd ..
gcc -g -O2 -I/usr/sfw//include/openssl -I/usr/sfw//include -DHAVE_CONFIG_H -o nrpe nrpe.c utils.c -L/usr/sfw/lib/ -lssl -lcrypto -lnsl -lsocket ./snprintf.o
gcc -g -O2 -I/usr/sfw//include/openssl -I/usr/sfw//include -DHAVE_CONFIG_H -o check_nrpe check_nrpe.c utils.c -L/usr/sfw/lib/ -lssl -lcrypto -lnsl -lsocket

*** Compile finished ***
NB: if you want to build for a user and group other than the defaults (nagios and nagios), you need to change them by hand in the top-level Makefile and in src/Makefile.
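The syslog-facility fix above, applied to src/nrpe.c by a script rather than by hand, as an added example that is not part of NRPE. The function names are my own; it keeps a backup, refuses to run when the file does not contain the expected lines, and reports what it changed. Because it uses $(...) and grep -E, run it on Solaris 10 under /usr/bin/ksh with /usr/xpg4/bin first in PATH rather than the old Bourne /bin/sh.

```shell
#!/bin/sh
# Added example: apply the LOG_AUTHPRIV/LOG_FTP replacement from the post to
# src/nrpe.c repeatably, with a backup and a before/after count.

# patch_log_facilities FILE
# Rewrites the two assignments in get_log_facility() (LOG_AUTHPRIV -> LOG_AUTH,
# LOG_FTP -> LOG_DAEMON), keeps FILE.orig as a backup and prints the number of
# lines changed. Fails when neither facility is present (wrong file, or already
# patched) so a build script does not silently carry on.
patch_log_facilities() {
    f="$1"
    n=$(grep -c -E 'log_facility=LOG_(AUTHPRIV|FTP);' "$f" || true)
    [ "$n" -gt 0 ] || { echo "$f: nothing to patch" >&2; return 1; }
    cp "$f" "$f.orig" &&
    sed -e 's/log_facility=LOG_AUTHPRIV;/log_facility=LOG_AUTH;/' \
        -e 's/log_facility=LOG_FTP;/log_facility=LOG_DAEMON;/' \
        "$f.orig" > "$f" || return 1
    echo "$n"
}

# remaining_bad_refs FILE - prints how many references to the two missing
# facilities are left; 0 means this part of the file will compile on Solaris.
remaining_bad_refs() {
    grep -c -E 'LOG_(AUTHPRIV|FTP)' "$1" || true
}

# make_sample_nrpe_c - writes a constructed stand-in for lines 616-619 of
# nrpe-2.12 src/nrpe.c (as quoted in the post) to a temp file and prints its
# path, so the demo runs without the NRPE source tree.
make_sample_nrpe_c() {
    t=$(mktemp /tmp/nrpe.c.XXXXXX) || return 1
    cat > "$t" <<'EOF'
        else if(!strcmp(varvalue,"authpriv"))
                log_facility=LOG_AUTHPRIV;
        else if(!strcmp(varvalue,"ftp"))
                log_facility=LOG_FTP;
EOF
    echo "$t"
}

src=$(make_sample_nrpe_c)
patch_log_facilities "$src"      # 2 lines changed
remaining_bad_refs "$src"        # 0 left
```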

Open-Solaris VPNC

August 18, 2009

Connecting OpenSolaris (2008.11) to a Cisco VPN: thanks for the head start! Some changes were needed for my system, though.

pkg install sunstudioexpress
export CC=/opt/SunStudioExpress/bin/cc

Download the tun/tap driver from Kazuyoshi.

Run ./configure, then edit the Makefile (x64 only!). Change these lines:

modules: tun.o tap.o
$(LD) -r -o tun tun.o
$(LD) -r -o tap tap.o

to

modules: tun.o tap.o
$(LD) -melf_x86_64 -r -o tun tun.o
$(LD) -melf_x86_64 -r -o tap tap.o

Now you can run make and make install, or you can (at your own risk; they work for me!) download the packages for both the 32-bit and 64-bit kernels:

tuntap-0.2.5-opensolaris-i386.pkg.gz (http://www.mediafire.com/?ny0wqzsmyct)
tuntap-0.2.5-opensolaris-x86_64.pkg.gz (http://www.mediafire.com/?ny0wqzsmyct)

Next you need vpnc; I grabbed vpnc-0.5.3.

pkg install SUNWgmake

Now edit the Makefile and change install to ginstall on each command line, for example:

install -m600 vpnc.conf $(DESTDIR)$(ETCDIR)/default.conf

to

ginstall -m600 vpnc.conf $(DESTDIR)$(ETCDIR)/default.conf

Optionally, change PREFIX from /usr/local to /usr.

0.5.3 will not compile correctly until you modify tunip.c, changing line 1061 from

openlog("vpnc", LOG_PID | LOG_PERROR, LOG_DAEMON);

to

openlog("vpnc", LOG_PID, LOG_DAEMON);

Now you can run gmake and gmake install, or you can (at your own risk; it works for me!) download the vpnc package:

vpnc-0.5.3-opensolaris-i386.pkg.gz (http://www.mediafire.com/?0tcwnx3e4xy)

Edits to the vpnc-script (included in the package above) to get a working VPN:

Commented out line 62: #IPROUTE=…

ADDED to the end of the set_network_route() function:

route add `echo "$INTERNAL_IP4_ADDRESS" | awk '{ printf "%s\n",$1}' FS=.`.0.0.0 "$INTERNAL_IP4_ADDRESS" -interface

(Say your IP on the VPN is 192.168.0.140; this will route all of 192.* through the VPN.)

ADDED to the end of the reset_default_route() function:

route $route_syntax_del default "$INTERNAL_IP4_ADDRESS"

(Disconnecting left some rogue route entries; it still leaves a few, but this gets things back to working order.)
Now I have full vpn access to the cisco networks I normally connect to!