LinuxAMI motd (2013-10-23)<br />
<br />
I wanted some more info when logging into my LinuxAMI in AWS; here is my motd script:<br />
<br />
<pre style="background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); padding: 1em;">wget https://raw.github.com/peterromfeldhk/AWS/master/sysstats-motd-v2 -O - > /usr/local/bin/dynmotd
chmod +x /usr/local/bin/dynmotd
echo "
# Dynamic Sysstats at each login
/usr/local/bin/dynmotd
" >> /etc/profile
unlink /etc/motd</pre>
<br />
Remove the cron job for motd, which is not needed anymore. Disable PrintMotd in sshd_config and make sure pam_motd.so is disabled in pam.d. On a fresh LinuxAMI these commands do the job:<br />
<br />
<pre style="background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); padding: 1em;">rm -f /etc/cron.daily/update-motd
sed -i 's/#PrintMotd\ yes/PrintMotd\ no/g' /etc/ssh/sshd_config</pre>
<br />
Now you can use figlet, for example, and change your banner text in /usr/local/bin/dynmotd. You could also use this instead of "echo 'TEXT'" in your /usr/local/bin/dynmotd:<br />
<br />
<pre style="background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); padding: 1em;">figlet `hostname -s`</pre>
Cross-Region: Redundant VPN between Regions with Openswan and Nagios NRPE (2013-09-23)<br />
<br />
Introduction:<br />
<br />
I am new to scripting so you will most likely be able to improve my scripts :)<br />
<br />
I am working on an interesting cross-region project right now. We will have 1 ELB with 4 ejabberd nodes in each region. With Route 53 latency-based records I want to redirect the mobile app to the nearest region.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir9tHY12y1A9e3ZqgDZ6RAdvJJXty-8sTp43DE48eW10vhMwsjFXWgW5v9osPqiL-StO61jwdyR1LqGH0275nIWaE_yLnHGRXXe7gich5Sx89srAZgDkRlMlC8rfu-JSs3DlsN5QVwfBKA/s1600/show.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir9tHY12y1A9e3ZqgDZ6RAdvJJXty-8sTp43DE48eW10vhMwsjFXWgW5v9osPqiL-StO61jwdyR1LqGH0275nIWaE_yLnHGRXXe7gich5Sx89srAZgDkRlMlC8rfu-JSs3DlsN5QVwfBKA/s1600/show.png" height="171" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
It's an ejabberd chat app which, of course, needs to be in the same private subnet for clustering and replication. So I will set up 2 Openswan VPN servers and 1 vpn-watcher in each region. Additionally I also set up an ejabberd-watcher which will monitor and event-handle the ejabberd cluster, and the watchers will monitor and event-handle each other.</div>
<div class="separator" style="clear: both; text-align: left;">
If 1 tunnel goes down, the vpn-watcher will check which route is active and replace it if needed.</div>
<div class="separator" style="clear: both; text-align: left;">
Because I am lazy, and I'll run health checks every 5 seconds, I want to keep the configuration as simple as possible and the health checks as few as possible. So I'll handle the VPN tunnels as 2 tunnel groups instead of handling every tunnel by itself.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS1a7CVy86WXnTOWDLhAQMu0jy6jZxFOv3dbSqHyM_Xcut6zLIRaltYBL05zJ7XVrw_V6oHCHZKzTrzQJLQqjToFC80Ph9F3k7BsD03PiDqMPJ7FdOmqsRo_jyRntsdsHr80skNKEV6dts/s1600/show3.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS1a7CVy86WXnTOWDLhAQMu0jy6jZxFOv3dbSqHyM_Xcut6zLIRaltYBL05zJ7XVrw_V6oHCHZKzTrzQJLQqjToFC80Ph9F3k7BsD03PiDqMPJ7FdOmqsRo_jyRntsdsHr80skNKEV6dts/s1600/show3.png" /></a></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGJ3Nj1rvuFr8cVf5p9Fyg6dSKx3fYK6Fnz3POVXr1lLQYIVY-EQh7NOD8Bx-JP-9R_j01kXlOsSLyqkP-ED3Yz-x2Yo2xQw67EltNEW4RhUIJLGQvMQymJkZRfYgOAvIiD7z3mqJnP_qY/s1600/show2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGJ3Nj1rvuFr8cVf5p9Fyg6dSKx3fYK6Fnz3POVXr1lLQYIVY-EQh7NOD8Bx-JP-9R_j01kXlOsSLyqkP-ED3Yz-x2Yo2xQw67EltNEW4RhUIJLGQvMQymJkZRfYgOAvIiD7z3mqJnP_qY/s1600/show2.png" height="200" width="174" /></a><br />
<div class="separator" style="clear: both; text-align: left;">
Security Rules:</div>
<table>
<tr><th>Security Group</th><th>Ports</th><th>From</th></tr>
<tr><td>project-vpn</td><td>500, 4500</td><td>region{a,b,c}-vpn{1,2}</td></tr>
<tr><td>project-watcher</td><td>ECHO REQUEST, 5666</td><td>project-watcher</td></tr>
<tr><td>project-replication</td><td>ports needed for replication</td><td>project-replication</td></tr>
</table>
<br />
<div class="separator" style="clear: both; text-align: left;">
Servers:</div>
<table>
<tr><th>Server</th><th>Security Groups</th></tr>
<tr><td>VPN</td><td>project-vpn, project-watcher, project-replication</td></tr>
<tr><td>WATCHER</td><td>project-watcher</td></tr>
<tr><td>APP-SERVER</td><td>project-replication, project-watcher</td></tr>
</table>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This excellent HowTo explains how to set up the Openswan VPN tunnel:</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://aws.amazon.com/articles/5472675506466066" target="_blank">AWS Region-Region VPN</a></div>
<div class="separator" style="clear: both; text-align: left;">
I also added the following to /etc/sysctl.conf:</div>
<pre style="background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); padding: 1em;"># protect routing table from ICMP redirect packets
net.ipv4.conf.all.accept_redirects = 0
# Enable Logging
net.ipv4.conf.all.log_martians = 1
# Openswan
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0</pre>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
VPN-Watcher:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li>Create an IAM role and give it permissions only for describe-routes and replace-route:</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWhP_gA9yGvL1UIptFvyFo3g7mMBciOk62b4kF6a1PqIWB4Rs6m_WD0o5SZt9RRjGF8OLPmrByLAwP7vr1CoVJLELI1U9zWNst0A3NMP2umLYZ-zXHDFfnVzRvhNcjaAkKf0urGCbiUmhR/s1600/create-role.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWhP_gA9yGvL1UIptFvyFo3g7mMBciOk62b4kF6a1PqIWB4Rs6m_WD0o5SZt9RRjGF8OLPmrByLAwP7vr1CoVJLELI1U9zWNst0A3NMP2umLYZ-zXHDFfnVzRvhNcjaAkKf0urGCbiUmhR/s1600/create-role.png" height="120" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
- EC2</div>
<div class="separator" style="clear: both; text-align: left;">
- Use the policy generator for the permissions and select only describe-routes and replace-route</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li>Launch an AWS Linux instance with the watcher role and attach an EIP to it</li>
<li>Install Nagios and NRPE:</li>
</ul>
<pre style="background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); padding: 1em;">$ sudo yum -y install nagios nagios-plugins-all nagios-plugins-nrpe nrpe php httpd
$ sudo sh -c "chkconfig httpd on && chkconfig nagios on && chkconfig nrpe on && chkconfig postfix on"</pre>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li>Configure postfix</li>
</ul>
<div>
<a href="http://docs.aws.amazon.com/ses/latest/DeveloperGuide/postfix.html" target="_blank">postfix SES configuration</a></div>
<ul>
<li>Configure Nagios</li>
</ul>
<div>
Add your mail address in contacts.cfg; you should also delete the line about notifications for linux-servers in templates.cfg.<br />
<br />
Change the health check interval: you can either change interval_length in nagios.cfg or define it on the service, or both. Here is a good explanation:<br />
<a href="http://serverfault.com/questions/329125/nagios-check-service-frequency-based-on-service-status" target="_blank">nagios-check-service-frequency-based-on-service-status</a><br />
<br />
Add these commands to commands.cfg:</div>
<div>
<br /></div>
<div>
<pre style="background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); padding: 1em;"># nrpe
define command{
    command_name check_nrpe
    command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}

define command{
    command_name vpn1-handler
    command_line /usr/lib64/nagios/plugins/eventhandlers/event_handler_ipsec_01 $SERVICESTATE$ $SERVICESTATETYPE$ $SERVICEATTEMPT$
}

define command{
    command_name vpn2-handler
    command_line /usr/lib64/nagios/plugins/eventhandlers/event_handler_ipsec_02 $SERVICESTATE$ $SERVICESTATETYPE$ $SERVICEATTEMPT$
}</pre>
<br />
Add your Hosts</div>
<div>
<div>
/etc/nagios/conf.d/region-vpn-01.cfg</div>
<div>
<br /></div>
<div>
<pre style="background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); padding: 1em;">define host {
    use             linux-server
    host_name       region-vpn-01
    alias           region-vpn-01
    address         999.99.99.999
}
define service {
    use                 generic-service
    host_name           region-vpn-01
    service_description IPSEC
    check_command       check_nrpe!check_ipsec
    max_check_attempts  4
    event_handler       vpn1-handler
}
define service {
    use                 generic-service
    host_name           region-vpn-01
    service_description Current Load
    check_command       check_local_load!5.0,4.0,3.0!10.0,6.0,4.0
}</pre></div>
<div>
<br /></div>
<div>
Add the event_handler scripts</div>
</div>
<div>
<span style="color: #333333; font-family: Monaco, Menlo, Consolas, Courier New, monospace;"><span style="font-size: 12px; line-height: 16px; white-space: pre-wrap;"><br /></span></span></div>
<div>
<pre style="background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); padding: 1em;">$ wget https://raw.github.com/peterromfeldhk/nagios/master/change_vpn-tunnel
$ for i in `seq 1 2`; do cp change_vpn-tunnel /usr/lib64/nagios/plugins/change_tunnel$i; done
$ wget https://raw.github.com/peterromfeldhk/nagios/master/handler_nrpe
$ for i in `seq 1 2`; do cp handler_nrpe /usr/lib64/nagios/plugins/eventhandlers/event_handler_ipsec_0$i; done
$ sed -i "s/change_tunnel1/change_tunnel2/g" /usr/lib64/nagios/plugins/eventhandlers/event_handler_ipsec_02</pre></div>
<div>
<br /></div>
<div>
Edit the change_tunnel scripts. I use them hardcoded without variables, so you may need to adjust them a bit more. I always use +x in the first line to troubleshoot scripts :)</div>
<div>
<br /></div>
<div>
Example:</div>
<div>
<br /></div>
<div>
Like I already said, I am using 2 tunnel groups. Here is a roadmap, an example routing and an example config:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIrMrbKM7sAGGGFf_uHueCu_aa6e87CLpH3Za9uC9KHrCe6i72j9vqzeEtI9OBgED2HJTybVK8gsriHchgUIGGxSRVj4KCfabb5yIjYTIx5Fg14b73COkTrLVpwaEELQVCAkmRoqMlFmnz/s1600/legend.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIrMrbKM7sAGGGFf_uHueCu_aa6e87CLpH3Za9uC9KHrCe6i72j9vqzeEtI9OBgED2HJTybVK8gsriHchgUIGGxSRVj4KCfabb5yIjYTIx5Fg14b73COkTrLVpwaEELQVCAkmRoqMlFmnz/s1600/legend.png" height="228" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAhwQEayX_g7mGACLF87JfRZXTkgR2xI45odTImx-y4ESYog-id48sgHMOR5fafuOiJg3UdObbRARk3JxQKPRAcjxSg-QJs7jEP00NZB7Y_wdlHBOWxP1CibzALSDxQ3O2PvvOH58nPzrZ/s1600/tunnelgroup1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAhwQEayX_g7mGACLF87JfRZXTkgR2xI45odTImx-y4ESYog-id48sgHMOR5fafuOiJg3UdObbRARk3JxQKPRAcjxSg-QJs7jEP00NZB7Y_wdlHBOWxP1CibzALSDxQ3O2PvvOH58nPzrZ/s1600/tunnelgroup1.png" height="80" width="320" /></a></div>
<div>
<div>
<br /></div>
<div>
Example for handling "region1-vpn1":</div>
<div>
<br /></div>
<pre style="background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); padding: 1em;">MYREGION=us-east-1
OTHERREG=eu-west-1
THIRDREG=ap-northeast-1
OTHERIID=iid-12
SECIID=iid-22
THIRDIID=iid-32
MYIP="10.1.0.1"
MYCIDR="10.1.0.0/16"
OTHERCIDR="10.2.0.0/16"
THIRDCIDR="10.3.0.0/16"
MYTABLEID=rtb-1
OTHERTABLE=rtb-2
THIRDTABLE=rtb-3</pre>
</div>
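As an added example (not the author's handler_nrpe or change_tunnel scripts from GitHub), here is what event_handler_ipsec_01 for region1-vpn1 could look like using the variables above. It assumes the AWS CLI is installed on the watcher and picks up the role credentials, that OTHERIID, SECIID and THIRDIID are the tunnel-group-2 VPN instances of the three regions, and that VPN1_HOST is a placeholder for region-vpn-01's address.

```shell
#!/bin/sh
# Added example, not the post's handler_nrpe / change_tunnel scripts.
# Nagios event handler for the IPSEC service of region1-vpn1 (tunnel group 1).
# Nagios calls it as:
#   event_handler_ipsec_01 $SERVICESTATE$ $SERVICESTATETYPE$ $SERVICEATTEMPT$
# Uses the AWS CLI (assumed installed); credentials come from the watcher's IAM
# role, which needs only ec2:DescribeRouteTables and ec2:ReplaceRoute.
# All ids, CIDRs and hostnames are placeholders from the variable list above.

MYREGION=us-east-1;      MYTABLEID=rtb-1;    MYCIDR="10.1.0.0/16"
OTHERREG=eu-west-1;      OTHERTABLE=rtb-2;   OTHERCIDR="10.2.0.0/16"; SECIID=iid-22
THIRDREG=ap-northeast-1; THIRDTABLE=rtb-3;   THIRDCIDR="10.3.0.0/16"; THIRDIID=iid-32
OTHERIID=iid-12                 # this region's vpn2, the tunnel-group-2 instance
VPN1_HOST=ip.of.region-vpn-01   # placeholder: NRPE address of the failed VPN server
MAX_ATTEMPTS=4                  # max_check_attempts of the IPSEC service
NRPE=/usr/lib64/nagios/plugins/check_nrpe

# decide STATE TYPE ATTEMPT -> restart | failover | noop
# SOFT failures are transient at a 5 s check interval, so the handler first
# tries an ipsec restart through NRPE (attempt MAX-1) and only moves the
# routes once the service has gone HARD CRITICAL.
decide() {
  case "$1/$2" in
    CRITICAL/SOFT) [ "$3" -eq $((MAX_ATTEMPTS - 1)) ] && echo restart || echo noop ;;
    CRITICAL/HARD) echo failover ;;
    *)             echo noop ;;
  esac
}

# current_target TABLE CIDR REGION -> instance id the route for CIDR points to
current_target() {
  aws ec2 describe-route-tables --region "$3" --route-table-ids "$1" --output text \
    --query "RouteTables[0].Routes[?DestinationCidrBlock=='$2'].InstanceId"
}

# point_route TABLE CIDR IID REGION
point_route() {
  aws ec2 replace-route --region "$4" --route-table-id "$1" \
    --destination-cidr-block "$2" --instance-id "$3"
}

# Move every route that used tunnel group 1 to the tunnel-group-2 instances,
# but only where it does not already point there ("check which route is
# active and replace it if needed"), so repeated handler runs are harmless.
failover() {
  for spec in "$MYTABLEID $OTHERCIDR $OTHERIID $MYREGION" \
              "$MYTABLEID $THIRDCIDR $OTHERIID $MYREGION" \
              "$OTHERTABLE $MYCIDR $SECIID $OTHERREG" \
              "$THIRDTABLE $MYCIDR $THIRDIID $THIRDREG"; do
    set -- $spec
    cur=$(current_target "$1" "$2" "$4")
    if [ "$cur" = "$3" ]; then
      echo "$1: $2 already via $3"
    else
      point_route "$1" "$2" "$3" "$4" && echo "$1: $2 moved from ${cur:-none} to $3"
    fi
  done
}

# Only act when Nagios passes its three macros; without arguments the script
# just defines the functions above.
if [ $# -eq 3 ]; then
  case "$(decide "$1" "$2" "$3")" in
    restart)  "$NRPE" -H "$VPN1_HOST" -c restart_ipsec ;;
    failover) failover ;;
  esac
fi
```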
<div>
<br /></div>
<div>
Hope this explanation is good enough, please email me if not!</div>
<div>
<br /></div>
<div>
<ul>
<li>configure NRPE on VPN-servers</li>
</ul>
<pre style="background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); padding: 1em;">$ sudo yum install nagios-plugins-all nagios-plugins-nrpe nrpe
$ sudo chkconfig nrpe on
$ wget https://raw.github.com/peterromfeldhk/nagios/master/check_ipsec
$ sudo mv check_ipsec /usr/lib64/nagios/plugins/
$ sudo sh -c "echo 'tunnelname1 rightip1' > /usr/lib64/nagios/plugins/gateways.txt && echo 'tunnelname2 rightip2' >> /usr/lib64/nagios/plugins/gateways.txt"
$ sudo sed -i "s/allowed_hosts=127.0.0.1/allowed_hosts=IP.OF.VPN.WATCHER/g" /etc/nagios/nrpe.cfg
$ sudo sh -c "echo 'command[check_ipsec]=sudo /usr/lib64/nagios/plugins/check_ipsec --tunnels 2' >> /etc/nagios/nrpe.cfg"
$ sudo sh -c "echo 'command[restart_ipsec]=sudo /etc/init.d/ipsec restart' >> /etc/nagios/nrpe.cfg"</pre>
</div>
<div>
<br /></div>
<div>
As root:</div>
<div>
comment out "Defaults requiretty" in /etc/sudoers so the NRPE commands can run through sudo without a TTY,</div>
<div>
and create a NOPASSWD sudoers entry for the nrpe user:</div>
<div>
<br /></div>
<div>
<pre style="background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); padding: 1em;"># vim /etc/sudoers.d/nrpe
Cmnd_Alias IPSEC = /usr/lib64/nagios/plugins/check_ipsec
Cmnd_Alias RESEC = /etc/init.d/ipsec restart
nrpe ALL=NOPASSWD:IPSEC, RESEC
# chmod 400 !$</pre></div>
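As an added example (not the author's check_ipsec from GitHub), an NRPE plugin with the same interface as the one configured above: it reads the "tunnelname rightip" lines from gateways.txt, looks each connection up in the Openswan status output and exits with the Nagios OK/CRITICAL codes. The tunnel names, gateway IPs and status lines embedded in it are constructed samples.

```shell
#!/bin/sh
# Added example, not the post's check_ipsec script: an NRPE plugin in the same
# spirit.  It reads "tunnelname rightip" lines from gateways.txt, looks each
# connection up in the output of "ipsec auto --status" (Openswan) and reports
# Nagios OK/CRITICAL depending on how many IPsec SAs are established.
# Run on the VPN server as: check_ipsec --tunnels 2

GATEWAYS_FILE=/usr/lib64/nagios/plugins/gateways.txt

# Constructed sample data (not captured from a real host) so the functions can
# be exercised offline: tunnel1 has a Phase-2 SA, tunnel2 only a Phase-1 SA.
SAMPLE_GATEWAYS='tunnel1 203.0.113.10
tunnel2 203.0.113.20'
SAMPLE_STATUS='000 #1: "tunnel1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1200s; newest ISAKMP; idle
000 #2: "tunnel1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2400s; newest IPSEC; eroute owner; isakmp#1; idle
000 #3: "tunnel2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 900s; newest ISAKMP; idle'

# established NAME STATUS -> true if connection NAME has an IPsec (Phase 2) SA.
# A Phase-1 (ISAKMP) SA alone means the tunnel carries no traffic yet.
established() {
  printf '%s\n' "$2" | grep -q "\"$1\":.*IPsec SA established"
}

# check_tunnels STATUS GATEWAYS EXPECTED -> prints a Nagios status line and
# returns 0 (OK) when at least EXPECTED tunnels are up, else 2 (CRITICAL).
check_tunnels() {
  status=$1; gateways=$2; expected=$3
  up=0; down=""
  while read -r name rightip; do
    [ -z "$name" ] && continue                 # skip blank lines
    case "$name" in "#"*) continue ;; esac     # skip comments
    if established "$name" "$status"; then
      up=$((up + 1))
    else
      down="$down $name($rightip)"
    fi
  done <<EOF
$gateways
EOF
  if [ "$up" -ge "$expected" ]; then
    echo "IPSEC OK - $up/$expected tunnels up"
    return 0
  fi
  echo "IPSEC CRITICAL - $up/$expected tunnels up, down:$down"
  return 2
}

# Real invocation (needs root for "ipsec auto --status", hence the sudo rule
# in /etc/sudoers.d/nrpe).  Without arguments only the functions are defined.
if [ "${1:-}" = "--tunnels" ] && [ -n "${2:-}" ]; then
  check_tunnels "$(ipsec auto --status 2>/dev/null)" "$(cat "$GATEWAYS_FILE")" "$2"
  exit $?
fi
```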
<div>
<ul>
<li>testing and troubleshooting</li>
</ul>
<div>
Check first whether NRPE works without arguments, e.g.</div>
<div>
<pre style="background-color: #f9f9f9; border: 1px dashed rgb(47, 111, 171); padding: 1em;">/usr/lib64/nagios/plugins/check_nrpe -H ip.of.target.x</pre></div>
</div>
<div>
<div>
If it works it should print the NRPE version; if not, the problem is most likely port 5666 (check the security group).</div>
</div>
<div>
If it works without arguments but not with them, the cause is most likely the sudoers configuration.</div>