Install Pandora FMS monitoring system on CentOS

So for many years I have used Nagios to monitor my servers, and by now I would say I can handle the Nagios config files well. But I found Pandora FMS monitoring, and this I had to try.

From the Pandora console it is much easier to set up new tasks from the web browser and tweak them so your alarms really are correct. Doing this in Nagios meant changing config files and restarting Nagios and NRPE.

So here is a small guide to install and set up a basic Pandora FMS monitoring.

Download the console, server, client (agent) AND wmic packages.
The URLs contain & characters, so quote them; otherwise the shell backgrounds wget and cuts the URL short. With -O each file is saved directly under its .rpm name.

wget -O pandorafms_agent_unix-5.0SP3-1.noarch.rpm 'http://downloads.sourceforge.net/project/pandora/Pandora%20FMS%205.0/FinalSP3/RHEL_CentOS/pandorafms_agent_unix-5.0SP3-1.noarch.rpm?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fpandora%2Ffiles%2FPandora%2520FMS%25205.0%2FFinalSP3%2FRHEL_CentOS%2F&ts=1395336652&use_mirror=heanet'
wget -O pandorafms_server-5.0SP3-1.noarch.rpm 'http://downloads.sourceforge.net/project/pandora/Pandora%20FMS%205.0/FinalSP3/RHEL_CentOS/pandorafms_server-5.0SP3-1.noarch.rpm?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fpandora%2Ffiles%2FPandora%2520FMS%25205.0%2FFinalSP3%2FRHEL_CentOS%2F&ts=1395336686&use_mirror=freefr'
wget -O pandorafms_console-5.0SP3-1.noarch.rpm 'http://downloads.sourceforge.net/project/pandora/Pandora%20FMS%205.0/FinalSP3/RHEL_CentOS/pandorafms_console-5.0SP3-1.noarch.rpm?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fpandora%2Ffiles%2FPandora%2520FMS%25205.0%2FFinalSP3%2FRHEL_CentOS%2F&ts=1395336727&use_mirror=skylink'
wget -O wmic-4.0.0SVN-2.1.el5.centos.noarch.rpm 'http://downloads.sourceforge.net/project/pandora/Tools%20and%20dependencies%20%28All%20versions%29/RPM%20CentOS%2C%20RHEL/wmic-4.0.0SVN-2.1.el5.centos.noarch.rpm?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fpandora%2Ffiles%2FTools%2520and%2520dependencies%2520%28All%2520versions%29%2FRPM%2520CentOS%2C%2520RHEL%2F&ts=1395337829&use_mirror=garr'

If you ran wget without -O, the files are saved with the query string in their names. Rename them so the name ends in .rpm:

mv pandorafms_console-5.0SP3-1.noarch.rpm\?r\=http\:%2F%2Fsourceforge.net%2Fprojects%2Fpandora%2Ffiles%2FPandora%20FMS%205.0%2FFinalSP3%2FRHEL_CentOS%2F pandorafms_console-5.0SP3-1.noarch.rpm
mv pandorafms_server-5.0SP3-1.noarch.rpm\?r\=http\:%2F%2Fsourceforge.net%2Fprojects%2Fpandora%2Ffiles%2FPandora%20FMS%205.0%2FFinalSP3%2FRHEL_CentOS%2F pandorafms_server-5.0SP3-1.noarch.rpm
mv pandorafms_agent_unix-5.0SP3-1.noarch.rpm\?r\=http\:%2F%2Fsourceforge.net%2Fprojects%2Fpandora%2Ffiles%2FPandora%20FMS%205.0%2FFinalSP3%2FRHEL_CentOS%2F pandorafms_agent_unix-5.0SP3-1.noarch.rpm
mv wmic-4.0.0SVN-2.1.el5.centos.noarch.rpm\?r\=http\:%2F%2Fsourceforge.net%2Fprojects%2Fpandora%2Ffiles%2FTools%20and%20dependencies%20\(All%20versions\)%2FRPM%20CentOS\,%20RHEL%2F wmic-4.0.0SVN-2.1.el5.centos.noarch.rpm

Now we have the 4 packages that we need. Let's install them. IMPORTANT: do this in the correct order.

1. sudo yum localinstall pandorafms_console-5.0SP3-1.noarch.rpm
2. sudo yum localinstall wmic-4.0.0SVN-2.1.el5.centos.noarch.rpm
3. sudo yum localinstall pandorafms_server-5.0SP3-1.noarch.rpm
4. sudo yum localinstall pandorafms_agent_unix-5.0SP3-1.noarch.rpm

Config Pandora console

Now that the packages are installed, it is time to set up the Pandora console, server and client.
Start a web browser and go to your pandora_console at http://hostname/pandora_console

There, enter your MySQL details and let Pandora install itself into your MySQL database.

Config Pandora Server

Next up is to set up the Pandora server.
Open the file

vi /var/www/html/pandora_console/include/config.php

and COPY the MySQL password from that file.

Open the file

vi /etc/pandora/pandora_server.conf

and PASTE the MySQL password in the correct place.

Restart your Pandora server

/etc/init.d/pandora_server restart
/etc/init.d/tentacle_serverd restart

Pandora Client

Open the file

vi /etc/pandora/pandora_agent.conf

Change the IP to your Pandora server's IP.

Restart the Pandora client and the Pandora server daemon.

Then, for every new host you would like to add, only install the Pandora client and change the IP. All of your servers will then show up in the pandora_console.

Protecting your web with ModSecurity on CentOS

So if you worry about your web, then ModSecurity is really nice to have on your web server. I have it installed on my Apache server with the regular rules from OWASP and also some rules for my own sites.
Here is also how to install it.

1. Download and build modsec on your server

Add some packages

yum install gcc make
yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel

Go to http://www.modsecurity.org/ and get the latest package

wget https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7.tar.gz
tar zxvf modsecurity-apache_2.7.7.tar.gz
cd modsecurity-apache_2.7.7

Then build it and copy the config (unicode.mapping sits in the unpacked directory you are already in)

./configure
make install
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
cp unicode.mapping /etc/httpd/conf.d

Add this to the top of the file /etc/httpd/conf.d/modsecurity.conf

LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
<IfModule security2_module>

And change the rule engine from DetectionOnly (the default in the recommended file, which only logs matches) to

SecRuleEngine On

so that matching requests are actually blocked. Also, at the bottom of the file, close the module

</IfModule>

OK, now we should have a working ModSecurity up and running. But we don't have any rules yet.

2. Adding rules

Go to https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Download the rules and untar the file.
Move the content of the folder into /etc/httpd/modsec (the unpacked directory name carries the commit you downloaded, so it may differ from the one below)

wget https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
tar zxvf master
mv SpiderLabs-owasp-modsecurity-crs-7528b8b/ /etc/httpd/modsec
mv /etc/httpd/modsec/modsecurity_crs_10_setup.conf.example /etc/httpd/modsec/activated_rules/modsecurity_crs_10_setup.conf

Now activate your modsec folder: open the file /etc/httpd/conf.d/modsecurity.conf again

and add at the bottom, INSIDE the IfModule block,

Include modsec/activated_rules/*.conf

Now we have a working modsec installation with some basic rules.
To add rules, link them into the activated_rules folder

like this

One rule

 ln -s /etc/httpd/modsec/base_rules/modsecurity_crs_35_bad_robots.conf /etc/httpd/modsec/activated_rules/

All rules in the folder

 ln -s /etc/httpd/modsec/base_rules/* /etc/httpd/modsec/activated_rules/

Don't forget that some rules need their .data file as well, or httpd will refuse to start.
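An added example (my code, not from the post or the CRS project) that links a rule and the .data files it references in one go, and reports any activated rule whose data file is missing; it assumes the /etc/httpd/modsec layout from the post, overridable through MODSEC.

```shell
#!/bin/sh
# Added example, not from the post: activate CRS rule files together with the
# .data files they reference, and report any activated rule whose data file is
# missing. Assumes the post's layout under /etc/httpd/modsec (base_rules/ and
# activated_rules/); set MODSEC to point elsewhere.
MODSEC=${MODSEC:-/etc/httpd/modsec}

# Print the .data file names referenced by one rule file (e.g. @pmFromFile x.data).
data_files_of() {
    grep -o '[A-Za-z0-9_.-]*\.data' "$1" | sort -u
}

# Link one rule from base_rules into activated_rules, plus its .data files.
activate_rule() {
    rule=$1
    src="$MODSEC/base_rules/$rule"
    [ -f "$src" ] || { echo "no such rule: $src" >&2; return 1; }
    ln -sf "$src" "$MODSEC/activated_rules/$rule"
    for d in $(data_files_of "$src"); do
        if [ -f "$MODSEC/base_rules/$d" ]; then
            ln -sf "$MODSEC/base_rules/$d" "$MODSEC/activated_rules/$d"
        else
            echo "warning: $rule references missing data file $d" >&2
        fi
    done
}

# Print "rule: datafile" for every activated rule whose .data file is absent;
# empty output means httpd will find everything the activated rules include.
missing_data() {
    for f in "$MODSEC"/activated_rules/*.conf; do
        [ -e "$f" ] || continue
        for d in $(data_files_of "$f"); do
            [ -e "$MODSEC/activated_rules/$d" ] || echo "$(basename "$f"): $d"
        done
    done
}
```

Run missing_data before restarting httpd; anything it prints is a rule that will fail to load.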

Build your first syco Module

So from the last post you can install syco, but you also need to build and update your own plugins in syco.
Here is a small guide on how to build your first plugin.

Here I am building some syco commands for controlling the Apache and GlassFish servers.
The commands are run from our syco-chuck release command center, so by adding them to syco I can control the script through sudo and do some extra tests before starting and stopping the service.

In syco/bin/public create a new file called sycochuck.py

Add some basic Python boilerplate

#!/usr/bin/env python
'''
Syco chuck commands to be translated to service commands.
The commands are then matched to the syco-chuck release system.
'''

__author__ = "matte@elino.se"
__copyright__ = "Copyright 2014, The System Console project"
__maintainer__ = "Daniel Lindh"
__email__ = "syco@cybercow.se"
__credits__ = ["Mattias Hemmingsson"]
__license__ = "???"
__version__ = "1.0.0"
__status__ = "Production"

from general import x

So now let's start making some functions

def build_commands(commands):
    commands.add("httpd-stop", httpd_stop, help="Stopping the apache web server.")

This is our build_commands function: httpd-stop is the command we will call from syco,
and httpd_stop is the function in this file that we want to run when we call the syco command. So let's make the function that we want to run.

def httpd_stop(args):
    '''
    Stopping the apache web server
    '''
    x("service httpd stop")

And now we have all the things we need, and your first syco function is done.

Run syco

[root@localhost ~]# syco

In the list this now shows up

hardening-ssh - Hardening SSH server and client. 
httpd-stop - stopping httpd server. 
httpd-toggle-mod-sec - Turn mod security on or off.

and if we run

[root@localhost ~]# syco httpd-stop
 System Console 0.3.0
 Command: service httpd restart
 Error: httpd: okänd tjänst
[root@localhost ~]#

As you can see we run my small function, and the x command is a common function that runs the command in bash.
On this server I did not have the httpd server installed, but you see how it works.

Now fork and start making your own scripts

Setup SYCO on your CentOS box

So if you care about security and stability, you must have syco installed on your server.
Read more about syco on the GitHub project https://github.com/systemconsole

I'm starting to use syco not only in production but also on my "own" servers.
So more of you should really start using it, and here is a guide for you to start using syco.

1. Installing and setting up CentOS

yum install git

Getting syco

cd /opt/
git clone https://github.com/systemconsole/syco.git

Getting your own custom settings (use the default template)

cd /opt/syco/syco-private
ln -s mod-template/ syco-private
cd /opt/syco/etc/
ln -s ../usr/syco-private/etc/install.cfg .
cd /opt/syco/bin/
./syco.py install-syco

Run the local installation

./syco.py install-local
 System Console 0.3.0
Enter the SYCO master password: 
Enter the SYCO master password: (again) 
Enter password for service "linux" with username "root":
Enter password for service "linux" with username "root":(again) 
Enter password for service "svn" with username "syscon":
Enter password for service "svn" with username "syscon":(again) 
Enter password for service "ldap" with username "admin":
Enter password for service "ldap" with username "admin":(again) 
Enter password for service "ldap" with username "sssd":
Enter password for service "ldap" with username "sssd":(again) 
Enter password for service "glassfish" with username "master":
Enter password for service "glassfish" with username "master":(again) 
Enter password for service "glassfish" with username "admin":
Enter password for service "glassfish" with username "admin":(again) 
Enter password for service "linux" with username "glassfish":
Enter password for service "linux" with username "glassfish":(again) 
Enter password for service "switch" with username "snmp":
Enter password for service "switch" with username "snmp":(again) 
Enter password for service "mysql" with username "root":
Enter password for service "mysql" with username "root":(again) 
Enter password for service "mysql" with username "monitor":
Enter password for service "mysql" with username "monitor":(again) 
Enter password for service "mysql" with username "backup":
Enter password for service "mysql" with username "backup":(again) 
Enter password for service "mysql" with username "integration":
Enter password for service "mysql" with username "integration":(again) 
Enter password for service "mysql" with username "stable":
Enter password for service "mysql" with username "stable":(again) 
Enter password for service "mysql" with username "uat":
Enter password for service "mysql" with username "uat":(again) 
Enter password for service "mysql" with username "production":
Enter password for service "mysql" with username "production":(again) 
 Install all commands defined in install.cfg for host localhost.localdomain.
 Error: No commands for this host.

As you see, I have NOT defined any commands for my host, so let's do that.

2. Setup syco to do its magic

Open the file /opt/syco/etc/install.cfg. This file holds your settings for the system,
and you should keep it in a secret location 🙂

So for this test I will set up my virtual test box. I added this to the end of my file; see below for comments on what each line does.

[localhost.localdomain.]
desc:My localhost virtual host
type: host
command01: syco iptables-setup
command02: syco hardening
command03: syco install-ntp-client
command04: syco install-mail-relay-client
#command05: syco install-clam
#command20: syco install-kvmhost
#command21: syco install-dhcp-server
#command22: syco install-guest install-sc
#command23: syco remote-install install-sc
#command24: syco install-guests
#command30: syco install-sssd
#command31: syco hardening-ssh

[localhost.localdomain.] <--- name: syco takes the host name and, if it matches, runs the commands
desc:My localhost virtual host
type: host <-- it's a host; if this is a guest, then when you run setup guest it will be created
command01: syco iptables-setup <-- first command to run, and commands that don't need the server to be up
command02: syco hardening
command03: syco install-ntp-client
command04: syco install-mail-relay-client
#command05: syco install-clam
#command20: syco install-kvmhost <--- commands starting with 20 are host-unique commands, e.g. kvmhost; you don't want all your servers to be KVM hosts. These are unique on every host, e.g. ldap-server, ntp-server and so on
#command21: syco install-dhcp-server
#command22: syco install-guest install-sc
#command23: syco remote-install install-sc
#command24: syco install-guests
#command30: syco install-sssd  <--- the commands run now install services that need the server to be up, or are waiting for servers to be up
#command31: syco hardening-ssh

So now I have set up syco to run commands 1-4 on my server. Let's run it.

[root@localhost bin]# ./syco.py install-local
 System Console 0.3.0
Verify the SYCO master password: 
 Install all commands defined in install.cfg for host localhost.localdomain.
 Command: su -c 'syco iptables-setup'
 Command: su -c 'syco hardening'
 Command: su -c 'syco install-ntp-client'
 Command: su -c 'syco install-mail-relay-client'
[root@localhost bin]#

3. FORK !!!

And now you have the start of syco up and running. Now go to the syco GitHub project, fork syco and start writing your own plugins.

Blocking unwanted traffic (DDoS, scrapers) with Apache and iptables

So I spent last evening blocking IPs coming from packetflip to our server. Looking in our Apache access log, there was some evil scraping going on, so we started blocking. But it's not much fun to block many IPs manually, so time for some scripts.

First some info to use

The packetflip user agent was

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022

And the requests were hitting the link

POST /search/22122/station?requestId

First

Some tailing and grepping to get out the IPs that match our request URL and user agent.

tail -n 1000 apache_access_log | grep "POST /search/22122/station?requestId" | grep "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022" | awk '{print $1}' | sort | uniq -c | awk '{print $2}'

Step two

Let's turn that into something we can act on

tail -n 1000 apache_access_log | grep "POST /search/22122/station?requestId" | grep "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022" | awk '{print $1}' | sort | uniq -c | awk '{system ("iptables -I INPUT 1 -s " $2 " -j DROP")}'

For every IP that matches, this runs an iptables DROP rule that blocks it.

Step three

The last step I tested with tail -f, but that did not work. So I made a bash loop.
I put the following content in a file and then ran the file

vi block.sh

Content

while sleep 40; do
    tail -n 300 apache_access_log | grep "POST /search/22122/station?requestId" | grep "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022" | awk '{print $1}' | sort | uniq -c | awk '{system ("iptables -I INPUT 1 -s " $2 " -j DROP")}'
done

This will run, and every 40 seconds it will tail the log and block the IPs that match the URL and user agent.

Done. Take a look in iptables now and then to see that new IPs are added.
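An added example (my code, not the block.sh from the post) doing the same job, with two changes a practitioner would want: an IP is only blocked once it passes a hit threshold, and a DROP rule is never inserted twice, so the INPUT chain does not fill with duplicates every 40 seconds. LOG, THRESHOLD and the IPTABLES variable are assumptions.

```shell
#!/bin/sh
# Added example, not the post's block.sh: same matching on URL + User-Agent, but
# an IP is only blocked once it passes a hit threshold, and a DROP rule is never
# inserted twice (checked with iptables -C). LOG, THRESHOLD and IPTABLES are
# assumptions and can be overridden from the environment.
LOG=${LOG:-/var/log/httpd/access_log}
URL='POST /search/22122/station?requestId'
UA='Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022'
THRESHOLD=${THRESHOLD:-5}
IPTABLES=${IPTABLES:-iptables}   # swap in a stub to exercise the logic without root

# Print (sorted) the client IPs with at least THRESHOLD matching requests among
# the last N log lines. grep -F matches literally, so "." and "(" in the user
# agent are not treated as regex metacharacters.
scraper_ips() {
    tail -n "${1:-300}" "$LOG" | grep -F "$URL" | grep -F "$UA" |
        awk -v min="$THRESHOLD" '{ hits[$1]++ }
             END { for (ip in hits) if (hits[ip] >= min) print ip }' | sort
}

# Insert a DROP rule for one IP unless the identical rule already exists.
block_ip() {
    if "$IPTABLES" -C INPUT -s "$1" -j DROP 2>/dev/null; then
        return 0                     # already blocked, nothing to add
    fi
    "$IPTABLES" -I INPUT 1 -s "$1" -j DROP && echo "blocked $1"
}

# One pass over the log; the post's loop becomes: while sleep 40; do block_pass; done
block_pass() {
    for ip in $(scraper_ips 300); do
        block_ip "$ip"
    done
}
```

Run the loop as root; iptables -L INPUT -n shows the rules it has added.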