windows

Use DISM and Powershell to strip Win2k12r2 Installation

icinga, linux, monitoring, nconf, pnp4nagios

Monitoring Part 1 (icinga, nconf, pnp4nagios)

Maintaining a good and reliable monitoring infrastructure with icinga/nagios configuration files can be a pain in the ass. When you have finished part 1 of this tutorial, you will be able to configure your icinga infrastructure with a nice web interface called NConf.

Requirements:

  • Debian Wheezy
  • Icinga from Wheezy Backports repository
  • Percona Server 5.5 from the official Percona Repository
  • Of course general Linux Skills

Topics:

  • setting up repositories
  • install all necessary packages
  • enable idoutils and pnp4nagios
  • configure nagios user and create ssh key
  • install and configure nconf
  • switch from default icinga configuration to nconf compiled configuration
  • generate and deploy your first icinga config with the nconf web interface

Let’s start:

setting up repositories

install all necessary packages

enable idoutils and pnp4nagios

configure nagios user and create ssh key (we do not use nrpe or any other daemons on the clients, all checks should be invoked via ssh)

install and configure nconf

switch from default icinga configuration to nconf compiled configuration

generate and deploy your first icinga config with the nconf web interface
open a web browser and go to http://your.ip/nconf
click „Generate Nagios config”
execute the „deploy_prod.sh“ script to deploy your new config

open a web browser and go to http://your.ip/icinga
general overview:
click on „Host Detail”
click on „Service Detail”
click on the icon next to „check_ping“, it will open the pnp4nagios page for this check

That's it:

Now you are able to add hosts, services etc. to your icinga installation. Keep in mind to press the „Generate Nagios config“ button and execute the deploy script after modifying anything in nconf. 

dhcp, linux

do not set a default route even if the dhcp server offers one

Here is a small hint if you ever face a setup where you have to configure multiple internet providers using different default routes: this disables setting a default route.

nginx, ssl

SSL with nginx

This blog receives a 100%/A+ score in the ssllabs.com SSL tests.


To get this score follow some simple rules:

  • generate your CSR with the openssl -sha256 option (you need sha256, otherwise you will get a warning)
  • disable all protocols except TLSv1.2 (you have to disable all other protocols to get a 100% score in „protocol support“)
  • use a web server (this blog uses nginx) which is capable of handling dhparam files (you need this to get a 100% score in „key exchange“)
  • use the following cipher suite to receive a 100% score in „cipher strength“ (AES256+EECDH:AES256+EDH:!aNULL)
  • add an HSTS header with a long max-age to get A+ (add_header Strict-Transport-Security max-age=63072000;)
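
An added example, not from the original post: a shell function that audits an nginx configuration against those rules above that are visible in the config (protocols, dhparam, cipher suite, HSTS). The CSR hash is chosen when the request is generated and is not checked here; both sample configurations are constructed and the file paths in them are placeholders.

```bash
# Constructed sample: a server block that follows the rules above (paths are placeholders).
hardened_conf() {
cat <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_protocols       TLSv1.2;
    ssl_dhparam         /etc/nginx/ssl/dhparam.pem;
    ssl_ciphers         AES256+EECDH:AES256+EDH:!aNULL;
    add_header Strict-Transport-Security max-age=63072000;
}
EOF
}

# Constructed sample: legacy protocols, dhparam commented out, broad ciphers, no HSTS.
weak_conf() {
cat <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ciphers   HIGH:!aNULL;
}
EOF
}

# audit_nginx_tls: reads an nginx config on stdin, prints one name per violated
# rule, and exits 0 only if every rule is met. Runs in a subshell, so the helper
# functions and variables do not leak into the caller.
audit_nginx_tls() (
    conf=$(sed 's/#.*//')   # drop comments so commented-out directives do not count
    fails=0
    has()  { printf '%s\n' "$conf" | grep -Eq "$1"; }
    flag() { echo "$1"; fails=$((fails + 1)); }

    # TLSv1.2 must be the only protocol listed
    has '^[[:space:]]*ssl_protocols[[:space:]]+TLSv1\.2[[:space:]]*;' || flag protocols
    # a dhparam file must be configured
    has '^[[:space:]]*ssl_dhparam[[:space:]]+[^;[:space:]]+[[:space:]]*;' || flag dhparam
    # the cipher string from the list above (fixed-string match, it contains + and !)
    printf '%s\n' "$conf" | grep -E '^[[:space:]]*ssl_ciphers[[:space:]]' \
        | grep -Fq 'AES256+EECDH:AES256+EDH:!aNULL' || flag ciphers
    # HSTS header with a max-age value
    has 'add_header[[:space:]]+Strict-Transport-Security[[:space:]]+"?max-age=[0-9]+' || flag hsts
    [ "$fails" -eq 0 ]
)

echo "weak:";     weak_conf     | audit_nginx_tls || true
echo "hardened:"; hardened_conf | audit_nginx_tls && echo "all rules met"
```

To audit a real file, pipe it in: `audit_nginx_tls < /path/to/site.conf`. The comment stripping is line-based and does not understand `#` inside quoted strings.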
cryptsetup, linux

setting up an encrypted root server

Never trust anyone when it comes to protecting your private data. If you plan to rent a server and store sensitive data on it, you should not trust preinstalled operating systems. So I decided to write a guide for setting up an encrypted root server.

Requirements:

  • rent a root server (e.g. www.hetzner.de)
  • choose Debian GNU/Linux Wheezy 64bit as preinstalled Operating System
  • your ssh public key
  • linux skills

Topics:

  • install and configure grml-rescueboot to boot grml into RAM
  • partitioning with parted
  • setting up LUKS for the root and swap file system
  • bootstrapping Debian GNU/Linux Wheezy 64bit
  • configure the bootstrapped Operating System
  • connect to initramfs and decrypt/mount the root device

Let’s start:

Connect to your freshly installed server via ssh

Install and configure grml-rescueboot to boot grml into RAM

partitioning with parted

setting up LUKS for the root and swap filesystem

bootstrapping Debian GNU/Linux Wheezy 64bit

configure the bootstrapped Operating System

connect to initramfs and decrypt/mount the root device

That's it:

Enjoy your fresh encrypted root server!
