Nagios Installation and Configuration: Part One

NagiosNagios is an open source computer system monitoring, network monitoring and infrastructure monitoring software application. It enables organizations to identify and resolve IT infrastructure problems before they affect critical business processes, and offers monitoring and alerting services. It alerts the users when things go wrong, and alerts them a second time when the problem has been resolved.

Nagios was originally designed to run under Linux, but it also runs well on other Unix variants. It is licensed under the terms of the GNU GPL version 2. It was originally created under the name NetSaint, and was written and maintained by Ethan Galstad along with a group of developers who are actively maintaining both the official (and unofficial) plugins. The name of NetSaint was changed in response to a legal challenge by owners of a similar trademark; Nagios is a recursive acronym which stands for “Nagios Ain’t Gonna Insist On Sainthood”.

Nagios includes the following capabilities, among others:

  • Monitoring of network services
  • Monitoring of host resources (processor load, disk usage, system logs) on a majority of network operating systems (including Microsoft Windows)
  • Monitoring of anything else like probes which have the ability to send collected data via a network to specifically written plugins
  • Monitoring via remotely run scripts via Nagios Remote Plugin Executor
  • Remote monitoring supported through SSH or SSL encrypted tunnels

Nagios Installation

The process of installing Nagios under Linux is fairly straightforward. First, you need to install some prerequisites, which you can get from the repositories. First, install Apache 2 and the Apache PHP libraries:

sudo apt-get install apache2
sudo apt-get install libapache2-mod-php5

Next, install the GCC compiler and development libraries:

sudo apt-get install build-essential

Finally, you need to install the GD 2 development libraries. With some distributions, you install it like this:

sudo apt-get install libdg2-dev

But with some newer distros (including Ubuntu 7.10 and above), the name of the gd2 library has changed:

sudo apt-get install libgd2-xpm-dev

Next, you need to set up the Nagios account. Start by becoming the root user:

sudo -s

Now create a new user and give it a password:

/usr/sbin/useradd -m -s /bin/bash/nagios
passwd nagios

On some distros, you may need to add a group, but on newer server versions of Ubuntu, you can skip this step:

/usr/sbin/groupadd nagios
/usr/sbin/usermod -G nagios nagios

In either case, you will need to create a new nagcmd group for allowing external commands to be submitted through the web interface, and to add the nagios user and the Apache user to the group:

/usr/sbin/groupadd nagcmd
/usr/sbin/usermod -a -G nagcmd nagios
/usr/sbin/usermod -a -G nagcmd www-data

Now you need to download the nagios souce code tarball from the download section of the official Nagios web site. You probably also want to download the plugins tarball as well. Unpack the tarball:

tar xzf nagios-4.0.8.tar.gz
cd nagios-4.0.8

Then run the configure script, passing the name of the group you created earlier:

./configure –with-command-group=nagcmd

Compile the source code:

make all

Next, install the binaries, init script, sample config files and set permissions on the external command directory:

make install
make install-init
make install-config
make install-commandmode

This takes care of Nagios installation. In the next article, we will cover installation of the plugins and configuration.

External Links:

The official Nagios site

Nagios on Wikipedia

Apache Server Hardening: Part Two

Apache server hardeningAfter you’ve patched and hardened your OS, you’ll need to accomplish a couple quick tasks prior to obtaining, compiling and installing the Apache software. A critical part of installing Apache is to provide a user account and group that will run the web server. It is important that the user and group you select to be unique and unprivileged to reduce exposure to attack.

It is important not to run your Apache web server as the user Nobody. Although this is often a system administrator favorite and seemingly unprivileged account for running Apache and other services, the Nobody account has historically been used for root-like operations in some OSes and should be avoided.

Configuring Accounts

Choose and configure a user and group account using the following Unix OS steps. In this example, we will use wwwusr and wwwgrp as the Apache username and group, respectively.

  1. As root from the command line, type groupadd wwwgrp to add a group.
  2. Type useradd -d /usr/local/apache/htdocs -g wwwgrp -c “Apache Account” -m wwwusr to add the user.

The second step creates the user account but also creates a home directory for the user in /usr/local/apache/htdocs.

After creating the user and group accounts, you’ll need to lock down the wwwusr user account for use with Apache. By locking the account and providing an unusable shell, this action ensures that no one can actually log into the Web server using the Apache account:

  1. As root from the command line, type passwd -l wwwusr to lock the Apache account.
  2. Type usermod -s /bin/false wwwusr to configure an unusable shell account for the Apache account.

Now you’re ready to get the Apache software and begin installation.

Downloading and Verifying Apache

Because Apache is open-source software, you can freely download the binaries or source code and get going with your installation. Although there are many locations from which you could download the software, it is always best to obtain the Apache software directly from an approved Apache Foundation mirror listed at the mirror list page of official Apache site.

You’ll need to decide whether to install the server using precompiled binaries or to compile the source code yourself. From a security and functionality perspective, it is usually better to obtain the source code and compile the software, since doing so permits fine-tuning of security features and business functionality. perspective, it is usually better to obtain the source code and compile the software, since doing so permits fine-tuning of security features and business functionality. Here we will discuss compiling the Apache server from source code, starting with verifying the integrity of your download.

To verify the checksum, you will need additional software called md5sum that might be part of your OS distribution. If it is not, you can download the software as part of GNU Coreutils available at the Coreutils page of the official GNU Operating System website. To verify the Apache checksum, perform the following steps. In this example, we’ll use Apache version 2.4.9:

  1. As root from the command line, change directories to where you downloaded the Apache source code tarball and checksum file.
  2. Type cat httpd-2.4.9.tar.gz.md5 to see the exact md5 checksum string. You should see something like f72fb1176e2dc7b322be16508isl39d httpd-2.4.9.tar.gz.
  3. from the same directory, type md5sum httpd-2.4.9.tar.gz.md5 to obtain the checksum from the tarball. You should see the identical string shown in Step 2. If you do, the software you downloaded is authentic.

In the next article, we’ll cover compiling Apache.

External Links:

The Official Apache site

The official GNU Operating System site

© 2013 David Zientara. All rights reserved. Privacy Policy