Nagios Core 4 on CentOS 7: Part 4 – Installation of V-Shell 2

For V-Shell2 to work for Nagios Core 4 on CentOS 7, we’ll need to make some modifications to the configuration file before running the installer. (I used nagiosvshell-2.x.zip for my installation.)

First, we’ll install dependencies.

yum install -y unzip

Download or FTP, then extract the V-Shell2 zip.

cd ~
unzip nagiosvshell-2.x.zip

We’re going to need to edit the configuration file here before installation.

cd nagiosvshell-2.x
vi config.php

Press the I key to begin editing, then make sure to update the “htpasswd_file” location as seen below under the “redhat” defaults array.

$defaults['redhat'] = array(
        'targetdir'       => '/usr/local/vshell2',
        'apacheconfdir'   => '/etc/httpd/conf.d',
        'apacheconffile'  => 'vshell2.conf',
        'apacheuser'      => 'apache',
        'apachegroup'     => 'apache',
        'etc_conf'        => 'vshell2.conf',
        'htpasswd_file'   => '/usr/local/nagios/etc/htpasswd.users',
        'vshell_baseurl'  => 'vshell2',
        'nagios_coreurl'  => 'nagios',
        'TTL'             => '90',
        'update_interval' => '90',
        'lang'            => 'en_GB',
);

Press the Escape key and then type “:wq!” without the quotes to save and exit.

:wq!

Install V-Shell2 and restart the web service.

./install.php
service httpd restart

You should be able to navigate to and view the V-Shell2 web page now.

https://serverip/vshell2/

If everything worked properly, you should remove the V-Shell2 installation files.

cd ~
rm -rf nagiosvshell*

This post is only one part of a series of Nagios documentation I am preparing.

Nagios Core 4 on CentOS 7: Part 1 – Installation

Nagios Core 4 on CentOS 7: Part 2 – Installation and Configuration of PNP4Nagios

Nagios Core 4 on CentOS 7: Part 3 – Installation and Configuration of Grafana over HTTPS

Nagios Core 4 on CentOS 7: Part 4 – Installation of V-Shell 2

Nagios Core 4 on CentOS 7: Part 3 – Installation and Configuration of Grafana over HTTPS

Install Dependencies.

yum install initscripts fontconfig freetype* urw-fonts -y

Download or FTP, then install Grafana. (I used grafana-5.0.3-1.x86_64.rpm.)

cd ~
yum install grafana-5.0.3-1.x86_64.rpm -y

Start the Grafana Server and configure the service.

sudo service grafana-server start
sudo /sbin/chkconfig --add grafana-server
systemctl daemon-reload
systemctl start grafana-server
systemctl status grafana-server
systemctl enable grafana-server.service

Add firewall rule and restart the service.

firewall-cmd --zone=public --add-port=3000/tcp --permanent
service firewalld restart

Create a self-signed certificate for Grafana.

cd /etc/grafana/
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout grafana.key -out grafana.crt

Modify the Grafana config file so that HTTPS is the protocol it serves.

vi grafana.ini

Press the I key to begin editing, remove the “;” comment characters, and update the protocol and cert settings as seen below.

[server]
# Protocol (http, https, socket)
protocol = https
# https certs & key file
cert_file = /etc/grafana/grafana.crt
cert_key = /etc/grafana/grafana.key

Press the Escape key and then type “:wq!” without the quotes to save and exit.

:wq!

Restart the Grafana Service and the web service.

service grafana-server restart
service httpd restart

Navigate to the Grafana web interface.

https://serverip:3000/

If this worked, you’ve successfully installed Grafana and can start configuring the rest.

Now, we’ll remove the Grafana installer.

cd ~
rm -rf grafana-5.0.3-1.x86_64.rpm

Nagios Core 4 on CentOS 7: Part 2 – Installation and Configuration of PNP4Nagios

A quick foreword, I am not a native Linux SA. If there are corrections to terminology needed or if I have mislabeled something, please, let me know so I can update this page. It took me quite a while to figure out how to allow things to work properly without having to disable SELinux. Thank you!

Beginning from a fresh installation of Nagios Core 4 from Part 1.

Note: Any time you modify a Nagios configuration file, you can restart the Nagios service with the command below to see if that step is where something broke.

service nagios restart

Now that that has been established, we’ll temporarily enable Root SSH Access by editing the SSH config file.

vi /etc/ssh/sshd_config

Press the I key to begin editing. Note: for the rest of this document, if edits are required, you will likely need to remember this.

Remove the # from before PermitRootLogin yes.

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

Next, you’ll write and quit. Note: to do this you will need to press the Escape key and then type “:wq!” without the quotes to save and exit. (As above with the I key, you will need to remember this.)

:wq!

Restart SSH.

service sshd restart

Open PuTTY or your favorite SSH client, connect to the device and log in as root. If you’re using DHCP, you may need to run the command below to get the IP address.

ip addr show

Now, to start, we’ll install dependencies.

yum install gd gd-devel php-gd rrdtool rrdtool-perl ruby xorg-x11-fonts-Type1 -y

Download or SFTP the necessary file; the version I successfully used is listed below.

pnp4nagios-0.6.26.tar.gz

Now, we’ll extract and install PNP4Nagios.

tar zxfv pnp4nagios-0.6.26.tar.gz
cd pnp4nagios-0.6.26
./configure
make all
make fullinstall
make install-init

Now we’ll prep and restart the web service.

chkconfig --add npcd && chkconfig --level 35 npcd on
systemctl reload httpd.service

Browse to the PNP4Nagios web page and make sure it passed the checks.

https://serverip/pnp4nagios/

Now, we’ll rename the file mentioned on the web page if all checks were passed.

mv /usr/local/pnp4nagios/share/install.php /usr/local/pnp4nagios/share/install.php.ORI

Now, we’re going to need to modify the Nagios configuration files.

vi /usr/local/nagios/etc/nagios.cfg

Press the I key to begin editing and update each item as seen below.

host_perfdata_command=process-host-perfdata
service_perfdata_command=process-service-perfdata
process_performance_data=1
enable_environment_macros=1
service_perfdata_file=/usr/local/pnp4nagios/var/service-perfdata
service_perfdata_file_template=DATATYPE::SERVICEPERFDATA\tTIMET::$TIMET$\tHOSTNAME::$HOSTNAME$\tSERVICEDESC::$SERVICEDESC$\tSERVICEPERFDATA::$SERVICEPERFDATA$\tSERVICECHECKCOMMAND::$SERVICECHECKCOMMAND$\tHOSTSTATE::$HOSTSTATE$\tHOSTSTATETYPE::$HOSTSTATETYPE$\tSERVICESTATE::$SERVICESTATE$\tSERVICESTATETYPE::$SERVICESTATETYPE$
service_perfdata_file_mode=a
service_perfdata_file_processing_interval=15
service_perfdata_file_processing_command=process-service-perfdata-file
host_perfdata_file=/usr/local/pnp4nagios/var/host-perfdata
host_perfdata_file_template=DATATYPE::HOSTPERFDATA\tTIMET::$TIMET$\tHOSTNAME::$HOSTNAME$\tHOSTPERFDATA::$HOSTPERFDATA$\tHOSTCHECKCOMMAND::$HOSTCHECKCOMMAND$\tHOSTSTATE::$HOSTSTATE$\tHOSTSTATETYPE::$HOSTSTATETYPE$
host_perfdata_file_mode=a
host_perfdata_file_processing_interval=15
host_perfdata_file_processing_command=process-host-perfdata-file

Next, you’ll write and quit. Press the Escape key and then type “:wq!” without the quotes. (You may want to restart the Nagios service to see if you broke anything.)

:wq!

Now, we’ll need to append the Bulk with NPCD mode commands to the commands configuration file.

vi /usr/local/nagios/etc/objects/commands.cfg

Press the I key to begin editing and add this to the bottom.

#
# Bulk with NPCD mode
#
define command {
       command_name    process-service-perfdata-file
       command_line    /bin/mv /usr/local/pnp4nagios/var/service-perfdata /usr/local/pnp4nagios/var/spool/service-perfdata.$TIMET$
}

define command {
       command_name    process-host-perfdata-file
       command_line    /bin/mv /usr/local/pnp4nagios/var/host-perfdata /usr/local/pnp4nagios/var/spool/host-perfdata.$TIMET$
}

Press the Escape key and then type “:wq!” without the quotes to save and exit. (You may want to restart the Nagios service to see if you broke anything.)

:wq!

Now, we’ll need to append the templates configuration file. These will be the link identifiers for future monitoring. (Adds graph icons next to either the host or service depending on how it’s implemented later in this documentation.)

vi /usr/local/nagios/etc/objects/templates.cfg

These new host and service objects need to be appended to this configuration file. (Press the I key to begin editing.)

define host {
        name            host-pnp
        action_url      /pnp4nagios/index.php/graph?host=$HOSTNAME$&srv=_HOST_' class='tips' rel='/pnp4nagios/index.php/popup?host=$HOSTNAME$&srv=_HOST_
        register        0
}
define service {
        name            srv-pnp
        action_url      /pnp4nagios/index.php/graph?host=$HOSTNAME$&srv=$SERVICEDESC$' class='tips' rel='/pnp4nagios/index.php/popup?host=$HOSTNAME$&srv=$SERVICEDESC$
        register        0
}

Press the Escape key and then type “:wq!” without the quotes to save and exit. (You may want to restart the Nagios service to see if you broke anything.)

:wq!
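As an added example (not code from the original post or from PNP4Nagios), the following Python parses the spool records that the templates and Bulk with NPCD commands above produce, decoding each record's KEY::VALUE fields and the plugin perfdata inside it; it is useful for checking what actually landed in /usr/local/pnp4nagios/var/spool when graphs stay empty. The sample lines are constructed, and their perfdata strings assume check_ping's output format.

```python
"""Parse PNP4Nagios "Bulk with NPCD" spool records.

Each line is one record written by the service_perfdata_file_template /
host_perfdata_file_template above: tab-separated KEY::VALUE fields, with the
plugin's perfdata string ('label'=value[UOM];[warn];[crit];[min];[max] ...)
carried in the SERVICEPERFDATA or HOSTPERFDATA field.
"""
import re
from typing import Dict, List

# One metric token of a Nagios plugin perfdata string. Labels may be single-quoted
# (and then may contain spaces). Thresholds are kept as raw strings because they
# can be ranges such as 10:20, ~:20 or @10:20, not just numbers.
_METRIC_RE = re.compile(
    r"(?P<label>'[^']*'|[^\s='][^\s=]*)=(?P<value>-?\d+(?:\.\d+)?|U)(?P<uom>[A-Za-z%]*)"
    r"(?:;(?P<warn>[^;\s]*))?(?:;(?P<crit>[^;\s]*))?"
    r"(?:;(?P<min>[^;\s]*))?(?:;(?P<max>[^;\s]*))?"
)


def parse_perfdata(perf: str) -> Dict[str, Dict[str, object]]:
    """Decode a perfdata string into {label: {value, uom, warn, crit, min, max}}."""
    metrics: Dict[str, Dict[str, object]] = {}
    for m in _METRIC_RE.finditer(perf):
        label = m.group("label").strip("'")
        raw = m.group("value")
        metrics[label] = {
            "value": None if raw == "U" else float(raw),  # "U" means unknown
            "uom": m.group("uom"),
            "warn": m.group("warn") or None,
            "crit": m.group("crit") or None,
            "min": m.group("min") or None,
            "max": m.group("max") or None,
        }
    return metrics


def parse_record(line: str) -> Dict[str, object]:
    """Split one spool line into its KEY::VALUE fields and decode its perfdata."""
    rec: Dict[str, object] = {}
    for field in line.rstrip("\r\n").split("\t"):
        key, sep, value = field.partition("::")
        if not sep:
            raise ValueError(f"malformed field (missing '::'): {field!r}")
        rec[key] = value
    datatype = rec.get("DATATYPE")
    if datatype not in ("SERVICEPERFDATA", "HOSTPERFDATA"):
        raise ValueError(f"unexpected DATATYPE: {datatype!r}")
    if "TIMET" not in rec:
        raise ValueError("record has no TIMET field")
    rec["TIMET"] = int(str(rec["TIMET"]))  # epoch seconds from $TIMET$
    # The perfdata field carries the same name as the DATATYPE value.
    rec["metrics"] = parse_perfdata(str(rec.get(str(datatype), "")))
    return rec


def parse_spool(text: str) -> List[Dict[str, object]]:
    """Parse a whole spool file; blank lines are ignored."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def graph_keys(records: List[Dict[str, object]]) -> List[str]:
    """host/service/label keys as PNP4Nagios files them: host perfdata is stored
    under the pseudo-service _HOST_, the name the srv=_HOST_ action_url uses."""
    keys = []
    for rec in records:
        service = rec["SERVICEDESC"] if rec["DATATYPE"] == "SERVICEPERFDATA" else "_HOST_"
        for label in rec["metrics"]:  # type: ignore[attr-defined]
            keys.append(f"{rec['HOSTNAME']}/{service}/{label}")
    return keys


# Constructed sample spool content (not captured from a real host); the perfdata
# strings follow the output format of check_ping, used by the localhost PING check.
SAMPLE_SPOOL = (
    "DATATYPE::SERVICEPERFDATA\tTIMET::1520000000\tHOSTNAME::localhost\tSERVICEDESC::PING"
    "\tSERVICEPERFDATA::rta=0.049000ms;100.000000;500.000000;0.000000 pl=0%;20;60;0"
    "\tSERVICECHECKCOMMAND::check_ping!100.0,20%!500.0,60%\tHOSTSTATE::UP"
    "\tHOSTSTATETYPE::HARD\tSERVICESTATE::OK\tSERVICESTATETYPE::HARD\n"
    "DATATYPE::HOSTPERFDATA\tTIMET::1520000000\tHOSTNAME::localhost"
    "\tHOSTPERFDATA::rta=0.051000ms;2000.000000;5000.000000;0.000000 pl=0%;60;100;0"
    "\tHOSTCHECKCOMMAND::check-host-alive\tHOSTSTATE::UP\tHOSTSTATETYPE::HARD\n"
)

if __name__ == "__main__":
    records = parse_spool(SAMPLE_SPOOL)
    for rec in records:
        print(rec["DATATYPE"], rec["HOSTNAME"], rec.get("SERVICEDESC", "_HOST_"), rec["metrics"])
    print(graph_keys(records))
```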

Option 1: Configure all hosts and/or services to be monitored. (Skip to Option 2 for individual host or server configuration.)

a. Configuration of All Hosts Example:

For implementing this, we’ll need to edit the core templates configuration file.

vi /usr/local/nagios/etc/objects/templates.cfg

You will need to make sure that under the “generic-host” host definition template, you add the “use host-pnp” line as seen below.

define host{
        name                            generic-host    ; The name of this host template
        use                             host-pnp
        notifications_enabled           1               ; Host notifications are enabled
        event_handler_enabled           1               ; Host event handler is enabled
        flap_detection_enabled          1               ; Flap detection is enabled
        process_perf_data               1               ; Process performance data
        retain_status_information       1               ; Retain status information across program restarts
        retain_nonstatus_information    1               ; Retain non-status information across program restarts
        notification_period             24x7            ; Send host notifications at any time
        register                        0               ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL HOST, JUST A TEMPLATE!
        }

Now, you’ll press Escape, followed by “:wq!” to save and quit vi. (You may want to restart the Nagios service to see if you broke anything.)

:wq!

For any update to a configuration file to take effect, you will need to restart the Nagios service.

service nagios restart

b. Configuration of All Services Example:

For implementing this, we’ll need to edit the core templates configuration file.

vi /usr/local/nagios/etc/objects/templates.cfg

You will need to make sure that under the “generic-service” service definition template, you add the “use srv-pnp” line as seen below.

define service{
        name                            generic-service         ; The 'name' of this service template
        use                             srv-pnp                 ; <----
        active_checks_enabled           1                       ; Active service checks are enabled
        passive_checks_enabled          1                       ; Passive service checks are enabled/accepted
        parallelize_check               1                       ; Active service checks should be parallelized (disabling this can lead to major performance problems)
        obsess_over_service             1                       ; We should obsess over this service (if necessary)
        check_freshness                 0                       ; Default is to NOT check service 'freshness'
        notifications_enabled           1                       ; Service notifications are enabled
        event_handler_enabled           1                       ; Service event handler is enabled
        flap_detection_enabled          1                       ; Flap detection is enabled
        process_perf_data               1                       ; Process performance data
        retain_status_information       1                       ; Retain status information across program restarts
        retain_nonstatus_information    1                       ; Retain non-status information across program restarts
        is_volatile                     0                       ; The service is not volatile
        check_period                    24x7                    ; The service can be checked at any time of the day
        max_check_attempts              3                       ; Re-check the service up to 3 times in order to determine its final (hard) state
        check_interval                  2                       ; Check the service every 2 minutes under normal conditions
        retry_interval                  2                       ; Re-check the service every two minutes until a hard state can be determined
        contact_groups                  admins                  ; Notifications get sent out to everyone in the 'admins' group
        notification_options            w,u,c,r                 ; Send notifications about warning, unknown, critical, and recovery events
        notification_interval           60                      ; Re-notify about service problems every hour
        notification_period             24x7                    ; Notifications can be sent out at any time
        register                        0                       ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL SERVICE, JUST A TEMPLATE!
}

Now, you’ll press Escape, followed by “:wq!” to save and quit vi. (You may want to restart the Nagios service to see if you broke anything.)

:wq!

For any update to a configuration file to take effect, you will need to restart the Nagios service.

service nagios restart

Option 2: Configure a single host and/or single service to be monitored. (Return to Option 1 for monitoring of all hosts or all services.)

a. Individual Host Configuration Example:

For this example, we’ll be using the Nagios localhost monitoring configuration file.

vi /usr/local/nagios/etc/objects/localhost.cfg

You’ll press the I key and append “,host-pnp” after “linux-server” to add host monitoring as seen below.

define host{
        use                     linux-server,host-pnp
        host_name               localhost
        alias                   localhost
        address                 127.0.0.1
        }

Now, you’ll press Escape, followed by “:wq!” to save and quit vi. (You may want to restart the Nagios service to see if you broke anything.)

:wq!

For any update to a configuration file to take effect, you will need to restart the Nagios service.

service nagios restart

b. Individual Service Configuration Example:

For this example, we’ll be using the Nagios localhost monitoring configuration file.

vi /usr/local/nagios/etc/objects/localhost.cfg

You’ll press the I key and append “,srv-pnp” after “local-service” to add service monitoring as seen below.

define service{
        use                             local-service,srv-pnp
        host_name                       localhost
        service_description             PING
        check_command                   check_ping!100.0,20%!500.0,60%
        }

Now, you’ll press Escape, followed by “:wq!” to save and quit vi. (You may want to restart the Nagios service to see if you broke anything.)

:wq!

For any update to a configuration file to take effect, you will need to restart the Nagios service.

service nagios restart

Next, we’ll copy the SSI header file, then restart NPCD and Nagios.

cd /root/pnp4nagios-0.6.26/
cp contrib/ssi/status-header.ssi /usr/local/nagios/share/ssi/
service npcd restart && service nagios restart

Remove the PNP4Nagios installer.

cd ~
rm -rf pnp4nagios-0.6.26*

And now you should be ready to start using PNP4Nagios on your server.

If everything worked well, you should return and disable root SSH access.

vi /etc/ssh/sshd_config

Add # before PermitRootLogin yes.

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

Save and quit vi.

:wq!

Restart SSH.

service sshd restart

Nagios Core 4 on CentOS 7: Part 1 – Installation

Beginning from a fresh installation of CentOS 7.

First, we’ll temporarily enable Root SSH Access by editing /etc/ssh/sshd_config.

vi /etc/ssh/sshd_config

Press the I key to begin editing. Note: for the rest of this document, if edits are required, you will likely need to remember this.

Remove the # from before PermitRootLogin yes.

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

Next, you’ll write and quit. Note: to do this you will need to press the Escape key and then type “:wq!” without the quotes to save and exit. (As above with the I key, you will need to remember this.)

:wq!

Restart SSH.

service sshd restart

Open PuTTY or your favorite SSH client and connect to the device. If you’re using DHCP, you may need to run the command below to get the IP address.

ip addr show

Next we’ll install dependencies.

yum install -y wget httpd php gcc glibc glibc-common gd gd-devel make net-snmp mod_ssl unzip

Download or SFTP the necessary files; the versions I successfully used are listed below.

monitoring-plugins-2.2.tar.gz
nagios-4.3.4.tar.gz
nagios-plugins-2.2.1.tar.gz
nagios-selinux-4.3.4-2.el7.nuxref.x86_64.rpm
nagios-plugins-selinux-2.2.1-1.el7.nuxref.x86_64.rpm

(Nagios SELinux RPMs can be found using this link.)

Next we’ll create the nagios user and groups. (You will be prompted for a password on the next command.)

useradd nagios && passwd nagios
groupadd nagcmd
usermod -a -G nagcmd nagios
usermod -a -G nagcmd apache

Now that everything’s prepared, we’ll extract and install Nagios Core 4.

tar xvf nagios-4.3.4.tar.gz
cd nagios-4.3.4
./configure --with-command-group=nagcmd
make all
make install
make install-init
make install-commandmode
make install-config
make install-webconf

Now, we’ll copy the Event Handlers and apply proper ownership.

cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/
chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers

Next, we’ll test the config.

/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

On to creation of the web user for Nagios and prepping the web service. (You will be asked to set a password after the next command.)

htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
systemctl restart httpd.service
chkconfig --add nagios && chkconfig --level 35 nagios on
systemctl enable httpd.service

Next, we’ll add a permanent firewall rule for HTTPS (you can change this to HTTP if you prefer) and then restart the firewall service.

firewall-cmd --zone=public --permanent --add-service=https
systemctl restart firewalld.service

Return to root user directory and remove installer files for Nagios Core 4.

cd ~
rm -rf nagios-4.3.4*

Install the Nagios SELinux package so Nagios can run with SELinux in Enforcing mode, then restart Nagios.

yum install nagios-selinux-4.3.4-2.el7.nuxref.x86_64.rpm -y
rm -rf nagios-selinux-4.3.4-2.el7.nuxref.x86_64.rpm
service nagios restart

Extract and Install Nagios Monitoring Plugins.

tar -xvf nagios-plugins-2.2.1.tar.gz
cd nagios-plugins-2.2.1
./configure --prefix=/usr/local/nagios --with-cgiurl=/nagios/cgi-bin
make
make install
make install-root

Remove Nagios Monitoring Plugins installer files.

cd ~
rm -rf nagios-plugins-2.2.1*

Extract and install the monitoring plugins.

cd ~
tar xvf monitoring-plugins-2.2.tar.gz
cd monitoring-plugins-2.2
./configure --with-nagios-user=nagios --with-nagios-group=nagios --prefix=/usr/local/nagios
make
make install

Remove the monitoring plugins installer files.

cd ~
rm -rf monitoring-plugins-2.2*

Install SELinux policy for Plugins.

yum install nagios-plugins-selinux-2.2.1-1.el7.nuxref.x86_64.rpm -y
rm -rf nagios-plugins-selinux-2.2.1-1.el7.nuxref.x86_64.rpm

Change the SELinux context of the Nagios directories. (Labels set with chcon do not survive a filesystem relabel; to make them permanent, record the same rules with semanage fcontext and apply them with restorecon.)

chcon -R --reference=/var/www/html /usr/local/nagios/share
chcon -R --reference=/var/www/html /usr/local/nagios/var
chcon -R --reference=/var/www/cgi-bin /usr/local/nagios/sbin
chcon -R -t httpd_sys_rw_content_t /usr/local/nagios/var/rw

Restart the Nagios service.

service nagios restart

From here you should be able to navigate to your server and make sure everything is working properly.

https://serverip/nagios/

If everything worked well, you should return and disable root SSH access.

vi /etc/ssh/sshd_config

Add # before PermitRootLogin yes.

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

Save and quit vi.

:wq!

Restart SSH.

service sshd restart

And now you’re ready to start configuring your Nagios server.

Let’s Encrypt: Without Using Port 80 (Windows/IIS)

I wasn’t able to find quick and easy documentation for how to configure Let’s Encrypt with an ISP that blocks port 80. So, this is my attempt at hopefully saving you the time that I spent figuring it out for myself.

Unfortunately, I haven’t figured out how to automate updating my DNS TXT records just yet, so this will need to be done every quarter.

Also, this document was a quick write up, don’t currently have time to make it look as clean as I would like at the moment. My apologies.

In my example, I am preparing a wildcard domain.

First, you will need to download the ZeroSSL Let’s Encrypt client.

Next, you will need to open IIS and begin the process of requesting a certificate.

Click on Your Server in the left bar.

Select Server Certificates under Management.

On the Actions panel, select Create Certificate Request.

Common Name : *.domain.com
(The rest of the info is up to you.)

Click Next.

Select RSA and 2048.
(Or whatever you want to use.)

Click Next.

Save a copy of the key to the location below.

C:\cert\req.txt

Click Finish.

Update the command below with your domain and run it in an elevated PowerShell window.

.\le64.exe -key account.key -csr c:\cert\req.txt -csr-key domain.key -crt domain.crt -domains "*.domain.com" -generate-missing -handle-as dns -api 2 -live

You will be prompted to update a TXT DNS record for _acme-challenge.domain.com.

(Note: this is not a new sub-domain; you’re just adding a record to the DNS zone of domain.com.)

Example response from the command run above.

Host: _acme-challenge.domain.com, type: TXT, value: EDCerddvTxxxxxxxxx2alFy0_Ag8gDlSnMSzWC_ztI

Go to your DNS settings for your primary domain and add a TXT record with your value.

Update and run the command below in a new PowerShell or Command Prompt Window to verify the DNS record is appearing properly.

nslookup -q=TXT _acme-challenge.domain.com

When you get the TXT DNS entry you entered back, return to the original elevated PowerShell window and press Enter to finish generating your certificate.

You can now return to your DNS settings and remove the TXT entry if everything proceeded properly.

Return to IIS.

Click Complete Certificate Request under Actions.

Select the file that was generated.

(It is where you ran your Let's Encrypt application, and you may need to switch to *.* to find it.)

Set your friendly name to *.domain.com.

You may need to update bindings or create new sites to attach this SSL certificate properly.

XenServer: Unknown Error Occurred Connecting with XenCenter

When connecting to XenServer 5.5 from XenCenter on up-to-date Windows devices, you get an Unknown Error. To fix this, we need to generate a certificate with a stronger key (the default one is only 512 bits). The logs below show the errors and where to look to verify that this is the issue.

I couldn’t find all of this information easily consolidated into one place, and hopefully this will save someone time if they come across the same issues.

XenCenter Logs

Location: %appdata%\Citrix\XenCenter\logs\XenCenter.log

2017-10-17 13:05:08,154 DEBUG XenAdmin.Network.XenConnection [Connection to xxx.xxx.xxx.xxx] - XenConnection: trying to connect to 192.168.10.24
2017-10-17 13:05:08,661 DEBUG XenAdmin.Network.XenConnection [Connection to xxx.xxx.xxx.xxx] - The request was aborted: Could not create SSL/TLS secure channel.
2017-10-17 13:05:08,661 WARN  XenAdmin.Network.XenConnection [Connection to xxx.xxx.xxx.xxx] - XenConnection: failed to connect to 192.168.10.24: The request was aborted: Could not create SSL/TLS secure channel.
2017-10-17 13:05:08,661 DEBUG XenAdmin.Actions.Action [Connection to xxx.xxx.xxx.xxx] - The request was aborted: Could not create SSL/TLS secure channel.

(Source: Citrix: XenCenter Event Log)

XenServer Logs

Location: /var/log/secure

Oct 17 13:06:29 xen-105519 stunnel: LOG5[15145:3085974416]: xapi connected from xxx.xxx.xxx.xxx:55170
Oct 17 13:06:29 xen-105519 stunnel: LOG3[15145:3085974416]: SSL_accept: Peer suddenly disconnected
Oct 17 13:06:29 xen-105519 stunnel: LOG5[15145:3085974416]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

(Source: Xencenter 6.5 and 7 “unknown error” while connecting to XenServer 5.6.0)

Fix:

Through SSH or console access, do the following.

Verify the key is 512 bits:

openssl x509 -in /etc/xensource/xapi-ssl.pem -text

Because the file that generates it is read only, create a copy in the temp directory.

cp /opt/xensource/libexec/generate_ssl_cert /tmp

Use vi to edit the new file.

vi /tmp/generate_ssl_cert

Update the following line to look like the one below it by pressing i to insert text.

openssl genrsa > privkey.rsa
openssl genrsa 1024 > privkey.rsa

Press Escape followed by k, then type :wq! to write the changes to the file and quit without prompting.

Backup the existing cert.

cp /etc/xensource/xapi-ssl.pem /etc/xensource/xapi-ssl.pem.backup

Stop the xapissl service.

/etc/init.d/xapissl stop

Generate the new SSL cert.

/tmp/generate_ssl_cert /etc/xensource/xapi-ssl.pem $(hostname -f)

Start the xapissl service.

/etc/init.d/xapissl start

(Source: WebbosWorld: XenCenter Could not create SSL/TLS Secure Channel)

XenServer: Alternate Auto-Start VM Option

Create the boot script

Method 1: Auto-start all servers

vi /etc/rc.d/init.d/RunVMonBoot.sh

Give the script these contents:

#!/bin/bash
xe vm-list power-state=halted | grep uuid | cut -c 24- | xargs -I {Var} xe vm-start uuid={Var}

Method 2: Auto-start selected servers

vi /etc/rc.d/init.d/RunVMonBoot.sh

Give the script these contents:

#!/bin/bash
xe vm-start uuid=SERVERUUIDHERE

Note: Repeat “xe vm-start uuid=” line as many times as needed.

Press Escape followed by K to stop editing.

Press : followed by wq! to save changes and quit editing.

Run the following command to add execute privileges to the script.

chmod +x /etc/init.d/RunVMonBoot.sh

Run the following to add execute privileges to the startup script.

chmod +x /etc/rc.d/rc.local

Run the following to edit the startup script.

vi /etc/rc.d/rc.local

Append these lines to the script. (Press I to allow inserting.)

sleep 180
/etc/rc.d/init.d/RunVMonBoot.sh

Press Escape followed by K to stop editing.

Press : followed by wq! to save changes and quit editing.

PowerShell: Disabling and Moving Inactive Users

While this isn’t my cleanest work, it did the job fairly well.

Also, I assume you’ve already added the Active Directory module; I believe the command below will add it.

import-module activedirectory

This script will go through an OU, searching its contained OUs, find inactive users, then disable them and move them into their own ‘Disabled’ sub-OU.

This comes in handy when you have a bunch of client sites that are organized and you want to maintain organization.

# Cutoff for "inactive": last logon older than 90 days. The 90-day window is an assumption;
# adjust it to your policy. LastLogonTimeStamp is a Windows FileTime that replicates only
# every 9-14 days, so it is approximate, and accounts that have never logged on (no value)
# are not matched by the -lt comparison.
$time = (Get-Date).AddDays(-90).ToFileTime()

Foreach ($i in (Get-ADOrganizationalUnit -Filter * -SearchBase "OU=MyOU,DC=mydomain,DC=local" -SearchScope OneLevel | foreach { $_.DistinguishedName })){
    Echo "-------------------------------------------"
    Echo $i
    Echo "-------------------------------------------"
    # Enabled users under this site OU whose last logon is older than the cutoff
    ForEach ($xx in (Get-ADUser -SearchBase $i -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp)){
        [DateTime]::FromFileTime($xx.lastLogonTimestamp)
        Echo "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        Echo "Disabling User"
        Echo $xx.Name
        Disable-ADAccount -Identity $xx.ObjectGUID
        Echo "Moving User"
        Echo "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        # Target is the "Disabled" sub-OU of the current site OU (created by the second script below)
        $DisabledPart1 = "OU=Disabled,"
        $DisabledOU = $DisabledPart1+$i
        Move-ADObject -Identity $xx.ObjectGUID -TargetPath $DisabledOU
    }
    Echo "-------------------------------------------"
}

Below is a script that creates the ‘Disabled’ OUs.

Foreach ($i in (Get-ADOrganizationalUnit -Filter * -SearchBase "OU=MyOU,DC=mydomain,DC=local" -SearchScope OneLevel | foreach { $_.DistinguishedName })){
 echo $i
 New-ADOrganizationalUnit -Name Disabled -Path $i -Description "Disabled Accounts" -PassThru
}

Update

I combined everything into a PowerShell application, as seen below, which can be downloaded here.

Note: This application will only search through enabled accounts.

Terminal Server Gateways and PCI Compliance

Before starting, every Windows 7/Server 2008 R2 OS will need to have a specific patch (KB3080079) to be able to use TLS 1.1+ to connect to the Gateway properly after following the directions below.

To begin, download the IISCrypto software from Nartac onto the gateway server.

Upon opening, accept the agreement if it appears.

Click on the Templates section.

Select “PCI 3.1” in the drop down.

Click Apply.

Reboot the server.

It’s possible that at this point you might encounter an inability to connect and you’ll get the following error in the event log.

A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

To fix this error, open the Control Panel, click Administrative Tools, and then open Local Security Policy.

In Local Security Settings, expand Local Policies, and then click Security Options.

Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Enabled.

You may or may not need to run gpupdate /force.

XenServer Security: Clearing CIFS/SMB Passwords

XenServer stores the passwords to any CIFS/SMB share you are currently using or have used in the past even if the share was removed. (Tested this up to XenServer 7.)

Now, this can be a concern because these credentials might be to a domain account, domain administrator account, or have privileged access to a specific system. I wrote the following command to go through and clear all of the stored CIFS/SMB shares.

xe secret-list | grep uuid | cut -c 17- | xargs -I {Var} xe secret-destroy uuid={Var}

This lists all existing secrets, strips the surrounding text, and destroys each saved password.

Breakdown

xe secret-list

Lists all passwords and UUIDs.

xe secret-list | grep uuid

Lists just the UUIDs of the existing CIFS passwords.

cut -c 17-

Removes the excess characters of the “xe secret-list | grep uuid” command.

xargs -I {Var}

Passes the results of the previous command to the next one with a set variable, in this case “{Var}”.

xe secret-destroy uuid=

Removes the password listed by “xe secret-list”.
