分类目录归档:运维 & 基础架构

operations & infrastructure

Zabbix通过Smokeping检测网络质量并告警

(一)Smokeping概述
(1) Smokeping是一款用于网络性能监测的开源监控软件,主要用于对IDC的网络状况,网络质量,稳定性等做检测,通过rrdtool制图方式,图形化地展示网络的时延情况,进而能够清楚的判断出网络的即时通信情况。

(2)SmokePing的特点
SmokePing keeps track of your network latency:
Best of breed latency visualisation.(最佳图形展示功能,延时丢包等可以很直观的可视化展现)
Interactive graph explorer.(交互式浏览器图表)
Wide range of latency measurement plugins.(丰富的网络状况测量插件)
Master/Slave System for distributed measurement.(支持主从的分布式部署模式)
Highly configurable alerting system.(自定义报警功能)
Live Latency Charts with the most ‘interesting’ graphs.(漂亮、免费、开源)
Free and OpenSource Software written in Perl written by Tobi Oetiker, the creator of MRTG and RRDtool

(二)技术概述
使用zabbix通过smokeping来检测网络质量zabbix官方论坛有推荐,可以登陆查看下,具体地址如下:https://www.zabbix.com/forum/showthread.php?t=31147
技术关键点有三点:
1,zabbix-trapper:这是一种数据传递方式,不同于zabbix-agent,这种方式定义的item需要使用zabbix-sender来发送数据给zabbix-server

2,zabbix-sender需要的参数:

-z - 指定zabbix server的IP
-p - 指定zabbix server的端口,默认为10051
-s - 指定目标主机,主机名必须是配置中的hostname而不是visible name,切记
-k - 指定key,我们定义的trapper的key,这边便是我们前面定义的trap
-o - 指定要传递的数据

3,使用fping探测各节点丢包率

fping的参数:
-b ping包大小
-c ping的次数   
-p ping间隔,单位ms

(三)具体步骤

(一)在zabbix_server端的配置
1,放开zabbix_server.conf中ExternalScripts的配置并设置为:ExternalScripts=/usr/local/zabbix/externalscripts

[root@localhost externalscripts]# vim /usr/local/zabbix/etc/zabbix_server.conf

### Option: AlertScriptsPath
#       Full path to location of custom alert scripts.
#       Default depends on compilation options.
#
# Mandatory: no
# Default:
# AlertScriptsPath=${datadir}/zabbix/alertscripts
 AlertScriptsPath=/usr/local/zabbix/alertscripts

### Option: ExternalScripts
#       Full path to location of external scripts.
#       Default depends on compilation options.
#
# Mandatory: no
# Default:
# ExternalScripts=${datadir}/zabbix/externalscripts
ExternalScripts=/usr/local/zabbix/externalscripts

2,把zabbix官方推荐的脚本放到ExternalScripts=/usr/local/zabbix/externalscripts/目录下,http://www.mbs-it.pl/inne/zbxsmokeping

[root@localhost externalscripts]# cat zbxsmokeping
#!/bin/bash
# Where is your zabbix server
ZBXSERVER=172.20.66.110
# where is fping tool?
FPING=/usr/sbin/fping
# where is zabbix_sender tool?
ZBXSENDER=/usr/local/zabbix/bin/zabbix_sender
# Where to send ping
IP=$1
# How many ping to send
COUNT=$2
# What interval between ping [ms]
INTERVAL=$3
# How many bytes in one ping
BYTES=$4
# 'Hostname' of the host which will collect data
HOSTNAME=$5

if [ $# -lt 5 ]
 then
     echo
     echo " Not enough parameters"
     echo " Usage: zbxsmokeping <HOST_IP> <NUMBERS_OF_PINGS> <INTERVAL> <BYTES> <TO_WHICH_HOST_SEND_DATA_IN_ZABBIX>"
     echo " Zabbix External Check Item ex.: zbxsmokeping[{HOST.IP},6,1000,68,{HOST.HOST}]"
  exit 2
fi
# debug
# echo $FPING -b $BYTES -c $COUNT -q -p $INTERVAL $IP 2>&amp;1

OUTPUT=`$FPING -b $BYTES -c $COUNT -q -p $INTERVAL $IP 2>&amp;1 | awk '{print $5,$8}' | tr -d "%|," | tr -s " " "/" | awk -F"/" '{print $3,$4,$5,$6}'`
tab=( $OUTPUT )
# debug
#echo $ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLoos -o ${tab[0]}
#echo $ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLatencyMin -o ${tab[1]}
#echo $ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLatencyMax -o ${tab[3]}
#echo $ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLatencyAvg -o ${tab[2]}

$ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLoos -o ${tab[0]}  -v | grep "Failed 1"
$ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLatencyMin -o ${tab[1]} -v | grep "Failed 1"
$ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLatencyMax -o ${tab[3]} -v | grep "Failed 1"
$ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLatencyAvg -o ${tab[2]} -v | grep "Failed 1"
echo 1

3,给该脚本执行权限,并重启下zabbix_server服务。

[root@localhost externalscripts]# chmod +x zbxsmokeping

[root@localhost externalscripts]

# ll zbxsmokeping -rwxr-xr-x 1 root root 1649 Dec 27 17:38 zbxsmokeping

[root@localhost externalscripts]

# /etc/init.d/zabbix_server restart

至此zabbix_server端配置完成。

Zabbix通过Smokeping检测网络质量并告警
Zabbix通过Smokeping检测网络质量并告警

(二)在浏览器端配置。
1,把官方推荐的模板导入进来,http://www.mbs-it.pl/inne/zbx_export_templates_smokeping.xml

2,把模板链接到需要检测网络质量的站点上

Zabbix通过Smokeping检测网络质量并告警

至此zabbix通过smokeping监控网络质量完成。

puppet-external_ip




External IP fact(s)

Sage Imel sage@sagenite.net

Provides an external_ip4 fact that shows your ipv4 IP address as returned by http://ipv4.icanhazip.com. Provides and an external_ip6 fact that shows your ipv6 IP address as returned by http://ipv6.icanhazip.com.

Useful if you have a host with a dynamic IP address.

Limitations

Ruby doesn’t seem to let you specify which interface Web::HTTP uses, so on a box with multiple interfaces your milage may very.

https://raw.githubusercontent.com/nightfly19/puppet-external_ip/master/lib/facter/external_ip4.rb

require 'net/http'

Facter.add("external_ip4") do
  setcode do
    begin
      target = URI.parse('http://ipv4.icanhazip.com/')
      Net::HTTP.get_response(target.host, target.path).body.chomp
    rescue
      nil
    end
  end
end
require 'net/http'

https://raw.githubusercontent.com/nightfly19/puppet-external_ip/master/lib/facter/external_ip6.rb
Facter.add("external_ip6") do
  setcode do
    begin
      target = URI.parse('http://ipv6.icanhazip.com/')
      Net::HTTP.get_response(target.host, target.path).body.chomp
    rescue
      nil
    end
  end
end

Optimizing Nginx for serving files bigger than 1GB

Yesterday I faced a strange issue, I realize that nginx was not serving files larger than 1GB. After investigation I found that it was due to the proxy_max_temp_file_size variable, that is configured by default to serve up to 1024 MB max.

This variable indicates the max size of a temporary file when the data served is bigger than the proxy buffer. If it is indeed bigger than the buffer, it will be served synchronously from the upstream server, avoiding the disk buffering.
If you configure proxy_max_temp_file_size to 0, then your temporary files will be disabled.

In this fix it was enough to locate this variable inside the location block, although you can use it inside server and httpd blocks. With this configuration you will optimize nginx for serving more than 1GB of data.

location / {
...
proxy_max_temp_file_size 1924m;
...
}

Restart nginx to take the changes:

service nginx restart

Smart and Efficient Byte-Range Caching with NGINX & NGINX Plus

When correctly deployed, caching is one of the quickest ways to accelerate web content. Not only does caching place content closer to the end user (thus reducing latency), it also reduces the number of requests to the upstream origin server, resulting in greater capacity and lower bandwidth costs.

The availability of globally distributed cloud platforms like AWS and DNS‑based global load balancing systems such as Route 53 make it possible to create your own global content delivery network (CDN).

In this article, we’ll look at how NGINX and NGINX Plus can cache and deliver traffic that is accessed using byte‑range requests. A common use case is HTML5 MP4 video, where requests use byte ranges to implement trick‑play (skip and seek) video playback. Our goal is to implement a caching solution for video delivery that supports byte ranges, and minimizes user latency and upstream network traffic.

Editor – The cache‑slice method discussed in Filling the Cache Slice‑by‑Slice was introduced in NGINX Plus R8. For an overview of all the new features in that release, see Announcing NGINX Plus R8 on our blog. 继续阅读

Nginx配置WebService、MySQL、SQL Server、ORACLE等代理

nginx配置webservice

#user  nobody;
worker_processes  4;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    upstream esbServer {   
        server 127.0.0.1:8083 weight=1 max_fails=2 fail_timeout=30s;   
    }

    #gzip  on;

    server {
        listen       8081;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location /ladder_web {
            proxy_set_header X-real-ip $remote_addr;
            proxy_pass http://esbServer;
        }

       
    }

}

nginx 配置mysql代理 — 基于nginx1.9以上 stream module 继续阅读

ZAP介绍

Zed Attack Proxy简写为ZAP,是一个简单易用的渗透测试工具,是发现Web应用中的漏洞的利器,更是渗透测试爱好者的好东西。

ZAP下载地址:https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

ZAP中国:http://www.owasp.org.cn/

BackTrack5R3中集成了ZAP,下面我来演示了一下ZAP的简单实用。

打开方式:

1.

cd /pentest/web/owasp-zap
./zap.sh

2.

Applications|BackTrack|Vulnerability Assessment|Web Application Assessment|Web Vulnerability Scanners|owasp-zap

使用方法:

1.设置

ZAP像Burp suite一样使用代理的方式来截取网站。

ZAP介绍

在Tools|Local proxy中设置相关选项。

ZAP介绍

默认已经设置好了,如果端口冲突就自己改。

在Firefox中设置代理。

Edit|Preferences|Advanced|Network|Setting

选择Manual proxy configuration单选项。

ZAP介绍

浏览目标机器,这里使用Metasploitable2来示例。

用Firefox访问后,在ZAP中出现了Sites。

2.Spider site

右键选择Attack|Spider site

ZAP介绍

扫描要很久,因为是示例所以就先停了。

3.Brute Force

在Site选择目标,在List中选择字典。有big medium small等类型的字典。

ZAP介绍

4.Port Scanner

ZAP介绍

虽然扫描速度很快,但是不够Nmap准确。

5.Active Scan

主动扫描是ZAP最强大的功能之一。

ZAP介绍

6.Alerts

扫描出来的漏洞就在这里了。

ZAP介绍

7.插件

Adjusting child processes for PHP-FPM (Nginx)

Problem:

The following warning message appears in the logs:

[26-Jul-2012 09:49:59] WARNING: [pool www] seems busy (you may need to increase pm.start_servers, or pm.min/max_spare_servers), spawning 32 children, there are 8 idle, and 58 total children
[26-Jul-2012 09:50:00] WARNING: [pool www] server reached pm.max_children setting (50), consider raising it

It means that there are not enough PHP-FPM processes. 继续阅读

How to enable SNMP monitoring for VMWare ESXi 6.0/6.5

You can do a lot of configuration of ESXi through the GUI, but one thing I’ve found that you cannot do is configure SNMP.

I can see in  the GUI that SNMP service is stopped, and that’s about it:

 

  • Even if you can manage to get the service started from the GUI, you’ll still have to set your community string somehow. I couldn’t exactly find a place to set that, so it’s off to the CLI we go.

So here’s how to enable SNMP and configure the community string/firewall on ESXi 6.0 or 6.5:
继续阅读

fail2ban安装配置与使用

注意:如果重启了防火墙,请同时将fail2ban服务重启,不然fail2ban不能生效,fail2ban的过滤表是在iptables启动后再添加的

安装配置:

安装epel源

# yum -y install fail2ban

配置文件

在/etc/fail2ban/目录下,标注红色的为我们添加的

即:

[root@s108c fail2ban]# ll /etc/fail2ban/jail.d/jail.local
-rw-r–r– 1 root root 174 Sep 12 10:27 /etc/fail2ban/jail.d/jail.local
[root@s108c fail2ban]# ll /etc/fail2ban/filter.d/authdaemond.conf
-rw-r–r– 1 root root 962 Sep 12 10:08 /etc/fail2ban/filter.d/authdaemond.conf

日志文件:

将/etc/fail2ban/fail2ban.conf配置中logtarget 指向日志要保存的文件

logtarget = /var/log/fail2ban.log 继续阅读

Nessus

The Most Widely Deployed Vulnerability Assessment Solution

Nessus® has been deployed for vulnerability, configuration and compliance assessments by more than one million users across the globe. Nessus prevents network attacks by identifying the vulnerabilities and configuration issues that hackers use to penetrate your network.

Nessus Workflow

  1. Ensure that your setup meets the minimum system requirements:
  2. Obtain the proper Activation Code for Nessus.
  3. Follow the installation steps depending on your Nessus software and operating system:
  4. Perform the initial configuration steps for Nessus in the web front end.
  5. Create a user account.
  6. Create a scan.