// zi0r.com

Sun, 10 Jul 2011 10:32:21

Monitoring vSphere/ESX in nagios is fairly easy. For FreeBSD users, you’ll need to do the following:

1. Install nagios:

cd /usr/ports/net-mgmt/nagios-devel && make install clean

  • Note: nagios-devel is only required until 3.2.4 is released; it contains a service dependency fix (to be incorporated into 3.2.4) that makes the type of service dependency used in vsphere.cfg easy to express.

2. Install the vmware-vsphere-cli port:

cd /usr/ports/net/vmware-vsphere-cli && make install clean

3. Download the check_esx3.pl plugin from op5 and place it in /usr/local/libexec/nagios

4. Configure any remaining components of nagios for your environment.

5. Use vicfg-user from the vmware-vsphere-cli port to add a nagios user to each of your ESXi hosts:

vicfg-user -server esxihost -username root -e user -o add -l nagios -p securepassword -r read-only

6. Create a file called vmware_authfile in /usr/local/libexec/nagios (and make sure it’s only readable by the nagios user) with the following contents:

username=nagios
password=securepassword

7. Add the vSphere configuration/dependency config file into your nagios config files and edit as needed. You’ll want to add your own hosts, just follow the existing format. The magic will automatically add the required tests/dependencies as long as the additional hosts follow the same format as the sample esxihost.

8. Add the vSphere checkcommands for nagios to your config as well.

9. Reload nagios and you should end up with vSphere monitoring!

Sample Output

  • Note: check_esx3.pl also includes additional ability to monitor VMs and other information by having it connect to vCenter. You should easily be able to add in these additional tests if you want them by following the existing samples.

Sun, 19 Jun 2011 15:45:42

Tried to configure snort to log to a remote MySQL box and came to the rapid realization that snort did not support doing so via SSL.

The attached diff(1) will force snort to require SSL for MySQL connections. You may find it here.

NOTES:

  • If you’re chrooting snort, you’ll need to have devfs mounted therein for /dev/urandom. Under FreeBSD, you would simply edit /etc/fstab and add a line similar to the following:
    none /path/to/snort/chroot/dev devfs rw 0 0
    • Then run ‘mount -a’ to mount it.
  • You’ll need to copy your certificates into the chroot.
  • If you wish to make a non-SSL connection, you’ll need to undo the patch.
  • Make sure you did not leave the private key world readable.

UPDATE:

  • Database output functionality is being deprecated in snort in favor of utilizing unified2 with barnyard2.

Sat, 11 Jun 2011 13:20:37

An experimental port of TrueCrypt has been added to the FreeBSD ports tree. Additional details can be found here.

Sun, 28 Feb 2010 10:45:48

Improve reliability with CARP and redundant DNS on two boxes. Almost everyone already has (at least) two nameservers, so why not add CARP into the mix to make it appear as if they’re always available?

This setup assumes two nameservers. Each nameserver will have a total of 3 IPs assigned to it: the two floating CARP IPs and one unique management IP per box. Each nameserver will be the CARP backup for the other nameserver’s primary nameserver IP. If one goes down, the other will assume responsibility for the IP.

You’ll need to assign each nameserver a new IP (to be used for management); the original pair of IPs will be used for the CARP interfaces.

1. Rebuild/install your kernel with:
device carp

2. Edit /etc/rc.conf to add:
cloned_interfaces="carp0 carp1"
ifconfig_carp0="create"
ifconfig_carp1="create"

3. Setup the CARP interfaces:

I set the vhids to be the last octet of the floating IP; however, you can set them to whatever you want as long as they match on both boxes.

On ns1:
Create /etc/start_if.carp0 with the following:
#!/bin/sh
ifconfig carp0 vhid XX advbase 1 advskew 10 pass supersecretpasswordhere netmask

Create /etc/start_if.carp1 with the following:
#!/bin/sh
ifconfig carp1 vhid YY advbase 2 advskew 10 pass othersupersecretpasswordhere netmask

Then run:
chmod go-rwx /etc/start_if.carp*;chmod +x /etc/start_if.carp*

On ns2:
Create /etc/start_if.carp0 with the following:
#!/bin/sh
ifconfig carp0 vhid YY advbase 1 advskew 10 pass supersecretpasswordhere netmask

Create /etc/start_if.carp1 with the following:
#!/bin/sh
ifconfig carp1 vhid XX advbase 2 advskew 10 pass othersupersecretpasswordhere netmask

Then run:
chmod go-rwx /etc/start_if.carp*;chmod +x /etc/start_if.carp*

  • carp0 on both boxes will be its PRIMARY IP whereas carp1 will be the SECONDARY IP on both. In a non-failover scenario, this means that carp0 on both boxes should show up as MASTER and carp1 should show up as BACKUP.

4. Ensure named is configured to bind to the management IP (for zone transfers, etc.), ns1.ip and ns2.ip (on both boxes!) or ensure that it listens on *.

5. Add net.inet.carp.log=2 to /etc/sysctl.conf for some extra logging info.

6. Reboot. Your primary box should come up with ns1.ip as MASTER and ns2.ip as BACKUP. Your secondary box should come up with ns2.ip as MASTER and ns1.ip as BACKUP. Check ifconfig and dmesg to confirm.

  • Note: CARP traffic is multicast and you may need to alter firewalls as appropriate to allow it. The destination is VRRP.MCAST.NET/224.0.0.18.
  • Note: For defining masters/slaves, etc. in bind you will want to reference the management IPs of the boxes, not the floating CARP addresses.
  • Note: You can actually skip using the start_if.* files if you elect to put the ifconfig statements into rc.conf. In order to limit access to your CARP authentication key, you would need to change the permissions on rc.conf which could be bad in certain situations.
  • ESX Note: If you’re trying to do this with a box in VMware, you’ll need to disable the vSwitch security features (accept: promisc, forged transmits, mac changes). This is not advisable in production as any VM on that switch can sniff traffic from any other VM. For my setup at home, I simply allocated a second NIC and a second vSwitch and made the security changes on the dedicated vSwitch. No other VMs should share this other vSwitch where the security features have been disabled.
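Step 6 says to check ifconfig to confirm the roles. The sh script below is an added example, not from the original post: it parses ifconfig(8) output and checks that carp0 is MASTER and carp1 is BACKUP on the box, which also catches the both-MASTER split you get when the 224.0.0.18 multicast mentioned in the note above is blocked by a firewall. The text returned by sample_ifconfig is constructed to follow the FreeBSD 8 carp(4) output format.

```shell
#!/bin/sh
# Added example (not from the original post): verify CARP roles from
# ifconfig(8) output. Expected layout per the post: carp0 MASTER and
# carp1 BACKUP on both boxes when nothing has failed over.

# Constructed sample of FreeBSD 8-style ifconfig output for the two
# carp interfaces (addresses are RFC 5737 documentation addresses).
sample_ifconfig() {
    cat <<'EOF'
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 192.0.2.53 netmask 0xffffff00
	carp: MASTER vhid 53 advbase 1 advskew 10
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 192.0.2.54 netmask 0xffffff00
	carp: BACKUP vhid 54 advbase 2 advskew 10
EOF
}

# Print the CARP state (MASTER, BACKUP or INIT) of interface $1, reading
# ifconfig text on stdin. Interface headers start at column 0; the
# "carp: STATE vhid N ..." line belongs to the most recent header.
carp_state() {
    awk -v ifn="$1" '
        /^[a-z0-9]+:/ { cur = $1; sub(":", "", cur) }
        cur == ifn && $1 == "carp:" { print $2; exit }
    '
}

# Check both interfaces in the ifconfig dump held in file $1. Prints OK and
# returns 0 when carp0 is MASTER and carp1 is BACKUP; otherwise prints the
# observed states and returns 1. Two MASTERs usually means the peers
# cannot see each other's advertisements (multicast blocked).
check_carp_roles() {
    s0=$(carp_state carp0 < "$1")
    s1=$(carp_state carp1 < "$1")
    if [ "$s0" = MASTER ] && [ "$s1" = BACKUP ]; then
        echo OK
        return 0
    fi
    echo "MISMATCH carp0=${s0:-missing} carp1=${s1:-missing}"
    return 1
}
```

On a real box, run `ifconfig > /tmp/ifc; check_carp_roles /tmp/ifc` on each nameserver after the reboot in step 6.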

Mon, 01 Feb 2010 20:01:38

One may find it necessary to configure sendmail to authenticate and relay via another SMTP server, such as one provided by your ISP. In order to do this under FreeBSD, sendmail needs to be rebuilt with support for SASL and a few config changes are required.

1. cd /usr/ports/security/cyrus-sasl2 && make install clean
Untick AUTHDAEMOND, OTP and NTLM.
2. Edit /etc/make.conf and add:

SENDMAIL_CFLAGS=-I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

3. Rebuild/reinstall sendmail:

cd /usr/src/lib/libsmutil;make cleandir && make obj && make
cd /usr/src/lib/libsm;make cleandir && make obj && make
cd /usr/src/usr.sbin/sendmail;make cleandir && make obj && make && make install

4. Create /etc/mail/authinfo with the following content (assuming your SMTP server supports PLAIN auth within TLS):

AuthInfo:smtp.server.host "I:username" "P:password" "M:PLAIN"

5. cd /etc/mail && makemap hash authinfo<authinfo;chgrp smmsp authinfo*;chmod o-rwx authinfo*
6. cp freebsd.submit.mc `hostname`.submit.mc;cp freebsd.mc `hostname`.mc
7. Edit /etc/mail/`hostname`.submit.mc and /etc/mail/`hostname`.mc and add the following before the msp line:

FEATURE(`authinfo')
define(`SMART_HOST', `smtp.server.host')

8. /etc/rc.d/sendmail stop && /etc/rc.d/sendmail start
9. Profit!

  • Note: If you upgrade the cyrus-sasl port, you may need to rebuild/reinstall/restart sendmail as indicated in step 3.
  • Note: src-all is required for step 3. See http://www.freebsd.org/doc/handbook/cvsup.html for details.
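Several steps on this page leave a credential on disk: vmware_authfile (step 6 of the vSphere post), the /etc/start_if.carp* scripts holding the CARP pass phrase, and /etc/mail/authinfo plus its .db map (step 5 above). The sh functions below are an added example, not from the original posts: they create such a file without a window in which it is world-readable, and audit existing ones. They parse ls -l rather than stat(1) because stat's flags differ between FreeBSD and Linux.

```shell
#!/bin/sh
# Added example (not from the original posts): create and audit credential
# files such as vmware_authfile, /etc/start_if.carp* and /etc/mail/authinfo*.

# Return 0 when the mode of $1 grants nothing to group or other.
# The first 10 characters of `ls -ld` are type + rwx bits; positions 5-10
# are the group and other bits, which must all be "-".
secret_perms_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Write the key=value arguments to file $1 with mode 0600 from the start.
# umask is set before the redirection creates the file, so there is no
# moment where a default 0644 file holds the secret; an existing file is
# removed first because a redirection would keep its old (possibly open) mode.
# Example: write_secret_file /usr/local/libexec/nagios/vmware_authfile \
#              username=nagios password=securepassword
write_secret_file() {
    path=$1; shift
    (
        umask 077
        rm -f "$path"
        for kv in "$@"; do printf '%s\n' "$kv"; done > "$path"
    ) && chmod 600 "$path" && secret_perms_ok "$path"
    # Ownership (chown nagios for vmware_authfile, chgrp smmsp for authinfo*)
    # is left to the caller: it needs root and depends on the consumer.
}

# Audit every existing path given; report offenders on stderr and return 1
# if any grants group/other access. Missing paths are skipped.
audit_secrets() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        if ! secret_perms_ok "$f"; then
            echo "WARNING: $f is readable by group or other" >&2
            rc=1
        fi
    done
    return $rc
}
```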