Install LibreNMS on CentOS

Install prerequisites

yum install -y epel-release 
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum install -y policycoreutils-python cronie fping git httpd ImageMagick jwhois mariadb mariadb-server mtr MySQL-python net-snmp net-snmp-utils nmap php71w php71w-cli php71w-common php71w-curl php71w-gd php71w-mcrypt php71w-mysql php71w-process php71w-snmp php71w-xml php71w-zip python-memcached rrdtool

Setup LibreNMS user

useradd librenms -d /opt/librenms -M -r
usermod -a -G librenms apache

Install LibreNMS

cd /opt
git clone https://github.com/librenms/librenms.git librenms

Configure MySQL

Start MySQL

systemctl start mariadb
mysql -u root

Create the database and database user. Change 'password' to a strong password of your own.

CREATE DATABASE librenms CHARACTER SET utf8 COLLATE utf8_unicode_ci;
CREATE USER 'librenms'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'localhost';
FLUSH PRIVILEGES;
exit

Disable MySQL strict mode

vi /etc/my.cnf

Add the following in the [mysqld] section

innodb_file_per_table=1
sql-mode=""
lower_case_table_names=0

Enable and restart mariadb (i.e. MySQL)

systemctl enable mariadb
systemctl restart mariadb

Configure PHP.  Set Timezone

You can go here to figure out which time zone you need.

vi  /etc/php.ini

Find the [Date] Section and change the timezone

Example:

date.timezone = America/New_York

Configure Apache

vi /etc/httpd/conf.d/librenms.conf

Add the following, changing the server name to your own.

<VirtualHost *:80>
  DocumentRoot /opt/librenms/html/
  ServerName  librenms.example.com

  AllowEncodedSlashes NoDecode
  <Directory "/opt/librenms/html/">
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
  </Directory>
</VirtualHost>

Enable and restart apache

systemctl enable httpd
systemctl restart httpd

Allow fping

cd /opt/librenms
vi http_fping.tt

Add the following

module http_fping 1.0;

require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}

#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };

Configure SELinux

You can disable SELinux completely in the /etc/selinux/config file or run these commands to make LibreNMS and SELinux play together.

semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/logs(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/logs(/.*)?'
restorecon -RFvv /opt/librenms/logs/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/rrd(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/rrd(/.*)?'
restorecon -RFvv /opt/librenms/rrd/
setsebool -P httpd_can_sendmail=1
checkmodule -M -m -o http_fping.mod http_fping.tt
semodule_package -o http_fping.pp -m http_fping.mod
semodule -i http_fping.pp

Configure Firewall

firewall-cmd --zone public --add-service http
firewall-cmd --permanent --zone public --add-service http
firewall-cmd --zone public --add-service https
firewall-cmd --permanent --zone public --add-service https

Configure snmpd

cp /opt/librenms/snmpd.conf.example /etc/snmp/snmpd.conf

Edit the snmpd file and change RANDOMSTRINGGOESHERE to your community string

vi /etc/snmp/snmpd.conf

Enable and restart snmpd

curl -o /usr/bin/distro https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro
chmod +x /usr/bin/distro
systemctl enable snmpd
systemctl restart snmpd

Setup Cron Job and Cycle logs

cp /opt/librenms/librenms.nonroot.cron /etc/cron.d/librenms
cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms

Set Permissions

chown -R librenms:librenms /opt/librenms
setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs
setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs

Finish Install

Finish the install by opening the following URL in a browser (replace your-server-ip with the server's address):

http://your-server-ip/install.php

Change timezone in CentOS, Fedora, RedHat

The file /etc/localtime is a symbolic link to the timezone.  All the timezones are listed in /usr/share/zoneinfo/

Replace America/New_York with the appropriate timezone.

ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime

You can view the current time zone with the following command

timedatectl

or with date

date +"%Z %z"

Setup SNMP on XenServer

Log into the XenServer via SSH, or open a console through XenCenter.

Open up the snmpd.conf file with your favorite text editor, nano, vi etc.

vi /etc/snmp/snmpd.conf

Find the following line

com2sec notConfigUser default public

and change the source “default” to the allowed IP ranges and the community “public” to whatever you want your new community string to be.

Example:

com2sec notConfigUser 192.168.1.0/24 privateString

Save, exit and start snmpd

service snmpd start

Add the following line in your iptables config.  It needs to be above the COMMIT line.

-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -m udp -p udp --dport 161 -j ACCEPT

Restart iptables

service iptables restart

You should be good to go.
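As an added example (not from the original posts), the following POSIX shell function audits an snmpd.conf for the two weak settings the LibreNMS snmpd step and the XenServer step above tell you to change: a community string still set to public, private or the RANDOMSTRINGGOESHERE placeholder, and a com2sec (or rocommunity/rwcommunity) line whose source is "default", i.e. any address. Run it against /etc/snmp/snmpd.conf before starting snmpd; the sample files in the test are constructed.

```shell
#!/bin/sh
# Audit an snmpd.conf for weak SNMP v1/v2c settings. Added example, not
# part of the original posts. Prints one finding per line and returns 1
# when anything was found, 0 when the file is clean.
#
# Directives examined:
#   com2sec <name> <source> <community>
#   rocommunity|rwcommunity <community> [source]
audit_snmpd_conf() {
    conf="$1"
    findings=0
    while read -r key a b c; do
        case "$key" in
            com2sec)
                src="$b"; community="$c" ;;
            rocommunity|rwcommunity)
                community="$a"; src="${b:-default}" ;;
            *)
                continue ;;   # comments, blank lines, other directives
        esac
        case "$community" in
            public|private|RANDOMSTRINGGOESHERE)
                echo "$conf: $key uses default/placeholder community '$community'"
                findings=$((findings + 1)) ;;
        esac
        case "$src" in
            default|0.0.0.0/0|0.0.0.0)
                echo "$conf: $key accepts queries from any source ('$src')"
                findings=$((findings + 1)) ;;
        esac
    done < "$conf"
    [ "$findings" -eq 0 ]
}

# Usage: audit_snmpd_conf /etc/snmp/snmpd.conf || echo "fix snmpd.conf before starting snmpd"
```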

LibreNMS not able to ping device and can’t change device name

If you're having issues in the LibreNMS web interface changing a device's IP address, or you can't add a new device because LibreNMS says it can't ping it, SELinux is probably the cause.

As far as changing a device's IP address goes, it looks like SELinux is not allowing Apache write access to the /opt/librenms/rrd directory.

Temporary fix is to run

setenforce 0

You can permanently disable SELinux by opening “/etc/selinux/config”, changing “SELINUX=enforcing” to “SELINUX=disabled” and rebooting.


Renaming of x.x.x.x failed . Does your web server have permission to modify the rrd files?

It looks like there may be a bug where you try to change the IP of a device and get the above error.  The issue seems to have something to do with the IP address itself.  If you're trying to change the IP on a router that has multiple IP addresses, try a different one of its addresses in LibreNMS.


Allow WHM/cPanel ssh logins from specific IP addresses using iptables

For some reason the hosts.allow and hosts.deny files don’t seem to work on cPanel.  One of the alternative methods to limit ssh logins to specific addresses is to use iptables.

Allow access from specific IP addresses. 

Replace 192.168.1.0/24 and 192.168.0.0/24 with your addresses.  You can add more addresses, separated with “,”.  Also, if your ssh port is not the default port, be sure to change it.

iptables -A INPUT -s 192.168.1.0/24,192.168.0.0/24 -p tcp --dport 22 -j ACCEPT

Reject access from everywhere else

iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j REJECT

You can see your rules with

iptables -L --line-numbers

If you need to add another rule after the fact, make sure it goes above the REJECT rule, since rules are matched in order.  You can use “-I” to insert it between existing rules.

Example: inserts rule as the second rule in the INPUT chain

iptables -I INPUT 2 -s 192.168.42.0/24 -p tcp --dport 22 -j ACCEPT

Add, List, and Delete iptable rules

Add iptable rule

The following rule rejects access to port 22 on all devices except ones on the 192.168.1.0/24 network.  Note the “!”.  This command can be useful for a WHM/cPanel server to limit ssh access.

iptables -A INPUT ! -s 192.168.1.0/24 -p tcp --dport 22 -j REJECT

List iptable rules with line numbers

iptables -L --line-numbers

Example output

root@localhost [~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT tcp -- !192.168.1.11 anywhere tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere multiport dports smtp,urd,submission owner GID match mailman
2 cpanel-dovecot-solr all -- anywhere anywhere

Chain cpanel-dovecot-solr (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere multiport sports 8984,7984 owner UID match cpanelsolr

Remove iptable rule

To delete a rule, use the -D option with the chain and the line number.  So to delete the first rule in the example output above, we would specify the INPUT chain and line number 1

iptables -D INPUT 1
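The helper below (an added example, not from the original posts) parses `iptables -L --line-numbers` output to find the first REJECT or DROP rule for ssh on the INPUT chain and prints the `iptables -I` command that inserts a new ACCEPT above it, falling back to `-A` when no blocking rule exists yet. It covers both the "insert above the REJECT rule" advice and the line-numbered listing; the rule listings in the test are constructed from the sample output.

```shell
#!/bin/sh
# Added example, not from the original posts. Locate the first REJECT/DROP
# rule for a port on the INPUT chain in `iptables -L --line-numbers`
# output, so a new ACCEPT can be inserted above it rather than appended
# below it (where it would never be reached).

# Reads the listing on stdin. $1 is the dport label as iptables prints it
# ("ssh" without -n, "22" with -n). Prints the rule number, or nothing.
block_rule_position() {
    awk -v want="$1" '
        /^Chain / { chain = $2; next }   # track which chain we are in
        chain == "INPUT" && ($2 == "REJECT" || $2 == "DROP") \
            && $0 ~ ("dpt:" want "( |$)") { print $1; exit }
    '
}

# $1 = file holding the listing, $2 = source network to allow,
# $3 = dport label. Prints (does not run) the iptables command to add
# the ACCEPT rule in a position where it will actually match.
allow_ssh_cmd() {
    pos=$(block_rule_position "$3" < "$1")
    if [ -n "$pos" ]; then
        echo "iptables -I INPUT $pos -s $2 -p tcp --dport $3 -j ACCEPT"
    else
        echo "iptables -A INPUT -s $2 -p tcp --dport $3 -j ACCEPT"
    fi
}

# Usage: iptables -L --line-numbers > /tmp/rules; allow_ssh_cmd /tmp/rules 192.168.42.0/24 ssh
```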


Auto mount CIFS mount point on system startup on Ubuntu

Install CIFS utils

sudo apt-get install -y cifs-utils

You can manually test it with the following command.  Change the IP address, share path, mount point, username, and password.

mount.cifs //192.168.1.102/mount/point /mnt -o user=john,pass=password3,uid=john

Note that specifying the uid in the options allows that user to add, delete, and modify the files and folders under the mount point.

To auto mount on system startup, add the following line to /etc/fstab.  Change the share, mount point, username, password and uid as appropriate.

//192.168.1.102/mount/point   /mnt  cifs   user=john,pass=password3,uid=john   0   0

You can test it by mounting everything in fstab

sudo mount -a
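Because /etc/fstab is readable by every local user, putting pass= in it exposes the share password. The following POSIX shell helpers (an added example, not from the original post) write the username and password to a root-only credentials file and build the fstab line with mount.cifs's credentials= option instead; the file path and the _netdev option are choices made here, not something the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post. Keep the CIFS password out of
# the world-readable /etc/fstab by storing it in a mode-600 credentials
# file and referencing that file with mount.cifs's credentials= option.

# $1 = credentials file path, $2 = username, $3 = password, $4 = domain (optional)
write_cifs_credentials() {
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077
      {
          printf 'username=%s\npassword=%s\n' "$2" "$3"
          if [ -n "$4" ]; then printf 'domain=%s\n' "$4"; fi
      } > "$1" ) || return 1
    chmod 600 "$1"
}

# $1 = //server/share, $2 = mount point, $3 = credentials file,
# $4 = local user who should own the files (the uid= option from the post)
cifs_fstab_line() {
    printf '%s %s cifs credentials=%s,uid=%s,_netdev 0 0\n' "$1" "$2" "$3" "$4"
}

# Usage (as root):
#   write_cifs_credentials /root/.smbcredentials john password3
#   cifs_fstab_line //192.168.1.102/mount/point /mnt /root/.smbcredentials john >> /etc/fstab
```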

Setup SNMPv3 on ESXI VMware server

SSH into the VMware server

ssh root@vmwareserver

Set the auth and priv types

esxcli system snmp set -a MD5 -x AES128

Generate hashes

The hashes are needed to create the user.  Replace authpass and privpass with the passwords you want.

esxcli system snmp hash --auth-hash authpass --priv-hash privhash --raw-secret

Create user 

Replace authhash and privhash with the auth and priv hashes returned from the above command.

esxcli system snmp set -e yes -C contact@incredigeek.com -u snmpuser/authhash/privhash/priv


Single line Command

Change authpassword and privpassword to your authentication and privacy passwords, and contact@incredigeek.com to your contact address.  The auth and priv hashes are read from the output of the hash command (lines of the form "Authhash: <hex>" and "Privhash: <hex>") and passed to the final set command.

authpass="authpassword" && privpass="privpassword" && contact="contact@incredigeek.com" && esxcli system snmp set -a MD5 -x AES128 && hashes=$(esxcli system snmp hash --auth-hash "${authpass}" --priv-hash "${privpass}" --raw-secret) && authhash=$(echo "${hashes}" | awk '/Authhash/ {print $2}') && privhash=$(echo "${hashes}" | awk '/Privhash/ {print $2}') && esxcli system snmp set -e yes -C "${contact}" -u "snmpuser/${authhash}/${privhash}/priv"


View SNMP Configuration

esxcli system snmp get

Basic MongoDB commands

Connect to Mongo database

mongo

Connect to Mongo on a different port (may be needed; 27117 is the port the UniFi server's MongoDB listens on)

mongo --port 27117

Show Databases

show dbs

Use database

use dbname

Show tables/collections

show collections

or

show tables

List contents of table/collection

db.collection.find()

Example: (This example prints everything in the “admin” collection)

db.admin.find()

Find the entry whose name is admin

db.admin.find({ name : "admin" })

Find everything in a table, but only print the columns named “name”, “email” and “x_shadow”

db.admin.find({ }, { name : 1, email : 1, x_shadow : 1 })

List users

show users

Authenticate

db.auth("username","password")

Insert into table/collection

d = {"data":"data"}
db.collection.insert(d)

Update a line, for example a user's password.  Swap out the ObjectId for the ID that mongo gives you when you list the admins or users.  You will also need to swap out the hash for the hash of the password you want.

db.admin.update({"_id" : ObjectId("a328bf90547ehc429a03ed85")}, {$set: { "x_shadow" : "$6$XB32GMXr$8dUt9huJzzL6O.gGZbs7QH1npldbzBzNDt/uUO1bI3b7Ij3YipgubtVHwincUUZjnDLh.KDI36uh2gUCID9yb1"}});

Example:

d = {"name":"admin","lang":"en_US","x_password":"password","time_created":"","last_site_name":"default"}
db.admin.insert(d)

Delete line from table/collection

db.collection.remove()

Example: (This will look for all the “rows” where the “name” is “admin” and remove them)

db.admin.remove({ name: "admin"})

UniFi Specific

The following commands are specifically for a UniFi server.

Show UniFi Sites

db.site.find().forEach(printjson);

Or

mongo --port 27117 ace --eval "db.site.find().forEach(printjson);"

Show UniFi admins

db.admin.find().forEach(printjson);

Or

mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"

Add extra drive to UniFi Video Controller

Find your disk drive using fdisk or some other utility.

fdisk -l

Example:

steve@ubuntu:~$ sudo fdisk -l
Disk /dev/sda: 32 GiB, 34359738368 bytes, 67108864 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xe96d30af

Device     Boot    Start      End  Sectors Size Id Type
/dev/sda1  *        2048 58720255 58718208  28G 83 Linux
/dev/sda2       58722302 67106815  8384514   4G  5 Extended
/dev/sda5       58722304 67106815  8384512   4G 82 Linux swap / Solaris


Disk /dev/sdb: 557 GiB, 598074195968 bytes, 1168113664 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
steve@ubuntu:~$

The drive is the 500GiB drive /dev/sdb

Create a partition on the drive.  Warning!  Be careful when formatting drives and make sure you don’t format the wrong one!

echo ';' | sfdisk /dev/sdb

You should now see the partition when you run fdisk -l again.  Note that sfdisk only writes the partition table; the new partition still needs a filesystem (the fstab entry below uses ext4) before it can be mounted.  If you run into issues mounting the drive, try partitioning and formatting it with a different utility, i.e. fdisk, cfdisk, gparted, etc.

steve@ubuntu:~$ sudo fdisk -l
Disk /dev/sdb: 557 GiB, 598074195968 bytes, 1168113664 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x717f99ba

Device     Boot Start        End    Sectors  Size Id Type
/dev/sdb1        2048 1168113663 1168111616  557G 83 Linux   <--New Partition
steve@ubuntu:~$

Create mount point

mkdir -p /video/mount/point

Now mount the partition

mount /dev/sdb1 /video/mount/point

Allow the unifi-video user to own the mount point

chown -R unifi-video /video/mount/point

Add the drive to /etc/fstab to auto mount on system bootup.

Change /dev/sdXx to your drive and /MOUNTLOCATION to your mount location.

echo "/dev/sdXx /MOUNTLOCATION ext4 rw,defaults 0 0" | sudo tee -a /etc/fstab

Example:

echo "/dev/sdb1 /video/mount/point ext4 rw,defaults 0 0" | sudo tee -a /etc/fstab

If you have issues running the above command, you can manually add it to the file with

sudo vi /etc/fstab

add the following line to the bottom of the file.  Change sdXx to your drive and /MOUNTLOCATION to the mount location of the drive.

/dev/sdXx /MOUNTLOCATION ext4 rw,defaults 0 0

You can reboot the system to make sure that the drive mounts properly.

Now you can log into the UniFi Video controller and set the Recording Path by going to Settings>SYSTEM CONFIGURATION>CONFIGURE and set the Recording Path to /video/mount/point

Tip. In the SYSTEM CONFIGURATION menu you can hover over the Disk and it’ll show you your total amount of recording space.