  AMD Phreak Premium join:2003-12-14
1 edit | CactiEZ w/Nagios
To anyone that is attempting to run Nagios from the latest CactiEZ bundle:
You need to add the user apache to the group nagios in order to allow Nagios to process your commands. For example if you are acknowledging a service is down, or forcing a check, disabling a check and so on. Failure to do this will result in errors being generated. -- "No job is so important, and no service is so urgent that we cannot take the time to do it safely." -- AT&T |
|
  IntraLink Premium,MVM join:2002-08-14 Utah Valley | Thanks, we are thinking of setting this up.
Is this on Linux image or Windows?
We're thinking linux in VM. |
|
  AMD Phreak Premium join:2003-12-14
| This is Linux. I had a machine that was kicking around so I just downloaded the ISO from the Cacti site. The base OS is CentOS, aka Red Hat. |
|
 dusty1300
join:2007-02-20 Mason City, IA
| reply to AMD Phreak Just a heads up, if you put up a Cacti site, make sure it isn't addressable from the outside world. I made this mistake and twice my server running Cacti got hacked before I ever knew about the security breaches with it. Don't make the same mistake I did.
I'm in the process of setting up a vmware machine using Nagios and Groundwork. So far it is pretty good. I used CentOS as the host for the VMware. This is my first venture into virtualization, so it is taking me a while, but it seems like the way to go.
Tom |
|
  AMD Phreak Premium join:2003-12-14 | Can you speak of the security problems that you had with the site being publicly accessible? |
|
 dusty1300
join:2007-02-20 Mason City, IA
| reply to AMD Phreak Here is the latest one that I have:
»www.securityfocus.com/bid/21799
I stopped using it, I was kinda upset. I was hacked, and the next day I got the security report.
Tom |
|
  AMD Phreak Premium join:2003-12-14
| Looks like the exploit is just a php exploit. I already saw this once before (the security bulletin). The latest release of CactiEZ already includes the most recent release of Cacti which has been patched to prevent this problem. You should be ok running CactiEZ on a public box.
As always, firewall your machine. CactiEZ has a firewall on by default. It can be managed by using the webmin interface for those not comfortable dealing with the shell. |
|
 dusty1300
join:2007-02-20 Mason City, IA
| reply to AMD Phreak This was not the first exploit of Cacti and I would have to assume it won't be the last. I got burned on the first one as well. My problem is that I had it on a public web server with other sites. I didn't password protect the site using htaccess or anything, and the firewall had to let port 80 through for the other sites. In hindsight, I could have given it a private ip address to use in my apache config and it wouldn't have been a problem. Live and learn. Just make sure it isn't publicly addressable by those you don't want to have access to it.
I second the webmin interface. I wouldn't be without it for years now.
Tom |
|
  AMD Phreak Premium join:2003-12-14 | So you did not use the normal authentication screen that came with Cacti? |
|
 dusty1300
join:2007-02-20 Mason City, IA
| reply to AMD Phreak The exploit didn't require a login to do it. It would happen by putting in a long injection type command. The main screen was password protected. They have fixed the exploit, but they seem to happen all the time for lots of products. I would make sure to subscribe to security focus and look at the list when it comes out and see if you have products on it. I would be cautious of any site that runs on php. At least that is my experience.
Tom |
|
 Keithb
join:2003-09-16 US | Yea, we've run into sql injection issues with forms or login forms. They can be very dangerous if not coded properly. |
|
  AMD Phreak Premium join:2003-12-14
| reply to dusty1300 Sounds good. I am familiar with injection exploits. When I was in school we played around with sql and php injection during class one night. |
|
  AMD Phreak Premium join:2003-12-14
4 edits | reply to AMD Phreak Forgot to add in after setting permissions like I stated, you need to do the following:
chown nagios.nagios /var/log/nagios/rw
chmod u+rwx /var/log/nagios/rw
chmod g+rwx /var/log/nagios/rw
chmod g+s /var/log/nagios/rw
Change the Nagios admin password: htpasswd /etc/nagios/htpasswd.users nagiosadmin
It will prompt you for a new password. Enter it now, twice
Create a user that you can use to log into nagios with:
htpasswd -c /etc/nagios/htpasswd.users
Again, it will prompt for a password. Update the access in the cgi.cfg file to add the new users so that they can view/change things as you want. Search the file for the main account, nagiosadmin and you will find the places where you need to look.
I have created a script automating this, because I will not remember it 3 months down the road!
#!/bin/bash
#
# This script creates a new user for Nagios.
# It can only be run by root.

# Let's first take input and put it into a variable
echo -n "Enter new user name for Nagios:"

# This puts it into the variable theUserName
read theUserName

# Now let's do some error checking. If the user does not input
# anything, i.e. it's a blank user, then it errors out.
if [ "$theUserName" = "" ]; then
    echo "You must not have a blank user name. Try again!"
else
    # If it's anything but blank, then the user name is put into the variable
    # and it is passed on to processing.
    # The dollar sign is used to call the variable.
    # No -c here: -c creates a new password file and would wipe the existing users.
    htpasswd /etc/nagios/htpasswd.users "$theUserName"

    # And now we finish!
fi
Save this in /usr/bin so that when you ascend into root (you su) you have access to it.
Now change ownership to root: chown root
And set permissions: chmod 100
Special thanks to my buddy doubleG for explaining how to take input from a user when writing a shell script. |
|
  AMD Phreak Premium join:2003-12-14
| Update:
On the configuration of Cacti: Had some issues getting the dBm to graph. A search over at Motorola's site came up with the following:
Console -> Graph Templates -> Motorola Canopy power level (dbm) ->
Delete the "1" from Unit Grid Value and make sure the box is not checked. Click save.
Reference Link:»motorola.canopywireless.com/supp···ht=cacti --Safety One Tower Rescue Certified |
|
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| reply to AMD Phreak An excellent way to protect your Cacti installation is to add .htaccess auth in front of the whole thing, which requires the user pass an HTTP authentication test before getting anywhere near possibly-buggy PHP code. Then you will be completely immune from drive-by autobots.
Steve -- Stephen J. Friedl Unix Wizard Microsoft Security MVP Tustin, California USA my web site |
|
  AMD Phreak Premium join:2003-12-14
1 edit | Actually I had my original cacti machine secured that way.
You had to auth using the .htaccess and then it opened a page giving you the option to view cacti or nagios. With CactiEZ, I can't get that done. Probably my ineptitude with apache stuff. I move the cacti stuff (as I did on my other cacti machine that was Debian based) to a folder further in the html folder and it hoses the graphs. |
|
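Added example, not part of the original thread: one way to apply the two suggestions made above (HTTP authentication in front of Cacti, and keeping it off public addresses) from the server configuration, so the Cacti files do not have to be moved. It uses Apache 2.4 syntax; the file name, the install path /var/www/html/cacti, the password file and the 192.168.0.0/16 range are assumptions to adapt.

```apache
# /etc/httpd/conf.d/cacti-auth.conf  (hypothetical file name)
#
# Weak setup, as described earlier in the thread: Cacti sits under a
# public virtual host with no Apache-level access control, so any
# client can reach the PHP scripts before Cacti's own login runs.
#
#   <Directory "/var/www/html/cacti">
#       Require all granted
#   </Directory>

# Hardened setup. /var/www/html/cacti is an assumed install path.
<Directory "/var/www/html/cacti">
    # Basic auth sends the password base64-encoded, not encrypted,
    # so refuse plain-HTTP requests (needs mod_ssl).
    SSLRequireSSL

    AuthType Basic
    AuthName "Network monitoring"
    # Assumed password file, kept outside the document root.
    # Created with: htpasswd -c /etc/httpd/cacti.htpasswd <username>
    AuthUserFile "/etc/httpd/cacti.htpasswd"

    # Both conditions must hold: a valid login AND a client address
    # in the management range (example range, adjust to your network).
    <RequireAll>
        Require valid-user
        Require ip 192.168.0.0/16
    </RequireAll>
</Directory>

# Apache 2.2 equivalent of the <RequireAll> block:
#   Order deny,allow
#   Deny from all
#   Allow from 192.168.0.0/16
#   Require valid-user
#   Satisfy All
```

The same directives work in a .htaccess file inside the Cacti directory when the server config sets AllowOverride AuthConfig for it. Run apachectl configtest before reloading Apache.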