Pages

Monday, December 16, 2013

Exim cheat sheet

Exim is a powerful mail transfer agent (MTA) used on many Linux servers. When emails can't be delivered immediately, they get put into a "queue." Managing this queue is crucial for server health and ensuring mail delivery. This guide provides quick commands for common Exim queue tasks.


CLEARING THE EXIM MAIL QUEUE

Sometimes, you need to clear out stuck or unwanted emails from the queue.

  • Remove All Mails: This command directly deletes all files from the input directory of the Exim spool, effectively clearing the entire queue. rm -rf /var/spool/exim/input/*

  • Delete All Frozen Mails: Frozen emails are those that Exim has temporarily stopped trying to deliver due to issues. exim -bpr | grep frozen | awk {'print $3'} | xargs exim -Mrm Alternatively, a more concise command: exiqgrep -z -i | xargs exim -Mrm

  • Delete Frozen Mails Older Than a Day: This is useful for clearing old, stalled messages without affecting newer ones. The 86400 represents seconds (1 day). exiqgrep -zi -o 86400 | xargs exim -Mrm You can change 86400 to any number of seconds for a different time frame.

  • Clear Spam Mails: If your logs indicate messages are marked as [SPAM]. grep -R -l [SPAM] /var/spool/exim/msglog/*|cut -b26-|xargs exim -Mrm

  • Clear Frozen Mails (Based on Log Entry): grep -R -l '*** Frozen' /var/spool/exim/msglog/*|cut -b26-|xargs exim -Mrm

  • Clear Mails for Unverified Recipients: grep -R -l 'The recipient cannot be verified' /var/spool/exim/msglog/*|cut -b26-|xargs exim -Mrm

  • Remove Mails from a Specific Sender (e.g., 'root'): Replace "" with the sender's email address or username, for example, root@yourhostname. exim -bp |grep ""|awk '{print $3}'|xargs exim -Mrm

  • Remove 'nobody' Mails: These often come from scripts. Replace HOSTNAME with your server's hostname.

    • From a specific sender (nobody@HOSTNAME): exiqgrep -i -f nobody@HOSTNAME | xargs exim -Mrm

    • For a specific recipient/domain (nobody@HOSTNAME): exiqgrep -i -r nobody@HOSTNAME | xargs exim -Mrm

  • Delete Mails for a Specific Domain: Replace yourdomain.com with the actual domain. exim -bp | grep "yourdomain.com" | awk {'print $3'} | xargs exim -Mrm


DELIVERING MAILS FROM THE QUEUE

If emails are stuck but should be delivered, you can force a delivery attempt.

  • Force Deliver All Mails: This command attempts to deliver all messages in the queue. The -P 40 option attempts 40 deliveries in parallel. exim -bpru |awk '{print $3}' | xargs -n 1 -P 40 exim -v -M

  • Flush the Mail Queue (Force Another Run): This tells Exim to process the queue again. exim -qff Alternatively: /usr/sbin/exim -qff exim -qf

  • Force Deliver Mails of a Particular Domain: Replace domain.com with the target domain. exim -v -Rff domain.com

  • Force Deliver a Specific Message: Replace MSGID with the message's unique ID. exim -M MSGID To view the transaction during delivery: exim -v -M MSGID


CHECKING THE EXIM MAIL QUEUE STATUS

These commands help you monitor the queue and inspect individual messages.

  • Exim Queue Summary: Provides details like count, volume, oldest, newest message, and domain breakdown. exim -bp | exiqsumm

  • Number of Frozen Mails: exim -bpr | grep frozen | wc -l

  • Total Number of Mails in Queue: exim -bpr | grep "<" | wc -l A simpler alternative: exim -bpc

  • View Mail in Queue for a User/Sender: Replace $name with the username or email address. exim -bp|grep $name

  • Check All Mails in the Queue: This lists all messages and their IDs. exim -bp

  • View Log for a Message: Replace message ID with the actual ID. exim -Mvl message ID

  • View Message Header: Replace $MSGID with the message ID. exim -Mvh $MSGID

  • View Message Body: Replace $MSGID with the message ID. exim -Mvb $MSGID


ADVANCED EXIM TOOLS

  • Simulate SMTP Transaction: This command helps debug Exim's checks, ACLs (Access Control Lists), and filters without actually sending a mail. Replace 127.0.0.1 with the IP you want to simulate from. exim -bh 127.0.0.1

  • Most Used Mailing Script Locations: This can help identify scripts sending a lot of mail. grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

  • Check Syntactic Errors in Configuration: Use this when modifying Exim's configuration file. exim -C /config/file.new -bV

Wednesday, December 11, 2013

Understanding Mod_Security Database Connection Issues

You've encountered an error stating that the Mod_Security plugin can't connect to its database. Specifically, it's an "Access denied" error for the user 'modsec'@'localhost', even though a password was provided. This usually means the password Mod_Security is using to connect to the database is incorrect or the database user doesn't have the right permissions.


WHY THIS MATTERS

Mod_Security is a web application firewall that helps protect your website from various attacks. If it can't connect to its database, it might not be able to log security events or function correctly, leaving your website vulnerable.


HOW TO FIX IT

There are two main steps to resolve this, focusing on ensuring the 'modsec' user can properly access the 'modsec' database.

  1. Find the Correct Password Mod_Security is Using:

    The error indicates Mod_Security is trying to connect with a specific password. You need to find out what password it's actually configured to use.

    • Action: Run the following command in your server's terminal:

      grep dbpassword /etc/cron.hourly/modsecparse.pl
      
    • Explanation: This command searches a common Mod_Security configuration file (modsecparse.pl) for the line containing dbpassword. This line will reveal the password that Mod_Security is currently trying to use for its database connection. Let's say the output of this command shows the password is 'odu6lGYKAIyP'.

  2. Grant the Correct Permissions to the Database User:

    Once you know the password Mod_Security is configured with, you need to ensure the 'modsec' database user has the correct password and permissions in MySQL.

    • Action: Log into your MySQL server (as a root user or a user with sufficient privileges) and execute the following command. Replace 'odu6lGYKAIyP' with the actual password you found in the previous step.

      SQL
      GRANT ALL ON modsec.* TO 'modsec'@localhost IDENTIFIED BY 'odu6lGYKAIyP';
      FLUSH PRIVILEGES;
      
    • Explanation:

      • GRANT ALL ON modsec.*: This gives the 'modsec' user all permissions on all tables within the modsec database.

      • TO 'modsec'@localhost: Specifies that these permissions apply to the user 'modsec' when connecting from the 'localhost' (meaning from the same server).

      • IDENTIFIED BY 'odu6lGYKAIyP': Sets or updates the password for the 'modsec' user to 'odu6lGYKAIyP'. It's crucial that this password matches what Mod_Security is configured to use.

      • FLUSH PRIVILEGES;: This command reloads the grant tables in MySQL, applying the new permissions immediately.

Tuesday, December 10, 2013

Nagios- Setting up

This guide explains how to set up a client server to be monitored by Nagios. We'll cover installing the necessary Nagios plugins and the NRPE (Nagios Remote Plugin Executor) agent, which allows the Nagios server to run checks on the client.


PREREQUISITES

Before you start, make sure you have:

  • A Linux-based client server.

  • Root access or sudo privileges.

  • Basic understanding of the Linux command line.


INSTALLING NAGIOS PLUGINS

Nagios plugins are scripts that perform checks on various aspects of your server, like disk space, CPU usage, or running services.

  1. Prepare the Environment:

    • Navigate to a temporary directory: cd /usr/local/src/

    • Create a directory for Nagios files: mkdir nagios

    • Move into the new directory: cd nagios

    • Create a nagios user: useradd nagios

  2. Download and Extract Plugins:

    • Download the plugins: wget http://pkgs.fedoraproject.org/repo/pkgs/nagios-plugins/nagios-plugins-1.4.16.tar.gz/862f5e44fb5bc65ce7e5d86d654d4da0/nagios-plugins-1.4.16.tar.gz

    • Extract the downloaded file: tar -xzf nagios-plugins-1.4.16.tar.gz

    • Change into the extracted directory: cd nagios-plugins-1.4.16

  3. Compile and Install Plugins:

    • Set a required environment variable: export LDFLAGS=-ldl

    • Configure the installation: ./configure --with-nagios-user=nagios --with-nagios-group=nagios --enable-redhat-pthread-workaround --enable-ssl

    • Compile the plugins: make

    • Install them: make install

    • Go back to the parent directory: cd ..


INSTALLING NRPE (NAGIOS REMOTE PLUGIN EXECUTOR)

NRPE allows your Nagios server to execute the plugins you just installed on this client.

  1. Download and Extract NRPE:

    • Download NRPE: wget http://sourceforge.net/projects/nagios/files/nrpe-2.x/nrpe-2.13/nrpe-2.13.tar.gz/download

    • Extract the file: tar -xzf nrpe-2.13.tar.gz

    • Change into the extracted directory: cd nrpe-2.13

  2. Compile and Install NRPE:

    • Configure NRPE: ./configure

    • Compile all components: make all

    • Install the NRPE plugin for the Nagios server (even though this is a client, it's good practice): make install-plugin

    • Install the NRPE daemon (the service that runs on the client): make install-daemon

    • Install the default NRPE configuration file: make install-daemon-config

    • Install NRPE to run under xinetd (a service that manages other services): make install-xinetd


CONFIGURE XINETD AND NRPE

NRPE often runs through xinetd, which listens for incoming connections and starts the NRPE daemon when needed.

  1. Install and Restart Xinetd:

    • Install xinetd if it's not already present: yum install xinetd (or apt-get install xinetd for Debian/Ubuntu)

    • Restart xinetd to apply changes: service xinetd restart

  2. Add NRPE Service to System Services:

    • Add the NRPE service and its default port (5666) to the /etc/services file: echo "nrpe 5666/tcp # NRPE" >> /etc/services


FIREWALL CONFIGURATION

You need to open port 5666 on the client's firewall so the Nagios server can communicate with NRPE.

  • For CSF (Config Server Firewall) Users:

    • Edit the CSF configuration file: /etc/csf/csf.conf

    • Find the TCP_IN section and add 5666 to the list of allowed incoming TCP ports.

    • Restart CSF: This usually involves csf -r or service csf restart.


NRPE CONFIGURATION AND SECURITY

You must specify which Nagios servers are allowed to connect to this NRPE agent.

  • Allow Nagios Server IP:

    • Edit the xinetd configuration for NRPE: /etc/xinetd.d/nrpe

    • Edit the main NRPE configuration file: /usr/local/nagios/etc/nrpe.cfg

    • In both files, locate the allowed_hosts directive and add the IP address of your Nagios monitoring server. For example: allowed_hosts = 127.0.0.1, <YOUR_NAGIOS_SERVER_IP>


SETTING A PASSWORD FOR THE NAGIOS USER (Optional but Recommended)

It's good practice to set a password for the nagios user created earlier.

  • Set password: passwd nagios


NAGIOS SERVER CONFIGURATION EXAMPLE (for MySQL Monitoring)

This section shows an example of how you would configure a service check on your Nagios server to monitor a MySQL database on this client. This is done on the Nagios server, not the client.

define service{
    use                     local-service       ; Name of service template to use
    host_name               sample.example.com  ; The hostname of your client server
    service_description     mySQL               ; A description of the service being monitored
    is_volatile             0
    check_period            24x7
    max_check_attempts      20
    normal_check_interval   5                   ; Check every 5 minutes
    retry_check_interval    1                   ; Retry every 1 minute on failure
    notification_options    w,u,c,r             ; Notify on warning, unknown, critical, recovery
    notification_interval   960                 ; Notify every 960 minutes (16 hours)
    notification_period     24x7
    check_command           check_mysql!nagios!password@666# ; The command to run, 
                    ;including username and password
}

Note: Replace sample.example.com with your client's hostname and adjust nagios and password@666# if your MySQL user or password differs.