Setup Linux ODBC database connections into Microsoft SQL  


In this example I am using CentOS 6 (x86_64) to connect to my Microsoft SQL Server database server.

yum install php php-odbc wget gcc php-pear php-pecl-apc php-xml php-xmlrpc php-intl php-tidy php-imap php-pecl-memcache

 

Grab the client from Microsoft

wget http://download.microsoft.com/download/6/A/B/6AB27E13-46AE-4CE9-AFFD-406367CADC1D/Linux6/sqlncli-11.0.1790.0.tar.gz

tar xvf sqlncli-11.0.1790.0.tar.gz

cd sqlncli-11.0.1790.0
 ./build_dm.sh

 

build_dm.sh downloads and builds the unixODBC 2.3.0 driver manager under a temporary directory and prints that path when it finishes. Change into the directory it reports (the numbers in the name differ on every run) and install it:

cd /tmp/unixODBC.5996.21582.3453/unixODBC-2.3.0

make install

cd /path_to_sql_client_download/sqlncli-11.0.1790.0

./install.sh install --lib-dir=/usr/local/lib64 --accept-license

 

Now that I have installed the Microsoft ODBC client, I edit /etc/odbc.ini and set up a DSN:

 

nano /etc/odbc.ini

[MyDSNName]
 Driver=SQL Server Native Client 11.0
 Description=Database
 Trace=No
 Server=172.17.17.234,1433
 Database=database1
 MARS_Connection=yes

Three things to check in this file. The Driver= value must match, character for character, a [section] name in /etc/odbcinst.ini, which install.sh writes; odbcinst -q -d lists the registered names. The sqlncli 11.0 package installed above registers itself as "SQL Server Native Client 11.0"; "ODBC Driver 13 for SQL Server" is the name used by the later msodbcsql package, so use that name only if that is the driver you actually installed. The port is given together with the server as host,port. Finally, do not put the SQL login and password in odbc.ini: keys such as MSSqlUser and MSSqlUserPassword are not ODBC keywords and are ignored, and /etc/odbc.ini is normally world-readable, so anyone with a shell on the box could read them. Pass the credentials at connect time instead (isql takes them as arguments, and PHP's odbc_connect() takes them as parameters), and use a least-privilege login for the application rather than sa. Leave Trace=No outside of debugging; with tracing on the driver writes every statement and result to its trace file.

Test the DSN with isql, passing the SQL login and password as the last two arguments (shown here as placeholders):

isql -v MyDSNName <sql_login> <password>

I also had to restart Apache so the new modules were loaded for database access from my web page:

service httpd restart
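An added example, not part of the original page: a small shell audit of /etc/odbc.ini against /etc/odbcinst.ini that catches the three problems discussed above (a Driver= name that is not registered, tracing left on, and credentials stored in the DSN) plus a world-readable DSN file. The file paths are arguments; the ini contents used when trying it out are constructed.

```sh
#!/bin/sh
# Added example (not from the original page): audit unixODBC DSN definitions.
# audit_odbc ODBC_INI ODBCINST_INI
#   Prints one finding per line; returns 0 when the file is clean, 1 otherwise.
audit_odbc() {
    odbc_ini="$1"
    inst_ini="$2"
    findings=$(
        awk -v inst="$inst_ini" '
            BEGIN {
                # Driver names registered by the installer are the [section] headers
                while ((getline line < inst) > 0)
                    if (line ~ /^\[/) { n = line; sub(/^\[/, "", n); sub(/\].*$/, "", n); drivers[n] = 1 }
                close(inst)
            }
            /^\[/ { dsn = $0; sub(/^\[/, "", dsn); sub(/\].*$/, "", dsn); next }
            /^[ \t]*([;#]|$)/ { next }               # comments and blank lines
            {
                eq = index($0, "="); if (eq == 0) next
                key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
                val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
                lk = tolower(key)
                # A Driver= name must match a registered driver (a path to the .so is also valid)
                if (lk == "driver" && val !~ /^\// && !(val in drivers))
                    print dsn ": Driver \"" val "\" is not registered in " inst
                # Trace=Yes makes the driver log every statement and result set to disk
                if (lk == "trace" && tolower(val) ~ /^(yes|on|1)$/)
                    print dsn ": Trace is enabled; disable it outside of debugging"
                # Credentials do not belong in a system-wide DSN file
                if (lk ~ /(password|pwd)/)
                    print dsn ": credential stored in DSN key " key "; pass it at connect time"
            }
        ' "$odbc_ini"
        # The DSN file is usually world-readable, which matters once secrets end up in it
        if [ -n "$(find "$odbc_ini" -perm -004)" ]; then
            echo "$odbc_ini is world-readable"
        fi
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run directly as: audit_odbc.sh [/etc/odbc.ini [/etc/odbcinst.ini]]
if [ "$#" -gt 0 ]; then
    audit_odbc "${1:-/etc/odbc.ini}" "${2:-/etc/odbcinst.ini}"
fi
```

A non-zero exit with the findings printed makes it usable from a configuration-management post-deploy hook as well as by hand.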

Cisco ASA site to site VPN

Setup ASA Site to Site VPN:

This is a guide to setting up a Cisco ASA site-to-site VPN. I am connecting out to a remote peer of 1.1.1.1; in reality this will be your remote public IP.

Set up your IPsec proposals. The list below mirrors the ASA defaults and includes DES, 3DES and MD5, all of which are deprecated; since the peer can negotiate any proposal you list, trim the list to the AES proposals with SHA integrity (and to a single one, such as AES256, if the other side supports it).

crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
 crypto ipsec security-association pmtu-aging infinite

!
 crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
 crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
 crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
 crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

 

Now create the access list that defines the interesting traffic, local network to remote network. The object names used here must already exist as network objects. In this case I've called it WAN_cryptomap_3:

access-list WAN_cryptomap_3 extended permit ip object 192.168.1.0 object 192.168.17.0_24

Now create the site-to-site policy and enter the public address you want to set up your tunnel to. In this case I am using a dummy IP of 1.1.1.1 as I don't want to give out my real public addresses; 1.1.1.1 is the public address of the peer. You need to reference the access list you created beforehand (WAN_cryptomap_3).

crypto map WAN_map 3 match address WAN_cryptomap_3
 crypto map WAN_map 3 set peer 1.1.1.1
 crypto map WAN_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
 crypto map WAN_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

The ikev1 transform-set names in the crypto map must exist in the running config (show run crypto ipsec lists them); the two ...-TRANS sets defined earlier are transport-mode sets, which are not what a site-to-site tunnel between two networks needs, and the map does not reference them. Now create the IPsec policies for the pre-shared key and connection attributes, i.e. encryption, lifetime etc. Use a long random pre-shared key; a short or guessable one is the weakest part of the whole setup.

group-policy GroupPolicy_1.1.1.1 internal
 group-policy GroupPolicy_1.1.1.1 attributes
  vpn-tunnel-protocol ikev1 ikev2

tunnel-group 1.1.1.1 type ipsec-l2l
 tunnel-group 1.1.1.1 general-attributes
  default-group-policy GroupPolicy_1.1.1.1
 tunnel-group 1.1.1.1 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****

 crypto ca trustpool policy
 crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400

Diffie-Hellman groups 2 and 5 (1024- and 1536-bit MODP) are weak by current standards; if the peer supports it, use group 14 or higher, or an ECDH group (19 or 20), and sha256 rather than sha for integrity and prf. The policy only needs to list what the peer is actually configured with.

Lastly you need a NAT exemption (identity NAT) so the firewall does NOT translate traffic between the local and remote networks; without it the packets never match the crypto ACL. Check the first interface in the pair: it must be the interface the 192.168.1.0 network lives behind (typically inside), so (inside,WAN) is the usual form; (WAN,WAN) as written below only fits if the local network really sits behind the WAN interface.

nat (WAN,WAN) source static 192.168.1.0 192.168.1.0 destination static 192.168.17.0_24 192.168.17.0_24 no-proxy-arp route-lookup

Setup SSH to Cisco router / switch / ASA

Using your Telnet session or console session do the following. This is IOS syntax for routers and switches; on an ASA the equivalents are domain-name, crypto key generate rsa modulus 2048, ssh <network> <mask> <interface> to permit the management hosts, and aaa authentication ssh console LOCAL for local logins.

cisco(config)# hostname <name>
 cisco(config)# ip domain-name <domain>
 cisco(config)# crypto key generate rsa modulus 2048
 cisco(config)# ip ssh version 2

 

Now that the SSH keys have been generated you can restrict the VTY (virtual terminal) lines to SSH, which disables Telnet on them. I have also set the login to 'login local', so make sure you have created a local user (username <name> privilege 15 secret <password>) before you disconnect, or you will lock yourself out.

line vty 0 4
 transport input ssh
 login local

 

Reset SSH (RSA) keys

There may be times when you need to reset the SSH keys. This command removes the current RSA key pair so you can generate a new one with crypto key generate rsa; until you do, the SSH server is disabled, so run it from the console or keep your current session open. Clients that saved the old host key will warn about the change.

cisco(config)# crypto key zeroize rsa

 

How to create a sub-interface on ASA firewall


This is handy when you run out of physical interfaces but need more subnets: one physical interface is carved into several sub-interfaces, each receiving the traffic for one 802.1Q VLAN tag.

ASA Config:

interface GigabitEthernet0/1
 duplex full
 no nameif
 no security-level
 no ip address

interface GigabitEthernet0/1.205
 description Department1
 vlan 205
 nameif 205
 security-level 100
 ip address 10.1.1.254 255.255.255.0

interface GigabitEthernet0/1.200
 description Department2
 vlan 200
 nameif 200
 security-level 95
 ip address 10.2.2.254 255.255.255.0

interface GigabitEthernet0/3
 duplex full
 no nameif
 no security-level
 no ip address

interface GigabitEthernet0/3.201
 description Department3
 vlan 201
 nameif 201
 security-level 90
 ip address 10.3.3.254 255.255.255.0

interface GigabitEthernet0/3.202
 description Department4
 vlan 202
 nameif 202
 security-level 85
 ip address 10.4.4.254 255.255.255.0

I then link the firewall interfaces to the Cisco switch using trunk links, tagging all the VLANS I need

ASA – interface GigabitEthernet0/1 >> Cisco Switch interface GigabitEthernet1/0/47

ASA – interface GigabitEthernet0/3 >> Cisco Switch interface GigabitEthernet1/0/48

Switch config (plain spanning-tree portfast is ignored on trunk ports; the trunk keyword is needed for it to apply):

!
 interface GigabitEthernet1/0/47
  switchport trunk allowed vlan 200,205
  switchport mode trunk
  spanning-tree portfast trunk
 !
 interface GigabitEthernet1/0/48
  switchport trunk allowed vlan 201,202
  switchport mode trunk
  spanning-tree portfast trunk
 !

Assign end points to the correct VLAN

!
 interface GigabitEthernet2/0/3
  switchport access vlan 200
  spanning-tree portfast
 !
 interface GigabitEthernet2/0/4
  switchport access vlan 202
  spanning-tree portfast
 !

Change the native VLAN on the trunk links if you need to, and remember to add the native VLAN to the 'allowed vlan' list as well. Frames on the native VLAN cross the trunk untagged, so pick an otherwise unused VLAN for it rather than VLAN 1, and do not make it one of the VLANs the ASA sub-interfaces expect, since those only accept tagged frames.

!
 interface GigabitEthernet2/0/22
  switchport trunk native vlan 1010
  switchport trunk allowed vlan 200-205,1010
  switchport mode trunk
  spanning-tree portfast trunk
 !

restart postfix

#!/bin/bash
# Run from cron: restart the mail services only when the active queue is large
# and has not shrunk after two minutes, a sign that Postfix or Amavis is wedged.

OUR_QUEUE_LIMIT=150
ACTIVE_DIR="$(postconf -h queue_directory)/active"

# count_active prints the number of files in the active queue (0 if the dir is missing)
count_active() {
    if [ -d "$ACTIVE_DIR" ]; then
        find "$ACTIVE_DIR" -type f | wc -l
    else
        echo 0
    fi
}

START_QUEUE=$(count_active)

if [ "$START_QUEUE" -lt "$OUR_QUEUE_LIMIT" ]; then
    exit 0
fi

sleep 120

CURR_QUEUE=$(count_active)
if [ "$CURR_QUEUE" -ge "$START_QUEUE" ]; then
    /usr/sbin/restart-mail-services   # the second script below, installed under that name
fi
exit 0

 

#!/bin/bash

# Stop postfix (mail stops coming in and out when you do this)
 service postfix stop

# Run a cleanup after 30 seconds - this gives postfix time to finish any email it was busy with
 sleep 30

# Stop Amavis
 service amavis stop

# Purge old temporary files that are left over after system or software crashes
 postsuper -p

# Structure check and structure repair
 postsuper -s

# Restart Amavis
 service amavis start

# Give Amavis time to start - 15 seconds should do it
 sleep 15

# Now start postfix
 service postfix start

check_mk remote plugin – mrpe

  • Put the script on the remote server
  • install the check_mk_agent
  • create the dir /etc/check_mk
  • create the file /etc/check_mk/mrpe.cfg

In mrpe.cfg each line gives the check a service name followed by the command to run and its arguments. The command must behave like a Nagios plugin: one line of output and an exit code of 0, 1, 2 or 3 for OK, WARNING, CRITICAL or UNKNOWN.

 Postfix_Active_Q /usr/lib/check_mk_agent/postfix_queue -w 20 -c 100 -q active

That should be it!

Now run an inventory on the Check_MK server (cmk -I <host>) and it should pick up the check.
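The page does not show the postfix_queue script itself, so here is an added example of a check in the form MRPE expects (one status line with perfdata, Nagios exit code), written for this page rather than taken from it. The -w/-c/-q options mirror the mrpe.cfg line above; the make_fake_queue helper builds a throw-away queue directory with constructed files so the check can be tried without Postfix.

```sh
#!/bin/sh
# Added example (not the page's own postfix_queue script): an MRPE/Nagios-style
# check of a Postfix queue directory. Usage: postfix_queue -w WARN -c CRIT [-q QUEUE]

# count_queue DIR: number of queue files under DIR (0 if it does not exist)
count_queue() {
    if [ -d "$1" ]; then
        find "$1" -type f | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# check_queue QUEUE_ROOT WARN CRIT [QUEUE_NAME]
# Prints a single Nagios status line with perfdata and returns the Nagios exit
# code: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN (bad thresholds).
check_queue() {
    root="$1"; warn="$2"; crit="$3"; q="${4:-active}"
    case "$warn:$crit" in
        *[!0-9:]*|:*|*:) echo "UNKNOWN - -w and -c must be integers"; return 3 ;;
    esac
    n=$(count_queue "$root/$q")
    perf="queue_$q=$n;$warn;$crit;0"
    if [ "$n" -ge "$crit" ]; then
        echo "CRITICAL - $n messages in $q queue|$perf"; return 2
    elif [ "$n" -ge "$warn" ]; then
        echo "WARNING - $n messages in $q queue|$perf"; return 1
    fi
    echo "OK - $n messages in $q queue|$perf"
    return 0
}

# make_fake_queue N: builds a throw-away queue root with N empty files in active/
# (constructed test data so the check can be exercised without Postfix)
make_fake_queue() {
    root=$(mktemp -d)
    mkdir -p "$root/active"
    i=0
    while [ "$i" -lt "$1" ]; do
        i=$((i + 1))
        : > "$root/active/$i"
    done
    echo "$root"
}

# When invoked with arguments, run against the real Postfix queue directory
# (this is the form the mrpe.cfg line calls).
if [ "$#" -gt 0 ]; then
    w=20; c=100; q=active
    while getopts 'w:c:q:' opt; do
        case "$opt" in
            w) w="$OPTARG" ;;
            c) c="$OPTARG" ;;
            q) q="$OPTARG" ;;
            *) echo "UNKNOWN - usage: -w WARN -c CRIT [-q QUEUE]"; exit 3 ;;
        esac
    done
    check_queue "$(postconf -h queue_directory)" "$w" "$c" "$q"
    exit $?
fi
```

Because the queue directory is only readable by root and the postfix group, the check_mk agent (or the plugin via sudo) needs the matching privilege; a missing directory is reported as 0 messages rather than as an error so that a permissions problem shows up as a suspiciously flat graph instead of silently failing.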

Mondo Setup

Mondo is a great Linux backup utility, here are my installation and usage notes

Install Mondo

[root@server1-imetal ~]# cat /scripts/runbackup-full
 #!/bin/bash

mkdir -p /mnt/backup-share/`date +%F`-full
 mondoarchive -Oi -F -d /mnt/backup-share/`date +%F`-full -S /home/mondo-scratch -T /home/mondo-scratch -E '/mnt/backup-share' -s 4300m -p imetal-full
 [root@server1-imetal ~]# cat /scripts/runbackup-differential
 #!/bin/bash

mkdir -p /mnt/backup-share/`date +%F`-differential
 mondoarchive -D -Oi -F -d /mnt/backup-share/`date +%F`-differential -S /home/mondo-scratch -T /home/mondo-scratch -E '/mnt/backup-share' -s 4300m -p imetal-differential

[root@server1-imetal ~]#

Cron

###### MONDO BACKUPS

0 19 * * 0 root /scripts/runbackup-differential
 0 19 * * 6 root /scripts/runbackup-differential
 0 19 * * 5 root /scripts/runbackup-full
 0 19 * * 4 root /scripts/runbackup-differential
 0 19 * * 3 root /scripts/runbackup-differential
 0 19 * * 2 root /scripts/runbackup-differential
 0 19 * * 1 root /scripts/runbackup-differential
 [root@server1-imetal ~]#

mailq – delete domain

mailq | awk '/^[0-9A-Za-z][0-9A-Za-z]*.*@error\.mag2\.com$/ {print $1}' | tr -d '*!' | postsuper -d -

 

Where error.mag2.com is the sender domain you wish to purge: the pattern anchors on the end of the queue-ID line, whose last field is the sender address, so it does not match recipient lines. Escape the dots or the pattern also matches unrelated names, and strip both the '*' (active) and '!' (on hold) markers that mailq appends to queue IDs. This works pretty well. I may whip up a bash script to handle this in the future.

For reference, the worst offenders are:

  1. magerr.combzmail.jp
  2. prjapanmail.jp
  3. error.mag2.com
  4. accessmail.jp
  5. mayld.net

Also, to delete items from the queue(s) based on the recipient address (this is the recipe from the postsuper man page; the grep drops the "(reason)" lines that would otherwise shift the field positions, and it only matches messages with that single recipient):

mailq | tail -n +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" } { if ($8 == "toaddy@domain.com" && $9 == "") print $1 }' | tr -d '*!' | postsuper -d -
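An added example (not from the original page) that does the same selection as the two one-liners above but parses mailq output record by record, so messages that carry a "(reason)" line or several recipients are matched correctly. SAMPLE_MAILQ is constructed data in mailq's output format; purge_queue is the only part that touches a live queue.

```sh
#!/bin/sh
# Added example (not from the original page): select Postfix queue IDs from
# mailq output by sender domain or by recipient, without relying on fixed
# field positions, so records with a deferral reason line are handled too.

# Constructed sample of mailq output, in the format Postfix prints:
# a queue-ID line (ID, size, arrival time, sender), an optional "(reason)" line,
# then one indented line per recipient, records separated by a blank line.
SAMPLE_MAILQ=$(cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    1234 Mon Jan  1 10:00:00  bounce@error.mag2.com
                                         user1@example.com

F6E7D8C9B0     2345 Mon Jan  1 10:01:00  alice@example.org
(connect to mx.example.net[192.0.2.1]:25: Connection timed out)
                                         toaddy@domain.com

0123456789!    3456 Mon Jan  1 10:02:00  bob@prjapanmail.jp
                                         toaddy@domain.com
                                         other@domain.com

-- 7 Kbytes in 3 Requests.
EOF
)

# list_queue_ids MODE VALUE  (mailq output on stdin)
#   MODE "sender-domain": records whose sender is @VALUE (case-insensitive)
#   MODE "recipient":     records with VALUE among the recipients
# Prints matching queue IDs one per line, with the '*' (active) and
# '!' (on hold) status markers stripped so postsuper accepts them.
list_queue_ids() {
    awk -v mode="$1" -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        function flush() { if (id != "" && hit) print id; id = ""; hit = 0 }
        # Queue-ID line: ID[*|!] size arrival-time sender
        /^[0-9A-Za-z]+[*!]?[ \t]+[0-9]+[ \t]/ {
            flush()
            id = $1; sub(/[*!]$/, "", id)
            split($NF, addr, "@")
            if (mode == "sender-domain" && tolower(addr[2]) == want) hit = 1
            next
        }
        # Indented line = recipient address; "(...)" lines are deferral reasons
        /^[ \t]+[^ \t(]/ {
            if (mode == "recipient" && tolower($1) == want) hit = 1
            next
        }
        END { flush() }
    '
}

# purge_queue MODE VALUE: delete the matching messages (run as root on the MTA)
purge_queue() {
    mailq | list_queue_ids "$1" "$2" | postsuper -d -
}

if [ "$#" -eq 2 ]; then
    purge_queue "$1" "$2"
fi
```

Run it as purge_queue.sh sender-domain error.mag2.com or purge_queue.sh recipient toaddy@domain.com; pipe mailq into list_queue_ids on its own first to review what would be deleted.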

Add multisite backends to Nagvis

nano /usr/sbin/nagvis/etc/nagvis.ini.php

; ----------------------------
 ; Backend definitions
 ; ----------------------------

; Example definition of a livestatus backend.
 ; In this case the backend_id is live_1
 ; The path /usr/local/nagios/var/rw has to exist
 [backend_live_1]
 backendtype="mklivestatus"
 ; The status host can be used to prevent annoying timeouts when a backend is not
 ; reachable. This is only useful in multi backend setups.
 ;
 ; It works as follows: The assumption is that there is a "local" backend which
 ; monitors the host of the "remote" backend. When the remote backend host is
 ; reported as UP the backend is queried as normal.
 ; When the remote backend host is reported as "DOWN" or "UNREACHABLE" NagVis won't
 ; try to connect to the backend anymore until the backend host gets available again.
 ;
 ; The statushost needs to be given in the following format:
 ; "<backend_id>:<hostname>" -> e.g. "live_2:nagios"
 ;statushost=""
 socket="unix:/var/spool/nagios/cmd/live"

[backend_live_2]
 backendtype="mklivestatus"
 socket="tcp:site1:6558"

[backend_site2_1]
 backendtype="mklivestatus"
 socket="tcp:site2:6558"

The tcp: backends talk to livestatus on port 6558 of the remote site with no authentication or encryption, and livestatus accepts external commands as well as status queries. Only expose that port to the NagVis host (the only_from directive in the remote site's xinetd livestatus service plus a firewall rule), not to the whole network.

 

postfix aliases

If an alias is not working, check the following. Most likely a domain has been set in the Postfix configuration and the mail is not going through the alias root: james@domain.net; instead it is addressed to root@serversdomain.com and handled as non-local mail. If this is the case you need to set a few things in the Postfix main.cf.

 

The issue was that I had this set:

 

# other configuration parameters.
 #
 myhostname = companyltd.co.uk
 #myhostname = virtual.domain.tld

# The mydomain parameter specifies the local internet domain name.
 # The default is to use $myhostname minus the first component.
 # $mydomain is used as a default value for many other configuration
 # parameters.
 #
 mydomain = companyltd.co.uk

# SENDING MAIL
 #

But mydestination did not contain the domain, so Postfix did not know to deliver the mail locally and never consulted /etc/aliases. Adding the domain, as below, fixes it. After editing /etc/aliases run newaliases, and reload Postfix after changing main.cf (postfix reload):



#
 # Specify a list of host or domain names, /file/name or type:table
 # patterns, separated by commas and/or whitespace. A /file/name
 # pattern is replaced by its contents; a type:table is matched when
 # a name matches a lookup key (the right-hand side is ignored).
 # Continue long lines by starting the next line with whitespace.
 #
 # See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
 #
 mydestination = localhost, companyltd.co.uk

#mydestination = $myhostname, localhost.$mydomain, localhost
 #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
 #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
 # mail.$mydomain, www.$mydomain, ftp.$mydomain

# REJECTING MAIL FOR UNKNOWN LOCAL USERS
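An added example, not the page's own configuration: a script that reads main.cf and reports whether a domain is in mydestination after the $name expansion Postfix performs, which is exactly the question behind this alias problem. The two main.cf fragments are constructed (mx1.companyltd.co.uk is an assumed hostname); the broken one reproduces the symptom and the fixed one adds $mydomain to mydestination.

```sh
#!/bin/sh
# Added example (not from the original page): work out whether Postfix will
# treat mail for a domain as local, i.e. whether the domain appears in
# mydestination once $name references are expanded, the way postconf does.
# If it does not, /etc/aliases is never consulted for root@that-domain.

# postfix_is_local DOMAIN  (main.cf on stdin)
#   prints "local" and returns 0, or prints "relayed" and returns 1
postfix_is_local() {
    awk -v domain="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        # expand $name references (a few rounds handle nested references)
        function expand(v,    n, i) {
            for (i = 0; i < 20 && match(v, /\$[A-Za-z_]+/); i++) {
                n = substr(v, RSTART + 1, RLENGTH - 1)
                v = substr(v, 1, RSTART - 1) (n in conf ? conf[n] : "") substr(v, RSTART + RLENGTH)
            }
            return v
        }
        /^[ \t]*(#|$)/ { next }                                          # comments, blank lines
        /^[ \t]/ && last != "" { conf[last] = conf[last] " " $0; next }  # continuation line
        {
            eq = index($0, "="); if (eq == 0) next
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            conf[name] = val; last = name
        }
        END {
            # Postfix defaults when a parameter is not set in main.cf
            if (!("mydomain" in conf) && ("myhostname" in conf)) {
                d = conf["myhostname"]; sub(/^[^.]*\./, "", d); conf["mydomain"] = d
            }
            if (!("mydestination" in conf))
                conf["mydestination"] = "$myhostname, localhost.$mydomain, localhost"
            n = split(tolower(expand(conf["mydestination"])), dest, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (dest[i] == domain) { print "local"; exit 0 }
            print "relayed"; exit 1
        }
    '
}

# Constructed main.cf fragments: the first reproduces the failure described
# above (root@companyltd.co.uk is not local, so the alias never fires), the
# second is the corrected form with the domain added to mydestination.
BROKEN_MAIN_CF='myhostname = mx1.companyltd.co.uk
mydomain = companyltd.co.uk
mydestination = $myhostname, localhost.$mydomain, localhost'

FIXED_MAIN_CF='myhostname = mx1.companyltd.co.uk
mydomain = companyltd.co.uk
mydestination = $myhostname, localhost.$mydomain, localhost,
    $mydomain'

# Against a live system: postconf -n | postfix_is_local companyltd.co.uk
```

Feeding it postconf -n output rather than the raw file also covers parameters set from the command line, and the exit code makes it usable in a deployment check.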