Setup Linux ODBC database connections into Microsoft SQL  


In this example I am using CentOS6_64x to connect to my Microsoft SQL database server

yum install php php-odbc wget gcc php-pear php-pecl-apc php-xml php-xmlrpc php-intl php-tidy php-imap php-pecl-memcache


Grab the client from Microsoft


tar xvf sqlncli-11.0.1790.0.tar.gz

cd sqlncli-11.0.1790.0


After that:

cd /tmp/unixODBC.5996.21582.3453/unixODBC-2.3.0

make install

cd /path_to_sql_client_download/sqlncli-11.0.1790.0

./install.sh install --lib-dir=/usr/local/lib64 --accept-license


Now that I have installed the Microsoft ODBC client, I edit the /etc/odbc.ini file and set up the proper DSNName values


nano /etc/odbc.ini

 Driver=ODBC Driver 13 for SQL Server


isql -v MyDSNName MSSqlUser MSSqlUserPassword

I also had to restart apache for the new modules to be loaded for database access via my web page

service httpd restart

Cisco ASA site to site VPN

Setup ASA Site to Site VPN:

This is a guide to setting up a Cisco ASA site-to-site VPN. I am connecting out to a remote peer of In reality this will be your remote public IP

Set up your crypto ipsec proposals

crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
 crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
 crypto ipsec security-association pmtu-aging infinite

 crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
 crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
 crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
 crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport


Now create your access list for the remote local network. In this case I've called the access list WAN_cryptomap_3

access-list WAN_cryptomap_3 extended permit ip object object

Now create the site-to-site policy and enter the public address you want to set up your tunnel to. In this case I am using a dummy IP of as I don't want to give out my real public addresses. is the public address of the peer. You need to reference the access list you created beforehand (WAN_cryptomap_3)

crypto map WAN_map 3 match address WAN_cryptomap_3
 crypto map WAN_map 3 set peer
 crypto map WAN_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
 crypto map WAN_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

Now create the IPsec policies for the pre-shared key and connection attributes, i.e. encryption, lifetime etc.

group-policy GroupPolicy_1.1.1.1 internal
 group-policy GroupPolicy_1.1.1.1 attributes
  vpn-tunnel-protocol ikev1 ikev2

tunnel-group type ipsec-l2l
 tunnel-group general-attributes
  default-group-policy GroupPolicy_1.1.1.1
 tunnel-group ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****

 crypto ca trustpool policy
 crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400

Lastly you need to create a NAT rule to tell the firewall NOT to NAT the traffic for the remote destination network

nat (WAN,WAN) source static destination static no-proxy-arp route-lookup
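
The proposals, transform sets and IKEv2 policy above still list DES, 3DES, MD5 and Diffie-Hellman groups 2 and 5, legacy algorithms that stay negotiable for as long as they are offered. As an added example (not part of the original configuration), this shell function scans ASA configuration text for those tokens; the sample input is constructed in the same syntax and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag legacy IPsec/IKE algorithms in ASA configuration text.

# Constructed sample in the same syntax as the configuration above.
sample_asa_config() {
cat <<'EOF'
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
EOF
}

# Reads configuration on stdin; prints "line N: <finding>" for each weak token.
audit_asa_crypto() {
  awk '
    function flag(what) { printf "line %d: %s\n", NR, what }
    # ESP settings inside an ikev2 ipsec-proposal
    $1 == "protocol" && $2 == "esp" && $3 == "encryption" {
      for (i = 4; i <= NF; i++) if ($i == "des" || $i == "3des") flag("ESP encryption " $i)
    }
    $1 == "protocol" && $2 == "esp" && $3 == "integrity" {
      for (i = 4; i <= NF; i++) if ($i == "md5") flag("ESP integrity md5")
    }
    # IKEv1 transform-set definitions (name is field 5, algorithms follow)
    $1 == "crypto" && $3 == "ikev1" && $4 == "transform-set" {
      for (i = 6; i <= NF; i++)
        if ($i == "esp-des" || $i == "esp-3des" || $i == "esp-md5-hmac") flag("IKEv1 transform " $i)
    }
    # Settings inside a crypto ikev2 policy
    $1 == "encryption" && ($2 == "des" || $2 == "3des") { flag("IKE encryption " $2) }
    $1 == "integrity" && $2 == "md5" { flag("IKE integrity md5") }
    $1 == "group" {
      for (i = 2; i <= NF; i++) if ($i == 1 || $i == 2 || $i == 5) flag("DH group " $i)
    }
  '
}

sample_asa_config | audit_asa_crypto
```

Run it over a saved copy of the running configuration, then remove the flagged proposals, transform sets and groups from the crypto map and IKE policy so only the AES entries remain on offer.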

Setup SSH to Cisco router / switch / ASA

Using your Telnet session or Console session do the following:

cisco(config)# hostname <name>
 cisco(config)# ip domain-name <domain>
 cisco(config)# crypto key generate rsa modulus 2048
 cisco(config)# ip ssh version 2


Now that the SSH keys have been generated you can assign SSH to the VTY (Virtual Terminal) lines. I have also set the login to ‘login local’, so make sure you have set up a local user for access.

line vty 0 4
 transport input ssh
 login local



There may be times when you need to reset the SSH keys. This command will remove the current keys so you can generate new ones

cisco(config)# crypto key zeroize rsa


How to create a sub-interface on ASA firewall


This is handy when you run out of physical interfaces but need more network subnets, you can carve one interface into separate virtual interfaces using VLAN tagging

ASA Config:

interface GigabitEthernet0/1
 duplex full
 no nameif
 no security-level
 no ip address

interface GigabitEthernet0/1.205
 description Department1
 vlan 205
 nameif 205
 security-level 100
 ip address

interface GigabitEthernet0/1.200
 description Department2
 vlan 200
 nameif 200
 security-level 95
 ip address

interface GigabitEthernet0/3
 duplex full
 no nameif
 no security-level
 no ip address

interface GigabitEthernet0/3.201
 description Department3
 vlan 201
 nameif 201
 security-level 90
 ip address

interface GigabitEthernet0/3.202
 description Department4
 vlan 202
 nameif 202
 security-level 85
 ip address

I then link the firewall interfaces to the Cisco switch using trunk links, tagging all the VLANs I need

ASA – interface GigabitEthernet0/1 >> Cisco Switch interface GigabitEthernet1/0/47

ASA – interface GigabitEthernet0/3 >> Cisco Switch interface GigabitEthernet1/0/48

Switch config:

 interface GigabitEthernet1/0/47
  switchport trunk allowed vlan 200,205
  switchport mode trunk
  spanning-tree portfast
 interface GigabitEthernet1/0/48
  switchport trunk allowed vlan 201,202
  switchport mode trunk
  spanning-tree portfast

Assign end points to the correct VLAN

 interface GigabitEthernet2/0/3
  switchport access vlan 200
  spanning-tree portfast
 interface GigabitEthernet2/0/4
  switchport access vlan 202
  spanning-tree portfast

Change any native VLAN you may need on the trunk links; remember to add the native VLAN to the ‘allowed vlan’ list as well

interface GigabitEthernet2/0/22  
switchport trunk native vlan 1010  
switchport trunk allowed vlan 200-205,1010  
switchport mode trunk  
spanning-tree portfast 

restart postfix


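#!/bin/sh
# OUR_QUEUE_LIMIT is the active-queue size that triggers the restart; it must be set before this runs
: "${OUR_QUEUE_LIMIT:?OUR_QUEUE_LIMIT is not set}"

# Count the messages in the active queue
queue_dir=$(postconf -h queue_directory)/active
START_QUEUE=$( (test -d "$queue_dir" && find "$queue_dir" -type f) | wc -l )

# Exit if the active queue is below the limit
if [ "$START_QUEUE" -lt "$OUR_QUEUE_LIMIT" ]; then
    exit 0
fi

sleep 120

# Exit if the active queue has not shrunk after two minutes
CURR_QUEUE=$( (test -d "$queue_dir" && find "$queue_dir" -type f) | wc -l )
if [ "$CURR_QUEUE" -ge "$START_QUEUE" ]; then
    exit 0
fi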



# Stop postfix (mail stops coming in and out when you do this)
 service postfix stop

# Run a cleanup after 30 seconds - this gives postfix time to finish any email it was busy with
 sleep 30

# Stop Amavis
 service amavis stop

# Purge old temporary files that are left over after system or software crashes
 postsuper -p

# Structure check and structure repair
 postsuper -s

# Restart Amavis
 service amavis start

# Give Amavis time to start - 15 seconds should do it
 sleep 15

# Now start postfix
 service postfix start

check_mk remote plugin – mrpe

  • Put the script on the remote server
  • install the check_mk_agent
  • create the dir /etc/check_mk
  • create the file /etc/check_mk/mrpe.cfg

In the mrpe.cfg file, give the check a name, then the check to run with its parameters

 Postfix_Active_Q /usr/lib/check_mk_agent/postfix_queue -w 20 -c 100 -q active

That should be it!

Now do an inventory (-I) on the Nagios server and it should pick up the check
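
The mrpe.cfg line above calls a postfix_queue script that is not shown. As an added example (a hypothetical stand-in, not the author's script), this is a plugin of the shape MRPE expects, taking the same -w/-c/-q options; the function names and the list of accepted queue names are assumptions.

```shell
#!/bin/sh
# Hypothetical stand-in for the postfix_queue plugin referenced in mrpe.cfg.
# MRPE expects a Nagios-style plugin: one status line on stdout and an exit
# code of 0 (OK), 1 (WARNING), 2 (CRITICAL) or 3 (UNKNOWN).

# check_queue_dir <dir> <warn> <crit>: count files under <dir> and grade the count.
check_queue_dir() {
    dir=$1 warn=$2 crit=$3
    for n in "$warn" "$crit"; do
        case $n in
            ''|*[!0-9]*) echo "UNKNOWN - thresholds must be whole numbers"; return 3 ;;
        esac
    done
    [ -d "$dir" ] || { echo "UNKNOWN - $dir is not a directory"; return 3; }
    count=$(find "$dir" -type f | wc -l | tr -d ' ')
    perf="queue=$count;$warn;$crit"          # perfdata after the pipe character
    if [ "$count" -ge "$crit" ]; then
        echo "CRITICAL - $count messages | $perf"; return 2
    elif [ "$count" -ge "$warn" ]; then
        echo "WARNING - $count messages | $perf"; return 1
    fi
    echo "OK - $count messages | $perf"
}

# Parse the -w/-c/-q options used in the mrpe.cfg line and check that queue.
main() {
    warn= crit= queue=active
    while getopts w:c:q: opt; do
        case $opt in
            w) warn=$OPTARG ;;
            c) crit=$OPTARG ;;
            q) queue=$OPTARG ;;
            *) echo "UNKNOWN - usage: $0 -w N -c N [-q queue]"; return 3 ;;
        esac
    done
    # Accept only known queue names so -q cannot point outside the spool
    case $queue in
        active|deferred|incoming|hold) ;;
        *) echo "UNKNOWN - unsupported queue name"; return 3 ;;
    esac
    check_queue_dir "$(postconf -h queue_directory)/$queue" "$warn" "$crit"
}

# Run only when called with arguments, e.g. postfix_queue -w 20 -c 100 -q active
if [ $# -gt 0 ]; then main "$@"; exit $?; fi
```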

Mondo Setup

Mondo is a great Linux backup utility. Here are my installation and usage notes

Install Mondo

[root@server1-imetal ~]# cat /scripts/runbackup-full

mkdir -p /mnt/backup-share/`date +%F`-full
 mondoarchive -Oi -F -d /mnt/backup-share/`date +%F`-full -S /home/mondo-scratch -T /home/mondo-scratch -E '/mnt/backup-share' -s 4300m -p imetal-full
 [root@server1-imetal ~]# cat /scripts/runbackup-differential

mkdir -p /mnt/backup-share/`date +%F`-differential
 mondoarchive -D -Oi -F -d /mnt/backup-share/`date +%F`-differential -S /home/mondo-scratch -T /home/mondo-scratch -E '/mnt/backup-share' -s 4300m -p imetal-differential

[root@server1-imetal ~]#



0 19 * * 0 root /scripts/runbackup-differential
 0 19 * * 6 root /scripts/runbackup-differential
 0 19 * * 5 root /scripts/runbackup-full
 0 19 * * 4 root /scripts/runbackup-differential
 0 19 * * 3 root /scripts/runbackup-differential
 0 19 * * 2 root /scripts/runbackup-differential
 0 19 * * 1 root /scripts/runbackup-differential
 [root@server1-imetal ~]#

mailq – delete domain

mailq|awk ' /^[0-9A-F][0-9A-F]*.*$/ {print $1}'|tr -d '*'| xargs -rn1 postsuper -d


Where is the domain, or from address you wish to delete. This works pretty well. I may whip up a bash script to handle this in the future.

For reference, the worst offenders are:


Also, to delete items from the queue(s) based on the to address:

mailq | tail -n +2 | awk 'BEGIN { RS = "" } { if ($8 == "" && $9 == "") print $1 }' | tr -d '*!' | postsuper -d -
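
As printed, the pattern in the first one-liner no longer contains a domain, so it matches every queue ID and would empty the queue. An added example (not from the original post) that selects queue IDs by exact sender domain and prints them for review before anything is deleted; it assumes short hexadecimal queue IDs and the standard mailq listing, the sample listing is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pick queue IDs by exact sender domain from mailq output.

# Constructed sample of a mailq listing (short hexadecimal queue IDs).
sample_mailq() {
cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A41C0B2*    1234 Mon Jan  6 10:00:01  news@bulk.example
                                         user1@example.org

7C9D02E1A4     2345 Mon Jan  6 10:02:13  alice@example.org
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         bob@example.net

A1B2C3D4E5!     987 Mon Jan  6 10:05:40  promo@bulk.example
                                         user2@example.org

-- 4 Kbytes in 3 Requests.
EOF
}

# Reads mailq output on stdin and prints the queue ID of every message whose
# envelope sender is in the given domain. An empty domain is refused, so a
# missing argument can never select the whole queue.
queue_ids_by_sender_domain() {
  [ -n "$1" ] || { echo "usage: queue_ids_by_sender_domain <domain>" >&2; return 1; }
  awk -v dom="$1" '
    BEGIN { dom = tolower(dom) }
    /^[0-9A-F]+[*!]?[ \t]/ {            # entry line: ID, size, date (4 fields), sender
      id = $1
      sub(/[*!]$/, "", id)              # strip the active (*) or hold (!) marker
      n = split(tolower($7), part, "@")
      if (n == 2 && part[2] == dom) print id
    }
  '
}

# Dry run: print the matches. After reviewing them, the same output can be
# piped to: postsuper -d -
sample_mailq | queue_ids_by_sender_domain bulk.example
```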

Add multisite backends to Nagvis

nano /usr/sbin/nagvis/etc/nagvis.ini.php

; ----------------------------
 ; Backend definitions
 ; ----------------------------

; Example definition of a livestatus backend.
 ; In this case the backend_id is live_1
 ; The path /usr/local/nagios/var/rw has to exist
 ; The status host can be used to prevent annoying timeouts when a backend is not
 ; reachable. This is only useful in multi backend setups.
 ; It works as follows: The assumption is that there is a "local" backend which
 ; monitors the host of the "remote" backend. When the remote backend host is
 ; reported as UP the backend is queried as normal.
 ; When the remote backend host is reported as "DOWN" or "UNREACHABLE" NagVis won't
 ; try to connect to the backend anymore until the backend host gets available again.
 ; The statushost needs to be given in the following format:
 ; "<backend_id>:<hostname>" -> e.g. "live_2:nagios"




postfix aliases

If the aliases are not working then check the following. Most likely a domain has been set in the Postfix configuration and the mail is not going to root: it is going to If this is the case you need to set a few things in the postfix


The issue was I had this set


# other configuration parameters.
 myhostname =
 #myhostname = virtual.domain.tld

# The mydomain parameter specifies the local internet domain name.
 # The default is to use $myhostname minus the first component.
 # $mydomain is used as a default value for many other configuration
 # parameters.
 mydomain =


But this did not contain the domain so it didn't know to send it locally

 # Specify a list of host or domain names, /file/name or type:table
 # patterns, separated by commas and/or whitespace. A /file/name
 # pattern is replaced by its contents; a type:table is matched when
 # a name matches a lookup key (the right-hand side is ignored).
 # Continue long lines by starting the next line with whitespace.
 # See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
 mydestination = localhost,

#mydestination = $myhostname, localhost.$mydomain, localhost
 #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
 #mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
 # mail.$mydomain, www.$mydomain, ftp.$mydomain