ICO wiki - User contributions [en]

Security monitoring solution Zabbix

2018-05-31T11:33:22Z

Malyhass:

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎31 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Security VS Vulnerabilities =

The following information about the solution vulnerabilities and how to avoid them.

First of all Securing the database necessary. Starting with the issue Zabbix server using MySQL database and using MD5 hash. The first step is to use the strong password because the hash can be cracked by effortless way.

[[File:Screenshot from.png|thumb|center| Zabbix MySQL database]]

Setting the password for the administrator user

<code> update zabbix.users set passwd=md5('verystrongpassword') where alias='Admin'; </code>

[[File:Zabbixpassword.png|thumb|center| Zabbix setting the password]]

[[File:ZabbixpasswordCraked.png|thumb|center| Zabbix password hash cracked]]


Avoiding the issue by using strong complex password and administrator must update it every week

<code> update zabbix.users set passwd=md5('VeryComplexp@ss0rd') where alias='Admin'; </code>

The attacker will not be able to obtain the password or even to crack it.

Another issue could cause a problem that when the solution administrator will enable the LDAP authentication the password will be saved in the Zabbix database as a plain text

[[File:ZabbixpasswordPlaintext.png|thumb|center| Zabbix Enable LDAP]]

[[File:ZabbixpasswordPlaintext2.png|thumb|center| Zabbix LDAP passwords saved as a plain text]]

Downright dangerous, system administrator need to be aware when enable the LDAP in Zabbix server.

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-31T11:33:02Z

Malyhass: /* Security VS Vulnerabilities */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Security VS Vulnerabilities =

The following information about the solution vulnerabilities and how to avoid them.

First of all Securing the database necessary. Starting with the issue Zabbix server using MySQL database and using MD5 hash. The first step is to use the strong password because the hash can be cracked by effortless way.

[[File:Screenshot from.png|thumb|center| Zabbix MySQL database]]

Setting the password for the administrator user

<code> update zabbix.users set passwd=md5('verystrongpassword') where alias='Admin'; </code>

[[File:Zabbixpassword.png|thumb|center| Zabbix setting the password]]

[[File:ZabbixpasswordCraked.png|thumb|center| Zabbix password hash cracked]]


Avoiding the issue by using strong complex password and administrator must update it every week

<code> update zabbix.users set passwd=md5('VeryComplexp@ss0rd') where alias='Admin'; </code>

The attacker will not be able to obtain the password or even to crack it.

Another issue could cause a problem that when the solution administrator will enable the LDAP authentication the password will be saved in the Zabbix database as a plain text

[[File:ZabbixpasswordPlaintext.png|thumb|center| Zabbix Enable LDAP]]

[[File:ZabbixpasswordPlaintext2.png|thumb|center| Zabbix LDAP passwords saved as a plain text]]

Downright dangerous, system administrator need to be aware when enable the LDAP in Zabbix server.

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

File:ZabbixpasswordPlaintext2.png

2018-05-31T11:30:36Z

Malyhass:

Security monitoring solution Zabbix

2018-05-31T11:30:25Z

Malyhass: /* Security VS Vulnerabilities */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Security VS Vulnerabilities =

The following information about the solution vulnerabilities and how to avoid them.

First of all Securing the database necessary. Starting with the issue Zabbix server using MySQL database and using MD5 hash. The first step is to use the strong password because the hash can be cracked by effortless way.

[[File:Screenshot from.png|thumb|center| Zabbix MySQL database]]

Setting the password for the administrator user

<code> update zabbix.users set passwd=md5('verystrongpassword') where alias='Admin'; </code>

[[File:Zabbixpassword.png|thumb|center| Zabbix setting the password]]

[[File:ZabbixpasswordCraked.png|thumb|center| Zabbix password hash cracked]]


Avoiding the issue by using strong complex password and administrator must update it every week

<code> update zabbix.users set passwd=md5('VeryComplexp@ss0rd') where alias='Admin'; </code>

The attacker will not be able to obtain the password or even to crack it.

Another issue could cause a problem that when the solution administrator will enable the LDAP authentication the password will be saved in the Zabbix database as a plain text

[[File:ZabbixpasswordPlaintext.png|thumb|center| Zabbix Enable LDAP]]

[[File:ZabbixpasswordPlaintext2.png|thumb|center| Zabbix LDAP passwords saved as a plain text]]

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

File:ZabbixpasswordPlaintext.png

2018-05-31T11:28:24Z

Malyhass:

Security monitoring solution Zabbix

2018-05-31T11:28:03Z

Malyhass: /* Security VS Vulnerabilities */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Security VS Vulnerabilities =

The following information about the solution vulnerabilities and how to avoid them.

First of all Securing the database necessary. Starting with the issue Zabbix server using MySQL database and using MD5 hash. The first step is to use the strong password because the hash can be cracked by effortless way.

[[File:Screenshot from.png|thumb|center| Zabbix MySQL database]]

Setting the password for the administrator user

<code> update zabbix.users set passwd=md5('verystrongpassword') where alias='Admin'; </code>

[[File:Zabbixpassword.png|thumb|center| Zabbix setting the password]]

[[File:ZabbixpasswordCraked.png|thumb|center| Zabbix password hash cracked]]


Avoiding the issue by using strong complex password and administrator must update it every week

<code> update zabbix.users set passwd=md5('VeryComplexp@ss0rd') where alias='Admin'; </code>

The attacker will not be able to obtain the password or even to crack it.

Another issue could cause a problem that when the solution administrator will enable the LDAP authentication the password will be saved in the Zabbix database as a plain text

[[File:ZabbixpasswordPlaintext.png|thumb|center| Zabbix LDAP passwords saved as a plain text]]

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-31T11:12:26Z

Malyhass: /* Security VS Vulnerabilities */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Security VS Vulnerabilities =

The following information about the solution vulnerabilities and how to avoid them.

First of all Securing the database necessary. Starting with the issue Zabbix server using MySQL database and using MD5 hash. The first step is to use the strong password because the hash can be cracked by effortless way.

[[File:Screenshot from.png|thumb|center| Zabbix MySQL database]]

Setting the password for the administrator user

<code> update zabbix.users set passwd=md5('verystrongpassword') where alias='Admin'; </code>

[[File:Zabbixpassword.png|thumb|center| Zabbix setting the password]]

[[File:ZabbixpasswordCraked.png|thumb|center| Zabbix password hash cracked]]


Avoiding the issue by using strong complex password and administrator must update it every week

<code> update zabbix.users set passwd=md5('VeryComplexp@ss0rd') where alias='Admin'; </code>

The attacker will not be able to obtain the password or even to crack it

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

File:ZabbixpasswordCraked.png

2018-05-31T11:04:05Z

Malyhass:

Security monitoring solution Zabbix

2018-05-31T11:03:56Z

Malyhass: /* Security VS Vulnerabilities */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Security VS Vulnerabilities =

The following information about the solution vulnerabilities and how to avoid them.

First of all Securing the database necessary. Starting with the issue Zabbix server using MySQL database and using MD5 hash. The first step is to use the strong password because the hash can be cracked by effortless way.

[[File:Screenshot from.png|thumb|center| Zabbix MySQL database]]

Setting the password for the administrator user

<code> update zabbix.users set passwd=md5('verystrongpassword') where alias='Admin'; </code>

[[File:Zabbixpassword.png|thumb|center| Zabbix setting the password]]

[[File:ZabbixpasswordCraked.png|thumb|center| Zabbix password hash cracked]]

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-31T11:02:23Z

Malyhass: /* Security VS Vulnerabilities */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Security VS Vulnerabilities =

The following information about the solution vulnerabilities and how to avoid them.

First of all Securing the database necessary. Starting with the issue Zabbix server using MySQL database and using MD5 hash. The first step is to use the strong password because the hash can be cracked by effortless way.

[[File:Screenshot from.png|thumb|center| Zabbix MySQL database]]

Setting the password for the administrator user

<code> update zabbix.users set passwd=md5('verystrongpassword') where alias='Admin'; </code>

[[File:Zabbixpassword.png|thumb|center| Zabbix setting the password]]

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

File:Zabbixpassword.png

2018-05-31T11:02:00Z

Malyhass:

Security monitoring solution Zabbix

2018-05-31T11:01:07Z

Malyhass: /* Security VS Vulnerabilities */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Security VS Vulnerabilities =

The following information about the solution vulnerabilities and how to avoid them.

First of all Securing the database necessary. Starting with the issue Zabbix server using MySQL database and using MD5 hash. The first step is to use the strong password because the hash can be cracked by effortless way.

[[File:Screenshot from.png|thumb|center| Zabbix MySQL database]]

Setting the password for the administrator user

<code> update zabbix.users set passwd=md5('verystrongpassword') where alias='Admin'; </code>

[[File:Screenshot|thumb|center| Zabbix setting the password]]

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-31T10:48:19Z

Malyhass: /* Security VS Vulnerabilities */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Security VS Vulnerabilities =

The following information about the solution vulnerabilities and how to avoid them.

First of all Securing the database necessary. Starting with the issue Zabbix server using MySQL database and using MD5 hash. The first step is to use the strong password because the hash can be cracked by effortless way.

[[File:Screenshot from.png|thumb|center| Zabbix MySQL database]]

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

File:Screenshot from.png

2018-05-31T10:47:23Z

Malyhass:

Security monitoring solution Zabbix

2018-05-31T10:47:05Z

Malyhass: /* Security VS Vulnerabilities */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Security VS Vulnerabilities =

The following information about the solution vulnerabilities and how to avoid them.

First of all Securing the database necessary. Starting with the issue Zabbix server using MySQL database and using MD5 hash. The first step is to use the strong password because the hash can be cracked by effortless way.

[[File:Screenshot from |thumb|center| Zabbix MySQL database]]

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-31T10:46:50Z

Malyhass: /* Security VS Vulnerabilities */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Security VS Vulnerabilities =

The following information about the solution vulnerabilities and how to avoid them.

First of all Securing the database necessary. Starting with the issue Zabbix server using MySQL database and using MD5 hash. The first step is to use the strong password because the hash can be cracked by effortless way.

[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix MySQL database]]

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-31T10:46:31Z

Malyhass: /* Security VS Vulnerabilities */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Security VS Vulnerabilities =

The following information about the solution vulnerabilities and how to avoid them.

First of all Securing the database necessary. Starting with the issue Zabbix server using MySQL database and using MD5 hash. The first step is to use the strong password because the hash can be cracked by effortless way.

[[File:|thumb|right| Zabbix MySQL database]]

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-31T10:45:03Z

Malyhass: /* Solution Vulnerabilities */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Security VS Vulnerabilities =

The following information about the solution vulnerabilities and how to avoid them.

First of all Securing the database necessary. Starting with the issue Zabbix server using MySQL database and using MD5 hash. The first step is to use the strong password because the hash can be cracked by effortless way.

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-31T10:36:39Z

Malyhass: /* Vulnerabilities */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Solution Vulnerabilities =

The following information about the solution vulnerabilities and how to avoid them.

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-31T10:34:40Z

Malyhass: /* Vulnerabilities */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

= Vulnerabilities =

The following information about the solution vulnerabilities and how to avoid them.

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-31T10:33:20Z

Malyhass: /* Enable the encryption Front-end Web */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

= Vulnerabilities =

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-15T06:07:29Z

Malyhass: /* Zabbix-Agent */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-15T06:07:07Z

Malyhass: /* Setting up Zabbix */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt update </code>

<code> apt install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt-get update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt-get install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Nagios

2018-05-07T06:04:02Z

Malyhass: /* Prerequisites */

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command

<code> sudo apt update</code>

<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>

<code> groupadd nagcmd </code>

<code> usermod -a -G nagcmd nagios </code>

<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>

<code> make all </code>

<code> make install </code>

<code> make install-commandmode </code>

<code> make install-init </code>

<code> make install-config </code>

<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>

<code> make </code>

<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>

<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>

<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>

<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>

<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>

<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Enable the encryption between the server and the agent=

The connection need to be secure between the server and the agent, it's not easy and it's not hard to make it for the security.

* Setup Directories:

<code> cd /usr/local/nagios/etc/ </code>

<code> mkdir ssl </code>

<code> chown root:nagios ssl </code>

<code> mkdir ca nagios_server_certs client_certs </code>

<code> chown root:nagios * </code>

<code> mkdir ./demoCA </code>

<code> mkdir ./demoCA/newcerts </code>

<code> cd ./demoCA </code>

<code> touch index.txt </code>

<code> echo '1000' Angle brackets serial </code>

* Create Certificate Authority
<code> openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650 </code>

* NRPE Client Certificate
<code> cd /usr/local/nagios/etc/ssl/client_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes </code>

* Sign this certificate request by our CA:

<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem </code>

Copy NRPE Client Certificates to the agent:

1- First you can make it with sftp://user@IP

Or you can copy it with secure copy

<code> scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/ </code>

* Next the NRPE client config file needs updating so it knows to use the new certificate. In the file /usr/local/nagios/etc/nrpe.cfg

<code> nano nrpe.cfg </code>

* In line 238 uncomment:

<code>
ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key
</code>

* restart nrpe:
<code> service nrpe restart </code>

* Don't forgot to uncomment the follow:

<code>
1- ssl_logging=0xff
2 ssl_client_certs=2
</code>

check_nrpe Plugin Certificate
<code> cd /usr/local/nagios/etc/ssl/nagios_server_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes </code>
<code> cd /usr/local/nagios/etc/ssl/ </code>
<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem </code>

* Using Certificates With check_nrpe Plugin

<code> /usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress </code>


* To make the handshake:

<code> nano /usr/local/nagios/etc/services </code>

* add the following next to the chech_nrpe services
<code> -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl//client_certs/client_cert.pem -K /usr/local/nagios/etc/ssl/client_certs/client_cert.key </code>

<code> service nagios restart </code>

To check the logs from the agent side

<code> tail -f /var/log/syslog </code>

Make sure that server IP address in the nrpe.cfg

<code> cd /usr/local/nagios/etc </code>
<code> nano nrpe.cfg </code>

In line 106
Put the server IP address

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

6- [https://support.nagios.com/kb/article.php?id=519 NRPE - v3 Enhanced Security]

7- [https://support.nagios.com/kb/article/nrpe-check_nrpe-error-could-not-complete-ssl-handshake-615.html NRPE - CHECK_NRPE: Error - Could Not Complete SSL Handshake]

=Security part=

Nagios encryption by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=7En5kheIwOM SSL Handshake between Nagios (Server - Agent)]

2- [https://www.youtube.com/watch?v=MnG8Embgfgw&t=506s How to secure the connection between Nagios (Server - Agent) NRPE - v3 Enhanced Security]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.youtube.com/watch?v=EpzTJH85y8Y&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios installation 4.2.0 (Ubuntu Server 16.04.1 LTS) - Step one]

6- [https://www.youtube.com/watch?v=4vZELdYa7O4&index=2&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios-Agent configuration using NRPE plugin - Step two]

7- [https://www.youtube.com/watch?v=TzlYyzj7BkQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=3 Nagios-Agent send checks to Nagios-Server - Step three]

8- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

9- [https://www.youtube.com/watch?v=jg_zan7f_YQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=6 How to send checks to Nagios-Server & How to create own script]

10- [https://www.youtube.com/watch?v=MnG8Embgfgw&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=10 Secure the connection between Nagios (Server - Agent) NRPE - v3 Enhanced Security]

11- [https://www.youtube.com/watch?v=7En5kheIwOM SSL Handshake between Nagios (Server - Agent)]

------

[[Category:Monitoring]]

Security monitoring solution Nagios

2018-05-07T06:03:53Z

Malyhass: /* Prerequisites */

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>

<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>

<code> groupadd nagcmd </code>

<code> usermod -a -G nagcmd nagios </code>

<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>

<code> make all </code>

<code> make install </code>

<code> make install-commandmode </code>

<code> make install-init </code>

<code> make install-config </code>

<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>

<code> make </code>

<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>

<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>

<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>

<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>

<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>

<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Enable the encryption between the server and the agent=

The connection need to be secure between the server and the agent, it's not easy and it's not hard to make it for the security.

* Setup Directories:

<code> cd /usr/local/nagios/etc/ </code>

<code> mkdir ssl </code>

<code> chown root:nagios ssl </code>

<code> mkdir ca nagios_server_certs client_certs </code>

<code> chown root:nagios * </code>

<code> mkdir ./demoCA </code>

<code> mkdir ./demoCA/newcerts </code>

<code> cd ./demoCA </code>

<code> touch index.txt </code>

<code> echo '1000' Angle brackets serial </code>

* Create Certificate Authority
<code> openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650 </code>

* NRPE Client Certificate
<code> cd /usr/local/nagios/etc/ssl/client_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes </code>

* Sign this certificate request by our CA:

<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem </code>

Copy NRPE Client Certificates to the agent:

1- First you can make it with sftp://user@IP

Or you can copy it with secure copy

<code> scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/ </code>

* Next the NRPE client config file needs updating so it knows to use the new certificate. In the file /usr/local/nagios/etc/nrpe.cfg

<code> nano nrpe.cfg </code>

* In line 238 uncomment:

<code>
ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key
</code>

* restart nrpe:
<code> service nrpe restart </code>

* Don't forgot to uncomment the follow:

<code>
1- ssl_logging=0xff
2 ssl_client_certs=2
</code>

check_nrpe Plugin Certificate
<code> cd /usr/local/nagios/etc/ssl/nagios_server_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes </code>
<code> cd /usr/local/nagios/etc/ssl/ </code>
<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem </code>

* Using Certificates With check_nrpe Plugin

<code> /usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress </code>


* To make the handshake:

<code> nano /usr/local/nagios/etc/services </code>

* add the following next to the chech_nrpe services
<code> -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl//client_certs/client_cert.pem -K /usr/local/nagios/etc/ssl/client_certs/client_cert.key </code>

<code> service nagios restart </code>

To check the logs from the agent side

<code> tail -f /var/log/syslog </code>

Make sure that server IP address in the nrpe.cfg

<code> cd /usr/local/nagios/etc </code>
<code> nano nrpe.cfg </code>

In line 106
Put the server IP address

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

6- [https://support.nagios.com/kb/article.php?id=519 NRPE - v3 Enhanced Security]

7- [https://support.nagios.com/kb/article/nrpe-check_nrpe-error-could-not-complete-ssl-handshake-615.html NRPE - CHECK_NRPE: Error - Could Not Complete SSL Handshake]

=Security part=

Nagios encryption by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=7En5kheIwOM SSL Handshake between Nagios (Server - Agent)]

2- [https://www.youtube.com/watch?v=MnG8Embgfgw&t=506s How to secure the connection between Nagios (Server - Agent) NRPE - v3 Enhanced Security]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.youtube.com/watch?v=EpzTJH85y8Y&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios installation 4.2.0 (Ubuntu Server 16.04.1 LTS) - Step one]

6- [https://www.youtube.com/watch?v=4vZELdYa7O4&index=2&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios-Agent configuration using NRPE plugin - Step two]

7- [https://www.youtube.com/watch?v=TzlYyzj7BkQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=3 Nagios-Agent send checks to Nagios-Server - Step three]

8- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

9- [https://www.youtube.com/watch?v=jg_zan7f_YQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=6 How to send checks to Nagios-Server & How to create own script]

10- [https://www.youtube.com/watch?v=MnG8Embgfgw&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=10 Secure the connection between Nagios (Server - Agent) NRPE - v3 Enhanced Security]

11- [https://www.youtube.com/watch?v=7En5kheIwOM SSL Handshake between Nagios (Server - Agent)]

------

[[Category:Monitoring]]

Security monitoring solution Nagios

2018-05-07T06:03:38Z

Malyhass: /* Installing the prerequisites */

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>

<code> groupadd nagcmd </code>

<code> usermod -a -G nagcmd nagios </code>

<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>

<code> make all </code>

<code> make install </code>

<code> make install-commandmode </code>

<code> make install-init </code>

<code> make install-config </code>

<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>

<code> make </code>

<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>

<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>

<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>

<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>

<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>

<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Enable the encryption between the server and the agent=

The connection need to be secure between the server and the agent, it's not easy and it's not hard to make it for the security.

* Setup Directories:

<code> cd /usr/local/nagios/etc/ </code>

<code> mkdir ssl </code>

<code> chown root:nagios ssl </code>

<code> mkdir ca nagios_server_certs client_certs </code>

<code> chown root:nagios * </code>

<code> mkdir ./demoCA </code>

<code> mkdir ./demoCA/newcerts </code>

<code> cd ./demoCA </code>

<code> touch index.txt </code>

<code> echo '1000' Angle brackets serial </code>

* Create Certificate Authority
<code> openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650 </code>

* NRPE Client Certificate
<code> cd /usr/local/nagios/etc/ssl/client_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes </code>

* Sign this certificate request by our CA:

<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem </code>

Copy NRPE Client Certificates to the agent:

1- First you can make it with sftp://user@IP

Or you can copy it with secure copy

<code> scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/ </code>

* Next the NRPE client config file needs updating so it knows to use the new certificate. In the file /usr/local/nagios/etc/nrpe.cfg

<code> nano nrpe.cfg </code>

* In line 238 uncomment:

<code>
ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key
</code>

* restart nrpe:
<code> service nrpe restart </code>

* Don't forgot to uncomment the follow:

<code>
1- ssl_logging=0xff
2 ssl_client_certs=2
</code>

check_nrpe Plugin Certificate
<code> cd /usr/local/nagios/etc/ssl/nagios_server_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes </code>
<code> cd /usr/local/nagios/etc/ssl/ </code>
<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem </code>

* Using Certificates With check_nrpe Plugin

<code> /usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress </code>


* To make the handshake:

<code> nano /usr/local/nagios/etc/services </code>

* add the following next to the chech_nrpe services
<code> -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl//client_certs/client_cert.pem -K /usr/local/nagios/etc/ssl/client_certs/client_cert.key </code>

<code> service nagios restart </code>

To check the logs from the agent side

<code> tail -f /var/log/syslog </code>

Make sure that server IP address in the nrpe.cfg

<code> cd /usr/local/nagios/etc </code>
<code> nano nrpe.cfg </code>

In line 106
Put the server IP address

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

6- [https://support.nagios.com/kb/article.php?id=519 NRPE - v3 Enhanced Security]

7- [https://support.nagios.com/kb/article/nrpe-check_nrpe-error-could-not-complete-ssl-handshake-615.html NRPE - CHECK_NRPE: Error - Could Not Complete SSL Handshake]

=Security part=

Nagios encryption by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=7En5kheIwOM SSL Handshake between Nagios (Server - Agent)]

2- [https://www.youtube.com/watch?v=MnG8Embgfgw&t=506s How to secure the connection between Nagios (Server - Agent) NRPE - v3 Enhanced Security]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.youtube.com/watch?v=EpzTJH85y8Y&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios installation 4.2.0 (Ubuntu Server 16.04.1 LTS) - Step one]

6- [https://www.youtube.com/watch?v=4vZELdYa7O4&index=2&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios-Agent configuration using NRPE plugin - Step two]

7- [https://www.youtube.com/watch?v=TzlYyzj7BkQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=3 Nagios-Agent send checks to Nagios-Server - Step three]

8- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

9- [https://www.youtube.com/watch?v=jg_zan7f_YQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=6 How to send checks to Nagios-Server & How to create own script]

10- [https://www.youtube.com/watch?v=MnG8Embgfgw&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=10 Secure the connection between Nagios (Server - Agent) NRPE - v3 Enhanced Security]

11- [https://www.youtube.com/watch?v=7En5kheIwOM SSL Handshake between Nagios (Server - Agent)]

------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-06T10:08:03Z

Malyhass: /* Security part */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt-get update </code>

<code> apt-get install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt-get update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt-get install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]

2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-06T10:07:53Z

Malyhass: /* Security part */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt-get update </code>

<code> apt-get install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt-get update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt-get install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

1- [https://www.youtube.com/watch?v=HPopknSctVc&t=121s LDAP authentication]
2- [https://www.youtube.com/watch?v=MCsI0R1q0sE&t=75s Reset the password]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-06T10:06:46Z

Malyhass: /* See also */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt-get update </code>

<code> apt-get install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt-get update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt-get install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=Security part=

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Zabbix

2018-05-06T10:06:04Z

Malyhass: Created page with " Zabbix monitoring system Author: Mohanad Aly Cyber Security Engineering (C21) Page Created: 06 May 2017 ‎Last modified: ‎06 May..."

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt-get update </code>

<code> apt-get install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt-get update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt-get install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Security monitoring solution Nagios

2018-05-06T10:04:27Z

Malyhass: /* Security part */

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>
<code> groupadd nagcmd </code>
<code> usermod -a -G nagcmd nagios </code>
<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>
<code> make all </code>
<code> make install </code>
<code> make install-commandmode </code>
<code> make install-init </code>
<code> make install-config </code>
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>
<code> make </code>
<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>
<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>
<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>
<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>

<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Enable the encryption between the server and the agent=

The connection need to be secure between the server and the agent, it's not easy and it's not hard to make it for the security.

* Setup Directories:

<code> cd /usr/local/nagios/etc/ </code>

<code> mkdir ssl </code>

<code> chown root:nagios ssl </code>

<code> mkdir ca nagios_server_certs client_certs </code>

<code> chown root:nagios * </code>

<code> mkdir ./demoCA </code>

<code> mkdir ./demoCA/newcerts </code>

<code> cd ./demoCA </code>

<code> touch index.txt </code>

<code> echo '1000' Angle brackets serial </code>

* Create Certificate Authority
<code> openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650 </code>

* NRPE Client Certificate
<code> cd /usr/local/nagios/etc/ssl/client_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes </code>

* Sign this certificate request by our CA:

<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem </code>

Copy NRPE Client Certificates to the agent:

1- First you can make it with sftp://user@IP

Or you can copy it with secure copy

<code> scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/ </code>

* Next the NRPE client config file needs updating so it knows to use the new certificate. In the file /usr/local/nagios/etc/nrpe.cfg

<code> nano nrpe.cfg </code>

* In line 238 uncomment:

<code>
ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key
</code>

* restart nrpe:
<code> service nrpe restart </code>

* Don't forgot to uncomment the follow:

<code>
1- ssl_logging=0xff
2 ssl_client_certs=2
</code>

check_nrpe Plugin Certificate
<code> cd /usr/local/nagios/etc/ssl/nagios_server_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes </code>
<code> cd /usr/local/nagios/etc/ssl/ </code>
<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem </code>

* Using Certificates With check_nrpe Plugin

<code> /usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress </code>


* To make the handshake:

<code> nano /usr/local/nagios/etc/services </code>

* add the following next to the chech_nrpe services
<code> -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl//client_certs/client_cert.pem -K /usr/local/nagios/etc/ssl/client_certs/client_cert.key </code>

<code> service nagios restart </code>

To check the logs from the agent side

<code> tail -f /var/log/syslog </code>

Make sure that server IP address in the nrpe.cfg

<code> cd /usr/local/nagios/etc </code>
<code> nano nrpe.cfg </code>

In line 106
Put the server IP address

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

6- [https://support.nagios.com/kb/article.php?id=519 NRPE - v3 Enhanced Security]

7- [https://support.nagios.com/kb/article/nrpe-check_nrpe-error-could-not-complete-ssl-handshake-615.html NRPE - CHECK_NRPE: Error - Could Not Complete SSL Handshake]

=Security part=

Nagios encryption by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=7En5kheIwOM SSL Handshake between Nagios (Server - Agent)]

2- [https://www.youtube.com/watch?v=MnG8Embgfgw&t=506s How to secure the connection between Nagios (Server - Agent) NRPE - v3 Enhanced Security]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.youtube.com/watch?v=EpzTJH85y8Y&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios installation 4.2.0 (Ubuntu Server 16.04.1 LTS) - Step one]

6- [https://www.youtube.com/watch?v=4vZELdYa7O4&index=2&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios-Agent configuration using NRPE plugin - Step two]

7- [https://www.youtube.com/watch?v=TzlYyzj7BkQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=3 Nagios-Agent send checks to Nagios-Server - Step three]

8- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

9- [https://www.youtube.com/watch?v=jg_zan7f_YQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=6 How to send checks to Nagios-Server & How to create own script]

10- [https://www.youtube.com/watch?v=MnG8Embgfgw&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=10 Secure the connection between Nagios (Server - Agent) NRPE - v3 Enhanced Security]

11- [https://www.youtube.com/watch?v=7En5kheIwOM SSL Handshake between Nagios (Server - Agent)]

------

[[Category:Monitoring]]

Security monitoring solution Nagios

2018-05-06T10:02:30Z

Malyhass: /* See also */

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>
<code> groupadd nagcmd </code>
<code> usermod -a -G nagcmd nagios </code>
<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>
<code> make all </code>
<code> make install </code>
<code> make install-commandmode </code>
<code> make install-init </code>
<code> make install-config </code>
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>
<code> make </code>
<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>
<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>
<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>
<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>

<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Enable the encryption between the server and the agent=

The connection need to be secure between the server and the agent, it's not easy and it's not hard to make it for the security.

* Setup Directories:

<code> cd /usr/local/nagios/etc/ </code>

<code> mkdir ssl </code>

<code> chown root:nagios ssl </code>

<code> mkdir ca nagios_server_certs client_certs </code>

<code> chown root:nagios * </code>

<code> mkdir ./demoCA </code>

<code> mkdir ./demoCA/newcerts </code>

<code> cd ./demoCA </code>

<code> touch index.txt </code>

<code> echo '1000' Angle brackets serial </code>

* Create Certificate Authority
<code> openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650 </code>

* NRPE Client Certificate
<code> cd /usr/local/nagios/etc/ssl/client_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes </code>

* Sign this certificate request by our CA:

<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem </code>

Copy NRPE Client Certificates to the agent:

1- First you can make it with sftp://user@IP

Or you can copy it with secure copy

<code> scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/ </code>

* Next the NRPE client config file needs updating so it knows to use the new certificate. In the file /usr/local/nagios/etc/nrpe.cfg

<code> nano nrpe.cfg </code>

* In line 238 uncomment:

<code>
ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key
</code>

* restart nrpe:
<code> service nrpe restart </code>

* Don't forgot to uncomment the follow:

<code>
1- ssl_logging=0xff
2 ssl_client_certs=2
</code>

check_nrpe Plugin Certificate
<code> cd /usr/local/nagios/etc/ssl/nagios_server_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes </code>
<code> cd /usr/local/nagios/etc/ssl/ </code>
<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem </code>

* Using Certificates With check_nrpe Plugin

<code> /usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress </code>


* To make the handshake:

<code> nano /usr/local/nagios/etc/services </code>

* add the following next to the chech_nrpe services
<code> -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl//client_certs/client_cert.pem -K /usr/local/nagios/etc/ssl/client_certs/client_cert.key </code>

<code> service nagios restart </code>

To check the logs from the agent side

<code> tail -f /var/log/syslog </code>

Make sure that server IP address in the nrpe.cfg

<code> cd /usr/local/nagios/etc </code>
<code> nano nrpe.cfg </code>

In line 106
Put the server IP address

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

6- [https://support.nagios.com/kb/article.php?id=519 NRPE - v3 Enhanced Security]

7- [https://support.nagios.com/kb/article/nrpe-check_nrpe-error-could-not-complete-ssl-handshake-615.html NRPE - CHECK_NRPE: Error - Could Not Complete SSL Handshake]

=Security part=

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.youtube.com/watch?v=EpzTJH85y8Y&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios installation 4.2.0 (Ubuntu Server 16.04.1 LTS) - Step one]

6- [https://www.youtube.com/watch?v=4vZELdYa7O4&index=2&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios-Agent configuration using NRPE plugin - Step two]

7- [https://www.youtube.com/watch?v=TzlYyzj7BkQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=3 Nagios-Agent send checks to Nagios-Server - Step three]

8- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

9- [https://www.youtube.com/watch?v=jg_zan7f_YQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=6 How to send checks to Nagios-Server & How to create own script]

10- [https://www.youtube.com/watch?v=MnG8Embgfgw&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=10 Secure the connection between Nagios (Server - Agent) NRPE - v3 Enhanced Security]

11- [https://www.youtube.com/watch?v=7En5kheIwOM SSL Handshake between Nagios (Server - Agent)]

------

[[Category:Monitoring]]

Security monitoring solution Nagios

2018-05-06T10:00:42Z

Malyhass:

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 06 May 2017

‎Last modified: ‎06 May 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>
<code> groupadd nagcmd </code>
<code> usermod -a -G nagcmd nagios </code>
<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>
<code> make all </code>
<code> make install </code>
<code> make install-commandmode </code>
<code> make install-init </code>
<code> make install-config </code>
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>
<code> make </code>
<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>
<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>
<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>
<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>

<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Enable the encryption between the server and the agent=

The connection need to be secure between the server and the agent, it's not easy and it's not hard to make it for the security.

* Setup Directories:

<code> cd /usr/local/nagios/etc/ </code>

<code> mkdir ssl </code>

<code> chown root:nagios ssl </code>

<code> mkdir ca nagios_server_certs client_certs </code>

<code> chown root:nagios * </code>

<code> mkdir ./demoCA </code>

<code> mkdir ./demoCA/newcerts </code>

<code> cd ./demoCA </code>

<code> touch index.txt </code>

<code> echo '1000' Angle brackets serial </code>

* Create Certificate Authority
<code> openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650 </code>

* NRPE Client Certificate
<code> cd /usr/local/nagios/etc/ssl/client_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes </code>

* Sign this certificate request by our CA:

<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem </code>

Copy NRPE Client Certificates to the agent:

1- First you can make it with sftp://user@IP

Or you can copy it with secure copy

<code> scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/ </code>

* Next the NRPE client config file needs updating so it knows to use the new certificate. In the file /usr/local/nagios/etc/nrpe.cfg

<code> nano nrpe.cfg </code>

* In line 238 uncomment:

<code>
ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key
</code>

* restart nrpe:
<code> service nrpe restart </code>

* Don't forgot to uncomment the follow:

<code>
1- ssl_logging=0xff
2 ssl_client_certs=2
</code>

check_nrpe Plugin Certificate
<code> cd /usr/local/nagios/etc/ssl/nagios_server_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes </code>
<code> cd /usr/local/nagios/etc/ssl/ </code>
<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem </code>

* Using Certificates With check_nrpe Plugin

<code> /usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress </code>


* To make the handshake:

<code> nano /usr/local/nagios/etc/services </code>

* add the following next to the chech_nrpe services
<code> -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl//client_certs/client_cert.pem -K /usr/local/nagios/etc/ssl/client_certs/client_cert.key </code>

<code> service nagios restart </code>

To check the logs from the agent side

<code> tail -f /var/log/syslog </code>

Make sure that server IP address in the nrpe.cfg

<code> cd /usr/local/nagios/etc </code>
<code> nano nrpe.cfg </code>

In line 106
Put the server IP address

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

6- [https://support.nagios.com/kb/article.php?id=519 NRPE - v3 Enhanced Security]

7- [https://support.nagios.com/kb/article/nrpe-check_nrpe-error-could-not-complete-ssl-handshake-615.html NRPE - CHECK_NRPE: Error - Could Not Complete SSL Handshake]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.youtube.com/watch?v=EpzTJH85y8Y&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios installation 4.2.0 (Ubuntu Server 16.04.1 LTS) - Step one]

6- [https://www.youtube.com/watch?v=4vZELdYa7O4&index=2&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios-Agent configuration using NRPE plugin - Step two]

7- [https://www.youtube.com/watch?v=TzlYyzj7BkQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=3 Nagios-Agent send checks to Nagios-Server - Step three]

8- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

9- [https://www.youtube.com/watch?v=jg_zan7f_YQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=6 How to send checks to Nagios-Server & How to create own script]

10- [https://www.youtube.com/watch?v=MnG8Embgfgw&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=10 Secure the connection between Nagios (Server - Agent) NRPE - v3 Enhanced Security]

11- [https://www.youtube.com/watch?v=7En5kheIwOM SSL Handshake between Nagios (Server - Agent)]

------

[[Category:Monitoring]]

Security monitoring solution Nagios

2018-05-06T09:59:10Z

Malyhass: Created page with " Nagios monitoring system Author: Mohanad Aly Cyber Security Engineering (C21) Page Created: 25 November 2017 ‎Last modified: ‎07 Janu..."

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 25 November 2017

‎Last modified: ‎07 January 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>
<code> groupadd nagcmd </code>
<code> usermod -a -G nagcmd nagios </code>
<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>
<code> make all </code>
<code> make install </code>
<code> make install-commandmode </code>
<code> make install-init </code>
<code> make install-config </code>
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>
<code> make </code>
<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>
<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>
<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>
<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>

<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Enable the encryption between the server and the agent=

The connection need to be secure between the server and the agent, it's not easy and it's not hard to make it for the security.

* Setup Directories:

<code> cd /usr/local/nagios/etc/ </code>

<code> mkdir ssl </code>

<code> chown root:nagios ssl </code>

<code> mkdir ca nagios_server_certs client_certs </code>

<code> chown root:nagios * </code>

<code> mkdir ./demoCA </code>

<code> mkdir ./demoCA/newcerts </code>

<code> cd ./demoCA </code>

<code> touch index.txt </code>

<code> echo '1000' Angle brackets serial </code>

* Create Certificate Authority
<code> openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650 </code>

* NRPE Client Certificate
<code> cd /usr/local/nagios/etc/ssl/client_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes </code>

* Sign this certificate request by our CA:

<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem </code>

Copy NRPE Client Certificates to the agent:

1- First you can make it with sftp://user@IP

Or you can copy it with secure copy

<code> scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/ </code>

* Next the NRPE client config file needs updating so it knows to use the new certificate. In the file /usr/local/nagios/etc/nrpe.cfg

<code> nano nrpe.cfg </code>

* In line 238 uncomment:

<code>
ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key
</code>

* restart nrpe:
<code> service nrpe restart </code>

* Don't forgot to uncomment the follow:

<code>
1- ssl_logging=0xff
2 ssl_client_certs=2
</code>

check_nrpe Plugin Certificate
<code> cd /usr/local/nagios/etc/ssl/nagios_server_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes </code>
<code> cd /usr/local/nagios/etc/ssl/ </code>
<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem </code>

* Using Certificates With check_nrpe Plugin

<code> /usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress </code>


* To make the handshake:

<code> nano /usr/local/nagios/etc/services </code>

* add the following next to the chech_nrpe services
<code> -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl//client_certs/client_cert.pem -K /usr/local/nagios/etc/ssl/client_certs/client_cert.key </code>

<code> service nagios restart </code>

To check the logs from the agent side

<code> tail -f /var/log/syslog </code>

Make sure that server IP address in the nrpe.cfg

<code> cd /usr/local/nagios/etc </code>
<code> nano nrpe.cfg </code>

In line 106
Put the server IP address

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

6- [https://support.nagios.com/kb/article.php?id=519 NRPE - v3 Enhanced Security]

7- [https://support.nagios.com/kb/article/nrpe-check_nrpe-error-could-not-complete-ssl-handshake-615.html NRPE - CHECK_NRPE: Error - Could Not Complete SSL Handshake]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.youtube.com/watch?v=EpzTJH85y8Y&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios installation 4.2.0 (Ubuntu Server 16.04.1 LTS) - Step one]

6- [https://www.youtube.com/watch?v=4vZELdYa7O4&index=2&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios-Agent configuration using NRPE plugin - Step two]

7- [https://www.youtube.com/watch?v=TzlYyzj7BkQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=3 Nagios-Agent send checks to Nagios-Server - Step three]

8- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

9- [https://www.youtube.com/watch?v=jg_zan7f_YQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=6 How to send checks to Nagios-Server & How to create own script]

10- [https://www.youtube.com/watch?v=MnG8Embgfgw&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=10 Secure the connection between Nagios (Server - Agent) NRPE - v3 Enhanced Security]

11- [https://www.youtube.com/watch?v=7En5kheIwOM SSL Handshake between Nagios (Server - Agent)]

------

[[Category:Monitoring]]

Improve security with Zabbix-Monitor-Server

2018-01-09T12:11:54Z

Malyhass: /* Zabbix Monitoring system */

[[File:zabbix_logo.png|thumb|300px| Zabbix monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 19 November 2017

‎Last modified: ‎25 November 2017

= Introduction =
This article introduces the Monitoring application called '''Zabbix'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Zabbix Monitoring system===
Zabbix is an Open Source, high-level enterprise software designed to monitor and keep track of networks, servers and applications in real time. Build in a server-client model, Zabbix can collect different type of data than are used to create historical graphics and output performance or load trends of the monitored targets.

Zabbix is based on the following components:

{| class="wikitable"
|-
! Software
! Version
! Comments
|-
| Apache
| 1.3.12 or later
|
|-
| PHP
| 5.0 or later
|
|-
| PHP modules: php-gd
| GD 2.0 or later
| PHP GD module must support PNG images.
|-
|PHP TrueType support
|
| with-ttf
|-
|PHP bc support
|
|php-bcmath, --enable-bcmath
|-
|PHP XML support
|
|php-xml or php5-dom, if provided as a separate package by the distributor
|-
|PHP session support
|
|php-session, if provided as a separate package by the distributor
|-
|PHP socket support
|
|php-net-socket, --enable-sockets. Required for user script support.
|-
|PHP multibyte support
|
|php-mbstring, --enable-mbstring
|-
|IBM DB2 ibm_db2
|
|Required if IBM DB2 is used as Zabbix back end database.
|-
|MySQL php-mysql
|3.22 or later
|Required if MySQL is used as Zabbix back end database.
|-
|Oracle oci8
|
|Required if Oracle is used as Zabbix back-end database.
|-
|PostgreSQL php-pgsql
|7.0.2 or later if Zabbix < 1.8.9, 7.4 or later if Zabbix >= 1.8.9
|Required if PostgreSQL is used as Zabbix back-end database. Consider using PostgreSQL 8.x or later for much better performance. It is suggested to use at least PostgreSQL 8.3, performance [https://www.postgresql.org/docs/8.3/static/release-8-3.html which introduced much better VACUUM].
|-
|SQLite php-sqlite3
|3.3.5 or later
|Required if SQLite is used as Zabbix back-end database.
|}

= The main advantages of Zabbix =
*Open-source
*Customized Dashboards
*Ease of Use
*Monitor everything
*Network Security
*Performance
*Agentless Monitoring
*Hardware Monitoring

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Zabbix=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Zabbix.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:
<code> sudo apt install mysql-server </code>

<code> wget http://repo.zabbix.com/zabbix/3.2/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.2-1+xenial_all.deb </code>

<code> dpkg -i zabbix-release_3.2-1+xenial_all.deb </code>

<code> apt-get update </code>

<code> apt-get install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-get zabbix-sender snmp snmpd snmp-mibs-downloader php7.0-bcmath php7.0-xml php7.0-mbstring </code>

<code> mysql -u root -p your password </code>

<code> create database zabbix character set utf8 collate utf8_bin; </code>

<code> grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix'; </code>

<code> exit; </code>

<code> cd /usr/share/doc/zabbix-server-mysql/ </code>

<code> zcat create.sql.gz | mysql -u root -p zabbix </code>

<code> mysql -u root -p your password </code>

<code> show databases; </code>

<code> use zabbix; </code>

<code> show tables; </code>

<code> exit; </code>

<code> cd /etc/zabbix/ </code>

*And copy evenhandler directory to the nagios directory:

<code> timedatectl list-timezones </code>
Or
<code>timedatectl </code>

<code> nano apache.conf </code>

<code> nano zabbix_server.conf </code>

<code> service apache2 restart </code>

<code> service zabbix-server restart </code>

<code> cd nagios-plugins-2.1.2/ </code>

<code> service zabbis-server status </code>

<code> ifconfig </code>

*Open your web browser and YOURIPADDRESS/zabbix
[[File:Screenshot from 2017-11-25 21-26-14.png|thumb|center| Zabbix monitoring system]]

=Zabbix-Agent=

Before start to install the Zabbbix-agent update the machine
<code> apt-get update </code>

Zabbix-Agent is easy to install, just one command and it installed into the machine.
<code> apt-get install zabbix-agent </code>

User need to go to the configuration folder to start edit the agent config file
<code> cd /etc/zabbix </code>

Start to edit the file to make the correct configuration to send all the checks to Zabbix-server
<code> nano -c zabbix_agentd.conf </code>

Checking the configuration file

*Uncomment line 43
*If user need to enable the debugging mode uncomment line 57
*Enable the remote command uncomment line 73
*Enable the log remote command uncomment line 82
*Server IP address line 95
*Listen-port 10050 uncomment line 103
*Enable the server-active uncomment line 136
*Hostname depends on the user configuration

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Zabbix-server/"
</VirtualHost>
</pre>

=Summary=
Zabbix is an open source application for monitoring a system. Zabbix has been widely used because of the ease of configuration. Zabbix also in support by various plugins. Look here for more information [https://www.zabbix.com/documentation/3.2/start zabbix-main-documentation].

=See also=

Zabbix installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=-uxApkZ-K0w&t=1015s Zabbix-Server-Installation]

2- [https://www.youtube.com/watch?v=AeNRo2P-6DY&t=1s&list=PLKAuFoXV02Volco2M8VEZxkKHOCcdHhWw&index=5 Zabbix-Agent]

=References=
1- [https://en.wikipedia.org/wiki/Zabbix System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://www.zabbix.com/monitor_everything Zabbix-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.zabbix.com/documentation/1.8/manual/installation/requirements Requirements table reference]
------

[[Category:Monitoring]]

Improve security with Nagios-Monitor-Server

2018-01-07T09:16:07Z

Malyhass:

Improve security with Nagios-Monitor-Server

2018-01-07T09:15:20Z

Malyhass: /* References */

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 25 November 2017

‎Last modified: ‎25 November 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>
<code> groupadd nagcmd </code>
<code> usermod -a -G nagcmd nagios </code>
<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>
<code> make all </code>
<code> make install </code>
<code> make install-commandmode </code>
<code> make install-init </code>
<code> make install-config </code>
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>
<code> make </code>
<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>
<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>
<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>
<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>

<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Enable the encryption between the server and the agent=

The connection need to be secure between the server and the agent, it's not easy and it's not hard to make it for the security.

* Setup Directories:

<code> cd /usr/local/nagios/etc/ </code>

<code> mkdir ssl </code>

<code> chown root:nagios ssl </code>

<code> mkdir ca nagios_server_certs client_certs </code>

<code> chown root:nagios * </code>

<code> mkdir ./demoCA </code>

<code> mkdir ./demoCA/newcerts </code>

<code> cd ./demoCA </code>

<code> touch index.txt </code>

<code> echo '1000' Angle brackets serial </code>

* Create Certificate Authority
<code> openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650 </code>

* NRPE Client Certificate
<code> cd /usr/local/nagios/etc/ssl/client_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes </code>

* Sign this certificate request by our CA:

<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem </code>

Copy NRPE Client Certificates to the agent:

1- First you can make it with sftp://user@IP

Or you can copy it with secure copy

<code> scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/ </code>

* Next the NRPE client config file needs updating so it knows to use the new certificate. In the file /usr/local/nagios/etc/nrpe.cfg

<code> nano nrpe.cfg </code>

* In line 238 uncomment:

<code>
ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key
</code>

* restart nrpe:
<code> service nrpe restart </code>

* Don't forgot to uncomment the follow:

<code>
1- ssl_logging=0xff
2 ssl_client_certs=2
</code>

check_nrpe Plugin Certificate
<code> cd /usr/local/nagios/etc/ssl/nagios_server_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes </code>
<code> cd /usr/local/nagios/etc/ssl/ </code>
<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem </code>

* Using Certificates With check_nrpe Plugin

<code> /usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress </code>


* To make the handshake:

<code> nano /usr/local/nagios/etc/services </code>

* add the following next to the chech_nrpe services
<code> -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl//client_certs/client_cert.pem -K /usr/local/nagios/etc/ssl/client_certs/client_cert.key </code>

<code> service nagios restart </code>

To check the logs from the agent side

<code> tail -f /var/log/syslog </code>

Make sure that server IP address in the nrpe.cfg

<code> cd /usr/local/nagios/etc </code>
<code> nano nrpe.cfg </code>

In line 106
Put the server IP address

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

6- [https://support.nagios.com/kb/article.php?id=519 NRPE - v3 Enhanced Security]

7- [https://support.nagios.com/kb/article/nrpe-check_nrpe-error-could-not-complete-ssl-handshake-615.html NRPE - CHECK_NRPE: Error - Could Not Complete SSL Handshake]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

5- [https://www.youtube.com/watch?v=EpzTJH85y8Y&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios installation 4.2.0 (Ubuntu Server 16.04.1 LTS) - Step one]

6- [https://www.youtube.com/watch?v=4vZELdYa7O4&index=2&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP Nagios-Agent configuration using NRPE plugin - Step two]

7- [https://www.youtube.com/watch?v=TzlYyzj7BkQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=3 Nagios-Agent send checks to Nagios-Server - Step three]

8- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

9- [https://www.youtube.com/watch?v=jg_zan7f_YQ&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=6 How to send checks to Nagios-Server & How to create own script]

10- [https://www.youtube.com/watch?v=MnG8Embgfgw&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=10 Secure the connection between Nagios (Server - Agent) NRPE - v3 Enhanced Security]

11- [https://www.youtube.com/watch?v=7En5kheIwOM SSL Handshake between Nagios (Server - Agent)]

------

[[Category:Monitoring]]

Improve security with Nagios-Monitor-Server

2018-01-07T09:11:27Z

Malyhass: /* Enable the encryption between the server and the agent */

Improve security with Nagios-Monitor-Server

2018-01-07T09:09:12Z

Malyhass: /* Setting up Nagios */

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 25 November 2017

‎Last modified: ‎25 November 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>
<code> groupadd nagcmd </code>
<code> usermod -a -G nagcmd nagios </code>
<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>
<code> make all </code>
<code> make install </code>
<code> make install-commandmode </code>
<code> make install-init </code>
<code> make install-config </code>
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>
<code> make </code>
<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>
<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>
<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>
<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>

<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Enable the encryption between the server and the agent=

The connection need to be secure between the server and the agent, it's not easy and it's not hard to make it for the security.

* Setup Directories:

<code> cd /usr/local/nagios/etc/ </code>

<code> mkdir ssl </code>

<code> chown root:nagios ssl </code>

<code> mkdir ca nagios_server_certs client_certs </code>

<code> chown root:nagios * </code>

<code> mkdir ./demoCA </code>

<code> mkdir ./demoCA/newcerts </code>

<code> cd ./demoCA </code>

<code> touch index.txt </code>

<code> echo '1000' Angle brackets serial </code>

* Create Certificate Authority
<code> openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650 </code>

* NRPE Client Certificate
<code> cd /usr/local/nagios/etc/ssl/client_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes </code>

* Sign this certificate request by our CA:

<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem </code>

Copy NRPE Client Certificates to the agent:

1- First you can make it with sftp://user@IP

Or you can copy it with secure copy

<code> scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/ </code>

* Next the NRPE client config file needs updating so it knows to use the new certificate. In the file /usr/local/nagios/etc/nrpe.cfg

<code> nano nrpe.cfg </code>

* In line 238 uncomment:

<code>
ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key
</code>

* restart nrpe:
<code> service nrpe restart </code>

* Don't forgot to uncomment the follow:

<code>
1- ssl_logging=0xff
2 ssl_client_certs=2
</code>

check_nrpe Plugin Certificate
<code> cd /usr/local/nagios/etc/ssl/nagios_server_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes </code>
<code> cd /usr/local/nagios/etc/ssl/ </code>
<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem </code>

* Using Certificates With check_nrpe Plugin

<code> /usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress </code>

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

6- [https://support.nagios.com/kb/article.php?id=519 NRPE - v3 Enhanced Security]

7- [https://support.nagios.com/kb/article/nrpe-check_nrpe-error-could-not-complete-ssl-handshake-615.html NRPE - CHECK_NRPE: Error - Could Not Complete SSL Handshake]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

------

[[Category:Monitoring]]

Improve security with Nagios-Monitor-Server

2018-01-07T09:08:03Z

Malyhass: /* See also */

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 25 November 2017

‎Last modified: ‎25 November 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>
<code> groupadd nagcmd </code>
<code> usermod -a -G nagcmd nagios </code>
<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>
<code> make all </code>
<code> make install </code>
<code> make install-commandmode </code>
<code> make install-init </code>
<code> make install-config </code>
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>
<code> make </code>
<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>
<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>
<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>
<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>
<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Enable the encryption between the server and the agent=

The connection need to be secure between the server and the agent, it's not easy and it's not hard to make it for the security.

* Setup Directories:

<code> cd /usr/local/nagios/etc/ </code>

<code> mkdir ssl </code>

<code> chown root:nagios ssl </code>

<code> mkdir ca nagios_server_certs client_certs </code>

<code> chown root:nagios * </code>

<code> mkdir ./demoCA </code>

<code> mkdir ./demoCA/newcerts </code>

<code> cd ./demoCA </code>

<code> touch index.txt </code>

<code> echo '1000' Angle brackets serial </code>

* Create Certificate Authority
<code> openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650 </code>

* NRPE Client Certificate
<code> cd /usr/local/nagios/etc/ssl/client_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes </code>

* Sign this certificate request by our CA:

<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem </code>

Copy NRPE Client Certificates to the agent:

1- First you can make it with sftp://user@IP

Or you can copy it with secure copy

<code> scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/ </code>

* Next the NRPE client config file needs updating so it knows to use the new certificate. In the file /usr/local/nagios/etc/nrpe.cfg

<code> nano nrpe.cfg </code>

* In line 238 uncomment:

<code>
ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key
</code>

* restart nrpe:
<code> service nrpe restart </code>

* Don't forgot to uncomment the follow:

<code>
1- ssl_logging=0xff
2 ssl_client_certs=2
</code>

check_nrpe Plugin Certificate
<code> cd /usr/local/nagios/etc/ssl/nagios_server_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes </code>
<code> cd /usr/local/nagios/etc/ssl/ </code>
<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem </code>

* Using Certificates With check_nrpe Plugin

<code> /usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress </code>

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

6- [https://support.nagios.com/kb/article.php?id=519 NRPE - v3 Enhanced Security]

7- [https://support.nagios.com/kb/article/nrpe-check_nrpe-error-could-not-complete-ssl-handshake-615.html NRPE - CHECK_NRPE: Error - Could Not Complete SSL Handshake]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

------

[[Category:Monitoring]]

Improve security with Nagios-Monitor-Server

2018-01-07T09:06:52Z

Malyhass: /* See also */

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 25 November 2017

‎Last modified: ‎25 November 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>
<code> groupadd nagcmd </code>
<code> usermod -a -G nagcmd nagios </code>
<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>
<code> make all </code>
<code> make install </code>
<code> make install-commandmode </code>
<code> make install-init </code>
<code> make install-config </code>
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>
<code> make </code>
<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>
<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>
<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>
<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>
<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Enable the encryption between the server and the agent=

The connection need to be secure between the server and the agent, it's not easy and it's not hard to make it for the security.

* Setup Directories:

<code> cd /usr/local/nagios/etc/ </code>

<code> mkdir ssl </code>

<code> chown root:nagios ssl </code>

<code> mkdir ca nagios_server_certs client_certs </code>

<code> chown root:nagios * </code>

<code> mkdir ./demoCA </code>

<code> mkdir ./demoCA/newcerts </code>

<code> cd ./demoCA </code>

<code> touch index.txt </code>

<code> echo '1000' Angle brackets serial </code>

* Create Certificate Authority
<code> openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650 </code>

* NRPE Client Certificate
<code> cd /usr/local/nagios/etc/ssl/client_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes </code>

* Sign this certificate request by our CA:

<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem </code>

Copy NRPE Client Certificates to the agent:

1- First you can make it with sftp://user@IP

Or you can copy it with secure copy

<code> scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/ </code>

* Next the NRPE client config file needs updating so it knows to use the new certificate. In the file /usr/local/nagios/etc/nrpe.cfg

<code> nano nrpe.cfg </code>

* In line 238 uncomment:

<code>
ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key
</code>

* restart nrpe:
<code> service nrpe restart </code>

* Don't forgot to uncomment the follow:

<code>
1- ssl_logging=0xff
2 ssl_client_certs=2
</code>

check_nrpe Plugin Certificate
<code> cd /usr/local/nagios/etc/ssl/nagios_server_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes </code>
<code> cd /usr/local/nagios/etc/ssl/ </code>
<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem </code>

* Using Certificates With check_nrpe Plugin

<code> /usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress </code>

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

6- [https://support.nagios.com/kb/article.php?id=519 NRPE - v3 Enhanced Security]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

------

[[Category:Monitoring]]

Improve security with Nagios-Monitor-Server

2018-01-07T09:05:52Z

Malyhass: /* Enable the encryption between the server and the agent */

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 25 November 2017

‎Last modified: ‎25 November 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>
<code> groupadd nagcmd </code>
<code> usermod -a -G nagcmd nagios </code>
<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>
<code> make all </code>
<code> make install </code>
<code> make install-commandmode </code>
<code> make install-init </code>
<code> make install-config </code>
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>
<code> make </code>
<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>
<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>
<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>
<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>
<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Enable the encryption between the server and the agent=

The connection need to be secure between the server and the agent, it's not easy and it's not hard to make it for the security.

* Setup Directories:

<code> cd /usr/local/nagios/etc/ </code>

<code> mkdir ssl </code>

<code> chown root:nagios ssl </code>

<code> mkdir ca nagios_server_certs client_certs </code>

<code> chown root:nagios * </code>

<code> mkdir ./demoCA </code>

<code> mkdir ./demoCA/newcerts </code>

<code> cd ./demoCA </code>

<code> touch index.txt </code>

<code> echo '1000' Angle brackets serial </code>

* Create Certificate Authority
<code> openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650 </code>

* NRPE Client Certificate
<code> cd /usr/local/nagios/etc/ssl/client_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes </code>

* Sign this certificate request by our CA:

<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem </code>

Copy NRPE Client Certificates to the agent:

1- First you can make it with sftp://user@IP

Or you can copy it with secure copy

<code> scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/ </code>

* Next the NRPE client config file needs updating so it knows to use the new certificate. In the file /usr/local/nagios/etc/nrpe.cfg

<code> nano nrpe.cfg </code>

* In line 238 uncomment:

<code>
ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key
</code>

* restart nrpe:
<code> service nrpe restart </code>

* Don't forgot to uncomment the follow:

<code>
1- ssl_logging=0xff
2 ssl_client_certs=2
</code>

check_nrpe Plugin Certificate
<code> cd /usr/local/nagios/etc/ssl/nagios_server_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes </code>
<code> cd /usr/local/nagios/etc/ssl/ </code>
<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem </code>

* Using Certificates With check_nrpe Plugin

<code> /usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress </code>

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

------

[[Category:Monitoring]]

Improve security with Nagios-Monitor-Server

2018-01-07T09:05:22Z

Malyhass: /* Enable the encryption between the server and the agent */

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 25 November 2017

‎Last modified: ‎25 November 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>
<code> groupadd nagcmd </code>
<code> usermod -a -G nagcmd nagios </code>
<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>
<code> make all </code>
<code> make install </code>
<code> make install-commandmode </code>
<code> make install-init </code>
<code> make install-config </code>
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>
<code> make </code>
<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>
<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>
<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>
<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>
<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Enable the encryption between the server and the agent=

The connection need to be secure between the server and the agent, it's not easy and it's not hard to make it for the security.

* Setup Directories:

<code> cd /usr/local/nagios/etc/ </code>

<code> mkdir ssl </code>

<code> chown root:nagios ssl </code>

<code> mkdir ca nagios_server_certs client_certs </code>

<code> chown root:nagios * </code>

<code> mkdir ./demoCA </code>

<code> mkdir ./demoCA/newcerts </code>

<code> cd ./demoCA </code>

<code> touch index.txt </code>

<code> echo '1000' Angle brackets serial </code>

* Create Certificate Authority
<code> openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650 </code>

* NRPE Client Certificate
<code> cd /usr/local/nagios/etc/ssl/client_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes </code>

* Sign this certificate request by our CA:

<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem </code>

Copy NRPE Client Certificates to the agent:

1- First you can make it with sftp://user@IP

Or you can copy it with secure copy

<code> scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/ </code>

* Next the NRPE client config file needs updating so it knows to use the new certificate. In the file /usr/local/nagios/etc/nrpe.cfg

<code> nano nrpe.cfg </code>

* In line 238 uncomment:

<code>
ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key
</code>

* restart nrpe:
<code> service nrpe restart </code>

* Don't forgot to uncomment the follow:

<code>
1- ssl_logging=0xff
2 ssl_client_certs=2
</code>

check_nrpe Plugin Certificate
<code> cd /usr/local/nagios/etc/ssl/nagios_server_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes </code>
<code> cd /usr/local/nagios/etc/ssl/ </code>
<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem </code>

* Using Certificates With check_nrpe Plugin

<code> /usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress </code>

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

------

[[Category:Monitoring]]

Improve security with Nagios-Monitor-Server

2018-01-07T09:05:07Z

Malyhass: /* Enable the encryption between the server and the agent */

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 25 November 2017

‎Last modified: ‎25 November 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>
<code> groupadd nagcmd </code>
<code> usermod -a -G nagcmd nagios </code>
<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>
<code> make all </code>
<code> make install </code>
<code> make install-commandmode </code>
<code> make install-init </code>
<code> make install-config </code>
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>
<code> make </code>
<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>
<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>
<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>
<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>
<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Enable the encryption between the server and the agent=

The connection need to be secure between the server and the agent, it's not easy and it's not hard to make it for the security.

* Setup Directories:

* Setup Directories:

<code> cd /usr/local/nagios/etc/ </code>

<code> mkdir ssl </code>

<code> chown root:nagios ssl </code>

<code> mkdir ca nagios_server_certs client_certs </code>

<code> chown root:nagios * </code>

<code> mkdir ./demoCA </code>

<code> mkdir ./demoCA/newcerts </code>

<code> cd ./demoCA </code>

<code> touch index.txt </code>

<code> echo '1000' Angle brackets serial </code>

* Create Certificate Authority
<code> openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650 </code>

* NRPE Client Certificate
<code> cd /usr/local/nagios/etc/ssl/client_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes </code>

* Sign this certificate request by our CA:

<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem </code>

Copy NRPE Client Certificates to the agent:

1- First you can make it with sftp://user@IP

Or you can copy it with secure copy

<code> scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/ </code>

<code> scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/ </code>

* Next the NRPE client config file needs updating so it knows to use the new certificate. In the file /usr/local/nagios/etc/nrpe.cfg

<code> nano nrpe.cfg </code>

* In line 238 uncomment:

<code>
ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key
</code>

* restart nrpe:
<code> service nrpe restart </code>

* Don't forgot to uncomment the follow:

<code>
1- ssl_logging=0xff
2 ssl_client_certs=2
</code>

check_nrpe Plugin Certificate
<code> cd /usr/local/nagios/etc/ssl/nagios_server_certs/ </code>
<code> openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes </code>
<code> cd /usr/local/nagios/etc/ssl/ </code>
<code> openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem </code>

* Using Certificates With check_nrpe Plugin

<code> /usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress </code>

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

------

[[Category:Monitoring]]

Improve security with Nagios-Monitor-Server

2018-01-07T08:57:06Z

Malyhass: /* Enable the encryption Front-end Web */

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 25 November 2017

‎Last modified: ‎25 November 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>
<code> groupadd nagcmd </code>
<code> usermod -a -G nagcmd nagios </code>
<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>
<code> make all </code>
<code> make install </code>
<code> make install-commandmode </code>
<code> make install-init </code>
<code> make install-config </code>
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>
<code> make </code>
<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>
<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>
<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>
<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>
<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Enable the encryption between the server and the agent=

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

------

[[Category:Monitoring]]

File:Nagios-server-monitor.png

2017-11-25T23:20:35Z

Malyhass:

Improve security with Nagios-Monitor-Server

2017-11-25T23:20:18Z

Malyhass: /* Setting up Nagios */

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 25 November 2017

‎Last modified: ‎25 November 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>
<code> groupadd nagcmd </code>
<code> usermod -a -G nagcmd nagios </code>
<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>
<code> make all </code>
<code> make install </code>
<code> make install-commandmode </code>
<code> make install-init </code>
<code> make install-config </code>
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>
<code> make </code>
<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>
<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>
<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>
<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>
<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]
[[File:Nagios-server-monitor.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

------

[[Category:Monitoring]]

Improve security with Nagios-Monitor-Server

2017-11-25T23:09:30Z

Malyhass: /* Installing the prerequisites */

[[File:image.png|thumb|300px| Nagios monitoring system]]

Author:
Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 25 November 2017

‎Last modified: ‎25 November 2017

= Introduction =
This article introduces the Monitoring application called '''Nagios'''.

===Monitoring===
Monitoring is the process of keep tracking of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref>
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.
Monitoring is used to:
*Check performance
*Detect if something worth noticing happened
*Prevent something to happen
*Detect whether a system is under attack and that is the most important part for the cyber security

===Nagios Monitoring system===
Nagios now known as Nagios Core, is a free and open source computer-software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. <ref>[https://en.wikipedia.org/wiki/Nagios]</ref>

Monitoring is made of three components:

{| class="wikitable"
|-
! Software
! Version
|-
| Apache
| 1.3.12 or later
|-
| PHP
| 5.0 or later
|-
|MySQL php-mysql
|3.22 or later
|-
|}

= The main advantages of Nagios =
*Open-source
*Customized Dashboards
*Ease of Use
*Infinite Scalability
*Data in Real Time
*Network Security

= Why monitoring is important for cyber security =
*First thing is important for the cyber security professional is the CIA (Confidentiality, Integrity and Availability)[https://en.wikipedia.org/wiki/Information_security What is CIA], and to get to the standards we need to implement the tools that provides the security for our data and servers that hosting the data.
*Second system administrator need tools to react when something happened to the server, so system administrator need real time checks to make sure that everything is working in order.
*Third Monitoring tools alerts should be readable for the administrator and fast, when something happened to the server or the service the monitoring tool should send the alerts in the exact time to give the administrator the time to fix it.
*Fourth the attacks and threats which is more difficult to the system administrator to figure out what is going in the server, and the monitoring tools should has the detection solution for the common attacks.
*Fifth the debugging, when system have error the monitor tool should have a readable debugging..

= Setting up Nagios=

In the following tutorial, Ubuntu 16.04 64-bit distribution will be used LTS.

==== Prerequisites ====
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.

This tutorial describes the commands and configuration to make the services work together Nagios.

*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:

Command
<code> sudo apt update</code>
<code> sudo apt upgrade</code>

=== Installing the prerequisites ===
*The server has the ability to check standard networking services (HTTP, FTP, SMTP, IMAP etc) without the need to install extra software on the monitored hosts.

Begin with the commands:

<code> sudo apt install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code>

User and group configuration

<code> useradd nagios </code>
<code> groupadd nagcmd </code>
<code> usermod -a -G nagcmd nagios </code>
<code> usermod -a -G nagios,nagcmd www-data </code>

Download and extract the Nagios core

<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code>

Extract the file
<code> tar -xzf nagios*.tar.gz </code>

System administrator need to configure it with the user and the group you have created earlier

<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code>
<code> make all </code>
<code> make install </code>
<code> make install-commandmode </code>
<code> make install-init </code>
<code> make install-config </code>
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code>

Copy even-handler directory to the nagios directory

<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code>
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code>

Install the Nagios Plugins

<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code>

Extract it

<code> tar -xzf nagios-plugins*.tar.gz </code>

Install the Nagios plugin's with the commands below
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code>
<code> make </code>
<code> make install </code>

System administrator can find the default configuration of Nagios in /usr/local/nagios/. to configure Nagios and Nagios contact. Edit default Nagios configuration with nano

<code> nano -c /usr/local/nagios/etc/nagios.cfg </code>
uncomment line 51 for the host monitor configuration.
Save and exit.

Add a new folder named servers.
<code> mkdir -p /usr/local/nagios/etc/servers </code>

Change the user and group for the new folder to Nagios:
<code> chown nagios:nagios /usr/local/nagios/etc/server </code>

Enable Apache modules
<code> sudo a2enmod rewrite </code>
<code> sudo a2enmod cgi </code>

System administrator can use the htpasswd command to configure a user nagiosadmin for the Nagios web interface

<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code>

Enable the Nagios virtualhost
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enable </code>

Start Apache
<code> service apache2 restart </code>

When Nagios starts, you may see the following error
Starting nagios (via systemctl): nagios.serviceFaile
System administrator can fix with the following

<code> cd /etc/init.d/ </code>
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code>
<code> nano /etc/init.d/nagios </code>

Paste this code at the end of the file

<pre>
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
</pre>

Make it executable and start Nagios

<code> chmod +x /etc/init.d/nagios </code>
<code> service apache2 restart </code>


Still it there is another process to fix the issue

First we are going to create/change the nagios.service

<code> nano /etc/systemd/system/nagios.service </code>

Paste the following code of the file

<pre>
[Unit]
Description=Nagios
BindTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
</pre>

System administrator need to enable created nagios.service config

<code> systemctl enable /etc/systemd/system/nagios.service </code>
<code> service nagios start </code>

To check the service is working
$ service nagios status

*Open web browser and YOURIPADDRESS/nagios

[[File:Nagios-server.png|thumb|center| Nagios monitoring system]]

=Enable the encryption Front-end Web=

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

<code> sudo a2enmod ssl </code>

Creating a subdirectory within Apache's configuration hierarchy to place the certificate files that we will be making

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing

<code> sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt </code>

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

*openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
*req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment. Since we are wanting to create a new X.509 certificate, this is what we want.
*-x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
*-nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
*-days 365: This specifies that the certificate we are creating will be valid for one year.
*-newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
*-keyout: This parameter names the output file for the private key file that is being created.
*-out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:
<code> sudo nano /etc/apache2/sites-available/default-ssl.conf </code>
<pre>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
----> SSLCertificateFile /etc/apache2/ssl/apache.crt
----> SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>

SSL-enabled virtual host
<code> sudo a2ensite default-ssl.conf </code>

Restart Apache to load our new virtual host file
<code> service apache2 restart </code>

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

<code> https://server_domain_name_or_IP </code>

This to solve the problem to enable the ssl
<code> nano 000-default.conf </code>

<pre>
# Special virtulhost only for redirecting
<VirtualHost *:80>
ServerName
Redirect "/" "https://Nagios-server/"
</VirtualHost>
</pre>

=Summary=
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information. [https://www.nagios.org/about/overview/ Nagios-main-documentation].

=See also=

Nagios installation by Cyber-Tect-Tips

1- [https://www.youtube.com/watch?v=EpzTJH85y8Y Nagios-Server-Installation Step one]

2- [https://www.youtube.com/watch?v=4vZELdYa7O4 Nagios-Agent configuration using NRPE plugin - Step two]

3- [https://www.youtube.com/watch?v=TzlYyzj7BkQ Nagios-Agent send checks to Nagios-Server - Step three]

4- [https://www.youtube.com/watch?v=Ci_FgH-dwr0 Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)]

5- [https://www.youtube.com/watch?v=Kz-Z-dL0T_U&list=PLKAuFoXV02VqeLyddX-CIMcMdqWcI2UoP&index=5 Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step]

=References=
1- [https://www.nagios.org/ Nagios System monitoring]

2- [https://en.wikipedia.org/wiki/Information_security CIA]

3- [https://en.wikipedia.org/wiki/Nagios Nagios-Information]

4- [https://www.youtube.com/channel/UChHzqszXw_5edX-9DOK4JxA Cyber-Tech-Tips]

------

[[Category:Monitoring]]

File:Nagios-server.png

2017-11-25T23:08:30Z

Malyhass:

File:Image.png

2017-11-25T23:04:54Z

Malyhass: