Install LibreNMS on CentOS

Posted on January 27, 2018 by admin

Install prerequisites

yum install -y epel-release 
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum install -y policycoreutils-python cronie fping git httpd ImageMagick jwhois mariadb mariadb-server mtr MySQL-python net-snmp net-snmp-utils nmap php71w php71w-cli php71w-common php71w-curl php71w-gd php71w-mcrypt php71w-mysql php71w-process php71w-snmp php71w-xml php71w-zip python-memcached rrdtool

Setup LibreNMS user

useradd librenms -d /opt/librenms -M -r
usermod -a -G librenms apache

Install LibreNMS

cd /opt
git clone https://github.com/librenms/librenms.git librenms

Configure MySQL

Start MySQL

systemctl start mariadb
mysql -u root

Create the Database and database user. Change password to a different password

CREATE DATABASE librenms CHARACTER SET utf8 COLLATE utf8_unicode_ci;
CREATE USER 'librenms'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'localhost';
FLUSH PRIVILEGES;
exit

Disable MySQL strict mode

vi /etc/my.cnf

Add the following in the [mysqld] section

innodb_file_per_table=1
sql-mode=""
lower_case_table_names=0

Enable and restart mariadb i.e.(MySQL)

systemctl enable mariadb
systemctl restart mariadb

Configure PHP. Set Timezone

You can go here to figure out which time zone you need.

vi  /etc/php.ini

Find the [Date] Section and change the timezone

Example:

date.timezone = America/New_York

Configure Apache

vi /etc/httpd/conf.d/librenms.conf

Add the following, change the server name.

<VirtualHost *:80>
  DocumentRoot /opt/librenms/html/
  ServerName  librenms.example.com

  AllowEncodedSlashes NoDecode
  <Directory "/opt/librenms/html/">
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
  </Directory>
</VirtualHost>

Enable and restart apache

systemctl enable httpd
systemctl restart httpd

Allow fping

cd /opt/librenms
vi http_fping.tt

Add the following

module http_fping 1.0;

require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}

#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };

Configure SELinux

You can disable SELinux completely in the /etc/selinux/config file or run these commands to make LibreNMS and SELinux play together.

semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/logs(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/logs(/.*)?'
restorecon -RFvv /opt/librenms/logs/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/rrd(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/rrd(/.*)?'
restorecon -RFvv /opt/librenms/rrd/
setsebool -P httpd_can_sendmail=1
checkmodule -M -m -o http_fping.mod http_fping.tt
semodule_package -o http_fping.pp -m http_fping.mod
semodule -i http_fping.pp

Configure Firewall

firewall-cmd --zone public --add-service http
firewall-cmd --permanent --zone public --add-service http
firewall-cmd --zone public --add-service https
firewall-cmd --permanent --zone public --add-service https

Configure snmpd

cp /opt/librenms/snmpd.conf.example /etc/snmp/snmpd.conf

Edit the snmpd file and change RANDOMSTRINGGOESHERE to your community string

vi /etc/snmp/snmpd.conf

Enable and restart snmpd

curl -o /usr/bin/distro https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro
chmod +x /usr/bin/distro
systemctl enable snmpd
systemctl restart snmpd

Setup Cron Job and Cycle logs

cp /opt/librenms/librenms.nonroot.cron /etc/cron.d/librenms

cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms

Set Permisions

chown -R librenms:librenms /opt/librenms
setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs
setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs

Finish Install

Finish the install by

http://your-server-ip/install.php

Change timezone in CentOS, Fedora, RedHat

Posted on January 27, 2018 by admin

The file /etc/localtime is a symbolic link to the timezone. All the timezones are listed in /usr/share/zoneinfo/

Replace America/New_York with the appropriate timezone.

ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime

You can view the current time zone with the following command

timedatectl

or with date

date +"%Z %z"

LibreNMS not able to ping device and can’t change device name

Posted on January 22, 2018 by admin

If your having issues in the LibreNMS web interface changing a devices IP address or you can’t add a new one because it says it can’t ping the device, it is probably because SELinux is causing issues.

As far as changing a devices ip address, it looks like SELinux is not allowing Apache write access to the /opt/librenms/rrd directory

Temporary fix is to run

setenforce 0

You can permenatly disable SElinux by opening up “/etc/selinux/config” and changing “SELINUX=enforcing” to “SELINUX=disabled” and rebooting.

Renaming of x.x.x.x failed . Does your web server have permission to modify the rrd files?

It looks like there may be a bug where you’ll try to change the IP of a device and get the above error. It looks like the issue has something to do with the ip address. If your trying to change the IP on a router that has multiple IP addresses, try a different address in LibreNMS.

Allow WHM/cPanel ssh logins from specific IP addresses using iptables

Posted on January 20, 2018 by admin

For some reason the hosts.allow and hosts.deny files don’t seem to work on cPanel. One of the alternative methods to limit ssh logins to specific addresses is to use iptables.

Allow access from specific IP addresses.

Replace 192.168.1.0/24 and 192.168.0.0/24 with your addresses. You can add more addresses using the “,”. Also if your ssh port is not the default port, be sure to change it.

iptables -A INPUT -s 192.168.1.0/24,192.168.0.0/24 -p tcp --dport 22 -j ACCEPT

Reject access from everywhere else

iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j REJECT

You can see your rules with

 iptables -L --line-numbers

If you need to add another rule after the fact, you’ll need to make sure that it is above the REJECT rule. you can use the “-I” to insert it between rules.

Example: inserts rule as the second rule in the INPUT chain

iptables -I INPUT 2 -s 192.168.42.0/24 -p tcp --dport 22 -j ACCEPT

Add, List, and Delete iptable rules

Posted on January 20, 2018 by admin

Add iptable rule

The following rule rejects access to port 22 on all devices except ones on the 192.168.1.0/24 network. Note the “!”. This command can be useful for a WHM/cPanel server to limit ssh access.

iptables -A INPUT ! -s 192.168.1.0/24 -p tcp --dport 22 -j REJECT

List iptable rules with line numbers

iptables -L --line-numbers

Example output

root@localhost [~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT tcp -- !192.168.1.11 anywhere tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere multiport dports smtp,urd,submission owner GID match mailman
2 cpanel-dovecot-solr all -- anywhere anywhere

Chain cpanel-dovecot-solr (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere multiport sports 8984,7984 owner UID match cpanelsolr

Remove iptable rule

To delete a rule use the -D option with the Chain and the line number. So to delete the first rule in the example output above, we would specify the INPUT chain and the the line number 1

 iptables -D INPUT 1

Auto mount CIFS mount point on system startup on Ubuntu

Posted on December 29, 2017 by admin

Install CIFS utils

sudo apt-get install -y cifs-utils

You can manually test it with the following command. Change the ip address, mount points, username, and password.

mount.cifs /192.168.1.102/mount/point /mnt -o user=john,pass=password3,uid=john

Note that specifying the uid in the options, allows the user to add, delete, and modify the files and folders of that specific mount point.

To auto mount on system startup, add the following line to /etc/fstab. Change the appropriate lines.

//192.168.1.102/mount/point   /mnt  auto   user=john,pass=password3,uid=john   0   0

You can test it by mounting everything in fstab

sudo mount -a

Basic MongoDB commands

Posted on November 23, 2017 by admin

Connect to Mongo database

mongo

Connect to Mongo on a different port (May be needed. Port is for UniFi server)

mongo -port 27117

Show Databases

show dbs

Use database

use dbname

Show tables/collections

show collections

show tables

List contents of table/collection

db.collection.find()

Example: (This example prints everything in the “admin” collection)

db.admin.find()

Find info that line that whose name is admin

 db.admin.find({name : "admin" })

Find everything in a table, but only print columns that are named “name, email, and x_shadow”

db.admin.find({ }, { name : "", email : "", "x_shadow" : "" })

List users

show users

Authenticate

db.auth("username","password")

Insert into table/collection

d = {"data":"data"}
db.collection.insert(d)

Update a line, for example a users password. Swap out the ObjectId for the ID that mongo gives you when you list the admins or users. You will need to swap out the hash for the hash of the password you want.

db.admin.update({"_id" : ObjectId("a328bf90547ehc429a03ed85")}, {$set: { "x_shadow" : "$6$XB32GMXr$8dUt9huJzzL6O.gGZbs7QH1npldbzBzNDt/uUO1bI3b7Ij3YipgubtVHwincUUZjnDLh.KDI36uh2gUCID9yb1"}});

Example:

d = {"name":"admin","lang":"en_US","x_password":"password","time_created":"","last_site_name":"default"}
db.admin.insert(d)

Delete line from table/collection

db.collection.remove()

Example: (This will look for all the “rows” where the “name” contains “admin” and remove it)

db.admin.remove({ name: "admin"})

UniFI Specific

The following commands are specifically for a UniFi server.

Show UniFi Sites

db.site.find().forEach(printjson);

mongo --port 27117 ace --eval "db.site.find().forEach(printjson);"

Show UniFi admins

db.admin.find().forEach(printjson);

mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"

Install UniFi Video 3.8.5 on Ubuntu or Debian

Posted on November 17, 2017 by admin

You can run all the commands from the terminal, or ssh into the server

See here if you need to setup SSH on the server.

Install prerequisites

sudo apt-get install mongodb mongodb-server openjdk-8-jre-headless jsvc

Download UniFi Video installer

Note the Debian package works on Ubuntu, and has been tested on the latest Ubuntu

wget https://dl.ubnt.com/firmwares/ufv/v3.8.5/unifi-video.Debian7_amd64.v3.8.5.deb

Install package

sudo dpkg -i unifi-video.Debian7_amd64.v3.8.5.deb

Login to the UniFi Video controller using your web browser and going to the following address to finish configuring the NVR.

https://your-server-address:7443

Install SSH Server on Linux (Debian, Ubuntu, Fedora, CentOS, RedHat)

Posted on November 17, 2017 by admin

Debian / Ubuntu

sudo apt-get install -y openssh-server

RPM based Distros, Fedora / CentOS / RedHat

sudo dnf install -y openssh-server

or use yum

sudo yum install -y openssh-server

Start ssh service

sudo systemctl start sshd

By default the SSH service should start when the system starts, but if not try the following command to enable the service on boot up.

Debian / Ubuntu

systemctl enable ssh

Fedora, CentOS, RedHat

systemctl enable sshd

Change SSH port

Not necessary, but it is a good idea to change the default ssh port. To change the port edit the sshd file.

vi /etc/ssh/sshd_config

If you change the port, you’ll need to allow it in the firewall (firewalld, iptables) and if SELinux is enabled, semanage.

Repair UniFi Video database

Posted on November 13, 2017 by admin

Stop the unifi-video service

sudo service unifi-video stop

Delete the journal with

rm -rf /usr/lib/unifi-video/data/db/journal/*

Switch to the unifi-video user

sudo su unifi-video

Repair the database

mongod --dbpath /var/lib/unifi-video/db --repair

Exit the user

exit

Start the unifi-video service

service unifi-video start

Incredigeek

Category Archives: Linux