Member "mosshe/mosshe.example" (13 Feb 2019, 11937 Bytes) of package /linux/privat/old/mosshe.tar.gz:



    1 #!/bin/bash
    2 
    3 # set -x 
    4 
    5 #=========================================================
    6 #=========================================================
    7 # our configuration
    8 #=========================================================
    9 #=========================================================
   10 
   11 # MYNAME=allka.wyae.de
   12 MYNAME=$(/bin/hostname)
   13 MYDOM=$(/bin/hostname -d)
   14 MYGROUP="Server"    # Leave unset to lookup via DNS TXT
   15 
   16 WEBURL="https://www.wyae.de/mosshe/notok.html"
   17 DATADIR=/usr/local/lib/mosshe
   18 WWWDIR=/usr/local/lib/mosshe/www
   19 ## WWWDIR=/var/www/mosshe
   20 TEMPDIR=/tmp
   21 
   22 NETWAIT=5   # seconds timeout for network service check
   23 
   24 
   25 #=========================================================
   26 # Startup
   27 #=========================================================
   28 . $DATADIR/functions.mosshe
   29 
   30 MossheSelfCheck root@wyae.de    # send alert to - if MoSShE has a problem
   31 
   32 
   33 #=========================================================
   34 # local checks
   35 #=========================================================
   36 . $DATADIR/functions.localchecks
   37 
   38 HDCheck /dev/sda1 20000 10000   # system disk: 20GB /  10GB  - warn / alert (MByte)
   39 HDCheckGB /dev/sda1 20 10   # system disk: 20GB /  10GB  - warn / alert (GByte)
   40 HDfreeGB / 20 10        # root file system: 20GB /  10GB  - warn / alert (GByte)
   41 HDfreeMB /boot 400 100      # boot file system: 400MB / 100 MB  - warn / alert (MByte)
   42 
   43 # http://www.computerworld.com/article/2846009/the-5-smart-stats-that-actually-predict-hard-drive-failure.html
   44 # https://www.backblaze.com/blog-smart-stats-2014-8.html
   45 HDhardwareSmart /dev/sda "Raw_Read_Error_Rate" 5 5000
   46 HDhardwareSmart /dev/sda "Seek_Error_Rate" 1 10
   47 HDhardwareSmart /dev/sda "Reallocated_Sector_Ct" 50 500
   48 HDhardwareSmart /dev/sda "Offline_Uncorrectable" 1 5
   49 
   50 
   51 LoadCheck 1 3       # load: warn / alert
   52 LoadCheckPercent 100 300    # load: warn / alert
   53 MemCheck 30 100     # free mem: warn, min (MByte)
   54 #SwapCheck 30 100   # page swaps / second : warn / alert
   55 
   56 ProcessCheck 120 200    # processes: warn / alert
   57 ZombieCheck 3 10    # zombies: warn / alert
   58 ShellCheck 0 3      # shells: max.root, max.user
   59 
   60 NetworkErrorsCheck eth0  1 5        # percentage of errors on interface
   61 NetworkTrafficCheck eth0  50000 80000   # kbit/s average
   62 NetworkBandwidth eth0  500 900      # be careful not to exceed 1TB bandwidth
   63 NetworkConnections 450 7000     # number of concurrent connections
   64 
   65 
   66 # check "sensors" output for matching strings on your hardware 
   67 # (second parameter MUST NOT contain space characters)
   68 HardwareSensorBetween "fan1" "CPU Fan description" 100 3000
   69 HardwareSensor "temp1" "probably harddrive temperature" 45 60
   70 
   71 
   72 ApcUpsValueTooHigh LOADPCT 39 80    # pulling too much juice from UPS?
   73 ApcUpsValueTooLow BCHARGE 30 90     # battery up to snuff?
   74 ApcUpsValueTooLow TIMELEFT 2 5      # enough minutes left to run?
   75 ApcUpsStatus STATUS ONLINE      # status ok?
   76 
   77 
   78 # check ClamAV-Daemon which likes to crash
   79 FileCheck /var/run/clamav/clamd.ctl
   80 ProcCheck /usr/sbin/clamd
   81 
   82 # fieles growing too old or large
   83 FileTooOld /var/log/syslog 90       # file older than 90 minutes
   84 # FileTooOld /var/log/backup.log 1500   # file older than 90 minutes
   85 #
   86 FileTooBig /var/log/auth 500    # file bigger than 9.000 KBytes (= 9 MB)
   87 FileTooBig /var/log/syslog 9000 # file bigger than 9.000 KBytes (= 9 MB)
   88 
   89 
   90 # LogEntryCheck HTTPbruteforce  ' 401 ' '/var/log/apache/*access.log' 100 200       # make sure we don't get HTTP bruteforced
   91 # LogEntryCheck HTTPbruteforce  ' 401 ' '/var/log/lighttpd/*access.log' 700 1000        # make sure we don't get HTTP bruteforced
   92 LogEntryCheck ImapBruteforce    'authdaemond: pam_unix(imap:auth): authentication failure' /var/log/auth.log 10 50      # we don't like IMAP/Webmail bruteforcing either
   93 LogEntryCheck Pop3Bruteforce    'authdaemond: pam_unix(pop3:auth): authentication failure' /var/log/auth.log 10 50      # we don't like IMAP/Webmail bruteforcing either
   94 LogEntryCheck VsFtpdBruteforce  'pam_unix(vsftpd:auth): authentication failure' /var/log/auth.log 50 100        # we don't like FTP bruteforcing either
   95 
   96 LogEntryCheck TooManySU     'Successful su for ' /var/log/auth.log 50 100       # too many SU changes
   97 LogEntryCheck SuFailed      'FAILED su for' /var/log/auth.log 5 10          # SU should not fail too often
   98 
   99 LogEntryCheck SSHlogin      'Accepted publickey for ' /var/log/auth.log 100 200 # suspiciously many SSH logins
  100 LogEntryCheck SSHbruteforce ' Illegal user ' /var/log/auth.log 3 5          # we don't like SSH bruteforcing
  101 
  102 LogEntryCheck OtherBruteforce   'authentication failure' /var/log/auth.log 50 100   # we don't like other (PAM-based) bruteforcing either
  103 LogEntryCheck SASLusage     'sasl_username' /var/log/mail.log 400 600       # we don't like SMTP-Auth bruteforcing either
  104 
  105 
  106 
  107 # basic IDS functionality: check for changes
  108 
  109 # CheckFileChanges  KnownFile  OriginalFile
  110 CheckFileChanges resolv.conf /etc/resolv.conf
  111 CheckFileChanges passwd /etc/passwd
  112 CheckFileChanges shadow /etc/shadow
  113 CheckFileChanges authorized_keys /root/.ssh/authorized_keys
  114 
  115 # CheckConfigChanges  KnownOutputFile  "command +parameters"
  116 # CheckConfigChanges routing.txt "netstat -nr"
  117 # CheckConfigChanges listeners.txt "netstat -tulpen"
  118 
  119 
  120 #=========================================================
  121 # network checks
  122 #=========================================================
  123 . $DATADIR/functions.netchecks
  124 
  125 MYGROUP="Services"
  126 
  127 PingTime router.wyae.de 3 50 150    # IP, NumberOfPings, max roundtrip ms WARN, ALERT
  128 PingLoss router.wyae.de 3 70 99     # IP, NumberOfPings, max% Loss WARN, ALERT
  129 PingLoss laka.wyae.de 3 70 99       # IP, NumberOfPings, max% Loss WARN, ALERT
  130 # PingPartner europe.wyae.de 2 60 250   # IP, NumberOfPings, max% Loss, max roundtrip ms
  131 TCPing www.wyae.de 80   # Server,  Port
  132 
  133 HTTPheader http://www.wyae.de/mosshecheck.txt       # just the URL - checks return code, works for HTTP and HTTPS
  134 
  135 # HTTPheadermatch 302 http://www.bloodties.de/  # expected RTN code,  URL
  136 
  137 
  138 # URL, expected response   -   HTTP only
  139 # HTTPcontentmatch http://www.bloodties.de/bloodties/news/index.cfm "Copyright © 2008 by www.BloodTies.de"
  140 
  141 # FTPcheck allka.wyae.de        # server name
  142 
  143 IMAPcheck allka-local       # server name
  144 
  145 SMTPcheck allka.wyae.de     # server name
  146 
  147 #SAMBAcheck filesv03            # server name
  148 
  149 
  150 HTTPheader http://www.mutabe.de/        # just the URL - checks return code, works for HTTP and HTTPS
  151 #POP3check europe.wyae.de   # server name
  152 #SMTPcheck europe.wyae.de   # server name
  153 
  154 
  155 
  156 #################################################################
  157 MYGROUP="RBL"
  158 
  159 # Mailserver, RBL-Domain
  160 RBLcheckIP 88.198.144.125 whois.rfc-ignorant.org
  161 
  162 RBLcheckFQDN allka.wyae.de cbl.abuseat.org
  163 RBLcheckFQDN allka.wyae.de virbl.dnsbl.bit.nl
  164 RBLcheckFQDN allka.wyae.de dnsbl.inps.de
  165 RBLcheckFQDN allka.wyae.de ix.dnsbl.manitu.net
  166 RBLcheckFQDN allka.wyae.de no-more-funn.moensted.dk
  167 RBLcheckFQDN allka.wyae.de combined.njabl.org
  168 RBLcheckFQDN allka.wyae.de dnsbl.njabl.org
  169 RBLcheckFQDN allka.wyae.de dnsbl.sorbs.net
  170 RBLcheckFQDN allka.wyae.de bl.spamcannibal.org
  171 RBLcheckFQDN allka.wyae.de bl.spamcop.net
  172 RBLcheckFQDN allka.wyae.de sbl.spamhaus.org
  173 RBLcheckFQDN allka.wyae.de xbl.spamhaus.org
  174 RBLcheckFQDN allka.wyae.de pbl.spamhaus.org
  175 RBLcheckFQDN allka.wyae.de dnsbl-1.uceprotect.net
  176 RBLcheckFQDN allka.wyae.de dsn.rfc-ignorant.org
  177 RBLcheckFQDN allka.wyae.de postmaster.rfc-ignorant.org
  178 RBLcheckFQDN allka.wyae.de bogusmx.rfc-ignorant.org
  179 
  180 
  181 #################################################################
  182 MYGROUP="DNS"
  183 
  184 
  185 # DNS-Server, FQDN-to-resolve, Query-type
  186 DNSquery allka.wyae.de allka.wyae.de a
  187 
  188 
  189 # DNS-Server, FQDN-to-resolve, Query-type, result/match
  190 DNSmatch allka-local www.wyae.de a 88.198.144.125
  191 DNSmatch 8.8.8.8 www.wyae.de a 88.198.144.125
  192 
  193 
  194 #=========================================================
  195 # MySQL checks
  196 #=========================================================
  197 . $DATADIR/functions.mysql
  198 
  199 MySQLThreads 30 90
  200 MySQLQueries 10 50
  201 
  202 
  203 
  204 #=========================================================
  205 # Mail checks - per last 5 minutes
  206 #=========================================================
  207 . $DATADIR/functions.postfix
  208 . $DATADIR/functions.dovecot
  209 
  210 MailqCheck 10 40
  211 
  212 PostfixOutTLS 10 50
  213 PostfixInTLS 10 50
  214 PostfixInConnections 10 50
  215 PostfixNoqueue 10 50
  216 PostfixSent 10 50
  217 
  218 DovecotStored 10 50
  219 DovecotSieved 10 50
  220 DovecotLoginFailed 10 50
  221 
  222 
  223 
  224 #=========================================================
  225 # Import agent data from other servers
  226 #=========================================================
  227 
  228 #------  pull 
  229 
  230 # ImportAgent http://www.test.test/mosshe/index.csv
  231 # ImportAgentCurl http://username:password@example.com/mosshe/index.csv
  232 # ImportAgentWget http://username:password@example.com/mosshe/index.csv
  233 
  234 
  235 #------  passive checks 
  236 
  237 # sending
  238 # cp $WWDIR/index.csv /mnt/nfsmount/mosshe/zeus.example.com.csv     # via file system mount
  239 # scp $WWDIR/index.csv mosshe@central.example.com:zeus.example.com.csv  # via password-free ssh key
  240 # ftp-upload --host central.example.com --user mossheusr --password mosshepw --passive --no-ls --dir /incoming --as zeus.example.com.csv $WWDIR/index.csv   # via ftp-upload
  241 
  242 
  243 # reading
  244 # MYGROUP="Externals"
  245 # ReapPassiveChecks  zeus.example.com  10  /home/ftp/zeus.example.com.csv   # servername,  max.age (minutes),  file location
  246 # ReapPassiveChecks  hera.example.com  10  /home/ssh/hera.example.com.csv   # servername,  max.age (minutes),  file location
  247 
  248 
  249 #------ Linux VServer checks
  250 
  251 # CheckVserverDown VORLAGE
  252 
  253 # CheckVserverUp NameOfVSERVER
  254 # ReapPassiveChecks  NameOfVSERVER  10  /var/vserver/NameOfVSERVER/var/www/mosshe/index.csv       # servername,  max.age (minutes),  file location
  255 
  256 
  257 
  258 #=========================================================
  259 # Finalize and send alert if necessary
  260 #=========================================================
  261 FinalizeLog     # always needed (provide any parameter to rm -f $WWWDIR/*.html)
  262 
  263 SortGroups  # optional group-list & per-group-listing
  264 
  265 SortServers # yes, we want e per-server listing (optional)
  266 
  267 # RRD processing of logs - without graphs, just plain data
  268 #ProcessRRD
  269 
  270 
  271 #---------------------------------------------
  272 # send alerts
  273 
  274 # AlertMailOnChange root@wyae.de        # send alert to - if status changes
  275 
  276 # AlertMailAlways root@example.test     # send alert to - repeated, if status not OK
  277 
  278 # send alert if status changes for the system given (here: www.example.com)
  279 # AlertMailOnChangeFor www.example.com admin@example.com "Ticket 123456: server outages"
  280 
  281 SyslogOnChange local0               # syslog changes to syslog with FACILITY (default: local0)
  282 
  283 
  284 
  285 #---------------------------------------------
  286 # do logging
  287 
  288 # LogTo /var/log/mosshe/mosshe.log  # continuously log to filename
  289 # LogToDaily /var/log/mosshe/mosshe_log # continuously log to filename, date is appended automatically
  290 # LogToMonthly /var/log/mosshe/mosshe_log   # continuously log to filename, month is appended automatically
  291 
  292 LogToWeekly /var/log/mosshe/mosshe_log  # continuously log to filename, week is appended automatically
  293 
  294 
  295 # evaluate single services for availability
  296 #SLA_Eval crystal.wyae.de HTTPheadermatch_200
  297 
  298 # graph data
  299 #       800 pixel = 800 x 5min = 66.6h = 2d 18.6h
  300 #       1 week = 168h    @ 5 min = 2016 datapoints
  301 PlotDataFiles  2016
  302 
  303 # mosshe_averagegraph
  304 # average 12 @ 5min = 1h
  305 #       every hour  @800pixel    = 33.25d = 1 month
  306 #       every hour  over 1 week = 12 weeks = 3 months - here doubled = 6 months
  307 PlotAvgDataFiles 12 4032
  308 
  309 
  310 
  311 
  312 #############################################################################
  313 # MoSSHe: remote server monitoring environment
  314 #
  315 # Copyright (C) 2003- Volker Tanger
  316 #
  317 # This program is free software; you can redistribute it and/or
  318 # modify it under the terms of the GNU General Public License
  319 # as published by the Free Software Foundation; either version 2
  320 # of the License, or (at your option) any later version.
  321 #
  322 # For bug reports and suggestions or if you just want to talk to me please
  323 # contact me at volker.tanger@wyae.de
  324 #
  325 # Updates will be available at  http://www.wyae.de/software/mosshe/
  326 # please check there for updates prior to submitting patches!
  327 #
  328 # For list of changes please refer to the HISTORY file. Thanks.
  329 #############################################################################
  330