zabbix and syslog centos

Collecting logs from switches and routers in Zabbix.

1. In /var/log/ create the file the equipment logs will be written to, for example:

touch switch.log

Set the permissions. rsyslog writes the file as root; the Zabbix agent only needs to read it, so read access for the zabbix group is enough and write access should not be granted:

chmod 640 switch.log

chown root:zabbix switch.log

2. Edit rsyslog.conf. The two receiver blocks open 514/udp and 514/tcp on every interface, so restrict them with the firewall to the management network the devices send from. The devices must send with facility local1 (on Cisco IOS: logging facility local1 and logging host <zabbix-server>). The local1 rule has to come before the *.info rule for /var/log/messages, and the "& stop" line after it discards the message so it is not written there a second time:

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

local1.*                                                /var/log/switch.log
# do not also log the same message to /var/log/messages ("& ~" on rsyslog 5)
& stop

3. Log rotation, in /etc/logrotate.conf (or a separate file in /etc/logrotate.d/). logrotate only accepts comments on their own lines, so the inline comments had to move; "create" has to restore the owner and mode from step 1, and rsyslog keeps writing into the rotated file until it is told to reopen, hence the postrotate block:

/var/log/switch.log
{
    # number of rotated files to keep
    rotate 7
    # rotate once the file reaches this size
    size 10M
    # recreate the file with the permissions from step 1
    create 0640 root zabbix
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

4. In Zabbix, add an item to the Zabbix server host that reads the file (the page shows this step as a screenshot): type "Zabbix agent (active)", key log[/var/log/switch.log], type of information "Log". The log[] key only works with active checks, so ServerActive in zabbix_agentd.conf must point at the server, and the agent must be able to read the file (step 1).

The lines will show up in Latest data.

To do:

Separate files per device class (access switches, aggregation switches, routers). Triggers on specific phrases in the logs.
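What the two to-do items amount to, as an added Python example (not code from the page): parse the lines rsyslog writes in its default file format, split them by device class from the hostname prefix, and flag the phrases a Zabbix trigger would fire on. The hostname prefixes (sw-, agg-, rtr-), the per-class file names, the trigger patterns (modelled on Cisco IOS message mnemonics) and the sample lines are all assumptions constructed for the example.

```python
"""Route switch/router syslog lines by device class and flag trigger phrases.

Added example, not from the original page. Hostname prefixes, file names,
trigger patterns and the sample lines are assumptions.
"""
import re
from collections import defaultdict

# rsyslog's default file format: "Mon DD HH:MM:SS hostname tag: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Assumed naming convention: sw- access switches, agg- aggregation, rtr- routers.
DEVICE_CLASSES = {
    "sw-": "/var/log/switch.log",
    "agg-": "/var/log/aggregation.log",
    "rtr-": "/var/log/router.log",
}

# Phrases worth a Zabbix trigger; patterns are modelled on Cisco IOS syslog (assumption).
TRIGGERS = {
    "link_down": re.compile(r"%LINK-3-UPDOWN: Interface (\S+), changed state to down"),
    "login_failed": re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED"),
    "config_changed": re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+)"),
}

# Constructed sample input, not real device output.
SAMPLE_LINES = [
    "Mar  3 10:15:01 sw-floor1 123: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down",
    "Mar  3 10:15:02 sw-floor1 124: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/24, changed state to down",
    "Mar  3 10:16:40 agg-core2 88: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 22]",
    "Mar  3 10:17:12 rtr-edge1 45: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "garbage line without a timestamp",
]


def classify(host):
    """Pick the per-class log file from the hostname prefix; unknown hosts go to the page's single file."""
    for prefix, path in DEVICE_CLASSES.items():
        if host.startswith(prefix):
            return path
    return "/var/log/switch.log"


def route(lines):
    """Return ({file: [lines]}, [(host, trigger_name, matched_text)]) for the given syslog lines."""
    files = defaultdict(list)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog line (corrupt or truncated); skip rather than crash
        host, msg = m.group("host"), m.group("msg")
        files[classify(host)].append(line)
        for name, pattern in TRIGGERS.items():
            hit = pattern.search(msg)
            if hit:
                alerts.append((host, name, hit.group(0)))
    return dict(files), alerts


if __name__ == "__main__":
    files, alerts = route(SAMPLE_LINES)
    for path, entries in files.items():
        print(f"{path}: {len(entries)} line(s)")
    for host, name, text in alerts:
        print(f"ALERT {name} on {host}: {text}")
```

In production the split is done by rsyslog itself (a property filter on the hostname per device class, each writing its own file) and the phrase match by Zabbix: the regexp goes into the second parameter of the item key, e.g. log[/var/log/switch.log,"changed state to down"], with a trigger on that item (the .regexp()/.str() trigger functions on older Zabbix, find() on 5.4 and later).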

postfix on postgresql fedora 21

Preliminary system setup.

Create the vmail user and group that will own the mailboxes (the uid/gid 5000 chosen here must match mail_uid/mail_gid and the uid/gid returned by the SQL queries in the Dovecot configuration further down):

groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/vmail -m

1. Network stack tuning in /etc/sysctl.conf. The original list had duplicated and contradictory entries (net.ipv4.tcp_syncookies was set to 1 and later to 0; ip_forward, rp_filter and accept_source_route were listed twice); the version below keeps each key once with the safer value.

The tuning:

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification (reverse path filter) on every interface
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
# Fedora 21 uses predictable interface names (enp0s3 and the like); rename or
# drop the eth0 keys if sysctl -p reports that the interface does not exist
net.ipv4.conf.eth0.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies (keep enabled; the original list
# switched it back off further down)
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges. These keys only exist while the bridge
# netfilter module is loaded; sysctl -p reports an error otherwise.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536
# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

# ICMP redirects: neither accept nor send them
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0

# TCP tuning
net.ipv4.tcp_max_orphans = 65536
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_mem = 50576 64768 98152
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_orphan_retries = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_congestion_control = htcp
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.route.flush = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rfc1337 = 1

# Connection tracking table size. This is the legacy key name; on current
# kernels it is net.netfilter.nf_conntrack_max.
net.ipv4.netfilter.ip_conntrack_max = 1048576

# ICMP. icmp_echo_ignore_all = 1 makes the host ignore ping entirely, so
# monitoring that relies on ICMP will report it as down.
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Socket buffers and backlog
net.core.somaxconn = 15000
net.core.netdev_max_backlog = 1000
net.core.rmem_default = 65536
net.core.wmem_default = 65536
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

Installing and configuring PostgreSQL. It turned out that in my case this is not needed: the database lives on another server and I only need to connect to it. But I'd hate to lose what I dug up, so I'll leave it here for now.


1. Install:

yum install postgresql postgresql-server

Initialize the data directory (needed once, before the first start; the service will not start without it):

postgresql-setup initdb

Start the service on boot and check whether it is running:

systemctl enable postgresql.service
systemctl status postgresql.service

The rest of the mail stack (the complete package list is at the end of the page):

yum install httpd php php-pgsql postfix dovecot dovecot-pgsql fail2ban clamav amavisd-new roundcubemail spamassassin

2. Configuration. Change the system password of the postgres user:

passwd postgres

Set the password of the postgres role inside the database:

psql -U postgres
ALTER USER postgres WITH ENCRYPTED PASSWORD 'password';

Client access is configured in /var/lib/pgsql/data/pg_hba.conf (reload PostgreSQL after editing). Password authentication for 10.230.84.0/24 lets the mail hosts on that network reach the database; they should connect as a dedicated low-privilege role such as mail_agent, not as postgres:

# TYPE  DATABASE        USER            ADDRESS                 METHOD
# "local" is for Unix domain socket connections only
local   all             all                                     md5
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
host    all             all             10.230.84.0/24          md5
# IPv6 local connections:
host    all             all             ::1/128                 reject

Configuring Postfix, /etc/postfix/main.cf. Now create the files that tell Postfix where to look things up in our database: /etc/postfix/domain.pgsql, mailbox.pgsql and aliases.pgsql. They are referenced from main.cf as virtual_mailbox_domains, virtual_mailbox_maps and virtual_alias_maps respectively, and each can be checked with postmap -q <key> pgsql:/etc/postfix/<file>.

Two things about the format. A pgsql map takes either "query" or the legacy "table / select_field / where_field / additional_conditions" keys; once "query" is set the legacy keys are ignored, so the original "additional_conditions = AND active = true" on the domain map was never applied and inactive domains were still accepted. The filter now lives in the query itself. %s is replaced with the lookup key after Postfix has SQL-escaped it, and it must stay inside single quotes for that escaping to protect the query. Values in these files are not quoted (quotes would become part of the value), and since the files hold the database password they should be owned by root:postfix with mode 0640, which is enough for the Postfix daemons to read them.

domain.pgsql

# replace the <...> placeholders; values are not quoted
hosts = <ip-address>
dbname = <db-name>
user = mail_agent
password = <password>
# %s is the domain being looked up; the active check is part of the query
query = SELECT domain_name AS domain FROM email_domains WHERE domain_name = '%s' AND active = true

mailbox.pgsql

hosts = <ip-address>
dbname = <db-name>
user = mail_agent
password = <password>
# %s is the full recipient address
query = SELECT (domain || '/' || email || '/') AS mbox FROM _mailagent_mailboxes WHERE email = '%s'

aliases.pgsql

hosts = <ip-address>
dbname = <db-name>
user = mail_agent
password = <password>
query = SELECT goto FROM _mailagent_aliases WHERE alias = '%s'

Configuring Dovecot. Run dovecot -n after every change: it prints the effective configuration and stops at the offending line if the files do not parse.

/etc/dovecot/dovecot-sql.conf.ext

This file also carries the database password and is read by root, so keep it mode 0600. %u is the full login name, %n its local part and %d the domain; Dovecot escapes them before substitution. The uid/gid returned here must be the vmail account created earlier (5000), not 500, and they must fall inside the first_valid_uid/last_valid_uid range in 10-mail.conf, otherwise every login is rejected.

driver = pgsql
connect = host=<address> dbname=<name> user=mail_agent password=<password> port=<port>
# Scheme assumed when the password column has no {SCHEME} prefix. Storing the
# hashes with an explicit prefix such as {SHA512-CRYPT}... avoids depending on it.
#default_pass_scheme = MD5
user_query = SELECT '/var/spool/mail/%d/%n' AS home, 'maildir:/var/spool/mail/%d/%n' AS mail, 5000 AS uid, 5000 AS gid, ('dirsize:storage=' || quota) AS quota FROM _mailagent_mailboxes WHERE email = '%u'
password_query = SELECT email AS user, password, '/var/spool/mail/%d/%n' AS userdb_home, 'maildir:/var/spool/mail/%d/%n' AS userdb_mail, 5000 AS userdb_uid, 5000 AS userdb_gid FROM _mailagent_mailboxes WHERE email = '%u'
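To see what the three Postfix maps above and the Dovecot password_query actually return, here is an added Python example (not the page's code and not Postfix's or Dovecot's own lookup code) that replays them on an in-memory SQLite copy of the schema. It shows the inactive domain slipping through the page's original domain query versus the corrected one, the SQL escaping both daemons apply to %s and %u before substitution, and the path the mailbox map returns beside the home directory Dovecot derives from %d/%n. The table layouts, the sample rows, the 0/1 rendering of the PostgreSQL boolean and the placeholder hashes are assumptions; only the query texts come from the page.

```python
"""Replay the Postfix pgsql map lookups and the Dovecot SQL passdb query on an
in-memory SQLite stand-in for the PostgreSQL database. Added example, not from
the original page; schema, sample rows and the boolean as 0/1 are assumptions."""
import re
import sqlite3

# Page's original domain query: its "AND active = true" sat in additional_conditions,
# which Postfix ignores once "query" is set, so it never filtered anything.
DOMAIN_QUERY_PAGE = "SELECT domain_name AS domain FROM email_domains WHERE domain_name = '%s'"
# Corrected: the filter is part of the query ("active = 1" stands in for PostgreSQL's "active = true").
DOMAIN_QUERY_FIXED = DOMAIN_QUERY_PAGE + " AND active = 1"
MAILBOX_QUERY = "SELECT (domain || '/' || email || '/') AS mbox FROM _mailagent_mailboxes WHERE email = '%s'"
ALIAS_QUERY = "SELECT goto FROM _mailagent_aliases WHERE alias = '%s'"

# Dovecot password_query from dovecot-sql.conf.ext (uid/gid = the vmail account, 5000).
PASSWORD_QUERY = (
    "SELECT email AS user, password, '/var/spool/mail/%d/%n' AS userdb_home, "
    "'maildir:/var/spool/mail/%d/%n' AS userdb_mail, 5000 AS userdb_uid, 5000 AS userdb_gid "
    "FROM _mailagent_mailboxes WHERE email = '%u'"
)


def sql_escape(value):
    # Both Postfix (pgsql_table) and Dovecot (sql passdb) escape the lookup key
    # before substituting it, so a crafted address cannot close the string literal.
    return value.replace("'", "''")


def postfix_expand(query, key):
    """%s -> escaped lookup key, as Postfix does for pgsql: maps."""
    return query.replace("%s", sql_escape(key))


def dovecot_expand(query, user):
    """%u -> full login, %n -> local part, %d -> domain, each escaped."""
    local, _, domain = user.partition("@")
    values = {"%u": user, "%n": local, "%d": domain}
    return re.sub(r"%[und]", lambda m: sql_escape(values[m.group(0)]), query)


def postfix_lookup(conn, query, key):
    """First column of the first row, or None for 'not found' (what the map reports to Postfix)."""
    row = conn.execute(postfix_expand(query, key)).fetchone()
    return row[0] if row else None


def dovecot_passdb(conn, user):
    """The passdb row as a dict of field name -> value, or None when the user does not exist."""
    row = conn.execute(dovecot_expand(PASSWORD_QUERY, user)).fetchone()
    return dict(row) if row else None


def build_demo_db():
    """Constructed sample data: one active and one disabled domain, a mailbox in each, one alias."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE email_domains (domain_name TEXT PRIMARY KEY, active INTEGER NOT NULL);
        CREATE TABLE _mailagent_mailboxes (email TEXT PRIMARY KEY, domain TEXT, password TEXT, quota INTEGER);
        CREATE TABLE _mailagent_aliases (alias TEXT, goto TEXT);
        INSERT INTO email_domains VALUES ('example.com', 1), ('old.example', 0);
        INSERT INTO _mailagent_mailboxes VALUES
            ('alice@example.com', 'example.com', '{SHA512-CRYPT}$6$constructed$placeholder', 1024),
            ('bob@old.example',   'old.example', '{SHA512-CRYPT}$6$constructed$placeholder', 1024);
        INSERT INTO _mailagent_aliases VALUES ('postmaster@example.com', 'alice@example.com');
    """)
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("page query,  old.example ->", postfix_lookup(db, DOMAIN_QUERY_PAGE, "old.example"))
    print("fixed query, old.example ->", postfix_lookup(db, DOMAIN_QUERY_FIXED, "old.example"))
    print("mailbox map ->", postfix_lookup(db, MAILBOX_QUERY, "alice@example.com"))
    print("alias map   ->", postfix_lookup(db, ALIAS_QUERY, "postmaster@example.com"))
    print("passdb      ->", dovecot_passdb(db, "alice@example.com"))
```

The mailbox map yields example.com/alice@example.com/ while Dovecot's home for the same user is /var/spool/mail/example.com/alice. That is harmless when Postfix hands mail to Dovecot over LMTP (the map then only validates that the recipient exists), but if Postfix's own virtual(8) delivery is used, the map's path relative to virtual_mailbox_base has to be the directory Dovecot reads.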

10-mail.conf

Mailbox locations, /etc/dovecot/conf.d/10-mail.conf. The home directory comes from the SQL user_query (/var/spool/mail/<domain>/<user>), not from the vmail account's /var/vmail, so that tree has to exist and be writable by vmail. The uid/gid values are pinned to the single vmail account created earlier (5000); the original had 500 here, which does not match that account.

##
## Mailbox locations and namespaces
##

# Location for users' mailboxes.
mail_location = maildir:~/

# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. Must be the vmail account and the uid/gid the SQL queries return.
mail_uid = 5000
mail_gid = 5000

##
## Mail processes
##

# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Pinned to the vmail uid so userdb cannot hand back anything else.
first_valid_uid = 5000
last_valid_uid = 5000

# Valid GID range for users, defaults to non-root/wheel.
first_valid_gid = 5000
last_valid_gid = 5000

##
## mbox-specific settings
##

# Which locking methods to use for locking mbox.
mbox_write_locks = fcntl

Sorting mail into folders is done by the sieve plugin (package dovecot-pigeonhole: Sieve and managesieve plug-in for dovecot). The plugin is enabled in /etc/dovecot/conf.d/15-lda.conf:

/etc/dovecot/conf.d/15-lda.conf

##
## LDA specific settings (also used by LMTP)
##

protocol lda {
  # Space separated list of plugins to load (default is global mail_plugins).
  # $mail_plugins keeps whatever is set globally instead of replacing it.
  mail_plugins = $mail_plugins sieve
}

and in 20-lmtp.conf:

/etc/dovecot/conf.d/20-lmtp.conf

Nothing needs to be changed here as long as Postfix delivers through dovecot-lda. If delivery goes over the LMTP socket defined in 10-master.conf instead, sieve must be added to mail_plugins inside the protocol lmtp { } block in exactly the same way, otherwise no scripts run for LMTP deliveries.

In 20-managesieve.conf set:

/etc/dovecot/conf.d/20-managesieve.conf

##
## ManageSieve specific settings
##

# Uncomment to enable managesieve protocol:
protocols = $protocols sieve

# Service definitions
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}

service managesieve {
}

# Service configuration
protocol sieve {
}

Sieve itself is configured in:

/etc/dovecot/conf.d/90-sieve.conf

##
## Settings for the Sieve interpreter
##

# Do not forget to enable the Sieve plugin in 15-lda.conf and 20-lmtp.conf
# by adding it to the respective mail_plugins= settings.
plugin {
  # The path to the user's main active script.
  sieve = ~/.dovecot.sieve
  sieve_global_path = /etc/dovecot/sieve/default.sieve
  sieve_dir = ~/
  sieve_global_dir = /etc/dovecot/sieve
}

Plugin settings in

90-plugin.conf

The autocreate settings only take effect for the protocols whose mail_plugins list the plugin (below that is only POP3).

##
## Plugin settings
##

# All wanted plugins must be listed in mail_plugins setting before any of the
# settings take effect. See the Dovecot plugin documentation for the list of
# plugins and their configuration. Note that %variable expansion is done for
# all values.

plugin {
  #setting_name = value
  autocreate = Trash
  autocreate2 = Junk
  autocreate3 = Sent
  autocreate4 = Drafts
  autosubscribe = Trash
  autosubscribe2 = Junk
  autosubscribe3 = Sent
  autosubscribe4 = Drafts
}

Authentication

10-auth.conf

PLAIN and LOGIN send the password in the clear. Leave disable_plaintext_auth at its default (yes) and enable SSL in 10-ssl.conf so that they are only offered inside TLS; the imaps/pop3s listeners in 10-master.conf are still commented out at this point.

##
## Authentication processes
##

auth_worker_max_count = 512
auth_mechanisms = plain login

##
## Password and user databases
##

!include auth-sql.conf.ext

In the file

20-pop3.conf

(this loads autocreate for POP3 only; to have the folders created for IMAP clients as well, add the same setting under protocol imap in 20-imap.conf)

protocol pop3 {
  mail_plugins = autocreate
}

File 10-master.conf

Two things to watch: default_client_limit = 500000 and client_limit = 500000 on the auth service only work if the file-descriptor limit of the dovecot service is raised to match, and because both passdb and userdb are SQL the auth-worker does not need root to read /etc/shadow, so it is dropped to $default_internal_user below. The 0666 socket for Postfix SMTP AUTH is acceptable because it lives inside /var/spool/postfix/private, which only the postfix user can enter.

default_process_limit = 1000
default_client_limit = 500000
#default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    #port = 993
    #ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster.
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = 64M
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
}

service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = 256M

  # Max. number of IMAP processes (connections)
  process_limit = 1000
}

service pop3 {
  # Max. number of POP3 processes (connections)
  process_limit = 1000
}

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.
  unix_listener auth-userdb {
    #mode = 0600
    user = vmail
    group = vmail
  }
  client_limit = 500000

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

  # Auth process is run as this user.
  #user = $default_internal_user
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user. passdb and userdb are SQL here, so it is not.
  user = $default_internal_user
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user =
    #group =
  }
}

Configuring amavisd-new, SpamAssassin and ClamAV: /etc/amavisd/amavisd.conf.

Configuring fail2ban. The filter below is only used once a dovecot jail is enabled in jail.local; before relying on it, run it against the real log with fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf. As the DEV notes in the filter say, it was written for PAM: with the SQL passdb from this page the lines that count are the imap-login/pop3-login "auth failed" ones matched by the second regex, not the auth-worker messages. The backslashes and the <HOST> tokens had been lost from the copy on the page; they are restored below.

/etc/fail2ban/filter.d/dovecot.conf

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$

ignoreregex =

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
# * Removed the 'no auth attempts' log lines from the matches because produces
#   lots of false positives on misconfigured MTAs making regexp unuseable
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)
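To check which of these regexes fire on the lines Dovecot writes with the SQL passdb configured above, here is an added Python example (not part of the page and not fail2ban's own code). It performs fail2ban's <HOST> substitution, uses a simplified stand-in for common.conf's __prefix_line, and runs the second failregex over constructed /var/log/maillog lines: two genuine failures are caught, while an auth-worker SQL "unknown user" line, a "no auth attempts" disconnect and a successful login are left alone. The sample lines and the prefix pattern are assumptions; the failregex text is the one from the filter above.

```python
"""Run the dovecot.conf login failregex over sample log lines the way fail2ban would.

Added example, not from the page or from fail2ban. PREFIX_LINE is a simplified
stand-in for common.conf's __prefix_line and the log lines are constructed.
"""
import re

# fail2ban replaces <HOST> with this named group (its definition in the 0.8/0.9 series).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Assumed stand-in for %(__prefix_line)s: optional syslog timestamp, hostname,
# then the daemon tag built from the filter's _daemon alternatives.
PREFIX_LINE = (
    r"^(?:\w{3} +\d{1,2} \d\d:\d\d:\d\d )?\S+ "
    r"(?:dovecot(?:-auth)?|auth|auth-worker)(?:\(\S+\))?(?:\[\d+\])?:? "
)

# Second failregex from filter.d/dovecot.conf: the login process's "auth failed" line.
FAILREGEX_LOGIN = (
    r"(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? "
    r"\(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):"
    r"( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?"
    r"(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:"
    r"[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?"
    r"(, session=<\S+>)?\s*$"
)

# Constructed sample of /var/log/maillog, not real traffic.
SAMPLE_LOG = [
    "Mar  3 10:20:31 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 5 secs): "
    "user=<alice>, method=PLAIN, rip=192.0.2.77, lip=10.0.0.5, TLS, session=<abc123>",
    "Mar  3 10:21:02 mail dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): "
    "user=<>, rip=198.51.100.9, lip=10.0.0.5",
    "Mar  3 10:21:40 mail dovecot: auth-worker(2211): sql(bob@example.com,203.0.113.4): unknown user",
    "Mar  3 10:22:15 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): "
    "user=<>, rip=203.0.113.50, lip=10.0.0.5",
    "Mar  3 10:23:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
    "rip=10.0.0.20, lip=10.0.0.5, TLS, session=<def456>",
]


def compile_failregex(regex):
    """Expand <HOST> and prepend the prefix, as fail2ban does when it loads a filter."""
    return re.compile(PREFIX_LINE + regex.replace("<HOST>", HOST))


def offenders(lines, patterns):
    """(ip, line) for every line some pattern matches; the ip is what fail2ban would ban."""
    hits = []
    for line in lines:
        for pattern in patterns:
            m = pattern.search(line)
            if m:
                hits.append((m.group("host"), line))
                break
    return hits


if __name__ == "__main__":
    login_pattern = compile_failregex(FAILREGEX_LOGIN)
    for ip, line in offenders(SAMPLE_LOG, [login_pattern]):
        print(f"would ban {ip}: {line[:60]}...")
```

The auth-worker line is the one the filter's own DEV note warns about: with an SQL backend the per-lookup failure is logged there, and nothing in the filter matches it, so banning depends entirely on the login process emitting its "auth failed, N attempts" summary on disconnect.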

Components:

httpd – Apache.
Postfix – an open-source mail transfer agent (MTA) that routes and delivers electronic mail.
Dovecot – an open-source IMAP and POP3 server for Linux/UNIX-like systems.
Fail2ban – scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs.
ClamAV – an open source antivirus engine for detecting trojans, viruses, malware and other malicious threats.
Amavis – an interface between Postfix and SpamAssassin/ClamAV; used for spam and virus scanning.
Roundcube – a free web-based e-mail client.
SpamAssassin – content-based spam scanner.

Required packages:

yum install httpd php php-pgsql postfix postgresql postgresql-server dovecot dovecot-pgsql dovecot-pigeonhole fail2ban clamav clamav-db clamd amavisd-new roundcubemail spamassassin