Here's how to filter or block ICMP timestamp requests and replies.
On Red Hat/CentOS, edit /etc/sysconfig/iptables and add the following lines:
-A RH-Firewall-1-INPUT -p ICMP --icmp-type timestamp-request -j DROP
-A RH-Firewall-1-INPUT -p ICMP --icmp-type timestamp-reply -j DROP
and then run:
/sbin/service iptables restart
Or run the following commands:
/sbin/iptables -I RH-Firewall-1-INPUT 1 -p ICMP --icmp-type timestamp-request -j DROP
/sbin/iptables -I RH-Firewall-1-INPUT 1 -p ICMP --icmp-type timestamp-reply -j DROP
/sbin/service iptables save
Recently on an Ubuntu server we just added these lines to /etc/rc.local:
/sbin/iptables -I INPUT 1 -p ICMP --icmp-type timestamp-request -j DROP
/sbin/iptables -I INPUT 1 -p ICMP --icmp-type timestamp-reply -j DROP
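An added example (not from the original post) that checks a saved ruleset for the two DROP rules above and also catches the ordering failure where they sit after a rule that already accepts ICMP, which is what the "-I ... 1" form avoids. The rulesets are constructed samples in iptables-save format, the function names are made up for this example, and only explicit "-p icmp" rules in the named chain are considered.

```sh
#!/bin/sh
# Added example: check that ICMP timestamp request/reply are dropped.
# Both rulesets are constructed samples in iptables-save format, which
# prints the types as 13 (timestamp-request) and 14 (timestamp-reply).
GOOD_RULES='-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 14 -j DROP
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT'

# Same rules, but the DROPs were appended after the ICMP ACCEPT.
BAD_RULES='-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 14 -j DROP'

# first_icmp_verdict CHAIN NAME NUMBER < rules
# Prints the target of the first rule in CHAIN that matches ICMP of the
# given type (by name, by number, "any", or no --icmp-type at all).
first_icmp_verdict() {
    awk -v chain="$1" -v name="$2" -v num="$3" '
        $1 == "-A" && $2 == chain {
            proto = ""; itype = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")          proto  = tolower($(i + 1))
                if ($i == "--icmp-type") itype  = tolower($(i + 1))
                if ($i == "-j")          target = $(i + 1)
            }
            if (proto != "icmp") next
            if (itype == "" || itype == "any" || itype == name || itype == num) {
                print target
                exit
            }
        }'
}

# timestamp_filtered CHAIN < rules : exit 0 only if both types hit DROP first
timestamp_filtered() {
    chain=$1
    rules=$(cat)
    req=$(printf '%s\n' "$rules" | first_icmp_verdict "$chain" timestamp-request 13)
    rep=$(printf '%s\n' "$rules" | first_icmp_verdict "$chain" timestamp-reply 14)
    [ "$req" = "DROP" ] && [ "$rep" = "DROP" ]
}

printf '%s\n' "$GOOD_RULES" | timestamp_filtered RH-Firewall-1-INPUT && echo "good: filtered"
printf '%s\n' "$BAD_RULES" | timestamp_filtered RH-Firewall-1-INPUT || echo "bad: not filtered"
```

On a live host the same check can be fed from "/sbin/iptables-save" instead of the embedded samples.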
OpenNMS is a great network monitoring tool. Here's the OpenNMS site:
In this case I'm going to do an install onto a RedHat Fedora Core 1 server. Here's the installation guide:
https://sourceforge.net/docman/display_doc.php?docid=23937&group_id=4141
The first step is to install the various prerequisites:
- Java 2 SDK 1.4.2 or later from http://java.sun.com
We did a stock install of the 1.4.2_07 tar/gz package to /usr/local/. Don't forget to export the JAVA_HOME environment variable:
export JAVA_HOME=/usr/local/j2sdk1.4.2_07/
- Tomcat 4 from http://jakarta.apache.org/tomcat/index.html
We did a standard install of the 4.1.31 tar/gz package following the instructions here:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/RUNNING.txt
The install was placed at /usr/local/jakarta-tomcat-4.0.
We added the following lines to /etc/rc.local to start Tomcat on bootup and open the appropriate firewall ports:
# tomcat startup
export JAVA_HOME=/usr/local/j2sdk1.4.2_07
export CATALINA_HOME=/usr/local/jakarta-tomcat-4.0
$CATALINA_HOME/bin/startup.sh
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
At this point Tomcat was accessible at http://{myipaddress}:8080
- RRDTool from http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
We used the 1.0.49 source tar/gz package and built it using the instructions in the enclosed README file. The package was installed to: /usr/local/rrdtool-1.0.49
Had to add a --enable-shared option to the configure command line to get the shared libraries to build.
Had to symlink rrdtool into /usr/bin so that opennms could find it:
ln -s /usr/local/rrdtool-1.0.49/bin/rrdtool /usr/bin/rrdtool
Also edited /etc/ld.so.conf and added "/usr/local/rrdtool-1.0.49/lib/" - the path to the rrdtool shared libraries. Finally ran ldconfig to update the cache.
- PostgreSQL 7.2 or later from http://www.postgresql.org/
We used the 7.4.7 release and installed the following binary rpms:
postgresql-7.4.7-2PGDG.i686.rpm
postgresql-contrib-7.4.7-2PGDG.i686.rpm
postgresql-devel-7.4.7-2PGDG.i686.rpm
postgresql-docs-7.4.7-2PGDG.i686.rpm
postgresql-jdbc-7.4.7-2PGDG.i686.rpm
postgresql-libs-7.4.7-2PGDG.i686.rpm
postgresql-pl-7.4.7-2PGDG.i686.rpm
postgresql-server-7.4.7-2PGDG.i686.rpm
postgresql-tcl-7.4.7-2PGDG.i686.rpm
postgresql-test-7.4.7-2PGDG.i686.rpm
After installing we ran the following commands to start the database and set it to start on bootup:
service postgresql start
chkconfig --level 345 postgresql on
And that does it for the prerequisites.
We'll now install OpenNMS, still following the instructions at:
https://sourceforge.net/docman/display_doc.php?docid=23937&group_id=4141
To keep the install simple we used the FC1 RPM binaries provided by OpenNMS. After downloading we had three files:
opennms-1.2.0-1_fc1.i386.rpm
opennms-docs-1.2.0-1_fc1.i386.rpm
opennms-webapp-1.2.0-1_fc1.i386.rpm
Next we tried to install the first rpm with:
rpm -i opennms-1.2.0-1_fc1.i386.rpm
We ran into some problems with missing dependencies at this point. First we had to install:
compat-libstdc++-7.3-2.96.118.i386.rpm
which was downloaded from RPMFind.
Then we installed with dependencies turned off:
rpm -i --nodeps opennms-1.2.0-1_fc1.i386.rpm
rpm -i opennms-docs-1.2.0-1_fc1.i386.rpm
rpm -i --nodeps opennms-webapp-1.2.0-1_fc1.i386.rpm
Many of the opennms files get installed to:
/opt/OpenNMS
Next we'll set up the installer:
export OPENNMS_HOME=/opt/OpenNMS
$OPENNMS_HOME/bin/runjava -s
And run the installer:
$OPENNMS_HOME/bin/install -disU
This failed with JDBC errors about problems connecting to postgres.
To fix it we added the following firewall rule:
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 5432 -j ACCEPT
And modified the pg_hba.conf file to this:
local all all ident sameuser
host all all 127.0.0.1 255.255.255.255 trust
Now the installer ran properly.
Next we ran the installer for the webapps:
export CATALINA_HOME=/usr/local/jakarta-tomcat-4.0
$OPENNMS_HOME/bin/install -y -w $CATALINA_HOME/webapps -W $CATALINA_HOME/server/lib
This worked without any problems.
Next we tried to start opennms with:
$OPENNMS_HOME/bin/opennms.sh start
This took a really long time to return and then reported that startup had failed. In fact startup worked; it just takes several minutes.
We had to restart tomcat before we could get to the webapp at:
http://{myipaddress}:8080/opennms
The initial login was user "admin" and password "admin"
Finally we set opennms to start on boot with:
chkconfig --add opennms
On Red Hat, ETHTOOL_OPTS can provide some control over interface speed. Here's the description from the documentation:
ETHTOOL_OPTS=...
Any device-specific options supported by ethtool. For example,
if you wanted to force 100Mb full duplex:
ETHTOOL_OPTS="speed 100 duplex full autoneg off"
Note that changing speed or duplex settings almost always
requires disabling autonegotiation with 'autoneg off'.
The ethtool utility provides extensive low-level control over Ethernet interfaces.
Here are some handy references about network config on redhat:
RedHat supports the configuration of alias interfaces via network scripts of the form "ifcfg-eth0:0" as described in the documentation here:
Additionally there is undocumented support for alias ranges. Using a single network script of the form "ifcfg-eth0-range0", a set of alias interfaces can be defined. This is very handy when setting up several aliases on a web server.
Here's a sample config file named "ifcfg-eth0-range0":
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:0C:F1:D7:BB:6F
ONBOOT=yes
TYPE=Ethernet
IPADDR_START=70.84.242.240
IPADDR_END=70.84.242.247
CLONENUM_START=240
NETMASK=255.255.255.255
NO_ALIASROUTING=yes
Alias interfaces can be manually activated/deactivated with "ifup eth0-range0" or "ifdown eth0-range0".
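An added example (not part of the Red Hat network scripts or the original post) that expands a range file like the one above into the alias interfaces it defines: one per address from IPADDR_START to IPADDR_END, numbered from CLONENUM_START. It assumes the range stays within the last octet; cfg_get and expand_range are names made up here, and the embedded config is a constructed copy of the sample's relevant keys.

```sh
#!/bin/sh
# Added example: list the alias interfaces an ifcfg-*-range* file defines.
# Constructed copy of the relevant keys from the sample file above.
SAMPLE_CFG='DEVICE=eth0
IPADDR_START=70.84.242.240
IPADDR_END=70.84.242.247
CLONENUM_START=240
NETMASK=255.255.255.255'

# cfg_get KEY < file : value of the last KEY=... line, quotes stripped
cfg_get() {
    sed -n "s/^$1=//p" | tail -n 1 | tr -d "\"'"
}

# expand_range < file : prints "DEVICE:N IP NETMASK" for each alias
expand_range() {
    cfg=$(cat)
    dev=$(printf '%s\n' "$cfg" | cfg_get DEVICE)
    start=$(printf '%s\n' "$cfg" | cfg_get IPADDR_START)
    end=$(printf '%s\n' "$cfg" | cfg_get IPADDR_END)
    n=$(printf '%s\n' "$cfg" | cfg_get CLONENUM_START)
    mask=$(printf '%s\n' "$cfg" | cfg_get NETMASK)
    [ -n "$dev" ] && [ -n "$start" ] && [ -n "$end" ] && [ -n "$n" ] ||
        { echo "missing key" >&2; return 1; }
    # Both ends must share the first three octets; only the last one counts up.
    [ "${start%.*}" = "${end%.*}" ] ||
        { echo "IPADDR_START and IPADDR_END differ before the last octet" >&2; return 1; }
    first=${start##*.}
    last=${end##*.}
    [ "$first" -le "$last" ] || { echo "start is after end" >&2; return 1; }
    while [ "$first" -le "$last" ]; do
        echo "$dev:$n ${start%.*}.$first $mask"
        first=$((first + 1))
        n=$((n + 1))
    done
}

printf '%s\n' "$SAMPLE_CFG" | expand_range
```

For the sample file this lists eth0:240 through eth0:247, which is a quick way to confirm a range does not collide with clone numbers or addresses already used by other ifcfg-eth0:N files.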