From 6f111d82f04e72b4e7e52b431fa05ed0ebda336c Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Sat, 14 Oct 2017 06:42:35 +0200
Subject: [PATCH] daily autocommit
---
 icinga2/conf.d/satellite.conf | 10 +--
 icinga2/zones.conf | 10 +++
 icinga2/zones.d/master/hosts.conf | 107 +++++++++++++++++++++++++++
 icinga2/zones.d/master/services.conf | 23 ++++++
 iptables/rules.v4 | 36 ++++++++-
 iptables/rules.v6 | 6 +-
 6 files changed, 181 insertions(+), 11 deletions(-)
diff --git a/icinga2/conf.d/satellite.conf b/icinga2/conf.d/satellite.conf
index 4a6b97a..349ae29 100644
--- a/icinga2/conf.d/satellite.conf
+++ b/icinga2/conf.d/satellite.conf
@@ -26,8 +26,8 @@ template Service "satellite-service" {
 }
-apply Dependency "satellite-host" to Host {
- parent_host_name = host.zone
-
- assign where host.zone != "" && "satellite-host" in host.templates
-}
+#apply Dependency "satellite-host" to Host {
+# parent_host_name = host.zone
+#
+# assign where host.zone != "" && "satellite-host" in host.templates
+#}
diff --git a/icinga2/zones.conf b/icinga2/zones.conf
index 22600fe..dd50bd2 100644
--- a/icinga2/zones.conf
+++ b/icinga2/zones.conf
@@ -11,6 +11,11 @@ object Zone "master" {
 endpoints = [ "ns1.uhu-banane.de" ]
 }
+object Endpoint "ns2.uhu-banane.de" {
+ host = "ns2.uhu-banane.de"
+ port = "5665"
+}
+
 object Endpoint "ns3.uhu-banane.de" {
 host = "ns3.uhu-banane.de"
 port = "5665"
@@ -21,6 +26,11 @@ object Endpoint "sarah.uhu-banane.de" {
 port = "5665"
 }
+object Zone "ns2.uhu-banane.de" {
+ endpoints = [ "ns2.uhu-banane.de" ]
+ parent = "master"
+}
+
 object Zone "ns3.uhu-banane.de" {
 endpoints = [ "ns3.uhu-banane.de" ]
 parent = "master"
diff --git a/icinga2/zones.d/master/hosts.conf b/icinga2/zones.d/master/hosts.conf
index 87bc34c..3317802 100644
--- a/icinga2/zones.d/master/hosts.conf
+++ b/icinga2/zones.d/master/hosts.conf
@@ -1,3 +1,46 @@
+object Host "ns2.uhu-banane.de" {
+ check_command = "hostalive" //check is executed on the master
+ address = "162.254.24.33"
+
+ vars.os = "Linux"
+ vars.os_family = "Debian"
+ # All about DNS server
+ vars.is_ns = true
+ vars.check_dns_domain = "uhu-banane.de"
+
+ /* Define http vhost attributes for service apply rules in `services.conf`. */
+ vars.http_vhosts["http"] = {
+ http_uri = "/"
+ }
+
+ vars.ping_wrta = 200
+ vars.ping_crta = 300
+
+ /* Define disks and attributes for service apply rules in `services.conf`. */
+ vars.disks["disk"] = {
+ /* No parameters. */
+ }
+ vars.disks["disk /"] = {
+ disk_partitions = "/"
+ }
+ vars.disks["disk /home"] = {
+ disk_partitions = "/home"
+ }
+ vars.disks["disk /tmp"] = {
+ disk_partitions = "/tmp"
+ }
+ vars.disks["disk /var"] = {
+ disk_partitions = "/var"
+ }
+
+ /* Define notification mail attributes for notification apply rules in `notifications.conf`. */
+ vars.notification["mail"] = {
+ /* The UserGroup `icingaadmins` is defined in `users.conf`. */
+ groups = [ "icingaadmins" ]
+ }
+ vars.client_endpoint = name //follows the convention that host name == endpoint name
+}
+
 object Host "ns3.uhu-banane.de" {
 check_command = "hostalive" //check is executed on the master
 address = "185.102.95.107"
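Review bot: The `vars.http_vhosts["http"]` entry on the new ns2 host only exercises plain HTTP on `/`; if ns2 also serves HTTPS (not visible in this commit) the TLS listener and its certificate lifetime stay unmonitored, so consider a second vhost `vars.http_vhosts["https"] = { http_uri = "/"  http_ssl = true  http_certificate = 14 }` next to it. The object also repeats the disks, notification and `vars.client_endpoint` boilerplate of the ns3 object that follows it line for line; moving that shared part into a host template the hosts import would keep future changes to disk or notification checks in one place. The `vars.ping_wrta = 200` / `vars.ping_crta = 300` overrides are specific to ns2 (the sarah object added later in this commit sets none) and deserve a one-line comment saying why that host is allowed a slower RTT.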
@@ -38,3 +81,67 @@ object Host "ns3.uhu-banane.de" {
 vars.client_endpoint = name //follows the convention that host name == endpoint name
 }
+object Host "sarah.uhu-banane.de" {
+ check_command = "hostalive" //check is executed on the master
+ address = "185.48.118.130"
+
+ vars.os = "Linux"
+ vars.os_family = "Debian"
+ # All about DNS server
+ vars.is_ns = false
+
+ vars.is_mta = true
+
+ vars.mailq_warning = 100
+ vars.mailq_critical = 300
+
+ vars.smtp_address = "mail.uhu-banane.net"
+ vars.smtp_port = 25
+ vars.smtp_helo_fqdn = "icinga2.uhu-banane.de"
+ vars.smtp_starttls = true
+
+ vars.is_imap_server = true
+
+ vars.imap_address = "mail.uhu-banane.net"
+ vars.imap_port = 993
+ vars.imap_ssl = true
+ vars.imap_ipv4 = true
+
+ /* Define http vhost attributes for service apply rules in `services.conf`. */
+ vars.http_vhosts["http"] = {
+ http_uri = "/"
+ }
+
+ /* Define disks and attributes for service apply rules in `services.conf`. */
+ vars.disks["disk"] = {
+ /* No parameters. */
+ }
+ vars.disks["disk /"] = {
+ disk_partitions = "/"
+ }
+ vars.disks["disk /home"] = {
+ disk_partitions = "/home"
+ }
+ vars.disks["disk /tmp"] = {
+ disk_partitions = "/tmp"
+ }
+ vars.disks["disk /var"] = {
+ disk_partitions = "/var"
+ }
+
+ vars.disks["disk /opt"] = {
+ disk_partitions = "/opt"
+ }
+
+ vars.disks["disk /var/backup"] = {
+ disk_partitions = "/var/backup"
+ }
+
+ /* Define notification mail attributes for notification apply rules in `notifications.conf`. */
+ vars.notification["mail"] = {
+ /* The UserGroup `icingaadmins` is defined in `users.conf`. */
+ groups = [ "icingaadmins" ]
+ }
+ vars.client_endpoint = name //follows the convention that host name == endpoint name
+}
+
diff --git a/icinga2/zones.d/master/services.conf b/icinga2/zones.d/master/services.conf
index 07d4bcd..e234040 100644
--- a/icinga2/zones.d/master/services.conf
+++ b/icinga2/zones.d/master/services.conf
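Review bot: The sarah host turns on STARTTLS for SMTP (`vars.smtp_starttls = true`) and SSL for IMAP (`vars.imap_ssl = true`) but sets no certificate threshold, so an expiring or already expired certificate on mail.uhu-banane.net is not noticed until clients start failing; the ITL `smtp` and `imap` commands expose a minimum-validity-days attribute (check the ITL version in use), so `vars.smtp_certificate = 14` and `vars.imap_certificate = 14` would close that gap. Both checks target `mail.uhu-banane.net` rather than the host's `address`, so they follow whatever that name resolves to instead of 185.48.118.130; a comment such as `# SMTP/IMAP checks go by the public mail name, not by host.address` would make that deliberate. Only the IMAP check is pinned to IPv4 (`vars.imap_ipv4 = true`); if that is meant for SMTP as well, `vars.smtp_ipv4 = true` keeps the two consistent, otherwise a short note explaining the asymmetry would help the next reader.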
@@ -79,3 +79,26 @@ apply Service "users" {
 assign where host.vars.client_endpoint
 }
+apply Service "mailq" {
+ import "generic-service"
+
+ check_command = "mailq"
+
+ //specify where the check is executed
+ command_endpoint = host.vars.client_endpoint
+
+ assign where host.vars.client_endpoint && host.vars.is_mta
+}
+
+apply Service "smtp" {
+ import "generic-service"
+ check_command = "smtp"
+ assign where host.vars.is_mta
+}
+
+apply Service "imap" {
+ import "generic-service"
+ check_command = "imap"
+ assign where host.vars.is_imap_server
+}
+
diff --git a/iptables/rules.v4 b/iptables/rules.v4
index 2fd8eb0..dbde405 100644
--- a/iptables/rules.v4
+++ b/iptables/rules.v4
@@ -1,10 +1,25 @@
-# Generated by iptables-save v1.6.0 on Thu Jul 20 10:19:41 2017
+# Generated by iptables-save v1.6.0 on Fri Oct 13 16:05:18 2017
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [71:11710]
+:OUTPUT ACCEPT [124:37795]
 :f2b-apache - [0:0]
+:f2b-apache-modsecurity - [0:0]
+:f2b-apache-nohome - [0:0]
+:f2b-apache-noscript - [0:0]
+:f2b-apache-overflows - [0:0]
+:f2b-postfix - [0:0]
+:f2b-ssh - [0:0]
+:f2b-sshd - [0:0]
+:icinga2 - [0:0]
 :rejects - [0:0]
+-A INPUT -p tcp -m multiport --dports 22 -j f2b-ssh
+-A INPUT -p tcp -m multiport --dports 25,465,587 -j f2b-postfix
+-A INPUT -p tcp -m multiport --dports 0:65535 -j f2b-sshd
+-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-nohome
+-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-modsecurity
+-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-overflows
+-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-noscript
 -A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache
 -A INPUT -s 220.192.0.0/12 -p tcp -m multiport --dports 22 -j REJECT --reject-with icmp-port-unreachable
 -A INPUT -s 222.184.0.0/13 -p tcp -m multiport --dports 22 -j REJECT --reject-with icmp-port-unreachable
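Review bot: The new `smtp` and `imap` apply rules carry no `command_endpoint`, so unlike `mailq` directly above they run from the master and probe the mail services from the outside; that is a sensible choice for a reachability check, but it is the opposite of the pattern the file otherwise uses, so state it, e.g. `//check is executed on the master, not on the client endpoint` after each `import "generic-service"`. Because of that they also match any host with `vars.is_mta` / `vars.is_imap_server` regardless of whether it has a `client_endpoint`, which should be the documented intent rather than an accident. The `users` rule whose tail appears as context here starts outside the hunk.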
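Review bot: The persisted ruleset now includes the fail2ban-managed chains (`:f2b-*` declarations and their `-j f2b-*` jumps in this hunk, the chain bodies in the next), which are runtime state rather than policy: on the next `iptables-restore` they come back with whatever was active at save time (the `58.242.83.8/32` reject in the following hunk becomes a permanent ban outside fail2ban's bantime), and fail2ban then inserts its own jumps on top, so duplicate rules accumulate with every "daily autocommit". Generate the file without those entries, e.g. `iptables-save | grep -v f2b- > iptables/rules.v4`, or save with fail2ban stopped. Having both `f2b-ssh` (port 22) and `f2b-sshd` (`0:65535`) jumps suggests the legacy `ssh` jail name and the current `sshd` jail are both enabled; worth checking jail.local so SSH is handled by one jail with one ban action. The `:icinga2` chain declared here is fine; its rules are reviewed in the next hunk.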
@@ -17,9 +32,24 @@
 -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5665 -j icinga2
 -A INPUT -j rejects
 -A INPUT -p tcp -m multiport --dports 445 -j REJECT --reject-with icmp-port-unreachable
 -A INPUT -j REJECT --reject-with icmp-port-unreachable
+-A f2b-apache -j RETURN
+-A f2b-apache-modsecurity -j RETURN
+-A f2b-apache-nohome -j RETURN
+-A f2b-apache-noscript -j RETURN
+-A f2b-apache-overflows -j RETURN
+-A f2b-postfix -j RETURN
+-A f2b-ssh -s 58.242.83.8/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-ssh -j RETURN
+-A f2b-sshd -j RETURN
+-A icinga2 -s 185.102.95.107/32 -j ACCEPT
+-A icinga2 -s 162.254.24.33/32 -j ACCEPT
+-A icinga2 -s 185.48.118.128/32 -j ACCEPT
+-A icinga2 -s 185.48.118.130/32 -j ACCEPT
+-A icinga2 -j REJECT --reject-with icmp-port-unreachable
 -A rejects -s 134.119.179.226/32 -j REJECT --reject-with icmp-port-unreachable
 -A rejects -p tcp -m tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable
 -A rejects -p tcp -m tcp --dport 445 -j REJECT --reject-with icmp-port-unreachable
@@ -33,4 +63,4 @@
 -A rejects -p tcp -m tcp --dport 5060 -j REJECT --reject-with icmp-port-unreachable
 -A rejects -p tcp -m tcp --dport 8080 -j REJECT --reject-with icmp-port-unreachable
 COMMIT
-# Completed on Thu Jul 20 10:19:41 2017
+# Completed on Fri Oct 13 16:05:18 2017
diff --git a/iptables/rules.v6 b/iptables/rules.v6
index be66a4b..19cc1d6 100644
--- a/iptables/rules.v6
+++ b/iptables/rules.v6
@@ -1,8 +1,8 @@
-# Generated by ip6tables-save v1.6.0 on Thu Jul 20 10:19:41 2017
+# Generated by ip6tables-save v1.6.0 on Fri Oct 13 16:05:18 2017
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [49648:18025916]
+:OUTPUT ACCEPT [114899:30256543]
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED -j ACCEPT
 -A INPUT -p ipv6-icmp -j ACCEPT
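Review bot: The `icinga2` chain accepts 5665/tcp from `185.48.118.128/32`, but nothing in this commit maps that address to an endpoint — hosts.conf gives ns2 as 162.254.24.33, ns3 as 185.102.95.107 and sarah as 185.48.118.130 — so it is either an undocumented second address of sarah or a stale entry that opens the cluster API port to an unknown host. Record the reason on the rule itself, which `iptables-save` preserves, `-A icinga2 -s 185.48.118.128/32 -m comment --comment "sarah secondary address" -j ACCEPT`, or drop the line if it is not needed. The chain correctly ends in an explicit REJECT and the `--dport 5665` jump is placed before the generic `-j rejects` / REJECT, so it is actually reached. rules.v6 in this commit opens nothing on 5665, so any endpoint that resolves to an AAAA record fails closed on v6; fine if intended, but worth a note next to the endpoint definitions in zones.conf.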
@@ -25,4 +25,4 @@
 -A FORWARD -j NFLOG --nflog-prefix "IPv6 FORWARD Reject " --nflog-threshold 1
 -A FORWARD -j REJECT --reject-with icmp6-port-unreachable
 COMMIT
-# Completed on Thu Jul 20 10:19:41 2017
+# Completed on Fri Oct 13 16:05:18 2017
--
2.39.5