Setting up a TFTP server in Debian/Ubuntu

I’ve needed to set up a TFTP server for various reasons in the past. Most recently, I needed it in order to upload files (OS images, VPN clients, etc.) to Cisco routers, switches and ASA firewalls. So this blog is for the sole purpose of setting up a TFTP server.

I need to stress the security issues that TFTP servers have. There are no logon credentials, the protocol is all in plain text, and there is no file security for any files supplied by the TFTP server. So make sure that you are only putting files on this server that are considered “compromisable”. If you’re going to be backing up files on this server (running configs, especially), then you should do everything in your power to limit access to this machine by use of firewall rules. For large networks, I would recommend using a product like CatTools.

Alright, so let’s see here. First off, you’re going to need to install some software.

steve @ steve-G75VX ~ :) ##   sudo apt-get update
[sudo] password for steve:
...
...                                                                                                                                                                        
Fetched 916 kB in 8s (112 kB/s)                                                                                                                                                                                                            
Reading package lists... Done
steve @ steve-G75VX ~ :) ##   sudo apt-get install xinetd tftpd tftp
Reading package lists... Done
Building dependency tree      
Reading state information... Done
xinetd is already the newest version.
tftp is already the newest version.
tftpd is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 38 not upgraded.
steve @ steve-G75VX ~ :) ##


Now that we have our software installed, we need to configure our TFTP daemon to run.

Start by creating a new file and paste in this info:

steve @ steve-G75VX ~ :) ##   sudo nano /etc/xinetd.d/tftp
service tftp
{
protocol        = udp
port            = 69
socket_type     = dgram
wait            = yes
user            = nobody
server          = /usr/sbin/in.tftpd
server_args     = /tftp
disable         = no
}
steve @ steve-G75VX ~ :) ##


Things to remember here are that you’re specifying the default port of 69/udp and that the user “nobody” is going to be the user of the files.


Now that we have that done, we can create our directory and set permissions:

steve @ steve-G75VX ~ :) ##   sudo mkdir /tftp
steve @ steve-G75VX ~ :) ##   sudo chmod -R 777 /tftp
steve @ steve-G75VX ~ :) ##   sudo chown -R nobody /tftp


All that’s left is that we need to start the service!

steve @ steve-G75VX ~ :) ##   sudo service xinetd restart

-OR-

steve @ steve-G75VX ~ :) ##   sudo /etc/init.d/xinetd restart


Just test to make sure that the service is running:

steve @ steve-G75VX ~ :) ##   ps aux | grep xinet
root      7049  0.0  0.0  15024   456 ?        Ss   Oct22   0:00 /usr/sbin/xinetd -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
steve    16301  0.0  0.0  15188  1984 pts/3    S+   17:25   0:00 grep --color=auto xinet
steve @ steve-G75VX ~ :) ##  
steve @ steve-G75VX ~ :) ##   ports | grep 69
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
udp        0      0 0.0.0.0:69              0.0.0.0:*                           -              
steve @ steve-G75VX ~ :) ##


And we’re done!
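To check a setup like this one against the access concerns raised at the top of the post, here is an added example (not part of the original post) that audits the xinetd stanza and the TFTP root. It assumes clients are restricted with xinetd's only_from attribute; the function names, finding labels and the 192.0.2.0/24 management subnet are made up for the example.

```shell
#!/bin/sh
# Added example: audit an xinetd TFTP stanza and the directory it serves.
# Function names and finding labels are made up for this example.

# Print the value of one attribute ("key = value") from an xinetd service file.
xinetd_attr() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                     # comment line
        {
            n = index($0, "=")
            if (n == 0) next                    # "service tftp", "{" and "}"
            k = substr($0, 1, n - 1)
            v = substr($0, n + 1)
            gsub(/^[ \t]+|[-+ \t]+$/, "", k)    # trims blanks and the += / -= operators
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Print one finding per line; print nothing when every check passes.
audit_tftp() {
    conf=$1
    root=$2

    # Without only_from, xinetd itself does not filter which hosts may use udp/69.
    only_from=$(xinetd_attr "$conf" only_from)
    case "$only_from" in
        "")         echo "OPEN_TO_ALL: no only_from restriction in $conf" ;;
        *0.0.0.0*)  echo "OPEN_TO_ALL: only_from matches every address" ;;
    esac

    # If "user" is missing, the server inherits the uid xinetd runs under (root).
    user=$(xinetd_attr "$conf" user)
    case "$user" in
        ""|root) echo "RUNS_AS_ROOT: user is '${user:-unset}'" ;;
    esac

    # World-writable root: any local account can plant or replace served files.
    case "$(ls -ld "$root")" in
        ????????w*) echo "WORLD_WRITABLE: $root is writable by everyone" ;;
    esac
}

# Build a constructed sample under $1: the stanza as posted, a copy restricted
# to a made-up management subnet, and a world-writable root directory.
make_sample() {
    mkdir -p "$1/tftp" && chmod 777 "$1/tftp"
    cat > "$1/as_posted" <<'EOF'
service tftp
{
protocol        = udp
port            = 69
socket_type     = dgram
wait            = yes
user            = nobody
server          = /usr/sbin/in.tftpd
server_args     = /tftp
disable         = no
}
EOF
    # Same stanza with one extra attribute inserted before the closing brace.
    { sed '$d' "$1/as_posted"; echo 'only_from       = 192.0.2.0/24'; echo '}'; } > "$1/restricted"
}

demo() {
    d=$(mktemp -d)
    make_sample "$d"
    echo "as posted:";  audit_tftp "$d/as_posted" "$d/tftp"
    chmod 755 "$d/tftp"
    echo "restricted:"; audit_tftp "$d/restricted" "$d/tftp"
    rm -rf "$d"
}
demo
```
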


Debian Backups, the Command Line Way…

I’ve been wanting to write a blog on this for a long time since I’ve actually had this backup method running in my environment for years. It’s super easy to set up and, while thank god I’ve never had to recover from a backup, I have been able to go back and recover individual files from my backups. What you’ll need from an environment setup is at least one Linux box that you need backed up, and at least one NAS or other file storage server that has an SSH server. I perform all my backups to online disk storage that is based on FreeNAS. There are plenty of NAS environments, and I’m not saying FreeNAS is the best or the worst, but I like it and it works for me. It works extremely well with Linux, Windows and Mac OS X.

There are two parts to this:

  • 1. manual backups
  • 2. automated backups

    Let’s start with the manual backups, because once we have the manual backups performed, then we can easily turn that into a script and run it in CRON.


    First, we need to specify the directories we don’t want to back up in a file that is accessible to root. Let’s list the directories in “/” first.

    steve @ steve-G75VX ~ :) ##   ll /
    total 18M
    drwxr-xr-x  25 root   root 4.0K Oct 22 14:54 ./
    drwxr-xr-x  25 root   root 4.0K Oct 22 14:54 ../
    drwxr-xr-x   2 root   root 4.0K Aug 14 02:03 bin/
    drwxr-xr-x   4 root   root 3.0K Oct  3 11:39 boot/
    drwxrwxr-x   2 root   root 4.0K May 21 11:52 cdrom/
    -rw-------   1 root   root  18M Oct  3 11:40 core
    drwxr-xr-x  24 root   root 4.8K Oct 31 12:38 dev/
    drwxr-xr-x 148 root   root  12K Oct 27 20:37 etc/
    drwxr-xr-x   3 root   root 4.0K May 21 11:53 home/
    lrwxrwxrwx   1 root   root   33 Aug 14 02:06 initrd.img -> boot/initrd.img-3.19.0-25-generic
    lrwxrwxrwx   1 root   root   33 Jul 10 08:56 initrd.img.old -> boot/initrd.img-3.19.0-22-generic
    drwxr-xr-x  26 root   root 4.0K Oct 13 13:41 lib/
    drwxr-xr-x   2 root   root 4.0K May 21 12:41 lib32/
    drwxr-xr-x   2 root   root 4.0K Apr 22  2015 lib64/
    drwx------   2 root   root  16K May 21 11:47 lost+found/
    drwxr-xr-x   3 root   root 4.0K May 21 12:01 media/
    drwxr-xr-x   2 root   root 4.0K Apr 17  2015 mnt/
    drwxr-xr-x   6 root   root 4.0K Oct 20 11:28 opt/
    dr-xr-xr-x 283 root   root    0 Oct 21 20:30 proc/
    drwx------   4 root   root 4.0K Oct 27 16:57 root/
    drwxr-xr-x  30 root   root 1.1K Oct 27 20:50 run/
    drwxr-xr-x   2 root   root  12K Aug 14 02:03 sbin/
    drwxr-xr-x   2 root   root 4.0K Apr 22  2015 srv/
    dr-xr-xr-x  13 root   root    0 Oct 22 14:55 sys/
    drwxrwxrwx   2 nobody root 4.0K Oct 22 17:55 tftp/
    drwxrwxrwt  18 root   root 4.0K Nov  1 15:17 tmp/
    drwxr-xr-x  11 root   root 4.0K May 21 12:41 usr/
    drwxr-xr-x  13 root   root 4.0K Apr 22  2015 var/
    lrwxrwxrwx   1 root   root   30 Aug 14 02:06 vmlinuz -> boot/vmlinuz-3.19.0-25-generic
    lrwxrwxrwx   1 root   root   30 Jul 10 08:56 vmlinuz.old -> boot/vmlinuz-3.19.0-22-generic


    So, based on this, we’ll exclude like this:

    steve @ steve-G75VX ~ :) ##   sudo mkdir /backups
    [sudo] password for steve:
    steve @ steve-G75VX ~ :) ##   sudo touch /backups/exclude.list
    steve @ steve-G75VX ~ :) ##   sudo nano /backups/exclude.list
    steve @ steve-G75VX ~ :) ##  

    /cdrom
    /dev
    /lost+found
    /proc
    /run
    /sys
    /tmp

    (Ctrl+x to quit, then y to save)


    Now that we have our directory and exclude list set up, we need to make sure RSYNC is installed on our system.

    steve @ steve-G75VX ~ :) ##   sudo apt-get update
    ...
    ...
    Fetched 1,743 kB in 21s (79.7 kB/s)
    Reading package lists... Done
    steve @ steve-G75VX ~ :) ##   sudo apt-get install rsync
    Reading package lists... Done
    Building dependency tree      
    Reading state information... Done
    rsync is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 38 not upgraded.
    steve @ steve-G75VX ~ :) ##


    Now that we have RSYNC installed and our backup exclusions defined, let’s get our backups started.

    First, edit your .bashrc file in your home directory and add this line:

    alias backupall='sudo rsync -athvz --delete / steve@1.1.1.1:/mnt/Backups/laptop/'


    “What does all this do?” you might ask… well, it’s quite simple really.

    First, we create an alias for your shell named, “backupall”, because we’ll be performing full system backups from here.

    Next, we call “rsync” to run as root, and ask it to run with the switches -a, -t, -h, -v and -z.

  • -a = run in archive mode, which equals -rlptgoD (no -H,-A,-X)
  • -t = makes sure to preserve modification times on your files
  • -h = outputs numbers in a human-readable format
  • -v = run verbosely
  • -z = makes sure that file data is compressed during the transfer
  • And lastly, the “--delete” means, “This tells rsync to delete extraneous files from the receiving side (ones that aren’t on the sending side), but only for the directories that are being synchronized. You must have asked rsync to send the whole directory (e.g. "dir" or "dir/") without using a wildcard for the directory’s contents (e.g. "dir/*") since the wildcard is expanded by the shell and rsync thus gets a request to transfer individual files, not the files’ parent directory. Files that are excluded from the transfer are also excluded from being deleted unless you use the --delete-excluded option or mark the rules as only matching on the sending side (see the include/exclude modifiers in the FILTER RULES section).” — http://linux.die.net/man/1/rsync

    Next is the “/”, which means we’re backing up everything in “/”, which is everything.

    Lastly, we’re specifying the destination. In this case, we’re doing RSYNC over SSH, so we’ll be specifying a location in the way that you would specify a destination in SCP.


    Now test running your backup. I’ve run mine before, so my update is pretty quick. But this is going to back up your whole system, so expect it to take a while.

    steve @ steve-G75VX ~ :( ᛤ>   backupallnas
    steve@1.1.1.1's password:
    sending incremental file list
    ./
    var/lib/mysql/blog/wp_AnalyticStats.MYD
    var/lib/mysql/blog/wp_AnalyticStats.MYI
    var/lib/mysql/blog/wp_options.MYD
    var/lib/mysql/blog/wp_options.MYI
    var/lib/mysql/blog/wp_postmeta.MYD
    var/lib/mysql/blog/wp_postmeta.MYI
    var/lib/sudo/steve/0
    var/log/auth.log
    var/log/apache2/access.log
    var/log/apache2/error.log

    sent 1.09M bytes  received 50.77K bytes  58.56K bytes/sec
    total size is 1.91G  speedup is 1673.17
    rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1070) [sender=3.0.9]
    steve @ steve-G75VX ~ :( ᛤ>



    Now we need to create our script, and make it executable.

    root @ steve-G75VX ~ :) ##   nano /backups/backupall
    root @ steve-G75VX ~ :) ##   chmod +x /backups/backupall
    root @ steve-G75VX ~ :) ##   ll /backups/backupall
    -rwxr-xr-x 1 root root 96 Nov  1 17:02 /backups/backupall*
    root @ steve-G75VX ~ :) ##


    I added this one line to the backup file:

    sudo rsync -athvz --delete / steve@1.1.1.1:/mnt/Backups/laptop/



    This looks pretty good! Now that we have a full backup of our machine, let’s get this set up in CRON.

    steve @ steve-G75VX ~ :) ##   sudo su
    root @ steve-G75VX ~ :) ##   crontab -l
    no crontab for root
    root @ steve-G75VX ~ :( ##   crontab -e
    no crontab for root - using an empty one

    Select an editor.  To change later, run 'select-editor'.
      1. /bin/ed
      2. /bin/nano        <---- easiest
      3. /usr/bin/vim.tiny

    Choose 1-3 [2]: 2
    crontab: installing new crontab
    root @ steve-G75VX ~ :) ##


    The line that I added to CRON was this:

    0 3 * * * /backups/backupall >/dev/null 2>&1


    This basically states that every day at 3am, this script will be run.


    From here we need to make sure our local system can perform password-less logon to the SSH server. To do that we’ll be working off of a prior blog I wrote on SSH Keys, here: Using SSH Keys to simplify logins to remote systems.

    You’ll want to test that your system can SSH to your remote system without entering a password. As long as that works, we’re good to go!

    That’s it! It’s that simple!
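A cron job whose output goes to /dev/null hides failures such as the code 23 error in the test run above. The wrapper below is an added example (not the author's script) that passes the exclude list created earlier, refuses to overlap with a previous run and logs a verdict for each run; the variable names, log path, lock path and the "run" argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: cron wrapper around the rsync backup from this post.
# Variable and function names are hypothetical; paths default to the post's.

RSYNC=${RSYNC:-rsync}                               # overridable for testing
SRC=${SRC:-/}
DEST=${DEST:-steve@1.1.1.1:/mnt/Backups/laptop/}
EXCLUDES=${EXCLUDES:-/backups/exclude.list}
LOG=${LOG:-/var/log/backupall.log}                  # assumed log location
LOCK=${LOCK:-/run/backupall.lock}                   # assumed lock location

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# Map an rsync exit status to a verdict for the log.
verdict() {
    case "$1" in
        0)  echo OK ;;
        24) echo WARN_VANISHED ;;   # source files disappeared mid-run (live system)
        23) echo FAIL_PARTIAL ;;    # some files/attrs were not transferred
        *)  echo "FAIL_$1" ;;
    esac
}

run_backup() {
    # Without the exclude list a backup of / would walk /proc, /sys and friends.
    [ -r "$EXCLUDES" ] || { log "ABORT exclude list $EXCLUDES not readable"; return 3; }

    # mkdir is atomic, so the directory doubles as a lock against overlapping runs.
    mkdir "$LOCK" 2>/dev/null || { log "SKIP previous run still holds $LOCK"; return 2; }

    log "START $SRC -> $DEST"
    rsync_rc=0
    "$RSYNC" -athvz --delete --exclude-from="$EXCLUDES" "$SRC" "$DEST" >> "$LOG" 2>&1 || rsync_rc=$?
    rmdir "$LOCK"

    v=$(verdict "$rsync_rc")
    log "END rsync exit=$rsync_rc verdict=$v"
    case "$v" in
        OK|WARN_VANISHED) return 0 ;;
        *) echo "backup failed ($v), see $LOG" >&2   # cron mails anything on stderr
           return 1 ;;
    esac
}

# Cron entry (assumed install path): 0 3 * * * /backups/backupall run
if [ "${1:-}" = run ]; then
    run_backup
    exit $?
fi
```
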



    I have run into issues on some machines where SSH keys don’t work. I haven’t had the time to troubleshoot why, so I got a different way to figure out how to make backups work, without using SSH keys. The down side is that this is MUCH less secure, and I really don’t recommend running this in a production setting. But for home or non-business use, you’re probably just fine.

    So to do this, we’re going to use “SSHPASS” package. It’s out there for Debian and Ubuntu, so I’m sure it’s out there for other Linux/Unix systems as well.

    root @ steve-G75VX ~ :) ##   sudo apt-get install sshpass
    Reading package lists... Done
    Building dependency tree      
    Reading state information... Done
    The following NEW packages will be installed:
      sshpass
    0 upgraded, 1 newly installed, 0 to remove and 38 not upgraded.
    Need to get 10.5 kB of archives.
    After this operation, 56.3 kB of additional disk space will be used.
    Get:1 http://us.archive.ubuntu.com/ubuntu/ vivid/universe sshpass amd64 1.05-1 [10.5 kB]
    Fetched 10.5 kB in 0s (65.3 kB/s)  
    Selecting previously unselected package sshpass.
    (Reading database ... 258807 files and directories currently installed.)
    Preparing to unpack .../sshpass_1.05-1_amd64.deb ...
    Unpacking sshpass (1.05-1) ...
    Processing triggers for man-db (2.7.0.2-5) ...
    Setting up sshpass (1.05-1) ...
    root @ steve-G75VX ~ :) ##


    Go ahead and test logging into your NAS box, or any box really, with this. The idea is that, when you’re scripting you need to logon to remote systems without a password. If you can’t use SSH keys, then this is your next best bet. Create a file in “root’s” home dir and name it whatever you want. I named mine, “backup.dat”. It must contain only the password you use to log into your remote machine, on one line, all by itself.

    root @ steve-G75VX ~ :) ##   nano ~/backup.dat
    root @ steve-G75VX ~ :) ##   chmod 600 backup.dat


    You’ll call “sshpass”, -f for the file with the password, the location of your “ssh” program, -p and the port number (default port for ssh is 22), followed by the username you login with (make sure it’s in the format of, “user@machine-ip”).

    root @ steve-G75VX ~ :) ##   sshpass -f /root/backup.dat /usr/bin/ssh -p 22 steve@1.1.1.1
    Last login: Sun Nov  1 17:22:08 2015 from 1.1.1.2
    FreeBSD 9.2-RELEASE (FREENAS.amd64) #0 r+2315ea3: Fri Dec 20 12:48:50 PST 2013

        FreeNAS (c) 2009-2013, The FreeNAS Development Team
        All rights reserved.
        FreeNAS is released under the modified BSD license.

        For more information, documentation, help or support, go here:
        http://freenas.org
    Welcome to FreeNAS
    [steve@freenas ~]$ exit
    logout
    Connection to 1.1.1.1 closed.
    root @ steve-G75VX ~ :) ##


    Okay, now that we’ve tested this and know it’s working, let’s modify our script here and get this working with “sshpass”.

    root @ steve-G75VX ~ :) ##   /usr/bin/rsync -athvz --delete --rsh="/usr/bin/sshpass -f /root/backup.dat ssh -o StrictHostKeyChecking=no -l YourUserN@me" /home/steve steve@1.1.1.1:/mnt/Backups/laptop/


    Now test to make sure the script is working (as soon as you see the incremental file list being sent, you know it’s working properly):

    root @ steve-G75VX ~ :) ##   /usr/bin/rsync -athvz --delete --rsh="/usr/bin/sshpass -f /root/backup.dat ssh -o StrictHostKeyChecking=no -l steve" /home/steve steve@1.1.1.1:/mnt/Backups/laptop
    sending incremental file list
    ^Crsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at rsync.c(632) [sender=3.1.1]
    root @ steve-G75VX ~ :) ##
    root @ steve-G75VX ~ :) ##
    root @ steve-G75VX ~ :) ##   /backups/backupall
    sending incremental file list
    steve/.cache/google-chrome/Default/Cache/
    ^Crsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at rsync.c(632) [sender=3.1.1]
    root @ steve-G75VX ~ :( ##

    Success!







    http://linux.die.net/man/1/rsync
    https://www.debian-administration.org/article/56/Command_scheduling_with_cron


    How-to: SCP files from ASA

    This is a quick and simple blog. Just notes really on how to use SCP/SSH to download files off of an ASA. It comes in handy for scripting purposes, but I thought I would at least share for everyone to see.

    First things first, we need to enable SSH and SCopy on our ASA. We can accomplish this by entering config mode, and then issuing 2 different “ssh” commands:

    steve @ phiberoptiklmde ~ :) ##  ssh steve@1.1.1.1
    pomeroy@1.1.1.1's password:
    Type help or '?' for a list of available commands.
    MyASA5510> en
    Password: ***********
    MyASA5510# conf t
    MyASA5510(config)#ssh 0.0.0.0 0.0.0.0 Inside
    MyASA5510(config)#ssh scopy enable
    MyASA5510(config)#wr
    Cryptochecksum: 0d46cc75 79177ae7 9069c9a8 94153d78

    8184 bytes copied in 0.690 secs
    [OK]
    MyASA5510(config)#exit
    MyASA5510#exit

    The first “ssh” command allows anyone to connect to this from the “Inside” interface of our ASA. This is NOT secure. In a real production environment, we should lock this down to a specific IP address, a handful of IP addresses, or a management network.

    The second “ssh” command tells the ASA to enable “scopy”, which basically means that you can connect to the ASA with an SCP client and download files.

    From here we can just use our Linux machine to download the file to whatever folder you want to save your files to. See below on how to do that.
    Start with “scp”, then your user account at the IP of the machine: “scp steve@1.1.1.1”.
    From here, it needs to call an actual file that exists on the ASA. If you log into the ASA and issue the “dir” command from enable mode, you can get a listing of all files on the local flash drive on the machine.
    Lastly, you just need to specify the path that you want to save the file to.

    It’s that easy!

    steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-win-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-win-3.1.05152-k9.pkg
    serdman@1.1.1.1's password:
    anyconnect-win-3.1.05152-k9.pkg                                                                                                                                                                           100%   34MB 212.0KB/s   02:42    
    Connection to 1.1.1.1 closed by remote host.
    steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-macosx-i386-3.1.02040-k9.pkg /home/steve/Desktop/penvpn01-anyconnect/anyconnect-macosx-i386-3.1.02040-k9.pkg
    serdman@1.1.1.1's password:
    anyconnect-macosx-i386-3.1.02040-k9.pkg                                                                                                                                                                   100%   11MB 226.7KB/s   00:48    
    Connection to 1.1.1.1 closed by remote host.
    steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-3.1.02040-k9.pkg /home/steve/Desktop/anyconnect-linux-3.1.02040-k9.pkg
    serdman@1.1.1.1's password:
    anyconnect-linux-3.1.02040-k9.pkg                                                                                                                                                                         100%   11MB 317.9KB/s   00:34    
    Connection to 1.1.1.1 closed by remote host.
    steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-64-3.1.02040-k9.pkg /home/steve/Desktop/anyconnect-linux-64-3.1.02040-k9.pkg
    serdman@1.1.1.1's password:
    anyconnect-linux-64-3.1.02040-k9.pkg                                                                                                                                                                      100% 9735KB 314.0KB/s   00:31    
    Connection to 1.1.1.1 closed by remote host.
    steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-macosx-i386-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-macosx-i386-3.1.05152-k9.pkg
    serdman@1.1.1.1's password:
    anyconnect-macosx-i386-3.1.05152-k9.pkg                                                                                                                                                                   100%   11MB 334.6KB/s   00:34  
    Connection to 1.1.1.1 closed by remote host.  
    steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-64-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-linux-64-3.1.05152-k9.pkg
    serdman@1.1.1.1's password:
    anyconnect-linux-64-3.1.05152-k9.pkg                                                                                                                                                                      100%   10MB 343.9KB/s   00:31  
    Connection to 1.1.1.1 closed by remote host.
    steve @ phiberoptiklmde ~ :) ##   scp steve@1.1.1.1:anyconnect-linux-3.1.05152-k9.pkg /home/steve/Desktop/anyconnect-linux-3.1.05152-k9.pkg
    serdman@1.1.1.1's password:
    anyconnect-linux-3.1.05152-k9.pkg                                                                                                                                                                         100%   10MB 341.5KB/s   00:31    
    Connection to 1.1.1.1 closed by remote host.
    steve @ phiberoptiklmde ~ :) ##


    Bash Shell Customizing

    I’ve had a request for a blog on how to update bash shell. I’ll put more into this in the future, but for now, here is the actual code in my .bashrc file.

    Basically, I like to have my command line environment customized to my liking, just like any other user/administrator. So what I’ve done here is added some color to my shell, as well as added some nice, helpful and easy to remember aliases that really save time in typing.

    Here is a screenshot of what my shell looks like:

    Screenshot

    #PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
    PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"

    # mint-fortune - If you like the fortunes, keep this on, otherwise delete it.
    # you will need to have Mint Fortunes installed on your system for this to work
    /usr/bin/mint-fortune

    #------------------------------------------------------------------------------------------------------
    #------------------------------------------------------------------------------------------------------


    #[Color Prompt] This adds color prompt to your shell.
    #    I've gone through and figured out a whole bunch
    #    of colors so you can go ahead and customize to
    #    your heart's content.

    force_color_prompt=yes

    #[Variables]
    RESET="\[\017\]"
    NORMAL="\[\033[;m\]"
    LGREEN="\[\033[1;32m\]"
    LGREEN0="\[\033[0;32m\]"
    LBLUE="\[\033[1;34m\]"
    LCYAN="\[\033[1;36m\]"
    LRED="\[\033[1;31m\]"
    LPURPLE="\[\033[1;35m\]"
    BLACK="\[\033[0;30m\]"
    BLUE="\[\033[0;34m\]"
    GREEN="\[\033[0;32m\]"
    CYAN="\[\033[0;36m\]"
    PURPLE="\[\033[0;35m\]"
    BROWN="\[\033[0;33m\]"
    LGRAY="\[\033[0;37m\]"
    DGREY="\[\033[01;30m\]"
    RED="\[\033[0;31m\]"
    YELLOW="\[\033[01;33m\]"
    WHITE="\[\033[01;37m\]"


    #[Good Command]
    SMILEY="${GREEN}:)${NORMAL}"

    #[Bad Command]
    FROWNY="${RED}:(${NORMAL}"

    #[Command Judge]
    SELECT="if [ \$? = 0 ]; then echo \"${SMILEY}\"; else echo \"${FROWNY}\"; fi"

    #[Working PS1 output]
    PS1="${RESET}${LCYAN}\u ${RED}@ ${LCYAN}\h: ${YELLOW}\w\a~ \`${SELECT}\` ${YELLOW}\$ ${GREEN} ${NORMAL} "


    #------------------------------------------------------------------------------------------------------
    #------------------------------------------------------------------------------------------------------


    #[Aliases]
    alias du="du -bchsS"
    alias ll="ls -alhF --color=auto"
    alias ..='cd ..'
    alias ...='cd ../..'
    alias dfah='df -ah'
    alias mount='mount |column -t'
    alias now='date +"%T"'
    alias nowdate='date +"%d-%m-%Y"'
    alias vlspci='sudo lspci -vvnn'
    alias vi=vim
    alias disks='sudo blkid && sudo fdisk -l'

    alias svi='sudo vi'
    alias vis='vim "+set si"'
    alias edit='vim'
    alias ports='netstat -tulanp'
    alias apt-get="sudo apt-get"
    alias updatey="sudo apt-get --yes"
    alias update='sudo apt-get update && sudo apt-get upgrade'
    alias meminfo='free -m -l -t'
    alias psmem='ps auxf | sort -nr -k 4'
    alias psmem10='ps auxf | sort -nr -k 4 | head -10'
    alias pscpu='ps auxf | sort -nr -k 3'
    alias pscpu10='ps auxf | sort -nr -k 3 | head -10'
    alias cpuinfo='lscpu'
    ##alias cpuinfo='less /proc/cpuinfo' ##
    alias gpumeminfo='grep -i --color memory /var/log/Xorg.0.log'
    alias reboot='sudo /sbin/reboot'
    alias poweroff='sudo /sbin/poweroff'
    alias halt='sudo /sbin/halt'
    alias shutdown='sudo /sbin/shutdown'
    alias tftpstuff='sudo chmod 777 /tftp/* && sudo chown root:root /tftp/*'


    #------------------------------------------------------------------------------------------------------
    #------------------------------------------------------------------------------------------------------

    #[Backups] This section is where I have my backups defined.
    #    For more information, please check out my "Backups"
    #    blog. You can find it here:
    #    http://www.erdmanor.com/blog/debian-backups-command-line-way/

    alias backupall='sudo rsync -athvz --delete --exclude-from=/backups/exclude.list / /backups/computername/path/to/save/backups'


    Backing up Cisco Configurations for Routers, Switches and Firewalls

    I will add more about this when I have time. Until then, you should be able to just install python, paramiko and pexpect and run this script as-is (obviously changing the variables).

    This should give you all the software you need:

    sudo apt-get update
    sudo apt-get install python python-pexpect python-paramiko

    I plan on GREATLY increasing the ability of this script, adding additional functionality, as well as setting up a bash script that will be able to parse the configs, and perform much deeper backup abilities for ASAs.

    I have not tested this on Routers and Switches. I can tell you that the production 5520 HA Pair that I ran this script against was running “Cisco Adaptive Security Appliance Software Version 8.4(2)160”. Theoretically, I would believe that this would work with all 8.4 code and up, including the 9.x versions that are out as of the writing of this blog.

    Here you go! Full Scripted interrogation of Cisco ASA 5520 that can be setup to run on a CRON job.

    #!/usr/bin/python
    import paramiko, pexpect, hashlib, StringIO, re, getpass, os, time, ConfigParser, sys, datetime, cmd, argparse



    ### DEFINE VARIABLES

    currentdate="10-16-2014"
    hostnamesfile='vpnhosts'
    asahost="192.168.222.1"
    tacacsuser='testuser'
    userpass='Password1'
    enpass='Password2'
    currentipaddress="192.168.222.1"
    currenthostname="TESTASA"


    #dummy=sys.argv[0]
    #currentdate=sys.argv[1]
    #currentipaddress=sys.argv[2]
    #tacacsuser=sys.argv[3]
    #userpass=sys.argv[4]
    #enpass=sys.argv[5]
    #currenthostname=sys.argv[6]

    parser = argparse.ArgumentParser(description='Get "show version" from a Cisco ASA.')
    parser.add_argument('-u', '--user',     default='cisco', help='user name to login with (default=cisco)')
    parser.add_argument('-p', '--password', default='cisco', help='password to login with (default=cisco)')
    parser.add_argument('-e', '--enable',   default='cisco', help='password for enable (default=cisco)')
    parser.add_argument('-d', '--device',   default=asahost, help='device to login to (default=192.168.222.1)')
    args = parser.parse_args()

       


    #python vpnbackup.py $currentdate $currentipaddress $tacacsuser $userpass $enpass $currenthostname



    def asaLogin():

        # start the SSH session
        child = pexpect.spawn ('ssh '+tacacsuser+'@'+asahost)

        # testing to see if I can increase the buffer
        child.maxread=9999999

        # expect the password prompt
        child.expect ('.*assword:.*')
        # send the user password
        child.sendline (userpass)
        # expect the user-mode prompt
        child.expect ('.*>.*')
        # send the enable command
        child.sendline ('enable')
        # expect the enable password prompt
        child.expect ('.*assword:.*')
        # send the enable password
        child.sendline (enpass)
        # expect the enable-mode prompt (10 second timeout)
        child.expect ('#.*', timeout=10)
        # set the terminal pager to 0
        child.sendline ('terminal pager 0')
        # expect the enable-mode prompt (10 second timeout)
        child.expect ('#.*', timeout=10)
        # create the output directories
        createDir()
        # capture "show version"
        showVersion(child)
        # capture the running config
        showRun(child)
        # capture "show crypto isakmp sa"
        showCryptoIsakmp(child)
        # capture "dir disk0:"
        dirDisk0(child)
        # capture "show interface"
        showInterfaces(child)
        # capture "show route"
        showRoute(child)
        # capture "show vpn-sessiondb detail"
        showVpnSessionDetail(child)
        # capture "show vpn-sessiondb webvpn"
        showWebVpnSessions(child)
        # capture the AnyConnect sessions
        showAnyConnectSessions(child)
        # send exit
        child.sendline('exit')
        # close the SSH session
        child.close()
       
       
    def createDir():
        if not os.path.exists(currentdate):
            os.makedirs(currentdate)
        if not os.path.exists(currentdate+"/"+currenthostname):
            os.makedirs(currentdate+"/"+currenthostname)
       
       
       
    def showVersion(child):
        #setting a new file for output")
        fout = file(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"sh-ver.txt",'w')
        #capturing the command output to the file")
        child.logfile_read = fout
        #sending show version")
        child.sendline('show version')
        #expect enable mode prompt = timeout 400")
        child.expect(".*# ", timeout=50)
        #closing the log file")
        fout.close()
       
       
    def showRun(child):
        #setting a new file for output")
        fout = file(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"sh-run.txt",'w')
        #capturing the command output to the file")
        child.logfile_read = fout
        #sending more system running-config")
        child.sendline('more system:running-config')
        #expect enable mode prompt = timeout 400
        child.expect(".*# ", timeout=999)
        #closing the log file
        fout.close()   
       

    def showCryptoIsakmp(child):
        #setting a new file for output")
        fout = file(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"cryptoisakmp.txt",'w')
        #capturing the command output to the file")
        child.logfile_read = fout
        #sending show crypto isakmp sa")
        child.sendline('show crypto isakmp sa')
        #expect enable mode prompt = timeout 400
        child.expect(".*# ", timeout=50)
        #closing the log file
        fout.close()   


    def dirDisk0(child):
        # Open a new output file for this command
        fout = open(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"dirdisk0.txt",'w')
        # Capture everything read from the device into the file
        child.logfile_read = fout
        # Send "dir disk0:"
        child.sendline('dir disk0:')
        # Wait for the enable-mode prompt (timeout: 75 seconds)
        child.expect(".*# ", timeout=75)
        # Detach the log first so later reads never write to a closed file
        child.logfile_read = None
        # Close the log file
        fout.close()


    def showInterfaces(child):
        # Open a new output file for this command
        fout = open(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"interfaces.txt",'w')
        # Capture everything read from the device into the file
        child.logfile_read = fout
        # Send "show interface"
        child.sendline('show interface')
        # Wait for the enable-mode prompt (timeout: 100 seconds)
        child.expect(".*# ", timeout=100)
        # Detach the log first so later reads never write to a closed file
        child.logfile_read = None
        # Close the log file
        fout.close()


    def showRoute(child):
        # Open a new output file for this command
        fout = open(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"show-route.txt",'w')
        # Capture everything read from the device into the file
        child.logfile_read = fout
        # Send "show route"
        child.sendline('show route')
        # Wait for the enable-mode prompt (timeout: 300 seconds)
        child.expect(".*# ", timeout=300)
        # Detach the log first so later reads never write to a closed file
        child.logfile_read = None
        # Close the log file
        fout.close()


    def showVpnSessionDetail(child):
        # Open a new output file for this command
        fout = open(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"vpnsession.txt",'w')
        # Capture everything read from the device into the file
        child.logfile_read = fout
        # Send "show vpn-sessiondb detail"
        child.sendline('show vpn-sessiondb detail')
        # Wait for the enable-mode prompt (timeout: 50 seconds)
        child.expect(".*# ", timeout=50)
        # Detach the log first so later reads never write to a closed file
        child.logfile_read = None
        # Close the log file
        fout.close()


    def showWebVpnSessions(child):
        # Open a new output file for this command
        fout = open(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"webvpns.txt",'w')
        # Capture everything read from the device into the file
        child.logfile_read = fout
        # Send "show vpn-sessiondb webvpn"
        child.sendline('show vpn-sessiondb webvpn')
        # Wait for the enable-mode prompt (timeout: 200 seconds)
        child.expect(".*# ", timeout=200)
        # Detach the log first so later reads never write to a closed file
        child.logfile_read = None
        # Close the log file
        fout.close()


    def showAnyConnectSessions(child):
        # Open a new output file for this command
        fout = open(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"anyconnectvpns.txt",'w')
        # Capture everything read from the device into the file
        child.logfile_read = fout
        # Send "show vpn-sessiondb anyconnect"
        child.sendline('show vpn-sessiondb anyconnect')
        # Wait for the enable-mode prompt (timeout: 999 seconds)
        child.expect(".*# ", timeout=999)
        # Detach the log first so later reads never write to a closed file
        child.logfile_read = None
        # Close the log file
        fout.close()




    def main():
        # Run the asaLogin function defined earlier in the script
        asaLogin()


    main()

    Here are all the websites that have provided help to me writing these scripts:
    http://www.802101.com/2014/06/automated-asa-ios-and-nx-os-backups.html
    http://yourlinuxguy.com/?p=300
    http://content.hccfl.edu/pollock/Unix/FindCmd.htm
    http://paulgporter.net/2012/12/08/30/
    http://paklids.blogspot.com/2012/01/securely-backup-cisco-firewall-asa-fwsm.html
    http://ubuntuforums.org/archive/index.php/t-106287.html
    http://stackoverflow.com/questions/12604468/find-and-delete-txt-files-in-bash
    http://stackoverflow.com/questions/9806944/grep-only-text-files
    http://unix.stackexchange.com/questions/132417/prompt-user-to-login-as-root-when-running-a-shell-script
    http://stackoverflow.com/questions/6961389/exception-handling-in-shell-scripting
    http://stackoverflow.com/questions/7140817/python-ssh-into-cisco-device-and-run-show-commands
    http://pastebin.com/qGRdQwpa
    http://blog.pythonicneteng.com/2012/11/pexpect-module.html
    https://pynet.twb-tech.com/blog/python/paramiko-ssh-part1.html
    http://twistedmatrix.com/pipermail/twisted-python/2007-July/015793.html
    http://www.lag.net/paramiko/
    http://www.lag.net/paramiko/docs/
    http://stackoverflow.com/questions/25127406/paramiko-2-tier-cisco-ssh
    http://rtomaszewski.blogspot.com/2012/08/problem-runing-ssh-or-scp-from-python.html
    http://www.copyandwaste.com/posts/view/pexpect-python-and-managing-devices-tratto/
    http://askubuntu.com/questions/344407/how-to-read-complete-line-in-for-loop-with-spaces
    http://stackoverflow.com/questions/10463216/python-pexpect-timeout-falls-into-traceback-and-exists
    http://stackoverflow.com/questions/21055943/pxssh-connecting-to-an-ssh-proxy-timeout-exceeded-in-read-nonblocking
    http://www.pennington.net/tutorial/pexpect_001/pexpect_tutorial.pdf
    https://github.com/npug/asa-capture/blob/master/asa-capture.py
    http://stackoverflow.com/questions/26227791/ssh-with-subprocess-popen


    Creating a basic monitoring server for network devices

    I’ve recently been working more and more with network device management. So, to help with up-time monitoring, interface statistics, bandwidth utilization, and alerting, I’ve been building up a server with some great Open Source tools. My clients love it because it costs virtually nothing to run these machines, and it helps keep the network running smoothly when we know what is going on within the network.

    One thing I haven’t been able to do yet is SYSLOG monitoring with the ability to generate email alerts off of specific SYSLOG messages. That’s in the works, and I’ll be adding that information into this blog as soon as I get it up and running properly.

    I am using Debian 7.6 for this Operating System. Mainly because it’s very stable, very small, and doesn’t update as frequently (making it easier to manage). You can follow a basic install of this OS from here: Debian Minimal Install. That will get you up and running and we’ll take it from there.

    Okay, now that you have an OS running, go ahead and open up a command prompt and log in as your user account or “root”. Then run “sudo su”.

    Now we will update apt:

    apt-get update

     

    From here, let’s get LAMP installed and running so our web services will run properly.

    apt-get install apache2
    apt-get install mysql-server
    apt-get install php5 php-pear php5-mysql

     

    Now that we have that all set up, let’s secure MySQL a bit:

    mysql_secure_installation

     

    When you run through this, make sure to answer these questions:

    root@testmonitor:/root# mysql_secure_installation




    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
          SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!


    In order to log into MySQL to secure it, we'll need the current
    password for the root user.  If you've just installed MySQL, and
    you haven't set the root password yet, the password will be blank,
    so you should just press enter here.

    Enter current password for root (enter for none):
    OK, successfully used password, moving on...

    Setting the root password ensures that nobody can log into the MySQL
    root user without the proper authorisation.

    You already have a root password set, so you can safely answer 'n'.

    Change the root password? [Y/n] n
     ... skipping.

    By default, a MySQL installation has an anonymous user, allowing anyone
    to log into MySQL without having to have a user account created for
    them.  This is intended only for testing, and to make the installation
    go a bit smoother.  You should remove them before moving into a
    production environment.

    Remove anonymous users? [Y/n] y
     ... Success!

    Normally, root should only be allowed to connect from 'localhost'.  This
    ensures that someone cannot guess at the root password from the network.

    Disallow root login remotely? [Y/n] y
     ... Success!

    By default, MySQL comes with a database named 'test' that anyone can
    access.  This is also intended only for testing, and should be removed
    before moving into a production environment.

    Remove test database and access to it? [Y/n] y
     - Dropping test database...
    ERROR 1008 (HY000) at line 1: Can't drop database 'test'; database doesn't exist
     ... Failed!  Not critical, keep moving...
     - Removing privileges on test database...
     ... Success!

    Reloading the privilege tables will ensure that all changes made so far
    will take effect immediately.

    Reload privilege tables now? [Y/n] y
     ... Success!

    Cleaning up...



    All done!  If you've completed all of the above steps, your MySQL
    installation should now be secure.

    Thanks for using MySQL!

     
     

    Let’s test the server and make sure it’s working properly. Using nano, edit the file “info.php” in the “www” directory:

    nano /var/www/info.php

     

    Add in the following lines:

    <?php
    phpinfo();
    ?>

     

    Now, open a web browser and type in the server’s IP address and the info page:

    http://192.168.0.101/info.php

     

     

    Now let’s get Cacti installed.

    apt-get install cacti cacti-spine

    Make sure to let the installer know that you’re using Apache2 as your HTTP server.

    Also, you’ll need to let the installer “Configure database for cacti with dbconfig-common”. Say yes!

    After apt is done installing your software, you’ll have to finish the install from a web browser.

    http://192.168.0.101/cacti/install/

     

    After answering a couple very easy questions, you’ll be finished and presented with a login screen.

    The default credentials for cacti are “admin:admin”

    From there you can log in and start populating your server with all the devices that you want to monitor. It’s that easy.

     

     

     

     

    Now, let’s get Nagios installed. Again, it’s really easy. I just install everything nagios (don’t forget the asterisk after nagios):

    apt-get install nagios*

    This is what it will look like:

    root@debiantest:/root# apt-get install nagios*
    Reading package lists... Done
    Building dependency tree      
    Reading state information... Done
    Note, selecting 'nagios-nrpe-plugin' for regex 'nagios*'
    Note, selecting 'nagios-nrpe-doc' for regex 'nagios*'
    Note, selecting 'nagios-plugins-basic' for regex 'nagios*'
    Note, selecting 'check-mk-config-nagios3' for regex 'nagios*'
    Note, selecting 'nagios2' for regex 'nagios*'
    Note, selecting 'nagios3' for regex 'nagios*'
    Note, selecting 'nagios-snmp-plugins' for regex 'nagios*'
    Note, selecting 'uwsgi-plugin-nagios' for regex 'nagios*'
    Note, selecting 'ndoutils-nagios3-mysql' for regex 'nagios*'
    Note, selecting 'nagios-plugins' for regex 'nagios*'
    Note, selecting 'gosa-plugin-nagios-schema' for regex 'nagios*'
    Note, selecting 'nagios-nrpe-server' for regex 'nagios*'
    Note, selecting 'nagios-plugin-check-multi' for regex 'nagios*'
    Note, selecting 'nagios-plugins-openstack' for regex 'nagios*'
    Note, selecting 'libnagios-plugin-perl' for regex 'nagios*'
    Note, selecting 'nagios-images' for regex 'nagios*'
    Note, selecting 'pnp4nagios-bin' for regex 'nagios*'
    Note, selecting 'nagios3-core' for regex 'nagios*'
    Note, selecting 'libnagios-object-perl' for regex 'nagios*'
    Note, selecting 'nagios-plugins-common' for regex 'nagios*'
    Note, selecting 'nagiosgrapher' for regex 'nagios*'
    Note, selecting 'nagios' for regex 'nagios*'
    Note, selecting 'nagios3-dbg' for regex 'nagios*'
    Note, selecting 'nagios3-cgi' for regex 'nagios*'
    Note, selecting 'nagios3-common' for regex 'nagios*'
    Note, selecting 'nagios3-doc' for regex 'nagios*'
    Note, selecting 'pnp4nagios' for regex 'nagios*'
    Note, selecting 'pnp4nagios-web' for regex 'nagios*'
    Note, selecting 'ndoutils-nagios2-mysql' for regex 'nagios*'
    Note, selecting 'nagios-plugins-contrib' for regex 'nagios*'
    Note, selecting 'ndoutils-nagios3' for regex 'nagios*'
    Note, selecting 'nagios-plugins-standard' for regex 'nagios*'
    Note, selecting 'gosa-plugin-nagios' for regex 'nagios*'
    The following extra packages will be installed:
      autopoint dbus fonts-droid fonts-liberation fping freeipmi-common freeipmi-tools gettext ghostscript git git-man gosa gsfonts imagemagick-common libavahi-client3 libavahi-common-data libavahi-common3 libc-client2007e
      libcalendar-simple-perl libclass-accessor-perl libclass-load-perl libclass-singleton-perl libconfig-tiny-perl libcroco3 libcrypt-smbhash-perl libcups2 libcupsimage2 libcurl3 libcurl3-gnutls libdata-optlist-perl libdate-manip-perl
      libdatetime-locale-perl libdatetime-perl libdatetime-timezone-perl libdbus-1-3 libdigest-hmac-perl libdigest-md4-perl libencode-locale-perl liberror-perl libfile-listing-perl libfont-afm-perl libfpdf-tpl-php libfpdi-php
      libfreeipmi12 libgd-gd2-perl libgd2-xpm libgettextpo0 libgomp1 libgs9 libgs9-common libhtml-form-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl
      libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libice6 libijs-0.35 libio-pty-perl libio-socket-ip-perl libio-socket-ssl-perl libipc-run-perl libipmiconsole2 libipmidetect0 libjansson4 libjasper1 libjbig0 libjbig2dec0
      libjpeg8 libjs-jquery-ui libkohana2-php liblcms2-2 liblist-moreutils-perl liblqr-1-0 libltdl7 liblwp-mediatypes-perl liblwp-protocol-https-perl liblwp-useragent-determined-perl libmagickcore5 libmagickwand5 libmail-imapclient-perl
      libmailtools-perl libmath-calc-units-perl libmath-round-perl libmcrypt4 libmemcached10 libmodule-implementation-perl libmodule-runtime-perl libnet-dns-perl libnet-http-perl libnet-ip-perl libnet-libidn-perl libnet-smtp-tls-perl
      libnet-snmp-perl libnet-ssleay-perl libodbc1 libpackage-deprecationmanager-perl libpackage-stash-perl libpackage-stash-xs-perl libpaper-utils libpaper1 libparams-classify-perl libparams-util-perl libparams-validate-perl
      libparse-recdescent-perl libpgm-5.1-0 libpq5 libradiusclient-ng2 libreadonly-perl libreadonly-xs-perl librecode0 librrds-perl librtmp0 libruby1.9.1 libslp1 libsm6 libsocket-perl libssh2-1 libsub-install-perl libsub-name-perl
      libsystemd-login0 libtalloc2 libtdb1 libtiff4 libtimedate-perl libtry-tiny-perl libunistring0 liburi-perl libwbclient0 libwww-perl libwww-robotrules-perl libxpm4 libxt6 libyaml-0-2 libyaml-syck-perl libzmq1 mlock ndoutils-common
      perlmagick php-fpdf php5-curl php5-gd php5-imagick php5-imap php5-ldap php5-mcrypt php5-recode poppler-data python-httplib2 python-keystoneclient python-pkg-resources python-prettytable qstat rsync ruby ruby1.9.1 samba-common
      samba-common-bin slapd smarty3 smbclient ttf-liberation uwsgi-core x11-common
    Suggested packages:
      dbus-x11 freeipmi-ipmidetect freeipmi-bmc-watchdog gettext-doc ghostscript-cups ghostscript-x hpijs git-daemon-run git-daemon-sysvinit git-doc git-el git-arch git-cvs git-svn git-email git-gui gitk gitweb gosa-si-server
      cyrus21-imapd postfix-ldap gosa-schema php5-suhosin php-apc uw-mailutils cups-common libgd-tools libdata-dump-perl libjasper-runtime libjs-jquery-ui-docs libkohana2-modules-php liblcms2-utils libcrypt-ssleay-perl
      libmagickcore5-extra libauthen-sasl-perl libmcrypt-dev mcrypt libio-socket-inet6-perl libcrypt-des-perl libmyodbc odbc-postgresql tdsodbc unixodbc-bin libscalar-number-perl slpd openslp-doc libauthen-ntlm-perl backuppc perl-doc
      cciss-vol-status expect ndoutils-doc imagemagick-doc ttf2pt1 rrdcached libgearman-client-perl libcrypt-rijndael-perl poppler-utils fonts-japanese-mincho fonts-ipafont-mincho fonts-japanese-gothic fonts-ipafont-gothic
      fonts-arphic-ukai fonts-arphic-uming fonts-unfonts-core python-distribute python-distribute-doc ri ruby-dev ruby1.9.1-examples ri1.9.1 graphviz ruby1.9.1-dev ruby-switch ldap-utils cifs-utils nginx-full cherokee libapache2-mod-uwsgi
      libapache2-mod-ruwsgi uwsgi-plugins-all uwsgi-extra
    The following NEW packages will be installed:
      autopoint check-mk-config-nagios3 dbus fonts-droid fonts-liberation fping freeipmi-common freeipmi-tools gettext ghostscript git git-man gosa gosa-plugin-nagios gosa-plugin-nagios-schema gsfonts imagemagick-common libavahi-client3
      libavahi-common-data libavahi-common3 libc-client2007e libcalendar-simple-perl libclass-accessor-perl libclass-load-perl libclass-singleton-perl libconfig-tiny-perl libcroco3 libcrypt-smbhash-perl libcups2 libcupsimage2 libcurl3
      libcurl3-gnutls libdata-optlist-perl libdate-manip-perl libdatetime-locale-perl libdatetime-perl libdatetime-timezone-perl libdbus-1-3 libdigest-hmac-perl libdigest-md4-perl libencode-locale-perl liberror-perl libfile-listing-perl
      libfont-afm-perl libfpdf-tpl-php libfpdi-php libfreeipmi12 libgd-gd2-perl libgd2-xpm libgettextpo0 libgomp1 libgs9 libgs9-common libhtml-form-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl
      libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libice6 libijs-0.35 libio-pty-perl libio-socket-ip-perl libio-socket-ssl-perl libipc-run-perl libipmiconsole2 libipmidetect0
      libjansson4 libjasper1 libjbig0 libjbig2dec0 libjpeg8 libjs-jquery-ui libkohana2-php liblcms2-2 liblist-moreutils-perl liblqr-1-0 libltdl7 liblwp-mediatypes-perl liblwp-protocol-https-perl liblwp-useragent-determined-perl
      libmagickcore5 libmagickwand5 libmail-imapclient-perl libmailtools-perl libmath-calc-units-perl libmath-round-perl libmcrypt4 libmemcached10 libmodule-implementation-perl libmodule-runtime-perl libnagios-object-perl
      libnagios-plugin-perl libnet-dns-perl libnet-http-perl libnet-ip-perl libnet-libidn-perl libnet-smtp-tls-perl libnet-snmp-perl libnet-ssleay-perl libodbc1 libpackage-deprecationmanager-perl libpackage-stash-perl
      libpackage-stash-xs-perl libpaper-utils libpaper1 libparams-classify-perl libparams-util-perl libparams-validate-perl libparse-recdescent-perl libpgm-5.1-0 libpq5 libradiusclient-ng2 libreadonly-perl libreadonly-xs-perl librecode0
      librrds-perl librtmp0 libruby1.9.1 libslp1 libsm6 libsocket-perl libssh2-1 libsub-install-perl libsub-name-perl libsystemd-login0 libtalloc2 libtdb1 libtiff4 libtimedate-perl libtry-tiny-perl libunistring0 liburi-perl libwbclient0
      libwww-perl libwww-robotrules-perl libxpm4 libxt6 libyaml-0-2 libyaml-syck-perl libzmq1 mlock nagios-images nagios-nrpe-plugin nagios-nrpe-server nagios-plugin-check-multi nagios-plugins nagios-plugins-basic nagios-plugins-common
      nagios-plugins-contrib nagios-plugins-openstack nagios-plugins-standard nagios-snmp-plugins nagios3 nagios3-cgi nagios3-common nagios3-core nagios3-dbg nagios3-doc nagiosgrapher ndoutils-common ndoutils-nagios3-mysql perlmagick
      php-fpdf php5-curl php5-gd php5-imagick php5-imap php5-ldap php5-mcrypt php5-recode pnp4nagios pnp4nagios-bin pnp4nagios-web poppler-data python-httplib2 python-keystoneclient python-pkg-resources python-prettytable qstat rsync ruby
      ruby1.9.1 samba-common samba-common-bin slapd smarty3 smbclient ttf-liberation uwsgi-core uwsgi-plugin-nagios x11-common
    0 upgraded, 196 newly installed, 0 to remove and 0 not upgraded.
    Need to get 81.9 MB of archives.
    After this operation, 272 MB of additional disk space will be used.
    Do you want to continue [Y/n]?

     

     

    Now to test, just login at http://your-server-ip/nagios3/

    You’ll have to look up tutorials on configuring Nagios and Cacti. Of the two, Cacti is much easier because it’s all web based. But Nagios isn’t too difficult once you get used to playing around with config files.

    One last thing I did was set up a landing page to point at the services. To do that just edit the index.html file in your www folder like this:

    root@testdebian:/etc/nagios3/conf.d/hosts# cat /var/www/index.html
    <html><body><h1>TEST Monitoring Server</h1>
    <p>This is the landing page for the TEST Monitoring server.</p>
    <p>&nbsp;</p>
    <p>Please use the following links to access services:</p>
    <p><a href="/nagios3"> 1. Nagios</a></p>
    <p><a href="/cacti"> 2. Cacti</a></p>
    </body></html>
    root@testdebian:/etc/nagios3/conf.d/hosts#

    Now you can browse to the IP address and get an easy-to-use page that links to whichever service you want!

    Let me know if you have any questions!


    Open Source: Postfix Mail Relay, SPAM filter, DNS Server, Web Server, AWStats, ISPConfig3 and More!


    Everyone out there hates SPAM, right? I know I do. And my domain isn’t out there that much, so I can’t say that I get anywhere near as much SPAM mail as some large enterprise businesses do. What If I told you that your Barracuda Spam filter, or your McAfee Spam Filter, or whatever paid product, is junk? What if I told you that we can get you up and running with a FREE SPAM filter for your mail server. What if I told you that it was just as easy to setup and use as your current SPAM filter? How about this question: How much are you paying for your current SPAM filter?

    Well, this blog post is getting put together for all you people out there that love spending money on useless junk. Welcome to the world of Free Software projects that have been around for well more than a decade. Instead of paying $100+ grand a year on an appliance, how about you employ a real person to manage a few Linux boxes? That’s entirely what we’re planning right here. So come along, we’re going to show you how to setup your already existing Microsoft Exchange server to sit in a more secure, higher tier DMZ, and setup a Debian server, from scratch, to host a Postfix server that is going to work with Amavis, Spam Assassin, and ClamAV to securely inspect all your mail.

    Warning… This blog is long. Be prepared, and make sure you have TIME!

    I very seriously recommend following my previous blog on how to build a Debian Server: Debian Minimal Install

     
     

    But if you want to just push forward, just follow these instructions:
     
     
    Let’s start with getting your Debian server built and running. Start with getting a Virtual Machine up and running. Boot to your Small Debian ISO and kick off the install.
     
    You can really just hit “next” on many of the screens during the install. English language, USA, keyboard layout American English, etc…
     
    Make sure you pick a server name that is going to last a while, like CompanySPAM01, or something unique like that.
     
    Setup your domain name, root password, user accounts, etc…
     
    Setup your partitions however you deem fit, install packages, pick a local Debian Mirror repository, etc…
     
    NOW, when you get to Software Selection, DO NOT INSTALL “Graphical Desktop Environment”. The only thing you need is an SSH Server and the “Standard System Utilities”.
     

    Install the GRUB boot loader as normal, and boom, you’re done!

     
     

    Alright, so boot up your new Debian server, and lets get going. Log in as root or whatever user you created and lets get some housekeeping completed.

     

    So Let’s get a static Address on this thing by editing this file: /etc/network/interfaces

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    #allow-hotplug eth0
    #iface eth0 inet dhcp
    auto eth0
    iface eth0 inet static
    address 192.168.0.100
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.1

     

    And you can restart networking with this:

    /etc/init.d/networking restart

     

    Next we’ll get the SSH Server so we can get some remote access to this server.

    apt-get install ssh openssh-server openssh-client

     

    When that’s done you should be able to SSH from your local machine to this virtual host using:

    ssh steve@192.168.0.100

     
     

    You’ll probably want to sudo from this user, so if that’s the case:

    su root
    Password:
    # apt-get install sudo
    # nano /etc/sudoers

     
     

    When Editing the sudoers file, if you break it, have fun! Just copy the line where root is and paste it right below, change the name root to your username. Like this:

    # User privilege specification
    root ALL=(ALL) ALL
    steve ALL=(ALL) ALL

     
     

    Now, we need to update this thing to install “Dotdeb” software. So Edit your “/etc/apt/sources.list”

    # Dotdeb repository
    deb http://packages.dotdeb.org squeeze all
    deb-src http://packages.dotdeb.org squeeze all

     
     

    Now we can add the GPG key:

    wget http://www.dotdeb.org/dotdeb.gpg
    cat dotdeb.gpg | sudo apt-key add -
    Ok!
    apt-get update
    apt-get upgrade

     
     

    Now we need to make sure that NTP is installed and running properly on our new server, we’ll also need Postfix, Amavisd, SpamAssassin, ClamAV, and a slew of other software. And at the same time go ahead and install Bind9 if you plan on hosting your Externally facing DNS zones from here. It’s not a bad idea, and even if you’re a small company, you can easily do this on your own.

    apt-get install ntp ntpdate

     

    Then you can “sudo nano /etc/ntp.conf”

    # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

    driftfile /var/lib/ntp/ntp.drift
    statistics loopstats peerstats clockstats
    filegen loopstats file loopstats type day enable
    filegen peerstats file peerstats type day enable
    filegen clockstats file clockstats type day enable

    # Specify one or more NTP servers.

    server kerberos.mydomain.com #insert your PDC here
    server kerberos2.mydomain.com #secondary DC
    server kerberos3.mydomain.com #third DC
    server 1.ubuntu.pool.ntp.org #fall back to Ubuntu's NTP
    server 2.ubuntu.pool.ntp.org #
    server 3.ubuntu.pool.ntp.org #
    #

     
     

    Now install more software:

    apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils

     

    During the install, Postfix will ask you what type of site this is; make sure to choose “INTERNET SITE”. The System mail name is going to be the primary domain name that you own and operate. In my case this is “erdmanor.com”. Then you’ll be prompted to set up passwords for MySQL.

     

    If you do a “netstat -ntap” you’ll see that MySQL is bound to the local loopback address (127.0.0.1). We don’t want this. We need to make sure that MySQL is listening on all interfaces, so comment out the bind-address line in this file: “/etc/mysql/my.cnf”. Make sure to look at all the other options you can set in there too. It’s a pretty big conf file.

    #bind-address = 127.0.0.1

    And when you’re done, restart the MySQL Server like this: “sudo /etc/init.d/mysql restart”

     
     

    Now rerun your “netstat -ntap” and verify that it’s running on 0.0.0.0:3306.

    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -
    tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
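
With bind-address commented out, port 3306 is reachable on every interface the host has, so anything the firewall does not block can talk to MySQL. The following is an added example, not part of the original post: it parses `netstat -ntap` output and lists TCP listeners bound to all interfaces that are not on an allowlist. The sample output, the allowlist and every function name are assumptions made for illustration.

```python
"""Audit `netstat -ntap` output for TCP listeners bound to every interface."""
import ipaddress
from collections import namedtuple

Listener = namedtuple("Listener", "proto host port scope program")

# Constructed sample: the three listeners shown above plus loopback,
# single-address, established and IPv6 cases (PIDs and programs are made up).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address      State       PID/Program name
tcp        0      0 0.0.0.0:22         0.0.0.0:*            LISTEN      812/sshd
tcp        0      0 0.0.0.0:25         0.0.0.0:*            LISTEN      1404/master
tcp        0      0 0.0.0.0:3306       0.0.0.0:*            LISTEN      1190/mysqld
tcp        0      0 127.0.0.1:10024    0.0.0.0:*            LISTEN      1533/amavisd
tcp        0      0 192.168.0.100:53   0.0.0.0:*            LISTEN      977/named
tcp        0      0 192.168.0.100:22   192.168.0.50:51514   ESTABLISHED 2011/sshd: steve
tcp6       0      0 :::80              :::*                 LISTEN      1650/nginx
tcp6       0      0 ::1:953            :::*                 LISTEN      977/named
"""

# Assumed policy for this mail relay: only SSH, SMTP and HTTP may be
# bound to every interface. Adjust to the services you intend to publish.
ALLOWED_WILDCARD_PORTS = {22, 25, 80}


def bind_scope(host):
    """Classify a local bind address as all-interfaces, loopback or single-address."""
    if host == "*":
        return "all-interfaces"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if addr.is_unspecified:      # 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:         # 127.0.0.0/8 or ::1
        return "loopback"
    return "single-address"


def parse_listeners(text):
    """Return a Listener for every TCP socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Columns: proto recv-q send-q local foreign state [pid/program]
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        # Split on the last colon so IPv6 forms such as ":::80" keep their host part.
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        program = " ".join(fields[6:]) or "-"
        listeners.append(Listener(fields[0], host, int(port), bind_scope(host), program))
    return listeners


def unexpected_wildcard_listeners(listeners, allowed_ports=ALLOWED_WILDCARD_PORTS):
    """Listeners reachable on every interface whose port is not on the allowlist."""
    return [l for l in listeners
            if l.scope == "all-interfaces" and l.port not in allowed_ports]


def report(text):
    """Build a human-readable summary, one line per listener."""
    listeners = parse_listeners(text)
    flagged = set(unexpected_wildcard_listeners(listeners))
    lines = []
    for l in sorted(listeners, key=lambda x: (x.port, x.proto)):
        mark = "REVIEW" if l in flagged else "ok"
        lines.append("%-6s %-5s %5d  %-15s %s" % (mark, l.proto, l.port, l.scope, l.program))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
```

To run it against the live host, pass the text of `netstat -ntap` to `report()` in place of `SAMPLE_NETSTAT`. A listener marked REVIEW should either be rebound to a specific address or be covered by a firewall rule that limits who can reach it.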

     
     

    Alright, so let’s get some SPAM killing software installed. Running this command will prompt you to install this software and a ton of dependencies. Save your scroll back and you can go through that stuff later.

    apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl nginx

     
     

    Awesome, now we have most of the software we need. Let’s get the website up and running for our PHPMyAdmin site and ISPConfig3 software. Now, I’m no PHP wizard or expert, but all of these packages are necessary. If you need more information, I’ve left some links in the sources portion of this blog, all the way at the bottom. Again, you’ll see a bunch of dependencies installed here.

    apt-get install php5-fpm php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl fcgiwrap

     
     

    Now we’re ready to install PhpMyAdmin:

    apt-get install phpmyadmin

     

    You’ll see that Apache is installed at this time, again with many other dependencies. When installing this software, make sure that you answer these questions:
    1. Webserver to reconfigure: (this is a checkbox, don’t check either of them).
    2. Configure database for phpmyadmin with dbconfig-common?: NO

    PhpMyAdmin is installed into this directory: “/usr/share/phpmyadmin/” You can check it out like this:

    ls -alh /usr/share/phpmyadmin/

     
     

    Like I stated before, Apache is installed now. We need to stop the Apache service while we’re configuring the server, and we need to make sure that Apache doesn’t start with the system too. We’ll turn it back on later. Then we can get nginx (Pronounced, Engine-X) started up.

    sudo /etc/init.d/apache2 stop
    sudo insserv -r apache2
    sudo /etc/init.d/nginx start

     
     

    Now we can get DNS working, but first we need to install it. We’ll configure it later.

    apt-get install bind9 dnsutils

     
     

    If you’re looking to get some statistics from your server and analyze logs, etc… you’ll want to get some stat software installed.

    “Vlogger is a little piece of code borned to handle dealing with large amounts of virtualhost logs. it’s bad news that apache can’t do this on its own. vlogger takes piped input from apache, splits it off to separate files based on the first field. it uses a file handle cache so it can’t run out of file descriptors. it will also start a new logfile every night at midnight, and maintain a symlink to the most recent file. for security, it can drop privileges and do a chroot to the logs directory.”

     

    “The Webalizer is a fast, free web server log file analysis program. It produces highly detailed, easily configurable usage reports in HTML format, for viewing with a standard web browser.”

     

    “AWStats is a free powerful and featureful tool that generates advanced web, streaming, ftp or mail server statistics, graphically. This log analyzer works as a CGI or from command line and shows you all possible information your log contains, in few graphical web pages. It uses a partial information file to be able to process large log files, often and quickly. It can analyze log files from all major server tools like Apache log files (NCSA combined/XLF/ELF log format or common/CLF log format), WebStar, IIS (W3C log format) and a lot of other web, proxy, wap, streaming servers, mail servers and some ftp servers.”

     

    apt-get install vlogger webalizer awstats geoip-database

     
     

    First thing we’ll do here is stop the AWStats cron job by commenting out all the lines in the AWStats Cron job. Start by editing this file: “/etc/cron.d/awstats”

    #*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
    #
    # Generate static reports:
    #10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

     
     

    Next we’re going to make sure that Apache is stopped and that nginx is running so that we can install ISPConfig3. This is super important, otherwise you’ll have all kinds of issues when you install ISPConfig3!

    sudo /etc/init.d/apache2 stop
    sudo /etc/init.d/nginx restart

     
     

    Now you need to download ISPConfig3 from their website. http://www.ispconfig.org/ispconfig-3/download/

    cd ~/tarballs #create this directory if it doesn't exist.
    wget http://prdownloads.sourceforge.net/ispconfig/ISPConfig-3.0.4.6.tar.gz
    tar -zxvf ISPConfig-3.0.4.6.tar.gz
    cd ~/tarballs/ispconfig3_install/install/
    sudo php -q install.php

     
     

    The ISPConfig3 installer is now running, and it will help you configure all the necessary services.

    steve@:~/tarballs/ispconfig3_install/install$ sudo php -q install.php
    PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/ming.ini on line 1 in Unknown on line 0
    PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/ps.ini on line 1 in Unknown on line 0

    --------------------------------------------------------------------------------
     _____ ___________   _____              __ _         ____
    |_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
      | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
      | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
     _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
     \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                                  __/ |
                                                 |___/
    --------------------------------------------------------------------------------


    >> Initial configuration

    Operating System: Debian 6.0 (Squeeze/Sid) or compatible

    Following will be a few questions for primary configuration so be careful.
    Default values are in [brackets] and can be accepted with <ENTER>.
    Tap in "quit" (without the quotes) to stop the installer.

    Select language (en,de) [en]: en

    Installation mode (standard,expert) [standard]: standard

    Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server.erdmanor.com]:

    MySQL server hostname [localhost]:

    MySQL root username [root]:

    MySQL root password []: {generate a long password here}

    MySQL database to create [dbispconfig]: {something clever}

    MySQL charset [utf8]:

    Apache and nginx detected. Select server to use for ISPConfig: (apache,nginx) [apache]: nginx

    Generating a 2048 bit RSA private key
    .......+++
    ..................................................................+++
    writing new private key to 'smtpd.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Ohio
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Erdmanor.com
    Organizational Unit Name (eg, section) []:IT-IS
    Common Name (eg, YOUR name) []:Steve Erdman
    Email Address []:webmaster
    Configuring Jailkit
    Configuring SASL
    Configuring PAM
    Configuring Courier
    PHP Warning: chmod(): No such file or directory in /home/steve/tarballs/ispconfig3_install/install/lib/installer_base.lib.php on line 838
    Configuring Spamassassin
    Configuring Amavisd
    Configuring Getmail
    Configuring Pureftpd
    sh: cannot create /etc/pure-ftpd/conf/ChrootEveryone: Directory nonexistent
    sh: cannot create /etc/pure-ftpd/conf/BrokenClientsCompatibility: Directory nonexistent
    sh: cannot create /etc/pure-ftpd/conf/DisplayDotFiles: Directory nonexistent
    sh: cannot create /etc/pure-ftpd/conf/DontResolve: Directory nonexistent
    Configuring MyDNS
    Configuring nginx
    Configuring Vlogger
    Configuring Apps vhost
    Configuring Bastille Firewall
    PHP Notice: Undefined index: fail2ban in /home/steve/tarballs/ispconfig3_install/install/install.php on line 263
    Installing ISPConfig
    ISPConfig Port [8080]:

    Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: y

    Generating RSA private key, 4096 bit long modulus
    .................................................................................................................................................................................................................................................++
    .............................................................................++
    e is 65537 (0x10001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Ohio
    Locality Name (eg, city) []:Concord-Twp
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Erdmanor.com
    Organizational Unit Name (eg, section) []:IT-IS
    Common Name (eg, YOUR name) []:Steve Erdman
    Email Address []:webmaster@erdmanor.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:Erdman.cc
    writing RSA key
    Configuring DBServer
    Installing ISPConfig crontab
    no crontab for root
    no crontab for getmail
    Restarting services ...
    Stopping MySQL database server: mysqld.
    Starting MySQL database server: mysqld ..
    Checking for tables which need an upgrade, are corrupt or were
    not closed cleanly..
    Stopping Postfix Mail Transport Agent: postfix.
    Starting Postfix Mail Transport Agent: postfix.
    Stopping amavisd: amavisd-new.
    Starting amavisd: amavisd-new.
    Stopping ClamAV daemon: clamd.
    Starting ClamAV daemon: clamd .
    Reloading PHP5 FastCGI Process Manager: php5-fpm.
    Reloading nginx configuration: nginx.
    Restarting nginx: nginx.
    nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
    nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
    nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
    nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
    nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
    nginx: [emerg] still could not bind()
    Installation completed.

     
     
     

    Now that you have ISPConfig3 installed, pop open a web browser and head over to your new ISPConfig3 control panel. The default credentials are super secure: admin:admin. Obviously you’re going to be changing those… RIGHT?!

     

    You need to start by adding a new website to your ISPConfig3 admin console. So Click on “Sites” then “Create new website…”

     

    Here you need to fill out the proper information: the server the site is hosted on, the domain name you’re hosting, whether you need CGI, SSI or SSL, and the type of PHP you want. Obviously it’ll be active.

     

    From what I’ve seen out on some other websites, we need to create some “mod_rewrite” aliases, because the phpMyAdmin console needs to be available from a few different URLs. So if you’re hosting multiple hostnames or domains from this server, you’ll basically need to create a vhost alias for each one. It’s a lot of manual work, but at the end of the day it’ll be worth it. I got this code snippet from the www.howtoforge.com website, so make sure to visit them and say thanks!

    This code MUST go into the “nginx Directives” field on the Options tab of each website managed inside ISPConfig3:

    location /phpmyadmin {
        root /usr/share/;
        index index.php index.html index.htm;
        # PHP scripts are handed to the FastCGI backend on 127.0.0.1:9000
        location ~ ^/phpmyadmin/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include /etc/nginx/fastcgi_params;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        # Static assets are served straight from /usr/share/phpmyadmin
        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    # Alias the mixed-case URL to the lowercase location
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }

     
     

    Now, from a security perspective, I would highly recommend disabling http (port 80) and only using https (SSL over port 443). I’m not stupid though and realize that not everyone can afford to pay for a site certificate. If you’re a small organization, make sure to only allow access to this server from the internal network of your organization. Obviously this server should be sitting in your multi-tiered DMZ as I outlined in a previous blog, Serious network architecture that works for everyone. For a site served over HTTPS, the directives get the extra line “fastcgi_param HTTPS on;”:

    location /phpmyadmin {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/phpmyadmin/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param HTTPS on; # tell PHP the request arrived over HTTPS
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include /etc/nginx/fastcgi_params;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }
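
The two recommendations above (HTTPS only, internal network only) can be written into the same “nginx Directives” field. This is an added example, not part of the original post or the HowtoForge snippet; it assumes the vhost answers on both port 80 and port 443, and 10.0.0.0/8 is a placeholder for your internal range.

```nginx
# Added example for the ISPConfig3 "nginx Directives" field (server context).
# Assumption: 10.0.0.0/8 stands in for your organization's internal network.

# Redirect plain-HTTP requests to HTTPS instead of serving them.
# $server_name is the first name configured for the vhost, so the
# redirect target does not depend on the client-supplied Host header.
if ($scheme != "https") {
    return 301 https://$server_name$request_uri;
}

location /phpmyadmin {
    # Rules are evaluated in order; the first match wins.
    # The nested locations below inherit them because they
    # declare no allow/deny directives of their own.
    allow 127.0.0.1;
    allow 10.0.0.0/8;
    deny all;

    root /usr/share/;
    index index.php index.html index.htm;

    location ~ ^/phpmyadmin/(.+\.php)$ {
        try_files $uri =404;
        root /usr/share/;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param HTTPS on;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
        fastcgi_intercept_errors on;
    }
    location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
        root /usr/share/;
    }
}
location /phpMyAdmin {
    rewrite ^/* /phpmyadmin last;
}
```

Requests from outside the allowed ranges get a 403 from nginx before PHP is ever invoked, so the phpMyAdmin login page is not reachable from them. Run “sudo nginx -t” before restarting to catch syntax errors.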

     
     

    If you are using HTTPS across your site and you want to force users to use it, then you need to edit your “/etc/nginx/nginx.conf” file and add the code below, which sets the $fastcgi_https variable from the request scheme. Make sure the code is placed inside the braces of the http block, otherwise you’ll have all sorts of issues getting this to work:

    http {
        ## Detect when HTTPS is used
        map $scheme $fastcgi_https {
            default off;
            https on;
        }
    }

     

     

    Then restart nginx:

    sudo /etc/init.d/nginx restart

     
     

    For nginx to work over both HTTP and HTTPS, you’ll need to go into your “nginx Directives” again and instead of the “fastcgi_param HTTPS on”, you need to add the line “fastcgi_param HTTPS $fastcgi_https” so that requests will work over both protocols.

    location /phpmyadmin {
        root /usr/share/;
        index index.php index.html index.htm;
        location ~ ^/phpmyadmin/(.+\.php)$ {
            try_files $uri =404;
            root /usr/share/;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param HTTPS $fastcgi_https; # on or off, set by the map in nginx.conf
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include /etc/nginx/fastcgi_params;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 4k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_intercept_errors on;
        }
        location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
            root /usr/share/;
        }
    }
    location /phpMyAdmin {
        rewrite ^/* /phpmyadmin last;
    }

     
     

    Now, let’s get back to the mail setup. Start by running the “newaliases” command, then restart Postfix.

    newaliases
    /etc/init.d/postfix restart

     
     

    So from here on out, everything should be manageable from the ISPConfig3 Control Panel. If you have any further questions, feel free to contact me!

     
     
     
     

    Sources:
    http://www.dotdeb.org/
    http://wiki.nginx.org/Main
    http://php-fpm.org/about/
    http://php.net/manual/en/book.apc.php
    http://www.if-not-true-then-false.com/2012/php-apc-configuration-and-usage-tips-and-tricks/
    http://nginx.localdomain.pl/wiki/FcgiWrap
    http://wiki.nginx.org/Fcgiwrap
    http://community.linuxmint.com/software/view/vlogger
    http://www.webalizer.org/
    http://awstats.sourceforge.net/
    http://www.howtoforge.com/perfect-server-debian-squeeze-debian-6.0-with-bind-dovecot-and-nginx-ispconfig-3
