
@sebbo2002
Last active January 1, 2016 20:00
Julian
# Base package setup: purge the listed mail, DNS, Samba and LDAP packages,
# bring the system fully up to date, then install the admin tools.
# Presumably run as root (no sudo is used) -- confirm before pasting.
# NOTE(review): `apt-get autoremove` is the only step without -y, so the
# chain stops there and waits for confirmation.
# NOTE(review): ufw is installed by the last step, but nothing in this
# snippet enables it or adds rules, so no firewall policy is active after
# this step alone.
apt-get update && \
aptitude purge -y rmail fetchmail procmail bsd-mailx sendmail sendmail-cf sendmail-doc sendmail-base sendmail-bin sensible-mda && \
aptitude purge -y sendmail-base bind9 samba samba-common cifs-utils ldap-utils && \
aptitude -y full-upgrade && \
apt-get autoremove && \
aptitude install -y bash-completion unzip nano htop git mosh curl ufw ntp mailutils
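# Edit the network-hardening drop-in, then load that file explicitly.
# A bare `sysctl -p` reads only /etc/sysctl.conf, so the values written to
# /etc/sysctl.d/10-network-security.conf would not be applied until the
# next boot even though "OK." is printed.
nano /etc/sysctl.d/10-network-security.conf && sysctl -p /etc/sysctl.d/10-network-security.conf && echo "OK."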
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
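# Mitigate SYN floods: larger SYN backlog and fewer SYN-ACK retries.
# tcp_syn_retries applies to outgoing connections only. SYN cookies
# (net.ipv4.tcp_syncookies) are not set in this file.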
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
# net.ipv4.icmp_echo_ignore_all = 1
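# Smarthost settings
# Note: "may" is opportunistic TLS, so delivery continues unencrypted if the
# relay does not offer STARTTLS; "encrypt" makes TLS mandatory.
# /etc/postfix/sasl_password holds the relay credentials: keep it and its
# postmap-generated .db file readable by root only.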
smtp_tls_security_level = may
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noplaintext noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
# rkhunter local overrides. The option lines that follow on this page
# (DISABLE_TESTS, SCRIPTWHITELIST, ALLOW*) presumably belong in this file --
# confirm. Each whitelist entry is something rkhunter will no longer report.
nano /etc/rkhunter.conf.local
# Package defaults file; the APT_AUTOGEN setting further down presumably
# goes here -- confirm.
nano /etc/default/rkhunter
# DISABLED TESTS (KVM)
# DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps os_specific"
# IGNORE SCRIPTS
# SCRIPTWHITELIST=/usr/bin/unhide.rb
# IGNORE /dev
# ALLOWDEVFILE=/dev/.udev/rules.d/root.rules
# ALLOWDEVFILE="/dev/tty10"
# IGNORE HIDDEN
# ALLOWHIDDENDIR=/dev/.udev
# ALLOWHIDDENFILE="/dev/.initramfs"
# IGNORE DELETED FILES
# ALLOWPROCDELFILE=/usr/sbin/mysqld:
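# Set this to yes to enable automatic database updates
# (default: false)
# Note: on Debian-style packaging this presumably refreshes rkhunter's
# file-properties baseline after each package operation, so a file changed
# in that window is accepted as known-good. Confirm the behaviour and
# review rkhunter warnings before package runs if you enable it.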
APT_AUTOGEN="true"
# Create ~/.ssh with owner-only access, paste the public key(s) into
# authorized_keys in the editor, then restrict that file to owner
# read/write. Each step runs only if the previous one succeeded.
mkdir -p ~/.ssh \
  && chmod 700 ~/.ssh \
  && nano ~/.ssh/authorized_keys \
  && chmod 600 ~/.ssh/authorized_keys \
  && echo "OK."
#!/usr/bin/perl -w
# check_zfs Nagios plugin for monitoring Sun ZFS zpools
# Copyright (c) 2007
# Written by Nathan Butcher
# Released under the GNU Public License
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# Version: 0.9.2
# Date : 24th July 2007
# This plugin has been tested on FreeBSD 7.0-CURRENT and Solaris 10
# With a bit of fondling, it could be expanded to recognize other OSes in
# future (e.g. if FUSE Linux gets off the ground)
# Verbose levels:-
# 1 - Only alert us of zpool health and size stats
# 2 - ...also alert us of failed devices when things go bad
# 3 - ...alert us of the status of all devices regardless of health
#
# Usage: check_zfs <zpool> <verbose level 1-3>
# Example: check_zfs zeepool 1
# ZPOOL zeedata : ONLINE {Size:3.97G Used:183K Avail:3.97G Cap:0%}
use strict;
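## Nagios plugin exit codes, keyed by state name
my %ERRORS=('DEPENDENT'=>4,'UNKNOWN'=>3,'OK'=>0,'WARNING'=>1,'CRITICAL'=>2);
## every early exit below reports UNKNOWN until a check has actually run
my $state="UNKNOWN";
my $msg="FAILURE";
## exactly two arguments are required: pool name and verbose level
if (@ARGV != 2) {
    print "Usage: $0 <zpool name> <verbose level 1-3>\n";
    exit $ERRORS{$state};
}
# Tony disabled this, ZFS pools are in Linux
#if ($^O ne 'solaris' && $^O ne 'freebsd') {
# print "This plugin currently only works on Solaris 10, OpenSolaris distributions, and FreeBSD 7 and later.\n";
# exit $ERRORS{$state};
#}
my $pool=$ARGV[0];
my $verbose=$ARGV[1];
## SECURITY: the pool name is later placed on "sudo zpool ..." command
## lines and interpolated into regexes. Accept only a plain pool name
## (a letter, then letters, digits, '_', '.', ':' or '-') so that shell
## metacharacters, whitespace and a leading '-' (which zpool would read as
## an option) are rejected before anything runs under sudo. The rejected
## value is deliberately not echoed back.
if ($pool !~ /\A[A-Za-z][A-Za-z0-9_.:-]*\z/) {
    print "Invalid zpool name\n";
    exit $ERRORS{$state};
}
## fields filled in from the 'zpool list' output
my $size="";
my $used="";
my $avail="";
my $cap="";
my $expandsz="";
my $frag="";
my $health="";
## accumulated per-device detail appended to the final status line
my $dmge="";
my $dedup="";
## the level must be exactly 1, 2 or 3; a numeric comparison alone would
## also let through values such as "2abc" or "1.5"
if ($verbose !~ /\A[123]\z/) {
    print "Verbose levels range from 1-3\n";
    exit $ERRORS{$state};
}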
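## Query 'zpool list' for the pool's size and health summary.
## The string form is kept only for the diagnostic message; the command
## itself is started in list form so that no shell ever parses $pool.
my $statcommand="sudo zpool list $pool";
my $list_fh;
if (! open $list_fh, '-|', 'sudo', 'zpool', 'list', $pool) {
    print "$state '$statcommand' command returns no result! NOTE: This plugin needs OS support for ZFS, and execution with root privileges.\n";
    exit $ERRORS{$state};
}
while (my $line = <$list_fh>) {
    chomp $line;
    ## skip the column header
    next if ($line =~ /^NAME\s+SIZE\s+USED\s+AVAIL\s+CAP\s+HEALTH\s+ALTROOT/);
    ## \Q...\E: match the pool name literally, never as a pattern
    if ($line =~ /^\Q$pool\E\s+/) {
        ## NOTE(review): the columns are taken by position (eight fields
        ## after the name, the last being HEALTH). A zpool version with a
        ## different column layout would put the wrong value in $health and
        ## raise a false CRITICAL -- confirm against the installed zpool.
        ($size, $used, $avail, $expandsz, $frag, $cap, $dedup, $health)
            = $line =~ /^\Q$pool\E\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)/;
    }
}
# Tony: Debuging
# print "Size: $size \t Used: $used \t Avai: $avail \t Cap: $cap \t Health: $health\n";
close($list_fh);
## check for valid zpool list response from zpool:
## no health value means the pool line was never seen or did not parse
if (! $health ) {
    $state = "CRITICAL";
    $msg = sprintf "ZPOOL {%s} does not exist and/or is not responding!\n", $pool;
    print $state, " ", $msg;
    exit ($ERRORS{$state});
}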
## map the pool health onto a plugin state:
## ONLINE -> OK, DEGRADED -> WARNING, anything else -> CRITICAL
if ($health eq "ONLINE") {
    $state = "OK";
}
elsif ($health eq "DEGRADED") {
    $state = "WARNING";
}
else {
    $state = "CRITICAL";
}
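## get more detail on possible device failure
## flag to detect section of zpool status involving our zpool:
##   0 = outside the device table
##   1 = the NAME/STATE/READ/WRITE/CKSUM header was the previous line
##   2 = inside the rows that follow our pool's own row
my $poolfind=0;
## The string form is kept only for the diagnostic message; the command
## itself is started in list form so that no shell ever parses $pool.
$statcommand="sudo zpool status $pool";
my $status_fh;
if (! open $status_fh, '-|', 'sudo', 'zpool', 'status', $pool) {
    $state = 'CRITICAL';
    print "$state '$statcommand' command returns no result! NOTE: This plugin needs OS support for ZFS, and execution with root privileges.\n";
    exit $ERRORS{$state};
}
## go through zfs status output to find zpool fses and devices
while (<$status_fh>) {
    chomp;
    ## \Q...\E: match the pool name literally, never as a pattern
    if (/^\s\Q$pool\E/ && $poolfind==1) {
        $poolfind=2;
        next;
    } elsif ( $poolfind==1 ) {
        ## the row after the header was not our pool
        $poolfind=0;
    }
    if (/NAME\s+STATE\s+READ\s+WRITE\s+CKSUM/) {
        $poolfind=1;
    }
    ## a blank line ends the device table
    if ( /^$/ ) {
        $poolfind=0;
    }
    if ($poolfind == 2) {
        ## special cases pertaining to full verbose
        if (/^\sspares/) {
            next unless $verbose == 3;
            $dmge=$dmge . "[SPARES]:- ";
            next;
        }
        if (/^\s{5}spare\s/) {
            next unless $verbose == 3;
            my ($sta) = /spare\s+(\S+)/;
            $dmge=$dmge . "[SPARE:${sta}]:- ";
            next;
        }
        if (/^\s{5}replacing\s/) {
            next unless $verbose == 3;
            my $perc;
            my ($sta) = /^\s+\S+\s+(\S+)/;
            ## show the percentage when the line carries one
            if (/%/) {
                ($perc) = /([0-9]+%)/;
            } else {
                $perc = "working";
            }
            $dmge=$dmge . "[REPLACING:${sta} (${perc})]:- ";
            next;
        }
        ## other cases
        my ($dev, $sta) = /^\s+(\S+)\s+(\S+)/;
        ## a row without both a name and a state column carries no device
        ## status; skip it instead of comparing and printing undef values
        next unless defined $sta;
        ## pool online, not degraded thanks to dead/corrupted disk
        if ($sta && $state eq "OK" && $sta eq "UNAVAIL") {
            $state="WARNING";
            ## switching to verbose level 2 to explain weirdness
            if ($verbose == 1) {
                $verbose =2;
            }
        }
        ## no display for verbose level 1
        next if ($verbose==1);
        ## don't display working devices for verbose level 2
        next if ($verbose==2 && $state eq "OK");
        next if ($verbose==2 && ($sta eq "ONLINE" || $sta eq "AVAIL" || $sta eq "INUSE"));
        ## show everything else; the bracket style follows the row's indent
        if (/^\s{3}(\S+)/) {
            $dmge=$dmge . "<" . $dev . ":" . $sta . "> ";
        } elsif (/^\s{7}(\S+)/) {
            $dmge=$dmge . "(" . $dev . ":" . $sta . ") ";
        } else {
            $dmge=$dmge . $dev . ":" . $sta . " ";
        }
    }
}
## the original never closed this pipe; close it to reap the child process
close($status_fh);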
## build the single-line plugin output, print it prefixed with the state
## name, and exit with the code Nagios expects for that state
$msg = sprintf(
    "ZPOOL %s : %s {Size:%s Used:%s Avail:%s Cap:%s} %s\n",
    $pool, $health, $size, $used, $avail, $cap, $dmge
);
print join(" ", $state, $msg);
exit $ERRORS{$state};
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDI07/r/Kexf65zELkJVsVX5u7FSZGIYzIKxZP9Pf9pabapK7raRqL5Pb5emG2o8PwAzqBXepIIU0x8m7G8fitRKzrt+KusdieHB96p26K47+p6crLbXt1YdLoabkO3Y3ufBhG4u8z5+P2nO4Dcfbb4TqUe02Ai3rHIzk3qqlO9Nk3JN7jF/qRuTXBqWnGUn/V2qywYWXtiB7thlTxeB/sV8uq2p8ts6j9/sXoJE9AS3G5Wgso9kQ4PM0+xDhnk+pnpOnI82Fhf/SnD0ML3hkymmbxKaUsGH2DG1+fLnQtfo1VuCTYmoGZUHaLxxEGELg0CHo6LTl3E+Z3Kig2bMDo9 mail@sebbo.net