Thursday, 26 November 2015

Four ways Zabbix can monitor a target

(1) Agent
( https://www.zabbix.com/documentation/2.2/manual/concepts/agent )

Zabbix Agent

Overview

Zabbix agent is deployed on a monitoring target to actively monitor
local resources and applications
(hard drives, memory, processor statistics etc).

The agent gathers operational information locally and reports data
to Zabbix server for further processing. In case of failures
(such as a hard disk running full or a crashed service process),
Zabbix server can actively alert the administrators of the particular
machine that reported the failure.

Zabbix agents are extremely efficient because of use of native system
calls for gathering statistical information.

(2) SNMP (https://zh.wikipedia.org/wiki/%E7%AE%80%E5%8D%95%E7%BD%91%E7%BB%9C%E7%AE%A1%E7%90%86%E5%8D%8F%E8%AE%AE)
     [SNMP(Simple Network Management Protocol)]

(3) JMX  ( https://zh.wikipedia.org/zh-tw/JMX )
     [JMX (Java Management Extensions)]

(4) IPMI ( https://zh.wikipedia.org/wiki/IPMI )
     [IPMI (Intelligent Platform Management Interface)]




Other related posts on this blog:

Adding SNMP OIDs to Zabbix monitoring
http://xrcd2.blogspot.tw/2012/10/snmp-oids-zabbix.html

(Java SNMP)
Cacti JVM Monitoring template ( Part I )
http://xrcd2.blogspot.tw/2012/12/cacti-jvm-monitoring-template.html

(Java JMX)
Cacti JVM Monitoring template ( Part II )
http://xrcd2.blogspot.tw/2013/01/cacti-jvm-monitoring-template-part-ii.html


How the monitored target is set up in Zabbix, and which Templates are applied to it, determines what Zabbix can see and do.


From this the difference between the agent and SNMP approaches can be seen.


Cacti polls at a fixed 5-minute interval (the minimum it can be lowered to is 1 minute), whereas Zabbix does not have to use a fixed interval.

Wednesday, 25 November 2015

Zatree for Zabbix 2.2.x (Zabbix Tree)

https://github.com/spide4k/zatree

https://github.com/spide4k/zatree/tree/master/zabbix-2.2.x

Taking Zabbix 2.2.x as the example, follow the installation procedure (SOP) at the URLs above.

Once that is done the zatree plugin is available.

Monday, 26 October 2015

Cacti Plugin Flowview 1.1 installation SOP


Environment: CentOS 6.x x86_64 + Cacti 0.8.8c

Prerequisite: install the flow-tools package.

Reference URL

http://pkgs.org/centos-6/epel-x86_64/flow-tools-0.68.5.1-1.el6.x86_64.rpm.html

Download

Download flow-tools-0.68.5.1-1.el6.x86_64.rpm for CentOS 6 from the EPEL repository.

Install Howto
Download the latest epel-release rpm from
http://dl.fedoraproject.org/pub/epel/6/x86_64/

Install epel-release rpm:
# rpm -Uvh epel-release*rpm

Install flow-tools rpm package:
# yum install flow-tools


Download flowview (flowview-v1.1-1.tgz)

http://docs.cacti.net/plugin:flowview


Extract the archive and place it in the Cacti plugins directory

#tar -zxvf flowview-v1.1-1.tgz

#mv flowview /var/www/html/cacti/plugins

[root@aaa plugins]# pwd
/var/www/html/cacti/plugins

[root@aaa plugins]# ll
total 32
drwxr-xr-x 3 cactiuser apache 4096 Sep 25  2011 clog
drwxr-xr-x 7 cactiuser apache 4096 Oct 26 17:12 flowview
-rw-r--r-- 1 cactiuser apache   44 Nov 24  2014 index.php
drwxr-xr-x 4 cactiuser apache 4096 Oct  6  2011 monitor
drwxrwxr-x 6 cactiuser apache 4096 Aug 29  2011 nectar
drwxr-xr-x 3 cactiuser apache 4096 Oct 26 16:26 settings
drwxr-xr-x 5 cactiuser apache 4096 Jan 12  2015 thold
drwxr-xr-x 9 cactiuser apache 4096 Jan 12  2015 weathermap
[root@aaa plugins]#

Create the directory for the raw flow data

#mkdir -p /var/netflow/flows/completed
#chmod 777 -R /var/netflow/flows/completed


In the Cacti web UI, install and enable Flowview:
Console -> Configuration -> Plugin Management -> Flowview: install & enable


Set the basic Flow Viewer information:
Console -> Configuration -> Settings -> Misc -> Flow Viewer



The key point here is to make sure the settings are correct and then press the SAVE button at the bottom right.

Configure the Flows Listener:

Plugins -> Flows -> Listeners -> Add ...


The key point here is to make sure the settings are correct and then press the SAVE button at the bottom right.


It is best to confirm that the settings above are actually present in the Cacti DB.

#mysql

mysql> use cacti;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SELECT value FROM `settings` WHERE name = 'path_flows_dir';
+------------------------------+
| value                        |
+------------------------------+
| /var/netflow/flows/completed |
+------------------------------+
1 row in set (0.00 sec)

mysql> SELECT * FROM plugin_flowview_devices;
+----+------+--------+-----------+------+---------+---------+----------+--------+-------------+
| id | name | folder | allowfrom | port | nesting | version | rotation | expire | compression |
+----+------+--------+-----------+------+---------+---------+----------+--------+-------------+
|  1 | Vyos | C7609  | 0         | 2205 | 3       | 5       |     1439 |      2 |           0 |
+----+------+--------+-----------+------+---------+---------+----------+--------+-------------+
1 row in set (0.00 sec)

mysql>



Replace the system default flow-capture init script

# Back up the original file

#mv /etc/init.d/flow-capture  /etc/init.d/flow-capture.bk

# Replace flow-capture

[root@aaa flowview]# pwd
/var/www/html/cacti/plugins/flowview
[root@aaa flowview]# cp flow-capture /etc/init.d/flow-capture



[root@aaa init.d]# pwd
/etc/init.d
[root@aaa init.d]# vi flow-capture
#!/usr/bin/php
<?php
/*
# description: Start Flow-Capture
# chkconfig: 2345 95 00
*/

# The following line must be set correctly, otherwise Flow-Capture will not run properly

$cacti_base = '/var/www/html/cacti';



Run flow-capture
#cd /etc/init.d/

[root@aaa init.d]# ./flow-capture start
NOTE: Starting Flow Tools
NOTE: Launching flow-capture as '/usr/bin/flow-capture -w /var/netflow/flows/completed/C7609 0/0/2205 -S5 -V5 -z 0 -n 1439 -e 2880 -N 3'
[root@aaa init.d]#



[root@aaa flowview]# netstat -antup | grep flow
udp        0      0 0.0.0.0:2205                0.0.0.0:*                               2494/flow-capture
[root@aaa flowview]#



If the following error message appears, check again that every setting in the Cacti web UI is correct;
the DB queries above can be used for this.


[root@aaa init.d]# ./flow-capture start
NOTE: Starting Flow Tools
WARNING: No flows configured

How to verify the flow-capture raw data


[root@aaa 2015-10-27]# pwd
/var/netflow/flows/completed/C7609/2015/2015-10/2015-10-27
[root@aaa 2015-10-27]#

[root@aaa 2015-10-27]# ll
total 88
-rw-r--r-- 1 root root   92 Oct 27 09:44 ft-v05.2015-10-27.094338+0800
-rw-r--r-- 1 root root   92 Oct 27 09:45 ft-v05.2015-10-27.094401+0800
-rw-r--r-- 1 root root   92 Oct 27 09:46 ft-v05.2015-10-27.094501+0800
-rw-r--r-- 1 root root   92 Oct 27 09:47 ft-v05.2015-10-27.094601+0800
-rw-r--r-- 1 root root   92 Oct 27 09:48 ft-v05.2015-10-27.094701+0800
-rw-r--r-- 1 root root   92 Oct 27 09:49 ft-v05.2015-10-27.094801+0800
-rw-r--r-- 1 root root   92 Oct 27 09:50 ft-v05.2015-10-27.094901+0800
-rw-r--r-- 1 root root   92 Oct 27 09:51 ft-v05.2015-10-27.095001+0800
-rw-r--r-- 1 root root   92 Oct 27 09:52 ft-v05.2015-10-27.095101+0800
-rw-r--r-- 1 root root   92 Oct 27 09:53 ft-v05.2015-10-27.095201+0800
-rw-r--r-- 1 root root   92 Oct 27 09:54 ft-v05.2015-10-27.095301+0800
-rw-r--r-- 1 root root   92 Oct 27 09:55 ft-v05.2015-10-27.095401+0800
-rw-r--r-- 1 root root   92 Oct 27 09:56 ft-v05.2015-10-27.095501+0800
-rw-r--r-- 1 root root   92 Oct 27 09:57 ft-v05.2015-10-27.095601+0800
-rw-r--r-- 1 root root   92 Oct 27 09:58 ft-v05.2015-10-27.095747+0800
-rw-r--r-- 1 root root   92 Oct 27 09:59 ft-v05.2015-10-27.095801+0800
-rw-r--r-- 1 root root   92 Oct 27 10:00 ft-v05.2015-10-27.095901+0800
-rw-r--r-- 1 root root   92 Oct 27 10:01 ft-v05.2015-10-27.100001+0800
-rw-r--r-- 1 root root   92 Oct 27 10:02 ft-v05.2015-10-27.100101+0800
-rw-r--r-- 1 root root 1244 Oct 27 10:03 ft-v05.2015-10-27.100201+0800
-rw-r--r-- 1 root root   92 Oct 27 09:57 tmp-v05.2015-10-27.095701+0800
-rw-r--r-- 1 root root   92 Oct 27 10:03 tmp-v05.2015-10-27.100301+0800
[root@aaa 2015-10-27]#


[root@aaa 2015-10-27]# cat  ft-v05.2015-10-27.100201+0800  |  flow-stat -f10
#  --- ---- ---- Report Information --- --- ---
#
# Fields:    Total
# Symbols:   Disabled
# Sorting:   None
# Name:      Source/Destination IP
#
# Args:      flow-stat -f10
#
#
# src IPaddr     dst IPaddr       flows                 octets                packets
#
192.168.1.17     192.168.1.255    1                     78                    1                
192.168.111.7    192.168.111.255  1                     78                    1                
0.0.0.0          255.255.255.255  1                     576                   1                
192.168.222.138  192.168.222.255  1                     78                    1                
192.168.111.46   192.168.111.255  1                     156                   2                
192.168.111.32   192.168.111.255  1                     78                    1                
192.168.1.208    192.168.1.255    1                     206                   1                
192.168.111.138  192.168.111.255  1                     78                    1                
192.168.111.173  192.168.111.255  1                     78                    1                
192.168.111.32   255.255.255.255  1                     328                   1                
169.254.104.223  169.254.255.255  1                     78                    1                
192.168.111.200  192.168.111.255  1                     78                    1                
192.168.1.142    192.168.1.255    1                     78                    1                
192.168.1.152    192.168.1.255    1                     156                   2                
192.168.1.59     192.168.1.255    1                     234                   3                
192.168.111.136  192.168.111.255  1                     78                    1                
192.168.1.149    192.168.1.255    1                     312                   4                
192.168.1.180    192.168.1.255    1                     78                    1                
[root@aaa 2015-10-27]#
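As an added example (not part of the Flowview plugin or flow-tools), a small Python parser for the `flow-stat -f10` report shown above: it reads the source/destination rows, sums octets per source, and counts how many flows went to broadcast addresses, which is what the sample capture above mostly contains. The SAMPLE_REPORT lines are constructed from the column layout shown.

```python
"""Parse the text report printed by `flow-stat -f10` (Source/Destination IP
totals) and summarise it. Added example, not part of the Flowview SOP."""
import ipaddress
from collections import defaultdict

# Constructed sample in the exact column layout of `flow-stat -f10`
SAMPLE_REPORT = """\
#  --- ---- ---- Report Information --- --- ---
# Fields:    Total
# Name:      Source/Destination IP
# Args:      flow-stat -f10
#
# src IPaddr     dst IPaddr       flows                 octets                packets
#
192.168.1.17     192.168.1.255    1                     78                    1
0.0.0.0          255.255.255.255  1                     576                   1
192.168.111.46   192.168.111.255  1                     156                   2
192.168.1.59     192.168.1.255    1                     234                   3
192.168.1.59     10.0.0.5         4                     9000                  12
"""


def parse_flow_stat(text):
    """Return a list of (src, dst, flows, octets, packets) tuples.
    Comment lines (starting with '#') and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError('unexpected flow-stat line: %r' % line)
        src = ipaddress.ip_address(parts[0])
        dst = ipaddress.ip_address(parts[1])
        rows.append((src, dst, int(parts[2]), int(parts[3]), int(parts[4])))
    return rows


def is_broadcast(addr, prefix_len=24):
    """True for the limited broadcast address 255.255.255.255 or for the
    directed broadcast of the address's /24 (assumed LAN prefix length)."""
    addr = ipaddress.ip_address(addr)
    if addr == ipaddress.ip_address('255.255.255.255'):
        return True
    net = ipaddress.ip_network('%s/%d' % (addr, prefix_len), strict=False)
    return addr == net.broadcast_address


def summarise(rows):
    """Aggregate octets per source address and count flows whose destination
    is a broadcast address; returns a dict with the results."""
    octets_by_src = defaultdict(int)
    broadcast_flows = 0
    for src, dst, flows, octets, _packets in rows:
        octets_by_src[str(src)] += octets
        if is_broadcast(dst):
            broadcast_flows += flows
    top = sorted(octets_by_src.items(), key=lambda kv: kv[1], reverse=True)
    return {'top_talkers': top,
            'broadcast_flows': broadcast_flows,
            'total_octets': sum(r[3] for r in rows)}


if __name__ == '__main__':
    summary = summarise(parse_flow_stat(SAMPLE_REPORT))
    for src, octets in summary['top_talkers'][:5]:
        print('%-16s %d octets' % (src, octets))
    print('flows to broadcast addresses:', summary['broadcast_flows'])
```

To run it on a real capture, pipe `cat ft-v05.* | flow-stat -f10` into the script and pass the text to parse_flow_stat instead of SAMPLE_REPORT.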


The following is used to fix the problem of the plugin_flowview_devices records no longer existing after the DB is restarted.

#mysql

mysql> use cacti;
mysql> ALTER TABLE  plugin_flowview_devices ENGINE=MyISAM;


====================


# vyos netflow configuration setting  ( vyatta )


set system flow-accounting netflow version 5
set system flow-accounting netflow server 192.168.111.xxx port 2205
set system flow-accounting interface eth0
set system flow-accounting netflow timeout expiry-interval 60
set system flow-accounting netflow sampling-rate 500
set system flow-accounting netflow engine-id  0
set system flow-accounting netflow timeout max-active-life 604800
set system flow-accounting netflow timeout flow-generic 3600
set system flow-accounting netflow timeout tcp-fin 300
set system flow-accounting netflow timeout tcp-generic 3600
set system flow-accounting netflow timeout tcp-rst 120
set system flow-accounting netflow timeout icmp 300
set system flow-accounting netflow timeout udp 300

DEMO


Sunday, 18 October 2015

Internal push-mail requirement

Background

In a real server room some devices only support simple mail alerts, for example NetApp or Fortigate units.
With a push-mail mechanism those mail alerts can be forwarded to a mobile phone as SMS.

Reference information and approaches:

http://www.bulksms.com/features/send-sms-messages-from-your-email.htm



http://developer.bulksms.com/eapi/code-samples/



http://developer.bulksms.com/eapi/code-samples/perl/send_sms/

send_sms.pl

#!/usr/bin/perl -w
use strict;
use HTTP::Request::Common;
use LWP::UserAgent;

my $ua = LWP::UserAgent->new(timeout => 30);

# Please see the FAQ regarding HTTPS (port 443) and HTTP (port 80/5567)

# Form-encoded POST to the EAPI endpoint; replace the ?EAPI URL? placeholder
# with the base URL from the BulkSMS documentation
my $res = $ua->request(POST '?EAPI URL?/submission/send_sms/2/2.0',
Content_Type => 'application/x-www-form-urlencoded',
Content => [
username => 'myusername',
password => 'xxxxxxxxxx',
msisdn => '44123123123',
message => 'Test from Perl',
],
);

if ($res->is_error) {
  die "HTTP request error, with error code ".$res->code.
  ", and body:\n\n".$res->error_as_HTML;
}

# The EAPI answers with "status_code|status_description|batch_id"
my ($result_code, $result_string, $batch_id) = split(/\|/, $res->content);

if ($result_code eq '0') {
  print "Message sent: batch $batch_id";
}
else {
  print "Error sending: $result_code: $result_string";
}
print "\n";

The Mail-to-SMS gateway approach above is a service that only specialised companies provide.

To build push mail yourself, the following can be used as a reference, with Perl as the example:


http://cpansearch.perl.org/src/LENGEL/Net-SMS-2Way-0.08-FIXED/contrib/email2sms.pl

# Author: Lee Engel, <lee@kode.co.za>
# Copyright (C) 2009 by Lee S. Engel
# A very simple email-to-sms gateway.

# INSTALLATION INSTRUCTIONS:
# Create a user which will handle all the email-to-sms stuff. Example: adduser -m -d /home/sms sms
# Install Net::SMS::2Way and create a config file for it at /home/sms/sms.cfg
# Install the MailTool Perl module. (See http://search.cpan.org/~markov/MailTools-2.04/)  Try this: perl -MCPAN -e " install( 'MailTool' ); "
# Create a .forward file in the sms user's home directory:  echo '|/home/sms/email2sms.pl' > /home/sms/.forward
# Change your alias_maps config option in /etc/postfix/main.cf  to look like this: alias_maps = hash:/etc/aliases pcre:/etc/aliases-regexp
# Create /etc/aliases-regexp with a line which looks like this: /^\d+$/ sms
# Copy this script to /home/sms/email2sms.pl and make it executable by all.


From the description above, this can be achieved through the mail .forward mechanism.
Since Net::SMS::2Way uses the BulkSMS API by default

http://bulksms.2way.co.za/docs/eapi/submission/send_sms/

which is not really suited to personal use, the idea was to build a custom Email-to-SMS gateway (push mail server).

The sample program above was copied and adapted as follows:

[root@aaa zabbix]# cat .forward
|/home/zabbix/sms/email2sms.pl

[root@aaa zabbix]# cat /home/zabbix/sms/email2sms.pl
#!/usr/bin/perl
use strict;
use warnings;
use Mail::Header;
use Mail::Internet;
use Mail::Send;

# Read the whole message that Postfix pipes in through .forward
my $mail = Mail::Internet->new(\*STDIN);
my $mail_headers = $mail->head();

my $mail_body = $mail->body();
$mail->tidy_body( $mail_body );

my $body_text = join( "\n",  @$mail_body );
chomp( $body_text );

# Keep only the first 160 characters (one SMS segment)
if( length( $body_text ) > 160 )
{
    $body_text = substr( $body_text, 0, 160 );
}

my $headers = $mail_headers->header_hashref();
my $sender_address = $headers->{From}->[0];
$sender_address =~ s/^(\S+)\s+.*/$1/;
chomp( $sender_address );

my @to_headers = qw( To X-Original-To Delivered-To );

foreach my $to_header ( @to_headers )
{
    # Log the sender and the text that will be pushed out as SMS
    open( my $write_log, '>>', '/home/zabbix/mail2sms.txt' ) or die "cannot open log: $!";
    print $write_log "$sender_address $body_text\n";
    close( $write_log );
    # This is where the call to your own enterprise SMS API goes
    last;
}
[root@aaa zabbix]#


The effect is that when someone sends mail to the zabbix user, the .forward above is triggered,
which then runs this script.
The script only needs to pass $body_text on as the body of the SMS API call, and the simple
push-mail task is complete.
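As an added example (not the post's Perl script), the same email-to-SMS extraction in Python using only the standard library: it reads the message a .forward pipe delivers, takes the address part of From:, picks the text/plain part of a multipart message, and cuts the result to one 160-character SMS segment, the edge case the Perl substr call had to be corrected for. The sample message, its addresses and the sms.example domain are constructed.

```python
"""Turn a raw RFC 822 message (as delivered on STDIN by a .forward pipe) into
a (sender, sms_text) pair. Added example, not the post's own code."""
import email
import email.policy
import sys
from email.utils import parseaddr

SMS_MAX_LEN = 160  # one GSM SMS segment


def extract_sender(msg):
    """Return only the address part of From:, e.g. 'zabbix@host'."""
    _name, addr = parseaddr(msg.get('From', ''))
    return addr


def extract_text(msg):
    """Return the decoded text/plain body; for multipart mail take the
    first text/plain part, or an empty string if there is none."""
    if msg.is_multipart():
        part = msg.get_body(preferencelist=('plain',))
        return part.get_content() if part is not None else ''
    return msg.get_content()


def to_sms(text, subject='', limit=SMS_MAX_LEN):
    """Collapse whitespace, prefix the subject, and cut to one SMS segment."""
    body = ' '.join(text.split())
    combined = ('%s: %s' % (subject, body)) if subject else body
    return combined[:limit]


def mail_to_sms(raw_bytes):
    """Parse raw message bytes and return (sender_address, sms_text)."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    return extract_sender(msg), to_sms(extract_text(msg), msg.get('Subject', ''))


# Constructed sample alert, the kind of mail a monitoring box sends
SAMPLE_MAIL = b"""From: Zabbix Server <zabbix@monitor.example>
To: 0912345678@sms.example
Subject: PROBLEM: Disk full on fileserver
Content-Type: text/plain; charset=utf-8
MIME-Version: 1.0

Trigger: Free disk space is less than 5% on volume /vol0
Host: fileserver01
Severity: High
"""

if __name__ == '__main__':
    raw = SAMPLE_MAIL if sys.stdin.isatty() else sys.stdin.buffer.read()
    sender, sms = mail_to_sms(raw)
    # Replace this print with the call to your own SMS API
    print(sender, sms)
```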



Tuesday, 14 April 2015

Linux SSO (Single Sign-On) + OTP [open-source solution]

Linux IPA Server (similar to Windows AD) lets a user's domain account single sign-on
to any Linux host that has joined the IPA domain
(other OSes supported on the IPA client side include Linux, AIX, HP-UX and Windows).

Windows http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
Configuring a Microsoft Windows System to Join the FreeIPA Realm
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_Microsoft_Windows.html






The Linux SSO solution: IPA

About IPA (Identity, Policy, Audit)

http://www.freeipa.org/page/Main_Page

Also known as IdM Server (Identity Management Server)

Architecture diagram

http://sexysexypenguins.com/wp-content/uploads/2014/10/ipa-components-590x444.png

About OTP (TOTP, https://tools.ietf.org/html/rfc6238)

The OTP solution

FreeOTP can be used (https://fedorahosted.org/freeotp/)

together with the token on the mobile phone app.



IPA 4.0 can be combined with OTP (FreeOTP, https://fedorahosted.org/freeotp/)
to give an SSO + OTP credential-control environment.
Fuller OTP support starts with IPA 4.0 (http://www.freeipa.org/page/V4/OTP).

Taking CentOS 7.x as the example, the packages installed are roughly as follows:

[root@centos7 /]# rpm -qa | grep ipa
device-mapper-multipath-0.4.9-77.el7.x86_64
libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
python-iniparse-0.4-9.el7.noarch
device-mapper-multipath-libs-0.4.9-77.el7.x86_64
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
ipa-client-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-1.12.2-58.el7_1.6.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
ipa-python-4.1.0-18.el7.centos.3.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
[root@centos7 /]#

After installation and configuration, the following can be used to check that IPA is running normally.

IPA server status

[root@centos7 /]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@centos7 /]#


IPA server listening ports

[root@centos7 /]# nmap 127.0.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-14 16:26 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000010s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
389/tcp  open  ldap
443/tcp  open  https
464/tcp  open  kpasswd5
636/tcp  open  ldapssl
749/tcp  open  kerberos-adm
8009/tcp open  ajp13
8080/tcp open  http-proxy
8443/tcp open  https-alt

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
[root@centos7 /]#

Other related information:


For installing and configuring the IPA server on CentOS, see:

Red Hat Enterprise Linux 6 Identity Management Guide

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html



Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html


or the FreeIPA site:

https://www.freeipa.org/page/Documentation

For migrating RHEL/CentOS 6.x to 7.x [IPA 3.x -> IPA 4.x]

(Migrating the IdM Server to Red Hat Enterprise Linux 7)

see the URL below:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html


OTP configuration screens in the IPA Web UI

Log in to the IPA Server


Declare that the user uses OTP (that is, the password entered at login is the system password and the FreeOTP token joined together).
In other words the full SSO password is: the system password first, then the FreeOTP token appended [PWDToken].


Add an OTP token for the account


Select TOTP as the token Type


Use the FreeOTP mobile app to scan the token's QR code


Sync OTP Token 


Enter the login details for that ID together with the Token ID, then click Sync OTP Token.



FreeOTP screen and token code

Monday, 30 March 2015

VyOS OpenVPN plugin OTP (SOP)

About OTP

http://zh.wikipedia.org/wiki/%E4%B8%80%E6%AC%A1%E6%80%A7%E5%AF%86%E7%A2%BC



One-time password
A one-time password (OTP), also called a dynamic password, is a password that
can be used only once. Ordinary static passwords are easily stolen by trojans
and keyloggers, and given enough time they may also be brute-forced. One-time
password solutions were developed to address how easily ordinary passwords are
compromised.

Principle
One-time passwords are mainly generated using a time difference as the
synchronisation condition between the server and the password generator. When
a login is needed, the generator produces a one-time password. OTPs are
generally of two kinds, counter-based and time-based: a counter-based OTP can
be used at any time once generated, whereas a time-based OTP has a configurable
validity period, anywhere from 30 seconds to two minutes[1]. The OTP is
discarded once authentication completes and the next authentication must use a
new password, which makes unauthorised access to restricted resources harder.

Advantages
One-time password solutions have the following advantages:

They relieve users of the difficulty of memorising and safeguarding passwords.
Because the password can be used only once, is generated dynamically and is
therefore unpredictable, and is valid for a single use only, security is
greatly improved.

For these reasons, more and more banks and financial institutions, and even
game companies, use OTP solutions to improve the protection of their users.
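The time-based OTP principle quoted above, and the IPA login form described in the earlier post (system password immediately followed by the FreeOTP token), worked through as an added Python example that is not code from the original posts or from FreeIPA, FreeOTP or google-authenticator: it implements RFC 4226 HOTP and RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) with a +/-1 step drift window, and a password+token check. The base32 key is the RFC test key and the password "s3cret-pw" is a constructed value.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, plus the IPA-style
check of "<system password><token>" typed as one string. Added example."""
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret):
    """Decode the base32 secret shown under the QR code (padding optional)."""
    s = secret.strip().replace(' ', '').upper()
    return base64.b32decode(s + '=' * (-len(s) % 8))


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1(key, counter) -> dynamic truncation -> digits."""
    digest = hmac.new(key, struct.pack('>Q', counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack('>I', digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return '%0*d' % (digits, code % (10 ** digits))


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(unix_time // step), digits)


def verify_totp(key, code, unix_time, step=30, window=1):
    """Accept the code for the current step or `window` steps either side
    (clock drift between phone and server); comparisons are constant-time."""
    counter = int(unix_time // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c).encode(), code.encode()):
            return True
    return False


def verify_password_plus_token(typed, password, key, unix_time, digits=6):
    """IPA-style login: the typed string is the system password immediately
    followed by the token. Split off the last `digits` characters and check
    both parts; both checks always run so that timing does not reveal which
    part was wrong. (Real IPA checks the password against LDAP; here it is a
    constructed comparison against a known value.)"""
    if len(typed) <= digits:
        return False
    pw_part, token_part = typed[:-digits], typed[-digits:]
    pw_ok = hmac.compare_digest(pw_part.encode(), password.encode())
    token_ok = token_part.isdigit() and verify_totp(key, token_part, unix_time)
    return pw_ok and token_ok


if __name__ == '__main__':
    # RFC 6238 test key, base32-encoded the way FreeOTP/Google Authenticator
    # secrets are presented
    key = decode_base32_secret('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ')
    now = time.time()
    print('current code:', totp(key, now))
    print('login ok:', verify_password_plus_token('s3cret-pw' + totp(key, now),
                                                  's3cret-pw', key, now))
```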


Adding a Debian APT repository on VyOS

Reference

http://vyos.net/wiki/FAQ, adding a repository


Usage

 How do I install debian packages?

First configure repositories. The Hydrogen release will be based on Debian Squeeze so:

set system package repository squeeze components 'main contrib non-free'
set system package repository squeeze distribution 'squeeze'
set system package repository squeeze url 'http://mirrors.kernel.org/debian'


Squeeze is not supported anymore, however Helium has some packages from Squeeze Long Term Support so:

set system package repository squeeze-lts components 'main contrib non-free'
set system package repository squeeze-lts distribution 'squeeze-lts'
set system package repository squeeze-lts url 'http://mirrors.kernel.org/debian'


In case you need more modern software, or software that isn't available in squeeze by default, add

set system package repository squeeze-backports components main
set system package repository squeeze-backports distribution squeeze-backports
set system package repository squeeze-backports url 'http://backports.debian.org/debian-backports'

Then do "sudo apt-get update" and you can install packages with "sudo apt-get install xxxxxxx" as usual

Installing the Google Authenticator module

Reference: https://www.linux.com/community/blogs/133-general-linux/783135-securing-ssh-with-two-factor-authentication-using-google-authenticator

#apt-get install libpam0g-dev
#apt-get install make gcc wget

Install libpam-google-authenticator-1.0-source.tar.bz2

First install bzip2, which is needed to extract the .tar.bz2 file

root@vyos:/home/vyos# apt-get install bzip2
Reading package lists... Done
Building dependency tree    
Reading state information... Done
Suggested packages:
  bzip2-doc
The following NEW packages will be installed:
  bzip2
0 upgraded, 1 newly installed, 0 to remove and 40 not upgraded.
Need to get 47.4 kB of archives.
After this operation, 160 kB of additional disk space will be used.
Get:1 http://mirrors.kernel.org/debian/ squeeze/main bzip2 i386 1.0.5-6+squeeze1 [47.4 kB]
Fetched 47.4 kB in 0s (48.7 kB/s)                
Selecting previously deselected package bzip2.
(Reading database ... 40785 files and directories currently installed.)
Unpacking bzip2 (from .../bzip2_1.0.5-6+squeeze1_i386.deb) ...
Processing triggers for man-db ...
Setting up bzip2 (1.0.5-6+squeeze1) ...
root@vyos:/home/vyos#

Download and build libpam-google-authenticator-1.0-source.tar.bz2

root@vyos:/home/vyos# wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
--2015-03-30 17:34:56--  http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
Resolving google-authenticator.googlecode.com... 173.194.72.82, 2404:6800:4008:c05::52
Connecting to google-authenticator.googlecode.com|173.194.72.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32708 (32K) [application/x-bzip2]
Saving to: `libpam-google-authenticator-1.0-source.tar.bz2'

100%[======================================================================================================================================>] 32,708       128K/s   in 0.2s  

2015-03-30 17:34:56 (128 KB/s) - `libpam-google-authenticator-1.0-source.tar.bz2' saved [32708/32708]

Extract

root@vyos:/home/vyos# tar -xjvf  libpam-google-authenticator-1.0-source.tar.bz2
libpam-google-authenticator-1.0/base32.c
libpam-google-authenticator-1.0/demo.c
libpam-google-authenticator-1.0/google-authenticator.c
libpam-google-authenticator-1.0/hmac.c
libpam-google-authenticator-1.0/pam_google_authenticator.c
libpam-google-authenticator-1.0/pam_google_authenticator_unittest.c
libpam-google-authenticator-1.0/sha1.c
libpam-google-authenticator-1.0/base32.h
libpam-google-authenticator-1.0/hmac.h
libpam-google-authenticator-1.0/sha1.h
libpam-google-authenticator-1.0/totp.html
libpam-google-authenticator-1.0/Makefile
libpam-google-authenticator-1.0/FILEFORMAT
libpam-google-authenticator-1.0/README
libpam-google-authenticator-1.0/utc-time/
libpam-google-authenticator-1.0/utc-time/app.yaml
libpam-google-authenticator-1.0/utc-time/utc-time.py

root@vyos:/home/vyos# cd libpam-google-authenticator-1.0/
root@vyos:/home/vyos/libpam-google-authenticator-1.0# ls -la
total 180
drwxr-xr-x 3 root root   4096 Mar 30 17:35 .
drwxr-xr-x 4 vyos users  4096 Mar 30 17:35 ..
-rw-rw-r-- 1 root root   2632 May 15  2012 FILEFORMAT
-rw-rw-r-- 1 root root   4915 May 15  2012 Makefile
-rw-rw-r-- 1 root root   4519 May 15  2012 README
-rw-rw-r-- 1 root root   2471 May 15  2012 base32.c
-rw-rw-r-- 1 root root   1387 May 15  2012 base32.h
-rw-rw-r-- 1 root root   4737 May 15  2012 demo.c
-rw-rw-r-- 1 root root  24608 May 15  2012 google-authenticator.c
-rw-rw-r-- 1 root root   2495 May 15  2012 hmac.c
-rw-rw-r-- 1 root root    919 May 15  2012 hmac.h
-rw-rw-r-- 1 root root  48300 May 15  2012 pam_google_authenticator.c
-rw-rw-r-- 1 root root  19257 May 15  2012 pam_google_authenticator_unittest.c
-rw-rw-r-- 1 root root  11201 May 15  2012 sha1.c
-rw-rw-r-- 1 root root   1189 May 15  2012 sha1.h
-rw-rw-r-- 1 root root   9422 May 15  2012 totp.html
drwxrwxr-x 2 root root   4096 May 15  2012 utc-time
root@vyos:/home/vyos/libpam-google-authenticator-1.0#

Next, run #make && make install

If it succeeds, output like this appears:

cp pam_google_authenticator.so /lib/security
cp google-authenticator /usr/local/bin

which means google-authenticator is ready to use.

Next, declare (via PAM) that OpenVPN may use it

Reference: http://joepaetzel.com/2014/05/20/enable-multi-factor-authentication-for-openvpn/


root@vyos:/etc/pam.d# pwd
/etc/pam.d
root@vyos:/etc/pam.d# vi openvpn

auth required /lib/security/pam_google_authenticator.so

root@vyos:/etc/pam.d#

Next, enable OTP for the individual accounts


root@vyos:/home/vyos/libpam-google-authenticator-1.0# sudo su - xxtony
xxtony@vyos:~$ pwd
/home/xxtony
xxtony@vyos:~$ google-authenticator


VyOS OpenVPN configuration



Xshell:\> ssh   192.168.xxx.xxx


Connecting to 192.168.xxx.xxx:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Welcome to VyOS
Linux vyos 3.13.11-1-586-vyos #1 SMP Fri Feb 27 21:24:23 UTC 2015 i686
Welcome to VyOS.
This system is open-source software. The exact distribution terms for
each module comprising the full system are described in the individual
files in /usr/share/doc/*/copyright.
Last login: Mon Mar 30 16:52:23 2015 from 192.168.xxx.xxx
vyos@vyos:~$ show configuration commands
set interfaces ethernet eth0 address '192.168.xxx.xxx/24'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0c:29:69:2c:9b'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces loopback 'lo'
set interfaces openvpn vtun0 encryption 'aes128'
set interfaces openvpn vtun0 hash 'sha1'
set interfaces openvpn vtun0 local-port '1194'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 openvpn-option '--reneg-sec 0 --duplicate-cn --comp-lzo  --inactive 120  --plugin  /usr/lib/openvpn/openvpn-auth-pam.so openvpn  --username-as-common-name'
set interfaces openvpn vtun0 protocol 'tcp-passive'
set interfaces openvpn vtun0 server push-route '192.168.1xx.0/24'
set interfaces openvpn vtun0 server push-route '192.168.1.0/24'
set interfaces openvpn vtun0 server subnet '192.168.200.0/28'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/keys/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/keys/vpn01.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/keys/dh1024.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/keys/vpn01.key'
set nat source rule 10 destination address '0.0.0.0/0'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 protocol 'all'
set nat source rule 10 source address '192.168.200.0/24'
set nat source rule 10 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop '192.168.xxx.254'
set service ssh 'allow-root'
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system host-name 'vyos'
set system login user xxtony authentication encrypted-password '$6$fQ3aoaQ.AwIwMx$g53v4npApNW9ueefVoZ8QvEwcGZZQwvuu7xG6S9mYhyKBoGIA0HVHasbUbDQz9TxW726RagOZlVL.Th/8FhUc.'
set system login user xxtony authentication plaintext-password ''
set system login user xxtony level 'admin'
set system login user vyos authentication encrypted-password '$1$WEiLV3hz$rVSlk.8f2iRTs99rhWI1t.'
set system login user vyos level 'admin'
set system name-server '168.95.1.1'
set system ntp server 168.95.195.12 'prefer'
set system package auto-sync '1'
set system package repository community components 'main'
set system package repository community distribution 'helium'
set system package repository community password ''
set system package repository community url 'http://packages.vyos.net/vyos'
set system package repository community username ''
set system package repository squeeze components 'main contrib non-free'
set system package repository squeeze distribution 'squeeze'
set system package repository squeeze password ''
set system package repository squeeze url 'http://mirrors.kernel.org/debian'
set system package repository squeeze username ''
set system package repository squeeze-backports components 'main'
set system package repository squeeze-backports distribution 'squeeze-backports'
set system package repository squeeze-backports password ''
set system package repository squeeze-backports url 'http://backports.debian.org/debian-backports'
set system package repository squeeze-backports username ''
set system package repository squeeze-lts components 'main contrib non-free'
set system package repository squeeze-lts distribution 'squeeze-lts'
set system package repository squeeze-lts password ''
set system package repository squeeze-lts url 'http://mirrors.kernel.org/debian'
set system package repository squeeze-lts username ''
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Taipei'


Install the Google Authenticator app on the phone

https://support.google.com/accounts/answer/1066447?hl=zh-Hant

https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=zh_TW


Use the Google Authenticator app on the phone to read the QR code that google-authenticator generated on the OS.

That code is the OTP for OpenVPN.


End





Sunday, 1 February 2015

PowerDNS + PowerAdmin (tarball install on CentOS Linux)

https://www.powerdns.com/
http://www.poweradmin.org/

The PowerDNS + PowerAdmin combination is a DNS service solution with a web UI,
functionally equivalent to BIND DNS. Below is the SOP for installing from tarball, together with the important configuration examples.

#tar -jvxf pdns-3.4.1.tar.bz2

#yum -y install libtool boost-devel
#yum -y install lua*


https://dl.fedoraproject.org/pub/epel/6/x86_64/

#rpm -ivh epel-release-6-8.noarch.rpm

#yum -y install php-mcrypt*

powerdns 3.4.1 tarball install

#./bootstrap
#./configure --prefix=/usr/local/pdns-3.4.1

#make

#make install

PowerDNS  schema

/usr/local/src/pdns-3.4.1/modules/gmysqlbackend/schema.mysql.sql

#mysql pdns < schema.mysql.sql


WEB UI schema (PowerAdmin)

/var/www/html/poweradmin/sql

#mysql pdns < poweradmin-mysql-db-structure.sql

http://xxx.xxx.xxx.xxx/install (run the web installer)

========================================

powerdns 3.3.1 tarball install

# ./configure --prefix=/usr/local/pdns-3.3.1 --with-mysql --with-mysql-config=/usr/bin/mysql_config
#make
#make install

PowerDNS  3.3.1 schema

 /usr/local/src/pdns-3.3.1/pdns/no-dnssec.schema.mysql.sql


#cat pdns.conf


setuid=pdns
setgid=pdns
launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=powerdnsadmin
gmysql-password=poweradminpwd
gmysql-dbname=powerdns


==============

Poweradmin 2.1.6


#cat config.inc.php

<?php

// NOTE: Do not edit this file, otherwise it's very likely your changes
// will be overwritten with an upgrade.

// Instead, create the file "inc/config.inc.php" and set the variables you
// want to set there. Your changes will override the defaults provided by us.

// Better description of available configuration settings you can find here:
// <https://www.poweradmin.org/trac/wiki/Documentation/ConfigurationFile>

// Database settings
$db_host = 'localhost';
$db_port = '3306';
$db_user = 'admin';
$db_pass = 'admin';
$db_name = 'powerdns';
$db_type = 'mysql';
//$db_file = ''; # used only for SQLite, provide full path to database file
//$db_debug = false; # show all SQL queries

$db_layer = 'PDO'; # or PDO

// Security settings
// This should be changed upon install
$session_key = '^SW!!h9@iQYBTOjqDjpAP9()1^oGeCZa_#oxMNj_C%Zg@@';
$password_encryption = 'md5'; // or md5salt

// Interface settings
$iface_lang = 'en_EN';
$iface_style = 'example';
$iface_rowamount = 50;
$iface_expire = 1800;
$iface_zonelist_serial = false;
$iface_title = 'Poweradmin';

// Predefined DNS settings
$dns_hostmaster = 'dns.xrcd2.com.tw';
$dns_ns1 = 'dns.xrcd2.com.tw';
$dns_ns2 = 'dns2.xrcd2.com.tw';
$dns_ttl = 86400;
$dns_fancy = false;
$dns_strict_tld_check = true;

// Timezone settings
// See <http://www.php.net/manual/en/timezones.php> for help.
//$timezone = 'UTC';

// Logging settings

// Syslog usage - writes authentication attempts to syslog
// This facility could be used in combination with fail2ban to
// ban IPs with break-in attempts
$syslog_use = false;
$syslog_ident = 'poweradmin';
// On Windows usually only LOG_USER is available
$syslog_facility = LOG_USER;

?>
[root@dns2 inc]#


==============================

powerdns 3.4.1

#cat pdns.conf

setuid=pdns
setgid=pdns
launch=gmysql
gmysql-host=localhost
gmysql-user=pdns
gmysql-password=password
gmysql-dbname=pdns
gmysql-socket=/var/lib/mysql/mysql.sock
config-dir=/usr/local/pdns-3.4.1/etc
daemon=no
guardian=yes
local-address=0.0.0.0
local-port=53
module-dir=/usr/local/pdns-3.4.1/lib/pdns
socket-dir=/var/run
version-string=DNS
recursor=168.95.1.1



Poweradmin 2.1.7

#cat config.inc.php

<?php

/**
 * Sample configuration file with default values
 *
 * @package     Poweradmin
 * @copyright   2007-2010 Rejo Zenger <rejo@zenger.nl>
 * @copyright   2010-2014 Poweradmin Development Team
 * @license     http://opensource.org/licenses/GPL-3.0 GPL
 */
// NOTE: Do not edit this file, otherwise it's very likely your changes
// will be overwritten with an upgrade.
// Instead, create the file "inc/config.inc.php" and set the variables you
// want to set there. Your changes will override the defaults provided by us.
// Better description of available configuration settings you can find here:
// <https://github.com/poweradmin/poweradmin/wiki/Configuration-File>
// Database settings
$db_host = 'localhost';
$db_port = '3306';
$db_user = 'pdns';
$db_pass = 'password';
$db_name = 'pdns';
$db_type = 'mysql';
//$db_file = ''; # used only for SQLite, provide full path to database file
//$db_debug = false; # show all SQL queries
$db_layer = 'PDO'; # or MDB2
//$db_ssl_ca            = '';
// Security settings
// This should be changed upon install
$session_key = 'nwnAzC}nZ6RTx[w%)M=IxU7UZ(o(5PJ4k37tM0uI42_hf}';
$password_encryption = 'md5'; // or md5salt

// Interface settings
$iface_lang = 'en_EN';
$iface_style = 'example';
$iface_rowamount = 50;
$iface_expire = 1800;
$iface_zonelist_serial = false;
$iface_title = 'Poweradmin';
$iface_add_reverse_record = true;

// Predefined DNS settings
$dns_hostmaster = 'dns.xrcd2.com.tw';
$dns_ns1 = 'ns1.xrcd2.com.tw';
$dns_ns2 = 'ns2.xrcd2.com.tw';
$dns_ttl = 86400;
$dns_fancy = false;
$dns_strict_tld_check = false;
$dns_top_level_tld_check = false;     // Don't allow to create top level TLDs
$dns_third_level_check = false;
// Timezone settings
// See <http://www.php.net/manual/en/timezones.php> for help.
//$timezone = 'UTC';
// Logging settings
// Syslog usage - writes authentication attempts to syslog
// This facility could be used in combination with fail2ban to
// ban IPs with break-in attempts
$syslog_use = false;
$syslog_ident = 'poweradmin';
// On Windows usually only LOG_USER is available
$syslog_facility = LOG_USER;

// PowerDNSSEC settings
$pdnssec_use = false;
$pdnssec_command = '/usr/bin/pdnssec';

// LDAP settings
$ldap_use = false;
$ldap_debug = false;
$ldap_uri = 'ldap://domaincontroller.example.com';
$ldap_basedn = 'OU=Users,DC=example,DC=com';
$ldap_binddn = 'GROUP\lookupuser';
$ldap_bindpw = 'some_password';
$ldap_user_attribute = 'sAMAccountName';
$ldap_proto = 3;
[root@Rsyslog inc]#
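The two configuration files shown above (Poweradmin's config.inc.php and PowerDNS's pdns.conf) carry the settings a defender would want to check before the service goes live: the database password, the unsalted md5 password hashing, the session key, syslog being switched off (the file's own comment points at fail2ban), and on the PowerDNS side the bind address and the recursor= forwarding. The following POSIX sh script is an added example and is not part of Poweradmin or PowerDNS; the function names (pa_get, pdns_get, audit_poweradmin, audit_pdns, count_findings), the placeholder-password list and the 32-character session-key threshold are my own choices, and the two sample files are constructed from the values on this page. The allow-recursion check assumes the permissive PowerDNS 3.x default; confirm it against the documentation for your build.

```shell
#!/bin/sh
# Added audit script (not part of Poweradmin or PowerDNS): reads a Poweradmin
# config.inc.php and a pdns.conf and prints one line per weak setting.
# Function names and the placeholder-password list are assumptions of this example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample config.inc.php using the values shown on this page (2.1.7).
PA_SAMPLE="$WORK/config.inc.php"
cat > "$PA_SAMPLE" <<'EOF'
<?php
// Database settings
$db_host = 'localhost';
$db_user = 'pdns';
$db_pass = 'password';
//$db_debug = false; # show all SQL queries
$session_key = 'nwnAzC}nZ6RTx[w%)M=IxU7UZ(o(5PJ4k37tM0uI42_hf}';
$password_encryption = 'md5'; // or md5salt
$syslog_use = false;
$syslog_facility = LOG_USER;
?>
EOF

# Constructed sample pdns.conf using the values shown on this page (3.4.1).
PDNS_SAMPLE="$WORK/pdns.conf"
cat > "$PDNS_SAMPLE" <<'EOF'
setuid=pdns
setgid=pdns
launch=gmysql
gmysql-user=pdns
gmysql-password=password
local-address=0.0.0.0
recursor=168.95.1.1
EOF
chmod 600 "$PA_SAMPLE" "$PDNS_SAMPLE"   # both files hold the DB password

# pa_get FILE VAR: value of the uncommented PHP line "$VAR = ...;",
# surrounding single quotes stripped (so 'md5' -> md5, false -> false).
pa_get() {
    sed -n 's/^\$'"$2"'[[:space:]]*=[[:space:]]*\(.*\);.*$/\1/p' "$1" \
        | head -n 1 | sed "s/^'\(.*\)'\$/\1/"
}

# pdns_get FILE KEY: value of the first "KEY=value" line in pdns.conf.
pdns_get() {
    sed -n 's/^'"$2"'=\(.*\)$/\1/p' "$1" | head -n 1
}

# is_weak_secret VALUE: empty or one of a few well-known placeholder passwords.
is_weak_secret() {
    case "$1" in
        ''|password|admin|pdns|poweradminpwd|changeme) return 0 ;;
    esac
    return 1
}

# world_readable FILE: the "other" read bit is set (find -perm -004 is POSIX).
world_readable() {
    [ -n "$(find "$1" -perm -004 -print)" ]
}

audit_poweradmin() {
    f=$1
    pass=$(pa_get "$f" db_pass)
    if is_weak_secret "$pass" || [ "$pass" = "$(pa_get "$f" db_user)" ]; then
        echo "db_pass: placeholder password or identical to db_user"
    fi
    if [ "$(pa_get "$f" password_encryption)" = "md5" ]; then
        echo "password_encryption: unsalted md5 (the file's own alternative is md5salt)"
    fi
    key=$(pa_get "$f" session_key)
    if [ "${#key}" -lt 32 ]; then
        echo "session_key: shorter than 32 characters, regenerate it"
    fi
    if [ "$(pa_get "$f" syslog_use)" = "false" ]; then
        echo "syslog_use: login attempts are not logged (fail2ban has nothing to read)"
    fi
    if world_readable "$f"; then
        echo "file: world-readable but contains the database password"
    fi
    return 0
}

audit_pdns() {
    f=$1
    pw=$(pdns_get "$f" gmysql-password)
    if is_weak_secret "$pw" || [ "$pw" = "$(pdns_get "$f" gmysql-user)" ]; then
        echo "gmysql-password: placeholder password or identical to gmysql-user"
    fi
    if [ -z "$(pdns_get "$f" setuid)" ] || [ -z "$(pdns_get "$f" setgid)" ]; then
        echo "setuid/setgid: missing, pdns_server keeps root after start"
    fi
    if [ "$(pdns_get "$f" local-address)" = "0.0.0.0" ]; then
        echo "local-address: 0.0.0.0 binds every IPv4 interface; list the service addresses instead"
    fi
    # Assumption: PowerDNS 3.x allows recursion from anywhere unless allow-recursion is set.
    if [ -n "$(pdns_get "$f" recursor)" ] && [ -z "$(pdns_get "$f" allow-recursion)" ]; then
        echo "recursor: forwarding enabled without allow-recursion, any client can use this server as a resolver"
    fi
    if world_readable "$f"; then
        echo "file: world-readable but contains the database password"
    fi
    return 0
}

# count_findings AUDIT_FUNC FILE: number of findings (3 for each sample above).
count_findings() {
    "$@" | awk 'END { print NR }'
}

echo "== config.inc.php"; audit_poweradmin "$PA_SAMPLE"
echo "== pdns.conf";      audit_pdns "$PDNS_SAMPLE"
```

Run it against the real files with `audit_poweradmin /path/to/inc/config.inc.php` and `audit_pdns /usr/local/pdns-3.4.1/etc/pdns.conf`; an empty report means none of these checks fired. The parser deliberately matches only lines that start with `$` or with the key, so commented-out lines such as `//$db_debug` are ignored, and the permission check exists because both files store the MySQL password in clear text.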


=========================

PowerDNS 3.3.1 init script

[root@centos64 init.d]# cat pdns
#!/bin/sh
# chkconfig: - 80 75
# description: PDNS is a versatile high performance authoritative nameserver

### BEGIN INIT INFO
# Provides:          pdns
# Required-Start:    $remote_fs $network $syslog
# Required-Stop:     $remote_fs $network $syslog
# Should-Start:      $all
# Should-Stop:       $all
# Default-Start:  
# Default-Stop:      0 1 6
# Short-Description: Start/stop PowerDNS authoritative server
# Description:       Start/stop PowerDNS authoritative server
### END INIT INFO

set -e

#prefix=/usr
#exec_prefix=/usr
#BINARYPATH=/usr/bin
#SBINARYPATH=/usr/sbin


prefix=/usr/local/pdns-3.3.1
exec_prefix=/usr/local/pdns-3.3.1
BINARYPATH=/usr/local/pdns-3.3.1/bin
SBINARYPATH=/usr/local/pdns-3.3.1/sbin


SOCKETPATH=/var/run

[ -f "$SBINARYPATH/pdns_server" ] || exit 0

[ -r /etc/default/pdns ] && . /etc/default/pdns

cd $SOCKETPATH
suffix=$(basename $0 | cut -d- -f2- -s)
if [ -n "$suffix" ]
then
EXTRAOPTS=--config-name=$suffix
PROGNAME=pdns-$suffix
else
PROGNAME=pdns
fi

pdns_server="$SBINARYPATH/pdns_server $EXTRAOPTS"

doPC()
{
ret=$($BINARYPATH/pdns_control $EXTRAOPTS $1 $2 2> /dev/null)
}

NOTRUNNING=0
doPC ping || NOTRUNNING=$?

case "$1" in
status)
if test "$NOTRUNNING" = "0"
then
doPC status
echo $ret
else
echo "not running"
fi
;;

stop)
echo -n "Stopping PowerDNS authoritative nameserver: "
if test "$NOTRUNNING" = "0"
then
doPC quit
rm -f /var/lock/subsys/pdns
echo $ret
else
echo "not running"
fi
;;


force-stop)
echo -n "Stopping PowerDNS authoritative nameserver: "
killall -v -9 pdns_server
rm -f /var/lock/subsys/pdns
echo "killed"
;;

start)
echo -n "Starting PowerDNS authoritative nameserver: "
if test "$NOTRUNNING" = "0"
then
echo "already running"
else
if $pdns_server --daemon --guardian=yes
then
touch /var/lock/subsys/pdns
echo "started"
fi
fi
;;

condrestart)
if [ -f /var/lock/subsys/pdns ];
then
echo "running, restarting"
$0 restart
else
echo "not running"
fi
;;

force-reload | restart)
echo -n "Restarting PowerDNS authoritative nameserver: "
if test "$NOTRUNNING" = "1"
then
echo "not running, starting"
else

echo -n stopping and waiting..
doPC quit
sleep 3
echo done
fi
$0 start
;;

reload)
echo -n "Reloading PowerDNS authoritative nameserver: "
if test "$NOTRUNNING" = "0"
then
doPC cycle
echo requested reload
else
echo not running yet
$0 start
fi
;;

monitor)
if test "$NOTRUNNING" = "0"
then
echo "already running"
else
$pdns_server --daemon=no --guardian=no --control-console --loglevel=9
fi
;;

dump)
if test "$NOTRUNNING" = "0"
then
doPC list
echo $ret
else
echo "not running"
fi
;;

show)
if [ $# -lt 2 ]
then
echo Insufficient parameters
exit
fi
if test "$NOTRUNNING" = "0"
then
echo -n "$2="
doPC show $2 ; echo $ret
else
echo "not running"
fi
;;

mrtg)
if [ $# -lt 2 ]
then
echo Insufficient parameters
exit
fi
if test "$NOTRUNNING" = "0"
then
doPC show $2 ; echo $ret
if [ "$3x" != "x" ]
then
doPC show $3 ; echo $ret
else
echo 0
fi
doPC uptime ; echo $ret
echo PowerDNS daemon
else
echo "not running"
fi

;;

cricket)
if [ $# -lt 2 ]
then
echo Insufficient parameters
exit
fi
if test "$NOTRUNNING" = "0"
then
doPC show $2 ; echo $ret
else
echo "not running"
fi

;;



*)
echo pdns [start\|stop\|condrestart\|force-reload\|reload\|restart\|status\|dump\|show\|mrtg\|cricket\|monitor]

;;
esac




===========================

PowerDNS 3.4.1 init script

[root@cetnos66 init.d]# cat pdns
#!/bin/sh
# chkconfig: - 80 75
# description: PDNS is a versatile high performance authoritative nameserver

### BEGIN INIT INFO
# Provides:          pdns
# Required-Start:    $remote_fs $network $syslog
# Required-Stop:     $remote_fs $network $syslog
# Should-Start:
# Should-Stop:
# Default-Start:
# Default-Stop:      0 1 6
# Short-Description: PowerDNS authoritative server
# Description:       PowerDNS authoritative server
### END INIT INFO

set -e

prefix=/usr/local/pdns-3.4.1
exec_prefix=/usr/local/pdns-3.4.1
BINARYPATH=/usr/local/pdns-3.4.1/bin
SBINARYPATH=/usr/local/pdns-3.4.1/sbin
SOCKETPATH=/var/run

[ -f "$SBINARYPATH/pdns_server" ] || exit 0

[ -r /etc/default/pdns ] && . /etc/default/pdns

cd $SOCKETPATH
suffix=$(basename $0 | cut -d- -f2- -s)
if [ -n "$suffix" ]
then
EXTRAOPTS=--config-name=$suffix
PROGNAME=pdns-$suffix
else
PROGNAME=pdns
fi

pdns_server="$SBINARYPATH/pdns_server $EXTRAOPTS"

doPC()
{
ret=$($BINARYPATH/pdns_control $EXTRAOPTS $1 $2 2> /dev/null)
}

NOTRUNNING=0
doPC ping || NOTRUNNING=$?

case "$1" in
status)
if test "$NOTRUNNING" = "0"
then
doPC status
echo $ret
else
echo "not running"
exit 3
fi
;;

stop)
echo -n "Stopping PowerDNS authoritative nameserver: "
if test "$NOTRUNNING" = "0"
then
doPC quit
rm -f /var/lock/subsys/pdns
echo $ret
else
echo "not running"
fi
;;

force-stop)
echo -n "Stopping PowerDNS authoritative nameserver: "
killall -v -9 pdns_server
rm -f /var/lock/subsys/pdns
echo "killed"
;;

start)
echo -n "Starting PowerDNS authoritative nameserver: "
if test "$NOTRUNNING" = "0"
then
echo "already running"
else
if $pdns_server --daemon --guardian=yes
then
touch /var/lock/subsys/pdns
echo "started"
else
echo "starting failed"
exit 1
fi
fi
;;

condrestart)
if [ -f /var/lock/subsys/pdns ];
then
echo "running, restarting"
$0 restart
else
echo "not running"
fi
;;

force-reload | restart)
echo -n "Restarting PowerDNS authoritative nameserver: "
if test "$NOTRUNNING" = "1"
then
echo "not running, starting"
else

echo -n stopping and waiting..
doPC quit
sleep 3
echo done
fi
$0 start
;;

reload)
echo -n "Reloading PowerDNS authoritative nameserver: "
if test "$NOTRUNNING" = "0"
then
doPC cycle
echo requested reload
else
echo not running yet
$0 start
fi
;;

monitor)
if test "$NOTRUNNING" = "0"
then
echo "already running"
else
$pdns_server --daemon=no --guardian=no --control-console --loglevel=9
fi
;;

dump)
if test "$NOTRUNNING" = "0"
then
doPC list
echo $ret
else
echo "not running"
fi
;;

show)
if [ $# -lt 2 ]
then
echo Insufficient parameters
exit
fi
if test "$NOTRUNNING" = "0"
then
echo -n "$2="
doPC show $2 ; echo $ret
else
echo "not running"
fi
;;

mrtg)
if [ $# -lt 2 ]
then
echo Insufficient parameters
exit
fi
if test "$NOTRUNNING" = "0"
then
doPC show $2 ; echo $ret
if [ "$3x" != "x" ]
then
doPC show $3 ; echo $ret
else
echo 0
fi
doPC uptime ; echo $ret
echo PowerDNS daemon
else
echo "not running"
fi

;;

cricket)
if [ $# -lt 2 ]
then
echo Insufficient parameters
exit
fi
if test "$NOTRUNNING" = "0"
then
doPC show $2 ; echo $ret
else
echo "not running"
fi

;;

*)
echo pdns [start\|stop\|condrestart\|force-reload\|reload\|restart\|status\|dump\|show\|mrtg\|cricket\|monitor]

;;
esac