Small Server Tips

A few tricks that help me keep my small server up to date.

  • logwatch – a mail to know how things are going
  • apticron – a notification, so I don't look for updates when there aren't any
  • debian-goodies – small utilities

Sometimes you have to make do.

Below we see how to use them.

LOGWATCH

Many applications write logs, but often nobody checks them; logwatch covers this by mailing us a report of the logs we care about.

Installation is simple:

# aptitude install logwatch

The configuration file is located here:

/usr/share/logwatch/default.conf/logwatch.conf

To customize it, just read through it to see where to make changes, but there are a few settings I recommend checking.

Who the mail is sent to; the default is:

MailTo = root

The time span to examine:

Range = yesterday

How detailed the report should be (numbers can be used as well):

# Low = 0
# Med = 5
# High = 10
Detail = Low

The logs of the services you are interested in; the default is All, otherwise list the ones you want.

Service = All

After installation it should run daily from cron, but it can also be started manually:

$ man logwatch
logwatch [--detail level] [--logfile log-file-group] [--service service-name] [--mailto address]
[--archives] [--range range] [--debug level] [--filename file-name] [--logdir directory]
[--hostlimit hosts] [--hostname hostname] [--html_wrap number of characters]
[--hostformat host based options] [--output output-type] [--format report format]
[--encode encoding to use] [--numeric] [--version] [--help|--usage]

Example:

# logwatch --detail Low --mailto root --service sshd --range today

Here is the report:

############# Logwatch 7.4.3 (04/27/16) #################### 
         Processing Initiated: Sun Sep 18 00:06:12 2016
         Date Range Processed: yesterday
                               ( 2016-Sep-17 )
                               Period is day.
         Detail Level of Output: 0
         Type of Output/Format: mail / text
         Logfiles for Host: sukaserver
 ################################################################## 
 
 --------------------- SSHD Begin ------------------------ 
 
 Users logging in through sshd:
     pippero:
        192.168.3.101: 1 time
 
 **Unmatched Entries**
 Connection reset by 192.168.3.101 port 2130 [preauth] : 1 time(s)
 
 ---------------------- SSHD End ------------------------- 
 
 
 ###################### Logwatch End #########################

APTICRON

The machine in question ably runs Debian stable; updates are infrequent, and to save myself from checking for them every day, apticron sends me a mail to notify me of upgrades.

The packages have already been downloaded, and all I have to do is start the upgrade.

The configuration file is /etc/apticron/apticron.conf, if you want to change it.

For example, today Debian stable moved from 8.5 to 8.6 and I received a notification, of which I reproduce only a part:

apticron report [Sat, 17 Sep 2016 14:38:03 +0200]
 ========================================================================
 
 apticron has detected that some packages need upgrading on:
 
 localhost.localdomain 
 [ 192.168.0.150 ]
 
 The following packages are currently pending an upgrade:
 
 apache2 2.4.10-10+deb8u7
 apache2.2-common 2.4.10-10+deb8u7
 apache2-bin 2.4.10-10+deb8u7
 apache2-data 2.4.10-10+deb8u7
 apache2-mpm-prefork 2.4.10-10+deb8u7
 apache2-utils 2.4.10-10+deb8u7
 automake 1:1.14.1-4+deb8u1
 base-files 8+deb8u6
 clamav 0.99.2+dfsg-0+deb8u2
 clamav-base 0.99.2+dfsg-0+deb8u2
 clamav-daemon 0.99.2+dfsg-0+deb8u2
 clamav-freshclam 0.99.2+dfsg-0+deb8u2
 clamdscan 0.99.2+dfsg-0+deb8u2
 comerr-dev 2.1-1.42.12-2
 e2fslibs 1.42.12-2
 e2fsprogs 1.42.12-2
 file 1:5.22+15-2+deb8u2
 gnupg 1.4.18-7+deb8u3
 gnupg2 2.0.26-6+deb8u1
 gnupg-agent 2.0.26-6+deb8u1
 gnupg-curl 1.4.18-7+deb8u3
 gpgsm 2.0.26-6+deb8u1
 gpgv 1.4.18-7+deb8u3
 libaudiofile1 0.3.6-2+deb8u1
 libaudiofile-dev 0.3.6-2+deb8u1
 libc6 2.19-18+deb8u6
 libc6-dbg 2.19-18+deb8u6
 libc6-dev 2.19-18+deb8u6
 libc6-i686 2.19-18+deb8u6
 libc-bin 2.19-18+deb8u6
 libc-dev-bin 2.19-18+deb8u6
 libclamav7 0.99.2+dfsg-0+deb8u2
 libcomerr2 1.42.12-2
 libgudev-1.0-0 215-17+deb8u5
 libltdl7 2.4.2-1.11+b1
 libltdl-dev 2.4.2-1.11+b1
 libmagic1 1:5.22+15-2+deb8u2
 libnet-ssleay-perl 1.65-1+deb8u1
 libpam-systemd 215-17+deb8u5
 libpolkit-agent-1-0 0.105-15~deb8u2
 libpolkit-backend-1-0 0.105-15~deb8u2
 libpolkit-gobject-1-0 0.105-15~deb8u2
 libpython2.7 2.7.9-2+deb8u1
 libpython2.7-minimal 2.7.9-2+deb8u1
 libpython2.7-stdlib 2.7.9-2+deb8u1
 libruby2.1 2.1.5-2+deb8u3
 libsqlite3-0 3.8.7.1-1+deb8u2
 libss2 1.42.12-2
 libssl1.0.0 1.0.1t-1+deb8u3
 libssl-dev 1.0.1t-1+deb8u3
 libsystemd0 215-17+deb8u5
 libudev1 215-17+deb8u5
 libxml2 2.9.1+dfsg1-5+deb8u3
 libxml2-dev 2.9.1+dfsg1-5+deb8u3
 libxml2-utils 2.9.1+dfsg1-5+deb8u3
 locales 2.19-18+deb8u6
 multiarch-support 2.19-18+deb8u6
 openssl 1.0.1t-1+deb8u3
 policykit-1 0.105-15~deb8u2
 python2.7 2.7.9-2+deb8u1
 python2.7-minimal 2.7.9-2+deb8u1
 python-libxml2 2.9.1+dfsg1-5+deb8u3
 ruby2.1 2.1.5-2+deb8u3
 scdaemon 2.0.26-6+deb8u1
 sendmail-base 8.14.4-8+deb8u1
 sendmail-cf 8.14.4-8+deb8u1
 systemd 215-17+deb8u5
 systemd-sysv 215-17+deb8u5
 tzdata 2016f-0+deb8u1
 tzdata-java 2016f-0+deb8u1
 udev 215-17+deb8u5
 wget 1.16-1+deb8u1
 
 ========================================================================
 
 Package Details:
 
 Reading changelogs...
 --- Changes for libtool (libltdl7 libltdl-dev) ---
 libtool (2.4.2-1.11+b1) jessie; urgency=low, binary-only=yes
 
   * Binary-only non-maintainer upload for i386; no source changes.
   * Rebuild with current automake
 
 -- amd64/i386 Build Daemon (babin) <buildd-babin@buildd.debian.org>  Tue, 14 Oct 2014 19:21:11 +0200
 
 --- Changes for audiofile (libaudiofile1 libaudiofile-dev) ---
 audiofile (0.3.6-2+deb8u1) jessie; urgency=high
 
   * Team upload.
   * Fix CVE-2015-7747: buffer overflow when changing both sample format and
     number of channels. (Closes: #801102)
 
 -- James Cowgill <jcowgill@debian.org>  Tue, 14 Jun 2016 16:39:49 +0100
 
 --- Changes for file (file libmagic1) ---
 file (1:5.22+15-2+deb8u2) stable; urgency=high
 
   * Fix CVE-2015-8865:
     Buffer over-write in finfo_open with malformed magic file.
 
 -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de>  Mon, 09 May 2016 08:18:53 +0200
 
 --- Changes for apache2 (apache2 apache2.2-common apache2-bin apache2-data apache2-mpm-prefork apache2-utils) ---
 apache2 (2.4.10-10+deb8u7) jessie; urgency=medium
 
   * Fix installation of /lib/systemd/system/apache2.service.d/forking.conf.
 
 -- Julien Cristau <jcristau@debian.org>  Thu, 15 Sep 2016 22:42:19 +0200
 
 apache2 (2.4.10-10+deb8u6) jessie; urgency=medium
 
   * Fix race condition and logical error in init script. Thanks to Thomas
     Stangner for the patch. Closes: #822144
   * Remove links to manpages.debian.org in default index.html to avoid
     broken robots doing a DoS on the site. Closes: #821313
   * mod_socache_memcache: Increase idle timeout to 15s to allow keep-alive
     connections. Closes: #803035
   * mod_proxy_fcgi: Fix wrong behavior with 304 responses. Closes: #827472
   * Correct systemd-sysv-generator behavior by customizing some parameters.
     This fixes 'systemctl status' returning incorrect results.
     Closes: #827444
   * mod_proxy_html: Add missing config file mods-available/proxy_html.conf.
     This is intentionally not enabled during upgrade, to make it less
     likely to break existing setups. It will be enabled by a a2dismod/a2enmod
     cycle, though. Closes: #827258
...
...
...
========================================================================
 
 You can perform the upgrade by issuing the command:
 
 apt-get dist-upgrade
 
 as root on localhost.localdomain
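
One way to triage such a mail before upgrading, as an added example that is not part of the original post: the script pulls each changelog entry's urgency and any CVE identifiers out of an apticron report and keeps only the security-relevant entries. The function names are hypothetical, and the sample input is abridged from the report above.

```shell
# Constructed sample: changelog entries abridged from the apticron report above.
sample_report() {
cat <<'EOF'
 --- Changes for libtool (libltdl7 libltdl-dev) ---
 libtool (2.4.2-1.11+b1) jessie; urgency=low, binary-only=yes
 --- Changes for audiofile (libaudiofile1 libaudiofile-dev) ---
 audiofile (0.3.6-2+deb8u1) jessie; urgency=high
   * Fix CVE-2015-7747: buffer overflow when changing both sample format and
     number of channels. (Closes: #801102)
 --- Changes for file (file libmagic1) ---
 file (1:5.22+15-2+deb8u2) stable; urgency=high
   * Fix CVE-2015-8865:
     Buffer over-write in finfo_open with malformed magic file.
 --- Changes for apache2 (apache2 apache2.2-common apache2-bin) ---
 apache2 (2.4.10-10+deb8u7) jessie; urgency=medium
EOF
}

# Print one line per changelog entry: source version urgency CVE-list ("-" if none).
changelog_summary() {
    awk '
    function flush() {
        if (pkg != "") print pkg, ver, urg, (cves == "" ? "-" : cves)
        pkg = ""; cves = ""; split("", seen)
    }
    # Entry header, e.g. "audiofile (0.3.6-2+deb8u1) jessie; urgency=high"
    /^ *[a-z0-9][a-z0-9.+-]* \([^)]*\) [^;]*; urgency=/ {
        flush()
        pkg = $1; ver = $2; gsub(/[()]/, "", ver)
        urg = $0; sub(/.*urgency=/, "", urg); sub(/[, ].*/, "", urg)
        next
    }
    pkg != "" {
        line = $0
        while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
            id = substr(line, RSTART, RLENGTH)
            if (!(id in seen)) { seen[id] = 1; cves = cves (cves == "" ? "" : ",") id }
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END { flush() }'
}

# Keep only entries with an urgent changelog or at least one CVE mention.
security_relevant() {
    awk '$3 == "high" || $3 == "emergency" || $3 == "critical" || $4 != "-"'
}

sample_report | changelog_summary | security_relevant
```

On a real mail, feed the saved message to `changelog_summary` on standard input instead of `sample_report`.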

DEBIAN-GOODIES

These programs are designed to integrate with the standard shell tools, extending them to operate on the Debian packaging system.

 dgrep   - Search all files in the specified packages for a regular
           expression.
 dglob   - Generate a list of package names that match a pattern.

The following tools are also included because they are useful but do not justify a package of their own:

 debget             - fetch the .deb file of a package in APT's
                      database;
 dpigs              - show which installed packages occupy the most
                      space;
 debman             - easily view man pages from a .deb package
                      without extracting them;
 debmany            - select man pages of installed and uninstalled
                      packages;
 checkrestart       - help to find and restart processes that are
                      using old versions of upgraded files (such as
                      libraries);
 popbugs            - display a customized list of release-critical
                      bugs based on the packages in use on your
                      system (using popularity-contest data);
 which-pkg-broke    - find which package might have broken another;
 check-enhancements - find packages that enhance installed ones.

The command I use most is checkrestart, especially after I have run upgrades.

An example:

# checkrestart
 Found 76 processes using old versions of upgraded files
 (44 distinct programs)
 (40 distinct packages)
 
 Of these, 25 seem to contain init scripts which can be used to restart them:
 The following packages seem to have init scripts that could be used
 to restart them:
 smartmontools:
         1630    /usr/sbin/smartd
 fetchmail:
         21893   /usr/bin/fetchmail
 udev:
         3201    /lib/systemd/systemd-udevd
 cron:
         1622    /usr/sbin/cron
 cups-browsed:
         2523    /usr/sbin/cups-browsed
 fail2ban:
         2979    /usr/bin/fail2ban-server
 rsyslog:
         1627    /usr/sbin/rsyslogd
 openbsd-inetd:
         1626    /usr/sbin/inetd
 mdadm:
         801     /sbin/mdadm
 redis-server:
         1633    /usr/bin/redis-server
 avahi-daemon:
         2138    /usr/sbin/avahi-daemon
         2457    /usr/sbin/avahi-daemon
 openssh-server:
         16096   /usr/sbin/sshd
         27418   /usr/sbin/sshd
         16166   /usr/sbin/sshd
         27423   /usr/sbin/sshd
         1618    /usr/sbin/sshd
 ntop:
         5089    /usr/sbin/ntop
 portmap:
         1610    /sbin/portmap
 clamav-daemon:
         29153   /usr/sbin/clamd
 vnstat:
         1628    /usr/sbin/vnstatd
 cups-daemon:
         13287   /usr/sbin/cupsd
 dirmngr:
         17943   /usr/bin/dirmngr
 clamav-freshclam:
         1504    /usr/bin/freshclam
 postfix:
         3358    /usr/lib/postfix/qmgr
         3332    /usr/lib/postfix/master
 dbus:
         1697    /usr/bin/dbus-daemon
 mailgraph:
         2564    /usr/sbin/mailgraph
 webmin:
         19232   /usr/share/webmin/miniserv.pl
 at:
         1629    /usr/sbin/atd
 bandwidthd:
         2297    /usr/sbin/bandwidthd
         2296    /usr/sbin/bandwidthd
         2295    /usr/sbin/bandwidthd
         2294    /usr/sbin/bandwidthd
 
 These are the init scripts:
 service smartmontools restart
 service fetchmail restart
 service udev-finish restart
 service udev restart
 service cron restart
 service cups-browsed restart
 service fail2ban restart
 service rsyslog restart
 service openbsd-inetd restart
 service mdadm-raid restart
 service mdadm-waitidle restart
 service mdadm restart
 service redis-server restart
 service avahi-daemon restart
 service ssh restart
 service ntop restart
 service portmap restart
 service clamav-daemon restart
 service vnstat restart
 service cups restart
 service dirmngr restart
 service clamav-freshclam restart
 service postfix restart
 service dbus restart
 service mailgraph restart
 service webmin restart
 service atd restart
 service bandwidthd restart
 These processes do not seem to have an associated init script to restart them:
 bsdutils:
         2656    /usr/bin/logger
 courier-authlib:
         1781    /usr/lib/courier/courier-authlib/authdaemond
         1807    /usr/lib/courier/courier-authlib/authdaemond
         1806    /usr/lib/courier/courier-authlib/authdaemond
         1805    /usr/lib/courier/courier-authlib/authdaemond
         1804    /usr/lib/courier/courier-authlib/authdaemond
         1803    /usr/lib/courier/courier-authlib/authdaemond
         1780    /usr/sbin/courierlogger
         1794    /usr/sbin/courierlogger
 systemd:
         21684   /lib/systemd/systemd
         21683   /lib/systemd/systemd
         1       /lib/systemd/systemd
         14476   /lib/systemd/systemd-logind
         202     /lib/systemd/systemd-journald
 vlock:
         3616    /usr/sbin/vlock-main
 consolekit:
         3712    /usr/sbin/console-kit-daemon
 pgld:
         2801    /usr/sbin/pgld
 courier-base:
         1795    /usr/sbin/couriertcpd
 policykit-1:
         3786    /usr/lib/policykit-1/polkitd
 tmux:
         16245   /usr/bin/tmux
         27451   /usr/bin/tmux
         21719   /usr/bin/tmux
 mysql-server-core-5.5:
         2655    /usr/sbin/mysqld
 bash:
         21724   /bin/bash
         21759   /bin/bash
         27424   /bin/bash
         1876    /bin/bash
         2808    /bin/bash
         21721   /bin/bash
         21720   /bin/bash
         21723   /bin/bash
         27459   /bin/bash
         27440   /bin/bash
         16197   /bin/bash
         16167   /bin/bash
 mc:
         21722   /usr/bin/mc
 perl-base:
         2843    /usr/bin/perl
         2627    /usr/bin/perl
 login:
         16178   /bin/su
         27433   /bin/su
         27452   /bin/su
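
The condition that checkrestart reports can also be seen directly in /proc, shown here as an added example that is not part of the original post and not checkrestart's own code: a process that still maps an executable file marked "(deleted)" keeps running the pre-upgrade code until it is restarted. The function names are hypothetical, and the sample maps lines are constructed.

```shell
# Constructed sample in /proc/<pid>/maps format: after an upgrade the old libssl
# and libc are unlinked on disk but still mapped by the running process.
sample_maps() {
cat <<'EOF'
00400000-004c4000 r-xp 00000000 08:01 262190 /usr/sbin/sshd
7f3a10000000-7f3a10060000 r-xp 00000000 08:01 131377 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a10060000-7f3a10260000 ---p 00060000 08:01 131377 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a11000000-7f3a111a1000 r-xp 00000000 08:01 131090 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f3a12000000-7f3a12001000 rw-s 00000000 00:05 98311 /dev/shm/cache (deleted)
7f3a13000000-7f3a13021000 rw-p 00000000 00:00 0 [heap]
EOF
}

# Read maps-format text on stdin; print each deleted file that is still mapped
# executable, ignoring scratch locations where files are deleted on purpose.
stale_files() {
    awk '$NF == "(deleted)" && $2 ~ /x/ && $6 ~ /^\// &&
         $6 !~ /^\/(tmp|dev|run|var\/tmp)\// && !seen[$6]++ { print $6 }'
}

# Walk every process (run as root to see all of them) and report the ones that
# still execute code from files that were replaced on disk.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale=$(stale_files 2>/dev/null < "$maps") || continue
        [ -n "$stale" ] || continue
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
        printf '%s\n' "$stale" | sed 's/^/    /'
    done
}

sample_maps | stale_files
```

Call `scan_processes` as root after an upgrade; a process that lists a stale libssl or libc is still running the old library code.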

PS many thanks to skizzhg for debian-goodies and nemo for logwatch
