I am new to SNMP and after some reading I have 2 questions:-
1) Does net-snmp AUTOMATICALLY send a trap when we configure the agent's snmpd.conf file with directives like trapsink, monitor, etc. for inbuilt OIDs like CPU and disk?
I am asking because I am trying to send a trap when cpu goes beyond 90%.
My agent and master are on the same linux box.
My snmptrapd.conf file:-
authCommunity log aaa
authCommunity log public
My snmpd.conf file (removing extra comment lines):-
master agentx
com2sec notConfigUser default public
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
view all included .1
view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc
access notConfigGroup "" any noauth exact systemview none none
createUser internalMonitoringName SHA mysecretpassword AES
rouser internalMonitoringName
iquerySecName internalMonitoringName
com2sec local localhost aaa
com2sec net-27 10.0.0.0/8 aaa
com2sec net-46 10.9.46.0/24 aaa
com2sec net-60 10.9.60.0/24 aaa
com2sec net-10 10.20.0.0/16 aaa
group MyRWGroup any local
group MyROGroup any net-27
group MyROGroup any net-46
group MyROGroup any net-60
group MyROGroup any net-10
access MyROGroup "" any noauth 0 all none none
access MyRWGroup "" any noauth 0 all mib2 mib2
syslocation "Somewhere in testlab"
syscontact Root root@localhost
dontLogTCPWrappersConnects yes
trap2sink localhost aaa
monitor -r 30 machineTooBusy hrProcessorLoad > 90
When I run some process to increase the CPU load, the load goes beyond 90% (I can see that in the top command) but I can't see the trap message in /var/log/messages.
What am I doing wrong here?
2) Also, my next question is: if I have a custom MIB file for which I have written an agent, can I add the variable/OID from that custom MIB with the "monitor" directive in snmpd.conf to send a trap AUTOMATICALLY? Or must I send the trap from within my agent?
Please help with my confusion...
No, it doesn't send anything automatically. You have two steps to follow:
1) define where you want to send traps or informs. That's what the trapsink and similar lines do.
2) then define what you want sent. That's what the monitor and similar directives do. The monitor directive can be used to monitor just about anything, including your own custom MIB variables.
When you include both of these, then it'll send out traps automatically (by doing internal monitoring, and then sending a trap to each configured trapsink or other destination).
Related
What the subject says. I have a user who logs in using SSH through a provider that gives him a dynamic IP from a pool; all of their IPs map to static.hostingprovider.name, but that name doesn't resolve back to the same IP address.
SSH detects this and spits out the message "POSSIBLE BREAK-IN ATTEMPT", which triggers the failregex. I want to add an exception so that, if the connection attempt comes from static.hostingprovider.name, it ignores the warning. If I just add static.hostingprovider.name to the ignoreregex list, will it simply work?
In your jail.local file add this line:
ignoreip = static.hostingprovider.name
I currently have the following DNS Query Alert rule set up in Suricata (for test purposes):
alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google"; nocase; sid:1;)
Which is triggered when it captures DNS events which contain the word "google", such as in this packet:
{"timestamp":"2017-06-08T15:58:59.907085+0000","flow_id":1798294020028434,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":52385,"proto":"UDP","dns":{"type":"answer","id":57334,"rcode":"NOERROR","rrname":"www.google.com","rrtype":"A","ttl":300,"rdata":"172.217.12.164"}}
However, instead of searching for resource record names that contain "google", I want to use this same kind of alert to trigger on IP addresses that resolve to loopback, as is the case with the following packet (Notice the rdata field):
{"timestamp":"2017-06-08T15:59:37.120927+0000","flow_id":36683121284050,"in_iface":"ens33","event_type":"dns","src_ip":"172.16.10.132","src_port":53,"dest_ip":"192.168.160.140","dest_port":62260,"proto":"UDP","dns":{"type":"answer","id":53553,"rcode":"NOERROR","rrname":"outlook1.us","rrtype":"A","ttl":120,"rdata":"127.0.0.1"}}
As I have noticed, the content section of a Suricata rule searches only for a string.
My current rule triggers on a text match with the rrname/domain; how would I make it so that the rule triggers on the rdata/IP address?
p.s.
Just out of curiosity I tried replacing the "google" in the content section of my alert with "127.0.0.1" and that didn't work either, as expected.
The IP address is just a 32-bit number. In the rule, the IP should be represented as a hex value and not a string, for purposes of efficiency and saving bandwidth (a string will be 8+ bytes as opposed to 4 bytes).
Here is my final Suricata rule to alert whenever somebody gets sent to loopback on my network:
alert dns any any -> any any (msg:"BLACKLISTED DOMAIN"; content:"|7F 00 00 01|"; sid:1;)
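The point the answer makes, as an added example that is not part of the original question or answer: an A-record address travels as four raw bytes, so the text "127.0.0.1" never appears in the packet and only the hex form can match it. The block renders any IPv4 address in Suricata's |hex| content notation, shows the text and wire encodings side by side, and runs the same loopback check offline over EVE JSON records (the two sample records are taken from the question above), widened from the single address 127.0.0.1 to the whole 127.0.0.0/8 block. The JSON structure assumed is exactly the one the question shows; nothing here is Suricata's own code.

```python
"""Added example: Suricata content for an IPv4 rdata value, and an offline
loopback check over EVE JSON dns events. Not part of the original answer."""
import ipaddress
import json

# Constructed from the two EVE records quoted in the question (trimmed to the fields used).
SAMPLE_EVE = [
    '{"timestamp":"2017-06-08T15:58:59.907085+0000","event_type":"dns",'
    '"dns":{"type":"answer","id":57334,"rcode":"NOERROR","rrname":"www.google.com",'
    '"rrtype":"A","ttl":300,"rdata":"172.217.12.164"}}',
    '{"timestamp":"2017-06-08T15:59:37.120927+0000","event_type":"dns",'
    '"dns":{"type":"answer","id":53553,"rcode":"NOERROR","rrname":"outlook1.us",'
    '"rrtype":"A","ttl":120,"rdata":"127.0.0.1"}}',
]

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def ip_to_content(ip: str) -> str:
    """Render an IPv4 address as the Suricata |hex| content for its 4 wire bytes."""
    packed = ipaddress.IPv4Address(ip).packed
    return "|" + " ".join(f"{b:02X}" for b in packed) + "|"


def content_to_bytes(content: str) -> bytes:
    """Inverse of ip_to_content: '|7F 00 00 01|' -> b'\\x7f\\x00\\x00\\x01'."""
    return bytes.fromhex(content.strip("|").replace(" ", ""))


def text_vs_wire(ip: str) -> tuple:
    """Return (text encoding, wire encoding): only the second one is in the packet."""
    return (ip.encode("ascii"), ipaddress.IPv4Address(ip).packed)


def loopback_answers(eve_lines) -> list:
    """Return (rrname, rdata) for every A answer whose rdata lies in 127.0.0.0/8.

    Same condition as the final rule, applied to EVE output after the fact and
    generalised from one address to the whole loopback block.
    """
    hits = []
    for line in eve_lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "dns":
            continue
        dns = event.get("dns", {})
        if dns.get("type") != "answer" or dns.get("rrtype") != "A":
            continue
        try:
            addr = ipaddress.IPv4Address(dns["rdata"])
        except (KeyError, ValueError):
            continue  # missing or malformed rdata: skip the record rather than crash
        if addr in LOOPBACK:
            hits.append((dns["rrname"], dns["rdata"]))
    return hits


if __name__ == "__main__":
    print(ip_to_content("127.0.0.1"))  # |7F 00 00 01|
    print(text_vs_wire("127.0.0.1"))
    print(loopback_answers(SAMPLE_EVE))
```

A full four-byte content such as |7F 00 00 01| is the least ambiguous form; a shorter pattern like |7F| alone would match any occurrence of that byte anywhere in the payload, so widening the rule to a whole prefix is better done on the log side, as loopback_answers does, than by shortening the content.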
I want to transfer a call from the first executive to the second executive when a customer calls the first executive by mistake. How can the first executive map the customer to the second executive by pressing a key, using Asterisk technology?
Default transfer is *2. For the exact code, check features.conf.
You also have the dialplan Transfer application, which you can map on any other extension.
You have the Transfer AMI command, usable via the Asterisk Management Interface (AMI).
The question is a bit vague, but since you put freepbx on the tags, I suppose you are using freepbx generated dialplan.
If I understand well, when a certain inbound context calls executive1 you want
1) them to be automagically redirected on executive2 before executive1 answers
or
2) executive1 answers, realizes that call is wrong and blind-transfers call to executive2 pressing a single button (= DTMF).
CASE 1 - Automatic redirection
Edit your /etc/asterisk/extensions_custom.conf
[your inbound context]
exten => <executive 1 number>,1,Goto(your inbound context,executive2 number,1)
You can find the name of your inbound context in the freepbx automatic generated dialplan, or in the freepbx GUI
CASE 2 - In-call transfer
Refer to this post to define a new feature code for in-call transfer. Unfortunately your feature code will likely be some #digit
Associate the application
Goto(your inbound context, executive2 number, 1)
to the feature code
Hope this will help.
I know this might be a dummy question or a question that comes from lack of knowledge, but I hope someone can still answer it. I did try to read a lot of Postfix documentation but found no answer to this. I don't even know if it's a Postfix specific or mail servers general question.
So I have a mail server, just a clean Postfix install that delivers email.
I've defined my users and connected with IMAP and SMTP using Thunderbird.
When I went to Thunderbird account settings and disabled "place a copy", Postfix did not put a copy of the sent message in the user .Sent folder.
However, I've also connected my Gmail, Hotmail or Yahoo mail and disabled the "place a copy" and still have a copy in the sent items folder.
So in this case there are 2 options:
Something is wrong with my Postfix configuration
Gmail, Hotmail, Yahoo put a copy in their sent folder as a different process on the server side
Just for the record, having searched around for a how to, and not finding one, I am posting it here:
The only (easy) way I've found to save sent emails is the sender_bcc solution (with its attendant faults):
I am using postfix / dovecot / sieve / mysql virtual boxes
In /etc/postfix/main.cf add:
sender_bcc_maps = mysql:/etc/postfix/mysql-virtual-bcc-maps.cf
Create file /etc/postfix/mysql-virtual-bcc-maps.cf:
user = (database user)
password = (database password)
hosts = 127.0.0.1
dbname = (database databasename)
query = SELECT CONCAT_WS('',LEFT('%s', LOCATE('@', '%s')-1),'+sent@',SUBSTRING('%s', LOCATE('@', '%s')+1)) AS destination FROM virtual_users WHERE email='%s' AND autosent=1
You'll note in my query, I've added a (tinyint default 0) column to my virtual_users table so I can turn on/off this automatic sent items feature per user. This query takes the sender email address that postfix gives it, splits it in half at the @ sign, and adds +sent to the address so it looks like sender+sent@domain.tld. This allows sieve in the next step to pick it up and drop it straight to sent items.
In /etc/dovecot/sieve/default.sieve add:
require ["fileinto", "mailbox", "envelope", "subaddress", "imap4flags"];
if envelope :detail "to" "sent" {
    addflag "\\Seen";
    fileinto :create "Sent";
    stop;
}
Also helpful to modify /etc/dovecot/conf.d/15-mailboxes.conf and add the auto subscribe to sent (and junk and trash and others for that matter):
mailbox Sent {
    special_use = \Sent
    auto = subscribe
}
I think that is all (I'm posting this the next day after doing it, so I think I got it all...)
Postfix itself does not place copies of sent messages anywhere; it receives messages and delivers them to the recipient. Saving sent messages to your own mailbox is the responsibility of your user agent (Thunderbird, in your case).
It's important to understand that Postfix (and other traditional Unix SMTP servers) don't have a "user" concept. Yes, if so configured it's possible to authenticate by supplying a username and a password, but Postfix doesn't use this identity information.
That said, it's not impossible to configure Postfix to do what you expected – sender_bcc_maps can be used to add a recipient to messages sent by you, and by adding yourself and using a filter in your mail client (or mail delivery agent like procmail) you can make sure that messages sent by you end up in the Sent folder.
I am running an installation with automatic copies created by sender_bcc_maps. It's working fine. You have to check the sender, otherwise everyone can create sent mails in foreign sent folders.
I have solved it with two virtual domains. One for the user and one for the copy.
But there is a big problem with sender_bcc_maps. All bcc senders will be deleted in the sent copy. You cannot see anymore, who got a blind copy of this mail.
As 'ego2dot0' said above, you don't need any MDA filters (sieve etc.) to do this. It can be done using Postfix alone, although it took me a while to figure out how to do it.
You have to use sender_bcc_maps AND virtual_mailbox_maps features together.
You have to use a virtual domain dedicated specially for copies to self. If your actual domain is "your.domain.tld", you can use e.g. the subdomain "copyself.your.domain.tld". This subdomain does not have to actually exist, i.e. be defined in the DNS (moreover, it's better that it isn't defined, so nobody accidentally sends mail to it from outside). It is a purely virtual domain that is recognized only by Postfix.
1) Configure sender_bcc_maps to BCC mail coming from user@your.domain.tld to user@copyself.your.domain.tld. You can do it for only a few selected users using a regular "hash" type map, or you can do it for all users at once using a PCRE type map and regular expressions.
2) You have to define your virtual domain in virtual_mailbox_domains, like this:
virtual_mailbox_domains=copyself.your.domain.tld
3) Configure virtual_mailbox_maps so that the destination mailbox for the address "user@copyself.your.domain.tld" is the actual "Sent" mailbox of the user "user". For example (assuming that you are using regular system users and Maildir format, like in my case) the path to the "Sent" mailbox for user "user" will be "/home/user/Maildir/.Sent". So, you can define the common part of the path as virtual_mailbox_base, e.g.
virtual_mailbox_base=/home
and then in the virtual mailbox map enter the rest of the path like this:
user@copyself.your.domain.tld user/Maildir/.Sent/
(the trailing / is important to indicate the Maildir format).
Again, you can use PCRE type map to do this for all users.
4) To properly save mail to the mailbox, Postfix also needs to know the proper UID and GID for the particular user, so you have to use the virtual_uid_maps and virtual_gid_maps parameters as well. If you are using virtual users, it's probably enough to define "static" type maps specifying a single UID and GID of the system user that owns all the virtual mailboxes. However, if you are using system users like me, you need the proper actual UID and GID for every user. If you have only a few users, you can use a regular "hash" type map, with entries like these:
user@copyself.your.domain.tld 2001
or you can try to set up a pipeline with the "pipemap" map type, which uses some PCRE maps and the "unix:passwd.byname" map to obtain the UIDs and GIDs for all users (I haven't done this part, as my Postfix installation is compiled without "pipemap" type support).
So to sum everything up, use something like this:
In /etc/postfix/main.cf file, add the following lines:
sender_bcc_maps=hash:/etc/postfix/sender_bcc
virtual_mailbox_domains=copyself.your.domain.tld
virtual_mailbox_base=/home
virtual_mailbox_maps=hash:/etc/postfix/copyself
virtual_uid_maps=hash:/etc/postfix/copyself_uids
virtual_gid_maps=hash:/etc/postfix/copyself_gids
/etc/postfix/sender_bcc contains a bunch of lines like:
user@your.domain.tld user@copyself.your.domain.tld
/etc/postfix/copyself contains - respectively - lines like:
user@copyself.your.domain.tld user/Maildir/.Sent/
/etc/postfix/copyself_uids and /etc/postfix/copyself_gids contain - respectively - lines like:
user@copyself.your.domain.tld 2001
I have done this on my server and it works great for me.
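The four lookup tables summarised in the answer above, generated for a list of system users, as an added example that is not part of either answer or of Postfix itself. It also covers the address rewrite performed by the MySQL query in the sieve-based answer earlier (user@domain to user+sent@domain). The user list, uid/gid values and domain names are constructed for the example; the tables it writes still have to be compiled with postmap as usual. Two points the prose makes are enforced in code: only senders listed for the local domain get a copy (the "check the sender" remark), and a username that could escape virtual_mailbox_base (a slash or "..") is refused before it ends up in a mailbox path.

```python
"""Added example: build the sender_bcc / virtual_mailbox / uid / gid hash
tables described above, plus the user+sent@domain rewrite. Not the answers'
own code; users, uid/gid values and domains below are constructed."""
import re
from pathlib import Path

DOMAIN = "your.domain.tld"
COPY_DOMAIN = f"copyself.{DOMAIN}"  # purely virtual, deliberately absent from DNS

# Constructed sample users: (username, uid, gid)
USERS = [("alice", 2001, 2001), ("bob", 2002, 2002)]

# Plain account names only: no "/" or ".." that could escape virtual_mailbox_base
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def _check(user: str) -> str:
    if not USERNAME_RE.match(user):
        raise ValueError(f"refusing unsafe username in map: {user!r}")
    return user


def sender_bcc_entries(users, domain=DOMAIN, copy_domain=COPY_DOMAIN) -> dict:
    """sender_bcc_maps: user@domain -> user@copyself.domain."""
    return {f"{_check(u)}@{domain}": f"{u}@{copy_domain}" for u, _, _ in users}


def mailbox_entries(users, copy_domain=COPY_DOMAIN) -> dict:
    """virtual_mailbox_maps: path below virtual_mailbox_base=/home; trailing / means Maildir."""
    return {f"{_check(u)}@{copy_domain}": f"{u}/Maildir/.Sent/" for u, _, _ in users}


def uid_entries(users, copy_domain=COPY_DOMAIN) -> dict:
    """virtual_uid_maps: the owning uid for each copy address."""
    return {f"{_check(u)}@{copy_domain}": str(uid) for u, uid, _ in users}


def gid_entries(users, copy_domain=COPY_DOMAIN) -> dict:
    """virtual_gid_maps: the owning gid for each copy address."""
    return {f"{_check(u)}@{copy_domain}": str(gid) for u, _, gid in users}


def render(table: dict) -> str:
    """One 'key value' line per entry, the text input format of postmap(1)."""
    return "".join(f"{k} {v}\n" for k, v in table.items())


def write_tables(directory, users=USERS) -> list:
    """Write sender_bcc, copyself, copyself_uids and copyself_gids into directory."""
    directory = Path(directory)
    tables = {
        "sender_bcc": sender_bcc_entries(users),
        "copyself": mailbox_entries(users),
        "copyself_uids": uid_entries(users),
        "copyself_gids": gid_entries(users),
    }
    written = []
    for name, table in tables.items():
        path = directory / name
        path.write_text(render(table))
        written.append(path)
    return written


def bcc_for_sender(sender: str, table: dict):
    """Lookup as sender_bcc_maps does it: only a listed local sender gets a copy address.

    Anyone not in the table gets None, which is what keeps a foreign sender from
    dropping mail into somebody else's Sent folder.
    """
    return table.get(sender.strip().lower())


def plus_sent_address(sender: str) -> str:
    """The rewrite the MySQL query in the sieve answer performs: user@dom -> user+sent@dom."""
    local, at, domain = sender.partition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an address: {sender!r}")
    return f"{local}+sent@{domain}"


if __name__ == "__main__":
    for name, table in (("sender_bcc", sender_bcc_entries(USERS)),
                        ("copyself", mailbox_entries(USERS)),
                        ("copyself_uids", uid_entries(USERS)),
                        ("copyself_gids", gid_entries(USERS))):
        print(f"# {name}")
        print(render(table), end="")
```

Point write_tables at /etc/postfix (or a staging directory first), run postmap on each file, and the main.cf lines from the answer can be used unchanged.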
I have a server at home with basic DSL. I registered a domain name (at GoDaddy) and can login remotely just fine. However, this requires the input of the IP address and a static IP would be prohibitively expensive. I haven't found a good dynamic service. Instead, it seems that my IP address doesn't change very often--maybe once a month--and so it's just as easy for me to update the GoDaddy domain information. However, I would like to receive an alert from my server when this change happens. Here's the script that I wrote to do this:
#!/bin/bash
oldipinfo=""
while [ 1 ]
do
    sleep 3600
    ipinfo=`lynx -dump checkip.dyndns.org`
    if [ ipinfo != oldipinfo ]
    then
        echo "New IP for server $(ipinfo)" | mail -s "NEW IP!" myaddress@gmail.com
        echo $ipinfo >> ipinfo.out
        oldipinfo=ipinfo
    fi
done
This actually e-mails me (and updates the file) every hour, so I've done something wrong?
Thanks for your help!
JV
You never read the oldipinfo from the file you cache it in, so your script always has oldipinfo set to an empty string, meaning that "" != x.x.x.x will always be true.
You should have
oldipinfo=`cat ipinfo.txt`
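The same hourly check with the previous address kept in a file, as an added example that is neither the asker's script nor the answer's code. Keeping the state on disk is the fix the answer describes (the value survives a restart and the first run after a reboot does not alert). Written in Python rather than bash, it also sidesteps the expansion slips in the posted script, where `[ ipinfo != oldipinfo ]` compares the two literal words, `$(ipinfo)` tries to run a command called ipinfo, and `oldipinfo=ipinfo` stores the literal string. Assumptions: the address is fetched from checkip.dyndns.org as in the question and appears as plain text somewhere in the page body (an assumption, not verified here); the cache path and the alert address are placeholders; only the cache logic and the address extraction are exercised offline.

```python
"""Added example: IP-change alert with the last seen address cached on disk.
Not the asker's script; cache path, mail address and page format are assumptions."""
import ipaddress
import re
import subprocess
import time
import urllib.request
from pathlib import Path

CACHE = Path("ipinfo.out")           # placeholder: where the last seen address is kept
MAIL_TO = "alerts@example.invalid"   # placeholder alert recipient
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_ip(page_text: str):
    """Return the first valid IPv4 address found in the fetched page text, or None."""
    for candidate in IPV4_RE.findall(page_text):
        try:
            return str(ipaddress.IPv4Address(candidate))
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
    return None


def fetch_public_ip(url="http://checkip.dyndns.org"):
    """Network fetch replacing the lynx -dump call (assumes the page shows the address as text)."""
    with urllib.request.urlopen(url, timeout=20) as resp:
        return extract_ip(resp.read().decode("utf-8", "replace"))


def ip_changed(current: str, cache: Path = CACHE) -> bool:
    """Compare against the cached address and update the cache when it differs.

    Reading the old value from the file is what the posted script never did:
    its oldipinfo started as "" on every run, so every hour looked like a change.
    """
    old = cache.read_text().strip() if cache.exists() else ""
    if current == old:
        return False
    cache.write_text(current + "\n")
    return True


def notify(ip: str, to: str = MAIL_TO) -> None:
    """Send the alert with the local mail command, as the original script does."""
    subprocess.run(["mail", "-s", "NEW IP!", to],
                   input=f"New IP for server {ip}\n", text=True, check=False)


def main() -> None:
    while True:
        ip = fetch_public_ip()
        if ip and ip_changed(ip):
            notify(ip)
        time.sleep(3600)


if __name__ == "__main__":
    main()
```

Run it under a supervisor or from cron instead of the sleep loop if you prefer; ip_changed behaves the same either way because the state lives in the file, not in the process.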