# loadmonitor.schema
#
# Attribute types and auxiliary object classes used by loadmonitor.sh.
# NOTE(review): the 5.x / 6.x OIDs are lab placeholders, not registered arcs.

# One value per host to watch; loadmonitor.sh reads it as "name/address/method"
# (multi-valued: no SINGLE-VALUE, see the uid=0 entry in utenti-server.ldif).
attributetype ( 5.1 NAME 'ammsisserver'
  DESC 'Il server da monitorare'
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# Login name loadmonitor.sh's sshcheck should use on the host.
attributetype ( 5.2 NAME 'ammsisusername'
  DESC 'username per ssh'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE )

# SNMP community for the host's snmpd: this is a credential, stored in clear.
# NOTE(review): loadmonitor.sh fetches it with an ldapsearch that passes no
# bind DN, so whoever can read the cn= entry gets the community; the
# directory ACL should limit read access to this attribute.
attributetype ( 5.4 NAME 'ammsiscommunity'
  DESC 'Community name per snmp'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE )

# Attached to the entry of the uid that runs loadmonitor.sh.
objectclass ( 6.1 NAME 'monitoredserver'
  SUP top AUXILIARY
  DESC 'Il server da monitorare'
  MUST ( ammsisserver ) )

# Attached to the cn=<host> entry of a host checked over ssh.
objectclass ( 6.2 NAME 'sshcredentials'
  SUP top AUXILIARY
  DESC 'credenziali ssh'
  MUST ( ammsisusername ) )

# Attached to the cn=<host> entry of a host checked over snmp.
objectclass ( 6.3 NAME 'snmpcredentials'
  SUP top AUXILIARY
  DESC 'credenziali snmp'
  MUST ( ammsiscommunity ) )
# utenti-server.ldif
#
# Entry for uid 0 (the user loadmonitor.sh runs as): one ammsisserver value
# per host to watch, in the form name/address/method.
dn: uid=0,dc=lab,dc=ammreti
uid: 0
objectClass: top
objectClass: account
objectClass: monitoredserver
ammsisserver: pippo/10.69.101.2/ssh
ammsisserver: pluto/10.69.101.3/snmp

# ssh credentials for pippo; loadmonitor.sh looks this up as cn=pippo.
dn: cn=pippo,dc=lab,dc=ammreti
cn: pippo
objectClass: top
objectClass: nisObject
objectClass: sshcredentials
nisMapEntry: pippo
nisMapName: pippo
ammsisusername: root

# snmp credentials for pluto; loadmonitor.sh looks this up as cn=pluto.
# NOTE(review): the entry carries ammsiscommunity, which loadmonitor.schema
# allows only through snmpcredentials (its MUST), yet it lists
# sshcredentials and lacks that class's MUST ammsisusername.  With schema
# checking enabled the server would presumably reject it;
# "objectClass: snmpcredentials" looks like what was intended.
dn: cn=pluto,dc=lab,dc=ammreti
cn: pluto
objectClass: top
objectClass: nisObject
objectClass: sshcredentials
nisMapEntry: pluto
nisMapName: pluto
ammsiscommunity: loadmon
local0.info /var/log/loadmonitor.all local0.warn /var/log/loadmonitor.err *.* /var/log/messages |
# snmpd.conf (on a host checked over snmp, e.g. pluto)
#
# Read-only community used by loadmonitor.sh's snmpcheck; it has to match the
# ammsiscommunity value of the host's cn= entry in the directory.
# NOTE(review): no SOURCE follows the community, so any host that can reach
# UDP/161 may use it; rocommunity accepts an optional source restriction
# (the monitoring host's address) after the community name.
rocommunity loadmon
# Load threshold for the UCD-SNMP laTable: laErrorFlag.1
# (1.3.6.1.4.1.2021.10.1.100.1, the OID snmpcheck polls) becomes 1 once the
# 1-minute load average exceeds 0.8 -- the same limit sshcheck applies (80/100).
load 0.8
ssh.conf operazioni da eseguire sul client
(naturalmente la seconda influenza
anche il server)
# ssh-keygen -t dsa -b 1024 # cat ~/.ssh/id_dsa.pub | ssh server_pippo "cat >> ~/.ssh/authorized_keys2" |
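#!/bin/bash
#
# iptables.sh -- lock the monitoring host down to loopback traffic only.
#
# loadmonitor.sh inserts a pinhole for each peer while a check runs and
# removes it afterwards; everything else is dropped by the chain policies.
# Needs root.  Run it from the console rather than over the network: once
# the policies are DROP, nothing but loopback gets through until a pinhole
# is added.

# Abort before touching the policies if a loopback rule cannot be added;
# otherwise a failed insert would be followed by DROP policies that also
# cut the local LDAP traffic (LDAPSERVER=localhost in loadmonitor.sh).
set -e

iptables -I INPUT  -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -I OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP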
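#!/bin/bash
#
# loadmonitor.sh
#
# NOTE: this is only a draft solution, not necessarily complete or correct.
#
# For every ammsisserver value ("nome/ip/metodo") attached to the directory
# entry of the current uid, check the host's load over ssh or snmp, log the
# result to syslog facility local0 and queue the next run of this script
# with at(1): after N minutes when the host passed, after M when it did not.
#
# Globals (exported so the at(1) job inherits them):
#   N, M        - re-schedule delay in minutes after a pass / a failure
#   LDAPSERVER  - host that serves dc=lab,dc=ammreti
# Needs ldapsearch, iptables, ssh, snmpget, logger and at, and root for
# iptables.  The firewall is assumed to be in the state iptables.sh leaves
# it (INPUT/OUTPUT policy DROP, loopback open): each check inserts a pinhole
# for its peer and removes it again before returning.

set -u  # an unset variable is a bug here, not an empty default

#######################################
# Search the lab directory.
# Globals:   LDAPSERVER (read)
# Arguments: $1 - LDAP filter body, without the enclosing parentheses
# Outputs:   the LDIF produced by ldapsearch, on stdout
# Returns:   exit status of ldapsearch (the pinhole is removed either way)
#######################################
searchldap() {
  local filter=$1 rc
  iptables -I OUTPUT -p tcp --dport 389 -d "$LDAPSERVER" -j ACCEPT
  iptables -I INPUT -p tcp --sport 389 -s "$LDAPSERVER" -j ACCEPT
  # The server is an option (-h; newer clients prefer -H ldap://host).  The
  # original passed $LDAPSERVER as a trailing argument, where ldapsearch
  # expects the list of attributes to return, so no ammsis* attribute came back.
  ldapsearch -h "$LDAPSERVER" -s sub -b "dc=lab,dc=ammreti" "($filter)"
  rc=$?
  iptables -D OUTPUT -p tcp --dport 389 -d "$LDAPSERVER" -j ACCEPT
  iptables -D INPUT -p tcp --sport 389 -s "$LDAPSERVER" -j ACCEPT
  return "$rc"
}

#######################################
# Read one attribute of a cn=<name> entry.
# Arguments: $1 - cn of the entry
#            $2 - attribute name (a literal from this script, never user data)
# Outputs:   the attribute's first value on stdout; nothing if absent
#######################################
ldap_attr() {
  local cn=$1 attr=$2
  # sed strips "attr: " including the blank that `cut -f2 -d:` used to leave.
  # The value is assigned in this shell; the original piped into `read`,
  # which ran in a subshell and left the variable empty.
  searchldap "cn=$cn" | sed -n "s/^$attr: *//p" | head -n 1
}

#######################################
# Extract the 1-minute load average from uptime(1) output as an integer in
# hundredths (0.80 -> 80), the unit the threshold is expressed in.
# Arguments: $1 - one line of uptime output
# Outputs:   the integer on stdout; nothing if "load average:" is not found
# NOTE(review): assumes "." as decimal separator in the remote locale --
# confirm on hosts with a localized uptime.
#######################################
parse_load() {
  printf '%s\n' "$1" \
    | awk -F'load averages?: ' 'NF > 1 { split($2, a, /[, ]/); printf "%d\n", int(a[1] * 100 + 0.5) }'
}

#######################################
# Check a host over ssh: its 1-minute load must be below SSH_LOAD_MAX/100.
# Globals:   SSH_LOAD_MAX (read)
# Arguments: $1 - cn of the host's entry (holds ammsisusername)
#            $2 - address to connect to
# Returns:   0 when the load is under the limit; 1 otherwise, including
#            missing user name, unreachable host or unparsable uptime
#######################################
sshcheck() {
  local nome=$1 ip=$2 uname up load
  uname=$(ldap_attr "$nome" ammsisusername)
  [[ -n "$uname" ]] || return 1
  iptables -I OUTPUT -p tcp --dport 22 -d "$ip" -j ACCEPT
  iptables -I INPUT -p tcp --sport 22 -s "$ip" -j ACCEPT
  # BatchMode: never prompt for a password -- this runs unattended from at(1).
  # The user name read from the directory was never used by the original.
  up=$(ssh -o BatchMode=yes -l "$uname" "$ip" uptime)
  iptables -D OUTPUT -p tcp --dport 22 -d "$ip" -j ACCEPT
  iptables -D INPUT -p tcp --sport 22 -s "$ip" -j ACCEPT
  # Parse locally.  The original ran awk on the remote side inside double
  # quotes, so "$10" was expanded by the local shell before ssh saw it.
  load=$(parse_load "$up")
  [[ "$load" =~ ^[0-9]+$ ]] && (( load < SSH_LOAD_MAX ))
}

#######################################
# Check a host over SNMP: laErrorFlag.1 (UCD-SNMP-MIB) must be 0, i.e. the
# load is below the "load" threshold set in the agent's snmpd.conf.
# Arguments: $1 - cn of the host's entry (holds ammsiscommunity)
#            $2 - address to query
# Returns:   0 when the flag is 0; 1 otherwise (no answer counts as 1)
#######################################
snmpcheck() {
  local nome=$1 ip=$2 comm load
  comm=$(ldap_attr "$nome" ammsiscommunity)
  [[ -n "$comm" ]] || return 1
  # SNMP is UDP/161: the original opened TCP, which snmpget never uses, so
  # with the DROP policies in place the query could not get out.
  iptables -I OUTPUT -p udp --dport 161 -d "$ip" -j ACCEPT
  iptables -I INPUT -p udp --sport 161 -s "$ip" -j ACCEPT
  # -Oqve: print only the value, numerically, so there is no "OID = INTEGER:"
  # prefix to strip (the original `cut -f2 -d=` kept " INTEGER: 0").
  # NOTE(review): the community string is visible in ps(1) while snmpget
  # runs; a per-user snmp.conf with defCommunity avoids that.
  load=$(snmpget -Oqve -v 1 -c "$comm" "$ip" 1.3.6.1.4.1.2021.10.1.100.1)
  iptables -D OUTPUT -p udp --dport 161 -d "$ip" -j ACCEPT
  iptables -D INPUT -p udp --sport 161 -s "$ip" -j ACCEPT
  [[ "$load" == 0 ]]
}

#######################################
# Queue the next run of this script with at(1).
# Globals:   SCRIPT (read) - absolute path of this script
# Arguments: $1 - delay in minutes
# The job is the output of `set` (every shell variable and function, so the
# environment is re-created) followed by the script path.
# NOTE(review): `set` also dumps read-only variables and arrays; how the
# job's shell copes with those assignments is not checked here.  Whatever is
# held in a shell variable lands in the at spool file -- review its content.
#######################################
reschedule() {
  local minutes=$1
  ( set ; printf '%s\n' "$SCRIPT" ) | at now + "$minutes" minutes
}

export M=15            # minutes before retrying a host that failed its check
export N=3             # minutes before re-checking a host that passed
export LDAPSERVER=localhost
SSH_LOAD_MAX=80        # 1-minute load * 100; mirrors "load 0.8" in snmpd.conf

# Resolve the script path once.  The original `pwd`/`basename $0` was only
# right when the script was started from its own directory.
script_dir=$(cd "$(dirname "$0")" && pwd) || exit 1
SCRIPT=$script_dir/$(basename "$0")

# Ask the directory which hosts my uid has to watch.  The filter is built
# with double quotes: the original 'uid=`id -u`' was single-quoted, so the
# backticks reached the server literally.  Each "nome/ip/metodo" value is
# split into three words; the loop runs in this shell (process substitution)
# rather than in the subshell the original pipeline ended in.
while read -r nome ip metodo; do
  printf '%s, %s, %s\n' "$nome" "$ip" "$metodo"
  # Pick the check from the method; an unknown method counts as a failure.
  case "$metodo" in
    ssh)  sshcheck "$nome" "$ip" ;;
    snmp) snmpcheck "$nome" "$ip" ;;
    *)    false ;;
  esac
  rc=$?
  # The original tested `[ $? ]`, which is true for any non-empty string
  # ("0" and "1" alike), so every host was logged as healthy and rescheduled
  # after N minutes.  Test the status value itself.
  if [ "$rc" -eq 0 ]; then
    logger -p local0.info "monitor $nome"
    reschedule "$N"
  else
    logger -p local0.warn "monitor $nome"
    reschedule "$M"
  fi
done < <(searchldap "uid=$(id -u)" | sed -n 's/^ammsisserver: *//p' | tr / ' ')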