Edgemarc Configuration

Can't use the Firewall 2. Breaks the connection and doesn't allow rtp traffic to flow. The call setup and teardown will work but no audio will be sent or received.
The traffic shaper should be used by setting the upstream and down stream bandwidth to a little less than the circuit supports that way the edgemarc will prioritize the voice packets and drop the data packets instead of allowing random packets to dropped later in the connection because there is not enough bandwidth to support all the traffic. The suggested bandwidth value for one T1 is 1320 kbps.

Installing Nagios on Fedora

If you follow these instructions, here's what you'll end up with:
  • Nagios and the plugins will be installed underneath /usr/local/nagios
  • Nagios will be configured to monitor a few aspects of your local system (CPU load, disk usage, etc.)
  • The Nagios web interface will be accessible at http://localhost/nagios/
  • Preparing Linux for Nagios installation
    • Make sure you've installed the following packages on your Fedora installation before continuing
      • Apache
      • GCC compiler
      • GD development libraries
    •  They can be installed by running
      • yum install httpd
      • yum install gcc
      • yum install glibc glibc-common
      • yum install gd gd-devel
    • Become the root user.
      • su -l
    • Create a new nagios user account and give it a password.
      • /usr/sbin/useradd -m nagios passwd nagios
    • Create a new nagcmd group for allowing external commands to be submitted through the web interface. Add both the nagios user and the apache user to the group.
      • /usr/sbin/groupadd nagcmd /usr/sbin/usermod -a -G nagcmd nagios /usr/sbin/usermod -a -G nagcmd apache
  • Create a directory for storing the downloads.
    • mkdir ~/downloads
    • cd ~/downloads
  • Download the source code tarballs of both Nagios and the Nagios plugins
    • wget http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.1.2.tar.gz
    • wget http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.13.tar.gz
  • Compile and Install Nagios
    • Extract the Nagios source code tarball.
      • cd ~/downloads tar xzf nagios-3.1.2.tar.gz cd nagios-3.1.2 
    • Run the Nagios configure script, passing the name of the group you created earlier like so
      • ./configure --with-command-group=nagcmd
    • Compile the Nagios source code.
      • make all
    • Install binaries, init script, sample config files and set permissions on the external command directory.
      • make install
      • make install-init
      • make install-config
      • make install-commandmode
  • Customize Configuration
    • Sample configuration files have now been installed in the /usr/local/nagios/etc directory. These sample files should work fine for getting started with Nagios. You'll need to make just one change before you proceed... 
      •  Edit the /usr/local/nagios/etc/objects/contacts.cfg config file with your favorite editor and change the email address associated with the nagiosadmin contact definition to the address you'd like to use for receiving alerts.
        • nano /usr/local/nagios/etc/objects/contacts.cfg
  • Configure the Web Interface
    • Install the Nagios web config file in the Apache conf.d directory.
      • make install-webconf
    • Create a nagiosadmin account for logging into the Nagios web interface. Remember the password you assign to this account - you'll need it later.
      • htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
    • Restart Apache to make the new settings take effect.
      • service httpd restart
  • Compile and Install the Nagios Plugins
    • Extract the Nagios plugins source code tarball.
      • cd ~/downloads tar xzf nagios-plugins-1.4.11.tar.gz cd nagios-plugins-1.4.11
    • Compile and install the plugins.
      • ./configure --with-nagios-user=nagios --with-nagios-group=nagios make make install
  • Start Nagios
    • Add Nagios to the list of system services and have it automatically start when the system boots.
      • chkconfig --add nagios chkconfig nagios on 
    • Verify the sample Nagios configuration files
      • /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
    • If there are no errors, start Nagios.
      • service nagios start
  • Modify SELinux Settings
    • Fedora ships with SELinux (Security Enhanced Linux) installed and in Enforcing mode by default. This can result in "Internal Server Error" messages when you attempt to access the Nagios CGIs.
      • See if SELinux is in Enforcing mode.
        • getenforce
      • Put SELinux into Permissive mode.
        • setenforce 0
      • To make this change permanent, you'll have to modify the settings in /etc/selinux/config and reboot.
    • Instead of disabling SELinux or setting it to permissive mode, you can use the following command to run the CGIs under SELinux enforcing/targeted mode:
      • chcon -R -t httpd_sys_content_t /usr/local/nagios/sbin/ chcon -R -t httpd_sys_content_t /usr/local/nagios/share/
  • Login to the Web Interface
    • You should now be able to access the Nagios web interface at the URL below. You'll be prompted for the username (nagiosadmin) and password you specified earlier.
      • http://localhost/nagios/ 

To make sure an snmp check is working you can issue the following command in /usr/local/nagios/libexe.

./check_snmp -H -p -w 35 -c 40 -o 1.3.6.1.4.1.1748.3.1.1.6.0
 

    Preparing Fedora

    # Install wget a utility for retrieving files using the HTTP or FTP protocols
    yum install wget

    # Install wput a utility for uploading files or whole directories to remote ftp-servers
    yum install wput

    #install apache
    install httpd

    #install GNU Compiler Collection (GCC). A compiler system produced by the GNU Project #supports languages: C, C++, Objective-C, Fortran, and Java compiler
    yum install gcc

    #install the corresponding desired libraries
    yum install gcc-ada
    yum install gcc-java
    yum install gcc-objc

    Meditarix Configuration

    g711pcmu must be enabled to work with the voice portal, if it is not you will get a half a ring and then a fast busy

    Mediatrix 1124 Firmware Upgrade

    If you pick static file for the firmware you must specify the location of the folder containing the firmware (without beginning and ending "/") :
    zend_crm/public/files/firmware/mediatrix/current/1124

    if you pick remote file for the firmware you must specify the location of the Setup.inf file:
    zend_crm/public/files/firmware/mediatrix/current/1124/Setup.inf

    Installing and Configuring TFTP Server on Linux

    • Install
      • yum install tftp-server
    • Setup 
      • nano /etc/xinetd.d/tftp
        • Find disable = yes, make it no 
        • change server_args to the location that you want the root of the tftp server to be in 
          • -v is necessary so the tftp will log all requests 
          • -c option allows you to upload files to the tftp server without them first existing






          • server_args             = -v -s /tftpboot 
    • Start TFTP Server (Note: auto-startup tftp might not be good idea)
      •  /sbin/chkconfig tftp on
      • /sbin/chkconfig xinetd on




      • /sbin/service xinetd start 
    • Testing
      •  touch /tftpboot/test
      • From another computer, Linux, OS X:
        • tftp [ip of tftp server]
        • tftp get test
        • tftp quit
      • From another computer, Windows OS:
        • tftp 192.168.0.1 GET test
        • If you can see “test” under the current directory, then this TFTP server should work properly.
        • If not, check the firewall, open UDP port 69. You can run system-config-security to open it.
      • You can use grep tftp /var/log/messages to see the log

    Upgrading Cisco 7940 Firmware and Configuring

    Upgrading Firmware

    • Key things to remember before beginning the upgrade
    • Must go from SCCP 3.1 to SIP 2.3 to SIP 6.3 to SIP 7.5. All version 8 software seem to go into a never ending reboot cycle
    • At a certain point **# no longer unlocks the phone and you must type the password "cisco" in to configure the phone
    • All of Cisco's information about upgrading firmware can be found at:
      http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7960g_7940g/mgcp/firmware/matrix/frmwrup.html

    • Download firmware from
      http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=6.3&mdfid=268437897&sftType=Session+Initiation+Protocol+%28SIP%29+Software&optPlat=&nodecount=27&edesignator=null&modelName=Cisco+Unified+IP+Phone+7940G&treeMdfId=278875243&modifmdfid=null&imname=&treeName=Wireless&hybrid=Y&imst=N

    • Place necessary files in root of TFTP server
    • The phone first looks for OS79XX.txt.  The OS79XX.TXT file must only contain the name of the file that you attempt to load, without the .bin extension.

    • If you convert from SCCP to SIP and the version you attempt to load is SIP 2.3 software or earlier, the OS79XX.TXT must be in the format of POS3xxyy . For example, if the SIP software version is 2.2, the file must contain POS30202.
    •  If you convert from SCCP to SIP and the version you attempt to load is SIP 3.0 software or later, the OS79XX.TXT must be in the format of POS3-xx-y-zz . For example, if the SIP software version is 7.4, the file must contain POS3-07-4-00.
    •  If you convert from SIP to SCCP, the OS79XX.TXT must be in the format of P003aabbccdd. For example, if the SCCP software version is 7.2(3), the file must contain P00307020300.

    • Configure network settings of the phone
    • Turn DHCP off
    • Set IP Address
    • Set netmask
    • Set default gateway
    • Set DNS

    • Set address of primary TFTP server

    • Reboot the phone to begin downloading the new firmware
    Configuring Phone
    • The SipDefault.cnf has all of the main configuration settings that are the same for each phone.
    • The SipMAC.cnf has all of the phone specific settings line/port and authentication information.
    • The SEPMAC.cnf.xml just tells what load to use
    • The O79XX.txt just tells what load to use (it is loaded first in most cases)

    Call Waiting With Broadsoft and Mediatrix 1124s

    Call waiting is only dependent upon its status in the Mediatrix 1124. If it is disabled in the Mediatrix 1124, the second caller gets a busy signal, if it is enabled in the Mediatrix 1124, the second caller hears and ring and the callee hears a tone to indicate the second call. Call waiting is no way dependent upon Broadsoft

    Installing and Configuring Apache & PhpMyAdmin on Fedora

    If you install Phpmyadmin on Fedora using yum, it will place the files in /usr/share/phpmyadmin
    and will add phpmyadmin.conf to the /etc/httpd/conf.d folder. To configure http://[url]/phpmyadmin to go to the /usr/share/phpmyadmin folder

    Nagios & Sendmail SMTP Relay

    When a notification has made it successfully through all of the filters it executes the commands defined in host_notification_commands or the service_notification_commands directive for the contact that is being notified. These commands are defined /usr/local/nagios/etc/commands.cfg.  The default notify-service-by-email command uses the /usr/bin/mail script to send emails. This script allows users to send emails quickly by using the sendmail server that comes installed with Fedora OS.

    In order for nagios to be able send valid email (email that won't be blocked by spam filters and has a valid return address) on behalf of a domain who's mail server is not the local machine, the local mail server must relay all emails to that domain's mail server. By default most mail servers will only receive emails sent to users of the domains it is responsible for. Only after authenticating can a user send mail from the server to outside domain. If the ability to send mail to any domain was available to unauthenticated users, anyone could send limitless spam from the server. Thus in order for sendmail to be able to send email to domains other than the domains the mail server it will be relaying to is responsible for, it must authenticate with the relay server.

    Before configuring sendmail, it is important check to make sure the relaying server is configured properly to allow an authenticated user to send mail. This can be confirmed by:
    • telnet to the relay mail server
      • telnet [relay server's hostname/ip] [port]
      • 220 Smokey.ip2business.com Microsoft ESMTP MAIL Service ready at Wed, 26 May 2010 17:41:52 -0400
    • issue ehlo command to see the mail server's list of extensions. The mail server must support the AUTH LOGIN extension to allow users to authenticate.
      • ehlo client-domain.com
      • 250-mailserver-domain.com Hello [ip address]
        250-SIZE
        250-PIPELINING
        250-DSN
        250-ENHANCEDSTATUSCODES
        250-X-ANONYMOUSTLS
        250-AUTH NTLM LOGIN
        250-X-EXPS GSSAPI NTLM
        250-8BITMIME
        250-BINARYMIME
        250-CHUNKING
        250-XEXCH50
        250 XRDST
    • Make sure the mail server is not an open relay (allows unauthenticated users to send mail to domains not handled by the server) by attempting to send an email to an outside domain. If an error message is not generated after the "rcpt to" command, this security issue must be fixed.
      • mail from: doesnt-matter@domain.com
      • 250 2.1.0 Sender OK
      • rcpt to: doesnt-matter@external-domain.com
      • 550 5.7.1 Unable to relay
      • rset
      • 250 2.0.0 Resetting
    • Now authenticate with the mail server and attempt to send the email again
      • Issue the auth login command to initiate the authentication process. The server will respond with "Username:" in base64 encoding
      • auth login
      • 334 VXNlcm5hbWU6
      • enter your username in base64 encoding. This site will convert for you: http://www.opinionatedgeek.com/dotnet/tools/base64encode/
      • [username in base64]
      • 334 UGFzc3dvcmQ6
      • The mail server then responds by asking for your password in base64
      • [password in base64]
      • 235 2.7.0 Authentication successful
      • mail from: doesnt-matter@mail-server-domain.com
      • 250 2.1.0 Sender OK
      • rcpt to: doesnt-matter@external-domain.com
      • 250 2.1.5 Recipient OK
      • data
      • 354 Start mail input; end with .
      • Subject: "[Text for the subject line]"
      • [Text for the body of the email]
      • .
      • 250 2.6.0 <3325ca07-af24-4837-96b2-c0fe558897d7@domain.com> Queued mail for delivery
    Once you have verified the relaying server has been configured properly, sendmail can be configured to send all of its mail to the relay server by using the SMART_HOST directive and SMTP_AUTH with PLAIN mech for authentication. The following directions come from http://www.screaming-penguin.com/node/4214.  Many Linux distros use Sendmail as the default MTA (Fedora among them).
    1. Note that the default locations on Fedora (and many distros) for Sendmail installed files is "/etc/mail". sendmail.cf, sendmail.mc, access map, so on, are located at /etc/mail.
    2. Check that your Sendmail binary has STARTTLS and SASL support: sendmail -d0.1 -bv Make sure STARTTLS and SASL are present in the output, this is the default on Fedora and other distors now so they are likely alread there - if you do not have these you need to backup and recompile sendmail to include them. Yes the client usage requires them.
    3. Edit your sendmail.mc to include the "smart host" option. (Use brackets here if you want sendmail to skip an MX record lookup and use the A record - `[mail.bellsouth.net]'. Don't use brackets if you need the MX - `mail.bellsouth.net'. If you are unsure try it with brackets and if it doesn't work take them out.) define(`SMART_HOST',`[mail.bellsouth.net]')
    4. Edit your sendmail.mc to setup a map for "authinfo". FEATURE(`authinfo',`hash /etc/mail/authinfo.db')
    5. Check the rest of your sendmail.mc to make sure that things are sane and items relevant to STARTTLS and SASL are uncommented and valid. For example check to ensure you have the certificate related entries (and that these entries are valid - you may have to create the sendmail.pem cert - from the cert dir "make sendmail.pem" assuming you have the OpenSSL libraries available): define(`confCACERT_PATH',`/usr/share/ssl/certs') define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt') define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem') define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem') Make sure you also have the auth mechanisms defined/uncommented (I am not sure this should be required just for the client - but I had to enable to get things working): define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl define(`confAUTH_OPTIONS', `A p y')dnl TRUST_AUTH_MECH(`LOGIN PLAIN')dnl Also you should turn up the logging temporarily in order to verify things: define(`confLOG_LEVEL', `20')dnl
    6. Create the "authinfo" file in (the file that tells the SMTP_AUTH client what credentials to login with for what domain). AuthInfo:mail.bellsouth.net "U:root" "I:user@bellsouth.net" "P:password" "M:LOGIN PLAIN"
    7. With the newly edited "sendmail.mc" file use m4 (the sendmail macro burner) to create "sendmail.cf". m4 sendmail.mc > sendmail.cf
    8. With the newly created "authinfo" file make the authinfo.db which sendmail will use. makemap hash /etc/mail/authinfo < /etc/mail/authinfo
    9. Restart sendmail (default /etc/init.d/sendmail restart) and check the logs (default /etc/maillog) to make sure there are no issues/errors/warnings. Errors such as unable to find STARTTLS certificate need to be addressed before you proceed, really there should be no errors or warnings, these have meanings. ;)
    10. Run a map test to ensure that the "authinfo" db is being correctly picked up by your new sendmail configuration. echo '/map authinfo AuthInfo:mail.bellsouth.net' | /usr/sbin/sendmail -bt If this is found and there is an entry then proceed, otherwise something is amiss with authinfo and that needs to be addressed.
    11. OPTIONAL - Make an alias for the "root" user to go to an actual external email account (if not already done). For example in /etc/aliases change the line under "Person that should get root's email" to go to "root: user@gmail.com" where that is a valid external email account. Make sure to run "newaliases" to invoke.
    12. Send an email to root and watch the logs. mail root Test this is a test .
    The logs should show all the SMTP level info (since it is using level 20) and should show a line that reads similar to: Feb 17 21:08:45 totsp sendmail[27587]: k1I28jTQ027587: MAIL From: SIZE=29 AUTH=root@yourhostname.org. This shows that the AUTH was made. Then a little further down in the log you should see that the message was accepted. (If it was not accepted you will see that it was rejected and why (the response code). UPDATE: Also see the new information on the Sendmail.org site about using Sendmail as an AUTH client - http://www.sendmail.org/~ca/email/auth.html.


     Nagios
    • the web gui can be reached by going to http://localhost/nagios/
    • the support documents can be found at http://support.nagios.com/knowledgebase/officialdocs
    • configuration files are in /usr/local/nagios
    • check nagios configuration files for errors by issuing: /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
    • Main Nagios log file: /usr/local/nagios/var/nagios.log
    • Debug Log file: /usr/local/nagios/var/nagios.debug (debug level controlled in /usr/local/nagios/nagios.cfg))
    • By default nagios will automatically ping hosts and send notifications if the host goes down. This can be disabled with the "checks_enabled 0" directive
    • If the host has no service a notification is sent only after the hard down state is reached. To reach the hard down state first you must wait max_retry_attempts*retry_interval
    • By setting notification_interval 0 in the general-service template Nagios will only send one (1) email per critical or downstate. If this is set to something else, then you will generate multipletickets, which is not good.
    • Services don't send notifications until they have reached a hard state as well.
    • Nagios uses the the /bin/mail script to send email which uses sendmail
    • Nagios dispatches all notifications to the sendmail client, which is responsible for sending the emails.The sendmail client  queues mail in the /var/spool/clientqueue folder.
    • The check_ping!200.0,20%!600.0,60% command passes arguments delimited by "!". The first argument gets past to the -w flag as the warning threshold (200ms round trip or 20% packet loss) and the second argument gets past to the -c flag as the critical threshold (600 or 60% packet loss).