Instalación de Pandora FMS Open en Ubuntu
Instalación en Ubuntu server 22.04.1 ó 22.04.2 con derechos de usuario root, systemd habilitado y conexión a internet.
Instalación en línea para Ubuntu (22.04 LTS):
curl -SsL https://raw.githubusercontent.com/pandorafms/pandorafms/develop/extras/deploy-scripts/pandora_deploy_community_ubuntu_2204_gh.sh | bash
Inicio
En una ventana terminal con usuario root:
apt install -y gawk sed grep ping rm -rf /opt/pandora/deploy mkdir -p /opt/pandora/deploy cd /opt/pandora/deploy apt update apt install -y net-tools vim curl wget \ software-properties-common apt-transport-https \ ca-certificates gnupg lsb-release
Instalación de Apache2 y PHP 8
add-apt-repository ppa:ondrej/php apt update apt upgrade apt install -y php8.0-fpm php8.0-common libapache2-mod-fcgid php8.0-cli apache2 a2enmod proxy_fcgi setenvif systemctl reload apache2 a2enconf php8.0-fpm systemctl restart php8.0-fpm
Dependencias de la Consola web PFMS
apt install -y \ ldap-utils postfix \ wget graphviz \ xfonts-75dpi xfonts-100dpi \ xfonts-ayu xfonts-intl-arabic \ xfonts-intl-asian xfonts-intl-phonetic \ xfonts-intl-japanese-big xfonts-intl-european \ xfonts-intl-chinese xfonts-intl-japanese \ xfonts-intl-chinese-big libzstd1 \ gir1.2-atk-1.0 libavahi-common-data \ cairo-perf-utils libfribidi-bin \ php8.0-mcrypt php8.0-gd \ php8.0-curl php8.0-mysql \ php8.0-ldap php8.0-fileinfo \ php8.0-gettext php8.0-snmp \ php8.0-mbstring php8.0-zip \ php8.0-xmlrpc php8.0-xml \ php8.0-yaml libnet-telnet-perl \ whois cron
Dependencias del servidor PFMS
apt install -y \ perl nmap \ fping sudo \ net-tools nfdump \ expect openssh-client \ unzip xprobe coreutils \ libio-compress-perl libmoosex-role-timer-perl \ libdbd-mysql-perl libcrypt-mysql-perl \ libhttp-request-ascgi-perl liblwp-useragent-chicaching-perl \ liblwp-protocol-https-perl snmp \ libnetaddr-ip-perl libio-socket-ssl-perl \ libio-socket-socks-perl libio-socket-ip-perl \ libio-socket-inet6-perl libnet-telnet-perl \ libjson-perl libencode-perl \ cron libgeo-ip-perl \ arping snmp-mibs-downloader \ snmptrapd libnsl2 make \ openjdk-8-jdk mkdir -m 0755 -p /etc/apt/keyrings curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \ sudo gpg --yes --dearmor -o /etc/apt/keyrings/docker.gpg echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \ sudo tee /etc/apt/sources.list.d/docker.list apt update -y apt-get install -y \ docker-ce docker-ce-cli containerd.io \ docker-buildx-plugin docker-compose-plugin systemctl disable docker --now systemctl disable docker.socket --now rm -f /usr/sbin/fping ln -s /usr/bin/fping /usr/sbin/fping
Herramienta Google Chrome
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb dpkg -i google-chrome-stable_current_amd64.deb ln -s /usr/bin/google-chrome /usr/bin/chromium-browser
Dependencias IPAM
apt install -y \ libnetaddr-ip-perl \ coreutils libdbd-mysql-perl \ libxml-simple-perl libgeo-ip-perl \ libio-socket-inet6-perl libxml-twig-perl \ libnetaddr-ip-perl
Configuración de AppArmor y UFW
systemctl stop ufw.service systemctl disable ufw systemctl stop apparmor systemctl disable apparmor
Instalación de MySQL
curl -O https://repo.percona.com/apt/percona-release_latest.generic_all.deb apt install -y gnupg2 lsb-release ./percona-release_latest.generic_all.deb percona-release setup ps80 apt install -y percona-server-server percona-xtrabackup-80
systemctl start mysql mysql -uroot -p ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'pandora'; create database pandora; CREATE USER pandora IDENTIFIED BY 'pandora'; ALTER USER 'pandora' IDENTIFIED WITH mysql_native_password BY 'pandora'; GRANT ALL PRIVILEGES ON pandora.* TO 'pandora'; exit;
cat > /etc/mysql/my.cnf << EOF_DB [mysqld] datadir=/var/lib/mysql user=mysql character-set-server=utf8mb4 skip-character-set-client-handshake # Disabling symbolic-links is recommended to prevent assorted security risks symbolic-links=0 # Mysql optimizations for Pandora FMS # Please check the documentation in http://pandorafms.com for better results max_allowed_packet = 64M innodb_buffer_pool_size = grep -i total /proc/meminfo | head -1 | awk '{printf "%.2f \n", $(NF-1)*0.4/1024}' | sed "s/\\..*$/M/g" innodb_lock_wait_timeout = 90 innodb_file_per_table innodb_flush_log_at_trx_commit = 0 innodb_flush_method = O_DIRECT innodb_log_file_size = 64M innodb_log_buffer_size = 16M innodb_io_capacity = 300 thread_cache_size = 8 thread_stack = 256K max_connections = 100 key_buffer_size=4M read_buffer_size=128K read_rnd_buffer_size=128K sort_buffer_size=128K join_buffer_size=4M skip-log-bin sql_mode="" log-error=/var/log/mysql/error.log [mysqld_safe] log-error=/var/log/mysqld.log pid-file=/var/run/mysqld/mysqld.pid EOF_DB
systemctl restart mysql
Instalación de Pandora FMS Open
curl -LSs --output \ pandorafms_console-7.0NG.tar.gz \ "https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_console-7.0NG.772.tar.gz" curl -LSs --output \ pandorafms_server-7.0NG.tar.gz \ "https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_server-7.0NG.772_x86_64.tar.gz" curl -LSs --output \ pandorafms_agent_linux-7.0NG.tar.gz \ "https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_agent_linux-7.0NG.772.tar.gz"
Consola web PFMS
tar xvzf pandorafms_console-7.0NG.tar.gz cp -Ra pandora_console /var/www/html/ rm -f /var/www/html/pandora_console/*.spec
Servidor PFMS
useradd pandora mv pandorafms_server-7.0NG.tar.gz /opt/pandora/deploy/ cd /opt/pandora/deploy tar xvfz pandorafms_server-7.0NG.tar.gz cd pandora_server ./pandora_server_installer --install
Agente PFMS
apt install -y libyaml-tiny-perl perl coreutils wget curl unzip procps python3 python3-pip mv pandorafms_agent_linux-7.0NG.tar.gz /opt/pandora/deploy/ cd /opt/pandora/deploy tar xvzf pandorafms_agent_linux-7.0NG.tar.gz cd unix ./pandora_agent_installer --install cp -a tentacle_client /usr/local/bin/
Instalación de GoTTY
curl --output pandora_gotty.deb https://github.com/pandorafms/pandorafms/releases/download/tools/pandora_gotty_1.1.0.deb apt install -y ./pandora_gotty.deb
Configuración para SSL
cat > /etc/apache2/conf-available/ssl-params.conf << EOF_PARAM SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLHonorCipherOrder On Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff # Requires Apache >= 2.4 SSLCompression off SSLUseStapling on SSLStaplingCache "shmcb:logs/stapling-cache(150000)" # Requires Apache >= 2.4.11 SSLSessionTickets Off EOF_PARAM
a2enmod ssl a2enmod headers a2enmod rewrite a2enconf ssl-params a2ensite default-ssl a2enconf ssl-params apache2ctl configtest systemctl restart apache2 systemctl enable mysql --now systemctl enable apache2 --now systemctl enable php8.0-fpm --now
Tablas y datos para MySQL
mysql -uroot -ppandora use pandora; source /var/www/html/pandora_console/pandoradb.sql source /var/www/html/pandora_console/pandoradb_data.sql exit;
Configuración de PHP y Apache2
cat > /var/www/html/pandora_console/include/config.php << EO_CONFIG_F <?php \$config["dbtype"] = "mysql"; \$config["dbname"]="pandora"; \$config["dbuser"]="pandora"; \$config["dbpass"]="pandora"; \$config["dbhost"]="127.0.0.1"; \$config["homedir"]="/var/www/html/pandora_console"; \$config["homeurl"]="/pandora_console"; error_reporting(0); \$ownDir = dirname(__FILE__) . '/'; include (\$ownDir . "config_process.php"); EO_CONFIG_F
cat > /etc/apache2/conf-enabled/pandora_security.conf << EO_CONFIG_F ServerTokens Prod <Directory "/var/www/html"> Options FollowSymLinks AllowOverride All Require all granted </Directory> EO_CONFIG_F
chmod 600 /var/www/html/pandora_console/include/config.php chown -R www-data:www-data /var/www/html/pandora_console mv /var/www/html/pandora_console/install.php /var/www/html/pandora_console/install.done
ln -s /etc/php/8.0/fpm/php.ini /etc/ sed --follow-symlinks -i -e "s/^max_input_time.*/max_input_time = -1/g" /etc/php.ini sed --follow-symlinks -i -e "s/^max_execution_time.*/max_execution_time = 0/g" /etc/php.ini sed --follow-symlinks -i -e "s/^upload_max_filesize.*/upload_max_filesize = 800M/g" /etc/php.ini sed --follow-symlinks -i -e "s/^memory_limit.*/memory_limit = 800M/g" /etc/php.ini sed --follow-symlinks -i -e "s/.*post_max_size =.*/post_max_size = 800M/" /etc/php.ini sed --follow-symlinks -i -e "s/^disable_functions/;disable_functions/" /etc/php.ini echo 'TimeOut 900' > /etc/apache2/conf-enabled/timeout.conf echo 'ProxyTimeout 300' >> /etc/apache2/conf-enabled/timeout.conf
cat > /var/www/html/index.html << EOF_INDEX <meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/"> EOF_INDEX systemctl restart apache2 systemctl restart php8.0-fpm
Configuración de servidor y agente PFMS
cat> /etc/snmp/snmptrapd.conf <<EOF authCommunity log public disableAuthorization yes EOF
sed -i -e "s/^dbhost.*/dbhost 127.0.0.1/g" /etc/pandora/pandora_server.conf sed -i -e "s/^dbname.*/dbname pandora/g" /etc/pandora/pandora_server.conf sed -i -e "s/^dbuser.*/dbuser pandora/g" /etc/pandora/pandora_server.conf sed -i -e "s|^dbpass.*|dbpass pandora|g" /etc/pandora/pandora_server.conf sed -i -e "s/^dbport.*/dbport 3306/g" /etc/pandora/pandora_server.conf sed -i -e "s/^#.mssql_driver.*/mssql_driver 17/g" /etc/pandora/pandora_server.conf
grep -q "group www-data" /etc/pandora/pandora_server.conf || \ cat>> /etc/pandora/pandora_server.conf<<EOF_G #Adding group www-data to assing remote-config permission correctly for ubuntu 22.04 group www-data EOF_G
sed -i "s/^remote_config.*$/remote_config 1/g" /etc/pandora/pandora_agent.conf
cat>> /etc/sysctl.conf <<EO_KO # Pandora FMS Optimization # default=5 net.ipv4.tcp_syn_retries = 3 # default=5 net.ipv4.tcp_synack_retries = 3 # default=1024 net.ipv4.tcp_max_syn_backlog = 65536 # default=124928 net.core.wmem_max = 8388608 # default=131071 net.core.rmem_max = 8388608 # default = 128 net.core.somaxconn = 1024 # default = 20480 net.core.optmem_max = 81920 EO_KO sysctl --system
chown pandora:www-data /var/log/pandora chmod g+s /var/log/pandora cat> /etc/logrotate.d/pandora_server <<EO_LR /var/log/pandora/pandora_server.log /var/log/pandora/web_socket.log /var/log/pandora/pandora_server.error { su root apache weekly missingok size 300000 rotate 3 maxage 90 compress notifempty copytruncate create 660 pandora apache } /var/log/pandora/pandora_snmptrap.log { su root apache weekly missingok size 500000 rotate 1 maxage 30 notifempty copytruncate create 660 pandora apache } EO_LR
cat> /etc/logrotate.d/pandora_agent <<EO_LRA /var/log/pandora/pandora_agent.log { su root apache weekly missingok size 300000 rotate 3 maxage 90 compress notifempty copytruncate } EO_LRA chmod 0644 /etc/logrotate.d/pandora_server chmod 0644 /etc/logrotate.d/pandora_agent
Tentacle y cron
/etc/init.d/pandora_server start systemctl enable pandora_server service tentacle_serverd start systemctl enable tentacle_serverd
echo "* * * * * root wget -q -O - --no-check-certificate --load-cookies /tmp/cron-session-cookies --save-cookies /tmp/cron-session-cookies --keep-session-cookies http://127.0.0.1/pandora_console/enterprise/cron.php >> $PANDORA_CONSOLE/log/cron.log" >> /etc/crontab echo "@hourly root bash -c /etc/cron.hourly/pandora_db" >> /etc/crontab
Configuración remota del agente:
sed -i "s/^remote_config.*$/remote_config 1/g" /etc/pandora/pandora_agent.conf /etc/init.d/pandora_agent_daemon start systemctl enable pandora_agent_daemon
PhantomJS
sed --follow-symlinks -i -e "s/^openssl_conf = openssl_init/#openssl_conf = openssl_init/g" /etc/ssl/openssl.cnf
Postfix
systemctl enable postfix --now
OpenSSL
sed -i '/default = default_sect/a legacy = legacy_sect' /etc/ssl/openssl.cnf sed -i 's/# activate = 1/activate = 1/' /etc/ssl/openssl.cnf sed -i '/activate = 1/a [legacy_sect]\nactivate = 1' /etc/ssl/openssl.cnf
SSH banner
[ "$(curl -s ifconfig.me)" ] && ipplublic=$(curl -s ifconfig.me) cat > /etc/issue.net << EOF_banner Welcome to Pandora FMS appliance on Ubuntu ------------------------------------------ Go to Public http://$ipplublic/pandora_console to login web console $(ip addr | grep -w "inet" | grep -v "127.0.0.1" | grep -v "172.17.0.1" | awk '{print $2}' | awk -F '/' '{print "Go to Local http://"$1"/pandora_console to login web console"}') You can find more information at http://pandorafms.com EOF_banner rm -f /etc/issue ln -s /etc/issue.net /etc/issue echo 'Banner /etc/issue.net' >> /etc/ssh/sshd_config
Inicio de sesión en PFMS
Para acceder a la Consola web se ha de escribir la dirección IP (o URL) del dispositivo seguido de /pandora_console/
.
Las credenciales por defecto para entrar son:
- usuario:
admin
- contraseña:
pandora