Installing Pandora FMS Open on Ubuntu

Installation on Ubuntu Server 22.04.1 or 22.04.2 with root user privileges, systemd enabled and an internet connection.

Online installation for Ubuntu (22.04 LTS):

curl -SsL https://raw.githubusercontent.com/pandorafms/pandorafms/develop/extras/deploy-scripts/pandora_deploy_community_ubuntu_2204_gh.sh | bash

Getting started

In a terminal window as the root user:

apt install -y gawk sed grep ping
rm -rf /opt/pandora/deploy
mkdir -p /opt/pandora/deploy
cd /opt/pandora/deploy
apt update
apt install -y net-tools vim curl wget \
 software-properties-common apt-transport-https \
 ca-certificates gnupg lsb-release

Installing Apache2 and PHP 8

add-apt-repository ppa:ondrej/php
apt update
apt upgrade
apt install -y php8.0-fpm php8.0-common libapache2-mod-fcgid php8.0-cli apache2
a2enmod proxy_fcgi setenvif
systemctl reload apache2
a2enconf php8.0-fpm
systemctl restart php8.0-fpm

PFMS web Console dependencies

apt install -y \
 ldap-utils postfix \
 wget graphviz \
 xfonts-75dpi xfonts-100dpi \
 xfonts-ayu xfonts-intl-arabic \
 xfonts-intl-asian xfonts-intl-phonetic \
 xfonts-intl-japanese-big xfonts-intl-european \
 xfonts-intl-chinese xfonts-intl-japanese \
 xfonts-intl-chinese-big libzstd1 \
 gir1.2-atk-1.0 libavahi-common-data \
 cairo-perf-utils libfribidi-bin \
 php8.0-mcrypt php8.0-gd \
 php8.0-curl php8.0-mysql \
 php8.0-ldap php8.0-fileinfo \
 php8.0-gettext php8.0-snmp \
 php8.0-mbstring php8.0-zip \
 php8.0-xmlrpc php8.0-xml \
 php8.0-yaml libnet-telnet-perl \
 whois cron

PFMS server dependencies

apt install -y \
 perl nmap \
 fping sudo \
 net-tools nfdump \
 expect openssh-client \
 unzip xprobe coreutils \
 libio-compress-perl libmoosex-role-timer-perl \
 libdbd-mysql-perl libcrypt-mysql-perl \
 libhttp-request-ascgi-perl liblwp-useragent-chicaching-perl \
 liblwp-protocol-https-perl snmp \
 libnetaddr-ip-perl libio-socket-ssl-perl \
 libio-socket-socks-perl libio-socket-ip-perl \
 libio-socket-inet6-perl libnet-telnet-perl \
 libjson-perl libencode-perl \
 cron libgeo-ip-perl \
 arping snmp-mibs-downloader \
 snmptrapd  libnsl2 make \
 openjdk-8-jdk
 
mkdir -m 0755 -p /etc/apt/keyrings
 
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
 sudo gpg --yes --dearmor -o /etc/apt/keyrings/docker.gpg
 
echo \
 "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu  $(lsb_release -cs) stable" | \
 sudo tee /etc/apt/sources.list.d/docker.list
 
apt update -y
apt-get install -y \
 docker-ce docker-ce-cli containerd.io \
 docker-buildx-plugin docker-compose-plugin
 
systemctl disable docker --now
systemctl disable docker.socket --now
 
rm -f /usr/sbin/fping
ln -s /usr/bin/fping /usr/sbin/fping

Google Chrome tool

wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
dpkg -i google-chrome-stable_current_amd64.deb
ln -s /usr/bin/google-chrome /usr/bin/chromium-browser

IPAM dependencies

apt install -y \
 libnetaddr-ip-perl \
 coreutils libdbd-mysql-perl \
 libxml-simple-perl libgeo-ip-perl \
 libio-socket-inet6-perl libxml-twig-perl \
 libnetaddr-ip-perl

AppArmor and UFW configuration

systemctl stop ufw.service
systemctl disable ufw
systemctl stop apparmor
systemctl disable apparmor

Installing MySQL

curl -O https://repo.percona.com/apt/percona-release_latest.generic_all.deb
apt install -y gnupg2 lsb-release ./percona-release_latest.generic_all.deb
percona-release setup ps80
apt install -y percona-server-server percona-xtrabackup-80

systemctl start mysql
 
mysql -uroot -p
 
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'pandora';
 
create database pandora;
 
CREATE USER  pandora IDENTIFIED BY 'pandora';
 
ALTER USER 'pandora' IDENTIFIED WITH mysql_native_password BY 'pandora';
 
GRANT ALL PRIVILEGES ON pandora.* TO 'pandora';
 
exit;

cat > /etc/mysql/my.cnf << EOF_DB
[mysqld]
datadir=/var/lib/mysql
user=mysql
character-set-server=utf8mb4
skip-character-set-client-handshake
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Mysql optimizations for Pandora FMS
# Please check the documentation in http://pandorafms.com for better results
max_allowed_packet = 64M
innodb_buffer_pool_size = $(grep -i total /proc/meminfo | head -1 | awk '{printf "%.2f \n", $(NF-1)*0.4/1024}' | sed "s/\\..*$/M/g")
innodb_lock_wait_timeout = 90
innodb_file_per_table
innodb_flush_log_at_trx_commit = 0
innodb_flush_method = O_DIRECT
innodb_log_file_size = 64M
innodb_log_buffer_size = 16M
innodb_io_capacity = 300
thread_cache_size = 8
thread_stack    = 256K
max_connections = 100
key_buffer_size=4M
read_buffer_size=128K
read_rnd_buffer_size=128K
sort_buffer_size=128K
join_buffer_size=4M
skip-log-bin
sql_mode=""
log-error=/var/log/mysql/error.log
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
EOF_DB

systemctl restart mysql

Installing Pandora FMS Open

curl -LSs --output \
 pandorafms_console-7.0NG.tar.gz \
 "https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_console-7.0NG.772.tar.gz"
 
curl -LSs --output \
 pandorafms_server-7.0NG.tar.gz \
 "https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_server-7.0NG.772_x86_64.tar.gz"
 
curl -LSs --output \
 pandorafms_agent_linux-7.0NG.tar.gz \
 "https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_agent_linux-7.0NG.772.tar.gz"

PFMS web Console

tar xvzf pandorafms_console-7.0NG.tar.gz
 
cp -Ra pandora_console /var/www/html/
 
rm -f /var/www/html/pandora_console/*.spec

PFMS server

useradd pandora
 
mv pandorafms_server-7.0NG.tar.gz /opt/pandora/deploy/
 
cd /opt/pandora/deploy
 
tar xvfz pandorafms_server-7.0NG.tar.gz
 
cd pandora_server
 
./pandora_server_installer --install

PFMS agent

apt install -y libyaml-tiny-perl perl coreutils wget curl unzip procps python3 python3-pip
 
mv pandorafms_agent_linux-7.0NG.tar.gz /opt/pandora/deploy/
 
cd /opt/pandora/deploy
 
tar xvzf pandorafms_agent_linux-7.0NG.tar.gz
 
cd unix
 
./pandora_agent_installer --install
 
cp -a tentacle_client /usr/local/bin/

Installing GoTTY

curl -LSs --output pandora_gotty.deb https://github.com/pandorafms/pandorafms/releases/download/tools/pandora_gotty_1.1.0.deb
apt install -y ./pandora_gotty.deb

SSL configuration

cat > /etc/apache2/conf-available/ssl-params.conf << EOF_PARAM
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
EOF_PARAM

a2enmod ssl
a2enmod headers 
a2enmod rewrite
a2enconf ssl-params 
a2ensite default-ssl 
a2enconf ssl-params 
apache2ctl configtest 
 
systemctl restart apache2
systemctl enable mysql --now
systemctl enable apache2 --now
systemctl enable php8.0-fpm --now

MySQL tables and data

mysql -uroot -ppandora
 
use pandora;
 
source /var/www/html/pandora_console/pandoradb.sql
 
source /var/www/html/pandora_console/pandoradb_data.sql
 
exit;

PHP and Apache2 configuration

cat > /var/www/html/pandora_console/include/config.php << EO_CONFIG_F
<?php
\$config["dbtype"] = "mysql";
\$config["dbname"]="pandora";
\$config["dbuser"]="pandora";
\$config["dbpass"]="pandora";
\$config["dbhost"]="127.0.0.1";
\$config["homedir"]="/var/www/html/pandora_console";
\$config["homeurl"]="/pandora_console";
error_reporting(0);
\$ownDir = dirname(__FILE__) . '/';
include (\$ownDir . "config_process.php");
EO_CONFIG_F

cat > /etc/apache2/conf-enabled/pandora_security.conf << EO_CONFIG_F
ServerTokens Prod
<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
EO_CONFIG_F

chmod 600 /var/www/html/pandora_console/include/config.php  
 
chown -R www-data:www-data /var/www/html/pandora_console  
 
mv /var/www/html/pandora_console/install.php /var/www/html/pandora_console/install.done

ln -s /etc/php/8.0/fpm/php.ini /etc/
 
sed --follow-symlinks -i -e "s/^max_input_time.*/max_input_time = -1/g" /etc/php.ini
 
sed --follow-symlinks -i -e "s/^max_execution_time.*/max_execution_time = 0/g" /etc/php.ini
 
sed --follow-symlinks -i -e "s/^upload_max_filesize.*/upload_max_filesize = 800M/g" /etc/php.ini
 
sed --follow-symlinks -i -e "s/^memory_limit.*/memory_limit = 800M/g" /etc/php.ini
 
sed --follow-symlinks -i -e "s/.*post_max_size =.*/post_max_size = 800M/" /etc/php.ini
 
sed --follow-symlinks -i -e "s/^disable_functions/;disable_functions/" /etc/php.ini
 
echo 'TimeOut 900' > /etc/apache2/conf-enabled/timeout.conf
echo 'ProxyTimeout 300' >> /etc/apache2/conf-enabled/timeout.conf

cat > /var/www/html/index.html << EOF_INDEX
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">
EOF_INDEX
 
systemctl restart apache2
 
systemctl restart php8.0-fpm

PFMS server and agent configuration

cat> /etc/snmp/snmptrapd.conf <<EOF
authCommunity log public
disableAuthorization yes
EOF

sed -i -e "s/^dbhost.*/dbhost 127.0.0.1/g" /etc/pandora/pandora_server.conf
 
sed -i -e "s/^dbname.*/dbname pandora/g" /etc/pandora/pandora_server.conf
 
sed -i -e "s/^dbuser.*/dbuser pandora/g" /etc/pandora/pandora_server.conf
 
sed -i -e "s|^dbpass.*|dbpass pandora|g" /etc/pandora/pandora_server.conf
 
sed -i -e "s/^dbport.*/dbport 3306/g" /etc/pandora/pandora_server.conf
 
sed -i -e "s/^#.mssql_driver.*/mssql_driver 17/g" /etc/pandora/pandora_server.conf

grep -q "group www-data" /etc/pandora/pandora_server.conf || \
cat>> /etc/pandora/pandora_server.conf<<EOF_G
# Adding group www-data to assign remote-config permission correctly for Ubuntu 22.04
group www-data
EOF_G
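
The database password pandora set in the MySQL step is repeated in config.php and pandora_server.conf. The following is an added example, not part of the Pandora FMS scripts, that generates a random password and updates both files together; the function names pfms_gen_password and pfms_set_dbpass are hypothetical, and it assumes GNU sed and coreutils as shipped with Ubuntu.

```shell
#!/usr/bin/env bash
# Added example: replace the guide's literal database password with a
# generated one and keep the places that store it in step.
# File paths are parameters so this can be tried on copies first.

# 32 hex characters from the kernel CSPRNG; hex keeps sed and SQL
# quoting trivial because no metacharacters can appear.
pfms_gen_password() {
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# pfms_set_dbpass PASSWORD CONFIG_PHP SERVER_CONF
# Rewrites both files and prints the matching SQL for the mysql prompt.
pfms_set_dbpass() {
  local pw="$1" php="$2" srv="$3"
  # Refuse anything that could break out of the sed or SQL quoting.
  case "$pw" in
    ''|*[!0-9A-Za-z]*) echo "password must be alphanumeric" >&2; return 1 ;;
  esac
  # Console: the $config["dbpass"] line written by the config.php heredoc.
  sed -i -e 's|^\$config\["dbpass"].*|$config["dbpass"]="'"$pw"'";|' "$php"
  # Server: same line the guide edits with sed.
  sed -i -e "s|^dbpass.*|dbpass $pw|" "$srv"
  # Database: same statement the guide uses, with the new secret.
  printf "ALTER USER 'pandora' IDENTIFIED WITH mysql_native_password BY '%s';\n" "$pw"
}
```

Run the printed ALTER USER statement at the mysql prompt before restarting pandora_server, otherwise the files and the database disagree.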

sed -i "s/^remote_config.*$/remote_config 1/g" /etc/pandora/pandora_agent.conf

cat>> /etc/sysctl.conf <<EO_KO
# Pandora FMS Optimization
# default=5
net.ipv4.tcp_syn_retries = 3
# default=5
net.ipv4.tcp_synack_retries = 3
# default=1024
net.ipv4.tcp_max_syn_backlog = 65536
# default=124928
net.core.wmem_max = 8388608
# default=131071
net.core.rmem_max = 8388608
# default = 128
net.core.somaxconn = 1024
 
# default = 20480
net.core.optmem_max = 81920
 
EO_KO
 
sysctl --system

chown pandora:www-data /var/log/pandora
 
chmod g+s /var/log/pandora
 
cat> /etc/logrotate.d/pandora_server <<EO_LR
/var/log/pandora/pandora_server.log
/var/log/pandora/web_socket.log
/var/log/pandora/pandora_server.error {
        su root www-data
        weekly
        missingok
        size 300000
        rotate 3
        maxage 90
        compress
        notifempty
        copytruncate
        create 660 pandora www-data
}
 
/var/log/pandora/pandora_snmptrap.log {
        su root www-data
        weekly
        missingok
        size 500000
        rotate 1
        maxage 30
        notifempty
        copytruncate
        create 660 pandora www-data
}
 
EO_LR

cat> /etc/logrotate.d/pandora_agent <<EO_LRA
/var/log/pandora/pandora_agent.log {
        su root www-data
        weekly
        missingok
        size 300000
        rotate 3
        maxage 90
        compress
        notifempty
        copytruncate
}
 
EO_LRA
 
chmod 0644 /etc/logrotate.d/pandora_server
 
chmod 0644 /etc/logrotate.d/pandora_agent

Tentacle and cron

/etc/init.d/pandora_server start
 
systemctl enable pandora_server 
 
service tentacle_serverd start
 
systemctl enable tentacle_serverd

echo "* * * * * root wget -q -O - --no-check-certificate --load-cookies /tmp/cron-session-cookies --save-cookies /tmp/cron-session-cookies --keep-session-cookies http://127.0.0.1/pandora_console/enterprise/cron.php >> /var/www/html/pandora_console/log/cron.log" >> /etc/crontab
 
echo "@hourly         root    bash -c /etc/cron.hourly/pandora_db" >> /etc/crontab

Agent remote configuration:

sed -i "s/^remote_config.*$/remote_config 1/g" /etc/pandora/pandora_agent.conf
 
/etc/init.d/pandora_agent_daemon start
 
systemctl enable pandora_agent_daemon

PhantomJS

sed --follow-symlinks -i -e "s/^openssl_conf = openssl_init/#openssl_conf = openssl_init/g" /etc/ssl/openssl.cnf

Postfix

systemctl enable postfix --now

OpenSSL

sed -i '/default = default_sect/a legacy = legacy_sect' /etc/ssl/openssl.cnf
sed -i 's/# activate = 1/activate = 1/' /etc/ssl/openssl.cnf
sed -i '/activate = 1/a [legacy_sect]\nactivate = 1' /etc/ssl/openssl.cnf

SSH banner

[ "$(curl -s ifconfig.me)" ] && ipplublic=$(curl -s ifconfig.me)
 
cat > /etc/issue.net << EOF_banner
 
Welcome to Pandora FMS appliance on Ubuntu
------------------------------------------
Go to Public http://$ipplublic/pandora_console to login web console
$(ip addr | grep -w "inet" | grep -v "127.0.0.1" | grep -v "172.17.0.1" | awk '{print $2}' | awk -F '/' '{print "Go to Local http://"$1"/pandora_console to login web console"}')
 
You can find more information at http://pandorafms.com
 
EOF_banner
 
rm -f /etc/issue
ln -s /etc/issue.net /etc/issue
 
echo 'Banner /etc/issue.net' >> /etc/ssh/sshd_config

Logging in to PFMS

To access the web Console, enter the IP address (or URL) of the device followed by /pandora_console/.

The default login credentials are:

  • user: admin
  • password: pandora
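
A post-install check for the defaults this procedure leaves behind, as an added example that is not part of the Pandora FMS scripts: it looks for the literal pandora database password in both configuration files, a config.php mode other than 600, a leftover install.php and the disableAuthorization setting in snmptrapd.conf. The function name pfms_audit and its path-prefix argument are hypothetical; it assumes GNU stat.

```shell
#!/usr/bin/env bash
# Added example: audit the defaults this guide leaves in place.
# The optional argument is a hypothetical path prefix so the checks can be
# pointed at a copy of the filesystem; omit it to audit the live host.
# Prints one line per finding and returns the number of findings.
pfms_audit() {
  local root="${1:-}" n=0
  local console="$root/var/www/html/pandora_console"
  local cfg="$console/include/config.php"
  local srv="$root/etc/pandora/pandora_server.conf"
  local traps="$root/etc/snmp/snmptrapd.conf"

  finding() { echo "FINDING: $1"; n=$((n + 1)); }

  # Database password still the literal used throughout the guide.
  grep -qsF '$config["dbpass"]="pandora"' "$cfg" &&
    finding "config.php uses the default dbpass"
  grep -qsE '^dbpass[[:space:]]+pandora[[:space:]]*$' "$srv" &&
    finding "pandora_server.conf uses the default dbpass"

  # config.php holds the DB secret; the guide sets it to mode 600.
  if [ -f "$cfg" ] && [ "$(stat -c %a "$cfg")" != "600" ]; then
    finding "config.php mode is $(stat -c %a "$cfg"), expected 600"
  fi

  # The guide renames install.php to install.done; it must not come back.
  [ -e "$console/install.php" ] && finding "install.php is still present"

  # snmptrapd processes traps from any source without access control.
  grep -qsE '^disableAuthorization[[:space:]]+yes' "$traps" &&
    finding "snmptrapd.conf has disableAuthorization yes"

  return "$n"
}
```

Call pfms_audit with no argument on the installed host; an exit status of 0 means none of these defaults remain.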
