Async.fi

Basic MRTG config

It's a mess, but making things work took some effort, and a lot of copypasting from numerous sources, so I'm recording this here.

/etc/mrtg.cfg: 

WorkDir: /var/www/mrtg
WriteExpires: Yes
Language: english
Title[^]: Traffic Analysis for Yourserver
Options[_]: growright, bits

LoadMIBs: /usr/share/mibs/netsnmp/UCD-SNMP-MIB, /usr/share/mibs/ietf/TCP-MIB, /usr/share/mibs/ietf/UDP-MIB, /usr/share/mibs/ietf/HOST-RESOURCES-MIB

Target[localhost.cpu]:ssCpuRawUser.0&ssCpuRawUser.0:yoursnmpcommunity@localhost+ ssCpuRawSystem.0&ssCpuRawSystem.0:yoursnmpcommunity@localhost+ ssCpuRawNice.0&ssCpuRawNice.0:yoursnmpcommunity@localhost
RouterUptime[localhost.cpu]: yoursnmpcommunity@localhost
MaxBytes[localhost.cpu]: 100
Title[localhost.cpu]:  CPU Load
PageTop[localhost.cpu]: <H1> Active CPU Load %</H1>
Unscaled[localhost.cpu]: ymwd
ShortLegend[localhost.cpu]: %
YLegend[localhost.cpu]: %
Legend1[localhost.cpu]: %
Legend2[localhost.cpu]:
Legend3[localhost.cpu]:
Legend4[localhost.cpu]:
LegendI[localhost.cpu]: Active
LegendO[localhost.cpu]:
Options[localhost.cpu]: growright,nopercent

Target[localhost.mem]: .1.3.6.1.4.1.2021.4.6.0&.1.3.6.1.4.1.2021.4.6.0:yoursnmpcommunity@localhost
PageTop[localhost.mem]: <H1> Free Memory</H1>
Options[localhost.mem]: nopercent,growright,gauge,noo
Title[localhost.mem]:  Free Memory
MaxBytes[localhost.mem]: 1000000
kMG[localhost.mem]: k,M,G,T,P,X
YLegend[localhost.mem]: bytes
ShortLegend[localhost.mem]: bytes
LegendI[localhost.mem]: Free Memory:
LegendO[localhost.mem]:
Legend1[localhost.mem]: Free memory, not including swap, in bytes

Target[localhost.swap]: memAvailSwap.0&memAvailSwap.0:yoursnmpcommunity@localhost
PageTop[localhost.swap]: <H1> Swap Available</H1>
Options[localhost.swap]: growright,gauge,nopercent
Title[localhost.swap]:  Swap Available
MaxBytes[localhost.swap]: 1073741824
kMG[localhost.swap]: k,M,G,T,P,X
YLegend[localhost.swap]: bytes
ShortLegend[localhost.swap]: bytes
LegendI[localhost.swap]: Swap Available:
LegendO[localhost.swap]:
Legend1[localhost.swap]: Swap memory available

Target[localhost.rootdisk]: dskPercent.1&dskPercent.1:yoursnmpcommunity@localhost
PageTop[localhost.rootdisk]: <H1> Used Root Disk</H1>
Title[localhost.rootdisk]:  Used Root Disk
MaxBytes[localhost.rootdisk]: 100
Options[localhost.rootdisk]: nopercent,growright,gauge
Unscaled[localhost.rootdisk]: ymwd
ShortLegend[localhost.rootdisk]: %
YLegend[localhost.rootdisk]: %

Target[localhost.eth0]: /95.85.11.102:yoursnmpcommunity@localhost
MaxBytes[localhost.eth0]: 12500000
Title[localhost.eth0]:  eth0
PageTop[localhost.eth0]: <h1> eth0</h1>
ShortLegend[localhost.eth0]: b/s
YLegend[localhost.eth0]: b/s

Target[localhost.eth1]: /10.129.5.83:yoursnmpcommunity@localhost
MaxBytes[localhost.eth1]: 12500000
Title[localhost.eth1]:  eth1
PageTop[localhost.eth1]: <h1> eth1</h1>
ShortLegend[localhost.eth1]: b/s
YLegend[localhost.eth1]: b/s

Target[localhost.udpin]: udpInDatagrams.0&udpInDatagrams.0:yoursnmpcommunity@localhost
PageTop[localhost.udpin]: <H1> Incoming UDP pkts per minute</H1>
Title[localhost.udpin]:  Incoming UDP pkts per minute
MaxBytes[localhost.udpin]: 1000000
ShortLegend[localhost.udpin]: p/m
YLegend[localhost.udpin]: p/m
LegendI[localhost.udpin]: Incoming
LegendO[localhost.udpin]:
Options[localhost.udpin]: nopercent,growright,perminute

Target[localhost.udpout]: udpOutDatagrams.0&udpOutDatagrams.0:yoursnmpcommunity@localhost
PageTop[localhost.udpout]: <H1> Outgoing UDP pkts per minute</H1>
Title[localhost.udpout]:  Outgoing UDP pkts per minute
MaxBytes[localhost.udpout]: 1000000
ShortLegend[localhost.udpout]: p/m
YLegend[localhost.udpout]: p/m
LegendI[localhost.udpout]:
LegendO[localhost.udpout]: Outgoing
Options[localhost.udpout]: nopercent,growright,perminute

Target[localhost.tcpconns]: tcpCurrEstab.0&tcpCurrEstab.0:yoursnmpcommunity@localhost
Title[localhost.tcpconns]:  TCP Connections
PageTop[localhost.tcpconns]: <H1> TCP Connections</H1>
MaxBytes[localhost.tcpconns]: 10000000000
ShortLegend[localhost.tcpconns]: conns
YLegend[localhost.tcpconns]: conns
LegendI[localhost.tcpconns]: Incoming
LegendO[localhost.tcpconns]: Outgoing
Legend1[localhost.tcpconns]: Established incoming connections
Legend2[localhost.tcpconns]: Established outgoing connections
Options[localhost.tcpconns]: nopercent,gauge,growright

Target[localhost.tcpnewconns]: tcpPassiveOpens.0&tcpActiveOpens.0:yoursnmpcommunity@localhost
Title[localhost.tcpnewconns]:  New TCP Connections
PageTop[localhost.tcpnewconns]: <h1> New TCP Connections / minute</h1>
MaxBytes[localhost.tcpnewconns]: 1000000000
ShortLegend[localhost.tcpnewconns]: conns/min
YLegend[localhost.tcpnewconns]: conns/min
LegendI[localhost.tcpnewconns]: Incoming
LegendO[localhost.tcpnewconns]: Outgoing
Legend1[localhost.tcpnewconns]: New inbound connections
Legend2[localhost.tcpnewconns]: New outbound connections
Options[localhost.tcpnewconns]: growright,nopercent,perminute

Tagged with:

Categorised as:

Running a Django app with Gunicorn and Upstart

Skimmed from here, I mostly just changed the last line that starts Gunicorn from using gunicorn_django to plain gunicorn, as recommended by the Django overlords.

/etc/init/yourapp.conf: 

description "Your App"
author "Your Name "

start on (net-device-up and local-filesystems)
stop on shutdown
respawn

script
    export HOME="/root/of/django/app" # i.e. where "manage.py" can be found
    export PATH="$PATH:/root/of/django/app/env/bin" # "env" is our virtualenv
    export DJANGO_SETTINGS_MODULE="settings"
    export LANG="en_US.UTF-8"
    cd $HOME
    exec $HOME/env/bin/gunicorn -b 127.0.0.1:8000 -w 1 --log-file /var/log/gunicorn/yourapp.log app
end script

app.py: 

import os, sys

sys.path.insert(0, '/root/of/django/app/')
path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
if path not in sys.path:
    sys.path.append(path)

import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()

Tagged with:

Categorised as:

Basic iptables setup (Ubuntu)

Accept anything coming in from 127.0.0.1: 

iptables -A INPUT -i lo -j ACCEPT

Accept "related" ("packet is starting a new connection, but is associated with an existing connection") and "established" ("packet is associated with a connection which has seen packets in both directions") packets: 

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

SSH; set port (XXXXX) to 22 if you're running the default, which you perhaps should not do as the script kiddies will not leave you alone. If this is changed to something non-default then do not forget to change the port in /etc/ssh/sshd_config (the Port configuration directive) and do these changes coordinatedly. Otherwise you will be locked out. 

iptables -A INPUT -p tcp -m tcp --dport XXXXX -j ACCEPT

HTTP and HTTPS: 

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

NTP, because we're part of the NTP Pool Project: 

iptables -A INPUT -p udp -m udp --dport 123 -j ACCEPT

Log dropped packets, but not too much: 

iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables DROP: " --log-level 7

Do the actual dropping: 

iptables -A INPUT -j DROP

In order to save these settings on shutdown, create the following file in /etc/network/if-post-down.d/iptables: 

#!/bin/sh
iptables-save -c > /etc/iptables.rules
exit 0

To restore the settings on boot, create the following file in /etc/network/if-pre-up.d/iptables: 

#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0

And make the two executable: 

chmod +x /etc/network/if-post-down.d/iptables /etc/network/if-pre-up.d/iptables

Tagged with:

Categorised as:

Gone DigitalOcean

In order to try something new (and save money) I switched my personal "utility" server from EC2 to DigitalOcean. As I was running just a t1.micro instance anyway, I selected DigitalOcean's cheapest offering, which costs $5/month (512MB/20GB(SSD)/1TB). Plus $1/month for regular backups (they somehow backup the whole server while the server is running, so I'm not sure how consistent said backup can possibly be but at least it's cheap).

DigitalOcean is offering just servers, and the whole experience isn't of course quite as polished as with Amazon. Nor can you, say, access S3 (or other services) at quite the same speed as when in Amazon's network. But for my use case it's a good fit.

Tagged with:

Categorised as: