Authenticate SSH with “Google Authenticator” OTP

By Kernel 7 On August 9th, 2013

This guide assumes you already have the following:
+ Linux RPM-based system
+ NTP Synchronization
+ Internet Access for “Google Authenticator” API

[1] Install pre-requisites for “Google Authenticator”:
yum install gcc pam-devel subversion python-devel git

[2] Install Google Authenticator PAM module:
mkdir /tmp/google-authenticator
cd /tmp/google-authenticator/
git clone http://code.google.com/p/google-authenticator/
cd google-authenticator/libpam/
make && make install

[3] Set up SSH’s PAM to use Google Authenticator:
vi /etc/pam.d/sshd
+ At the beginning, add:
  auth required pam_google_authenticator.so
vi /etc/ssh/sshd_config
+ Change the following:
  ChallengeResponseAuthentication yes
  UsePAM yes
  PubkeyAuthentication no
service sshd restart

[4] Set up Google Authenticator for any user that will have access to the system (e.g. jdoe):
su - jdoe
google-authenticator
+ Note your “Secret Key”, “Verification Code”, and “Scratch Codes”.
+ Answer “y”, “y”, “n”, “y”.

[5] Test SSH Login with the user configured (e.g. jdoe):
+ Set up the Google Authenticator on your Smart Phone
+ Launch an SSH session to login with “jdoe”
+ Enter the Verification Code from Google Authenticator (Smart Phone)
+ Enter your Linux password
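
A quick way to confirm that step [3] took effect, added here as an example and not part of the original guide. The function names are hypothetical, and the two files are passed as arguments (on the system in this guide they would be /etc/ssh/sshd_config and /etc/pam.d/sshd).

```shell
# Added example: audit the two files edited in step [3].

# Print the effective global value of an sshd_config keyword. sshd keeps the
# FIRST value it reads, keywords are case-insensitive, and lines after a
# "Match" line are conditional, so they are ignored here.
sshd_effective() {  # usage: sshd_effective KEYWORD FILE
    awk -v want="$1" '
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$2"
}

# Succeed only if the first active "auth" rule is the required OTP module.
# A "sufficient" rule placed above it can end the stack before the OTP is asked.
pam_otp_first() {  # usage: pam_otp_first PAM_FILE
    awk '
        $1 == "auth" || $1 == "-auth" {
            n = split($3, p, "/")    # accept a bare name or a full module path
            ok = ($2 == "required" && p[n] == "pam_google_authenticator.so")
            exit
        }
        END { exit !ok }
    ' "$1"
}

audit_ssh_otp() {  # usage: audit_ssh_otp SSHD_CONFIG PAM_FILE
    rc=0
    for pair in ChallengeResponseAuthentication=yes UsePAM=yes PubkeyAuthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$key" "$1")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', guide sets '$want'"; rc=1
        fi
    done
    if pam_otp_first "$2"; then echo "ok    OTP module is the first auth rule"
    else echo "FAIL  OTP module is not the first required auth rule"; rc=1; fi
    return $rc
}

# Constructed sample files (not from a real host): sshd_config as the guide
# sets it, but a PAM file with a "sufficient" rule above the OTP module.
tmp=$(mktemp -d)
printf '%s\n' 'UsePAM yes' 'ChallengeResponseAuthentication yes' \
    'PubkeyAuthentication no' > "$tmp/sshd_config"
printf '%s\n' 'auth sufficient pam_unix.so' \
    'auth required pam_google_authenticator.so' > "$tmp/pam_sshd"
audit_ssh_otp "$tmp/sshd_config" "$tmp/pam_sshd" || echo "audit failed"
rm -rf "$tmp"
```

A keyword that is missing from the global section is reported as unset and counted as a failure, because the guide sets all three explicitly.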

VMware ESX/ESXi Host Updates via CLI

By Kernel 7 On April 28th, 2013

VMware ESX/ESXi patches can be applied easily through the CLI.
As a pre-requisite for this guide, you need to enable SSH access to the ESX/ESXi host.

[1] Download the necessary patches from VMware’s web site:
http://www.vmware.com/go/downloadpatches

[2] Browse the ESX/ESXi host’s storage and upload the patches to the “/DATA_STORE_LOCATION/esxi-patches/” folder.

[3] Shut down all the VMs and put the ESX/ESXi host in “Maintenance Mode”.

[4] Apply the patches one after the other in the order they were released, using the following command in the SSH CLI:
ESX/ESXi v4.x :: esxupdate --bundle=/DATA_STORE_LOCATION/esxi-patches/ESXXXXX-XXXXXXXXX.zip update
ESX/ESXi v5.x :: esxcli software vib update -d "/DATA_STORE_LOCATION/esxi-patches/ESXXXXX-XXXXXXXXX.zip"

[5] Reboot the vSphere/ESX/ESXi host if required by the patches installed.

Nagios Downtime Scheduling (PHP)

By Kernel 7 On January 6th, 2012

Scheduling a downtime in Nagios is complicated in itself, and automating it is a pain.
Here is an easy-to-use PHP script that will make scheduling a breeze:

[1] Download the “Downtime Scheduling Utility” and extract it to your preferred location:
http://sweetdeliah.com/nagios/downtime/nagios_down-0.2.tar.gz

[2] To schedule a maintenance, here is a template:
./nagios_down.php -h 'host-server-001' -f -b '03:00 23 January 2012' -e '03:30 23 January 2012' -a 'John Doe' -c 'Monthly Maintenance for Windows Patches'

This will put the host “host-server-001” in maintenance mode for 30 minutes on January 23rd, 2012, between 03:00 AM and 03:30 AM, with “John Doe” as the person responsible for logging the downtime, and “Monthly Maintenance for Windows Patches” as a comment.

[3] You can automate the process using Cron or your Custom GUI if any.

Security Templates for BGP, BIND, IOS, JunOS

By Kernel 7 On June 8th, 2009

[+] Secure ISC BIND Template:
http://www.cymru.com/Documents/secure-bind-template.html

[+] Secure BGP Template for Cisco Routers:
http://www.cymru.com/Documents/secure-bgp-template.html

[+] Secure BGP Template for Juniper Routers:
http://www.cymru.com/gillsr/documents/junos-bgp-template.pdf

[+] Secure IOS Template:
http://www.cymru.com/Documents/secure-ios-template.html
http://wiki.nil.com/Router_security_template

[+] Secure JunOS Template:
http://www.cymru.com/gillsr/documents/junos-template.pdf

Hello world!

By Kernel 7 On June 1st, 2008

Your source for Open Source solutions, Kernel 7, has launched!