Recently we have worked with a small company who was trying to determine the best tool to monitor their network. They had heard of Nagios and wanted to explore that option first. They also were most interested in an Open Source option as they did not want to have renew licenses to lower their ongoing cost. In this type of evaluation, there are a lot of things to consider.

1. Nagios Options
Nagios was built to be flexible and that flexibility has created a number of options that can be used for a frontend or an addon. Some of those options are free to use and some will cost a small fee. I say “small fee” because if you compare it to some of the major networking monitoring tools an organization can spend many thousands of dollars monitoring their network. In this consulting situation they wanted to narrow the field down to two options Nagios Core (the Open Source, free option) and Nagios XI which costs a modest fee per year for support and updates. Though there are other options out there, this is a good place to start because Nagios is under the hood in those other options that create a frontend.

2. Comparison: Nagios Core vs. Nagios XI
Nagios Core is the Open Source option for Nagios. It is powerful in that it can be used to monitor many different devices in a diverse setting. I have talked with administrators who are using Nagios Core to perform 5000 checks per second! For a small business that may not initially be the focus, but performance should be an indicator, as success in using this tool will lead to the decision to perform more checks. The next aspect to consider with Nagios Core is flexibility. What kind of devices do you want to monitor? Nagios can monitor switches, routers, wireless devices, Windows servers, Linux servers, applications on those devices, network bandwidth, etc. Nagios Core, like Nagios XI, is only limited by the administrators ability to implement the kind of check required.

One caveat for Nagios Core is that it will require intermediate skills at the Linux command line. If your organization does not have administrators with command line skills you will either need to get them training for the command line or take a close look at the second option, Nagios XI.

Nagios XI is a powerful Nagios option that is configured from a GUI, which make the transition to Nagios easier, I did not say easy. Any network monitoring tool requires a solid understanding of the devices you are monitoring. And though Nagios XI does present the graphical configuration options like wizards, reports, views, etc., it also requires some skill at the command line. Even with Nagios XI you may have to install Perl modules from the command line for instance if you select plugins that do not come with Nagios XI.

For faster implementation of network monitoring Nagios XI is your best choice if you are not skilled in using the command line. Nagios XI can ultimately be cheaper than Nagios Core if you value the time administrators take to set things up from the command line.

Ultimately, the best choice is what works in the long term for a company.

Today we finally finished a large migration project for a small company.  Migration is more than just an upgrade, it is a major shift to more efficient technology, faster resources, better security and ultimately cost savings.

Here is what this project entailed.

1. Migrate 4 mail servers to new hardware, CentOS 6 and faster resources.
Mail servers are very important to organizations so migrating 4 servers takes time as mail must always be available. Part of this project was to create a MX Backup so if local mail servers were down now mail would be lost as it is collected on a remote mail server sitting on a cloud.  Another aspect of this migration was to enhance the Spam checking with special configuration to Spamassassin and rules to help the organization lower Spam rates.

2. Migration of 2 DNS Server
DNS is where a lot of organizations really slack off.  We have seen repeated situations where organizations set up a DNS server and nothing is done to it in years and by that time no one remembers how to fix it or migrate it to a new location.  For this project we rebuilt two DNS servers at different locations across the country so that no matter what happened locally their DNS was functioning correctly.

3. Migration of 10 Web Servers
When we migrate web servers it is not only moving the domains and setting up SSL certificates for shopping carts but is also involves these key features for security:
* PSAD (Port Scan Attack Detector) – a program to stop attackers from scanning ports
* rkhunter – a rootkit hunter that searches for rootkits daily and sends an email to an administrator
* AIDE (Advanced Intrusion Detection Environment) – checks for changes in the operating system
* ModSecurity – prevents zero day exploits, a must if you use PHP and MySQL environments

Security is extremely important these days and any migration needs to include an update of current technologies.

4. Updated Technology
One of the goals of this migration was to include daily images of all servers and weekly images of all servers.  This provides a way for organizations to save big when there are problems.  If a server has a security event or if an administrator makes a mistake, it can easily be fixed by pushing out an image in less than 5 minutes.  In the long run this allows organizations to limit their IT staff as they have something to fall back on.

5. Cost Savings
This entire project with faster hardware, better technology, updated systems, etc. actually was completed with the company savings of 40% each month!  That is the big deal about migration, it ultimately provides a better system at less cost.  We often find companies could make big savings if they ultilized some of the new technology that is available.

Migration, it should lead to more efficient technology, better security and ultimately greater savings for an organization.

In the last few months there has been a lot of consulting work we have done for Postfix.  Postfix is a great mail server …meaning, easy to use, secure, stable and intelligent.  One of the major themes we see with consulting for Postfix is that many organizations are moving to Postfix based on a greater need for performance.  The primary mail server they are moving away from is Sendmail.  Now Sendmail is also a good mail server, but does not seem able to meet the performance that Postfix can provide.  One of the reasons this is true is that Sendmail is monolithic, in other words it is one application that does everything.  While Postfix is a modular system that has a number of applications that work together.  In addition, Postfix is easier to work with.  The config files and the terminology for getting things done is based on information that is just plain easier to understand.  Anyone who has picked up the O’Reilly book on Sendmail knows, Sendmail configuration is anything but easy.

The other theme that we are seeing with Postfix is that organizations are using Postfix as a gateway to their internal mail server.  This is often done to protect an Exchange server that is used by employees.  The security that is inherent to the Linux operating system and the rock solid security that is provided in Postfix are great ways to protect that internal mail server.  When you set up Postfix as a gateway you can lock down all access to the box for users so that it can become a very hardened box.

Postfix provides both excellent performance and security, features specifically needed in today’s mail focused world.

I live in mountainous Northwest Montana. I have always been intrigued by an attitude from my US Forrest Service friends who each summer tell me they are, “hoping there are lots of big forest fires this summer”. What…I thought Smokey the Bear wanted to prevent forest fires. But no, many of those who work for the US Forrest Service actually depend on fighting fires to provide the finances for their vacations and Holidays. Now let me be quick to say these people do not start fires nor encourage starting fires, it just works out that forest disasters are great paydays.

As inconsistent as that may seem, in the world of technology we face the same issues. Having talked with a lot of computer techs who own small businesses about the advantages of Linux, many of them have told me they would be crazy to encourage Linux as they are sitting on a gold mine with Microsoft. Many shops keep the doors open by cleaning and doing repairs caused by viruses.

It must be a part of life, as when you look at Linux consulting you have the same dilemma. Consulting without education and documentation is just as empty and self serving as those in the US Forrest Service who hope for fires or those who repair your virus laden Windows machine hoping to strike it rich once again when you click on the tempting email. Linux consultants can live in that “outer zone” that makes them special and prevents them from communicating the changes they made for the client in a way that educates the client, thus rendering the consultant unnecessary. Or, neglecting documenting changes for the client, forcing the client to call for more help down the road when the system updates.

It seems we as human beings have a tendency to look out for ourselves, naturally. Each of these examples creates a dilemma, one that really demonstrates serious inconsistencies. As a client shopping for Linux consulting you should request these two factors to keep Linux consultants consistent. First, request a short training session where the consultant walks you through exactly what was done and explains why each step was taken. Second, you should request a written, detailed PDF of the steps that were taken so that you can repeat the process if you needed to at a later time.

Yes, we all have a tendency to be inconsistent, creating dilemmas as we walk through life, but accountability is the one aspect that brings sanity to it all. Make your Linux consultant accountable.

DNS is often the focus of Linux consulting as we as a world are extremely dependent upon the resolution that DNS offers. Whether it is websites we need to access or email that we are sending, DNS is the backbone for those services. The Domain Name Service on a Linux server is usually provided by bind which often gives people trouble in managing. The reality is that DNS is not that difficult to configure it is just a lot of new concepts that are rolled into one project. As with everything, new concepts bring new terminology which increases the difficulty of managing DNS.

Typically the consulting side of managing DNS involves trying to unravel the DNS settings that are in place. It is not often that you are asked to build a new DNS server, it is usually the request to fix one that is not performing like it should. One of the things we try to do is provide standards in the implementation of DNS and encourage patterns. DNS is one of those services that can be set up in a number of ways, including various views, naming variations, configuration options. The flexibility of DNS often leads companies to configure their DNS from a number of sources without enforcing standards and patterns. Standards are important so the next one working on the server can understand how and why it is configured the way it is. Patterns are important because they enable you to spot issues outside the norms.

One other aspect that makes DNS difficult is that it takes time to realize mistakes. Because DNS needs to resolve across the world, your changes may not become apparent immediately. This adds stress to the whole process. Using tools like dig and checking DNS settings from remote locations helps to troubleshoot some of these issues before they get out of hand.

For many companies outsourcing their DNS is often cheaper in the long run than training employees. The problem with training employees in the DNS configuration is that often those employees are not around when it is time to make adjustments to the DNS server.

Consulting often allows you to experience innovative technologies or applications that are under development. Two weeks ago we were provided the opportunity to work with a company that was building a new application that required data to be moved from a client ROM chip to a location on a CentOS server using FTP.

The challenge with this Linux consulting project was how to create a solution that was as simple as possible. When you are working with changing variables from the client pushing data, especially when it is limited to a ROM chip, you do not want to create scripts that depend on updating and can be impacted by changes. In this situation, it was smarter to create a solution that required a little more work but was not at the mercy of changing client variables like IP Address, names, method of login, etc.
Technology often over smarts itself by giving you the impression that the latest and greatest fancy solution is the best. In the long run, complexity often requires constant care and adjustment.
This using the newest solution because it is the most complex will also lead you down the path of managing unknown territory. The simple solution has often been around for a long time and has a tested history that makes the most sense for a solution.

Often the simple answer is more work but in the long run provides greater stability and security, both of which make a happy client.

Recently we had a Linux consulting opportunity to install and configure a Postfix mail server for a small company. The company wanted “secure” email for their users. One aspect of the request was to create an encrypted login and communication from the client to the mail server for IMAP using Squirrelmail and providing secure connections to the local client Thunderbird or Outlook. This process is straightforward however there is an issue with the word “secure”.

When a client uses a word like “secure” they often assume a great deal that may not be completely true. In this situation we provided the necessary aspects of SSL and TLS so that the clients had encrypted communication for logins and retrieving mail to their local machine or accessing mail from the web based option. That part of the concept of “secure” was in place. However, proper consulting requires you to also help the client understand that though all of the communication with the client may be secure, once the sent email leaves the mail server on port 25, it is plain text. So passwords and logins are secure but the actual content of the email is sent out in plain text. The only option here is to use encryption for the content of the email as well, an option that most companies do not want to hassle with.

The other aspect of “secure” is that in consulting you need also to encourage clients to use virus checks, SMTP restrictions and filters to control aspects of mail that they certainly do not want.

This project illustrates that Linux consulting requires the consultant to inform the client about their choices and about the bigger picture which the client often does not appreciate simply because they do not have the necessary background.

Outsourcing allows you to create a solution to a specific problem quickly. Many of the solutions that you may want to deploy in your organization require skills that take years to develop. Outsourcing helps you leverage the time factor. For example, when a company decides that the high cost of licenses for a mail server need to be replaced with an open source solution, it is not an easy process to simply assign a Windows admin who is used to a graphical interface to build a Linux server from the command line. In addition, it is difficult to determine all of the intricate details on how to construct a mail server. There is no doubt that the process of building a mail server can provide a lot of skill set development, but often companies waste thousands in development when they could have outsourced the project and purchased training for a low cost.

Here is an example to use as a comparison demonstrating the advantages of training and outsourcing at the same time.

Company A:
Company A decides to build a Nagios server to monitor their internal servers, printers, routers and switches. The company assigns a Windows admin the responsibility and gives them 3 months to get it up and working. The company has 25 internal servers both Windows and Linux, 10 laser printers and 8 switches and routers, a relatively small number. The first problem the admin faces is which Linux distribution to use. Then once they choose a distribution they cannot figure out how to install Nagios as it is not in the repositories of the distro they chose. Finally they do figure out how to install and once it is in place the admin wastes a huge amount of time reading documentation meant for different versions and distributions without realizing it. Oh yes, this is a very common problem when using the Internet and randomly selecting information. By the time the project is completed, and it is not uncommon for this to take 3 months the first time around, the company has paid the admin for 80 hours to work on this project for a company cost of $5200, assuming the admin gets $65 an hour over a 3 month period.

Company B:
Company B takes a completely different route. Recognizing that their Windows admins are not familiar with Linux and could use structured Linux training to help them achieve the goal, they first send two admins to an virtual training course for Nagios. In the classroom the two admins have practice servers that are available and a live instructor to ask questions and get ideas. The admins build and test Nagios in labs provided by the training company. At the same time, the company outsources the Nagios server install to the same company that trains the admins and within a month they have Nagios up and running and two fully trained admins to support the Nagios server. The training cost $395 each and the Nagios outsourcing cost the company $500. Total cost for training two admins, $2330. This assumes 8 hours of training for each of the administrators.

Time is money, every organization recognizes that time spent by administrators trying to create solutions is costly. Organizations need to weigh the cost of “Googling Solutions” over structured training coupled with outsourcing.

SpiderTools.com expands Postfix Consulting and Outsourcing Offerings

Postfix Training
The Live Postfix Training is a virtual classroom course which is 5 weeks long with classes once a week for 2 hours. Students will have access to a live mail server to set up and test configuration options. A printed 400 page manual and videos of how to set up a Postfix Mail server are also provided. Classes are flexible and students typically work with the instructor one-on-one.

The Self-Directed Postfix Course provides a 400 page PDF manual with videos which are constantly updated. The goal with the self-directed material is to provide all of the resources you need to set up and maintain a Postfix Mail Server. This course is without instructor support and without a practice server.

Postfix Outsourcing Packages
Each of these Postfix outsourcing packages focus on providing a stable, secure installation of the mail server with attention to detail. All of the packages provide an immediate reduction of SPAM with SMTP restrictions which significantly reduce SPAM by evaluating connections for legitimate email. In addition, Spamassassin provides excellent analysis of email to review the content of email for SPAM and RBLs (blackholes) installed will evaluate incoming email through databases.

Basic Postfix Installation – $179.95
* One Domain
* Dovecot with IMAP and POP3
* SMTP Restrictions
* ClamAV Virus Protection
* Spamassassin
* 3 RBLs Installed
* Statistics Daily Report
* Squirrelmail

Secure Postfix Installation – $249.95
This package builds upon the basic installation and adds SMTP AUTH so mobile users can send and receive email securely from Postfix. It also provides secure login using TLS to encrypt passwords and contents when logging in to retrieve email.
* One Domain
* Dovecot with IMAP/IMAPS and POP3/POP3S
* SMTP Restrictions
* ClamAV Virus Protection
* Spamassassin
* 3 RBLs Installed
* Statistics Daily Report
* SMTP AUTH
* Squirrelmail

Multiple Domain Postfix Installation – $349.95
If you need multiple domains on Postfix this is the package to choose. It includes and installation of PostfixAdmin which allows you to manage your mail server accounts from a web based platform.
* Up to 20 Domains
* Dovecot with IMAPS/POP3S
* SMTP Restrictions
* ClamAV Virus Protection
* Spamassassin
* SMTP AUTH
* Squirrelmail
* MySQL Database
* PostfixAdmin for a Web Based Access to Postfix

Postfix Consulting
Hourly Postfix consulting is provided for those organizations which need support to solve problems with Postfix or for special configurations.