This post documents a small shell script designed to provide basic mail queue statistics via SNMP for Postfix.

Requirements

• Postfix
• Net-SNMP

Installation

The code can be downloaded here.

To install, place the script anywhere in your system and edit it to provide the correct path to the “qshape” perl script that comes with Postfix.

Note: Under openSUSE qshape.pl is part of the postfix-docs package and is not installed by default.

To configure net-snmp, edit your snmpd.conf line and add a line as follows:

pass [oid-of-choice] /bin/snmpqshape.sh [oid-of-choice]

For example, due to a quirk in a paticular SNMP monitoring package I use, I had to use an OID belonging to Motorola:

pass .1.3.6.1.4.1.17713.2 /bin/snmpqshape.sh .1.3.6.1.4.1.17713.2

Net-SNMP will return 3 OIDs on query:

.0 :: Incoming
.1 :: Active
.2 :: Deferred

MRTG / RRDTool

Since the setup of monitoring / statistics tools such as MRTG or RRDTool is site-specific, no provisions are made on this page to provide a complete usage example. A minimal example for RRDTool:
#! /bin/sh
STR="`snmpwalk -OvQ -r 10 -t 5 -v 2c -c publicommunity hostname.site.com \
.1.3.6.1.4.1.17713.2 | perl -ne 's/^/:/;s/\n//;print'`"
rrdtool update /path/to/rr-database.rrd -t incoming:active:deferred N${STR}

DISCLAIMER
This code is free to use and distribute, and the author offers no liability or warranty for it’s misuse.

Want to limit the total bandwidth available to a Linux server, and don’t want to do it at the switch or router? Here’s how!

Simply use the Linux traffic control tools as follows. First enter:

tc qdisc add dev eth0 root handle 1: cbq avpkt 1000 bandwidth 100mbit

Now enter the following line. This line sets the bandwidth rate; note the “256kbit”. This will limit our server to 256Kbps.

tc class add dev eth0 parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated

And lastly:

tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 0/0 flowid 1:1

For more informtation on how this works, type ‘man tc’ at your console.

The most common attack vector on Linux web servers, is to get something uploaded onto the server that can then be executed. Most of these automated attacks try to put their payload into /tmp, which is universally writable by any user, and then execute it.

But what if they couldn’t execute it?

This is an easy way to beef up your webserver server security a little. Create a 1GB partition on your system, and in your fstab file, add a “noexec flag” like so:

/dev/sda3 /tmp ext3 acl,user_xattr,noexec 1 1

Now, the system will prevent any executable in /tmp from being executed and thus sealing off the most common flaw that allows for most automated attacks to work.

No unallocated space on your disk and don’t want to risk resizing? Use a loopback filesystem.

/dev/loop0 /tmp ext3 acl,user_xattr,noexec 1 1