Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
This is a draft post showing how you can monitor the performance of a server (or servers) with NixStats and receive alerts by SMS, Push, Email, Telegram etc
fyi: This is not a paid post, this is just me using the NixStats software to monitor my servers and send alerts.
Advertisement:
Finding a good host
If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.
Buy a domain name here
Monitoring Servers
The post below will show you how you can monitor servers online with https://nixstats.com/ and send alerts when resources reach limits or servers fail.
I signed up and started a Nixstats (14 day free trial).
After I created an account I was emailed by Nixtsats with agent install instructions for Linux (1 line). I was also advised to add contacts and to set up alerts.
I logged into the Nixstats settings and set up…
- My Timezone
- Default reporting period
- First name and Surname
- Reporting emails
- etc
Nixstats Subscription Upgrade
Subscription options
- Free (5 monitors, 1 server, 24-hour data retention etc)
- Founder (25 monitors, 10 servers, 30-day data retention etc)
- Business (100 monitors, 15 servers, 60-day data retention etc)
I enabled the limited founder subscription so I can monitor 10x servers (this deal is too good to miss). I tried creating a status page myself last year and it is terribly hard.
I am now out of the free trial period 🙂 Let’s start monitoring many servers.
I enabled two factor Auth to Nixstats logins
I created a Nixstats API key for future use (watch this space)
I installed the Nixstats agent (the dashboard gave a 1 line command you can run as root to install the agent (on Linux)).
FYI: Command (######################## is a number linked to your account)
1 | wget --no-check-certificate -N https://www.nixstats.com/nixstatsagent.sh && bash nixstatsagent.sh ######################## |
Output
1 2 3 4 5 6 7 | wget --no-check-certificate -N https://www.nixstats.com/nixstatsagent.sh && bash nixstatsagent.sh ######################## --2018-10-02 09:53:56-- https://www.nixstats.com/nixstatsagent.sh Resolving www.nixstats.com (www.nixstats.com)... 2400:cb00:2048:1::6819:8013, 2400:cb00:2048:1::6819:8113, 104.25.128.19, ... Connecting to www.nixstats.com (www.nixstats.com)|2400:cb00:2048:1::6819:8013|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 38708 (38K) [application/octet-stream] Saving to: 'nixstatsagent.sh' |
nixstatsagent.sh 100%[====================================================>] 37.80K –.-KB/s in 0.1s
2018-10-02 09:53:56 (338 KB/s) – ‘nixstatsagent.sh’ saved [38708/38708]
Found Ubuntu …
Installing …
Installing Python2-PIP …
Installing nixstatsagent …
Generation a server id …
Got server_id: ######################
Creating and starting service
Created symlink /etc/systemd/system/multi-user.target.wants/nixstatsagent.service -> /etc/systemd/system/nixstatsagent.service.
Created the nixstatsagent service
Server Dashboard
below is a summary of all connected servers ( https://nixstats.com/dashboard/servers ).
Monitor Setup
I set up a number of monitors to monitor ping replies and https traffic
Advanced Monitoring
I can also set the monitor credentials, timeouts, retries, auth methods, max redirects and frequency. If you server blocks login or resource GET attempts you may need to whitelist IP’s. IP’s of monitoring servers are located here https://nixstats.com/whitelist.php
Monitor Summary
The default dashboard is very informative. Feel free to create your own dashboards that focus on your own infastructure or apps.
Individual Server Reports
Advertisement:
You can click on a server and monitor it in detail.
Server Memory Graphs
Long-term memory graphs.
Install Optional Nixstats Plugins
Nixstats offers many plugins to monitor software that is installed on your server (e.g NGINX, MySQL, PHP etc).
1) NGINX Monitoring (Plugin)
To enable NGINX monitoring I read https://help.nixstats.com/en/article/monitoring-nginx-50nu7f/
I edited my NGINX sites-enabled config.
1 | sudo nano /etc/nginx/sites-enabled/default |
I added the following
1 2 3 4 5 6 7 8 9 | server { listen 127.0.0.1:8080; server_name localhost; location /status_page { stub_status on; allow 127.0.0.1; deny all; } } |
I tested, reloaded and restarted NGINX
1 2 3 | nginx -t nginx -s reload /etc/init.d/nginx restart |
The status page will only be available on the local machine, I tested the page on the local machine
1 2 3 4 5 | wget -qO- http://127.0.0.1:8080/status_nginx Active connections: 3 server accepts handled requests 15 15 31 Reading: 0 Writing: 1 Waiting: 2 |
It’s Working.
I edit /etc/nixstats.ini
1 | sudo nano /etc/nixstats.ini |
I remove comments before these lines to enable the plugin
1 2 3 | [nginx] enabled = yes status_page_url = http://127.0.0.1:8080/status_nginx |
I ran the following command to see if NGINX monitoring is possible
1 | nixstatsagent --test nginx |
Output
1 2 3 4 5 6 7 8 9 10 11 12 13 | nginx: { "accepts": 39, "accepts_per_second": 0.0, "active_connections": 6, "handled": 39, "handled_per_second": 0.0, "reading": 0, "requests": 119, "requests_per_second": 0.0, "waiting": 5, "writing": 1 } |
It’s Working
I restarted the nixstatsagent
1 | service nixstatsagent restart |
I can now view NGINX properties like active_connections in my dashboard. 🙂
2) Enable PHP-FPM Monitoring (Plugin)
Looks like a PHP-FPM monitoring was recently added lets set that up too. Read my guide on setting up PHP child workers here.
We’ve added a premade dashboard for PHP-FPM. If you’re not yet monitoring PHP-FPM take a look at the integration guide https://t.co/X4ywRHw9hX pic.twitter.com/aag1fTsr3R
— Nixstats (@nixstats) September 6, 2018
To enable PHP-FPM monitoring I read https://help.nixstats.com/en/article/monitoring-php-fpm-1tlyur6/
I edited my PHP-FPM ini file
1 | sudo nano /etc/php/7.2/fpm/pool.d/www.conf |
I added the following line
1 | pm.status_path = /status_phpfpm |
Restart PHP
1 | sudo service php7.2-fpm restart |
I added the following to /etc/nginx/sites-enabled/default localhost server block added above Note I use php 7.2 below (read more here).
1 2 3 | server { listen 127.0.0.1:8080; server_name localhost; |
location /status_phpfpm {
access_log off;
allow 127.0.0.1;
deny all;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
log_not_found off;
}
}
I tested, reloaded and restarted NGINX
1 2 3 | nginx -t nginx -s reload /etc/init.d/nginx restart |
I restart PHP-FPM
1 | sudo systemctl restart php7.2-fpm |
Enabled the plugin in /etc/nixstats.ini
1 2 3 | [phpfpm] enabled = yes status_page_url = http://127.0.0.1:8080/status_phpfpm?json |
I tested the status page
1 | wget -qO- http://127.0.0.1:8080/status_phpfpm?json |
Output:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | { "pool":"www", "process manager":"static", "start time":1538654543, "start since":178, "accepted conn":28, "listen queue":0, "max listen queue":0, "listen queue len":0, "idle processes":49, "active processes":1, "total processes":50, "max active processes":2, "max children reached":0, "slow requests":0 } |
Advertisement:
I tested the agent
1 | nixstatsagent --test phpfpm |
Output:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | phpfpm: { "accepted_conn": 51, "accepted_conn_per_second": 0.0, "active_processes": 1, "idle_processes": 49, "listen_queue": 0, "listen_queue_len": 0, "max_active_processes": 2, "max_children_reached": 0, "max_listen_queue": 0, "pool": "www", "process_manager": "static", "slow_requests": 0, "start_since": 318, "start_time": 1538654543, "total_processes": 50 } |
I can now query PHP-FPM status values in Nixstats 🙂
Enable MySQL Monitoring (Plugin)
To enable MySQL monitoring I read https://help.nixstats.com/en/article/monitoring-mysql-1frskd8/
I edited the nixstats.ini
1 | sudo nano /etc/nixstats.ini |
I enabled the mysql section in nixstats.ini and added my mysql credentials
1 2 3 4 5 6 7 8 | [mysql] enabled=yes username=mysqluser password=####################### host=127.0.0.1 database=mysql port=3306 socket=null |
I ran this command to test MySQL querying
1 2 3 | nixstatsagent --test mysql mysql: Load error: No module named MySQLdb |
I had an error.
A quick Google revealed I had to install a mysql python module.
1 | sudo apt-get install python-mysqldb |
Allow localhost to connect to MySQL
Edit /etc/mysql.cnf and allow all localhost and external connections (I could not bind to localhost and an external IP at the same time)
1 | bind-address = 0.0.0.0 |
TIP: Ensure you have firewalled access to your MySQL server, never open it up without protection.
Let’s try again
1 | nixstatsagent --test mysql |
Output
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 | mysql: { "aborted_clients": 0, "aborted_connects": 0, "binlog_cache_disk_use": 0, "binlog_cache_use": 0, "bytes_received": 0, "bytes_sent": 0, "com_delete": 0, "com_delete_multi": 0, "com_insert": 0, "com_insert_select": 0, "com_load": 0, "com_replace": 0, "com_replace_select": 0, "com_select": 0, "com_update": 0, "com_update_multi": 0, "connections": 0, "created_tmp_disk_tables": 0, "created_tmp_files": 0, "created_tmp_tables": 0, "key_read_requests": 0, "key_reads": 0, "key_write_requests": 0, "key_writes": 0, "max_used_connections": 3.0, "open_files": 14.0, "open_tables": 316.0, "opened_tables": 0, "qcache_free_blocks": 1.0, "qcache_free_memory": 16760152.0, "qcache_hits": 0, "qcache_inserts": 0, "qcache_lowmem_prunes": 0, "qcache_not_cached": 0, "qcache_queries_in_cache": 0, "qcache_total_blocks": 1.0, "questions": 0, "select_full_join": 0, "select_full_range_join": 0, "select_range": 0, "select_range_check": 0, "select_scan": 0, "slave_open_temp_tables": 0.0, "slow_launch_threads": 0, "slow_queries": 0, "sort_range": 0, "sort_rows": 0, "sort_scan": 0, "table_locks_immediate": 0, "table_locks_waited": 0, "threads_cached": 2.0, "threads_connected": 1.0, "threads_created": 0, "threads_running": 1.0, "uptime": 35837.0 } |
Nice,
I restart MySQL
1 | sudo systemctl restart mysql |
I restart my Nixstats service
1 | service nixstatsagent restart |
Now let’s monitor MySQL in Nixstats
I can now view MySQL metrix
Status Page
Nixstats allows you to create a status page ( https://nixstats.com/pages/overview ) where you can add any servers or monitors to that page. This stats page is truly awesome, it builds a live status page based on data coming from your installed agents.
You can even set up a custom subdomain that points to a Nixstats hosted status page too (e.g https://status.yourdomain.com).
FYI: An SSL certificate on your staus page may take a few hours to set up. Don’t panic if it is not instantatly available.
Nice.
This saves doing it yourself. The status page will look like it running on your server.
Status Page
You can create a status page that automatically aggregates collected data from monitors and displays them in a nice layout.
This is great, I used to do my own status pages but not anymore.
Alerts
I added a contact so I could receive alerts. I could then add my mobile, email and PushOver key (to receive push notifications) and Telegram Bot API token.
Test Alerts
I sent a test alert to each service against the contact.
Advertisement:
I activated a Pushover licence on my Android device for about $7.49 AUD (one off) to ensure I keep getting Push Notifications.
Nixstats have links that show you how you can create a Telegram Bot and Pushover.net account.
Pushover will cost about $5 USD one off per device (see faq).
I created the following alerts
Alert: Disk Usage higher than 90%
Alert: Load greater than 90 per cent for 1 minute
Alert: Less than 5 percent memory free.
Summary of alerts.
I also added a CPU reached 95% one for 5 mins alert too (but it’s not pictured above)
I forgot to specify alert recipients and methods for each alert so I edited each alert and added the contact.
Now it’s time to test the alerts.
I shut down a server to test alerts
1 | shutdown -h now |
Alerts to my defined Email, SMS, Push and Telegram are working a treat 🙂
After I rebooted the server I also received alerts about the server being back up.
The status page showed the server that was offline too.
Nice
Troubleshooting
I had an issue instaling the agent on Debian
I ran the following command
1 2 3 4 5 6 | wget --no-check-certificate -N https://www.nixstats.com/nixstatsagent.sh && bash nixstatsagent.sh ####################### --2018-10-02 00:41:38-- https://www.nixstats.com/nixstatsagent.sh Resolving www.nixstats.com (www.nixstats.com)... 2400:cb00:2048:1::6819:8113, 2400:cb00:2048:1::6819:8013, 104.25.129.19, ... Connecting to www.nixstats.com (www.nixstats.com)|2400:cb00:2048:1::6819:8113|:443... connected. HTTP request sent, awaiting response... 304 Not Modified File 'nixstatsagent.sh' not modified on server. Omitting download. |
nixstatsagent.sh: line 508: [: Installer exited with error code 0. See nixstatsagent.log for details.: integer expression expected
An error occured, please check the install log file (nixstatsagent.log)!
Contents of nixstatsagent.log
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | cat nixstatsagent.log Ign:1 http://deb.debian.org/debian stretch InRelease Hit:2 http://deb.debian.org/debian-security stretch/updates InRelease Hit:3 http://deb.debian.org/debian stretch-updates InRelease Hit:4 http://deb.debian.org/debian stretch Release Ign:5 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic InRelease Ign:7 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic Release Ign:8 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main all Packages Hit:9 https://packages.sury.org/php stretch InRelease Ign:10 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main amd64 Packages Ign:11 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main Translation-en Ign:8 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main all Packages Ign:10 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main amd64 Packages Ign:11 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main Translation-en Ign:8 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main all Packages Ign:10 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main amd64 Packages Ign:11 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main Translation-en Ign:8 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main all Packages Ign:10 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main amd64 Packages Ign:11 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main Translation-en Ign:8 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main all Packages Ign:10 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main amd64 Packages Ign:11 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main Translation-en Ign:8 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main all Packages Err:10 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main amd64 Packages 404 Not Found Ign:11 http://ppa.launchpad.net/ondrej/php/ubuntu cosmic/main Translation-en Reading package lists... W: The repository 'http://ppa.launchpad.net/ondrej/php/ubuntu cosmic Release' does not have a Release file. E: Failed to fetch http://ppa.launchpad.net/ondrej/php/ubuntu/dists/cosmic/main/binary-amd64/Packages 404 Not Found E: Some index files failed to download. They have been ignored, or old ones used instead. nixstatsagent.sh: line 118: apt-get upgrade returned error code 100. Please see nixstatsagent.log for details.: command not found |
I asked the Nixstats chat help and I was advised I had a dead repository (I removed this (editing the dead repo in the appropriate file in /etc/apt/) and all was ok)
I had trouble testing my Telegram alerts but it was my fault as I forgot to follow the bot account I created. Telegram does not allow message from a user (bot) unless you follow them.
A chat with the Nixstats staff sorted me out. Thanks, Nixstats chat team.
I had an issue with a missing python mysql package
1 | Load error: No module named MySQLdb |
I solved it by instaling python-mysqldb
1 | sudo apt-get install python-mysqldb |
Nixstats Help
Nixstats have a help subdomain: https://help.nixstats.com/en/
Error Logs Plugin
I did ask Nixstats on Twitter and they said they are working on a logging plugin, I can’t wait for that.
We’re launching a closed beta for Logging at Nixstats. Contact us to get setup! You can search and tail log files across all your servers! pic.twitter.com/FIeip2SOUw
— Nixstats (@nixstats) October 4, 2018
I now have access to beta log features and can see log tabs in Nixstats
I had or check the version of my rsyslogd
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | rsyslogd -v rsyslogd 8.32.0, compiled with: PLATFORM: x86_64-pc-linux-gnu PLATFORM (lsb_release -d): FEATURE_REGEXP: Yes GSSAPI Kerberos 5 support: Yes FEATURE_DEBUG (debug build, slow code): No 32bit Atomic operations supported: Yes 64bit Atomic operations supported: Yes memory allocator: system default Runtime Instrumentation (slow code): No uuid support: Yes systemd support: Yes Number of Bits in RainerScript integers: 64 |
I edited: /etc/rsyslog.d/31-nixstats.conf
I pasted
1 2 3 | ########################################################## ### Rsyslog Template for Nixstats ### ########################################################## |
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
template(name=”NixFormat” type=”string”
string=”<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [5bb8825c3f0bc16aa068f144@5fJR7vuYTJOX6cEiyZlLv5By tag=\”rsyslog\”] %msg%\n”
)
action(type=”omfwd” protocol=”tcp” target=”log.nixstats.com” port=”514″ template=”NixFormat”)
#################END CONFIG FILE#########################
I restarted the rsyslog service
1 | sudo service rsyslog restart |
Live Log Output
I can see a live log from (unknown) logs.
I can see the firewall blocking access to certain ports.
Search logs
Blacklist Checking (Beta)
Nixstats tweeted “We just launched a new blacklist check feature. Monitor your IP and hostname reputation. Free during the Beta!”
I enabled it.
I received a Blacklist notification
I requested removal at junkmailfilter.com
Thanks Nixstats
Conclusion
This is one of the best software packages I have seen in a while. I have developed status
pages in the past (no more). Great work Nixstats.
Please check out Nixstats today, they are awesome. Signup for a free account and consider the limited time founder plan (it’s a bargain).
Nixstats Live chat support is awesome
Server Plug
If you need a server, consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.
https://www.upcloud.com/register/?promo=D84793
Advertisement:
Ask a question or recommend an article
Revision History
v1.3 Blacklist beta
V1.2 Logs beta
v1.1 Logging Tweet
v1.0 Initial Post
Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare
This post will show you how you can setup Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) Signatures and Domain-based Message Authentication, Reporting, and Conformance (DMARC) on your GMail (G Suite) email to limit spam and increase security.
Advertisement:
I have a number of guides on moving away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. I use Google G Suite to send and receive emails that are linked to my domain (even via the command line) using multiple domains (with aliases).
For the best performing VM host (UpCloud) read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).
Buy a domain name from Namecheap here.
Buy how can you extend your email security and limit spam?
Enter..
Sender Policy Framework (SPF) for Authorizing Use of Domains in Email
Background: SPF summary from the RFC document from the Internet Engineering Task Force (IETF).
“Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on what a sending host can use as the “MAIL FROM” of a message or the domain given on the SMTP HELO/EHLO commands. This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby ADministrative Management Domains (ADMDs) can explicitly authorize the hosts that are allowed to use their domain names, and a receiving host can check such authorization.”
Google has a guide in setting up SPF records for your G Suite account.
Scan your site for SPF, DKIM and DMARC configuration(s).
Gmail has a test site where you can check your site SPF, DKIM and DMARC etc: https://toolbox.googleapps.com/apps/checkmx/
How to set up an SPF Record
I followed this guide to set up an SPF record on my G Suite account. I use Cloudflare for my DNS provider so I’ll make my DNS changes there.
Update: Google instructions were wrong, use a TXT record and not a SPF record.
Read more on SPF at Wikipedia here.
DNS will take a while to replicate so do wait a few hours before checking again with the checkmx tool.
Now let’s set up DomainKeys Identified Mail (DKIM) Signatures
Read more on DKIM at Wikipedia here.
Background: The DKIM RFC form the Internet Engineering Task Force (IETF) states…
“DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. This can be an author’s organization, an operational relay, or one of their agents. DKIM separates the question of the identity of the Signer of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the Signer’s domain directly to retrieve the appropriate public key. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.”
Google has a DKIM FAQ: https://support.google.com/a/answer/174124
Login to your G Suite account and load this FAQ.
The FAQ page states..
“You can help prevent spoofing by adding a digital signature to outgoing message headers using the DKIM standard. This involves using a private domain key to encrypt your domain’s outgoing mail headers, and adding a public version of the key to the domain’s DNS records. Recipient servers can then retrieve the public key to decrypt incoming headers and verify that the message really comes from your domain and hasn’t been changed along the way.”
Click Generate the Domain Key
Follow the steps and generate a key
Generate a new record
Add the DKIM key to your DNS record
DNS will take a while to replicate so do wait a few hours before checking again with the checkmx tool.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Read more on DMARC at Wikipedia here. Read the official page here https://dmarc.org/.
Background: The DMARC RFC form the Internet Engineering Task Force (IETF) states…
DMARC Flow
“Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.
Originators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers. These abilities have several benefits: Receivers can provide feedback to Domain Owners about the use of their domains; this feedback can provide valuable insight about the management of internal operations and the presence of external domain name abuse.
DMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection.”
Google G Suite has a guide to setting up a DMARC record here
Snip from the Google guide here..
“Spammers can sometimes forge the “From” address on email messages so the spam appears to come from a user in your domain. To help prevent this sort of abuse, Google is participating in DMARC.org, which gives domain owners more control over what Gmail does with spam email messages from their domain.
G Suite follows the DMARC.org standard and allows you to decide how Gmail treats unauthenticated emails coming from your domain. Domain owners can publish a policy telling Gmail and other participating email providers how to handle unauthenticated messages sent from their domain. By defining a policy, you can help combat phishing to protect users and your reputation.“
Login to your G Suite account and load this FAQ
Click Add A DMARC Record
You will then need to set up a DKIM Domain Key (if you have not done so yet)
When you are done you need to choose your DMARC rules, I would suggest you go to https://mxtoolbox.com/DMARCRecordGenerator.aspx to generate a record
I generated these rules
Warning: Setting a DMARC policy that is too strict may block mail from being delivered. Tighten rules over time.
Login to your DNS provider and add your TXT record.
You should now have an SPF, DKIM and DMARC record in DNS.
Update: The SPD record above should be a TXT (Google led me astray)
DNS will take a while to replicate so do wait a few hours before checking again with the checkmx tool.
Now go to bed and wait for DNS to replicate.
Troubleshooting SPF
My TXT record would not validate with https://toolbox.googleapps.com/apps/checkmx/check
The MX Toolbox SPF checker reports that SPF records are deprecated and to use TXT records instead.
Fix (remove the SPF record and add a TXT record with the same contents). Don’t forget to delete the old SPF record.
Results
Reports
SPF/DKIM reports will let me know when unauthorized people send email from my domain.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 | This is a spf/dkim authentication-failure report for an email message received from IP 125.105.176.155 on Sat, 14 Apr 2018 13:14:09 +0800. Below is some detail information about this message: 1. SPF-authenticated Identifiers: none; 2. DKIM-authenticated Identifiers: none; 3. DMARC Mechanism Check Result: Identifier non-aligned, DMARC mechanism check failures; For more information please check Aggregate Reports or mail to abuse@163.com. Feedback-Type: auth-failure User-Agent: NtesDmarcReporter/1.0 Version: 1 Original-Mail-From: <gibwcm@fearby.com> Arrival-Date: Sat, 14 Apr 2018 13:14:09 +0800 Source-IP: 125.105.176.155 Reported-Domain: fearby.com Original-Envelope-Id: VcCowECJ7EIejtFanCHFLg--.51187S2 Authentication-Results: 163.com; dkim=none; spf=softfail smtp.mailfrom=gibwcm@fearby.com Delivery-Result: delivered Identity-Alignment: none Received: from mitai (unknown [208.136.26.72]) by fearby.com with SMTP id LyDKBHx6xsr7XZkf.1 for <pjy315@163.com>; Sat, 14 Apr 2018 13:14:03 +0800 Message-ID: <20180414131403067652@fearby.com> From: =?utf-8?B?5rip5a6D?= <gibwcm@fearby.com> To: <pjy315@163.com> Subject: =?utf-8?B?UmXvvJrlm57lpI3vvJrovazlj5HvvJrml7bpl7Q05pyIMjAtMjHml6XkuIo=?= =?utf-8?B?5rW3IOWcsOeCuSDnvo7oh6PljJblpoblk4Hlhazlj7jln7norq3ln7rlnLA=?= Date: Sat, 14 Apr 2018 13:13:56 +0800 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_08FE_016CD6FE.1A359D20" X-mailer: Bagf 2 |
Also, DMARC will alert me to unauthorized activity
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 | <?xml version="1.0" encoding="UTF-8" ?> <feedback> <report_metadata> <org_name>google.com</org_name> <email>noreply-dmarc-support@google.com</email> <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info> <report_id>4329490063964523747</report_id> <date_range> <begin>1523750400</begin> <end>1523836799</end> </date_range> </report_metadata> <policy_published> <domain>fearby.com</domain> <adkim>r</adkim> <aspf>r</aspf> <p>quarantine</p> <sp>none</sp> <pct>5</pct> </policy_published> <record> <row> <source_ip>2001:19f0:5801:5fa:5400:ff:fe80:ec7a</source_ip> <count>2</count> <policy_evaluated> <disposition>none</disposition> <dkim>fail</dkim> <spf>fail</spf> <reason> <type>sampled_out</type> <comment></comment> </reason> </policy_evaluated> </row> <identifiers> <header_from>fearby.com</header_from> </identifiers> <auth_results> <spf> <domain>unknown</domain> <result>none</result> </spf> </auth_results> </record> </feedback> |
I hope this guide helps someone.
Ask a question or recommend an article
Revision History
v1.4 Reports
v1.3 DMARC Flow image
V1.2 Updated wording
V1.1 Fixed typos (they were free)
v1.0 Initial post
Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare
This post will show you how you can setup Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) Signatures and Domain-based Message Authentication, Reporting, and Conformance (DMARC) on your GMail (G Suite) email to limit spam and increase security.
Read the full article here: https://fearby.com/article/securing-google-g-suite-email-by-setting-up-spf-dkim-and-dmarc-with-cloudflare/
Add email alias to an existing GSuite email account
This short post will show you how (and why) you should add email aliases to email accounts for previously added domains.
Advertisement:
Here are my two posts related to setting up a new suite account and adding a second domain to an existing GSuite account. I used to have my own C Panel domain but moved all servers to self-managed servers first on Digital Ocean then AWS then Vultr. Vultr is now my preferred hosts as they are affordable and have server locations in Australia.
Login to your G Suite with an admin account.
Click Users
I tried to add an email alias to existing 2x domains in Google Suite (the help did not align with the screens I was seeing in my admin consoles), there was no email alias section)??
Official Google Help: https://support.google.com/domains/answer/6304345?hl=en-AU
Snip:
1 2 3 4 5 | Every user in a G Suite account has a <em>primary address</em> for signing in to their account and receiving mail. If a user wants another email address, you can create an <strong>email alias</strong> for them. <strong>Why use an alias? </strong> If ann@solarmora.com wants a sales address to post to the company website, you can create the alias <strong>sales@solarmora.com</strong>. Mail sent to either address then appears in Ann's Gmail inbox. You can add up to 30 email aliases for each user. Users continue to sign in to their G Suite account with their primary address, not an email alias. |
I fired up the G Suite support
I wanted to add the following email aliases of “security@..”, “admin@..” and “root@..” to an existing email on 2 domains to support security disclosures (post soon (nope Troy Hunt beat me, read his post on security disclosure here)).
While I was waiting for the support chat I figured out the email alias thing, it turned out I needed to click the “Account” header on the user screen (I did not realise “account word was clickable).
Solution: How to add Aliases
You need to click the account heading (It’s a link apparently).
When the Ajax content loads you can scroll down to alias section.
Tip: There is no “Apply” or “OK” button when adding aliases so just press enter.
Now if you want to be able to send as the new alias you need to add the aliases in Gmail.
Now you can send via this email alias in GMail or via CLI via the primary account 🙂
1 | sendemail -f root@yourdomain.com -t to@email.com -u "Test email via alias" -s smtp.gmail.com:587 -o tls=yes -xu simon@yourdomain.com -xp YourPa$$w0rdH3r3 -m "Test email via alias" |
Read my blog post on sending email from the command line via G Suite.
Donate and make this blog better
Ask a question or recommend an article
Revision History
v1.1 Added Troy Hunt “Data Breach Disclosures” link
v1.0 Working Copy.
Hope this helps someone.
Adding a second domain to an existing GSuite account and creating an email address
Below is my post (personal view, not paid view) on how to add a second domain to an existing gsuite account and creating an email address and sending emails from a client tor CLI.
Advertisement:
Jan 2018 Update
Post on adding email aliases to G Suite
Main
Read my post here if you have never created or managed a GSuite account to take control of mail for a domain. This guide will build on this previous guide and show you how to add a second domain to an existing GSuite account. Read this guide if you need a Namecheap domain and or an Ubuntu VM to host a website. I really like deploying WordPress via Command Line (CLI), read my guide here.
Buy a domain name from Namecheap here.
Before you get started login to your G Suite account and ensure your first domain is set up and working. If you don’t have a GSuite account click here to set one up (first 14 days are free).
Also, I highly recommend the G Suite support, this has to be the best and most experienced support I have used of any company (my views only).
In the Google G Suite admin bar type “add domain” and select “Add new Domain” (not “Add new domain Alias”).
Select “Add another domain” and click “CONTINUE AND VERIFY DOMAIN OWNERSHIP”
Now copy the domain verify code (I use Namecheap for my domains so you may see different advice)
I logged into Namecheap and added the TXT record to my domain.
While I was here I added G Suite MX records.
I went back to GSuite and clicked Verify
I could now add an email user to the second domain I just added to G Suite. 🙂
I set a strong password so I won’t force the reset of a password at next login. I plan on using the email account for manual and semi-automated alerts in code (read my guide here on how to send GSuite/gmails via code).
Once the user is created you can send them a welcome email.
Sample welcome email.
The email is now ready to use. I can send and revive email using this account with an email client.
I can even send emails via the command line (read how here)
1 2 3 4 5 | cat testemail.sh #!/bin/bash echo "Sending Email"; sendemail -f from@domain.com -t to@email.com -u "Subject" -s smtp.gmail.com:587 -o tls=yes -xu from@domain.com -xp 'passwordhere' -m 'Message Body Here' |
Send via running
1 | sudo bash testemail.sh |
Output
1 2 | Sending Email Dec 13 23:16:15 thedomain sendemail[8397]: Email was sent successfully! |
More
Post on adding email aliases to G Suite
Hope this helps someone.
Donate and make this blog better
Ask a question or recommend an article
Revision History
1.3 added more links.
v1.2 Fixed.
How to be alerted after system boot on Ubuntu 16.04 with an email via Gmail
This will allow you to sent an email at startup on Ubuntu boot. You will need to ensure sendmail is setup and working (read my guide on How to send email via G Suite from Ubuntu in the cloud, setup an Ubuntu server in the cloud here (guide here)).
Advertisement:
Create a scripts folder
1 | mkdir /scripts/ |
Create a file called /scripts/emailstartup.sh and add..
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | #!/bin/bash echo "Dumping startup log"; journalctl -b0 --system _COMM=systemd --no-pager >/scripts/boot.log #echo "Deleting old log file"; #rm -R /scripts/boot.zip #echo "Zipping up Startup Log File."; #zip -r -9 /scripts/boot.zip /scripts/boot.log echo "Sending Email With Attachment"; # Ensure you have gmail or gsuite setup on your domain, guide here https://fearby.com/article/moving-a-cpanel-domain-with-email-to-a-self-managed-vps-and-gmail/ sendemail -f email@yourserver.com -t email@yourserver.com -u "Startup: $HOSTNAME server" -m "Attached are the startup logs for $HOSTNAME server" -s smtp.gmail.com:587 -o tls=yes -xu email@domain.com -xp password -a /scripts/boot.log |
optional: Uncomment lines above to attach a zip file instead of a log file (don’t forget to attach the zip instead of the log file in sendmail.)
Make the script file executable
1 | sudo chmod +X /scripts/emailstartup.sh |
Test the script
1 2 3 4 5 6 7 | sudo /bin/bash /scripts/emailstartup.sh Dumping startup log Deleting old log file Zipping up Startup Log File. adding: scripts/boot.log (deflated 91%) Sending Email With Attachment Sep 05 18:49:27 yourservernamehere sendemail[2606]: Email was sent successfully! |
Add the following to crontab -e to ensure the script is executed 5 minutes after startup.
1 | @reboot sleep 300 && /bin/bash /scripts/emailstartup.sh >> /dev/null 2>&1 |
On reboot, you will be emailed desired start-up information.
Donate and make this blog better
Ask a question or recommend an article
v1.0 initial post
How to send email via G Suite from Ubuntu in the cloud
Here is how I send emails from the command line in Ubuntu servers in the cloud via G SUote connect emails
Advertisement:
Jan 2018 Update
Post on adding a second domain to G Suite
Post on adding email aliases to G Suite
Main
If you use ufw for your Ubuntu firewall then allow port 587 out traffic (read more in securing Ubuntu in the cloud here).
1 | sudo ufw allow out 587 |
Ensure your port is open on IPV4 and IPV6.
1 | sudo ufw status |
If you have a GUI managed firewall with your server host then configure it to allow port 587 (out).
Read more on useful terminal commands here or setting up a Digital Ocean Ubuntu server here for as low as $5 a month here, Vultr server for as low as $2.5 here ($10 free credit). Read more about setting up an AWS Ubuntu server here.
Install sendmail and other pre requisites
1 | apt-get install libio-socket-ssl-perl libnet-ssleay-perl sendemail |
Now you are ready to send an email with 1 line in the terminal (use your Gmail email unless you have diverted your email to G Suite (then use that email, guide here). Create a G Suite account here.
FYI: I have setup my email for my domain to redirect via G Suite (see my guide here and older guide here)
Send an email from the command line
1 | sendemail -f your@email.com -t your@email.com -u "test email" -m "test message" -s smtp.gmail.com:587 -o tls=yes -xu your@email.com -xp y@ursecurepa$$wordg@eshere123 |
This is not a drop-in replacement for Outlook or Thunderbird email clients but it is perfect for command line alerts to con-jobs or start-up notifications.
Sending an email with an attachment
1 | sendemail -f your@email.com -t your@email.com -u "test email" -m "test message" -s smtp.gmail.com:587 -o tls=yes -xu your@email.com -xp Y@urSecu&rpa$$w@rd123 -a /folder/file.zip |
Coming soon: A guide on backing up Ubuntu with Rsync etc.
More
Post on adding a second domain to G Suite
Post on adding email aliases to G Suite
Donate and make this blog better
Ask a question or recommend an article
v1.2 added other links
v1.1 added links to two G Suite guides.