Wednesday 29 August 2012

Nagios: check remote hosts via SSH with command validation


Nagios server: Fedora release 16 (Verne)
Nagios remote node: Debian GNU/Linux testing (wheezy)


Basic SSH Configuration
Let's allow access from the Nagios server to the Nagios node by creating a passphrase-less SSH key (the key has to be usable by an unattended daemon, so the restrictions in the SSH validation section below are what protect it). The post uses a DSA key; DSA keys are fixed at 1024 bits and OpenSSH has refused ssh-dss by default since 7.0, so on a current system use ssh-keygen -t ed25519 instead:

zmo@nagiosSer:~$ cd .ssh/
zmo@nagiosSer:~/.ssh$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/zmo/.ssh/id_dsa): nagios
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in nagios.
Your public key has been saved in nagios.pub.
The key fingerprint is:
....

... so that you now have nagios and nagios.pub alongside the other keys:

zmo@nagiosSer:~/.ssh$ ls
id_rsa id_rsa.pub nagios nagios.pub

On the remote node, create the nagios user and the necessary files. sshd's StrictModes rejects keys in a directory that others can write to, so set the permissions right away:

root@nagiosNod:~# adduser nagios
Adding user `nagios' ...
Adding new group `nagios' (1006) ...
Adding new user `nagios' (1006) with group `nagios' ...
...
Enter new UNIX password: xxxxxxxx
Retype new UNIX password: xxxxxxxx
...
root@nagiosNod:~# su - nagios
nagios@nagiosNod:~$ mkdir -m 700 .ssh
nagios@nagiosNod:~$ touch .ssh/authorized_keys
nagios@nagiosNod:~$ chmod 600 .ssh/authorized_keys


Append your public key from the Nagios server to the remote nagios user's authorized_keys file:


zmo@nagiosSer:~/.ssh$ cat nagios.pub | ssh nagios@nagiosNod.remote.com 'cat >> /home/nagios/.ssh/authorized_keys'
nagios@nagiosNod.remote.com's password: xxxxxxxx


Try it out:

zmo@nagiosSer:~$ ssh -i .ssh/nagios nagios@nagiosNod
Last login: Tue Aug 28 20:44:54 2012 from nagiosSer
nagios@nagiosNod:~$



On the nagios server


root@nagiosSer:~# yum install nagios-plugins-by_ssh.i686


On the nagios remote node
Install the nagios plugins

root@nagiosNod:~# apt-get install nagios-plugins-basic


NOTE: you can find where the plugins have been installed with

root@nagiosNod:~# dpkg -L nagios-plugins-basic
...
/usr/lib/nagios/plugins/check_apt
/usr/lib/nagios/plugins/check_tcp
/usr/lib/nagios/plugins/check_dummy
/usr/lib/nagios/plugins/check_ntp
/usr/lib/nagios/plugins/check_nwstat
/usr/lib/nagios/plugins/check_load
/usr/lib/nagios/plugins/check_procs
...


On the nagios server
Let's write an SSH config file:

root@nagiosSer:~# cd /etc/nagios
root@nagiosSer:/etc/nagios# vim check_by_ssh_config


Host nagiosNod 84.68.x.x
User nagios
Hostname nagiosNod.remote.com
IdentityFile /home/zmo/.ssh/nagios

This file is passed to check_by_ssh as its SSH configuration (the -F option). You can of course add other hosts. Two things to get right before the first scheduled run: check_by_ssh executes as the nagios user, so the private key must be readable by that user (a copy owned by nagios with mode 600, for instance under /etc/nagios, is cleaner than pointing into another user's home), and the node's host key must already be in that user's known_hosts (or in a UserKnownHostsFile named in this config), otherwise the check fails with "Host key verification failed" because there is no terminal to answer the prompt. Do not work around that by disabling StrictHostKeyChecking: the check would then hand its command to whoever answers at that address.

Configure the commands.cfg

root@nagiosSer:/etc/nagios# vim objects/commands.cfg


# Check Remote Disk
define command {
command_name check_remote_disk
command_line $USER1$/check_by_ssh -H $HOSTADDRESS$ -F /etc/nagios/check_by_ssh_config -C "/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$"
}

A little explanation:
* $USER1$ - the first user macro from resource.cfg, which by convention holds the local plugin directory (so $USER1$/check_by_ssh is the plugin installed above); it is not the user Nagios runs as
* $HOSTADDRESS$ - the address defined in the "address" field of the host definition (/etc/nagios/objects/nagiosNod.cfg); the Host line of the SSH config above lists both the name and the numeric address, so either value is matched
* -F /etc/nagios/check_by_ssh_config - the SSH configuration file written above
* -C "/usr/lib/nagios/plugins/check_disk ..." - the command to execute on the remote node; its thresholds and mount point come from the service definition through $ARG1$, $ARG2$ and $ARG3$

It's better (not mandatory) to give these services their own template, so their check timing can be tuned separately from local checks. Open /etc/nagios/objects/templates.cfg (or services.cfg) and append:

# Remote service
define service{
name remote-service
use generic-service
max_check_attempts 4
normal_check_interval 5
retry_check_interval 1
register 0
}


Now, in /etc/nagios/objects/nagiosNod.cfg, append:

define service {
use remote-service
host_name nagiosNod
service_description Home Partition
check_command check_remote_disk!20%!10%!/home
}


SSH validation
This step allows only the check_* plugins to be executed from the Nagios server on the Nagios node: no other command, no interactive login, nothing else.

Create the validation script. Keep it root-owned and not writable by nagios: a script the nagios user can edit is a restriction the nagios user can remove.

root@nagiosNod:~# vim /usr/local/bin/validate-nagios-check
#!/bin/sh
# Forced command for the Nagios key: $SSH_ORIGINAL_COMMAND is what the
# client asked to run. Only plugins from the plugin directory get through.
case "$SSH_ORIGINAL_COMMAND" in
*\&*|*\;*)
    echo "Rejected"
    exit 3
    ;;
/usr/lib/nagios/plugins/check_*)
    exec $SSH_ORIGINAL_COMMAND
    ;;
*)
    echo "Rejected"
    exit 3
    ;;
esac
root@nagiosNod:~# chmod 755 /usr/local/bin/validate-nagios-check

A little explanation: $SSH_ORIGINAL_COMMAND holds the command the client asked for, i.e. our /usr/lib/nagios/plugins/check_* line. exec replaces the validation shell with the plugin instead of running it as a child, so the plugin's exit status goes straight back to check_by_ssh. Rejected requests exit 3 (UNKNOWN to Nagios); with a plain echo they would return 0 and show up as OK. Note that the variable is expanded, not evaluated: a ; or | inside it reaches the plugin as a literal argument rather than being interpreted, so the first branch is belt and braces. What the check_* pattern does not prevent is invoking a plugin that itself runs arbitrary commands, so on a production node it is worth replacing the wildcard with the explicit list of plugins you actually use.

Back to our authorized_keys. We have to prepend to the key entry (before ssh-dss or ssh-rsa) the options that force every session through validate-nagios-check and restrict the key to the Nagios server's address; options and key go on one line. It is also worth adding no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty (or simply restrict on OpenSSH 7.2 and later): a forced command alone does not stop the key holder from opening port forwards through the node.

nagios@nagiosNod:~$ vim .ssh/authorized_keys
from="73.224.x.x",command="/usr/local/bin/validate-nagios-check" ssh-dss AAAAB3NzaC1kc3MAAACBAKK3jM9O+cmjPufrn9Ie7q+iJJu+1B0bHH6lhfYC8KandEIWP0gMGz4v...
...


You can test the validation script from the Nagios server against the node:

root@nagiosSer:~# ssh -i /home/nagios/.ssh/nagios nagios@nagiosNod.remote.com
Rejected
Connection to nagiosNod.remote.com closed.
root@nagiosSer:~# ssh -i /home/nagios/.ssh/nagios nagios@nagiosNod.remote.com /bin/ls
Rejected
root@nagiosSer:~# ssh -i /home/nagios/.ssh/nagios nagios@nagiosNod.remote.com /usr/lib/nagios/plugins/check_http -h
check_http v1.4.16 (nagios-plugins 1.4.16)
Copyright (c) 1999 Ethan Galstad
Copyright (c) 1999-2011 Nagios Plugin Development Team
...
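As an added example (not code from the original post), here is the same forced-command idea as validate-nagios-check rewritten so it can be exercised locally: an explicit allow-list of plugin names instead of the check_* wildcard, exit status 3 (UNKNOWN) for rejected requests so a rejection can never show up as OK in Nagios, and the plugin directory taken from a variable so the logic runs against a throw-away directory of constructed stand-in plugins instead of a real node. The allow-list contents, the fake plugins and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: the forced-command check as a
# function with an explicit plugin allow-list, exit 3 (UNKNOWN) on rejection,
# and a plugin directory that can be pointed at a temporary directory of
# constructed stand-in plugins. Allow-list and fake plugins are assumptions.

PLUGIN_DIR="${PLUGIN_DIR:-/usr/lib/nagios/plugins}"
ALLOWED="check_disk check_load check_procs check_http"

# run_check "COMMAND LINE": what sshd would run with SSH_ORIGINAL_COMMAND
# set to that string. Prints the plugin's output and returns its exit
# status, or prints Rejected and returns 3.
run_check() {
    # Refuse anything that looks like shell syntax outright. With an
    # unquoted expansion these would reach the plugin as literal arguments
    # rather than be interpreted, but no monitoring command needs them.
    case "$1" in
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'>'*|*'<'*|*'('*|*')'*)
            echo "Rejected"; return 3 ;;
    esac
    # Split into argv the way exec $SSH_ORIGINAL_COMMAND does, but with
    # pathname expansion off so a stray * cannot turn into file names.
    set -f
    set -- $1
    set +f
    prog=$1
    case "$prog" in
        "$PLUGIN_DIR"/check_*) ;;               # must live in the plugin dir
        *) echo "Rejected"; return 3 ;;
    esac
    for name in $ALLOWED; do                    # ... and be one we use
        if [ "$name" = "${prog##*/}" ]; then
            # exec in a subshell: the plugin replaces that shell, so its
            # exit status is exactly what check_by_ssh will see.
            ( exec "$@" )
            return $?
        fi
    done
    echo "Rejected"; return 3
}

# Constructed stand-ins for /usr/lib/nagios/plugins, used by the demo only.
setup_fake_plugins() {
    PLUGIN_DIR=$(mktemp -d)
    # check_disk stand-in: reports OK and echoes its arguments.
    printf '#!/bin/sh\necho "DISK OK $*"\nexit 0\n' > "$PLUGIN_DIR/check_disk"
    # Hypothetical plugin that is installed but NOT on the allow-list.
    printf '#!/bin/sh\nexec /bin/sh -c "$*"\n' > "$PLUGIN_DIR/check_shell"
    chmod 755 "$PLUGIN_DIR"/check_*
}

show() { if run_check "$1"; then echo "rc=0"; else echo "rc=$?"; fi; }

demo() {
    setup_fake_plugins
    show "$PLUGIN_DIR/check_disk -w 20% -c 10% -p /home"   # DISK OK ..., rc=0
    show "$PLUGIN_DIR/check_shell id"                      # Rejected, rc=3
    show "/bin/ls"                                          # Rejected, rc=3
    show "$PLUGIN_DIR/check_disk -p /home; id"             # Rejected, rc=3
    rm -rf "$PLUGIN_DIR"
}

demo
```

To use it as the real forced command, drop the demo part and end the script with run_check "$SSH_ORIGINAL_COMMAND"; exit $?. The subshell around exec only exists so the demo can carry on after each call; in the page's script the top-level exec replaces the shell directly, which is the intended behaviour.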

Wednesday 22 August 2012

Dnsmasq and the network "pushing" on CentOS

This short post shows how to push routes to your clients using the Dnsmasq DHCP server.

A possible scenario: your DHCP server (192.168.0.1) hands out 192.168.0.x addresses, but your clients also need to reach the 172.16.x.x and 10.0.x.x networks, for instance to get at VPN resources on your LAN. Those networks are NOT handled by your DHCP server. The quick solution is to have the DHCP server "push" routes to those networks, which is possible thanks to DHCP option 121 (classless static routes, RFC 3442).

Let's assume our network id (a dnsmasq tag) is "vicinet" (you can also omit it, in which case the option is sent to every client):


dhcp-option = vicinet, 121, 10.0.0.0/16, 192.168.0.1, 172.16.0.0/16, 192.168.0.1



The format is always:


dhcp-option = id_net, 121, NETWORK/PREFIX, GATEWAY [, NETWORK/PREFIX, GATEWAY ...]

Current dnsmasq releases spell the tag tag:id_net. Two caveats: a client that honours option 121 must ignore the Router option (3), so the default route has to be listed here as well (0.0.0.0/0, 192.168.0.1), otherwise those clients end up with no default gateway; and Windows XP-era clients read Microsoft's option 249 instead of 121.
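As an added example (not from the original post): a small script that builds the dnsmasq line for a set of classless static routes and prints the RFC 3442 wire encoding the clients actually receive, so the option can be compared with what a packet capture shows (Wireshark decodes option 121 into the same prefix-length, destination and router fields). The routes and the "vicinet" tag are the page's own values, written with the tag: prefix current dnsmasq releases use; the default route is included because a client that accepts option 121 ignores the Router option. The function names and the fixed route list are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: dnsmasq option-121 line plus
# the RFC 3442 encoding of the same routes. Function names are assumptions.

# ip_hex A.B.C.D -> "aa:bb:cc:dd" (subshell body so IFS is not clobbered)
ip_hex() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o; do
        [ "$o" -ge 0 ] 2>/dev/null && [ "$o" -le 255 ] || return 1
    done
    printf '%02x:%02x:%02x:%02x' "$1" "$2" "$3" "$4"
)

# route_hex DEST/LEN GATEWAY -> one RFC 3442 route: prefix length byte,
# ceil(LEN/8) significant octets of DEST, then the 4 octets of GATEWAY.
route_hex() {
    case "$1" in */*) ;; *) return 1 ;; esac
    dest=${1%/*} len=${1#*/} gw=$2
    [ "$len" -ge 0 ] 2>/dev/null && [ "$len" -le 32 ] || return 1
    nsig=$(( (len + 7) / 8 ))
    desthex=$(ip_hex "$dest") || return 1
    gwhex=$(ip_hex "$gw") || return 1
    out=$(printf '%02x' "$len")
    if [ "$nsig" -gt 0 ]; then
        # each octet is "xx:" wide; keep the first nsig of them
        out="$out:$(printf '%s' "$desthex" | cut -c1-$((nsig * 3 - 1)))"
    fi
    printf '%s\n' "$out:$gwhex"
}

# option121_line TAG "DEST/LEN GW" ... -> the dnsmasq.conf line
option121_line() {
    tag=$1; shift
    line="dhcp-option=tag:$tag,121"
    for r in "$@"; do
        line="$line,${r% *},${r#* }"
    done
    printf '%s\n' "$line"
}

# option121_hex "DEST/LEN GW" ... -> the option payload as hex octets
option121_hex() {
    hex=
    for r in "$@"; do
        h=$(route_hex "${r% *}" "${r#* }") || return 1
        hex="${hex:+$hex:}$h"
    done
    printf '%s\n' "$hex"
}

# Constructed route list: the page's two networks plus the default route.
ROUTES='10.0.0.0/16 192.168.0.1
172.16.0.0/16 192.168.0.1
0.0.0.0/0 192.168.0.1'

main() {
    IFS='
'
    set -- $ROUTES
    unset IFS
    option121_line vicinet "$@"
    option121_hex "$@"
}
main
```

The encoding is per route: one byte of prefix length, only as many destination octets as the prefix covers (none at all for 0.0.0.0/0), then the four router octets; that is why the three routes above add up to 19 bytes rather than 27.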

Tuesday 21 August 2012

Shorewall and Pptp VPN on Ubuntu



~# apt-get install shorewall pptp-linux


PPP
Let's create a ppp peer file:


~# vim /etc/ppp/peers/zmo


I've used these options successfully:


# Zmo PPTP VPN configuration
remotename zmo
linkname zmo
ipparam zmo
# 149.79.X.X is the remote VPN endpoint
pty "pptp 149.79.X.X --nolaunchpppd"
name username
require-mppe-128
refuse-eap
refuse-pap
refuse-chap
refuse-mschap
noauth
lock
nobsdcomp
nodeflate
persist
mtu 1400
mru 1400



Note what these options leave: with PAP, CHAP, MS-CHAP and EAP refused and MPPE required, authentication is MS-CHAPv2, the only method MPPE can derive its keys from. MS-CHAPv2 can be broken offline from a captured handshake (its DES-keyed responses are brute-forceable), which also yields the MPPE session keys, so treat a PPTP link as access to a cooperating network, not as confidentiality against someone on the path; an IPsec or OpenVPN tunnel is the fix.

Fill in /etc/ppp/chap-secrets (keep it root-owned and mode 600; pppd warns when the file is readable by others):


# Secrets for authentication using CHAP
# client server secret IP addresses
username zmo 2023n5t-w0re *



Network Interface
Fill in /etc/network/interfaces. You can use the "unit x" parameter; this handy option lets you pick the number of your ppp device (ppp0, ppp1, ppp5 ...), so the interface name is stable and can be referenced from Shorewall.


# Zmo Pptp VPN
auto ppp5
iface ppp5 inet ppp
provider zmo
unit 5



Bring up the link with:


~# ifup ppp5



I recommend using this file (/etc/network/interfaces) even when you want to add routes for the VPN device: put them in "post-up" lines.


# Zmo Pptp VPN
auto ppp5
iface ppp5 inet ppp
provider zmo
unit 5
post-up /sbin/route add 149.88.X.X gw 149.19.X.X
post-up /sbin/route add -net 150.84.X.X netmask 255.255.255.0 gw 150.84.X.X



Shorewall
Define a zone for the VPN in Shorewall; I'll call it "zmo". The zone must also be declared in /etc/shorewall/zones (type ipv4) before it can be bound to an interface, or Shorewall refuses to compile.


~# vim /etc/shorewall/interfaces


It should look like:


# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
wan eth0 detect tcpflags,nosmurfs,routefilter,logmartians,dhcp
dmz eth1 detect tcpflags,nosmurfs,routefilter,logmartians,dhcp
lan eth2 detect tcpflags,nosmurfs,routefilter,logmartians,dhcp
# VPN pptp
zmo ppp5 detect tcpflags,nosmurfs,routefilter,logmartians



Allow the vpn to be reached just by the lan


~# vim /etc/shorewall/policy



...
# Zmo Pptp VPN
lan zmo ACCEPT
all zmo REJECT
...


Masquerade the VPN traffic from that interface:


~# vim /etc/shorewall/masq



# For information about entries in this file, type "man shorewall-masq"
##############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
ppp5 - -


NOTE: no IP is needed here; Shorewall masquerades the traffic with the interface's own address, so "-" in the SOURCE and ADDRESS fields is enough. You would give an address only to masquerade with an IP other than the interface's.

Finally, fill in Shorewall's "tunnels" file, so the PPTP control connection (TCP 1723) and the GRE packets that carry the tunnel are allowed between the firewall and the VPN server. You can copy a template from the documentation:


~# cp /usr/share/doc/shorewall/default-config/tunnels /etc/shorewall



It should look like:


###############################################################################
#TYPE ZONE GATEWAY GATEWAY
# ZONE
pptpclient wan 149.79.X.X

The ZONE column is the zone the PPTP server is reached through (the endpoint 149.79.X.X is on the internet, so wan here), not the zone of the tunnel itself; GATEWAY is the server's address, and 0.0.0.0/0 would accept any gateway.