Micro data centers, that unstoppable David defeating Goliath again

by Dimas Pardo | Last updated Oct 27, 2021 | Tech

Reasons why you need micro data centers right now

We all remember a couple of biblical allegories here. That of the Good Samaritan, that of The Prodigal Son, that of an Aragonese with new Adidas and the trolleybus on line 8… But the one that interests us today is that of the most holy and bethlemite David, preceded by Saul and succeeded by Solomon, who, among his many achievements, managed to defeat the Philistine giant Goliath. And he did so despite their difference in size and strength, which comes close to explaining the potential of micro data centers compared to traditional data centers.

Micro data centers, small but actual beasts

Look in the rear-view mirror, an allegorical rear-view mirror of course, as it is very unlikely that you will find yourself driving while reading this brilliant article. Look in the rear view mirror. Far back on the road is the gray monotony of centralized data centers. Yes, given how new and cool cloud computing is, which companies are currently going for, data centers are becoming, in a subtle way, micro data centers. That is, smaller and more succinct versions of the system, the mechanics and the traditional apparatus.

These “mini versions”, compared to traditional data centers, are built for a different type of workload. In addition, they solve very specific problems that traditional data centers can no longer solve.

Macro qualities of a micro data center

If we go directly to the most common features, the most typical micro data center is around ten servers and one hundred virtual machines. They are autonomous systems that contain the same capabilities as traditional data centers and more. We are talking about refrigeration systems, security systems, humidity sensors and a constant power supply.

I no longer need you to look in the rearview mirror, now look at the front windshield. Due to the global pandemic of Covid-19, remote work or telework has become part of our lives permanently. Well, these micro data centers as small and cute as they come have been created as the ideal proposal for locations of all types. They can be deployed in a higher number of locations and rooms. Even for a rudimentary installation in a classic office, they are the most silent and functional ones.

More benefits of micro data centers

If we had to make an official list of benefits and advantages of our little David, the first thing we would point out, in bold type, is that micro data centers directly empower companies. And they do not do so by magic, they do it, for example, reducing server costs, since they do not require bulky storage, or giving the option to companies to upgrade according to their own needs. This already by itself supposes a substantial difference in costs that will come in handy for the development and growth of companies.
Micro data centers are closer to users, which also translates into a reduction in latency. All of that in addition to how cheap they are compared to traditional data centers.

If you keep on looking ahead the advances are coming, one after the other, like traffic signs that we quickly leave behind with our allegorical ride. Technology companies increasingly have more data to accumulate and are in need of more processing power. Big brands will have no problem, they have the money, but what about small offices, retail areas or even town firms? They more than anyone should take advantage of edge computing and micro data centers to improve their businesses. And not only because they have the strangest and most remote and forsaken locations, but because these micro data centers can run all kinds of security systems, cash registers and other digital systems that are usually needed by small businesses.

Imagine your neighborhood grocer, “Frank, The 6 fingers,” using data analytics to improve marketing. After all, micro data centers only need a comfortable cabinet for cooling. And if we are talking about a small savings bank or common bank, well, they can implement their financial practices making them more efficient with micro data centers. Leaning even towards IT solutions, edge computing, IoT…

But be careful: Micro data centers should not be mistaken with edge computing.

To avoid mistaking them: micro data centers take advantage of edge computing to reach their goal, while edge computing is the one that increases processing power, brings it closer to the data source, speeds up the process of transporting data and improves device performance.

Even if it was this time from 1 Samuel 17: 4-23; 21: 9, David blows up again and knocks out Goliath. Proving that the small can knock down the big one and that we all have a chance in this land of God, at least if we are seasoned enough and have a fighting spirit.

Would you like to find out more about what Pandora FMS can offer you? Find out clicking here . If you have to monitor more than 100 devices, you can also enjoy a FREE 30-day Pandora FMS Enterprise TRIAL. Installation in Cloud or On-Premise, you choose !! Get it here .

Last but not least, remember that if you have a reduced number of devices to monitor, you can use the Pandora FMS OpenSource version. Find more information here .

Do not hesitate to send your inquiries. The great team behind Pandora FMS will be happy to assist you! And if you want to keep up with all our news and you like IT, release and, of course, monitoring, we are waiting for you in this our blog and in our different social networks, from Linkedin to Twitter through the unforgettable Facebook . We even have a YouTube channel , and with the best storytellers. Ah well, we also have a new Instagram channel ! Follow our account, we still have a long way to go to match that of Billie Eilish.

Key concepts of systems and networks

by Alvaro Tejerina | Last updated Sep 27, 2021 | Tech

Together we check out the key concepts of systems and networks

In the middle of the information century, who has not surfed the Internet or used a computer, be it a desktop or a laptop? But do you really know what a computer is and what it is made of? and what about the Internet?

It is important to know at least the most superficial layer of something as important as computer systems and networks, and therefore, we are going to talk about the key concepts of these two topics.

A computer system is a device made up of the union of hardware and software, which allows the use of this system by a person, whether qualified or not, that depends on the purpose of the system.

But, what does “hardware” and “software” mean? Let’s talk a little more about it.

You can define as hardware the set of physical components that make up a computer system. We are going to define the main components of a computer system, although there are a few more:

• Processor: It is the component in charge of executing all the system programs. It is in turn made up of one or more CPUs.
• RAM memory: This component stores the data and instructions executed by the CPUs and other system components.
• Hard Drives: Information and content are stored here in computer systems.
• Motherboard: It is the component where the others are located, and works as a bridge for communication between them.

Well, now that we have a basic understanding of what hardware is, we move on to software.

Software are all the programs that run on a computer system, among which you may differentiate three types of software:

• System Software: It is responsible for the proper functioning of the operating system and hardware in general, such as device drivers.
• Programming software: They are tools whose sole purpose is the development of new software.
• Application software: It is any program designed to perform one or more specific tasks, for example video games or applications designed for business or education.

We already know what a computer system is, but without communication with the outside we are not making the most out of the potential that these systems have (which is a lot), so we decided to connect it to that abstract site full of information and services: the ‘Internet’.

Everyone knows the term “Internet”, but do we know what the “Internet” is?
We could say that the Internet is the great global network that unites all existing devices, allowing communication between all of them from anywhere on the planet. In turn, this large network is made up of other smaller networks, such as those of a country, city, neighborhood, etc.
Mainly, we distinguish three types of networks:

• LAN: It is the smallest network, a local area network, such as the one in work areas or the one you have at home.
• MAN: It is a somewhat larger network, being able to cover from neighborhoods to cities. They can also be the networks used by large companies for communication between their different offices.
• WAN: It is a network that connects countries or even continents to each other, not devices. We can say that the Internet is the ultimate WAN network.

Ok, we already know what the Internet is made of. But, how do devices communicate on these networks? There are systems used to identify each computer on the network, known as IP addresses. An IP address is, basically, the ID or identifier of a device, so it is unique and unrepeatable.

At the beginning, when the idea of an IP address was created, there were only a few dozen computers in the whole world, and this, as we already know, has gotten quite out of control since then. As a result of this increase, they decided to come up with a new concept, known as DNS (for its acronym Domain Name System).

What the DNS protocol does is, basically, translate the domain name that we enter, either in the web browser or in any other program, and convert it into an IP address, with which it communicates with the destination. Of course, all domain names are stored on DNS servers, scattered around the world to avoid connection overload, and to avoid slow name resolutions.

There are a large number of protocols, each with a different purpose. These protocols are grouped in layers, such as application, transport, Internet or access to the network, according to the TCP/IP model. But, that’s not all. We still lack another important concept in relation to communications between devices, what we know as “ports” of a computer system.

Imagine a road, if all the traffic that wants to enter a city only had a single road, what would happen? Well, the same thing happens in computing, and that is why these virtual ports exist.

These ports range from 0 to 65535, but the first 1024 are reserved for “important” protocols, such as the DNS protocol, which we have mentioned above, belonging to the application layer and that uses port 53 for both UDP and TCP connections.

TCP and UDP are two protocols belonging to the transport layer, whose main difference is that the TCP protocol is connection-oriented. That is, the TCP protocol makes sure that the data reaches its destination, while the UDP protocol sends the data, faster but less securely. This data may even not arrive or at least not fully arrive.

The protocols for web connections or HTTP/HTTPS, both belong to the application layer. Depending on which one you choose, it uses a different port. That is, for HTTP connections, port 80/TCP is used, although it is deprecated due to its lack of security, so the standard has become HTTPS connections, which use port 443/TCP and include a security layer based on SSL/TLS.

Connections made through safe channels or SSH, also from the application layer, use port 22/TCP, and thus we could continue with lots of other protocols.

Of course, these ports are a standard in the systems that receive the requests, the client that initiates the request can use any port that is not reserved to send the request and receive this data. As you can see, this is much easier to communicate with servers, although they can also modify their default ports, but the normal thing is that they do not do so if they want to provide a public service.

Finally, we are going to talk about a concept that, due to the pandemic, is the order of the day: the VPN.

As its name indicates (Virtual Private Network), we can define a VPN as a network “tunnel” that is created between client and server, where data are fully encrypted and sent through the Internet. The common use of VPNs is anonymity on the network, since the IP that is exposed is that of the VPN server, or, also, to be able to visit pages that cannot be accessed from the source country.
In the business environment, this tunnel allows direct communication between the client device with any other device in the network of that server, which allows access to an environment as if we were physically in the office of our company. It also allows access control and registration, which otherwise could not be done.

Would you like to find out more about what Pandora FMS can offer you? Find out clicking here . If you have to monitor more than 100 devices, you can also enjoy a FREE 30-day Pandora FMS Enterprise TRIAL. Installation in Cloud or On-Premise, you choose !! Get it here .

Last but not least, remember that if you have a reduced number of devices to monitor, you can use the Pandora FMS OpenSource version. Find more information here .

Do not hesitate to send your inquiries. The great team behind Pandora FMS will be happy to assist you! And if you want to keep up with all our news and you like IT, release and, of course, monitoring, we are waiting for you in this our blog and in our different social networks, from Linkedin to Twitter through the unforgettable Facebook . We even have a YouTube channel , and with the best storytellers. Ah well, we also have a new Instagram channel ! Follow our account, we still have a long way to go to match that of Billie Eilish.

Using Satellite Server for distributed environment monitoring

by Rafael Ameijeiras | Last updated Aug 12, 2022 | Tech

Satellite server in remote environment monitoring

Today we will talk about one of the most versatile elements that Pandora FMS Enterprise offers us for monitoring distributed environments, the Satellite server. It will allow you to monitor different networks remotely, without the need to have connectivity directly from the monitoring environment with the computers that make it up. We will describe the typical case of companies that have central headquarters and remote offices, the different things we may find and how the satellite server can help us deploy efficient monitoring in an economic, fast and simple way.

Standard monitoring types

Before getting into the description of the case, let’s remember how monitoring works overall with Pandora FMS. There are two basic types of monitoring, local monitoring and remote monitoring.

The first, which we call local, consists of installing a small software on your devices (servers, mobiles, workstations, etc.) which we call monitoring agent. Agents are in charge of collecting the metrics locally on the machine, packaging them and sending them to the server. In this type of monitoring, communication goes from the agent (monitored device) to the server in a defined time interval, so the server does not have to interrogate the device, it just has an open port through which information is received, and any device that can reach that port will be able to send its data, so communication is “simple”, you just need to make sure that your monitoring server is exposed to all of your agents.

The second form of monitoring is what we call remote monitoring. Remote monitoring means that the monitoring server interrogates the agent to monitor through some protocol (icmp, tcp, snmp, http, wmi, etc). This could go from a simple ping to connecting to the api of a complex tool, such as vsphere, to retrieve information from all virtual machines, esx and datastores running in this environment and their corresponding metrics.

This type of monitoring opens the doors to being able to retrieve large amounts of data requiring little configuration and without the need to install any extra software on the devices, which is wonderful, but it also entails other inconveniences, such as having to guarantee connectivity from the monitoring server to each of the elements to be monitored, taking into account the security criteria to open these communications.

When you have a single headquarters of any size, this is not usually a problem, since you might usually have your devices and applications concentrated in the same place and communications management between environments is usually easier, this situation becomes complicated when you have more than one headquarters or small remote offices.

Description of a distributed environment

Let’s picture a distributed architecture with a headquarters where you have most of your applications and IT equipment, but you also have smaller sites that also have their equipment and applications. We have examples of this infrastructure, highly distributed, in environments like restaurant franchises, supermarkets, banks, retail stores, pharmacies, insurance companies, etc. Where they usually have powerful, well-managed data centers at headquarters, but remote sites lack the space or staff to maintain servers. Most of the time, there are not even permanent technical support staff for the equipment in these locations, so implementing monitoring can be challenging.

If some technology is implemented such as a site-to-site vpn, a sd-wan or dedicated communication between your sites, there is hardly any problem, you may have your monitoring environment at your headquarters and from there “attack” your remote devices. Well, the problem is that these solutions are expensive and require implementation and management, and if they are not already implemented, their implementation can become very complicated (and expensive). It is in these cases where the satellite server becomes essential, since it combines the versatility of remote monitoring with the communication behavior of local monitoring.

Using the Satellite Server

The Satellite Server consists of software that will be in charge of doing the remote checks on your network. Let’s say that in our restaurant, for example, it will do network scans, monitor each of the restaurant’s devices through different protocols, store these data and then pack them and send them to the main Pandora FMS server as if it were a local agent, so the headquarters/remote headquarters communication is simplified. You just have to make sure that a single device, the Satellite Server, can communicate with Pandora FMS server, in that sense from the remote headquarters to the main headquarters to send the data packets. Remote checks will always be done from within the local network without the need to expose any of the services, devices or applications of your remote headquarters.

Even if you want to make use of hybrid monitoring (local and remote monitoring) in your remote headquarters, you may install software agents on your devices and point them to our satellite so that it becomes the single delivery point between your remote headquarters and your headquarters.

In addition, the Satellite Server has remote configuration, so once deployed, it can be managed and configured from your main monitoring environment, being able to add new metrics, alert systems, policies and more configurations without having to access your remote headquarters, all from your Pandora FMS web console at your headquarters.

Regarding its deployment, the Satellite Server is a very light software especially compared to a full Pandora FMS installation, so the hardware requirements for monitoring remote sites are really low, it can even be deployed in a Raspberry Pi, which is a very cheap and compact device, or failing that, you may use any of the resources that are already deployed at the headquarters, such as a data server, to deploy your Satellite.

As you can see, monitoring remote sites using the satellite server simplifies a huge deal the configuration necessary for monitoring, helping you save money and implementation time that without a tool like this would be a lot higher and more complex.

Today we discussed only one of the typical cases, which is one of the most common ones, to describe the performance and the usefulness of a satellite server, but it is not only valid for remote locations, it is useful in many other ways, such as load balancing, making checks at the same point from different locations (very useful in monitoring web pages) or even for monitoring complex environments such as Kubernetes or Openshift, where many of the services are not exposed to the outside, such as databases or backend services, and that you could monitor if you deployed a pod with the satellite within the network and directly attacking these services, for example.

If you want to learn more about the Satellite Server feature, how to install and configure it, or want to find out more Pandora FMS specific features, stay tuned to our blog and do not hesitate to visit our youtube channel, where you may find tutorials, workshops and a lot of content devoted to this and many other topics related to monitoring.

Firewall… It’s getting hot in here!

by Alejandro Sánchez Carrión | Last updated Sep 1, 2021 | Tech

Do you already know what a web firewall is? Let us tell you about it.

There’s something that humans and machines have in common, and no, it’s not the disappointment suffered by the final season of Game of Thrones, or, well, at least not only that. What we have in common is that we need protection. You know, animals need it too, and plants, but if you’ve gotten this far, it seems that you’re interested in computers, networks and all these pretty modern “geek” things, so today we’ll talk about that kind of protection.

Just as you would protect your dog, your ficus or yourself, you have to protect your computer. The world is a place full of dangers and risks and the Internet is not far behind. It’s like in Crystal Jungle, only instead of people carrying guns around, we’ll find hunched over users willing to collect information from your computer, networks, and troll you in any possible way.

Remember: “The night is dark and harbors errors”. And horrors too.

The Internet also hosts them, so to protect our beloved computer, we must make use of a “Web Firewall”. What is this “Web Firewall”?

A “Web Firewall” is a system that is intended to protect our private network and block unauthorized access or attacks from other networks. In turn, it allows incoming and outgoing traffic between computers on the same network. That is, it is like the door of your house, or, worth the analogy, a half-open blind that only lets in a specific amount of breeze according to your personal comfort.

But not only that, it can be our beloved ally, protector of what we love the most, since through configurations you may limit, encrypt or decrypt this traffic. Here’s another lucid analogy: Maybe, in your day to day, you have to go to a clandestine meeting whose members no one should know. It is similar with your computer, you may encrypt your traffic so that you cannot access the most relevant data.

The web firewall, capable of such feats, can be implemented in hardware or software. If it’s well configured, it will be an advantage when it comes to protecting your networks, so it’s vitally important to understand how it works and how you may get the most out of it.

How does a web firewall work?

Outline of a firewall on a computer network

It is usually located at the junction point between two networks. Each network or computer can have its own firewall. This can limit the consequences of an attack, as you can prevent damage from spreading from one network to another. The sooner the spread of evil is tackled, the better.

The essential thing that you must know for the operation of the web firewall is that the totality of information and traffic that goes through our router and that is transmitted between networks is analyzed by it. If the traffic complies with the rules you have configured for it, it can enter or leave your network. If the traffic does not meet those certain rules, then it will be blocked from reaching its destination.

There are several methods by which you may filter the traffic of the firewall, for example, configuring it as you please. Remember that a good firewall configuration is paramount. If the lock on your front door was badly designed and anyone could open it, bad people could get in and steal, this is the same thing.

Let’s take a look at some of the filtering methods we’ve been provided by our dear friend, the Web Firewall.

Traffic filtering methods

• Firewall policies: They allow you to block certain types of network traffic.
• Anti-spam firewall: It protects against spam, phishing, etc.
• Antivirus firewall: It protects the internal network against attacks that come from the Internet or wan.
• Content filtering: It allows you to block some types of web content.
• WAP Managed Service: It allows you to control wap devices.
• DPI services: It allows you to control specific applications.

There are a few types of firewalls to highlight, these can be software or hardware, and, if we investigate a little more, we will find others that are somewhat more defined.

Types of web firewall

• Gateway application level: It applies security mechanisms for specific applications.
• Gateway level circuit: It applies security mechanisms when a tcp or udp connection is established.
• Packet filtering: At network level as an IP packet filter.
• Personal: It is installed as software on your computer.

Using a firewall has lots of advantages. We already discussed some, with lots of examples and tremendous analogies, even so, we are going to list the most obvious ones:

Advantages of using a firewall

• It blocks access to computers and/or applications to our networks.
• It allows you to control and restrict communications between the parties under your settings.
• It optimizes communication between internal network elements, helping to reconfigure security settings.
• It establishes reliable perimeters.
• Protection of intrusions and private information.

Nothing is perfect, and web firewalls, despite their fiery name, well, they aren’t either. These also have some notable limitations:

Limitations of a web firewall

• It cannot protect itself from attacks whose traffic does not go through it.
• It cannot protect threats made by insider attacks or negligent users.
• It does not protect against service security flaws and protocols whose traffic is allowed.
• It cannot protect against attacks on the internal network through files or software.

There are many firewall systems, if we use Linux, the one commonly used is Iptables. Yes, it sounds weird, we don’t like weird sounding things and since we don’t like weird things we use the firewall… Hmm… before entering a self-destructive paradox, we will try to understand what this“Iptables” is through a simple explanation.

What is Iptables?

Linux has a firewall system included in its kernel called Iptables, although its configuration can be a bit complex. Its default configuration is to allow everything to enter and exit.

With a suitable Iptables configuration you will be able to filter which packages, data or information you want to enter and which ones you do not. Just like the previous example about the inputs.

To work with Iptables you need administrative permissions so you will have to use sudo. You will have to choose wisely what you let in and what not, and, for this, an adequate knowledge of the commands that you can use in this system is necessary. The following examples are only intended to teach a basic configuration to understand the logic of the web firewall, but for a more correct and complex configuration, I recommend adding information by searching the Internet, specialized books or colleagues in the world.

Some commands to understand Iptables

sudo iptables -P INPUT DROP

-P = Anyone who wants to access the computer
INPUT = We ignore it
DROP = We ignore it

With this command nobody will be able to enter your computer, in fact you neither… so it is not the most appropriate one.

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

The first line tells us that our own computer (lo = localhost) can do whatever it wants.

Before, we said that this was like a house, if we have siblings, parents or children and they leave, we want them to be able to get in again, right? Well that’s what we do with the second line, all the connections that come out of our computer will be allowed by Iptables.

sudo iptables -A INPUT -p tcp –dport 80 -j ACCEPT

With this command, anyone can see the websites that our computer has.

-j ACCEPT = Accept or allow
-dport 80 = Traffic to port 80
-p tcp = make it tcp
-A INPUT = that is incoming

These would be some basic examples of how Iptables works. That is, just to understand the basics of its operation. Like I said, I recommend digging deeper and diving into more information to make an acceptable setup.

And just like Game of Thrones ended, this article also does it, although much better (what a crappy last season), so I only have to say goodbye and wish you to have a good day. AH! And to recommend you to use Pandora FMS, which despite not being a web firewall, is a tool that will also help you protect yourself by collecting information.

Would you like to find out more about what Pandora FMS can offer you? Find out clicking here . If you have to monitor more than 100 devices, you can also enjoy a FREE 30-day Pandora FMS Enterprise TRIAL. Installation in Cloud or On-Premise, you choose !! Get it here .

Last but not least, remember that if you have a reduced number of devices to monitor, you can use the Pandora FMS OpenSource version. Find more information here .

Do not hesitate to send your inquiries. The great team behind Pandora FMS will be happy to assist you! And if you want to keep up with all our news and you like IT, release and, of course, monitoring, we are waiting for you in this our blog and in our different social networks, from Linkedin to Twitter through the unforgettable Facebook . We even have a YouTube channel , and with the best storytellers. Ah well, we also have a new Instagram channel ! Follow our account, we still have a long way to go to match that of Billie Eilish.

Do you know what VMWare is and how to include it in monitoring?

by Rafael Ameijeiras | Last updated May 8, 2024 | Tech

Find out what VMWare is and how to include it in monitoring

Before we dive into how to monitor virtualized environments with VMWare, let’s clarify a couple of concepts for those who are less into the subject, starting withWhat is VMWare?.

VMWare is a software product development company, mostly related to virtualization, and more recently to containerization, although this is beyond the scope of this article. Today, we are going to focus on monitoring virtualized environments with VMWare.

To do this, the first step would be to know what virtualization is. A quick summary, and a bit imprecise I must say, but that will give you a general idea. We can claim that virtualization is like dividing the components (CPU, Memory, Disk, etc.) of a physical computer or server (which we will refer to from now on as Bare-Metal) into virtual or emulated components. This will allow us to share the same component between different instances which we will call “virtual machines.” That way, using a single set of hardware, you may have different virtual machines running different versions of operating systems, applications, libraries, etc. simultaneously and separate from each other.

The interesting thing about this is that, for the virtual machine (which we will refer to as VM from now on), the resources that have been assigned to it are only from it and are real elements. This opens a world of possibilities, it allows you to have many services and virtual machines running on a single hardware device with the energy, space and cost savings that this implies. In addition, since it is all at software level, it will allow you to manage the machine as one more file inside the computer, being able to copy it, modify it or even package and distribute it.

The advantages of virtualization are more than proven and today almost any service and infrastructure runs mostly on virtual servers. A very clear example is when you go to your favorite cloud provider and click a button to activate an instance of a database or a server, actually what you’re doing is activating a virtual machine that it already had pre-configured and that can work for you in a matter of seconds, thanks to this technology.

Due to these types of advantages, and because of the massive distribution of virtual machines in most ecosystems, it is so important to have a monitoring tool capable of adapting to this type of environment efficiently.

Now that we know what virtualization is, we will see a new concept. We already said that from a physical machine we can emulate and subdivide its components to create instances of smaller virtual machines, and it is true, although there is a small nuance, we require software devoted to this, we call this software hypervisor.

There are different types, manufacturers and features we are not going to delve into today. If you are interested in this topic and want us to do a more detailed article on virtualization leave it in the comments

vSphere

Today we will focus on one of VMWare’s most widespread and well-known products: the vSphere suite which, according to Wikipedia, “is VMware’s core business suite, the cornerstone on which almost all the business products they offer rely on. It consists of the ESXi virtualization software that is installed directly on the servers and the centralized management console vCenter.2020 ”

As we have seen, vSphere is the name of the set of tools that VMWare offers for device virtualization, there is a range of different vSphere environments, from a single ESXi server that works as a hypervisor as well as management.

To much more complex environments where several ESXi work in parallel being managed by a centralized administration software called vCenter.

Virtual environment monitoring

To monitor virtual environments, whether it is from VMWare or not, there are two main ways.

The first is to treat each virtual machine as an independent machine, attacking its operating system with standard protocols or using some monitoring agent.
This approach does not require for the tool have a special or devoted management, since it will deal with each VM as any other machine. Along this approach, we can say that we will interrogate the operating system, therefore, in heterogeneous environments, we must define metric captures for each system.

The second way is more general and allows deploying monitoring very quickly and efficiently. In this case we will integrate the hypervisor, since it has information on all the machines it contains and we can interrogate it directly. For each manufacturer the protocol, the responses and the format with which we will interrogate the hypervisor may vary, but in most cases they have an interface to communicate with it. Along this approach, it is the monitoring tool that must be adapted and have a connector to communicate with the supervisor in a centralized way.

Of course, Pandora FMS has both types of monitoring, being able to combine them if necessary if deep and detailed monitoring is required.

In today’s case, we will see the monitoring integrated in Pandora FMS Enterprise Discovery tool. That will allow us, in a very simple way, to connect well, either with a standalone ESX or with a vcenter, through the vmware SDK.

vSphere Monitoring with Pandora FMS

Starting from the fact that we have a Pandora FMS Enterprise instance, the steps are very simple: by default Pandora FMS has the necessary libraries to connect to a VMWare environment, you only need a user account with reading permissions and connectivity with the ESX or vCenter as the case may be.

Once you fill in the simple form with the data from our VMWare environment:

You will see a window to configure some monitoring data, such as the scan interval for new machines, the execution threads that you will devote to this task, if you want to activate network monitoring and (only for vcenter), if you want to capture the environment events.

You will also have a field for extra configurations that will allow you to add advanced configurations related to the task (you can see the possible configurations:
https://pandorafms.com/manual/en/documentation/03_monitoring/05_virtual_environment_monitoring?s[]=vmware#vmware 1 plugin ocnfiguration ).

Once finished, you will be able to see that a task has been added to Pandora FMS task list, where you will be able to see its last execution, enable it, disable it or force task execution manually.

The default task will give you information about all the ESXs (in the case of vcenter), virtual machines and datastores available in the vmware environment that you configured, returning the following metrics:

Default monitoring for Datacenter:

• Ping
• Check 443 port

Default monitoring for Datastore:

• Capacity
• Free Space
• Disk Overallocation
• Free Space Bytes

Default monitoring for ESXi:

• CPU Usage
• Memory Usage
• Received data
• Transmitted data
• Disk Read Latency
• Disk Write Latency
• Host Alive
• Disk Rate
• Net Usage

Default monitoring for virtual machines:

• CPU Usage
• Memory Usage
• Tools Running Status
• Host Alive
• Disk Free
• Disk Read Latency
• Disk Write Latency
• Received data
• Transmitted data
• Net Usage

In addition to the metrics described, you will also have a specific view for monitoring vSphere environments that has compilation information on the general state of the environment and each monitored ESX and even a map of the monitored infrastructure.

As you can see, it is very easy to start monitoring a vSphere environment with Pandora FMS, just follow a few steps and you will have your VMWare monitoring integrated quickly and easily.

If you are interested in knowing in more detail how synthetic transactions are configured and executed with Pandora FMS, do not hesitate to visit our YouTube channel, where you may find different contents such as tutorials, workshops and a lot of other resources devoted to this and many other topics related to monitoring.

10 reasons to change your monitoring software

by Jimmy Olano | Last updated Aug 11, 2023 | Tech

Every change is for the better and we give you ten reasons to change your monitoring software.

Cuando se habla de cambiar de software, no sé por qué, me viene a la mente la compra de música. Bueno, yo soy de los de antes: vinilos, cassettes, a principios de siglo los CD y DVD… Claro, ahora es diferente, actualmente existe el pago por suscripción, que reproduce en línea, y donde generalmente se ofrece el álbum de turno o paquetes completos con muchas estrellas musicales…

We could start right there, highlighting the difference between “the cloud and the earth”, running software on the Internet versus having one on your own physical servers. Both have their costs, we know. In fact, we already gave detailed information in another article on the subject. Because before talking about changing your monitoring software we must start there, the money. That’s the reason why you will have to take into account several factors, so let’s go for pencil and paper (virtual) and let’s start numbering!

1) Pandora FMS offers several forms of installation and download, as well as modes of operation. That is one reason to consider switching monitoring software. This mechanism allows you to grow, and, if necessary, reinstall at any time. You don’t have to buy a whole package either: in Pandora FMS you start by installing the Community version and as you see the benefits for yourself, you can move on to installing and testing the Enterprise version, without obligations or hassle. There you will always have the installers, both online and offline, as many times as you need them.

2) Do you have a feature in mind that cannot be found in any monitoring software? Don’t be embarrassed, it happens. I, at the very least, am very picky about how to insert text and data into text or number boxes. When you focus on them, I like for the text to be selected in a specific color, for example. And don’t even let me begin on entering numerical amounts or phone numbers.

And Pandora FMS does not have exactly that requirement either… However, you just have to go through the Community version that is open source and through its forum to get the help you need to develop the idea.

Better yet, you may have already been successful but now you want a more ambitious and highly customized improvement for your company: try the Enterprise version, where they will give you professional advice and offer you extraordinary improvement plans tailored to your needs. After all, only you know what is best for your company and what it needs. An exactly tailored suit or smehting ready-to-wear ? You choose!

3) With Pandora FMS you will be able to monitor at first remotely, without interfering much in your work processes, continue with an advanced remote configuration and, if everything goes smoothly, advance to monitoring with Software Agents, which are installed on each device. While you change -and advance- Pandora FMS has already outlined the path until (for now) June 2023. Exploring and changing monitoring software can be done before it’s necessary, even if it’s late.

4) Using great monitoring software, widely used worldwide and also used by large corporations, is not a guarantee of good security. I invite you to read about the case that took many headlines in the press, social networks, radio and television. Take this chance to have a coffee and take a deep breath to come back, there are still six reasons to change your monitoring software.

5) Because you don’t believe in magic wands. Neither do I, and in Pandora FMS that is very clear for them. Each client has a different problem and it is necessary to adapt to each particular case. But it will not be by magic, you have to invest time and effort, and in that domain Pandora FMS offers decades of proven experience.

6) Because “we just know that we do not know anything”. Without the aim to go in depth into the philosophical field, we must always pay attention to constant learning. Perhaps the documentation of your software is quite poor and it would be a good time to change it. Pandora FMS has forums of users of the Community version, documentation, tutorials and this blog that you are reading today. With all of them you can learn at your own pace, but if you want or rather need a push – certification included – check out our training in monitoring. Psst, with the Enterprise license this last one is included, don’t miss the chance!

7) Another reason to change your monitoring software is indeed not to change anything! Perhaps you simply need a monitoring contingency plan or an alternative of audit or measurement of result comparison. For example, I am a client of DigitalOcean, a company that provides virtual computers and that has both monitoring processes (Software Agent type) in each droplet (virtual machine), as well as at large-scale with Prometheus in its hypervisors. However, remote checks and Pandora FMS Software Agents are more useful for me, which also helps me verify information. It is not that I don’t trust the monitoring software implemented by my own provider, but rather you must always have different options, see the full horizon to be able to choose the way forward.

8) Because two are better than one: eHorus is a remote access program that can later be integrated with Pandora FMS. EHorus remote access software can be integrated into Pandora FMS, so you may combine computer – or client – monitoring, find out the bandwidth consumption of your network, the software installed on your PC, see logs and events and connect to the computers you need from the monitoring console itself. Test without commitment nor cost for up to 10 devices.

9) Because three is better than one. We add another reason to change your monitoring software, Pandora ITSM Fully compatible and integrated with Pandora FMS. Pandora ITSM incorporates your forms for clients in your own Web, feeding Pandora ITSM directly through API. In addition you will have access to lots of articles, downloadable files, multi language, categorized and with access control to manage incidences. Monitor changes and performances on your machines with Pandora FMS agents!

10) Is the “billiard ball” with the number ten missing? You yourself can add the tenth reason to change your monitoring software. Tell us about your experience with other software, you can leave your comments below, visit our channel at YouTube, Linkedin or Twitter.

Would you like to find out more about what Pandora FMS can offer you? Learn more here.

You can also enjoy a FREE Pandora FMS Enterprise 30-day TRIAL. Installation in Cloud or On-Premise, the choice is yours !! Get it here!

Last but not least, remember that if you have a reduced number of devices to monitor, you can use Pandora FMS OpenSource version. Find more information here!

Do not hesitate to send us your questions.
The team behind Pandora FMS will be happy to assist you!

Google Authenticator and Pandora FMS, defend yourself from cyberattacks

by Pandora FMS team | Last updated Sep 1, 2021 | Tech

Double authentication with Google Authenticator in Pandora FMS

Introduction – Internet and its issues

For a long time, the Internet has been an easily accessible place for most people around the world, full of information, fun, and in general, it is an almost indispensable tool for most companies, if not all, and very useful in many other areas, such as education, administration, etc. But, since evil is a latent quality in the human being, this useful tool has also become a double-edged sword.

We speak of “cyberattacks”, or computer attacks. These “cyberattacks” are a set of code in a programming language, usually C, prepared to exploit a vulnerability in a system, or to find them. Although the most effective ones are created by people with great computer knowledge, some use already created programs, although yes, less effective than the first. That is why we hear news about cyberattacks on a daily basis. With each year that goes by, these cyberattacks multiply exponentially, being one of the biggest concerns for companies around the world. Because of this, protecting your system must be your highest priority in fighting against this problem.

From firewalls to applications, you must add all the security measures at your reach to your computing devices, both in the work environment and in your personal space, to guarantee the highest security. Although cybercriminals are more focused on attacking companies, obviously because there are more benefits, it never hurts to protect your personal life.

Problem Description – Password Attacks

Among all possible computer attacks, one of the most frequent ones is the brute force attack or password attack. This attack consists of using a series of commands or programs, together with a combination of alphanumeric characters and sets of symbols, simulating a username and password. Later, these data are launched against the entity, application or web page, as can be the case of Pandora FMS. It has that name because it is a constant attack, it does not try to exploit any specific vulnerability, but simply seeks to crack the username and password by constantly launching that code, with all possible user and password combinations. Although there are thousands of other attacks, we will focus on this one in particular, since it is one of the easiest to perform.

Solution – Google Authenticator

One of the simplest and most useful solutions to try to minimize this problem is to use a two-step authentication program (2FA). The most recommended and used one is the Google version, called “Google Authenticator“. It is a mobile application, available for both Android and iOS. This application consists of linking our account with the application itself, by scanning a QR code. Once you scan it, it will show you a 6-digit number that you must enter to verify your identity and link your account with Google’s. After having linked it, the application will provide you with a 6-digit number, with an expiration of thirty seconds, which you must enter each time you log into your account, and thus verify that you are the owner of said account.

Pandora FMS offers the possibility of configuring this application integrating its use with the server. That way, when you want to log in to Pandora FMS console, it will be necessary to enter a “code”, and thus guarantee that only the user who can obtain that code through the application can log in.

Configuring that tool is as simple as going to the “Authentication” section within the “Setup” tab.

Here the task will be as simple as activating “Double authentication” and, if desired, forcing its use on all users. Once it is done, click on “Update”.

When updating, a window will appear asking you to download the Google authenticator application. Remember it is a mobile application, and, although the link redirects you to the website, you may download it from the Android Play Store or Apple App Store. If you already had it, you would only have to click continue.

Then, open the application and scan the QR code with it. This will add an account to your application’s registry where a 6-digit number will appear. In case this fails, click “Refresh code”. If everything goes well, continue.

The last window that will appear will be to ask you for the code that was generated in the application, to finish linking your Pandora FMS user with the device where the codes are generated. You will only have to enter this code and you will have finished the configuration of your double authenticator.

To do the test, log out of Pandora FMS and re-enter the credentials of your user, and this time instead of showing you the console it will ask you to enter the application code.

Farewell

Once you have correctly configured this tool, your system will be somewhat more secure, although of course, that does not mean that it is impenetrable, since every day, the so-called “hackers” create new codes to violate this type of security. That is why we always recommend changing passwords frequently and keeping all your devices updated to the latest version of their programs and software in general and continue adding new security measures throughout your network.

There is only one way to live in peace: Safe password management

by Dimas Pardo | Last updated Sep 1, 2021 | Tech

A few rules for safe password management

In this, our competent blog, we boast of always giving you good advice and providing you with the technological information necessary for your life as a technologist to make sense. Today it is the case again, we will not reveal the hidden secret about the omnipotence of Control/Alt/Delete, but almost. Today in Pandora FMS blog, we give you a few tips for safe password management.

Safe password management

The purpose of this article is for users to be responsible for keeping their coveted passwords or authentication information safe when accessing confidential information. Because think about it, dear reader, how long ago did you come up with your first password? Surely it was to enter your select club in the treehouse. Maybe you even still choose the same for your social networks, Netflix or office pc. Was it as ordinary as your birth date? Your name and the first two acronyms of your surname? “RockyIV”, which was the name of your fourth favorite pet and movie? I don’t blame you, we have all been equally original and carefree when choosing a password.

But that is over! Many things already depend on this password, on this motto or pass that must include more than eight characters and at least one capital letter and one number. Your company security is not a game, damn it! There is a lot of mischief and felon out there that can put you and your businesses in a loophole, because of a vulnerability such as having a poor password! But do not worry, we will help you, we will talk about safe password management. We are Pandora FMS blog, we like potato salad, Kubrick movies and fighting against injustices!

Recommendations for safe password management

*Obvious but vital fact: User IDs and passwords are used to check the identity of a user on systems and devices. I just point that out here as an outline in case someone is so lost that they don’t know this. I repeat that we are talking about strong password management, so knowing what a password is is a must and saves time.

Said passwords are necessary for users to have access to information, normally, even if the merit is not recognized: capital information in your company. User IDs and passwords also help ensure that users are held accountable for their activities on the systems they have access to. Because yes, telereader friend, users are responsible for any activity associated with their user IDs and passwords. For that reason, it is very important for you to protect the password with your life and comply with the following policies related to them:

1. Users may not, under any circumstances, give their password or a password indication to a third party. *This seems obvious, but trust me, it is not. People sneak passwords like they’re office whispers or reggaeton choruses.
2. Users will not use user identifiers or passwords of other users. *As we can see, in this case, sharing is not living.
3. Users must change initial passwords or passwords received as temporary “reset” passwords immediately upon receipt. *For me, this is the most exciting and creative part, you never want to set the abstract code they give you, you want to improvise, imagine, CREATE!
4. Users should change their passwords if they suspect that their confidentiality may have been compromised, and immediately report the situation as a security incident. *Don’t be ashamed of yourself, admit that someone may have violated your secret and repent before it’s too late.
5. Users should not use the “remember password” function of programs. For example, if an application sends users the message of “automatically remember or store” the user’s password for future use, they will have to reject it. *This is a piece of information you did not know, huh? Well, it is as interesting as it is important.
6. Users should not store passwords without encryption, for example, in a text file or an office document. In this case, this document must be protected with access control.
7. When an administration password must be communicated, never send by the same means, the user and the password. For example, the user should be sent by email and the password by instant messaging. *I know that sometimes you try to save time, but with these things you better take your time and do not risk it.
8. Users should not set the password on a post-it on the monitor, nor on the table, nor in the drawer or “hidden” in another place in the office or among your personal belongings. *This is one of the big mistakes everyone makes. Yes, post-its or notebook sheets have always helped us, but this time they are too obvious to keep such a big secret.
9. Users should not use the same password for two systems or different applications. *Sorry, but you will have to memorize more than one. But rest assured, if a chimpanzee could recognize the descending sequence of nine numbers, someone who graduated from elementary school can do better.
10. Users who find out the password of other users must report it, ensuring it is changed as soon as possible. *Here fellowship first and foremost. It is not only right hugging after company dinners. Camaraderie above all!
11. Users must change their passwords at least once a year, or when indicated by the system, and in the case of administration passwords every 180 days, or in the event of changes of personnel in the company that may know them.
12. If now you are afraid because you do not have a strong enough password, it’s normal, but I repeat, calm down, follow the following rules for passwords creation (if the system supports them) and nothing will go wrong:

• a) Passwords must be at least six characters long.
• b) Passwords must not be easily predictable and must not be contained in dictionaries. For example: your username, date of birth, or 1234, we all know that one.
• c) Passwords must not contain consecutive repeating characters. For example: “AABBCC”.
• d) Passwords must have at least an alphanumeric character, a numeric character, and a special character.

Good, and so far that was the lecture about being responsible that you must assume and internalize if you want things to go smooth at least in terms of passwords and vulnerabilities. Oh, nothing to thank us for! You know: “Life is beautiful. Password yourself”. Look, that could be your new password, right? No, the answer is NO! REMEMBER EVERYTHING WE LEARNED TODAY IN THIS ARTICLE!

Would you like to find out more about what Pandora FMS can offer you? Find out clicking here .

If you have to monitor more than 100 devices, you can also enjoy a FREE 30-day Pandora FMS Enterprise TRIAL. Installation in Cloud or On-Premise, you choose !! Get it here .

Last but not least, remember that if you have a reduced number of devices to monitor, you can use the Pandora FMS OpenSource version. Find more information here .

Do not hesitate to send us your questions. Pandora FMS team will be happy to help you!

And if you want to keep up with all our news and you like IT, releases and, of course, monitoring, we are waiting for you in our blog and in our different social networks, from Linkedin to Twitter through the unforgettable Facebook . We even have a YouTube channel , and with the best storytellers.

10 reasons why you shouldn’t install Nagios in your company

by Pandora FMS team | Last updated Nov 17, 2022 | Tech

Everybody knows Nagios, or at least… everybody should know Nagios.

It is a useful tool to monitor systems and networks that thousands of users worldwide have been using for more than fifteen years.

Then, if it is so popular, on what are we based to say that it is not a good solution?

Careful! We’re not saying that Nagios is a bad tool, but many times the fact that it is a solution so extended and used everywhere in the world may make us assume certain things about the product and leave aside the most important question: What is what your business really needs?

After almost 20 years of experience in server, network and security technology, we dare to list some of the reasons for which it is not a good idea to assemble a Nagios system to manage a monitoring service on which business continuity depends.

Nagios technical features

Nagios has been with us for almost a quarter of century. And that’s good, but it also entails some limitations.

1. It’s not a product, it’s a project

When Nagios is installed in a company, it is installed specifically for that company, so you will not find two Nagios alike, installed and deployed in the same way. Their internal configuration files will be incredibly different.

That is always a problem in the long run.

Why?

If two technicians write a script differently and that makes it difficult to interpret them by a third party, imagine what would happen with a configuration mega-script as complex as that of Nagios.

Although two environments and two problems may be identical, the technician of the first environment will have problems understanding the Nagios installation of the second one and the technician from the second one will have trouble with the other Nagios installation.

2. Plugins Puzzle

The standard features of basic Nagios are extremely limited.

The solution to extend it is to install plugins, addons and third-party extensions, which makes it an even less standard ecosystem.

Simply put, Nagios is a puzzle of pieces made by people who have nothing in common and who lack a joint overview.

3. High dependency

Since Nagios is a tailor-made project, it depends on a limited group of people (some of whom are out of your reach) who will be there to hear your complaints, but may not even be able to solve the problem, as there will not be a final person in charge.

This team will be the only one that can maintain the installation of Nagios, therefore the knowledge will not be easily scalable or transferable to third parties.

4. Poorly scalable and flexible

Nagios is not intended for changing environments. Its configuration is static, cumbersome and complicated to integrate into automatic provisioning processes.

As it is well known, scalability is not Nagios’ strong point.

Business Aspects with Nagios

A tool like Nagios brings a number of limitations to your business. Not only for what it is able to do, but for the cost of maintaining it.

Particularly:

5. Software unit and human dependence

If monitoring is the key to your business, to growth or to maintaining current production, with Nagios you will stop relying on a software vendor and start relying on a small team of specialists.

The ones known as Gurus.

6. Unsolvable problems

Any problem that your technicians do not know how to solve will be unsolvable, especially if the implementation is very customized, since no one outside your company will know what changed or how to solve it.

Systems are audited in large companies and, in most cases, product manufacturer support is essential.

7. Large derivative costs

Although initially Nagios may seem cheaper than other solutions (you save yourself a recurring license cost), the problems arising from its maintenance will make it much more expensive in the long run.

8. Risk of losing support

If the technical team (usually a single person) leaves the company, it will be impossible to maintain the monitoring project.

There will be no support, training or documentation that can replace the “guru” who assembled it and, at best, it will be like starting from scratch.

At worst, it will take longer to understand what is assembled and how it is managed correctly.

9. Human Cost vs License Cost

Paying the salary of a Nagios guru for three years is much higher than the cost of a license, a training course and a systems technician.

After all, monitoring with Nagios takes up the time of a highly qualified technician who specializes in a task that bears no benefit.

Especially because it may not have to be carried out.

10. Alternatives available

There are dozens of software applications with license, support and training plans that will save you lots of headaches.

You probably don’t need all the power that Pandora FMS Enterprise can offer you and it’s enough with PRTG or What’s up Gold. Or maybe with Pandora FMS free software version.

We only recommend Pandora FMS Enterprise to those organizations that have needs that justify the versatility, power and flexibility of our tool.

Monitoring security architecture

by Sancho Lerena | Last updated Aug 27, 2021 | Tech

Introduction

Do an exercise, ask five IT technicians -of any profile- what SNMP means.. If you’re close with them the better, so that the first thing they do is not go to Wikipedia to boast. Hopefully, they might tell you what they said to me when I was working in networks.

“Security is Not My Problem”

Taking into account that the SNMP protocol is one of the monitoring bases, and a system that has been in use for more than thirty years, this answer, “Security is Not My Problem”, sums up the current monitoring situation quite well: ignorance, laziness and lack of interest in monitoring security.

By the way, we talked about SNMP in another article on our blog and I will give you a teaser in advance, it means Simple Network Management Protocol and it comes from 1987.

Considering that monitoring is “key to the kingdom”, since it allows access to all systems and even access many times with administration credentials, shouldn’t we take security a little more seriously when we talk about it?

Recent vulnerabilities in well-known monitoring systems such as Solarwinds or Centreon make the need to take security seriously in the implementation of monitoring systems increasingly urgent, since these have a very strong integration with systems.

In many cases, security problems are not so much about one piece of software being much safer than another, but about poor configuration and/or architecture. It must be taken into account that a monitoring system is complex, extensive, and in general, it is highly adapted to each organization. Today it was Solarwinds, tomorrow it could be Pandora FMS or Nagios.

No application is 100% secure, nor is any corporate network secured against intrusion, whatever the type. This is an increasingly evident fact and the only thing that can be done about it is to know the risks and assume which ones you can take, which ones absolutely not, and work on the latter.

Safe monitoring architecture

It is essential to keep in mind at all times that a monitoring system contains key information for a possible intruder. If monitoring falls into the wrong hands, your system will be compromised. That is why it is so important to devote time to the architecture of your monitoring system, whatever it may be.

Carry out a first analysis, collecting the requirements and scope of your monitoring strategy:

• Identify what systems you are going to monitor and catalogue their security levels.
• Identify which profiles will have access to the monitoring system.
• Identify how you will obtain information from those systems, whether through probes/agents or remote data.
• Identify who is responsible for the systems you are going to monitor.

The architecture of a system will have, whatever the chosen software, the following elements and will have to take into account its network topology, its resources and the way to protect them properly:

1. Information display interface (web console, heavy application).
2. Data storage (usually a relational database).
3. Information collectors (intermediate servers, pollers, collectors, etc.).
4. Agents (optional).
5. Notification system (alerts, notices, etc.).

Monitoring system securing

No matter how correct the implementation of a system, its architecture and its design as a whole is, if one of the elements that make it up is violated, the damage it may suffer by a malicious attack compromises the entire structure. For this reason, in security there is a saying, “Security is a chain and your real security always depends on its weakest point.”

This list of security concepts applied to the architecture of a monitoring system can be summarized as the features that a monitoring product must have to ensure maximum security in an implementation:

• Encrypted traffic between all its components.
• High availability of all its components.
• Integrated backup.
• Double access authentication.
• Delegated authentication system (LDAP, AD, SAML, Kerberos, etc.).
• ACL and user profiling.
• Internal audit.
• Password policy.
• Sensitive data encryption.
• Credential containers.
• Monitoring of restricted areas/indirect access.
• Installation without superuser.
• Safe agent/server architecture (passive).
• Centralized and distributed update system.
• 24/7 support.
• Clear vulnerability management policy by the manufacturer.

Monitoring infrastructure basic securing

The management console, monitoring servers and other elements should never be on an accessible public network. The console should always be protected on an internal network, protected by firewalls and, if possible, on a network independent from other management systems.

The operating systems that host the monitoring infrastructure should not be used for other purposes: for example, to reuse the database for other applications, nor the base operating systems to run other applications.

Safe and encrypted traffic

You should make sure that your system supports SSL/TLS encryption and certificates at both ends at all levels: user operation, communication between components or sending data from the agent to the servers.

If you are going to use agents in unsafe locations, it is highly recommended that you force all external agents to use certificate-based authentication at both ends, to avoid receiving information from unauthorized sources and to prevent information collected by agents to not travel transparently.

On the other hand, it is very important for you to activate encryption on your web server to provide an encrypted administration console and prevent any attacker from seeing access credentials, remote system passwords or confidential information.

Full High Availability

For all elements: database, servers, agents and console.

Integrated backup

The tool itself should make this as easy as possible, as settings and data are often highly distributed and consistent backup is complex.

Clear vulnerability management policy by the manufacturer

Every day, dozens of independent auditors test the strengths and weaknesses of all kinds of business applications. They seek to gain a foothold in the sector by publishing an unknown ruling to increase their reputation. Many clients, as part of their internal security management processes, execute external and internal security audits that target their IT infrastructure.

Be that as it may, all products have security flaws, the question is: how are those flaws handled? Transparency, diligence and communication are essential to prevent customers from having problems derived from vulnerabilities in the software they use. It is essential that there is a clear policy in this regard, so that it is known which public vulnerabilities have been reported, when they have been corrected and if a new one is detected, the steps to follow for notification, mitigation and distribution to the end customer.

Dual authentication system

Pandora FMS has an -optional- system based on google authenticator that allows forcing its use for all users for security policies. This will make user access to the administration console much safer, preventing that due to privilege escalation the system can be accessed as administrator, which is, at best, the highest risk that can be run.

Delegated authentication system

Complementary to the previous one, you can delegate management console authentication to authenticate against LDAP, Active Directory, or SAML. It will enable a centralized access management, and combined with the double authentication system your access will become much safer.

ACL and user profiling

Identify and assign different users to specific people. Do not use generic users, assign only the necessary permissions and do not use “super administrators”. They are good practices not only for monitoring tools but for any business software implementation with access to sensitive information.

Nowadays, any professional tool to define an access profile for each user will do so in such a way that no user has “absolute control”, but only has the minimum required access to their functions.

Internal audit system

You must have a system in place to record all user actions, including information on altered or deleted fields. Said system must be able to be exported abroad so that not even the administrator user can alter said records.

Password policy

A basic element that allows you to enforce a strict password management policy for access to application users: minimum password size, password type, their reuse, forced change once in a while, etc.

Sensitive data encryption

The system must allow the most sensitive data to be stored encrypted and safely, such as access credentials, monitoring element custom fields, etc. Even if the system itself contains the encryption “seed”, it will always be much more difficult for a potential attacker to access this information.

Credential containers

Or an equivalent system for the administrator to delegate credential use to other users who use said credentials to monitor elements without seeing the passwords contained in the container.

Restricted area monitoring

In these systems, information will be collected remotely by a satellite server and will be available to be collected from the central system (in Pandora FMS through a specific component called Sync server). That way, data can be collected from a network without access to the outside, ideal for very restrictive environments where the impact is drastically reduced if an attacker takes over the system.

Agent remote management locking system

For critical security environments, where the agent cannot be remotely managed once it is configured. This is especially critical in monitoring, since if a system is compromised and its administration is accessed, by the way the system is configured itself, it will have access to all systems from where it receives information. In critical systems, the remote management capacity must be deactivated, even if that makes administration more tricky. The same applies to automatic updates on the agent.

Design of safe architecture for communication with agents

Sometimes known as passive communication. That way, agents will not listen to a port nor have remote access from the console. They are the ones who will connect to the central system to ask for instructions.

Installation without root

Pandora FMS can be installed in environments with custom paths without running with root. In some banking environments, it is a requirement that we meet.

Notification and reporting system (alerts, notices, etc.)

A monitoring system is only useful if it shows accurate information when it is needed. Alert or weekly report reception is the culmination of all the previous work and for that you will have to take into account some “obvious” points that are often overlooked. Protect those systems, wherever they may be.

Periodic updates

All manufacturers now distribute regular updates, which include both bug fixes and security problems. In our case, we publish updates approximately every five weeks. It is essential to update systems as soon as possible, because when a vulnerability is reported, product managers ask external security researchers who have reported the bug, not to publish anything about the vulnerability until a patch is published. Once the patch is published, the researcher will publish the information in more detail as wished, a fact that can be used to exploit and attack non-updated software versions.

Pandora FMS has a vulnerability disclosure public policy as well as a public catalog of known and reported vulnerabilities. Our policy has maximum transparency and full communication with security researchers, always to mitigate the impact of any security problem and to be able to protect our clients as a top priority.

24/7 support

In our support, the technician who answers the phone has the whole team backing him up. If there is a security issue and a security patch has to be published within hours. We not only have the technology to spread the patch to all our customers, but also the team to develop it in record time.

Base system securing

Hardening or system securing is a key point in the global security strategy of a company. As manufacturers, we issue a series of recommendations to carry out a safe installation of all Pandora FMS components, based on a standard RHEL7 platform or its equivalent Centos7. These same recommendations are valid for any other monitoring system:

Hardening checklist for monitoring base system:

• System access credentials.
• Superuser access management.
• System access audit.
• SSH securing.
• Web server securing.
• DB server securing.
• Server minimization.
• Local monitoring.

Access credentials

To access the system, nominative access users will be created, without privileges and with access restricted to their needs. Ideally, the authentication of each user should be integrated with a double authentication system, based on token. There are free and safe alternatives such as Google Authenticator that can be easily integrated into Linux, although outside the scope of this guide. Seriously consider its use.

If it is necessary to create other users for applications, they must be users without remote access (for this, it is necessary to deactivate their Shell or some equivalent method).

Superuser access through sudo

In the event that certain users must have administrator permissions, SUDO will be used.

Base system access audit

It is necessary to have the security log /var/log/secure active and monitor those logs with monitoring (which we will see later).

By default CentOS has this enabled. If not, just check the /etc/rsyslog.conf or /etc/syslog.conf file.

We recommend you to take the logs from the audit system and collect them with an external log management system. Pandora FMS can do it easily and it will be useful to set alerts or review them centrally in case of need.

SSH server securing

The SSH server allows you to remotely connect to your Linux systems to execute commands, so it is a critical point and must be secured by paying attention to the following points:

• Modify default port.
• Disable root login.
• Disable port forwarding.
• Disable tunneling.
• Remove SSH keys for remote root access.
• Investigate the source of keys for remote access. To do this, look at the content of the file /home/xxxx/.ssh/authorized_keys and see which machines they are from. Delete them if you think there shouldn’t be any.
• Establish a standard remote access banner that clearly explains that the server is a private access server and that anyone without credentials should log out.

MySQL server securing

Listening port. If MySQL server has to provide service to the outside, just check that the root credentials are safe. If MySQL only gives service to an internal element, make sure that it only listens on localhost.

Web server securing

We will modify the configuration to hide the Apache and OS version in the server information headers.

If you use SSL, disable unsafe methods. We recommend the use of TLS 1.3 only.

System service minimizing

This technique can be very exhaustive. It consists simply of eliminating everything that is not necessary in the system. Thus we avoid possible problems in the future with poorly configured applications that we really did not need and that can be vulnerable in the future.

Local monitoring

All the internal monitoring systems would have to be monitored to the highest level, specially information registries. In our case the following active controls in addition to the standard controls are always recommended:

• Active security Plugin.
• Complete system inventory (specially users and installed packages).
• System logs and server security.

Would you like to find out more about what Pandora FMS can offer you? Find out clicking here .

If you have to monitor more than 100 devices, you can also enjoy a FREE 30-day Pandora FMS Enterprise TRIAL. Installation in Cloud or On-Premise, you choose !! Get it here .

Last but not least, remember that if you have a reduced number of devices to monitor, you can use the Pandora FMS OpenSource version. Find more information here .

Do not hesitate to send us your questions. Pandora FMS team will be happy to help you!

And if you want to keep up with all our news and you like IT, releases and, of course, monitoring, we are waiting for you in our blog and in our different social networks, from Linkedin to Twitter through the unforgettable Facebook . We even have a YouTube channel , and with the best storytellers.

Engineering and development in Pandora FMS

by Sancho Lerena | Last updated Aug 11, 2023 | Tech

Pandora FMS started as a totally personal open source project back in 2004. I wasn’t even a professional programmer, I was doing Unix security consulting. In fact, I chose PHP but Pandora FMS was my first application with PHP, I knew some things about ASP and my favorite programming language had been C.

A project with a single programmer and no professional users of his software yet is very different from a project with several dozen programmers and hundreds of clients using the software in critical environments. The evolution that Pandora FMS has undergone from 2004 to 2021 is a real case of steady improvement in software engineering.

Fortunately, I did not pay much attention to that subject of the degree, because most of the things that work and that I have learned with practice do not come in a book, nor are they explained at the university, because each software project and each team of people is very different. It may sound cliché, but it is the truth, and it is better to accept it and avoid formulas, because building a solid software product that can grow over time is not trivial at all.

In this article, I am going to talk about our experience, our evolution over time, but above all, about how our engineering processes work today. I have always believed that the most important part of open source is transparency, and that this should apply to everything, not only to software but also to processes and knowledge in general.

Version control system

It is an essential part of any software project. Today the ubiquitous GIT is everywhere (by the way, not everyone knows that Git is the work of Linus Torvalds, original author of the Linux kernel). A version control system helps, in short, a group of developers work without overlapping their jobs.

When the Pandora FMS project started, I was working without version control, because there were no other people. When some people began to collaborate on it, we realized that a simple shared directory was not worth it, because we were overlapping the code and, yes, making backups to save old versions was not a very efficient method.

The first version control system we used was CVS, which we have been using for eight years or more. Around 2008, we started using SVN (Subversion) another slightly more efficient system and it wasn’t until 2013 when we started using GIT and opened our official repository on Github.

Pandora FMS public repository on Github

Since Pandora FMS has an open source version and an Enterprise version -with proprietary code and commercial licenses- we have two GIT projects, one public on GitHub and the other private, which we manage with GitLab. The GitHub version is in sync with our private copy on GitLab at our offices. Some partners who collaborate with us in developing have access to this private repository, and through an extension of our support application (Pandora ITSM) we share all development planning tickets by releases with some of our partners, so that they can see in real time, the development planning based on “releases” and all the details of each ticket.

GitLab ticket view in Pandora ITSM/em>

Release ticket view

Development methodology used in Pandora FMS

At Pandora FMS, we have been using our own methodology from the beginning, although we have borrowed many ideas from agile methodologies, especially from SCRUM. From a life cycle point of view, we use an adaptation of the Rolling Release methodology

These are some important definitions when defining how we work, some of them come from Scrum, others from other methodologies.

Objectives of Pandora FMS work methodology

The objectives involve not only the development members, but also QA, the documentation team and part of the marketing team:

• • Maximum visualization: The entire team must see the same information, and it must flow from bottom to top and from top to bottom. By sharing objectives we will be able to do a more effective job.
  • What is not seen does not exist, which implies that all information relevant to the project must be reflected in the management, implemented with Gitlab. What is not seen does not exist, and what does not exist will not be taken into account for any purpose. Strictly following this methodology will allow everyone to be very aware of the planning:

-Strict deadline compliance.

-Advance planning without last minute modifications.

-Clearer information and in due time.

-Elimination of work peaks and etc.

• Integrity,, with an increasingly large and complex project, it is imperative to keep integrity during development. All code must follow standards..

Ticket

The ticket is the minimum work unit. There is a single person responsible for its completion and it is planned to be carried out in a milestone (version release).

A ticket is the way in which the development work is broken down, so a big feature will be made up by different tickets, on which ideally several people can work.

The ticket must contain a functional or description of the requirements, which can include diagrams, specifications, interface diagrams (mockup), test sets, examples, etc. In some cases it may even contain the analysis and design of the whole solution.

A completed ticket must perform as specified in the functional document (ticket) and the changes that have been made to these specifications must be reflected in the ticket.

The functional is key so that QA can validate a ticket or not. QA will have to reopen a ticket if it does not meet any of the functional aspects.

Members and working groups

Product Owner (PO)

The PO defines where Pandora FMS has to go, in contact with customers, support and
the “real” market situation, providing technical and functional guidelines but without getting involved in development as such.

Product Committee

Group of people who will meet permanently with the PO to agree where the product is going to, trying to ensure that all PO decisions are collegiate. It is made up of the leader of each Development, QA, Support, Projects and Documentation team.

Development Manager (DM)

The DM will manage the entire development cycle: define milestones, priorities, manage
individually all members and make operational decisions. The DM reports exclusively to PO and is the leader of the development team.

Development Team

They are in charge of the development of large features and product improvements, complete code refactoring, change development (small features), bug fixes and product maintenance improvements.

QA Team

They verify that each development atomic unit works as defined in the
specifications. They will also create and maintain an ecosystem of automated testing for both backend and user experience.

Support Team

They are the ones who deal directly with the client solving issues. Their experience with the product’s day-to-day means that their opinions must be taken into account, that is why they are part of the product committee.

Project team

They implement it on the end customer and are the ones closest to the customer, since they are often there before the project exists, and they usually offer ideas and all kinds of features in hand, for all purposes they are the “speaker” of the commercial department, therefore they are part of the product committee.

Training and Documentation Team

Responsible for training and the product’s documentation. They coordinate with the marketing team and the translation team.

Remote working

All team members (development, QA, documentation) telework freely. In fact, developers from Europe, Asia and America participate in Pandora FMS, and within Spain they are distributed throughout the national territory. We are a 100% distributed and decentralized company, although with traditional hierarchies.

In order to telework, we need each member to take responsibility for their work, be autonomous and commit to planning. Teleworking entails minimizing the need for oral communication and physical personal meeting, replacing them not with teleconferences, but with a precise use of the tools of the development process.

Development watch-keeping

A developer on the team is especially devoted to solving incidences involving code, in permanent connection with the support team (from 8 am to 8 pm, CEST). This allows not only to have maximum agility when solving a problem on a client, but also code changes are integrated into the code repository in an organized way.

Ticket creation and classification process

Any member of the company (including salespeople) can create a ticket in GitLab. This includes customers and partners, although in their case there is a prior filter by the support team and the sales team respectively.

The more detailed the ticket, the more unequivocal the development will be. Add images, gifs, animations and all the necessary clarifications. As well as the way to access the environment where the problem has been found or the contact persons. A developer will never contact a customer directly. If there is the need to interact with them, it will be done through the support or project team.

Nobody, except for the DM or PO, can change a ticket milestone. On creation, the ticket will not have an assigned milestone or assigned user. The task of defining which release a ticket belongs to is the responsibility of PO and DM exclusively.

When a ticket is finished and the developer thinks it should be reviewed by a colleague, they mention it in the merge request through @xxxxx. The review must be nominal. This review is independent of the code review carried out by the department manager.

General ticket workflow

• The ticket is assigned to a programmer by the DM. If it does not have a ticket assigned, the ticket will be auto-assigned. (See below the terms that regulate this system).
• The developer must understand/solve any questions that may arise after reading the functional document, if necessary, check with the DM or the author of the ticket. This must be done before starting to develop. Once read, you must, in order:

1. Evaluate (by assigning labels) its complexity and size, reaching a prior consensus with the DM.
2. Develop the feature following the ticket specifications
3. Document everything developed in the same ticket or, if required, in a new documentation ticket. This ticket must relate to the “parent” ticket by ticket #ID.
4. The developer must test its functionality at least in:
   -standard docker development environment
   -docker development environment with data.

• When it is deemed complete, it will be tagged ~ QA Pending and placed in the hands of QA.
• For each FEATURE ticket, there will be a reference person, generally from projects, support or even the PO itself. This person will be the one who will define part of the functional (together with the DM and PO), but above all, this person will be the reference person for the developer to ask any details during development, and most importantly, should see the development progress, step by step, so that it is validated.
• Any change to the functional will be reflected by the reference person in the ticket as comments, without altering the original functional.
• If there is a child documentation ticket, QA will validate the ticket using the documentation generated by the reference person, NOT by the functional of the ticket, validating the documentation and the feature at the same time.

Release planning

When creating a ticket, the milestone must be empty (not assigned) like the user. The only ones that can classify a ticket are: DM and PO.

A series of milestones have been defined to support the ticket classification process, some of them, those dated (releases), can be seen as milestones, while the rest should be seen as simple ticket containers.

• (Not allocated): It is the absence of milestones in a ticket. For all intents and purposes, this ticket “does not exist yet.” The DM and PO will validate each and every one of these tickets to see if they make sense in the product roadmap. No developer should take any of these tickets.
• Feature backlog: Tickets that will be made at some indeterminate time in the future that sooner or later will have to be addressed. No developer should take any of these tickets.
• Low priority bugs: Reported bugs with no priority assigned yet by PO/DM. No developer should take any of these tickets.
• STAGE: Tickets proposed by each department for planning in a product release. At each planning meeting, these tickets will be discussed, and moved to other milestones. At the end of the cycle start meeting, this milestone should be empty. The DM is the one who has the final decision as to which STAGE tickets are assigned to a certain release and which are not, relying on the product committee if necessary. No developer should take any of these tickets.
• XXX: Release XXX. Milestone that groups a series of tickets that will be released on a certain date. A milestone has a deadline associated with it. In the case of RRR releases, this date could change, in the case of LTS not.

1. The development of the tickets associated with a release must be finished 5 days before the scheduled day for the release. Tickets not completed before that date will be delayed to the next release and the delay will have to be justified to the DM.
2. There are two types of release milestones:
   -LTS: in April and November. They are 6 months apart.
   -Regular Releases (RRR): There will be 2 to 4 regular releases between LTS releases.

• A developer with no assigned tasks for a release, as long as there are no pending assignment tickets in the release milestones for the developer’s team, can take one of the unassigned tickets from:
  -The closest release, based on date.
  -Second closest release, based on date.

CICD

Pandora FMS developers integrate the code of their branches in a central repository several times a day, causing a series of automatic tests to be executed whose objective is to detect faults as soon as possible and improve the quality of the product.

These tests run dynamically in a series of executors or “runners”, some of them specific, for certain architectures (e.g., ARM), that execute static code analyzers, unit tests, and activate containers to carry out integration tests in a real installation of the application.

The generation of Pandora FMS packages is completely automated. Packages are generated every night from the development branch for manual testing. They can also be generated on demand by any developer or member of the QA or support teams, from any branch through the GitLab web interface.

When a release is made from the stable branch, in addition to package generation, a series of steps are executed that deploy them to Ártica’s internal package server, to SourceForge, to Ártica’s customer support environment, and that, likewise, update the Debian, SUSE and CentOS repositories along with the official Docker images.