Which port of server listen to agent?
Posted by x_vag on November 15, 2006 at 18:01

Hi there,
I’d like to know which port of server listen to agent.
Is there any difference on port listening between Linux and Windows agents?

Thanks,
Vagelis.
7 Replies
-
::
Hi there,
I’d like to know which port of server listen to agent.
Is there any difference on port listening between Linux and Windows agents?

Thanks,
Vagelis.

None.
The communication is made using SSH.
The agents connect to Port 22 (SSH) of the server; they don’t open any port to listen.

Raúl
-
::
I’m assuming then that the agents don’t have to run as root or be accessed by root? The reason I ask is that if they did, then that would mean that the monitoring server would have to have root access to every server it monitors. If that’s the case, then if the monitoring server was compromised, then obviously that “hacker” would have root access to every server it monitors.
-
::
The agents don’t need to run as root, but keep in mind that maybe some checks you might want to do are only available with root privileges. It is totally up to you.
Anyways, how would you compromise a bash script? The agents are just a bash script so it seems pretty hard for me to hack a bash script 🙂

On the other hand, even if the servers are running as root, the server NEVER starts the communications to the agents, the agents do. So you cannot access the agents’ machines from the server, from the CLI I mean.
-
::
My point is that the Pandora server communicates with those bash scripts through SSH, correct? So obviously the Pandora server has that authentication info. So if the Pandora server gets compromised, they have that ssh access to the servers that are being monitored as well. Does that make sense?
-
::
No, it does using Tentacle.
And even more, if you want it to connect via SSH, only the agents can access the server, so the communication is done in this way:
Agents -> Server
Not:
Server -> Agent

Moreover, the agent connects to the server using “pandora” as a user, never as root.
The user pandora is still a risk (not as big as using root); that’s why we recommend (if you decide to go for SSH instead of Tentacle) installing scponly as a shell for the Pandora user:
http://openideas.info/wiki/index.php?title=Pandora_1.3:Documentation_en:Advanced#SSH_server_securization
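
As an added example that is not part of the thread or of Pandora FMS: a shell check that the SSH transfer account on the server is unprivileged and uses scponly as its shell, as the reply above recommends. The function name, the passwd-format input file and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audits the account that agents use for SSH transfers.
# Reads a passwd(5)-format file so it can be run against a copy.

# audit_transfer_account FILE USER
# Prints one finding per line. Returns 0 = clean, 1 = findings, 2 = no such user.
audit_transfer_account() {
    ata_file=$1
    ata_user=$2
    ata_entry=$(awk -F: -v u="$ata_user" '$1 == u { print; exit }' "$ata_file")
    if [ -z "$ata_entry" ]; then
        echo "MISSING: no account named $ata_user"
        return 2
    fi
    ata_uid=$(printf '%s\n' "$ata_entry" | cut -d: -f3)
    ata_gid=$(printf '%s\n' "$ata_entry" | cut -d: -f4)
    ata_shell=$(printf '%s\n' "$ata_entry" | cut -d: -f7)
    ata_rc=0
    if [ "$ata_uid" = "0" ] || [ "$ata_gid" = "0" ]; then
        echo "FAIL: $ata_user has UID/GID 0 (uid=$ata_uid gid=$ata_gid)"
        ata_rc=1
    fi
    # Accept scponly and its chrooted variant scponlyc, wherever installed.
    case "${ata_shell##*/}" in
        scponly|scponlyc) ;;
        *) echo "FAIL: $ata_user shell is '${ata_shell:-unset}', not scponly"
           ata_rc=1 ;;
    esac
    return "$ata_rc"
}

# Constructed sample data (not taken from any real host).
demo() {
    demo_file=$(mktemp)
    cat > "$demo_file" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pandora:x:1001:1001:Pandora transfer:/home/pandora:/bin/bash
EOF
    audit_transfer_account "$demo_file" pandora || echo "exit status: $?"
    rm -f "$demo_file"
}
demo
```

On a real server the first argument would be /etc/passwd or a copy of it.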
-
::
Very interesting discussion. I was busy in the last days and absent from this forum. Now I’m back 😉
I’m using pandora agents running as pandora user. It’s working pretty good. I have only one or two checks that need root access. For them, I use a cron (as root) to write the info into a file that pandora user is allowed to read. It’s not the “best” approach, but is working very well so far.
Some info is available for any user, but few people know. For example, the ifconfig command can be used by any user, you just need to give the full path (eg: /sbin/ifconfig).
The only thing that I still have to fix is the startup script. It works only with root.
Regards.