Pandora: Documentation en: SSH and FTP setup

From Pandora FMS Wiki


1 SSH Configuration to Get Data in Pandora FMS

Sometimes the standard transfer method in Pandora FMS (Tentacle) cannot be used, for example because the monitored Unix system has no Perl (as on ESX systems), which means using the old shell-script agent. In that case, the remaining options are to transfer the file through FTP or SSH.

Pandora FMS can use the SSH protocol to copy XML data packages, generated by the agents, to the server. To configure it, follow these steps:

Step 1. Create a "pandora" user on the host where the Pandora FMS server is installed; this user will receive the data through SSH. If the Pandora FMS server is already installed, this user already exists. Set a strong password for it with the command:

 passwd pandora

Step 2. On the server, create the /home/pandora/.ssh directory with permissions 750, owned by pandora:root.

Step 3. On each system with an agent that must use SSH, create a key pair. To do so, run the following command as the user that will execute the Pandora FMS agent:

# ssh-keygen 

A few questions will be shown; you can answer them by simply pressing Enter. A public/private key pair for this user will be created on the system. Next, copy the public key to the target system, the Pandora FMS server the data must be sent to.

Step 4. Copy the public key to the Pandora FMS server. There are two ways to copy the created public key:

Manually, by copying the content of the public key file from the agent's system into the key file on the Pandora FMS server, /home/pandora/.ssh/authorized_keys (which must be owned by pandora:root with permissions 600).

The public key file generated on the agent's system is /root/.ssh/id_rsa.pub. It will contain something similar to this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzqyZwhAge5LvRgC8uSm3tWaFV9O6fHQek7PjxmbBUxTWfvNbbswbFsF0esD3COavziQAUl3rP8DC28vtdWHFRHq+RS8fmJbU/VpFpN597hGeLPCbDzr2WlMvctZwia7pP4tX9tJI7oyCvDxZ7ubUUi/bvY7tfgi7b1hJHYyWPa8ik3kGhPbcffbEX/PaWbZ6TM8aOxwcHSi/4mtjCdowRwdOJ4dQPkZp+aok3Wubm5dlZCNLOZJzd9+9haGtqNoAY/hkgSe2BKs+IcrOAf6A16yiOZE/GXuk2zsaQv1iL28rOxvJuY7S4/JUvAxySI7V6ySJSljg5iDesuWoRSRdGw== [email protected]

Automatically, using the following command:

ssh-copy-id pandora@server_ip

It will ask for the password of the "pandora" user on the server and, once confirmed, it will show a message like this one:

Now try logging into the machine, with "ssh 'pandora@server_ip'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

Test, from the agent's machine as root, that you can log in to the Pandora FMS server as the "pandora" user without being asked for a password. If that does not work, the agent will not be able to send data through SSH.

Agents will use this method to copy data into the /var/spool/pandora/data_in directory on the Pandora FMS server.

Make sure that the /var/spool/pandora/data_in directory already exists and that the «pandora» user has write permission on it, otherwise it will not work.

Finally, modify the agent configuration so that the copy method is ssh instead of tentacle: set the transfer_mode token in the /etc/pandora/pandora_agent.conf file.
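As an added example (not part of the Pandora FMS documentation), the following script audits on the server the layout that Steps 1 to 4 require: the .ssh directory and authorized_keys permissions and owner, the content of authorized_keys, and the data_in directory. The function name and its arguments are assumptions of this example; it assumes GNU stat, as found on Linux servers.

```shell
#!/bin/sh
# Added example (not from the Pandora FMS documentation): audit, on the server,
# the layout that Steps 1-4 require before any agent tries to send data.
# Usage: check_pandora_ssh_layout HOME_DIR DATA_IN_DIR EXPECTED_UID
#   e.g. check_pandora_ssh_layout /home/pandora /var/spool/pandora/data_in "$(id -u pandora)"
# Returns 0 when every check passes, 1 otherwise; each failure is printed.
# Assumes GNU stat (Linux); ownership is compared by numeric uid.

check_pandora_ssh_layout() {
    home="$1"; data_in="$2"; uid="$3"; rc=0

    # ~/.ssh must be a directory, mode 750, owned by the pandora user
    if [ ! -d "$home/.ssh" ]; then
        echo "FAIL: $home/.ssh missing"; rc=1
    else
        mode=$(stat -c %a "$home/.ssh"); who=$(stat -c %u "$home/.ssh")
        [ "$mode" = 750 ] || { echo "FAIL: $home/.ssh is mode $mode, want 750"; rc=1; }
        [ "$who" = "$uid" ] || { echo "FAIL: $home/.ssh owned by uid $who, want $uid"; rc=1; }
    fi

    # authorized_keys must be mode 600, same owner, and contain only key lines
    ak="$home/.ssh/authorized_keys"
    if [ ! -f "$ak" ]; then
        echo "FAIL: $ak missing (no agent key installed yet)"; rc=1
    else
        mode=$(stat -c %a "$ak"); who=$(stat -c %u "$ak")
        [ "$mode" = 600 ] || { echo "FAIL: $ak is mode $mode, want 600"; rc=1; }
        [ "$who" = "$uid" ] || { echo "FAIL: $ak owned by uid $who, want $uid"; rc=1; }
        # ssh-copy-id asks you to check for unexpected keys: flag non-key lines
        if grep -Ev '^[[:space:]]*(#|$)' "$ak" | grep -Evq '^(ssh-|ecdsa-|sk-)'; then
            echo "WARN: $ak contains lines that are not public keys"
        fi
    fi

    # data_in must exist and be writable by its owner, the pandora user
    if [ ! -d "$data_in" ]; then
        echo "FAIL: $data_in missing"; rc=1
    else
        mode=$(stat -c %a "$data_in"); who=$(stat -c %u "$data_in")
        ownerbits=$(( (mode / 100) % 10 ))   # octal digits are 0-7, so decimal math is fine
        [ "$who" = "$uid" ] || { echo "FAIL: $data_in owned by uid $who, want $uid"; rc=1; }
        [ $(( ownerbits & 2 )) -ne 0 ] || { echo "FAIL: $data_in not writable by its owner"; rc=1; }
    fi
    return $rc
}

if [ "$#" -gt 0 ]; then check_pandora_ssh_layout "$@"; fi
```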

2 Configuration to receive data in the server through FTP

The client configuration for sending data through FTP lets you specify the user and password that will be sent, so it is quite easy to implement the copy through FTP instead of Tentacle.

Besides configuring the Pandora FMS agents to send data through FTP, set up an FTP server on the Pandora FMS server, set a password for the "pandora" user (the one the Pandora FMS agents will use) and grant the "pandora" user write access to the /var/spool/pandora/data_in directory and its subdirectories.

This implies configuring the FTP server to suit these needs. vsFTPd is used throughout this guide.


2.1 SSH Server Hardening

Pandora FMS uses sftp/ssh2 (scp), among other methods, to copy data files from the agents to the server. Because of this, at least one data server needs an SSH2 server that accepts logins for the «pandora» user. This can be a significant risk for a network that needs to be strictly secured. OpenSSH is very safe, but in computer security nothing is absolutely safe, so take measures to make it "safer".

It is equally possible to deny SSH access to certain users, as well as to restrict access through FTP.

To do so, modify the "pandora" user. This user must have a password. Change its login shell to nologin so that it cannot log in through SSH, and set its home directory to the data directory so that it cannot reach other folders:

usermod -s /sbin/nologin -d /var/spool/pandora/data_in pandora

Note: On Debian systems, the nologin shell path is /usr/sbin/nologin.

With these user changes, the pandora user can no longer log in through SSH. Note that a nologin shell also prevents scp/sftp transfers for that user, so apply this only when the agents send their data through FTP.

2.2 vsftpd Hardening

The drawback of using FTP instead of Tentacle is that sending data through FTP is less safe: running an FTP server on the Pandora FMS server exposes it to the weaknesses inherent in the design of the FTP protocol. The following sections describe how to provide a minimum of server safety.

Therefore, just as SSH login for the pandora user was disabled for safety reasons, a safe access method through FTP must be set up. A simple and safe method is creating a PAM rule for vsftpd. Create a /etc/pam.d/ftp file containing the following:

auth    required        pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Standard pam includes
@include common-account
@include common-session
@include common-auth
auth    required    pam_succeed_if.so quiet user ingroup pandora
auth    required    pam_succeed_if.so quiet shell = /sbin/nologin

Note: On Debian systems, the shell path is /usr/sbin/nologin.

Look for the pam_service_name token in the vsftpd configuration file (/etc/vsftpd.conf) and set it to the name of the file you created:

pam_service_name=ftp

With this configuration, only users that belong to the pandora group and have nologin as their shell will be able to access Pandora FMS through FTP. As a result, the «pandora» group, containing the «pandora» user, must be created if it does not exist yet.

By adjusting a couple of settings in the /etc/vsftpd.conf file, users logging in through FTP can be confined (chrooted) to their home directory. The parameters are the following:

chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.nochroot_list

If some user needs to be excluded from this restriction (not chrooted), just add that user to the vsftpd.nochroot_list file (one user per line).

Other options for higher security are these:

dirlist_enable=NO
download_enable=NO
# deny_file is a single pattern option: list both names in one value,
# since a repeated deny_file line would only keep the last one
deny_file={authorized_keys,.ssh}
chroot_local_user=YES


Note: Remember to restart the vsftpd service after modifying the configuration file so that the changes take effect.


With these settings, the user is limited to its root directory (/var/spool/pandora/data_in for the «pandora» user). The user can carry out FTP transfers to send files but cannot list them.

Try logging in through FTP with the «pandora» user, then try to change directory and list files; if neither is possible, the setup has been successful.
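Before running that login test, the vsftpd.conf can be audited against the settings this section asks for. The following script is an added example, not part of the Pandora FMS documentation; its function names are assumptions of the example, and it additionally checks anonymous_enable, which this page does not list but which vsftpd enables by default and which bypasses the PAM rules above.

```shell
#!/bin/sh
# Added example (not from the Pandora FMS documentation): audit a vsftpd.conf
# against the settings this section asks for. Usage: audit_vsftpd_conf FILE
# Returns 0 when every expected setting is in effect, 1 otherwise, printing findings.

# get_opt FILE KEY: print the effective value of KEY. vsftpd keeps only the
# last assignment of an option, so a repeated key (e.g. two deny_file lines)
# silently discards the earlier one; this mirrors that behaviour.
get_opt() {
    grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-
}

# expect FILE KEY WANT: report a finding unless KEY's effective value is WANT
expect() {
    got=$(get_opt "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FINDING: $2 is '${got:-unset}', expected '$3'"
    return 1
}

audit_vsftpd_conf() {
    f="$1"; bad=0
    expect "$f" pam_service_name ftp  || bad=1  # use the /etc/pam.d/ftp rules
    expect "$f" chroot_local_user YES || bad=1  # confine users to their home
    expect "$f" dirlist_enable NO     || bad=1  # agents upload, never list
    expect "$f" download_enable NO    || bad=1  # agents upload, never fetch
    # Not listed in this section, but vsftpd's compiled-in default for
    # anonymous_enable is YES, and anonymous logins never pass through PAM.
    expect "$f" anonymous_enable NO   || bad=1
    # deny_file is a single pattern option; both names must be in that one value
    deny=$(get_opt "$f" deny_file)
    for name in authorized_keys .ssh; do
        case "$deny" in
            *"$name"*) ;;
            *) echo "FINDING: deny_file '${deny:-unset}' does not cover $name"; bad=1 ;;
        esac
    done
    return $bad
}

if [ "$#" -gt 0 ]; then audit_vsftpd_conf "$1"; fi
```

If the login test fails with a "500 OOPS" error about a writable root inside the chroot, note that vsftpd 2.3.5 and later refuse to chroot into a directory the user can write to (as data_in must be) unless allow_writeable_chroot=YES is also set.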

