Pandora: Documentation en: SSH and FTP setup
1 SSH Configuration to Get Data in Pandora FMS
Sometimes we cannot use the standard transfer method in Pandora FMS (Tentacle) because we could be using a Unix system that doesn't have Perl (as in ESX systems for example) and we have to use the old shellscript agent. When this happens the options are to use FTP or SSH to transfer the file.
Pandora FMS can use the SSH protocol to copy the XML data packages generated by the agents, to the server. To configure it, you have to follow these steps:
Step 1. Create a "pandora" user in the host where your Pandora FMS server is installed, which is going to receive the data through SSH. If you have installed a Pandora FMS server already, then you should have this user already created. Set a strong password for this user with the command:
Step 2. At the server, create /home/pandora/.ssh directory with permissions 750 and user pandora:root
Step 3. In each system where you have an agent that wants to use SSH, create a pair of keys. To do so, execute the following command with the user that will be used to execute the Pandora's agent:
A few questions will be shown, you can answer by simply pressing Enter. A public/private key for this user will be created in the system. Now you must copy it to the target system, the Pandora FMS' server.
Step 4. Copy the public key to the Pandora's server. There are two ways to copy the public key that has just been created:
Manually, copying the content of the public key file from the system where the agent is, to the remote keys file in Pandora server, located at /home/pandora/.ssh/authorized_keys (that should have ownership pandora:root and permissions 600).
The public key file generated in the system where is the agent is /root/.ssh/id_rsa.pub. This file will contain something similar to this:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzqyZwhAge5LvRgC8uSm3tWaFV9O6fHQek7PjxmbBUxTWfvNbbswbFsF0esD3COavziQAUl3rP8DC28vtdWHFRHq+RS8fmJbU/VpFpN597hGeLPCbDzr2WlMvctZwia7pP4tX9tJI7oyCvDxZ7ubUUi/bvY7tfgi7b1hJHYyWPa8ik3kGhPbcffbEX/PaWbZ6TM8aOxwcHSi/4mtjCdowRwdOJ4dQPkZp+aok3Wubm5dlZCNLOZJzd9+9haGtqNoAY/hkgSe2BKs+IcrOAf6A16yiOZE/GXuk2zsaQv1iL28rOxvJuY7S4/JUvAxySI7V6ySJSljg5iDesuWoRSRdGw== [email protected]
Automatically using the following command:
ssh-copy-id [email protected]_ip
It will ask the password of the server "pandora" user, and once this has been confirmed, it will show you a message like this:
Now try logging into the machine, with "ssh '[email protected]_ip'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.
Do this test to verify that the automatic connection to the Pandora FMS server with the user "pandora" from the agent's machine with root user is possible. If that doesn't work, the agent will not be able to send data through SSH.
This method will be used by the agents to copy data to the /var/spool/pandora/data_in. Pandora FMS server directory
Make sure also that the directory /var/spool/pandora/data_in directory already exists and that the user «pandora» has writing permissions, or otherwise it will not work.
At last, modify the agent configuration to specify to it that the copy method is ssh and not tentacle. This should be modified in the /etc/pandora/pandora_agent.conf' file and in the transfer_mode configuration token.
1.1 SSH Server Securization
Pandora FMS uses, among others, sftp/ssh2 (scp), to copy data files from the agents to the server. Due to this, you will need at least one data server with a SSH2 server that listen the «pandora» user. This could be an important risk for a network that needs to bee strictelly securized. Open SSH2 is very secure, but regarding Computer Security, there is nothing that is absolutely secure, so you should take measures in order to make it «more» secure.
To use SSH, it is recommended to use scponly, an small tool that forbidden that the remote start sessions use SSH for specific uses.This way it is possible to forbid access through SSH for «pandora» users and allow only sftp/s in this system.
1.1.1 What is Scponly?
Scponly is an alternative 'shell' for system administrators that want to give access to remote users to read and write files without giving any remote privilege for execution. It could be also described as an intermediate system between the system and the SSH system applications.
A typical use of Scponly is to create a semi-public account that is not similar to the concept of anonymous session start for FTP. This allows that an administrator could share files in the same way that a FTP would do it, but it should use all the protection that SSH gives. This is specially relevant if you consider that the FTP authentications cross public networks in a flat text format.
Using scponly to securize the «pandora» user is very easy:
Install scponly (for systems based on Debian):
apt-get install scponly
Or use yum install scponly with suitable repositories, or install manually with rpm -i scponly.
Replace the shell of «pandora» user for scponly:
usermod -s /usr/bin/scponly pandora
It is done. With this, you could use the «pandora» user to copy files with scp, but you will not have access to the server with the «pandora» user.
More information at scponly web site.
2 Configuration to receive data in the server through FTP
Please, read the previous section regarding to SSH. The configuration on client to send data through FTP allows to specify the user and the password that is going to be send, so it's easy to implement the copy through FTP to the agent, instead to Tentacle. The problem is that the sending of data through FTP is less safe, so as there is a FTP working with Pandora's server, this makes it more vulnerable to failures that comes with the FTP system security design. See the sections that come after to know how "securize" a little more your server.
Besides configuring the Pandora's agents for sending data with FTP, you will have to configure a FTP server into the Pandora server, fix a password for the user "pandora" (that will be the one you will use in the Pandora's agents) and allow the writing access to the "pandora" user to the /var/spool/pandora/data_in directory and to other lower ones.
This implies that you should configure the FTP server to adecuate it to these needs. In the following sections, you could see how to do it for the ProFTPD and VsFTP servers, two of the most used in Linux.
2.1 Securizing the FTP (proftpd) Server
From its version 1.3,Pandora FMS also support all the platforms of its agent, the FTP usage to transfer XML data files. For all of this, you will need, at least, a dataserver with a FTP server ready for the «pandora» user. This could be an important risk in a network that needs to be strictly securized.
These small recommendations to do a secure FTP, are for the demon proftpd, a FTP server sofware with GPL license highly configurable, that includes several options to limit the access.
It is recommended to configure these parameters in proftpd.conf
Umask 077 077 MaxInstances 30 DefaultRoot /var/spool/pandora/data_in pandora
The DefaultRoot directive uses pandora as group, so you should create the «pandora» group that would include the «pandora» user.
Other file that controls the access at user level is /etc/ftpusers.This file contains all users that have not permission to connect with this server.
[[email protected]]# cat /etc/ftpusers root bin daemon adm lp sync shutdown halt mail news uucp operator games guest anonymous nobody
Try to start session with «pandora» user in the FTP and to access to other different directories from /var/spool/pandora/data_in(this should be the only visible directory for this user under the alias).
2.2 Vsftpd Securization
Vsftpd has different parameters to securize a FTP account, but this could come into conflict with scponly. It is recommended to implement some changes to reinforce the security in the «pandora» account, to could use the FTP and SSH transfer systems in a simultaneous way:
- Change the home directory of «pandora» user by /var/spool/pandora/data_in
- Keep scponly as shell by default.
- Copy or move the directory /home/pandora/.ssh to /var/spool/pandora/data_in.Do not forget to check the the directory /.ssh has the «pandora» use as owner and that it has the right permissions.
- Modify the vsftpd configuration file: /etc/vsftpd.conf and add the following parameters:
check_shell=NO dirlist_enable=NO download_enable=NO deny_file=authorized_keys deny_file=.ssh chroot_local_user=YES
This configuration fix the home directory of «pandora» user as /var/spool/pandora/data_in, and does not allow to the «pandora» user to connect remotely to establish an interactive command session. It also allows FTP transfers with the same user, «pandora», to send &mdash files; but only allows to have access to the &mdash data entry directory; and does not allow neither to have access to other directories nor list the content of any file.