Configuring SSH and/or FTP to Receive Data
Introduction
The standard transfer method in Pandora FMS to send files, Tentacle, needs the Perl programming language installed. Some devices, such as ESX systems (UNIX), lack this tool. When this happens, the alternatives are to use FTP or SSH to transfer monitoring data.
Pandora FMS can use the FTP or SSH protocol to copy the XML data packages generated by the software agents to the PFMS server.
SSH Configuration to Get Data in Pandora FMS
Always keep in mind Pandora FMS Security Architecture.
Consider Pandora FMS server as Server and each one of the devices running the Software Agent as Client. You may always check which user you are working with by means of the whoami command.
User creation in Server
Step 1: Create a pandora user on the machine where Pandora FMS server is running. This machine will receive the data through SSH. If you have already installed a Pandora FMS server, this user has most likely already been created. Set a strong password for that user with the command:
passwd pandora
User configuration in Server
Step 2: Once within the server, create the /home/pandora/.ssh directory with 750 permissions and pandora:root ownership.
Key creation in Client
Step 3: Create, on each machine running a Software Agent that will use SSH, a pair of keys (private and public). To do this, execute the following command with the same user with which Pandora FMS Software Agent is executed:
ssh-keygen
A series of questions will appear; answer each one by simply pressing the Enter key. This creates a public key and a private key for that user on the machine. Now copy the public key to the destination machine, which is the Pandora FMS server where you want to send the monitoring data.
Copy of public key to Server
Step 4: Copy the public key to the Pandora FMS Server. The public key you just generated can be copied in two ways.
Manual copying
The public key file generated in the Client is:
/home/<user>/.ssh/id_rsa.pub
Where <user> is the user name that runs Pandora FMS Software Agent in the Client. If the key pair was generated as root user, it will be in:
/root/.ssh/id_rsa.pub
This file will have a content similar to this one:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzqyZwhAge5LvRgC8uSm3tWaFV9O6fHQek7PjxmbBUxTWfvNbbswbFsF0esD3COavziQAUl3rP8DC28vtdWHFRHq+RS8fmJbU/VpFpN597hGeLPCbDzr2WlMvctZwia7pP4tX9tJI7oyCvDxZ7ubUUi/bvY7tfgi7b1hJHYyWPa8ik3kGhPbcffbEX/PaWbZ6TM8aOxwcHSi/4mtjCdowRwdOJ4dQPkZp+aok3Wubm5dlZCNLOZJzd9+9haGtqNoAY/hkgSe2BKs+IcrOAf6A16yiOZE/GXuk2zsaQv1iL28rOxvJuY7S4/JUvAxySI7V6ySJSljg5iDesuWoRSRdGw== root@dragoon
This content must be added to the end of the authorized_keys file on the Server. Its path is:
/home/pandora/.ssh/authorized_keys
The authorized_keys file on the Server must be owned by pandora:root and must have 600 permissions.
Automatic copy
Use the following command at Client:
ssh-copy-id pandora@<Server-address>
Where <Server-address> is the IP address or URL of the Server.
It will ask for the server's pandora user password (set in step 1) and, once confirmed, it will display a message similar to the following:
Now try logging into the machine, with "ssh '<Server-address>'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.
Perform this test to verify automatic connection to Pandora FMS Server with the pandora user from the Client (with the user running the Software Agent):
ssh pandora@<Server-address>
Once you are able to connect to the Server as described above, the Software Agent on the Client will be able to start sending monitoring data.
Client Configuration
Once you have verified the connection through SSH, this will be the method used by the software agents to copy data to Pandora FMS Server directory. This directory is located at:
/var/spool/pandora/data_in
Also make sure that the directory /var/spool/pandora/data_in exists and that the pandora user has write permissions on it, otherwise it will not work.
Finally, modify the software agent configuration in the Client to specify that the copying method is SSH. This is set in the /etc/pandora/pandora_agent.conf file, in the transfer_mode configuration token. Remember to restart the software agent service on each Client after this change.
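The Server-side requirements from steps 2 to 4 and the spool directory can be checked with a short script. This is an added example, not part of Pandora FMS; the function names are hypothetical, it assumes GNU stat (Linux), and it should be run as the pandora user so that the write test reflects that user's rights.

```shell
#!/bin/sh
# Added example: audit the Server-side paths from steps 2-4 and the spool directory.

# check_path PATH MODE OWNER:GROUP -> 0 if mode and ownership match, 1 otherwise
check_path() {
    if [ ! -e "$1" ]; then
        echo "MISSING  $1"; return 1
    fi
    got=$(stat -c '%a %U:%G' "$1")   # %a octal mode, %U:%G owner and group names
    if [ "$got" != "$2 $3" ]; then
        echo "MISMATCH $1: have '$got', want '$2 $3'"; return 1
    fi
    echo "OK       $1 ($got)"
}

# count_keys FILE -> number of non-blank, non-comment lines (one key per line)
count_keys() {
    awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# audit_pandora_ssh HOME SPOOL OWNER:GROUP -> 0 only if every check passes
audit_pandora_ssh() {
    home=$1 spool=$2 owner=$3 rc=0
    check_path "$home/.ssh" 750 "$owner" || rc=1
    if check_path "$home/.ssh/authorized_keys" 600 "$owner"; then
        # An unexpected count means a key was added that no Client accounts for.
        echo "INFO     $(count_keys "$home/.ssh/authorized_keys") key(s) authorized; compare with the number of Clients"
    else
        rc=1
    fi
    if [ -d "$spool" ] && [ -w "$spool" ]; then
        echo "OK       $spool exists and is writable by the current user"
    else
        echo "FAIL     $spool is missing or not writable by the current user"; rc=1
    fi
    return $rc
}

# Runs only when the three arguments are given, for example with this page's values:
#   sh audit.sh /home/pandora /var/spool/pandora/data_in pandora:root
if [ "$#" -eq 3 ]; then audit_pandora_ssh "$1" "$2" "$3"; fi
```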
Securing the SSH Server
Pandora FMS uses, among others, sftp/ssh2 (SCP) to copy data files from the software agents to the server. Therefore, you will need at least one data server with an SSH2 server listening for the pandora user. This could be a significant risk in a network that needs to be strictly secured. OpenSSH2 is very secure, but in terms of computer security, there is nothing that is absolutely secure; so, measures must be taken to make it “more” secure.
Always keep in mind Pandora FMS Security Architecture.
It is possible to prevent SSH access for certain users, as well as to configure restrictions on FTP access.
To do this, modify the pandora user on the Server. This user must have a strong password. Its login shell is changed to restrict the user's SSH access, and its home directory is changed to prevent its access to other folders:
usermod -s /sbin/nologin -d /var/spool/pandora/data_in pandora
With these changes to the pandora user on the Server, that user will not be able to execute commands in an interactive terminal when logging in via SSH.
(See the recommended operating systems for Pandora FMS.) In Debian systems the shell path is /usr/sbin/nologin.
FTP configuration to receive data in Pandora FMS
The client settings for sending data via FTP allow you to specify the user and password to be sent, making it quite easy to implement FTP copying instead of Tentacle.
Besides configuring Pandora FMS software agents to send data with FTP, you will have to configure an FTP server on the machine where Pandora FMS server runs, establish a password for the pandora user and give the pandora user write access to the /var/spool/pandora/data_in directory and its subdirectories.
This means that you should configure the FTP server to adapt it to these needs; for this, in this guide vsFTPd is used.
Securing vsftpd
The disadvantage of using FTP instead of Tentacle is that sending data through FTP is less secure, since running an FTP server on the Pandora FMS server makes it more vulnerable to failures inherent to the design of the FTP system. The following sections show how to secure the vsftpd server (simply called Server) in a basic way.
For this reason, and in the same way that the SSH login has been disabled for the pandora user for security reasons, a safe access method should be established for the FTP users. A safe and simple method for this is to create a PAM rule for vsftpd. For this you should create a file called /etc/pam.d/ftp containing the following:
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Standard pam includes
@include common-account
@include common-session
@include common-auth
auth required pam_succeed_if.so quiet user ingroup pandora
auth required pam_succeed_if.so quiet shell = /sbin/nologin
(See the recommended operating systems for Pandora FMS.) In Debian systems the shell path is /usr/sbin/nologin.
In the configuration file of vsftpd (/etc/vsftpd.conf), find the pam_service_name token and set it to the name of the created file:
pam_service_name=ftp
With this configuration, only the users that belong to the pandora group and have nologin as associated shell will be able to connect to Pandora FMS by FTP, so you should create the pandora group that includes the pandora user. In any case, verify that both exist in the Server.
A final change to the /etc/vsftpd.conf file restricts users who connect by FTP to their root directory. The parameters are as follows:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.nochroot_list
If you need to exclude a user from this and avoid restricting it to its chroot, just include that user in the vsftpd.nochroot_list file (one user per line).
Other options to be configured to implement higher security are the following:
dirlist_enable=NO
download_enable=NO
# vsftpd keeps only the last value of a repeated option, so both names go in one pattern
deny_file={authorized_keys,.ssh}
chroot_local_user=YES
Remember to restart the vsftpd service after making changes to the configuration file for them to take effect.
With this configuration, the user will be restricted to its root directory (/var/spool/pandora/data_in in the case of the pandora user). The user will be able to make transfers via FTP (send files), but will not be able to list files.
Try to log in to the FTP server with the pandora user, change directory and list files; if these operations do not succeed, the configuration has been applied successfully.
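Before restarting the service, the file can be compared against the values listed in this section. This is an added example, not part of Pandora FMS or vsftpd, and its function names are hypothetical; it also reports options assigned more than once with different values, because vsftpd uses only the last assignment of an option.

```shell
#!/bin/sh
# Added example: compare a vsftpd.conf with the settings listed on this page.
# vsftpd allows no spaces around "=", so splitting each line on "=" is sufficient.

# effective_value FILE KEY -> value of the last assignment of KEY (empty if unset)
effective_value() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# repeated_keys FILE -> options assigned more than once with differing values
repeated_keys() {
    awk -F= '/^[a-z0-9_]+=/ {
        v = substr($0, length($1) + 2)
        if (($1 in seen) && seen[$1] != v) dup[$1] = 1
        seen[$1] = v
    } END { for (k in dup) print k }' "$1" | sort
}

# audit_vsftpd FILE -> prints findings, returns 1 if an expected value is absent
audit_vsftpd() {
    conf=$1 rc=0
    for want in pam_service_name=ftp chroot_local_user=YES chroot_list_enable=YES \
                dirlist_enable=NO download_enable=NO; do
        key=${want%%=*}
        have=$(effective_value "$conf" "$key")
        if [ "$have" = "${want#*=}" ]; then
            echo "OK   $want"
        else
            echo "FAIL $key: have '${have:-<unset>}', want '${want#*=}'"; rc=1
        fi
    done
    for key in $(repeated_keys "$conf"); do
        echo "WARN $key is set more than once; only '$(effective_value "$conf" "$key")' is in effect"
    done
    return $rc
}

# Runs only when a file is given, e.g.: sh check_vsftpd.sh /etc/vsftpd.conf
if [ "$#" -gt 0 ]; then audit_vsftpd "$1"; fi
```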