====== Configuring SSH and/or FTP to Receive Data ======
{{indexmenu_n>1}}
===== Introduction =====
The standard transfer method in Pandora FMS to send files, [[:en:documentation:pandorafms:technical_reference:09_tentacle|Tentacle]], needs the [[https://en.wikipedia.org/wiki/Perl|Perl]] programming language installed. Some devices, such as ESX systems (UNIX), lack this tool. When this happens, the alternatives are to use FTP or SSH to transfer monitoring data.
{{ :wiki:pfms-server-ftp-ssh-data.png?nolink& }}
Pandora FMS can use the FTP or SSH protocol to copy the XML data packages generated by the [[:en:documentation:pandorafms:introduction:03_glossary#software_agent|software agents]] to the PFMS server.
===== SSH Configuration to Get Data in Pandora FMS =====
Always keep in mind Pandora FMS [[:en:documentation:pandorafms:technical_annexes:15_security_architecture|Security Architecture]].
Consider Pandora FMS server as **Server** and each one of the devices running the Software Agent as **Client**. You may always check which user you are working with by means of the **whoami** command.
==== User creation in Server ====
**Step 1**: Create a ''pandora'' user in the machine where Pandora FMS server is running. This machine will receive the data through SSH. If you have already installed a Pandora FMS server, surely this user is already created. Set a strong password for that user with the command:
passwd pandora
==== User configuration in Server ====
**Step 2**. Once within the server, create the ''/home/pandora/.ssh'' directory with ''750'' permissions and ''pandora:root user''.
==== Key creation in Client ====
**Step 3**: Create, on each machine running a Software Agent that will use SSH, a pair of keys (private and public). To do this, execute the following command **with the same user with which Pandora FMS Software Agent is executed**:
ssh-keygen
A series of questions will appear to which you will have to answer by simply pressing the Enter key. With this you have created a public key and a private key for that user in the machine. Now you should copy it to the destination machine, which is the Pandora FMS server where you want to send the monitoring data.
==== Copy of public key to Server ====
**Step 4**: Copy the public key to the Pandora FMS **Server**. The public key you just generated can be copied in two ways.
=== Manual copying ===
The public key file generated in the **Client** is:
/home//.ssh/id_rsa.pub
Where '''' is the user name that runs Pandora FMS Software Agent in the **Client**. If the key pair was generated as root user, it will be in:
/root/.ssh/id_rsa.pub
This file will have a content similar to this one:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzqyZwhAge5LvRgC8uSm3tWaFV9O6fHQek7PjxmbBUxTWfvNbbswbFsF0esD3COavziQAUl3rP8DC28vtdWHFRHq+RS8fmJbU/VpFpN597hGeLPCbDzr2WlMvctZwia7pP4tX9tJI7oyCvDxZ7ubUUi/bvY7tfgi7b1hJHYyWPa8ik3kGhPbcffbEX/PaWbZ6TM8aOxwcHSi/4mtjCdowRwdOJ4dQPkZp+aok3Wubm5dlZCNLOZJzd9+9haGtqNoAY/hkgSe2BKs+IcrOAf6A16yiOZE/GXuk2zsaQv1iL28rOxvJuY7S4/JUvAxySI7V6ySJSljg5iDesuWoRSRdGw== root@dragoon
This content must be added to the end of the ''authorized_keys'' file on the **Server**. Its path is:
/home/pandora/.ssh/authorized_keys
The ''authorized_keys'' file on the Server must belong (ownership) to the user ''pandora:root'' and must have permissions ''600''
=== Automatic copy ===
Use the following command at **Client**:
ssh-copy-id pandora@
Where '''' is the IP address or URL of the **Server**.
It will ask for the server's ''pandora'' user password ([[:en:documentation:pandorafms:technical_annexes:01_ssh_and_ftp_setup#user_creation_in_server|set in step 1]]) and, once confirmed, it will display a message similar to the following:
Now try logging into the machine, with "ssh ''", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Perform this test to verify automatic connection to Pandora FMS **Server** with the ''pandora'' user from the **Client** (with the user running the Software Agent):
ssh pandora@
Once you are able to connect to the **Server** as described above, the Software Agent on the **Client** will be able to start sending monitoring data.
==== Client Configuration ====
Once you have verified the connection through SSH, this will be the method used by the software agents to copy data to Pandora FMS Server directory. This directory is located at:
/var/spool/pandora/data_in
Also make sure that the directory ''/var/spool/pandora/data_in'' exists and the ''pandora'' user has writing permissions, otherwise it will not work.
Finally, modify the [[:en:documentation:pandorafms:installation:05_configuration_agents#transfer_mode|software agent configuration]] in the **Client** to specify that the copying method is SSH. This is modified in ''/etc/pandora/pandora_agent.conf'' file, in the ''transfer_mode'' configuration token. Remember to restart the software agent service on each Client after this change.
==== SSH Server assuring ====
[[https://pandorafms.com/blog/information-security/|{{ :wiki:pfms-cyber_attack.png?nolink& |Absolutely no one is safe from security attacks}}]]
Pandora FMS uses, among others, sftp/ssh2 ([[https://es.wikipedia.org/wiki/Secure_Copy|SCP]]) to copy data files from the software agents to the server. Therefore, you will need at least one data server with an SSH2 server listening to the ''pandora'' user. This could be a significant risk in a network that needs to be strictly secured. OpenSSH2 is **very** secure, but in terms of computer security, there is nothing that is absolutely secure; so, measures must be taken to make it "more" secure.
Always keep in mind Pandora FMS [[:en:documentation:pandorafms:technical_annexes:15_security_architecture|Security Architecture]].
It is possible to prevent SSH access for certain users, as well as to configure restrictions on FTP access.
To do this, modify the ''pandora'' user on the **Server**. This user must have a [[:en:documentation:pandorafms:technical_annexes:01_ssh_and_ftp_setup#user_creation_in_server|strong password]]. Its login shell will be changed to restrict SSH access to the user, and its ''home'' directory, to prevent its access to other folders:
usermod -s /sbin/nologin -d /var/spool/pandora/data_in pandora
With these changes to the ''pandora ''user on the **Server**, when logging in via SSH, such user will not be able to execute commands with it in an interactive terminal.
(See the [[:es:documentation:pandorafms:installation:01_installing#requisitos_minimos_de_software|recommended operating systems]] for Pandora FMS.) In Debian systems the shell path is ''/usr/sbin/nologin''.
===== FTP configuration to receive data in Pandora FMS =====
The client settings for sending data via FTP allow you to specify the user and password to be sent, making it quite easy to implement FTP copying instead of [[:en:documentation:pandorafms:technical_reference:09_tentacle|Tentacle]].
[[https://pandorafms.com/blog/file-transfer-protocol/|{{ :wiki:pfms-what-is-ftp.png?nolink& |What is File Transfer Protocol (FTP)?}}]]
Besides configuring Pandora FMS software agents to send data with FTP, **you will have to configure an FTP server where you execute Pandora FMS server**, [[:en:documentation:pandorafms:technical_annexes:01_ssh_and_ftp_setup#creating_a_server_user|establish a password]] for the ''pandora'' user and allow writing access to the ''pandora'' user to the ''/var/spool/pandora/data_in'' directory and its subdirectories.
This means that you should configure the FTP server to adapt it to these needs; for this, in this guide **[[https://de.wikipedia.org/wiki/Vsftpd|vsFTPd]]** is used.
==== vsftpd assuring ====
The disadvantage of using FTP instead of Tentacle is that sending data through FTP is less secure, since having an FTP running in Pandora FMS server, this makes it more vulnerable to failures inherent to the design of the FTP system. In the following sections we will show **how to secure in a basic way the vsftpd server** (simply called **Server**).
For this reason, and in the same way that the [[:en:documentation:pandorafms:technical_annexes:01_ssh_and_ftp_setup#ssh_server_assuring|SSH login has been disabled]] for the ''pandora'' user for security reasons, a safe access method should be established for the FTP users. A safe and simple method for this is to create a PAM rule for **vsftpd**. For this you should create a file called ''/etc/pam.d/ftp'' containing the following:
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Standard pam includes
@include common-account
@include common-session
@include common-auth
auth required pam_succeed_if.so quiet user ingroup pandora
auth required pam_succeed_if.so quiet shell = /sbin/nologin
(See the [[:es:documentation:pandorafms:installation:01_installing#requisitos_minimos_de_software|recommended operating systems]] for Pandora FMS.) In Debian systems the shell path is ''/usr/sbin/nologin''.
In the configuration file of **vsftpd** (''/etc/vsftpd.conf'') search the token ''pam_service_name'' and set the name of the created file:
pam_service_name=ftp
With this configuration, only the users that belong to the ''pandora'' group and have ''nologin'' as associated //shell// will be able to connect to Pandora FMS by FTP, //so you should create the// ''pandora'' //group// that includes the ''pandora'' user. In any case, verify that both exist in the **Server**.
With a last configuration of the ''/etc/vsftpd.conf'' file, the access of the users that access by FTP its root directory will be restricted. The parameters are as follows:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.nochroot_list
In case you need to exclude a user from this and avoid restricting it to your **Chroot**, just include that user in this ''vsftpd.nochroot_list'' file (one user per line).
Other options to be configured to implement higher security are the following:
dirlist_enable=NO
download_enable=NO
deny_file=authorized_keys
deny_file=.ssh
chroot_local_user=YES
Remember to restart the **vsftpd** service after making changes to the configuration file for them to take effect.
With this configuration, the user will be restricted to its root directory (''/var/spool/pandora/data_in'' in the case of the ''pandora'' user). The user will be able to make transfers via FTP (send files), **but will not be able to list files**.
Try to log in with the pandora user in the FTP, change directory and list files; if it does **not** succeed, the configuration will have been successful.
[[:en:documentation:start|Go back to Pandora FMS documentation index]]