Configuring SSH and/or FTP to Receive Data

Introduction

The standard transfer method in Pandora FMS to send files, Tentacle, needs the Perl programming language installed. Some devices, such as ESX systems (UNIX), lack this tool. When this happens, the alternatives are to use FTP or SSH to transfer monitoring data.

Pandora FMS can use the FTP or SSH protocol to copy the XML data packages generated by the software agents to the PFMS server.

SSH Configuration to Get Data in Pandora FMS

Always keep in mind Pandora FMS Security Architecture.

Consider Pandora FMS server as Server and each one of the devices running the Software Agent as Client. You may always check which user you are working with by means of the whoami command.

User creation in Server

Step 1: Create a pandora user in the machine where Pandora FMS server is running. This machine will receive the data through SSH. If you have already installed a Pandora FMS server, surely this user is already created. Set a strong password for that user with the command:

passwd pandora

User configuration in Server

Step 2. Once within the server, create the /home/pandora/.ssh directory with 750 permissions and pandora:root user.

Key creation in Client

Step 3: Create, on each machine running a Software Agent that will use SSH, a pair of keys (private and public). To do this, execute the following command with the same user with which Pandora FMS Software Agent is executed:

ssh-keygen

A series of questions will appear to which you will have to answer by simply pressing the Enter key. With this you have created a public key and a private key for that user in the machine. Now you should copy it to the destination machine, which is the Pandora FMS server where you want to send the monitoring data.

Copy of public key to Server

Step 4: Copy the public key to the Pandora FMS Server. The public key you just generated can be copied in two ways.

Manual copying

The public key file generated in the Client is:

/home/<user>/.ssh/id_rsa.pub

Where <user> is the user name that runs Pandora FMS Software Agent in the Client. If the key pair was generated as root user, it will be in:

/root/.ssh/id_rsa.pub

This file will have a content similar to this one:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzqyZwhAge5LvRgC8uSm3tWaFV9O6fHQek7PjxmbBUxTWfvNbbswbFsF0esD3COavziQAUl3rP8DC28vtdWHFRHq+RS8fmJbU/VpFpN597hGeLPCbDzr2WlMvctZwia7pP4tX9tJI7oyCvDxZ7ubUUi/bvY7tfgi7b1hJHYyWPa8ik3kGhPbcffbEX/PaWbZ6TM8aOxwcHSi/4mtjCdowRwdOJ4dQPkZp+aok3Wubm5dlZCNLOZJzd9+9haGtqNoAY/hkgSe2BKs+IcrOAf6A16yiOZE/GXuk2zsaQv1iL28rOxvJuY7S4/JUvAxySI7V6ySJSljg5iDesuWoRSRdGw== root@dragoon

This content must be added to the end of the authorized_keys file on the Server. Its path is:

/home/pandora/.ssh/authorized_keys

The authorized_keys file on the Server must belong (ownership) to the user pandora:root and must have permissions 600

Automatic copy

Use the following command at Client:

ssh-copy-id pandora@<Server-address>

Where <Server-address> is the IP address or URL of the Server.

It will ask for the server's pandora user password (set in step 1) and, once confirmed, it will display a message similar to the following:

Now try logging into the machine, with "ssh '<Server-address>'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

Perform this test to verify automatic connection to Pandora FMS Server with the pandora user from the Client (with the user running the Software Agent):

ssh pandora@<Server-address>

Once you are able to connect to the Server as described above, the Software Agent on the Client will be able to start sending monitoring data.

Client Configuration

Once you have verified the connection through SSH, this will be the method used by the software agents to copy data to Pandora FMS Server directory. This directory is located at:

/var/spool/pandora/data_in

Also make sure that the directory /var/spool/pandora/data_in exists and the pandora user has writing permissions, otherwise it will not work.

Finally, modify the software agent configuration in the Client to specify that the copying method is SSH. This is modified in /etc/pandora/pandora_agent.conf file, in the transfer_mode configuration token. Remember to restart the software agent service on each Client after this change.

SSH Server assuring

Absolutely no one is safe from security attacks

Pandora FMS uses, among others, sftp/ssh2 (SCP) to copy data files from the software agents to the server. Therefore, you will need at least one data server with an SSH2 server listening to the pandora user. This could be a significant risk in a network that needs to be strictly secured. OpenSSH2 is very secure, but in terms of computer security, there is nothing that is absolutely secure; so, measures must be taken to make it “more” secure.

Always keep in mind Pandora FMS Security Architecture.

It is possible to prevent SSH access for certain users, as well as to configure restrictions on FTP access.

To do this, modify the pandora user on the Server. This user must have a strong password. Its login shell will be changed to restrict SSH access to the user, and its home directory, to prevent its access to other folders:

usermod -s /sbin/nologin -d /var/spool/pandora/data_in pandora

With these changes to the pandora user on the Server, when logging in via SSH, such user will not be able to execute commands with it in an interactive terminal.

(See the recommended operating systems for Pandora FMS.) In Debian systems the shell path is /usr/sbin/nologin.

FTP configuration to receive data in Pandora FMS

The client settings for sending data via FTP allow you to specify the user and password to be sent, making it quite easy to implement FTP copying instead of Tentacle.

What is File Transfer Protocol (FTP)?

Besides configuring Pandora FMS software agents to send data with FTP, you will have to configure an FTP server where you execute Pandora FMS server, establish a password for the pandora user and allow writing access to the pandora user to the /var/spool/pandora/data_in directory and its subdirectories.

This means that you should configure the FTP server to adapt it to these needs; for this, in this guide vsFTPd is used.

vsftpd assuring

The disadvantage of using FTP instead of Tentacle is that sending data through FTP is less secure, since having an FTP running in Pandora FMS server, this makes it more vulnerable to failures inherent to the design of the FTP system. In the following sections we will show how to secure in a basic way the vsftpd server (simply called Server).

For this reason, and in the same way that the SSH login has been disabled for the pandora user for security reasons, a safe access method should be established for the FTP users. A safe and simple method for this is to create a PAM rule for vsftpd. For this you should create a file called /etc/pam.d/ftp containing the following:

auth    required        pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Standard pam includes
@include common-account
@include common-session
@include common-auth
auth    required    pam_succeed_if.so quiet user ingroup pandora
auth    required    pam_succeed_if.so quiet shell = /sbin/nologin

(See the recommended operating systems for Pandora FMS.) In Debian systems the shell path is /usr/sbin/nologin.

In the configuration file of vsftpd (/etc/vsftpd.conf) search the token pam_service_name and set the name of the created file:

pam_service_name=ftp

With this configuration, only the users that belong to the pandora group and have nologin as associated shell will be able to connect to Pandora FMS by FTP, so you should create the pandora group that includes the pandora user. In any case, verify that both exist in the Server.

With a last configuration of the /etc/vsftpd.conf file, the access of the users that access by FTP its root directory will be restricted. The parameters are as follows:

chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.nochroot_list

In case you need to exclude a user from this and avoid restricting it to your Chroot, just include that user in this vsftpd.nochroot_list file (one user per line).

Other options to be configured to implement higher security are the following:

dirlist_enable=NO
download_enable=NO
deny_file=authorized_keys
deny_file=.ssh
chroot_local_user=YES

Remember to restart the vsftpd service after making changes to the configuration file for them to take effect.

With this configuration, the user will be restricted to its root directory (/var/spool/pandora/data_in in the case of the pandora user). The user will be able to make transfers via FTP (send files), but will not be able to list files.

Try to log in with the pandora user in the FTP, change directory and list files; if it does not succeed, the configuration will have been successful.

Go back to Pandora FMS documentation index