Setting up more secure Nagios clients
I'm often called in to organizations that have no monitoring. Setting up a Nagios server is pretty straightforward, but the prospect of installing dozens of Nagios client setups by hand is not appealing.
There are lots of ways to get plugin data from clients. My favorite is ssh with an open (unencrypted) key. I use /bin/rbash on the client to restrict what the shell can do and create a single custom key that is copied to each box (see man ssh-keygen for details).
To use ssh on the Nagios server you have to write custom command entries; here's a sample for the commands.cfg file:
------------------------------------------
define command{
        command_name    ssh_check_procs
# the command doesn't have a path because the clients
# use a restricted bash that is not allowed to use
# slashes in the command line
        command_line    ssh -2i /usr/local/nagios/keys/id_client_nagios \
                        $HOSTADDRESS$ check_procs
        }
------------------------------------------
# Here's the shell recipe I use to get them going.
# Set up the client environment on machines to be monitored.
# As root!
# Tony Hansmann (t o n y replacewith-at-sign open source consulting com)

# use rbash for added safety with an open SSH key
ln -s /bin/bash /bin/rbash
mkdir -p /usr/local/nagios/libexec
useradd -d /usr/local/nagios/libexec -c "nagios client user" -s /bin/rbash nagios
chown root:nagios /usr/local/nagios/libexec
chmod 750 /usr/local/nagios/libexec

# add the id_client_nagios.pub from the nagios server to the
# ~nagios/.ssh/authorized_keys file on each client. The directory has
# to exist first, and sshd expects it to be private to the user.
mkdir -p ~nagios/.ssh
touch ~nagios/.ssh/authorized_keys
# (append the contents of id_client_nagios.pub to ~nagios/.ssh/authorized_keys here)
chmod 700 ~nagios/.ssh
chmod 600 ~nagios/.ssh/authorized_keys
chown nagios ~nagios/.ssh ~nagios/.ssh/authorized_keys

# remove all dot files from the client dir (top level only; .ssh is a
# directory and is left alone)
find ~nagios -maxdepth 1 -type f -name ".*" -print -exec rm -f {} +

# rewrite the .bashrc (do not create any other dot files)
echo "PATH=\$HOME:/usr/bin" > ~nagios/.bashrc
chown root:root ~nagios/.bashrc
chmod 755 ~nagios/.bashrc

# make the interactive login use the same config file.
ln -sf ~nagios/.bashrc ~nagios/.bash_profile

########## Back on the server now ##############
# As root, scp the server's ~nagios/libexec/* to the client:
scp -r ~nagios/libexec/* root@client:/usr/local/nagios/libexec
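The recipe above leaves the key in ~nagios/.ssh/authorized_keys unrestricted on the sshd side; rbash is the only thing limiting what it can run. The following is an added example (not the author's recipe) that prepends OpenSSH key options to that entry so the key only works from the Nagios server's address and cannot request port or agent forwarding, X11, or a pty, plus a small check that flags any key line in the file that lacks those options. The server address 192.0.2.10 and the key material are constructed placeholders; a command= option is deliberately not used, because the server sends a different plugin name with each check.

```shell
# Added example, not from the original post: harden the authorized_keys entry
# the recipe installs in ~nagios/.ssh on each client. rbash already limits what
# the key can run; these OpenSSH key options additionally pin the key to the
# Nagios server's address and refuse forwarding and pty allocation.
# NAGIOS_SERVER and the key material used below are constructed placeholders.

NAGIOS_SERVER="192.0.2.10"   # assumption: address the Nagios server connects from

# build_restricted_key "<pubkey line>" -> prints the same key with the
# restriction options prepended, ready to append to authorized_keys.
build_restricted_key() {
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$NAGIOS_SERVER" "$1"
}

# check_authorized_keys <file> -> returns 0 when every key line in the file
# carries both a from= restriction and no-pty, 1 otherwise; offending lines
# are listed on stderr. Blank lines and # comments are skipped.
check_authorized_keys() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;                 # skip blanks and comments
            *from=*no-pty*|*no-pty*from=*) ;;    # restricted entry: fine
            *) echo "unrestricted key: $line" >&2; status=1 ;;
        esac
    done < "$1"
    return "$status"
}

# usage, on the client as root (id_client_nagios.pub copied from the server):
#   build_restricted_key "$(cat id_client_nagios.pub)" >> ~nagios/.ssh/authorized_keys
#   check_authorized_keys ~nagios/.ssh/authorized_keys
```

The check is a pattern match, not a parser: it confirms the options are present on every line but does not judge how broad the from= address list is, so review that value yourself when it is anything other than the single server address.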