[HOWTO] Using SSH tunnels to graph a remote Unix server

If you figure out how to do something interesting/cool in Cacti and want to share it with the community, please post your experience here.

Moderators: Developers, Moderators

User avatar
fmangeant
Cacti Guru User
Posts: 2345
Joined: Fri Sep 19, 2003 8:36 am
Location: Sophia-Antipolis, France
Contact:

[HOWTO] Using SSH tunnels to graph a remote Unix server

Post by fmangeant »

  • Version 0.2 (01/09/2008) : added details about SSH options
  • Version 0.1 (12/20/2007) : intial release


This HowTo will explain how to use SSH tunnels to graph a Unix server that isn't directly reachable by your Cacti server :

Image

In this example, the Cacti server can reach the Gateway, which can reach the target server.



Chapter I: Configuring the SSH tunnel

On Gateway, create a "cactiuser" user :

Code: Select all

# useradd -d /home/cactiuser -m cactiuser
Then you have to generate SSH keys (without passphrase) :

Code: Select all

# su - cactiuser
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/cactiuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cactiuser/.ssh/id_rsa.
Your public key has been saved in /home/cactiuser/.ssh/id_rsa.pub.
The key fingerprint is:
40:f6:91:a1:2d:d1:46:d4:76:e3:d8:c6:3f:c2:cf:f2 cactiuser@gateway
The public key of the "cactiuser" user has then to be authorized as an input key :

Code: Select all

$ cd $HOME/.ssh
$ cp -p id_rsa.pub authorized_keys
Finally, create the SSH tunnel :

Code: Select all

# su - cactiuser -c "ssh -f -N -g -L 192.168.0.2:10000:192.168.1.2:161 cactiuser@localhost"
This SSH tunnel will forward all packets sent to 192.168.0.2 on TCP port 10000, to 192.168.1.2 on port TCP 161.

The options that are used are the following :
  • -f : requests SSH to go to background just before command execution
  • -N : do not execute a remote command
  • -g : allows remote hosts to connect to local forwarded ports
  • -L : specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.
You can add this command to /etc/rc.local, so it will be executed at boot time.



Chapter II: Configuring Net-SNMP

By default, the Net-SNMP agent listens on UDP port 161; we'll modify its configuration to listen on TCP port 161.

To do so, use that in snmpd.conf on the target server :

Code: Select all

agentaddress tcp:161
rocommunity mycommunity
For a more detailed configuration of snmpd.conf, follow this other HowTo.



Chapter III: Testing the SNMP connectivity

From the Gateway host, run this command :

Code: Select all

$ snmpwalk -v 1 -c mycommunity tcp:192.168.1.2 sysname
SNMPv2-MIB::sysName.0 = STRING: target_server
From the Cacti server, run this command :

Code: Select all

$ snmpwalk -v 1 -c mycommunity tcp:192.168.0.2:10000 sysname
SNMPv2-MIB::sysName.0 = STRING: target_server
If everything works fine, your host is then ready to be added to Cacti.

If not, review your network configuration (firewall rules, especially).


Chapter IV: Adding the device to Cacti

In Cacti, create a new device like that :

Image

Voila ! Your target server is graphed by Cacti :)
Last edited by fmangeant on Wed Jan 09, 2008 9:57 am, edited 2 times in total.
[size=84]
[color=green]HOWTOs[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15353]Install and configure the Net-SNMP agent for Unix[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=26151]Install and configure the Net-SNMP agent for Windows[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=28175]Graph multiple servers using an SNMP proxy[/url][/list]
[color=green]Templates[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15412]Multiple CPU usage for Linux[/url]
[*][url=http://forums.cacti.net/viewtopic.php?p=125152]Memory & swap usage for Unix[/url][/list][/size]
User avatar
Linegod
Developer
Posts: 1626
Joined: Thu Feb 20, 2003 10:16 am
Location: Canada
Contact:

Post by Linegod »

Nice howto - well done!
--
Live fast, die young
You're sucking up my bandwidth.

J.P. Pasnak,CD
CCNA, LPIC-1
http://www.warpedsystems.sk.ca
User avatar
Linegod
Developer
Posts: 1626
Joined: Thu Feb 20, 2003 10:16 am
Location: Canada
Contact:

Post by Linegod »

Posted to the howto section of Cacti Docs: http://docs.cacti.net/howto
--
Live fast, die young
You're sucking up my bandwidth.

J.P. Pasnak,CD
CCNA, LPIC-1
http://www.warpedsystems.sk.ca
mercjoe
Posts: 18
Joined: Fri May 28, 2010 7:29 pm

Post by mercjoe »

This is great, thanks for posting.

But what if there are servers you want to monitor and those servers are on private lans which use the same RFC 1918 private IP blocks ?

Thanks again
Diego
User avatar
Linegod
Developer
Posts: 1626
Joined: Thu Feb 20, 2003 10:16 am
Location: Canada
Contact:

Post by Linegod »

VPNs and/or MPLS are your only solution.
--
Live fast, die young
You're sucking up my bandwidth.

J.P. Pasnak,CD
CCNA, LPIC-1
http://www.warpedsystems.sk.ca
mercjoe
Posts: 18
Joined: Fri May 28, 2010 7:29 pm

Post by mercjoe »

So multiple tunnels is not possible ?
User avatar
Linegod
Developer
Posts: 1626
Joined: Thu Feb 20, 2003 10:16 am
Location: Canada
Contact:

Post by Linegod »

mercjoe wrote:So multiple tunnels is not possible ?
Multiple tunnels, with multiple NATs is possible, but is easily managed.
--
Live fast, die young
You're sucking up my bandwidth.

J.P. Pasnak,CD
CCNA, LPIC-1
http://www.warpedsystems.sk.ca
mercjoe
Posts: 18
Joined: Fri May 28, 2010 7:29 pm

Post by mercjoe »

I meant establishing several tunnels on the gateway/FW, one for each internal server. Thats possible right ? Why do you talk about NAT ?
Mika2008
Posts: 26
Joined: Tue Dec 01, 2009 4:24 pm

Re: [HOWTO] Using SSH tunnels to graph a remote Unix server

Post by Mika2008 »

hello,
very good how to !

is it up to date ?
i can use it now for the new cacti please ?
lamletoi
Posts: 1
Joined: Thu Nov 24, 2011 12:05 am

Re: [HOWTO] Using SSH tunnels to graph a remote Unix server

Post by lamletoi »

I cant use
su - cactiuser -c "ssh -f -N -g -L 192.168.0.2:10000:192.168.1.2:161 cactiuser@localhost"

Please help me !
Leivo
Posts: 5
Joined: Wed May 01, 2013 11:56 am

Re: [HOWTO] Using SSH tunnels to graph a remote Unix server

Post by Leivo »

I've been building my monitoring on my router and as I monitor some external servers also I felt that having that SSH pipe opened once and left unmonitored is a bit of problem. I also trimmed the SSH switches towards more direct connection :).
I assume that these pipes are opened from the Cacti host it self that is why I don't use -g nor IP information in my SSH connection. I created a script to monitor the connection status so I don't have to worry if the SSH tunnel gets disconnected for any reason. The script is ran by the cron every three minutes.
The host entry to Cacti also needs to be changed, the one shown in the screen captures didn't work (for me). hostname should be tcp:localhost and SNMP port should be 10000 (and up, as you go along your hosts)

Code: Select all

#!/opt/bin/bash
#
#  SSH tunnel check script
#  Author Juha Leivo
#  versio: 1.0
#

# parameters for array are FQDN for host, location of RSA key, local port to redirect, hostname of the server, SNMP community
host_array=(myserver.mydomain.org /opt/cacti-keys/myserver001_rsa 10000 MYSERVER001 public myserver2.mydomain.org /opt/cacti-keys/myserver2_rsa 10001 MYSERVER002 public)
len=${#host_array[*]} #Num elements in array

debug="1" #debugging enabled if this value is 1
if [ "$debug" -eq "1" ] ; then echo "Array lenght is $len" ; fi

# Parameters SSHKEYLOCATION, LOCALPORTTOBINDTO, HOSTTOCONNECTTO
connect_to_host()
{
  ssh -i $1 -f -N -L $2:127.0.0.1:161 cactimonitor@$3
  if [ "$debug" -eq "1" ] ; then echo "Connection string ssh -i $1 -f -N -L $2:127.0.0.1:161 cactimonitor@$3"; fi
}

# Parameters SNMPCOMMUNITY LOCALPORT HOSTNAME
# returns 1 if host replies back with the same hostname string as given
# returns 2 if the host name doesn't match given name
test_host()
{
  hosttest=`snmpwalk -v 1 -c $1 tcp:localhost:$2 sysname|cut -d: -f 4|cut -c2-`

  if [ "$debug" -eq "1" ] ; then echo "snmpwalk result is $hosttest" ; fi

  if [ "$hosttest" = "$3" ]
  then
    return "1"
  else
    return "2"
  fi
}

# takes the host connection string as its parameter
# counts the amount of connections to determine if connection exist
# tries to kill connection
# returns 1 if no connections detected or connection successfully killed
# returns 2 if connection kill failed
kill_connection()
{
  isConnection=`ps |grep $1|grep -v grep| cut -d" " -f 1 |tail -1|wc -l`
  if [ "$debug" -eq "1" ] ; then echo "connection test result is $isConnection" ; fi
  if [ "$isConnection" -eq "1" ]
  then
    pid=`ps |grep $1|grep -v grep|cut -d" " -f 1 |tail -1`
    if [ "$debug" -eq "1" ] ; then echo "Trying to kill pid $pid" ; fi
    kill $pid
    isConnection=`ps |grep $1|grep -v grep|cut -d" " -f 1 |tail -1|wc -l`
    if [ "$isConnection" -eq "1" ]
    then
      echo "Tried killing, something went wrong, waiting for few minutes"
      return 2
    else
      if [ "$debug" -eq "1" ] ; then echo "Killing connection was successful" ; fi
      return 1
    fi
  else
    if [ "$debug" -eq "1" ] ; then echo "Killing connection was successful as there was no connection to being with" ; fi
    return 1
  fi
}

# looping array
i=0
while [ $i -lt $len ]; do
  echo "Testing host ${host_array[$i+3]}"
  test_host ${host_array[$i+4]} ${host_array[$i+2]} ${host_array[$i+3]}
  if [ "$?" -eq "2" ]
  then
    echo "host connection lost, trying to connect"
    echo "checking for lingering connection"
    kill_connection ${host_array[$i]}
    if [ "$?" -eq "1" ]
    then
      connect_to_host ${host_array[$i+1]} ${host_array[$i+2]} ${host_array[$i]}
      echo "Testing new connection"
      test_host ${host_array[$i+4]} ${host_array[$i+2]} ${host_array[$i+3]}
      if [ "$?" -eq "2" ]
      then
        echo "Still no connection, will retry again in few minutes"
      fi
    fi
  fi
  # going to next host
  let "i += 5"
done
sharifu
Posts: 13
Joined: Mon Apr 16, 2012 10:08 am

Re: [HOWTO] Using SSH tunnels to graph a remote Unix server

Post by sharifu »

This is not working for me any more and i cannot seem to figure out why.

if i run it on cli it works and as cacti user, but on not working on the graphs.


Code: Select all

ssh -f -N -g -L 20162:localhost:161 mcmap@xxx.xxx.xxx.xxx > /dev/null 2>&1

Code: Select all

[root@uranus2 share]# snmpwalk -v1 -c mycommunity tcp:localhost:20162 .1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Linux spectrumgeo.com 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64
In the log file i get

Code: Select all

03/09/2015 11:43:19 AM - CMDPHP: Poller[0] WARNING: SNMP Get Timeout for Host:'tcp:localhost:20162', and OID:'.1.3.6.1.2.1.1.1.0' 
pankajsain
Posts: 1
Joined: Wed Mar 18, 2015 3:01 am

Re: [HOWTO] Using SSH tunnels to graph a remote Unix server

Post by pankajsain »

:D I got the problem,

PS: Blog author wrongly defined the Ports in 'Hostname field' [tcp:<gateway>:10000] and in 161 in 'Snmp Port field'.

Configuration in cacti web-console should be:

in Hostname field: tcp:192.168.0.2
in Snmp Port field: 10000

Save the configuration and now it will work.

- Pankaj Sain
sharifu
Posts: 13
Joined: Mon Apr 16, 2012 10:08 am

Re: [HOWTO] Using SSH tunnels to graph a remote Unix server

Post by sharifu »

I have tried your update, it does not work.


Image


CLI works though

Code: Select all

[root@uranus2 ~]# snmpwalk -v1 -c mycommunity tcp:localhost:20162 system
SNMPv2-MIB::sysDescr.0 = STRING: Linux spectrumgeo.com 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (77402861) 8 days, 23:00:28.61
SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: spectrumgeo.com
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORID.1 = OID: SNMP-MPD-MIB::snmpMPDMIBObjects.3.1.1
SNMPv2-MIB::sysORID.2 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.6 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORDescr.1 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.8 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (6) 0:00:00.06

sharifu
Posts: 13
Joined: Mon Apr 16, 2012 10:08 am

Re: [HOWTO] Using SSH tunnels to graph a remote Unix server

Post by sharifu »

i have found the bug, on version 0.8.8.c file snmp.php replace line 56 with

Code: Select all

if($hostname == "tcp:localhost"){
				$output = exec("snmpget -c $community -v 1 tcp:localhost:$port $oid");//@snmpwalk("$hostname:$port", "$community", "$oid", ($timeout * 1000), $retries);
				$explode = explode("=",$output);
				$snmp_value = trim($explode[1]);				
			}else
				$snmp_value = @snmpget("$hostname:$port", "$community", "$oid", ($timeout * 1000), $retries);
Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests