[HOWTO] Using SSH tunnels to graph a remote Unix server

[fmangeant]

• Version 0.2 (01/09/2008) : added details about SSH options
• Version 0.1 (12/20/2007) : intial release

This HowTo will explain how to use SSH tunnels to graph a Unix server that isn't directly reachable by your Cacti server :



In this example, the Cacti server can reach the Gateway, which can reach the target server.



Chapter I: Configuring the SSH tunnel

On Gateway, create a "cactiuser" user :

Code: Select all

# useradd -d /home/cactiuser -m cactiuser

Then you have to generate SSH keys (without passphrase) :

Code: Select all

# su - cactiuser
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/cactiuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cactiuser/.ssh/id_rsa.
Your public key has been saved in /home/cactiuser/.ssh/id_rsa.pub.
The key fingerprint is:
40:f6:91:a1:2d:d1:46:d4:76:e3:d8:c6:3f:c2:cf:f2 cactiuser@gateway

The public key of the "cactiuser" user has then to be authorized as an input key :

Code: Select all

$ cd $HOME/.ssh
$ cp -p id_rsa.pub authorized_keys

Finally, create the SSH tunnel :

Code: Select all

# su - cactiuser -c "ssh -f -N -g -L 192.168.0.2:10000:192.168.1.2:161 cactiuser@localhost"

This SSH tunnel will forward all packets sent to 192.168.0.2 on TCP port 10000, to 192.168.1.2 on port TCP 161.

The options that are used are the following :

• -f : requests SSH to go to background just before command execution
• -N : do not execute a remote command
• -g : allows remote hosts to connect to local forwarded ports
• -L : specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.

You can add this command to /etc/rc.local, so it will be executed at boot time.



Chapter II: Configuring Net-SNMP

By default, the Net-SNMP agent listens on UDP port 161; we'll modify its configuration to listen on TCP port 161.

To do so, use that in snmpd.conf on the target server :

Code: Select all

agentaddress tcp:161
rocommunity mycommunity

For a more detailed configuration of snmpd.conf, follow this other HowTo.



Chapter III: Testing the SNMP connectivity

From the Gateway host, run this command :

Code: Select all

$ snmpwalk -v 1 -c mycommunity tcp:192.168.1.2 sysname
SNMPv2-MIB::sysName.0 = STRING: target_server

From the Cacti server, run this command :

Code: Select all

$ snmpwalk -v 1 -c mycommunity tcp:192.168.0.2:10000 sysname
SNMPv2-MIB::sysName.0 = STRING: target_server

If everything works fine, your host is then ready to be added to Cacti.

If not, review your network configuration (firewall rules, especially).


Chapter IV: Adding the device to Cacti

In Cacti, create a new device like that :



Voila ! Your target server is graphed by Cacti

[Linegod]

Nice howto - well done!

[Linegod]

Posted to the howto section of Cacti Docs: http://docs.cacti.net/howto

[mercjoe]

This is great, thanks for posting.

But what if there are servers you want to monitor and those servers are on private lans which use the same RFC 1918 private IP blocks ?

Thanks again
Diego

[Linegod]

VPNs and/or MPLS are your only solution.

[mercjoe]

So multiple tunnels is not possible ?

[Linegod]

So multiple tunnels is not possible ?

Multiple tunnels, with multiple NATs is possible, but is easily managed.

[mercjoe]

I meant establishing several tunnels on the gateway/FW, one for each internal server. Thats possible right ? Why do you talk about NAT ?

[Mika2008]

hello,
very good how to !

is it up to date ?
i can use it now for the new cacti please ?

[lamletoi]

I cant use
su - cactiuser -c "ssh -f -N -g -L 192.168.0.2192.168.1.2:161 cactiuser@localhost"

Please help me !

[Leivo]

I've been building my monitoring on my router and as I monitor some external servers also I felt that having that SSH pipe opened once and left unmonitored is a bit of problem. I also trimmed the SSH switches towards more direct connection .
I assume that these pipes are opened from the Cacti host it self that is why I don't use -g nor IP information in my SSH connection. I created a script to monitor the connection status so I don't have to worry if the SSH tunnel gets disconnected for any reason. The script is ran by the cron every three minutes.
The host entry to Cacti also needs to be changed, the one shown in the screen captures didn't work (for me). hostname should be tcp:localhost and SNMP port should be 10000 (and up, as you go along your hosts)

Code: Select all

#!/opt/bin/bash
#
#  SSH tunnel check script
#  Author Juha Leivo
#  versio: 1.0
#

# parameters for array are FQDN for host, location of RSA key, local port to redirect, hostname of the server, SNMP community
host_array=(myserver.mydomain.org /opt/cacti-keys/myserver001_rsa 10000 MYSERVER001 public myserver2.mydomain.org /opt/cacti-keys/myserver2_rsa 10001 MYSERVER002 public)
len=${#host_array[*]} #Num elements in array

debug="1" #debugging enabled if this value is 1
if [ "$debug" -eq "1" ] ; then echo "Array lenght is $len" ; fi

# Parameters SSHKEYLOCATION, LOCALPORTTOBINDTO, HOSTTOCONNECTTO
connect_to_host()
{
  ssh -i $1 -f -N -L $2:127.0.0.1:161 cactimonitor@$3
  if [ "$debug" -eq "1" ] ; then echo "Connection string ssh -i $1 -f -N -L $2:127.0.0.1:161 cactimonitor@$3"; fi
}

# Parameters SNMPCOMMUNITY LOCALPORT HOSTNAME
# returns 1 if host replies back with the same hostname string as given
# returns 2 if the host name doesn't match given name
test_host()
{
  hosttest=`snmpwalk -v 1 -c $1 tcp:localhost:$2 sysname|cut -d: -f 4|cut -c2-`

  if [ "$debug" -eq "1" ] ; then echo "snmpwalk result is $hosttest" ; fi

  if [ "$hosttest" = "$3" ]
  then
    return "1"
  else
    return "2"
  fi
}

# takes the host connection string as its parameter
# counts the amount of connections to determine if connection exist
# tries to kill connection
# returns 1 if no connections detected or connection successfully killed
# returns 2 if connection kill failed
kill_connection()
{
  isConnection=`ps |grep $1|grep -v grep| cut -d" " -f 1 |tail -1|wc -l`
  if [ "$debug" -eq "1" ] ; then echo "connection test result is $isConnection" ; fi
  if [ "$isConnection" -eq "1" ]
  then
    pid=`ps |grep $1|grep -v grep|cut -d" " -f 1 |tail -1`
    if [ "$debug" -eq "1" ] ; then echo "Trying to kill pid $pid" ; fi
    kill $pid
    isConnection=`ps |grep $1|grep -v grep|cut -d" " -f 1 |tail -1|wc -l`
    if [ "$isConnection" -eq "1" ]
    then
      echo "Tried killing, something went wrong, waiting for few minutes"
      return 2
    else
      if [ "$debug" -eq "1" ] ; then echo "Killing connection was successful" ; fi
      return 1
    fi
  else
    if [ "$debug" -eq "1" ] ; then echo "Killing connection was successful as there was no connection to being with" ; fi
    return 1
  fi
}

# looping array
i=0
while [ $i -lt $len ]; do
  echo "Testing host ${host_array[$i+3]}"
  test_host ${host_array[$i+4]} ${host_array[$i+2]} ${host_array[$i+3]}
  if [ "$?" -eq "2" ]
  then
    echo "host connection lost, trying to connect"
    echo "checking for lingering connection"
    kill_connection ${host_array[$i]}
    if [ "$?" -eq "1" ]
    then
      connect_to_host ${host_array[$i+1]} ${host_array[$i+2]} ${host_array[$i]}
      echo "Testing new connection"
      test_host ${host_array[$i+4]} ${host_array[$i+2]} ${host_array[$i+3]}
      if [ "$?" -eq "2" ]
      then
        echo "Still no connection, will retry again in few minutes"
      fi
    fi
  fi
  # going to next host
  let "i += 5"
done

[sharifu]

This is not working for me any more and i cannot seem to figure out why.

if i run it on cli it works and as cacti user, but on not working on the graphs.

Code: Select all

ssh -f -N -g -L 20162:localhost:161 mcmap@xxx.xxx.xxx.xxx > /dev/null 2>&1

Code: Select all

[root@uranus2 share]# snmpwalk -v1 -c mycommunity tcp:localhost:20162 .1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Linux spectrumgeo.com 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64

In the log file i get

Code: Select all

03/09/2015 11:43:19 AM - CMDPHP: Poller[0] WARNING: SNMP Get Timeout for Host:'tcp:localhost:20162', and OID:'.1.3.6.1.2.1.1.1.0' 

[pankajsain]

I got the problem,

PS: Blog author wrongly defined the Ports in 'Hostname field' [tcp:<gateway>:10000] and in 161 in 'Snmp Port field'.

Configuration in cacti web-console should be:

in Hostname field: tcp:192.168.0.2
in Snmp Port field: 10000

Save the configuration and now it will work.

- Pankaj Sain

[sharifu]

I have tried your update, it does not work.





CLI works though

Code: Select all

[root@uranus2 ~]# snmpwalk -v1 -c mycommunity tcp:localhost:20162 system
SNMPv2-MIB::sysDescr.0 = STRING: Linux spectrumgeo.com 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (77402861) 8 days, 23:00:28.61
SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: spectrumgeo.com
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORID.1 = OID: SNMP-MPD-MIB::snmpMPDMIBObjects.3.1.1
SNMPv2-MIB::sysORID.2 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.6 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORDescr.1 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.8 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (6) 0:00:00.06

[sharifu]

i have found the bug, on version 0.8.8.c file snmp.php replace line 56 with

Code: Select all

if($hostname == "tcp:localhost"){
				$output = exec("snmpget -c $community -v 1 tcp:localhost:$port $oid");//@snmpwalk("$hostname:$port", "$community", "$oid", ($timeout * 1000), $retries);
				$explode = explode("=",$output);
				$snmp_value = trim($explode[1]);				
			}else
				$snmp_value = @snmpget("$hostname:$port", "$community", "$oid", ($timeout * 1000), $retries);