check_mysql
Tedman Eng
teng at dataway.com
Fri Jan 6 03:42:29 CET 2006
We use a lot of ssh-based checks. Compiling nrpe is difficult to do on some
linux-based appliances or other locked-down devices. Most of our checks are
custom scripts that execute ssh-based remote commands.
Though not check_mysql specific, here's some guidelines we follow:
1a) Disable root login, use an alternate restricted account if possible)
PermitRootLogin = no
1b) If not possible to disable root login, disable root's password-based
login
PermitRootLogin = without-password
2) Disable Password-based login, use public key authentication only
An intruder would have to put a physically place a file on the server to
be able to login
3) Restrict the public key to certain IP's
4) Restrict the public key to certain commands
(Brian Hatch has a wrapper script to call if you'd like more control)
5) Restrict the public key from port forwarding
6) Install some sort of SSH-banning script like DenyHosts
(denyhosts.sourceforge.net)
Sample public key we put on the remote server
/home/serviceaccount/.ssh/authorized_keys:
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="1.2.3.4",comm
and="/usr/local/bin/check_something" ssh-dss
gnm'@j=v-eEQXsAn]FA])QAOWyTzh8jC[<os)pak?;Mq$QnjVsSM#7h[+SORYndjIUrpPYtKhLLq
THaFYrdyxrBkOa nagios at company.com
The worse that could happen if the private key on the nagios host was
compromised is that someone could execute the remote check at their whim
(possibly causing a denial of service if the remote check is resource
intensive).
-----Original Message-----
From: Rene Nelson [mailto:neririn at gmail.com]
Sent: Thursday, January 05, 2006 1:48 PM
To: nagios-users at lists.sourceforge.net
Subject: [Nagios-users] check_mysql
I want to check this via check_by_ssh, but do not want to use the root user
nor password. (not too excited about leaving it in a clear text .cfg file)
Is there a way to get the same information using a read-only user with no
password? Is there a best practices for Check_MySQL via check_by_ssh?
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list