check_mysql

Tedman Eng teng at dataway.com
Fri Jan 6 03:42:29 CET 2006

Previous message: check_mysql
Next message: What does it mean ?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

We use a lot of ssh-based checks.  Compiling nrpe is difficult to do on some
linux-based appliances or other locked-down devices.  Most of our checks are
custom scripts that execute ssh-based remote commands.


Though not check_mysql specific, here's some guidelines we follow:

1a) Disable root login, use an alternate restricted account if possible)
PermitRootLogin = no

1b) If not possible to disable root login, disable root's password-based
login
PermitRootLogin = without-password

2) Disable Password-based login, use public key authentication only
   An intruder would have to put a physically place a file on the server to
be able to login

3) Restrict the public key to certain IP's

4) Restrict the public key to certain commands
   (Brian Hatch has a wrapper script to call if you'd like more control)

5) Restrict the public key from port forwarding

6) Install some sort of SSH-banning script like DenyHosts
(denyhosts.sourceforge.net)


Sample public key we put on the remote server

/home/serviceaccount/.ssh/authorized_keys:
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="1.2.3.4",comm
and="/usr/local/bin/check_something" ssh-dss
gnm'@j=v-eEQXsAn]FA])QAOWyTzh8jC[<os)pak?;Mq$QnjVsSM#7h[+SORYndjIUrpPYtKhLLq
THaFYrdyxrBkOa nagios at company.com


The worse that could happen if the private key on the nagios host was
compromised is that someone could execute the remote check at their whim
(possibly causing a denial of service if the remote check is resource
intensive).


-----Original Message-----
From: Rene Nelson [mailto:neririn at gmail.com]
Sent: Thursday, January 05, 2006 1:48 PM
To: nagios-users at lists.sourceforge.net
Subject: [Nagios-users] check_mysql


I want to check this via check_by_ssh, but do not want to use the root user
nor password.  (not too excited about leaving it in a clear text .cfg file)
Is there a way to get the same information using a read-only user with no
password?  Is there a best practices for Check_MySQL via check_by_ssh? 


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null

Previous message: check_mysql
Next message: What does it mean ?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Users mailing list