Gentoo Forums
How do I securely perform remote server monitoring?
audiodef
Watchman

Joined: 06 Jul 2005
Posts: 6308
Location: /usr/lib64/lv2

Posted: Mon Jan 25, 2016 2:05 am    Post subject: How do I securely perform remote server monitoring?

I set up a server so that gkrellmd can only be accessed through ssh. I want to turn the necessary lines into a script, like so:

Code:

#!/bin/bash
ssh -N -f -L 19150:127.0.0.1:19150 (user)@(ip_address)
gkrellm -s 127.0.0.1 -P 19150 &


The problem is ssh can't get a password from me this way. How do I write this with the password included?
_________________
Gentoo Studio: A Gentoo-based, professional digital audio workstation OS.


Last edited by audiodef on Mon Jan 25, 2016 4:34 pm; edited 1 time in total

khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Mon Jan 25, 2016 2:27 am

audiodef ...

if you want passwordless logins then use a (passwordless) key.

best ... khay

audiodef

Posted: Mon Jan 25, 2016 4:33 pm

I don't want to compromise whatever security measures I've set up on my server, so I guess a better question is: What is the best way to perform remote server monitoring in a secure way?

Syl20
Guru

Joined: 04 Aug 2005
Posts: 553
Location: France

Posted: Mon Jan 25, 2016 5:14 pm

What do you want to monitor? Do you want to monitor your system through the internet?
On a LAN, and if you have a little time to set up a server, Nagios (with NRPE), for example, is certainly more appropriate than a set of home-made patches around a localhost-focused tool.

khayyam

Posted: Mon Jan 25, 2016 7:12 pm

audiodef wrote:
I don't want to compromise whatever security measures I've set up on my server

audiodef ... in what way would the use of a key compromise security?

audiodef wrote:
[...] so I guess a better question is: What is the best way to perform remote server monitoring in a secure way?

As CneGroumF points out, that depends on your needs; Nagios/Icinga offers many plugins (i.e., fail2ban, mysql, openvpn) and a web interface, and is the oft-used solution for such things.

best ... khay

audiodef

Posted: Mon Jan 25, 2016 7:14 pm

I want to monitor general server stuff for now: uptime, cpu load, mem, processes - the stuff you get through gkrellm. It's not on a LAN - it's a remote hosted server.

audiodef

Posted: Mon Jan 25, 2016 7:18 pm

khayyam wrote:
audiodef wrote:
I don't want to compromise whatever security measures I've set up on my server

audiodef ... in what way would the use of a key compromise security?



What I mean is I don't want to NOT use a key. :wink:

khayyam

Posted: Mon Jan 25, 2016 7:27 pm

audiodef wrote:
I want to monitor general server stuff for now: uptime, cpu load, mem, processes - the stuff you get through gkrellm. It's not on a LAN - it's a remote hosted server.

audiodef ... personally I wouldn't want to be bothered with such stuff, only be alerted as and when something occurs which needs my attention. However, for your initial problem all you need do is set up a key and have the key added to ssh-agent on login (via sys-auth/pam_ssh or net-misc/keychain) ... your script should then function without the need of a passphrase (because a key exchange would be used for authentication).

best ... khay
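
One way to set up what khayyam describes, as an added example that is not part of the thread: a dedicated key whose server-side authorized_keys entry allows only the forward to gkrellmd, plus the tunnel command for the original script. The key path, `user@server.example`, the `SSH_BIN` override and the function names are assumptions; `restrict` needs OpenSSH 7.2 or later.

```sh
#!/bin/sh
# Added example, not from the thread. KEY, REMOTE, SSH_BIN and the function
# names are assumptions; 19150 is the gkrellmd port from the original script.
KEY="${KEY:-$HOME/.ssh/gkrellm_tunnel}"
REMOTE="${REMOTE:-user@server.example}"
PORT=19150
SSH_BIN="${SSH_BIN:-ssh}"

# authorized_keys entry for the server side. "restrict" turns off pty,
# agent/X11 and port forwarding; "port-forwarding" with permitopen allows
# forwards to gkrellmd only, and the forced command denies any shell.
authorized_keys_entry() {   # $1 = contents of "$KEY.pub"
    printf 'restrict,port-forwarding,permitopen="127.0.0.1:%s",command="/bin/false" %s\n' \
        "$PORT" "$1"
}

# Open the tunnel. BatchMode makes ssh fail instead of prompting when the
# agent has no key loaded; ExitOnForwardFailure makes it fail if the local
# port cannot be bound, so the caller never starts gkrellm without a tunnel.
open_tunnel() {
    "$SSH_BIN" -N -f -i "$KEY" -o IdentitiesOnly=yes -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$PORT:127.0.0.1:$PORT" "$REMOTE"
}

case "${1:-}" in
    setup)  # once: create the key (set a passphrase), print the server entry
        ssh-keygen -t ed25519 -f "$KEY" -C gkrellm-tunnel &&
            authorized_keys_entry "$(cat "$KEY.pub")"
        ;;
    run)    # each session, after `ssh-add "$KEY"` or keychain has loaded it
        open_tunnel || exit 1
        gkrellm -s 127.0.0.1 -P "$PORT" &
        ;;
esac
```

Run it with `setup` once and append the printed line to `~/.ssh/authorized_keys` on the server; a stolen copy of this key can then reach gkrellmd and nothing else.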

krinn
Watchman

Joined: 02 May 2003
Posts: 6968

Posted: Mon Jan 25, 2016 9:00 pm

I'm with khayyam there: first, a key isn't less secure than a password. I wouldn't claim it's even more secure, but that's still what I think.

If you really don't want to use passwords or keys, then use a solution that uses none: you could build a file with the info you want from the server and upload it to your computer through FTP (using anonymous access with a fake email as password); this way, you'll get what you want without sharing any key or real password.
You might just send the file by email if you prefer.

audiodef

Posted: Tue Jan 26, 2016 1:23 am

Found a simple way to do what I wanted: emerge tilda, set it to fill up 100% of my screen in the background, no taskbar or pager, just ssh in normally and leave htop running.

khayyam

Posted: Tue Jan 26, 2016 1:59 am

audiodef wrote:
Found a simple way to do what I wanted: emerge tilda, set it to fill up 100% of my screen in the background, no taskbar or pager, just ssh in normally and leave htop running.

audiodef ... or you could pass the command to run:

Code:
$ ssh user@host htop

best ... khay

dalu
Guru

Joined: 20 Jan 2003
Posts: 494

Posted: Tue Jan 26, 2016 2:53 am

what would I want to monitor indeed..
when I wanted to write my own

net
/sys/class/net/<ifname>/statistics/
or
/proc/net/dev

cpu
/proc/stat

disk
/proc/diskstats

memory
/proc/meminfo

what else could be monitored?
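
The counters dalu lists can be turned into gkrellm-style numbers with a few lines of awk and run as a one-shot command over the existing SSH login, with no extra listening service. This is an added example, not code from the thread; the function names and the `live` argument are assumptions, and `eth0` is only a sample interface name.

```sh
#!/bin/sh
# Added example (not from the thread). Each function takes the file to read,
# so it works on the live /proc files or on saved snapshots.

# CPU busy % between two /proc/stat snapshots, from the aggregate "cpu" line:
# cpu user nice system idle iowait irq softirq steal [guest guest_nice]
cpu_busy_pct() {    # $1 = earlier snapshot, $2 = later snapshot
    awk '$1 == "cpu" {
             n++; T[n] = 0
             for (i = 2; i <= 9; i++) T[n] += $i   # guest time is already in user/nice
             I[n] = $5 + $6                         # idle + iowait
         }
         END {
             dt = T[2] - T[1]
             if (dt <= 0) { print "0.0"; exit }     # identical or reversed snapshots
             printf "%.1f\n", 100 * (dt - (I[2] - I[1])) / dt
         }' "$1" "$2"
}

# Memory in use as % of MemTotal. Kernels without MemAvailable fall back to
# MemFree + Buffers + Cached as the estimate of reclaimable memory.
mem_used_pct() {    # $1 = /proc/meminfo
    awk '$1 == "MemTotal:"     { total = $2 }
         $1 == "MemAvailable:" { avail = $2; have = 1 }
         $1 == "MemFree:" || $1 == "Buffers:" || $1 == "Cached:" { est += $2 }
         END { if (!have) avail = est
               if (total > 0) printf "%.1f\n", 100 * (total - avail) / total }' "$1"
}

# Cumulative "rx_bytes tx_bytes" for one interface from /proc/net/dev.
# The name can be glued to the first counter ("eth0:1234"), so split on ":".
net_bytes() {       # $1 = /proc/net/dev, $2 = interface name
    awk -v ifc="$2" '{ sub(/:/, " ") } $1 == ifc { print $2, $10 }' "$1"
}

# Live use on the monitored host: two CPU samples one second apart.
if [ "${1:-}" = "live" ]; then
    a=$(mktemp) b=$(mktemp)
    cat /proc/stat > "$a"; sleep 1; cat /proc/stat > "$b"
    echo "cpu_busy=$(cpu_busy_pct "$a" "$b")% mem_used=$(mem_used_pct /proc/meminfo)%"
    echo "eth0 rx/tx bytes: $(net_bytes /proc/net/dev eth0)"
    rm -f "$a" "$b"
fi
```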

audiodef

Posted: Tue Jan 26, 2016 3:23 pm

khayyam wrote:
audiodef wrote:
Found a simple way to do what I wanted: emerge tilda, set it to fill up 100% of my screen in the background, no taskbar or pager, just ssh in normally and leave htop running.

audiodef ... or you could pass the command to run:

Code:
$ ssh user@host htop

best ... khay


I actually tried that but got an error about unknown terminal.

audiodef

Posted: Tue Jan 26, 2016 3:25 pm

dalu wrote:
what would I want to monitor indeed..
when I wanted to write my own

net
/sys/class/net/<ifname>/statistics/
or
/proc/net/dev

cpu
/proc/stat

disk
/proc/diskstats

memory
/proc/meminfo

what else could be monitored?


I learned a little more since my OP. You can monitor all kinds of things in all kinds of detail. I found a couple of other useful top utils: apachetop and mytop. There are top programs for various types of network monitoring and packet sniffing, etc. atop is another useful general info top program that shows more detail in an organized way than top.

khayyam

Posted: Tue Jan 26, 2016 8:12 pm

audiodef wrote:
Code:
$ ssh user@host htop

I actually tried that but got an error about unknown terminal.

audiodef ... hmmm, so what is $TERM reporting?

Code:
$ echo $TERM

best ... khay

audiodef

Posted: Wed Jan 27, 2016 12:38 am

Hm, echo $TERM shows xterm at both ends.

enZom
n00b

Joined: 13 Nov 2015
Posts: 30
Location: In a sandbox

Posted: Wed Jan 27, 2016 2:25 am

You could look into using a 2048 bit or higher key.

@monitoring
I often run multiple windows of lnav looking at different log files.
For split windows Tmux or if you're @ a desktop terminator works.

The watch command can be helpful too.
Code:
watch grep \"cpu MHz\" /proc/cpuinfo

Code:
watch cat /proc/net/ip_conntrack

#Or if you have the rest of the conntrack goodies installed.
conntrack -E

Code:
watch netstat -atnu


Also a fan of jnettop
Code:
jnettop -i eth0

ShaneCar
n00b

Joined: 27 Oct 2015
Posts: 4
Location: San Francisco

Posted: Thu Jan 28, 2016 3:32 am

Nagios (NRPE) would save you some time setting up the server. If uptime, cpu load, mem, and processes are what you care about, then that seems like the best option. BigPanda, while not open source, is also an interesting tool. It plugs right into Nagios- https://bigpanda.io/integrations/nagios-the-alternative-to-a-flood-of-alerts- and will sift through all the noise for you, so all you're looking at is high level data that's meaningful. Either way, I think NRPE will save you time and headache.
_________________
Everything Cloud, infrastructure, monitoring, scaling.

audiodef

Posted: Thu Jan 28, 2016 11:59 pm

I came across Nagios earlier, and wondered if it would be overkill for one server.

Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 5595

Posted: Mon Feb 01, 2016 7:24 pm

khayyam wrote:
audiodef wrote:
Code:
$ ssh user@host htop

I actually tried that but got an error about unknown terminal.


You need to write it as ssh -t htop, otherwise the default when a command is passed to ssh is to run it with only dumb pipes for stdin/out.

audiodef

Posted: Mon Feb 01, 2016 7:27 pm

Ant P. wrote:
khayyam wrote:
audiodef wrote:
Code:
$ ssh user@host htop

I actually tried that but got an error about unknown terminal.


You need to write it as ssh -t htop, otherwise the default when a command is passed to ssh is to run it with only dumb pipes for stdin/out.


Thanks! :)