[hobbit] need help in monitoring edmz client

Lennon, Padraig Padraig.Lennon at pioneerinvestments.com
Sun Aug 17 13:40:58 CEST 2008


Hi Johan,
The script should be used on the hobbit server, NOT the client side as
you are checking that the link from the server to the client is ok. It
is bad practice to run the software as root. You should really use a
dedicated user for the installs of hobbit.
 
1. You should setup ssh public/private key between the hobbit
application user (normally hobbit or something similar) and whatever
user you used on the client. This is normally hobbit too
4. An example of the bb-host entry is the following 
    0.0.0.0 server.domain.com # noconn ssh-tunnel  (You should leave the
noconn there if you do not allow outgoing pings to the DMZ host.
5. This is an example of my client hobbitclient.cfg file  (at the top) -
Change the BBDISP (this may have changed in 4.3??)
 
# Environment settings for the Hobbit client.
 
BBDISP="127.0.0.1"             # IP address of the Hobbit server

regards

 
 
 
 
 
Padraig Lennon
Senior Systems Engineer
Production Services
Pioneer Global Investments (Dublin)
5th Floor Georges Quay Plaza, Dublin 2
ext: 2081
Direct dial: 00353 1 480 2081
 

________________________________

From: Johan Booysen [mailto:johan at matrix-data.co.uk] 
Sent: 15 August 2008 11:22
To: hobbit at hswn.dk
Subject: RE: [hobbit] need help in monitoring edmz client



I wonder if you'd mind helping me out on this.

 

I've followed the instructions on
http://www.trantor.org/theshire/doku.php/addons:ssh_tunnel, but must be
missing something somewhere.

 

I've got the following:

 

1.       Password-less ssh between the server and the clients (for both
hobbit and root users, to be sure)

2.       The ssh-tunnels script copied to the appropriate location,
chmodded to 750:
-rwxr-xr-x 1 root root 5469 Aug 15 09:05
/usr/lib/hobbit/server/ext/ssh-tunnels.sh

3.       Added the following to
/usr/lib/hobbit/server/etc/hobbitlaunch.cfg:
[ssh-tunnel]
    ENVFILE /usr/lib/hobbit/server/etc/hobbitserver.cfg
    CMD $BBHOME/ext/ssh-tunnels.sh
    LOGFILE $BBSERVERLOGS/ssh-tunnels.log
    INTERVAL 1m

4.       Appended the following to client entries in bb-hosts
(deliberately trying both ssh_tunnels and ssh_tunnel):
10.2.0.5    servername       ssh_tunnels
10.2.0.6    servername       ssh_tunnel

5.       On the clients I've got this in /etc/default/hobbit-client:
HOBBITSERVERS="127.0.0.1"

 

So the one thing I'm missing is where to set BBDISPLAY to 127.0.0.1 on
the client.  Is this different from having HOBBITSERVERS="127.0.0.1" in
/etc/default/hobbit-client?

 

Restart the hobbit server, but the above don't seem to be doing the
trick.  /var/log/hobbit/ssh-tunnels.log is empty at this stage.

 

Would appreciate it if you could tell me if I've missed out on something
somewhere, or the best way of troubleshooting this.  The way I've done
it before with the ssh tunnels being established via /etc/rc.local does
not appear work out as well as I thought it would.

 

Thanks.




From: Lennon, Padraig [mailto:Padraig.Lennon at pioneerinvestments.com] 
Sent: 14 August 2008 17:05
To: hobbit at hswn.dk
Subject: RE: [hobbit] need help in monitoring edmz client

 

Not sure if this is of any use to you Johan..

 

 

I have a server side script which controls the ssh tunnels to my
windows/*nix clients which are in the DMZ

 

Basically it requires that you put a tag at the end of the client name
in bb-hosts called ssh-tunnel

 

Its hardly a work of art but it works ok for us.. If it sees the
connection is down it will warn and continue to retry the connection..

 

Hope this helps..

 

regards

 

 

 

Padraig Lennon

Senior Systems Engineer

Production Services

Pioneer Global Investments (Dublin)

5th Floor Georges Quay Plaza, Dublin 2

ext: 2081

Direct dial: 00353 1 480 2081

 

 

________________________________

From: Johan Booysen [mailto:johan at matrix-data.co.uk] 
Sent: 14 August 2008 16:57
To: hobbit at hswn.dk
Subject: RE: [hobbit] need help in monitoring edmz client

I want to be able to monitor 2 hosts in the dmz.

 

Having su -c "ssh hobbit at hobbitclient -T -n -N -g -x
-R1984:127.0.0.1:1984" hobbit in /etc/rc.local seems to work for the
first host.  I added a second line like that for a second host, but it
doesn't work for the second host unless I execute the command manually -
at which point both dmz hosts report back.

 

Does anyone know why this is happening and how I can get it to work?

 

Thanks.

 

From: Johan Booysen [mailto:johan at matrix-data.co.uk] 
Sent: 14 August 2008 14:02
To: hobbit at hswn.dk
Subject: RE: [hobbit] need help in monitoring edmz client

 

This works for me (RHEL5 machines), if it helps anyone else.  Any
comments most welcome:

 

Create the .ssh folder (on both the hobbit server and the hobbit client)
in /var/lib/hobbit as root, chown it to hobbit:hobbit, and chmod it to
700.

 

On the hobbit server, now as the hobbit user:

 

Generate a private/public keypair with an empty password:

 

$ pwd

   /var/lib/hobbit

 

$ ssh-keygen -t dsa

 

Copy the generated public key to the hobbit client:

 

$ scp .ssh/id_dsa.pub hobbit at hobbitclient:/var/lib/hobbit

 

 

On the hobbit client:

 

Rename the public key:

 

$ mv id_dsa.pub authorized_keys

 

Copy the authorized_keys file to the user's .ssh directory. 

 

$ mv authorized_keys .ssh/

 

Check that the authorized_keys file has the following permissions:

 

-rw-r--r-- 1 hobbit hobbit 603 Aug 14 12:16 authorized_keys

 

>From the server, log on to the client.  You should not be prompted for a
password

 

Modify the hobbit server's /etc/rc.local:

 

  su -c "ssh hobbit at hobbitclient -T -n -N -g -x -R1984:127.0.0.1:1984"
hobbit

  

Configure /etc/default/hobbit-client on the hobbit client in the DMZ to
connect to localhost:

 

  HOBBITSERVERS="127.0.0.1"

 

Add the client to /etc/hobbit/bb-hosts on the hobbit server:

 

  10.2.0.5    target_machine

 

From: Johan Booysen [mailto:johan at matrix-data.co.uk] 
Sent: 14 August 2008 13:26
To: hobbit at hswn.dk
Subject: RE: [hobbit] need help in monitoring edmz client

 

Just to clarify:

 

I've set up ssh keys authentication between the hobbit server and a
client in our DMZ, for the hobbit user.

 

I can ssh from server to client without entering a password, so it
works.

 

If I run ssh hobbit at x.x.x.x -T -n -N -g -x -R1984:127.0.0.1:1984 from
the commanline on the server, communications between server and client
works.

 

If I add ssh hobbit at 10.2.0.5 -T -n -N -g -x -R1984:127.0.0.1:1984 either
to initttab or  /etc/rc.local, then the client stops reporting (after a
server reboot).

 

Anyone know what I should do?

 

Thanks.

 

From: Johan Booysen [mailto:johan at matrix-data.co.uk] 
Sent: 14 August 2008 12:49
To: hobbit at hswn.dk
Subject: RE: [hobbit] need help in monitoring edmz client

 

Daniel,

 

Do you just simply add that command to inittab?

 

Thanks.

 

 

From: Perumal, Santoshbabu [mailto:santoshbabu_perumal at platts.com] 
Sent: 13 August 2008 19:20
To: hobbit at hswn.dk
Subject: RE: [hobbit] need help in monitoring edmz client

 

HI Daniel

 

   Thanks for your steps. Yes my target machine is UNIX box.

 

 

from the hobbit server , run from inittab   (I don't understand run from
innittab ..I can run the below command from command line shell promt
right)

ssh user at taregt_machine -T -n -N -g -x -R1984:127.0.0.1:1984  

 

 

on the target machine, set the hobbit client to connect to localhost
--I have to edit hobbitclient.cfg and change BBDISP value to 127.0.0.1
right..want to make sure...

 

 

Also hobbit server has to communicate with target machines(clients) on
port 1984 right.otherwise this step does not work right.

 

 

 

Thanks

 

 

________________________________

From: Daniel Bourque [mailto:dbourque at weatherdata.com] 
Sent: Wednesday, August 13, 2008 1:52 PM
To: hobbit at hswn.dk
Subject: Re: [hobbit] need help in monitoring edmz client

 

If the target machine is unix/linux. The simplest way is to use ssh keys
& tunneling.

from the hobbit server , run from inittab   

ssh user at taregt_machine -T -n -N -g -x -R1984:127.0.0.1:1984

on the target machine, set the hobbit client to connect to localhost.

Daniel Bourque
Sr. Systems Engineer
WeatherData Service Inc
An Accuweather Company



Perumal, Santoshbabu wrote: 

Hi, 

  

   We have some servers in edmz.port 1984 is blocked by firewall.so
client cannot able to communicate with hobbit server on port 1984.when I
search around I read about msgcache,hobbitfetch utilities but I am not
familiar with that. can anyone please give me the configuration steps
that I need to make on both server side and edmz client site. 

  

Thanks in advance 

  

Thanks 

santhosh 

  

  

The information contained in this message is intended only for the
recipient, and may be a confidential attorney-client communication or
may otherwise be privileged and confidential and protected from
disclosure. If the reader of this message is not the intended recipient,
or an employee or agent responsible for delivering this message to the
intended recipient, please be aware that any dissemination or copying of
this communication is strictly prohibited. If you have received this
communication in error, please immediately notify us by replying to the
message and deleting it from your computer.  The McGraw-Hill Companies,
Inc. reserves the right, subject to applicable local law, to monitor and
review the content of any electronic message or information sent to or
from McGraw-Hill employee e-mail addresses without informing the sender
or recipient of the message. 

 

________________________________

The information contained in this message is intended only for the
recipient, and may be a confidential attorney-client communication or
may otherwise be privileged and confidential and protected from
disclosure. If the reader of this message is not the intended recipient,
or an employee or agent responsible for delivering this message to the
intended recipient, please be aware that any dissemination or copying of
this communication is strictly prohibited. If you have received this
communication in error, please immediately notify us by replying to the
message and deleting it from your computer. The McGraw-Hill Companies,
Inc. reserves the right, subject to applicable local law, to monitor and
review the content of any electronic message or information sent to or
from McGraw-Hill employee e-mail addresses without informing the sender
or recipient of the message.

________________________________

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20080817/a9ae8df0/attachment.html>
-------------- next part --------------



"The information in this e-mail and in any attachments is confidential and intended solely 
for the attention and use of the named addressee(s). This information may be subject to legal, 
professional or other privilege and further distribution of it is strictly prohibited without 
our authority. If you are not the intended recipient, you are not authorised to and must not 
disclose, copy, distribute, or retain this message or any part of it, and should notify us 
immediately.

This footnote also confirms that this email has been automatically scanned for the presence 
of computer viruses, profanities and certain file types."

Pioneer Investment Management Limited.

1 George’s Quay Plaza, George’s Quay, Dublin 2, Ireland. 

Registered in Ireland no. 287793.


More information about the Xymon mailing list