[HOWTO] Using SSH tunnels to graph a remote Unix server

If you figure out how to do something interesting/cool in Cacti and want to share it with the community, please post your experience here.

Moderators: Moderators, Developers

Author
Message
User avatar
fmangeant
Cacti Guru User
Posts: 2326
Joined: Fri Sep 19, 2003 8:36 am
Location: Sophia-Antipolis, France
Contact:

[HOWTO] Using SSH tunnels to graph a remote Unix server

#1 Post by fmangeant » Thu Dec 20, 2007 10:46 am

  • Version 0.2 (01/09/2008) : added details about SSH options
  • Version 0.1 (12/20/2007) : intial release


This HowTo will explain how to use SSH tunnels to graph a Unix server that isn't directly reachable by your Cacti server :

Image

In this example, the Cacti server can reach the Gateway, which can reach the target server.



Chapter I: Configuring the SSH tunnel

On Gateway, create a "cactiuser" user :

Code: Select all

# useradd -d /home/cactiuser -m cactiuser
Then you have to generate SSH keys (without passphrase) :

Code: Select all

# su - cactiuser
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/cactiuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cactiuser/.ssh/id_rsa.
Your public key has been saved in /home/cactiuser/.ssh/id_rsa.pub.
The key fingerprint is:
40:f6:91:a1:2d:d1:46:d4:76:e3:d8:c6:3f:c2:cf:f2 [email protected]
The public key of the "cactiuser" user has then to be authorized as an input key :

Code: Select all

$ cd $HOME/.ssh
$ cp -p id_rsa.pub authorized_keys
Finally, create the SSH tunnel :

Code: Select all

# su - cactiuser -c "ssh -f -N -g -L 192.168.0.2:10000:192.168.1.2:161 [email protected]"
This SSH tunnel will forward all packets sent to 192.168.0.2 on TCP port 10000, to 192.168.1.2 on port TCP 161.

The options that are used are the following :
  • -f : requests SSH to go to background just before command execution
  • -N : do not execute a remote command
  • -g : allows remote hosts to connect to local forwarded ports
  • -L : specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.
You can add this command to /etc/rc.local, so it will be executed at boot time.



Chapter II: Configuring Net-SNMP

By default, the Net-SNMP agent listens on UDP port 161; we'll modify its configuration to listen on TCP port 161.

To do so, use that in snmpd.conf on the target server :

Code: Select all

agentaddress tcp:161
rocommunity mycommunity
For a more detailed configuration of snmpd.conf, follow this other HowTo.



Chapter III: Testing the SNMP connectivity

From the Gateway host, run this command :

Code: Select all

$ snmpwalk -v 1 -c mycommunity tcp:192.168.1.2 sysname
SNMPv2-MIB::sysName.0 = STRING: target_server
From the Cacti server, run this command :

Code: Select all

$ snmpwalk -v 1 -c mycommunity tcp:192.168.0.2:10000 sysname
SNMPv2-MIB::sysName.0 = STRING: target_server
If everything works fine, your host is then ready to be added to Cacti.

If not, review your network configuration (firewall rules, especially).


Chapter IV: Adding the device to Cacti

In Cacti, create a new device like that :

Image

Voila ! Your target server is graphed by Cacti :)
Last edited by fmangeant on Wed Jan 09, 2008 9:57 am, edited 2 times in total.
[size=84]
[color=green]HOWTOs[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15353]Install and configure the Net-SNMP agent for Unix[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=26151]Install and configure the Net-SNMP agent for Windows[/url]
[*][url=http://forums.cacti.net/viewtopic.php?t=28175]Graph multiple servers using an SNMP proxy[/url][/list]
[color=green]Templates[/color] :
[list][*][url=http://forums.cacti.net/viewtopic.php?t=15412]Multiple CPU usage for Linux[/url]
[*][url=http://forums.cacti.net/viewtopic.php?p=125152]Memory & swap usage for Unix[/url][/list][/size]

User avatar
Linegod
Developer
Posts: 1630
Joined: Thu Feb 20, 2003 10:16 am
Location: Canada
Contact:

#2 Post by Linegod » Thu Jan 03, 2008 1:27 pm

Nice howto - well done!
--
Live fast, die young
You're sucking up my bandwidth.

J.P. Pasnak,CD
CCNA, LPIC-1
http://www.warpedsystems.sk.ca

User avatar
Linegod
Developer
Posts: 1630
Joined: Thu Feb 20, 2003 10:16 am
Location: Canada
Contact:

#3 Post by Linegod » Sat Jul 04, 2009 10:24 am

Posted to the howto section of Cacti Docs: http://docs.cacti.net/howto
--
Live fast, die young
You're sucking up my bandwidth.

J.P. Pasnak,CD
CCNA, LPIC-1
http://www.warpedsystems.sk.ca

mercjoe
Posts: 18
Joined: Fri May 28, 2010 7:29 pm

#4 Post by mercjoe » Sun May 30, 2010 6:40 pm

This is great, thanks for posting.

But what if there are servers you want to monitor and those servers are on private lans which use the same RFC 1918 private IP blocks ?

Thanks again
Diego

User avatar
Linegod
Developer
Posts: 1630
Joined: Thu Feb 20, 2003 10:16 am
Location: Canada
Contact:

#5 Post by Linegod » Sun May 30, 2010 7:55 pm

VPNs and/or MPLS are your only solution.
--
Live fast, die young
You're sucking up my bandwidth.

J.P. Pasnak,CD
CCNA, LPIC-1
http://www.warpedsystems.sk.ca

mercjoe
Posts: 18
Joined: Fri May 28, 2010 7:29 pm

#6 Post by mercjoe » Sun May 30, 2010 8:24 pm

So multiple tunnels is not possible ?

User avatar
Linegod
Developer
Posts: 1630
Joined: Thu Feb 20, 2003 10:16 am
Location: Canada
Contact:

#7 Post by Linegod » Sun May 30, 2010 9:35 pm

mercjoe wrote:So multiple tunnels is not possible ?
Multiple tunnels, with multiple NATs is possible, but is easily managed.
--
Live fast, die young
You're sucking up my bandwidth.

J.P. Pasnak,CD
CCNA, LPIC-1
http://www.warpedsystems.sk.ca

mercjoe
Posts: 18
Joined: Fri May 28, 2010 7:29 pm

#8 Post by mercjoe » Sun May 30, 2010 11:04 pm

I meant establishing several tunnels on the gateway/FW, one for each internal server. Thats possible right ? Why do you talk about NAT ?

Mika2008
Posts: 26
Joined: Tue Dec 01, 2009 4:24 pm

Re: [HOWTO] Using SSH tunnels to graph a remote Unix server

#9 Post by Mika2008 » Thu Nov 04, 2010 8:42 am

hello,
very good how to !

is it up to date ?
i can use it now for the new cacti please ?

lamletoi
Posts: 1
Joined: Thu Nov 24, 2011 12:05 am

Re: [HOWTO] Using SSH tunnels to graph a remote Unix server

#10 Post by lamletoi » Thu Nov 24, 2011 12:09 am

I cant use
su - cactiuser -c "ssh -f -N -g -L 192.168.0.2:10000:192.168.1.2:161 [email protected]"

Please help me !

Leivo
Posts: 5
Joined: Wed May 01, 2013 11:56 am

Re: [HOWTO] Using SSH tunnels to graph a remote Unix server

#11 Post by Leivo » Wed May 01, 2013 12:05 pm

I've been building my monitoring on my router and as I monitor some external servers also I felt that having that SSH pipe opened once and left unmonitored is a bit of problem. I also trimmed the SSH switches towards more direct connection :).
I assume that these pipes are opened from the Cacti host it self that is why I don't use -g nor IP information in my SSH connection. I created a script to monitor the connection status so I don't have to worry if the SSH tunnel gets disconnected for any reason. The script is ran by the cron every three minutes.
The host entry to Cacti also needs to be changed, the one shown in the screen captures didn't work (for me). hostname should be tcp:localhost and SNMP port should be 10000 (and up, as you go along your hosts)

Code: Select all

#!/opt/bin/bash
#
#  SSH tunnel check script
#  Author Juha Leivo
#  versio: 1.0
#

# parameters for array are FQDN for host, location of RSA key, local port to redirect, hostname of the server, SNMP community
host_array=(myserver.mydomain.org /opt/cacti-keys/myserver001_rsa 10000 MYSERVER001 public myserver2.mydomain.org /opt/cacti-keys/myserver2_rsa 10001 MYSERVER002 public)
len=${#host_array[*]} #Num elements in array

debug="1" #debugging enabled if this value is 1
if [ "$debug" -eq "1" ] ; then echo "Array lenght is $len" ; fi

# Parameters SSHKEYLOCATION, LOCALPORTTOBINDTO, HOSTTOCONNECTTO
connect_to_host()
{
  ssh -i $1 -f -N -L $2:127.0.0.1:161 [email protected]$3
  if [ "$debug" -eq "1" ] ; then echo "Connection string ssh -i $1 -f -N -L $2:127.0.0.1:161 [email protected]$3"; fi
}

# Parameters SNMPCOMMUNITY LOCALPORT HOSTNAME
# returns 1 if host replies back with the same hostname string as given
# returns 2 if the host name doesn't match given name
test_host()
{
  hosttest=`snmpwalk -v 1 -c $1 tcp:localhost:$2 sysname|cut -d: -f 4|cut -c2-`

  if [ "$debug" -eq "1" ] ; then echo "snmpwalk result is $hosttest" ; fi

  if [ "$hosttest" = "$3" ]
  then
    return "1"
  else
    return "2"
  fi
}

# takes the host connection string as its parameter
# counts the amount of connections to determine if connection exist
# tries to kill connection
# returns 1 if no connections detected or connection successfully killed
# returns 2 if connection kill failed
kill_connection()
{
  isConnection=`ps |grep $1|grep -v grep| cut -d" " -f 1 |tail -1|wc -l`
  if [ "$debug" -eq "1" ] ; then echo "connection test result is $isConnection" ; fi
  if [ "$isConnection" -eq "1" ]
  then
    pid=`ps |grep $1|grep -v grep|cut -d" " -f 1 |tail -1`
    if [ "$debug" -eq "1" ] ; then echo "Trying to kill pid $pid" ; fi
    kill $pid
    isConnection=`ps |grep $1|grep -v grep|cut -d" " -f 1 |tail -1|wc -l`
    if [ "$isConnection" -eq "1" ]
    then
      echo "Tried killing, something went wrong, waiting for few minutes"
      return 2
    else
      if [ "$debug" -eq "1" ] ; then echo "Killing connection was successful" ; fi
      return 1
    fi
  else
    if [ "$debug" -eq "1" ] ; then echo "Killing connection was successful as there was no connection to being with" ; fi
    return 1
  fi
}

# looping array
i=0
while [ $i -lt $len ]; do
  echo "Testing host ${host_array[$i+3]}"
  test_host ${host_array[$i+4]} ${host_array[$i+2]} ${host_array[$i+3]}
  if [ "$?" -eq "2" ]
  then
    echo "host connection lost, trying to connect"
    echo "checking for lingering connection"
    kill_connection ${host_array[$i]}
    if [ "$?" -eq "1" ]
    then
      connect_to_host ${host_array[$i+1]} ${host_array[$i+2]} ${host_array[$i]}
      echo "Testing new connection"
      test_host ${host_array[$i+4]} ${host_array[$i+2]} ${host_array[$i+3]}
      if [ "$?" -eq "2" ]
      then
        echo "Still no connection, will retry again in few minutes"
      fi
    fi
  fi
  # going to next host
  let "i += 5"
done

sharifu
Posts: 13
Joined: Mon Apr 16, 2012 10:08 am

Re: [HOWTO] Using SSH tunnels to graph a remote Unix server

#12 Post by sharifu » Mon Mar 09, 2015 6:50 am

This is not working for me any more and i cannot seem to figure out why.

if i run it on cli it works and as cacti user, but on not working on the graphs.


Code: Select all

ssh -f -N -g -L 20162:localhost:161 [email protected] > /dev/null 2>&1

Code: Select all

[[email protected] share]# snmpwalk -v1 -c mycommunity tcp:localhost:20162 .1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Linux spectrumgeo.com 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64
In the log file i get

Code: Select all

03/09/2015 11:43:19 AM - CMDPHP: Poller[0] WARNING: SNMP Get Timeout for Host:'tcp:localhost:20162', and OID:'.1.3.6.1.2.1.1.1.0' 

pankajsain
Posts: 1
Joined: Wed Mar 18, 2015 3:01 am

Re: [HOWTO] Using SSH tunnels to graph a remote Unix server

#13 Post by pankajsain » Wed Mar 18, 2015 3:15 am

:D I got the problem,

PS: Blog author wrongly defined the Ports in 'Hostname field' [tcp:<gateway>:10000] and in 161 in 'Snmp Port field'.

Configuration in cacti web-console should be:

in Hostname field: tcp:192.168.0.2
in Snmp Port field: 10000

Save the configuration and now it will work.

- Pankaj Sain

sharifu
Posts: 13
Joined: Mon Apr 16, 2012 10:08 am

Re: [HOWTO] Using SSH tunnels to graph a remote Unix server

#14 Post by sharifu » Wed Mar 18, 2015 5:39 am

I have tried your update, it does not work.


Image


CLI works though

Code: Select all

[[email protected] ~]# snmpwalk -v1 -c mycommunity tcp:localhost:20162 system
SNMPv2-MIB::sysDescr.0 = STRING: Linux spectrumgeo.com 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (77402861) 8 days, 23:00:28.61
SNMPv2-MIB::sysContact.0 = STRING: Root <[email protected]> (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: spectrumgeo.com
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORID.1 = OID: SNMP-MPD-MIB::snmpMPDMIBObjects.3.1.1
SNMPv2-MIB::sysORID.2 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.6 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORDescr.1 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.8 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (6) 0:00:00.06


sharifu
Posts: 13
Joined: Mon Apr 16, 2012 10:08 am

Re: [HOWTO] Using SSH tunnels to graph a remote Unix server

#15 Post by sharifu » Wed Jul 01, 2015 7:57 am

i have found the bug, on version 0.8.8.c file snmp.php replace line 56 with

Code: Select all

if($hostname == "tcp:localhost"){
				$output = exec("snmpget -c $community -v 1 tcp:localhost:$port $oid");//@snmpwalk("$hostname:$port", "$community", "$oid", ($timeout * 1000), $retries);
				$explode = explode("=",$output);
				$snmp_value = trim($explode[1]);				
			}else
				$snmp_value = @snmpget("$hostname:$port", "$community", "$oid", ($timeout * 1000), $retries);

Post Reply