Secure zabbix protocol


B_A_C_H
11-02-2005, 13:37
Hello!

Thinking about an SSL implementation for the Zabbix protocol, I suddenly remembered one solution for how to make the connection to a MySQL server secure: the Stunnel solution.
http://www.stunnel.org
Has anyone tried the same approach for the zabbix protocol? Will try today :D

chaag
27-06-2005, 06:27
I was able to encrypt and route all traffic over port 22. Also meant that I did not have to ask the customer to poke any new holes in their firewall. (I bet this is too simple for you, but perhaps the below will be of use to others)

You need a "bastion" host that can be reached over port 22 (ssh).
Then set up each client server via zabbix_agentd.conf:
# IP address of Zabbix server. No spaces allowed.
Server=[ip of bastion]

Set up ssh keys from the zabbix server to the bastion host so the zabbix user can log in w/o entering a password.

Install autossh

Create a forwardports.sh script something like this:
$ less /home/zabbix/bin/forwardports.sh
#!/bin/sh
## IP's are fake of course ;-)

## always restarting tunnel
AUTOSSH_MAXSTART=-1; export AUTOSSH_MAXSTART

## the bastion runs its own agent on bastionRemotePort; the other hosts are
## reached from the bastion on their agent port
bastion=155.155.155.155
bastionLocalPort=10555
bastionRemotePort=10000
server1=1.1.1.1
server1LocalPort=10001
server1RemotePort=10000
server2=1.1.1.2
server2LocalPort=10002
server2RemotePort=10000
server3=1.1.1.3
server3LocalPort=10003
server3RemotePort=10000

#echo $SSH_AUTH_SOCK
## start an agent only if none is available, then load the zabbix key
if [ "X$SSH_AUTH_SOCK" = "X" ]
then
    eval `ssh-agent -s`
fi
ssh-add /home/zabbix/.ssh/id_dsa

## one -L per monitored host: local port -> (via bastion) host:agent port
autossh -l zabbix -fN -L $bastionLocalPort:127.0.0.1:$bastionRemotePort \
    -L $server1LocalPort:$server1:$server1RemotePort \
    -L $server2LocalPort:$server2:$server2RemotePort \
    -L $server3LocalPort:$server3:$server3RemotePort $bastion

##END SCRIPT

Finally, you can make sure that this script runs as a service (under debian at least) with this script:

$ less /etc/init.d/zabbix-autossh
#! /bin/sh

set -e

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/home/zabbix/bin/forwardports.sh
NAME=forwardports.sh
DESC="port forwarding for zabbix"
PID=/home/zabbix/run/$NAME.pid

# Gracefully exit if the package has been removed.
test -x $DAEMON || exit 0

case "$1" in
start)
    echo -n "Starting $DESC: $NAME"
    start-stop-daemon --start --quiet --pidfile $PID \
        --exec $DAEMON
    echo "."
    ;;
stop)
    echo "Stopping $DESC: $NAME"
    # find the pid(s) of the autossh tunnel started by forwardports.sh
    PID=`ps auxww| fgrep autossh | fgrep 'l zabbix -N' | grep -v grep \
        | tr -s ' ' '!' | cut -d'!' -f2`
    if [ "X$PID" = "X" ]
    then
        echo "no PID found, autossh for zabbix not running"
    else
        echo "zabbix autossh pid=$PID"
        # (the post was cut off here; the lines that follow are the obvious
        # completion of the stop branch, not the original text)
        kill $PID
    fi
    ;;
*)
    echo "Usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac

exit 0

Hope someone finds this useful

regards

chaag
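A consolidated form of the setup in the post above, written as an added example rather than chaag's own script: the forwards live in one table, are validated before autossh starts (malformed line, out-of-range port, the same local port listed twice), and each -L is bound explicitly to 127.0.0.1 so a forwarded agent port is never reachable through another interface of the Zabbix server. The bastion address, ssh user, key path and tunnel table are placeholders. The ssh and autossh options used are real ones; -M 0 disables autossh's own echo port and relies on ServerAliveInterval/ServerAliveCountMax to detect a dead link, which is the usual pairing.

```shell
#!/bin/sh
# Added example, not the original poster's script: one tunnel table, validated
# before autossh starts. Every host, port and path below is a placeholder.
FORWARDS='bastion 10555 127.0.0.1 10000
server1 10001 1.1.1.1 10000
server2 10002 1.1.1.2 10000'

BASTION=155.155.155.155            # placeholder bastion address
SSH_USER=zabbix
SSH_KEY=/home/zabbix/.ssh/id_dsa   # placeholder key path

# is_port N: succeed only if N is an integer in 1..65535.
is_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_forwards TABLE: reject short lines, bad ports and a local port that
# is listed twice (ssh could not bind the second -L, and with
# ExitOnForwardFailure the whole tunnel would then go down). Returns 1 on the
# first problem, which is reported on stderr.
validate_forwards() {
    seen=" "
    while read -r name lport rhost rport; do
        [ -n "$name" ] || continue
        if [ -z "$rport" ]; then
            echo "forward '$name': expected 4 fields" >&2; return 1
        fi
        if ! is_port "$lport" || ! is_port "$rport"; then
            echo "forward '$name': bad port '$lport' or '$rport'" >&2; return 1
        fi
        case "$seen" in
            *" $lport "*) echo "forward '$name': local port $lport listed twice" >&2; return 1 ;;
        esac
        seen="$seen$lport "
    done <<EOF
$1
EOF
    return 0
}

# build_forward_args TABLE: print one -L per table line, each bound explicitly
# to 127.0.0.1 so the forwarded agent ports are reachable only from the Zabbix
# server itself, never from one of its other interfaces.
build_forward_args() {
    args=""
    while read -r name lport rhost rport; do
        [ -n "$name" ] || continue
        args="$args -L 127.0.0.1:$lport:$rhost:$rport"
    done <<EOF
$1
EOF
    printf '%s\n' "${args# }"
}

# start_tunnels: validate, then background autossh. -M 0 turns off autossh's
# echo port and relies on ServerAlive* to notice a dead link, after which
# autossh restarts ssh; AUTOSSH_GATETIME=0 keeps retrying even when the very
# first attempt fails. BatchMode makes a missing key fail instead of prompting.
start_tunnels() {
    validate_forwards "$FORWARDS" || return 1
    set -- $(build_forward_args "$FORWARDS")
    AUTOSSH_GATETIME=0 autossh -M 0 -f -N \
        -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -i "$SSH_KEY" -l "$SSH_USER" "$@" "$BASTION"
}

case "${1:-}" in
    start) start_tunnels ;;
esac
```

Run it as `forwardports.sh start` from the init script; with no argument it only defines the functions, so the table can be checked with `validate_forwards "$FORWARDS"` before anything is started.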

riegersteve
07-07-2005, 05:56
I use a reverse ssh tunnel to monitor servers in other countries over the net securely.

manu_dbpur
30-10-2006, 09:18
I am trying to configure the Zabbix agent and server for secure communication. I tried to configure it as given in the script, but I am a little bit confused: should I run this script on the server or on the agent?

manu_dbpur
06-11-2006, 15:45
I used SSH port forwarding, but I tested it only for the server requesting checks.

Configuration:

ssh -l zabbix -L 20000:127.0.0.1:10050 host.zabbixagent.com

Where:
-L 20000: any free port on the PC where the Zabbix server is running.
127.0.0.1:10050: run the zabbix agent with ListenIP=127.0.0.1 and port 10050.
host.zabbixagent.com: the PC on which the zabbix agent is running.

This will connect to the zabbix agent securely, and communication between server and agent is secured. Don't close this window.

Now add the host to the Zabbix server, specifying the host's IP address as 127.0.0.1 (localhost) and port 20000.
In the above configuration, the Zabbix server will connect to localhost port 20000, and ssh will in turn transmit all the data coming in on this port to the host.zabbixagent.com PC.

Drawback: you need to create 2 hosts if the user prefers to monitor a PC with both zabbix agent templates and SNMP templates.

I think scripts can be written to start ssh port forwarding, or start it once and never close the window.
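An added check for the agent side of this setup (example code, not from the post): because the forward terminates on the agent host itself, the connection reaches zabbix_agentd from that host's own 127.0.0.1, so the agent's Server= allow-list must include 127.0.0.1 or the agent refuses the passive check, and ListenIP must be 127.0.0.1 so the agent is not also reachable in the clear from the network (the agent's default is 0.0.0.0). The two configuration texts below are constructed samples.

```shell
#!/bin/sh
# Added example: sanity-check a zabbix_agentd.conf for the tunnelled setup.
# Both configs below are constructed samples, not files from the original post.
GOOD_CONF='# agent reached only through the ssh forward
ListenIP=127.0.0.1
ListenPort=10050
Server=127.0.0.1, 10.0.0.5
Hostname=host.zabbixagent.com'

BAD_CONF='# default listen address and a server allow-list without loopback
# ListenIP=127.0.0.1
ListenPort=10050
Server=10.0.0.5
Hostname=host.zabbixagent.com'

# conf_get KEY CONF: print the last uncommented "KEY=value" in CONF (empty if unset).
conf_get() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# check_agent_conf CONF: succeed only if the agent listens on loopback alone and
# accepts passive checks arriving from 127.0.0.1 (the sshd end of the tunnel).
# Each finding is printed; the return code is 1 if there is any finding.
check_agent_conf() {
    rc=0
    listen=$(conf_get ListenIP "$1")
    if [ "$listen" != "127.0.0.1" ]; then
        echo "ListenIP=${listen:-<unset, defaults to 0.0.0.0>}: agent is reachable unencrypted from the network"
        rc=1
    fi
    # Server= is a comma-separated list; spaces around the commas are allowed
    servers=$(conf_get Server "$1" | tr -d ' ')
    case ",$servers," in
        *,127.0.0.1,*) ;;
        *) echo "Server=${servers:-<unset>}: 127.0.0.1 missing, tunnelled checks will be rejected"; rc=1 ;;
    esac
    return $rc
}

# usage: check_agent.sh check /etc/zabbix/zabbix_agentd.conf
if [ "${1:-}" = "check" ] && [ -r "${2:-}" ]; then
    check_agent_conf "$(cat "$2")"
fi
```

Run against the real file on the agent host before adding the host with IP 127.0.0.1 and port 20000 on the server side; a non-zero exit with the printed findings tells you which of the two settings the tunnel will trip over.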

cbidwell
01-05-2007, 22:51
Has anyone had success with the zabbix protocol with stunnel or any other means in lieu of ssh?