Hi,
For monitoring an Astaro firewall beyond the capabilities offered by SNMP I decided to try installing the ZABBIX Agent onto a testbed for evaluation.
Software used:
* Astaro Firewall 7.402
* Binaries for ZABBIX Agent 1.6.4 for Linux (i386/kernel 2.6) so kindly provided by forum-user emerzon
This is the complete writeup of the steps I took, and it seems there are no unexpected side-effects using this setup, apart from the obvious loss of support from Astaro due to the fact that the system has been tampered with.
I am posting this for the community to help those interested in the same solution, and for peer review if there are obvious security flaws in the setup (remember this is a firewall/router/gateway and, as such, sensitive equipment).
Anyway, here are the steps I took to make this work:
* You need console access as user root, either through the console or ssh. I prefer ssh to easily 'cut-n-paste' the commands into the shell.
* Make user 'zabbix'
useradd zabbix -s /bin/false
* Create directories
mkdir /etc/zabbix
mkdir /home/zabbix
mkdir /home/zabbix/bin
* Create minimal zabbix_agentd.conf
echo "Server=(ZABBIX Server IP)" > /etc/zabbix/zabbix_agentd.conf
echo "ListenIP=(Local IP on trusted network)" >> /etc/zabbix/zabbix_agentd.conf
* Fetch and unpack the agent binaries (Thanks to forum-user emerzon for providing these)
cd /home/zabbix/bin
wget http://www.chita.com.br/zabbix/zabbi..._6.i386.tar.gz
gunzip zabbix_agents_1.6.4.linux2_6.i386.tar.gz
tar -xf zabbix_agents_1.6.4.linux2_6.i386.tar
rm zabbix_agents_1.6.4.linux2_6.i386.tar
chown root:root *
* Create start/stop-script
cat << EOF > /etc/init.d/zabbix_agentd
#!/bin/sh
#
# Copyright (C) 2009 Thomas Hellström
#
. /lib/lsb/init-functions
PATH=/sbin:/bin:/usr/sbin:/usr/bin
PNAME="Zabbix Agent"
if test \$? -ne 0
then
    exit 0
fi
case "\$1" in
    start)
        echo -n ":: Starting \$PNAME"
        startproc /home/zabbix/bin/zabbix_agentd >/dev/null 2>&1
        rc_status -v
        ;;
    stop)
        echo -n ":: Stopping \$PNAME"
        killall zabbix_agentd >/dev/null 2>&1
        rc_status -v
        ;;
    status)
        echo -n ":: Status \$PNAME"
        if checkproc zabbix_agentd; then
            rc_failed 0
        else
            rc_failed 3
        fi
        rc_status -v
        ;;
    restart)
        \$0 stop
        \$0 start
        echo -e \${attn}":: Restarting \$PNAME"\${norm}
        rc_status -v
        ;;
    *)
        # \$0 is the script path (the original printed an unset variable here)
        echo "Usage: \$0 {start|stop|status|restart}" >&2
        exit 1
        ;;
esac
rc_exit
EOF
* Make script executable
chmod 755 /etc/init.d/zabbix_agentd
* Create links for runlevel 3
ln -fs /etc/init.d/zabbix_agentd /etc/init.d/rc3.d/S99zabbix_agentd
ln -fs /etc/init.d/zabbix_agentd /etc/init.d/rc3.d/K01zabbix_agentd
* Start the agent manually (So you don't have to reboot your firewall now)
/etc/init.d/zabbix_agentd start
* Create the following rule on the Astaro firewall (web interface -> Network Security -> Packet Filter)
Source: (ZABBIX Server IP)
Service: TCP/10050
Destination: (Local IP on trusted network)
Action: Allow
That's all there is to it. Remember this setup does not take into account the possibility to set up the agent in a chroot:ed environment for extra security. I leave it up to you to decide if your application needs the extra security that provides.
I hope someone finds this post useful, although my primary reason for posting this is to archive the instructions for my own use and for a chance for others to point out potential security risks in the setup.
Best regards,
Thomas Hellström
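
For the peer review requested above, a post-install audit of the resulting setup, added here as an example and not part of the original post. The function names are hypothetical, and `EnableRemoteCommands` is a standard agent option that the post's minimal config does not set.

```shell
#!/bin/sh
# Added example (not from the original post): audit the agent setup built above.
# Usage: sh audit.sh /etc/zabbix/zabbix_agentd.conf /home/zabbix/bin

# conf_get FILE KEY: print the last uncommented value of KEY.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_agent_setup CONF BINDIR [OWNER]: prints FAIL lines, returns 1 on any finding.
audit_agent_setup() {
    conf=$1 bindir=$2 owner=${3:-root} rc=0

    # Server= is the agent's own allow-list of hosts permitted to query it.
    [ -n "$(conf_get "$conf" Server)" ] || { echo "FAIL Server is not set"; rc=1; }

    # Without ListenIP the agent binds every interface, external ones included.
    case "$(conf_get "$conf" ListenIP)" in
        ""|0.0.0.0) echo "FAIL ListenIP unset or 0.0.0.0"; rc=1 ;;
    esac

    # Remote commands let the monitoring server run shell commands on the firewall.
    [ "$(conf_get "$conf" EnableRemoteCommands)" != 1 ] ||
        { echo "FAIL EnableRemoteCommands=1"; rc=1; }

    # Config and binaries must belong to OWNER and not be group/world-writable,
    # otherwise an unprivileged account could alter what init starts as root.
    bad=$(find "$conf" "$bindir" \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) ! -type l)
    if [ -n "$bad" ]; then
        echo "FAIL wrong owner or writable by group/other:"
        echo "$bad" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -ge 2 ]; then audit_agent_setup "$@"; fi
```
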