Hello,
we use zabbix to monitor services in our local network.
Now we have one root server on the internet hosted by our provider which is accessible via the pubic ip adress.
Now I want to
a) monitor some public services on the root server (ssh, http, smtp) via simple checks
b) monitor some local items on the root server (fs usage, cpu usage, etc) via zabbix agent.
Because the connection between zabbix server and agent is through the internet, I want to secure this connection.
I figured out that ssh tunnels, vpn or stunnel are common possibilities.
But if I for example use a ssh tunnel between my zabbix server and the agent, on the server I have to configure the local IP Adress of the server (localhost) as the adress of the agent so that it is routed via the ssh tunnel.
But when I use the local end of the ssh tunnel (for example 127.0.0.1 with Port 10150) this IP adress will also be used for the simple checks. I do not want, that the simple checks are made through the ssh tunnel too but are made directly because they should not depend on the ssh tunnel and should even work if the tunnel stops working.
Do I need to make two hosts? One accessible via ssh tunnel for the agent checks and one accessible directly for the simple checks?
I thought about wirting some local iptables rules on the zabbix server that every connection to the agent on Port 10050 is routed/'nated' via the local end of the ssh tunnel so that for the zabbix server the ssh tunnel ist totaly unvisible.
I think both options are a little bit bloated. Is there any other solution for this? I think it's a very common situation and not somethin totaly abstract.
Sorry for my english, I hope everyone understood my questions.
Thank you
Tobias
we use zabbix to monitor services in our local network.
Now we have one root server on the internet hosted by our provider which is accessible via the pubic ip adress.
Now I want to
a) monitor some public services on the root server (ssh, http, smtp) via simple checks
b) monitor some local items on the root server (fs usage, cpu usage, etc) via zabbix agent.
Because the connection between zabbix server and agent is through the internet, I want to secure this connection.
I figured out that ssh tunnels, vpn or stunnel are common possibilities.
But if I for example use a ssh tunnel between my zabbix server and the agent, on the server I have to configure the local IP Adress of the server (localhost) as the adress of the agent so that it is routed via the ssh tunnel.
But when I use the local end of the ssh tunnel (for example 127.0.0.1 with Port 10150) this IP adress will also be used for the simple checks. I do not want, that the simple checks are made through the ssh tunnel too but are made directly because they should not depend on the ssh tunnel and should even work if the tunnel stops working.
Do I need to make two hosts? One accessible via ssh tunnel for the agent checks and one accessible directly for the simple checks?
I thought about wirting some local iptables rules on the zabbix server that every connection to the agent on Port 10050 is routed/'nated' via the local end of the ssh tunnel so that for the zabbix server the ssh tunnel ist totaly unvisible.
I think both options are a little bit bloated. Is there any other solution for this? I think it's a very common situation and not somethin totaly abstract.
Sorry for my english, I hope everyone understood my questions.
Thank you
Tobias
Comment