Ad Widget

**nelsonab** · 20-08-2008, 21:44

I think that should work. However when the IP changes the old one will likely be queried until the TTL (Time To Live) expires. It looks like the Zabbix server poller process does a DNS lookup every time it queries a hostname based item. Thus it will likely query the DNS server once until the entry expires or it's local cache overflows, but that's an OS level issue. :-)

**fulltilt** · 21-08-2008, 09:26

thanks - i try :-)
the local server is debian os - i only use one zabbix user here.
a couple months ago i used dyn-domain for some backups via rsync, without any problems.

Originally posted by nelsonab

I think that should work. However when the IP changes the old one will likely be queried until the TTL (Time To Live) expires. It looks like the Zabbix server poller process does a DNS lookup every time it queries a hostname based item. Thus it will likely query the DNS server once until the entry expires or it's local cache overflows, but that's an OS level issue. :-)

**loophole** · 21-08-2008, 14:35

Hi ,

I'm running the same setup like you and beside the 24hour reconnect not having any trouble with WAN-Servers.

the only drawback i discovered is that the dynds ip change is not coming through very fast on normal DNS-Servers. Workaround is to directly query the DNS Server of your dyndns host.

heres a little script i run every 5mins per cron to see if ip changed. I use it to change my firewall settings.

Code:

#!/bin/bash
NEW=$(/usr/bin/dig @ns3.afraid.org +short your.dyndns.host)
#echo $NEW
if [ -f /tmp/ip ]; then
  OLD=$(cat /tmp/ip)
else
  echo $NEW > /tmp/ip
fi
#echo $OLD

if  [ "$NEW" !=  "$OLD" ]; then
  echo $NEW > /tmp/ip
  echo "Changing rule"
  /sbin/iptables -D INPUT 1
  /sbin/iptables -A INPUT 1 -s  $NEW -p tcp --dport 10050 -j ACEPPT
  FIRST=$(head -n1 /etc/hosts)
  echo $FIRST > /etc/hosts
  echo "$NEW your.dyndns.host" >> /etc/hosts
fi

One could also trigger a remote command to change the firewall, but i'm not feeling secure with that.
To prevent Actions from fiering i have a Trapper installed that is triggered through the ip-up ip-down scripts called through ppp(oe) and have that as an condition for the action to be taken.
It's not working right now cause the ip-* scripts not getting called everytime.

Greetings loophole

**fulltilt** · 21-08-2008, 14:44

very nice - thank you very much :-)

Originally posted by loophole

Hi ,

I'm running the same setup like you and beside the 24hour reconnect not having any trouble with WAN-Servers.

the only drawback i discovered is that the dynds ip change is not coming through very fast on normal DNS-Servers. Workaround is to directly query the DNS Server of your dyndns host.

heres a little script i run every 5mins per cron to see if ip changed. I use it to change my firewall settings.

Code:

#!/bin/bash
NEW=$(/usr/bin/dig @ns3.afraid.org +short your.dyndns.host)
#echo $NEW
if [ -f /tmp/ip ]; then
  OLD=$(cat /tmp/ip)
else
  echo $NEW > /tmp/ip
fi
#echo $OLD

if  [ "$NEW" !=  "$OLD" ]; then
  echo $NEW > /tmp/ip
  echo "Changing rule"
  /sbin/iptables -D INPUT 1
  /sbin/iptables -A INPUT 1 -s  $NEW -p tcp --dport 10050 -j ACEPPT
  FIRST=$(head -n1 /etc/hosts)
  echo $FIRST > /etc/hosts
  echo "$NEW your.dyndns.host" >> /etc/hosts
fi

One could also trigger a remote command to change the firewall, but i'm not feeling secure with that.
To prevent Actions from fiering i have a Trapper installed that is triggered through the ip-up ip-down scripts called through ppp(oe) and have that as an condition for the action to be taken.
It's not working right now cause the ip-* scripts not getting called everytime.

Greetings loophole

**fulltilt** · 24-08-2008, 11:55

O.K. working fine ...

one Question if i use zabbix server on local pc and monitor webserver from outside:
is it secure enough if i install zabbix agents on webserver clients?
e.g. with user zabbix for agents or did i have to secure zabbix user (agent) with password?

installed agent on webserver without zabbix server - but doing this:
groupadd zabbix
useradd -c 'Zabbix' -d /home/zabbix -g zabbix -s /bin/bash zabbix
mkdir /home/zabbix
chown zabbix:zabbix /home/zabbix

Originally posted by loophole

Hi ,
One could also trigger a remote command to change the firewall, but i'm not feeling secure with that.
To prevent Actions from fiering i have a Trapper installed that is triggered through the ip-up ip-down scripts called through ppp(oe) and have that as an condition for the action to be taken.
It's not working right now cause the ip-* scripts not getting called everytime.
Greetings loophole

**loophole** · 26-08-2008, 08:18

I'm not quite sure what execatly you want to secure with the password. As for the login of the user "zabbix" on the clients, that defenetly should be done.
The way you describe is the right way to go. Create new group and user
If some one whould fidle with the agent he couldn't do much (but who knows for sure).

Another thing you can do is build an ssl tunnel with ssh. There is a thread here somewhere. Or read up on the ssh manpages.

**fulltilt** · 26-08-2008, 08:29

thanks - good to know :-)
have you also connection problems with agents to zabbix server (to dynDomain)?
If i set up more than one agent, the sec. agent could not connect properly on port.
Did i have to use for each agent another port?

Regards

Originally posted by loophole

I'm not quite sure what execatly you want to secure with the password. As for the login of the user "zabbix" on the clients, that defenetly should be done.
The way you describe is the right way to go. Create new group and user
If some one whould fidle with the agent he couldn't do much (but who knows for sure).

Another thing you can do is build an ssl tunnel with ssh. There is a thread here somewhere. Or read up on the ssh manpages.

**loophole** · 26-08-2008, 10:23

I'm only watching over one VServer so can't tell. I see if i can get a second server to monitor. But on work, everything runs fine. Maybe you forgot to open up the firewall for the other hosts?

Just set up the DebugLeve of the agent to 4 and see whats showing in the logs.

**fulltilt** · 26-08-2008, 10:27

one host here is also working ...
maybe there is a problem with local router - i think he can only handle one port per IP ...
is there a port range i can use for agents?

### edit
hm - i try 10049 but same error here:
Getting list of active checks failed. Will retry after 60 seconds

Originally posted by loophole

I'm only watching over one VServer so can't tell. I see if i can get a second server to monitor. But on work, everything runs fine. Maybe you forgot to open up the firewall for the other hosts?

Just set up the DebugLeve of the agent to 4 and see whats showing in the logs.

**loophole** · 26-08-2008, 10:38

In zabbix_agentd.conf you can set the port. And in the webfrontend you can configure the server for the extra port. But i don't know how to have the server listen on more than one port.

A little hint how i initialie check on connectivity

Code:

telnet zabbix.server.domain 10051

the same the other way around

Code:

telnet zabbix.client.domain 10050

Don't forget to have the config in the webfrontend to reflect your agent settings.

**fulltilt** · 26-08-2008, 11:11

now its working - i delete host and items and set up again.
But i can only use line graphs in second host no aggregated working here - is this a bug?

Originally posted by loophole

In zabbix_agentd.conf you can set the port. And in the webfrontend you can configure the server for the extra port. But i don't know how to have the server listen on more than one port.

A little hint how i initialie check on connectivity

Code:

telnet zabbix.server.domain 10051

the same the other way around

Code:

telnet zabbix.client.domain 10050

Don't forget to have the config in the webfrontend to reflect your agent settings.

**loophole** · 26-08-2008, 11:16

Can't tell you. Just tried to create a aggregated graph with the the 1.4 version and worked. Don't have acces to my homesetup right now. I check back on this later

**fulltilt** · 26-08-2008, 11:37

thanks - i think it's a problem by home router - with first host everything is working fine.
second host:
Getting list of active checks failed. Will retry after 60 seconds
please let me know if it work @ homeserver :-)

Originally posted by loophole

Can't tell you. Just tried to create a aggregated graph with the the 1.4 version and worked. Don't have acces to my homesetup right now. I check back on this later

**loophole** · 26-08-2008, 15:07

I checked my home setup with another machine of a friend. It's also a VServer.

Steps taken:
I copied the 1.5.3 source code and compiled only with --enable-agent. Then copied the zabbix_agentd.conf file, changed the hostname and commented the Listen directive in. Starting zabbix_agentd on second outward host.

After that I created a new host in the webfrontend, and after a few seconds the first data was coming in.
(There was some settings with the firewall to allow agentd..)

The setup of hosts in the webfrontend are all using DNS name as source, no IP given. Only inside Zabbixconfs are using IP's.

Seems to me your second setup is not quite right. Can you post your config file?

Ad Widget

zabbix_agentd.conf IP as dyndns domain

zabbix_agentd.conf IP as dyndns domain

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment