====== ssh_tunnel.sh ====== ^ Author | [[ padraig.lennon@pioneerinvestments.com | Padraig Lennon ]] | ^ Compatibility | All Versions | ^ Requirements | Linux/Solaris | ^ Download | None | ^ Last Update | 2011-04-07 | ===== Description ===== If you have servers in a DMZ which do not allow inbound connections to port 1984 hobbit, then a common way around it is to allow out ssh (port 22) and create a reverse ssh tunnel to the hobbit server (port 1984) using ssh keys for password-less connections. Full details on setting this up can be found on the hobbit wiki: [[http://en.wikibooks.org/wiki/System_Monitoring_with_Xymon/Other_Docs/HOWTO#Monitor_Xymon_clients_in_a_DMZ_using_reverse_SSH_tunnels]] (Thanks to Johan Booysen for writing this up) **ssh_tunnels.sh** is a server side bash script which reads the **bb-hosts** file for clients with the appended tag **ssh-tunnels**. The script will loop through the list gathered from bb-hosts and check that the reverse ssh tunnel process is up and running. If it is not it will turn red, but it will attempt to restart the tunnel. It will continue to do this until the tunnel is ok. This will result in a new column called **ssh-tunnel** being added to the client display. **Update 0.0.3** - You can now specify non-standard ssh ports to connect to the ssh client. You can do this by using the following syntax: **ssh-tunnel:NNNN** where NNNN is the port in question. Example **ssh-tunnel:2222** This is only needed if a non-standard port is used. The script defaults to port 22 Please note that if you upgrade your existing version to 0.0.3 you will need to kill all existing tunnels first. This is because the process listing will change. To kill all existing tunnels you can run the command for PROCESS in `ps -ef | grep "[:]xymon_server:" | awk {'print $2'}`;do kill $PROCESS ; done where xymon_server is the name of the host running the ssh-tunnels.sh script.. If in doubt just do a directory listing. The script will recreate the tunnels once running ===== Installation ===== 1. Place the script on the Xymon Server in the **/path/to/hobbit/server/ext** folder 2. chmod 755 /path/to/hobbit/server/ext/ssh_tunnels.sh 3. Edit the file **/path/to/hobbit/server/etc/hobbitlaunch.cfg** Add the following: [ssh-tunnel] ENVFILE /path/to/hobbit/server/etc/hobbitserver.cfg CMD $BBHOME/ext/ssh-tunnels.sh LOGFILE $BBSERVERLOGS/ssh-tunnels.log INTERVAL 1m 4. Restart the Xymon Server application ===== Source ===== ==== ssh_tunnel.sh ==== #!/bin/ksh #set -xv ##################################################################### # # Name: Padraig Lennon # Date: 07-Apr-2011 # Script Description: Check the SSH tunnels to DMZ (External) Hobbit/Xymon clients # Version: 0.05 # Licence: Please feel free to modify, and use without cost # Please leave reference to original author. # # ######################################################### # # Date - Modifier - Version - Change # 12-Dec-2007 - P.Lennon - 0.01 - Initial Release # 19-Aug-2008 - P.Lennon - 0.02 - Updated the script to display the coloured icon on the client # web page # 03-Aug-2009 - P.Lennon - 0.03 - Allow user define the ssh port (if non-standard) in # bb-host using ssh-tunnel:port syntax # 26-Feb-2010 - P.Lennon - 0.04 - Match exact name of client in COUNT # 07-Apr-2011 - P.Lennon - 0.05 - Add "-o StrictHostKeyChecking=no" to avoid issues # with Key Checking # ########################################################################### # Constants/Global variables ########################################################################### PROGNAME=$(basename $0) # Script Name TEMP_FILE=/tmp/${PROGNAME}.$$.$RANDOM # Temp Output File TEST=ssh-tunnel # Hobbit/Xymon test name COLUMN=$TEST # Hobbit/Xymon test name AUTHOR=padraig.lennon@pioneerinvestments.com # Test Author VERSION="

`basename $0`, $AUTHOR
" SSH_PORT="22" ########################################################################### # Functions ########################################################################### ##### # Function to remove temporary files and other housekeeping # Arguments=0 ##### function clean_up { rm -f ${TEMP_FILE} # Remove the temp output file } ##### # Function called for a graceful exit # Arguments=0 ##### function graceful_exit { clean_up exit } ##### # Function for exit due to fatal program error # Arguments=1 # Argument 0: string containing descriptive error message ##### function error_exit { local ERR_MSG ERR_MSG="##\n#Error: ${1}\n##\n" echo -e ${ERR_MSG} >&2 clean_up exit 255 } ##### # Function for printing warning messages # Arguments=1 # Argument 0: string containing descriptive warning message ##### function warning { local WARN_MSG WARN_MSG="##\n#Warning: ${1}\n##\n" echo -e ${WARN_MSG} >&2 } ##### # Function for printing script steps # Arguments=1 # Argument 0: string containing descriptive step message ##### function print_step { local STEP_MSG STEP_MSG="#----> ${1}" echo -e ${STEP_MSG} } ##### # Function to perform exit if interrupt signal is trapped # Arguments=0 ##### function int_exit { echo -e "${PROGNAME}: Aborted by user" clean_up exit 255 } ##### # Function to display help message for program # No arguments ##### function help { local tab=$(echo -en "\t\t") cat <<- -EOF- Check ssh-tunnels to dmz clients Usage: ${PROGNAME} [-h] Required parameters: Optional parameters: -h, --help Display this help message and exit. Example(s): ${PROGNAME} Exit Codes: 0 Success 255 Error Author: Padraig Lennon -EOF- } ##### USER DEFINED FUNCTIONS ###################### ########################################################################### # Check command line parameters ########################################################################### # Trap INT signals and properly exit trap int_exit INT # Process command line arguments # Parameters with arguments divide with : i.e. for option o use o: # Parameters with no arguments add the option after the h. no extra : while getopts ":h" opt; do case $opt in h ) help graceful_exit ;; * ) help error_exit "Wrong parameter passed" ;; esac done ########################################################################### # Main Body of Script ########################################################################### ${GREP} -i "^[0-9].*#.*${TEST}" ${BBHOSTS} | while read L do set $L # To get one line of output from the grep output HOSTIP=$1 MACHINEDOTS=$2 MACHINE=`echo $MACHINEDOTS | $SED -e 's/\./,/g'` for OPTION in `echo $* | $AWK -F# {'print $2'}| $SED s/\s+/\s/g` do OPTION_VAL=`echo $OPTION | $GREP ${TEST} 2>/dev/null` if [ "$OPTION_VAL" != "" ] ; then # We have found the test definition. Check if an alternative port was supplied SSH_PORT_VAL=`echo $OPTION_VAL | $AWK -F: {'print $2'}` if [ "$SSH_PORT_VAL" != "" ] ; then SSH_PORT=$SSH_PORT_VAL else SSH_PORT=22 fi fi done COLOR=green MSG="$TEST status for host $MACHINEDOTS" CLIENT=`echo $MACHINEDOTS | $AWK -F. {'print $1'}` COUNT=`$PS -ef|$GREP "ssh -fnNR [1]984"| $EGREP "$SSH_PORT $CLIENT$"| wc -l | $SED -e "s/\ //g"` if [ $COUNT -eq 0 ] ; then COLOR=yellow # Restarting the Tunnel ssh -fnNR 1984:`hostname`:1984 -o StrictHostKeyChecking=no -p $SSH_PORT $CLIENT if [ $? -ne 0 ] ; then MSG="&red Tunnel is down.. Restart attempt failed" COLOR=red else MSG="&yellow Tunnel recently restarted" COLOR=yellow fi elif [ $COUNT -gt 1 ] ; then for PROCESS in `$PS -ef | $GREP "ssh -fnNR"| GREP "$CLIENT" | $AWK {'print $2'}` do kill $PROCESS done # Restarting the Tunnel ssh -fnNR 1984:`hostname`:1984 -o StrictHostKeyChecking=no -p $SSH_PORT $CLIENT if [ $? -ne 0 ] ; then MSG="&red Tunnel is down.. Restart attempt failed" COLOR=red else MSG="&yellow Tunnel recently restarted" COLOR=yellow fi else MSG="&green SSH Tunnel to $CLIENT ok" fi $BB $BBDISP "status $MACHINEDOTS.$COLUMN $COLOR `date` ${MSG} $VERSION " done graceful_exit
===== Known Bugs and Issues ===== ===== To Do ===== ===== Credits ===== ===== Changelog ===== * **2008-08-14 - 0.0.1** * Initial release * **2008-08-19 - 0.0.2** * Updated the script to display the coloured icon on the client web page * **2009-08-03 - 0.0.3** * Allow user define the ssh port (if non-standard) in bb-hosts using ssh-tunnel:port syntax * **2010-02-26 - 0.0.4** * Match exact name of client in COUNT (Thanks Tony Larco for testing) * **2011-04-07 - 0.0.5** * Added "-o StrictHostKeyChecking=no" to avoid issues with key checking