====== ssh_tunnel.sh ======
^ Author | [[ padraig.lennon@pioneerinvestments.com | Padraig Lennon ]] |
^ Compatibility | All Versions |
^ Requirements | Linux/Solaris |
^ Download | None |
^ Last Update | 2011-04-07 |
===== Description =====
If you have servers in a DMZ which do not allow inbound connections to port 1984 hobbit, then a common way around it is to allow out ssh (port 22) and create a reverse ssh tunnel to the hobbit server (port 1984) using ssh keys for password-less connections.
Full details on setting this up can be found on the hobbit wiki: [[http://en.wikibooks.org/wiki/System_Monitoring_with_Xymon/Other_Docs/HOWTO#Monitor_Xymon_clients_in_a_DMZ_using_reverse_SSH_tunnels]]
(Thanks to Johan Booysen for writing this up)
**ssh_tunnels.sh** is a server side bash script which reads the **bb-hosts** file for clients with the appended tag **ssh-tunnels**.
The script will loop through the list gathered from bb-hosts and check that the reverse ssh tunnel process is up and running. If it is not it will turn red, but it will attempt to restart the tunnel. It will continue to do this until the tunnel is ok.
This will result in a new column called **ssh-tunnel** being added to the client display.
**Update 0.0.3** - You can now specify non-standard ssh ports to connect to the ssh client. You can do this by using the following syntax: **ssh-tunnel:NNNN** where NNNN is the port in question. Example **ssh-tunnel:2222** This is only needed if a non-standard port is used. The script defaults to port 22
Please note that if you upgrade your existing version to 0.0.3 you will need to kill all existing tunnels first. This is because the process listing will change. To kill all existing tunnels you can run the command
for PROCESS in `ps -ef | grep "[:]xymon_server:" | awk {'print $2'}`;do kill $PROCESS ; done
where xymon_server is the name of the host running the ssh-tunnels.sh script.. If in doubt just do a directory listing. The script will recreate the tunnels once running
===== Installation =====
1. Place the script on the Xymon Server in the **/path/to/hobbit/server/ext** folder
2. chmod 755 /path/to/hobbit/server/ext/ssh_tunnels.sh
3. Edit the file **/path/to/hobbit/server/etc/hobbitlaunch.cfg**
Add the following:
[ssh-tunnel]
ENVFILE /path/to/hobbit/server/etc/hobbitserver.cfg
CMD $BBHOME/ext/ssh-tunnels.sh
LOGFILE $BBSERVERLOGS/ssh-tunnels.log
INTERVAL 1m
4. Restart the Xymon Server application
===== Source =====
==== ssh_tunnel.sh ====
#!/bin/ksh
#set -xv
#####################################################################
#
# Name: Padraig Lennon
# Date: 07-Apr-2011
# Script Description: Check the SSH tunnels to DMZ (External) Hobbit/Xymon clients
# Version: 0.05
# Licence: Please feel free to modify, and use without cost
# Please leave reference to original author.
#
# #########################################################
#
# Date - Modifier - Version - Change
# 12-Dec-2007 - P.Lennon - 0.01 - Initial Release
# 19-Aug-2008 - P.Lennon - 0.02 - Updated the script to display the coloured icon on the client
# web page
# 03-Aug-2009 - P.Lennon - 0.03 - Allow user define the ssh port (if non-standard) in
# bb-host using ssh-tunnel:port syntax
# 26-Feb-2010 - P.Lennon - 0.04 - Match exact name of client in COUNT
# 07-Apr-2011 - P.Lennon - 0.05 - Add "-o StrictHostKeyChecking=no" to avoid issues
# with Key Checking
#
###########################################################################
# Constants/Global variables
###########################################################################
PROGNAME=$(basename $0) # Script Name
TEMP_FILE=/tmp/${PROGNAME}.$$.$RANDOM # Temp Output File
TEST=ssh-tunnel # Hobbit/Xymon test name
COLUMN=$TEST # Hobbit/Xymon test name
AUTHOR=padraig.lennon@pioneerinvestments.com # Test Author
VERSION="`basename $0`, $AUTHOR
"
SSH_PORT="22"
###########################################################################
# Functions
###########################################################################
#####
# Function to remove temporary files and other housekeeping
# Arguments=0
#####
function clean_up
{
rm -f ${TEMP_FILE} # Remove the temp output file
}
#####
# Function called for a graceful exit
# Arguments=0
#####
function graceful_exit
{
clean_up
exit
}
#####
# Function for exit due to fatal program error
# Arguments=1
# Argument 0: string containing descriptive error message
#####
function error_exit
{
local ERR_MSG
ERR_MSG="##\n#Error: ${1}\n##\n"
echo -e ${ERR_MSG} >&2
clean_up
exit 255
}
#####
# Function for printing warning messages
# Arguments=1
# Argument 0: string containing descriptive warning message
#####
function warning
{
local WARN_MSG
WARN_MSG="##\n#Warning: ${1}\n##\n"
echo -e ${WARN_MSG} >&2
}
#####
# Function for printing script steps
# Arguments=1
# Argument 0: string containing descriptive step message
#####
function print_step
{
local STEP_MSG
STEP_MSG="#----> ${1}"
echo -e ${STEP_MSG}
}
#####
# Function to perform exit if interrupt signal is trapped
# Arguments=0
#####
function int_exit
{
echo -e "${PROGNAME}: Aborted by user"
clean_up
exit 255
}
#####
# Function to display help message for program
# No arguments
#####
function help
{
local tab=$(echo -en "\t\t")
cat <<- -EOF-
Check ssh-tunnels to dmz clients
Usage: ${PROGNAME} [-h]
Required parameters:
Optional parameters:
-h, --help Display this help message and exit.
Example(s):
${PROGNAME}
Exit Codes:
0 Success
255 Error
Author: Padraig Lennon
-EOF-
}
##### USER DEFINED FUNCTIONS ######################
###########################################################################
# Check command line parameters
###########################################################################
# Trap INT signals and properly exit
trap int_exit INT
# Process command line arguments
# Parameters with arguments divide with : i.e. for option o use o:
# Parameters with no arguments add the option after the h. no extra :
while getopts ":h" opt; do
case $opt in
h ) help
graceful_exit
;;
* ) help
error_exit "Wrong parameter passed"
;;
esac
done
###########################################################################
# Main Body of Script
###########################################################################
${GREP} -i "^[0-9].*#.*${TEST}" ${BBHOSTS} | while read L
do
set $L # To get one line of output from the grep output
HOSTIP=$1
MACHINEDOTS=$2
MACHINE=`echo $MACHINEDOTS | $SED -e 's/\./,/g'`
for OPTION in `echo $* | $AWK -F# {'print $2'}| $SED s/\s+/\s/g`
do
OPTION_VAL=`echo $OPTION | $GREP ${TEST} 2>/dev/null`
if [ "$OPTION_VAL" != "" ] ; then
# We have found the test definition. Check if an alternative port was supplied
SSH_PORT_VAL=`echo $OPTION_VAL | $AWK -F: {'print $2'}`
if [ "$SSH_PORT_VAL" != "" ] ; then
SSH_PORT=$SSH_PORT_VAL
else
SSH_PORT=22
fi
fi
done
COLOR=green
MSG="$TEST status for host $MACHINEDOTS"
CLIENT=`echo $MACHINEDOTS | $AWK -F. {'print $1'}`
COUNT=`$PS -ef|$GREP "ssh -fnNR [1]984"| $EGREP "$SSH_PORT $CLIENT$"| wc -l | $SED -e "s/\ //g"`
if [ $COUNT -eq 0 ] ; then
COLOR=yellow
# Restarting the Tunnel
ssh -fnNR 1984:`hostname`:1984 -o StrictHostKeyChecking=no -p $SSH_PORT $CLIENT
if [ $? -ne 0 ] ; then
MSG="&red Tunnel is down.. Restart attempt failed"
COLOR=red
else
MSG="&yellow Tunnel recently restarted"
COLOR=yellow
fi
elif [ $COUNT -gt 1 ] ; then
for PROCESS in `$PS -ef | $GREP "ssh -fnNR"| GREP "$CLIENT" | $AWK {'print $2'}`
do
kill $PROCESS
done
# Restarting the Tunnel
ssh -fnNR 1984:`hostname`:1984 -o StrictHostKeyChecking=no -p $SSH_PORT $CLIENT
if [ $? -ne 0 ] ; then
MSG="&red Tunnel is down.. Restart attempt failed"
COLOR=red
else
MSG="&yellow Tunnel recently restarted"
COLOR=yellow
fi
else
MSG="&green SSH Tunnel to $CLIENT ok"
fi
$BB $BBDISP "status $MACHINEDOTS.$COLUMN $COLOR `date`
${MSG}
$VERSION
"
done
graceful_exit
===== Known Bugs and Issues =====
===== To Do =====
===== Credits =====
===== Changelog =====
* **2008-08-14 - 0.0.1**
* Initial release
* **2008-08-19 - 0.0.2**
* Updated the script to display the coloured icon on the client web page
* **2009-08-03 - 0.0.3**
* Allow user define the ssh port (if non-standard) in bb-hosts using ssh-tunnel:port syntax
* **2010-02-26 - 0.0.4**
* Match exact name of client in COUNT (Thanks Tony Larco for testing)
* **2011-04-07 - 0.0.5**
* Added "-o StrictHostKeyChecking=no" to avoid issues with key checking